hash_md5_sha.c 24 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898
  1. /* vi: set sw=4 ts=4: */
  2. /*
  3. * Utility routines.
  4. *
  5. * Copyright (C) 2010 Denys Vlasenko
  6. *
  7. * Licensed under GPLv2 or later, see file LICENSE in this source tree.
  8. */
  9. #include "libbb.h"
  10. /* gcc 4.2.1 optimizes rotr64 better with inline than with macro
  11. * (for rotX32, there is no difference). Why? My guess is that
  12. * macro requires clever common subexpression elimination heuristics
  13. * in gcc, while inline basically forces it to happen.
  14. */
  15. //#define rotl32(x,n) (((x) << (n)) | ((x) >> (32 - (n))))
  16. static ALWAYS_INLINE uint32_t rotl32(uint32_t x, unsigned n)
  17. {
  18. return (x << n) | (x >> (32 - n));
  19. }
  20. //#define rotr32(x,n) (((x) >> (n)) | ((x) << (32 - (n))))
  21. static ALWAYS_INLINE uint32_t rotr32(uint32_t x, unsigned n)
  22. {
  23. return (x >> n) | (x << (32 - n));
  24. }
  25. /* rotr64 in needed for sha512 only: */
  26. //#define rotr64(x,n) (((x) >> (n)) | ((x) << (64 - (n))))
  27. static ALWAYS_INLINE uint64_t rotr64(uint64_t x, unsigned n)
  28. {
  29. return (x >> n) | (x << (64 - n));
  30. }
  31. /* Feed data through a temporary buffer.
  32. * The internal buffer remembers previous data until it has 64
  33. * bytes worth to pass on.
  34. */
  35. static void FAST_FUNC common64_hash(md5_ctx_t *ctx, const void *buffer, size_t len)
  36. {
  37. unsigned bufpos = ctx->total64 & 63;
  38. ctx->total64 += len;
  39. while (1) {
  40. unsigned remaining = 64 - bufpos;
  41. if (remaining > len)
  42. remaining = len;
  43. /* Copy data into aligned buffer */
  44. memcpy(ctx->wbuffer + bufpos, buffer, remaining);
  45. len -= remaining;
  46. buffer = (const char *)buffer + remaining;
  47. bufpos += remaining;
  48. /* clever way to do "if (bufpos != 64) break; ... ; bufpos = 0;" */
  49. bufpos -= 64;
  50. if (bufpos != 0)
  51. break;
  52. /* Buffer is filled up, process it */
  53. ctx->process_block(ctx);
  54. /*bufpos = 0; - already is */
  55. }
  56. }
  57. /* Process the remaining bytes in the buffer */
  58. static void FAST_FUNC common64_end(md5_ctx_t *ctx, int swap_needed)
  59. {
  60. unsigned bufpos = ctx->total64 & 63;
  61. /* Pad the buffer to the next 64-byte boundary with 0x80,0,0,0... */
  62. ctx->wbuffer[bufpos++] = 0x80;
  63. /* This loop iterates either once or twice, no more, no less */
  64. while (1) {
  65. unsigned remaining = 64 - bufpos;
  66. memset(ctx->wbuffer + bufpos, 0, remaining);
  67. /* Do we have enough space for the length count? */
  68. if (remaining >= 8) {
  69. /* Store the 64-bit counter of bits in the buffer */
  70. uint64_t t = ctx->total64 << 3;
  71. if (swap_needed)
  72. t = bb_bswap_64(t);
  73. /* wbuffer is suitably aligned for this */
  74. *(uint64_t *) (&ctx->wbuffer[64 - 8]) = t;
  75. }
  76. ctx->process_block(ctx);
  77. if (remaining >= 8)
  78. break;
  79. bufpos = 0;
  80. }
  81. }
  82. /*
  83. * Compute MD5 checksum of strings according to the
  84. * definition of MD5 in RFC 1321 from April 1992.
  85. *
  86. * Written by Ulrich Drepper <drepper@gnu.ai.mit.edu>, 1995.
  87. *
  88. * Copyright (C) 1995-1999 Free Software Foundation, Inc.
  89. * Copyright (C) 2001 Manuel Novoa III
  90. * Copyright (C) 2003 Glenn L. McGrath
  91. * Copyright (C) 2003 Erik Andersen
  92. *
  93. * Licensed under GPLv2 or later, see file LICENSE in this source tree.
  94. */
  95. /* 0: fastest, 3: smallest */
  96. #if CONFIG_MD5_SMALL < 0
  97. # define MD5_SMALL 0
  98. #elif CONFIG_MD5_SMALL > 3
  99. # define MD5_SMALL 3
  100. #else
  101. # define MD5_SMALL CONFIG_MD5_SMALL
  102. #endif
  103. /* These are the four functions used in the four steps of the MD5 algorithm
  104. * and defined in the RFC 1321. The first function is a little bit optimized
  105. * (as found in Colin Plumbs public domain implementation).
  106. * #define FF(b, c, d) ((b & c) | (~b & d))
  107. */
  108. #undef FF
  109. #undef FG
  110. #undef FH
  111. #undef FI
  112. #define FF(b, c, d) (d ^ (b & (c ^ d)))
  113. #define FG(b, c, d) FF(d, b, c)
  114. #define FH(b, c, d) (b ^ c ^ d)
  115. #define FI(b, c, d) (c ^ (b | ~d))
  116. /* Hash a single block, 64 bytes long and 4-byte aligned */
  117. static void FAST_FUNC md5_process_block64(md5_ctx_t *ctx)
  118. {
  119. #if MD5_SMALL > 0
  120. /* Before we start, one word to the strange constants.
  121. They are defined in RFC 1321 as
  122. T[i] = (int)(4294967296.0 * fabs(sin(i))), i=1..64
  123. */
  124. static const uint32_t C_array[] = {
  125. /* round 1 */
  126. 0xd76aa478, 0xe8c7b756, 0x242070db, 0xc1bdceee,
  127. 0xf57c0faf, 0x4787c62a, 0xa8304613, 0xfd469501,
  128. 0x698098d8, 0x8b44f7af, 0xffff5bb1, 0x895cd7be,
  129. 0x6b901122, 0xfd987193, 0xa679438e, 0x49b40821,
  130. /* round 2 */
  131. 0xf61e2562, 0xc040b340, 0x265e5a51, 0xe9b6c7aa,
  132. 0xd62f105d, 0x02441453, 0xd8a1e681, 0xe7d3fbc8,
  133. 0x21e1cde6, 0xc33707d6, 0xf4d50d87, 0x455a14ed,
  134. 0xa9e3e905, 0xfcefa3f8, 0x676f02d9, 0x8d2a4c8a,
  135. /* round 3 */
  136. 0xfffa3942, 0x8771f681, 0x6d9d6122, 0xfde5380c,
  137. 0xa4beea44, 0x4bdecfa9, 0xf6bb4b60, 0xbebfbc70,
  138. 0x289b7ec6, 0xeaa127fa, 0xd4ef3085, 0x4881d05,
  139. 0xd9d4d039, 0xe6db99e5, 0x1fa27cf8, 0xc4ac5665,
  140. /* round 4 */
  141. 0xf4292244, 0x432aff97, 0xab9423a7, 0xfc93a039,
  142. 0x655b59c3, 0x8f0ccc92, 0xffeff47d, 0x85845dd1,
  143. 0x6fa87e4f, 0xfe2ce6e0, 0xa3014314, 0x4e0811a1,
  144. 0xf7537e82, 0xbd3af235, 0x2ad7d2bb, 0xeb86d391
  145. };
  146. static const char P_array[] ALIGN1 = {
  147. # if MD5_SMALL > 1
  148. 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, /* 1 */
  149. # endif
  150. 1, 6, 11, 0, 5, 10, 15, 4, 9, 14, 3, 8, 13, 2, 7, 12, /* 2 */
  151. 5, 8, 11, 14, 1, 4, 7, 10, 13, 0, 3, 6, 9, 12, 15, 2, /* 3 */
  152. 0, 7, 14, 5, 12, 3, 10, 1, 8, 15, 6, 13, 4, 11, 2, 9 /* 4 */
  153. };
  154. #endif
  155. uint32_t *words = (void*) ctx->wbuffer;
  156. uint32_t A = ctx->hash[0];
  157. uint32_t B = ctx->hash[1];
  158. uint32_t C = ctx->hash[2];
  159. uint32_t D = ctx->hash[3];
  160. #if MD5_SMALL >= 2 /* 2 or 3 */
  161. static const char S_array[] ALIGN1 = {
  162. 7, 12, 17, 22,
  163. 5, 9, 14, 20,
  164. 4, 11, 16, 23,
  165. 6, 10, 15, 21
  166. };
  167. const uint32_t *pc;
  168. const char *pp;
  169. const char *ps;
  170. int i;
  171. uint32_t temp;
  172. # if BB_BIG_ENDIAN
  173. for (i = 0; i < 16; i++)
  174. words[i] = SWAP_LE32(words[i]);
  175. # endif
  176. # if MD5_SMALL == 3
  177. pc = C_array;
  178. pp = P_array;
  179. ps = S_array - 4;
  180. for (i = 0; i < 64; i++) {
  181. if ((i & 0x0f) == 0)
  182. ps += 4;
  183. temp = A;
  184. switch (i >> 4) {
  185. case 0:
  186. temp += FF(B, C, D);
  187. break;
  188. case 1:
  189. temp += FG(B, C, D);
  190. break;
  191. case 2:
  192. temp += FH(B, C, D);
  193. break;
  194. case 3:
  195. temp += FI(B, C, D);
  196. }
  197. temp += words[(int) (*pp++)] + *pc++;
  198. temp = rotl32(temp, ps[i & 3]);
  199. temp += B;
  200. A = D;
  201. D = C;
  202. C = B;
  203. B = temp;
  204. }
  205. # else /* MD5_SMALL == 2 */
  206. pc = C_array;
  207. pp = P_array;
  208. ps = S_array;
  209. for (i = 0; i < 16; i++) {
  210. temp = A + FF(B, C, D) + words[(int) (*pp++)] + *pc++;
  211. temp = rotl32(temp, ps[i & 3]);
  212. temp += B;
  213. A = D;
  214. D = C;
  215. C = B;
  216. B = temp;
  217. }
  218. ps += 4;
  219. for (i = 0; i < 16; i++) {
  220. temp = A + FG(B, C, D) + words[(int) (*pp++)] + *pc++;
  221. temp = rotl32(temp, ps[i & 3]);
  222. temp += B;
  223. A = D;
  224. D = C;
  225. C = B;
  226. B = temp;
  227. }
  228. ps += 4;
  229. for (i = 0; i < 16; i++) {
  230. temp = A + FH(B, C, D) + words[(int) (*pp++)] + *pc++;
  231. temp = rotl32(temp, ps[i & 3]);
  232. temp += B;
  233. A = D;
  234. D = C;
  235. C = B;
  236. B = temp;
  237. }
  238. ps += 4;
  239. for (i = 0; i < 16; i++) {
  240. temp = A + FI(B, C, D) + words[(int) (*pp++)] + *pc++;
  241. temp = rotl32(temp, ps[i & 3]);
  242. temp += B;
  243. A = D;
  244. D = C;
  245. C = B;
  246. B = temp;
  247. }
  248. # endif
  249. /* Add checksum to the starting values */
  250. ctx->hash[0] += A;
  251. ctx->hash[1] += B;
  252. ctx->hash[2] += C;
  253. ctx->hash[3] += D;
  254. #else /* MD5_SMALL == 0 or 1 */
  255. uint32_t A_save = A;
  256. uint32_t B_save = B;
  257. uint32_t C_save = C;
  258. uint32_t D_save = D;
  259. # if MD5_SMALL == 1
  260. const uint32_t *pc;
  261. const char *pp;
  262. int i;
  263. # endif
  264. /* First round: using the given function, the context and a constant
  265. the next context is computed. Because the algorithm's processing
  266. unit is a 32-bit word and it is determined to work on words in
  267. little endian byte order we perhaps have to change the byte order
  268. before the computation. To reduce the work for the next steps
  269. we save swapped words in WORDS array. */
  270. # undef OP
  271. # define OP(a, b, c, d, s, T) \
  272. do { \
  273. a += FF(b, c, d) + (*words IF_BIG_ENDIAN(= SWAP_LE32(*words))) + T; \
  274. words++; \
  275. a = rotl32(a, s); \
  276. a += b; \
  277. } while (0)
  278. /* Round 1 */
  279. # if MD5_SMALL == 1
  280. pc = C_array;
  281. for (i = 0; i < 4; i++) {
  282. OP(A, B, C, D, 7, *pc++);
  283. OP(D, A, B, C, 12, *pc++);
  284. OP(C, D, A, B, 17, *pc++);
  285. OP(B, C, D, A, 22, *pc++);
  286. }
  287. # else
  288. OP(A, B, C, D, 7, 0xd76aa478);
  289. OP(D, A, B, C, 12, 0xe8c7b756);
  290. OP(C, D, A, B, 17, 0x242070db);
  291. OP(B, C, D, A, 22, 0xc1bdceee);
  292. OP(A, B, C, D, 7, 0xf57c0faf);
  293. OP(D, A, B, C, 12, 0x4787c62a);
  294. OP(C, D, A, B, 17, 0xa8304613);
  295. OP(B, C, D, A, 22, 0xfd469501);
  296. OP(A, B, C, D, 7, 0x698098d8);
  297. OP(D, A, B, C, 12, 0x8b44f7af);
  298. OP(C, D, A, B, 17, 0xffff5bb1);
  299. OP(B, C, D, A, 22, 0x895cd7be);
  300. OP(A, B, C, D, 7, 0x6b901122);
  301. OP(D, A, B, C, 12, 0xfd987193);
  302. OP(C, D, A, B, 17, 0xa679438e);
  303. OP(B, C, D, A, 22, 0x49b40821);
  304. # endif
  305. words -= 16;
  306. /* For the second to fourth round we have the possibly swapped words
  307. in WORDS. Redefine the macro to take an additional first
  308. argument specifying the function to use. */
  309. # undef OP
  310. # define OP(f, a, b, c, d, k, s, T) \
  311. do { \
  312. a += f(b, c, d) + words[k] + T; \
  313. a = rotl32(a, s); \
  314. a += b; \
  315. } while (0)
  316. /* Round 2 */
  317. # if MD5_SMALL == 1
  318. pp = P_array;
  319. for (i = 0; i < 4; i++) {
  320. OP(FG, A, B, C, D, (int) (*pp++), 5, *pc++);
  321. OP(FG, D, A, B, C, (int) (*pp++), 9, *pc++);
  322. OP(FG, C, D, A, B, (int) (*pp++), 14, *pc++);
  323. OP(FG, B, C, D, A, (int) (*pp++), 20, *pc++);
  324. }
  325. # else
  326. OP(FG, A, B, C, D, 1, 5, 0xf61e2562);
  327. OP(FG, D, A, B, C, 6, 9, 0xc040b340);
  328. OP(FG, C, D, A, B, 11, 14, 0x265e5a51);
  329. OP(FG, B, C, D, A, 0, 20, 0xe9b6c7aa);
  330. OP(FG, A, B, C, D, 5, 5, 0xd62f105d);
  331. OP(FG, D, A, B, C, 10, 9, 0x02441453);
  332. OP(FG, C, D, A, B, 15, 14, 0xd8a1e681);
  333. OP(FG, B, C, D, A, 4, 20, 0xe7d3fbc8);
  334. OP(FG, A, B, C, D, 9, 5, 0x21e1cde6);
  335. OP(FG, D, A, B, C, 14, 9, 0xc33707d6);
  336. OP(FG, C, D, A, B, 3, 14, 0xf4d50d87);
  337. OP(FG, B, C, D, A, 8, 20, 0x455a14ed);
  338. OP(FG, A, B, C, D, 13, 5, 0xa9e3e905);
  339. OP(FG, D, A, B, C, 2, 9, 0xfcefa3f8);
  340. OP(FG, C, D, A, B, 7, 14, 0x676f02d9);
  341. OP(FG, B, C, D, A, 12, 20, 0x8d2a4c8a);
  342. # endif
  343. /* Round 3 */
  344. # if MD5_SMALL == 1
  345. for (i = 0; i < 4; i++) {
  346. OP(FH, A, B, C, D, (int) (*pp++), 4, *pc++);
  347. OP(FH, D, A, B, C, (int) (*pp++), 11, *pc++);
  348. OP(FH, C, D, A, B, (int) (*pp++), 16, *pc++);
  349. OP(FH, B, C, D, A, (int) (*pp++), 23, *pc++);
  350. }
  351. # else
  352. OP(FH, A, B, C, D, 5, 4, 0xfffa3942);
  353. OP(FH, D, A, B, C, 8, 11, 0x8771f681);
  354. OP(FH, C, D, A, B, 11, 16, 0x6d9d6122);
  355. OP(FH, B, C, D, A, 14, 23, 0xfde5380c);
  356. OP(FH, A, B, C, D, 1, 4, 0xa4beea44);
  357. OP(FH, D, A, B, C, 4, 11, 0x4bdecfa9);
  358. OP(FH, C, D, A, B, 7, 16, 0xf6bb4b60);
  359. OP(FH, B, C, D, A, 10, 23, 0xbebfbc70);
  360. OP(FH, A, B, C, D, 13, 4, 0x289b7ec6);
  361. OP(FH, D, A, B, C, 0, 11, 0xeaa127fa);
  362. OP(FH, C, D, A, B, 3, 16, 0xd4ef3085);
  363. OP(FH, B, C, D, A, 6, 23, 0x04881d05);
  364. OP(FH, A, B, C, D, 9, 4, 0xd9d4d039);
  365. OP(FH, D, A, B, C, 12, 11, 0xe6db99e5);
  366. OP(FH, C, D, A, B, 15, 16, 0x1fa27cf8);
  367. OP(FH, B, C, D, A, 2, 23, 0xc4ac5665);
  368. # endif
  369. /* Round 4 */
  370. # if MD5_SMALL == 1
  371. for (i = 0; i < 4; i++) {
  372. OP(FI, A, B, C, D, (int) (*pp++), 6, *pc++);
  373. OP(FI, D, A, B, C, (int) (*pp++), 10, *pc++);
  374. OP(FI, C, D, A, B, (int) (*pp++), 15, *pc++);
  375. OP(FI, B, C, D, A, (int) (*pp++), 21, *pc++);
  376. }
  377. # else
  378. OP(FI, A, B, C, D, 0, 6, 0xf4292244);
  379. OP(FI, D, A, B, C, 7, 10, 0x432aff97);
  380. OP(FI, C, D, A, B, 14, 15, 0xab9423a7);
  381. OP(FI, B, C, D, A, 5, 21, 0xfc93a039);
  382. OP(FI, A, B, C, D, 12, 6, 0x655b59c3);
  383. OP(FI, D, A, B, C, 3, 10, 0x8f0ccc92);
  384. OP(FI, C, D, A, B, 10, 15, 0xffeff47d);
  385. OP(FI, B, C, D, A, 1, 21, 0x85845dd1);
  386. OP(FI, A, B, C, D, 8, 6, 0x6fa87e4f);
  387. OP(FI, D, A, B, C, 15, 10, 0xfe2ce6e0);
  388. OP(FI, C, D, A, B, 6, 15, 0xa3014314);
  389. OP(FI, B, C, D, A, 13, 21, 0x4e0811a1);
  390. OP(FI, A, B, C, D, 4, 6, 0xf7537e82);
  391. OP(FI, D, A, B, C, 11, 10, 0xbd3af235);
  392. OP(FI, C, D, A, B, 2, 15, 0x2ad7d2bb);
  393. OP(FI, B, C, D, A, 9, 21, 0xeb86d391);
  394. # undef OP
  395. # endif
  396. /* Add checksum to the starting values */
  397. ctx->hash[0] = A_save + A;
  398. ctx->hash[1] = B_save + B;
  399. ctx->hash[2] = C_save + C;
  400. ctx->hash[3] = D_save + D;
  401. #endif
  402. }
  403. #undef FF
  404. #undef FG
  405. #undef FH
  406. #undef FI
  407. /* Initialize structure containing state of computation.
  408. * (RFC 1321, 3.3: Step 3)
  409. */
  410. void FAST_FUNC md5_begin(md5_ctx_t *ctx)
  411. {
  412. ctx->hash[0] = 0x67452301;
  413. ctx->hash[1] = 0xefcdab89;
  414. ctx->hash[2] = 0x98badcfe;
  415. ctx->hash[3] = 0x10325476;
  416. ctx->total64 = 0;
  417. ctx->process_block = md5_process_block64;
  418. }
  419. /* Used also for sha1 and sha256 */
  420. void FAST_FUNC md5_hash(md5_ctx_t *ctx, const void *buffer, size_t len)
  421. {
  422. common64_hash(ctx, buffer, len);
  423. }
  424. /* Process the remaining bytes in the buffer and put result from CTX
  425. * in first 16 bytes following RESBUF. The result is always in little
  426. * endian byte order, so that a byte-wise output yields to the wanted
  427. * ASCII representation of the message digest.
  428. */
  429. void FAST_FUNC md5_end(md5_ctx_t *ctx, void *resbuf)
  430. {
  431. /* MD5 stores total in LE, need to swap on BE arches: */
  432. common64_end(ctx, /*swap_needed:*/ BB_BIG_ENDIAN);
  433. /* The MD5 result is in little endian byte order */
  434. #if BB_BIG_ENDIAN
  435. ctx->hash[0] = SWAP_LE32(ctx->hash[0]);
  436. ctx->hash[1] = SWAP_LE32(ctx->hash[1]);
  437. ctx->hash[2] = SWAP_LE32(ctx->hash[2]);
  438. ctx->hash[3] = SWAP_LE32(ctx->hash[3]);
  439. #endif
  440. memcpy(resbuf, ctx->hash, sizeof(ctx->hash[0]) * 4);
  441. }
  442. /*
  443. * SHA1 part is:
  444. * Copyright 2007 Rob Landley <rob@landley.net>
  445. *
  446. * Based on the public domain SHA-1 in C by Steve Reid <steve@edmweb.com>
  447. * from http://www.mirrors.wiretapped.net/security/cryptography/hashes/sha1/
  448. *
  449. * Licensed under GPLv2, see file LICENSE in this source tree.
  450. *
  451. * ---------------------------------------------------------------------------
  452. *
  453. * SHA256 and SHA512 parts are:
  454. * Released into the Public Domain by Ulrich Drepper <drepper@redhat.com>.
  455. * Shrank by Denys Vlasenko.
  456. *
  457. * ---------------------------------------------------------------------------
  458. *
  459. * The best way to test random blocksizes is to go to coreutils/md5_sha1_sum.c
  460. * and replace "4096" with something like "2000 + time(NULL) % 2097",
  461. * then rebuild and compare "shaNNNsum bigfile" results.
  462. */
  463. static void FAST_FUNC sha1_process_block64(sha1_ctx_t *ctx)
  464. {
  465. static const uint32_t rconsts[] = {
  466. 0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6
  467. };
  468. int i, j;
  469. int cnt;
  470. uint32_t W[16+16];
  471. uint32_t a, b, c, d, e;
  472. /* On-stack work buffer frees up one register in the main loop
  473. * which otherwise will be needed to hold ctx pointer */
  474. for (i = 0; i < 16; i++)
  475. W[i] = W[i+16] = SWAP_BE32(((uint32_t*)ctx->wbuffer)[i]);
  476. a = ctx->hash[0];
  477. b = ctx->hash[1];
  478. c = ctx->hash[2];
  479. d = ctx->hash[3];
  480. e = ctx->hash[4];
  481. /* 4 rounds of 20 operations each */
  482. cnt = 0;
  483. for (i = 0; i < 4; i++) {
  484. j = 19;
  485. do {
  486. uint32_t work;
  487. work = c ^ d;
  488. if (i == 0) {
  489. work = (work & b) ^ d;
  490. if (j <= 3)
  491. goto ge16;
  492. /* Used to do SWAP_BE32 here, but this
  493. * requires ctx (see comment above) */
  494. work += W[cnt];
  495. } else {
  496. if (i == 2)
  497. work = ((b | c) & d) | (b & c);
  498. else /* i = 1 or 3 */
  499. work ^= b;
  500. ge16:
  501. W[cnt] = W[cnt+16] = rotl32(W[cnt+13] ^ W[cnt+8] ^ W[cnt+2] ^ W[cnt], 1);
  502. work += W[cnt];
  503. }
  504. work += e + rotl32(a, 5) + rconsts[i];
  505. /* Rotate by one for next time */
  506. e = d;
  507. d = c;
  508. c = /* b = */ rotl32(b, 30);
  509. b = a;
  510. a = work;
  511. cnt = (cnt + 1) & 15;
  512. } while (--j >= 0);
  513. }
  514. ctx->hash[0] += a;
  515. ctx->hash[1] += b;
  516. ctx->hash[2] += c;
  517. ctx->hash[3] += d;
  518. ctx->hash[4] += e;
  519. }
  520. /* Constants for SHA512 from FIPS 180-2:4.2.3.
  521. * SHA256 constants from FIPS 180-2:4.2.2
  522. * are the most significant half of first 64 elements
  523. * of the same array.
  524. */
  525. static const uint64_t sha_K[80] = {
  526. 0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL,
  527. 0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL,
  528. 0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL,
  529. 0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL,
  530. 0xd807aa98a3030242ULL, 0x12835b0145706fbeULL,
  531. 0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL,
  532. 0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL,
  533. 0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL,
  534. 0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL,
  535. 0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL,
  536. 0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL,
  537. 0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL,
  538. 0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL,
  539. 0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL,
  540. 0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL,
  541. 0x06ca6351e003826fULL, 0x142929670a0e6e70ULL,
  542. 0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL,
  543. 0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL,
  544. 0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL,
  545. 0x81c2c92e47edaee6ULL, 0x92722c851482353bULL,
  546. 0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL,
  547. 0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL,
  548. 0xd192e819d6ef5218ULL, 0xd69906245565a910ULL,
  549. 0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL,
  550. 0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL,
  551. 0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL,
  552. 0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL,
  553. 0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL,
  554. 0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL,
  555. 0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL,
  556. 0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL,
  557. 0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL,
  558. 0xca273eceea26619cULL, 0xd186b8c721c0c207ULL, /* [64]+ are used for sha512 only */
  559. 0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL,
  560. 0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL,
  561. 0x113f9804bef90daeULL, 0x1b710b35131c471bULL,
  562. 0x28db77f523047d84ULL, 0x32caab7b40c72493ULL,
  563. 0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL,
  564. 0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL,
  565. 0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL
  566. };
  567. #undef Ch
  568. #undef Maj
  569. #undef S0
  570. #undef S1
  571. #undef R0
  572. #undef R1
  573. static void FAST_FUNC sha256_process_block64(sha256_ctx_t *ctx)
  574. {
  575. unsigned t;
  576. uint32_t W[64], a, b, c, d, e, f, g, h;
  577. const uint32_t *words = (uint32_t*) ctx->wbuffer;
  578. /* Operators defined in FIPS 180-2:4.1.2. */
  579. #define Ch(x, y, z) ((x & y) ^ (~x & z))
  580. #define Maj(x, y, z) ((x & y) ^ (x & z) ^ (y & z))
  581. #define S0(x) (rotr32(x, 2) ^ rotr32(x, 13) ^ rotr32(x, 22))
  582. #define S1(x) (rotr32(x, 6) ^ rotr32(x, 11) ^ rotr32(x, 25))
  583. #define R0(x) (rotr32(x, 7) ^ rotr32(x, 18) ^ (x >> 3))
  584. #define R1(x) (rotr32(x, 17) ^ rotr32(x, 19) ^ (x >> 10))
  585. /* Compute the message schedule according to FIPS 180-2:6.2.2 step 2. */
  586. for (t = 0; t < 16; ++t)
  587. W[t] = SWAP_BE32(words[t]);
  588. for (/*t = 16*/; t < 64; ++t)
  589. W[t] = R1(W[t - 2]) + W[t - 7] + R0(W[t - 15]) + W[t - 16];
  590. a = ctx->hash[0];
  591. b = ctx->hash[1];
  592. c = ctx->hash[2];
  593. d = ctx->hash[3];
  594. e = ctx->hash[4];
  595. f = ctx->hash[5];
  596. g = ctx->hash[6];
  597. h = ctx->hash[7];
  598. /* The actual computation according to FIPS 180-2:6.2.2 step 3. */
  599. for (t = 0; t < 64; ++t) {
  600. /* Need to fetch upper half of sha_K[t]
  601. * (I hope compiler is clever enough to just fetch
  602. * upper half)
  603. */
  604. uint32_t K_t = sha_K[t] >> 32;
  605. uint32_t T1 = h + S1(e) + Ch(e, f, g) + K_t + W[t];
  606. uint32_t T2 = S0(a) + Maj(a, b, c);
  607. h = g;
  608. g = f;
  609. f = e;
  610. e = d + T1;
  611. d = c;
  612. c = b;
  613. b = a;
  614. a = T1 + T2;
  615. }
  616. #undef Ch
  617. #undef Maj
  618. #undef S0
  619. #undef S1
  620. #undef R0
  621. #undef R1
  622. /* Add the starting values of the context according to FIPS 180-2:6.2.2
  623. step 4. */
  624. ctx->hash[0] += a;
  625. ctx->hash[1] += b;
  626. ctx->hash[2] += c;
  627. ctx->hash[3] += d;
  628. ctx->hash[4] += e;
  629. ctx->hash[5] += f;
  630. ctx->hash[6] += g;
  631. ctx->hash[7] += h;
  632. }
  633. static void FAST_FUNC sha512_process_block128(sha512_ctx_t *ctx)
  634. {
  635. unsigned t;
  636. uint64_t W[80];
  637. /* On i386, having assignments here (not later as sha256 does)
  638. * produces 99 bytes smaller code with gcc 4.3.1
  639. */
  640. uint64_t a = ctx->hash[0];
  641. uint64_t b = ctx->hash[1];
  642. uint64_t c = ctx->hash[2];
  643. uint64_t d = ctx->hash[3];
  644. uint64_t e = ctx->hash[4];
  645. uint64_t f = ctx->hash[5];
  646. uint64_t g = ctx->hash[6];
  647. uint64_t h = ctx->hash[7];
  648. const uint64_t *words = (uint64_t*) ctx->wbuffer;
  649. /* Operators defined in FIPS 180-2:4.1.2. */
  650. #define Ch(x, y, z) ((x & y) ^ (~x & z))
  651. #define Maj(x, y, z) ((x & y) ^ (x & z) ^ (y & z))
  652. #define S0(x) (rotr64(x, 28) ^ rotr64(x, 34) ^ rotr64(x, 39))
  653. #define S1(x) (rotr64(x, 14) ^ rotr64(x, 18) ^ rotr64(x, 41))
  654. #define R0(x) (rotr64(x, 1) ^ rotr64(x, 8) ^ (x >> 7))
  655. #define R1(x) (rotr64(x, 19) ^ rotr64(x, 61) ^ (x >> 6))
  656. /* Compute the message schedule according to FIPS 180-2:6.3.2 step 2. */
  657. for (t = 0; t < 16; ++t)
  658. W[t] = SWAP_BE64(words[t]);
  659. for (/*t = 16*/; t < 80; ++t)
  660. W[t] = R1(W[t - 2]) + W[t - 7] + R0(W[t - 15]) + W[t - 16];
  661. /* The actual computation according to FIPS 180-2:6.3.2 step 3. */
  662. for (t = 0; t < 80; ++t) {
  663. uint64_t T1 = h + S1(e) + Ch(e, f, g) + sha_K[t] + W[t];
  664. uint64_t T2 = S0(a) + Maj(a, b, c);
  665. h = g;
  666. g = f;
  667. f = e;
  668. e = d + T1;
  669. d = c;
  670. c = b;
  671. b = a;
  672. a = T1 + T2;
  673. }
  674. #undef Ch
  675. #undef Maj
  676. #undef S0
  677. #undef S1
  678. #undef R0
  679. #undef R1
  680. /* Add the starting values of the context according to FIPS 180-2:6.3.2
  681. step 4. */
  682. ctx->hash[0] += a;
  683. ctx->hash[1] += b;
  684. ctx->hash[2] += c;
  685. ctx->hash[3] += d;
  686. ctx->hash[4] += e;
  687. ctx->hash[5] += f;
  688. ctx->hash[6] += g;
  689. ctx->hash[7] += h;
  690. }
  691. void FAST_FUNC sha1_begin(sha1_ctx_t *ctx)
  692. {
  693. ctx->hash[0] = 0x67452301;
  694. ctx->hash[1] = 0xefcdab89;
  695. ctx->hash[2] = 0x98badcfe;
  696. ctx->hash[3] = 0x10325476;
  697. ctx->hash[4] = 0xc3d2e1f0;
  698. ctx->total64 = 0;
  699. ctx->process_block = sha1_process_block64;
  700. }
  701. static const uint32_t init256[] = {
  702. 0,
  703. 0,
  704. 0x6a09e667,
  705. 0xbb67ae85,
  706. 0x3c6ef372,
  707. 0xa54ff53a,
  708. 0x510e527f,
  709. 0x9b05688c,
  710. 0x1f83d9ab,
  711. 0x5be0cd19,
  712. };
  713. static const uint32_t init512_lo[] = {
  714. 0,
  715. 0,
  716. 0xf3bcc908,
  717. 0x84caa73b,
  718. 0xfe94f82b,
  719. 0x5f1d36f1,
  720. 0xade682d1,
  721. 0x2b3e6c1f,
  722. 0xfb41bd6b,
  723. 0x137e2179,
  724. };
  725. /* Initialize structure containing state of computation.
  726. (FIPS 180-2:5.3.2) */
  727. void FAST_FUNC sha256_begin(sha256_ctx_t *ctx)
  728. {
  729. memcpy(&ctx->total64, init256, sizeof(init256));
  730. /*ctx->total64 = 0; - done by prepending two 32-bit zeros to init256 */
  731. ctx->process_block = sha256_process_block64;
  732. }
  733. /* Initialize structure containing state of computation.
  734. (FIPS 180-2:5.3.3) */
  735. void FAST_FUNC sha512_begin(sha512_ctx_t *ctx)
  736. {
  737. int i;
  738. /* Two extra iterations zero out ctx->total64[2] */
  739. uint64_t *tp = ctx->total64;
  740. for (i = 0; i < 2+8; i++)
  741. tp[i] = ((uint64_t)(init256[i]) << 32) + init512_lo[i];
  742. /*ctx->total64[0] = ctx->total64[1] = 0; - already done */
  743. }
  744. void FAST_FUNC sha512_hash(sha512_ctx_t *ctx, const void *buffer, size_t len)
  745. {
  746. unsigned bufpos = ctx->total64[0] & 127;
  747. unsigned remaining;
  748. /* First increment the byte count. FIPS 180-2 specifies the possible
  749. length of the file up to 2^128 _bits_.
  750. We compute the number of _bytes_ and convert to bits later. */
  751. ctx->total64[0] += len;
  752. if (ctx->total64[0] < len)
  753. ctx->total64[1]++;
  754. #if 0
  755. remaining = 128 - bufpos;
  756. /* Hash whole blocks */
  757. while (len >= remaining) {
  758. memcpy(ctx->wbuffer + bufpos, buffer, remaining);
  759. buffer = (const char *)buffer + remaining;
  760. len -= remaining;
  761. remaining = 128;
  762. bufpos = 0;
  763. sha512_process_block128(ctx);
  764. }
  765. /* Save last, partial blosk */
  766. memcpy(ctx->wbuffer + bufpos, buffer, len);
  767. #else
  768. while (1) {
  769. remaining = 128 - bufpos;
  770. if (remaining > len)
  771. remaining = len;
  772. /* Copy data into aligned buffer */
  773. memcpy(ctx->wbuffer + bufpos, buffer, remaining);
  774. len -= remaining;
  775. buffer = (const char *)buffer + remaining;
  776. bufpos += remaining;
  777. /* clever way to do "if (bufpos != 128) break; ... ; bufpos = 0;" */
  778. bufpos -= 128;
  779. if (bufpos != 0)
  780. break;
  781. /* Buffer is filled up, process it */
  782. sha512_process_block128(ctx);
  783. /*bufpos = 0; - already is */
  784. }
  785. #endif
  786. }
  787. /* Used also for sha256 */
  788. void FAST_FUNC sha1_end(sha1_ctx_t *ctx, void *resbuf)
  789. {
  790. unsigned hash_size;
  791. /* SHA stores total in BE, need to swap on LE arches: */
  792. common64_end(ctx, /*swap_needed:*/ BB_LITTLE_ENDIAN);
  793. hash_size = (ctx->process_block == sha1_process_block64) ? 5 : 8;
  794. /* This way we do not impose alignment constraints on resbuf: */
  795. if (BB_LITTLE_ENDIAN) {
  796. unsigned i;
  797. for (i = 0; i < hash_size; ++i)
  798. ctx->hash[i] = SWAP_BE32(ctx->hash[i]);
  799. }
  800. memcpy(resbuf, ctx->hash, sizeof(ctx->hash[0]) * hash_size);
  801. }
  802. void FAST_FUNC sha512_end(sha512_ctx_t *ctx, void *resbuf)
  803. {
  804. unsigned bufpos = ctx->total64[0] & 127;
  805. /* Pad the buffer to the next 128-byte boundary with 0x80,0,0,0... */
  806. ctx->wbuffer[bufpos++] = 0x80;
  807. while (1) {
  808. unsigned remaining = 128 - bufpos;
  809. memset(ctx->wbuffer + bufpos, 0, remaining);
  810. if (remaining >= 16) {
  811. /* Store the 128-bit counter of bits in the buffer in BE format */
  812. uint64_t t;
  813. t = ctx->total64[0] << 3;
  814. t = SWAP_BE64(t);
  815. *(uint64_t *) (&ctx->wbuffer[128 - 8]) = t;
  816. t = (ctx->total64[1] << 3) | (ctx->total64[0] >> 61);
  817. t = SWAP_BE64(t);
  818. *(uint64_t *) (&ctx->wbuffer[128 - 16]) = t;
  819. }
  820. sha512_process_block128(ctx);
  821. if (remaining >= 16)
  822. break;
  823. bufpos = 0;
  824. }
  825. if (BB_LITTLE_ENDIAN) {
  826. unsigned i;
  827. for (i = 0; i < ARRAY_SIZE(ctx->hash); ++i)
  828. ctx->hash[i] = SWAP_BE64(ctx->hash[i]);
  829. }
  830. memcpy(resbuf, ctx->hash, sizeof(ctx->hash));
  831. }