1 /* Implementation of NIST's Secure Hash Algorithm (FIPS 180)
\r
2 * Lightly bummed for execution efficiency.
\r
4 * Jim Gillogly 3 May 1993
\r
6 * 27 Aug 93: imported SHA_LITTLE_ENDIAN mods from Peter Gutmann's implementation
\r
7 * 5 Jul 94: Modified for NSA fix
\r
9 * Compile: cc -O -o sha sha.c
\r
11 * To remove the test wrapper and use just the nist_hash() routine,
\r
12 * compile with -DONT_WRAP
\r
14 * To reverse byte order for little-endian machines, use -DSHA_LITTLE_ENDIAN
\r
16 * To get the original SHA definition before the 1994 fix, use -DVERSION_0
\r
18 * Usage: sha [-vt] [filename ...]
\r
20 * -v switch: output the filename as well
\r
21 * -t switch: suppress spaces between 32-bit blocks
\r
23 * If no input files are specified, process standard input.
\r
25 * Output: 40-hex-digit digest of each file specified (160 bits)
\r
27 * Synopsis of the function calls:
\r
29 * sha_file(char *filename, uint32 *buffer)
\r
30 * Filename is a file to be opened and processed.
\r
31 * buffer is a user-supplied array of 5 or more longs.
\r
32 * The 5-word buffer is filled with 160 bits of non-terminated hash.
\r
33 * Returns 0 if successful, non-zero if bad file.
\r
35 * void sha_stream(FILE *stream, uint32 *buffer)
\r
36 * Input is from already-opened stream, not file.
\r
38 * void sha_memory(char *mem, int32 length, uint32 *buffer)
\r
39 * Input is a memory block "length" bytes long.
\r
42 * Not tested for case that requires the high word of the length,
\r
43 * which would be files larger than 1/2 gig or so.
\r
46 * sha_memory (the memory block function) will deal with blocks no longer
\r
47 * than 4 gigabytes; for longer samples, the stream version will
\r
48 * probably be most convenient (e.g. perl moby_data.pl | sha).
\r
51 * The standard is defined for bit strings; I assume bytes.
\r
53 * Copyright 1993, Dr. James J. Gillogly
\r
54 * This code may be freely used in any application.
\r
57 /* #define VERSION_0 */ /* Define this to get the original SHA definition */
\r
64 # define SHA_LITTLE_ENDIAN
\r
75 int sha_file(); /* External entries */
\r
76 void sha_stream(), sha_memory();
\r
78 static void nist_guts();
\r
80 #ifdef SHA_TEST_WRAP /* make a test program */
\r
82 #define HASH_SIZE 5 /* Produces 160-bit digest of the message */
\r
88 uint32 hbuf[HASH_SIZE];
\r
90 int file_args = FALSE; /* If no files, take it from stdin */
\r
91 int verbose = FALSE;
\r
95 sha_memory("abc", 3l, hbuf); /* NIST test value from appendix A */
\r
96 if (verbose) printf("Memory:");
\r
97 if (terse) printf("%08lx%08lx%08lx%08lx%08lx\n",
\r
98 hbuf[0], hbuf[1], hbuf[2], hbuf[3], hbuf[4]);
\r
99 else printf("%08lx %08lx %08lx %08lx %08lx\n",
\r
100 hbuf[0], hbuf[1], hbuf[2], hbuf[3], hbuf[4]);
\r
103 for (++argv; --argc; ++argv) /* March down the arg list */
\r
105 if (**argv == '-') /* Process one or more flags */
\r
106 for (s = &(*argv)[1]; *s; s++) /* Obfuscated C contest entry */
\r
109 case 'v': case 'V':
\r
112 case 't': case 'T':
\r
116 fprintf(stderr, "Unrecognized flag: %c\n", *s);
\r
119 else /* Process a file */
\r
121 if (verbose) printf("%s:", *argv);
\r
122 file_args = TRUE; /* Whether or not we could read it */
\r
124 if (sha_file(*argv, hbuf) == FAILURE)
\r
125 printf("Can't open file %s.\n", *argv);
\r
127 if (terse) printf("%08lx%08lx%08lx%08lx%08lx\n",
\r
128 hbuf[0], hbuf[1], hbuf[2], hbuf[3], hbuf[4]);
\r
129 else printf("%08lx %08lx %08lx %08lx %08lx\n",
\r
130 hbuf[0], hbuf[1], hbuf[2], hbuf[3], hbuf[4]);
\r
133 if (! file_args) /* No file specified */
\r
135 if (verbose) printf("%s:", *argv);
\r
136 sha_stream(stdin, hbuf);
\r
138 if (terse) printf("%08lx%08lx%08lx%08lx%08lx\n",
\r
139 hbuf[0], hbuf[1], hbuf[2], hbuf[3], hbuf[4]);
\r
140 else printf("%08lx %08lx %08lx %08lx %08lx\n",
\r
141 hbuf[0], hbuf[1], hbuf[2], hbuf[3], hbuf[4]);
\r
148 #ifdef SHA_LITTLE_ENDIAN /* Imported from Peter Gutmann's implementation */
\r
150 /* When run on a little-endian CPU we need to perform byte reversal on an
\r
151 array of longwords. It is possible to make the code endianness-
\r
152 independant by fiddling around with data at the byte level, but this
\r
153 makes for very slow code, so we rely on the user to sort out endianness
\r
156 static void byteReverse( uint32 *buffer, int byteCount )
\r
161 byteCount /= sizeof( uint32 );
\r
162 for( count = 0; count < byteCount; count++ )
\r
164 value = ( buffer[ count ] << 16 ) | ( buffer[ count ] >> 16 );
\r
165 buffer[ count ] = ( ( value & 0xFF00FF00L ) >> 8 ) | ( ( value & 0x00FF00FFL ) << 8 );
\r
168 #endif /* SHA_LITTLE_ENDIAN */
\r
174 uint32 W[80]; /* Process 16 32-bit words at a time */
\r
175 char B[320]; /* But read them as bytes for counting */
\r
178 sha_file(filename, buffer) /* Hash a file */
\r
184 if ((infile = fopen(filename, "rb")) == NULL)
\r
188 for (i = 0; i < 5; i++)
\r
189 buffer[i] = 0xdeadbeef;
\r
192 (void) sha_stream(infile, buffer);
\r
197 void sha_memory(mem, length, buffer) /* Hash a memory block */
\r
202 nist_guts(FALSE, (FILE *) NULL, mem, length, buffer);
\r
205 void sha_stream(stream, buffer)
\r
209 nist_guts(TRUE, stream, (char *) NULL, 0l, buffer);
\r
212 #define f0(x,y,z) (z ^ (x & (y ^ z))) /* Magic functions */
\r
213 #define f1(x,y,z) (x ^ y ^ z)
\r
214 #define f2(x,y,z) ((x & y) | (z & (x | y)))
\r
215 #define f3(x,y,z) (x ^ y ^ z)
\r
217 #define K0 0x5a827999 /* Magic constants */
\r
218 #define K1 0x6ed9eba1
\r
219 #define K2 0x8f1bbcdc
\r
220 #define K3 0xca62c1d6
\r
222 #define S(n, X) ((X << n) | (X >> (32 - n))) /* Barrel roll */
\r
225 temp = S(5, A) + f(B, C, D) + E + *p0++ + K; \
\r
234 temp = S(5, A) + f(B, C, D) + E + \
\r
235 (*p0++ = *p1++ ^ *p2++ ^ *p3++ ^ *p4++) + K; \
\r
241 #else /* Version 1: Summer '94 update */
\r
243 temp = *p1++ ^ *p2++ ^ *p3++ ^ *p4++; \
\r
244 temp = S(5, A) + f(B, C, D) + E + (*p0++ = S(1,temp)) + K; \
\r
252 static void nist_guts(file_flag, stream, mem, length, buf)
\r
253 int file_flag; /* Input from memory, or from stream? */
\r
259 int i, nread, nbits;
\r
261 uint32 hi_length, lo_length;
\r
265 register uint32 *p0, *p1, *p2, *p3, *p4;
\r
266 uint32 A, B, C, D, E, temp;
\r
268 uint32 h0, h1, h2, h3, h4;
\r
270 h0 = 0x67452301; /* Accumulators */
\r
278 for (hi_length = lo_length = 0; ;) /* Process 16 longs at a time */
\r
282 nread = fread(d.B, 1, 64, stream); /* Read as 64 bytes */
\r
286 if (length < 64) nread = length;
\r
289 memcpy(d.B, s, nread);
\r
292 if (nread < 64) /* Partial block? */
\r
294 nbits = nread << 3; /* Length: bits */
\r
295 if ((lo_length += nbits) < (unsigned int)nbits)
\r
296 hi_length++; /* 64-bit integer */
\r
298 if (nread < 64 && ! padded) /* Append a single bit */
\r
300 d.B[nread++] = (char)0x80; /* Using up next byte */
\r
301 padded = TRUE; /* Single bit once */
\r
303 for (i = nread; i < 64; i++) /* Pad with nulls */
\r
305 if (nread <= 56) /* Room for length in this block */
\r
307 d.W[14] = hi_length;
\r
308 d.W[15] = lo_length;
\r
309 #ifdef SHA_LITTLE_ENDIAN
\r
310 byteReverse(d.W, 56 );
\r
311 #endif /* SHA_LITTLE_ENDIAN */
\r
313 #ifdef SHA_LITTLE_ENDIAN
\r
314 else byteReverse(d.W, 64 );
\r
315 #endif /* SHA_LITTLE_ENDIAN */
\r
317 else /* Full block -- get efficient */
\r
319 if ((lo_length += 512) < 512)
\r
320 hi_length++; /* 64-bit integer */
\r
321 #ifdef SHA_LITTLE_ENDIAN
\r
322 byteReverse(d.W, 64 );
\r
323 #endif /* SHA_LITTLE_ENDIAN */
\r
327 A = h0; B = h1; C = h2; D = h3; E = h4;
\r
329 r0(f0,K0); r0(f0,K0); r0(f0,K0); r0(f0,K0); r0(f0,K0);
\r
330 r0(f0,K0); r0(f0,K0); r0(f0,K0); r0(f0,K0); r0(f0,K0);
\r
331 r0(f0,K0); r0(f0,K0); r0(f0,K0); r0(f0,K0); r0(f0,K0);
\r
334 p1 = &d.W[13]; p2 = &d.W[8]; p3 = &d.W[2]; p4 = &d.W[0];
\r
336 r1(f0,K0); r1(f0,K0); r1(f0,K0); r1(f0,K0);
\r
337 r1(f1,K1); r1(f1,K1); r1(f1,K1); r1(f1,K1); r1(f1,K1);
\r
338 r1(f1,K1); r1(f1,K1); r1(f1,K1); r1(f1,K1); r1(f1,K1);
\r
339 r1(f1,K1); r1(f1,K1); r1(f1,K1); r1(f1,K1); r1(f1,K1);
\r
340 r1(f1,K1); r1(f1,K1); r1(f1,K1); r1(f1,K1); r1(f1,K1);
\r
341 r1(f2,K2); r1(f2,K2); r1(f2,K2); r1(f2,K2); r1(f2,K2);
\r
342 r1(f2,K2); r1(f2,K2); r1(f2,K2); r1(f2,K2); r1(f2,K2);
\r
343 r1(f2,K2); r1(f2,K2); r1(f2,K2); r1(f2,K2); r1(f2,K2);
\r
344 r1(f2,K2); r1(f2,K2); r1(f2,K2); r1(f2,K2); r1(f2,K2);
\r
345 r1(f3,K3); r1(f3,K3); r1(f3,K3); r1(f3,K3); r1(f3,K3);
\r
346 r1(f3,K3); r1(f3,K3); r1(f3,K3); r1(f3,K3); r1(f3,K3);
\r
347 r1(f3,K3); r1(f3,K3); r1(f3,K3); r1(f3,K3); r1(f3,K3);
\r
348 r1(f3,K3); r1(f3,K3); r1(f3,K3); r1(f3,K3); r1(f3,K3);
\r
350 h0 += A; h1 += B; h2 += C; h3 += D; h4 += E;
\r
352 if (nread <= 56) break; /* If it's greater, length in next block */
\r
354 buf[0] = h0; buf[1] = h1; buf[2] = h2; buf[3] = h3; buf[4] = h4;
\r