
📄 shs1.c

📁 Calc Software Package for Number Calc
💻 C
📖 第 1 页 / 共 2 页
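/*
 * shs1 - implements new NIST Secure Hash Standard-1 (SHS1)
 *
 * Written 2 September 1992, Peter C. Gutmann.
 *
 * This file has been extensively modified by:
 *
 *	Landon Curt Noll
 *	http://www.isthe.com/chongo/
 *
 *	chongo <was here> /\../\
 *
 * This code has been placed in the public domain.  Please do not
 * copyright this code.
 *
 * LANDON CURT NOLL DISCLAIMS ALL WARRANTIES WITH  REGARD  TO
 * THIS	 SOFTWARE,  INCLUDING  ALL IMPLIED WARRANTIES OF MER-
 * CHANTABILITY AND FITNESS.  IN NO EVENT SHALL	 LANDON	 CURT
 * NOLL	 BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL
 * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM  LOSS  OF
 * USE,	 DATA  OR  PROFITS, WHETHER IN AN ACTION OF CONTRACT,
 * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR  IN
 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 *
 * @(#) $Revision: 29.3 $
 * @(#) $Id: shs1.c,v 29.3 2004/02/23 08:15:52 chongo Exp $
 * @(#) $Source: /usr/local/src/cmd/calc/RCS/shs1.c,v $
 *
 * This file is not covered under version 2.1 of the GNU LGPL.
 */

/*
 * NOTE(review): SHS1 here is SHA-1 (FIPS Pub 180-1).  SHA-1 is no longer
 * collision resistant -- practical collisions have been published -- so
 * treat the digest as a checksum / value fingerprint only, not as a
 * basis for signatures or integrity checks against a deliberate attacker.
 */


#include <stdio.h>
#include <string.h>	/* memcpy(), memset() are called below */
#include "longbits.h"
#include "align32.h"
#include "endian_calc.h"
#include "value.h"
#include "hash.h"
#include "shs.h"


/*
 * The SHS1 f()-functions.  The f1 and f3 functions can be optimized
 * to save one boolean operation each - thanks to Rich Schroeppel,
 * rcs@cs.arizona.edu for discovering this.
 *
 * f1: ((x&y) | (~x&z)) == (z ^ (x&(y^z)))
 * f3: ((x&y) | (x&z) | (y&z)) == ((x&y) | (z&(x|y)))
 *
 * Every macro argument is parenthesized so that an expression argument
 * cannot re-associate with the operators inside the macro body.
 */
#define f1(x,y,z)	((z) ^ ((x)&((y)^(z))))		/* Rounds  0-19 */
#define f2(x,y,z)	((x)^(y)^(z))			/* Rounds 20-39 */
#define f3(x,y,z)	(((x)&(y)) | ((z)&((x)|(y))))	/* Rounds 40-59 */
#define f4(x,y,z)	((x)^(y)^(z))			/* Rounds 60-79 */

/* The SHS1 Mysterious Constants */
#define K1	0x5A827999L	/* Rounds  0-19 */
#define K2	0x6ED9EBA1L	/* Rounds 20-39 */
#define K3	0x8F1BBCDCL	/* Rounds 40-59 */
#define K4	0xCA62C1D6L	/* Rounds 60-79 */

/* SHS1 initial values */
#define h0init	0x67452301L
#define h1init	0xEFCDAB89L
#define h2init	0x98BADCFEL
#define h3init	0x10325476L
#define h4init	0xC3D2E1F0L

/*
 * 32-bit rotate left - kludged with shifts
 *
 * NOTE(review): only a true rotate when X is an unsigned type of exactly
 * 32 bits; USB32 is declared in a project header not shown here - confirm.
 * n must be in 1..31 (every use in this file passes 1, 5 or 30).
 */
#define LEFT_ROT(X,n)  (((X)<<(n)) | ((X)>>(32-(n))))

/*
 *
 * The initial expanding function.  The hash function is defined over an
 * 80-word expanded input array W, where the first 16 are copies of the input
 * data, and the remaining 64 are defined by
 *
 *	W[i] = LEFT_ROT(W[i-16] ^ W[i-14] ^ W[i-8] ^ W[i-3], 1)
 *
 * NOTE: The expanding function used in rounds 16 to 79 was changed from the
 *	 original SHA (in FIPS Pub 180) to one that also left circular shifted
 *	 by one bit for Secure Hash Algorithm-1 (FIPS Pub 180-1).
 *
 * Only 16 words are kept: index i is reduced mod 16, so W[i&15] holds
 * W[i-16] on entry and is overwritten with the new W[i].
 */
#define exor(W,i,t) \
    ((t) = ((W)[(i)&15] ^ (W)[((i)-14)&15] ^ \
	    (W)[((i)-8)&15] ^ (W)[((i)-3)&15]), \
     (W)[(i)&15] = LEFT_ROT((t), 1))

/*
 * The prototype SHS1 sub-round.  The fundamental sub-round is:
 *
 *	a' = e + LEFT_ROT(a,5) + f(b,c,d) + k + data;
 *	b' = a;
 *	c' = LEFT_ROT(b,30);
 *	d' = c;
 *	e' = d;
 *
 * but this is implemented by unrolling the loop 5 times and renaming the
 * variables ( e, a, b, c, d ) = ( a', b', c', d', e' ) each iteration.
 * This code is then replicated 20 times for each of the 4 functions, using
 * the next 20 values from the W[] array each time.
 *
 * a..e must be plain lvalues: e and b are assigned, b is read twice.
 */
#define subRound(a, b, c, d, e, f, k, data) \
    (e += LEFT_ROT(a,5) + f(b,c,d) + (k) + (data), b = LEFT_ROT(b,30))


/* forward declarations */
static void shs1Init(HASH*);
static void shs1Transform(USB32*, USB32*);
static void shs1Update(HASH*, USB8*, USB32);
static void shs1Final(HASH*);
static void shs1_chkpt(HASH*);
static void shs1_note(int, HASH*);
static void shs1_type(int, HASH*);
void shs1_init_state(HASH*);
static ZVALUE shs1_final_state(HASH*);
static int shs1_cmp(HASH*, HASH*);
static void shs1_print(HASH*);


/*
 * shs1Init - initialize the SHS1 state
 *
 * given:
 *	state	hash state whose h_union.h_shs1 member is reset
 *
 * Loads the five digest words with h0init..h4init and clears the
 * bit count (countLo/countHi) and the buffered byte count (datalen).
 */
static void
shs1Init(HASH *state)
{
	SHS1_INFO *dig = &state->h_union.h_shs1;  /* digest state */

	/* Set the h-vars to their initial values */
	dig->digest[0] = h0init;
	dig->digest[1] = h1init;
	dig->digest[2] = h2init;
	dig->digest[3] = h3init;
	dig->digest[4] = h4init;

	/* Initialise bit count */
	dig->countLo = 0;
	dig->countHi = 0;
	dig->datalen = 0;
}


/*
 * shs1Transform - perform the SHS1 transformation
 *
 * given:
 *	digest	5-word chaining value, updated in place
 *	W	16-word message chunk; overwritten by exor() during
 *		rounds 16-79, so the caller's chunk data is destroyed
 *
 * Note that this code, like MD5, seems to break some optimizing compilers.
 * It may be necessary to split it into sections, eg based on the four
 * subrounds.  One may also want to roll each subround into a loop.
 */
static void
shs1Transform(USB32 *digest, USB32 *W)
{
	USB32 A, B, C, D, E;		/* Local vars */
	USB32 t;			/* temp storage for exor() */

	/* Set up first buffer and local data buffer */
	A = digest[0];
	B = digest[1];
	C = digest[2];
	D = digest[3];
	E = digest[4];

	/* Heavy mangling, in 4 sub-rounds of 20 iterations each. */
	subRound(A, B, C, D, E, f1, K1, W[ 0]);
	subRound(E, A, B, C, D, f1, K1, W[ 1]);
	subRound(D, E, A, B, C, f1, K1, W[ 2]);
	subRound(C, D, E, A, B, f1, K1, W[ 3]);
	subRound(B, C, D, E, A, f1, K1, W[ 4]);
	subRound(A, B, C, D, E, f1, K1, W[ 5]);
	subRound(E, A, B, C, D, f1, K1, W[ 6]);
	subRound(D, E, A, B, C, f1, K1, W[ 7]);
	subRound(C, D, E, A, B, f1, K1, W[ 8]);
	subRound(B, C, D, E, A, f1, K1, W[ 9]);
	subRound(A, B, C, D, E, f1, K1, W[10]);
	subRound(E, A, B, C, D, f1, K1, W[11]);
	subRound(D, E, A, B, C, f1, K1, W[12]);
	subRound(C, D, E, A, B, f1, K1, W[13]);
	subRound(B, C, D, E, A, f1, K1, W[14]);
	subRound(A, B, C, D, E, f1, K1, W[15]);
	subRound(E, A, B, C, D, f1, K1, exor(W,16,t));
	subRound(D, E, A, B, C, f1, K1, exor(W,17,t));
	subRound(C, D, E, A, B, f1, K1, exor(W,18,t));
	subRound(B, C, D, E, A, f1, K1, exor(W,19,t));

	subRound(A, B, C, D, E, f2, K2, exor(W,20,t));
	subRound(E, A, B, C, D, f2, K2, exor(W,21,t));
	subRound(D, E, A, B, C, f2, K2, exor(W,22,t));
	subRound(C, D, E, A, B, f2, K2, exor(W,23,t));
	subRound(B, C, D, E, A, f2, K2, exor(W,24,t));
	subRound(A, B, C, D, E, f2, K2, exor(W,25,t));
	subRound(E, A, B, C, D, f2, K2, exor(W,26,t));
	subRound(D, E, A, B, C, f2, K2, exor(W,27,t));
	subRound(C, D, E, A, B, f2, K2, exor(W,28,t));
	subRound(B, C, D, E, A, f2, K2, exor(W,29,t));
	subRound(A, B, C, D, E, f2, K2, exor(W,30,t));
	subRound(E, A, B, C, D, f2, K2, exor(W,31,t));
	subRound(D, E, A, B, C, f2, K2, exor(W,32,t));
	subRound(C, D, E, A, B, f2, K2, exor(W,33,t));
	subRound(B, C, D, E, A, f2, K2, exor(W,34,t));
	subRound(A, B, C, D, E, f2, K2, exor(W,35,t));
	subRound(E, A, B, C, D, f2, K2, exor(W,36,t));
	subRound(D, E, A, B, C, f2, K2, exor(W,37,t));
	subRound(C, D, E, A, B, f2, K2, exor(W,38,t));
	subRound(B, C, D, E, A, f2, K2, exor(W,39,t));

	subRound(A, B, C, D, E, f3, K3, exor(W,40,t));
	subRound(E, A, B, C, D, f3, K3, exor(W,41,t));
	subRound(D, E, A, B, C, f3, K3, exor(W,42,t));
	subRound(C, D, E, A, B, f3, K3, exor(W,43,t));
	subRound(B, C, D, E, A, f3, K3, exor(W,44,t));
	subRound(A, B, C, D, E, f3, K3, exor(W,45,t));
	subRound(E, A, B, C, D, f3, K3, exor(W,46,t));
	subRound(D, E, A, B, C, f3, K3, exor(W,47,t));
	subRound(C, D, E, A, B, f3, K3, exor(W,48,t));
	subRound(B, C, D, E, A, f3, K3, exor(W,49,t));
	subRound(A, B, C, D, E, f3, K3, exor(W,50,t));
	subRound(E, A, B, C, D, f3, K3, exor(W,51,t));
	subRound(D, E, A, B, C, f3, K3, exor(W,52,t));
	subRound(C, D, E, A, B, f3, K3, exor(W,53,t));
	subRound(B, C, D, E, A, f3, K3, exor(W,54,t));
	subRound(A, B, C, D, E, f3, K3, exor(W,55,t));
	subRound(E, A, B, C, D, f3, K3, exor(W,56,t));
	subRound(D, E, A, B, C, f3, K3, exor(W,57,t));
	subRound(C, D, E, A, B, f3, K3, exor(W,58,t));
	subRound(B, C, D, E, A, f3, K3, exor(W,59,t));

	subRound(A, B, C, D, E, f4, K4, exor(W,60,t));
	subRound(E, A, B, C, D, f4, K4, exor(W,61,t));
	subRound(D, E, A, B, C, f4, K4, exor(W,62,t));
	subRound(C, D, E, A, B, f4, K4, exor(W,63,t));
	subRound(B, C, D, E, A, f4, K4, exor(W,64,t));
	subRound(A, B, C, D, E, f4, K4, exor(W,65,t));
	subRound(E, A, B, C, D, f4, K4, exor(W,66,t));
	subRound(D, E, A, B, C, f4, K4, exor(W,67,t));
	subRound(C, D, E, A, B, f4, K4, exor(W,68,t));
	subRound(B, C, D, E, A, f4, K4, exor(W,69,t));
	subRound(A, B, C, D, E, f4, K4, exor(W,70,t));
	subRound(E, A, B, C, D, f4, K4, exor(W,71,t));
	subRound(D, E, A, B, C, f4, K4, exor(W,72,t));
	subRound(C, D, E, A, B, f4, K4, exor(W,73,t));
	subRound(B, C, D, E, A, f4, K4, exor(W,74,t));
	subRound(A, B, C, D, E, f4, K4, exor(W,75,t));
	subRound(E, A, B, C, D, f4, K4, exor(W,76,t));
	subRound(D, E, A, B, C, f4, K4, exor(W,77,t));
	subRound(C, D, E, A, B, f4, K4, exor(W,78,t));
	subRound(B, C, D, E, A, f4, K4, exor(W,79,t));

	/* Build message digest */
	digest[0] += A;
	digest[1] += B;
	digest[2] += C;
	digest[3] += D;
	digest[4] += E;
}


/*
 * shs1Update - update SHS1 with arbitrary length data
 *
 * given:
 *	state	hash state; its h_union.h_shs1 member is updated
 *	buffer	data to hash
 *	count	number of bytes at buffer
 *
 * Bytes are accumulated in dig->data; each time SHS1_CHUNKSIZE bytes are
 * available the chunk is run through shs1Transform().  Any tail shorter
 * than a chunk stays buffered, with its length in dig->datalen.
 *
 * Declared static to match the forward declaration above.
 *
 * NOTE(review): dig->datalen must be < SHS1_CHUNKSIZE on entry.  The
 * subtraction below is unsigned, so a larger value would wrap and the
 * first memcpy() would write past dig->data.  Nothing here checks it;
 * presumably every writer of datalen keeps the invariant - confirm for
 * any path that restores or copies a HASH state.
 */
static void
shs1Update(HASH *state, USB8 *buffer, USB32 count)
{
	SHS1_INFO *dig = &state->h_union.h_shs1;  /* digest state */
	USB32 datalen = dig->datalen;
	USB32 cpylen;
#if CALC_BYTE_ORDER == LITTLE_ENDIAN
	unsigned int i;
#endif

	/*
	 * Update the full count, even if some of it is buffered for later
	 */
	SHS1COUNT(dig, count);

	/* determine the size we need to copy */
	cpylen = SHS1_CHUNKSIZE - datalen;

	/* case: new data will not fill the buffer */
	if (cpylen > count) {
		memcpy((char *)dig->data+datalen,
			(char *)buffer, count);
		dig->datalen = datalen+count;
		return;
	}

	/* case: buffer will be filled */
	memcpy((char *)dig->data + datalen, (char *)buffer, cpylen);

	/*
	 * Process data in SHS1_CHUNKSIZE chunks
	 */
	for (;;) {
#if CALC_BYTE_ORDER == LITTLE_ENDIAN
		/* byte-swap each word of the chunk when state->bytes is set */
		if (state->bytes) {
			for (i=0; i < SHS1_CHUNKWORDS; ++i) {
				SWAP_B8_IN_B32(dig->data+i, dig->data+i);
			}
		}
#endif
		shs1Transform(dig->digest, dig->data);
		buffer += cpylen;
		count -= cpylen;
		if (count < SHS1_CHUNKSIZE) {
			break;
		}
		cpylen = SHS1_CHUNKSIZE;
		memcpy(dig->data, buffer, cpylen);
	}

	/*
	 * Handle any remaining bytes of data.
	 * This should only happen once on the final lot of data
	 */
	if (count > 0) {
		memcpy((char *)dig->data, (char *)buffer, count);
	}
	dig->datalen = count;
}


/*
 * shs1Final - perform final SHS1 transforms
 *
 * At this point we have less than a full chunk of data remaining
 * (and possibly no data) in the shs1 state data buffer.
 *
 * First we append a final 0x80 byte.
 *
 * Next if we have more than 56 bytes, we will zero fill the remainder
 * of the chunk, transform and then zero fill the first 56 bytes.
 * If we have 56 or fewer bytes, we will zero fill out to the 56th
 * chunk byte.	Regardless, we wind up with 56 bytes data.
 *
 * Finally we append the 64 bit length on to the 56 bytes of data
 * remaining.  This final chunk is transformed.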
*/voidshs1Final(HASH *state){	SHS1_INFO *dig = &state->h_union.h_shs1;	/* digest state */	long count = (long)(dig->datalen);	USB32 lowBitcount;	USB32 highBitcount;	USB8 *data = (USB8 *) dig->data;#if CALC_BYTE_ORDER == LITTLE_ENDIAN	unsigned int i;#endif	/* Pad to end of chunk */	memset(data + count, 0, SHS1_CHUNKSIZE - count);	/*	 * If processing bytes, set the first byte of padding to 0x80.	 * if processing words: on a big-endian machine set the first
