RFC 4634
US Secure Hash Algorithms (SHA and HMAC-SHA)
7. SHA-Based HMACs
HMAC is a method for computing a keyed MAC (message authentication code) using a hash function as described in [RFC2104]. It uses a key to mix in with the input text to produce the final hash. Sample code is also provided, in Section 8.3 below, to perform HMAC based on any of the SHA algorithms described herein. The sample code found in [RFC2104] was written in terms of a specified text size. Since SHA is defined in terms of an arbitrary number of bits, the sample HMAC code has been written to allow the text input to HMAC to have an arbitrary number of octets and bits. A fixed-length interface is also provided.8. C Code for SHAs
Below is a demonstration implementation of these secure hash functions in C. Section 8.1 contains the header file sha.h, which declares all constants, structures, and functions used by the sha and hmac functions. Section 8.2 contains the C code for sha1.c, sha224-256.c, sha384-512.c, and usha.c along with sha-private.h, which provides some declarations common to all the sha functions. Section 8.3 contains the C code for the hmac functions. Section 8.4 contains a test driver to exercise the code.
For each of the digest length $$$, there is the following set of
constants, a structure, and functions:
Constants:
SHA$$$HashSize number of octets in the hash
SHA$$$HashSizeBits number of bits in the hash
SHA$$$_Message_Block_Size
number of octets used in the intermediate
message blocks
shaSuccess = 0 constant returned by each function on success
shaNull = 1 constant returned by each function when
presented with a null pointer parameter
shaInputTooLong = 2 constant returned by each function when the
input data is too long
shaStateError constant returned by each function when
SHA$$$Input is called after SHA$$$FinalBits or
SHA$$$Result.
Structure:
typedef SHA$$$Context
an opaque structure holding the complete state
for producing the hash
Functions:
int SHA$$$Reset(SHA$$$Context *);
Reset the hash context state
int SHA$$$Input(SHA$$$Context *, const uint8_t *octets,
unsigned int bytecount);
Incorporate bytecount octets into the hash.
int SHA$$$FinalBits(SHA$$$Context *, const uint8_t octet,
unsigned int bitcount);
Incorporate bitcount bits into the hash. The bits are in
the upper portion of the octet. SHA$$$Input() cannot be
called after this.
int SHA$$$Result(SHA$$$Context *,
uint8_t Message_Digest[SHA$$$HashSize]);
Do the final calculations on the hash and copy the value
into Message_Digest.
In addition, functions with the prefix USHA are provided that take a
SHAversion value (SHA$$$) to select the SHA function suite. They add
the following constants, structure, and functions:
Constants:
shaBadParam constant returned by USHA functions when
presented with a bad SHAversion (SHA$$$)
parameter
SHA$$$ SHAversion enumeration values, used by usha
and hmac functions to select the SHA function
suite
Structure:
typedef USHAContext
an opaque structure holding the complete state
for producing the hash
Functions:
int USHAReset(USHAContext *, SHAversion whichSha);
Reset the hash context state.
int USHAInput(USHAContext *,
const uint8_t *bytes, unsigned int bytecount);
Incorporate bytecount octets into the hash.
int USHAFinalBits(USHAContext *,
const uint8_t bits, unsigned int bitcount);
Incorporate bitcount bits into the hash.
int USHAResult(USHAContext *,
uint8_t Message_Digest[USHAMaxHashSize]);
Do the final calculations on the hash and copy the value
into Message_Digest. Octets in Message_Digest beyond
USHAHashSize(whichSha) are left untouched.
int USHAHashSize(enum SHAversion whichSha);
The number of octets in the given hash.
int USHAHashSizeBits(enum SHAversion whichSha);
The number of bits in the given hash.
int USHABlockSize(enum SHAversion whichSha);
The internal block size for the given hash.
The hmac functions follow the same pattern to allow any length of
text input to be used.
Structure:
typedef HMACContext an opaque structure holding the complete state
for producing the hash
Functions:
int hmacReset(HMACContext *ctx, enum SHAversion whichSha,
const unsigned char *key, int key_len);
Reset the hash context state.
int hmacInput(HMACContext *ctx, const unsigned char *text,
int text_len);
Incorporate text_len octets into the hash.
int hmacFinalBits(HMACContext *ctx, const uint8_t bits,
unsigned int bitcount);
Incorporate bitcount bits into the hash.
int hmacResult(HMACContext *ctx,
uint8_t Message_Digest[USHAMaxHashSize]);
Do the final calculations on the hash and copy the value
into Message_Digest. Octets in Message_Digest beyond
USHAHashSize(whichSha) are left untouched.
In addition, a combined interface is provided, similar to that shown
in RFC 2104, that allows a fixed-length text input to be used.
int hmac(SHAversion whichSha,
const unsigned char *text, int text_len,
const unsigned char *key, int key_len,
uint8_t Message_Digest[USHAMaxHashSize]);
Calculate the given digest for the given text and key, and
return the resulting hash. Octets in Message_Digest beyond
USHAHashSize(whichSha) are left untouched.
8.1. The .h File
/**************************** sha.h ****************************/
/******************* See RFC 4634 for details ******************/
#ifndef _SHA_H_
#define _SHA_H_
/*
* Description:
* This file implements the Secure Hash Signature Standard
* algorithms as defined in the National Institute of Standards
* and Technology Federal Information Processing Standards
* Publication (FIPS PUB) 180-1 published on April 17, 1995, 180-2
* published on August 1, 2002, and the FIPS PUB 180-2 Change
* Notice published on February 28, 2004.
*
* A combined document showing all algorithms is available at
* http://csrc.nist.gov/publications/fips/
* fips180-2/fips180-2withchangenotice.pdf
*
* The five hashes are defined in these sizes:
* SHA-1 20 byte / 160 bit
* SHA-224 28 byte / 224 bit
* SHA-256 32 byte / 256 bit
* SHA-384 48 byte / 384 bit
* SHA-512 64 byte / 512 bit
*/
#include <stdint.h>
/*
* If you do not have the ISO standard stdint.h header file, then you
* must typedef the following:
* name meaning
* uint64_t unsigned 64 bit integer
* uint32_t unsigned 32 bit integer
* uint8_t unsigned 8 bit integer (i.e., unsigned char)
* int_least16_t integer of >= 16 bits
*
*/
#ifndef _SHA_enum_
#define _SHA_enum_
/*
* All SHA functions return one of these values.
*/
enum {
shaSuccess = 0,
shaNull, /* Null pointer parameter */
shaInputTooLong, /* input data too long */
shaStateError, /* called Input after FinalBits or Result */
shaBadParam /* passed a bad parameter */
};
#endif /* _SHA_enum_ */
/*
* These constants hold size information for each of the SHA
* hashing operations
*/
enum {
SHA1_Message_Block_Size = 64, SHA224_Message_Block_Size = 64,
SHA256_Message_Block_Size = 64, SHA384_Message_Block_Size = 128,
SHA512_Message_Block_Size = 128,
USHA_Max_Message_Block_Size = SHA512_Message_Block_Size,
SHA1HashSize = 20, SHA224HashSize = 28, SHA256HashSize = 32,
SHA384HashSize = 48, SHA512HashSize = 64,
USHAMaxHashSize = SHA512HashSize,
SHA1HashSizeBits = 160, SHA224HashSizeBits = 224,
SHA256HashSizeBits = 256, SHA384HashSizeBits = 384,
SHA512HashSizeBits = 512, USHAMaxHashSizeBits = SHA512HashSizeBits
};
/*
* These constants are used in the USHA (unified sha) functions.
*/
typedef enum SHAversion {
SHA1, SHA224, SHA256, SHA384, SHA512
} SHAversion;
/*
* This structure will hold context information for the SHA-1
* hashing operation.
*/
typedef struct SHA1Context {
uint32_t Intermediate_Hash[SHA1HashSize/4]; /* Message Digest */
uint32_t Length_Low; /* Message length in bits */
uint32_t Length_High; /* Message length in bits */
int_least16_t Message_Block_Index; /* Message_Block array index */
/* 512-bit message blocks */
uint8_t Message_Block[SHA1_Message_Block_Size];
int Computed; /* Is the digest computed? */
int Corrupted; /* Is the digest corrupted? */
} SHA1Context;
/*
* This structure will hold context information for the SHA-256
* hashing operation.
*/
typedef struct SHA256Context {
uint32_t Intermediate_Hash[SHA256HashSize/4]; /* Message Digest */
uint32_t Length_Low; /* Message length in bits */
uint32_t Length_High; /* Message length in bits */
int_least16_t Message_Block_Index; /* Message_Block array index */
/* 512-bit message blocks */
uint8_t Message_Block[SHA256_Message_Block_Size];
int Computed; /* Is the digest computed? */
int Corrupted; /* Is the digest corrupted? */
} SHA256Context;
/*
* This structure will hold context information for the SHA-512
* hashing operation.
*/
typedef struct SHA512Context {
#ifdef USE_32BIT_ONLY
uint32_t Intermediate_Hash[SHA512HashSize/4]; /* Message Digest */
uint32_t Length[4]; /* Message length in bits */
#else /* !USE_32BIT_ONLY */
uint64_t Intermediate_Hash[SHA512HashSize/8]; /* Message Digest */
uint64_t Length_Low, Length_High; /* Message length in bits */
#endif /* USE_32BIT_ONLY */
int_least16_t Message_Block_Index; /* Message_Block array index */
/* 1024-bit message blocks */
uint8_t Message_Block[SHA512_Message_Block_Size];
int Computed; /* Is the digest computed?*/
int Corrupted; /* Is the digest corrupted? */
} SHA512Context;
/*
* This structure will hold context information for the SHA-224
* hashing operation. It uses the SHA-256 structure for computation.
*/
typedef struct SHA256Context SHA224Context;
/*
* This structure will hold context information for the SHA-384
* hashing operation. It uses the SHA-512 structure for computation.
*/
typedef struct SHA512Context SHA384Context;
/*
* This structure holds context information for all SHA
* hashing operations.
*/
typedef struct USHAContext {
int whichSha; /* which SHA is being used */
union {
SHA1Context sha1Context;
SHA224Context sha224Context; SHA256Context sha256Context;
SHA384Context sha384Context; SHA512Context sha512Context;
} ctx;
} USHAContext;
/*
* This structure will hold context information for the HMAC
* keyed hashing operation.
*/
typedef struct HMACContext {
int whichSha; /* which SHA is being used */
int hashSize; /* hash size of SHA being used */
int blockSize; /* block size of SHA being used */
USHAContext shaContext; /* SHA context */
unsigned char k_opad[USHA_Max_Message_Block_Size];
/* outer padding - key XORd with opad */
} HMACContext;
/*
* Function Prototypes
*/
/* SHA-1 */
extern int SHA1Reset(SHA1Context *);
extern int SHA1Input(SHA1Context *, const uint8_t *bytes,
unsigned int bytecount);
extern int SHA1FinalBits(SHA1Context *, const uint8_t bits,
unsigned int bitcount);
extern int SHA1Result(SHA1Context *,
uint8_t Message_Digest[SHA1HashSize]);
/* SHA-224 */
extern int SHA224Reset(SHA224Context *);
extern int SHA224Input(SHA224Context *, const uint8_t *bytes,
unsigned int bytecount);
extern int SHA224FinalBits(SHA224Context *, const uint8_t bits,
unsigned int bitcount);
extern int SHA224Result(SHA224Context *,
uint8_t Message_Digest[SHA224HashSize]);
/* SHA-256 */
extern int SHA256Reset(SHA256Context *);
extern int SHA256Input(SHA256Context *, const uint8_t *bytes,
unsigned int bytecount);
extern int SHA256FinalBits(SHA256Context *, const uint8_t bits,
unsigned int bitcount);
extern int SHA256Result(SHA256Context *,
uint8_t Message_Digest[SHA256HashSize]);
/* SHA-384 */
extern int SHA384Reset(SHA384Context *);
extern int SHA384Input(SHA384Context *, const uint8_t *bytes,
unsigned int bytecount);
extern int SHA384FinalBits(SHA384Context *, const uint8_t bits,
unsigned int bitcount);
extern int SHA384Result(SHA384Context *,
uint8_t Message_Digest[SHA384HashSize]);
/* SHA-512 */
extern int SHA512Reset(SHA512Context *);
extern int SHA512Input(SHA512Context *, const uint8_t *bytes,
unsigned int bytecount);
extern int SHA512FinalBits(SHA512Context *, const uint8_t bits,
unsigned int bitcount);
extern int SHA512Result(SHA512Context *,
uint8_t Message_Digest[SHA512HashSize]);
/* Unified SHA functions, chosen by whichSha */
extern int USHAReset(USHAContext *, SHAversion whichSha);
extern int USHAInput(USHAContext *,
const uint8_t *bytes, unsigned int bytecount);
extern int USHAFinalBits(USHAContext *,
const uint8_t bits, unsigned int bitcount);
extern int USHAResult(USHAContext *,
uint8_t Message_Digest[USHAMaxHashSize]);
extern int USHABlockSize(enum SHAversion whichSha);
extern int USHAHashSize(enum SHAversion whichSha);
extern int USHAHashSizeBits(enum SHAversion whichSha);
/*
* HMAC Keyed-Hashing for Message Authentication, RFC2104,
* for all SHAs.
* This interface allows a fixed-length text input to be used.
*/
extern int hmac(SHAversion whichSha, /* which SHA algorithm to use */
const unsigned char *text, /* pointer to data stream */
int text_len, /* length of data stream */
const unsigned char *key, /* pointer to authentication key */
int key_len, /* length of authentication key */
uint8_t digest[USHAMaxHashSize]); /* caller digest to fill in */
/*
* HMAC Keyed-Hashing for Message Authentication, RFC2104,
* for all SHAs.
* This interface allows any length of text input to be used.
*/
extern int hmacReset(HMACContext *ctx, enum SHAversion whichSha,
const unsigned char *key, int key_len);
extern int hmacInput(HMACContext *ctx, const unsigned char *text,
int text_len);
extern int hmacFinalBits(HMACContext *ctx, const uint8_t bits,
unsigned int bitcount);
extern int hmacResult(HMACContext *ctx,
uint8_t digest[USHAMaxHashSize]);
#endif /* _SHA_H_ */
8.2. The SHA Code
This code is primarily intended as expository and could be optimized further. For example, the assignment rotations through the variables a, b, ..., h could be treated as a cycle and the loop unrolled, rather than doing the explicit copying. Note that there are alternative representations of the Ch() and Maj() functions controlled by an ifdef.8.2.1. sha1.c
/**************************** sha1.c ****************************/ /******************** See RFC 4634 for details ******************/ /* * Description: * This file implements the Secure Hash Signature Standard * algorithms as defined in the National Institute of Standards * and Technology Federal Information Processing Standards * Publication (FIPS PUB) 180-1 published on April 17, 1995, 180-2 * published on August 1, 2002, and the FIPS PUB 180-2 Change * Notice published on February 28, 2004. * * A combined document showing all algorithms is available at * http://csrc.nist.gov/publications/fips/ * fips180-2/fips180-2withchangenotice.pdf * * The SHA-1 algorithm produces a 160-bit message digest for a * given data stream. It should take about 2**n steps to find a * message with the same digest as a given message and * 2**(n/2) to find any two messages with the same digest, * when n is the digest size in bits. Therefore, this * algorithm can serve as a means of providing a * "fingerprint" for a message. * * Portability Issues: * SHA-1 is defined in terms of 32-bit "words". This code * uses <stdint.h> (included via "sha.h") to define 32 and 8 * bit unsigned integer types. If your C compiler does not * support 32 bit unsigned integers, this code is not * appropriate. * * Caveats: * SHA-1 is designed to work with messages less than 2^64 bits * long. This implementation uses SHA1Input() to hash the bits * that are a multiple of the size of an 8-bit character, and then * uses SHA1FinalBits() to hash the final few bits of the input. */
#include "sha.h"
#include "sha-private.h"
/*
* Define the SHA1 circular left shift macro
*/
#define SHA1_ROTL(bits,word) \
(((word) << (bits)) | ((word) >> (32-(bits))))
/*
* add "length" to the length
*/
static uint32_t addTemp;
#define SHA1AddLength(context, length) \
(addTemp = (context)->Length_Low, \
(context)->Corrupted = \
(((context)->Length_Low += (length)) < addTemp) && \
(++(context)->Length_High == 0) ? 1 : 0)
/* Local Function Prototypes */
static void SHA1Finalize(SHA1Context *context, uint8_t Pad_Byte);
static void SHA1PadMessage(SHA1Context *, uint8_t Pad_Byte);
static void SHA1ProcessMessageBlock(SHA1Context *);
/*
* SHA1Reset
*
* Description:
* This function will initialize the SHA1Context in preparation
* for computing a new SHA1 message digest.
*
* Parameters:
* context: [in/out]
* The context to reset.
*
* Returns:
* sha Error Code.
*
*/
int SHA1Reset(SHA1Context *context)
{
if (!context)
return shaNull;
context->Length_Low = 0;
context->Length_High = 0;
context->Message_Block_Index = 0;
/* Initial Hash Values: FIPS-180-2 section 5.3.1 */
context->Intermediate_Hash[0] = 0x67452301;
context->Intermediate_Hash[1] = 0xEFCDAB89;
context->Intermediate_Hash[2] = 0x98BADCFE;
context->Intermediate_Hash[3] = 0x10325476;
context->Intermediate_Hash[4] = 0xC3D2E1F0;
context->Computed = 0;
context->Corrupted = 0;
return shaSuccess;
}
/*
* SHA1Input
*
* Description:
* This function accepts an array of octets as the next portion
* of the message.
*
* Parameters:
* context: [in/out]
* The SHA context to update
* message_array: [in]
* An array of characters representing the next portion of
* the message.
* length: [in]
* The length of the message in message_array
*
* Returns:
* sha Error Code.
*
*/
int SHA1Input(SHA1Context *context,
const uint8_t *message_array, unsigned length)
{
if (!length)
return shaSuccess;
if (!context || !message_array)
return shaNull;
if (context->Computed) {
context->Corrupted = shaStateError;
return shaStateError;
}
if (context->Corrupted)
return context->Corrupted;
while (length-- && !context->Corrupted) {
context->Message_Block[context->Message_Block_Index++] =
(*message_array & 0xFF);
if (!SHA1AddLength(context, 8) &&
(context->Message_Block_Index == SHA1_Message_Block_Size))
SHA1ProcessMessageBlock(context);
message_array++;
}
return shaSuccess;
}
/*
* SHA1FinalBits
*
* Description:
* This function will add in any final bits of the message.
*
* Parameters:
* context: [in/out]
* The SHA context to update
* message_bits: [in]
* The final bits of the message, in the upper portion of the
* byte. (Use 0b###00000 instead of 0b00000### to input the
* three bits ###.)
* length: [in]
* The number of bits in message_bits, between 1 and 7.
*
* Returns:
* sha Error Code.
*/
int SHA1FinalBits(SHA1Context *context, const uint8_t message_bits,
unsigned int length)
{
uint8_t masks[8] = {
/* 0 0b00000000 */ 0x00, /* 1 0b10000000 */ 0x80,
/* 2 0b11000000 */ 0xC0, /* 3 0b11100000 */ 0xE0,
/* 4 0b11110000 */ 0xF0, /* 5 0b11111000 */ 0xF8,
/* 6 0b11111100 */ 0xFC, /* 7 0b11111110 */ 0xFE
};
uint8_t markbit[8] = {
/* 0 0b10000000 */ 0x80, /* 1 0b01000000 */ 0x40,
/* 2 0b00100000 */ 0x20, /* 3 0b00010000 */ 0x10,
/* 4 0b00001000 */ 0x08, /* 5 0b00000100 */ 0x04,
/* 6 0b00000010 */ 0x02, /* 7 0b00000001 */ 0x01
};
if (!length)
return shaSuccess;
if (!context)
return shaNull;
if (context->Computed || (length >= 8) || (length == 0)) {
context->Corrupted = shaStateError;
return shaStateError;
}
if (context->Corrupted)
return context->Corrupted;
SHA1AddLength(context, length);
SHA1Finalize(context,
(uint8_t) ((message_bits & masks[length]) | markbit[length]));
return shaSuccess;
}
/*
* SHA1Result
*
* Description:
* This function will return the 160-bit message digest into the
* Message_Digest array provided by the caller.
* NOTE: The first octet of hash is stored in the 0th element,
* the last octet of hash in the 19th element.
*
* Parameters:
* context: [in/out]
* The context to use to calculate the SHA-1 hash.
* Message_Digest: [out]
* Where the digest is returned.
*
* Returns:
* sha Error Code.
*
*/
int SHA1Result(SHA1Context *context,
uint8_t Message_Digest[SHA1HashSize])
{
int i;
if (!context || !Message_Digest)
return shaNull;
if (context->Corrupted)
return context->Corrupted;
if (!context->Computed)
SHA1Finalize(context, 0x80);
for (i = 0; i < SHA1HashSize; ++i)
Message_Digest[i] = (uint8_t) (context->Intermediate_Hash[i>>2]
>> 8 * ( 3 - ( i & 0x03 ) ));
return shaSuccess;
}
/*
* SHA1Finalize
*
* Description:
* This helper function finishes off the digest calculations.
*
* Parameters:
* context: [in/out]
* The SHA context to update
* Pad_Byte: [in]
* The last byte to add to the digest before the 0-padding
* and length. This will contain the last bits of the message
* followed by another single bit. If the message was an
* exact multiple of 8-bits long, Pad_Byte will be 0x80.
*
* Returns:
* sha Error Code.
*
*/
static void SHA1Finalize(SHA1Context *context, uint8_t Pad_Byte)
{
int i;
SHA1PadMessage(context, Pad_Byte);
/* message may be sensitive, clear it out */
for (i = 0; i < SHA1_Message_Block_Size; ++i)
context->Message_Block[i] = 0;
context->Length_Low = 0; /* and clear length */
context->Length_High = 0;
context->Computed = 1;
}
/*
* SHA1PadMessage
*
* Description:
* According to the standard, the message must be padded to an
* even 512 bits. The first padding bit must be a '1'. The last
* 64 bits represent the length of the original message. All bits
* in between should be 0. This helper function will pad the
* message according to those rules by filling the Message_Block
* array accordingly. When it returns, it can be assumed that the
* message digest has been computed.
*
* Parameters:
* context: [in/out]
* The context to pad
* Pad_Byte: [in]
* The last byte to add to the digest before the 0-padding
* and length. This will contain the last bits of the message
* followed by another single bit. If the message was an
* exact multiple of 8-bits long, Pad_Byte will be 0x80.
*
* Returns:
* Nothing.
*/
static void SHA1PadMessage(SHA1Context *context, uint8_t Pad_Byte)
{
/*
* Check to see if the current message block is too small to hold
* the initial padding bits and length. If so, we will pad the
* block, process it, and then continue padding into a second
* block.
*/
if (context->Message_Block_Index >= (SHA1_Message_Block_Size - 8)) {
context->Message_Block[context->Message_Block_Index++] = Pad_Byte;
while (context->Message_Block_Index < SHA1_Message_Block_Size)
context->Message_Block[context->Message_Block_Index++] = 0;
SHA1ProcessMessageBlock(context);
} else
context->Message_Block[context->Message_Block_Index++] = Pad_Byte;
while (context->Message_Block_Index < (SHA1_Message_Block_Size - 8))
context->Message_Block[context->Message_Block_Index++] = 0;
/*
* Store the message length as the last 8 octets
*/
context->Message_Block[56] = (uint8_t) (context->Length_High >> 24);
context->Message_Block[57] = (uint8_t) (context->Length_High >> 16);
context->Message_Block[58] = (uint8_t) (context->Length_High >> 8);
context->Message_Block[59] = (uint8_t) (context->Length_High);
context->Message_Block[60] = (uint8_t) (context->Length_Low >> 24);
context->Message_Block[61] = (uint8_t) (context->Length_Low >> 16);
context->Message_Block[62] = (uint8_t) (context->Length_Low >> 8);
context->Message_Block[63] = (uint8_t) (context->Length_Low);
SHA1ProcessMessageBlock(context);
}
/*
* SHA1ProcessMessageBlock
*
* Description:
* This helper function will process the next 512 bits of the
* message stored in the Message_Block array.
*
* Parameters:
* None.
*
* Returns:
* Nothing.
*
* Comments:
* Many of the variable names in this code, especially the
* single character names, were used because those were the
* names used in the publication.
*/
static void SHA1ProcessMessageBlock(SHA1Context *context)
{
/* Constants defined in FIPS-180-2, section 4.2.1 */
const uint32_t K[4] = {
0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6
};
int t; /* Loop counter */
uint32_t temp; /* Temporary word value */
uint32_t W[80]; /* Word sequence */
uint32_t A, B, C, D, E; /* Word buffers */
/*
* Initialize the first 16 words in the array W
*/
for (t = 0; t < 16; t++) {
W[t] = ((uint32_t)context->Message_Block[t * 4]) << 24;
W[t] |= ((uint32_t)context->Message_Block[t * 4 + 1]) << 16;
W[t] |= ((uint32_t)context->Message_Block[t * 4 + 2]) << 8;
W[t] |= ((uint32_t)context->Message_Block[t * 4 + 3]);
}
for (t = 16; t < 80; t++)
W[t] = SHA1_ROTL(1, W[t-3] ^ W[t-8] ^ W[t-14] ^ W[t-16]);
A = context->Intermediate_Hash[0];
B = context->Intermediate_Hash[1];
C = context->Intermediate_Hash[2];
D = context->Intermediate_Hash[3];
E = context->Intermediate_Hash[4];
for (t = 0; t < 20; t++) {
temp = SHA1_ROTL(5,A) + SHA_Ch(B, C, D) + E + W[t] + K[0];
E = D;
D = C;
C = SHA1_ROTL(30,B);
B = A;
A = temp;
}
for (t = 20; t < 40; t++) {
temp = SHA1_ROTL(5,A) + SHA_Parity(B, C, D) + E + W[t] + K[1];
E = D;
D = C;
C = SHA1_ROTL(30,B);
B = A;
A = temp;
}
for (t = 40; t < 60; t++) {
temp = SHA1_ROTL(5,A) + SHA_Maj(B, C, D) + E + W[t] + K[2];
E = D;
D = C;
C = SHA1_ROTL(30,B);
B = A;
A = temp;
}
for (t = 60; t < 80; t++) {
temp = SHA1_ROTL(5,A) + SHA_Parity(B, C, D) + E + W[t] + K[3];
E = D;
D = C;
C = SHA1_ROTL(30,B);
B = A;
A = temp;
}
context->Intermediate_Hash[0] += A;
context->Intermediate_Hash[1] += B;
context->Intermediate_Hash[2] += C;
context->Intermediate_Hash[3] += D; context->Intermediate_Hash[4] += E; context->Message_Block_Index = 0; }
(page 33 continued on part 3)
