2 * Copyright (C) 2007-2009 Andre Noll <maan@tuebingen.mpg.de>
4 * Licensed under the GPL v2. For licencing details see COPYING.
7 /** \file sha1.c Secure Hash Algorithm, taken from the git source code 2009/11. */
12 * SHA1 routine optimized to do word accesses rather than byte accesses,
13 * and to avoid unnecessary copies into the context array.
15 * This was initially based on the Mozilla SHA1 implementation, although
16 * none of the original Mozilla code remains.
19 #include <arpa/inet.h>
24 unsigned long long size;
27 #if defined(__GNUC__) && (defined(__i386__) || defined(__x86_64__))
30 * Force usage of rol or ror by selecting the one with the smaller constant.
31 * It _can_ generate slightly smaller code (a constant of 1 is special), but
32 * perhaps more importantly it's possibly faster on any uarch that does a
36 #define SHA_ASM(op, x, n) ({ unsigned int __res; __asm__(op " %1,%0":"=r" (__res):"i" (n), "0" (x)); __res; })
37 #define SHA_ROL(x,n) SHA_ASM("rol", x, n)
38 #define SHA_ROR(x,n) SHA_ASM("ror", x, n)
42 #define SHA_ROT(X,l,r) (((X) << (l)) | ((X) >> (r)))
43 #define SHA_ROL(X,n) SHA_ROT(X,n,32-(n))
44 #define SHA_ROR(X,n) SHA_ROT(X,32-(n),n)
49 * If you have 32 registers or more, the compiler can (and should)
50 * try to change the array[] accesses into registers. However, on
51 * machines with less than ~25 registers, that won't really work,
52 * and at least gcc will make an unholy mess of it.
54 * So to avoid that mess which just slows things down, we force
55 * the stores to memory to actually happen (we might be better off
56 * with a 'W(t)=(val);asm("":"+m" (W(t))' there instead, as
57 * suggested by Artur Skawina - that will also make gcc unable to
58 * try to do the silly "optimize away loads" part because it won't
59 * see what the value will be).
61 * Ben Herrenschmidt reports that on PPC, the C version comes close
62 * to the optimized asm with this (ie on PPC you don't want that
63 * 'volatile', since there are lots of registers).
65 * On ARM we get the best code generation by forcing a full memory barrier
66 * between each SHA_ROUND, otherwise gcc happily get wild with spilling and
67 * the stack frame size simply explode and performance goes down the drain.
70 #if defined(__i386__) || defined(__x86_64__)
71 #define setW(x, val) (*(volatile unsigned int *)&W(x) = (val))
72 #elif defined(__GNUC__) && defined(__arm__)
73 #define setW(x, val) do { W(x) = (val); __asm__("":::"memory"); } while (0)
75 #define setW(x, val) (W(x) = (val))
79 * Performance might be improved if the CPU architecture is OK with
80 * unaligned 32-bit loads and a fast ntohl() is available.
81 * Otherwise fall back to byte loads and shifts which is portable,
82 * and is faster on architectures with memory alignment issues.
85 #if defined(__i386__) || defined(__x86_64__) || \
86 defined(__ppc__) || defined(__ppc64__) || \
87 defined(__powerpc__) || defined(__powerpc64__) || \
88 defined(__s390__) || defined(__s390x__)
90 #define get_be32(p) ntohl(*(unsigned int *)(p))
91 #define put_be32(p, v) do { *(unsigned int *)(p) = htonl(v); } while (0)
95 #define get_be32(p) ( \
96 (*((unsigned char *)(p) + 0) << 24) | \
97 (*((unsigned char *)(p) + 1) << 16) | \
98 (*((unsigned char *)(p) + 2) << 8) | \
99 (*((unsigned char *)(p) + 3) << 0) )
100 #define put_be32(p, v) do { \
101 unsigned int __v = (v); \
102 *((unsigned char *)(p) + 0) = __v >> 24; \
103 *((unsigned char *)(p) + 1) = __v >> 16; \
104 *((unsigned char *)(p) + 2) = __v >> 8; \
105 *((unsigned char *)(p) + 3) = __v >> 0; } while (0)
109 /* This "rolls" over the 512-bit array */
110 #define W(x) (array[(x)&15])
113 * Where do we get the source from? The first 16 iterations get it from
114 * the input data, the next mix it from the 512-bit array.
116 #define SHA_SRC(t) get_be32(data + t)
117 #define SHA_MIX(t) SHA_ROL(W(t+13) ^ W(t+8) ^ W(t+2) ^ W(t), 1)
119 #define SHA_ROUND(t, input, fn, constant, A, B, C, D, E) do { \
120 unsigned int TEMP = input(t); setW(t, TEMP); \
121 E += TEMP + SHA_ROL(A,5) + (fn) + (constant); \
122 B = SHA_ROR(B, 2); } while (0)
124 #define T_0_15(t, A, B, C, D, E) SHA_ROUND(t, SHA_SRC, (((C^D)&B)^D) , 0x5a827999, A, B, C, D, E )
125 #define T_16_19(t, A, B, C, D, E) SHA_ROUND(t, SHA_MIX, (((C^D)&B)^D) , 0x5a827999, A, B, C, D, E )
126 #define T_20_39(t, A, B, C, D, E) SHA_ROUND(t, SHA_MIX, (B^C^D) , 0x6ed9eba1, A, B, C, D, E )
127 #define T_40_59(t, A, B, C, D, E) SHA_ROUND(t, SHA_MIX, ((B&C)+(D&(B^C))) , 0x8f1bbcdc, A, B, C, D, E )
128 #define T_60_79(t, A, B, C, D, E) SHA_ROUND(t, SHA_MIX, (B^C^D) , 0xca62c1d6, A, B, C, D, E )
130 static void blk_SHA1_Block(blk_SHA_CTX *ctx, const unsigned int *data)
132 unsigned int A,B,C,D,E;
133 unsigned int array[16];
141 /* Round 1 - iterations 0-16 take their input from 'data' */
142 T_0_15( 0, A, B, C, D, E);
143 T_0_15( 1, E, A, B, C, D);
144 T_0_15( 2, D, E, A, B, C);
145 T_0_15( 3, C, D, E, A, B);
146 T_0_15( 4, B, C, D, E, A);
147 T_0_15( 5, A, B, C, D, E);
148 T_0_15( 6, E, A, B, C, D);
149 T_0_15( 7, D, E, A, B, C);
150 T_0_15( 8, C, D, E, A, B);
151 T_0_15( 9, B, C, D, E, A);
152 T_0_15(10, A, B, C, D, E);
153 T_0_15(11, E, A, B, C, D);
154 T_0_15(12, D, E, A, B, C);
155 T_0_15(13, C, D, E, A, B);
156 T_0_15(14, B, C, D, E, A);
157 T_0_15(15, A, B, C, D, E);
159 /* Round 1 - tail. Input from 512-bit mixing array */
160 T_16_19(16, E, A, B, C, D);
161 T_16_19(17, D, E, A, B, C);
162 T_16_19(18, C, D, E, A, B);
163 T_16_19(19, B, C, D, E, A);
166 T_20_39(20, A, B, C, D, E);
167 T_20_39(21, E, A, B, C, D);
168 T_20_39(22, D, E, A, B, C);
169 T_20_39(23, C, D, E, A, B);
170 T_20_39(24, B, C, D, E, A);
171 T_20_39(25, A, B, C, D, E);
172 T_20_39(26, E, A, B, C, D);
173 T_20_39(27, D, E, A, B, C);
174 T_20_39(28, C, D, E, A, B);
175 T_20_39(29, B, C, D, E, A);
176 T_20_39(30, A, B, C, D, E);
177 T_20_39(31, E, A, B, C, D);
178 T_20_39(32, D, E, A, B, C);
179 T_20_39(33, C, D, E, A, B);
180 T_20_39(34, B, C, D, E, A);
181 T_20_39(35, A, B, C, D, E);
182 T_20_39(36, E, A, B, C, D);
183 T_20_39(37, D, E, A, B, C);
184 T_20_39(38, C, D, E, A, B);
185 T_20_39(39, B, C, D, E, A);
188 T_40_59(40, A, B, C, D, E);
189 T_40_59(41, E, A, B, C, D);
190 T_40_59(42, D, E, A, B, C);
191 T_40_59(43, C, D, E, A, B);
192 T_40_59(44, B, C, D, E, A);
193 T_40_59(45, A, B, C, D, E);
194 T_40_59(46, E, A, B, C, D);
195 T_40_59(47, D, E, A, B, C);
196 T_40_59(48, C, D, E, A, B);
197 T_40_59(49, B, C, D, E, A);
198 T_40_59(50, A, B, C, D, E);
199 T_40_59(51, E, A, B, C, D);
200 T_40_59(52, D, E, A, B, C);
201 T_40_59(53, C, D, E, A, B);
202 T_40_59(54, B, C, D, E, A);
203 T_40_59(55, A, B, C, D, E);
204 T_40_59(56, E, A, B, C, D);
205 T_40_59(57, D, E, A, B, C);
206 T_40_59(58, C, D, E, A, B);
207 T_40_59(59, B, C, D, E, A);
210 T_60_79(60, A, B, C, D, E);
211 T_60_79(61, E, A, B, C, D);
212 T_60_79(62, D, E, A, B, C);
213 T_60_79(63, C, D, E, A, B);
214 T_60_79(64, B, C, D, E, A);
215 T_60_79(65, A, B, C, D, E);
216 T_60_79(66, E, A, B, C, D);
217 T_60_79(67, D, E, A, B, C);
218 T_60_79(68, C, D, E, A, B);
219 T_60_79(69, B, C, D, E, A);
220 T_60_79(70, A, B, C, D, E);
221 T_60_79(71, E, A, B, C, D);
222 T_60_79(72, D, E, A, B, C);
223 T_60_79(73, C, D, E, A, B);
224 T_60_79(74, B, C, D, E, A);
225 T_60_79(75, A, B, C, D, E);
226 T_60_79(76, E, A, B, C, D);
227 T_60_79(77, D, E, A, B, C);
228 T_60_79(78, C, D, E, A, B);
229 T_60_79(79, B, C, D, E, A);
238 static void blk_SHA1_Init(blk_SHA_CTX *ctx)
242 /* Initialize H with the magic constants (see FIPS180 for constants) */
243 ctx->H[0] = 0x67452301;
244 ctx->H[1] = 0xefcdab89;
245 ctx->H[2] = 0x98badcfe;
246 ctx->H[3] = 0x10325476;
247 ctx->H[4] = 0xc3d2e1f0;
250 static void blk_SHA1_Update(blk_SHA_CTX *ctx, const void *data, unsigned long len)
252 unsigned lenW = ctx->size & 63;
256 /* Read the data into W and process blocks as they get full */
258 unsigned left = 64 - lenW;
261 memcpy(lenW + (char *)ctx->W, data, left);
262 lenW = (lenW + left) & 63;
264 data = ((const char *)data + left);
267 blk_SHA1_Block(ctx, ctx->W);
270 blk_SHA1_Block(ctx, data);
271 data = ((const char *)data + 64);
275 memcpy(ctx->W, data, len);
278 static void blk_SHA1_Final(unsigned char hashout[20], blk_SHA_CTX *ctx)
280 static const unsigned char pad[64] = { 0x80 };
281 unsigned int padlen[2];
284 /* Pad with a binary 1 (ie 0x80), then zeroes, then length */
285 padlen[0] = htonl(ctx->size >> 29);
286 padlen[1] = htonl(ctx->size << 3);
289 blk_SHA1_Update(ctx, pad, 1+ (63 & (55 - i)));
290 blk_SHA1_Update(ctx, padlen, 8);
293 for (i = 0; i < 5; i++)
294 put_be32(hashout + i*4, ctx->H[i]);
298 * Compute the sha1 hash.
300 * \param data Pointer to the data to compute the hash value from.
301 * \param len The length of \a data in bytes.
302 * \param sha1 Result pointer.
304 * \a sha1 must point to an area at least 20 bytes large.
306 * \sa sha(3), openssl(1).
308 void sha1_hash(const char *data, unsigned long len, unsigned char *sha1)
312 blk_SHA1_Update(&c, data, len);
313 blk_SHA1_Final(sha1, &c);