Details | Last modification | View Log | RSS feed
Rev | Author | Line No. | Line |
---|---|---|---|
5191 | serge | 1 | /* sha1.c - Functions to compute SHA1 message digest of files or |
2 | memory blocks according to the NIST specification FIPS-180-1. |
||
3 | |||
4 | Copyright (C) 2000, 2001, 2003, 2004, 2005, 2006, 2008 Free Software |
||
5 | Foundation, Inc. |
||
6 | |||
7 | This program is free software; you can redistribute it and/or modify it |
||
8 | under the terms of the GNU General Public License as published by the |
||
9 | Free Software Foundation; either version 2, or (at your option) any |
||
10 | later version. |
||
11 | |||
12 | This program is distributed in the hope that it will be useful, |
||
13 | but WITHOUT ANY WARRANTY; without even the implied warranty of |
||
14 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
||
15 | GNU General Public License for more details. |
||
16 | |||
17 | You should have received a copy of the GNU General Public License |
||
18 | along with this program; if not, write to the Free Software Foundation, |
||
19 | Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. */ |
||
20 | |||
21 | /* Written by Scott G. Miller |
||
22 | Credits: |
||
23 | Robert Klep |
||
24 | */ |
||
25 | |||
26 | #include |
||
27 | |||
28 | #include "sha1.h" |
||
29 | |||
30 | #include |
||
31 | #include |
||
32 | |||
33 | #if USE_UNLOCKED_IO |
||
34 | # include "unlocked-io.h" |
||
35 | #endif |
||
36 | |||
37 | #ifdef WORDS_BIGENDIAN |
||
38 | # define SWAP(n) (n) |
||
39 | #else |
||
40 | # define SWAP(n) \ |
||
41 | (((n) << 24) | (((n) & 0xff00) << 8) | (((n) >> 8) & 0xff00) | ((n) >> 24)) |
||
42 | #endif |
||
43 | |||
44 | #define BLOCKSIZE 4096 |
||
45 | #if BLOCKSIZE % 64 != 0 |
||
46 | # error "invalid BLOCKSIZE" |
||
47 | #endif |
||
48 | |||
49 | /* This array contains the bytes used to pad the buffer to the next |
||
50 | 64-byte boundary. (RFC 1321, 3.1: Step 1) */ |
||
51 | static const unsigned char fillbuf[64] = { 0x80, 0 /* , 0, 0, ... */ }; |
||
52 | |||
53 | |||
54 | /* Take a pointer to a 160 bit block of data (five 32 bit ints) and |
||
55 | initialize it to the start constants of the SHA1 algorithm. This |
||
56 | must be called before using hash in the call to sha1_hash. */ |
||
57 | void |
||
58 | sha1_init_ctx (struct sha1_ctx *ctx) |
||
59 | { |
||
60 | ctx->A = 0x67452301; |
||
61 | ctx->B = 0xefcdab89; |
||
62 | ctx->C = 0x98badcfe; |
||
63 | ctx->D = 0x10325476; |
||
64 | ctx->E = 0xc3d2e1f0; |
||
65 | |||
66 | ctx->total[0] = ctx->total[1] = 0; |
||
67 | ctx->buflen = 0; |
||
68 | } |
||
69 | |||
70 | /* Put result from CTX in first 20 bytes following RESBUF. The result |
||
71 | must be in little endian byte order. |
||
72 | |||
73 | IMPORTANT: On some systems it is required that RESBUF is correctly |
||
74 | aligned for a 32-bit value. */ |
||
75 | void * |
||
76 | sha1_read_ctx (const struct sha1_ctx *ctx, void *resbuf) |
||
77 | { |
||
78 | ((sha1_uint32 *) resbuf)[0] = SWAP (ctx->A); |
||
79 | ((sha1_uint32 *) resbuf)[1] = SWAP (ctx->B); |
||
80 | ((sha1_uint32 *) resbuf)[2] = SWAP (ctx->C); |
||
81 | ((sha1_uint32 *) resbuf)[3] = SWAP (ctx->D); |
||
82 | ((sha1_uint32 *) resbuf)[4] = SWAP (ctx->E); |
||
83 | |||
84 | return resbuf; |
||
85 | } |
||
86 | |||
87 | /* Process the remaining bytes in the internal buffer and the usual |
||
88 | prolog according to the standard and write the result to RESBUF. |
||
89 | |||
90 | IMPORTANT: On some systems it is required that RESBUF is correctly |
||
91 | aligned for a 32-bit value. */ |
||
92 | void * |
||
93 | sha1_finish_ctx (struct sha1_ctx *ctx, void *resbuf) |
||
94 | { |
||
95 | /* Take yet unprocessed bytes into account. */ |
||
96 | sha1_uint32 bytes = ctx->buflen; |
||
97 | size_t size = (bytes < 56) ? 64 / 4 : 64 * 2 / 4; |
||
98 | |||
99 | /* Now count remaining bytes. */ |
||
100 | ctx->total[0] += bytes; |
||
101 | if (ctx->total[0] < bytes) |
||
102 | ++ctx->total[1]; |
||
103 | |||
104 | /* Put the 64-bit file length in *bits* at the end of the buffer. */ |
||
105 | ctx->buffer[size - 2] = SWAP ((ctx->total[1] << 3) | (ctx->total[0] >> 29)); |
||
106 | ctx->buffer[size - 1] = SWAP (ctx->total[0] << 3); |
||
107 | |||
108 | memcpy (&((char *) ctx->buffer)[bytes], fillbuf, (size - 2) * 4 - bytes); |
||
109 | |||
110 | /* Process last bytes. */ |
||
111 | sha1_process_block (ctx->buffer, size * 4, ctx); |
||
112 | |||
113 | return sha1_read_ctx (ctx, resbuf); |
||
114 | } |
||
115 | |||
116 | /* Compute SHA1 message digest for bytes read from STREAM. The |
||
117 | resulting message digest number will be written into the 16 bytes |
||
118 | beginning at RESBLOCK. */ |
||
119 | int |
||
120 | sha1_stream (FILE *stream, void *resblock) |
||
121 | { |
||
122 | struct sha1_ctx ctx; |
||
123 | char buffer[BLOCKSIZE + 72]; |
||
124 | size_t sum; |
||
125 | |||
126 | /* Initialize the computation context. */ |
||
127 | sha1_init_ctx (&ctx); |
||
128 | |||
129 | /* Iterate over full file contents. */ |
||
130 | while (1) |
||
131 | { |
||
132 | /* We read the file in blocks of BLOCKSIZE bytes. One call of the |
||
133 | computation function processes the whole buffer so that with the |
||
134 | next round of the loop another block can be read. */ |
||
135 | size_t n; |
||
136 | sum = 0; |
||
137 | |||
138 | /* Read block. Take care for partial reads. */ |
||
139 | while (1) |
||
140 | { |
||
141 | n = fread (buffer + sum, 1, BLOCKSIZE - sum, stream); |
||
142 | |||
143 | sum += n; |
||
144 | |||
145 | if (sum == BLOCKSIZE) |
||
146 | break; |
||
147 | |||
148 | if (n == 0) |
||
149 | { |
||
150 | /* Check for the error flag IFF N == 0, so that we don't |
||
151 | exit the loop after a partial read due to e.g., EAGAIN |
||
152 | or EWOULDBLOCK. */ |
||
153 | if (ferror (stream)) |
||
154 | return 1; |
||
155 | goto process_partial_block; |
||
156 | } |
||
157 | |||
158 | /* We've read at least one byte, so ignore errors. But always |
||
159 | check for EOF, since feof may be true even though N > 0. |
||
160 | Otherwise, we could end up calling fread after EOF. */ |
||
161 | if (feof (stream)) |
||
162 | goto process_partial_block; |
||
163 | } |
||
164 | |||
165 | /* Process buffer with BLOCKSIZE bytes. Note that |
||
166 | BLOCKSIZE % 64 == 0 |
||
167 | */ |
||
168 | sha1_process_block (buffer, BLOCKSIZE, &ctx); |
||
169 | } |
||
170 | |||
171 | process_partial_block:; |
||
172 | |||
173 | /* Process any remaining bytes. */ |
||
174 | if (sum > 0) |
||
175 | sha1_process_bytes (buffer, sum, &ctx); |
||
176 | |||
177 | /* Construct result in desired memory. */ |
||
178 | sha1_finish_ctx (&ctx, resblock); |
||
179 | return 0; |
||
180 | } |
||
181 | |||
182 | /* Compute SHA1 message digest for LEN bytes beginning at BUFFER. The |
||
183 | result is always in little endian byte order, so that a byte-wise |
||
184 | output yields to the wanted ASCII representation of the message |
||
185 | digest. */ |
||
186 | void * |
||
187 | sha1_buffer (const char *buffer, size_t len, void *resblock) |
||
188 | { |
||
189 | struct sha1_ctx ctx; |
||
190 | |||
191 | /* Initialize the computation context. */ |
||
192 | sha1_init_ctx (&ctx); |
||
193 | |||
194 | /* Process whole buffer but last len % 64 bytes. */ |
||
195 | sha1_process_bytes (buffer, len, &ctx); |
||
196 | |||
197 | /* Put result in desired memory area. */ |
||
198 | return sha1_finish_ctx (&ctx, resblock); |
||
199 | } |
||
200 | |||
201 | void |
||
202 | sha1_process_bytes (const void *buffer, size_t len, struct sha1_ctx *ctx) |
||
203 | { |
||
204 | /* When we already have some bits in our internal buffer concatenate |
||
205 | both inputs first. */ |
||
206 | if (ctx->buflen != 0) |
||
207 | { |
||
208 | size_t left_over = ctx->buflen; |
||
209 | size_t add = 128 - left_over > len ? len : 128 - left_over; |
||
210 | |||
211 | memcpy (&((char *) ctx->buffer)[left_over], buffer, add); |
||
212 | ctx->buflen += add; |
||
213 | |||
214 | if (ctx->buflen > 64) |
||
215 | { |
||
216 | sha1_process_block (ctx->buffer, ctx->buflen & ~63, ctx); |
||
217 | |||
218 | ctx->buflen &= 63; |
||
219 | /* The regions in the following copy operation cannot overlap. */ |
||
220 | memcpy (ctx->buffer, |
||
221 | &((char *) ctx->buffer)[(left_over + add) & ~63], |
||
222 | ctx->buflen); |
||
223 | } |
||
224 | |||
225 | buffer = (const char *) buffer + add; |
||
226 | len -= add; |
||
227 | } |
||
228 | |||
229 | /* Process available complete blocks. */ |
||
230 | if (len >= 64) |
||
231 | { |
||
232 | #if !_STRING_ARCH_unaligned |
||
233 | # define alignof(type) offsetof (struct { char c; type x; }, x) |
||
234 | # define UNALIGNED_P(p) (((size_t) p) % alignof (sha1_uint32) != 0) |
||
235 | if (UNALIGNED_P (buffer)) |
||
236 | while (len > 64) |
||
237 | { |
||
238 | sha1_process_block (memcpy (ctx->buffer, buffer, 64), 64, ctx); |
||
239 | buffer = (const char *) buffer + 64; |
||
240 | len -= 64; |
||
241 | } |
||
242 | else |
||
243 | #endif |
||
244 | { |
||
245 | sha1_process_block (buffer, len & ~63, ctx); |
||
246 | buffer = (const char *) buffer + (len & ~63); |
||
247 | len &= 63; |
||
248 | } |
||
249 | } |
||
250 | |||
251 | /* Move remaining bytes in internal buffer. */ |
||
252 | if (len > 0) |
||
253 | { |
||
254 | size_t left_over = ctx->buflen; |
||
255 | |||
256 | memcpy (&((char *) ctx->buffer)[left_over], buffer, len); |
||
257 | left_over += len; |
||
258 | if (left_over >= 64) |
||
259 | { |
||
260 | sha1_process_block (ctx->buffer, 64, ctx); |
||
261 | left_over -= 64; |
||
262 | memcpy (ctx->buffer, &ctx->buffer[16], left_over); |
||
263 | } |
||
264 | ctx->buflen = left_over; |
||
265 | } |
||
266 | } |
||
267 | |||
268 | /* --- Code below is the primary difference between md5.c and sha1.c --- */ |
||
269 | |||
270 | /* SHA1 round constants */ |
||
271 | #define K1 0x5a827999 |
||
272 | #define K2 0x6ed9eba1 |
||
273 | #define K3 0x8f1bbcdc |
||
274 | #define K4 0xca62c1d6 |
||
275 | |||
276 | /* Round functions. Note that F2 is the same as F4. */ |
||
277 | #define F1(B,C,D) ( D ^ ( B & ( C ^ D ) ) ) |
||
278 | #define F2(B,C,D) (B ^ C ^ D) |
||
279 | #define F3(B,C,D) ( ( B & C ) | ( D & ( B | C ) ) ) |
||
280 | #define F4(B,C,D) (B ^ C ^ D) |
||
281 | |||
282 | /* Process LEN bytes of BUFFER, accumulating context into CTX. |
||
283 | It is assumed that LEN % 64 == 0. |
||
284 | Most of this code comes from GnuPG's cipher/sha1.c. */ |
||
285 | |||
286 | void |
||
287 | sha1_process_block (const void *buffer, size_t len, struct sha1_ctx *ctx) |
||
288 | { |
||
289 | const sha1_uint32 *words = (const sha1_uint32*) buffer; |
||
290 | size_t nwords = len / sizeof (sha1_uint32); |
||
291 | const sha1_uint32 *endp = words + nwords; |
||
292 | sha1_uint32 x[16]; |
||
293 | sha1_uint32 a = ctx->A; |
||
294 | sha1_uint32 b = ctx->B; |
||
295 | sha1_uint32 c = ctx->C; |
||
296 | sha1_uint32 d = ctx->D; |
||
297 | sha1_uint32 e = ctx->E; |
||
298 | |||
299 | /* First increment the byte count. RFC 1321 specifies the possible |
||
300 | length of the file up to 2^64 bits. Here we only compute the |
||
301 | number of bytes. Do a double word increment. */ |
||
302 | ctx->total[0] += len; |
||
303 | ctx->total[1] += ((len >> 31) >> 1) + (ctx->total[0] < len); |
||
304 | |||
305 | #define rol(x, n) (((x) << (n)) | ((sha1_uint32) (x) >> (32 - (n)))) |
||
306 | |||
307 | #define M(I) ( tm = x[I&0x0f] ^ x[(I-14)&0x0f] \ |
||
308 | ^ x[(I-8)&0x0f] ^ x[(I-3)&0x0f] \ |
||
309 | , (x[I&0x0f] = rol(tm, 1)) ) |
||
310 | |||
311 | #define R(A,B,C,D,E,F,K,M) do { E += rol( A, 5 ) \ |
||
312 | + F( B, C, D ) \ |
||
313 | + K \ |
||
314 | + M; \ |
||
315 | B = rol( B, 30 ); \ |
||
316 | } while(0) |
||
317 | |||
318 | while (words < endp) |
||
319 | { |
||
320 | sha1_uint32 tm; |
||
321 | int t; |
||
322 | for (t = 0; t < 16; t++) |
||
323 | { |
||
324 | x[t] = SWAP (*words); |
||
325 | words++; |
||
326 | } |
||
327 | |||
328 | R( a, b, c, d, e, F1, K1, x[ 0] ); |
||
329 | R( e, a, b, c, d, F1, K1, x[ 1] ); |
||
330 | R( d, e, a, b, c, F1, K1, x[ 2] ); |
||
331 | R( c, d, e, a, b, F1, K1, x[ 3] ); |
||
332 | R( b, c, d, e, a, F1, K1, x[ 4] ); |
||
333 | R( a, b, c, d, e, F1, K1, x[ 5] ); |
||
334 | R( e, a, b, c, d, F1, K1, x[ 6] ); |
||
335 | R( d, e, a, b, c, F1, K1, x[ 7] ); |
||
336 | R( c, d, e, a, b, F1, K1, x[ 8] ); |
||
337 | R( b, c, d, e, a, F1, K1, x[ 9] ); |
||
338 | R( a, b, c, d, e, F1, K1, x[10] ); |
||
339 | R( e, a, b, c, d, F1, K1, x[11] ); |
||
340 | R( d, e, a, b, c, F1, K1, x[12] ); |
||
341 | R( c, d, e, a, b, F1, K1, x[13] ); |
||
342 | R( b, c, d, e, a, F1, K1, x[14] ); |
||
343 | R( a, b, c, d, e, F1, K1, x[15] ); |
||
344 | R( e, a, b, c, d, F1, K1, M(16) ); |
||
345 | R( d, e, a, b, c, F1, K1, M(17) ); |
||
346 | R( c, d, e, a, b, F1, K1, M(18) ); |
||
347 | R( b, c, d, e, a, F1, K1, M(19) ); |
||
348 | R( a, b, c, d, e, F2, K2, M(20) ); |
||
349 | R( e, a, b, c, d, F2, K2, M(21) ); |
||
350 | R( d, e, a, b, c, F2, K2, M(22) ); |
||
351 | R( c, d, e, a, b, F2, K2, M(23) ); |
||
352 | R( b, c, d, e, a, F2, K2, M(24) ); |
||
353 | R( a, b, c, d, e, F2, K2, M(25) ); |
||
354 | R( e, a, b, c, d, F2, K2, M(26) ); |
||
355 | R( d, e, a, b, c, F2, K2, M(27) ); |
||
356 | R( c, d, e, a, b, F2, K2, M(28) ); |
||
357 | R( b, c, d, e, a, F2, K2, M(29) ); |
||
358 | R( a, b, c, d, e, F2, K2, M(30) ); |
||
359 | R( e, a, b, c, d, F2, K2, M(31) ); |
||
360 | R( d, e, a, b, c, F2, K2, M(32) ); |
||
361 | R( c, d, e, a, b, F2, K2, M(33) ); |
||
362 | R( b, c, d, e, a, F2, K2, M(34) ); |
||
363 | R( a, b, c, d, e, F2, K2, M(35) ); |
||
364 | R( e, a, b, c, d, F2, K2, M(36) ); |
||
365 | R( d, e, a, b, c, F2, K2, M(37) ); |
||
366 | R( c, d, e, a, b, F2, K2, M(38) ); |
||
367 | R( b, c, d, e, a, F2, K2, M(39) ); |
||
368 | R( a, b, c, d, e, F3, K3, M(40) ); |
||
369 | R( e, a, b, c, d, F3, K3, M(41) ); |
||
370 | R( d, e, a, b, c, F3, K3, M(42) ); |
||
371 | R( c, d, e, a, b, F3, K3, M(43) ); |
||
372 | R( b, c, d, e, a, F3, K3, M(44) ); |
||
373 | R( a, b, c, d, e, F3, K3, M(45) ); |
||
374 | R( e, a, b, c, d, F3, K3, M(46) ); |
||
375 | R( d, e, a, b, c, F3, K3, M(47) ); |
||
376 | R( c, d, e, a, b, F3, K3, M(48) ); |
||
377 | R( b, c, d, e, a, F3, K3, M(49) ); |
||
378 | R( a, b, c, d, e, F3, K3, M(50) ); |
||
379 | R( e, a, b, c, d, F3, K3, M(51) ); |
||
380 | R( d, e, a, b, c, F3, K3, M(52) ); |
||
381 | R( c, d, e, a, b, F3, K3, M(53) ); |
||
382 | R( b, c, d, e, a, F3, K3, M(54) ); |
||
383 | R( a, b, c, d, e, F3, K3, M(55) ); |
||
384 | R( e, a, b, c, d, F3, K3, M(56) ); |
||
385 | R( d, e, a, b, c, F3, K3, M(57) ); |
||
386 | R( c, d, e, a, b, F3, K3, M(58) ); |
||
387 | R( b, c, d, e, a, F3, K3, M(59) ); |
||
388 | R( a, b, c, d, e, F4, K4, M(60) ); |
||
389 | R( e, a, b, c, d, F4, K4, M(61) ); |
||
390 | R( d, e, a, b, c, F4, K4, M(62) ); |
||
391 | R( c, d, e, a, b, F4, K4, M(63) ); |
||
392 | R( b, c, d, e, a, F4, K4, M(64) ); |
||
393 | R( a, b, c, d, e, F4, K4, M(65) ); |
||
394 | R( e, a, b, c, d, F4, K4, M(66) ); |
||
395 | R( d, e, a, b, c, F4, K4, M(67) ); |
||
396 | R( c, d, e, a, b, F4, K4, M(68) ); |
||
397 | R( b, c, d, e, a, F4, K4, M(69) ); |
||
398 | R( a, b, c, d, e, F4, K4, M(70) ); |
||
399 | R( e, a, b, c, d, F4, K4, M(71) ); |
||
400 | R( d, e, a, b, c, F4, K4, M(72) ); |
||
401 | R( c, d, e, a, b, F4, K4, M(73) ); |
||
402 | R( b, c, d, e, a, F4, K4, M(74) ); |
||
403 | R( a, b, c, d, e, F4, K4, M(75) ); |
||
404 | R( e, a, b, c, d, F4, K4, M(76) ); |
||
405 | R( d, e, a, b, c, F4, K4, M(77) ); |
||
406 | R( c, d, e, a, b, F4, K4, M(78) ); |
||
407 | R( b, c, d, e, a, F4, K4, M(79) ); |
||
408 | |||
409 | a = ctx->A += a; |
||
410 | b = ctx->B += b; |
||
411 | c = ctx->C += c; |
||
412 | d = ctx->D += d; |
||
413 | e = ctx->E += e; |
||
414 | } |
||
415 | }>>><>>><>><>>>><>><> |