1 /* vi: set sw=4 ts=4: */
3 * Based on shasum from http://www.netsw.org/crypto/hash/
4 * Majorly hacked up to use Dr Brian Gladman's sha1 code
6 * Copyright (C) 2002 Dr Brian Gladman <brg@gladman.me.uk>, Worcester, UK.
7 * Copyright (C) 2003 Glenn L. McGrath
8 * Copyright (C) 2003 Erik Andersen
10 * Licensed under GPLv2 or later, see file LICENSE in this tarball for details.
12 * ---------------------------------------------------------------------------
13 * Issue Date: 10/11/2002
15 * This is a byte oriented version of SHA1 that operates on arrays of bytes
16 * stored in memory. It runs at 22 cycles per byte on a Pentium P4 processor
18 * ---------------------------------------------------------------------------
20 * SHA256 and SHA512 parts are:
21 * Released into the Public Domain by Ulrich Drepper <drepper@redhat.com>.
27 #define rotl32(x,n) (((x) << (n)) | ((x) >> (32 - (n))))
28 #define rotr32(x,n) (((x) >> (n)) | ((x) << (32 - (n))))
30 #define rotr64(x,n) (((x) >> (n)) | ((x) << (64 - (n))))
32 static inline uint64_t hton64(uint64_t v)
34 return (((uint64_t)htonl(v)) << 32) | htonl(v >> 32);
39 #define ntoh64(v) hton64(v)
41 /* To check alignment gcc has an appropriate operator. Other
43 #if defined(__GNUC__) && __GNUC__ >= 2
44 # define UNALIGNED_P(p,type) (((uintptr_t) p) % __alignof__(type) != 0)
46 # define UNALIGNED_P(p,type) (((uintptr_t) p) % sizeof(type) != 0)
50 #define SHA1_BLOCK_SIZE 64
51 #define SHA1_DIGEST_SIZE 20
52 #define SHA1_HASH_SIZE SHA1_DIGEST_SIZE
53 #define SHA1_MASK (SHA1_BLOCK_SIZE - 1)
55 static void sha1_process_block64(sha1_ctx_t *ctx)
57 uint32_t w[80], i, a, b, c, d, e, t;
59 /* note that words are compiled from the buffer into 32-bit */
60 /* words in big-endian order so an order reversal is needed */
61 /* here on little endian machines */
62 for (i = 0; i < SHA1_BLOCK_SIZE / 4; ++i)
63 w[i] = ntohl(ctx->wbuffer[i]);
65 for (/*i = SHA1_BLOCK_SIZE / 4*/; i < 80; ++i) {
66 t = w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16];
76 /* Reverse byte order in 32-bit words */
77 #define ch(x,y,z) ((z) ^ ((x) & ((y) ^ (z))))
78 #define parity(x,y,z) ((x) ^ (y) ^ (z))
79 #define maj(x,y,z) (((x) & (y)) | ((z) & ((x) | (y))))
80 /* A normal version as set out in the FIPS. This version uses */
81 /* partial loop unrolling and is optimised for the Pentium 4 */
84 t = a; a = rotl32(a,5) + f(b,c,d) + e + k + w[i]; \
85 e = d; d = c; c = rotl32(b, 30); b = t; \
88 for (i = 0; i < 20; ++i)
91 for (i = 20; i < 40; ++i)
92 rnd(parity, 0x6ed9eba1);
94 for (i = 40; i < 60; ++i)
97 for (i = 60; i < 80; ++i)
98 rnd(parity, 0xca62c1d6);
111 /* Constants for SHA256 from FIPS 180-2:4.2.2. */
112 static const uint32_t K256[80] = {
113 0x428a2f98, 0x71374491,
114 0xb5c0fbcf, 0xe9b5dba5,
115 0x3956c25b, 0x59f111f1,
116 0x923f82a4, 0xab1c5ed5,
117 0xd807aa98, 0x12835b01,
118 0x243185be, 0x550c7dc3,
119 0x72be5d74, 0x80deb1fe,
120 0x9bdc06a7, 0xc19bf174,
121 0xe49b69c1, 0xefbe4786,
122 0x0fc19dc6, 0x240ca1cc,
123 0x2de92c6f, 0x4a7484aa,
124 0x5cb0a9dc, 0x76f988da,
125 0x983e5152, 0xa831c66d,
126 0xb00327c8, 0xbf597fc7,
127 0xc6e00bf3, 0xd5a79147,
128 0x06ca6351, 0x14292967,
129 0x27b70a85, 0x2e1b2138,
130 0x4d2c6dfc, 0x53380d13,
131 0x650a7354, 0x766a0abb,
132 0x81c2c92e, 0x92722c85,
133 0xa2bfe8a1, 0xa81a664b,
134 0xc24b8b70, 0xc76c51a3,
135 0xd192e819, 0xd6990624,
136 0xf40e3585, 0x106aa070,
137 0x19a4c116, 0x1e376c08,
138 0x2748774c, 0x34b0bcb5,
139 0x391c0cb3, 0x4ed8aa4a,
140 0x5b9cca4f, 0x682e6ff3,
141 0x748f82ee, 0x78a5636f,
142 0x84c87814, 0x8cc70208,
143 0x90befffa, 0xa4506ceb,
144 0xbef9a3f7, 0xc67178f2,
145 0xca273ece, 0xd186b8c7, /* [64]+ are used for sha512 only */
146 0xeada7dd6, 0xf57d4f7f,
147 0x06f067aa, 0x0a637dc5,
148 0x113f9804, 0x1b710b35,
149 0x28db77f5, 0x32caab7b,
150 0x3c9ebe0a, 0x431d67c4,
151 0x4cc5d4be, 0x597f299c,
152 0x5fcb6fab, 0x6c44198c
154 /* Constants for SHA512 from FIPS 180-2:4.2.3. */
155 static const uint32_t K512_lo[80] = {
156 0xd728ae22, 0x23ef65cd,
157 0xec4d3b2f, 0x8189dbbc,
158 0xf348b538, 0xb605d019,
159 0xaf194f9b, 0xda6d8118,
160 0xa3030242, 0x45706fbe,
161 0x4ee4b28c, 0xd5ffb4e2,
162 0xf27b896f, 0x3b1696b1,
163 0x25c71235, 0xcf692694,
164 0x9ef14ad2, 0x384f25e3,
165 0x8b8cd5b5, 0x77ac9c65,
166 0x592b0275, 0x6ea6e483,
167 0xbd41fbd4, 0x831153b5,
168 0xee66dfab, 0x2db43210,
169 0x98fb213f, 0xbeef0ee4,
170 0x3da88fc2, 0x930aa725,
171 0xe003826f, 0x0a0e6e70,
172 0x46d22ffc, 0x5c26c926,
173 0x5ac42aed, 0x9d95b3df,
174 0x8baf63de, 0x3c77b2a8,
175 0x47edaee6, 0x1482353b,
176 0x4cf10364, 0xbc423001,
177 0xd0f89791, 0x0654be30,
178 0xd6ef5218, 0x5565a910,
179 0x5771202a, 0x32bbd1b8,
180 0xb8d2d0c8, 0x5141ab53,
181 0xdf8eeb99, 0xe19b48a8,
182 0xc5c95a63, 0xe3418acb,
183 0x7763e373, 0xd6b2b8a3,
184 0x5defb2fc, 0x43172f60,
185 0xa1f0ab72, 0x1a6439ec,
186 0x23631e28, 0xde82bde9,
187 0xb2c67915, 0xe372532b,
188 0xea26619c, 0x21c0c207,
189 0xcde0eb1e, 0xee6ed178,
190 0x72176fba, 0xa2c898a6,
191 0xbef90dae, 0x131c471b,
192 0x23047d84, 0x40c72493,
193 0x15c9bebc, 0x9c100d4c,
194 0xcb3e42b6, 0xfc657e2a,
195 0x3ad6faec, 0x4a475817
198 /* Process LEN bytes of BUFFER, accumulating context into CTX.
199 LEN is rounded _down_ to 64. */
200 static void sha256_process_block64(const void *buffer, size_t len, sha256_ctx_t *ctx)
202 const uint32_t *words = buffer;
203 uint32_t a = ctx->H[0];
204 uint32_t b = ctx->H[1];
205 uint32_t c = ctx->H[2];
206 uint32_t d = ctx->H[3];
207 uint32_t e = ctx->H[4];
208 uint32_t f = ctx->H[5];
209 uint32_t g = ctx->H[6];
210 uint32_t h = ctx->H[7];
212 /* First increment the byte count. FIPS 180-2 specifies the possible
213 length of the file up to 2^64 _bits_.
214 We compute the number of _bytes_ and convert to bits later. */
215 len &= ~(size_t)(sizeof(uint32_t) * 16 - 1);
218 /* Process all bytes in the buffer with 64 bytes in each round of
220 len /= (sizeof(uint32_t) * 16);
225 /* Operators defined in FIPS 180-2:4.1.2. */
226 #define Ch(x, y, z) ((x & y) ^ (~x & z))
227 #define Maj(x, y, z) ((x & y) ^ (x & z) ^ (y & z))
228 #define S0(x) (rotr32(x, 2) ^ rotr32(x, 13) ^ rotr32(x, 22))
229 #define S1(x) (rotr32(x, 6) ^ rotr32(x, 11) ^ rotr32(x, 25))
230 #define R0(x) (rotr32(x, 7) ^ rotr32(x, 18) ^ (x >> 3))
231 #define R1(x) (rotr32(x, 17) ^ rotr32(x, 19) ^ (x >> 10))
233 /* Compute the message schedule according to FIPS 180-2:6.2.2 step 2. */
234 for (t = 0; t < 16; ++t) {
235 W[t] = ntohl(*words);
239 for (/*t = 16*/; t < 64; ++t)
240 W[t] = R1(W[t - 2]) + W[t - 7] + R0(W[t - 15]) + W[t - 16];
242 /* The actual computation according to FIPS 180-2:6.2.2 step 3. */
243 for (t = 0; t < 64; ++t) {
244 uint32_t T1 = h + S1(e) + Ch(e, f, g) + K256[t] + W[t];
245 uint32_t T2 = S0(a) + Maj(a, b, c);
261 /* Add the starting values of the context according to FIPS 180-2:6.2.2
263 ctx->H[0] = a += ctx->H[0];
264 ctx->H[1] = b += ctx->H[1];
265 ctx->H[2] = c += ctx->H[2];
266 ctx->H[3] = d += ctx->H[3];
267 ctx->H[4] = e += ctx->H[4];
268 ctx->H[5] = f += ctx->H[5];
269 ctx->H[6] = g += ctx->H[6];
270 ctx->H[7] = h += ctx->H[7];
272 /* Prepare for the next round. */
276 /* Process LEN bytes of BUFFER, accumulating context into CTX.
277 LEN is rounded _down_ to 128. */
278 static void sha512_process_block128(const void *buffer, size_t len, sha512_ctx_t *ctx)
280 const uint64_t *words = buffer;
281 uint64_t a = ctx->H[0];
282 uint64_t b = ctx->H[1];
283 uint64_t c = ctx->H[2];
284 uint64_t d = ctx->H[3];
285 uint64_t e = ctx->H[4];
286 uint64_t f = ctx->H[5];
287 uint64_t g = ctx->H[6];
288 uint64_t h = ctx->H[7];
290 /* First increment the byte count. FIPS 180-2 specifies the possible
291 length of the file up to 2^128 _bits_.
292 We compute the number of _bytes_ and convert to bits later. */
293 len &= ~(size_t)(sizeof(uint64_t) * 16 - 1);
294 ctx->total64[0] += len;
295 if (ctx->total64[0] < len)
298 len /= (sizeof(uint64_t) * 16);
303 /* Operators defined in FIPS 180-2:4.1.2. */
304 #define Ch(x, y, z) ((x & y) ^ (~x & z))
305 #define Maj(x, y, z) ((x & y) ^ (x & z) ^ (y & z))
306 #define S0(x) (rotr64(x, 28) ^ rotr64(x, 34) ^ rotr64(x, 39))
307 #define S1(x) (rotr64(x, 14) ^ rotr64(x, 18) ^ rotr64(x, 41))
308 #define R0(x) (rotr64(x, 1) ^ rotr64(x, 8) ^ (x >> 7))
309 #define R1(x) (rotr64(x, 19) ^ rotr64(x, 61) ^ (x >> 6))
311 /* Compute the message schedule according to FIPS 180-2:6.3.2 step 2. */
312 for (t = 0; t < 16; ++t) {
313 W[t] = ntoh64(*words);
316 for (/*t = 16*/; t < 80; ++t)
317 W[t] = R1(W[t - 2]) + W[t - 7] + R0(W[t - 15]) + W[t - 16];
319 /* The actual computation according to FIPS 180-2:6.3.2 step 3. */
320 for (t = 0; t < 80; ++t) {
321 uint64_t K512_t = ((uint64_t)(K256[t]) << 32) + K512_lo[t];
322 uint64_t T1 = h + S1(e) + Ch(e, f, g) + K512_t + W[t];
323 uint64_t T2 = S0(a) + Maj(a, b, c);
339 /* Add the starting values of the context according to FIPS 180-2:6.3.2
341 ctx->H[0] = a += ctx->H[0];
342 ctx->H[1] = b += ctx->H[1];
343 ctx->H[2] = c += ctx->H[2];
344 ctx->H[3] = d += ctx->H[3];
345 ctx->H[4] = e += ctx->H[4];
346 ctx->H[5] = f += ctx->H[5];
347 ctx->H[6] = g += ctx->H[6];
348 ctx->H[7] = h += ctx->H[7];
355 void FAST_FUNC sha1_begin(sha1_ctx_t *ctx)
358 ctx->hash[0] = 0x67452301;
359 ctx->hash[1] = 0xefcdab89;
360 ctx->hash[2] = 0x98badcfe;
361 ctx->hash[3] = 0x10325476;
362 ctx->hash[4] = 0xc3d2e1f0;
365 static const uint32_t init256[] = {
375 static const uint32_t init512_lo[] = {
385 /* Initialize structure containing state of computation.
386 (FIPS 180-2:5.3.2) */
387 void FAST_FUNC sha256_begin(sha256_ctx_t *ctx)
389 memcpy(ctx->H, init256, sizeof(init256));
393 /* Initialize structure containing state of computation.
394 (FIPS 180-2:5.3.3) */
395 void FAST_FUNC sha512_begin(sha512_ctx_t *ctx)
398 for (i = 0; i < 8; i++)
399 ctx->H[i] = ((uint64_t)(init256[i]) << 32) + init512_lo[i];
400 ctx->total64[0] = ctx->total64[1] = 0;
405 /* SHA1 hash data in an array of bytes into hash buffer and call the */
406 /* hash_compile function as required. */
407 void FAST_FUNC sha1_hash(const void *buffer, size_t len, sha1_ctx_t *ctx)
409 unsigned wbuflen = ctx->total64 & SHA1_MASK;
410 unsigned add = SHA1_BLOCK_SIZE - wbuflen;
414 while (len >= add) { /* transfer whole blocks while possible */
415 memcpy(((unsigned char *) ctx->wbuffer) + wbuflen, buffer, add);
416 buffer = (const char *)buffer + add;
418 add = SHA1_BLOCK_SIZE;
420 sha1_process_block64(ctx);
423 memcpy(((unsigned char *) ctx->wbuffer) + wbuflen, buffer, len);
426 void FAST_FUNC sha256_hash(const void *buffer, size_t len, sha256_ctx_t *ctx)
428 /* When we already have some bits in our internal buffer concatenate
429 both inputs first. */
430 if (ctx->wbuflen != 0) {
433 /* NB: 1/2 of wbuffer is used only in sha256_end
434 * when length field is added and hashed.
435 * With buffer twice as small, it may happen that
436 * we have it almost full and can't add length field. */
438 add = sizeof(ctx->wbuffer)/2 - ctx->wbuflen;
441 memcpy(&ctx->wbuffer[ctx->wbuflen], buffer, add);
444 /* If we still didn't collect full wbuffer, bail out */
445 if (ctx->wbuflen < sizeof(ctx->wbuffer)/2)
448 sha256_process_block64(ctx->wbuffer, 64, ctx);
450 buffer = (const char *)buffer + add;
454 /* Process available complete blocks. */
456 if (UNALIGNED_P(buffer, uint32_t)) {
458 sha256_process_block64(memcpy(ctx->wbuffer, buffer, 64), 64, ctx);
459 buffer = (const char *)buffer + 64;
463 sha256_process_block64(buffer, len /*& ~63*/, ctx);
464 buffer = (const char *)buffer + (len & ~63);
469 /* Move remaining bytes into internal buffer. */
471 memcpy(ctx->wbuffer, buffer, len);
476 void FAST_FUNC sha512_hash(const void *buffer, size_t len, sha512_ctx_t *ctx)
478 if (ctx->wbuflen != 0) {
481 add = sizeof(ctx->wbuffer)/2 - ctx->wbuflen;
484 memcpy(&ctx->wbuffer[ctx->wbuflen], buffer, add);
487 if (ctx->wbuflen < sizeof(ctx->wbuffer)/2)
490 sha512_process_block128(ctx->wbuffer, 128, ctx);
492 buffer = (const char *)buffer + add;
497 if (UNALIGNED_P(buffer, uint64_t)) {
499 sha512_process_block128(memcpy(ctx->wbuffer, buffer, 128), 128, ctx);
500 buffer = (const char *)buffer + 128;
504 sha512_process_block128(buffer, len /*& ~127*/, ctx);
505 buffer = (const char *)buffer + (len & ~127);
511 memcpy(ctx->wbuffer, buffer, len);
517 void FAST_FUNC sha1_end(void *resbuf, sha1_ctx_t *ctx)
519 unsigned i, wbuflen, pad;
521 /* Pad the buffer to the next 64-byte boundary with 0x80,0,0,0... */
522 wbuflen = ctx->total64 & SHA1_MASK;
523 ((uint8_t *)ctx->wbuffer)[wbuflen++] = 0x80;
524 pad = SHA1_BLOCK_SIZE - wbuflen;
525 memset(((uint8_t *)ctx->wbuffer) + wbuflen, 0, pad);
527 /* We need 1+8 or more empty positions, one for the padding byte
528 * (above) and eight for the length count.
529 * If there is not enough space, empty the buffer. */
531 sha1_process_block64(ctx);
532 memset(ctx->wbuffer, 0, SHA1_BLOCK_SIZE - 8);
533 ((uint8_t *)ctx->wbuffer)[0] = 0x80;
536 /* Store the 64-bit counter of bits in the buffer in BE format */
538 uint64_t t = ctx->total64 << 3;
540 /* wbuffer is suitably aligned for this */
541 *(uint64_t *) &ctx->wbuffer[14] = t;
544 sha1_process_block64(ctx);
546 /* Extract the hash value as bytes in case resbuf is
547 * misaligned for 32-bit words */
548 for (i = 0; i < ARRAY_SIZE(ctx->hash); ++i) {
549 uint32_t t = ctx->hash[i];
550 t = ntohl(t); /* paranoia. this can be a macro */
551 move_to_unaligned32(resbuf, t); /* ditto */
552 resbuf = (char*)resbuf + 4;
557 /* Process the remaining bytes in the internal buffer and the usual
558 prolog according to the standard and write the result to RESBUF.
560 IMPORTANT: On some systems it is required that RESBUF is correctly
561 aligned for a 32 bits value. */
562 void FAST_FUNC sha256_end(void *resbuf, sha256_ctx_t *ctx)
564 /* Take yet unprocessed bytes into account. */
565 unsigned bytes = ctx->wbuflen;
568 /* Now count remaining bytes. */
569 ctx->total64 += bytes;
571 /* Pad the buffer to the next 64-byte boundary with 0x80,0,0,0...
572 (FIPS 180-2:5.1.1) */
573 pad = (bytes >= 56 ? 64 + 56 - bytes : 56 - bytes);
574 memset(&ctx->wbuffer[bytes], 0, pad);
575 ctx->wbuffer[bytes] = 0x80;
577 /* Put the 64-bit file length in *bits* at the end of the buffer. */
579 uint64_t t = ctx->total64 << 3;
581 /* wbuffer is suitably aligned for this */
582 *(uint64_t *) &ctx->wbuffer[bytes + pad] = t;
585 /* Process last bytes. */
586 sha256_process_block64(ctx->wbuffer, bytes + pad + 8, ctx);
588 for (unsigned i = 0; i < 8; ++i)
589 ((uint32_t *) resbuf)[i] = ntohl(ctx->H[i]);
592 /* Process the remaining bytes in the internal buffer and the usual
593 prolog according to the standard and write the result to RESBUF.
595 IMPORTANT: On some systems it is required that RESBUF is correctly
596 aligned for a 64 bits value. */
597 void FAST_FUNC sha512_end(void *resbuf, sha512_ctx_t *ctx)
599 unsigned bytes = ctx->wbuflen;
602 ctx->total64[0] += bytes;
603 if (ctx->total64[0] < bytes)
606 /* Pad the buffer to the next 128-byte boundary with 0x80,0,0,0...
607 (FIPS 180-2:5.1.2) */
608 pad = bytes >= 112 ? 128 + 112 - bytes : 112 - bytes;
609 memset(&ctx->wbuffer[bytes], 0, pad);
610 ctx->wbuffer[bytes] = 0x80;
612 *(uint64_t *) &ctx->wbuffer[bytes + pad + 8] = hton64(ctx->total64[0] << 3);
613 *(uint64_t *) &ctx->wbuffer[bytes + pad] = hton64((ctx->total64[1] << 3) | (ctx->total64[0] >> 61));
615 sha512_process_block128(ctx->wbuffer, bytes + pad + 16, ctx);
617 for (unsigned i = 0; i < 8; ++i)
618 ((uint64_t *) resbuf)[i] = hton64(ctx->H[i]);