1 /* vi: set sw=4 ts=4: */
5 * Copyright (C) 2010 Denys Vlasenko
7 * Licensed under GPLv2 or later, see file LICENSE in this source tree.
12 /* gcc 4.2.1 optimizes rotr64 better with inline than with macro
13 * (for rotX32, there is no difference). Why? My guess is that
14 * macro requires clever common subexpression elimination heuristics
15 * in gcc, while inline basically forces it to happen.
17 //#define rotl32(x,n) (((x) << (n)) | ((x) >> (32 - (n))))
18 static ALWAYS_INLINE uint32_t rotl32(uint32_t x, unsigned n)
20 return (x << n) | (x >> (32 - n));
22 //#define rotr32(x,n) (((x) >> (n)) | ((x) << (32 - (n))))
23 static ALWAYS_INLINE uint32_t rotr32(uint32_t x, unsigned n)
25 return (x >> n) | (x << (32 - n));
27 /* rotr64 in needed for sha512 only: */
28 //#define rotr64(x,n) (((x) >> (n)) | ((x) << (64 - (n))))
29 static ALWAYS_INLINE uint64_t rotr64(uint64_t x, unsigned n)
31 return (x >> n) | (x << (64 - n));
34 /* rotl64 only used for sha3 currently */
35 static ALWAYS_INLINE uint64_t rotl64(uint64_t x, unsigned n)
37 return (x << n) | (x >> (64 - n));
40 /* Feed data through a temporary buffer.
41 * The internal buffer remembers previous data until it has 64
42 * bytes worth to pass on.
44 static void FAST_FUNC common64_hash(md5_ctx_t *ctx, const void *buffer, size_t len)
46 unsigned bufpos = ctx->total64 & 63;
51 unsigned remaining = 64 - bufpos;
54 /* Copy data into aligned buffer */
55 memcpy(ctx->wbuffer + bufpos, buffer, remaining);
57 buffer = (const char *)buffer + remaining;
59 /* clever way to do "if (bufpos != 64) break; ... ; bufpos = 0;" */
63 /* Buffer is filled up, process it */
64 ctx->process_block(ctx);
65 /*bufpos = 0; - already is */
69 /* Process the remaining bytes in the buffer */
70 static void FAST_FUNC common64_end(md5_ctx_t *ctx, int swap_needed)
72 unsigned bufpos = ctx->total64 & 63;
73 /* Pad the buffer to the next 64-byte boundary with 0x80,0,0,0... */
74 ctx->wbuffer[bufpos++] = 0x80;
76 /* This loop iterates either once or twice, no more, no less */
78 unsigned remaining = 64 - bufpos;
79 memset(ctx->wbuffer + bufpos, 0, remaining);
80 /* Do we have enough space for the length count? */
82 /* Store the 64-bit counter of bits in the buffer */
83 uint64_t t = ctx->total64 << 3;
86 /* wbuffer is suitably aligned for this */
87 *(uint64_t *) (&ctx->wbuffer[64 - 8]) = t;
89 ctx->process_block(ctx);
98 * Compute MD5 checksum of strings according to the
99 * definition of MD5 in RFC 1321 from April 1992.
101 * Written by Ulrich Drepper <drepper@gnu.ai.mit.edu>, 1995.
103 * Copyright (C) 1995-1999 Free Software Foundation, Inc.
104 * Copyright (C) 2001 Manuel Novoa III
105 * Copyright (C) 2003 Glenn L. McGrath
106 * Copyright (C) 2003 Erik Andersen
108 * Licensed under GPLv2 or later, see file LICENSE in this source tree.
111 /* 0: fastest, 3: smallest */
112 #if CONFIG_MD5_SMALL < 0
114 #elif CONFIG_MD5_SMALL > 3
117 # define MD5_SMALL CONFIG_MD5_SMALL
120 /* These are the four functions used in the four steps of the MD5 algorithm
121 * and defined in the RFC 1321. The first function is a little bit optimized
122 * (as found in Colin Plumbs public domain implementation).
123 * #define FF(b, c, d) ((b & c) | (~b & d))
129 #define FF(b, c, d) (d ^ (b & (c ^ d)))
130 #define FG(b, c, d) FF(d, b, c)
131 #define FH(b, c, d) (b ^ c ^ d)
132 #define FI(b, c, d) (c ^ (b | ~d))
134 /* Hash a single block, 64 bytes long and 4-byte aligned */
135 static void FAST_FUNC md5_process_block64(md5_ctx_t *ctx)
138 /* Before we start, one word to the strange constants.
139 They are defined in RFC 1321 as
140 T[i] = (int)(4294967296.0 * fabs(sin(i))), i=1..64
142 static const uint32_t C_array[] = {
144 0xd76aa478, 0xe8c7b756, 0x242070db, 0xc1bdceee,
145 0xf57c0faf, 0x4787c62a, 0xa8304613, 0xfd469501,
146 0x698098d8, 0x8b44f7af, 0xffff5bb1, 0x895cd7be,
147 0x6b901122, 0xfd987193, 0xa679438e, 0x49b40821,
149 0xf61e2562, 0xc040b340, 0x265e5a51, 0xe9b6c7aa,
150 0xd62f105d, 0x02441453, 0xd8a1e681, 0xe7d3fbc8,
151 0x21e1cde6, 0xc33707d6, 0xf4d50d87, 0x455a14ed,
152 0xa9e3e905, 0xfcefa3f8, 0x676f02d9, 0x8d2a4c8a,
154 0xfffa3942, 0x8771f681, 0x6d9d6122, 0xfde5380c,
155 0xa4beea44, 0x4bdecfa9, 0xf6bb4b60, 0xbebfbc70,
156 0x289b7ec6, 0xeaa127fa, 0xd4ef3085, 0x4881d05,
157 0xd9d4d039, 0xe6db99e5, 0x1fa27cf8, 0xc4ac5665,
159 0xf4292244, 0x432aff97, 0xab9423a7, 0xfc93a039,
160 0x655b59c3, 0x8f0ccc92, 0xffeff47d, 0x85845dd1,
161 0x6fa87e4f, 0xfe2ce6e0, 0xa3014314, 0x4e0811a1,
162 0xf7537e82, 0xbd3af235, 0x2ad7d2bb, 0xeb86d391
164 static const char P_array[] ALIGN1 = {
166 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, /* 1 */
168 1, 6, 11, 0, 5, 10, 15, 4, 9, 14, 3, 8, 13, 2, 7, 12, /* 2 */
169 5, 8, 11, 14, 1, 4, 7, 10, 13, 0, 3, 6, 9, 12, 15, 2, /* 3 */
170 0, 7, 14, 5, 12, 3, 10, 1, 8, 15, 6, 13, 4, 11, 2, 9 /* 4 */
173 uint32_t *words = (void*) ctx->wbuffer;
174 uint32_t A = ctx->hash[0];
175 uint32_t B = ctx->hash[1];
176 uint32_t C = ctx->hash[2];
177 uint32_t D = ctx->hash[3];
179 #if MD5_SMALL >= 2 /* 2 or 3 */
181 static const char S_array[] ALIGN1 = {
194 for (i = 0; i < 16; i++)
195 words[i] = SWAP_LE32(words[i]);
203 for (i = 0; i < 64; i++) {
220 temp += words[(int) (*pp++)] + *pc++;
221 temp = rotl32(temp, ps[i & 3]);
228 # else /* MD5_SMALL == 2 */
233 for (i = 0; i < 16; i++) {
234 temp = A + FF(B, C, D) + words[(int) (*pp++)] + *pc++;
235 temp = rotl32(temp, ps[i & 3]);
243 for (i = 0; i < 16; i++) {
244 temp = A + FG(B, C, D) + words[(int) (*pp++)] + *pc++;
245 temp = rotl32(temp, ps[i & 3]);
253 for (i = 0; i < 16; i++) {
254 temp = A + FH(B, C, D) + words[(int) (*pp++)] + *pc++;
255 temp = rotl32(temp, ps[i & 3]);
263 for (i = 0; i < 16; i++) {
264 temp = A + FI(B, C, D) + words[(int) (*pp++)] + *pc++;
265 temp = rotl32(temp, ps[i & 3]);
273 /* Add checksum to the starting values */
279 #else /* MD5_SMALL == 0 or 1 */
291 /* First round: using the given function, the context and a constant
292 the next context is computed. Because the algorithm's processing
293 unit is a 32-bit word and it is determined to work on words in
294 little endian byte order we perhaps have to change the byte order
295 before the computation. To reduce the work for the next steps
296 we save swapped words in WORDS array. */
298 # define OP(a, b, c, d, s, T) \
300 a += FF(b, c, d) + (*words IF_BIG_ENDIAN(= SWAP_LE32(*words))) + T; \
309 for (i = 0; i < 4; i++) {
310 OP(A, B, C, D, 7, *pc++);
311 OP(D, A, B, C, 12, *pc++);
312 OP(C, D, A, B, 17, *pc++);
313 OP(B, C, D, A, 22, *pc++);
316 OP(A, B, C, D, 7, 0xd76aa478);
317 OP(D, A, B, C, 12, 0xe8c7b756);
318 OP(C, D, A, B, 17, 0x242070db);
319 OP(B, C, D, A, 22, 0xc1bdceee);
320 OP(A, B, C, D, 7, 0xf57c0faf);
321 OP(D, A, B, C, 12, 0x4787c62a);
322 OP(C, D, A, B, 17, 0xa8304613);
323 OP(B, C, D, A, 22, 0xfd469501);
324 OP(A, B, C, D, 7, 0x698098d8);
325 OP(D, A, B, C, 12, 0x8b44f7af);
326 OP(C, D, A, B, 17, 0xffff5bb1);
327 OP(B, C, D, A, 22, 0x895cd7be);
328 OP(A, B, C, D, 7, 0x6b901122);
329 OP(D, A, B, C, 12, 0xfd987193);
330 OP(C, D, A, B, 17, 0xa679438e);
331 OP(B, C, D, A, 22, 0x49b40821);
335 /* For the second to fourth round we have the possibly swapped words
336 in WORDS. Redefine the macro to take an additional first
337 argument specifying the function to use. */
339 # define OP(f, a, b, c, d, k, s, T) \
341 a += f(b, c, d) + words[k] + T; \
349 for (i = 0; i < 4; i++) {
350 OP(FG, A, B, C, D, (int) (*pp++), 5, *pc++);
351 OP(FG, D, A, B, C, (int) (*pp++), 9, *pc++);
352 OP(FG, C, D, A, B, (int) (*pp++), 14, *pc++);
353 OP(FG, B, C, D, A, (int) (*pp++), 20, *pc++);
356 OP(FG, A, B, C, D, 1, 5, 0xf61e2562);
357 OP(FG, D, A, B, C, 6, 9, 0xc040b340);
358 OP(FG, C, D, A, B, 11, 14, 0x265e5a51);
359 OP(FG, B, C, D, A, 0, 20, 0xe9b6c7aa);
360 OP(FG, A, B, C, D, 5, 5, 0xd62f105d);
361 OP(FG, D, A, B, C, 10, 9, 0x02441453);
362 OP(FG, C, D, A, B, 15, 14, 0xd8a1e681);
363 OP(FG, B, C, D, A, 4, 20, 0xe7d3fbc8);
364 OP(FG, A, B, C, D, 9, 5, 0x21e1cde6);
365 OP(FG, D, A, B, C, 14, 9, 0xc33707d6);
366 OP(FG, C, D, A, B, 3, 14, 0xf4d50d87);
367 OP(FG, B, C, D, A, 8, 20, 0x455a14ed);
368 OP(FG, A, B, C, D, 13, 5, 0xa9e3e905);
369 OP(FG, D, A, B, C, 2, 9, 0xfcefa3f8);
370 OP(FG, C, D, A, B, 7, 14, 0x676f02d9);
371 OP(FG, B, C, D, A, 12, 20, 0x8d2a4c8a);
376 for (i = 0; i < 4; i++) {
377 OP(FH, A, B, C, D, (int) (*pp++), 4, *pc++);
378 OP(FH, D, A, B, C, (int) (*pp++), 11, *pc++);
379 OP(FH, C, D, A, B, (int) (*pp++), 16, *pc++);
380 OP(FH, B, C, D, A, (int) (*pp++), 23, *pc++);
383 OP(FH, A, B, C, D, 5, 4, 0xfffa3942);
384 OP(FH, D, A, B, C, 8, 11, 0x8771f681);
385 OP(FH, C, D, A, B, 11, 16, 0x6d9d6122);
386 OP(FH, B, C, D, A, 14, 23, 0xfde5380c);
387 OP(FH, A, B, C, D, 1, 4, 0xa4beea44);
388 OP(FH, D, A, B, C, 4, 11, 0x4bdecfa9);
389 OP(FH, C, D, A, B, 7, 16, 0xf6bb4b60);
390 OP(FH, B, C, D, A, 10, 23, 0xbebfbc70);
391 OP(FH, A, B, C, D, 13, 4, 0x289b7ec6);
392 OP(FH, D, A, B, C, 0, 11, 0xeaa127fa);
393 OP(FH, C, D, A, B, 3, 16, 0xd4ef3085);
394 OP(FH, B, C, D, A, 6, 23, 0x04881d05);
395 OP(FH, A, B, C, D, 9, 4, 0xd9d4d039);
396 OP(FH, D, A, B, C, 12, 11, 0xe6db99e5);
397 OP(FH, C, D, A, B, 15, 16, 0x1fa27cf8);
398 OP(FH, B, C, D, A, 2, 23, 0xc4ac5665);
403 for (i = 0; i < 4; i++) {
404 OP(FI, A, B, C, D, (int) (*pp++), 6, *pc++);
405 OP(FI, D, A, B, C, (int) (*pp++), 10, *pc++);
406 OP(FI, C, D, A, B, (int) (*pp++), 15, *pc++);
407 OP(FI, B, C, D, A, (int) (*pp++), 21, *pc++);
410 OP(FI, A, B, C, D, 0, 6, 0xf4292244);
411 OP(FI, D, A, B, C, 7, 10, 0x432aff97);
412 OP(FI, C, D, A, B, 14, 15, 0xab9423a7);
413 OP(FI, B, C, D, A, 5, 21, 0xfc93a039);
414 OP(FI, A, B, C, D, 12, 6, 0x655b59c3);
415 OP(FI, D, A, B, C, 3, 10, 0x8f0ccc92);
416 OP(FI, C, D, A, B, 10, 15, 0xffeff47d);
417 OP(FI, B, C, D, A, 1, 21, 0x85845dd1);
418 OP(FI, A, B, C, D, 8, 6, 0x6fa87e4f);
419 OP(FI, D, A, B, C, 15, 10, 0xfe2ce6e0);
420 OP(FI, C, D, A, B, 6, 15, 0xa3014314);
421 OP(FI, B, C, D, A, 13, 21, 0x4e0811a1);
422 OP(FI, A, B, C, D, 4, 6, 0xf7537e82);
423 OP(FI, D, A, B, C, 11, 10, 0xbd3af235);
424 OP(FI, C, D, A, B, 2, 15, 0x2ad7d2bb);
425 OP(FI, B, C, D, A, 9, 21, 0xeb86d391);
428 /* Add checksum to the starting values */
429 ctx->hash[0] = A_save + A;
430 ctx->hash[1] = B_save + B;
431 ctx->hash[2] = C_save + C;
432 ctx->hash[3] = D_save + D;
440 /* Initialize structure containing state of computation.
441 * (RFC 1321, 3.3: Step 3)
443 void FAST_FUNC md5_begin(md5_ctx_t *ctx)
445 ctx->hash[0] = 0x67452301;
446 ctx->hash[1] = 0xefcdab89;
447 ctx->hash[2] = 0x98badcfe;
448 ctx->hash[3] = 0x10325476;
450 ctx->process_block = md5_process_block64;
453 /* Used also for sha1 and sha256 */
454 void FAST_FUNC md5_hash(md5_ctx_t *ctx, const void *buffer, size_t len)
456 common64_hash(ctx, buffer, len);
459 /* Process the remaining bytes in the buffer and put result from CTX
460 * in first 16 bytes following RESBUF. The result is always in little
461 * endian byte order, so that a byte-wise output yields to the wanted
462 * ASCII representation of the message digest.
464 void FAST_FUNC md5_end(md5_ctx_t *ctx, void *resbuf)
466 /* MD5 stores total in LE, need to swap on BE arches: */
467 common64_end(ctx, /*swap_needed:*/ BB_BIG_ENDIAN);
469 /* The MD5 result is in little endian byte order */
471 ctx->hash[0] = SWAP_LE32(ctx->hash[0]);
472 ctx->hash[1] = SWAP_LE32(ctx->hash[1]);
473 ctx->hash[2] = SWAP_LE32(ctx->hash[2]);
474 ctx->hash[3] = SWAP_LE32(ctx->hash[3]);
476 memcpy(resbuf, ctx->hash, sizeof(ctx->hash[0]) * 4);
482 * Copyright 2007 Rob Landley <rob@landley.net>
484 * Based on the public domain SHA-1 in C by Steve Reid <steve@edmweb.com>
485 * from http://www.mirrors.wiretapped.net/security/cryptography/hashes/sha1/
487 * Licensed under GPLv2, see file LICENSE in this source tree.
489 * ---------------------------------------------------------------------------
491 * SHA256 and SHA512 parts are:
492 * Released into the Public Domain by Ulrich Drepper <drepper@redhat.com>.
493 * Shrank by Denys Vlasenko.
495 * ---------------------------------------------------------------------------
497 * The best way to test random blocksizes is to go to coreutils/md5_sha1_sum.c
498 * and replace "4096" with something like "2000 + time(NULL) % 2097",
499 * then rebuild and compare "shaNNNsum bigfile" results.
502 static void FAST_FUNC sha1_process_block64(sha1_ctx_t *ctx)
504 static const uint32_t rconsts[] = {
505 0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6
510 uint32_t a, b, c, d, e;
512 /* On-stack work buffer frees up one register in the main loop
513 * which otherwise will be needed to hold ctx pointer */
514 for (i = 0; i < 16; i++)
515 W[i] = W[i+16] = SWAP_BE32(((uint32_t*)ctx->wbuffer)[i]);
523 /* 4 rounds of 20 operations each */
525 for (i = 0; i < 4; i++) {
532 work = (work & b) ^ d;
535 /* Used to do SWAP_BE32 here, but this
536 * requires ctx (see comment above) */
540 work = ((b | c) & d) | (b & c);
541 else /* i = 1 or 3 */
544 W[cnt] = W[cnt+16] = rotl32(W[cnt+13] ^ W[cnt+8] ^ W[cnt+2] ^ W[cnt], 1);
547 work += e + rotl32(a, 5) + rconsts[i];
549 /* Rotate by one for next time */
552 c = /* b = */ rotl32(b, 30);
555 cnt = (cnt + 1) & 15;
566 /* Constants for SHA512 from FIPS 180-2:4.2.3.
567 * SHA256 constants from FIPS 180-2:4.2.2
568 * are the most significant half of first 64 elements
571 static const uint64_t sha_K[80] = {
572 0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL,
573 0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL,
574 0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL,
575 0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL,
576 0xd807aa98a3030242ULL, 0x12835b0145706fbeULL,
577 0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL,
578 0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL,
579 0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL,
580 0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL,
581 0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL,
582 0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL,
583 0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL,
584 0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL,
585 0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL,
586 0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL,
587 0x06ca6351e003826fULL, 0x142929670a0e6e70ULL,
588 0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL,
589 0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL,
590 0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL,
591 0x81c2c92e47edaee6ULL, 0x92722c851482353bULL,
592 0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL,
593 0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL,
594 0xd192e819d6ef5218ULL, 0xd69906245565a910ULL,
595 0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL,
596 0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL,
597 0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL,
598 0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL,
599 0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL,
600 0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL,
601 0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL,
602 0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL,
603 0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL,
604 0xca273eceea26619cULL, 0xd186b8c721c0c207ULL, /* [64]+ are used for sha512 only */
605 0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL,
606 0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL,
607 0x113f9804bef90daeULL, 0x1b710b35131c471bULL,
608 0x28db77f523047d84ULL, 0x32caab7b40c72493ULL,
609 0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL,
610 0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL,
611 0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL
621 static void FAST_FUNC sha256_process_block64(sha256_ctx_t *ctx)
624 uint32_t W[64], a, b, c, d, e, f, g, h;
625 const uint32_t *words = (uint32_t*) ctx->wbuffer;
627 /* Operators defined in FIPS 180-2:4.1.2. */
628 #define Ch(x, y, z) ((x & y) ^ (~x & z))
629 #define Maj(x, y, z) ((x & y) ^ (x & z) ^ (y & z))
630 #define S0(x) (rotr32(x, 2) ^ rotr32(x, 13) ^ rotr32(x, 22))
631 #define S1(x) (rotr32(x, 6) ^ rotr32(x, 11) ^ rotr32(x, 25))
632 #define R0(x) (rotr32(x, 7) ^ rotr32(x, 18) ^ (x >> 3))
633 #define R1(x) (rotr32(x, 17) ^ rotr32(x, 19) ^ (x >> 10))
635 /* Compute the message schedule according to FIPS 180-2:6.2.2 step 2. */
636 for (t = 0; t < 16; ++t)
637 W[t] = SWAP_BE32(words[t]);
638 for (/*t = 16*/; t < 64; ++t)
639 W[t] = R1(W[t - 2]) + W[t - 7] + R0(W[t - 15]) + W[t - 16];
650 /* The actual computation according to FIPS 180-2:6.2.2 step 3. */
651 for (t = 0; t < 64; ++t) {
652 /* Need to fetch upper half of sha_K[t]
653 * (I hope compiler is clever enough to just fetch
656 uint32_t K_t = sha_K[t] >> 32;
657 uint32_t T1 = h + S1(e) + Ch(e, f, g) + K_t + W[t];
658 uint32_t T2 = S0(a) + Maj(a, b, c);
674 /* Add the starting values of the context according to FIPS 180-2:6.2.2
686 static void FAST_FUNC sha512_process_block128(sha512_ctx_t *ctx)
690 /* On i386, having assignments here (not later as sha256 does)
691 * produces 99 bytes smaller code with gcc 4.3.1
693 uint64_t a = ctx->hash[0];
694 uint64_t b = ctx->hash[1];
695 uint64_t c = ctx->hash[2];
696 uint64_t d = ctx->hash[3];
697 uint64_t e = ctx->hash[4];
698 uint64_t f = ctx->hash[5];
699 uint64_t g = ctx->hash[6];
700 uint64_t h = ctx->hash[7];
701 const uint64_t *words = (uint64_t*) ctx->wbuffer;
703 /* Operators defined in FIPS 180-2:4.1.2. */
704 #define Ch(x, y, z) ((x & y) ^ (~x & z))
705 #define Maj(x, y, z) ((x & y) ^ (x & z) ^ (y & z))
706 #define S0(x) (rotr64(x, 28) ^ rotr64(x, 34) ^ rotr64(x, 39))
707 #define S1(x) (rotr64(x, 14) ^ rotr64(x, 18) ^ rotr64(x, 41))
708 #define R0(x) (rotr64(x, 1) ^ rotr64(x, 8) ^ (x >> 7))
709 #define R1(x) (rotr64(x, 19) ^ rotr64(x, 61) ^ (x >> 6))
711 /* Compute the message schedule according to FIPS 180-2:6.3.2 step 2. */
712 for (t = 0; t < 16; ++t)
713 W[t] = SWAP_BE64(words[t]);
714 for (/*t = 16*/; t < 80; ++t)
715 W[t] = R1(W[t - 2]) + W[t - 7] + R0(W[t - 15]) + W[t - 16];
717 /* The actual computation according to FIPS 180-2:6.3.2 step 3. */
718 for (t = 0; t < 80; ++t) {
719 uint64_t T1 = h + S1(e) + Ch(e, f, g) + sha_K[t] + W[t];
720 uint64_t T2 = S0(a) + Maj(a, b, c);
736 /* Add the starting values of the context according to FIPS 180-2:6.3.2
749 void FAST_FUNC sha1_begin(sha1_ctx_t *ctx)
751 ctx->hash[0] = 0x67452301;
752 ctx->hash[1] = 0xefcdab89;
753 ctx->hash[2] = 0x98badcfe;
754 ctx->hash[3] = 0x10325476;
755 ctx->hash[4] = 0xc3d2e1f0;
757 ctx->process_block = sha1_process_block64;
760 static const uint32_t init256[] = {
772 static const uint32_t init512_lo[] = {
785 /* Initialize structure containing state of computation.
786 (FIPS 180-2:5.3.2) */
787 void FAST_FUNC sha256_begin(sha256_ctx_t *ctx)
789 memcpy(&ctx->total64, init256, sizeof(init256));
790 /*ctx->total64 = 0; - done by prepending two 32-bit zeros to init256 */
791 ctx->process_block = sha256_process_block64;
794 /* Initialize structure containing state of computation.
795 (FIPS 180-2:5.3.3) */
796 void FAST_FUNC sha512_begin(sha512_ctx_t *ctx)
799 /* Two extra iterations zero out ctx->total64[2] */
800 uint64_t *tp = ctx->total64;
801 for (i = 0; i < 2+8; i++)
802 tp[i] = ((uint64_t)(init256[i]) << 32) + init512_lo[i];
803 /*ctx->total64[0] = ctx->total64[1] = 0; - already done */
806 void FAST_FUNC sha512_hash(sha512_ctx_t *ctx, const void *buffer, size_t len)
808 unsigned bufpos = ctx->total64[0] & 127;
811 /* First increment the byte count. FIPS 180-2 specifies the possible
812 length of the file up to 2^128 _bits_.
813 We compute the number of _bytes_ and convert to bits later. */
814 ctx->total64[0] += len;
815 if (ctx->total64[0] < len)
818 remaining = 128 - bufpos;
820 /* Hash whole blocks */
821 while (len >= remaining) {
822 memcpy(ctx->wbuffer + bufpos, buffer, remaining);
823 buffer = (const char *)buffer + remaining;
827 sha512_process_block128(ctx);
830 /* Save last, partial blosk */
831 memcpy(ctx->wbuffer + bufpos, buffer, len);
834 remaining = 128 - bufpos;
837 /* Copy data into aligned buffer */
838 memcpy(ctx->wbuffer + bufpos, buffer, remaining);
840 buffer = (const char *)buffer + remaining;
842 /* clever way to do "if (bufpos != 128) break; ... ; bufpos = 0;" */
846 /* Buffer is filled up, process it */
847 sha512_process_block128(ctx);
848 /*bufpos = 0; - already is */
853 /* Used also for sha256 */
854 void FAST_FUNC sha1_end(sha1_ctx_t *ctx, void *resbuf)
858 /* SHA stores total in BE, need to swap on LE arches: */
859 common64_end(ctx, /*swap_needed:*/ BB_LITTLE_ENDIAN);
861 hash_size = (ctx->process_block == sha1_process_block64) ? 5 : 8;
862 /* This way we do not impose alignment constraints on resbuf: */
863 if (BB_LITTLE_ENDIAN) {
865 for (i = 0; i < hash_size; ++i)
866 ctx->hash[i] = SWAP_BE32(ctx->hash[i]);
868 memcpy(resbuf, ctx->hash, sizeof(ctx->hash[0]) * hash_size);
871 void FAST_FUNC sha512_end(sha512_ctx_t *ctx, void *resbuf)
873 unsigned bufpos = ctx->total64[0] & 127;
875 /* Pad the buffer to the next 128-byte boundary with 0x80,0,0,0... */
876 ctx->wbuffer[bufpos++] = 0x80;
879 unsigned remaining = 128 - bufpos;
880 memset(ctx->wbuffer + bufpos, 0, remaining);
881 if (remaining >= 16) {
882 /* Store the 128-bit counter of bits in the buffer in BE format */
884 t = ctx->total64[0] << 3;
886 *(uint64_t *) (&ctx->wbuffer[128 - 8]) = t;
887 t = (ctx->total64[1] << 3) | (ctx->total64[0] >> 61);
889 *(uint64_t *) (&ctx->wbuffer[128 - 16]) = t;
891 sha512_process_block128(ctx);
897 if (BB_LITTLE_ENDIAN) {
899 for (i = 0; i < ARRAY_SIZE(ctx->hash); ++i)
900 ctx->hash[i] = SWAP_BE64(ctx->hash[i]);
902 memcpy(resbuf, ctx->hash, sizeof(ctx->hash));
907 * The Keccak sponge function, designed by Guido Bertoni, Joan Daemen,
908 * Michael Peeters and Gilles Van Assche. For more information, feedback or
909 * questions, please refer to our website: http://keccak.noekeon.org/
911 * Implementation by Ronny Van Keer,
912 * hereby denoted as "the implementer".
914 * To the extent possible under law, the implementer has waived all copyright
915 * and related or neighboring rights to the source code in this file.
916 * http://creativecommons.org/publicdomain/zero/1.0/
918 * Busybox modifications (C) Lauri Kasanen, under the GPLv2.
921 #if CONFIG_SHA3_SMALL < 0
922 # define SHA3_SMALL 0
923 #elif CONFIG_SHA3_SMALL > 1
924 # define SHA3_SMALL 1
926 # define SHA3_SMALL CONFIG_SHA3_SMALL
929 #define ARCH_IS_64BIT (sizeof(long) >= sizeof(uint64_t))
932 cKeccakR_SizeInBytes = 576 / 8,
933 cKeccakNumberOfRounds = 24,
936 static const uint64_t KeccakF_RoundConstants[cKeccakNumberOfRounds] = {
937 0x0000000000000001ULL,
938 0x0000000000008082ULL,
939 0x800000000000808aULL,
940 0x8000000080008000ULL,
941 0x000000000000808bULL,
942 0x0000000080000001ULL,
943 0x8000000080008081ULL,
944 0x8000000000008009ULL,
945 0x000000000000008aULL,
946 0x0000000000000088ULL,
947 0x0000000080008009ULL,
948 0x000000008000000aULL,
949 0x000000008000808bULL,
950 0x800000000000008bULL,
951 0x8000000000008089ULL,
952 0x8000000000008003ULL,
953 0x8000000000008002ULL,
954 0x8000000000000080ULL,
955 0x000000000000800aULL,
956 0x800000008000000aULL,
957 0x8000000080008081ULL,
958 0x8000000000008080ULL,
959 0x0000000080000001ULL,
960 0x8000000080008008ULL
963 static const uint8_t KeccakF_RotationConstants[25] = {
964 1, 3, 6, 10, 15, 21, 28, 36, 45, 55, 2, 14, 27, 41, 56, 8, 25, 43, 62,
968 static const uint8_t KeccakF_PiLane[25] = {
969 10, 7, 11, 17, 18, 3, 5, 16, 8, 21, 24, 4, 15, 23, 19, 13, 12, 2, 20,
973 static const uint8_t KeccakF_Mod5[10] = {
974 0, 1, 2, 3, 4, 0, 1, 2, 3, 4
977 static void KeccakF(uint64_t *state)
983 for (x = 0; x < 25; x++) {
984 state[x] = SWAP_LE64(state[x]);
988 for (round = 0; round < cKeccakNumberOfRounds; ++round) {
992 for (x = 0; x < 5; ++x) {
993 BC[x] = state[x] ^ state[5 + x] ^ state[10 + x] ^
994 state[15 + x] ^ state[20 + x];
996 for (x = 0; x < 5; ++x) {
997 uint64_t temp = BC[KeccakF_Mod5[x + 4]] ^
998 rotl64(BC[KeccakF_Mod5[x + 1]], 1);
999 if (SHA3_SMALL && !ARCH_IS_64BIT) {
1000 for (y = 0; y <= 20; y += 5)
1001 state[y + x] ^= temp;
1003 /* on 64-bit arch, this is actually smaller too */
1004 state[0 + x] ^= temp;
1005 state[5 + x] ^= temp;
1006 state[10 + x] ^= temp;
1007 state[15 + x] ^= temp;
1008 state[20 + x] ^= temp;
1015 uint64_t t1 = state[1];
1016 for (x = 0; x < 24; ++x) {
1017 uint64_t t0 = state[KeccakF_PiLane[x]];
1018 state[KeccakF_PiLane[x]] = rotl64(t1, KeccakF_RotationConstants[x]);
1022 /* Especially large benefit for 32-bit arch:
1023 * 64-bit rotations by non-constant usually are SLOW on those.
1024 * We resort to unrolling here.
1025 * This optimizes out KeccakF_PiLane[] and KeccakF_RotationConstants[],
1026 * but generates 300-500 more bytes of code.
1029 uint64_t t1 = state[1];
1030 #define RhoPi_twice(x) \
1031 t0 = state[KeccakF_PiLane[x ]]; state[KeccakF_PiLane[x ]] = rotl64(t1, KeccakF_RotationConstants[x ]); \
1032 t1 = state[KeccakF_PiLane[x+1]]; state[KeccakF_PiLane[x+1]] = rotl64(t0, KeccakF_RotationConstants[x+1]);
1033 RhoPi_twice(0); RhoPi_twice(2);
1034 RhoPi_twice(4); RhoPi_twice(6);
1035 RhoPi_twice(8); RhoPi_twice(10);
1036 RhoPi_twice(12); RhoPi_twice(14);
1037 RhoPi_twice(16); RhoPi_twice(18);
1038 RhoPi_twice(20); RhoPi_twice(22);
1043 for (y = 0; y <= 20; y += 5) {
1046 BC[0] = state[y + 0];
1047 BC[1] = state[y + 1];
1048 BC[2] = state[y + 2];
1049 BC[3] = state[y + 3];
1050 BC[4] = state[y + 4];
1051 for (x = 0; x < 5; ++x) {
1053 BC[x] ^ ((~BC[KeccakF_Mod5[x + 1]]) &
1054 BC[KeccakF_Mod5[x + 2]]);
1057 /* 32-bit x86: +50 bytes code, 10% faster */
1058 uint64_t BC0, BC1, BC2, BC3, BC4;
1062 state[y + 0] = BC0 ^ ((~BC1) & BC2);
1064 state[y + 1] = BC1 ^ ((~BC2) & BC3);
1066 state[y + 2] = BC2 ^ ((~BC3) & BC4);
1067 state[y + 3] = BC3 ^ ((~BC4) & BC0);
1068 state[y + 4] = BC4 ^ ((~BC0) & BC1);
1073 state[0] ^= KeccakF_RoundConstants[round];
1076 if (BB_BIG_ENDIAN) {
1077 for (x = 0; x < 25; x++) {
1078 state[x] = SWAP_LE64(state[x]);
1083 void FAST_FUNC sha3_begin(sha3_ctx_t *ctx)
1085 memset(ctx, 0, sizeof(*ctx));
1088 void FAST_FUNC sha3_hash(sha3_ctx_t *ctx, const void *buf, size_t bytes)
1090 const uint8_t *data = buf;
1092 /* If already data in queue, continue queuing first */
1093 while (bytes != 0 && ctx->bytes_queued != 0) {
1094 uint8_t *buffer = (uint8_t*)ctx->state;
1095 buffer[ctx->bytes_queued] ^= *data++;
1097 ctx->bytes_queued++;
1098 if (ctx->bytes_queued == cKeccakR_SizeInBytes) {
1099 KeccakF(ctx->state);
1100 ctx->bytes_queued = 0;
1104 /* Absorb complete blocks */
1105 while (bytes >= cKeccakR_SizeInBytes) {
1106 /* XOR data onto beginning of state[].
1107 * We try to be efficient - operate on word at a time, not byte.
1108 * Yet safe wrt unaligned access: can't just use "*(long*)data"...
1110 unsigned count = cKeccakR_SizeInBytes / sizeof(long);
1111 long *buffer = (long*)ctx->state;
1114 move_from_unaligned_long(v, (long*)data);
1116 data += sizeof(long);
1119 KeccakF(ctx->state);
1120 bytes -= cKeccakR_SizeInBytes;
1123 /* Queue remaining data bytes */
1124 while (bytes != 0) {
1125 uint8_t *buffer = (uint8_t*)ctx->state;
1126 buffer[ctx->bytes_queued] ^= *data++;
1127 ctx->bytes_queued++;
1132 void FAST_FUNC sha3_end(sha3_ctx_t *ctx, uint8_t *hashval)
1135 uint8_t *buffer = (uint8_t*)ctx->state;
1136 /* 0 is the number of bits in last, incomplete byte
1137 * (that is, zero: we never have incomplete bytes):
1139 buffer[ctx->bytes_queued] ^= 1 << 0;
1140 buffer[cKeccakR_SizeInBytes - 1] ^= 0x80;
1142 KeccakF(ctx->state);
1145 memcpy(hashval, ctx->state, 64);
projects / oweals / busybox.git / blob