1 /* 2 * SHA1 hash implementation and interface functions 3 * Copyright (c) 2003-2005, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "includes.h" 10 11 #include "common.h" 12 #include "sha1.h" 13 #include "sha1_i.h" 14 #include "md5.h" 15 #include "crypto.h" 16 17 typedef struct SHA1Context SHA1_CTX; 18 19 void SHA1Transform(u32 state[5], const unsigned char buffer[64]); 20 21 22 /** 23 * sha1_vector - SHA-1 hash for data vector 24 * @num_elem: Number of elements in the data vector 25 * @addr: Pointers to the data areas 26 * @len: Lengths of the data blocks 27 * @mac: Buffer for the hash 28 * Returns: 0 on success, -1 of failure 29 */ 30 int sha1_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac) 31 { 32 SHA1_CTX ctx; 33 size_t i; 34 35 SHA1Init(&ctx); 36 for (i = 0; i < num_elem; i++) 37 SHA1Update(&ctx, addr[i], len[i]); 38 SHA1Final(mac, &ctx); 39 return 0; 40 } 41 42 43 /* ===== start - public domain SHA1 implementation ===== */ 44 45 /* 46 SHA-1 in C 47 By Steve Reid <sreid@sea-to-sky.net> 48 100% Public Domain 49 50 ----------------- 51 Modified 7/98 52 By James H. Brown <jbrown@burgoyne.com> 53 Still 100% Public Domain 54 55 Corrected a problem which generated improper hash values on 16 bit machines 56 Routine SHA1Update changed from 57 void SHA1Update(SHA1_CTX* context, unsigned char* data, unsigned int 58 len) 59 to 60 void SHA1Update(SHA1_CTX* context, unsigned char* data, unsigned 61 long len) 62 63 The 'len' parameter was declared an int which works fine on 32 bit machines. 64 However, on 16 bit machines an int is too small for the shifts being done 65 against 66 it. This caused the hash function to generate incorrect values if len was 67 greater than 8191 (8K - 1) due to the 'len << 3' on line 3 of SHA1Update(). 68 69 Since the file IO in main() reads 16K at a time, any file 8K or larger would 70 be guaranteed to generate the wrong hash (e.g. Test Vector #3, a million 71 "a"s). 72 73 I also changed the declaration of variables i & j in SHA1Update to 74 unsigned long from unsigned int for the same reason. 75 76 These changes should make no difference to any 32 bit implementations since 77 an 78 int and a long are the same size in those environments. 79 80 -- 81 I also corrected a few compiler warnings generated by Borland C. 82 1. Added #include <process.h> for exit() prototype 83 2. Removed unused variable 'j' in SHA1Final 84 3. Changed exit(0) to return(0) at end of main. 85 86 ALL changes I made can be located by searching for comments containing 'JHB' 87 ----------------- 88 Modified 8/98 89 By Steve Reid <sreid@sea-to-sky.net> 90 Still 100% public domain 91 92 1- Removed #include <process.h> and used return() instead of exit() 93 2- Fixed overwriting of finalcount in SHA1Final() (discovered by Chris Hall) 94 3- Changed email address from steve@edmweb.com to sreid@sea-to-sky.net 95 96 ----------------- 97 Modified 4/01 98 By Saul Kravitz <Saul.Kravitz@celera.com> 99 Still 100% PD 100 Modified to run on Compaq Alpha hardware. 101 102 ----------------- 103 Modified 4/01 104 By Jouni Malinen <j@w1.fi> 105 Minor changes to match the coding style used in Dynamics. 106 107 Modified September 24, 2004 108 By Jouni Malinen <j@w1.fi> 109 Fixed alignment issue in SHA1Transform when SHA1HANDSOFF is defined. 110 111 */ 112 113 /* 114 Test Vectors (from FIPS PUB 180-1) 115 "abc" 116 A9993E36 4706816A BA3E2571 7850C26C 9CD0D89D 117 "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" 118 84983E44 1C3BD26E BAAE4AA1 F95129E5 E54670F1 119 A million repetitions of "a" 120 34AA973C D4C4DAA4 F61EEB2B DBAD2731 6534016F 121 */ 122 123 #define SHA1HANDSOFF 124 125 #define rol(value, bits) (((value) << (bits)) | ((value) >> (32 - (bits)))) 126 127 /* blk0() and blk() perform the initial expand. */ 128 /* I got the idea of expanding during the round function from SSLeay */ 129 #ifndef WORDS_BIGENDIAN 130 #define blk0(i) (block->l[i] = (rol(block->l[i], 24) & 0xFF00FF00) | \ 131 (rol(block->l[i], 8) & 0x00FF00FF)) 132 #else 133 #define blk0(i) block->l[i] 134 #endif 135 #define blk(i) (block->l[i & 15] = rol(block->l[(i + 13) & 15] ^ \ 136 block->l[(i + 8) & 15] ^ block->l[(i + 2) & 15] ^ block->l[i & 15], 1)) 137 138 /* (R0+R1), R2, R3, R4 are the different operations used in SHA1 */ 139 #define R0(v,w,x,y,z,i) \ 140 z += ((w & (x ^ y)) ^ y) + blk0(i) + 0x5A827999 + rol(v, 5); \ 141 w = rol(w, 30); 142 #define R1(v,w,x,y,z,i) \ 143 z += ((w & (x ^ y)) ^ y) + blk(i) + 0x5A827999 + rol(v, 5); \ 144 w = rol(w, 30); 145 #define R2(v,w,x,y,z,i) \ 146 z += (w ^ x ^ y) + blk(i) + 0x6ED9EBA1 + rol(v, 5); w = rol(w, 30); 147 #define R3(v,w,x,y,z,i) \ 148 z += (((w | x) & y) | (w & x)) + blk(i) + 0x8F1BBCDC + rol(v, 5); \ 149 w = rol(w, 30); 150 #define R4(v,w,x,y,z,i) \ 151 z += (w ^ x ^ y) + blk(i) + 0xCA62C1D6 + rol(v, 5); \ 152 w=rol(w, 30); 153 154 155 #ifdef VERBOSE /* SAK */ 156 void SHAPrintContext(SHA1_CTX *context, char *msg) 157 { 158 printf("%s (%d,%d) %x %x %x %x %x\n", 159 msg, 160 context->count[0], context->count[1], 161 context->state[0], 162 context->state[1], 163 context->state[2], 164 context->state[3], 165 context->state[4]); 166 } 167 #endif 168 169 /* Hash a single 512-bit block. This is the core of the algorithm. */ 170 171 void SHA1Transform(u32 state[5], const unsigned char buffer[64]) 172 { 173 u32 a, b, c, d, e; 174 typedef union { 175 unsigned char c[64]; 176 u32 l[16]; 177 } CHAR64LONG16; 178 CHAR64LONG16* block; 179 #ifdef SHA1HANDSOFF 180 CHAR64LONG16 workspace; 181 block = &workspace; 182 os_memcpy(block, buffer, 64); 183 #else 184 block = (CHAR64LONG16 *) buffer; 185 #endif 186 /* Copy context->state[] to working vars */ 187 a = state[0]; 188 b = state[1]; 189 c = state[2]; 190 d = state[3]; 191 e = state[4]; 192 /* 4 rounds of 20 operations each. Loop unrolled. */ 193 R0(a,b,c,d,e, 0); R0(e,a,b,c,d, 1); R0(d,e,a,b,c, 2); R0(c,d,e,a,b, 3); 194 R0(b,c,d,e,a, 4); R0(a,b,c,d,e, 5); R0(e,a,b,c,d, 6); R0(d,e,a,b,c, 7); 195 R0(c,d,e,a,b, 8); R0(b,c,d,e,a, 9); R0(a,b,c,d,e,10); R0(e,a,b,c,d,11); 196 R0(d,e,a,b,c,12); R0(c,d,e,a,b,13); R0(b,c,d,e,a,14); R0(a,b,c,d,e,15); 197 R1(e,a,b,c,d,16); R1(d,e,a,b,c,17); R1(c,d,e,a,b,18); R1(b,c,d,e,a,19); 198 R2(a,b,c,d,e,20); R2(e,a,b,c,d,21); R2(d,e,a,b,c,22); R2(c,d,e,a,b,23); 199 R2(b,c,d,e,a,24); R2(a,b,c,d,e,25); R2(e,a,b,c,d,26); R2(d,e,a,b,c,27); 200 R2(c,d,e,a,b,28); R2(b,c,d,e,a,29); R2(a,b,c,d,e,30); R2(e,a,b,c,d,31); 201 R2(d,e,a,b,c,32); R2(c,d,e,a,b,33); R2(b,c,d,e,a,34); R2(a,b,c,d,e,35); 202 R2(e,a,b,c,d,36); R2(d,e,a,b,c,37); R2(c,d,e,a,b,38); R2(b,c,d,e,a,39); 203 R3(a,b,c,d,e,40); R3(e,a,b,c,d,41); R3(d,e,a,b,c,42); R3(c,d,e,a,b,43); 204 R3(b,c,d,e,a,44); R3(a,b,c,d,e,45); R3(e,a,b,c,d,46); R3(d,e,a,b,c,47); 205 R3(c,d,e,a,b,48); R3(b,c,d,e,a,49); R3(a,b,c,d,e,50); R3(e,a,b,c,d,51); 206 R3(d,e,a,b,c,52); R3(c,d,e,a,b,53); R3(b,c,d,e,a,54); R3(a,b,c,d,e,55); 207 R3(e,a,b,c,d,56); R3(d,e,a,b,c,57); R3(c,d,e,a,b,58); R3(b,c,d,e,a,59); 208 R4(a,b,c,d,e,60); R4(e,a,b,c,d,61); R4(d,e,a,b,c,62); R4(c,d,e,a,b,63); 209 R4(b,c,d,e,a,64); R4(a,b,c,d,e,65); R4(e,a,b,c,d,66); R4(d,e,a,b,c,67); 210 R4(c,d,e,a,b,68); R4(b,c,d,e,a,69); R4(a,b,c,d,e,70); R4(e,a,b,c,d,71); 211 R4(d,e,a,b,c,72); R4(c,d,e,a,b,73); R4(b,c,d,e,a,74); R4(a,b,c,d,e,75); 212 R4(e,a,b,c,d,76); R4(d,e,a,b,c,77); R4(c,d,e,a,b,78); R4(b,c,d,e,a,79); 213 /* Add the working vars back into context.state[] */ 214 state[0] += a; 215 state[1] += b; 216 state[2] += c; 217 state[3] += d; 218 state[4] += e; 219 /* Wipe variables */ 220 a = b = c = d = e = 0; 221 #ifdef SHA1HANDSOFF 222 os_memset(block, 0, 64); 223 #endif 224 } 225 226 227 /* SHA1Init - Initialize new context */ 228 229 void SHA1Init(SHA1_CTX* context) 230 { 231 /* SHA1 initialization constants */ 232 context->state[0] = 0x67452301; 233 context->state[1] = 0xEFCDAB89; 234 context->state[2] = 0x98BADCFE; 235 context->state[3] = 0x10325476; 236 context->state[4] = 0xC3D2E1F0; 237 context->count[0] = context->count[1] = 0; 238 } 239 240 241 /* Run your data through this. */ 242 243 void SHA1Update(SHA1_CTX* context, const void *_data, u32 len) 244 { 245 u32 i, j; 246 const unsigned char *data = _data; 247 248 #ifdef VERBOSE 249 SHAPrintContext(context, "before"); 250 #endif 251 j = (context->count[0] >> 3) & 63; 252 if ((context->count[0] += len << 3) < (len << 3)) 253 context->count[1]++; 254 context->count[1] += (len >> 29); 255 if ((j + len) > 63) { 256 os_memcpy(&context->buffer[j], data, (i = 64-j)); 257 SHA1Transform(context->state, context->buffer); 258 for ( ; i + 63 < len; i += 64) { 259 SHA1Transform(context->state, &data[i]); 260 } 261 j = 0; 262 } 263 else i = 0; 264 os_memcpy(&context->buffer[j], &data[i], len - i); 265 #ifdef VERBOSE 266 SHAPrintContext(context, "after "); 267 #endif 268 } 269 270 271 /* Add padding and return the message digest. */ 272 273 void SHA1Final(unsigned char digest[20], SHA1_CTX* context) 274 { 275 u32 i; 276 unsigned char finalcount[8]; 277 278 for (i = 0; i < 8; i++) { 279 finalcount[i] = (unsigned char) 280 ((context->count[(i >= 4 ? 0 : 1)] >> 281 ((3-(i & 3)) * 8) ) & 255); /* Endian independent */ 282 } 283 SHA1Update(context, (unsigned char *) "\200", 1); 284 while ((context->count[0] & 504) != 448) { 285 SHA1Update(context, (unsigned char *) "\0", 1); 286 } 287 SHA1Update(context, finalcount, 8); /* Should cause a SHA1Transform() 288 */ 289 for (i = 0; i < 20; i++) { 290 digest[i] = (unsigned char) 291 ((context->state[i >> 2] >> ((3 - (i & 3)) * 8)) & 292 255); 293 } 294 /* Wipe variables */ 295 i = 0; 296 os_memset(context->buffer, 0, 64); 297 os_memset(context->state, 0, 20); 298 os_memset(context->count, 0, 8); 299 os_memset(finalcount, 0, 8); 300 } 301 302 /* ===== end - public domain SHA1 implementation ===== */ 303