1 /* Copyright (c) 2010 The Chromium OS Authors. All rights reserved.
2 * Use of this source code is governed by a BSD-style license that can be
3 * found in the LICENSE file.
4 *
5 * SHA-1 implementation largely based on libmincrypt in the the Android
6 * Open Source Project (platorm/system/core.git/libmincrypt/sha.c
7 */
8
9 #include "sysincludes.h"
10
11 #include "cryptolib.h"
12 #include "utility.h"
13
14
15 /* Some machines lack byteswap.h and endian.h. These have to use the
16 * slower code, even if they're little-endian.
17 */
18
19 #if defined(HAVE_ENDIAN_H) && defined(HAVE_LITTLE_ENDIAN)
20
21 /* This version is about 28% faster than the generic version below,
22 * but assumes little-endianness.
23 */
ror27(uint32_t val)24 static uint32_t ror27(uint32_t val) {
25 return (val >> 27) | (val << 5);
26 }
ror2(uint32_t val)27 static uint32_t ror2(uint32_t val) {
28 return (val >> 2) | (val << 30);
29 }
ror31(uint32_t val)30 static uint32_t ror31(uint32_t val) {
31 return (val >> 31) | (val << 1);
32 }
33
SHA1_Transform(SHA1_CTX * ctx)34 static void SHA1_Transform(SHA1_CTX* ctx) {
35 uint32_t W[80];
36 register uint32_t A, B, C, D, E;
37 int t;
38
39 A = ctx->state[0];
40 B = ctx->state[1];
41 C = ctx->state[2];
42 D = ctx->state[3];
43 E = ctx->state[4];
44
45 #define SHA_F1(A,B,C,D,E,t) \
46 E += ror27(A) + \
47 (W[t] = bswap_32(ctx->buf.w[t])) + \
48 (D^(B&(C^D))) + 0x5A827999; \
49 B = ror2(B);
50
51 for (t = 0; t < 15; t += 5) {
52 SHA_F1(A,B,C,D,E,t + 0);
53 SHA_F1(E,A,B,C,D,t + 1);
54 SHA_F1(D,E,A,B,C,t + 2);
55 SHA_F1(C,D,E,A,B,t + 3);
56 SHA_F1(B,C,D,E,A,t + 4);
57 }
58 SHA_F1(A,B,C,D,E,t + 0); /* 16th one, t == 15 */
59
60 #undef SHA_F1
61
62 #define SHA_F1(A,B,C,D,E,t) \
63 E += ror27(A) + \
64 (W[t] = ror31(W[t-3] ^ W[t-8] ^ W[t-14] ^ W[t-16])) + \
65 (D^(B&(C^D))) + 0x5A827999; \
66 B = ror2(B);
67
68 SHA_F1(E,A,B,C,D,t + 1);
69 SHA_F1(D,E,A,B,C,t + 2);
70 SHA_F1(C,D,E,A,B,t + 3);
71 SHA_F1(B,C,D,E,A,t + 4);
72
73 #undef SHA_F1
74
75 #define SHA_F2(A,B,C,D,E,t) \
76 E += ror27(A) + \
77 (W[t] = ror31(W[t-3] ^ W[t-8] ^ W[t-14] ^ W[t-16])) + \
78 (B^C^D) + 0x6ED9EBA1; \
79 B = ror2(B);
80
81 for (t = 20; t < 40; t += 5) {
82 SHA_F2(A,B,C,D,E,t + 0);
83 SHA_F2(E,A,B,C,D,t + 1);
84 SHA_F2(D,E,A,B,C,t + 2);
85 SHA_F2(C,D,E,A,B,t + 3);
86 SHA_F2(B,C,D,E,A,t + 4);
87 }
88
89 #undef SHA_F2
90
91 #define SHA_F3(A,B,C,D,E,t) \
92 E += ror27(A) + \
93 (W[t] = ror31(W[t-3] ^ W[t-8] ^ W[t-14] ^ W[t-16])) + \
94 ((B&C)|(D&(B|C))) + 0x8F1BBCDC; \
95 B = ror2(B);
96
97 for (; t < 60; t += 5) {
98 SHA_F3(A,B,C,D,E,t + 0);
99 SHA_F3(E,A,B,C,D,t + 1);
100 SHA_F3(D,E,A,B,C,t + 2);
101 SHA_F3(C,D,E,A,B,t + 3);
102 SHA_F3(B,C,D,E,A,t + 4);
103 }
104
105 #undef SHA_F3
106
107 #define SHA_F4(A,B,C,D,E,t) \
108 E += ror27(A) + \
109 (W[t] = ror31(W[t-3] ^ W[t-8] ^ W[t-14] ^ W[t-16])) + \
110 (B^C^D) + 0xCA62C1D6; \
111 B = ror2(B);
112
113 for (; t < 80; t += 5) {
114 SHA_F4(A,B,C,D,E,t + 0);
115 SHA_F4(E,A,B,C,D,t + 1);
116 SHA_F4(D,E,A,B,C,t + 2);
117 SHA_F4(C,D,E,A,B,t + 3);
118 SHA_F4(B,C,D,E,A,t + 4);
119 }
120
121 #undef SHA_F4
122
123 ctx->state[0] += A;
124 ctx->state[1] += B;
125 ctx->state[2] += C;
126 ctx->state[3] += D;
127 ctx->state[4] += E;
128 }
129
SHA1_update(SHA1_CTX * ctx,const uint8_t * data,uint64_t len)130 void SHA1_update(SHA1_CTX* ctx, const uint8_t* data, uint64_t len) {
131 int i = ctx->count % sizeof(ctx->buf);
132 const uint8_t* p = (const uint8_t*)data;
133
134 ctx->count += len;
135
136 while (len > sizeof(ctx->buf) - i) {
137 Memcpy(&ctx->buf.b[i], p, sizeof(ctx->buf) - i);
138 len -= sizeof(ctx->buf) - i;
139 p += sizeof(ctx->buf) - i;
140 SHA1_Transform(ctx);
141 i = 0;
142 }
143
144 while (len--) {
145 ctx->buf.b[i++] = *p++;
146 if (i == sizeof(ctx->buf)) {
147 SHA1_Transform(ctx);
148 i = 0;
149 }
150 }
151 }
152
153
SHA1_final(SHA1_CTX * ctx)154 uint8_t* SHA1_final(SHA1_CTX* ctx) {
155 uint64_t cnt = ctx->count * 8;
156 int i;
157
158 SHA1_update(ctx, (uint8_t*)"\x80", 1);
159 while ((ctx->count % sizeof(ctx->buf)) != (sizeof(ctx->buf) - 8)) {
160 SHA1_update(ctx, (uint8_t*)"\0", 1);
161 }
162 for (i = 0; i < 8; ++i) {
163 uint8_t tmp = cnt >> ((7 - i) * 8);
164 SHA1_update(ctx, &tmp, 1);
165 }
166
167 for (i = 0; i < 5; i++) {
168 ctx->buf.w[i] = bswap_32(ctx->state[i]);
169 }
170
171 return ctx->buf.b;
172 }
173
174 #else /* #if defined(HAVE_ENDIAN_H) && defined(HAVE_LITTLE_ENDIAN) */
175
176 #define rol(bits, value) (((value) << (bits)) | ((value) >> (32 - (bits))))
177
SHA1_transform(SHA1_CTX * ctx)178 static void SHA1_transform(SHA1_CTX *ctx) {
179 uint32_t W[80];
180 uint32_t A, B, C, D, E;
181 uint8_t *p = ctx->buf;
182 int t;
183
184 for(t = 0; t < 16; ++t) {
185 uint32_t tmp = *p++ << 24;
186 tmp |= *p++ << 16;
187 tmp |= *p++ << 8;
188 tmp |= *p++;
189 W[t] = tmp;
190 }
191
192 for(; t < 80; t++) {
193 W[t] = rol(1,W[t-3] ^ W[t-8] ^ W[t-14] ^ W[t-16]);
194 }
195
196 A = ctx->state[0];
197 B = ctx->state[1];
198 C = ctx->state[2];
199 D = ctx->state[3];
200 E = ctx->state[4];
201
202 for(t = 0; t < 80; t++) {
203 uint32_t tmp = rol(5,A) + E + W[t];
204
205 if (t < 20)
206 tmp += (D^(B&(C^D))) + 0x5A827999;
207 else if ( t < 40)
208 tmp += (B^C^D) + 0x6ED9EBA1;
209 else if ( t < 60)
210 tmp += ((B&C)|(D&(B|C))) + 0x8F1BBCDC;
211 else
212 tmp += (B^C^D) + 0xCA62C1D6;
213
214 E = D;
215 D = C;
216 C = rol(30,B);
217 B = A;
218 A = tmp;
219 }
220
221 ctx->state[0] += A;
222 ctx->state[1] += B;
223 ctx->state[2] += C;
224 ctx->state[3] += D;
225 ctx->state[4] += E;
226 }
227
SHA1_update(SHA1_CTX * ctx,const uint8_t * data,uint64_t len)228 void SHA1_update(SHA1_CTX *ctx, const uint8_t *data, uint64_t len) {
229 int i = (int)(ctx->count % sizeof(ctx->buf));
230 const uint8_t* p = (const uint8_t*) data;
231
232 ctx->count += len;
233
234 while (len--) {
235 ctx->buf[i++] = *p++;
236 if (i == sizeof(ctx->buf)) {
237 SHA1_transform(ctx);
238 i = 0;
239 }
240 }
241 }
SHA1_final(SHA1_CTX * ctx)242 uint8_t* SHA1_final(SHA1_CTX *ctx) {
243 uint8_t *p = ctx->buf;
244 uint64_t cnt = ctx->count << 3;
245 int i;
246
247 SHA1_update(ctx, (uint8_t*)"\x80", 1);
248 while ((ctx->count % sizeof(ctx->buf)) != (sizeof(ctx->buf) - 8)) {
249 SHA1_update(ctx, (uint8_t*)"\0", 1);
250 }
251 for (i = 0; i < 8; ++i) {
252 uint8_t tmp = (uint8_t)((uint64_t)cnt >> ((7 - i) * 8));
253 SHA1_update(ctx, &tmp, 1);
254 }
255
256 for (i = 0; i < 5; i++) {
257 uint32_t tmp = ctx->state[i];
258 *p++ = (uint8_t)(tmp >> 24);
259 *p++ = (uint8_t)(tmp >> 16);
260 *p++ = (uint8_t)(tmp >> 8);
261 *p++ = (uint8_t)(tmp >> 0);
262 }
263
264 return ctx->buf;
265 }
266
267 #endif /* endianness */
268
SHA1_init(SHA1_CTX * ctx)269 void SHA1_init(SHA1_CTX* ctx) {
270 ctx->state[0] = 0x67452301;
271 ctx->state[1] = 0xEFCDAB89;
272 ctx->state[2] = 0x98BADCFE;
273 ctx->state[3] = 0x10325476;
274 ctx->state[4] = 0xC3D2E1F0;
275 ctx->count = 0;
276 }
277
internal_SHA1(const uint8_t * data,uint64_t len,uint8_t * digest)278 uint8_t* internal_SHA1(const uint8_t *data, uint64_t len, uint8_t *digest) {
279 const uint8_t *p;
280 int i;
281 SHA1_CTX ctx;
282 SHA1_init(&ctx);
283 SHA1_update(&ctx, data, len);
284 p = SHA1_final(&ctx);
285 for (i = 0; i < SHA1_DIGEST_SIZE; ++i) {
286 digest[i] = *p++;
287 }
288 return digest;
289 }
290