1 /* vi: set sw=4 ts=4: */
5 * Copyright (C) 2010 Denys Vlasenko
7 * Licensed under GPLv2 or later, see file LICENSE in this source tree.
12 /* gcc 4.2.1 optimizes rotr64 better with inline than with macro
13 * (for rotX32, there is no difference). Why? My guess is that
14 * macro requires clever common subexpression elimination heuristics
15 * in gcc, while inline basically forces it to happen.
17 //#define rotl32(x,n) (((x) << (n)) | ((x) >> (32 - (n))))
18 static ALWAYS_INLINE uint32_t rotl32(uint32_t x, unsigned n)
20 return (x << n) | (x >> (32 - n));
22 //#define rotr32(x,n) (((x) >> (n)) | ((x) << (32 - (n))))
23 static ALWAYS_INLINE uint32_t rotr32(uint32_t x, unsigned n)
25 return (x >> n) | (x << (32 - n));
27 /* rotr64 in needed for sha512 only: */
28 //#define rotr64(x,n) (((x) >> (n)) | ((x) << (64 - (n))))
29 static ALWAYS_INLINE uint64_t rotr64(uint64_t x, unsigned n)
31 return (x >> n) | (x << (64 - n));
35 /* Feed data through a temporary buffer.
36 * The internal buffer remembers previous data until it has 64
37 * bytes worth to pass on.
39 static void FAST_FUNC common64_hash(md5_ctx_t *ctx, const void *buffer, size_t len)
41 unsigned bufpos = ctx->total64 & 63;
46 unsigned remaining = 64 - bufpos;
49 /* Copy data into aligned buffer */
50 memcpy(ctx->wbuffer + bufpos, buffer, remaining);
52 buffer = (const char *)buffer + remaining;
54 /* clever way to do "if (bufpos != 64) break; ... ; bufpos = 0;" */
58 /* Buffer is filled up, process it */
59 ctx->process_block(ctx);
60 /*bufpos = 0; - already is */
64 /* Process the remaining bytes in the buffer */
65 static void FAST_FUNC common64_end(md5_ctx_t *ctx, int swap_needed)
67 unsigned bufpos = ctx->total64 & 63;
68 /* Pad the buffer to the next 64-byte boundary with 0x80,0,0,0... */
69 ctx->wbuffer[bufpos++] = 0x80;
71 /* This loop iterates either once or twice, no more, no less */
73 unsigned remaining = 64 - bufpos;
74 memset(ctx->wbuffer + bufpos, 0, remaining);
75 /* Do we have enough space for the length count? */
77 /* Store the 64-bit counter of bits in the buffer */
78 uint64_t t = ctx->total64 << 3;
81 /* wbuffer is suitably aligned for this */
82 *(uint64_t *) (&ctx->wbuffer[64 - 8]) = t;
84 ctx->process_block(ctx);
93 * Compute MD5 checksum of strings according to the
94 * definition of MD5 in RFC 1321 from April 1992.
96 * Written by Ulrich Drepper <drepper@gnu.ai.mit.edu>, 1995.
98 * Copyright (C) 1995-1999 Free Software Foundation, Inc.
99 * Copyright (C) 2001 Manuel Novoa III
100 * Copyright (C) 2003 Glenn L. McGrath
101 * Copyright (C) 2003 Erik Andersen
103 * Licensed under GPLv2 or later, see file LICENSE in this source tree.
106 /* 0: fastest, 3: smallest */
107 #if CONFIG_MD5_SIZE_VS_SPEED < 0
108 # define MD5_SIZE_VS_SPEED 0
109 #elif CONFIG_MD5_SIZE_VS_SPEED > 3
110 # define MD5_SIZE_VS_SPEED 3
112 # define MD5_SIZE_VS_SPEED CONFIG_MD5_SIZE_VS_SPEED
115 /* These are the four functions used in the four steps of the MD5 algorithm
116 * and defined in the RFC 1321. The first function is a little bit optimized
117 * (as found in Colin Plumbs public domain implementation).
118 * #define FF(b, c, d) ((b & c) | (~b & d))
124 #define FF(b, c, d) (d ^ (b & (c ^ d)))
125 #define FG(b, c, d) FF(d, b, c)
126 #define FH(b, c, d) (b ^ c ^ d)
127 #define FI(b, c, d) (c ^ (b | ~d))
129 /* Hash a single block, 64 bytes long and 4-byte aligned */
130 static void FAST_FUNC md5_process_block64(md5_ctx_t *ctx)
132 #if MD5_SIZE_VS_SPEED > 0
133 /* Before we start, one word to the strange constants.
134 They are defined in RFC 1321 as
135 T[i] = (int)(4294967296.0 * fabs(sin(i))), i=1..64
137 static const uint32_t C_array[] = {
139 0xd76aa478, 0xe8c7b756, 0x242070db, 0xc1bdceee,
140 0xf57c0faf, 0x4787c62a, 0xa8304613, 0xfd469501,
141 0x698098d8, 0x8b44f7af, 0xffff5bb1, 0x895cd7be,
142 0x6b901122, 0xfd987193, 0xa679438e, 0x49b40821,
144 0xf61e2562, 0xc040b340, 0x265e5a51, 0xe9b6c7aa,
145 0xd62f105d, 0x02441453, 0xd8a1e681, 0xe7d3fbc8,
146 0x21e1cde6, 0xc33707d6, 0xf4d50d87, 0x455a14ed,
147 0xa9e3e905, 0xfcefa3f8, 0x676f02d9, 0x8d2a4c8a,
149 0xfffa3942, 0x8771f681, 0x6d9d6122, 0xfde5380c,
150 0xa4beea44, 0x4bdecfa9, 0xf6bb4b60, 0xbebfbc70,
151 0x289b7ec6, 0xeaa127fa, 0xd4ef3085, 0x4881d05,
152 0xd9d4d039, 0xe6db99e5, 0x1fa27cf8, 0xc4ac5665,
154 0xf4292244, 0x432aff97, 0xab9423a7, 0xfc93a039,
155 0x655b59c3, 0x8f0ccc92, 0xffeff47d, 0x85845dd1,
156 0x6fa87e4f, 0xfe2ce6e0, 0xa3014314, 0x4e0811a1,
157 0xf7537e82, 0xbd3af235, 0x2ad7d2bb, 0xeb86d391
159 static const char P_array[] ALIGN1 = {
160 # if MD5_SIZE_VS_SPEED > 1
161 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, /* 1 */
163 1, 6, 11, 0, 5, 10, 15, 4, 9, 14, 3, 8, 13, 2, 7, 12, /* 2 */
164 5, 8, 11, 14, 1, 4, 7, 10, 13, 0, 3, 6, 9, 12, 15, 2, /* 3 */
165 0, 7, 14, 5, 12, 3, 10, 1, 8, 15, 6, 13, 4, 11, 2, 9 /* 4 */
168 uint32_t *words = (void*) ctx->wbuffer;
169 uint32_t A = ctx->hash[0];
170 uint32_t B = ctx->hash[1];
171 uint32_t C = ctx->hash[2];
172 uint32_t D = ctx->hash[3];
174 #if MD5_SIZE_VS_SPEED >= 2 /* 2 or 3 */
176 static const char S_array[] ALIGN1 = {
189 for (i = 0; i < 16; i++)
190 words[i] = SWAP_LE32(words[i]);
193 # if MD5_SIZE_VS_SPEED == 3
198 for (i = 0; i < 64; i++) {
215 temp += words[(int) (*pp++)] + *pc++;
216 temp = rotl32(temp, ps[i & 3]);
223 # else /* MD5_SIZE_VS_SPEED == 2 */
228 for (i = 0; i < 16; i++) {
229 temp = A + FF(B, C, D) + words[(int) (*pp++)] + *pc++;
230 temp = rotl32(temp, ps[i & 3]);
238 for (i = 0; i < 16; i++) {
239 temp = A + FG(B, C, D) + words[(int) (*pp++)] + *pc++;
240 temp = rotl32(temp, ps[i & 3]);
248 for (i = 0; i < 16; i++) {
249 temp = A + FH(B, C, D) + words[(int) (*pp++)] + *pc++;
250 temp = rotl32(temp, ps[i & 3]);
258 for (i = 0; i < 16; i++) {
259 temp = A + FI(B, C, D) + words[(int) (*pp++)] + *pc++;
260 temp = rotl32(temp, ps[i & 3]);
268 /* Add checksum to the starting values */
274 #else /* MD5_SIZE_VS_SPEED == 0 or 1 */
280 # if MD5_SIZE_VS_SPEED == 1
286 /* First round: using the given function, the context and a constant
287 the next context is computed. Because the algorithm's processing
288 unit is a 32-bit word and it is determined to work on words in
289 little endian byte order we perhaps have to change the byte order
290 before the computation. To reduce the work for the next steps
291 we save swapped words in WORDS array. */
293 # define OP(a, b, c, d, s, T) \
295 a += FF(b, c, d) + (*words IF_BIG_ENDIAN(= SWAP_LE32(*words))) + T; \
302 # if MD5_SIZE_VS_SPEED == 1
304 for (i = 0; i < 4; i++) {
305 OP(A, B, C, D, 7, *pc++);
306 OP(D, A, B, C, 12, *pc++);
307 OP(C, D, A, B, 17, *pc++);
308 OP(B, C, D, A, 22, *pc++);
311 OP(A, B, C, D, 7, 0xd76aa478);
312 OP(D, A, B, C, 12, 0xe8c7b756);
313 OP(C, D, A, B, 17, 0x242070db);
314 OP(B, C, D, A, 22, 0xc1bdceee);
315 OP(A, B, C, D, 7, 0xf57c0faf);
316 OP(D, A, B, C, 12, 0x4787c62a);
317 OP(C, D, A, B, 17, 0xa8304613);
318 OP(B, C, D, A, 22, 0xfd469501);
319 OP(A, B, C, D, 7, 0x698098d8);
320 OP(D, A, B, C, 12, 0x8b44f7af);
321 OP(C, D, A, B, 17, 0xffff5bb1);
322 OP(B, C, D, A, 22, 0x895cd7be);
323 OP(A, B, C, D, 7, 0x6b901122);
324 OP(D, A, B, C, 12, 0xfd987193);
325 OP(C, D, A, B, 17, 0xa679438e);
326 OP(B, C, D, A, 22, 0x49b40821);
330 /* For the second to fourth round we have the possibly swapped words
331 in WORDS. Redefine the macro to take an additional first
332 argument specifying the function to use. */
334 # define OP(f, a, b, c, d, k, s, T) \
336 a += f(b, c, d) + words[k] + T; \
342 # if MD5_SIZE_VS_SPEED == 1
344 for (i = 0; i < 4; i++) {
345 OP(FG, A, B, C, D, (int) (*pp++), 5, *pc++);
346 OP(FG, D, A, B, C, (int) (*pp++), 9, *pc++);
347 OP(FG, C, D, A, B, (int) (*pp++), 14, *pc++);
348 OP(FG, B, C, D, A, (int) (*pp++), 20, *pc++);
351 OP(FG, A, B, C, D, 1, 5, 0xf61e2562);
352 OP(FG, D, A, B, C, 6, 9, 0xc040b340);
353 OP(FG, C, D, A, B, 11, 14, 0x265e5a51);
354 OP(FG, B, C, D, A, 0, 20, 0xe9b6c7aa);
355 OP(FG, A, B, C, D, 5, 5, 0xd62f105d);
356 OP(FG, D, A, B, C, 10, 9, 0x02441453);
357 OP(FG, C, D, A, B, 15, 14, 0xd8a1e681);
358 OP(FG, B, C, D, A, 4, 20, 0xe7d3fbc8);
359 OP(FG, A, B, C, D, 9, 5, 0x21e1cde6);
360 OP(FG, D, A, B, C, 14, 9, 0xc33707d6);
361 OP(FG, C, D, A, B, 3, 14, 0xf4d50d87);
362 OP(FG, B, C, D, A, 8, 20, 0x455a14ed);
363 OP(FG, A, B, C, D, 13, 5, 0xa9e3e905);
364 OP(FG, D, A, B, C, 2, 9, 0xfcefa3f8);
365 OP(FG, C, D, A, B, 7, 14, 0x676f02d9);
366 OP(FG, B, C, D, A, 12, 20, 0x8d2a4c8a);
370 # if MD5_SIZE_VS_SPEED == 1
371 for (i = 0; i < 4; i++) {
372 OP(FH, A, B, C, D, (int) (*pp++), 4, *pc++);
373 OP(FH, D, A, B, C, (int) (*pp++), 11, *pc++);
374 OP(FH, C, D, A, B, (int) (*pp++), 16, *pc++);
375 OP(FH, B, C, D, A, (int) (*pp++), 23, *pc++);
378 OP(FH, A, B, C, D, 5, 4, 0xfffa3942);
379 OP(FH, D, A, B, C, 8, 11, 0x8771f681);
380 OP(FH, C, D, A, B, 11, 16, 0x6d9d6122);
381 OP(FH, B, C, D, A, 14, 23, 0xfde5380c);
382 OP(FH, A, B, C, D, 1, 4, 0xa4beea44);
383 OP(FH, D, A, B, C, 4, 11, 0x4bdecfa9);
384 OP(FH, C, D, A, B, 7, 16, 0xf6bb4b60);
385 OP(FH, B, C, D, A, 10, 23, 0xbebfbc70);
386 OP(FH, A, B, C, D, 13, 4, 0x289b7ec6);
387 OP(FH, D, A, B, C, 0, 11, 0xeaa127fa);
388 OP(FH, C, D, A, B, 3, 16, 0xd4ef3085);
389 OP(FH, B, C, D, A, 6, 23, 0x04881d05);
390 OP(FH, A, B, C, D, 9, 4, 0xd9d4d039);
391 OP(FH, D, A, B, C, 12, 11, 0xe6db99e5);
392 OP(FH, C, D, A, B, 15, 16, 0x1fa27cf8);
393 OP(FH, B, C, D, A, 2, 23, 0xc4ac5665);
397 # if MD5_SIZE_VS_SPEED == 1
398 for (i = 0; i < 4; i++) {
399 OP(FI, A, B, C, D, (int) (*pp++), 6, *pc++);
400 OP(FI, D, A, B, C, (int) (*pp++), 10, *pc++);
401 OP(FI, C, D, A, B, (int) (*pp++), 15, *pc++);
402 OP(FI, B, C, D, A, (int) (*pp++), 21, *pc++);
405 OP(FI, A, B, C, D, 0, 6, 0xf4292244);
406 OP(FI, D, A, B, C, 7, 10, 0x432aff97);
407 OP(FI, C, D, A, B, 14, 15, 0xab9423a7);
408 OP(FI, B, C, D, A, 5, 21, 0xfc93a039);
409 OP(FI, A, B, C, D, 12, 6, 0x655b59c3);
410 OP(FI, D, A, B, C, 3, 10, 0x8f0ccc92);
411 OP(FI, C, D, A, B, 10, 15, 0xffeff47d);
412 OP(FI, B, C, D, A, 1, 21, 0x85845dd1);
413 OP(FI, A, B, C, D, 8, 6, 0x6fa87e4f);
414 OP(FI, D, A, B, C, 15, 10, 0xfe2ce6e0);
415 OP(FI, C, D, A, B, 6, 15, 0xa3014314);
416 OP(FI, B, C, D, A, 13, 21, 0x4e0811a1);
417 OP(FI, A, B, C, D, 4, 6, 0xf7537e82);
418 OP(FI, D, A, B, C, 11, 10, 0xbd3af235);
419 OP(FI, C, D, A, B, 2, 15, 0x2ad7d2bb);
420 OP(FI, B, C, D, A, 9, 21, 0xeb86d391);
423 /* Add checksum to the starting values */
424 ctx->hash[0] = A_save + A;
425 ctx->hash[1] = B_save + B;
426 ctx->hash[2] = C_save + C;
427 ctx->hash[3] = D_save + D;
435 /* Initialize structure containing state of computation.
436 * (RFC 1321, 3.3: Step 3)
438 void FAST_FUNC md5_begin(md5_ctx_t *ctx)
440 ctx->hash[0] = 0x67452301;
441 ctx->hash[1] = 0xefcdab89;
442 ctx->hash[2] = 0x98badcfe;
443 ctx->hash[3] = 0x10325476;
445 ctx->process_block = md5_process_block64;
448 /* Used also for sha1 and sha256 */
449 void FAST_FUNC md5_hash(md5_ctx_t *ctx, const void *buffer, size_t len)
451 common64_hash(ctx, buffer, len);
454 /* Process the remaining bytes in the buffer and put result from CTX
455 * in first 16 bytes following RESBUF. The result is always in little
456 * endian byte order, so that a byte-wise output yields to the wanted
457 * ASCII representation of the message digest.
459 void FAST_FUNC md5_end(md5_ctx_t *ctx, void *resbuf)
461 /* MD5 stores total in LE, need to swap on BE arches: */
462 common64_end(ctx, /*swap_needed:*/ BB_BIG_ENDIAN);
464 /* The MD5 result is in little endian byte order */
466 ctx->hash[0] = SWAP_LE32(ctx->hash[0]);
467 ctx->hash[1] = SWAP_LE32(ctx->hash[1]);
468 ctx->hash[2] = SWAP_LE32(ctx->hash[2]);
469 ctx->hash[3] = SWAP_LE32(ctx->hash[3]);
471 memcpy(resbuf, ctx->hash, sizeof(ctx->hash[0]) * 4);
476 * Based on shasum from http://www.netsw.org/crypto/hash/
477 * Majorly hacked up to use Dr Brian Gladman's sha1 code
479 * Copyright (C) 2002 Dr Brian Gladman <brg@gladman.me.uk>, Worcester, UK.
480 * Copyright (C) 2003 Glenn L. McGrath
481 * Copyright (C) 2003 Erik Andersen
483 * Licensed under GPLv2 or later, see file LICENSE in this source tree.
485 * ---------------------------------------------------------------------------
486 * Issue Date: 10/11/2002
488 * This is a byte oriented version of SHA1 that operates on arrays of bytes
489 * stored in memory. It runs at 22 cycles per byte on a Pentium P4 processor
491 * ---------------------------------------------------------------------------
493 * SHA256 and SHA512 parts are:
494 * Released into the Public Domain by Ulrich Drepper <drepper@redhat.com>.
495 * Shrank by Denys Vlasenko.
497 * ---------------------------------------------------------------------------
499 * The best way to test random blocksizes is to go to coreutils/md5_sha1_sum.c
500 * and replace "4096" with something like "2000 + time(NULL) % 2097",
501 * then rebuild and compare "shaNNNsum bigfile" results.
504 static void FAST_FUNC sha1_process_block64(sha1_ctx_t *ctx)
507 uint32_t W[80], a, b, c, d, e;
508 const uint32_t *words = (uint32_t*) ctx->wbuffer;
510 for (t = 0; t < 16; ++t)
511 W[t] = SWAP_BE32(words[t]);
512 for (/*t = 16*/; t < 80; ++t) {
513 uint32_t T = W[t - 3] ^ W[t - 8] ^ W[t - 14] ^ W[t - 16];
527 #define ch(x,y,z) ((z) ^ ((x) & ((y) ^ (z))))
528 #define parity(x,y,z) ((x) ^ (y) ^ (z))
529 #define maj(x,y,z) (((x) & (y)) | ((z) & ((x) | (y))))
530 /* A normal version as set out in the FIPS. */
534 a = rotl32(a, 5) + f(b, c, d) + e + k + W[t]; \
541 for (t = 0; t < 20; ++t)
544 for (/*t = 20*/; t < 40; ++t)
545 rnd(parity, 0x6ed9eba1);
547 for (/*t = 40*/; t < 60; ++t)
548 rnd(maj, 0x8f1bbcdc);
550 for (/*t = 60*/; t < 80; ++t)
551 rnd(parity, 0xca62c1d6);
564 /* Constants for SHA512 from FIPS 180-2:4.2.3.
565 * SHA256 constants from FIPS 180-2:4.2.2
566 * are the most significant half of first 64 elements
569 static const uint64_t sha_K[80] = {
570 0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL,
571 0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL,
572 0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL,
573 0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL,
574 0xd807aa98a3030242ULL, 0x12835b0145706fbeULL,
575 0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL,
576 0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL,
577 0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL,
578 0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL,
579 0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL,
580 0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL,
581 0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL,
582 0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL,
583 0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL,
584 0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL,
585 0x06ca6351e003826fULL, 0x142929670a0e6e70ULL,
586 0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL,
587 0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL,
588 0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL,
589 0x81c2c92e47edaee6ULL, 0x92722c851482353bULL,
590 0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL,
591 0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL,
592 0xd192e819d6ef5218ULL, 0xd69906245565a910ULL,
593 0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL,
594 0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL,
595 0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL,
596 0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL,
597 0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL,
598 0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL,
599 0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL,
600 0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL,
601 0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL,
602 0xca273eceea26619cULL, 0xd186b8c721c0c207ULL, /* [64]+ are used for sha512 only */
603 0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL,
604 0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL,
605 0x113f9804bef90daeULL, 0x1b710b35131c471bULL,
606 0x28db77f523047d84ULL, 0x32caab7b40c72493ULL,
607 0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL,
608 0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL,
609 0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL
619 static void FAST_FUNC sha256_process_block64(sha256_ctx_t *ctx)
622 uint32_t W[64], a, b, c, d, e, f, g, h;
623 const uint32_t *words = (uint32_t*) ctx->wbuffer;
625 /* Operators defined in FIPS 180-2:4.1.2. */
626 #define Ch(x, y, z) ((x & y) ^ (~x & z))
627 #define Maj(x, y, z) ((x & y) ^ (x & z) ^ (y & z))
628 #define S0(x) (rotr32(x, 2) ^ rotr32(x, 13) ^ rotr32(x, 22))
629 #define S1(x) (rotr32(x, 6) ^ rotr32(x, 11) ^ rotr32(x, 25))
630 #define R0(x) (rotr32(x, 7) ^ rotr32(x, 18) ^ (x >> 3))
631 #define R1(x) (rotr32(x, 17) ^ rotr32(x, 19) ^ (x >> 10))
633 /* Compute the message schedule according to FIPS 180-2:6.2.2 step 2. */
634 for (t = 0; t < 16; ++t)
635 W[t] = SWAP_BE32(words[t]);
636 for (/*t = 16*/; t < 64; ++t)
637 W[t] = R1(W[t - 2]) + W[t - 7] + R0(W[t - 15]) + W[t - 16];
648 /* The actual computation according to FIPS 180-2:6.2.2 step 3. */
649 for (t = 0; t < 64; ++t) {
650 /* Need to fetch upper half of sha_K[t]
651 * (I hope compiler is clever enough to just fetch
654 uint32_t K_t = sha_K[t] >> 32;
655 uint32_t T1 = h + S1(e) + Ch(e, f, g) + K_t + W[t];
656 uint32_t T2 = S0(a) + Maj(a, b, c);
672 /* Add the starting values of the context according to FIPS 180-2:6.2.2
684 static void FAST_FUNC sha512_process_block128(sha512_ctx_t *ctx)
688 /* On i386, having assignments here (not later as sha256 does)
689 * produces 99 bytes smaller code with gcc 4.3.1
691 uint64_t a = ctx->hash[0];
692 uint64_t b = ctx->hash[1];
693 uint64_t c = ctx->hash[2];
694 uint64_t d = ctx->hash[3];
695 uint64_t e = ctx->hash[4];
696 uint64_t f = ctx->hash[5];
697 uint64_t g = ctx->hash[6];
698 uint64_t h = ctx->hash[7];
699 const uint64_t *words = (uint64_t*) ctx->wbuffer;
701 /* Operators defined in FIPS 180-2:4.1.2. */
702 #define Ch(x, y, z) ((x & y) ^ (~x & z))
703 #define Maj(x, y, z) ((x & y) ^ (x & z) ^ (y & z))
704 #define S0(x) (rotr64(x, 28) ^ rotr64(x, 34) ^ rotr64(x, 39))
705 #define S1(x) (rotr64(x, 14) ^ rotr64(x, 18) ^ rotr64(x, 41))
706 #define R0(x) (rotr64(x, 1) ^ rotr64(x, 8) ^ (x >> 7))
707 #define R1(x) (rotr64(x, 19) ^ rotr64(x, 61) ^ (x >> 6))
709 /* Compute the message schedule according to FIPS 180-2:6.3.2 step 2. */
710 for (t = 0; t < 16; ++t)
711 W[t] = SWAP_BE64(words[t]);
712 for (/*t = 16*/; t < 80; ++t)
713 W[t] = R1(W[t - 2]) + W[t - 7] + R0(W[t - 15]) + W[t - 16];
715 /* The actual computation according to FIPS 180-2:6.3.2 step 3. */
716 for (t = 0; t < 80; ++t) {
717 uint64_t T1 = h + S1(e) + Ch(e, f, g) + sha_K[t] + W[t];
718 uint64_t T2 = S0(a) + Maj(a, b, c);
734 /* Add the starting values of the context according to FIPS 180-2:6.3.2
747 void FAST_FUNC sha1_begin(sha1_ctx_t *ctx)
749 ctx->hash[0] = 0x67452301;
750 ctx->hash[1] = 0xefcdab89;
751 ctx->hash[2] = 0x98badcfe;
752 ctx->hash[3] = 0x10325476;
753 ctx->hash[4] = 0xc3d2e1f0;
755 ctx->process_block = sha1_process_block64;
758 static const uint32_t init256[] = {
770 static const uint32_t init512_lo[] = {
783 /* Initialize structure containing state of computation.
784 (FIPS 180-2:5.3.2) */
785 void FAST_FUNC sha256_begin(sha256_ctx_t *ctx)
787 memcpy(&ctx->total64, init256, sizeof(init256));
788 /*ctx->total64 = 0; - done by prepending two 32-bit zeros to init256 */
789 ctx->process_block = sha256_process_block64;
792 /* Initialize structure containing state of computation.
793 (FIPS 180-2:5.3.3) */
794 void FAST_FUNC sha512_begin(sha512_ctx_t *ctx)
797 /* Two extra iterations zero out ctx->total64[2] */
798 uint64_t *tp = ctx->total64;
799 for (i = 0; i < 2+8; i++)
800 tp[i] = ((uint64_t)(init256[i]) << 32) + init512_lo[i];
801 /*ctx->total64[0] = ctx->total64[1] = 0; - already done */
804 void FAST_FUNC sha512_hash(sha512_ctx_t *ctx, const void *buffer, size_t len)
806 unsigned bufpos = ctx->total64[0] & 127;
809 /* First increment the byte count. FIPS 180-2 specifies the possible
810 length of the file up to 2^128 _bits_.
811 We compute the number of _bytes_ and convert to bits later. */
812 ctx->total64[0] += len;
813 if (ctx->total64[0] < len)
816 remaining = 128 - bufpos;
818 /* Hash whole blocks */
819 while (len >= remaining) {
820 memcpy(ctx->wbuffer + bufpos, buffer, remaining);
821 buffer = (const char *)buffer + remaining;
825 sha512_process_block128(ctx);
828 /* Save last, partial blosk */
829 memcpy(ctx->wbuffer + bufpos, buffer, len);
832 remaining = 128 - bufpos;
835 /* Copy data into aligned buffer */
836 memcpy(ctx->wbuffer + bufpos, buffer, remaining);
838 buffer = (const char *)buffer + remaining;
840 /* clever way to do "if (bufpos != 128) break; ... ; bufpos = 0;" */
844 /* Buffer is filled up, process it */
845 sha512_process_block128(ctx);
846 /*bufpos = 0; - already is */
851 /* Used also for sha256 */
852 void FAST_FUNC sha1_end(sha1_ctx_t *ctx, void *resbuf)
856 /* SHA stores total in BE, need to swap on LE arches: */
857 common64_end(ctx, /*swap_needed:*/ BB_LITTLE_ENDIAN);
859 hash_size = (ctx->process_block == sha1_process_block64) ? 5 : 8;
860 /* This way we do not impose alignment constraints on resbuf: */
861 if (BB_LITTLE_ENDIAN) {
863 for (i = 0; i < hash_size; ++i)
864 ctx->hash[i] = SWAP_BE32(ctx->hash[i]);
866 memcpy(resbuf, ctx->hash, sizeof(ctx->hash[0]) * hash_size);
869 void FAST_FUNC sha512_end(sha512_ctx_t *ctx, void *resbuf)
871 unsigned bufpos = ctx->total64[0] & 127;
873 /* Pad the buffer to the next 128-byte boundary with 0x80,0,0,0... */
874 ctx->wbuffer[bufpos++] = 0x80;
877 unsigned remaining = 128 - bufpos;
878 memset(ctx->wbuffer + bufpos, 0, remaining);
879 if (remaining >= 16) {
880 /* Store the 128-bit counter of bits in the buffer in BE format */
882 t = ctx->total64[0] << 3;
884 *(uint64_t *) (&ctx->wbuffer[128 - 8]) = t;
885 t = (ctx->total64[1] << 3) | (ctx->total64[0] >> 61);
887 *(uint64_t *) (&ctx->wbuffer[128 - 16]) = t;
889 sha512_process_block128(ctx);
895 if (BB_LITTLE_ENDIAN) {
897 for (i = 0; i < ARRAY_SIZE(ctx->hash); ++i)
898 ctx->hash[i] = SWAP_BE64(ctx->hash[i]);
900 memcpy(resbuf, ctx->hash, sizeof(ctx->hash));