freeswitch/libs/libzrtp/third_party/bnlib/test/sha.c

/* --------------------------------- SHA.C ------------------------------- */
#include <string.h>

#include "sha.h"

/*
 * NIST Secure Hash Algorithm.
 *
 * Written 2 September 1992, Peter C. Gutmann.
 * This implementation placed in the public domain.
 *
 * Modified 1 June 1993, Colin Plumb.
 * Modified for the new SHS based on Peter Gutmann's work,
 * 18 July 1994, Colin Plumb.
 * Gutmann's work.
 * Renamed to SHA and comments updated a bit 1 November 1995, Colin Plumb.
 * These modifications placed in the public domain.
 *
 * Comments to pgut1@cs.aukuni.ac.nz
 */

#include <string.h>

/*
 * The SHA f()-functions.  The f1 and f3 functions can be optimized to
 * save one boolean operation each - thanks to Rich Schroeppel,
 * rcs@cs.arizona.edu for discovering this
 */
/*#define f1(x,y,z)	( (x & y) | (~x & z) )		// Rounds  0-19 */
#define f1(x,y,z)	( z ^ (x & (y ^ z) ) )		/* Rounds  0-19 */
#define f2(x,y,z)	( x ^ y ^ z )			/* Rounds 20-39 */
/*#define f3(x,y,z)	( (x & y) | (x & z) | (y & z) )	// Rounds 40-59 */
#define f3(x,y,z)	( (x & y) | (z & (x | y) ) )	/* Rounds 40-59 */
#define f4(x,y,z)	( x ^ y ^ z )			/* Rounds 60-79 */

/*
 * The SHA Mysterious Constants.
 * K1 = floor(sqrt(2) * 2^30)
 * K2 = floor(sqrt(3) * 2^30)
 * K3 = floor(sqrt(5) * 2^30)
 * K4 = floor(sqrt(10) * 2^30)
 */
#define K1	0x5A827999L	/* Rounds  0-19 */
#define K2	0x6ED9EBA1L	/* Rounds 20-39 */
#define K3	0x8F1BBCDCL	/* Rounds 40-59 */
#define K4	0xCA62C1D6L	/* Rounds 60-79 */

/* SHA initial values */

#define h0init	0x67452301L
#define h1init	0xEFCDAB89L
#define h2init	0x98BADCFEL
#define h3init	0x10325476L
#define h4init	0xC3D2E1F0L

/*
 * Note that it may be necessary to add parentheses to these macros
 * if they are to be called with expressions as arguments.
 */

/* 32-bit rotate left - kludged with shifts */

#define ROTL(n,X)  ( (X << n) | (X >> (32-n)) )

/*
 * The initial expanding function
 *
 * The hash function is defined over an 80-word expanded input array W,
 * where the first 16 are copies of the input data, and the remaining 64
 * are defined by W[i] = W[i-16] ^ W[i-14] ^ W[i-8] ^ W[i-3].  This
 * implementation generates these values on the fly in a circular buffer.
 */

#if SHA_VERSION
/* The new ("corrected") SHA, FIPS 180.1 */
/* Same as below, but then rotate left one bit */
#define expand(W,i) (W[i&15] ^= W[(i-14)&15] ^ W[(i-8)&15] ^ W[(i-3)&15], \
                     W[i&15] = ROTL(1, W[i&15]))
#else
/* The old (pre-correction) SHA, FIPS 180 */
#define expand(W,i) (W[i&15] ^= W[(i-14)&15] ^ W[(i-8)&15] ^ W[(i-3)&15])
#endif

/*
 * The prototype SHA sub-round
 *
 * The fundamental sub-round is
 * a' = e + ROTL(5,a) + f(b, c, d) + k + data;
 * b' = a;
 * c' = ROTL(30,b);
 * d' = c;
 * e' = d;
 * ... but this is implemented by unrolling the loop 5 times and renaming
 * the variables (e,a,b,c,d) = (a',b',c',d',e') each iteration.
 */
#define subRound(a, b, c, d, e, f, k, data) \
	( e += ROTL(5,a) + f(b, c, d) + k + data, b = ROTL(30, b) )
/*
 * The above code is replicated 20 times for each of the 4 functions,
 * using the next 20 values from the W[] array each time.
 */

/* Initialize the SHA values */

void
shaInit(struct SHAContext *sha)
{
	/* Set the h-vars to their initial values */
	sha->digest[0] = h0init;
	sha->digest[1] = h1init;
	sha->digest[2] = h2init;
	sha->digest[3] = h3init;
	sha->digest[4] = h4init;

	/* Initialise bit count */
#ifdef HAVE64
	sha->count = 0;
#else
	sha->countLo = sha->countHi = 0;
#endif
}

/*
 * Perform the SHA transformation.  Note that this code, like MD5, seems to
 * break some optimizing compilers due to the complexity of the expressions
 * and the size of the basic block.  It may be necessary to split it into
 * sections, e.g. based on the four subrounds
 *
 * Note that this corrupts the sha->data area.
 */
#ifndef ASM

void shaTransform(struct SHAContext *sha)
{
	register word32 A, B, C, D, E;

	/* Set up first buffer */
	A = sha->digest[0];
	B = sha->digest[1];
	C = sha->digest[2];
	D = sha->digest[3];
	E = sha->digest[4];

	/* Heavy mangling, in 4 sub-rounds of 20 interations each. */
	subRound( A, B, C, D, E, f1, K1, sha->data[ 0] );
	subRound( E, A, B, C, D, f1, K1, sha->data[ 1] );
	subRound( D, E, A, B, C, f1, K1, sha->data[ 2] );
	subRound( C, D, E, A, B, f1, K1, sha->data[ 3] );
	subRound( B, C, D, E, A, f1, K1, sha->data[ 4] );
	subRound( A, B, C, D, E, f1, K1, sha->data[ 5] );
	subRound( E, A, B, C, D, f1, K1, sha->data[ 6] );
	subRound( D, E, A, B, C, f1, K1, sha->data[ 7] );
	subRound( C, D, E, A, B, f1, K1, sha->data[ 8] );
	subRound( B, C, D, E, A, f1, K1, sha->data[ 9] );
	subRound( A, B, C, D, E, f1, K1, sha->data[10] );
	subRound( E, A, B, C, D, f1, K1, sha->data[11] );
	subRound( D, E, A, B, C, f1, K1, sha->data[12] );
	subRound( C, D, E, A, B, f1, K1, sha->data[13] );
	subRound( B, C, D, E, A, f1, K1, sha->data[14] );
	subRound( A, B, C, D, E, f1, K1, sha->data[15] );
	subRound( E, A, B, C, D, f1, K1, expand(sha->data, 16) );
	subRound( D, E, A, B, C, f1, K1, expand(sha->data, 17) );
	subRound( C, D, E, A, B, f1, K1, expand(sha->data, 18) );
	subRound( B, C, D, E, A, f1, K1, expand(sha->data, 19) );

	subRound( A, B, C, D, E, f2, K2, expand(sha->data, 20) );
	subRound( E, A, B, C, D, f2, K2, expand(sha->data, 21) );
	subRound( D, E, A, B, C, f2, K2, expand(sha->data, 22) );
	subRound( C, D, E, A, B, f2, K2, expand(sha->data, 23) );
	subRound( B, C, D, E, A, f2, K2, expand(sha->data, 24) );
	subRound( A, B, C, D, E, f2, K2, expand(sha->data, 25) );
	subRound( E, A, B, C, D, f2, K2, expand(sha->data, 26) );
	subRound( D, E, A, B, C, f2, K2, expand(sha->data, 27) );
	subRound( C, D, E, A, B, f2, K2, expand(sha->data, 28) );
	subRound( B, C, D, E, A, f2, K2, expand(sha->data, 29) );
	subRound( A, B, C, D, E, f2, K2, expand(sha->data, 30) );
	subRound( E, A, B, C, D, f2, K2, expand(sha->data, 31) );
	subRound( D, E, A, B, C, f2, K2, expand(sha->data, 32) );
	subRound( C, D, E, A, B, f2, K2, expand(sha->data, 33) );
	subRound( B, C, D, E, A, f2, K2, expand(sha->data, 34) );
	subRound( A, B, C, D, E, f2, K2, expand(sha->data, 35) );
	subRound( E, A, B, C, D, f2, K2, expand(sha->data, 36) );
	subRound( D, E, A, B, C, f2, K2, expand(sha->data, 37) );
	subRound( C, D, E, A, B, f2, K2, expand(sha->data, 38) );
	subRound( B, C, D, E, A, f2, K2, expand(sha->data, 39) );

	subRound( A, B, C, D, E, f3, K3, expand(sha->data, 40) );
	subRound( E, A, B, C, D, f3, K3, expand(sha->data, 41) );
	subRound( D, E, A, B, C, f3, K3, expand(sha->data, 42) );
	subRound( C, D, E, A, B, f3, K3, expand(sha->data, 43) );
	subRound( B, C, D, E, A, f3, K3, expand(sha->data, 44) );
	subRound( A, B, C, D, E, f3, K3, expand(sha->data, 45) );
	subRound( E, A, B, C, D, f3, K3, expand(sha->data, 46) );
	subRound( D, E, A, B, C, f3, K3, expand(sha->data, 47) );
	subRound( C, D, E, A, B, f3, K3, expand(sha->data, 48) );
	subRound( B, C, D, E, A, f3, K3, expand(sha->data, 49) );
	subRound( A, B, C, D, E, f3, K3, expand(sha->data, 50) );
	subRound( E, A, B, C, D, f3, K3, expand(sha->data, 51) );
	subRound( D, E, A, B, C, f3, K3, expand(sha->data, 52) );
	subRound( C, D, E, A, B, f3, K3, expand(sha->data, 53) );
	subRound( B, C, D, E, A, f3, K3, expand(sha->data, 54) );
	subRound( A, B, C, D, E, f3, K3, expand(sha->data, 55) );
	subRound( E, A, B, C, D, f3, K3, expand(sha->data, 56) );
	subRound( D, E, A, B, C, f3, K3, expand(sha->data, 57) );
	subRound( C, D, E, A, B, f3, K3, expand(sha->data, 58) );
	subRound( B, C, D, E, A, f3, K3, expand(sha->data, 59) );

	subRound( A, B, C, D, E, f4, K4, expand(sha->data, 60) );
	subRound( E, A, B, C, D, f4, K4, expand(sha->data, 61) );
	subRound( D, E, A, B, C, f4, K4, expand(sha->data, 62) );
	subRound( C, D, E, A, B, f4, K4, expand(sha->data, 63) );
	subRound( B, C, D, E, A, f4, K4, expand(sha->data, 64) );
	subRound( A, B, C, D, E, f4, K4, expand(sha->data, 65) );
	subRound( E, A, B, C, D, f4, K4, expand(sha->data, 66) );
	subRound( D, E, A, B, C, f4, K4, expand(sha->data, 67) );
	subRound( C, D, E, A, B, f4, K4, expand(sha->data, 68) );
	subRound( B, C, D, E, A, f4, K4, expand(sha->data, 69) );
	subRound( A, B, C, D, E, f4, K4, expand(sha->data, 70) );
	subRound( E, A, B, C, D, f4, K4, expand(sha->data, 71) );
	subRound( D, E, A, B, C, f4, K4, expand(sha->data, 72) );
	subRound( C, D, E, A, B, f4, K4, expand(sha->data, 73) );
	subRound( B, C, D, E, A, f4, K4, expand(sha->data, 74) );
	subRound( A, B, C, D, E, f4, K4, expand(sha->data, 75) );
	subRound( E, A, B, C, D, f4, K4, expand(sha->data, 76) );
	subRound( D, E, A, B, C, f4, K4, expand(sha->data, 77) );
	subRound( C, D, E, A, B, f4, K4, expand(sha->data, 78) );
	subRound( B, C, D, E, A, f4, K4, expand(sha->data, 79) );

	/* Build message digest */
	sha->digest[0] += A;
	sha->digest[1] += B;
	sha->digest[2] += C;
	sha->digest[3] += D;
	sha->digest[4] += E;
}

#endif /* !ASM */

/*
 * SHA is defined in big-endian form, so this converts the buffer from
 * bytes to words, independent of the machine's native endianness.
 *
 * Assuming a consistent byte ordering for the machine, this also
 * has the magic property of being self-inverse.  It is used as
 * such.
 */

static void byteReverse(word32 *buffer, unsigned byteCount)
{
	word32 value;

	byteCount /= sizeof(word32);
	while ( byteCount-- ) {
		value = (word32)((unsigned)((word8 *)buffer)[0] << 8 |
			                   ((word8 *)buffer)[1]) << 16 |
		                ((unsigned)((word8 *)buffer)[2] << 8 |
			                   ((word8 *)buffer)[3]);
		*buffer++ = value;
	}
}

/* Update SHA for a block of data. */

void
shaUpdate(struct SHAContext *sha, word8 const *buffer, unsigned count)
{
	word32 t;

	/* Update bitcount */

#ifdef HAVE64
	t = (word32)sha->count & 0x3f;
	sha->count += count;
#else
	t = sha->countLo;
	if ( ( sha->countLo = t + count ) < t )
		sha->countHi++;	/* Carry from low to high */

	t &= 0x3f;	/* Bytes already in sha->data */
#endif

	/* Handle any leading odd-sized chunks */

	if (t) {
		word8 *p = (word8 *)sha->data + t;

		t = 64-t;
		if (count < t) {
			memcpy(p, buffer, count);
			return;
		}
		memcpy(p, buffer, t);
		byteReverse(sha->data, SHA_BLOCKSIZE);
		shaTransform(sha);
		buffer += t;
		count -= t;
	}

	/* Process data in SHA_BLOCKSIZE chunks */

	while (count >= SHA_BLOCKSIZE) {
		memcpy(sha->data, buffer, SHA_BLOCKSIZE);
		byteReverse(sha->data, SHA_BLOCKSIZE);
		shaTransform(sha);
		buffer += SHA_BLOCKSIZE;
		count -= SHA_BLOCKSIZE;
	}

	/* Handle any remaining bytes of data. */

	memcpy(sha->data, buffer, count);
}

/* Final wrapup - pad to 64-byte boundary with the bit pattern
   1 0* (64-bit count of bits processed, MSB-first) */

void
shaFinal(struct SHAContext *sha, word8 *hash)
{
	int count;
	word8 *p;

	/* Compute number of bytes mod 64 */
#ifdef HAVE64
	count = (int)sha->count & 0x3F;
#else
	count = (int)sha->countLo & 0x3F;
#endif

	/*
	 * Set the first char of padding to 0x80.
	 * This is safe since there is always at least one byte free
	 */
	p = (word8 *)sha->data + count;
	*p++ = 0x80;

	/* Bytes of padding needed to make 64 bytes */
	count = SHA_BLOCKSIZE - 1 - count;

	/* Pad out to 56 mod 64 */
	if (count < 8) {
		/* Two lots of padding:  Pad the first block to 64 bytes */
		memset(p, 0, count);
		byteReverse(sha->data, SHA_BLOCKSIZE);
		shaTransform(sha);

		/* Now fill the next block with 56 bytes */
		memset(sha->data, 0, SHA_BLOCKSIZE-8);
	} else {
		/* Pad block to 56 bytes */
		memset(p, 0, count-8);
	}
	byteReverse(sha->data, SHA_BLOCKSIZE-8);

	/* Append length in *bits* and transform */
#if HAVE64
	sha->data[14] = (word32)(sha->count >> 29);
	sha->data[15] = (word32)sha->count << 3;
#else
	sha->data[14] = sha->countHi << 3 | sha->countLo >> 29;
	sha->data[15] = sha->countLo << 3;
#endif

	shaTransform(sha);

	/* Store output hash in buffer */
	byteReverse(sha->digest, SHA_DIGESTSIZE);
	memcpy(hash, sha->digest, SHA_DIGESTSIZE);
	memset(sha, 0, sizeof(*sha));
}

#if 0
/* ----------------------------- SHA Test code --------------------------- */
#include <stdio.h>
#include <stdlib.h>	/* For exit() */
#include <time.h>

/* Size of buffer for SHA speed test data */

#define TEST_BLOCK_SIZE	( SHA_DIGESTSIZE * 100 )

/* Number of bytes of test data to process */

#define TEST_BYTES	10000000L
#define TEST_BLOCKS	( TEST_BYTES / TEST_BLOCK_SIZE )

#if SHA_VERSION
static char const *shaTestResults[] = {
	"A9993E364706816ABA3E25717850C26C9CD0D89D",
	"84983E441C3BD26EBAAE4AA1F95129E5E54670F1",
	"34AA973CD4C4DAA4F61EEB2BDBAD27316534016F",
	"34AA973CD4C4DAA4F61EEB2BDBAD27316534016F",
	"34AA973CD4C4DAA4F61EEB2BDBAD27316534016F" };
#else
static char const *shaTestResults[] = {
	"0164B8A914CD2A5E74C4F7FF082C4D97F1EDF880",
	"D2516EE1ACFA5BAF33DFC1C471E438449EF134C8",
	"3232AFFA48628A26653B5AAA44541FD90D690603",
	"3232AFFA48628A26653B5AAA44541FD90D690603",
	"3232AFFA48628A26653B5AAA44541FD90D690603" };
#endif

static int
compareSHAresults(word8 *hash, int level)
{
	char buf[41];
	int i;

	for (i = 0; i < SHA_DIGESTSIZE; i++)
		sprintf(buf+2*i, "%02X", hash[i]);

	if (strcmp(buf, shaTestResults[level-1]) == 0) {
		printf("Test %d passed, result = %s\n", level, buf);
		return 0;
	} else {
		printf("Error in SHA implementation: Test %d failed\n", level);
		printf("  Result = %s\n", buf);
		printf("Expected = %s\n", shaTestResults[level-1]);
		return -1;
	}
}


int
main(void)
{
	struct SHAContext sha;
	word8 data[TEST_BLOCK_SIZE];
	word8 hash[SHA_DIGESTSIZE];
	time_t seconds;
	long i;
	word32 t;

	/* Check that LITTLE_ENDIAN is set correctly */
	t = 0x12345678;

#if LITTLE_ENDIAN
    	if (*(word8 *)&t != 0x78) {
	        puts("Error: Define BIG_ENDIAN in SHA.H and recompile");
        	exit(-1);
        }
#elif BIG_ENDIAN
    	if (*(word8 *)&t != 0x12) {
	        puts("Error: Define LITTLE_ENDIAN in SHA.H and recompile");
	        exit(-1);
        }
#endif

	/*
	 * Test output data (these are the only test data given in the
	 * Secure Hash Standard document, but chances are if it works
	 * for this it'll work for anything)
	 */
	shaInit(&sha);
	shaUpdate(&sha, (word8 *)"abc", 3);
	shaFinal(&sha, hash);
	if (compareSHAresults(hash, 1) < 0)
		exit (-1);

	shaInit(&sha);
	shaUpdate(&sha, (word8 *)"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq", 56);
	shaFinal(&sha, hash);
	if (compareSHAresults(hash, 2) < 0)
		exit (-1);

	/* 1,000,000 bytes of ASCII 'a' (0x61), by 64's */
	shaInit(&sha);
	for (i = 0; i < 15625; i++)
		shaUpdate(&sha, (word8 *)"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", 64);
	shaFinal(&sha, hash);
	if (compareSHAresults(hash, 3) < 0)
		exit (-1);

	/* 1,000,000 bytes of ASCII 'a' (0x61), by 25's */
	shaInit(&sha);
	for (i = 0; i < 40000; i++)
		shaUpdate(&sha, (word8 *)"aaaaaaaaaaaaaaaaaaaaaaaaa", 25);
	shaFinal(&sha, hash);
	if (compareSHAresults(hash, 4) < 0)
		exit (-1);

	/* 1,000,000 bytes of ASCII 'a' (0x61), by 125's */
	shaInit(&sha);
	for (i = 0; i < 8000; i++)
		shaUpdate(&sha, (word8 *)"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", 125);
	shaFinal(&sha, hash);
	if (compareSHAresults(hash, 5) < 0)
		exit (-1);

	/* Now perform time trial, generating MD for 10MB of data.  First,
	   initialize the test data */
	memset(data, 0, TEST_BLOCK_SIZE);

	/* Get start time */
	printf("SHA time trial.  Processing %ld characters...\n", TEST_BYTES);
	seconds = time((time_t *)0);

	/* Calculate SHA message digest in TEST_BLOCK_SIZE byte blocks */
	shaInit(&sha);
	for (i = TEST_BLOCKS; i > 0; i--)
		shaUpdate(&sha, data, TEST_BLOCK_SIZE);
	shaFinal(&sha, hash);

	/* Get finish time and print difference */
	seconds = time((time_t *)0) - seconds;
	printf("Seconds to process test input: %ld\n", seconds);
	printf("Characters processed per second: %ld\n", TEST_BYTES / seconds);

	return 0;
}
#endif /* Test driver */