sha1.c revision 1.8 1 1.1 mrg /* sha1.c - Functions to compute SHA1 message digest of files or
2 1.1 mrg memory blocks according to the NIST specification FIPS-180-1.
3 1.1 mrg
4 1.8 mrg Copyright (C) 2000-2022 Free Software Foundation, Inc.
5 1.1 mrg
6 1.1 mrg This program is free software; you can redistribute it and/or modify it
7 1.1 mrg under the terms of the GNU General Public License as published by the
8 1.1 mrg Free Software Foundation; either version 2, or (at your option) any
9 1.1 mrg later version.
10 1.1 mrg
11 1.1 mrg This program is distributed in the hope that it will be useful,
12 1.1 mrg but WITHOUT ANY WARRANTY; without even the implied warranty of
13 1.1 mrg MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 1.1 mrg GNU General Public License for more details.
15 1.1 mrg
16 1.1 mrg You should have received a copy of the GNU General Public License
17 1.1 mrg along with this program; if not, write to the Free Software Foundation,
18 1.1 mrg Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. */
19 1.1 mrg
20 1.1 mrg /* Written by Scott G. Miller
21 1.1 mrg Credits:
22 1.1 mrg Robert Klep <robert (at) ilse.nl> -- Expansion function fix
23 1.1 mrg */
24 1.1 mrg
25 1.1 mrg #include <config.h>
26 1.1 mrg
27 1.1 mrg #include "sha1.h"
28 1.1 mrg
29 1.1 mrg #include <stddef.h>
30 1.1 mrg #include <string.h>
31 1.1 mrg
32 1.1 mrg #if USE_UNLOCKED_IO
33 1.1 mrg # include "unlocked-io.h"
34 1.1 mrg #endif
35 1.1 mrg
36 1.1 mrg #ifdef WORDS_BIGENDIAN
37 1.1 mrg # define SWAP(n) (n)
38 1.1 mrg #else
39 1.1 mrg # define SWAP(n) \
40 1.1 mrg (((n) << 24) | (((n) & 0xff00) << 8) | (((n) >> 8) & 0xff00) | ((n) >> 24))
41 1.1 mrg #endif
42 1.1 mrg
43 1.1 mrg #define BLOCKSIZE 4096
44 1.1 mrg #if BLOCKSIZE % 64 != 0
45 1.1 mrg # error "invalid BLOCKSIZE"
46 1.1 mrg #endif
47 1.1 mrg
48 1.1 mrg /* This array contains the bytes used to pad the buffer to the next
49 1.1 mrg 64-byte boundary. (RFC 1321, 3.1: Step 1) */
50 1.1 mrg static const unsigned char fillbuf[64] = { 0x80, 0 /* , 0, 0, ... */ };
51 1.1 mrg
52 1.1 mrg
53 1.1 mrg /* Take a pointer to a 160 bit block of data (five 32 bit ints) and
54 1.1 mrg initialize it to the start constants of the SHA1 algorithm. This
55 1.1 mrg must be called before using hash in the call to sha1_hash. */
56 1.1 mrg void
57 1.1 mrg sha1_init_ctx (struct sha1_ctx *ctx)
58 1.1 mrg {
59 1.1 mrg ctx->A = 0x67452301;
60 1.1 mrg ctx->B = 0xefcdab89;
61 1.1 mrg ctx->C = 0x98badcfe;
62 1.1 mrg ctx->D = 0x10325476;
63 1.1 mrg ctx->E = 0xc3d2e1f0;
64 1.1 mrg
65 1.1 mrg ctx->total[0] = ctx->total[1] = 0;
66 1.1 mrg ctx->buflen = 0;
67 1.1 mrg }
68 1.1 mrg
69 1.1 mrg /* Put result from CTX in first 20 bytes following RESBUF. The result
70 1.1 mrg must be in little endian byte order.
71 1.1 mrg
72 1.1 mrg IMPORTANT: On some systems it is required that RESBUF is correctly
73 1.1 mrg aligned for a 32-bit value. */
74 1.1 mrg void *
75 1.1 mrg sha1_read_ctx (const struct sha1_ctx *ctx, void *resbuf)
76 1.1 mrg {
77 1.1 mrg ((sha1_uint32 *) resbuf)[0] = SWAP (ctx->A);
78 1.1 mrg ((sha1_uint32 *) resbuf)[1] = SWAP (ctx->B);
79 1.1 mrg ((sha1_uint32 *) resbuf)[2] = SWAP (ctx->C);
80 1.1 mrg ((sha1_uint32 *) resbuf)[3] = SWAP (ctx->D);
81 1.1 mrg ((sha1_uint32 *) resbuf)[4] = SWAP (ctx->E);
82 1.1 mrg
83 1.1 mrg return resbuf;
84 1.1 mrg }
85 1.1 mrg
86 1.1 mrg /* Process the remaining bytes in the internal buffer and the usual
87 1.1 mrg prolog according to the standard and write the result to RESBUF.
88 1.1 mrg
89 1.1 mrg IMPORTANT: On some systems it is required that RESBUF is correctly
90 1.1 mrg aligned for a 32-bit value. */
91 1.1 mrg void *
92 1.1 mrg sha1_finish_ctx (struct sha1_ctx *ctx, void *resbuf)
93 1.1 mrg {
94 1.1 mrg /* Take yet unprocessed bytes into account. */
95 1.1 mrg sha1_uint32 bytes = ctx->buflen;
96 1.1 mrg size_t size = (bytes < 56) ? 64 / 4 : 64 * 2 / 4;
97 1.1 mrg
98 1.1 mrg /* Now count remaining bytes. */
99 1.1 mrg ctx->total[0] += bytes;
100 1.1 mrg if (ctx->total[0] < bytes)
101 1.1 mrg ++ctx->total[1];
102 1.1 mrg
103 1.1 mrg /* Put the 64-bit file length in *bits* at the end of the buffer. */
104 1.1 mrg ctx->buffer[size - 2] = SWAP ((ctx->total[1] << 3) | (ctx->total[0] >> 29));
105 1.1 mrg ctx->buffer[size - 1] = SWAP (ctx->total[0] << 3);
106 1.1 mrg
107 1.1 mrg memcpy (&((char *) ctx->buffer)[bytes], fillbuf, (size - 2) * 4 - bytes);
108 1.1 mrg
109 1.1 mrg /* Process last bytes. */
110 1.1 mrg sha1_process_block (ctx->buffer, size * 4, ctx);
111 1.1 mrg
112 1.1 mrg return sha1_read_ctx (ctx, resbuf);
113 1.1 mrg }
114 1.1 mrg
115 1.1 mrg /* Compute SHA1 message digest for bytes read from STREAM. The
116 1.1 mrg resulting message digest number will be written into the 16 bytes
117 1.1 mrg beginning at RESBLOCK. */
118 1.1 mrg int
119 1.1 mrg sha1_stream (FILE *stream, void *resblock)
120 1.1 mrg {
121 1.1 mrg struct sha1_ctx ctx;
122 1.1 mrg char buffer[BLOCKSIZE + 72];
123 1.1 mrg size_t sum;
124 1.1 mrg
125 1.1 mrg /* Initialize the computation context. */
126 1.1 mrg sha1_init_ctx (&ctx);
127 1.1 mrg
128 1.1 mrg /* Iterate over full file contents. */
129 1.1 mrg while (1)
130 1.1 mrg {
131 1.1 mrg /* We read the file in blocks of BLOCKSIZE bytes. One call of the
132 1.1 mrg computation function processes the whole buffer so that with the
133 1.1 mrg next round of the loop another block can be read. */
134 1.1 mrg size_t n;
135 1.1 mrg sum = 0;
136 1.1 mrg
137 1.1 mrg /* Read block. Take care for partial reads. */
138 1.1 mrg while (1)
139 1.1 mrg {
140 1.1 mrg n = fread (buffer + sum, 1, BLOCKSIZE - sum, stream);
141 1.1 mrg
142 1.1 mrg sum += n;
143 1.1 mrg
144 1.1 mrg if (sum == BLOCKSIZE)
145 1.1 mrg break;
146 1.1 mrg
147 1.1 mrg if (n == 0)
148 1.1 mrg {
149 1.1 mrg /* Check for the error flag IFF N == 0, so that we don't
150 1.1 mrg exit the loop after a partial read due to e.g., EAGAIN
151 1.1 mrg or EWOULDBLOCK. */
152 1.1 mrg if (ferror (stream))
153 1.1 mrg return 1;
154 1.1 mrg goto process_partial_block;
155 1.1 mrg }
156 1.1 mrg
157 1.1 mrg /* We've read at least one byte, so ignore errors. But always
158 1.1 mrg check for EOF, since feof may be true even though N > 0.
159 1.1 mrg Otherwise, we could end up calling fread after EOF. */
160 1.1 mrg if (feof (stream))
161 1.1 mrg goto process_partial_block;
162 1.1 mrg }
163 1.1 mrg
164 1.1 mrg /* Process buffer with BLOCKSIZE bytes. Note that
165 1.1 mrg BLOCKSIZE % 64 == 0
166 1.1 mrg */
167 1.1 mrg sha1_process_block (buffer, BLOCKSIZE, &ctx);
168 1.1 mrg }
169 1.1 mrg
170 1.1 mrg process_partial_block:;
171 1.1 mrg
172 1.1 mrg /* Process any remaining bytes. */
173 1.1 mrg if (sum > 0)
174 1.1 mrg sha1_process_bytes (buffer, sum, &ctx);
175 1.1 mrg
176 1.1 mrg /* Construct result in desired memory. */
177 1.1 mrg sha1_finish_ctx (&ctx, resblock);
178 1.1 mrg return 0;
179 1.1 mrg }
180 1.1 mrg
181 1.1 mrg /* Compute SHA1 message digest for LEN bytes beginning at BUFFER. The
182 1.1 mrg result is always in little endian byte order, so that a byte-wise
183 1.1 mrg output yields to the wanted ASCII representation of the message
184 1.1 mrg digest. */
185 1.1 mrg void *
186 1.1 mrg sha1_buffer (const char *buffer, size_t len, void *resblock)
187 1.1 mrg {
188 1.1 mrg struct sha1_ctx ctx;
189 1.1 mrg
190 1.1 mrg /* Initialize the computation context. */
191 1.1 mrg sha1_init_ctx (&ctx);
192 1.1 mrg
193 1.1 mrg /* Process whole buffer but last len % 64 bytes. */
194 1.1 mrg sha1_process_bytes (buffer, len, &ctx);
195 1.1 mrg
196 1.1 mrg /* Put result in desired memory area. */
197 1.1 mrg return sha1_finish_ctx (&ctx, resblock);
198 1.1 mrg }
199 1.1 mrg
200 1.1 mrg void
201 1.1 mrg sha1_process_bytes (const void *buffer, size_t len, struct sha1_ctx *ctx)
202 1.1 mrg {
203 1.1 mrg /* When we already have some bits in our internal buffer concatenate
204 1.1 mrg both inputs first. */
205 1.1 mrg if (ctx->buflen != 0)
206 1.1 mrg {
207 1.1 mrg size_t left_over = ctx->buflen;
208 1.1 mrg size_t add = 128 - left_over > len ? len : 128 - left_over;
209 1.1 mrg
210 1.1 mrg memcpy (&((char *) ctx->buffer)[left_over], buffer, add);
211 1.1 mrg ctx->buflen += add;
212 1.1 mrg
213 1.1 mrg if (ctx->buflen > 64)
214 1.1 mrg {
215 1.1 mrg sha1_process_block (ctx->buffer, ctx->buflen & ~63, ctx);
216 1.1 mrg
217 1.1 mrg ctx->buflen &= 63;
218 1.1 mrg /* The regions in the following copy operation cannot overlap. */
219 1.1 mrg memcpy (ctx->buffer,
220 1.1 mrg &((char *) ctx->buffer)[(left_over + add) & ~63],
221 1.1 mrg ctx->buflen);
222 1.1 mrg }
223 1.1 mrg
224 1.1 mrg buffer = (const char *) buffer + add;
225 1.1 mrg len -= add;
226 1.1 mrg }
227 1.1 mrg
228 1.1 mrg /* Process available complete blocks. */
229 1.1 mrg if (len >= 64)
230 1.1 mrg {
231 1.1 mrg #if !_STRING_ARCH_unaligned
232 1.5 christos # if defined(__clang__) || defined(__GNUC__)
233 1.2 christos # define alignof(type) __alignof__(type)
234 1.2 christos # else
235 1.1 mrg # define alignof(type) offsetof (struct { char c; type x; }, x)
236 1.2 christos # endif
237 1.1 mrg # define UNALIGNED_P(p) (((size_t) p) % alignof (sha1_uint32) != 0)
238 1.1 mrg if (UNALIGNED_P (buffer))
239 1.1 mrg while (len > 64)
240 1.1 mrg {
241 1.1 mrg sha1_process_block (memcpy (ctx->buffer, buffer, 64), 64, ctx);
242 1.1 mrg buffer = (const char *) buffer + 64;
243 1.1 mrg len -= 64;
244 1.1 mrg }
245 1.1 mrg else
246 1.1 mrg #endif
247 1.1 mrg {
248 1.1 mrg sha1_process_block (buffer, len & ~63, ctx);
249 1.1 mrg buffer = (const char *) buffer + (len & ~63);
250 1.1 mrg len &= 63;
251 1.1 mrg }
252 1.1 mrg }
253 1.1 mrg
254 1.1 mrg /* Move remaining bytes in internal buffer. */
255 1.1 mrg if (len > 0)
256 1.1 mrg {
257 1.1 mrg size_t left_over = ctx->buflen;
258 1.1 mrg
259 1.1 mrg memcpy (&((char *) ctx->buffer)[left_over], buffer, len);
260 1.1 mrg left_over += len;
261 1.1 mrg if (left_over >= 64)
262 1.1 mrg {
263 1.1 mrg sha1_process_block (ctx->buffer, 64, ctx);
264 1.1 mrg left_over -= 64;
265 1.8 mrg memmove (ctx->buffer, &ctx->buffer[16], left_over);
266 1.1 mrg }
267 1.1 mrg ctx->buflen = left_over;
268 1.1 mrg }
269 1.1 mrg }
270 1.1 mrg
271 1.1 mrg /* --- Code below is the primary difference between md5.c and sha1.c --- */
272 1.1 mrg
273 1.1 mrg /* SHA1 round constants */
274 1.1 mrg #define K1 0x5a827999
275 1.1 mrg #define K2 0x6ed9eba1
276 1.1 mrg #define K3 0x8f1bbcdc
277 1.1 mrg #define K4 0xca62c1d6
278 1.1 mrg
279 1.1 mrg /* Round functions. Note that F2 is the same as F4. */
280 1.1 mrg #define F1(B,C,D) ( D ^ ( B & ( C ^ D ) ) )
281 1.1 mrg #define F2(B,C,D) (B ^ C ^ D)
282 1.1 mrg #define F3(B,C,D) ( ( B & C ) | ( D & ( B | C ) ) )
283 1.1 mrg #define F4(B,C,D) (B ^ C ^ D)
284 1.1 mrg
285 1.1 mrg /* Process LEN bytes of BUFFER, accumulating context into CTX.
286 1.1 mrg It is assumed that LEN % 64 == 0.
287 1.1 mrg Most of this code comes from GnuPG's cipher/sha1.c. */
288 1.1 mrg
289 1.1 mrg void
290 1.1 mrg sha1_process_block (const void *buffer, size_t len, struct sha1_ctx *ctx)
291 1.1 mrg {
292 1.1 mrg const sha1_uint32 *words = (const sha1_uint32*) buffer;
293 1.1 mrg size_t nwords = len / sizeof (sha1_uint32);
294 1.1 mrg const sha1_uint32 *endp = words + nwords;
295 1.1 mrg sha1_uint32 x[16];
296 1.1 mrg sha1_uint32 a = ctx->A;
297 1.1 mrg sha1_uint32 b = ctx->B;
298 1.1 mrg sha1_uint32 c = ctx->C;
299 1.1 mrg sha1_uint32 d = ctx->D;
300 1.1 mrg sha1_uint32 e = ctx->E;
301 1.1 mrg
302 1.1 mrg /* First increment the byte count. RFC 1321 specifies the possible
303 1.1 mrg length of the file up to 2^64 bits. Here we only compute the
304 1.1 mrg number of bytes. Do a double word increment. */
305 1.1 mrg ctx->total[0] += len;
306 1.2 christos ctx->total[1] += ((len >> 31) >> 1) + (ctx->total[0] < len);
307 1.1 mrg
308 1.1 mrg #define rol(x, n) (((x) << (n)) | ((sha1_uint32) (x) >> (32 - (n))))
309 1.1 mrg
310 1.1 mrg #define M(I) ( tm = x[I&0x0f] ^ x[(I-14)&0x0f] \
311 1.1 mrg ^ x[(I-8)&0x0f] ^ x[(I-3)&0x0f] \
312 1.1 mrg , (x[I&0x0f] = rol(tm, 1)) )
313 1.1 mrg
314 1.1 mrg #define R(A,B,C,D,E,F,K,M) do { E += rol( A, 5 ) \
315 1.1 mrg + F( B, C, D ) \
316 1.1 mrg + K \
317 1.1 mrg + M; \
318 1.1 mrg B = rol( B, 30 ); \
319 1.1 mrg } while(0)
320 1.1 mrg
321 1.1 mrg while (words < endp)
322 1.1 mrg {
323 1.1 mrg sha1_uint32 tm;
324 1.1 mrg int t;
325 1.1 mrg for (t = 0; t < 16; t++)
326 1.1 mrg {
327 1.1 mrg x[t] = SWAP (*words);
328 1.1 mrg words++;
329 1.1 mrg }
330 1.1 mrg
331 1.1 mrg R( a, b, c, d, e, F1, K1, x[ 0] );
332 1.1 mrg R( e, a, b, c, d, F1, K1, x[ 1] );
333 1.1 mrg R( d, e, a, b, c, F1, K1, x[ 2] );
334 1.1 mrg R( c, d, e, a, b, F1, K1, x[ 3] );
335 1.1 mrg R( b, c, d, e, a, F1, K1, x[ 4] );
336 1.1 mrg R( a, b, c, d, e, F1, K1, x[ 5] );
337 1.1 mrg R( e, a, b, c, d, F1, K1, x[ 6] );
338 1.1 mrg R( d, e, a, b, c, F1, K1, x[ 7] );
339 1.1 mrg R( c, d, e, a, b, F1, K1, x[ 8] );
340 1.1 mrg R( b, c, d, e, a, F1, K1, x[ 9] );
341 1.1 mrg R( a, b, c, d, e, F1, K1, x[10] );
342 1.1 mrg R( e, a, b, c, d, F1, K1, x[11] );
343 1.1 mrg R( d, e, a, b, c, F1, K1, x[12] );
344 1.1 mrg R( c, d, e, a, b, F1, K1, x[13] );
345 1.1 mrg R( b, c, d, e, a, F1, K1, x[14] );
346 1.1 mrg R( a, b, c, d, e, F1, K1, x[15] );
347 1.1 mrg R( e, a, b, c, d, F1, K1, M(16) );
348 1.1 mrg R( d, e, a, b, c, F1, K1, M(17) );
349 1.1 mrg R( c, d, e, a, b, F1, K1, M(18) );
350 1.1 mrg R( b, c, d, e, a, F1, K1, M(19) );
351 1.1 mrg R( a, b, c, d, e, F2, K2, M(20) );
352 1.1 mrg R( e, a, b, c, d, F2, K2, M(21) );
353 1.1 mrg R( d, e, a, b, c, F2, K2, M(22) );
354 1.1 mrg R( c, d, e, a, b, F2, K2, M(23) );
355 1.1 mrg R( b, c, d, e, a, F2, K2, M(24) );
356 1.1 mrg R( a, b, c, d, e, F2, K2, M(25) );
357 1.1 mrg R( e, a, b, c, d, F2, K2, M(26) );
358 1.1 mrg R( d, e, a, b, c, F2, K2, M(27) );
359 1.1 mrg R( c, d, e, a, b, F2, K2, M(28) );
360 1.1 mrg R( b, c, d, e, a, F2, K2, M(29) );
361 1.1 mrg R( a, b, c, d, e, F2, K2, M(30) );
362 1.1 mrg R( e, a, b, c, d, F2, K2, M(31) );
363 1.1 mrg R( d, e, a, b, c, F2, K2, M(32) );
364 1.1 mrg R( c, d, e, a, b, F2, K2, M(33) );
365 1.1 mrg R( b, c, d, e, a, F2, K2, M(34) );
366 1.1 mrg R( a, b, c, d, e, F2, K2, M(35) );
367 1.1 mrg R( e, a, b, c, d, F2, K2, M(36) );
368 1.1 mrg R( d, e, a, b, c, F2, K2, M(37) );
369 1.1 mrg R( c, d, e, a, b, F2, K2, M(38) );
370 1.1 mrg R( b, c, d, e, a, F2, K2, M(39) );
371 1.1 mrg R( a, b, c, d, e, F3, K3, M(40) );
372 1.1 mrg R( e, a, b, c, d, F3, K3, M(41) );
373 1.1 mrg R( d, e, a, b, c, F3, K3, M(42) );
374 1.1 mrg R( c, d, e, a, b, F3, K3, M(43) );
375 1.1 mrg R( b, c, d, e, a, F3, K3, M(44) );
376 1.1 mrg R( a, b, c, d, e, F3, K3, M(45) );
377 1.1 mrg R( e, a, b, c, d, F3, K3, M(46) );
378 1.1 mrg R( d, e, a, b, c, F3, K3, M(47) );
379 1.1 mrg R( c, d, e, a, b, F3, K3, M(48) );
380 1.1 mrg R( b, c, d, e, a, F3, K3, M(49) );
381 1.1 mrg R( a, b, c, d, e, F3, K3, M(50) );
382 1.1 mrg R( e, a, b, c, d, F3, K3, M(51) );
383 1.1 mrg R( d, e, a, b, c, F3, K3, M(52) );
384 1.1 mrg R( c, d, e, a, b, F3, K3, M(53) );
385 1.1 mrg R( b, c, d, e, a, F3, K3, M(54) );
386 1.1 mrg R( a, b, c, d, e, F3, K3, M(55) );
387 1.1 mrg R( e, a, b, c, d, F3, K3, M(56) );
388 1.1 mrg R( d, e, a, b, c, F3, K3, M(57) );
389 1.1 mrg R( c, d, e, a, b, F3, K3, M(58) );
390 1.1 mrg R( b, c, d, e, a, F3, K3, M(59) );
391 1.1 mrg R( a, b, c, d, e, F4, K4, M(60) );
392 1.1 mrg R( e, a, b, c, d, F4, K4, M(61) );
393 1.1 mrg R( d, e, a, b, c, F4, K4, M(62) );
394 1.1 mrg R( c, d, e, a, b, F4, K4, M(63) );
395 1.1 mrg R( b, c, d, e, a, F4, K4, M(64) );
396 1.1 mrg R( a, b, c, d, e, F4, K4, M(65) );
397 1.1 mrg R( e, a, b, c, d, F4, K4, M(66) );
398 1.1 mrg R( d, e, a, b, c, F4, K4, M(67) );
399 1.1 mrg R( c, d, e, a, b, F4, K4, M(68) );
400 1.1 mrg R( b, c, d, e, a, F4, K4, M(69) );
401 1.1 mrg R( a, b, c, d, e, F4, K4, M(70) );
402 1.1 mrg R( e, a, b, c, d, F4, K4, M(71) );
403 1.1 mrg R( d, e, a, b, c, F4, K4, M(72) );
404 1.1 mrg R( c, d, e, a, b, F4, K4, M(73) );
405 1.1 mrg R( b, c, d, e, a, F4, K4, M(74) );
406 1.1 mrg R( a, b, c, d, e, F4, K4, M(75) );
407 1.1 mrg R( e, a, b, c, d, F4, K4, M(76) );
408 1.1 mrg R( d, e, a, b, c, F4, K4, M(77) );
409 1.1 mrg R( c, d, e, a, b, F4, K4, M(78) );
410 1.1 mrg R( b, c, d, e, a, F4, K4, M(79) );
411 1.1 mrg
412 1.1 mrg a = ctx->A += a;
413 1.1 mrg b = ctx->B += b;
414 1.1 mrg c = ctx->C += c;
415 1.1 mrg d = ctx->D += d;
416 1.1 mrg e = ctx->E += e;
417 1.1 mrg }
418 1.1 mrg }
419