2 * Copyright 2000, International Business Machines Corporation and others.
5 * This software has been released under the terms of the IBM Public
6 * License. For details, see the LICENSE file in the top-level source
7 * directory or online at http://www.openafs.org/dl/license10.html
12 * COMPONENT_NAME: nsafs
17 * This module implements the Secure Hash Algorithm (SHA) as specified in
18 * the Secure Hash Standard (SHS, FIPS PUB 180.1).
21 #include <afsconfig.h>
22 #include "afs/param.h"
25 #include "afs/sysincludes.h" /* Standard vendor system headers */
27 #include "afsincludes.h" /* Afs-based standard headers */
28 #include "afs/afs_stats.h"
30 #include "afs/cellconfig.h"
32 #include "afs/nsafs.h"
34 static int big_endian
;
36 static const sha_int hashinit
[] = {
37 0x67452301, 0xEFCDAB89, 0x98BADCFE,
38 0x10325476, 0xC3D2E1F0
41 #define ROTL(n, x) (((x) << (n)) | ((x) >> (SHA_BITS_PER_INT - (n))))
43 #ifdef DISABLED_CODE_HERE
45 f(int t
, sha_int x
, sha_int y
, sha_int z
)
47 if (t
< 0 || t
>= SHA_ROUNDS
)
50 return (z
^ (x
& (y
^ z
)));
54 return ((x
& y
) | (z
& (x
| y
))); /* saves 1 boolean op */
55 return (x
^ y
^ z
); /* 60-79 same as 40-59 */
59 /* This is the "magic" function used for each round. */
60 /* Were this a C function, the interface would be: */
61 /* static sha_int f(int t, sha_int x, sha_int y, sha_int z) */
62 /* The function call version preserved above until stable */
64 #define f_a(x, y, z) (z ^ (x & (y ^ z)))
65 #define f_b(x, y, z) (x ^ y ^ z)
66 #define f_c(x, y, z) (( (x & y) | (z & (x | y))))
68 #define f(t, x, y, z) \
69 ( (t < 0 || t >= SHA_ROUNDS) ? 0 : \
70 ( (t < 20) ? f_a(x, y, z) : \
71 ( (t < 40) ? f_b(x, y, z) : \
72 ( (t < 60) ? f_c(x, y, z) : f_b(x, y, z)))))
75 *static sha_int K(int t)
77 * if (t < 0 || t >= SHA_ROUNDS) return 0;
88 /* This macro/function supplies the "magic" constant for each round. */
89 /* The function call version preserved above until stable */
91 static const sha_int k_vals
[] =
92 { 0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6 };
94 #define K(t) ( (t < 0 || t >= SHA_ROUNDS) ? 0 : k_vals[ t/20 ] )
97 * Update the internal state based on the given chunk.
100 transform(shaState
* shaStateP
, sha_int
* chunk
)
102 sha_int A
= shaStateP
->digest
[0];
103 sha_int B
= shaStateP
->digest
[1];
104 sha_int C
= shaStateP
->digest
[2];
105 sha_int D
= shaStateP
->digest
[3];
106 sha_int E
= shaStateP
->digest
[4];
110 sha_int W
[SHA_ROUNDS
];
112 for (t
= 0; t
< SHA_CHUNK_INTS
; t
++)
114 for (; t
< SHA_ROUNDS
; t
++) {
115 TEMP
= W
[t
- 3] ^ W
[t
- 8] ^ W
[t
- 14] ^ W
[t
- 16];
116 W
[t
] = ROTL(1, TEMP
);
119 for (t
= 0; t
< SHA_ROUNDS
; t
++) {
120 TEMP
= ROTL(5, A
) + f(t
, B
, C
, D
) + E
+ W
[t
] + K(t
);
128 shaStateP
->digest
[0] += A
;
129 shaStateP
->digest
[1] += B
;
130 shaStateP
->digest
[2] += C
;
131 shaStateP
->digest
[3] += D
;
132 shaStateP
->digest
[4] += E
;
137 * This function takes an array of SHA_CHUNK_BYTES bytes
138 * as input and produces an output array of ints that is
139 * SHA_CHUNK_INTS long.
142 buildInts(const char *data
, sha_int
* chunk
)
145 * Need to copy the data because we can't be certain that
146 * the input buffer will be aligned correctly.
148 memcpy((void *)chunk
, (void *)data
, SHA_CHUNK_BYTES
);
151 /* This loop does nothing but waste time on a big endian machine. */
154 for (i
= 0; i
< SHA_CHUNK_INTS
; i
++)
155 chunk
[i
] = ntohl(chunk
[i
]);
160 * This function updates the internal state of the hash by using
161 * buildInts to break the input up into chunks and repeatedly passing
162 * these chunks to transform().
165 sha_update(shaState
* shaStateP
, const char *buffer
, int bufferLen
)
168 sha_int chunk
[SHA_CHUNK_INTS
];
171 if (buffer
== NULL
|| bufferLen
== 0)
174 newLo
= shaStateP
->bitcountLo
+ (bufferLen
<< 3);
175 if (newLo
< shaStateP
->bitcountLo
)
176 shaStateP
->bitcountHi
++;
177 shaStateP
->bitcountLo
= newLo
;
178 shaStateP
->bitcountHi
+= ((bufferLen
>> (SHA_BITS_PER_INT
- 3)) & 0x07);
181 * If we won't have enough for a full chunk, just tack this
182 * buffer onto the leftover piece and return.
184 if (shaStateP
->leftoverLen
+ bufferLen
< SHA_CHUNK_BYTES
) {
185 memcpy((void *)&(shaStateP
->leftover
[shaStateP
->leftoverLen
]),
186 (void *)buffer
, bufferLen
);
187 shaStateP
->leftoverLen
+= bufferLen
;
191 /* If we have a leftover chunk, process it first. */
192 if (shaStateP
->leftoverLen
> 0) {
193 i
= (SHA_CHUNK_BYTES
- shaStateP
->leftoverLen
);
194 memcpy((void *)&(shaStateP
->leftover
[shaStateP
->leftoverLen
]),
198 buildInts(shaStateP
->leftover
, chunk
);
199 shaStateP
->leftoverLen
= 0;
200 transform(shaStateP
, chunk
);
203 while (bufferLen
>= SHA_CHUNK_BYTES
) {
204 buildInts(buffer
, chunk
);
205 transform(shaStateP
, chunk
);
206 buffer
+= SHA_CHUNK_BYTES
;
207 bufferLen
-= SHA_CHUNK_BYTES
;
209 assert((bufferLen
>= 0) && (bufferLen
< SHA_CHUNK_BYTES
));
212 memcpy((void *)&shaStateP
->leftover
[0], (void *)buffer
, bufferLen
);
213 shaStateP
->leftoverLen
= bufferLen
;
219 * This method updates the internal state of the hash using
220 * any leftover data plus appropriate padding and incorporation
221 * of the hash bitcount to finish the hash. The hash value
222 * is not valid until finish() has been called.
225 sha_finish(shaState
* shaStateP
)
227 sha_int chunk
[SHA_CHUNK_INTS
];
230 if (shaStateP
->leftoverLen
> (SHA_CHUNK_BYTES
- 9)) {
231 shaStateP
->leftover
[shaStateP
->leftoverLen
++] = 0x80;
232 memset(&(shaStateP
->leftover
[shaStateP
->leftoverLen
]), 0,
233 (SHA_CHUNK_BYTES
- shaStateP
->leftoverLen
));
234 buildInts(shaStateP
->leftover
, chunk
);
235 transform(shaStateP
, chunk
);
236 memset(chunk
, 0, SHA_CHUNK_BYTES
);
238 shaStateP
->leftover
[shaStateP
->leftoverLen
++] = 0x80;
239 memset(&(shaStateP
->leftover
[shaStateP
->leftoverLen
]), 0,
240 (SHA_CHUNK_BYTES
- shaStateP
->leftoverLen
));
241 buildInts(shaStateP
->leftover
, chunk
);
243 shaStateP
->leftoverLen
= 0;
245 chunk
[SHA_CHUNK_INTS
- 2] = shaStateP
->bitcountHi
;
246 chunk
[SHA_CHUNK_INTS
- 1] = shaStateP
->bitcountLo
;
247 transform(shaStateP
, chunk
);
252 * Initialize the hash to its "magic" initial value specified by the
253 * SHS standard, and clear out the bitcount and leftover vars.
254 * This should be used to initialize an shaState.
257 sha_clear(shaState
* shaStateP
)
259 big_endian
= (0x01020304 == htonl(0x01020304));
261 memcpy((void *)&shaStateP
->digest
[0], (void *)&hashinit
[0],
263 shaStateP
->bitcountLo
= shaStateP
->bitcountHi
= 0;
264 shaStateP
->leftoverLen
= 0;
269 * Hash the buffer and place the result in *shaStateP.
272 sha_hash(shaState
* shaStateP
, const char *buffer
, int bufferLen
)
274 sha_clear(shaStateP
);
275 sha_update(shaStateP
, buffer
, bufferLen
);
276 sha_finish(shaStateP
);
281 * Returns the current state of the hash as an array of 20 bytes.
282 * This will be an interim result if finish() has not yet been called.
285 sha_bytes(const shaState
* shaStateP
, char *bytes
)
287 sha_int temp
[SHA_HASH_INTS
];
290 for (i
= 0; i
< SHA_HASH_INTS
; i
++)
291 temp
[i
] = htonl(shaStateP
->digest
[i
]);
292 memcpy(bytes
, (void *)&temp
[0], SHA_HASH_BYTES
);