1 /* vi:set ts=8 sts=4 sw=4 noet:
2 *
3 * VIM - Vi IMproved by Bram Moolenaar
4 *
5 * Do ":help uganda" in Vim to read copying and usage conditions.
6 * Do ":help credits" in Vim to see a list of people who contributed.
7 * See README.txt for an overview of the Vim source code.
8 *
9 * FIPS-180-2 compliant SHA-256 implementation
10 * GPL by Christophe Devine, applies to older version.
11 * Modified for md5deep, in public domain.
12 * Modified For Vim, Mohsin Ahmed, http://www.cs.albany.edu/~mosh
13 * Mohsin Ahmed states this work is distributed under the VIM License or GPL,
14 * at your choice.
15 *
16 * Vim specific notes:
17 * Functions exported by this file:
18 * 1. sha256_key() hashes the password to 64 bytes char string.
19 * 2. sha2_seed() generates a random header.
20 * sha256_self_test() is implicitly called once.
21 */
22
23 #include "vim.h"
24
25 #if defined(FEAT_CRYPT) || defined(FEAT_PERSISTENT_UNDO)
26
27 #define GET_UINT32(n, b, i) \
28 { \
29 (n) = ( (UINT32_T)(b)[(i) ] << 24) \
30 | ( (UINT32_T)(b)[(i) + 1] << 16) \
31 | ( (UINT32_T)(b)[(i) + 2] << 8) \
32 | ( (UINT32_T)(b)[(i) + 3] ); \
33 }
34
35 #define PUT_UINT32(n,b,i) \
36 { \
37 (b)[(i) ] = (char_u)((n) >> 24); \
38 (b)[(i) + 1] = (char_u)((n) >> 16); \
39 (b)[(i) + 2] = (char_u)((n) >> 8); \
40 (b)[(i) + 3] = (char_u)((n) ); \
41 }
42
43 void
sha256_start(context_sha256_T * ctx)44 sha256_start(context_sha256_T *ctx)
45 {
46 ctx->total[0] = 0;
47 ctx->total[1] = 0;
48
49 ctx->state[0] = 0x6A09E667;
50 ctx->state[1] = 0xBB67AE85;
51 ctx->state[2] = 0x3C6EF372;
52 ctx->state[3] = 0xA54FF53A;
53 ctx->state[4] = 0x510E527F;
54 ctx->state[5] = 0x9B05688C;
55 ctx->state[6] = 0x1F83D9AB;
56 ctx->state[7] = 0x5BE0CD19;
57 }
58
59 static void
sha256_process(context_sha256_T * ctx,char_u data[64])60 sha256_process(context_sha256_T *ctx, char_u data[64])
61 {
62 UINT32_T temp1, temp2, W[64];
63 UINT32_T A, B, C, D, E, F, G, H;
64
65 GET_UINT32(W[0], data, 0);
66 GET_UINT32(W[1], data, 4);
67 GET_UINT32(W[2], data, 8);
68 GET_UINT32(W[3], data, 12);
69 GET_UINT32(W[4], data, 16);
70 GET_UINT32(W[5], data, 20);
71 GET_UINT32(W[6], data, 24);
72 GET_UINT32(W[7], data, 28);
73 GET_UINT32(W[8], data, 32);
74 GET_UINT32(W[9], data, 36);
75 GET_UINT32(W[10], data, 40);
76 GET_UINT32(W[11], data, 44);
77 GET_UINT32(W[12], data, 48);
78 GET_UINT32(W[13], data, 52);
79 GET_UINT32(W[14], data, 56);
80 GET_UINT32(W[15], data, 60);
81
82 #define SHR(x, n) ((x & 0xFFFFFFFF) >> n)
83 #define ROTR(x, n) (SHR(x, n) | (x << (32 - n)))
84
85 #define S0(x) (ROTR(x, 7) ^ ROTR(x, 18) ^ SHR(x, 3))
86 #define S1(x) (ROTR(x, 17) ^ ROTR(x, 19) ^ SHR(x, 10))
87
88 #define S2(x) (ROTR(x, 2) ^ ROTR(x, 13) ^ ROTR(x, 22))
89 #define S3(x) (ROTR(x, 6) ^ ROTR(x, 11) ^ ROTR(x, 25))
90
91 #define F0(x, y, z) ((x & y) | (z & (x | y)))
92 #define F1(x, y, z) (z ^ (x & (y ^ z)))
93
94 #define R(t) \
95 ( \
96 W[t] = S1(W[t - 2]) + W[t - 7] + \
97 S0(W[t - 15]) + W[t - 16] \
98 )
99
100 #define P(a,b,c,d,e,f,g,h,x,K) \
101 { \
102 temp1 = h + S3(e) + F1(e, f, g) + K + x; \
103 temp2 = S2(a) + F0(a, b, c); \
104 d += temp1; h = temp1 + temp2; \
105 }
106
107 A = ctx->state[0];
108 B = ctx->state[1];
109 C = ctx->state[2];
110 D = ctx->state[3];
111 E = ctx->state[4];
112 F = ctx->state[5];
113 G = ctx->state[6];
114 H = ctx->state[7];
115
116 P( A, B, C, D, E, F, G, H, W[ 0], 0x428A2F98);
117 P( H, A, B, C, D, E, F, G, W[ 1], 0x71374491);
118 P( G, H, A, B, C, D, E, F, W[ 2], 0xB5C0FBCF);
119 P( F, G, H, A, B, C, D, E, W[ 3], 0xE9B5DBA5);
120 P( E, F, G, H, A, B, C, D, W[ 4], 0x3956C25B);
121 P( D, E, F, G, H, A, B, C, W[ 5], 0x59F111F1);
122 P( C, D, E, F, G, H, A, B, W[ 6], 0x923F82A4);
123 P( B, C, D, E, F, G, H, A, W[ 7], 0xAB1C5ED5);
124 P( A, B, C, D, E, F, G, H, W[ 8], 0xD807AA98);
125 P( H, A, B, C, D, E, F, G, W[ 9], 0x12835B01);
126 P( G, H, A, B, C, D, E, F, W[10], 0x243185BE);
127 P( F, G, H, A, B, C, D, E, W[11], 0x550C7DC3);
128 P( E, F, G, H, A, B, C, D, W[12], 0x72BE5D74);
129 P( D, E, F, G, H, A, B, C, W[13], 0x80DEB1FE);
130 P( C, D, E, F, G, H, A, B, W[14], 0x9BDC06A7);
131 P( B, C, D, E, F, G, H, A, W[15], 0xC19BF174);
132 P( A, B, C, D, E, F, G, H, R(16), 0xE49B69C1);
133 P( H, A, B, C, D, E, F, G, R(17), 0xEFBE4786);
134 P( G, H, A, B, C, D, E, F, R(18), 0x0FC19DC6);
135 P( F, G, H, A, B, C, D, E, R(19), 0x240CA1CC);
136 P( E, F, G, H, A, B, C, D, R(20), 0x2DE92C6F);
137 P( D, E, F, G, H, A, B, C, R(21), 0x4A7484AA);
138 P( C, D, E, F, G, H, A, B, R(22), 0x5CB0A9DC);
139 P( B, C, D, E, F, G, H, A, R(23), 0x76F988DA);
140 P( A, B, C, D, E, F, G, H, R(24), 0x983E5152);
141 P( H, A, B, C, D, E, F, G, R(25), 0xA831C66D);
142 P( G, H, A, B, C, D, E, F, R(26), 0xB00327C8);
143 P( F, G, H, A, B, C, D, E, R(27), 0xBF597FC7);
144 P( E, F, G, H, A, B, C, D, R(28), 0xC6E00BF3);
145 P( D, E, F, G, H, A, B, C, R(29), 0xD5A79147);
146 P( C, D, E, F, G, H, A, B, R(30), 0x06CA6351);
147 P( B, C, D, E, F, G, H, A, R(31), 0x14292967);
148 P( A, B, C, D, E, F, G, H, R(32), 0x27B70A85);
149 P( H, A, B, C, D, E, F, G, R(33), 0x2E1B2138);
150 P( G, H, A, B, C, D, E, F, R(34), 0x4D2C6DFC);
151 P( F, G, H, A, B, C, D, E, R(35), 0x53380D13);
152 P( E, F, G, H, A, B, C, D, R(36), 0x650A7354);
153 P( D, E, F, G, H, A, B, C, R(37), 0x766A0ABB);
154 P( C, D, E, F, G, H, A, B, R(38), 0x81C2C92E);
155 P( B, C, D, E, F, G, H, A, R(39), 0x92722C85);
156 P( A, B, C, D, E, F, G, H, R(40), 0xA2BFE8A1);
157 P( H, A, B, C, D, E, F, G, R(41), 0xA81A664B);
158 P( G, H, A, B, C, D, E, F, R(42), 0xC24B8B70);
159 P( F, G, H, A, B, C, D, E, R(43), 0xC76C51A3);
160 P( E, F, G, H, A, B, C, D, R(44), 0xD192E819);
161 P( D, E, F, G, H, A, B, C, R(45), 0xD6990624);
162 P( C, D, E, F, G, H, A, B, R(46), 0xF40E3585);
163 P( B, C, D, E, F, G, H, A, R(47), 0x106AA070);
164 P( A, B, C, D, E, F, G, H, R(48), 0x19A4C116);
165 P( H, A, B, C, D, E, F, G, R(49), 0x1E376C08);
166 P( G, H, A, B, C, D, E, F, R(50), 0x2748774C);
167 P( F, G, H, A, B, C, D, E, R(51), 0x34B0BCB5);
168 P( E, F, G, H, A, B, C, D, R(52), 0x391C0CB3);
169 P( D, E, F, G, H, A, B, C, R(53), 0x4ED8AA4A);
170 P( C, D, E, F, G, H, A, B, R(54), 0x5B9CCA4F);
171 P( B, C, D, E, F, G, H, A, R(55), 0x682E6FF3);
172 P( A, B, C, D, E, F, G, H, R(56), 0x748F82EE);
173 P( H, A, B, C, D, E, F, G, R(57), 0x78A5636F);
174 P( G, H, A, B, C, D, E, F, R(58), 0x84C87814);
175 P( F, G, H, A, B, C, D, E, R(59), 0x8CC70208);
176 P( E, F, G, H, A, B, C, D, R(60), 0x90BEFFFA);
177 P( D, E, F, G, H, A, B, C, R(61), 0xA4506CEB);
178 P( C, D, E, F, G, H, A, B, R(62), 0xBEF9A3F7);
179 P( B, C, D, E, F, G, H, A, R(63), 0xC67178F2);
180
181 ctx->state[0] += A;
182 ctx->state[1] += B;
183 ctx->state[2] += C;
184 ctx->state[3] += D;
185 ctx->state[4] += E;
186 ctx->state[5] += F;
187 ctx->state[6] += G;
188 ctx->state[7] += H;
189 }
190
191 void
sha256_update(context_sha256_T * ctx,char_u * input,UINT32_T length)192 sha256_update(context_sha256_T *ctx, char_u *input, UINT32_T length)
193 {
194 UINT32_T left, fill;
195
196 if (length == 0)
197 return;
198
199 left = ctx->total[0] & 0x3F;
200 fill = 64 - left;
201
202 ctx->total[0] += length;
203 ctx->total[0] &= 0xFFFFFFFF;
204
205 if (ctx->total[0] < length)
206 ctx->total[1]++;
207
208 if (left && length >= fill)
209 {
210 memcpy((void *)(ctx->buffer + left), (void *)input, fill);
211 sha256_process(ctx, ctx->buffer);
212 length -= fill;
213 input += fill;
214 left = 0;
215 }
216
217 while (length >= 64)
218 {
219 sha256_process(ctx, input);
220 length -= 64;
221 input += 64;
222 }
223
224 if (length)
225 memcpy((void *)(ctx->buffer + left), (void *)input, length);
226 }
227
228 static char_u sha256_padding[64] = {
229 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
230 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
231 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
232 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
233 };
234
235 void
sha256_finish(context_sha256_T * ctx,char_u digest[32])236 sha256_finish(context_sha256_T *ctx, char_u digest[32])
237 {
238 UINT32_T last, padn;
239 UINT32_T high, low;
240 char_u msglen[8];
241
242 high = (ctx->total[0] >> 29) | (ctx->total[1] << 3);
243 low = (ctx->total[0] << 3);
244
245 PUT_UINT32(high, msglen, 0);
246 PUT_UINT32(low, msglen, 4);
247
248 last = ctx->total[0] & 0x3F;
249 padn = (last < 56) ? (56 - last) : (120 - last);
250
251 sha256_update(ctx, sha256_padding, padn);
252 sha256_update(ctx, msglen, 8);
253
254 PUT_UINT32(ctx->state[0], digest, 0);
255 PUT_UINT32(ctx->state[1], digest, 4);
256 PUT_UINT32(ctx->state[2], digest, 8);
257 PUT_UINT32(ctx->state[3], digest, 12);
258 PUT_UINT32(ctx->state[4], digest, 16);
259 PUT_UINT32(ctx->state[5], digest, 20);
260 PUT_UINT32(ctx->state[6], digest, 24);
261 PUT_UINT32(ctx->state[7], digest, 28);
262 }
263 #endif // FEAT_CRYPT || FEAT_PERSISTENT_UNDO
264
265 #if defined(FEAT_CRYPT) || defined(PROTO)
266 /*
267 * Returns hex digest of "buf[buf_len]" in a static array.
268 * if "salt" is not NULL also do "salt[salt_len]".
269 */
270 char_u *
sha256_bytes(char_u * buf,int buf_len,char_u * salt,int salt_len)271 sha256_bytes(
272 char_u *buf,
273 int buf_len,
274 char_u *salt,
275 int salt_len)
276 {
277 char_u sha256sum[32];
278 static char_u hexit[65];
279 int j;
280 context_sha256_T ctx;
281
282 sha256_self_test();
283
284 sha256_start(&ctx);
285 sha256_update(&ctx, buf, buf_len);
286 if (salt != NULL)
287 sha256_update(&ctx, salt, salt_len);
288 sha256_finish(&ctx, sha256sum);
289 for (j = 0; j < 32; j++)
290 sprintf((char *)hexit + j * 2, "%02x", sha256sum[j]);
291 hexit[sizeof(hexit) - 1] = '\0';
292 return hexit;
293 }
294
295 /*
296 * Returns sha256(buf) as 64 hex chars in static array.
297 */
298 char_u *
sha256_key(char_u * buf,char_u * salt,int salt_len)299 sha256_key(
300 char_u *buf,
301 char_u *salt,
302 int salt_len)
303 {
304 // No passwd means don't encrypt
305 if (buf == NULL || *buf == NUL)
306 return (char_u *)"";
307
308 return sha256_bytes(buf, (int)STRLEN(buf), salt, salt_len);
309 }
310
311 /*
312 * These are the standard FIPS-180-2 test vectors
313 */
314
315 static char *sha_self_test_msg[] = {
316 "abc",
317 "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
318 NULL
319 };
320
321 static char *sha_self_test_vector[] = {
322 "ba7816bf8f01cfea414140de5dae2223" \
323 "b00361a396177a9cb410ff61f20015ad",
324 "248d6a61d20638b8e5c026930c3e6039" \
325 "a33ce45964ff2167f6ecedd419db06c1",
326 "cdc76e5c9914fb9281a1c7e284d73e67" \
327 "f1809a48a497200e046d39ccc7112cd0"
328 };
329
330 /*
331 * Perform a test on the SHA256 algorithm.
332 * Return FAIL or OK.
333 */
334 int
sha256_self_test(void)335 sha256_self_test(void)
336 {
337 int i, j;
338 char output[65];
339 context_sha256_T ctx;
340 char_u buf[1000];
341 char_u sha256sum[32];
342 static int failures = 0;
343 char_u *hexit;
344 static int sha256_self_tested = 0;
345
346 if (sha256_self_tested > 0)
347 return failures > 0 ? FAIL : OK;
348 sha256_self_tested = 1;
349
350 for (i = 0; i < 3; i++)
351 {
352 if (i < 2)
353 {
354 hexit = sha256_bytes((char_u *)sha_self_test_msg[i],
355 (int)STRLEN(sha_self_test_msg[i]),
356 NULL, 0);
357 STRCPY(output, hexit);
358 }
359 else
360 {
361 sha256_start(&ctx);
362 vim_memset(buf, 'a', 1000);
363 for (j = 0; j < 1000; j++)
364 sha256_update(&ctx, (char_u *)buf, 1000);
365 sha256_finish(&ctx, sha256sum);
366 for (j = 0; j < 32; j++)
367 sprintf(output + j * 2, "%02x", sha256sum[j]);
368 }
369 if (memcmp(output, sha_self_test_vector[i], 64))
370 {
371 failures++;
372 output[sizeof(output) - 1] = '\0';
373 // printf("sha256_self_test %d failed %s\n", i, output);
374 }
375 }
376 return failures > 0 ? FAIL : OK;
377 }
378
379 static unsigned int
get_some_time(void)380 get_some_time(void)
381 {
382 # ifdef HAVE_GETTIMEOFDAY
383 struct timeval tv;
384
385 // Using usec makes it less predictable.
386 gettimeofday(&tv, NULL);
387 return (unsigned int)(tv.tv_sec + tv.tv_usec);
388 # else
389 return (unsigned int)time(NULL);
390 # endif
391 }
392
393 /*
394 * Fill "header[header_len]" with random_data.
395 * Also "salt[salt_len]" when "salt" is not NULL.
396 */
397 void
sha2_seed(char_u * header,int header_len,char_u * salt,int salt_len)398 sha2_seed(
399 char_u *header,
400 int header_len,
401 char_u *salt,
402 int salt_len)
403 {
404 int i;
405 static char_u random_data[1000];
406 char_u sha256sum[32];
407 context_sha256_T ctx;
408
409 srand(get_some_time());
410
411 for (i = 0; i < (int)sizeof(random_data) - 1; i++)
412 random_data[i] = (char_u)((get_some_time() ^ rand()) & 0xff);
413 sha256_start(&ctx);
414 sha256_update(&ctx, (char_u *)random_data, sizeof(random_data));
415 sha256_finish(&ctx, sha256sum);
416
417 // put first block into header.
418 for (i = 0; i < header_len; i++)
419 header[i] = sha256sum[i % sizeof(sha256sum)];
420
421 // put remaining block into salt.
422 if (salt != NULL)
423 for (i = 0; i < salt_len; i++)
424 salt[i] = sha256sum[(i + header_len) % sizeof(sha256sum)];
425 }
426
427 #endif // FEAT_CRYPT
428