/* [<][>][^][v][top][bottom][index][help] */
DEFINITIONS
This source file includes following definitions.
- shaByteSwap
- shaByteSwap
- SHAInit
- SHATransform
- SHAUpdate
- SHAFinal
1 /*
2 * sha.c - NIST Secure Hash Algorithm, FIPS PUB 180 and 180.1.
3 * The algorithm is by spook(s) unknown at the U.S. National Security Agency.
4 *
5 * Written 2 September 1992, Peter C. Gutmann.
6 * This implementation placed in the public domain.
7 *
8 * Modified 1 June 1993, Colin Plumb.
9 * Modified for the new SHS based on Peter Gutmann's work,
10 * 18 July 1994, Colin Plumb.
11 *
12 * Renamed to SHA and comments updated a bit 1 November 1995, Colin Plumb.
13 * These modifications placed in the public domain.
14 *
15 * Comments to pgut1@cs.aukuni.ac.nz
16 *
17 * Hacked for use in libmd by Martin Hinner <mhi@penguin.cz>
18 */
19
20 #include <string.h>
21 #include "sha.h"
22
23 #if defined(WORDS_BIGENDIAN)
24 /* On big-endian machines, we can use memcpy. */
25 static void
26 shaByteSwap (uint32_t * dest, u_char const *src, unsigned int words)
27 {
28 if ((const void *)dest != (const void*)src) {
29 memcpy(dest, src, words*sizeof(uint32_t));
30 }
31 }
32 #else
33 /*
34 Shuffle the bytes into big-endian order within words, as per the
35 SHA spec.
36 */
37 static void
38 shaByteSwap (uint32_t * dest, u_char const *src, unsigned int words)
39 {
40 do
41 {
42 *dest++ = (uint32_t) ((unsigned) src[0] << 8 | src[1]) << 16 |
43 ((unsigned) src[2] << 8 | src[3]);
44 src += 4;
45 }
46 while (--words);
47 }
48 #endif /*!WORDS_BIGENDIAN*/
49
50 /* Initialize the SHA values */
51 void
52 SHAInit (SHA_CTX * ctx)
53 {
54
55 /* Set the h-vars to their initial values */
56 ctx->iv[0] = 0x67452301;
57 ctx->iv[1] = 0xEFCDAB89;
58 ctx->iv[2] = 0x98BADCFE;
59 ctx->iv[3] = 0x10325476;
60 ctx->iv[4] = 0xC3D2E1F0;
61
62 /* Initialise bit count */
63 #ifdef HAVE64
64 ctx->bytes = 0;
65 #else
66 ctx->bytesHi = 0;
67 ctx->bytesLo = 0;
68 #endif
69 }
70
71 /*
72 The SHA f()-functions. The f1 and f3 functions can be optimized to
73 save one boolean operation each - thanks to Rich Schroeppel,
74 rcs@cs.arizona.edu for discovering this.
75 The f3 function can be modified to use an addition to combine the
76 two halves rather than OR, allowing more opportunity for using
77 associativity in optimization. (Colin Plumb)
78
79 Note that it may be necessary to add parentheses to these macros
80 if they are to be called with expressions as arguments.
81 */
82 #define f1(x,y,z) ( z ^ (x & (y ^ z) ) ) /* Rounds 0-19 */
83 #define f2(x,y,z) ( x ^ y ^ z ) /* Rounds 20-39 */
84 #define f3(x,y,z) ( (x & y) + (z & (x ^ y) ) ) /* Rounds 40-59 */
85 #define f4(x,y,z) ( x ^ y ^ z ) /* Rounds 60-79 */
86
87 /* The SHA Mysterious Constants. */
88 #define K2 0x5A827999L /* Rounds 0 -19 - floor(sqrt(2) * 2^30) */
89 #define K3 0x6ED9EBA1L /* Rounds 20-39 - floor(sqrt(3) * 2^30) */
90 #define K5 0x8F1BBCDCL /* Rounds 40-59 - floor(sqrt(5) * 2^30) */
91 #define K10 0xCA62C1D6L /* Rounds 60-79 - floor(sqrt(10) * 2^30) */
92
93 /* 32-bit rotate left - kludged with shifts */
94 #define ROTL(n,X) ( (X << n) | (X >> (32-n)) )
95
96 /*
97 The initial expanding function
98
99 The hash function is defined over an 80-word expanded input array W,
100 where the first 16 are copies of the input data, and the remaining 64
101 are defined by W[i] = W[i-16] ^ W[i-14] ^ W[i-8] ^ W[i-3]. This
102 implementation generates these values on the fly in a circular buffer.
103
104 The new "corrected" FIPS 180.1 added a 1-bit left rotate to this
105 computation of W[i].
106
107 The expandx() version doesn't write the result back, which can be
108 used for the last three rounds since those outputs are never used.
109 */
110 #if SHA_VERSION /* FIPS 180.1 */
111
112 #define expandx(W,i) (t = W[i&15] ^ W[(i-14)&15] ^ W[(i-8)&15] ^ W[(i-3)&15],\
113 ROTL(1, t))
114 #define expand(W,i) (W[i&15] = expandx(W,i))
115
116 #else /* Old FIPS 180 */
117
118 #define expandx(W,i) (W[i&15] ^ W[(i-14)&15] ^ W[(i-8)&15] ^ W[(i-3)&15])
119 #define expand(W,i) (W[i&15] ^= W[(i-14)&15] ^ W[(i-8)&15] ^ W[(i-3)&15])a
120
121 #endif /* SHA_VERSION */
122
123 /*
124 The prototype SHA sub-round
125
126 The fundamental sub-round is
127 a' = e + ROTL(5,a) + f(b, c, d) + k + data;
128 b' = a;
129 c' = ROTL(30,b);
130 d' = c;
131 e' = d;
132 ... but this is implemented by unrolling the loop 5 times and renaming
133 the variables (e,a,b,c,d) = (a',b',c',d',e') each iteration.
134 */
135 #define subRound(a, b, c, d, e, f, k, data) \
136 ( e += ROTL(5,a) + f(b, c, d) + k + data, b = ROTL(30, b) )
137 /*
138 The above code is replicated 20 times for each of the 4 functions,
139 using the next 20 values from the W[] array for "data" each time.
140 */
141
142 /*
143 Perform the SHA transformation. Note that this code, like MD5, seems to
144 break some optimizing compilers due to the complexity of the expressions
145 and the size of the basic block. It may be necessary to split it into
146 sections, e.g. based on the four subrounds
147
148 Note that this corrupts the sha->key area.
149 */
150 static void
151 SHATransform (struct SHAContext *sha)
152 {
153 register uint32_t A, B, C, D, E;
154 #if SHA_VERSION
155 register uint32_t t;
156 #endif
157
158 /* Set up first buffer */
159 A = sha->iv[0];
160 B = sha->iv[1];
161 C = sha->iv[2];
162 D = sha->iv[3];
163 E = sha->iv[4];
164
165 /* Heavy mangling, in 4 sub-rounds of 20 interations each. */
166 subRound (A, B, C, D, E, f1, K2, sha->key[0]);
167 subRound (E, A, B, C, D, f1, K2, sha->key[1]);
168 subRound (D, E, A, B, C, f1, K2, sha->key[2]);
169 subRound (C, D, E, A, B, f1, K2, sha->key[3]);
170 subRound (B, C, D, E, A, f1, K2, sha->key[4]);
171 subRound (A, B, C, D, E, f1, K2, sha->key[5]);
172 subRound (E, A, B, C, D, f1, K2, sha->key[6]);
173 subRound (D, E, A, B, C, f1, K2, sha->key[7]);
174 subRound (C, D, E, A, B, f1, K2, sha->key[8]);
175 subRound (B, C, D, E, A, f1, K2, sha->key[9]);
176 subRound (A, B, C, D, E, f1, K2, sha->key[10]);
177 subRound (E, A, B, C, D, f1, K2, sha->key[11]);
178 subRound (D, E, A, B, C, f1, K2, sha->key[12]);
179 subRound (C, D, E, A, B, f1, K2, sha->key[13]);
180 subRound (B, C, D, E, A, f1, K2, sha->key[14]);
181 subRound (A, B, C, D, E, f1, K2, sha->key[15]);
182 subRound (E, A, B, C, D, f1, K2, expand (sha->key, 16));
183 subRound (D, E, A, B, C, f1, K2, expand (sha->key, 17));
184 subRound (C, D, E, A, B, f1, K2, expand (sha->key, 18));
185 subRound (B, C, D, E, A, f1, K2, expand (sha->key, 19));
186
187 subRound (A, B, C, D, E, f2, K3, expand (sha->key, 20));
188 subRound (E, A, B, C, D, f2, K3, expand (sha->key, 21));
189 subRound (D, E, A, B, C, f2, K3, expand (sha->key, 22));
190 subRound (C, D, E, A, B, f2, K3, expand (sha->key, 23));
191 subRound (B, C, D, E, A, f2, K3, expand (sha->key, 24));
192 subRound (A, B, C, D, E, f2, K3, expand (sha->key, 25));
193 subRound (E, A, B, C, D, f2, K3, expand (sha->key, 26));
194 subRound (D, E, A, B, C, f2, K3, expand (sha->key, 27));
195 subRound (C, D, E, A, B, f2, K3, expand (sha->key, 28));
196 subRound (B, C, D, E, A, f2, K3, expand (sha->key, 29));
197 subRound (A, B, C, D, E, f2, K3, expand (sha->key, 30));
198 subRound (E, A, B, C, D, f2, K3, expand (sha->key, 31));
199 subRound (D, E, A, B, C, f2, K3, expand (sha->key, 32));
200 subRound (C, D, E, A, B, f2, K3, expand (sha->key, 33));
201 subRound (B, C, D, E, A, f2, K3, expand (sha->key, 34));
202 subRound (A, B, C, D, E, f2, K3, expand (sha->key, 35));
203 subRound (E, A, B, C, D, f2, K3, expand (sha->key, 36));
204 subRound (D, E, A, B, C, f2, K3, expand (sha->key, 37));
205 subRound (C, D, E, A, B, f2, K3, expand (sha->key, 38));
206 subRound (B, C, D, E, A, f2, K3, expand (sha->key, 39));
207
208 subRound (A, B, C, D, E, f3, K5, expand (sha->key, 40));
209 subRound (E, A, B, C, D, f3, K5, expand (sha->key, 41));
210 subRound (D, E, A, B, C, f3, K5, expand (sha->key, 42));
211 subRound (C, D, E, A, B, f3, K5, expand (sha->key, 43));
212 subRound (B, C, D, E, A, f3, K5, expand (sha->key, 44));
213 subRound (A, B, C, D, E, f3, K5, expand (sha->key, 45));
214 subRound (E, A, B, C, D, f3, K5, expand (sha->key, 46));
215 subRound (D, E, A, B, C, f3, K5, expand (sha->key, 47));
216 subRound (C, D, E, A, B, f3, K5, expand (sha->key, 48));
217 subRound (B, C, D, E, A, f3, K5, expand (sha->key, 49));
218 subRound (A, B, C, D, E, f3, K5, expand (sha->key, 50));
219 subRound (E, A, B, C, D, f3, K5, expand (sha->key, 51));
220 subRound (D, E, A, B, C, f3, K5, expand (sha->key, 52));
221 subRound (C, D, E, A, B, f3, K5, expand (sha->key, 53));
222 subRound (B, C, D, E, A, f3, K5, expand (sha->key, 54));
223 subRound (A, B, C, D, E, f3, K5, expand (sha->key, 55));
224 subRound (E, A, B, C, D, f3, K5, expand (sha->key, 56));
225 subRound (D, E, A, B, C, f3, K5, expand (sha->key, 57));
226 subRound (C, D, E, A, B, f3, K5, expand (sha->key, 58));
227 subRound (B, C, D, E, A, f3, K5, expand (sha->key, 59));
228
229 subRound (A, B, C, D, E, f4, K10, expand (sha->key, 60));
230 subRound (E, A, B, C, D, f4, K10, expand (sha->key, 61));
231 subRound (D, E, A, B, C, f4, K10, expand (sha->key, 62));
232 subRound (C, D, E, A, B, f4, K10, expand (sha->key, 63));
233 subRound (B, C, D, E, A, f4, K10, expand (sha->key, 64));
234 subRound (A, B, C, D, E, f4, K10, expand (sha->key, 65));
235 subRound (E, A, B, C, D, f4, K10, expand (sha->key, 66));
236 subRound (D, E, A, B, C, f4, K10, expand (sha->key, 67));
237 subRound (C, D, E, A, B, f4, K10, expand (sha->key, 68));
238 subRound (B, C, D, E, A, f4, K10, expand (sha->key, 69));
239 subRound (A, B, C, D, E, f4, K10, expand (sha->key, 70));
240 subRound (E, A, B, C, D, f4, K10, expand (sha->key, 71));
241 subRound (D, E, A, B, C, f4, K10, expand (sha->key, 72));
242 subRound (C, D, E, A, B, f4, K10, expand (sha->key, 73));
243 subRound (B, C, D, E, A, f4, K10, expand (sha->key, 74));
244 subRound (A, B, C, D, E, f4, K10, expand (sha->key, 75));
245 subRound (E, A, B, C, D, f4, K10, expand (sha->key, 76));
246 subRound (D, E, A, B, C, f4, K10, expandx (sha->key, 77));
247 subRound (C, D, E, A, B, f4, K10, expandx (sha->key, 78));
248 subRound (B, C, D, E, A, f4, K10, expandx (sha->key, 79));
249
250 /* Build message digest */
251 sha->iv[0] += A;
252 sha->iv[1] += B;
253 sha->iv[2] += C;
254 sha->iv[3] += D;
255 sha->iv[4] += E;
256 }
257
258 /* Update SHA for a block of data. */
259 void
260 SHAUpdate (SHA_CTX * ctx, const unsigned char *buf, unsigned int len)
261 {
262 unsigned i;
263
264 /* Update bitcount */
265
266 #ifdef HAVE64
267 i = (unsigned) ctx->bytes % SHA_BLOCKBYTES;
268 ctx->bytes += len;
269 #else
270 uint32_t t = ctx->bytesLo;
271 if ((ctx->bytesLo = t + len) < t)
272 ctx->bytesHi++; /* Carry from low to high */
273
274 i = (unsigned) t % SHA_BLOCKBYTES; /* Bytes already in ctx->key */
275 #endif
276
277 /* i is always less than SHA_BLOCKBYTES. */
278 if (SHA_BLOCKBYTES - i > len)
279 {
280 memcpy ((u_char *) ctx->key + i, buf, len);
281 return;
282 }
283
284 if (i)
285 { /* First chunk is an odd size */
286 memcpy ((u_char *) ctx->key + i, buf, SHA_BLOCKBYTES - i);
287 shaByteSwap (ctx->key, (u_char *) ctx->key, SHA_BLOCKWORDS);
288 SHATransform (ctx);
289 buf += SHA_BLOCKBYTES - i;
290 len -= SHA_BLOCKBYTES - i;
291 }
292
293 /* Process data in 64-byte chunks */
294 while (len >= SHA_BLOCKBYTES)
295 {
296 shaByteSwap (ctx->key, buf, SHA_BLOCKWORDS);
297 SHATransform (ctx);
298 buf += SHA_BLOCKBYTES;
299 len -= SHA_BLOCKBYTES;
300 }
301
302 /* Handle any remaining bytes of data. */
303 if (len)
304 memcpy (ctx->key, buf, len);
305 }
306
307 /*
308 * Final wrapup - pad to 64-byte boundary with the bit pattern
309 * 1 0* (64-bit count of bits processed, MSB-first)
310 */
311
312 void
313 SHAFinal (unsigned char digest[20], SHA_CTX * ctx)
314 {
315 #if HAVE64
316 unsigned i = (unsigned) ctx->bytes % SHA_BLOCKBYTES;
317 #else
318 unsigned i = (unsigned) ctx->bytesLo % SHA_BLOCKBYTES;
319 #endif
320 u_char *p = (u_char *) ctx->key + i; /* First unused byte */
321 uint32_t t;
322
323 /* Set the first char of padding to 0x80. There is always room. */
324 *p++ = 0x80;
325
326 /* Bytes of padding needed to make 64 bytes (0..63) */
327 i = SHA_BLOCKBYTES - 1 - i;
328
329 if (i < 8)
330 { /* Padding forces an extra block */
331 memset (p, 0, i);
332 shaByteSwap (ctx->key, (u_char *) ctx->key, 16);
333 SHATransform (ctx);
334 p = (u_char *) ctx->key;
335 i = 64;
336 }
337 memset (p, 0, i - 8);
338 shaByteSwap (ctx->key, (u_char *) ctx->key, 14);
339
340 /* Append length in bits and transform */
341 #if HAVE64
342 ctx->key[14] = (uint32_t) (ctx->bytes >> 29);
343 ctx->key[15] = (uint32_t) ctx->bytes << 3;
344 #else
345 ctx->key[14] = ctx->bytesHi << 3 | ctx->bytesLo >> 29;
346 ctx->key[15] = ctx->bytesLo << 3;
347 #endif
348 SHATransform (ctx);
349
350 /* memcpy (digest, ctx->iv, sizeof (digest));*/
351 for (i = 0; i < SHA_HASHWORDS; i++)
352 {
353 t = ctx->iv[i];
354 digest[i * 4 + 0] = (u_char) (t >> 24);
355 digest[i * 4 + 1] = (u_char) (t >> 16);
356 digest[i * 4 + 2] = (u_char) (t >> 8);
357 digest[i * 4 + 3] = (u_char) t;
358 }
359
360 memset(ctx, 0, sizeof(ctx)); /* In case it's sensitive */
361 }