//====- SHA1.cpp - Private copy of the SHA1 implementation ---*- C++ -* ======//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
//
// This code is taken from public domain
// (http://oauth.googlecode.com/svn/code/c/liboauth/src/sha1.c and
// http://cvsweb.netbsd.org/bsdweb.cgi/src/common/lib/libc/hash/sha1/sha1.c?rev=1.6)
// and modified by wrapping it in a C++ interface for LLVM,
// and removing unnecessary code.
//
// NOTE(review): SHA-1 is no longer collision resistant. Digests produced by
// this file are suitable as content identifiers or checksums; they should not
// be the only thing standing between an adversary-chosen input and a trust
// decision.
//
//===----------------------------------------------------------------------===//

#include "llvm/Support/SHA1.h"
#include "llvm/ADT/ArrayRef.h"
#include "llvm/ADT/StringRef.h"
#include "llvm/Support/Endian.h"
#include "llvm/Support/SwapByteOrder.h"
#include <string.h>

using namespace llvm;

/// Rotate \p Number left by \p Bits positions within 32 bits.
///
/// \p Bits must be in the range 1..31: a shift by 32 is undefined for a
/// 32-bit operand. Every call in this file passes 1, 5 or 30.
static inline uint32_t rol(uint32_t Number, int Bits) {
  const uint32_t ShiftedUp = Number << Bits;
  const uint32_t WrappedAround = Number >> (32 - Bits);
  return ShiftedUp | WrappedAround;
}

/// Return message-schedule word \p I straight from \p Buf, without expansion.
/// No bounds check is performed; the caller supplies a valid index.
static inline uint32_t blk0(uint32_t *Buf, int I) {
  const uint32_t Word = Buf[I];
  return Word;
}

/// Expand message-schedule word \p I in place and return it.
///
/// \p Buf is used as a 16-word circular window (every index is masked with
/// 15): the new word is the XOR of the words at I+13, I+8, I+2 and I, rotated
/// left by one bit, and it overwrites slot I & 15.
static inline uint32_t blk(uint32_t *Buf, int I) {
  const int Slot = I & 15;
  const uint32_t Mixed = Buf[(I + 13) & 15] ^ Buf[(I + 8) & 15] ^
                         Buf[(I + 2) & 15] ^ Buf[Slot];
  Buf[Slot] = rol(Mixed, 1);
  return Buf[Slot];
}

/// One SHA-1 step using the "choose" function and constant 0x5A827999,
/// reading the schedule word unexpanded via blk0(). Updates \p E and rotates
/// \p B by 30; \p A, \p C and \p D are only read.
static inline void r0(uint32_t &A, uint32_t &B, uint32_t &C, uint32_t &D,
                      uint32_t &E, int I, uint32_t *Buf) {
  const uint32_t Choose = ((B & (C ^ D)) ^ D);
  E += Choose + blk0(Buf, I) + 0x5A827999 + rol(A, 5);
  B = rol(B, 30);
}

/// Same step as r0(), but the schedule word is produced by blk(), which also
/// rewrites the corresponding slot of \p Buf.
static inline void r1(uint32_t &A, uint32_t &B, uint32_t &C, uint32_t &D,
                      uint32_t &E, int I, uint32_t *Buf) {
  const uint32_t Choose = ((B & (C ^ D)) ^ D);
  E += Choose + blk(Buf, I) + 0x5A827999 + rol(A, 5);
  B = rol(B, 30);
}

/// One SHA-1 step using the parity function (B ^ C ^ D) and constant
/// 0x6ED9EBA1.
static inline void r2(uint32_t &A, uint32_t &B, uint32_t &C, uint32_t &D,
                      uint32_t &E, int I, uint32_t *Buf) {
  const uint32_t Parity = (B ^ C ^ D);
  E += Parity + blk(Buf, I) + 0x6ED9EBA1 + rol(A, 5);
  B = rol(B, 30);
}

/// One SHA-1 step using the majority function and constant 0x8F1BBCDC.
static inline void r3(uint32_t &A, uint32_t &B, uint32_t &C, uint32_t &D,
                      uint32_t &E, int I, uint32_t *Buf) {
  const uint32_t Majority = (((B | C) & D) | (B & C));
  E += Majority + blk(Buf, I) + 0x8F1BBCDC + rol(A, 5);
  B = rol(B, 30);
}

/// One SHA-1 step using the parity function (B ^ C ^ D) and constant
/// 0xCA62C1D6.
static inline void r4(uint32_t &A, uint32_t &B, uint32_t &C, uint32_t &D,
                      uint32_t &E, int I, uint32_t *Buf) {
  const uint32_t Parity = (B ^ C ^ D);
  E += Parity + blk(Buf, I) + 0xCA62C1D6 + rol(A, 5);
  B = rol(B, 30);
}
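
/* code */
// Round constants. The r0()..r4() step helpers earlier in this file spell the
// same values as literals, so these macros are not referenced by them.
#define SHA1_K0 0x5a827999
#define SHA1_K20 0x6ed9eba1
#define SHA1_K40 0x8f1bbcdc
#define SHA1_K60 0xca62c1d6

// Initial chaining values loaded by SHA1::init().
#define SEED_0 0x67452301
#define SEED_1 0xefcdab89
#define SEED_2 0x98badcfe
#define SEED_3 0x10325476
#define SEED_4 0xc3d2e1f0

/// Reset the hasher: load the five seed words and clear the byte counter and
/// the block-buffer offset.
void SHA1::init() {
  InternalState.State[0] = SEED_0;
  InternalState.State[1] = SEED_1;
  InternalState.State[2] = SEED_2;
  InternalState.State[3] = SEED_3;
  InternalState.State[4] = SEED_4;
  InternalState.ByteCount = 0;
  InternalState.BufferOffset = 0;
}

/// Run the compression function over the block currently held in
/// InternalState.Buffer and fold the result into InternalState.State.
///
/// The buffer is overwritten while the block is processed, because the
/// schedule expansion done by the step helpers writes back into it.
void SHA1::hashBlock() {
  uint32_t A = InternalState.State[0];
  uint32_t B = InternalState.State[1];
  uint32_t C = InternalState.State[2];
  uint32_t D = InternalState.State[3];
  uint32_t E = InternalState.State[4];

  // Word view of the block buffer, shared by all 80 steps.
  uint32_t *const W = InternalState.Buffer.L;

  // 4 rounds of 20 operations each. Loop unrolled. Instead of shuffling the
  // five working variables after each step, the argument order is rotated.
  r0(A, B, C, D, E, 0, W);
  r0(E, A, B, C, D, 1, W);
  r0(D, E, A, B, C, 2, W);
  r0(C, D, E, A, B, 3, W);
  r0(B, C, D, E, A, 4, W);
  r0(A, B, C, D, E, 5, W);
  r0(E, A, B, C, D, 6, W);
  r0(D, E, A, B, C, 7, W);
  r0(C, D, E, A, B, 8, W);
  r0(B, C, D, E, A, 9, W);
  r0(A, B, C, D, E, 10, W);
  r0(E, A, B, C, D, 11, W);
  r0(D, E, A, B, C, 12, W);
  r0(C, D, E, A, B, 13, W);
  r0(B, C, D, E, A, 14, W);
  r0(A, B, C, D, E, 15, W);
  r1(E, A, B, C, D, 16, W);
  r1(D, E, A, B, C, 17, W);
  r1(C, D, E, A, B, 18, W);
  r1(B, C, D, E, A, 19, W);

  r2(A, B, C, D, E, 20, W);
  r2(E, A, B, C, D, 21, W);
  r2(D, E, A, B, C, 22, W);
  r2(C, D, E, A, B, 23, W);
  r2(B, C, D, E, A, 24, W);
  r2(A, B, C, D, E, 25, W);
  r2(E, A, B, C, D, 26, W);
  r2(D, E, A, B, C, 27, W);
  r2(C, D, E, A, B, 28, W);
  r2(B, C, D, E, A, 29, W);
  r2(A, B, C, D, E, 30, W);
  r2(E, A, B, C, D, 31, W);
  r2(D, E, A, B, C, 32, W);
  r2(C, D, E, A, B, 33, W);
  r2(B, C, D, E, A, 34, W);
  r2(A, B, C, D, E, 35, W);
  r2(E, A, B, C, D, 36, W);
  r2(D, E, A, B, C, 37, W);
  r2(C, D, E, A, B, 38, W);
  r2(B, C, D, E, A, 39, W);

  r3(A, B, C, D, E, 40, W);
  r3(E, A, B, C, D, 41, W);
  r3(D, E, A, B, C, 42, W);
  r3(C, D, E, A, B, 43, W);
  r3(B, C, D, E, A, 44, W);
  r3(A, B, C, D, E, 45, W);
  r3(E, A, B, C, D, 46, W);
  r3(D, E, A, B, C, 47, W);
  r3(C, D, E, A, B, 48, W);
  r3(B, C, D, E, A, 49, W);
  r3(A, B, C, D, E, 50, W);
  r3(E, A, B, C, D, 51, W);
  r3(D, E, A, B, C, 52, W);
  r3(C, D, E, A, B, 53, W);
  r3(B, C, D, E, A, 54, W);
  r3(A, B, C, D, E, 55, W);
  r3(E, A, B, C, D, 56, W);
  r3(D, E, A, B, C, 57, W);
  r3(C, D, E, A, B, 58, W);
  r3(B, C, D, E, A, 59, W);

  r4(A, B, C, D, E, 60, W);
  r4(E, A, B, C, D, 61, W);
  r4(D, E, A, B, C, 62, W);
  r4(C, D, E, A, B, 63, W);
  r4(B, C, D, E, A, 64, W);
  r4(A, B, C, D, E, 65, W);
  r4(E, A, B, C, D, 66, W);
  r4(D, E, A, B, C, 67, W);
  r4(C, D, E, A, B, 68, W);
  r4(B, C, D, E, A, 69, W);
  r4(A, B, C, D, E, 70, W);
  r4(E, A, B, C, D, 71, W);
  r4(D, E, A, B, C, 72, W);
  r4(C, D, E, A, B, 73, W);
  r4(B, C, D, E, A, 74, W);
  r4(A, B, C, D, E, 75, W);
  r4(E, A, B, C, D, 76, W);
  r4(D, E, A, B, C, 77, W);
  r4(C, D, E, A, B, 78, W);
  r4(B, C, D, E, A, 79, W);

  InternalState.State[0] += A;
  InternalState.State[1] += B;
  InternalState.State[2] += C;
  InternalState.State[3] += D;
  InternalState.State[4] += E;
}

/// Append one byte to the block buffer without touching ByteCount, and
/// compress the block once BLOCK_LENGTH bytes have been collected.
///
/// Used for message bytes (after the caller has counted them) and for the
/// padding and length bytes, which must not be counted.
void SHA1::addUncounted(uint8_t Data) {
  // hashBlock() reads the buffer as 32-bit words. On a little-endian host the
  // byte index is XORed with 3 so that each group of four bytes lands in the
  // word with big-endian significance.
  if constexpr (sys::IsBigEndianHost)
    InternalState.Buffer.C[InternalState.BufferOffset] = Data;
  else
    InternalState.Buffer.C[InternalState.BufferOffset ^ 3] = Data;

  InternalState.BufferOffset++;
  if (InternalState.BufferOffset == BLOCK_LENGTH) {
    hashBlock();
    InternalState.BufferOffset = 0;
  }
}

/// Count and absorb a single message byte.
void SHA1::writebyte(uint8_t Data) {
  ++InternalState.ByteCount;
  addUncounted(Data);
}

/// Absorb \p Data into the running hash.
///
/// The whole length is added to ByteCount up front; the bytes are then fed in
/// three phases: top up a partially filled block, compress whole blocks
/// straight from the input, and buffer whatever is left.
void SHA1::update(ArrayRef<uint8_t> Data) {
  InternalState.ByteCount += Data.size();

  // Finish the current block.
  if (InternalState.BufferOffset > 0) {
    const size_t Remainder = std::min<size_t>(
        Data.size(), BLOCK_LENGTH - InternalState.BufferOffset);
    for (size_t I = 0; I < Remainder; ++I)
      addUncounted(Data[I]);
    Data = Data.drop_front(Remainder);
  }

  // Fast buffer filling for large inputs. If the phase above ran and left the
  // block incomplete, Data is empty by now, so this loop is only entered with
  // an empty buffer.
  while (Data.size() >= BLOCK_LENGTH) {
    assert(InternalState.BufferOffset == 0);
    static_assert(BLOCK_LENGTH % 4 == 0);
    constexpr size_t BLOCK_LENGTH_32 = BLOCK_LENGTH / 4;
    for (size_t I = 0; I < BLOCK_LENGTH_32; ++I)
      InternalState.Buffer.L[I] = support::endian::read32be(&Data[I * 4]);
    hashBlock();
    Data = Data.drop_front(BLOCK_LENGTH);
  }

  // Finish the remainder.
  for (uint8_t C : Data)
    addUncounted(C);
}

/// Absorb the bytes of \p Str; forwards to the ArrayRef overload.
void SHA1::update(StringRef Str) {
  // The bytes are only read, so keep the pointer const instead of casting the
  // qualifier away with a C-style cast.
  update(ArrayRef<uint8_t>(reinterpret_cast<const uint8_t *>(Str.data()),
                           Str.size()));
}

/// Append the SHA-1 padding and the message length, which completes (and
/// compresses) the final block.
void SHA1::pad() {
  // Implement SHA-1 padding (fips180-2 5.1.1)

  // Pad with 0x80 followed by 0x00 until 8 bytes remain in the block. If the
  // 0x80 byte lands past offset 56, addUncounted() compresses the block, wraps
  // the offset to 0, and the zero fill continues in a fresh block.
  addUncounted(0x80);
  while (InternalState.BufferOffset != 56)
    addUncounted(0x00);

  // Append the length in bits, big-endian, in the last 8 bytes. SHA-1 defines
  // a 64-bit length field, but only a 32-bit byte count is used here, so the
  // top three bytes are written as zero.
  // NOTE(review): ByteCount is declared in SHA1.h (not visible here). If it is
  // 32 bits wide, as the original comments say, inputs of 4 GiB or more wrap
  // the counter and the digest no longer matches standard SHA-1 - confirm
  // that callers never hash that much.
  addUncounted(0);
  addUncounted(0);
  addUncounted(0);
  // Bit length = ByteCount * 8. Each shift below selects one byte of that
  // product; the implicit conversion to uint8_t keeps the low 8 bits.
  addUncounted(InternalState.ByteCount >> 29);
  addUncounted(InternalState.ByteCount >> 21);
  addUncounted(InternalState.ByteCount >> 13);
  addUncounted(InternalState.ByteCount >> 5);
  addUncounted(InternalState.ByteCount << 3);
}

/// Finish the hash and store the digest in \p HashResult as words whose
/// in-memory bytes are in digest (big-endian) order.
///
/// This pads the message and therefore consumes the internal state.
void SHA1::final(std::array<uint32_t, HASH_LENGTH / 4> &HashResult) {
  // Pad to complete the last block
  pad();

  if constexpr (sys::IsBigEndianHost) {
    // Just copy the current state
    for (size_t I = 0; I < HashResult.size(); ++I)
      HashResult[I] = InternalState.State[I];
  } else {
    // Swap byte order back
    for (size_t I = 0; I < HashResult.size(); ++I)
      HashResult[I] = llvm::byteswap(InternalState.State[I]);
  }
}

/// Finish the hash and return the 20-byte digest.
std::array<uint8_t, 20> SHA1::final() {
  std::array<uint32_t, HASH_LENGTH / 4> HashResult;
  std::array<uint8_t, HASH_LENGTH> ReturnResult;
  static_assert(sizeof(HashResult) == sizeof(ReturnResult));
  final(HashResult);
  // Copy the object representation rather than reading the inactive member of
  // a union, which ISO C++ leaves undefined. The resulting bytes are the same.
  memcpy(ReturnResult.data(), HashResult.data(), sizeof(ReturnResult));
  return ReturnResult;
}

/// Return the digest of everything absorbed so far while leaving the hasher
/// usable for further update() calls.
std::array<uint8_t, 20> SHA1::result() {
  // final() pads in place, so snapshot the state first.
  auto StateToRestore = InternalState;

  auto Hash = final();

  // Restore the state
  InternalState = StateToRestore;

  // The 20-byte digest is returned by value.
  return Hash;
}

/// One-shot helper: return the SHA-1 digest of \p Data.
///
/// NOTE(review): SHA-1 collisions can be constructed in practice. Use the
/// result as a checksum or content identifier, not as proof that two inputs
/// from an untrusted source are the same.
std::array<uint8_t, 20> SHA1::hash(ArrayRef<uint8_t> Data) {
  SHA1 Hash;
  Hash.update(Data);
  return Hash.final();
}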