1 /*
2 * Copyright (C) 2007 Michael Niedermayer <michaelni@gmx.at>
3 * Copyright (C) 2009 Konstantin Shishkov
4 * based on public domain SHA-1 code by Steve Reid <steve@edmweb.com>
5 * and on BSD-licensed SHA-2 code by Aaron D. Gifford
6 *
7 * This file is part of FFmpeg.
8 *
9 * FFmpeg is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU Lesser General Public
11 * License as published by the Free Software Foundation; either
12 * version 2.1 of the License, or (at your option) any later version.
13 *
14 * FFmpeg is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 * Lesser General Public License for more details.
18 *
19 * You should have received a copy of the GNU Lesser General Public
20 * License along with FFmpeg; if not, write to the Free Software
21 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
22 */
23
24 #include <string.h>
25
26 #include "config.h"
27 #include "attributes.h"
28 #include "bswap.h"
29 #include "error.h"
30 #include "sha.h"
31 #include "intreadwrite.h"
32 #include "mem.h"
33
34 /** hash context */
35 typedef struct AVSHA {
36 uint8_t digest_len; ///< digest length in 32-bit words
37 uint64_t count; ///< number of bytes in buffer
38 uint8_t buffer[64]; ///< 512-bit buffer of input values used in hash updating
39 uint32_t state[8]; ///< current hash value
40 /** function used to update hash for 512-bit input block */
41 void (*transform)(uint32_t *state, const uint8_t buffer[64]);
42 } AVSHA;
43
44 const int av_sha_size = sizeof(AVSHA);
45
av_sha_alloc(void)46 struct AVSHA *av_sha_alloc(void)
47 {
48 return av_mallocz(sizeof(struct AVSHA));
49 }
50
51 #define rol(value, bits) (((value) << (bits)) | ((value) >> (32 - (bits))))
52
53 /* (R0+R1), R2, R3, R4 are the different operations used in SHA1 */
54 #define blk0(i) (block[i] = AV_RB32(buffer + 4 * (i)))
55 #define blk(i) (block[i] = rol(block[(i)-3] ^ block[(i)-8] ^ block[(i)-14] ^ block[(i)-16], 1))
56
57 #define R0(v,w,x,y,z,i) z += (((w)&((x)^(y)))^(y)) + blk0(i) + 0x5A827999 + rol(v, 5); w = rol(w, 30);
58 #define R1(v,w,x,y,z,i) z += (((w)&((x)^(y)))^(y)) + blk (i) + 0x5A827999 + rol(v, 5); w = rol(w, 30);
59 #define R2(v,w,x,y,z,i) z += ( (w)^(x) ^(y)) + blk (i) + 0x6ED9EBA1 + rol(v, 5); w = rol(w, 30);
60 #define R3(v,w,x,y,z,i) z += ((((w)|(x))&(y))|((w)&(x))) + blk (i) + 0x8F1BBCDC + rol(v, 5); w = rol(w, 30);
61 #define R4(v,w,x,y,z,i) z += ( (w)^(x) ^(y)) + blk (i) + 0xCA62C1D6 + rol(v, 5); w = rol(w, 30);
62
63 /* Hash a single 512-bit block. This is the core of the algorithm. */
64
sha1_transform(uint32_t state[5],const uint8_t buffer[64])65 static void sha1_transform(uint32_t state[5], const uint8_t buffer[64])
66 {
67 uint32_t block[80];
68 unsigned int i, a, b, c, d, e;
69
70 a = state[0];
71 b = state[1];
72 c = state[2];
73 d = state[3];
74 e = state[4];
75 #if CONFIG_SMALL
76 for (i = 0; i < 80; i++) {
77 int t;
78 if (i < 16)
79 t = AV_RB32(buffer + 4 * i);
80 else
81 t = rol(block[i-3] ^ block[i-8] ^ block[i-14] ^ block[i-16], 1);
82 block[i] = t;
83 t += e + rol(a, 5);
84 if (i < 40) {
85 if (i < 20)
86 t += ((b&(c^d))^d) + 0x5A827999;
87 else
88 t += ( b^c ^d) + 0x6ED9EBA1;
89 } else {
90 if (i < 60)
91 t += (((b|c)&d)|(b&c)) + 0x8F1BBCDC;
92 else
93 t += ( b^c ^d) + 0xCA62C1D6;
94 }
95 e = d;
96 d = c;
97 c = rol(b, 30);
98 b = a;
99 a = t;
100 }
101 #else
102
103 #define R1_0 \
104 R0(a, b, c, d, e, 0 + i); \
105 R0(e, a, b, c, d, 1 + i); \
106 R0(d, e, a, b, c, 2 + i); \
107 R0(c, d, e, a, b, 3 + i); \
108 R0(b, c, d, e, a, 4 + i); \
109 i += 5
110
111 i = 0;
112 R1_0; R1_0; R1_0;
113 R0(a, b, c, d, e, 15);
114 R1(e, a, b, c, d, 16);
115 R1(d, e, a, b, c, 17);
116 R1(c, d, e, a, b, 18);
117 R1(b, c, d, e, a, 19);
118
119 #define R1_20 \
120 R2(a, b, c, d, e, 0 + i); \
121 R2(e, a, b, c, d, 1 + i); \
122 R2(d, e, a, b, c, 2 + i); \
123 R2(c, d, e, a, b, 3 + i); \
124 R2(b, c, d, e, a, 4 + i); \
125 i += 5
126
127 i = 20;
128 R1_20; R1_20; R1_20; R1_20;
129
130 #define R1_40 \
131 R3(a, b, c, d, e, 0 + i); \
132 R3(e, a, b, c, d, 1 + i); \
133 R3(d, e, a, b, c, 2 + i); \
134 R3(c, d, e, a, b, 3 + i); \
135 R3(b, c, d, e, a, 4 + i); \
136 i += 5
137
138 R1_40; R1_40; R1_40; R1_40;
139
140 #define R1_60 \
141 R4(a, b, c, d, e, 0 + i); \
142 R4(e, a, b, c, d, 1 + i); \
143 R4(d, e, a, b, c, 2 + i); \
144 R4(c, d, e, a, b, 3 + i); \
145 R4(b, c, d, e, a, 4 + i); \
146 i += 5
147
148 R1_60; R1_60; R1_60; R1_60;
149 #endif
150 state[0] += a;
151 state[1] += b;
152 state[2] += c;
153 state[3] += d;
154 state[4] += e;
155 }
156
157 static const uint32_t K256[64] = {
158 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
159 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
160 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
161 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
162 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
163 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
164 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
165 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
166 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
167 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
168 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
169 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
170 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
171 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
172 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
173 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
174 };
175
176
177 #define Ch(x,y,z) (((x) & ((y) ^ (z))) ^ (z))
178 #define Maj(z,y,x) ((((x) | (y)) & (z)) | ((x) & (y)))
179
180 #define Sigma0_256(x) (rol((x), 30) ^ rol((x), 19) ^ rol((x), 10))
181 #define Sigma1_256(x) (rol((x), 26) ^ rol((x), 21) ^ rol((x), 7))
182 #define sigma0_256(x) (rol((x), 25) ^ rol((x), 14) ^ ((x) >> 3))
183 #define sigma1_256(x) (rol((x), 15) ^ rol((x), 13) ^ ((x) >> 10))
184
185 #undef blk
186 #define blk(i) (block[i] = block[i - 16] + sigma0_256(block[i - 15]) + \
187 sigma1_256(block[i - 2]) + block[i - 7])
188
189 #define ROUND256(a,b,c,d,e,f,g,h) \
190 T1 += (h) + Sigma1_256(e) + Ch((e), (f), (g)) + K256[i]; \
191 (d) += T1; \
192 (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \
193 i++
194
195 #define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) \
196 T1 = blk0(i); \
197 ROUND256(a,b,c,d,e,f,g,h)
198
199 #define ROUND256_16_TO_63(a,b,c,d,e,f,g,h) \
200 T1 = blk(i); \
201 ROUND256(a,b,c,d,e,f,g,h)
202
sha256_transform(uint32_t * state,const uint8_t buffer[64])203 static void sha256_transform(uint32_t *state, const uint8_t buffer[64])
204 {
205 unsigned int i, a, b, c, d, e, f, g, h;
206 uint32_t block[64];
207 uint32_t T1;
208
209 a = state[0];
210 b = state[1];
211 c = state[2];
212 d = state[3];
213 e = state[4];
214 f = state[5];
215 g = state[6];
216 h = state[7];
217 #if CONFIG_SMALL
218 for (i = 0; i < 64; i++) {
219 uint32_t T2;
220 if (i < 16)
221 T1 = blk0(i);
222 else
223 T1 = blk(i);
224 T1 += h + Sigma1_256(e) + Ch(e, f, g) + K256[i];
225 T2 = Sigma0_256(a) + Maj(a, b, c);
226 h = g;
227 g = f;
228 f = e;
229 e = d + T1;
230 d = c;
231 c = b;
232 b = a;
233 a = T1 + T2;
234 }
235 #else
236
237 i = 0;
238 #define R256_0 \
239 ROUND256_0_TO_15(a, b, c, d, e, f, g, h); \
240 ROUND256_0_TO_15(h, a, b, c, d, e, f, g); \
241 ROUND256_0_TO_15(g, h, a, b, c, d, e, f); \
242 ROUND256_0_TO_15(f, g, h, a, b, c, d, e); \
243 ROUND256_0_TO_15(e, f, g, h, a, b, c, d); \
244 ROUND256_0_TO_15(d, e, f, g, h, a, b, c); \
245 ROUND256_0_TO_15(c, d, e, f, g, h, a, b); \
246 ROUND256_0_TO_15(b, c, d, e, f, g, h, a)
247
248 R256_0; R256_0;
249
250 #define R256_16 \
251 ROUND256_16_TO_63(a, b, c, d, e, f, g, h); \
252 ROUND256_16_TO_63(h, a, b, c, d, e, f, g); \
253 ROUND256_16_TO_63(g, h, a, b, c, d, e, f); \
254 ROUND256_16_TO_63(f, g, h, a, b, c, d, e); \
255 ROUND256_16_TO_63(e, f, g, h, a, b, c, d); \
256 ROUND256_16_TO_63(d, e, f, g, h, a, b, c); \
257 ROUND256_16_TO_63(c, d, e, f, g, h, a, b); \
258 ROUND256_16_TO_63(b, c, d, e, f, g, h, a)
259
260 R256_16; R256_16; R256_16;
261 R256_16; R256_16; R256_16;
262 #endif
263 state[0] += a;
264 state[1] += b;
265 state[2] += c;
266 state[3] += d;
267 state[4] += e;
268 state[5] += f;
269 state[6] += g;
270 state[7] += h;
271 }
272
273
av_sha_init(AVSHA * ctx,int bits)274 av_cold int av_sha_init(AVSHA *ctx, int bits)
275 {
276 ctx->digest_len = bits >> 5;
277 switch (bits) {
278 case 160: // SHA-1
279 ctx->state[0] = 0x67452301;
280 ctx->state[1] = 0xEFCDAB89;
281 ctx->state[2] = 0x98BADCFE;
282 ctx->state[3] = 0x10325476;
283 ctx->state[4] = 0xC3D2E1F0;
284 ctx->transform = sha1_transform;
285 break;
286 case 224: // SHA-224
287 ctx->state[0] = 0xC1059ED8;
288 ctx->state[1] = 0x367CD507;
289 ctx->state[2] = 0x3070DD17;
290 ctx->state[3] = 0xF70E5939;
291 ctx->state[4] = 0xFFC00B31;
292 ctx->state[5] = 0x68581511;
293 ctx->state[6] = 0x64F98FA7;
294 ctx->state[7] = 0xBEFA4FA4;
295 ctx->transform = sha256_transform;
296 break;
297 case 256: // SHA-256
298 ctx->state[0] = 0x6A09E667;
299 ctx->state[1] = 0xBB67AE85;
300 ctx->state[2] = 0x3C6EF372;
301 ctx->state[3] = 0xA54FF53A;
302 ctx->state[4] = 0x510E527F;
303 ctx->state[5] = 0x9B05688C;
304 ctx->state[6] = 0x1F83D9AB;
305 ctx->state[7] = 0x5BE0CD19;
306 ctx->transform = sha256_transform;
307 break;
308 default:
309 return AVERROR(EINVAL);
310 }
311 ctx->count = 0;
312 return 0;
313 }
314
av_sha_update(struct AVSHA * ctx,const uint8_t * data,size_t len)315 void av_sha_update(struct AVSHA *ctx, const uint8_t *data, size_t len)
316 {
317 unsigned int j;
318 size_t i;
319
320 j = ctx->count & 63;
321 ctx->count += len;
322 #if CONFIG_SMALL
323 for (i = 0; i < len; i++) {
324 ctx->buffer[j++] = data[i];
325 if (64 == j) {
326 ctx->transform(ctx->state, ctx->buffer);
327 j = 0;
328 }
329 }
330 #else
331 if (len >= 64 - j) {
332 const uint8_t *end;
333 memcpy(&ctx->buffer[j], data, (i = 64 - j));
334 ctx->transform(ctx->state, ctx->buffer);
335 data += i;
336 len -= i;
337 end = data + (len & ~63);
338 len = len % 64;
339 for (; data < end; data += 64)
340 ctx->transform(ctx->state, data);
341 j = 0;
342 }
343 memcpy(&ctx->buffer[j], data, len);
344 #endif
345 }
346
av_sha_final(AVSHA * ctx,uint8_t * digest)347 void av_sha_final(AVSHA* ctx, uint8_t *digest)
348 {
349 int i;
350 uint64_t finalcount = av_be2ne64(ctx->count << 3);
351
352 av_sha_update(ctx, "\200", 1);
353 while ((ctx->count & 63) != 56)
354 av_sha_update(ctx, "", 1);
355 av_sha_update(ctx, (uint8_t *)&finalcount, 8); /* Should cause a transform() */
356 for (i = 0; i < ctx->digest_len; i++)
357 AV_WB32(digest + i*4, ctx->state[i]);
358 }
359