| blob | f151ced498408d5f2a9c13013ae442a6ef31afc6 |
1 /* gchecksum.h - data hashing functions
2 *
3 * Copyright (C) 2007 Emmanuele Bassi <ebassi@gnome.org>
4 *
5 * This library is free software; you can redistribute it and/or
6 * modify it under the terms of the GNU Lesser General Public
7 * License as published by the Free Software Foundation; either
8 * version 2.1 of the License, or (at your option) any later version.
9 *
10 * This library is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 * Lesser General Public License for more details.
14 *
15 * You should have received a copy of the GNU Lesser General Public License
16 * along with this library; if not, see <http://www.gnu.org/licenses/>.
17 */
21 #include <string.h>
33 /**
34 * SECTION:checksum
35 * @title: Data Checksums
36 * @short_description: computes the checksum for data
37 *
38 * GLib provides a generic API for computing checksums (or "digests")
39 * for a sequence of arbitrary bytes, using various hashing algorithms
40 * like MD5, SHA-1 and SHA-256. Checksums are commonly used in various
41 * environments and specifications.
42 *
43 * GLib supports incremental checksums using the GChecksum data
44 * structure, by calling g_checksum_update() as long as there's data
45 * available and then using g_checksum_get_string() or
46 * g_checksum_get_digest() to compute the checksum and return it either
47 * as a string in hexadecimal form, or as a raw sequence of bytes. To
48 * compute the checksum for binary blobs and NUL-terminated strings in
49 * one go, use the convenience functions g_compute_checksum_for_data()
50 * and g_compute_checksum_for_string(), respectively.
51 *
52 * Support for checksums has been added in GLib 2.16
53 **/
55 #define IS_VALID_TYPE(type) ((type) >= G_CHECKSUM_MD5 && (type) <= G_CHECKSUM_SHA384)
57 /* The fact that these are lower case characters is part of the ABI */
60 #define MD5_DATASIZE 64
61 #define MD5_DIGEST_LEN 16
64 {
76 #define SHA1_DATASIZE 64
77 #define SHA1_DIGEST_LEN 20
80 {
84 /* we pack 64 unsigned chars into 16 32-bit unsigned integers */
90 #define SHA256_DATASIZE 64
91 #define SHA256_DIGEST_LEN 32
94 {
103 /* SHA2 is common thing for SHA-384, SHA-512, SHA-512/224 and SHA-512/256 */
105 #define SHA384_DIGEST_LEN 48
106 #define SHA512_DIGEST_LEN 64
109 {
113 guint8 block_len;
120 struct _GChecksum
121 {
122 GChecksumType type;
127 Md5sum md5;
128 Sha1sum sha1;
129 Sha256sum sha256;
130 Sha512sum sha512;
132 };
134 /* we need different byte swapping functions because MD5 expects buffers
135 * to be little-endian, while SHA1 and SHA256 expect them in big-endian
136 * form.
137 */
139 #if G_BYTE_ORDER == G_LITTLE_ENDIAN
140 #define md5_byte_reverse(buffer,length)
141 #else
142 /* assume that the passed buffer is integer aligned */
145 gulong length)
146 {
147 guint32 bit;
149 do
150 {
155 }
157 }
160 #if G_BYTE_ORDER == G_BIG_ENDIAN
161 #define sha_byte_reverse(buffer,length)
162 #else
165 gint length)
166 {
169 {
172 }
173 }
178 gsize digest_len)
179 {
181 gint i;
187 {
192 }
197 }
199 /*
200 * MD5 Checksum
201 */
203 /* This MD5 digest computation is based on the equivalent code
204 * written by Colin Plumb. It came with this notice:
205 *
206 * This code implements the MD5 message-digest algorithm.
207 * The algorithm is due to Ron Rivest. This code was
208 * written by Colin Plumb in 1993, no copyright is claimed.
209 * This code is in the public domain; do with it what you wish.
210 *
211 * Equivalent code is available from RSA Data Security, Inc.
212 * This code has been tested against that, and is equivalent,
213 * except that you don't need to include two pages of legalese
214 * with every copy.
215 */
217 static void
219 {
220 /* arbitrary constants */
227 }
229 /*
230 * The core of the MD5 algorithm, this alters an existing MD5 hash to
231 * reflect the addition of 16 longwords of new data. md5_sum_update()
232 * blocks the data and converts bytes into longwords for this routine.
233 */
234 static void
237 {
240 /* The four core functions - F1 is optimized somewhat */
241 #define F1(x, y, z) (z ^ (x & (y ^ z)))
242 #define F2(x, y, z) F1 (z, x, y)
243 #define F3(x, y, z) (x ^ y ^ z)
244 #define F4(x, y, z) (y ^ (x | ~z))
246 /* This is the central step in the MD5 algorithm. */
247 #define md5_step(f, w, x, y, z, data, s) \
248 ( w += f (x, y, z) + data, w = w << s | w >> (32 - s), w += x )
328 #undef F1
329 #undef F2
330 #undef F3
331 #undef F4
332 #undef md5_step
333 }
335 static void
338 gsize length)
339 {
340 guint32 bit;
345 /* carry from low to high */
351 /* bytes already in Md5sum->u.data */
354 /* handle any leading odd-sized chunks */
356 {
361 {
364 }
373 }
375 /* process data in 64-byte chunks */
377 {
385 }
387 /* handle any remaining bytes of data */
389 }
391 /* closes a checksum */
392 static void
394 {
395 guint count;
398 /* Compute number of bytes mod 64 */
401 /* Set the first char of padding to 0x80.
402 * This is safe since there is always at least one byte free
403 */
407 /* Bytes of padding needed to make 64 bytes */
410 /* Pad out to 56 mod 64 */
412 {
413 /* Two lots of padding: Pad the first block to 64 bytes */
419 /* Now fill the next block with 56 bytes */
421 }
422 else
423 {
424 /* Pad block to 56 bytes */
426 }
430 /* Append length in bits and transform */
439 /* Reset buffers in case they contain sensitive data */
442 }
446 {
448 }
450 static void
453 {
454 gint i;
458 }
460 /*
461 * SHA-1 Checksum
462 */
464 /* The following implementation comes from D-Bus dbus-sha.c. I've changed
465 * it to use GLib types and to work more like the MD5 implementation above.
466 * I left the comments to have an history of this code.
467 * -- Emmanuele Bassi, ebassi@gnome.org
468 */
470 /* The following comments have the history of where this code
471 * comes from. I actually copied it from GNet in GNOME CVS.
472 * - hp@redhat.com
473 */
475 /*
476 * sha.h : Implementation of the Secure Hash Algorithm
477 *
478 * Part of the Python Cryptography Toolkit, version 1.0.0
479 *
480 * Copyright (C) 1995, A.M. Kuchling
481 *
482 * Distribute and use freely; there are no restrictions on further
483 * dissemination and usage except those imposed by the laws of your
484 * country of residence.
485 *
486 */
488 /* SHA: NIST's Secure Hash Algorithm */
490 /* Based on SHA code originally posted to sci.crypt by Peter Gutmann
491 in message <30ajo5$oe8@ccu2.auckland.ac.nz>.
492 Modified to test for endianness on creation of SHA objects by AMK.
493 Also, the original specification of SHA was found to have a weakness
494 by NSA/NIST. This code implements the fixed version of SHA.
495 */
497 /* Here's the first paragraph of Peter Gutmann's posting:
499 The following is my SHA (FIPS 180) code updated to allow use of the "fixed"
500 SHA, thanks to Jim Gillogly and an anonymous contributor for the information on
501 what's changed in the new version. The fix is a simple change which involves
502 adding a single rotate in the initial expansion function. It is unknown
503 whether this is an optimal solution to the problem which was discovered in the
504 SHA or whether it's simply a bandaid which fixes the problem with a minimum of
505 effort (for example the reengineering of a great many Capstone chips).
506 */
508 static void
510 {
511 /* initialize constants */
518 /* initialize bits */
520 }
522 /* The SHA f()-functions. */
529 /* The SHA Mysterious Constants */
535 /* 32-bit rotate left - kludged with shifts */
536 #define ROTL(n,X) (((X) << n ) | ((X) >> (32 - n)))
538 /* The initial expanding function. The hash function is defined over an
539 80-word expanded input array W, where the first 16 are copies of the input
540 data, and the remaining 64 are defined by
542 W[ i ] = W[ i - 16 ] ^ W[ i - 14 ] ^ W[ i - 8 ] ^ W[ i - 3 ]
544 This implementation generates these values on the fly in a circular
545 buffer - thanks to Colin Plumb, colin@nyx10.cs.du.edu for this
546 optimization.
548 The updated SHA changes the expanding function by adding a rotate of 1
549 bit. Thanks to Jim Gillogly, jim@rand.org, and an anonymous contributor
550 for this information */
552 #define expand(W,i) (W[ i & 15 ] = ROTL (1, (W[ i & 15] ^ \
553 W[(i - 14) & 15] ^ \
554 W[(i - 8) & 15] ^ \
555 W[(i - 3) & 15])))
558 /* The prototype SHA sub-round. The fundamental sub-round is:
560 a' = e + ROTL( 5, a ) + f( b, c, d ) + k + data;
561 b' = a;
562 c' = ROTL( 30, b );
563 d' = c;
564 e' = d;
566 but this is implemented by unrolling the loop 5 times and renaming the
567 variables ( e, a, b, c, d ) = ( a', b', c', d', e' ) each iteration.
568 This code is then replicated 20 times for each of the 4 functions, using
569 the next 20 values from the W[] array each time */
571 #define subRound(a, b, c, d, e, f, k, data) \
572 (e += ROTL (5, a) + f(b, c, d) + k + data, b = ROTL (30, b))
574 static void
577 {
586 /* Heavy mangling, in 4 sub-rounds of 20 iterations each. */
671 /* Build message digest */
677 }
679 #undef K1
680 #undef K2
681 #undef K3
682 #undef K4
683 #undef f1
684 #undef f2
685 #undef f3
686 #undef f4
687 #undef ROTL
688 #undef expand
689 #undef subRound
691 static void
694 gsize count)
695 {
696 guint32 tmp;
697 guint dataCount;
699 /* Update bitcount */
705 /* Get count of bytes already in data */
708 /* Handle any leading odd-sized chunks */
710 {
715 {
718 }
727 }
729 /* Process data in SHA1_DATASIZE chunks */
731 {
739 }
741 /* Handle any remaining bytes of data. */
743 }
745 /* Final wrapup - pad to SHA_DATASIZE-byte boundary with the bit pattern
746 1 0* (64-bit count of bits processed, MSB-first) */
747 static void
749 {
750 gint count;
753 /* Compute number of bytes mod 64 */
756 /* Set the first char of padding to 0x80. This is safe since there is
757 always at least one byte free */
761 /* Bytes of padding needed to make 64 bytes */
764 /* Pad out to 56 mod 64 */
766 {
767 /* Two lots of padding: Pad the first block to 64 bytes */
773 /* Now fill the next block with 56 bytes */
775 }
776 else
777 {
778 /* Pad block to 56 bytes */
780 }
782 /* Append length in bits and transform */
792 /* Reset buffers in case they contain sensitive data */
795 }
799 {
801 }
803 static void
806 {
807 gint i;
811 }
813 /*
814 * SHA-256 Checksum
815 */
817 /* adapted from the SHA256 implementation in gsk/src/hash/gskhash.c.
818 *
819 * Copyright (C) 2006 Dave Benson
820 * Released under the terms of the GNU Lesser General Public License
821 */
823 static void
825 {
836 }
838 #define GET_UINT32(n,b,i) G_STMT_START{ \
839 (n) = ((guint32) (b)[(i) ] << 24) \
840 | ((guint32) (b)[(i) + 1] << 16) \
841 | ((guint32) (b)[(i) + 2] << 8) \
842 | ((guint32) (b)[(i) + 3] ); } G_STMT_END
844 #define PUT_UINT32(n,b,i) G_STMT_START{ \
845 (b)[(i) ] = (guint8) ((n) >> 24); \
846 (b)[(i) + 1] = (guint8) ((n) >> 16); \
847 (b)[(i) + 2] = (guint8) ((n) >> 8); \
848 (b)[(i) + 3] = (guint8) ((n) ); } G_STMT_END
850 static void
853 {
874 #define SHR(x,n) ((x & 0xFFFFFFFF) >> n)
875 #define ROTR(x,n) (SHR (x,n) | (x << (32 - n)))
877 #define S0(x) (ROTR (x, 7) ^ ROTR (x,18) ^ SHR (x, 3))
878 #define S1(x) (ROTR (x,17) ^ ROTR (x,19) ^ SHR (x,10))
879 #define S2(x) (ROTR (x, 2) ^ ROTR (x,13) ^ ROTR (x,22))
880 #define S3(x) (ROTR (x, 6) ^ ROTR (x,11) ^ ROTR (x,25))
882 #define F0(x,y,z) ((x & y) | (z & (x | y)))
883 #define F1(x,y,z) (z ^ (x & (y ^ z)))
885 #define R(t) (W[t] = S1(W[t - 2]) + W[t - 7] + \
886 S0(W[t - 15]) + W[t - 16])
888 #define P(a,b,c,d,e,f,g,h,x,K) G_STMT_START { \
889 temp1 = h + S3(e) + F1(e,f,g) + K + x; \
890 temp2 = S2(a) + F0(a,b,c); \
891 d += temp1; h = temp1 + temp2; } G_STMT_END
967 #undef SHR
968 #undef ROTR
969 #undef S0
970 #undef S1
971 #undef S2
972 #undef S3
973 #undef F0
974 #undef F1
975 #undef R
976 #undef P
986 }
988 static void
991 gsize length)
992 {
1009 {
1017 }
1020 {
1025 }
1029 }
1032 {
1037 };
1039 static void
1041 {
1067 }
1069 #undef PUT_UINT32
1070 #undef GET_UINT32
1074 {
1076 }
1078 static void
1081 {
1082 gint i;
1086 }
1088 /*
1089 * SHA-384, SHA-512, SHA-512/224 and SHA-512/256 Checksums
1090 *
1091 * Implemented following FIPS-180-4 standard at
1092 * http://csrc.nist.gov/publications/fips/fips180-4/fips180-4.pdf.
1093 * References in the form [§x.y.z] map to sections in that document.
1094 *
1095 * Author(s): Eduardo Lima Mitev <elima@igalia.com>
1096 * Igor Gnatenko <ignatenko@src.gnome.org>
1097 */
1099 /* SHA-384, SHA-512, SHA-512/224 and SHA-512/256 functions [§4.1.3] */
1100 #define Ch(x,y,z) ((x & y) ^ (~x & z))
1101 #define Maj(x,y,z) ((x & y) ^ (x & z) ^ (y & z))
1102 #define SHR(n,x) (x >> n)
1103 #define ROTR(n,x) (SHR (n, x) | (x << (64 - n)))
1104 #define SIGMA0(x) (ROTR (28, x) ^ ROTR (34, x) ^ ROTR (39, x))
1105 #define SIGMA1(x) (ROTR (14, x) ^ ROTR (18, x) ^ ROTR (41, x))
1106 #define sigma0(x) (ROTR ( 1, x) ^ ROTR ( 8, x) ^ SHR ( 7, x))
1107 #define sigma1(x) (ROTR (19, x) ^ ROTR (61, x) ^ SHR ( 6, x))
1109 #define PUT_UINT64(n,b,i) G_STMT_START{ \
1110 (b)[(i) ] = (guint8) (n >> 56); \
1111 (b)[(i) + 1] = (guint8) (n >> 48); \
1112 (b)[(i) + 2] = (guint8) (n >> 40); \
1113 (b)[(i) + 3] = (guint8) (n >> 32); \
1114 (b)[(i) + 4] = (guint8) (n >> 24); \
1115 (b)[(i) + 5] = (guint8) (n >> 16); \
1116 (b)[(i) + 6] = (guint8) (n >> 8); \
1117 (b)[(i) + 7] = (guint8) (n ); } G_STMT_END
1119 /* SHA-384 and SHA-512 constants [§4.2.3] */
1161 };
1164 static void
1166 {
1167 /* Initial Hash Value [§5.3.4] */
1181 }
1183 static void
1185 {
1186 /* Initial Hash Value [§5.3.5] */
1200 }
1202 static void
1205 {
1206 gint i;
1207 gint t;
1212 /* SHA-512 hash computation [§6.4.2] */
1214 /* prepare the message schedule */
1216 {
1228 }
1233 else
1236 /* initialize the eight working variables */
1247 {
1260 }
1262 /* Compute the intermediate hash value H */
1271 }
1273 static void
1276 gsize length)
1277 {
1287 /* try to fill current block */
1290 {
1291 gsize fill_len;
1300 {
1303 }
1304 }
1306 /* process complete blocks */
1308 {
1315 }
1317 /* keep remaining data for next block */
1319 {
1322 }
1323 }
1325 static void
1327 {
1328 guint l;
1329 gint zeros;
1332 gint i;
1334 /* apply padding [§5.1.2] */
1343 pad_len++;
1349 /* put message bit length at the end of padding */
1356 /* update checksum with the padded block */
1359 /* copy resulting 64-bit words into digest */
1362 }
1366 {
1368 }
1372 {
1374 }
1376 static void
1379 {
1381 }
1383 static void
1386 {
1388 }
1390 #undef Ch
1391 #undef Maj
1392 #undef SHR
1393 #undef ROTR
1394 #undef SIGMA0
1395 #undef SIGMA1
1396 #undef sigma0
1397 #undef sigma1
1399 #undef PUT_UINT64
1401 /*
1402 * Public API
1403 */
1405 /**
1406 * g_checksum_type_get_length:
1407 * @checksum_type: a #GChecksumType
1408 *
1409 * Gets the length in bytes of digests of type @checksum_type
1410 *
1411 * Returns: the checksum length, or -1 if @checksum_type is
1412 * not supported.
1413 *
1414 * Since: 2.16
1415 */
1416 gssize
1418 {
1422 {
1441 }
1444 }
1446 /**
1447 * g_checksum_new:
1448 * @checksum_type: the desired type of checksum
1449 *
1450 * Creates a new #GChecksum, using the checksum algorithm @checksum_type.
1451 * If the @checksum_type is not known, %NULL is returned.
1452 * A #GChecksum can be used to compute the checksum, or digest, of an
1453 * arbitrary binary blob, using different hashing algorithms.
1454 *
1455 * A #GChecksum works by feeding a binary blob through g_checksum_update()
1456 * until there is data to be checked; the digest can then be extracted
1457 * using g_checksum_get_string(), which will return the checksum as a
1458 * hexadecimal string; or g_checksum_get_digest(), which will return a
1459 * vector of raw bytes. Once either g_checksum_get_string() or
1460 * g_checksum_get_digest() have been called on a #GChecksum, the checksum
1461 * will be closed and it won't be possible to call g_checksum_update()
1462 * on it anymore.
1463 *
1464 * Returns: (transfer full): the newly created #GChecksum, or %NULL.
1465 * Use g_checksum_free() to free the memory allocated by it.
1466 *
1467 * Since: 2.16
1468 */
1469 GChecksum *
1471 {
1483 }
1485 /**
1486 * g_checksum_reset:
1487 * @checksum: the #GChecksum to reset
1488 *
1489 * Resets the state of the @checksum back to its initial state.
1490 *
1491 * Since: 2.18
1492 **/
1493 void
1495 {
1502 {
1521 }
1522 }
1524 /**
1525 * g_checksum_copy:
1526 * @checksum: the #GChecksum to copy
1527 *
1528 * Copies a #GChecksum. If @checksum has been closed, by calling
1529 * g_checksum_get_string() or g_checksum_get_digest(), the copied
1530 * checksum will be closed as well.
1531 *
1532 * Returns: the copy of the passed #GChecksum. Use g_checksum_free()
1533 * when finished using it.
1534 *
1535 * Since: 2.16
1536 */
1537 GChecksum *
1539 {
1550 }
1552 /**
1553 * g_checksum_free:
1554 * @checksum: a #GChecksum
1555 *
1556 * Frees the memory allocated for @checksum.
1557 *
1558 * Since: 2.16
1559 */
1560 void
1562 {
1564 {
1568 }
1569 }
1571 /**
1572 * g_checksum_update:
1573 * @checksum: a #GChecksum
1574 * @data: (array length=length) (element-type guint8): buffer used to compute the checksum
1575 * @length: size of the buffer, or -1 if it is a null-terminated string.
1576 *
1577 * Feeds @data into an existing #GChecksum. The checksum must still be
1578 * open, that is g_checksum_get_string() or g_checksum_get_digest() must
1579 * not have been called on @checksum.
1580 *
1581 * Since: 2.16
1582 */
1583 void
1586 gssize length)
1587 {
1595 {
1600 }
1603 {
1620 }
1621 }
1623 /**
1624 * g_checksum_get_string:
1625 * @checksum: a #GChecksum
1626 *
1627 * Gets the digest as an hexadecimal string.
1628 *
1629 * Once this function has been called the #GChecksum can no longer be
1630 * updated with g_checksum_update().
1631 *
1632 * The hexadecimal characters will be lower case.
1633 *
1634 * Returns: the hexadecimal representation of the checksum. The
1635 * returned string is owned by the checksum and should not be modified
1636 * or freed.
1637 *
1638 * Since: 2.16
1639 */
1642 {
1651 {
1675 }
1680 }
1682 /**
1683 * g_checksum_get_digest: (skip)
1684 * @checksum: a #GChecksum
1685 * @buffer: (array length=digest_len): output buffer
1686 * @digest_len: (inout): an inout parameter. The caller initializes it to the size of @buffer.
1687 * After the call it contains the length of the digest.
1688 *
1689 * Gets the digest from @checksum as a raw binary vector and places it
1690 * into @buffer. The size of the digest depends on the type of checksum.
1691 *
1692 * Once this function has been called, the #GChecksum is closed and can
1693 * no longer be updated with g_checksum_update().
1694 *
1695 * Since: 2.16
1696 */
1697 void
1701 {
1704 gsize len;
1714 {
1717 {
1720 }
1725 {
1728 }
1733 {
1736 }
1741 {
1744 }
1749 {
1752 }
1758 }
1764 }
1766 /**
1767 * g_compute_checksum_for_data:
1768 * @checksum_type: a #GChecksumType
1769 * @data: (array length=length) (element-type guint8): binary blob to compute the digest of
1770 * @length: length of @data
1771 *
1772 * Computes the checksum for a binary @data of @length. This is a
1773 * convenience wrapper for g_checksum_new(), g_checksum_get_string()
1774 * and g_checksum_free().
1775 *
1776 * The hexadecimal string returned will be in lower case.
1777 *
1778 * Returns: the digest of the binary data as a string in hexadecimal.
1779 * The returned string should be freed with g_free() when done using it.
1780 *
1781 * Since: 2.16
1782 */
1783 gchar *
1786 gsize length)
1787 {
1803 }
1805 /**
1806 * g_compute_checksum_for_string:
1807 * @checksum_type: a #GChecksumType
1808 * @str: the string to compute the checksum of
1809 * @length: the length of the string, or -1 if the string is null-terminated.
1810 *
1811 * Computes the checksum of a string.
1812 *
1813 * The hexadecimal string returned will be in lower case.
1814 *
1815 * Returns: the checksum as a hexadecimal string. The returned string
1816 * should be freed with g_free() when done using it.
1817 *
1818 * Since: 2.16
1819 */
1820 gchar *
1823 gssize length)
1824 {
1832 }
1834 /**
1835 * g_compute_checksum_for_bytes:
1836 * @checksum_type: a #GChecksumType
1837 * @data: binary blob to compute the digest of
1838 *
1839 * Computes the checksum for a binary @data. This is a
1840 * convenience wrapper for g_checksum_new(), g_checksum_get_string()
1841 * and g_checksum_free().
1842 *
1843 * The hexadecimal string returned will be in lower case.
1844 *
1845 * Returns: the digest of the binary data as a string in hexadecimal.
1846 * The returned string should be freed with g_free() when done using it.
1847 *
1848 * Since: 2.34
1849 */
1850 gchar *
1853 {
1854 gconstpointer byte_data;
1855 gsize length;
1862 }