1 /* vi: set sw=4 ts=4: */
3 * Based on shasum from http://www.netsw.org/crypto/hash/
4 * Majorly hacked up to use Dr Brian Gladman's sha1 code
6 * Copyright (C) 2002 Dr Brian Gladman <brg@gladman.me.uk>, Worcester, UK.
7 * Copyright (C) 2003 Glenn L. McGrath
8 * Copyright (C) 2003 Erik Andersen
10 * Licensed under GPLv2 or later, see file LICENSE in this tarball for details.
12 * ---------------------------------------------------------------------------
13 * Issue Date: 10/11/2002
15 * This is a byte oriented version of SHA1 that operates on arrays of bytes
16 * stored in memory. It runs at 22 cycles per byte on a Pentium P4 processor
18 * ---------------------------------------------------------------------------
20 * SHA256 and SHA512 parts are:
21 * Released into the Public Domain by Ulrich Drepper <drepper@redhat.com>.
22 * Shrank by Denys Vlasenko.
24 * ---------------------------------------------------------------------------
26 * The best way to test random blocksizes is to go to coreutils/md5_sha1_sum.c
27 * and replace "4096" with something like "2000 + time(NULL) % 2097",
28 * then rebuild and compare "shaNNNsum bigfile" results.
33 #define rotl32(x,n) (((x) << (n)) | ((x) >> (32 - (n))))
34 #define rotr32(x,n) (((x) >> (n)) | ((x) << (32 - (n))))
36 #define rotr64(x,n) (((x) >> (n)) | ((x) << (64 - (n))))
38 static inline uint64_t hton64(uint64_t v)
40 return (((uint64_t)htonl(v)) << 32) | htonl(v >> 32);
45 #define ntoh64(v) hton64(v)
47 /* To check alignment gcc has an appropriate operator. Other
49 #if defined(__GNUC__) && __GNUC__ >= 2
50 # define UNALIGNED_P(p,type) (((uintptr_t) p) % __alignof__(type) != 0)
52 # define UNALIGNED_P(p,type) (((uintptr_t) p) % sizeof(type) != 0)
56 #define SHA1_BLOCK_SIZE 64
57 #define SHA1_MASK (SHA1_BLOCK_SIZE - 1)
59 static void sha1_process_block64(sha1_ctx_t *ctx)
62 uint32_t w[80], a, b, c, d, e, t;
64 /* note that words are compiled from the buffer into 32-bit */
65 /* words in big-endian order so an order reversal is needed */
66 /* here on little endian machines */
67 for (i = 0; i < SHA1_BLOCK_SIZE / 4; ++i)
68 w[i] = ntohl(ctx->wbuffer[i]);
70 for (/*i = SHA1_BLOCK_SIZE / 4*/; i < 80; ++i) {
71 t = w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16];
81 /* Reverse byte order in 32-bit words */
82 #define ch(x,y,z) ((z) ^ ((x) & ((y) ^ (z))))
83 #define parity(x,y,z) ((x) ^ (y) ^ (z))
84 #define maj(x,y,z) (((x) & (y)) | ((z) & ((x) | (y))))
85 /* A normal version as set out in the FIPS. This version uses */
86 /* partial loop unrolling and is optimised for the Pentium 4 */
89 t = a; a = rotl32(a,5) + f(b,c,d) + e + k + w[i]; \
90 e = d; d = c; c = rotl32(b, 30); b = t; \
93 for (i = 0; i < 20; ++i)
96 for (/*i = 20*/; i < 40; ++i)
97 rnd(parity, 0x6ed9eba1);
99 for (/*i = 40*/; i < 60; ++i)
100 rnd(maj, 0x8f1bbcdc);
102 for (/*i = 60*/; i < 80; ++i)
103 rnd(parity, 0xca62c1d6);
116 /* Constants for SHA256 from FIPS 180-2:4.2.2. */
117 static const uint32_t K256[80] = {
118 0x428a2f98, 0x71374491,
119 0xb5c0fbcf, 0xe9b5dba5,
120 0x3956c25b, 0x59f111f1,
121 0x923f82a4, 0xab1c5ed5,
122 0xd807aa98, 0x12835b01,
123 0x243185be, 0x550c7dc3,
124 0x72be5d74, 0x80deb1fe,
125 0x9bdc06a7, 0xc19bf174,
126 0xe49b69c1, 0xefbe4786,
127 0x0fc19dc6, 0x240ca1cc,
128 0x2de92c6f, 0x4a7484aa,
129 0x5cb0a9dc, 0x76f988da,
130 0x983e5152, 0xa831c66d,
131 0xb00327c8, 0xbf597fc7,
132 0xc6e00bf3, 0xd5a79147,
133 0x06ca6351, 0x14292967,
134 0x27b70a85, 0x2e1b2138,
135 0x4d2c6dfc, 0x53380d13,
136 0x650a7354, 0x766a0abb,
137 0x81c2c92e, 0x92722c85,
138 0xa2bfe8a1, 0xa81a664b,
139 0xc24b8b70, 0xc76c51a3,
140 0xd192e819, 0xd6990624,
141 0xf40e3585, 0x106aa070,
142 0x19a4c116, 0x1e376c08,
143 0x2748774c, 0x34b0bcb5,
144 0x391c0cb3, 0x4ed8aa4a,
145 0x5b9cca4f, 0x682e6ff3,
146 0x748f82ee, 0x78a5636f,
147 0x84c87814, 0x8cc70208,
148 0x90befffa, 0xa4506ceb,
149 0xbef9a3f7, 0xc67178f2,
150 0xca273ece, 0xd186b8c7, /* [64]+ are used for sha512 only */
151 0xeada7dd6, 0xf57d4f7f,
152 0x06f067aa, 0x0a637dc5,
153 0x113f9804, 0x1b710b35,
154 0x28db77f5, 0x32caab7b,
155 0x3c9ebe0a, 0x431d67c4,
156 0x4cc5d4be, 0x597f299c,
157 0x5fcb6fab, 0x6c44198c
159 /* Constants for SHA512 from FIPS 180-2:4.2.3. */
160 static const uint32_t K512_lo[80] = {
161 0xd728ae22, 0x23ef65cd,
162 0xec4d3b2f, 0x8189dbbc,
163 0xf348b538, 0xb605d019,
164 0xaf194f9b, 0xda6d8118,
165 0xa3030242, 0x45706fbe,
166 0x4ee4b28c, 0xd5ffb4e2,
167 0xf27b896f, 0x3b1696b1,
168 0x25c71235, 0xcf692694,
169 0x9ef14ad2, 0x384f25e3,
170 0x8b8cd5b5, 0x77ac9c65,
171 0x592b0275, 0x6ea6e483,
172 0xbd41fbd4, 0x831153b5,
173 0xee66dfab, 0x2db43210,
174 0x98fb213f, 0xbeef0ee4,
175 0x3da88fc2, 0x930aa725,
176 0xe003826f, 0x0a0e6e70,
177 0x46d22ffc, 0x5c26c926,
178 0x5ac42aed, 0x9d95b3df,
179 0x8baf63de, 0x3c77b2a8,
180 0x47edaee6, 0x1482353b,
181 0x4cf10364, 0xbc423001,
182 0xd0f89791, 0x0654be30,
183 0xd6ef5218, 0x5565a910,
184 0x5771202a, 0x32bbd1b8,
185 0xb8d2d0c8, 0x5141ab53,
186 0xdf8eeb99, 0xe19b48a8,
187 0xc5c95a63, 0xe3418acb,
188 0x7763e373, 0xd6b2b8a3,
189 0x5defb2fc, 0x43172f60,
190 0xa1f0ab72, 0x1a6439ec,
191 0x23631e28, 0xde82bde9,
192 0xb2c67915, 0xe372532b,
193 0xea26619c, 0x21c0c207,
194 0xcde0eb1e, 0xee6ed178,
195 0x72176fba, 0xa2c898a6,
196 0xbef90dae, 0x131c471b,
197 0x23047d84, 0x40c72493,
198 0x15c9bebc, 0x9c100d4c,
199 0xcb3e42b6, 0xfc657e2a,
200 0x3ad6faec, 0x4a475817
203 /* Process LEN bytes of BUFFER, accumulating context into CTX.
204 LEN is rounded _down_ to 64. */
205 static void sha256_process_block64(const void *buffer, size_t len, sha256_ctx_t *ctx)
207 const uint32_t *words = buffer;
208 uint32_t a = ctx->hash[0];
209 uint32_t b = ctx->hash[1];
210 uint32_t c = ctx->hash[2];
211 uint32_t d = ctx->hash[3];
212 uint32_t e = ctx->hash[4];
213 uint32_t f = ctx->hash[5];
214 uint32_t g = ctx->hash[6];
215 uint32_t h = ctx->hash[7];
217 /* Process all bytes in the buffer with 64 bytes in each round of
219 len /= (sizeof(uint32_t) * 16);
224 /* Operators defined in FIPS 180-2:4.1.2. */
225 #define Ch(x, y, z) ((x & y) ^ (~x & z))
226 #define Maj(x, y, z) ((x & y) ^ (x & z) ^ (y & z))
227 #define S0(x) (rotr32(x, 2) ^ rotr32(x, 13) ^ rotr32(x, 22))
228 #define S1(x) (rotr32(x, 6) ^ rotr32(x, 11) ^ rotr32(x, 25))
229 #define R0(x) (rotr32(x, 7) ^ rotr32(x, 18) ^ (x >> 3))
230 #define R1(x) (rotr32(x, 17) ^ rotr32(x, 19) ^ (x >> 10))
232 /* Compute the message schedule according to FIPS 180-2:6.2.2 step 2. */
233 for (t = 0; t < 16; ++t) {
234 W[t] = ntohl(*words);
238 for (/*t = 16*/; t < 64; ++t)
239 W[t] = R1(W[t - 2]) + W[t - 7] + R0(W[t - 15]) + W[t - 16];
241 /* The actual computation according to FIPS 180-2:6.2.2 step 3. */
242 for (t = 0; t < 64; ++t) {
243 uint32_t T1 = h + S1(e) + Ch(e, f, g) + K256[t] + W[t];
244 uint32_t T2 = S0(a) + Maj(a, b, c);
260 /* Add the starting values of the context according to FIPS 180-2:6.2.2
262 ctx->hash[0] = a += ctx->hash[0];
263 ctx->hash[1] = b += ctx->hash[1];
264 ctx->hash[2] = c += ctx->hash[2];
265 ctx->hash[3] = d += ctx->hash[3];
266 ctx->hash[4] = e += ctx->hash[4];
267 ctx->hash[5] = f += ctx->hash[5];
268 ctx->hash[6] = g += ctx->hash[6];
269 ctx->hash[7] = h += ctx->hash[7];
271 /* Prepare for the next round. */
275 /* Process LEN bytes of BUFFER, accumulating context into CTX.
276 LEN is rounded _down_ to 128. */
277 static void sha512_process_block128(const void *buffer, size_t len, sha512_ctx_t *ctx)
279 const uint64_t *words = buffer;
280 uint64_t a = ctx->hash[0];
281 uint64_t b = ctx->hash[1];
282 uint64_t c = ctx->hash[2];
283 uint64_t d = ctx->hash[3];
284 uint64_t e = ctx->hash[4];
285 uint64_t f = ctx->hash[5];
286 uint64_t g = ctx->hash[6];
287 uint64_t h = ctx->hash[7];
289 len /= (sizeof(uint64_t) * 16);
294 /* Operators defined in FIPS 180-2:4.1.2. */
295 #define Ch(x, y, z) ((x & y) ^ (~x & z))
296 #define Maj(x, y, z) ((x & y) ^ (x & z) ^ (y & z))
297 #define S0(x) (rotr64(x, 28) ^ rotr64(x, 34) ^ rotr64(x, 39))
298 #define S1(x) (rotr64(x, 14) ^ rotr64(x, 18) ^ rotr64(x, 41))
299 #define R0(x) (rotr64(x, 1) ^ rotr64(x, 8) ^ (x >> 7))
300 #define R1(x) (rotr64(x, 19) ^ rotr64(x, 61) ^ (x >> 6))
302 /* Compute the message schedule according to FIPS 180-2:6.3.2 step 2. */
303 for (t = 0; t < 16; ++t) {
304 W[t] = ntoh64(*words);
307 for (/*t = 16*/; t < 80; ++t)
308 W[t] = R1(W[t - 2]) + W[t - 7] + R0(W[t - 15]) + W[t - 16];
310 /* The actual computation according to FIPS 180-2:6.3.2 step 3. */
311 for (t = 0; t < 80; ++t) {
312 uint64_t K512_t = ((uint64_t)(K256[t]) << 32) + K512_lo[t];
313 uint64_t T1 = h + S1(e) + Ch(e, f, g) + K512_t + W[t];
314 uint64_t T2 = S0(a) + Maj(a, b, c);
330 /* Add the starting values of the context according to FIPS 180-2:6.3.2
332 ctx->hash[0] = a += ctx->hash[0];
333 ctx->hash[1] = b += ctx->hash[1];
334 ctx->hash[2] = c += ctx->hash[2];
335 ctx->hash[3] = d += ctx->hash[3];
336 ctx->hash[4] = e += ctx->hash[4];
337 ctx->hash[5] = f += ctx->hash[5];
338 ctx->hash[6] = g += ctx->hash[6];
339 ctx->hash[7] = h += ctx->hash[7];
346 void FAST_FUNC sha1_begin(sha1_ctx_t *ctx)
349 ctx->hash[0] = 0x67452301;
350 ctx->hash[1] = 0xefcdab89;
351 ctx->hash[2] = 0x98badcfe;
352 ctx->hash[3] = 0x10325476;
353 ctx->hash[4] = 0xc3d2e1f0;
356 static const uint32_t init256[] = {
366 static const uint32_t init512_lo[] = {
376 /* Initialize structure containing state of computation.
377 (FIPS 180-2:5.3.2) */
378 void FAST_FUNC sha256_begin(sha256_ctx_t *ctx)
380 memcpy(ctx->hash, init256, sizeof(init256));
383 /* Initialize structure containing state of computation.
384 (FIPS 180-2:5.3.3) */
385 void FAST_FUNC sha512_begin(sha512_ctx_t *ctx)
388 for (i = 0; i < 8; i++)
389 ctx->hash[i] = ((uint64_t)(init256[i]) << 32) + init512_lo[i];
390 ctx->total64[0] = ctx->total64[1] = 0;
394 void FAST_FUNC sha1_hash(const void *buffer, size_t len, sha1_ctx_t *ctx)
396 unsigned in_buf = ctx->total64 & SHA1_MASK;
397 unsigned add = SHA1_BLOCK_SIZE - in_buf;
401 while (len >= add) { /* transfer whole blocks while possible */
402 memcpy(((unsigned char *) ctx->wbuffer) + in_buf, buffer, add);
403 buffer = (const char *)buffer + add;
405 add = SHA1_BLOCK_SIZE;
407 sha1_process_block64(ctx);
410 memcpy(((unsigned char *) ctx->wbuffer) + in_buf, buffer, len);
413 void FAST_FUNC sha256_hash(const void *buffer, size_t len, sha256_ctx_t *ctx)
415 unsigned in_buf = ctx->total64 & 63;
417 /* First increment the byte count. FIPS 180-2 specifies the possible
418 length of the file up to 2^64 _bits_.
419 We compute the number of _bytes_ and convert to bits later. */
422 /* When we already have some bits in our internal buffer concatenate
423 both inputs first. */
427 /* NB: 1/2 of wbuffer is used only in sha256_end
428 * when length field is added and hashed.
429 * With buffer twice as small, it may happen that
430 * we have it almost full and can't add length field. */
432 add = sizeof(ctx->wbuffer)/2 - in_buf;
435 memcpy(&ctx->wbuffer[in_buf], buffer, add);
438 /* If we still didn't collect full wbuffer, bail out */
439 if (in_buf < sizeof(ctx->wbuffer)/2)
442 sha256_process_block64(ctx->wbuffer, 64, ctx);
443 buffer = (const char *)buffer + add;
447 /* Process available complete blocks. */
449 if (UNALIGNED_P(buffer, uint32_t)) {
451 sha256_process_block64(memcpy(ctx->wbuffer, buffer, 64), 64, ctx);
452 buffer = (const char *)buffer + 64;
456 sha256_process_block64(buffer, len /*& ~63*/, ctx);
457 buffer = (const char *)buffer + (len & ~63);
462 /* Move remaining bytes into internal buffer. */
464 memcpy(ctx->wbuffer, buffer, len);
468 void FAST_FUNC sha512_hash(const void *buffer, size_t len, sha512_ctx_t *ctx)
470 unsigned in_buf = ctx->total64[0] & 127;
472 /* First increment the byte count. FIPS 180-2 specifies the possible
473 length of the file up to 2^128 _bits_.
474 We compute the number of _bytes_ and convert to bits later. */
475 ctx->total64[0] += len;
476 if (ctx->total64[0] < len)
482 add = sizeof(ctx->wbuffer)/2 - in_buf;
485 memcpy(&ctx->wbuffer[in_buf], buffer, add);
488 if (in_buf < sizeof(ctx->wbuffer)/2)
491 sha512_process_block128(ctx->wbuffer, 128, ctx);
492 buffer = (const char *)buffer + add;
497 if (UNALIGNED_P(buffer, uint64_t)) {
499 sha512_process_block128(memcpy(ctx->wbuffer, buffer, 128), 128, ctx);
500 buffer = (const char *)buffer + 128;
504 sha512_process_block128(buffer, len /*& ~127*/, ctx);
505 buffer = (const char *)buffer + (len & ~127);
511 memcpy(ctx->wbuffer, buffer, len);
516 void FAST_FUNC sha1_end(void *resbuf, sha1_ctx_t *ctx)
518 unsigned i, pad, in_buf;
520 /* Pad the buffer to the next 64-byte boundary with 0x80,0,0,0... */
521 in_buf = ctx->total64 & SHA1_MASK;
522 ((uint8_t *)ctx->wbuffer)[in_buf++] = 0x80;
523 pad = SHA1_BLOCK_SIZE - in_buf;
524 memset(((uint8_t *)ctx->wbuffer) + in_buf, 0, pad);
526 /* We need 1+8 or more empty positions, one for the padding byte
527 * (above) and eight for the length count.
528 * If there is not enough space, empty the buffer. */
530 sha1_process_block64(ctx);
531 memset(ctx->wbuffer, 0, SHA1_BLOCK_SIZE - 8);
532 ((uint8_t *)ctx->wbuffer)[0] = 0x80;
535 /* Store the 64-bit counter of bits in the buffer in BE format */
537 uint64_t t = ctx->total64 << 3;
539 /* wbuffer is suitably aligned for this */
540 *(uint64_t *) &ctx->wbuffer[14] = t;
543 sha1_process_block64(ctx);
546 for (i = 0; i < ARRAY_SIZE(ctx->hash); ++i)
547 ctx->hash[i] = htonl(ctx->hash[i]);
549 memcpy(resbuf, ctx->hash, sizeof(ctx->hash));
552 void FAST_FUNC sha256_end(void *resbuf, sha256_ctx_t *ctx)
554 unsigned i, pad, in_buf;
556 /* Pad the buffer to the next 64-byte boundary with 0x80,0,0,0...
557 (FIPS 180-2:5.1.1) */
558 in_buf = ctx->total64 & 63;
559 pad = (in_buf >= 56 ? 64 + 56 - in_buf : 56 - in_buf);
560 memset(&ctx->wbuffer[in_buf], 0, pad);
561 ctx->wbuffer[in_buf] = 0x80;
563 /* Put the 64-bit file length in *bits* at the end of the buffer. */
565 uint64_t t = ctx->total64 << 3;
567 /* wbuffer is suitably aligned for this */
568 *(uint64_t *) &ctx->wbuffer[in_buf + pad] = t;
571 /* Process last bytes. */
572 sha256_process_block64(ctx->wbuffer, in_buf + pad + 8, ctx);
575 for (i = 0; i < ARRAY_SIZE(ctx->hash); ++i)
576 ctx->hash[i] = htonl(ctx->hash[i]);
578 memcpy(resbuf, ctx->hash, sizeof(ctx->hash));
581 void FAST_FUNC sha512_end(void *resbuf, sha512_ctx_t *ctx)
583 unsigned i, pad, in_buf;
585 /* Pad the buffer to the next 128-byte boundary with 0x80,0,0,0...
586 (FIPS 180-2:5.1.2) */
587 in_buf = ctx->total64[0] & 127;
588 pad = in_buf >= 112 ? 128 + 112 - in_buf : 112 - in_buf;
589 memset(&ctx->wbuffer[in_buf], 0, pad);
590 ctx->wbuffer[in_buf] = 0x80;
592 *(uint64_t *) &ctx->wbuffer[in_buf + pad + 8] = hton64(ctx->total64[0] << 3);
593 *(uint64_t *) &ctx->wbuffer[in_buf + pad] = hton64((ctx->total64[1] << 3) | (ctx->total64[0] >> 61));
595 sha512_process_block128(ctx->wbuffer, in_buf + pad + 16, ctx);
598 for (i = 0; i < ARRAY_SIZE(ctx->hash); ++i)
599 ctx->hash[i] = hton64(ctx->hash[i]);
601 memcpy(resbuf, ctx->hash, sizeof(ctx->hash));