1 /*!
2 * \copy
3 * Copyright (c) 1998, 2009 Paul E. Jones <paulej@packetizer.com>
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * * Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 *
13 * * Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in
15 * the documentation and/or other materials provided with the
16 * distribution.
17 *
18 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
19 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
20 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
21 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
22 * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
23 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
24 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
25 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
28 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
29 * POSSIBILITY OF SUCH DAMAGE.
30 *
31 */
32
33 /*
34 * Description:
35 * This file implements the Secure Hashing Standard as defined
36 * in FIPS PUB 180-1 published April 17, 1995.
37 *
38 * The Secure Hashing Standard, which uses the Secure Hashing
39 * Algorithm (SHA), produces a 160-bit message digest for a
40 * given data stream. In theory, it is highly improbable that
41 * two messages will produce the same message digest. Therefore,
42 * this algorithm can serve as a means of providing a "fingerprint"
43 * for a message.
44 *
45 * Portability Issues:
46 * SHA-1 is defined in terms of 32-bit "words". This code was
47 * written with the expectation that the processor has at least
48 * a 32-bit machine word size. If the machine word size is larger,
49 * the code should still function properly. One caveat to that
50 * is that the input functions taking characters and character
51 * arrays assume that only 8 bits of information are stored in each
52 * character.
53 *
54 * Caveats:
55 * SHA-1 is designed to work with messages less than 2^64 bits
56 * long. Although SHA-1 allows a message digest to be generated for
57 * messages of any number of bits less than 2^64, this
58 * implementation only works with messages with a length that is a
59 * multiple of the size of an 8-bit character.
60 *
61 */
62
63 #include "sha1.h"
64
65 /*
66 * Define the circular shift macro
67 */
68 #define SHA1CircularShift(bits,word) \
69 ((((word) << (bits)) & 0xFFFFFFFF) | \
70 ((word) >> (32-(bits))))
71
72 /* Function prototypes */
73 void SHA1ProcessMessageBlock(SHA1Context *);
74 void SHA1PadMessage(SHA1Context *);
75
76 /*
77 * SHA1Reset
78 *
79 * Description:
80 * This function will initialize the SHA1Context in preparation
81 * for computing a new message digest.
82 *
83 * Parameters:
84 * context: [in/out]
85 * The context to reset.
86 *
87 * Returns:
88 * Nothing.
89 *
90 * Comments:
91 *
92 */
SHA1Reset(SHA1Context * context)93 void SHA1Reset(SHA1Context *context)
94 {
95 context->Length_Low = 0;
96 context->Length_High = 0;
97 context->Message_Block_Index = 0;
98
99 context->Message_Digest[0] = 0x67452301;
100 context->Message_Digest[1] = 0xEFCDAB89;
101 context->Message_Digest[2] = 0x98BADCFE;
102 context->Message_Digest[3] = 0x10325476;
103 context->Message_Digest[4] = 0xC3D2E1F0;
104
105 context->Computed = 0;
106 context->Corrupted = 0;
107 }
108
109 /*
110 * SHA1Result
111 *
112 * Description:
113 * This function will return the 160-bit message digest into the
114 * digest array provided as a parameter.
115 *
116 * Parameters:
117 * context: [in/out]
118 * The context to use to calculate the SHA-1 hash.
119 * digest: [out]
120 * An array of characters where the digest is written.
121 *
122 * Returns:
123 * 1 if successful, 0 if it failed.
124 *
125 * Comments:
126 *
127 */
SHA1Result(SHA1Context * context,unsigned char * digest)128 int SHA1Result(SHA1Context *context, unsigned char *digest)
129 {
130 int i;
131
132 if (context->Corrupted)
133 {
134 return 0;
135 }
136
137 if (!context->Computed)
138 {
139 SHA1PadMessage(context);
140 context->Computed = 1;
141 }
142
143 for (i = 0; i < SHA_DIGEST_LENGTH; i++)
144 digest[i] = context->Message_Digest[i / 4] >> (8 * (3 - (i % 4)));
145
146 return 1;
147 }
148
149 /*
150 * SHA1Input
151 *
152 * Description:
153 * This function accepts an array of octets as the next portion of
154 * the message.
155 *
156 * Parameters:
157 * context: [in/out]
158 * The SHA-1 context to update
159 * message_array: [in]
160 * An array of characters representing the next portion of the
161 * message.
162 * length: [in]
163 * The length of the message in message_array
164 *
165 * Returns:
166 * Nothing.
167 *
168 * Comments:
169 *
170 */
SHA1Input(SHA1Context * context,const unsigned char * message_array,unsigned length)171 void SHA1Input( SHA1Context *context,
172 const unsigned char *message_array,
173 unsigned length)
174 {
175 if (!length)
176 {
177 return;
178 }
179
180 if (context->Computed || context->Corrupted)
181 {
182 context->Corrupted = 1;
183 return;
184 }
185
186 while(length-- && !context->Corrupted)
187 {
188 context->Message_Block[context->Message_Block_Index++] =
189 (*message_array & 0xFF);
190
191 context->Length_Low += 8;
192 /* Force it to 32 bits */
193 context->Length_Low &= 0xFFFFFFFF;
194 if (context->Length_Low == 0)
195 {
196 context->Length_High++;
197 /* Force it to 32 bits */
198 context->Length_High &= 0xFFFFFFFF;
199 if (context->Length_High == 0)
200 {
201 /* Message is too long */
202 context->Corrupted = 1;
203 }
204 }
205
206 if (context->Message_Block_Index == 64)
207 {
208 SHA1ProcessMessageBlock(context);
209 }
210
211 message_array++;
212 }
213 }
214
215 /*
216 * SHA1ProcessMessageBlock
217 *
218 * Description:
219 * This function will process the next 512 bits of the message
220 * stored in the Message_Block array.
221 *
222 * Parameters:
223 * None.
224 *
225 * Returns:
226 * Nothing.
227 *
228 * Comments:
229 * Many of the variable names in the SHAContext, especially the
230 * single character names, were used because those were the names
231 * used in the publication.
232 *
233 *
234 */
SHA1ProcessMessageBlock(SHA1Context * context)235 void SHA1ProcessMessageBlock(SHA1Context *context)
236 {
237 const unsigned K[] = /* Constants defined in SHA-1 */
238 {
239 0x5A827999,
240 0x6ED9EBA1,
241 0x8F1BBCDC,
242 0xCA62C1D6
243 };
244 int t; /* Loop counter */
245 unsigned temp; /* Temporary word value */
246 unsigned W[80]; /* Word sequence */
247 unsigned A, B, C, D, E; /* Word buffers */
248
249 /*
250 * Initialize the first 16 words in the array W
251 */
252 for(t = 0; t < 16; t++)
253 {
254 W[t] = ((unsigned) context->Message_Block[t * 4]) << 24;
255 W[t] |= ((unsigned) context->Message_Block[t * 4 + 1]) << 16;
256 W[t] |= ((unsigned) context->Message_Block[t * 4 + 2]) << 8;
257 W[t] |= ((unsigned) context->Message_Block[t * 4 + 3]);
258 }
259
260 for(t = 16; t < 80; t++)
261 {
262 W[t] = SHA1CircularShift(1,W[t-3] ^ W[t-8] ^ W[t-14] ^ W[t-16]);
263 }
264
265 A = context->Message_Digest[0];
266 B = context->Message_Digest[1];
267 C = context->Message_Digest[2];
268 D = context->Message_Digest[3];
269 E = context->Message_Digest[4];
270
271 for(t = 0; t < 20; t++)
272 {
273 temp = SHA1CircularShift(5,A) +
274 ((B & C) | ((~B) & D)) + E + W[t] + K[0];
275 temp &= 0xFFFFFFFF;
276 E = D;
277 D = C;
278 C = SHA1CircularShift(30,B);
279 B = A;
280 A = temp;
281 }
282
283 for(t = 20; t < 40; t++)
284 {
285 temp = SHA1CircularShift(5,A) + (B ^ C ^ D) + E + W[t] + K[1];
286 temp &= 0xFFFFFFFF;
287 E = D;
288 D = C;
289 C = SHA1CircularShift(30,B);
290 B = A;
291 A = temp;
292 }
293
294 for(t = 40; t < 60; t++)
295 {
296 temp = SHA1CircularShift(5,A) +
297 ((B & C) | (B & D) | (C & D)) + E + W[t] + K[2];
298 temp &= 0xFFFFFFFF;
299 E = D;
300 D = C;
301 C = SHA1CircularShift(30,B);
302 B = A;
303 A = temp;
304 }
305
306 for(t = 60; t < 80; t++)
307 {
308 temp = SHA1CircularShift(5,A) + (B ^ C ^ D) + E + W[t] + K[3];
309 temp &= 0xFFFFFFFF;
310 E = D;
311 D = C;
312 C = SHA1CircularShift(30,B);
313 B = A;
314 A = temp;
315 }
316
317 context->Message_Digest[0] =
318 (context->Message_Digest[0] + A) & 0xFFFFFFFF;
319 context->Message_Digest[1] =
320 (context->Message_Digest[1] + B) & 0xFFFFFFFF;
321 context->Message_Digest[2] =
322 (context->Message_Digest[2] + C) & 0xFFFFFFFF;
323 context->Message_Digest[3] =
324 (context->Message_Digest[3] + D) & 0xFFFFFFFF;
325 context->Message_Digest[4] =
326 (context->Message_Digest[4] + E) & 0xFFFFFFFF;
327
328 context->Message_Block_Index = 0;
329 }
330
331 /*
332 * SHA1PadMessage
333 *
334 * Description:
335 * According to the standard, the message must be padded to an even
336 * 512 bits. The first padding bit must be a '1'. The last 64
337 * bits represent the length of the original message. All bits in
338 * between should be 0. This function will pad the message
339 * according to those rules by filling the Message_Block array
340 * accordingly. It will also call SHA1ProcessMessageBlock()
341 * appropriately. When it returns, it can be assumed that the
342 * message digest has been computed.
343 *
344 * Parameters:
345 * context: [in/out]
346 * The context to pad
347 *
348 * Returns:
349 * Nothing.
350 *
351 * Comments:
352 *
353 */
SHA1PadMessage(SHA1Context * context)354 void SHA1PadMessage(SHA1Context *context)
355 {
356 /*
357 * Check to see if the current message block is too small to hold
358 * the initial padding bits and length. If so, we will pad the
359 * block, process it, and then continue padding into a second
360 * block.
361 */
362 if (context->Message_Block_Index > 55)
363 {
364 context->Message_Block[context->Message_Block_Index++] = 0x80;
365 while(context->Message_Block_Index < 64)
366 {
367 context->Message_Block[context->Message_Block_Index++] = 0;
368 }
369
370 SHA1ProcessMessageBlock(context);
371
372 while(context->Message_Block_Index < 56)
373 {
374 context->Message_Block[context->Message_Block_Index++] = 0;
375 }
376 }
377 else
378 {
379 context->Message_Block[context->Message_Block_Index++] = 0x80;
380 while(context->Message_Block_Index < 56)
381 {
382 context->Message_Block[context->Message_Block_Index++] = 0;
383 }
384 }
385
386 /*
387 * Store the message length as the last 8 octets
388 */
389 context->Message_Block[56] = (context->Length_High >> 24) & 0xFF;
390 context->Message_Block[57] = (context->Length_High >> 16) & 0xFF;
391 context->Message_Block[58] = (context->Length_High >> 8) & 0xFF;
392 context->Message_Block[59] = (context->Length_High) & 0xFF;
393 context->Message_Block[60] = (context->Length_Low >> 24) & 0xFF;
394 context->Message_Block[61] = (context->Length_Low >> 16) & 0xFF;
395 context->Message_Block[62] = (context->Length_Low >> 8) & 0xFF;
396 context->Message_Block[63] = (context->Length_Low) & 0xFF;
397
398 SHA1ProcessMessageBlock(context);
399 }
400