1 |
|
|
/* $OpenBSD: sha1.c,v 1.26 2015/09/11 09:18:27 guenther Exp $ */ |
2 |
|
|
|
3 |
|
|
/* |
4 |
|
|
* SHA-1 in C |
5 |
|
|
* By Steve Reid <steve@edmweb.com> |
6 |
|
|
* 100% Public Domain |
7 |
|
|
* |
8 |
|
|
* Test Vectors (from FIPS PUB 180-1) |
9 |
|
|
* "abc" |
10 |
|
|
* A9993E36 4706816A BA3E2571 7850C26C 9CD0D89D |
11 |
|
|
* "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" |
12 |
|
|
* 84983E44 1C3BD26E BAAE4AA1 F95129E5 E54670F1 |
13 |
|
|
* A million repetitions of "a" |
14 |
|
|
* 34AA973C D4C4DAA4 F61EEB2B DBAD2731 6534016F |
15 |
|
|
*/ |
16 |
|
|
|
17 |
|
|
#include <sys/types.h> |
18 |
|
|
#include <string.h> |
19 |
|
|
#include <sha1.h> |
20 |
|
|
|
21 |
|
|
#define rol(value, bits) (((value) << (bits)) | ((value) >> (32 - (bits)))) |
22 |
|
|
|
23 |
|
|
/* |
24 |
|
|
* blk0() and blk() perform the initial expand. |
25 |
|
|
* I got the idea of expanding during the round function from SSLeay |
26 |
|
|
*/ |
27 |
|
|
#if BYTE_ORDER == LITTLE_ENDIAN |
28 |
|
|
# define blk0(i) (block->l[i] = (rol(block->l[i],24)&0xFF00FF00) \ |
29 |
|
|
|(rol(block->l[i],8)&0x00FF00FF)) |
30 |
|
|
#else |
31 |
|
|
# define blk0(i) block->l[i] |
32 |
|
|
#endif |
33 |
|
|
#define blk(i) (block->l[i&15] = rol(block->l[(i+13)&15]^block->l[(i+8)&15] \ |
34 |
|
|
^block->l[(i+2)&15]^block->l[i&15],1)) |
35 |
|
|
|
36 |
|
|
/* |
37 |
|
|
* (R0+R1), R2, R3, R4 are the different operations (rounds) used in SHA1 |
38 |
|
|
*/ |
39 |
|
|
#define R0(v,w,x,y,z,i) z+=((w&(x^y))^y)+blk0(i)+0x5A827999+rol(v,5);w=rol(w,30); |
40 |
|
|
#define R1(v,w,x,y,z,i) z+=((w&(x^y))^y)+blk(i)+0x5A827999+rol(v,5);w=rol(w,30); |
41 |
|
|
#define R2(v,w,x,y,z,i) z+=(w^x^y)+blk(i)+0x6ED9EBA1+rol(v,5);w=rol(w,30); |
42 |
|
|
#define R3(v,w,x,y,z,i) z+=(((w|x)&y)|(w&x))+blk(i)+0x8F1BBCDC+rol(v,5);w=rol(w,30); |
43 |
|
|
#define R4(v,w,x,y,z,i) z+=(w^x^y)+blk(i)+0xCA62C1D6+rol(v,5);w=rol(w,30); |
44 |
|
|
|
45 |
|
|
typedef union { |
46 |
|
|
u_int8_t c[64]; |
47 |
|
|
u_int32_t l[16]; |
48 |
|
|
} CHAR64LONG16; |
49 |
|
|
|
50 |
|
|
/* |
51 |
|
|
* Hash a single 512-bit block. This is the core of the algorithm. |
52 |
|
|
*/ |
53 |
|
|
void |
54 |
|
|
SHA1Transform(u_int32_t state[5], const u_int8_t buffer[SHA1_BLOCK_LENGTH]) |
55 |
|
|
{ |
56 |
|
|
u_int32_t a, b, c, d, e; |
57 |
|
|
u_int8_t workspace[SHA1_BLOCK_LENGTH]; |
58 |
|
|
CHAR64LONG16 *block = (CHAR64LONG16 *)workspace; |
59 |
|
|
|
60 |
|
312740 |
(void)memcpy(block, buffer, SHA1_BLOCK_LENGTH); |
61 |
|
|
|
62 |
|
|
/* Copy context->state[] to working vars */ |
63 |
|
156370 |
a = state[0]; |
64 |
|
156370 |
b = state[1]; |
65 |
|
156370 |
c = state[2]; |
66 |
|
156370 |
d = state[3]; |
67 |
|
156370 |
e = state[4]; |
68 |
|
|
|
69 |
|
|
/* 4 rounds of 20 operations each. Loop unrolled. */ |
70 |
|
156370 |
R0(a,b,c,d,e, 0); R0(e,a,b,c,d, 1); R0(d,e,a,b,c, 2); R0(c,d,e,a,b, 3); |
71 |
|
156370 |
R0(b,c,d,e,a, 4); R0(a,b,c,d,e, 5); R0(e,a,b,c,d, 6); R0(d,e,a,b,c, 7); |
72 |
|
156370 |
R0(c,d,e,a,b, 8); R0(b,c,d,e,a, 9); R0(a,b,c,d,e,10); R0(e,a,b,c,d,11); |
73 |
|
156370 |
R0(d,e,a,b,c,12); R0(c,d,e,a,b,13); R0(b,c,d,e,a,14); R0(a,b,c,d,e,15); |
74 |
|
156370 |
R1(e,a,b,c,d,16); R1(d,e,a,b,c,17); R1(c,d,e,a,b,18); R1(b,c,d,e,a,19); |
75 |
|
156370 |
R2(a,b,c,d,e,20); R2(e,a,b,c,d,21); R2(d,e,a,b,c,22); R2(c,d,e,a,b,23); |
76 |
|
156370 |
R2(b,c,d,e,a,24); R2(a,b,c,d,e,25); R2(e,a,b,c,d,26); R2(d,e,a,b,c,27); |
77 |
|
156370 |
R2(c,d,e,a,b,28); R2(b,c,d,e,a,29); R2(a,b,c,d,e,30); R2(e,a,b,c,d,31); |
78 |
|
156370 |
R2(d,e,a,b,c,32); R2(c,d,e,a,b,33); R2(b,c,d,e,a,34); R2(a,b,c,d,e,35); |
79 |
|
156370 |
R2(e,a,b,c,d,36); R2(d,e,a,b,c,37); R2(c,d,e,a,b,38); R2(b,c,d,e,a,39); |
80 |
|
156370 |
R3(a,b,c,d,e,40); R3(e,a,b,c,d,41); R3(d,e,a,b,c,42); R3(c,d,e,a,b,43); |
81 |
|
156370 |
R3(b,c,d,e,a,44); R3(a,b,c,d,e,45); R3(e,a,b,c,d,46); R3(d,e,a,b,c,47); |
82 |
|
156370 |
R3(c,d,e,a,b,48); R3(b,c,d,e,a,49); R3(a,b,c,d,e,50); R3(e,a,b,c,d,51); |
83 |
|
156370 |
R3(d,e,a,b,c,52); R3(c,d,e,a,b,53); R3(b,c,d,e,a,54); R3(a,b,c,d,e,55); |
84 |
|
156370 |
R3(e,a,b,c,d,56); R3(d,e,a,b,c,57); R3(c,d,e,a,b,58); R3(b,c,d,e,a,59); |
85 |
|
156370 |
R4(a,b,c,d,e,60); R4(e,a,b,c,d,61); R4(d,e,a,b,c,62); R4(c,d,e,a,b,63); |
86 |
|
156370 |
R4(b,c,d,e,a,64); R4(a,b,c,d,e,65); R4(e,a,b,c,d,66); R4(d,e,a,b,c,67); |
87 |
|
156370 |
R4(c,d,e,a,b,68); R4(b,c,d,e,a,69); R4(a,b,c,d,e,70); R4(e,a,b,c,d,71); |
88 |
|
156370 |
R4(d,e,a,b,c,72); R4(c,d,e,a,b,73); R4(b,c,d,e,a,74); R4(a,b,c,d,e,75); |
89 |
|
156370 |
R4(e,a,b,c,d,76); R4(d,e,a,b,c,77); R4(c,d,e,a,b,78); R4(b,c,d,e,a,79); |
90 |
|
|
|
91 |
|
|
/* Add the working vars back into context.state[] */ |
92 |
|
156370 |
state[0] += a; |
93 |
|
156370 |
state[1] += b; |
94 |
|
156370 |
state[2] += c; |
95 |
|
156370 |
state[3] += d; |
96 |
|
156370 |
state[4] += e; |
97 |
|
|
|
98 |
|
|
/* Wipe variables */ |
99 |
|
|
a = b = c = d = e = 0; |
100 |
|
156370 |
} |
101 |
|
|
DEF_WEAK(SHA1Transform); |
102 |
|
|
|
103 |
|
|
|
104 |
|
|
/* |
105 |
|
|
* SHA1Init - Initialize new context |
106 |
|
|
*/ |
107 |
|
|
void |
108 |
|
|
SHA1Init(SHA1_CTX *context) |
109 |
|
|
{ |
110 |
|
|
|
111 |
|
|
/* SHA1 initialization constants */ |
112 |
|
180 |
context->count = 0; |
113 |
|
90 |
context->state[0] = 0x67452301; |
114 |
|
90 |
context->state[1] = 0xEFCDAB89; |
115 |
|
90 |
context->state[2] = 0x98BADCFE; |
116 |
|
90 |
context->state[3] = 0x10325476; |
117 |
|
90 |
context->state[4] = 0xC3D2E1F0; |
118 |
|
90 |
} |
119 |
|
|
DEF_WEAK(SHA1Init); |
120 |
|
|
|
121 |
|
|
|
122 |
|
|
/* |
123 |
|
|
* Run your data through this. |
124 |
|
|
*/ |
125 |
|
|
void |
126 |
|
|
SHA1Update(SHA1_CTX *context, const u_int8_t *data, size_t len) |
127 |
|
|
{ |
128 |
|
|
size_t i, j; |
129 |
|
|
|
130 |
|
29420 |
j = (size_t)((context->count >> 3) & 63); |
131 |
|
14710 |
context->count += (len << 3); |
132 |
✓✓ |
14710 |
if ((j + len) > 63) { |
133 |
|
10120 |
(void)memcpy(&context->buffer[j], data, (i = 64-j)); |
134 |
|
10120 |
SHA1Transform(context->state, context->buffer); |
135 |
✓✓ |
312740 |
for ( ; i + 63 < len; i += 64) |
136 |
|
146250 |
SHA1Transform(context->state, (u_int8_t *)&data[i]); |
137 |
|
|
j = 0; |
138 |
|
10120 |
} else { |
139 |
|
|
i = 0; |
140 |
|
|
} |
141 |
|
14710 |
(void)memcpy(&context->buffer[j], &data[i], len - i); |
142 |
|
14710 |
} |
143 |
|
|
DEF_WEAK(SHA1Update); |
144 |
|
|
|
145 |
|
|
|
146 |
|
|
/* |
147 |
|
|
* Add padding and return the message digest. |
148 |
|
|
*/ |
149 |
|
|
void |
150 |
|
|
SHA1Pad(SHA1_CTX *context) |
151 |
|
|
{ |
152 |
|
180 |
u_int8_t finalcount[8]; |
153 |
|
|
u_int i; |
154 |
|
|
|
155 |
✓✓ |
1620 |
for (i = 0; i < 8; i++) { |
156 |
|
2160 |
finalcount[i] = (u_int8_t)((context->count >> |
157 |
|
1440 |
((7 - (i & 7)) * 8)) & 255); /* Endian independent */ |
158 |
|
|
} |
159 |
|
90 |
SHA1Update(context, (u_int8_t *)"\200", 1); |
160 |
✓✓ |
9080 |
while ((context->count & 504) != 448) |
161 |
|
4450 |
SHA1Update(context, (u_int8_t *)"\0", 1); |
162 |
|
90 |
SHA1Update(context, finalcount, 8); /* Should cause a SHA1Transform() */ |
163 |
|
90 |
} |
164 |
|
|
DEF_WEAK(SHA1Pad); |
165 |
|
|
|
166 |
|
|
void |
167 |
|
|
SHA1Final(u_int8_t digest[SHA1_DIGEST_LENGTH], SHA1_CTX *context) |
168 |
|
|
{ |
169 |
|
|
u_int i; |
170 |
|
|
|
171 |
|
180 |
SHA1Pad(context); |
172 |
✓✓ |
3780 |
for (i = 0; i < SHA1_DIGEST_LENGTH; i++) { |
173 |
|
1800 |
digest[i] = (u_int8_t) |
174 |
|
1800 |
((context->state[i>>2] >> ((3-(i & 3)) * 8) ) & 255); |
175 |
|
|
} |
176 |
|
90 |
explicit_bzero(context, sizeof(*context)); |
177 |
|
90 |
} |
178 |
|
|
DEF_WEAK(SHA1Final); |