Home Explore Help
Register Sign In
Shiqi
/
ImageProcess
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 2be75c9f01
Branches Tags
ImageProcess
/
node_modules
/
node-forge
/
lib
/
sha512.js

sha512.js 17 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561 
  1. /**
    2. 

  2.  * Secure Hash Algorithm with a 1024-bit block size implementation.
    3. 

  3.  *
    4. 

  4.  * This includes: SHA-512, SHA-384, SHA-512/224, and SHA-512/256. For
    5. 

  5.  * SHA-256 (block size 512 bits), see sha256.js.
    6. 

  6.  *
    7. 

  7.  * See FIPS 180-4 for details.
    8. 

  8.  *
    9. 

  9.  * @author Dave Longley
    10. 

  10.  *
    11. 

  11.  * Copyright (c) 2014-2015 Digital Bazaar, Inc.
    12. 

  12.  */
    13. 

  13. var forge = require('./forge');
    14. 

  14. require('./md');
    15. 

  15. require('./util');
    16. 

  16. 

  17. var sha512 = module.exports = forge.sha512 = forge.sha512 || {};
    18. 

  18. 

  19. // SHA-512
    20. 

  20. forge.md.sha512 = forge.md.algorithms.sha512 = sha512;
    21. 

  21. 

  22. // SHA-384
    23. 

  23. var sha384 = forge.sha384 = forge.sha512.sha384 = forge.sha512.sha384 || {};
    24. 

  24. sha384.create = function() {
    25. 

  25.   return sha512.create('SHA-384');
    26. 

  26. };
    27. 

  27. forge.md.sha384 = forge.md.algorithms.sha384 = sha384;
    28. 

  28. 

  29. // SHA-512/256
    30. 

  30. forge.sha512.sha256 = forge.sha512.sha256 || {
    31. 

  31.   create: function() {
    32. 

  32.     return sha512.create('SHA-512/256');
    33. 

  33.   }
    34. 

  34. };
    35. 

  35. forge.md['sha512/256'] = forge.md.algorithms['sha512/256'] =
    36. 

  36.   forge.sha512.sha256;
    37. 

  37. 

  38. // SHA-512/224
    39. 

  39. forge.sha512.sha224 = forge.sha512.sha224 || {
    40. 

  40.   create: function() {
    41. 

  41.     return sha512.create('SHA-512/224');
    42. 

  42.   }
    43. 

  43. };
    44. 

  44. forge.md['sha512/224'] = forge.md.algorithms['sha512/224'] =
    45. 

  45.   forge.sha512.sha224;
    46. 

  46. 

  47. /**
    48. 

  48.  * Creates a SHA-2 message digest object.
    49. 

  49.  *
    50. 

  50.  * @param algorithm the algorithm to use (SHA-512, SHA-384, SHA-512/224,
    51. 

  51.  *          SHA-512/256).
    52. 

  52.  *
    53. 

  53.  * @return a message digest object.
    54. 

  54.  */
    55. 

  55. sha512.create = function(algorithm) {
    56. 

  56.   // do initialization as necessary
    57. 

  57.   if(!_initialized) {
    58. 

  58.     _init();
    59. 

  59.   }
    60. 

  60. 

  61.   if(typeof algorithm === 'undefined') {
    62. 

  62.     algorithm = 'SHA-512';
    63. 

  63.   }
    64. 

  64. 

  65.   if(!(algorithm in _states)) {
    66. 

  66.     throw new Error('Invalid SHA-512 algorithm: ' + algorithm);
    67. 

  67.   }
    68. 

  68. 

  69.   // SHA-512 state contains eight 64-bit integers (each as two 32-bit ints)
    70. 

  70.   var _state = _states[algorithm];
    71. 

  71.   var _h = null;
    72. 

  72. 

  73.   // input buffer
    74. 

  74.   var _input = forge.util.createBuffer();
    75. 

  75. 

  76.   // used for 64-bit word storage
    77. 

  77.   var _w = new Array(80);
    78. 

  78.   for(var wi = 0; wi < 80; ++wi) {
    79. 

  79.     _w[wi] = new Array(2);
    80. 

  80.   }
    81. 

  81. 

  82.   // determine digest length by algorithm name (default)
    83. 

  83.   var digestLength = 64;
    84. 

  84.   switch(algorithm) {
    85. 

  85.     case 'SHA-384':
    86. 

  86.       digestLength = 48;
    87. 

  87.       break;
    88. 

  88.     case 'SHA-512/256':
    89. 

  89.       digestLength = 32;
    90. 

  90.       break;
    91. 

  91.     case 'SHA-512/224':
    92. 

  92.       digestLength = 28;
    93. 

  93.       break;
    94. 

  94.   }
    95. 

  95. 

  96.   // message digest object
    97. 

  97.   var md = {
    98. 

  98.     // SHA-512 => sha512
    99. 

  99.     algorithm: algorithm.replace('-', '').toLowerCase(),
    100. 

  100.     blockLength: 128,
    101. 

  101.     digestLength: digestLength,
    102. 

  102.     // 56-bit length of message so far (does not including padding)
    103. 

  103.     messageLength: 0,
    104. 

  104.     // true message length
    105. 

  105.     fullMessageLength: null,
    106. 

  106.     // size of message length in bytes
    107. 

  107.     messageLengthSize: 16
    108. 

  108.   };
    109. 

  109. 

  110.   /**
    111. 

  111.    * Starts the digest.
    112. 

  112.    *
    113. 

  113.    * @return this digest object.
    114. 

  114.    */
    115. 

  115.   md.start = function() {
    116. 

  116.     // up to 56-bit message length for convenience
    117. 

  117.     md.messageLength = 0;
    118. 

  118. 

  119.     // full message length (set md.messageLength128 for backwards-compatibility)
    120. 

  120.     md.fullMessageLength = md.messageLength128 = [];
    121. 

  121.     var int32s = md.messageLengthSize / 4;
    122. 

  122.     for(var i = 0; i < int32s; ++i) {
    123. 

  123.       md.fullMessageLength.push(0);
    124. 

  124.     }
    125. 

  125.     _input = forge.util.createBuffer();
    126. 

  126.     _h = new Array(_state.length);
    127. 

  127.     for(var i = 0; i < _state.length; ++i) {
    128. 

  128.       _h[i] = _state[i].slice(0);
    129. 

  129.     }
    130. 

  130.     return md;
    131. 

  131.   };
    132. 

  132.   // start digest automatically for first time
    133. 

  133.   md.start();
    134. 

  134. 

  135.   /**
    136. 

  136.    * Updates the digest with the given message input. The given input can
    137. 

  137.    * treated as raw input (no encoding will be applied) or an encoding of
    138. 

  138.    * 'utf8' maybe given to encode the input using UTF-8.
    139. 

  139.    *
    140. 

  140.    * @param msg the message input to update with.
    141. 

  141.    * @param encoding the encoding to use (default: 'raw', other: 'utf8').
    142. 

  142.    *
    143. 

  143.    * @return this digest object.
    144. 

  144.    */
    145. 

  145.   md.update = function(msg, encoding) {
    146. 

  146.     if(encoding === 'utf8') {
    147. 

  147.       msg = forge.util.encodeUtf8(msg);
    148. 

  148.     }
    149. 

  149. 

  150.     // update message length
    151. 

  151.     var len = msg.length;
    152. 

  152.     md.messageLength += len;
    153. 

  153.     len = [(len / 0x100000000) >>> 0, len >>> 0];
    154. 

  154.     for(var i = md.fullMessageLength.length - 1; i >= 0; --i) {
    155. 

  155.       md.fullMessageLength[i] += len[1];
    156. 

  156.       len[1] = len[0] + ((md.fullMessageLength[i] / 0x100000000) >>> 0);
    157. 

  157.       md.fullMessageLength[i] = md.fullMessageLength[i] >>> 0;
    158. 

  158.       len[0] = ((len[1] / 0x100000000) >>> 0);
    159. 

  159.     }
    160. 

  160. 

  161.     // add bytes to input buffer
    162. 

  162.     _input.putBytes(msg);
    163. 

  163. 

  164.     // process bytes
    165. 

  165.     _update(_h, _w, _input);
    166. 

  166. 

  167.     // compact input buffer every 2K or if empty
    168. 

  168.     if(_input.read > 2048 || _input.length() === 0) {
    169. 

  169.       _input.compact();
    170. 

  170.     }
    171. 

  171. 

  172.     return md;
    173. 

  173.   };
    174. 

  174. 

  175.   /**
    176. 

  176.    * Produces the digest.
    177. 

  177.    *
    178. 

  178.    * @return a byte buffer containing the digest value.
    179. 

  179.    */
    180. 

  180.   md.digest = function() {
    181. 

  181.     /* Note: Here we copy the remaining bytes in the input buffer and
    182. 

  182.     add the appropriate SHA-512 padding. Then we do the final update
    183. 

  183.     on a copy of the state so that if the user wants to get
    184. 

  184.     intermediate digests they can do so. */
    185. 

  185. 

  186.     /* Determine the number of bytes that must be added to the message
    187. 

  187.     to ensure its length is congruent to 896 mod 1024. In other words,
    188. 

  188.     the data to be digested must be a multiple of 1024 bits (or 128 bytes).
    189. 

  189.     This data includes the message, some padding, and the length of the
    190. 

  190.     message. Since the length of the message will be encoded as 16 bytes (128
    191. 

  191.     bits), that means that the last segment of the data must have 112 bytes
    192. 

  192.     (896 bits) of message and padding. Therefore, the length of the message
    193. 

  193.     plus the padding must be congruent to 896 mod 1024 because
    194. 

  194.     1024 - 128 = 896.
    195. 

  195. 

  196.     In order to fill up the message length it must be filled with
    197. 

  197.     padding that begins with 1 bit followed by all 0 bits. Padding
    198. 

  198.     must *always* be present, so if the message length is already
    199. 

  199.     congruent to 896 mod 1024, then 1024 padding bits must be added. */
    200. 

  200. 

  201.     var finalBlock = forge.util.createBuffer();
    202. 

  202.     finalBlock.putBytes(_input.bytes());
    203. 

  203. 

  204.     // compute remaining size to be digested (include message length size)
    205. 

  205.     var remaining = (
    206. 

  206.       md.fullMessageLength[md.fullMessageLength.length - 1] +
    207. 

  207.       md.messageLengthSize);
    208. 

  208. 

  209.     // add padding for overflow blockSize - overflow
    210. 

  210.     // _padding starts with 1 byte with first bit is set (byte value 128), then
    211. 

  211.     // there may be up to (blockSize - 1) other pad bytes
    212. 

  212.     var overflow = remaining & (md.blockLength - 1);
    213. 

  213.     finalBlock.putBytes(_padding.substr(0, md.blockLength - overflow));
    214. 

  214. 

  215.     // serialize message length in bits in big-endian order; since length
    216. 

  216.     // is stored in bytes we multiply by 8 and add carry from next int
    217. 

  217.     var next, carry;
    218. 

  218.     var bits = md.fullMessageLength[0] * 8;
    219. 

  219.     for(var i = 0; i < md.fullMessageLength.length - 1; ++i) {
    220. 

  220.       next = md.fullMessageLength[i + 1] * 8;
    221. 

  221.       carry = (next / 0x100000000) >>> 0;
    222. 

  222.       bits += carry;
    223. 

  223.       finalBlock.putInt32(bits >>> 0);
    224. 

  224.       bits = next >>> 0;
    225. 

  225.     }
    226. 

  226.     finalBlock.putInt32(bits);
    227. 

  227. 

  228.     var h = new Array(_h.length);
    229. 

  229.     for(var i = 0; i < _h.length; ++i) {
    230. 

  230.       h[i] = _h[i].slice(0);
    231. 

  231.     }
    232. 

  232.     _update(h, _w, finalBlock);
    233. 

  233.     var rval = forge.util.createBuffer();
    234. 

  234.     var hlen;
    235. 

  235.     if(algorithm === 'SHA-512') {
    236. 

  236.       hlen = h.length;
    237. 

  237.     } else if(algorithm === 'SHA-384') {
    238. 

  238.       hlen = h.length - 2;
    239. 

  239.     } else {
    240. 

  240.       hlen = h.length - 4;
    241. 

  241.     }
    242. 

  242.     for(var i = 0; i < hlen; ++i) {
    243. 

  243.       rval.putInt32(h[i][0]);
    244. 

  244.       if(i !== hlen - 1 || algorithm !== 'SHA-512/224') {
    245. 

  245.         rval.putInt32(h[i][1]);
    246. 

  246.       }
    247. 

  247.     }
    248. 

  248.     return rval;
    249. 

  249.   };
    250. 

  250. 

  251.   return md;
    252. 

  252. };
    253. 

  253. 

  254. // sha-512 padding bytes not initialized yet
    255. 

  255. var _padding = null;
    256. 

  256. var _initialized = false;
    257. 

  257. 

  258. // table of constants
    259. 

  259. var _k = null;
    260. 

  260. 

  261. // initial hash states
    262. 

  262. var _states = null;
    263. 

  263. 

  264. /**
    265. 

  265.  * Initializes the constant tables.
    266. 

  266.  */
    267. 

  267. function _init() {
    268. 

  268.   // create padding
    269. 

  269.   _padding = String.fromCharCode(128);
    270. 

  270.   _padding += forge.util.fillString(String.fromCharCode(0x00), 128);
    271. 

  271. 

  272.   // create K table for SHA-512
    273. 

  273.   _k = [
    274. 

  274.     [0x428a2f98, 0xd728ae22], [0x71374491, 0x23ef65cd],
    275. 

  275.     [0xb5c0fbcf, 0xec4d3b2f], [0xe9b5dba5, 0x8189dbbc],
    276. 

  276.     [0x3956c25b, 0xf348b538], [0x59f111f1, 0xb605d019],
    277. 

  277.     [0x923f82a4, 0xaf194f9b], [0xab1c5ed5, 0xda6d8118],
    278. 

  278.     [0xd807aa98, 0xa3030242], [0x12835b01, 0x45706fbe],
    279. 

  279.     [0x243185be, 0x4ee4b28c], [0x550c7dc3, 0xd5ffb4e2],
    280. 

  280.     [0x72be5d74, 0xf27b896f], [0x80deb1fe, 0x3b1696b1],
    281. 

  281.     [0x9bdc06a7, 0x25c71235], [0xc19bf174, 0xcf692694],
    282. 

  282.     [0xe49b69c1, 0x9ef14ad2], [0xefbe4786, 0x384f25e3],
    283. 

  283.     [0x0fc19dc6, 0x8b8cd5b5], [0x240ca1cc, 0x77ac9c65],
    284. 

  284.     [0x2de92c6f, 0x592b0275], [0x4a7484aa, 0x6ea6e483],
    285. 

  285.     [0x5cb0a9dc, 0xbd41fbd4], [0x76f988da, 0x831153b5],
    286. 

  286.     [0x983e5152, 0xee66dfab], [0xa831c66d, 0x2db43210],
    287. 

  287.     [0xb00327c8, 0x98fb213f], [0xbf597fc7, 0xbeef0ee4],
    288. 

  288.     [0xc6e00bf3, 0x3da88fc2], [0xd5a79147, 0x930aa725],
    289. 

  289.     [0x06ca6351, 0xe003826f], [0x14292967, 0x0a0e6e70],
    290. 

  290.     [0x27b70a85, 0x46d22ffc], [0x2e1b2138, 0x5c26c926],
    291. 

  291.     [0x4d2c6dfc, 0x5ac42aed], [0x53380d13, 0x9d95b3df],
    292. 

  292.     [0x650a7354, 0x8baf63de], [0x766a0abb, 0x3c77b2a8],
    293. 

  293.     [0x81c2c92e, 0x47edaee6], [0x92722c85, 0x1482353b],
    294. 

  294.     [0xa2bfe8a1, 0x4cf10364], [0xa81a664b, 0xbc423001],
    295. 

  295.     [0xc24b8b70, 0xd0f89791], [0xc76c51a3, 0x0654be30],
    296. 

  296.     [0xd192e819, 0xd6ef5218], [0xd6990624, 0x5565a910],
    297. 

  297.     [0xf40e3585, 0x5771202a], [0x106aa070, 0x32bbd1b8],
    298. 

  298.     [0x19a4c116, 0xb8d2d0c8], [0x1e376c08, 0x5141ab53],
    299. 

  299.     [0x2748774c, 0xdf8eeb99], [0x34b0bcb5, 0xe19b48a8],
    300. 

  300.     [0x391c0cb3, 0xc5c95a63], [0x4ed8aa4a, 0xe3418acb],
    301. 

  301.     [0x5b9cca4f, 0x7763e373], [0x682e6ff3, 0xd6b2b8a3],
    302. 

  302.     [0x748f82ee, 0x5defb2fc], [0x78a5636f, 0x43172f60],
    303. 

  303.     [0x84c87814, 0xa1f0ab72], [0x8cc70208, 0x1a6439ec],
    304. 

  304.     [0x90befffa, 0x23631e28], [0xa4506ceb, 0xde82bde9],
    305. 

  305.     [0xbef9a3f7, 0xb2c67915], [0xc67178f2, 0xe372532b],
    306. 

  306.     [0xca273ece, 0xea26619c], [0xd186b8c7, 0x21c0c207],
    307. 

  307.     [0xeada7dd6, 0xcde0eb1e], [0xf57d4f7f, 0xee6ed178],
    308. 

  308.     [0x06f067aa, 0x72176fba], [0x0a637dc5, 0xa2c898a6],
    309. 

  309.     [0x113f9804, 0xbef90dae], [0x1b710b35, 0x131c471b],
    310. 

  310.     [0x28db77f5, 0x23047d84], [0x32caab7b, 0x40c72493],
    311. 

  311.     [0x3c9ebe0a, 0x15c9bebc], [0x431d67c4, 0x9c100d4c],
    312. 

  312.     [0x4cc5d4be, 0xcb3e42b6], [0x597f299c, 0xfc657e2a],
    313. 

  313.     [0x5fcb6fab, 0x3ad6faec], [0x6c44198c, 0x4a475817]
    314. 

  314.   ];
    315. 

  315. 

  316.   // initial hash states
    317. 

  317.   _states = {};
    318. 

  318.   _states['SHA-512'] = [
    319. 

  319.     [0x6a09e667, 0xf3bcc908],
    320. 

  320.     [0xbb67ae85, 0x84caa73b],
    321. 

  321.     [0x3c6ef372, 0xfe94f82b],
    322. 

  322.     [0xa54ff53a, 0x5f1d36f1],
    323. 

  323.     [0x510e527f, 0xade682d1],
    324. 

  324.     [0x9b05688c, 0x2b3e6c1f],
    325. 

  325.     [0x1f83d9ab, 0xfb41bd6b],
    326. 

  326.     [0x5be0cd19, 0x137e2179]
    327. 

  327.   ];
    328. 

  328.   _states['SHA-384'] = [
    329. 

  329.     [0xcbbb9d5d, 0xc1059ed8],
    330. 

  330.     [0x629a292a, 0x367cd507],
    331. 

  331.     [0x9159015a, 0x3070dd17],
    332. 

  332.     [0x152fecd8, 0xf70e5939],
    333. 

  333.     [0x67332667, 0xffc00b31],
    334. 

  334.     [0x8eb44a87, 0x68581511],
    335. 

  335.     [0xdb0c2e0d, 0x64f98fa7],
    336. 

  336.     [0x47b5481d, 0xbefa4fa4]
    337. 

  337.   ];
    338. 

  338.   _states['SHA-512/256'] = [
    339. 

  339.     [0x22312194, 0xFC2BF72C],
    340. 

  340.     [0x9F555FA3, 0xC84C64C2],
    341. 

  341.     [0x2393B86B, 0x6F53B151],
    342. 

  342.     [0x96387719, 0x5940EABD],
    343. 

  343.     [0x96283EE2, 0xA88EFFE3],
    344. 

  344.     [0xBE5E1E25, 0x53863992],
    345. 

  345.     [0x2B0199FC, 0x2C85B8AA],
    346. 

  346.     [0x0EB72DDC, 0x81C52CA2]
    347. 

  347.   ];
    348. 

  348.   _states['SHA-512/224'] = [
    349. 

  349.     [0x8C3D37C8, 0x19544DA2],
    350. 

  350.     [0x73E19966, 0x89DCD4D6],
    351. 

  351.     [0x1DFAB7AE, 0x32FF9C82],
    352. 

  352.     [0x679DD514, 0x582F9FCF],
    353. 

  353.     [0x0F6D2B69, 0x7BD44DA8],
    354. 

  354.     [0x77E36F73, 0x04C48942],
    355. 

  355.     [0x3F9D85A8, 0x6A1D36C8],
    356. 

  356.     [0x1112E6AD, 0x91D692A1]
    357. 

  357.   ];
    358. 

  358. 

  359.   // now initialized
    360. 

  360.   _initialized = true;
    361. 

  361. }
    362. 

  362. 

  363. /**
    364. 

  364.  * Updates a SHA-512 state with the given byte buffer.
    365. 

  365.  *
    366. 

  366.  * @param s the SHA-512 state to update.
    367. 

  367.  * @param w the array to use to store words.
    368. 

  368.  * @param bytes the byte buffer to update with.
    369. 

  369.  */
    370. 

  370. function _update(s, w, bytes) {
    371. 

  371.   // consume 512 bit (128 byte) chunks
    372. 

  372.   var t1_hi, t1_lo;
    373. 

  373.   var t2_hi, t2_lo;
    374. 

  374.   var s0_hi, s0_lo;
    375. 

  375.   var s1_hi, s1_lo;
    376. 

  376.   var ch_hi, ch_lo;
    377. 

  377.   var maj_hi, maj_lo;
    378. 

  378.   var a_hi, a_lo;
    379. 

  379.   var b_hi, b_lo;
    380. 

  380.   var c_hi, c_lo;
    381. 

  381.   var d_hi, d_lo;
    382. 

  382.   var e_hi, e_lo;
    383. 

  383.   var f_hi, f_lo;
    384. 

  384.   var g_hi, g_lo;
    385. 

  385.   var h_hi, h_lo;
    386. 

  386.   var i, hi, lo, w2, w7, w15, w16;
    387. 

  387.   var len = bytes.length();
    388. 

  388.   while(len >= 128) {
    389. 

  389.     // the w array will be populated with sixteen 64-bit big-endian words
    390. 

  390.     // and then extended into 64 64-bit words according to SHA-512
    391. 

  391.     for(i = 0; i < 16; ++i) {
    392. 

  392.       w[i][0] = bytes.getInt32() >>> 0;
    393. 

  393.       w[i][1] = bytes.getInt32() >>> 0;
    394. 

  394.     }
    395. 

  395.     for(; i < 80; ++i) {
    396. 

  396.       // for word 2 words ago: ROTR 19(x) ^ ROTR 61(x) ^ SHR 6(x)
    397. 

  397.       w2 = w[i - 2];
    398. 

  398.       hi = w2[0];
    399. 

  399.       lo = w2[1];
    400. 

  400. 

  401.       // high bits
    402. 

  402.       t1_hi = (
    403. 

  403.         ((hi >>> 19) | (lo << 13)) ^ // ROTR 19
    404. 

  404.         ((lo >>> 29) | (hi << 3)) ^ // ROTR 61/(swap + ROTR 29)
    405. 

  405.         (hi >>> 6)) >>> 0; // SHR 6
    406. 

  406.       // low bits
    407. 

  407.       t1_lo = (
    408. 

  408.         ((hi << 13) | (lo >>> 19)) ^ // ROTR 19
    409. 

  409.         ((lo << 3) | (hi >>> 29)) ^ // ROTR 61/(swap + ROTR 29)
    410. 

  410.         ((hi << 26) | (lo >>> 6))) >>> 0; // SHR 6
    411. 

  411. 

  412.       // for word 15 words ago: ROTR 1(x) ^ ROTR 8(x) ^ SHR 7(x)
    413. 

  413.       w15 = w[i - 15];
    414. 

  414.       hi = w15[0];
    415. 

  415.       lo = w15[1];
    416. 

  416. 

  417.       // high bits
    418. 

  418.       t2_hi = (
    419. 

  419.         ((hi >>> 1) | (lo << 31)) ^ // ROTR 1
    420. 

  420.         ((hi >>> 8) | (lo << 24)) ^ // ROTR 8
    421. 

  421.         (hi >>> 7)) >>> 0; // SHR 7
    422. 

  422.       // low bits
    423. 

  423.       t2_lo = (
    424. 

  424.         ((hi << 31) | (lo >>> 1)) ^ // ROTR 1
    425. 

  425.         ((hi << 24) | (lo >>> 8)) ^ // ROTR 8
    426. 

  426.         ((hi << 25) | (lo >>> 7))) >>> 0; // SHR 7
    427. 

  427. 

  428.       // sum(t1, word 7 ago, t2, word 16 ago) modulo 2^64 (carry lo overflow)
    429. 

  429.       w7 = w[i - 7];
    430. 

  430.       w16 = w[i - 16];
    431. 

  431.       lo = (t1_lo + w7[1] + t2_lo + w16[1]);
    432. 

  432.       w[i][0] = (t1_hi + w7[0] + t2_hi + w16[0] +
    433. 

  433.         ((lo / 0x100000000) >>> 0)) >>> 0;
    434. 

  434.       w[i][1] = lo >>> 0;
    435. 

  435.     }
    436. 

  436. 

  437.     // initialize hash value for this chunk
    438. 

  438.     a_hi = s[0][0];
    439. 

  439.     a_lo = s[0][1];
    440. 

  440.     b_hi = s[1][0];
    441. 

  441.     b_lo = s[1][1];
    442. 

  442.     c_hi = s[2][0];
    443. 

  443.     c_lo = s[2][1];
    444. 

  444.     d_hi = s[3][0];
    445. 

  445.     d_lo = s[3][1];
    446. 

  446.     e_hi = s[4][0];
    447. 

  447.     e_lo = s[4][1];
    448. 

  448.     f_hi = s[5][0];
    449. 

  449.     f_lo = s[5][1];
    450. 

  450.     g_hi = s[6][0];
    451. 

  451.     g_lo = s[6][1];
    452. 

  452.     h_hi = s[7][0];
    453. 

  453.     h_lo = s[7][1];
    454. 

  454. 

  455.     // round function
    456. 

  456.     for(i = 0; i < 80; ++i) {
    457. 

  457.       // Sum1(e) = ROTR 14(e) ^ ROTR 18(e) ^ ROTR 41(e)
    458. 

  458.       s1_hi = (
    459. 

  459.         ((e_hi >>> 14) | (e_lo << 18)) ^ // ROTR 14
    460. 

  460.         ((e_hi >>> 18) | (e_lo << 14)) ^ // ROTR 18
    461. 

  461.         ((e_lo >>> 9) | (e_hi << 23))) >>> 0; // ROTR 41/(swap + ROTR 9)
    462. 

  462.       s1_lo = (
    463. 

  463.         ((e_hi << 18) | (e_lo >>> 14)) ^ // ROTR 14
    464. 

  464.         ((e_hi << 14) | (e_lo >>> 18)) ^ // ROTR 18
    465. 

  465.         ((e_lo << 23) | (e_hi >>> 9))) >>> 0; // ROTR 41/(swap + ROTR 9)
    466. 

  466. 

  467.       // Ch(e, f, g) (optimized the same way as SHA-1)
    468. 

  468.       ch_hi = (g_hi ^ (e_hi & (f_hi ^ g_hi))) >>> 0;
    469. 

  469.       ch_lo = (g_lo ^ (e_lo & (f_lo ^ g_lo))) >>> 0;
    470. 

  470. 

  471.       // Sum0(a) = ROTR 28(a) ^ ROTR 34(a) ^ ROTR 39(a)
    472. 

  472.       s0_hi = (
    473. 

  473.         ((a_hi >>> 28) | (a_lo << 4)) ^ // ROTR 28
    474. 

  474.         ((a_lo >>> 2) | (a_hi << 30)) ^ // ROTR 34/(swap + ROTR 2)
    475. 

  475.         ((a_lo >>> 7) | (a_hi << 25))) >>> 0; // ROTR 39/(swap + ROTR 7)
    476. 

  476.       s0_lo = (
    477. 

  477.         ((a_hi << 4) | (a_lo >>> 28)) ^ // ROTR 28
    478. 

  478.         ((a_lo << 30) | (a_hi >>> 2)) ^ // ROTR 34/(swap + ROTR 2)
    479. 

  479.         ((a_lo << 25) | (a_hi >>> 7))) >>> 0; // ROTR 39/(swap + ROTR 7)
    480. 

  480. 

  481.       // Maj(a, b, c) (optimized the same way as SHA-1)
    482. 

  482.       maj_hi = ((a_hi & b_hi) | (c_hi & (a_hi ^ b_hi))) >>> 0;
    483. 

  483.       maj_lo = ((a_lo & b_lo) | (c_lo & (a_lo ^ b_lo))) >>> 0;
    484. 

  484. 

  485.       // main algorithm
    486. 

  486.       // t1 = (h + s1 + ch + _k[i] + _w[i]) modulo 2^64 (carry lo overflow)
    487. 

  487.       lo = (h_lo + s1_lo + ch_lo + _k[i][1] + w[i][1]);
    488. 

  488.       t1_hi = (h_hi + s1_hi + ch_hi + _k[i][0] + w[i][0] +
    489. 

  489.         ((lo / 0x100000000) >>> 0)) >>> 0;
    490. 

  490.       t1_lo = lo >>> 0;
    491. 

  491. 

  492.       // t2 = s0 + maj modulo 2^64 (carry lo overflow)
    493. 

  493.       lo = s0_lo + maj_lo;
    494. 

  494.       t2_hi = (s0_hi + maj_hi + ((lo / 0x100000000) >>> 0)) >>> 0;
    495. 

  495.       t2_lo = lo >>> 0;
    496. 

  496. 

  497.       h_hi = g_hi;
    498. 

  498.       h_lo = g_lo;
    499. 

  499. 

  500.       g_hi = f_hi;
    501. 

  501.       g_lo = f_lo;
    502. 

  502. 

  503.       f_hi = e_hi;
    504. 

  504.       f_lo = e_lo;
    505. 

  505. 

  506.       // e = (d + t1) modulo 2^64 (carry lo overflow)
    507. 

  507.       lo = d_lo + t1_lo;
    508. 

  508.       e_hi = (d_hi + t1_hi + ((lo / 0x100000000) >>> 0)) >>> 0;
    509. 

  509.       e_lo = lo >>> 0;
    510. 

  510. 

  511.       d_hi = c_hi;
    512. 

  512.       d_lo = c_lo;
    513. 

  513. 

  514.       c_hi = b_hi;
    515. 

  515.       c_lo = b_lo;
    516. 

  516. 

  517.       b_hi = a_hi;
    518. 

  518.       b_lo = a_lo;
    519. 

  519. 

  520.       // a = (t1 + t2) modulo 2^64 (carry lo overflow)
    521. 

  521.       lo = t1_lo + t2_lo;
    522. 

  522.       a_hi = (t1_hi + t2_hi + ((lo / 0x100000000) >>> 0)) >>> 0;
    523. 

  523.       a_lo = lo >>> 0;
    524. 

  524.     }
    525. 

  525. 

  526.     // update hash state (additional modulo 2^64)
    527. 

  527.     lo = s[0][1] + a_lo;
    528. 

  528.     s[0][0] = (s[0][0] + a_hi + ((lo / 0x100000000) >>> 0)) >>> 0;
    529. 

  529.     s[0][1] = lo >>> 0;
    530. 

  530. 

  531.     lo = s[1][1] + b_lo;
    532. 

  532.     s[1][0] = (s[1][0] + b_hi + ((lo / 0x100000000) >>> 0)) >>> 0;
    533. 

  533.     s[1][1] = lo >>> 0;
    534. 

  534. 

  535.     lo = s[2][1] + c_lo;
    536. 

  536.     s[2][0] = (s[2][0] + c_hi + ((lo / 0x100000000) >>> 0)) >>> 0;
    537. 

  537.     s[2][1] = lo >>> 0;
    538. 

  538. 

  539.     lo = s[3][1] + d_lo;
    540. 

  540.     s[3][0] = (s[3][0] + d_hi + ((lo / 0x100000000) >>> 0)) >>> 0;
    541. 

  541.     s[3][1] = lo >>> 0;
    542. 

  542. 

  543.     lo = s[4][1] + e_lo;
    544. 

  544.     s[4][0] = (s[4][0] + e_hi + ((lo / 0x100000000) >>> 0)) >>> 0;
    545. 

  545.     s[4][1] = lo >>> 0;
    546. 

  546. 

  547.     lo = s[5][1] + f_lo;
    548. 

  548.     s[5][0] = (s[5][0] + f_hi + ((lo / 0x100000000) >>> 0)) >>> 0;
    549. 

  549.     s[5][1] = lo >>> 0;
    550. 

  550. 

  551.     lo = s[6][1] + g_lo;
    552. 

  552.     s[6][0] = (s[6][0] + g_hi + ((lo / 0x100000000) >>> 0)) >>> 0;
    553. 

  553.     s[6][1] = lo >>> 0;
    554. 

  554. 

  555.     lo = s[7][1] + h_lo;
    556. 

  556.     s[7][0] = (s[7][0] + h_hi + ((lo / 0x100000000) >>> 0)) >>> 0;
    557. 

  557.     s[7][1] = lo >>> 0;
    558. 

  558. 

  559.     len -= 128;
    560. 

  560.   }
    561. 

  561. }
    562.