| 5191 |
serge |
1 |
/* sha1.c - Functions to compute SHA1 message digest of files or |
|
|
2 |
memory blocks according to the NIST specification FIPS-180-1. |
|
|
3 |
|
|
|
4 |
Copyright (C) 2000, 2001, 2003, 2004, 2005, 2006, 2008 Free Software |
|
|
5 |
Foundation, Inc. |
|
|
6 |
|
|
|
7 |
This program is free software; you can redistribute it and/or modify it |
|
|
8 |
under the terms of the GNU General Public License as published by the |
|
|
9 |
Free Software Foundation; either version 2, or (at your option) any |
|
|
10 |
later version. |
|
|
11 |
|
|
|
12 |
This program is distributed in the hope that it will be useful, |
|
|
13 |
but WITHOUT ANY WARRANTY; without even the implied warranty of |
|
|
14 |
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
|
|
15 |
GNU General Public License for more details. |
|
|
16 |
|
|
|
17 |
You should have received a copy of the GNU General Public License |
|
|
18 |
along with this program; if not, write to the Free Software Foundation, |
|
|
19 |
Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. */ |
|
|
20 |
|
|
|
21 |
/* Written by Scott G. Miller |
|
|
22 |
Credits: |
|
|
23 |
Robert Klep -- Expansion function fix |
|
|
24 |
*/ |
|
|
25 |
|
|
|
26 |
#include |
|
|
27 |
|
|
|
28 |
#include "sha1.h" |
|
|
29 |
|
|
|
30 |
#include |
|
|
31 |
#include |
|
|
32 |
|
|
|
33 |
#if USE_UNLOCKED_IO |
|
|
34 |
# include "unlocked-io.h" |
|
|
35 |
#endif |
|
|
36 |
|
|
|
37 |
#ifdef WORDS_BIGENDIAN |
|
|
38 |
# define SWAP(n) (n) |
|
|
39 |
#else |
|
|
40 |
# define SWAP(n) \ |
|
|
41 |
(((n) << 24) | (((n) & 0xff00) << 8) | (((n) >> 8) & 0xff00) | ((n) >> 24)) |
|
|
42 |
#endif |
|
|
43 |
|
|
|
44 |
#define BLOCKSIZE 4096 |
|
|
45 |
#if BLOCKSIZE % 64 != 0 |
|
|
46 |
# error "invalid BLOCKSIZE" |
|
|
47 |
#endif |
|
|
48 |
|
|
|
49 |
/* This array contains the bytes used to pad the buffer to the next |
|
|
50 |
64-byte boundary. (RFC 1321, 3.1: Step 1) */ |
|
|
51 |
static const unsigned char fillbuf[64] = { 0x80, 0 /* , 0, 0, ... */ }; |
|
|
52 |
|
|
|
53 |
|
|
|
54 |
/* Take a pointer to a 160 bit block of data (five 32 bit ints) and |
|
|
55 |
initialize it to the start constants of the SHA1 algorithm. This |
|
|
56 |
must be called before using hash in the call to sha1_hash. */ |
|
|
57 |
void |
|
|
58 |
sha1_init_ctx (struct sha1_ctx *ctx) |
|
|
59 |
{ |
|
|
60 |
ctx->A = 0x67452301; |
|
|
61 |
ctx->B = 0xefcdab89; |
|
|
62 |
ctx->C = 0x98badcfe; |
|
|
63 |
ctx->D = 0x10325476; |
|
|
64 |
ctx->E = 0xc3d2e1f0; |
|
|
65 |
|
|
|
66 |
ctx->total[0] = ctx->total[1] = 0; |
|
|
67 |
ctx->buflen = 0; |
|
|
68 |
} |
|
|
69 |
|
|
|
70 |
/* Put result from CTX in first 20 bytes following RESBUF. The result |
|
|
71 |
must be in little endian byte order. |
|
|
72 |
|
|
|
73 |
IMPORTANT: On some systems it is required that RESBUF is correctly |
|
|
74 |
aligned for a 32-bit value. */ |
|
|
75 |
void * |
|
|
76 |
sha1_read_ctx (const struct sha1_ctx *ctx, void *resbuf) |
|
|
77 |
{ |
|
|
78 |
((sha1_uint32 *) resbuf)[0] = SWAP (ctx->A); |
|
|
79 |
((sha1_uint32 *) resbuf)[1] = SWAP (ctx->B); |
|
|
80 |
((sha1_uint32 *) resbuf)[2] = SWAP (ctx->C); |
|
|
81 |
((sha1_uint32 *) resbuf)[3] = SWAP (ctx->D); |
|
|
82 |
((sha1_uint32 *) resbuf)[4] = SWAP (ctx->E); |
|
|
83 |
|
|
|
84 |
return resbuf; |
|
|
85 |
} |
|
|
86 |
|
|
|
87 |
/* Process the remaining bytes in the internal buffer and the usual |
|
|
88 |
prolog according to the standard and write the result to RESBUF. |
|
|
89 |
|
|
|
90 |
IMPORTANT: On some systems it is required that RESBUF is correctly |
|
|
91 |
aligned for a 32-bit value. */ |
|
|
92 |
void * |
|
|
93 |
sha1_finish_ctx (struct sha1_ctx *ctx, void *resbuf) |
|
|
94 |
{ |
|
|
95 |
/* Take yet unprocessed bytes into account. */ |
|
|
96 |
sha1_uint32 bytes = ctx->buflen; |
|
|
97 |
size_t size = (bytes < 56) ? 64 / 4 : 64 * 2 / 4; |
|
|
98 |
|
|
|
99 |
/* Now count remaining bytes. */ |
|
|
100 |
ctx->total[0] += bytes; |
|
|
101 |
if (ctx->total[0] < bytes) |
|
|
102 |
++ctx->total[1]; |
|
|
103 |
|
|
|
104 |
/* Put the 64-bit file length in *bits* at the end of the buffer. */ |
|
|
105 |
ctx->buffer[size - 2] = SWAP ((ctx->total[1] << 3) | (ctx->total[0] >> 29)); |
|
|
106 |
ctx->buffer[size - 1] = SWAP (ctx->total[0] << 3); |
|
|
107 |
|
|
|
108 |
memcpy (&((char *) ctx->buffer)[bytes], fillbuf, (size - 2) * 4 - bytes); |
|
|
109 |
|
|
|
110 |
/* Process last bytes. */ |
|
|
111 |
sha1_process_block (ctx->buffer, size * 4, ctx); |
|
|
112 |
|
|
|
113 |
return sha1_read_ctx (ctx, resbuf); |
|
|
114 |
} |
|
|
115 |
|
|
|
116 |
/* Compute SHA1 message digest for bytes read from STREAM. The |
|
|
117 |
resulting message digest number will be written into the 16 bytes |
|
|
118 |
beginning at RESBLOCK. */ |
|
|
119 |
int |
|
|
120 |
sha1_stream (FILE *stream, void *resblock) |
|
|
121 |
{ |
|
|
122 |
struct sha1_ctx ctx; |
|
|
123 |
char buffer[BLOCKSIZE + 72]; |
|
|
124 |
size_t sum; |
|
|
125 |
|
|
|
126 |
/* Initialize the computation context. */ |
|
|
127 |
sha1_init_ctx (&ctx); |
|
|
128 |
|
|
|
129 |
/* Iterate over full file contents. */ |
|
|
130 |
while (1) |
|
|
131 |
{ |
|
|
132 |
/* We read the file in blocks of BLOCKSIZE bytes. One call of the |
|
|
133 |
computation function processes the whole buffer so that with the |
|
|
134 |
next round of the loop another block can be read. */ |
|
|
135 |
size_t n; |
|
|
136 |
sum = 0; |
|
|
137 |
|
|
|
138 |
/* Read block. Take care for partial reads. */ |
|
|
139 |
while (1) |
|
|
140 |
{ |
|
|
141 |
n = fread (buffer + sum, 1, BLOCKSIZE - sum, stream); |
|
|
142 |
|
|
|
143 |
sum += n; |
|
|
144 |
|
|
|
145 |
if (sum == BLOCKSIZE) |
|
|
146 |
break; |
|
|
147 |
|
|
|
148 |
if (n == 0) |
|
|
149 |
{ |
|
|
150 |
/* Check for the error flag IFF N == 0, so that we don't |
|
|
151 |
exit the loop after a partial read due to e.g., EAGAIN |
|
|
152 |
or EWOULDBLOCK. */ |
|
|
153 |
if (ferror (stream)) |
|
|
154 |
return 1; |
|
|
155 |
goto process_partial_block; |
|
|
156 |
} |
|
|
157 |
|
|
|
158 |
/* We've read at least one byte, so ignore errors. But always |
|
|
159 |
check for EOF, since feof may be true even though N > 0. |
|
|
160 |
Otherwise, we could end up calling fread after EOF. */ |
|
|
161 |
if (feof (stream)) |
|
|
162 |
goto process_partial_block; |
|
|
163 |
} |
|
|
164 |
|
|
|
165 |
/* Process buffer with BLOCKSIZE bytes. Note that |
|
|
166 |
BLOCKSIZE % 64 == 0 |
|
|
167 |
*/ |
|
|
168 |
sha1_process_block (buffer, BLOCKSIZE, &ctx); |
|
|
169 |
} |
|
|
170 |
|
|
|
171 |
process_partial_block:; |
|
|
172 |
|
|
|
173 |
/* Process any remaining bytes. */ |
|
|
174 |
if (sum > 0) |
|
|
175 |
sha1_process_bytes (buffer, sum, &ctx); |
|
|
176 |
|
|
|
177 |
/* Construct result in desired memory. */ |
|
|
178 |
sha1_finish_ctx (&ctx, resblock); |
|
|
179 |
return 0; |
|
|
180 |
} |
|
|
181 |
|
|
|
182 |
/* Compute SHA1 message digest for LEN bytes beginning at BUFFER. The |
|
|
183 |
result is always in little endian byte order, so that a byte-wise |
|
|
184 |
output yields to the wanted ASCII representation of the message |
|
|
185 |
digest. */ |
|
|
186 |
void * |
|
|
187 |
sha1_buffer (const char *buffer, size_t len, void *resblock) |
|
|
188 |
{ |
|
|
189 |
struct sha1_ctx ctx; |
|
|
190 |
|
|
|
191 |
/* Initialize the computation context. */ |
|
|
192 |
sha1_init_ctx (&ctx); |
|
|
193 |
|
|
|
194 |
/* Process whole buffer but last len % 64 bytes. */ |
|
|
195 |
sha1_process_bytes (buffer, len, &ctx); |
|
|
196 |
|
|
|
197 |
/* Put result in desired memory area. */ |
|
|
198 |
return sha1_finish_ctx (&ctx, resblock); |
|
|
199 |
} |
|
|
200 |
|
|
|
201 |
void |
|
|
202 |
sha1_process_bytes (const void *buffer, size_t len, struct sha1_ctx *ctx) |
|
|
203 |
{ |
|
|
204 |
/* When we already have some bits in our internal buffer concatenate |
|
|
205 |
both inputs first. */ |
|
|
206 |
if (ctx->buflen != 0) |
|
|
207 |
{ |
|
|
208 |
size_t left_over = ctx->buflen; |
|
|
209 |
size_t add = 128 - left_over > len ? len : 128 - left_over; |
|
|
210 |
|
|
|
211 |
memcpy (&((char *) ctx->buffer)[left_over], buffer, add); |
|
|
212 |
ctx->buflen += add; |
|
|
213 |
|
|
|
214 |
if (ctx->buflen > 64) |
|
|
215 |
{ |
|
|
216 |
sha1_process_block (ctx->buffer, ctx->buflen & ~63, ctx); |
|
|
217 |
|
|
|
218 |
ctx->buflen &= 63; |
|
|
219 |
/* The regions in the following copy operation cannot overlap. */ |
|
|
220 |
memcpy (ctx->buffer, |
|
|
221 |
&((char *) ctx->buffer)[(left_over + add) & ~63], |
|
|
222 |
ctx->buflen); |
|
|
223 |
} |
|
|
224 |
|
|
|
225 |
buffer = (const char *) buffer + add; |
|
|
226 |
len -= add; |
|
|
227 |
} |
|
|
228 |
|
|
|
229 |
/* Process available complete blocks. */ |
|
|
230 |
if (len >= 64) |
|
|
231 |
{ |
|
|
232 |
#if !_STRING_ARCH_unaligned |
|
|
233 |
# define alignof(type) offsetof (struct { char c; type x; }, x) |
|
|
234 |
# define UNALIGNED_P(p) (((size_t) p) % alignof (sha1_uint32) != 0) |
|
|
235 |
if (UNALIGNED_P (buffer)) |
|
|
236 |
while (len > 64) |
|
|
237 |
{ |
|
|
238 |
sha1_process_block (memcpy (ctx->buffer, buffer, 64), 64, ctx); |
|
|
239 |
buffer = (const char *) buffer + 64; |
|
|
240 |
len -= 64; |
|
|
241 |
} |
|
|
242 |
else |
|
|
243 |
#endif |
|
|
244 |
{ |
|
|
245 |
sha1_process_block (buffer, len & ~63, ctx); |
|
|
246 |
buffer = (const char *) buffer + (len & ~63); |
|
|
247 |
len &= 63; |
|
|
248 |
} |
|
|
249 |
} |
|
|
250 |
|
|
|
251 |
/* Move remaining bytes in internal buffer. */ |
|
|
252 |
if (len > 0) |
|
|
253 |
{ |
|
|
254 |
size_t left_over = ctx->buflen; |
|
|
255 |
|
|
|
256 |
memcpy (&((char *) ctx->buffer)[left_over], buffer, len); |
|
|
257 |
left_over += len; |
|
|
258 |
if (left_over >= 64) |
|
|
259 |
{ |
|
|
260 |
sha1_process_block (ctx->buffer, 64, ctx); |
|
|
261 |
left_over -= 64; |
|
|
262 |
memcpy (ctx->buffer, &ctx->buffer[16], left_over); |
|
|
263 |
} |
|
|
264 |
ctx->buflen = left_over; |
|
|
265 |
} |
|
|
266 |
} |
|
|
267 |
|
|
|
268 |
/* --- Code below is the primary difference between md5.c and sha1.c --- */ |
|
|
269 |
|
|
|
270 |
/* SHA1 round constants */ |
|
|
271 |
#define K1 0x5a827999 |
|
|
272 |
#define K2 0x6ed9eba1 |
|
|
273 |
#define K3 0x8f1bbcdc |
|
|
274 |
#define K4 0xca62c1d6 |
|
|
275 |
|
|
|
276 |
/* Round functions. Note that F2 is the same as F4. */ |
|
|
277 |
#define F1(B,C,D) ( D ^ ( B & ( C ^ D ) ) ) |
|
|
278 |
#define F2(B,C,D) (B ^ C ^ D) |
|
|
279 |
#define F3(B,C,D) ( ( B & C ) | ( D & ( B | C ) ) ) |
|
|
280 |
#define F4(B,C,D) (B ^ C ^ D) |
|
|
281 |
|
|
|
282 |
/* Process LEN bytes of BUFFER, accumulating context into CTX. |
|
|
283 |
It is assumed that LEN % 64 == 0. |
|
|
284 |
Most of this code comes from GnuPG's cipher/sha1.c. */ |
|
|
285 |
|
|
|
286 |
void |
|
|
287 |
sha1_process_block (const void *buffer, size_t len, struct sha1_ctx *ctx) |
|
|
288 |
{ |
|
|
289 |
const sha1_uint32 *words = (const sha1_uint32*) buffer; |
|
|
290 |
size_t nwords = len / sizeof (sha1_uint32); |
|
|
291 |
const sha1_uint32 *endp = words + nwords; |
|
|
292 |
sha1_uint32 x[16]; |
|
|
293 |
sha1_uint32 a = ctx->A; |
|
|
294 |
sha1_uint32 b = ctx->B; |
|
|
295 |
sha1_uint32 c = ctx->C; |
|
|
296 |
sha1_uint32 d = ctx->D; |
|
|
297 |
sha1_uint32 e = ctx->E; |
|
|
298 |
|
|
|
299 |
/* First increment the byte count. RFC 1321 specifies the possible |
|
|
300 |
length of the file up to 2^64 bits. Here we only compute the |
|
|
301 |
number of bytes. Do a double word increment. */ |
|
|
302 |
ctx->total[0] += len; |
|
|
303 |
ctx->total[1] += ((len >> 31) >> 1) + (ctx->total[0] < len); |
|
|
304 |
|
|
|
305 |
#define rol(x, n) (((x) << (n)) | ((sha1_uint32) (x) >> (32 - (n)))) |
|
|
306 |
|
|
|
307 |
#define M(I) ( tm = x[I&0x0f] ^ x[(I-14)&0x0f] \ |
|
|
308 |
^ x[(I-8)&0x0f] ^ x[(I-3)&0x0f] \ |
|
|
309 |
, (x[I&0x0f] = rol(tm, 1)) ) |
|
|
310 |
|
|
|
311 |
#define R(A,B,C,D,E,F,K,M) do { E += rol( A, 5 ) \ |
|
|
312 |
+ F( B, C, D ) \ |
|
|
313 |
+ K \ |
|
|
314 |
+ M; \ |
|
|
315 |
B = rol( B, 30 ); \ |
|
|
316 |
} while(0) |
|
|
317 |
|
|
|
318 |
while (words < endp) |
|
|
319 |
{ |
|
|
320 |
sha1_uint32 tm; |
|
|
321 |
int t; |
|
|
322 |
for (t = 0; t < 16; t++) |
|
|
323 |
{ |
|
|
324 |
x[t] = SWAP (*words); |
|
|
325 |
words++; |
|
|
326 |
} |
|
|
327 |
|
|
|
328 |
R( a, b, c, d, e, F1, K1, x[ 0] ); |
|
|
329 |
R( e, a, b, c, d, F1, K1, x[ 1] ); |
|
|
330 |
R( d, e, a, b, c, F1, K1, x[ 2] ); |
|
|
331 |
R( c, d, e, a, b, F1, K1, x[ 3] ); |
|
|
332 |
R( b, c, d, e, a, F1, K1, x[ 4] ); |
|
|
333 |
R( a, b, c, d, e, F1, K1, x[ 5] ); |
|
|
334 |
R( e, a, b, c, d, F1, K1, x[ 6] ); |
|
|
335 |
R( d, e, a, b, c, F1, K1, x[ 7] ); |
|
|
336 |
R( c, d, e, a, b, F1, K1, x[ 8] ); |
|
|
337 |
R( b, c, d, e, a, F1, K1, x[ 9] ); |
|
|
338 |
R( a, b, c, d, e, F1, K1, x[10] ); |
|
|
339 |
R( e, a, b, c, d, F1, K1, x[11] ); |
|
|
340 |
R( d, e, a, b, c, F1, K1, x[12] ); |
|
|
341 |
R( c, d, e, a, b, F1, K1, x[13] ); |
|
|
342 |
R( b, c, d, e, a, F1, K1, x[14] ); |
|
|
343 |
R( a, b, c, d, e, F1, K1, x[15] ); |
|
|
344 |
R( e, a, b, c, d, F1, K1, M(16) ); |
|
|
345 |
R( d, e, a, b, c, F1, K1, M(17) ); |
|
|
346 |
R( c, d, e, a, b, F1, K1, M(18) ); |
|
|
347 |
R( b, c, d, e, a, F1, K1, M(19) ); |
|
|
348 |
R( a, b, c, d, e, F2, K2, M(20) ); |
|
|
349 |
R( e, a, b, c, d, F2, K2, M(21) ); |
|
|
350 |
R( d, e, a, b, c, F2, K2, M(22) ); |
|
|
351 |
R( c, d, e, a, b, F2, K2, M(23) ); |
|
|
352 |
R( b, c, d, e, a, F2, K2, M(24) ); |
|
|
353 |
R( a, b, c, d, e, F2, K2, M(25) ); |
|
|
354 |
R( e, a, b, c, d, F2, K2, M(26) ); |
|
|
355 |
R( d, e, a, b, c, F2, K2, M(27) ); |
|
|
356 |
R( c, d, e, a, b, F2, K2, M(28) ); |
|
|
357 |
R( b, c, d, e, a, F2, K2, M(29) ); |
|
|
358 |
R( a, b, c, d, e, F2, K2, M(30) ); |
|
|
359 |
R( e, a, b, c, d, F2, K2, M(31) ); |
|
|
360 |
R( d, e, a, b, c, F2, K2, M(32) ); |
|
|
361 |
R( c, d, e, a, b, F2, K2, M(33) ); |
|
|
362 |
R( b, c, d, e, a, F2, K2, M(34) ); |
|
|
363 |
R( a, b, c, d, e, F2, K2, M(35) ); |
|
|
364 |
R( e, a, b, c, d, F2, K2, M(36) ); |
|
|
365 |
R( d, e, a, b, c, F2, K2, M(37) ); |
|
|
366 |
R( c, d, e, a, b, F2, K2, M(38) ); |
|
|
367 |
R( b, c, d, e, a, F2, K2, M(39) ); |
|
|
368 |
R( a, b, c, d, e, F3, K3, M(40) ); |
|
|
369 |
R( e, a, b, c, d, F3, K3, M(41) ); |
|
|
370 |
R( d, e, a, b, c, F3, K3, M(42) ); |
|
|
371 |
R( c, d, e, a, b, F3, K3, M(43) ); |
|
|
372 |
R( b, c, d, e, a, F3, K3, M(44) ); |
|
|
373 |
R( a, b, c, d, e, F3, K3, M(45) ); |
|
|
374 |
R( e, a, b, c, d, F3, K3, M(46) ); |
|
|
375 |
R( d, e, a, b, c, F3, K3, M(47) ); |
|
|
376 |
R( c, d, e, a, b, F3, K3, M(48) ); |
|
|
377 |
R( b, c, d, e, a, F3, K3, M(49) ); |
|
|
378 |
R( a, b, c, d, e, F3, K3, M(50) ); |
|
|
379 |
R( e, a, b, c, d, F3, K3, M(51) ); |
|
|
380 |
R( d, e, a, b, c, F3, K3, M(52) ); |
|
|
381 |
R( c, d, e, a, b, F3, K3, M(53) ); |
|
|
382 |
R( b, c, d, e, a, F3, K3, M(54) ); |
|
|
383 |
R( a, b, c, d, e, F3, K3, M(55) ); |
|
|
384 |
R( e, a, b, c, d, F3, K3, M(56) ); |
|
|
385 |
R( d, e, a, b, c, F3, K3, M(57) ); |
|
|
386 |
R( c, d, e, a, b, F3, K3, M(58) ); |
|
|
387 |
R( b, c, d, e, a, F3, K3, M(59) ); |
|
|
388 |
R( a, b, c, d, e, F4, K4, M(60) ); |
|
|
389 |
R( e, a, b, c, d, F4, K4, M(61) ); |
|
|
390 |
R( d, e, a, b, c, F4, K4, M(62) ); |
|
|
391 |
R( c, d, e, a, b, F4, K4, M(63) ); |
|
|
392 |
R( b, c, d, e, a, F4, K4, M(64) ); |
|
|
393 |
R( a, b, c, d, e, F4, K4, M(65) ); |
|
|
394 |
R( e, a, b, c, d, F4, K4, M(66) ); |
|
|
395 |
R( d, e, a, b, c, F4, K4, M(67) ); |
|
|
396 |
R( c, d, e, a, b, F4, K4, M(68) ); |
|
|
397 |
R( b, c, d, e, a, F4, K4, M(69) ); |
|
|
398 |
R( a, b, c, d, e, F4, K4, M(70) ); |
|
|
399 |
R( e, a, b, c, d, F4, K4, M(71) ); |
|
|
400 |
R( d, e, a, b, c, F4, K4, M(72) ); |
|
|
401 |
R( c, d, e, a, b, F4, K4, M(73) ); |
|
|
402 |
R( b, c, d, e, a, F4, K4, M(74) ); |
|
|
403 |
R( a, b, c, d, e, F4, K4, M(75) ); |
|
|
404 |
R( e, a, b, c, d, F4, K4, M(76) ); |
|
|
405 |
R( d, e, a, b, c, F4, K4, M(77) ); |
|
|
406 |
R( c, d, e, a, b, F4, K4, M(78) ); |
|
|
407 |
R( b, c, d, e, a, F4, K4, M(79) ); |
|
|
408 |
|
|
|
409 |
a = ctx->A += a; |
|
|
410 |
b = ctx->B += b; |
|
|
411 |
c = ctx->C += c; |
|
|
412 |
d = ctx->D += d; |
|
|
413 |
e = ctx->E += e; |
|
|
414 |
} |
|
|
415 |
} |