summaryrefslogtreecommitdiffstats
path: root/meta/packages/shasum/files/sha256.c
diff options
context:
space:
mode:
authorRichard Purdie <richard@openedhand.com>2007-08-08 21:06:01 +0000
committerRichard Purdie <richard@openedhand.com>2007-08-08 21:06:01 +0000
commit20093245e320b661f949ca1bfb49d05a53f80aee (patch)
tree6b97cb4c7780bdebddeeaf9d8ae7c9c168ba71cc /meta/packages/shasum/files/sha256.c
parent9c900768c48f5eac3d8e8171392b5d3dee91b422 (diff)
downloadpoky-20093245e320b661f949ca1bfb49d05a53f80aee.tar.gz
Add shasum (from OE)
git-svn-id: https://svn.o-hand.com/repos/poky/trunk@2412 311d38ba-8fff-0310-9ca6-ca027cbcb966
Diffstat (limited to 'meta/packages/shasum/files/sha256.c')
-rw-r--r--meta/packages/shasum/files/sha256.c322
1 files changed, 322 insertions, 0 deletions
diff --git a/meta/packages/shasum/files/sha256.c b/meta/packages/shasum/files/sha256.c
new file mode 100644
index 0000000000..e2ee2c6b4e
--- /dev/null
+++ b/meta/packages/shasum/files/sha256.c
@@ -0,0 +1,322 @@
1/* sha256.h
2 *
3 * The sha256 hash function.
4 */
5
6/* nettle, low-level cryptographics library
7 *
8 * Copyright (C) 2001 Niels Möller
9 *
10 * This program is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU General Public License as
12 * published by the Free Software Foundation; either version 2 of the
13 * License, or (at your option) any later version.
14 *
15 * The nettle library is distributed in the hope that it will be useful, but
16 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
17 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public
18 * License for more details.
19 *
20 * You should have received a copy of the GNU Lesser General Public License
21 * along with the nettle library; see the file COPYING.LIB. If not, write to
22 * the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
23 * MA 02111-1307, USA.
24 */
25
26/* Modelled after the sha1.c code by Peter Gutmann. */
27
28#include "mhash_sha256.h"
29#include <stdlib.h>
30#include <string.h>
31
32
33#ifndef EXTRACT_UCHAR
34#define EXTRACT_UCHAR(p) (*(unsigned char *)(p))
35#endif
36
37#define STRING2INT(s) ((((((EXTRACT_UCHAR(s) << 8) \
38 | EXTRACT_UCHAR(s+1)) << 8) \
39 | EXTRACT_UCHAR(s+2)) << 8) \
40 | EXTRACT_UCHAR(s+3))
41
42/* This has been modified in order to fit in mhash.
43 * --nmav.
44 */
45
46/* A block, treated as a sequence of 32-bit words. */
47#define SHA256_DATA_LENGTH 16
48
49#define ROTR(n,x) ((x)>>(n) | ((x)<<(32-(n))))
50#define SHR(n,x) ((x)>>(n))
51
52/* The SHA256 functions. The Choice function is the same as the SHA1
53 function f1, and the majority function is the same as the SHA1 f3
54 function. They can be optimized to save one boolean operation each
55 - thanks to Rich Schroeppel, rcs@cs.arizona.edu for discovering
56 this */
57
58/* #define Choice(x,y,z) ( ( (x) & (y) ) | ( ~(x) & (z) ) ) */
59#define Choice(x,y,z) ( (z) ^ ( (x) & ( (y) ^ (z) ) ) )
60/* #define Majority(x,y,z) ( ((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)) ) */
61#define Majority(x,y,z) ( ((x) & (y)) ^ ((z) & ((x) ^ (y))) )
62
63#define S0(x) (ROTR(2,(x)) ^ ROTR(13,(x)) ^ ROTR(22,(x)))
64#define S1(x) (ROTR(6,(x)) ^ ROTR(11,(x)) ^ ROTR(25,(x)))
65
66#define s0(x) (ROTR(7,(x)) ^ ROTR(18,(x)) ^ SHR(3,(x)))
67#define s1(x) (ROTR(17,(x)) ^ ROTR(19,(x)) ^ SHR(10,(x)))
68
69/* Generated by the shadata program. */
70static const word32 K[64] = {
71 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
72 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
73 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
74 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
75 0xe49b69c1UL, 0xefbe4786UL, 0xfc19dc6UL, 0x240ca1ccUL,
76 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
77 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
78 0xc6e00bf3UL, 0xd5a79147UL, 0x6ca6351UL, 0x14292967UL,
79 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
80 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
81 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
82 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
83 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
84 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
85 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
86 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL,
87};
88
89/* The initial expanding function. The hash function is defined over an
90 64-word expanded input array W, where the first 16 are copies of the input
91 data, and the remaining 64 are defined by
92
93 W[ t ] = s1(W[t-2] + W[t-7] + s0(W[i-15] + W[i-16]
94
95 This implementation generates these values on the fly in a circular
96 buffer - thanks to Colin Plumb, colin@nyx10.cs.du.edu for this
97 optimization.
98*/
99
100#define EXPAND(W,i) \
101( W[(i) & 15 ] += (s1(W[((i)-2) & 15]) + W[((i)-7) & 15] + s0(W[((i)-15) & 15])) )
102
103/* The prototype SHA sub-round. The fundamental sub-round is:
104
105 T1 = h + S1(e) + Choice(e,f,g) + K[t] + W[t]
106 T2 = S0(a) + Majority(a,b,c)
107 a' = T1+T2
108 b' = a
109 c' = b
110 d' = c
111 e' = d + T1
112 f' = e
113 g' = f
114 h' = g
115
116 but this is implemented by unrolling the loop 8 times and renaming
117 the variables
118 ( h, a, b, c, d, e, f, g ) = ( a, b, c, d, e, f, g, h ) each
119 iteration. This code is then replicated 8, using the next 8 values
120 from the W[] array each time */
121
122/* FIXME: We can probably reorder this to optimize away at least one
123 * of T1 and T2. It's crucial that DATA is only used once, as that
124 * argument will have side effects. */
125#define ROUND(a,b,c,d,e,f,g,h,k,data) do { \
126 word32 T1 = h + S1(e) + Choice(e,f,g) + k + data; \
127 word32 T2 = S0(a) + Majority(a,b,c); \
128 d += T1; \
129 h = T1 + T2; \
130} while (0)
131
132/* Initialize the SHA values */
133
134void sha256_init(struct sha256_ctx *ctx)
135{
136 /* Initial values, also generated by the shadata program. */
137 static const word32 H0[_SHA256_DIGEST_LENGTH] = {
138 0x6a09e667UL, 0xbb67ae85UL, 0x3c6ef372UL, 0xa54ff53aUL,
139 0x510e527fUL, 0x9b05688cUL, 0x1f83d9abUL, 0x5be0cd19UL,
140 };
141
142 memcpy(ctx->state, H0, sizeof(H0));
143
144 /* Initialize bit count */
145 ctx->count_low = ctx->count_high = 0;
146
147 /* Initialize buffer */
148 ctx->index = 0;
149}
150
151/* Perform the SHA transformation. Note that this code, like MD5, seems to
152 break some optimizing compilers due to the complexity of the expressions
153 and the size of the basic block. It may be necessary to split it into
154 sections, e.g. based on the four subrounds
155
156 Note that this function destroys the data area */
157
158static void sha256_transform(word32 * state, word32 * data)
159{
160 word32 A, B, C, D, E, F, G, H; /* Local vars */
161 unsigned i;
162 const word32 *k;
163 word32 *d;
164
165 /* Set up first buffer and local data buffer */
166 A = state[0];
167 B = state[1];
168 C = state[2];
169 D = state[3];
170 E = state[4];
171 F = state[5];
172 G = state[6];
173 H = state[7];
174
175 /* Heavy mangling */
176 /* First 16 subrounds that act on the original data */
177
178 for (i = 0, k = K, d = data; i < 16; i += 8, k += 8, d += 8) {
179 ROUND(A, B, C, D, E, F, G, H, k[0], d[0]);
180 ROUND(H, A, B, C, D, E, F, G, k[1], d[1]);
181 ROUND(G, H, A, B, C, D, E, F, k[2], d[2]);
182 ROUND(F, G, H, A, B, C, D, E, k[3], d[3]);
183 ROUND(E, F, G, H, A, B, C, D, k[4], d[4]);
184 ROUND(D, E, F, G, H, A, B, C, k[5], d[5]);
185 ROUND(C, D, E, F, G, H, A, B, k[6], d[6]);
186 ROUND(B, C, D, E, F, G, H, A, k[7], d[7]);
187 }
188
189 for (; i < 64; i += 16, k += 16) {
190 ROUND(A, B, C, D, E, F, G, H, k[0], EXPAND(data, 0));
191 ROUND(H, A, B, C, D, E, F, G, k[1], EXPAND(data, 1));
192 ROUND(G, H, A, B, C, D, E, F, k[2], EXPAND(data, 2));
193 ROUND(F, G, H, A, B, C, D, E, k[3], EXPAND(data, 3));
194 ROUND(E, F, G, H, A, B, C, D, k[4], EXPAND(data, 4));
195 ROUND(D, E, F, G, H, A, B, C, k[5], EXPAND(data, 5));
196 ROUND(C, D, E, F, G, H, A, B, k[6], EXPAND(data, 6));
197 ROUND(B, C, D, E, F, G, H, A, k[7], EXPAND(data, 7));
198 ROUND(A, B, C, D, E, F, G, H, k[8], EXPAND(data, 8));
199 ROUND(H, A, B, C, D, E, F, G, k[9], EXPAND(data, 9));
200 ROUND(G, H, A, B, C, D, E, F, k[10], EXPAND(data, 10));
201 ROUND(F, G, H, A, B, C, D, E, k[11], EXPAND(data, 11));
202 ROUND(E, F, G, H, A, B, C, D, k[12], EXPAND(data, 12));
203 ROUND(D, E, F, G, H, A, B, C, k[13], EXPAND(data, 13));
204 ROUND(C, D, E, F, G, H, A, B, k[14], EXPAND(data, 14));
205 ROUND(B, C, D, E, F, G, H, A, k[15], EXPAND(data, 15));
206 }
207
208 /* Update state */
209 state[0] += A;
210 state[1] += B;
211 state[2] += C;
212 state[3] += D;
213 state[4] += E;
214 state[5] += F;
215 state[6] += G;
216 state[7] += H;
217}
218
219static void sha256_block(struct sha256_ctx *ctx, const byte * block)
220{
221 word32 data[SHA256_DATA_LENGTH];
222 int i;
223
224 /* Update block count */
225 if (!++ctx->count_low)
226 ++ctx->count_high;
227
228 /* Endian independent conversion */
229 for (i = 0; i < SHA256_DATA_LENGTH; i++, block += 4)
230 data[i] = STRING2INT(block);
231
232 sha256_transform(ctx->state, data);
233}
234
235void
236sha256_update(struct sha256_ctx *ctx, const byte * buffer, unsigned length)
237{
238 if (ctx->index) { /* Try to fill partial block */
239 unsigned left = SHA256_DATA_SIZE - ctx->index;
240 if (length < left) {
241 memcpy(ctx->block + ctx->index, buffer, length);
242 ctx->index += length;
243 return; /* Finished */
244 } else {
245 memcpy(ctx->block + ctx->index, buffer, left);
246 sha256_block(ctx, ctx->block);
247 buffer += left;
248 length -= left;
249 }
250 }
251 while (length >= SHA256_DATA_SIZE) {
252 sha256_block(ctx, buffer);
253 buffer += SHA256_DATA_SIZE;
254 length -= SHA256_DATA_SIZE;
255 }
256 /* Buffer leftovers */
257 /* NOTE: The corresponding sha1 code checks for the special case length == 0.
258 * That seems supoptimal, as I suspect it increases the number of branches. */
259
260 memcpy(ctx->block, buffer, length);
261 ctx->index = length;
262}
263
264/* Final wrapup - pad to SHA1_DATA_SIZE-byte boundary with the bit pattern
265 1 0* (64-bit count of bits processed, MSB-first) */
266
267void sha256_final(struct sha256_ctx *ctx)
268{
269 word32 data[SHA256_DATA_LENGTH];
270 int i;
271 int words;
272
273 i = ctx->index;
274
275 /* Set the first char of padding to 0x80. This is safe since there is
276 always at least one byte free */
277
278/* assert(i < SHA256_DATA_SIZE);
279 */
280 ctx->block[i++] = 0x80;
281
282 /* Fill rest of word */
283 for (; i & 3; i++)
284 ctx->block[i] = 0;
285
286 /* i is now a multiple of the word size 4 */
287 words = i >> 2;
288 for (i = 0; i < words; i++)
289 data[i] = STRING2INT(ctx->block + 4 * i);
290
291 if (words > (SHA256_DATA_LENGTH - 2)) { /* No room for length in this block. Process it and
292 * pad with another one */
293 for (i = words; i < SHA256_DATA_LENGTH; i++)
294 data[i] = 0;
295 sha256_transform(ctx->state, data);
296 for (i = 0; i < (SHA256_DATA_LENGTH - 2); i++)
297 data[i] = 0;
298 } else
299 for (i = words; i < SHA256_DATA_LENGTH - 2; i++)
300 data[i] = 0;
301
302 /* There are 512 = 2^9 bits in one block */
303 data[SHA256_DATA_LENGTH - 2] =
304 (ctx->count_high << 9) | (ctx->count_low >> 23);
305 data[SHA256_DATA_LENGTH - 1] =
306 (ctx->count_low << 9) | (ctx->index << 3);
307 sha256_transform(ctx->state, data);
308}
309
310void sha256_digest(const struct sha256_ctx *ctx, byte * s)
311{
312 int i;
313
314 if (s!=NULL)
315 for (i = 0; i < _SHA256_DIGEST_LENGTH; i++) {
316 *s++ = ctx->state[i] >> 24;
317 *s++ = 0xff & (ctx->state[i] >> 16);
318 *s++ = 0xff & (ctx->state[i] >> 8);
319 *s++ = 0xff & ctx->state[i];
320 }
321}
322