1 /* vi: set sw=4 ts=4: */
3 * Based on shasum from http://www.netsw.org/crypto/hash/
4 * Majorly hacked up to use Dr Brian Gladman's sha1 code
6 * Copyright (C) 2002 Dr Brian Gladman <brg@gladman.me.uk>, Worcester, UK.
7 * Copyright (C) 2003 Glenn L. McGrath
8 * Copyright (C) 2003 Erik Andersen
10 * Licensed under GPLv2 or later, see file LICENSE in this tarball for details.
12 * ---------------------------------------------------------------------------
13 * Issue Date: 10/11/2002
15 * This is a byte oriented version of SHA1 that operates on arrays of bytes
16 * stored in memory. It runs at 22 cycles per byte on a Pentium P4 processor
18 * ---------------------------------------------------------------------------
20 * SHA256 and SHA512 parts are:
21 * Released into the Public Domain by Ulrich Drepper <drepper@redhat.com>.
27 #define rotl32(x,n) (((x) << (n)) | ((x) >> (32 - (n))))
28 #define rotr32(x,n) (((x) >> (n)) | ((x) << (32 - (n))))
30 #define rotr64(x,n) (((x) >> (n)) | ((x) << (64 - (n))))
32 static inline uint64_t hton64(uint64_t v)
34 return (((uint64_t)htonl(v)) << 32) | htonl(v >> 32);
39 #define ntoh64(v) hton64(v)
41 /* To check alignment gcc has an appropriate operator. Other
43 #if defined(__GNUC__) && __GNUC__ >= 2
44 # define UNALIGNED_P(p,type) (((uintptr_t) p) % __alignof__(type) != 0)
46 # define UNALIGNED_P(p,type) (((uintptr_t) p) % sizeof(type) != 0)
50 #define SHA1_BLOCK_SIZE 64
51 #define SHA1_DIGEST_SIZE 20
52 #define SHA1_HASH_SIZE SHA1_DIGEST_SIZE
53 #define SHA1_MASK (SHA1_BLOCK_SIZE - 1)
55 static void sha1_process_block64(sha1_ctx_t *ctx)
57 uint32_t w[80], i, a, b, c, d, e, t;
59 /* note that words are compiled from the buffer into 32-bit */
60 /* words in big-endian order so an order reversal is needed */
61 /* here on little endian machines */
62 for (i = 0; i < SHA1_BLOCK_SIZE / 4; ++i)
63 w[i] = ntohl(ctx->wbuffer[i]);
65 for (/*i = SHA1_BLOCK_SIZE / 4*/; i < 80; ++i) {
66 t = w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16];
76 /* Reverse byte order in 32-bit words */
77 #define ch(x,y,z) ((z) ^ ((x) & ((y) ^ (z))))
78 #define parity(x,y,z) ((x) ^ (y) ^ (z))
79 #define maj(x,y,z) (((x) & (y)) | ((z) & ((x) | (y))))
80 /* A normal version as set out in the FIPS. This version uses */
81 /* partial loop unrolling and is optimised for the Pentium 4 */
84 t = a; a = rotl32(a,5) + f(b,c,d) + e + k + w[i]; \
85 e = d; d = c; c = rotl32(b, 30); b = t; \
88 for (i = 0; i < 20; ++i)
91 for (i = 20; i < 40; ++i)
92 rnd(parity, 0x6ed9eba1);
94 for (i = 40; i < 60; ++i)
97 for (i = 60; i < 80; ++i)
98 rnd(parity, 0xca62c1d6);
111 /* Constants for SHA256 from FIPS 180-2:4.2.2. */
112 static const uint32_t K256[80] = {
113 0x428a2f98, 0x71374491,
114 0xb5c0fbcf, 0xe9b5dba5,
115 0x3956c25b, 0x59f111f1,
116 0x923f82a4, 0xab1c5ed5,
117 0xd807aa98, 0x12835b01,
118 0x243185be, 0x550c7dc3,
119 0x72be5d74, 0x80deb1fe,
120 0x9bdc06a7, 0xc19bf174,
121 0xe49b69c1, 0xefbe4786,
122 0x0fc19dc6, 0x240ca1cc,
123 0x2de92c6f, 0x4a7484aa,
124 0x5cb0a9dc, 0x76f988da,
125 0x983e5152, 0xa831c66d,
126 0xb00327c8, 0xbf597fc7,
127 0xc6e00bf3, 0xd5a79147,
128 0x06ca6351, 0x14292967,
129 0x27b70a85, 0x2e1b2138,
130 0x4d2c6dfc, 0x53380d13,
131 0x650a7354, 0x766a0abb,
132 0x81c2c92e, 0x92722c85,
133 0xa2bfe8a1, 0xa81a664b,
134 0xc24b8b70, 0xc76c51a3,
135 0xd192e819, 0xd6990624,
136 0xf40e3585, 0x106aa070,
137 0x19a4c116, 0x1e376c08,
138 0x2748774c, 0x34b0bcb5,
139 0x391c0cb3, 0x4ed8aa4a,
140 0x5b9cca4f, 0x682e6ff3,
141 0x748f82ee, 0x78a5636f,
142 0x84c87814, 0x8cc70208,
143 0x90befffa, 0xa4506ceb,
144 0xbef9a3f7, 0xc67178f2,
145 0xca273ece, 0xd186b8c7, /* [64]+ are used for sha512 only */
146 0xeada7dd6, 0xf57d4f7f,
147 0x06f067aa, 0x0a637dc5,
148 0x113f9804, 0x1b710b35,
149 0x28db77f5, 0x32caab7b,
150 0x3c9ebe0a, 0x431d67c4,
151 0x4cc5d4be, 0x597f299c,
152 0x5fcb6fab, 0x6c44198c
154 /* Constants for SHA512 from FIPS 180-2:4.2.3. */
155 static const uint32_t K512_lo[80] = {
156 0xd728ae22, 0x23ef65cd,
157 0xec4d3b2f, 0x8189dbbc,
158 0xf348b538, 0xb605d019,
159 0xaf194f9b, 0xda6d8118,
160 0xa3030242, 0x45706fbe,
161 0x4ee4b28c, 0xd5ffb4e2,
162 0xf27b896f, 0x3b1696b1,
163 0x25c71235, 0xcf692694,
164 0x9ef14ad2, 0x384f25e3,
165 0x8b8cd5b5, 0x77ac9c65,
166 0x592b0275, 0x6ea6e483,
167 0xbd41fbd4, 0x831153b5,
168 0xee66dfab, 0x2db43210,
169 0x98fb213f, 0xbeef0ee4,
170 0x3da88fc2, 0x930aa725,
171 0xe003826f, 0x0a0e6e70,
172 0x46d22ffc, 0x5c26c926,
173 0x5ac42aed, 0x9d95b3df,
174 0x8baf63de, 0x3c77b2a8,
175 0x47edaee6, 0x1482353b,
176 0x4cf10364, 0xbc423001,
177 0xd0f89791, 0x0654be30,
178 0xd6ef5218, 0x5565a910,
179 0x5771202a, 0x32bbd1b8,
180 0xb8d2d0c8, 0x5141ab53,
181 0xdf8eeb99, 0xe19b48a8,
182 0xc5c95a63, 0xe3418acb,
183 0x7763e373, 0xd6b2b8a3,
184 0x5defb2fc, 0x43172f60,
185 0xa1f0ab72, 0x1a6439ec,
186 0x23631e28, 0xde82bde9,
187 0xb2c67915, 0xe372532b,
188 0xea26619c, 0x21c0c207,
189 0xcde0eb1e, 0xee6ed178,
190 0x72176fba, 0xa2c898a6,
191 0xbef90dae, 0x131c471b,
192 0x23047d84, 0x40c72493,
193 0x15c9bebc, 0x9c100d4c,
194 0xcb3e42b6, 0xfc657e2a,
195 0x3ad6faec, 0x4a475817
198 /* Process LEN bytes of BUFFER, accumulating context into CTX.
199 LEN is rounded _down_ to 64. */
200 static void sha256_process_block64(const void *buffer, size_t len, sha256_ctx_t *ctx)
202 const uint32_t *words = buffer;
203 uint32_t a = ctx->H[0];
204 uint32_t b = ctx->H[1];
205 uint32_t c = ctx->H[2];
206 uint32_t d = ctx->H[3];
207 uint32_t e = ctx->H[4];
208 uint32_t f = ctx->H[5];
209 uint32_t g = ctx->H[6];
210 uint32_t h = ctx->H[7];
212 /* First increment the byte count. FIPS 180-2 specifies the possible
213 length of the file up to 2^64 _bits_.
214 We compute the number of _bytes_ and convert to bits later. */
215 len &= ~(size_t)(sizeof(uint32_t) * 16 - 1);
218 /* Process all bytes in the buffer with 64 bytes in each round of
220 len /= (sizeof(uint32_t) * 16);
225 /* Operators defined in FIPS 180-2:4.1.2. */
226 #define Ch(x, y, z) ((x & y) ^ (~x & z))
227 #define Maj(x, y, z) ((x & y) ^ (x & z) ^ (y & z))
228 #define S0(x) (rotr32(x, 2) ^ rotr32(x, 13) ^ rotr32(x, 22))
229 #define S1(x) (rotr32(x, 6) ^ rotr32(x, 11) ^ rotr32(x, 25))
230 #define R0(x) (rotr32(x, 7) ^ rotr32(x, 18) ^ (x >> 3))
231 #define R1(x) (rotr32(x, 17) ^ rotr32(x, 19) ^ (x >> 10))
233 /* Compute the message schedule according to FIPS 180-2:6.2.2 step 2. */
234 for (t = 0; t < 16; ++t) {
235 W[t] = ntohl(*words);
239 for (/*t = 16*/; t < 64; ++t)
240 W[t] = R1(W[t - 2]) + W[t - 7] + R0(W[t - 15]) + W[t - 16];
242 /* The actual computation according to FIPS 180-2:6.2.2 step 3. */
243 for (t = 0; t < 64; ++t) {
244 uint32_t T1 = h + S1(e) + Ch(e, f, g) + K256[t] + W[t];
245 uint32_t T2 = S0(a) + Maj(a, b, c);
261 /* Add the starting values of the context according to FIPS 180-2:6.2.2
263 ctx->H[0] = a += ctx->H[0];
264 ctx->H[1] = b += ctx->H[1];
265 ctx->H[2] = c += ctx->H[2];
266 ctx->H[3] = d += ctx->H[3];
267 ctx->H[4] = e += ctx->H[4];
268 ctx->H[5] = f += ctx->H[5];
269 ctx->H[6] = g += ctx->H[6];
270 ctx->H[7] = h += ctx->H[7];
272 /* Prepare for the next round. */
276 /* Process LEN bytes of BUFFER, accumulating context into CTX.
277 LEN is rounded _down_ to 128. */
278 static void sha512_process_block128(const void *buffer, size_t len, sha512_ctx_t *ctx)
280 const uint64_t *words = buffer;
281 uint64_t a = ctx->H[0];
282 uint64_t b = ctx->H[1];
283 uint64_t c = ctx->H[2];
284 uint64_t d = ctx->H[3];
285 uint64_t e = ctx->H[4];
286 uint64_t f = ctx->H[5];
287 uint64_t g = ctx->H[6];
288 uint64_t h = ctx->H[7];
290 /* First increment the byte count. FIPS 180-2 specifies the possible
291 length of the file up to 2^128 _bits_.
292 We compute the number of _bytes_ and convert to bits later. */
293 len &= ~(size_t)(sizeof(uint64_t) * 16 - 1);
294 ctx->total64[0] += len;
295 if (ctx->total64[0] < len)
298 len /= (sizeof(uint64_t) * 16);
303 /* Operators defined in FIPS 180-2:4.1.2. */
304 #define Ch(x, y, z) ((x & y) ^ (~x & z))
305 #define Maj(x, y, z) ((x & y) ^ (x & z) ^ (y & z))
306 #define S0(x) (rotr64(x, 28) ^ rotr64(x, 34) ^ rotr64(x, 39))
307 #define S1(x) (rotr64(x, 14) ^ rotr64(x, 18) ^ rotr64(x, 41))
308 #define R0(x) (rotr64(x, 1) ^ rotr64(x, 8) ^ (x >> 7))
309 #define R1(x) (rotr64(x, 19) ^ rotr64(x, 61) ^ (x >> 6))
311 /* Compute the message schedule according to FIPS 180-2:6.3.2 step 2. */
312 for (t = 0; t < 16; ++t) {
313 W[t] = ntoh64(*words);
316 for (/*t = 16*/; t < 80; ++t)
317 W[t] = R1(W[t - 2]) + W[t - 7] + R0(W[t - 15]) + W[t - 16];
319 /* The actual computation according to FIPS 180-2:6.3.2 step 3. */
320 for (t = 0; t < 80; ++t) {
321 uint64_t K512_t = ((uint64_t)(K256[t]) << 32) + K512_lo[t];
322 uint64_t T1 = h + S1(e) + Ch(e, f, g) + K512_t + W[t];
323 uint64_t T2 = S0(a) + Maj(a, b, c);
339 /* Add the starting values of the context according to FIPS 180-2:6.3.2
341 ctx->H[0] = a += ctx->H[0];
342 ctx->H[1] = b += ctx->H[1];
343 ctx->H[2] = c += ctx->H[2];
344 ctx->H[3] = d += ctx->H[3];
345 ctx->H[4] = e += ctx->H[4];
346 ctx->H[5] = f += ctx->H[5];
347 ctx->H[6] = g += ctx->H[6];
348 ctx->H[7] = h += ctx->H[7];
355 void FAST_FUNC sha1_begin(sha1_ctx_t *ctx)
358 ctx->hash[0] = 0x67452301;
359 ctx->hash[1] = 0xefcdab89;
360 ctx->hash[2] = 0x98badcfe;
361 ctx->hash[3] = 0x10325476;
362 ctx->hash[4] = 0xc3d2e1f0;
365 static const uint32_t init256[] = {
375 static const uint32_t init512_lo[] = {
385 /* Initialize structure containing state of computation.
386 (FIPS 180-2:5.3.2) */
387 void FAST_FUNC sha256_begin(sha256_ctx_t *ctx)
389 memcpy(ctx->H, init256, sizeof(init256));
393 /* Initialize structure containing state of computation.
394 (FIPS 180-2:5.3.3) */
395 void FAST_FUNC sha512_begin(sha512_ctx_t *ctx)
398 for (i = 0; i < 8; i++)
399 ctx->H[i] = ((uint64_t)(init256[i]) << 32) + init512_lo[i];
400 ctx->total64[0] = ctx->total64[1] = 0;
405 /* SHA1 hash data in an array of bytes into hash buffer and call the */
406 /* hash_compile function as required. */
407 void FAST_FUNC sha1_hash(const void *buffer, size_t len, sha1_ctx_t *ctx)
409 uint32_t pos = (uint32_t) (ctx->total64 & SHA1_MASK);
410 uint32_t freeb = SHA1_BLOCK_SIZE - pos;
411 const unsigned char *sp = buffer;
415 while (len >= freeb) { /* transfer whole blocks while possible */
416 memcpy(((unsigned char *) ctx->wbuffer) + pos, sp, freeb);
419 freeb = SHA1_BLOCK_SIZE;
421 sha1_process_block64(ctx);
424 memcpy(((unsigned char *) ctx->wbuffer) + pos, sp, len);
427 void FAST_FUNC sha256_hash(const void *buffer, size_t len, sha256_ctx_t *ctx)
429 /* When we already have some bits in our internal buffer concatenate
430 both inputs first. */
431 if (ctx->wbuflen != 0) {
434 /* NB: 1/2 of wbuffer is used only in sha256_end
435 * when length field is added and hashed.
436 * With buffer twice as small, it may happen that
437 * we have it almost full and can't add length field. */
439 add = sizeof(ctx->wbuffer)/2 - ctx->wbuflen;
442 memcpy(&ctx->wbuffer[ctx->wbuflen], buffer, add);
445 /* If we still didn't collect full wbuffer, bail out */
446 if (ctx->wbuflen < sizeof(ctx->wbuffer)/2)
449 sha256_process_block64(ctx->wbuffer, 64, ctx);
451 buffer = (const char *)buffer + add;
455 /* Process available complete blocks. */
457 if (UNALIGNED_P(buffer, uint32_t)) {
459 sha256_process_block64(memcpy(ctx->wbuffer, buffer, 64), 64, ctx);
460 buffer = (const char *)buffer + 64;
464 sha256_process_block64(buffer, len /*& ~63*/, ctx);
465 buffer = (const char *)buffer + (len & ~63);
470 /* Move remaining bytes into internal buffer. */
472 memcpy(ctx->wbuffer, buffer, len);
477 void FAST_FUNC sha512_hash(const void *buffer, size_t len, sha512_ctx_t *ctx)
479 if (ctx->wbuflen != 0) {
482 add = sizeof(ctx->wbuffer)/2 - ctx->wbuflen;
485 memcpy(&ctx->wbuffer[ctx->wbuflen], buffer, add);
488 if (ctx->wbuflen < sizeof(ctx->wbuffer)/2)
491 sha512_process_block128(ctx->wbuffer, 128, ctx);
493 buffer = (const char *)buffer + add;
498 if (UNALIGNED_P(buffer, uint64_t)) {
500 sha512_process_block128(memcpy(ctx->wbuffer, buffer, 128), 128, ctx);
501 buffer = (const char *)buffer + 128;
505 sha512_process_block128(buffer, len /*& ~127*/, ctx);
506 buffer = (const char *)buffer + (len & ~127);
512 memcpy(ctx->wbuffer, buffer, len);
518 void FAST_FUNC sha1_end(void *resbuf, sha1_ctx_t *ctx)
520 /* SHA1 Final padding and digest calculation */
522 static const uint32_t mask[4] = { 0x00000000, 0xff000000, 0xffff0000, 0xffffff00 };
523 static const uint32_t bits[4] = { 0x80000000, 0x00800000, 0x00008000, 0x00000080 };
525 static const uint32_t mask[4] = { 0x00000000, 0x000000ff, 0x0000ffff, 0x00ffffff };
526 static const uint32_t bits[4] = { 0x00000080, 0x00008000, 0x00800000, 0x80000000 };
529 uint8_t *hval = resbuf;
530 uint32_t i, cnt = (uint32_t) (ctx->total64 & SHA1_MASK);
532 /* mask out the rest of any partial 32-bit word and then set */
533 /* the next byte to 0x80. On big-endian machines any bytes in */
534 /* the buffer will be at the top end of 32 bit words, on little */
535 /* endian machines they will be at the bottom. Hence the AND */
536 /* and OR masks above are reversed for little endian systems */
537 ctx->wbuffer[cnt >> 2] =
538 (ctx->wbuffer[cnt >> 2] & mask[cnt & 3]) | bits[cnt & 3];
540 /* we need 9 or more empty positions, one for the padding byte */
541 /* (above) and eight for the length count. If there is not */
542 /* enough space pad and empty the buffer */
543 if (cnt > SHA1_BLOCK_SIZE - 9) {
545 ctx->wbuffer[15] = 0;
546 sha1_process_block64(ctx);
548 } else /* compute a word index for the empty buffer positions */
549 cnt = (cnt >> 2) + 1;
551 while (cnt < 14) /* and zero pad all but last two positions */
552 ctx->wbuffer[cnt++] = 0;
554 /* assemble the 64-bit counter of bits in the buffer in BE */
557 uint64_t t = ctx->total64 << 3;
559 /* wbuffer is suitably aligned for this */
560 *(uint64_t *) &ctx->wbuffer[14] = t;
563 sha1_process_block64(ctx);
565 /* extract the hash value as bytes in case the hash buffer is */
566 /* misaligned for 32-bit words */
567 for (i = 0; i < SHA1_DIGEST_SIZE; ++i)
568 hval[i] = (unsigned char) (ctx->hash[i >> 2] >> 8 * (~i & 3));
572 /* Process the remaining bytes in the internal buffer and the usual
573 prolog according to the standard and write the result to RESBUF.
575 IMPORTANT: On some systems it is required that RESBUF is correctly
576 aligned for a 32 bits value. */
577 void FAST_FUNC sha256_end(void *resbuf, sha256_ctx_t *ctx)
579 /* Take yet unprocessed bytes into account. */
580 unsigned bytes = ctx->wbuflen;
583 /* Now count remaining bytes. */
584 ctx->total64 += bytes;
586 /* Pad the buffer to the next 64-byte boundary with 0x80,0,0,0...
587 (FIPS 180-2:5.1.1) */
588 pad = (bytes >= 56 ? 64 + 56 - bytes : 56 - bytes);
589 memset(&ctx->wbuffer[bytes], 0, pad);
590 ctx->wbuffer[bytes] = 0x80;
592 /* Put the 64-bit file length in *bits* at the end of the buffer. */
594 uint64_t t = ctx->total64 << 3;
596 /* wbuffer is suitably aligned for this */
597 *(uint64_t *) &ctx->wbuffer[bytes + pad] = t;
600 /* Process last bytes. */
601 sha256_process_block64(ctx->wbuffer, bytes + pad + 8, ctx);
603 for (unsigned i = 0; i < 8; ++i)
604 ((uint32_t *) resbuf)[i] = ntohl(ctx->H[i]);
607 /* Process the remaining bytes in the internal buffer and the usual
608 prolog according to the standard and write the result to RESBUF.
610 IMPORTANT: On some systems it is required that RESBUF is correctly
611 aligned for a 64 bits value. */
612 void FAST_FUNC sha512_end(void *resbuf, sha512_ctx_t *ctx)
614 unsigned bytes = ctx->wbuflen;
617 ctx->total64[0] += bytes;
618 if (ctx->total64[0] < bytes)
621 /* Pad the buffer to the next 128-byte boundary with 0x80,0,0,0...
622 (FIPS 180-2:5.1.2) */
623 pad = bytes >= 112 ? 128 + 112 - bytes : 112 - bytes;
624 memset(&ctx->wbuffer[bytes], 0, pad);
625 ctx->wbuffer[bytes] = 0x80;
627 *(uint64_t *) &ctx->wbuffer[bytes + pad + 8] = hton64(ctx->total64[0] << 3);
628 *(uint64_t *) &ctx->wbuffer[bytes + pad] = hton64((ctx->total64[1] << 3) | (ctx->total64[0] >> 61));
630 sha512_process_block128(ctx->wbuffer, bytes + pad + 16, ctx);
632 for (unsigned i = 0; i < 8; ++i)
633 ((uint64_t *) resbuf)[i] = hton64(ctx->H[i]);
projects / oweals / busybox.git / blob