mirror of
https://github.com/xcat2/confluent.git
synced 2024-11-22 09:32:21 +00:00
2d5a016ad4
For autocons, though it's copying from a static source, use strncpy anyway, despite the length being hardcoded already. This makes static analysis happier. Terminate the buff with a NULL. This is superfluous as the strcpies that preceed are guaranteed to null terminate, or exit the program. In clortho, free(tmps), which is a valid leak, though clortho isn't long running. Also, explicitly return 0, which is ultimately returned by main(). Static analysis could not figure out that padneeded implies that keylen is short of chunk size, so change the check to be expressly the scenario that static analysis was worried about directly, rather than indirectly. Hint to static analysis that we don't care about the time as a time value by masking the lower 32 bit explicitly. This was already happening, but static analysis was afraid that we wanted this as time instead of just some mutating value.
257 lines
8.5 KiB
C
257 lines
8.5 KiB
C
#include "sha-256.h"
|
|
#include <stdlib.h>
|
|
|
|
#define TOTAL_LEN_LEN 8
|
|
|
|
void hmac_sha256(uint8_t* hmac, char* msg, int msglen, char* key, unsigned int keylen) {
|
|
uint8_t *scratch;
|
|
uint8_t keyprime[SIZE_OF_SHA_256_CHUNK];
|
|
uint8_t keymod[SIZE_OF_SHA_256_CHUNK];
|
|
int padneeded;
|
|
if (keylen > SIZE_OF_SHA_256_CHUNK) {
|
|
calc_sha_256(keyprime, key, keylen);
|
|
keylen = SIZE_OF_SHA_256_HASH;
|
|
} else {
|
|
memcpy(keyprime, key, keylen);
|
|
}
|
|
padneeded = SIZE_OF_SHA_256_CHUNK - keylen;
|
|
if (keylen < SIZE_OF_SHA_256_CHUNK) {
|
|
memset(keyprime + keylen, 0, padneeded);
|
|
}
|
|
for (padneeded=0; padneeded < SIZE_OF_SHA_256_CHUNK; padneeded++) {
|
|
keymod[padneeded] = keyprime[padneeded] ^ 0x36;
|
|
}
|
|
scratch = malloc(SIZE_OF_SHA_256_CHUNK + msglen);
|
|
memcpy(scratch, keymod, SIZE_OF_SHA_256_CHUNK);
|
|
memcpy(scratch + SIZE_OF_SHA_256_CHUNK, msg, msglen);
|
|
calc_sha_256(hmac, scratch, SIZE_OF_SHA_256_CHUNK + msglen);
|
|
for (padneeded=0; padneeded < SIZE_OF_SHA_256_CHUNK; padneeded++) {
|
|
keymod[padneeded] = keyprime[padneeded] ^ 0x5c;
|
|
}
|
|
free(scratch);
|
|
scratch = malloc(SIZE_OF_SHA_256_CHUNK + SIZE_OF_SHA_256_HASH);
|
|
memcpy(scratch, keymod, SIZE_OF_SHA_256_CHUNK);
|
|
memcpy(scratch + SIZE_OF_SHA_256_CHUNK, hmac, SIZE_OF_SHA_256_HASH);
|
|
calc_sha_256(hmac, scratch, SIZE_OF_SHA_256_CHUNK + SIZE_OF_SHA_256_HASH);
|
|
free(scratch);
|
|
}
|
|
|
|
/*
|
|
* Comments from pseudo-code at https://en.wikipedia.org/wiki/SHA-2 are reproduced here.
|
|
* When useful for clarification, portions of the pseudo-code are reproduced here too.
|
|
*/
|
|
|
|
/*
|
|
* @brief Rotate a 32-bit value by a number of bits to the right.
|
|
* @param value The value to be rotated.
|
|
* @param count The number of bits to rotate by.
|
|
* @return The rotated value.
|
|
*/
|
|
static inline uint32_t right_rot(uint32_t value, unsigned int count)
|
|
{
|
|
/*
|
|
* Defined behaviour in standard C for all count where 0 < count < 32, which is what we need here.
|
|
*/
|
|
return value >> count | value << (32 - count);
|
|
}
|
|
|
|
/*
|
|
* @brief Update a hash value under calculation with a new chunk of data.
|
|
* @param h Pointer to the first hash item, of a total of eight.
|
|
* @param p Pointer to the chunk data, which has a standard length.
|
|
*
|
|
* @note This is the SHA-256 work horse.
|
|
*/
|
|
static inline void consume_chunk(uint32_t *h, const uint8_t *p)
|
|
{
|
|
unsigned i, j;
|
|
uint32_t ah[8];
|
|
|
|
/* Initialize working variables to current hash value: */
|
|
for (i = 0; i < 8; i++)
|
|
ah[i] = h[i];
|
|
|
|
/*
|
|
* The w-array is really w[64], but since we only need 16 of them at a time, we save stack by
|
|
* calculating 16 at a time.
|
|
*
|
|
* This optimization was not there initially and the rest of the comments about w[64] are kept in their
|
|
* initial state.
|
|
*/
|
|
|
|
/*
|
|
* create a 64-entry message schedule array w[0..63] of 32-bit words (The initial values in w[0..63]
|
|
* don't matter, so many implementations zero them here) copy chunk into first 16 words w[0..15] of the
|
|
* message schedule array
|
|
*/
|
|
uint32_t w[16];
|
|
|
|
/* Compression function main loop: */
|
|
for (i = 0; i < 4; i++) {
|
|
for (j = 0; j < 16; j++) {
|
|
if (i == 0) {
|
|
w[j] =
|
|
(uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | (uint32_t)p[3];
|
|
p += 4;
|
|
} else {
|
|
/* Extend the first 16 words into the remaining 48 words w[16..63] of the
|
|
* message schedule array: */
|
|
const uint32_t s0 = right_rot(w[(j + 1) & 0xf], 7) ^ right_rot(w[(j + 1) & 0xf], 18) ^
|
|
(w[(j + 1) & 0xf] >> 3);
|
|
const uint32_t s1 = right_rot(w[(j + 14) & 0xf], 17) ^
|
|
right_rot(w[(j + 14) & 0xf], 19) ^ (w[(j + 14) & 0xf] >> 10);
|
|
w[j] = w[j] + s0 + w[(j + 9) & 0xf] + s1;
|
|
}
|
|
const uint32_t s1 = right_rot(ah[4], 6) ^ right_rot(ah[4], 11) ^ right_rot(ah[4], 25);
|
|
const uint32_t ch = (ah[4] & ah[5]) ^ (~ah[4] & ah[6]);
|
|
|
|
/*
|
|
* Initialize array of round constants:
|
|
* (first 32 bits of the fractional parts of the cube roots of the first 64 primes 2..311):
|
|
*/
|
|
static const uint32_t k[] = {
|
|
0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4,
|
|
0xab1c5ed5, 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe,
|
|
0x9bdc06a7, 0xc19bf174, 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f,
|
|
0x4a7484aa, 0x5cb0a9dc, 0x76f988da, 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
|
|
0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967, 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc,
|
|
0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85, 0xa2bfe8a1, 0xa81a664b,
|
|
0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070, 0x19a4c116,
|
|
0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
|
|
0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7,
|
|
0xc67178f2};
|
|
|
|
const uint32_t temp1 = ah[7] + s1 + ch + k[i << 4 | j] + w[j];
|
|
const uint32_t s0 = right_rot(ah[0], 2) ^ right_rot(ah[0], 13) ^ right_rot(ah[0], 22);
|
|
const uint32_t maj = (ah[0] & ah[1]) ^ (ah[0] & ah[2]) ^ (ah[1] & ah[2]);
|
|
const uint32_t temp2 = s0 + maj;
|
|
|
|
ah[7] = ah[6];
|
|
ah[6] = ah[5];
|
|
ah[5] = ah[4];
|
|
ah[4] = ah[3] + temp1;
|
|
ah[3] = ah[2];
|
|
ah[2] = ah[1];
|
|
ah[1] = ah[0];
|
|
ah[0] = temp1 + temp2;
|
|
}
|
|
}
|
|
|
|
/* Add the compressed chunk to the current hash value: */
|
|
for (i = 0; i < 8; i++)
|
|
h[i] += ah[i];
|
|
}
|
|
|
|
/*
|
|
* Public functions. See header file for documentation.
|
|
*/
|
|
|
|
void sha_256_init(struct Sha_256 *sha_256, uint8_t hash[SIZE_OF_SHA_256_HASH])
|
|
{
|
|
sha_256->hash = hash;
|
|
sha_256->chunk_pos = sha_256->chunk;
|
|
sha_256->space_left = SIZE_OF_SHA_256_CHUNK;
|
|
sha_256->total_len = 0;
|
|
/*
|
|
* Initialize hash values (first 32 bits of the fractional parts of the square roots of the first 8 primes
|
|
* 2..19):
|
|
*/
|
|
sha_256->h[0] = 0x6a09e667;
|
|
sha_256->h[1] = 0xbb67ae85;
|
|
sha_256->h[2] = 0x3c6ef372;
|
|
sha_256->h[3] = 0xa54ff53a;
|
|
sha_256->h[4] = 0x510e527f;
|
|
sha_256->h[5] = 0x9b05688c;
|
|
sha_256->h[6] = 0x1f83d9ab;
|
|
sha_256->h[7] = 0x5be0cd19;
|
|
}
|
|
|
|
void sha_256_write(struct Sha_256 *sha_256, const void *data, size_t len)
|
|
{
|
|
sha_256->total_len += len;
|
|
|
|
const uint8_t *p = data;
|
|
|
|
while (len > 0) {
|
|
/*
|
|
* If the input chunks have sizes that are multiples of the calculation chunk size, no copies are
|
|
* necessary. We operate directly on the input data instead.
|
|
*/
|
|
if (sha_256->space_left == SIZE_OF_SHA_256_CHUNK && len >= SIZE_OF_SHA_256_CHUNK) {
|
|
consume_chunk(sha_256->h, p);
|
|
len -= SIZE_OF_SHA_256_CHUNK;
|
|
p += SIZE_OF_SHA_256_CHUNK;
|
|
continue;
|
|
}
|
|
/* General case, no particular optimization. */
|
|
const size_t consumed_len = len < sha_256->space_left ? len : sha_256->space_left;
|
|
memcpy(sha_256->chunk_pos, p, consumed_len);
|
|
sha_256->space_left -= consumed_len;
|
|
len -= consumed_len;
|
|
p += consumed_len;
|
|
if (sha_256->space_left == 0) {
|
|
consume_chunk(sha_256->h, sha_256->chunk);
|
|
sha_256->chunk_pos = sha_256->chunk;
|
|
sha_256->space_left = SIZE_OF_SHA_256_CHUNK;
|
|
} else {
|
|
sha_256->chunk_pos += consumed_len;
|
|
}
|
|
}
|
|
}
|
|
|
|
uint8_t *sha_256_close(struct Sha_256 *sha_256)
|
|
{
|
|
uint8_t *pos = sha_256->chunk_pos;
|
|
size_t space_left = sha_256->space_left;
|
|
uint32_t *const h = sha_256->h;
|
|
|
|
/*
|
|
* The current chunk cannot be full. Otherwise, it would already have be consumed. I.e. there is space left for
|
|
* at least one byte. The next step in the calculation is to add a single one-bit to the data.
|
|
*/
|
|
*pos++ = 0x80;
|
|
--space_left;
|
|
|
|
/*
|
|
* Now, the last step is to add the total data length at the end of the last chunk, and zero padding before
|
|
* that. But we do not necessarily have enough space left. If not, we pad the current chunk with zeroes, and add
|
|
* an extra chunk at the end.
|
|
*/
|
|
if (space_left < TOTAL_LEN_LEN) {
|
|
memset(pos, 0x00, space_left);
|
|
consume_chunk(h, sha_256->chunk);
|
|
pos = sha_256->chunk;
|
|
space_left = SIZE_OF_SHA_256_CHUNK;
|
|
}
|
|
const size_t left = space_left - TOTAL_LEN_LEN;
|
|
memset(pos, 0x00, left);
|
|
pos += left;
|
|
size_t len = sha_256->total_len;
|
|
pos[7] = (uint8_t)(len << 3);
|
|
len >>= 5;
|
|
int i;
|
|
for (i = 6; i >= 0; --i) {
|
|
pos[i] = (uint8_t)len;
|
|
len >>= 8;
|
|
}
|
|
consume_chunk(h, sha_256->chunk);
|
|
/* Produce the final hash value (big-endian): */
|
|
int j;
|
|
uint8_t *const hash = sha_256->hash;
|
|
for (i = 0, j = 0; i < 8; i++) {
|
|
hash[j++] = (uint8_t)(h[i] >> 24);
|
|
hash[j++] = (uint8_t)(h[i] >> 16);
|
|
hash[j++] = (uint8_t)(h[i] >> 8);
|
|
hash[j++] = (uint8_t)h[i];
|
|
}
|
|
return sha_256->hash;
|
|
}
|
|
|
|
void calc_sha_256(uint8_t hash[SIZE_OF_SHA_256_HASH], const void *input, size_t len)
|
|
{
|
|
struct Sha_256 sha_256;
|
|
sha_256_init(&sha_256, hash);
|
|
sha_256_write(&sha_256, input, len);
|
|
(void)sha_256_close(&sha_256);
|
|
}
|