3 ** Copyright 2008, The Android Open Source Project
5 ** Redistribution and use in source and binary forms, with or without
6 ** modification, are permitted provided that the following conditions are met:
7 ** * Redistributions of source code must retain the above copyright
8 ** notice, this list of conditions and the following disclaimer.
9 ** * Redistributions in binary form must reproduce the above copyright
10 ** notice, this list of conditions and the following disclaimer in the
11 ** documentation and/or other materials provided with the distribution.
12 ** * Neither the name of Google Inc. nor the names of its contributors may
13 ** be used to endorse or promote products derived from this software
14 ** without specific prior written permission.
16 ** THIS SOFTWARE IS PROVIDED BY Google Inc. ``AS IS'' AND ANY EXPRESS OR
17 ** IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
18 ** MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
19 ** EVENT SHALL Google Inc. BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
20 ** SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
21 ** PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
22 ** OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
23 ** WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
24 ** OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
25 ** ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 #include "mincrypt/sha.h"
30 // Some machines lack byteswap.h and endian.h. These have to use the
31 // slower code, even if they're little-endian.
33 #if defined(HAVE_ENDIAN_H) && defined(HAVE_LITTLE_ENDIAN)
38 // This version is about 28% faster than the generic version below,
39 // but assumes little-endianness.
41 static inline uint32_t ror27(uint32_t val) {
42 return (val >> 27) | (val << 5);
44 static inline uint32_t ror2(uint32_t val) {
45 return (val >> 2) | (val << 30);
47 static inline uint32_t ror31(uint32_t val) {
48 return (val >> 31) | (val << 1);
51 static void SHA1_Transform(SHA_CTX* ctx) {
53 register uint32_t A, B, C, D, E;
62 #define SHA_F1(A,B,C,D,E,t) \
64 (W[t] = bswap_32(ctx->buf.w[t])) + \
65 (D^(B&(C^D))) + 0x5A827999; \
68 for (t = 0; t < 15; t += 5) {
69 SHA_F1(A,B,C,D,E,t + 0);
70 SHA_F1(E,A,B,C,D,t + 1);
71 SHA_F1(D,E,A,B,C,t + 2);
72 SHA_F1(C,D,E,A,B,t + 3);
73 SHA_F1(B,C,D,E,A,t + 4);
75 SHA_F1(A,B,C,D,E,t + 0); // 16th one, t == 15
79 #define SHA_F1(A,B,C,D,E,t) \
81 (W[t] = ror31(W[t-3] ^ W[t-8] ^ W[t-14] ^ W[t-16])) + \
82 (D^(B&(C^D))) + 0x5A827999; \
85 SHA_F1(E,A,B,C,D,t + 1);
86 SHA_F1(D,E,A,B,C,t + 2);
87 SHA_F1(C,D,E,A,B,t + 3);
88 SHA_F1(B,C,D,E,A,t + 4);
92 #define SHA_F2(A,B,C,D,E,t) \
94 (W[t] = ror31(W[t-3] ^ W[t-8] ^ W[t-14] ^ W[t-16])) + \
95 (B^C^D) + 0x6ED9EBA1; \
98 for (t = 20; t < 40; t += 5) {
99 SHA_F2(A,B,C,D,E,t + 0);
100 SHA_F2(E,A,B,C,D,t + 1);
101 SHA_F2(D,E,A,B,C,t + 2);
102 SHA_F2(C,D,E,A,B,t + 3);
103 SHA_F2(B,C,D,E,A,t + 4);
108 #define SHA_F3(A,B,C,D,E,t) \
110 (W[t] = ror31(W[t-3] ^ W[t-8] ^ W[t-14] ^ W[t-16])) + \
111 ((B&C)|(D&(B|C))) + 0x8F1BBCDC; \
114 for (; t < 60; t += 5) {
115 SHA_F3(A,B,C,D,E,t + 0);
116 SHA_F3(E,A,B,C,D,t + 1);
117 SHA_F3(D,E,A,B,C,t + 2);
118 SHA_F3(C,D,E,A,B,t + 3);
119 SHA_F3(B,C,D,E,A,t + 4);
124 #define SHA_F4(A,B,C,D,E,t) \
126 (W[t] = ror31(W[t-3] ^ W[t-8] ^ W[t-14] ^ W[t-16])) + \
127 (B^C^D) + 0xCA62C1D6; \
130 for (; t < 80; t += 5) {
131 SHA_F4(A,B,C,D,E,t + 0);
132 SHA_F4(E,A,B,C,D,t + 1);
133 SHA_F4(D,E,A,B,C,t + 2);
134 SHA_F4(C,D,E,A,B,t + 3);
135 SHA_F4(B,C,D,E,A,t + 4);
147 void SHA_update(SHA_CTX* ctx, const void* data, int len) {
148 int i = ctx->count % sizeof(ctx->buf);
149 const uint8_t* p = (const uint8_t*)data;
153 while (len > sizeof(ctx->buf) - i) {
154 memcpy(&ctx->buf.b[i], p, sizeof(ctx->buf) - i);
155 len -= sizeof(ctx->buf) - i;
156 p += sizeof(ctx->buf) - i;
162 ctx->buf.b[i++] = *p++;
163 if (i == sizeof(ctx->buf)) {
171 const uint8_t* SHA_final(SHA_CTX* ctx) {
172 uint64_t cnt = ctx->count * 8;
175 SHA_update(ctx, (uint8_t*)"\x80", 1);
176 while ((ctx->count % sizeof(ctx->buf)) != (sizeof(ctx->buf) - 8)) {
177 SHA_update(ctx, (uint8_t*)"\0", 1);
179 for (i = 0; i < 8; ++i) {
180 uint8_t tmp = cnt >> ((7 - i) * 8);
181 SHA_update(ctx, &tmp, 1);
184 for (i = 0; i < 5; i++) {
185 ctx->buf.w[i] = bswap_32(ctx->state[i]);
191 #else // #if defined(HAVE_ENDIAN_H) && defined(HAVE_LITTLE_ENDIAN)
193 #define rol(bits, value) (((value) << (bits)) | ((value) >> (32 - (bits))))
195 static void SHA1_transform(SHA_CTX *ctx) {
197 uint32_t A, B, C, D, E;
198 uint8_t *p = ctx->buf;
201 for(t = 0; t < 16; ++t) {
202 uint32_t tmp = *p++ << 24;
210 W[t] = rol(1,W[t-3] ^ W[t-8] ^ W[t-14] ^ W[t-16]);
219 for(t = 0; t < 80; t++) {
220 uint32_t tmp = rol(5,A) + E + W[t];
223 tmp += (D^(B&(C^D))) + 0x5A827999;
225 tmp += (B^C^D) + 0x6ED9EBA1;
227 tmp += ((B&C)|(D&(B|C))) + 0x8F1BBCDC;
229 tmp += (B^C^D) + 0xCA62C1D6;
245 void SHA_update(SHA_CTX *ctx, const void *data, int len) {
246 int i = ctx->count % sizeof(ctx->buf);
247 const uint8_t* p = (const uint8_t*)data;
252 ctx->buf[i++] = *p++;
253 if (i == sizeof(ctx->buf)) {
259 const uint8_t *SHA_final(SHA_CTX *ctx) {
260 uint8_t *p = ctx->buf;
261 uint64_t cnt = ctx->count * 8;
264 SHA_update(ctx, (uint8_t*)"\x80", 1);
265 while ((ctx->count % sizeof(ctx->buf)) != (sizeof(ctx->buf) - 8)) {
266 SHA_update(ctx, (uint8_t*)"\0", 1);
268 for (i = 0; i < 8; ++i) {
269 uint8_t tmp = cnt >> ((7 - i) * 8);
270 SHA_update(ctx, &tmp, 1);
273 for (i = 0; i < 5; i++) {
274 uint32_t tmp = ctx->state[i];
286 void SHA_init(SHA_CTX* ctx) {
287 ctx->state[0] = 0x67452301;
288 ctx->state[1] = 0xEFCDAB89;
289 ctx->state[2] = 0x98BADCFE;
290 ctx->state[3] = 0x10325476;
291 ctx->state[4] = 0xC3D2E1F0;
295 /* Convenience function */
296 const uint8_t* SHA(const void *data, int len, uint8_t *digest) {
301 SHA_update(&ctx, data, len);
303 for (i = 0; i < SHA_DIGEST_SIZE; ++i) {