1 // Copyright 2014 The PDFium Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 // Original code copyright 2014 Foxit Software Inc. http://www.foxitsoftware.com
6
7 #include "core/fdrm/fx_crypt_sha.h"
8
9 #include "core/fxcrt/compiler_specific.h"
10 #include "core/fxcrt/fx_memcpy_wrappers.h"
11 #include "core/fxcrt/stl_util.h"
12
13 #define SHA_GET_UINT32(n, b, i) \
14 UNSAFE_BUFFERS({ \
15 (n) = ((uint32_t)(b)[(i)] << 24) | ((uint32_t)(b)[(i) + 1] << 16) | \
16 ((uint32_t)(b)[(i) + 2] << 8) | ((uint32_t)(b)[(i) + 3]); \
17 })
18
19 #define SHA_PUT_UINT32(n, b, i) \
20 UNSAFE_BUFFERS({ \
21 (b)[(i)] = (uint8_t)((n) >> 24); \
22 (b)[(i) + 1] = (uint8_t)((n) >> 16); \
23 (b)[(i) + 2] = (uint8_t)((n) >> 8); \
24 (b)[(i) + 3] = (uint8_t)((n)); \
25 })
26
27 #define SHA_GET_UINT64(n, b, i) \
28 UNSAFE_BUFFERS({ \
29 (n) = ((uint64_t)(b)[(i)] << 56) | ((uint64_t)(b)[(i) + 1] << 48) | \
30 ((uint64_t)(b)[(i) + 2] << 40) | ((uint64_t)(b)[(i) + 3] << 32) | \
31 ((uint64_t)(b)[(i) + 4] << 24) | ((uint64_t)(b)[(i) + 5] << 16) | \
32 ((uint64_t)(b)[(i) + 6] << 8) | ((uint64_t)(b)[(i) + 7]); \
33 })
34
35 #define SHA_PUT_UINT64(n, b, i) \
36 UNSAFE_BUFFERS({ \
37 (b)[(i)] = (uint8_t)((n) >> 56); \
38 (b)[(i) + 1] = (uint8_t)((n) >> 48); \
39 (b)[(i) + 2] = (uint8_t)((n) >> 40); \
40 (b)[(i) + 3] = (uint8_t)((n) >> 32); \
41 (b)[(i) + 4] = (uint8_t)((n) >> 24); \
42 (b)[(i) + 5] = (uint8_t)((n) >> 16); \
43 (b)[(i) + 6] = (uint8_t)((n) >> 8); \
44 (b)[(i) + 7] = (uint8_t)((n)); \
45 })
46
47 #define SHA384_F0(x, y, z) ((x & y) | (z & (x | y)))
48 #define SHA384_F1(x, y, z) (z ^ (x & (y ^ z)))
49 #define SHA384_SHR(x, n) (x >> n)
50 #define SHA384_ROTR(x, n) (SHA384_SHR(x, n) | x << (64 - n))
51 #define SHA384_S0(x) (SHA384_ROTR(x, 1) ^ SHA384_ROTR(x, 8) ^ SHA384_SHR(x, 7))
52 #define SHA384_S1(x) \
53 (SHA384_ROTR(x, 19) ^ SHA384_ROTR(x, 61) ^ SHA384_SHR(x, 6))
54 #define SHA384_S2(x) \
55 (SHA384_ROTR(x, 28) ^ SHA384_ROTR(x, 34) ^ SHA384_ROTR(x, 39))
56 #define SHA384_S3(x) \
57 (SHA384_ROTR(x, 14) ^ SHA384_ROTR(x, 18) ^ SHA384_ROTR(x, 41))
58 #define SHA384_P(a, b, c, d, e, f, g, h, x, K) \
59 { \
60 uint64_t temp1 = h + SHA384_S3(e) + SHA384_F1(e, f, g) + K + x; \
61 uint64_t temp2 = SHA384_S2(a) + SHA384_F0(a, b, c); \
62 d += temp1; \
63 h = temp1 + temp2; \
64 }
65 #define SHA384_R(t) \
66 (W[t] = SHA384_S1(W[t - 2]) + W[t - 7] + SHA384_S0(W[t - 15]) + W[t - 16])
67
68 #define rol(x, y) (((x) << (y)) | (((uint32_t)x) >> (32 - y)))
69 #define SHR(x, n) ((x & 0xFFFFFFFF) >> n)
70 #define ROTR(x, n) (SHR(x, n) | (x << (32 - n)))
71 #define S0(x) (ROTR(x, 7) ^ ROTR(x, 18) ^ SHR(x, 3))
72 #define S1(x) (ROTR(x, 17) ^ ROTR(x, 19) ^ SHR(x, 10))
73 #define S2(x) (ROTR(x, 2) ^ ROTR(x, 13) ^ ROTR(x, 22))
74 #define S3(x) (ROTR(x, 6) ^ ROTR(x, 11) ^ ROTR(x, 25))
75 #define F0(x, y, z) ((x & y) | (z & (x | y)))
76 #define F1(x, y, z) (z ^ (x & (y ^ z)))
77 #define R(t) \
78 UNSAFE_BUFFERS((W[t] = S1(W[t - 2]) + W[t - 7] + S0(W[t - 15]) + W[t - 16]))
79 #define PS(a, b, c, d, e, f, g, h, x, K) \
80 { \
81 uint32_t temp1 = h + S3(e) + F1(e, f, g) + K + x; \
82 uint32_t temp2 = S2(a) + F0(a, b, c); \
83 d += temp1; \
84 h = temp1 + temp2; \
85 }
86
87 namespace {
88
SHA_Core_Init(pdfium::span<uint32_t,5> h)89 void SHA_Core_Init(pdfium::span<uint32_t, 5> h) {
90 h[0] = 0x67452301;
91 h[1] = 0xefcdab89;
92 h[2] = 0x98badcfe;
93 h[3] = 0x10325476;
94 h[4] = 0xc3d2e1f0;
95 }
96
SHATransform(pdfium::span<uint32_t> digest,pdfium::span<uint32_t> block)97 void SHATransform(pdfium::span<uint32_t> digest, pdfium::span<uint32_t> block) {
98 std::array<uint32_t, 80> w;
99 int t;
100 for (t = 0; t < 16; t++) {
101 w[t] = block[t];
102 }
103 for (t = 16; t < 80; t++) {
104 uint32_t tmp = w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16];
105 w[t] = rol(tmp, 1);
106 }
107 uint32_t a = digest[0];
108 uint32_t b = digest[1];
109 uint32_t c = digest[2];
110 uint32_t d = digest[3];
111 uint32_t e = digest[4];
112 for (t = 0; t < 20; t++) {
113 uint32_t tmp = rol(a, 5) + ((b & c) | (d & ~b)) + e + w[t] + 0x5a827999;
114 e = d;
115 d = c;
116 c = rol(b, 30);
117 b = a;
118 a = tmp;
119 }
120 for (t = 20; t < 40; t++) {
121 uint32_t tmp = rol(a, 5) + (b ^ c ^ d) + e + w[t] + 0x6ed9eba1;
122 e = d;
123 d = c;
124 c = rol(b, 30);
125 b = a;
126 a = tmp;
127 }
128 for (t = 40; t < 60; t++) {
129 uint32_t tmp =
130 rol(a, 5) + ((b & c) | (b & d) | (c & d)) + e + w[t] + 0x8f1bbcdc;
131 e = d;
132 d = c;
133 c = rol(b, 30);
134 b = a;
135 a = tmp;
136 }
137 for (t = 60; t < 80; t++) {
138 uint32_t tmp = rol(a, 5) + (b ^ c ^ d) + e + w[t] + 0xca62c1d6;
139 e = d;
140 d = c;
141 c = rol(b, 30);
142 b = a;
143 a = tmp;
144 }
145 digest[0] += a;
146 digest[1] += b;
147 digest[2] += c;
148 digest[3] += d;
149 digest[4] += e;
150 }
151
sha256_process(CRYPT_sha2_context * ctx,pdfium::span<const uint8_t,64> data)152 void sha256_process(CRYPT_sha2_context* ctx,
153 pdfium::span<const uint8_t, 64> data) {
154 uint32_t W[64];
155 SHA_GET_UINT32(W[0], data, 0);
156 SHA_GET_UINT32(W[1], data, 4);
157 SHA_GET_UINT32(W[2], data, 8);
158 SHA_GET_UINT32(W[3], data, 12);
159 SHA_GET_UINT32(W[4], data, 16);
160 SHA_GET_UINT32(W[5], data, 20);
161 SHA_GET_UINT32(W[6], data, 24);
162 SHA_GET_UINT32(W[7], data, 28);
163 SHA_GET_UINT32(W[8], data, 32);
164 SHA_GET_UINT32(W[9], data, 36);
165 SHA_GET_UINT32(W[10], data, 40);
166 SHA_GET_UINT32(W[11], data, 44);
167 SHA_GET_UINT32(W[12], data, 48);
168 SHA_GET_UINT32(W[13], data, 52);
169 SHA_GET_UINT32(W[14], data, 56);
170 SHA_GET_UINT32(W[15], data, 60);
171
172 uint32_t A = static_cast<uint32_t>(ctx->state[0]);
173 uint32_t B = static_cast<uint32_t>(ctx->state[1]);
174 uint32_t C = static_cast<uint32_t>(ctx->state[2]);
175 uint32_t D = static_cast<uint32_t>(ctx->state[3]);
176 uint32_t E = static_cast<uint32_t>(ctx->state[4]);
177 uint32_t F = static_cast<uint32_t>(ctx->state[5]);
178 uint32_t G = static_cast<uint32_t>(ctx->state[6]);
179 uint32_t H = static_cast<uint32_t>(ctx->state[7]);
180 PS(A, B, C, D, E, F, G, H, W[0], 0x428A2F98);
181 PS(H, A, B, C, D, E, F, G, W[1], 0x71374491);
182 PS(G, H, A, B, C, D, E, F, W[2], 0xB5C0FBCF);
183 PS(F, G, H, A, B, C, D, E, W[3], 0xE9B5DBA5);
184 PS(E, F, G, H, A, B, C, D, W[4], 0x3956C25B);
185 PS(D, E, F, G, H, A, B, C, W[5], 0x59F111F1);
186 PS(C, D, E, F, G, H, A, B, W[6], 0x923F82A4);
187 PS(B, C, D, E, F, G, H, A, W[7], 0xAB1C5ED5);
188 PS(A, B, C, D, E, F, G, H, W[8], 0xD807AA98);
189 PS(H, A, B, C, D, E, F, G, W[9], 0x12835B01);
190 PS(G, H, A, B, C, D, E, F, W[10], 0x243185BE);
191 PS(F, G, H, A, B, C, D, E, W[11], 0x550C7DC3);
192 PS(E, F, G, H, A, B, C, D, W[12], 0x72BE5D74);
193 PS(D, E, F, G, H, A, B, C, W[13], 0x80DEB1FE);
194 PS(C, D, E, F, G, H, A, B, W[14], 0x9BDC06A7);
195 PS(B, C, D, E, F, G, H, A, W[15], 0xC19BF174);
196 PS(A, B, C, D, E, F, G, H, R(16), 0xE49B69C1);
197 PS(H, A, B, C, D, E, F, G, R(17), 0xEFBE4786);
198 PS(G, H, A, B, C, D, E, F, R(18), 0x0FC19DC6);
199 PS(F, G, H, A, B, C, D, E, R(19), 0x240CA1CC);
200 PS(E, F, G, H, A, B, C, D, R(20), 0x2DE92C6F);
201 PS(D, E, F, G, H, A, B, C, R(21), 0x4A7484AA);
202 PS(C, D, E, F, G, H, A, B, R(22), 0x5CB0A9DC);
203 PS(B, C, D, E, F, G, H, A, R(23), 0x76F988DA);
204 PS(A, B, C, D, E, F, G, H, R(24), 0x983E5152);
205 PS(H, A, B, C, D, E, F, G, R(25), 0xA831C66D);
206 PS(G, H, A, B, C, D, E, F, R(26), 0xB00327C8);
207 PS(F, G, H, A, B, C, D, E, R(27), 0xBF597FC7);
208 PS(E, F, G, H, A, B, C, D, R(28), 0xC6E00BF3);
209 PS(D, E, F, G, H, A, B, C, R(29), 0xD5A79147);
210 PS(C, D, E, F, G, H, A, B, R(30), 0x06CA6351);
211 PS(B, C, D, E, F, G, H, A, R(31), 0x14292967);
212 PS(A, B, C, D, E, F, G, H, R(32), 0x27B70A85);
213 PS(H, A, B, C, D, E, F, G, R(33), 0x2E1B2138);
214 PS(G, H, A, B, C, D, E, F, R(34), 0x4D2C6DFC);
215 PS(F, G, H, A, B, C, D, E, R(35), 0x53380D13);
216 PS(E, F, G, H, A, B, C, D, R(36), 0x650A7354);
217 PS(D, E, F, G, H, A, B, C, R(37), 0x766A0ABB);
218 PS(C, D, E, F, G, H, A, B, R(38), 0x81C2C92E);
219 PS(B, C, D, E, F, G, H, A, R(39), 0x92722C85);
220 PS(A, B, C, D, E, F, G, H, R(40), 0xA2BFE8A1);
221 PS(H, A, B, C, D, E, F, G, R(41), 0xA81A664B);
222 PS(G, H, A, B, C, D, E, F, R(42), 0xC24B8B70);
223 PS(F, G, H, A, B, C, D, E, R(43), 0xC76C51A3);
224 PS(E, F, G, H, A, B, C, D, R(44), 0xD192E819);
225 PS(D, E, F, G, H, A, B, C, R(45), 0xD6990624);
226 PS(C, D, E, F, G, H, A, B, R(46), 0xF40E3585);
227 PS(B, C, D, E, F, G, H, A, R(47), 0x106AA070);
228 PS(A, B, C, D, E, F, G, H, R(48), 0x19A4C116);
229 PS(H, A, B, C, D, E, F, G, R(49), 0x1E376C08);
230 PS(G, H, A, B, C, D, E, F, R(50), 0x2748774C);
231 PS(F, G, H, A, B, C, D, E, R(51), 0x34B0BCB5);
232 PS(E, F, G, H, A, B, C, D, R(52), 0x391C0CB3);
233 PS(D, E, F, G, H, A, B, C, R(53), 0x4ED8AA4A);
234 PS(C, D, E, F, G, H, A, B, R(54), 0x5B9CCA4F);
235 PS(B, C, D, E, F, G, H, A, R(55), 0x682E6FF3);
236 PS(A, B, C, D, E, F, G, H, R(56), 0x748F82EE);
237 PS(H, A, B, C, D, E, F, G, R(57), 0x78A5636F);
238 PS(G, H, A, B, C, D, E, F, R(58), 0x84C87814);
239 PS(F, G, H, A, B, C, D, E, R(59), 0x8CC70208);
240 PS(E, F, G, H, A, B, C, D, R(60), 0x90BEFFFA);
241 PS(D, E, F, G, H, A, B, C, R(61), 0xA4506CEB);
242 PS(C, D, E, F, G, H, A, B, R(62), 0xBEF9A3F7);
243 PS(B, C, D, E, F, G, H, A, R(63), 0xC67178F2);
244 ctx->state[0] += A;
245 ctx->state[1] += B;
246 ctx->state[2] += C;
247 ctx->state[3] += D;
248 ctx->state[4] += E;
249 ctx->state[5] += F;
250 ctx->state[6] += G;
251 ctx->state[7] += H;
252 }
253
254 const uint8_t kSha256Padding[64] = {
255 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
256 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
257 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
258
259 const uint8_t kSha384Padding[128] = {
260 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
261 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
262 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
263 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
264 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
265 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
266 };
267
268 constexpr auto constants = fxcrt::ToArray<const uint64_t>({
269 0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL, 0xb5c0fbcfec4d3b2fULL,
270 0xe9b5dba58189dbbcULL, 0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL,
271 0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL, 0xd807aa98a3030242ULL,
272 0x12835b0145706fbeULL, 0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL,
273 0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL, 0x9bdc06a725c71235ULL,
274 0xc19bf174cf692694ULL, 0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL,
275 0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL, 0x2de92c6f592b0275ULL,
276 0x4a7484aa6ea6e483ULL, 0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL,
277 0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL, 0xb00327c898fb213fULL,
278 0xbf597fc7beef0ee4ULL, 0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL,
279 0x06ca6351e003826fULL, 0x142929670a0e6e70ULL, 0x27b70a8546d22ffcULL,
280 0x2e1b21385c26c926ULL, 0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL,
281 0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL, 0x81c2c92e47edaee6ULL,
282 0x92722c851482353bULL, 0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL,
283 0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL, 0xd192e819d6ef5218ULL,
284 0xd69906245565a910ULL, 0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL,
285 0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL, 0x2748774cdf8eeb99ULL,
286 0x34b0bcb5e19b48a8ULL, 0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL,
287 0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL, 0x748f82ee5defb2fcULL,
288 0x78a5636f43172f60ULL, 0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL,
289 0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL, 0xbef9a3f7b2c67915ULL,
290 0xc67178f2e372532bULL, 0xca273eceea26619cULL, 0xd186b8c721c0c207ULL,
291 0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL, 0x06f067aa72176fbaULL,
292 0x0a637dc5a2c898a6ULL, 0x113f9804bef90daeULL, 0x1b710b35131c471bULL,
293 0x28db77f523047d84ULL, 0x32caab7b40c72493ULL, 0x3c9ebe0a15c9bebcULL,
294 0x431d67c49c100d4cULL, 0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL,
295 0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL,
296 });
297
sha384_process(CRYPT_sha2_context * ctx,pdfium::span<const uint8_t,128> data)298 void sha384_process(CRYPT_sha2_context* ctx,
299 pdfium::span<const uint8_t, 128> data) {
300 std::array<uint64_t, 80> W;
301 SHA_GET_UINT64(W[0], data, 0);
302 SHA_GET_UINT64(W[1], data, 8);
303 SHA_GET_UINT64(W[2], data, 16);
304 SHA_GET_UINT64(W[3], data, 24);
305 SHA_GET_UINT64(W[4], data, 32);
306 SHA_GET_UINT64(W[5], data, 40);
307 SHA_GET_UINT64(W[6], data, 48);
308 SHA_GET_UINT64(W[7], data, 56);
309 SHA_GET_UINT64(W[8], data, 64);
310 SHA_GET_UINT64(W[9], data, 72);
311 SHA_GET_UINT64(W[10], data, 80);
312 SHA_GET_UINT64(W[11], data, 88);
313 SHA_GET_UINT64(W[12], data, 96);
314 SHA_GET_UINT64(W[13], data, 104);
315 SHA_GET_UINT64(W[14], data, 112);
316 SHA_GET_UINT64(W[15], data, 120);
317 uint64_t A = ctx->state[0];
318 uint64_t B = ctx->state[1];
319 uint64_t C = ctx->state[2];
320 uint64_t D = ctx->state[3];
321 uint64_t E = ctx->state[4];
322 uint64_t F = ctx->state[5];
323 uint64_t G = ctx->state[6];
324 uint64_t H = ctx->state[7];
325 for (int i = 0; i < 10; ++i) {
326 uint64_t temp[8];
327 if (i < 2) {
328 temp[0] = W[i * 8];
329 temp[1] = W[i * 8 + 1];
330 temp[2] = W[i * 8 + 2];
331 temp[3] = W[i * 8 + 3];
332 temp[4] = W[i * 8 + 4];
333 temp[5] = W[i * 8 + 5];
334 temp[6] = W[i * 8 + 6];
335 temp[7] = W[i * 8 + 7];
336 } else {
337 temp[0] = SHA384_R(i * 8);
338 temp[1] = SHA384_R(i * 8 + 1);
339 temp[2] = SHA384_R(i * 8 + 2);
340 temp[3] = SHA384_R(i * 8 + 3);
341 temp[4] = SHA384_R(i * 8 + 4);
342 temp[5] = SHA384_R(i * 8 + 5);
343 temp[6] = SHA384_R(i * 8 + 6);
344 temp[7] = SHA384_R(i * 8 + 7);
345 }
346 SHA384_P(A, B, C, D, E, F, G, H, temp[0], constants[i * 8]);
347 SHA384_P(H, A, B, C, D, E, F, G, temp[1], constants[i * 8 + 1]);
348 SHA384_P(G, H, A, B, C, D, E, F, temp[2], constants[i * 8 + 2]);
349 SHA384_P(F, G, H, A, B, C, D, E, temp[3], constants[i * 8 + 3]);
350 SHA384_P(E, F, G, H, A, B, C, D, temp[4], constants[i * 8 + 4]);
351 SHA384_P(D, E, F, G, H, A, B, C, temp[5], constants[i * 8 + 5]);
352 SHA384_P(C, D, E, F, G, H, A, B, temp[6], constants[i * 8 + 6]);
353 SHA384_P(B, C, D, E, F, G, H, A, temp[7], constants[i * 8 + 7]);
354 }
355 ctx->state[0] += A;
356 ctx->state[1] += B;
357 ctx->state[2] += C;
358 ctx->state[3] += D;
359 ctx->state[4] += E;
360 ctx->state[5] += F;
361 ctx->state[6] += G;
362 ctx->state[7] += H;
363 }
364
365 } // namespace
366
CRYPT_SHA1Start(CRYPT_sha1_context * context)367 void CRYPT_SHA1Start(CRYPT_sha1_context* context) {
368 SHA_Core_Init(context->h);
369 context->total_bytes = 0;
370 context->blkused = 0;
371 }
372
CRYPT_SHA1Update(CRYPT_sha1_context * context,pdfium::span<const uint8_t> data)373 void CRYPT_SHA1Update(CRYPT_sha1_context* context,
374 pdfium::span<const uint8_t> data) {
375 const auto block_span = pdfium::make_span(context->block);
376 context->total_bytes += data.size();
377 if (context->blkused && data.size() < 64 - context->blkused) {
378 fxcrt::Copy(data, block_span.subspan(context->blkused));
379 context->blkused += data.size();
380 return;
381 }
382 std::array<uint32_t, 16> wordblock;
383 while (data.size() >= 64 - context->blkused) {
384 fxcrt::Copy(data.first(64 - context->blkused),
385 block_span.subspan(context->blkused));
386 data = data.subspan(64 - context->blkused);
387 for (int i = 0; i < 16; i++) {
388 wordblock[i] = (((uint32_t)context->block[i * 4 + 0]) << 24) |
389 (((uint32_t)context->block[i * 4 + 1]) << 16) |
390 (((uint32_t)context->block[i * 4 + 2]) << 8) |
391 (((uint32_t)context->block[i * 4 + 3]) << 0);
392 }
393 SHATransform(context->h, wordblock);
394 context->blkused = 0;
395 }
396 fxcrt::Copy(data, block_span);
397 context->blkused = static_cast<uint32_t>(data.size());
398 }
399
CRYPT_SHA1Finish(CRYPT_sha1_context * context,pdfium::span<uint8_t,20> digest)400 void CRYPT_SHA1Finish(CRYPT_sha1_context* context,
401 pdfium::span<uint8_t, 20> digest) {
402 uint64_t total_bits = 8 * context->total_bytes; // Prior to padding.
403 std::array<uint8_t, 64> c;
404 uint8_t pad;
405 if (context->blkused >= 56) {
406 pad = 56 + 64 - context->blkused;
407 } else {
408 pad = 56 - context->blkused;
409 }
410 fxcrt::Fill(pdfium::make_span(c).first(pad), 0);
411 c[0] = 0x80;
412 CRYPT_SHA1Update(context, pdfium::make_span(c).first(pad));
413 c[0] = (total_bits >> 56) & 0xFF;
414 c[1] = (total_bits >> 48) & 0xFF;
415 c[2] = (total_bits >> 40) & 0xFF;
416 c[3] = (total_bits >> 32) & 0xFF;
417 c[4] = (total_bits >> 24) & 0xFF;
418 c[5] = (total_bits >> 16) & 0xFF;
419 c[6] = (total_bits >> 8) & 0xFF;
420 c[7] = (total_bits >> 0) & 0xFF;
421 CRYPT_SHA1Update(context, pdfium::make_span(c).first<8u>());
422 for (int i = 0; i < 5; i++) {
423 digest[i * 4] = (context->h[i] >> 24) & 0xFF;
424 digest[i * 4 + 1] = (context->h[i] >> 16) & 0xFF;
425 digest[i * 4 + 2] = (context->h[i] >> 8) & 0xFF;
426 digest[i * 4 + 3] = (context->h[i]) & 0xFF;
427 }
428 }
429
CRYPT_SHA1Generate(pdfium::span<const uint8_t> data)430 DataVector<uint8_t> CRYPT_SHA1Generate(pdfium::span<const uint8_t> data) {
431 CRYPT_sha1_context s;
432 CRYPT_SHA1Start(&s);
433 CRYPT_SHA1Update(&s, data);
434
435 DataVector<uint8_t> digest(20);
436 CRYPT_SHA1Finish(&s, digest);
437 return digest;
438 }
439
CRYPT_SHA256Start(CRYPT_sha2_context * context)440 void CRYPT_SHA256Start(CRYPT_sha2_context* context) {
441 context->total_bytes = 0;
442 context->state[0] = 0x6A09E667;
443 context->state[1] = 0xBB67AE85;
444 context->state[2] = 0x3C6EF372;
445 context->state[3] = 0xA54FF53A;
446 context->state[4] = 0x510E527F;
447 context->state[5] = 0x9B05688C;
448 context->state[6] = 0x1F83D9AB;
449 context->state[7] = 0x5BE0CD19;
450 fxcrt::Fill(context->buffer, 0);
451 }
452
CRYPT_SHA256Update(CRYPT_sha2_context * context,pdfium::span<const uint8_t> data)453 void CRYPT_SHA256Update(CRYPT_sha2_context* context,
454 pdfium::span<const uint8_t> data) {
455 if (data.empty()) {
456 return;
457 }
458 const auto buffer_span = pdfium::make_span(context->buffer);
459 uint32_t left = context->total_bytes & 0x3F;
460 uint32_t fill = 64 - left;
461 context->total_bytes += data.size();
462 if (left && data.size() >= fill) {
463 fxcrt::Copy(data.first(fill), buffer_span.subspan(left));
464 sha256_process(context, buffer_span);
465 data = data.subspan(fill);
466 left = 0;
467 }
468 while (data.size() >= 64) {
469 sha256_process(context, data.first(64u));
470 data = data.subspan(64u);
471 }
472 if (!data.empty()) {
473 fxcrt::Copy(data, buffer_span.subspan(left));
474 }
475 }
476
CRYPT_SHA256Finish(CRYPT_sha2_context * context,pdfium::span<uint8_t,32> digest)477 void CRYPT_SHA256Finish(CRYPT_sha2_context* context,
478 pdfium::span<uint8_t, 32> digest) {
479 uint8_t msglen[8];
480 uint64_t total_bits = 8 * context->total_bytes; // Prior to padding.
481 SHA_PUT_UINT64(total_bits, msglen, 0);
482 uint32_t last = context->total_bytes & 0x3F;
483 uint32_t padn = (last < 56) ? (56 - last) : (120 - last);
484 CRYPT_SHA256Update(context, pdfium::span(kSha256Padding).first(padn));
485 CRYPT_SHA256Update(context, msglen);
486 SHA_PUT_UINT32(context->state[0], digest, 0);
487 SHA_PUT_UINT32(context->state[1], digest, 4);
488 SHA_PUT_UINT32(context->state[2], digest, 8);
489 SHA_PUT_UINT32(context->state[3], digest, 12);
490 SHA_PUT_UINT32(context->state[4], digest, 16);
491 SHA_PUT_UINT32(context->state[5], digest, 20);
492 SHA_PUT_UINT32(context->state[6], digest, 24);
493 SHA_PUT_UINT32(context->state[7], digest, 28);
494 }
495
CRYPT_SHA256Generate(pdfium::span<const uint8_t> data)496 DataVector<uint8_t> CRYPT_SHA256Generate(pdfium::span<const uint8_t> data) {
497 CRYPT_sha2_context ctx;
498 CRYPT_SHA256Start(&ctx);
499 CRYPT_SHA256Update(&ctx, data);
500
501 DataVector<uint8_t> digest(32);
502 CRYPT_SHA256Finish(&ctx, digest);
503 return digest;
504 }
505
CRYPT_SHA384Start(CRYPT_sha2_context * context)506 void CRYPT_SHA384Start(CRYPT_sha2_context* context) {
507 context->total_bytes = 0;
508 context->state[0] = 0xcbbb9d5dc1059ed8ULL;
509 context->state[1] = 0x629a292a367cd507ULL;
510 context->state[2] = 0x9159015a3070dd17ULL;
511 context->state[3] = 0x152fecd8f70e5939ULL;
512 context->state[4] = 0x67332667ffc00b31ULL;
513 context->state[5] = 0x8eb44a8768581511ULL;
514 context->state[6] = 0xdb0c2e0d64f98fa7ULL;
515 context->state[7] = 0x47b5481dbefa4fa4ULL;
516 fxcrt::Fill(context->buffer, 0);
517 }
518
CRYPT_SHA384Update(CRYPT_sha2_context * context,pdfium::span<const uint8_t> data)519 void CRYPT_SHA384Update(CRYPT_sha2_context* context,
520 pdfium::span<const uint8_t> data) {
521 if (data.empty()) {
522 return;
523 }
524 const auto buffer_span = pdfium::make_span(context->buffer);
525 uint32_t left = context->total_bytes & 0x7F;
526 uint32_t fill = 128 - left;
527 context->total_bytes += data.size();
528 if (left && data.size() >= fill) {
529 fxcrt::Copy(data.first(fill), buffer_span.subspan(left));
530 sha384_process(context, buffer_span);
531 data = data.subspan(fill);
532 left = 0;
533 }
534 while (data.size() >= 128) {
535 sha384_process(context, data);
536 data = data.subspan(128);
537 }
538 if (!data.empty()) {
539 fxcrt::Copy(data, buffer_span.subspan(left));
540 }
541 }
542
CRYPT_SHA384Finish(CRYPT_sha2_context * context,pdfium::span<uint8_t,48> digest)543 void CRYPT_SHA384Finish(CRYPT_sha2_context* context,
544 pdfium::span<uint8_t, 48> digest) {
545 uint8_t msglen[16];
546 uint64_t total_bits = 8 * context->total_bytes; // Prior to padding.
547 SHA_PUT_UINT64(0ULL, msglen, 0);
548 SHA_PUT_UINT64(total_bits, msglen, 8);
549 uint32_t last = context->total_bytes & 0x7F;
550 uint32_t padn = (last < 112) ? (112 - last) : (240 - last);
551 CRYPT_SHA384Update(context, pdfium::make_span(kSha384Padding).first(padn));
552 CRYPT_SHA384Update(context, msglen);
553 SHA_PUT_UINT64(context->state[0], digest, 0);
554 SHA_PUT_UINT64(context->state[1], digest, 8);
555 SHA_PUT_UINT64(context->state[2], digest, 16);
556 SHA_PUT_UINT64(context->state[3], digest, 24);
557 SHA_PUT_UINT64(context->state[4], digest, 32);
558 SHA_PUT_UINT64(context->state[5], digest, 40);
559 }
560
CRYPT_SHA384Generate(pdfium::span<const uint8_t> data)561 DataVector<uint8_t> CRYPT_SHA384Generate(pdfium::span<const uint8_t> data) {
562 CRYPT_sha2_context context;
563 CRYPT_SHA384Start(&context);
564 CRYPT_SHA384Update(&context, data);
565
566 DataVector<uint8_t> digest(48);
567 CRYPT_SHA384Finish(&context, digest);
568 return digest;
569 }
570
CRYPT_SHA512Start(CRYPT_sha2_context * context)571 void CRYPT_SHA512Start(CRYPT_sha2_context* context) {
572 context->total_bytes = 0;
573 context->state[0] = 0x6a09e667f3bcc908ULL;
574 context->state[1] = 0xbb67ae8584caa73bULL;
575 context->state[2] = 0x3c6ef372fe94f82bULL;
576 context->state[3] = 0xa54ff53a5f1d36f1ULL;
577 context->state[4] = 0x510e527fade682d1ULL;
578 context->state[5] = 0x9b05688c2b3e6c1fULL;
579 context->state[6] = 0x1f83d9abfb41bd6bULL;
580 context->state[7] = 0x5be0cd19137e2179ULL;
581 fxcrt::Fill(context->buffer, 0);
582 }
583
CRYPT_SHA512Update(CRYPT_sha2_context * context,pdfium::span<const uint8_t> data)584 void CRYPT_SHA512Update(CRYPT_sha2_context* context,
585 pdfium::span<const uint8_t> data) {
586 CRYPT_SHA384Update(context, data);
587 }
588
CRYPT_SHA512Finish(CRYPT_sha2_context * context,pdfium::span<uint8_t,64> digest)589 void CRYPT_SHA512Finish(CRYPT_sha2_context* context,
590 pdfium::span<uint8_t, 64> digest) {
591 uint8_t msglen[16];
592 uint64_t total_bits = 8 * context->total_bytes;
593 SHA_PUT_UINT64(0ULL, msglen, 0);
594 SHA_PUT_UINT64(total_bits, msglen, 8);
595 uint32_t last = context->total_bytes & 0x7F;
596 uint32_t padn = (last < 112) ? (112 - last) : (240 - last);
597 CRYPT_SHA512Update(context, pdfium::make_span(kSha384Padding).first(padn));
598 CRYPT_SHA512Update(context, msglen);
599 SHA_PUT_UINT64(context->state[0], digest, 0);
600 SHA_PUT_UINT64(context->state[1], digest, 8);
601 SHA_PUT_UINT64(context->state[2], digest, 16);
602 SHA_PUT_UINT64(context->state[3], digest, 24);
603 SHA_PUT_UINT64(context->state[4], digest, 32);
604 SHA_PUT_UINT64(context->state[5], digest, 40);
605 SHA_PUT_UINT64(context->state[6], digest, 48);
606 SHA_PUT_UINT64(context->state[7], digest, 56);
607 }
608
CRYPT_SHA512Generate(pdfium::span<const uint8_t> data)609 DataVector<uint8_t> CRYPT_SHA512Generate(pdfium::span<const uint8_t> data) {
610 CRYPT_sha2_context context;
611 CRYPT_SHA512Start(&context);
612 CRYPT_SHA512Update(&context, data);
613
614 DataVector<uint8_t> digest(64);
615 CRYPT_SHA512Finish(&context, digest);
616 return digest;
617 }
618