1 /* 2 * SHA1 hash implementation and interface functions 3 * Copyright (c) 2003-2005, Jouni Malinen <j@w1.fi> 4 * 5 * This program is free software; you can redistribute it and/or modify 6 * it under the terms of the GNU General Public License version 2 as 7 * published by the Free Software Foundation. 8 * 9 * Alternatively, this software may be distributed under the terms of BSD 10 * license. 11 * 12 * See README and COPYING for more details. 13 */ 14 15 #include "includes.h" 16 17 #include "common.h" 18 #include "sha1.h" 19 #include "sha1_i.h" 20 #include "md5.h" 21 #include "crypto.h" 22 23 typedef struct SHA1Context SHA1_CTX; 24 25 void SHA1Transform(u32 state[5], const unsigned char buffer[64]); 26 27 28 /** 29 * sha1_vector - SHA-1 hash for data vector 30 * @num_elem: Number of elements in the data vector 31 * @addr: Pointers to the data areas 32 * @len: Lengths of the data blocks 33 * @mac: Buffer for the hash 34 * Returns: 0 on success, -1 of failure 35 */ 36 int sha1_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac) 37 { 38 SHA1_CTX ctx; 39 size_t i; 40 41 SHA1Init(&ctx); 42 for (i = 0; i < num_elem; i++) 43 SHA1Update(&ctx, addr[i], len[i]); 44 SHA1Final(mac, &ctx); 45 return 0; 46 } 47 48 49 /* ===== start - public domain SHA1 implementation ===== */ 50 51 /* 52 SHA-1 in C 53 By Steve Reid <sreid@sea-to-sky.net> 54 100% Public Domain 55 56 ----------------- 57 Modified 7/98 58 By James H. Brown <jbrown@burgoyne.com> 59 Still 100% Public Domain 60 61 Corrected a problem which generated improper hash values on 16 bit machines 62 Routine SHA1Update changed from 63 void SHA1Update(SHA1_CTX* context, unsigned char* data, unsigned int 64 len) 65 to 66 void SHA1Update(SHA1_CTX* context, unsigned char* data, unsigned 67 long len) 68 69 The 'len' parameter was declared an int which works fine on 32 bit machines. 70 However, on 16 bit machines an int is too small for the shifts being done 71 against 72 it. This caused the hash function to generate incorrect values if len was 73 greater than 8191 (8K - 1) due to the 'len << 3' on line 3 of SHA1Update(). 74 75 Since the file IO in main() reads 16K at a time, any file 8K or larger would 76 be guaranteed to generate the wrong hash (e.g. Test Vector #3, a million 77 "a"s). 78 79 I also changed the declaration of variables i & j in SHA1Update to 80 unsigned long from unsigned int for the same reason. 81 82 These changes should make no difference to any 32 bit implementations since 83 an 84 int and a long are the same size in those environments. 85 86 -- 87 I also corrected a few compiler warnings generated by Borland C. 88 1. Added #include <process.h> for exit() prototype 89 2. Removed unused variable 'j' in SHA1Final 90 3. Changed exit(0) to return(0) at end of main. 91 92 ALL changes I made can be located by searching for comments containing 'JHB' 93 ----------------- 94 Modified 8/98 95 By Steve Reid <sreid@sea-to-sky.net> 96 Still 100% public domain 97 98 1- Removed #include <process.h> and used return() instead of exit() 99 2- Fixed overwriting of finalcount in SHA1Final() (discovered by Chris Hall) 100 3- Changed email address from steve@edmweb.com to sreid@sea-to-sky.net 101 102 ----------------- 103 Modified 4/01 104 By Saul Kravitz <Saul.Kravitz@celera.com> 105 Still 100% PD 106 Modified to run on Compaq Alpha hardware. 107 108 ----------------- 109 Modified 4/01 110 By Jouni Malinen <j@w1.fi> 111 Minor changes to match the coding style used in Dynamics. 112 113 Modified September 24, 2004 114 By Jouni Malinen <j@w1.fi> 115 Fixed alignment issue in SHA1Transform when SHA1HANDSOFF is defined. 116 117 */ 118 119 /* 120 Test Vectors (from FIPS PUB 180-1) 121 "abc" 122 A9993E36 4706816A BA3E2571 7850C26C 9CD0D89D 123 "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" 124 84983E44 1C3BD26E BAAE4AA1 F95129E5 E54670F1 125 A million repetitions of "a" 126 34AA973C D4C4DAA4 F61EEB2B DBAD2731 6534016F 127 */ 128 129 #define SHA1HANDSOFF 130 131 #define rol(value, bits) (((value) << (bits)) | ((value) >> (32 - (bits)))) 132 133 /* blk0() and blk() perform the initial expand. */ 134 /* I got the idea of expanding during the round function from SSLeay */ 135 #ifndef WORDS_BIGENDIAN 136 #define blk0(i) (block->l[i] = (rol(block->l[i], 24) & 0xFF00FF00) | \ 137 (rol(block->l[i], 8) & 0x00FF00FF)) 138 #else 139 #define blk0(i) block->l[i] 140 #endif 141 #define blk(i) (block->l[i & 15] = rol(block->l[(i + 13) & 15] ^ \ 142 block->l[(i + 8) & 15] ^ block->l[(i + 2) & 15] ^ block->l[i & 15], 1)) 143 144 /* (R0+R1), R2, R3, R4 are the different operations used in SHA1 */ 145 #define R0(v,w,x,y,z,i) \ 146 z += ((w & (x ^ y)) ^ y) + blk0(i) + 0x5A827999 + rol(v, 5); \ 147 w = rol(w, 30); 148 #define R1(v,w,x,y,z,i) \ 149 z += ((w & (x ^ y)) ^ y) + blk(i) + 0x5A827999 + rol(v, 5); \ 150 w = rol(w, 30); 151 #define R2(v,w,x,y,z,i) \ 152 z += (w ^ x ^ y) + blk(i) + 0x6ED9EBA1 + rol(v, 5); w = rol(w, 30); 153 #define R3(v,w,x,y,z,i) \ 154 z += (((w | x) & y) | (w & x)) + blk(i) + 0x8F1BBCDC + rol(v, 5); \ 155 w = rol(w, 30); 156 #define R4(v,w,x,y,z,i) \ 157 z += (w ^ x ^ y) + blk(i) + 0xCA62C1D6 + rol(v, 5); \ 158 w=rol(w, 30); 159 160 161 #ifdef VERBOSE /* SAK */ 162 void SHAPrintContext(SHA1_CTX *context, char *msg) 163 { 164 printf("%s (%d,%d) %x %x %x %x %x\n", 165 msg, 166 context->count[0], context->count[1], 167 context->state[0], 168 context->state[1], 169 context->state[2], 170 context->state[3], 171 context->state[4]); 172 } 173 #endif 174 175 /* Hash a single 512-bit block. This is the core of the algorithm. */ 176 177 void SHA1Transform(u32 state[5], const unsigned char buffer[64]) 178 { 179 u32 a, b, c, d, e; 180 typedef union { 181 unsigned char c[64]; 182 u32 l[16]; 183 } CHAR64LONG16; 184 CHAR64LONG16* block; 185 #ifdef SHA1HANDSOFF 186 CHAR64LONG16 workspace; 187 block = &workspace; 188 os_memcpy(block, buffer, 64); 189 #else 190 block = (CHAR64LONG16 *) buffer; 191 #endif 192 /* Copy context->state[] to working vars */ 193 a = state[0]; 194 b = state[1]; 195 c = state[2]; 196 d = state[3]; 197 e = state[4]; 198 /* 4 rounds of 20 operations each. Loop unrolled. */ 199 R0(a,b,c,d,e, 0); R0(e,a,b,c,d, 1); R0(d,e,a,b,c, 2); R0(c,d,e,a,b, 3); 200 R0(b,c,d,e,a, 4); R0(a,b,c,d,e, 5); R0(e,a,b,c,d, 6); R0(d,e,a,b,c, 7); 201 R0(c,d,e,a,b, 8); R0(b,c,d,e,a, 9); R0(a,b,c,d,e,10); R0(e,a,b,c,d,11); 202 R0(d,e,a,b,c,12); R0(c,d,e,a,b,13); R0(b,c,d,e,a,14); R0(a,b,c,d,e,15); 203 R1(e,a,b,c,d,16); R1(d,e,a,b,c,17); R1(c,d,e,a,b,18); R1(b,c,d,e,a,19); 204 R2(a,b,c,d,e,20); R2(e,a,b,c,d,21); R2(d,e,a,b,c,22); R2(c,d,e,a,b,23); 205 R2(b,c,d,e,a,24); R2(a,b,c,d,e,25); R2(e,a,b,c,d,26); R2(d,e,a,b,c,27); 206 R2(c,d,e,a,b,28); R2(b,c,d,e,a,29); R2(a,b,c,d,e,30); R2(e,a,b,c,d,31); 207 R2(d,e,a,b,c,32); R2(c,d,e,a,b,33); R2(b,c,d,e,a,34); R2(a,b,c,d,e,35); 208 R2(e,a,b,c,d,36); R2(d,e,a,b,c,37); R2(c,d,e,a,b,38); R2(b,c,d,e,a,39); 209 R3(a,b,c,d,e,40); R3(e,a,b,c,d,41); R3(d,e,a,b,c,42); R3(c,d,e,a,b,43); 210 R3(b,c,d,e,a,44); R3(a,b,c,d,e,45); R3(e,a,b,c,d,46); R3(d,e,a,b,c,47); 211 R3(c,d,e,a,b,48); R3(b,c,d,e,a,49); R3(a,b,c,d,e,50); R3(e,a,b,c,d,51); 212 R3(d,e,a,b,c,52); R3(c,d,e,a,b,53); R3(b,c,d,e,a,54); R3(a,b,c,d,e,55); 213 R3(e,a,b,c,d,56); R3(d,e,a,b,c,57); R3(c,d,e,a,b,58); R3(b,c,d,e,a,59); 214 R4(a,b,c,d,e,60); R4(e,a,b,c,d,61); R4(d,e,a,b,c,62); R4(c,d,e,a,b,63); 215 R4(b,c,d,e,a,64); R4(a,b,c,d,e,65); R4(e,a,b,c,d,66); R4(d,e,a,b,c,67); 216 R4(c,d,e,a,b,68); R4(b,c,d,e,a,69); R4(a,b,c,d,e,70); R4(e,a,b,c,d,71); 217 R4(d,e,a,b,c,72); R4(c,d,e,a,b,73); R4(b,c,d,e,a,74); R4(a,b,c,d,e,75); 218 R4(e,a,b,c,d,76); R4(d,e,a,b,c,77); R4(c,d,e,a,b,78); R4(b,c,d,e,a,79); 219 /* Add the working vars back into context.state[] */ 220 state[0] += a; 221 state[1] += b; 222 state[2] += c; 223 state[3] += d; 224 state[4] += e; 225 /* Wipe variables */ 226 a = b = c = d = e = 0; 227 #ifdef SHA1HANDSOFF 228 os_memset(block, 0, 64); 229 #endif 230 } 231 232 233 /* SHA1Init - Initialize new context */ 234 235 void SHA1Init(SHA1_CTX* context) 236 { 237 /* SHA1 initialization constants */ 238 context->state[0] = 0x67452301; 239 context->state[1] = 0xEFCDAB89; 240 context->state[2] = 0x98BADCFE; 241 context->state[3] = 0x10325476; 242 context->state[4] = 0xC3D2E1F0; 243 context->count[0] = context->count[1] = 0; 244 } 245 246 247 /* Run your data through this. */ 248 249 void SHA1Update(SHA1_CTX* context, const void *_data, u32 len) 250 { 251 u32 i, j; 252 const unsigned char *data = _data; 253 254 #ifdef VERBOSE 255 SHAPrintContext(context, "before"); 256 #endif 257 j = (context->count[0] >> 3) & 63; 258 if ((context->count[0] += len << 3) < (len << 3)) 259 context->count[1]++; 260 context->count[1] += (len >> 29); 261 if ((j + len) > 63) { 262 os_memcpy(&context->buffer[j], data, (i = 64-j)); 263 SHA1Transform(context->state, context->buffer); 264 for ( ; i + 63 < len; i += 64) { 265 SHA1Transform(context->state, &data[i]); 266 } 267 j = 0; 268 } 269 else i = 0; 270 os_memcpy(&context->buffer[j], &data[i], len - i); 271 #ifdef VERBOSE 272 SHAPrintContext(context, "after "); 273 #endif 274 } 275 276 277 /* Add padding and return the message digest. */ 278 279 void SHA1Final(unsigned char digest[20], SHA1_CTX* context) 280 { 281 u32 i; 282 unsigned char finalcount[8]; 283 284 for (i = 0; i < 8; i++) { 285 finalcount[i] = (unsigned char) 286 ((context->count[(i >= 4 ? 0 : 1)] >> 287 ((3-(i & 3)) * 8) ) & 255); /* Endian independent */ 288 } 289 SHA1Update(context, (unsigned char *) "\200", 1); 290 while ((context->count[0] & 504) != 448) { 291 SHA1Update(context, (unsigned char *) "\0", 1); 292 } 293 SHA1Update(context, finalcount, 8); /* Should cause a SHA1Transform() 294 */ 295 for (i = 0; i < 20; i++) { 296 digest[i] = (unsigned char) 297 ((context->state[i >> 2] >> ((3 - (i & 3)) * 8)) & 298 255); 299 } 300 /* Wipe variables */ 301 i = 0; 302 os_memset(context->buffer, 0, 64); 303 os_memset(context->state, 0, 20); 304 os_memset(context->count, 0, 8); 305 os_memset(finalcount, 0, 8); 306 } 307 308 /* ===== end - public domain SHA1 implementation ===== */ 309