D-Bus  1.13.16
dbus-sha.c
1 /* -*- mode: C; c-file-style: "gnu"; indent-tabs-mode: nil; -*- */
2 /* dbus-sha.c SHA-1 implementation
3  *
4  * Copyright (C) 2003 Red Hat Inc.
5  * Copyright (C) 1995 A. M. Kuchling
6  *
7  * Licensed under the Academic Free License version 2.1
8  *
9  * This program is free software; you can redistribute it and/or modify
10  * it under the terms of the GNU General Public License as published by
11  * the Free Software Foundation; either version 2 of the License, or
12  * (at your option) any later version.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License
20  * along with this program; if not, write to the Free Software
21  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
22  *
23  */
24 
25 #include <config.h>
26 #include "dbus-internals.h"
27 #include "dbus-sha.h"
28 #include "dbus-marshal-basic.h" /* for byteswap routines */
29 #include <string.h>
30 
31 /* The following comments have the history of where this code
32  * comes from. I actually copied it from GNet in GNOME CVS.
33  * - hp@redhat.com
34  */
35 
36 /*
37  * sha.h : Implementation of the Secure Hash Algorithm
38  *
39  * Part of the Python Cryptography Toolkit, version 1.0.0
40  *
41  * Copyright (C) 1995, A.M. Kuchling
42  *
43  * Distribute and use freely; there are no restrictions on further
44  * dissemination and usage except those imposed by the laws of your
45  * country of residence.
46  *
47  */
48 
49 /* SHA: NIST's Secure Hash Algorithm */
50 
51 /* Based on SHA code originally posted to sci.crypt by Peter Gutmann
52  in message <30ajo5$oe8@ccu2.auckland.ac.nz>.
53  Modified to test for endianness on creation of SHA objects by AMK.
54  Also, the original specification of SHA was found to have a weakness
55  by NSA/NIST. This code implements the fixed version of SHA.
56 */
57 
58 /* Here's the first paragraph of Peter Gutmann's posting:
59 
60 The following is my SHA (FIPS 180) code updated to allow use of the "fixed"
61 SHA, thanks to Jim Gillogly and an anonymous contributor for the information on
62 what's changed in the new version. The fix is a simple change which involves
63 adding a single rotate in the initial expansion function. It is unknown
64 whether this is an optimal solution to the problem which was discovered in the
65 SHA or whether it's simply a bandaid which fixes the problem with a minimum of
66 effort (for example the reengineering of a great many Capstone chips).
67 */
68 
88 #ifndef DOXYGEN_SHOULD_SKIP_THIS
89 
90 /* The SHA block size and message digest sizes, in bytes */
91 
92 #define SHA_DATASIZE 64
93 #define SHA_DIGESTSIZE 20
94 
95 /* The SHA f()-functions. The f1 and f3 functions can be optimized to
96  save one boolean operation each - thanks to Rich Schroeppel,
97  rcs@cs.arizona.edu for discovering this */
98 
99 /*#define f1(x,y,z) ( ( x & y ) | ( ~x & z ) ) // Rounds 0-19 */
100 #define f1(x,y,z) ( z ^ ( x & ( y ^ z ) ) ) /* Rounds 0-19 */
101 #define f2(x,y,z) ( x ^ y ^ z ) /* Rounds 20-39 */
102 /*#define f3(x,y,z) ( ( x & y ) | ( x & z ) | ( y & z ) ) // Rounds 40-59 */
103 #define f3(x,y,z) ( ( x & y ) | ( z & ( x | y ) ) ) /* Rounds 40-59 */
104 #define f4(x,y,z) ( x ^ y ^ z ) /* Rounds 60-79 */
105 
106 /* The SHA Mysterious Constants */
107 
108 #define K1 0x5A827999L /* Rounds 0-19 */
109 #define K2 0x6ED9EBA1L /* Rounds 20-39 */
110 #define K3 0x8F1BBCDCL /* Rounds 40-59 */
111 #define K4 0xCA62C1D6L /* Rounds 60-79 */
112 
113 /* SHA initial values */
114 
115 #define h0init 0x67452301L
116 #define h1init 0xEFCDAB89L
117 #define h2init 0x98BADCFEL
118 #define h3init 0x10325476L
119 #define h4init 0xC3D2E1F0L
120 
121 /* Note that it may be necessary to add parentheses to these macros if they
122  are to be called with expressions as arguments */
123 /* 32-bit rotate left - kludged with shifts */
124 
125 #define ROTL(n,X) ( ( ( X ) << n ) | ( ( X ) >> ( 32 - n ) ) )
126 
127 /* The initial expanding function. The hash function is defined over an
128  80-word expanded input array W, where the first 16 are copies of the input
129  data, and the remaining 64 are defined by
130 
131  W[ i ] = W[ i - 16 ] ^ W[ i - 14 ] ^ W[ i - 8 ] ^ W[ i - 3 ]
132 
133  This implementation generates these values on the fly in a circular
134  buffer - thanks to Colin Plumb, colin@nyx10.cs.du.edu for this
135  optimization.
136 
137  The updated SHA changes the expanding function by adding a rotate of 1
138  bit. Thanks to Jim Gillogly, jim@rand.org, and an anonymous contributor
139  for this information */
140 
141 #define expand(W,i) ( W[ i & 15 ] = ROTL( 1, ( W[ i & 15 ] ^ W[ (i - 14) & 15 ] ^ \
142  W[ (i - 8) & 15 ] ^ W[ (i - 3) & 15 ] ) ) )
143 
144 
145 /* The prototype SHA sub-round. The fundamental sub-round is:
146 
147  a' = e + ROTL( 5, a ) + f( b, c, d ) + k + data;
148  b' = a;
149  c' = ROTL( 30, b );
150  d' = c;
151  e' = d;
152 
153  but this is implemented by unrolling the loop 5 times and renaming the
154  variables ( e, a, b, c, d ) = ( a', b', c', d', e' ) each iteration.
155  This code is then replicated 20 times for each of the 4 functions, using
156  the next 20 values from the W[] array each time */
157 
158 #define subRound(a, b, c, d, e, f, k, data) \
159  ( e += ROTL( 5, a ) + f( b, c, d ) + k + data, b = ROTL( 30, b ) )
160 
161 #endif /* !DOXYGEN_SHOULD_SKIP_THIS */
162 
163 /* Perform the SHA transformation. Note that this code, like MD5, seems to
164  break some optimizing compilers due to the complexity of the expressions
165  and the size of the basic block. It may be necessary to split it into
166  sections, e.g. based on the four subrounds
167 
168  Note that this corrupts the context->data area */
169 
170 static void
171 SHATransform(dbus_uint32_t *digest, dbus_uint32_t *data)
172 {
173  dbus_uint32_t A, B, C, D, E; /* Local vars */
174  dbus_uint32_t eData[16]; /* Expanded data */
175 
176  /* Set up first buffer and local data buffer */
177  A = digest[0];
178  B = digest[1];
179  C = digest[2];
180  D = digest[3];
181  E = digest[4];
182  memmove (eData, data, SHA_DATASIZE);
183 
184  /* Heavy mangling, in 4 sub-rounds of 20 interations each. */
185  subRound (A, B, C, D, E, f1, K1, eData[0]);
186  subRound (E, A, B, C, D, f1, K1, eData[1]);
187  subRound (D, E, A, B, C, f1, K1, eData[2]);
188  subRound (C, D, E, A, B, f1, K1, eData[3]);
189  subRound (B, C, D, E, A, f1, K1, eData[4]);
190  subRound (A, B, C, D, E, f1, K1, eData[5]);
191  subRound (E, A, B, C, D, f1, K1, eData[6]);
192  subRound (D, E, A, B, C, f1, K1, eData[7]);
193  subRound (C, D, E, A, B, f1, K1, eData[8]);
194  subRound (B, C, D, E, A, f1, K1, eData[9]);
195  subRound (A, B, C, D, E, f1, K1, eData[10]);
196  subRound (E, A, B, C, D, f1, K1, eData[11]);
197  subRound (D, E, A, B, C, f1, K1, eData[12]);
198  subRound (C, D, E, A, B, f1, K1, eData[13]);
199  subRound (B, C, D, E, A, f1, K1, eData[14]);
200  subRound (A, B, C, D, E, f1, K1, eData[15]);
201  subRound (E, A, B, C, D, f1, K1, expand ( eData, 16) );
202  subRound (D, E, A, B, C, f1, K1, expand ( eData, 17) );
203  subRound (C, D, E, A, B, f1, K1, expand ( eData, 18) );
204  subRound (B, C, D, E, A, f1, K1, expand ( eData, 19) );
205 
206  subRound (A, B, C, D, E, f2, K2, expand ( eData, 20) );
207  subRound (E, A, B, C, D, f2, K2, expand ( eData, 21) );
208  subRound (D, E, A, B, C, f2, K2, expand ( eData, 22) );
209  subRound (C, D, E, A, B, f2, K2, expand ( eData, 23) );
210  subRound (B, C, D, E, A, f2, K2, expand ( eData, 24) );
211  subRound (A, B, C, D, E, f2, K2, expand ( eData, 25) );
212  subRound (E, A, B, C, D, f2, K2, expand ( eData, 26) );
213  subRound (D, E, A, B, C, f2, K2, expand ( eData, 27) );
214  subRound (C, D, E, A, B, f2, K2, expand ( eData, 28) );
215  subRound (B, C, D, E, A, f2, K2, expand ( eData, 29) );
216  subRound (A, B, C, D, E, f2, K2, expand ( eData, 30) );
217  subRound (E, A, B, C, D, f2, K2, expand ( eData, 31) );
218  subRound (D, E, A, B, C, f2, K2, expand ( eData, 32) );
219  subRound (C, D, E, A, B, f2, K2, expand ( eData, 33) );
220  subRound (B, C, D, E, A, f2, K2, expand ( eData, 34) );
221  subRound (A, B, C, D, E, f2, K2, expand ( eData, 35) );
222  subRound (E, A, B, C, D, f2, K2, expand ( eData, 36) );
223  subRound (D, E, A, B, C, f2, K2, expand ( eData, 37) );
224  subRound (C, D, E, A, B, f2, K2, expand ( eData, 38) );
225  subRound (B, C, D, E, A, f2, K2, expand ( eData, 39) );
226 
227  subRound (A, B, C, D, E, f3, K3, expand ( eData, 40) );
228  subRound (E, A, B, C, D, f3, K3, expand ( eData, 41) );
229  subRound (D, E, A, B, C, f3, K3, expand ( eData, 42) );
230  subRound (C, D, E, A, B, f3, K3, expand ( eData, 43) );
231  subRound (B, C, D, E, A, f3, K3, expand ( eData, 44) );
232  subRound (A, B, C, D, E, f3, K3, expand ( eData, 45) );
233  subRound (E, A, B, C, D, f3, K3, expand ( eData, 46) );
234  subRound (D, E, A, B, C, f3, K3, expand ( eData, 47) );
235  subRound (C, D, E, A, B, f3, K3, expand ( eData, 48) );
236  subRound (B, C, D, E, A, f3, K3, expand ( eData, 49) );
237  subRound (A, B, C, D, E, f3, K3, expand ( eData, 50) );
238  subRound (E, A, B, C, D, f3, K3, expand ( eData, 51) );
239  subRound (D, E, A, B, C, f3, K3, expand ( eData, 52) );
240  subRound (C, D, E, A, B, f3, K3, expand ( eData, 53) );
241  subRound (B, C, D, E, A, f3, K3, expand ( eData, 54) );
242  subRound (A, B, C, D, E, f3, K3, expand ( eData, 55) );
243  subRound (E, A, B, C, D, f3, K3, expand ( eData, 56) );
244  subRound (D, E, A, B, C, f3, K3, expand ( eData, 57) );
245  subRound (C, D, E, A, B, f3, K3, expand ( eData, 58) );
246  subRound (B, C, D, E, A, f3, K3, expand ( eData, 59) );
247 
248  subRound (A, B, C, D, E, f4, K4, expand ( eData, 60) );
249  subRound (E, A, B, C, D, f4, K4, expand ( eData, 61) );
250  subRound (D, E, A, B, C, f4, K4, expand ( eData, 62) );
251  subRound (C, D, E, A, B, f4, K4, expand ( eData, 63) );
252  subRound (B, C, D, E, A, f4, K4, expand ( eData, 64) );
253  subRound (A, B, C, D, E, f4, K4, expand ( eData, 65) );
254  subRound (E, A, B, C, D, f4, K4, expand ( eData, 66) );
255  subRound (D, E, A, B, C, f4, K4, expand ( eData, 67) );
256  subRound (C, D, E, A, B, f4, K4, expand ( eData, 68) );
257  subRound (B, C, D, E, A, f4, K4, expand ( eData, 69) );
258  subRound (A, B, C, D, E, f4, K4, expand ( eData, 70) );
259  subRound (E, A, B, C, D, f4, K4, expand ( eData, 71) );
260  subRound (D, E, A, B, C, f4, K4, expand ( eData, 72) );
261  subRound (C, D, E, A, B, f4, K4, expand ( eData, 73) );
262  subRound (B, C, D, E, A, f4, K4, expand ( eData, 74) );
263  subRound (A, B, C, D, E, f4, K4, expand ( eData, 75) );
264  subRound (E, A, B, C, D, f4, K4, expand ( eData, 76) );
265  subRound (D, E, A, B, C, f4, K4, expand ( eData, 77) );
266  subRound (C, D, E, A, B, f4, K4, expand ( eData, 78) );
267  subRound (B, C, D, E, A, f4, K4, expand ( eData, 79) );
268 
269  /* Build message digest */
270  digest[0] += A;
271  digest[1] += B;
272  digest[2] += C;
273  digest[3] += D;
274  digest[4] += E;
275 }
276 
277 /* When run on a little-endian CPU we need to perform byte reversal on an
278  array of longwords. */
279 
280 #ifdef WORDS_BIGENDIAN
281 #define swap_words(buffer, byte_count)
282 #else
283 static void
284 swap_words (dbus_uint32_t *buffer,
285  int byte_count)
286 {
287  byte_count /= sizeof (dbus_uint32_t);
288  while (byte_count--)
289  {
290  *buffer = DBUS_UINT32_SWAP_LE_BE (*buffer);
291  ++buffer;
292  }
293 }
294 #endif
295 
296 static void
297 sha_init (DBusSHAContext *context)
298 {
299  /* Set the h-vars to their initial values */
300  context->digest[0] = h0init;
301  context->digest[1] = h1init;
302  context->digest[2] = h2init;
303  context->digest[3] = h3init;
304  context->digest[4] = h4init;
305 
306  /* Initialise bit count */
307  context->count_lo = context->count_hi = 0;
308 }
309 
310 static void
311 sha_append (DBusSHAContext *context,
312  const unsigned char *buffer,
313  unsigned int count)
314 {
315  dbus_uint32_t tmp;
316  unsigned int dataCount;
317 
318  /* Update bitcount */
319  tmp = context->count_lo;
320  if (( context->count_lo = tmp + ( ( dbus_uint32_t) count << 3) ) < tmp)
321  context->count_hi++; /* Carry from low to high */
322  context->count_hi += count >> 29;
323 
324  /* Get count of bytes already in data */
325  dataCount = (int) (tmp >> 3) & 0x3F;
326 
327  /* Handle any leading odd-sized chunks */
328  if (dataCount)
329  {
330  unsigned char *p = (unsigned char *) context->data + dataCount;
331 
332  dataCount = SHA_DATASIZE - dataCount;
333  if (count < dataCount)
334  {
335  memmove (p, buffer, count);
336  return;
337  }
338  memmove (p, buffer, dataCount);
339  swap_words (context->data, SHA_DATASIZE);
340  SHATransform (context->digest, context->data);
341  buffer += dataCount;
342  count -= dataCount;
343  }
344 
345  /* Process data in SHA_DATASIZE chunks */
346  while (count >= SHA_DATASIZE)
347  {
348  memmove (context->data, buffer, SHA_DATASIZE);
349  swap_words (context->data, SHA_DATASIZE);
350  SHATransform (context->digest, context->data);
351  buffer += SHA_DATASIZE;
352  count -= SHA_DATASIZE;
353  }
354 
355  /* Handle any remaining bytes of data. */
356  memmove (context->data, buffer, count);
357 }
358 
359 
360 /* Final wrapup - pad to SHA_DATASIZE-byte boundary with the bit pattern
361  1 0* (64-bit count of bits processed, MSB-first) */
362 
363 static void
364 sha_finish (DBusSHAContext *context, unsigned char digest[20])
365 {
366  int count;
367  unsigned char *data_p;
368 
369  /* Compute number of bytes mod 64 */
370  count = (int) context->count_lo;
371  count = (count >> 3) & 0x3F;
372 
373  /* Set the first char of padding to 0x80. This is safe since there is
374  always at least one byte free */
375  data_p = (unsigned char *) context->data + count;
376  *data_p++ = 0x80;
377 
378  /* Bytes of padding needed to make 64 bytes */
379  count = SHA_DATASIZE - 1 - count;
380 
381  /* Pad out to 56 mod 64 */
382  if (count < 8)
383  {
384  /* Two lots of padding: Pad the first block to 64 bytes */
385  memset (data_p, 0, count);
386  swap_words (context->data, SHA_DATASIZE);
387  SHATransform (context->digest, context->data);
388 
389  /* Now fill the next block with 56 bytes */
390  memset (context->data, 0, SHA_DATASIZE - 8);
391  }
392  else
393  /* Pad block to 56 bytes */
394  memset (data_p, 0, count - 8);
395 
396  /* Append length in bits and transform */
397  context->data[14] = context->count_hi;
398  context->data[15] = context->count_lo;
399 
400  swap_words (context->data, SHA_DATASIZE - 8);
401  SHATransform (context->digest, context->data);
402  swap_words (context->digest, SHA_DIGESTSIZE);
403  memmove (digest, context->digest, SHA_DIGESTSIZE);
404 }
405  /* End of internals */
407 
419 void
421 {
422  sha_init (context);
423 }
424 
431 void
433  const DBusString *data)
434 {
435  unsigned int inputLen;
436  const unsigned char *input;
437 
438  input = (const unsigned char*) _dbus_string_get_const_data (data);
439  inputLen = _dbus_string_get_length (data);
440 
441  sha_append (context, input, inputLen);
442 }
443 
457  DBusString *results)
458 {
459  unsigned char digest[20];
460 
461  sha_finish (context, digest);
462 
463  if (!_dbus_string_append_len (results, (const char *) digest, 20))
464  return FALSE;
465 
466  /* some kind of security paranoia, though it seems pointless
467  * to me given the nonzeroed stuff flying around
468  */
469  _DBUS_ZERO(*context);
470 
471  return TRUE;
472 }
473 
484  DBusString *ascii_output)
485 {
486  DBusSHAContext context;
487  DBusString digest;
488 
489  _dbus_sha_init (&context);
490 
491  _dbus_sha_update (&context, data);
492 
493  if (!_dbus_string_init (&digest))
494  return FALSE;
495 
496  if (!_dbus_sha_final (&context, &digest))
497  goto error;
498 
499  if (!_dbus_string_hex_encode (&digest, 0, ascii_output,
500  _dbus_string_get_length (ascii_output)))
501  goto error;
502 
503  _dbus_string_free (&digest);
504 
505  return TRUE;
506 
507  error:
508  _dbus_string_free (&digest);
509  return FALSE;
510 }
511  /* end of exported functions */
DBusSHAContext::count_lo
dbus_uint32_t count_lo
64-bit bit count
Definition: dbus-sha.h:40
_dbus_string_free
void _dbus_string_free(DBusString *str)
Frees a string created by _dbus_string_init(), and fills it with the same contents as #_DBUS_STRING_I...
Definition: dbus-string.c:271
_dbus_sha_init
void _dbus_sha_init(DBusSHAContext *context)
Initializes the SHA context.
Definition: dbus-sha.c:420
_dbus_string_append_len
dbus_bool_t _dbus_string_append_len(DBusString *str, const char *buffer, int len)
Appends block of bytes with the given length to a DBusString.
Definition: dbus-string.c:1161
_dbus_string_init
dbus_bool_t _dbus_string_init(DBusString *str)
Initializes a string.
Definition: dbus-string.c:182
DBusSHAContext
Struct storing state of the SHA algorithm.
Definition: dbus-sha.h:37
TRUE
#define TRUE
DBusString
Definition: dbus-string.h:42
FALSE
#define FALSE
_dbus_sha_compute
dbus_bool_t _dbus_sha_compute(const DBusString *data, DBusString *ascii_output)
Computes the ASCII hex-encoded shasum of the given data and appends it to the output string.
Definition: dbus-sha.c:483
_dbus_string_hex_encode
dbus_bool_t _dbus_string_hex_encode(const DBusString *source, int start, DBusString *dest, int insert_at)
Encodes a string in hex, the way MD5 and SHA-1 are usually encoded.
Definition: dbus-string.c:2309
DBusSHAContext::count_hi
dbus_uint32_t count_hi
No clue.
Definition: dbus-sha.h:41
_dbus_sha_final
dbus_bool_t _dbus_sha_final(DBusSHAContext *context, DBusString *results)
SHA finalization.
Definition: dbus-sha.c:456
DBusSHAContext::data
dbus_uint32_t data[16]
SHA data buffer.
Definition: dbus-sha.h:42
_dbus_sha_update
void _dbus_sha_update(DBusSHAContext *context, const DBusString *data)
Feeds more data into an existing shasum computation.
Definition: dbus-sha.c:432
_DBUS_ZERO
#define _DBUS_ZERO(object)
Definition: dbus-internals.h:194
DBusSHAContext::digest
dbus_uint32_t digest[5]
Message digest.
Definition: dbus-sha.h:39
dbus_bool_t
dbus_uint32_t dbus_bool_t
Definition: dbus-types.h:35