1 /* sha.c
2 **
3 ** Copyright 2008, The Android Open Source Project
4 **
5 ** Redistribution and use in source and binary forms, with or without
6 ** modification, are permitted provided that the following conditions are met:
7 ** * Redistributions of source code must retain the above copyright
8 ** notice, this list of conditions and the following disclaimer.
9 ** * Redistributions in binary form must reproduce the above copyright
10 ** notice, this list of conditions and the following disclaimer in the
11 ** documentation and/or other materials provided with the distribution.
12 ** * Neither the name of Google Inc. nor the names of its contributors may
13 ** be used to endorse or promote products derived from this software
14 ** without specific prior written permission.
15 **
16 ** THIS SOFTWARE IS PROVIDED BY Google Inc. ``AS IS'' AND ANY EXPRESS OR
17 ** IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
18 ** MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
19 ** EVENT SHALL Google Inc. BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
20 ** SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
21 ** PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
22 ** OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
23 ** WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
24 ** OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
25 ** ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
26 */
27
28 #include "mincrypt/sha.h"
29
30 // Some machines lack byteswap.h and endian.h. These have to use the
31 // slower code, even if they're little-endian.
32
33 #if defined(HAVE_ENDIAN_H) && defined(HAVE_LITTLE_ENDIAN)
34
35 #include <byteswap.h>
36 #include <memory.h>
37
38 // This version is about 28% faster than the generic version below,
39 // but assumes little-endianness.
40
ror27(uint32_t val)41 static inline uint32_t ror27(uint32_t val) {
42 return (val >> 27) | (val << 5);
43 }
ror2(uint32_t val)44 static inline uint32_t ror2(uint32_t val) {
45 return (val >> 2) | (val << 30);
46 }
ror31(uint32_t val)47 static inline uint32_t ror31(uint32_t val) {
48 return (val >> 31) | (val << 1);
49 }
50
SHA1_Transform(SHA_CTX * ctx)51 static void SHA1_Transform(SHA_CTX* ctx) {
52 uint32_t W[80];
53 register uint32_t A, B, C, D, E;
54 int t;
55
56 A = ctx->state[0];
57 B = ctx->state[1];
58 C = ctx->state[2];
59 D = ctx->state[3];
60 E = ctx->state[4];
61
62 #define SHA_F1(A,B,C,D,E,t) \
63 E += ror27(A) + \
64 (W[t] = bswap_32(ctx->buf.w[t])) + \
65 (D^(B&(C^D))) + 0x5A827999; \
66 B = ror2(B);
67
68 for (t = 0; t < 15; t += 5) {
69 SHA_F1(A,B,C,D,E,t + 0);
70 SHA_F1(E,A,B,C,D,t + 1);
71 SHA_F1(D,E,A,B,C,t + 2);
72 SHA_F1(C,D,E,A,B,t + 3);
73 SHA_F1(B,C,D,E,A,t + 4);
74 }
75 SHA_F1(A,B,C,D,E,t + 0); // 16th one, t == 15
76
77 #undef SHA_F1
78
79 #define SHA_F1(A,B,C,D,E,t) \
80 E += ror27(A) + \
81 (W[t] = ror31(W[t-3] ^ W[t-8] ^ W[t-14] ^ W[t-16])) + \
82 (D^(B&(C^D))) + 0x5A827999; \
83 B = ror2(B);
84
85 SHA_F1(E,A,B,C,D,t + 1);
86 SHA_F1(D,E,A,B,C,t + 2);
87 SHA_F1(C,D,E,A,B,t + 3);
88 SHA_F1(B,C,D,E,A,t + 4);
89
90 #undef SHA_F1
91
92 #define SHA_F2(A,B,C,D,E,t) \
93 E += ror27(A) + \
94 (W[t] = ror31(W[t-3] ^ W[t-8] ^ W[t-14] ^ W[t-16])) + \
95 (B^C^D) + 0x6ED9EBA1; \
96 B = ror2(B);
97
98 for (t = 20; t < 40; t += 5) {
99 SHA_F2(A,B,C,D,E,t + 0);
100 SHA_F2(E,A,B,C,D,t + 1);
101 SHA_F2(D,E,A,B,C,t + 2);
102 SHA_F2(C,D,E,A,B,t + 3);
103 SHA_F2(B,C,D,E,A,t + 4);
104 }
105
106 #undef SHA_F2
107
108 #define SHA_F3(A,B,C,D,E,t) \
109 E += ror27(A) + \
110 (W[t] = ror31(W[t-3] ^ W[t-8] ^ W[t-14] ^ W[t-16])) + \
111 ((B&C)|(D&(B|C))) + 0x8F1BBCDC; \
112 B = ror2(B);
113
114 for (; t < 60; t += 5) {
115 SHA_F3(A,B,C,D,E,t + 0);
116 SHA_F3(E,A,B,C,D,t + 1);
117 SHA_F3(D,E,A,B,C,t + 2);
118 SHA_F3(C,D,E,A,B,t + 3);
119 SHA_F3(B,C,D,E,A,t + 4);
120 }
121
122 #undef SHA_F3
123
124 #define SHA_F4(A,B,C,D,E,t) \
125 E += ror27(A) + \
126 (W[t] = ror31(W[t-3] ^ W[t-8] ^ W[t-14] ^ W[t-16])) + \
127 (B^C^D) + 0xCA62C1D6; \
128 B = ror2(B);
129
130 for (; t < 80; t += 5) {
131 SHA_F4(A,B,C,D,E,t + 0);
132 SHA_F4(E,A,B,C,D,t + 1);
133 SHA_F4(D,E,A,B,C,t + 2);
134 SHA_F4(C,D,E,A,B,t + 3);
135 SHA_F4(B,C,D,E,A,t + 4);
136 }
137
138 #undef SHA_F4
139
140 ctx->state[0] += A;
141 ctx->state[1] += B;
142 ctx->state[2] += C;
143 ctx->state[3] += D;
144 ctx->state[4] += E;
145 }
146
SHA_update(SHA_CTX * ctx,const void * data,int len)147 void SHA_update(SHA_CTX* ctx, const void* data, int len) {
148 int i = ctx->count % sizeof(ctx->buf);
149 const uint8_t* p = (const uint8_t*)data;
150
151 ctx->count += len;
152
153 while (len > sizeof(ctx->buf) - i) {
154 memcpy(&ctx->buf.b[i], p, sizeof(ctx->buf) - i);
155 len -= sizeof(ctx->buf) - i;
156 p += sizeof(ctx->buf) - i;
157 SHA1_Transform(ctx);
158 i = 0;
159 }
160
161 while (len--) {
162 ctx->buf.b[i++] = *p++;
163 if (i == sizeof(ctx->buf)) {
164 SHA1_Transform(ctx);
165 i = 0;
166 }
167 }
168 }
169
170
SHA_final(SHA_CTX * ctx)171 const uint8_t* SHA_final(SHA_CTX* ctx) {
172 uint64_t cnt = ctx->count * 8;
173 int i;
174
175 SHA_update(ctx, (uint8_t*)"\x80", 1);
176 while ((ctx->count % sizeof(ctx->buf)) != (sizeof(ctx->buf) - 8)) {
177 SHA_update(ctx, (uint8_t*)"\0", 1);
178 }
179 for (i = 0; i < 8; ++i) {
180 uint8_t tmp = cnt >> ((7 - i) * 8);
181 SHA_update(ctx, &tmp, 1);
182 }
183
184 for (i = 0; i < 5; i++) {
185 ctx->buf.w[i] = bswap_32(ctx->state[i]);
186 }
187
188 return ctx->buf.b;
189 }
190
191 #else // #if defined(HAVE_ENDIAN_H) && defined(HAVE_LITTLE_ENDIAN)
192
193 #define rol(bits, value) (((value) << (bits)) | ((value) >> (32 - (bits))))
194
SHA1_transform(SHA_CTX * ctx)195 static void SHA1_transform(SHA_CTX *ctx) {
196 uint32_t W[80];
197 uint32_t A, B, C, D, E;
198 uint8_t *p = ctx->buf;
199 int t;
200
201 for(t = 0; t < 16; ++t) {
202 uint32_t tmp = *p++ << 24;
203 tmp |= *p++ << 16;
204 tmp |= *p++ << 8;
205 tmp |= *p++;
206 W[t] = tmp;
207 }
208
209 for(; t < 80; t++) {
210 W[t] = rol(1,W[t-3] ^ W[t-8] ^ W[t-14] ^ W[t-16]);
211 }
212
213 A = ctx->state[0];
214 B = ctx->state[1];
215 C = ctx->state[2];
216 D = ctx->state[3];
217 E = ctx->state[4];
218
219 for(t = 0; t < 80; t++) {
220 uint32_t tmp = rol(5,A) + E + W[t];
221
222 if (t < 20)
223 tmp += (D^(B&(C^D))) + 0x5A827999;
224 else if ( t < 40)
225 tmp += (B^C^D) + 0x6ED9EBA1;
226 else if ( t < 60)
227 tmp += ((B&C)|(D&(B|C))) + 0x8F1BBCDC;
228 else
229 tmp += (B^C^D) + 0xCA62C1D6;
230
231 E = D;
232 D = C;
233 C = rol(30,B);
234 B = A;
235 A = tmp;
236 }
237
238 ctx->state[0] += A;
239 ctx->state[1] += B;
240 ctx->state[2] += C;
241 ctx->state[3] += D;
242 ctx->state[4] += E;
243 }
244
SHA_update(SHA_CTX * ctx,const void * data,int len)245 void SHA_update(SHA_CTX *ctx, const void *data, int len) {
246 int i = ctx->count % sizeof(ctx->buf);
247 const uint8_t* p = (const uint8_t*)data;
248
249 ctx->count += len;
250
251 while (len--) {
252 ctx->buf[i++] = *p++;
253 if (i == sizeof(ctx->buf)) {
254 SHA1_transform(ctx);
255 i = 0;
256 }
257 }
258 }
SHA_final(SHA_CTX * ctx)259 const uint8_t *SHA_final(SHA_CTX *ctx) {
260 uint8_t *p = ctx->buf;
261 uint64_t cnt = ctx->count * 8;
262 int i;
263
264 SHA_update(ctx, (uint8_t*)"\x80", 1);
265 while ((ctx->count % sizeof(ctx->buf)) != (sizeof(ctx->buf) - 8)) {
266 SHA_update(ctx, (uint8_t*)"\0", 1);
267 }
268 for (i = 0; i < 8; ++i) {
269 uint8_t tmp = cnt >> ((7 - i) * 8);
270 SHA_update(ctx, &tmp, 1);
271 }
272
273 for (i = 0; i < 5; i++) {
274 uint32_t tmp = ctx->state[i];
275 *p++ = tmp >> 24;
276 *p++ = tmp >> 16;
277 *p++ = tmp >> 8;
278 *p++ = tmp >> 0;
279 }
280
281 return ctx->buf;
282 }
283
284 #endif // endianness
285
SHA_init(SHA_CTX * ctx)286 void SHA_init(SHA_CTX* ctx) {
287 ctx->state[0] = 0x67452301;
288 ctx->state[1] = 0xEFCDAB89;
289 ctx->state[2] = 0x98BADCFE;
290 ctx->state[3] = 0x10325476;
291 ctx->state[4] = 0xC3D2E1F0;
292 ctx->count = 0;
293 }
294
295 /* Convenience function */
SHA(const void * data,int len,uint8_t * digest)296 const uint8_t* SHA(const void *data, int len, uint8_t *digest) {
297 const uint8_t *p;
298 int i;
299 SHA_CTX ctx;
300 SHA_init(&ctx);
301 SHA_update(&ctx, data, len);
302 p = SHA_final(&ctx);
303 for (i = 0; i < SHA_DIGEST_SIZE; ++i) {
304 digest[i] = *p++;
305 }
306 return digest;
307 }
308