Path: blob/trunk/third_party/closure/goog/crypt/sha2.js
2868 views
// Copyright 2012 The Closure Library Authors. All Rights Reserved.1//2// Licensed under the Apache License, Version 2.0 (the "License");3// you may not use this file except in compliance with the License.4// You may obtain a copy of the License at5//6// http://www.apache.org/licenses/LICENSE-2.07//8// Unless required by applicable law or agreed to in writing, software9// distributed under the License is distributed on an "AS-IS" BASIS,10// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.11// See the License for the specific language governing permissions and12// limitations under the License.1314/**15* @fileoverview Base class for SHA-2 cryptographic hash.16*17* Variable names follow the notation in FIPS PUB 180-3:18* http://csrc.nist.gov/publications/fips/fips180-3/fips180-3_final.pdf.19*20* Some code similar to SHA1 are borrowed from sha1.js written by mschilder@.21*22*/2324goog.provide('goog.crypt.Sha2');2526goog.require('goog.array');27goog.require('goog.asserts');28goog.require('goog.crypt.Hash');29303132/**33* SHA-2 cryptographic hash constructor.34* This constructor should not be used directly to create the object. Rather,35* one should use the constructor of the sub-classes.36* @param {number} numHashBlocks The size of output in 16-byte blocks.37* @param {!Array<number>} initHashBlocks The hash-specific initialization38* @constructor39* @extends {goog.crypt.Hash}40* @struct41*/42goog.crypt.Sha2 = function(numHashBlocks, initHashBlocks) {43goog.crypt.Sha2.base(this, 'constructor');4445this.blockSize = goog.crypt.Sha2.BLOCKSIZE_;4647/**48* A chunk holding the currently processed message bytes. Once the chunk has49* 64 bytes, we feed it into computeChunk_ function and reset this.chunk_.50* @private {!Array<number>|!Uint8Array}51*/52this.chunk_ = goog.global['Uint8Array'] ? new Uint8Array(this.blockSize) :53new Array(this.blockSize);5455/**56* Current number of bytes in this.chunk_.57* @private {number}58*/59this.inChunk_ = 0;6061/**62* Total number of bytes in currently processed message.63* @private {number}64*/65this.total_ = 0;666768/**69* Holds the previous values of accumulated hash a-h in the computeChunk_70* function.71* @private {!Array<number>|!Int32Array}72*/73this.hash_ = [];7475/**76* The number of output hash blocks (each block is 4 bytes long).77* @private {number}78*/79this.numHashBlocks_ = numHashBlocks;8081/**82* @private {!Array<number>} initHashBlocks83*/84this.initHashBlocks_ = initHashBlocks;8586/**87* Temporary array used in chunk computation. Allocate here as a88* member rather than as a local within computeChunk_() as a89* performance optimization to reduce the number of allocations and90* reduce garbage collection.91* @private {!Int32Array|!Array<number>}92*/93this.w_ = goog.global['Int32Array'] ? new Int32Array(64) : new Array(64);9495if (!goog.isDef(goog.crypt.Sha2.Kx_)) {96// This is the first time this constructor has been called.97if (goog.global['Int32Array']) {98// Typed arrays exist99goog.crypt.Sha2.Kx_ = new Int32Array(goog.crypt.Sha2.K_);100} else {101// Typed arrays do not exist102goog.crypt.Sha2.Kx_ = goog.crypt.Sha2.K_;103}104}105106this.reset();107};108goog.inherits(goog.crypt.Sha2, goog.crypt.Hash);109110111/**112* The block size113* @private {number}114*/115goog.crypt.Sha2.BLOCKSIZE_ = 512 / 8;116117118/**119* Contains data needed to pad messages less than BLOCK_SIZE_ bytes.120* @private {!Array<number>}121*/122goog.crypt.Sha2.PADDING_ = goog.array.concat(123128, goog.array.repeat(0, goog.crypt.Sha2.BLOCKSIZE_ - 1));124125126/** @override */127goog.crypt.Sha2.prototype.reset = function() {128this.inChunk_ = 0;129this.total_ = 0;130this.hash_ = goog.global['Int32Array'] ?131new Int32Array(this.initHashBlocks_) :132goog.array.clone(this.initHashBlocks_);133};134135136/**137* Helper function to compute the hashes for a given 512-bit message chunk.138* @private139*/140goog.crypt.Sha2.prototype.computeChunk_ = function() {141var chunk = this.chunk_;142goog.asserts.assert(chunk.length == this.blockSize);143var rounds = 64;144145// Divide the chunk into 16 32-bit-words.146var w = this.w_;147var index = 0;148var offset = 0;149while (offset < chunk.length) {150w[index++] = (chunk[offset] << 24) | (chunk[offset + 1] << 16) |151(chunk[offset + 2] << 8) | (chunk[offset + 3]);152offset = index * 4;153}154155// Extend the w[] array to be the number of rounds.156for (var i = 16; i < rounds; i++) {157var w_15 = w[i - 15] | 0;158var s0 = ((w_15 >>> 7) | (w_15 << 25)) ^ ((w_15 >>> 18) | (w_15 << 14)) ^159(w_15 >>> 3);160var w_2 = w[i - 2] | 0;161var s1 = ((w_2 >>> 17) | (w_2 << 15)) ^ ((w_2 >>> 19) | (w_2 << 13)) ^162(w_2 >>> 10);163164// As a performance optimization, construct the sum a pair at a time165// with casting to integer (bitwise OR) to eliminate unnecessary166// double<->integer conversions.167var partialSum1 = ((w[i - 16] | 0) + s0) | 0;168var partialSum2 = ((w[i - 7] | 0) + s1) | 0;169w[i] = (partialSum1 + partialSum2) | 0;170}171172var a = this.hash_[0] | 0;173var b = this.hash_[1] | 0;174var c = this.hash_[2] | 0;175var d = this.hash_[3] | 0;176var e = this.hash_[4] | 0;177var f = this.hash_[5] | 0;178var g = this.hash_[6] | 0;179var h = this.hash_[7] | 0;180for (var i = 0; i < rounds; i++) {181var S0 = ((a >>> 2) | (a << 30)) ^ ((a >>> 13) | (a << 19)) ^182((a >>> 22) | (a << 10));183var maj = ((a & b) ^ (a & c) ^ (b & c));184var t2 = (S0 + maj) | 0;185var S1 = ((e >>> 6) | (e << 26)) ^ ((e >>> 11) | (e << 21)) ^186((e >>> 25) | (e << 7));187var ch = ((e & f) ^ ((~e) & g));188189// As a performance optimization, construct the sum a pair at a time190// with casting to integer (bitwise OR) to eliminate unnecessary191// double<->integer conversions.192var partialSum1 = (h + S1) | 0;193var partialSum2 = (ch + (goog.crypt.Sha2.Kx_[i] | 0)) | 0;194var partialSum3 = (partialSum2 + (w[i] | 0)) | 0;195var t1 = (partialSum1 + partialSum3) | 0;196197h = g;198g = f;199f = e;200e = (d + t1) | 0;201d = c;202c = b;203b = a;204a = (t1 + t2) | 0;205}206207this.hash_[0] = (this.hash_[0] + a) | 0;208this.hash_[1] = (this.hash_[1] + b) | 0;209this.hash_[2] = (this.hash_[2] + c) | 0;210this.hash_[3] = (this.hash_[3] + d) | 0;211this.hash_[4] = (this.hash_[4] + e) | 0;212this.hash_[5] = (this.hash_[5] + f) | 0;213this.hash_[6] = (this.hash_[6] + g) | 0;214this.hash_[7] = (this.hash_[7] + h) | 0;215};216217218/** @override */219goog.crypt.Sha2.prototype.update = function(message, opt_length) {220if (!goog.isDef(opt_length)) {221opt_length = message.length;222}223// Process the message from left to right up to |opt_length| bytes.224// When we get a 512-bit chunk, compute the hash of it and reset225// this.chunk_. The message might not be multiple of 512 bits so we226// might end up with a chunk that is less than 512 bits. We store227// such partial chunk in this.chunk_ and it will be filled up later228// in digest().229var n = 0;230var inChunk = this.inChunk_;231232// The input message could be either byte array of string.233if (goog.isString(message)) {234while (n < opt_length) {235this.chunk_[inChunk++] = message.charCodeAt(n++);236if (inChunk == this.blockSize) {237this.computeChunk_();238inChunk = 0;239}240}241} else if (goog.isArrayLike(message)) {242while (n < opt_length) {243var b = message[n++];244if (!('number' == typeof b && 0 <= b && 255 >= b && b == (b | 0))) {245throw Error('message must be a byte array');246}247this.chunk_[inChunk++] = b;248if (inChunk == this.blockSize) {249this.computeChunk_();250inChunk = 0;251}252}253} else {254throw Error('message must be string or array');255}256257// Record the current bytes in chunk to support partial update.258this.inChunk_ = inChunk;259260// Record total message bytes we have processed so far.261this.total_ += opt_length;262};263264265/** @override */266goog.crypt.Sha2.prototype.digest = function() {267var digest = [];268var totalBits = this.total_ * 8;269270// Append pad 0x80 0x00*.271if (this.inChunk_ < 56) {272this.update(goog.crypt.Sha2.PADDING_, 56 - this.inChunk_);273} else {274this.update(275goog.crypt.Sha2.PADDING_, this.blockSize - (this.inChunk_ - 56));276}277278// Append # bits in the 64-bit big-endian format.279for (var i = 63; i >= 56; i--) {280this.chunk_[i] = totalBits & 255;281totalBits /= 256; // Don't use bit-shifting here!282}283this.computeChunk_();284285// Finally, output the result digest.286var n = 0;287for (var i = 0; i < this.numHashBlocks_; i++) {288for (var j = 24; j >= 0; j -= 8) {289digest[n++] = ((this.hash_[i] >> j) & 255);290}291}292return digest;293};294295296/**297* Constants used in SHA-2.298* @const299* @private {!Array<number>}300*/301goog.crypt.Sha2.K_ = [3020x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1,3030x923f82a4, 0xab1c5ed5, 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,3040x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174, 0xe49b69c1, 0xefbe4786,3050x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,3060x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147,3070x06ca6351, 0x14292967, 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,3080x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85, 0xa2bfe8a1, 0xa81a664b,3090xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,3100x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a,3110x5b9cca4f, 0x682e6ff3, 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,3120x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2313];314315316/**317* Sha2.K as an Int32Array if this JS supports typed arrays; otherwise,318* the same array as Sha2.K.319*320* The compiler cannot remove an Int32Array, even if it is not needed321* (There are certain cases where creating an Int32Array is not322* side-effect free). Instead, the first time we construct a Sha2323* instance, we convert or assign Sha2.K as appropriate.324* @private {undefined|!Array<number>|!Int32Array}325*/326goog.crypt.Sha2.Kx_;327328329