2
* FIPS-180-1 compliant SHA-1 implementation
4
* Copyright (C) 2006-2009, Paul Bakker <polarssl_maintainer at polarssl.org>
7
* Joined copyright on original XySSL code with: Christophe Devine
9
* This program is free software; you can redistribute it and/or modify
10
* it under the terms of the GNU General Public License as published by
11
* the Free Software Foundation; either version 2 of the License, or
12
* (at your option) any later version.
14
* This program is distributed in the hope that it will be useful,
15
* but WITHOUT ANY WARRANTY; without even the implied warranty of
16
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17
* GNU General Public License for more details.
19
* You should have received a copy of the GNU General Public License along
20
* with this program; if not, write to the Free Software Foundation, Inc.,
21
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24
* The SHA-1 standard was published by NIST in 1993.
26
* http://www.itl.nist.gov/fipspubs/fip180-1.htm
29
#include "polarssl/config.h"
31
#if defined(POLARSSL_SHA1_C)
33
#include "polarssl/sha1.h"
40
* 32-bit integer manipulation macros (big endian)
43
#define GET_ULONG_BE(n,b,i) \
45
(n) = ( (unsigned long) (b)[(i) ] << 24 ) \
46
| ( (unsigned long) (b)[(i) + 1] << 16 ) \
47
| ( (unsigned long) (b)[(i) + 2] << 8 ) \
48
| ( (unsigned long) (b)[(i) + 3] ); \
53
#define PUT_ULONG_BE(n,b,i) \
55
(b)[(i) ] = (unsigned char) ( (n) >> 24 ); \
56
(b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \
57
(b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \
58
(b)[(i) + 3] = (unsigned char) ( (n) ); \
65
void sha1_starts( sha1_context *ctx )
70
ctx->state[0] = 0x67452301;
71
ctx->state[1] = 0xEFCDAB89;
72
ctx->state[2] = 0x98BADCFE;
73
ctx->state[3] = 0x10325476;
74
ctx->state[4] = 0xC3D2E1F0;
77
static void sha1_process( sha1_context *ctx, unsigned char data[64] )
79
unsigned long temp, W[16], A, B, C, D, E;
81
GET_ULONG_BE( W[ 0], data, 0 );
82
GET_ULONG_BE( W[ 1], data, 4 );
83
GET_ULONG_BE( W[ 2], data, 8 );
84
GET_ULONG_BE( W[ 3], data, 12 );
85
GET_ULONG_BE( W[ 4], data, 16 );
86
GET_ULONG_BE( W[ 5], data, 20 );
87
GET_ULONG_BE( W[ 6], data, 24 );
88
GET_ULONG_BE( W[ 7], data, 28 );
89
GET_ULONG_BE( W[ 8], data, 32 );
90
GET_ULONG_BE( W[ 9], data, 36 );
91
GET_ULONG_BE( W[10], data, 40 );
92
GET_ULONG_BE( W[11], data, 44 );
93
GET_ULONG_BE( W[12], data, 48 );
94
GET_ULONG_BE( W[13], data, 52 );
95
GET_ULONG_BE( W[14], data, 56 );
96
GET_ULONG_BE( W[15], data, 60 );
98
#define S(x,n) ((x << n) | ((x & 0xFFFFFFFF) >> (32 - n)))
102
temp = W[(t - 3) & 0x0F] ^ W[(t - 8) & 0x0F] ^ \
103
W[(t - 14) & 0x0F] ^ W[ t & 0x0F], \
104
( W[t & 0x0F] = S(temp,1) ) \
107
#define P(a,b,c,d,e,x) \
109
e += S(a,5) + F(b,c,d) + K + x; b = S(b,30); \
118
#define F(x,y,z) (z ^ (x & (y ^ z)))
121
P( A, B, C, D, E, W[0] );
122
P( E, A, B, C, D, W[1] );
123
P( D, E, A, B, C, W[2] );
124
P( C, D, E, A, B, W[3] );
125
P( B, C, D, E, A, W[4] );
126
P( A, B, C, D, E, W[5] );
127
P( E, A, B, C, D, W[6] );
128
P( D, E, A, B, C, W[7] );
129
P( C, D, E, A, B, W[8] );
130
P( B, C, D, E, A, W[9] );
131
P( A, B, C, D, E, W[10] );
132
P( E, A, B, C, D, W[11] );
133
P( D, E, A, B, C, W[12] );
134
P( C, D, E, A, B, W[13] );
135
P( B, C, D, E, A, W[14] );
136
P( A, B, C, D, E, W[15] );
137
P( E, A, B, C, D, R(16) );
138
P( D, E, A, B, C, R(17) );
139
P( C, D, E, A, B, R(18) );
140
P( B, C, D, E, A, R(19) );
145
#define F(x,y,z) (x ^ y ^ z)
148
P( A, B, C, D, E, R(20) );
149
P( E, A, B, C, D, R(21) );
150
P( D, E, A, B, C, R(22) );
151
P( C, D, E, A, B, R(23) );
152
P( B, C, D, E, A, R(24) );
153
P( A, B, C, D, E, R(25) );
154
P( E, A, B, C, D, R(26) );
155
P( D, E, A, B, C, R(27) );
156
P( C, D, E, A, B, R(28) );
157
P( B, C, D, E, A, R(29) );
158
P( A, B, C, D, E, R(30) );
159
P( E, A, B, C, D, R(31) );
160
P( D, E, A, B, C, R(32) );
161
P( C, D, E, A, B, R(33) );
162
P( B, C, D, E, A, R(34) );
163
P( A, B, C, D, E, R(35) );
164
P( E, A, B, C, D, R(36) );
165
P( D, E, A, B, C, R(37) );
166
P( C, D, E, A, B, R(38) );
167
P( B, C, D, E, A, R(39) );
172
#define F(x,y,z) ((x & y) | (z & (x | y)))
175
P( A, B, C, D, E, R(40) );
176
P( E, A, B, C, D, R(41) );
177
P( D, E, A, B, C, R(42) );
178
P( C, D, E, A, B, R(43) );
179
P( B, C, D, E, A, R(44) );
180
P( A, B, C, D, E, R(45) );
181
P( E, A, B, C, D, R(46) );
182
P( D, E, A, B, C, R(47) );
183
P( C, D, E, A, B, R(48) );
184
P( B, C, D, E, A, R(49) );
185
P( A, B, C, D, E, R(50) );
186
P( E, A, B, C, D, R(51) );
187
P( D, E, A, B, C, R(52) );
188
P( C, D, E, A, B, R(53) );
189
P( B, C, D, E, A, R(54) );
190
P( A, B, C, D, E, R(55) );
191
P( E, A, B, C, D, R(56) );
192
P( D, E, A, B, C, R(57) );
193
P( C, D, E, A, B, R(58) );
194
P( B, C, D, E, A, R(59) );
199
#define F(x,y,z) (x ^ y ^ z)
202
P( A, B, C, D, E, R(60) );
203
P( E, A, B, C, D, R(61) );
204
P( D, E, A, B, C, R(62) );
205
P( C, D, E, A, B, R(63) );
206
P( B, C, D, E, A, R(64) );
207
P( A, B, C, D, E, R(65) );
208
P( E, A, B, C, D, R(66) );
209
P( D, E, A, B, C, R(67) );
210
P( C, D, E, A, B, R(68) );
211
P( B, C, D, E, A, R(69) );
212
P( A, B, C, D, E, R(70) );
213
P( E, A, B, C, D, R(71) );
214
P( D, E, A, B, C, R(72) );
215
P( C, D, E, A, B, R(73) );
216
P( B, C, D, E, A, R(74) );
217
P( A, B, C, D, E, R(75) );
218
P( E, A, B, C, D, R(76) );
219
P( D, E, A, B, C, R(77) );
220
P( C, D, E, A, B, R(78) );
221
P( B, C, D, E, A, R(79) );
234
* SHA-1 process buffer
236
void sha1_update( sha1_context *ctx, unsigned char *input, int ilen )
244
left = ctx->total[0] & 0x3F;
247
ctx->total[0] += ilen;
248
ctx->total[0] &= 0xFFFFFFFF;
250
if( ctx->total[0] < (unsigned long) ilen )
253
if( left && ilen >= fill )
255
memcpy( (void *) (ctx->buffer + left),
256
(void *) input, fill );
257
sha1_process( ctx, ctx->buffer );
265
sha1_process( ctx, input );
272
memcpy( (void *) (ctx->buffer + left),
273
(void *) input, ilen );
277
static const unsigned char sha1_padding[64] =
279
0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
280
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
281
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
282
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
288
void sha1_finish( sha1_context *ctx, unsigned char output[20] )
290
unsigned long last, padn;
291
unsigned long high, low;
292
unsigned char msglen[8];
294
high = ( ctx->total[0] >> 29 )
295
| ( ctx->total[1] << 3 );
296
low = ( ctx->total[0] << 3 );
298
PUT_ULONG_BE( high, msglen, 0 );
299
PUT_ULONG_BE( low, msglen, 4 );
301
last = ctx->total[0] & 0x3F;
302
padn = ( last < 56 ) ? ( 56 - last ) : ( 120 - last );
304
sha1_update( ctx, (unsigned char *) sha1_padding, padn );
305
sha1_update( ctx, msglen, 8 );
307
PUT_ULONG_BE( ctx->state[0], output, 0 );
308
PUT_ULONG_BE( ctx->state[1], output, 4 );
309
PUT_ULONG_BE( ctx->state[2], output, 8 );
310
PUT_ULONG_BE( ctx->state[3], output, 12 );
311
PUT_ULONG_BE( ctx->state[4], output, 16 );
315
* output = SHA-1( input buffer )
317
void sha1( unsigned char *input, int ilen, unsigned char output[20] )
322
sha1_update( &ctx, input, ilen );
323
sha1_finish( &ctx, output );
325
memset( &ctx, 0, sizeof( sha1_context ) );
329
* output = SHA-1( file contents )
331
int sha1_file( char *path, unsigned char output[20] )
336
unsigned char buf[1024];
338
if( ( f = fopen( path, "rb" ) ) == NULL )
343
while( ( n = fread( buf, 1, sizeof( buf ), f ) ) > 0 )
344
sha1_update( &ctx, buf, (int) n );
346
sha1_finish( &ctx, output );
348
memset( &ctx, 0, sizeof( sha1_context ) );
350
if( ferror( f ) != 0 )
361
* SHA-1 HMAC context setup
363
void sha1_hmac_starts( sha1_context *ctx, unsigned char *key, int keylen )
366
unsigned char sum[20];
370
sha1( key, keylen, sum );
375
memset( ctx->ipad, 0x36, 64 );
376
memset( ctx->opad, 0x5C, 64 );
378
for( i = 0; i < keylen; i++ )
380
ctx->ipad[i] = (unsigned char)( ctx->ipad[i] ^ key[i] );
381
ctx->opad[i] = (unsigned char)( ctx->opad[i] ^ key[i] );
385
sha1_update( ctx, ctx->ipad, 64 );
387
memset( sum, 0, sizeof( sum ) );
391
* SHA-1 HMAC process buffer
393
void sha1_hmac_update( sha1_context *ctx, unsigned char *input, int ilen )
395
sha1_update( ctx, input, ilen );
399
* SHA-1 HMAC final digest
401
void sha1_hmac_finish( sha1_context *ctx, unsigned char output[20] )
403
unsigned char tmpbuf[20];
405
sha1_finish( ctx, tmpbuf );
407
sha1_update( ctx, ctx->opad, 64 );
408
sha1_update( ctx, tmpbuf, 20 );
409
sha1_finish( ctx, output );
411
memset( tmpbuf, 0, sizeof( tmpbuf ) );
415
* output = HMAC-SHA-1( hmac key, input buffer )
417
void sha1_hmac( unsigned char *key, int keylen,
418
unsigned char *input, int ilen,
419
unsigned char output[20] )
423
sha1_hmac_starts( &ctx, key, keylen );
424
sha1_hmac_update( &ctx, input, ilen );
425
sha1_hmac_finish( &ctx, output );
427
memset( &ctx, 0, sizeof( sha1_context ) );
430
#if defined(POLARSSL_SELF_TEST)
432
* FIPS-180-1 test vectors
434
static unsigned char sha1_test_buf[3][57] =
437
{ "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" },
441
static const int sha1_test_buflen[3] =
446
static const unsigned char sha1_test_sum[3][20] =
448
{ 0xA9, 0x99, 0x3E, 0x36, 0x47, 0x06, 0x81, 0x6A, 0xBA, 0x3E,
449
0x25, 0x71, 0x78, 0x50, 0xC2, 0x6C, 0x9C, 0xD0, 0xD8, 0x9D },
450
{ 0x84, 0x98, 0x3E, 0x44, 0x1C, 0x3B, 0xD2, 0x6E, 0xBA, 0xAE,
451
0x4A, 0xA1, 0xF9, 0x51, 0x29, 0xE5, 0xE5, 0x46, 0x70, 0xF1 },
452
{ 0x34, 0xAA, 0x97, 0x3C, 0xD4, 0xC4, 0xDA, 0xA4, 0xF6, 0x1E,
453
0xEB, 0x2B, 0xDB, 0xAD, 0x27, 0x31, 0x65, 0x34, 0x01, 0x6F }
457
* RFC 2202 test vectors
459
static unsigned char sha1_hmac_test_key[7][26] =
461
{ "\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B"
462
"\x0B\x0B\x0B\x0B" },
464
{ "\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA"
465
"\xAA\xAA\xAA\xAA" },
466
{ "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F\x10"
467
"\x11\x12\x13\x14\x15\x16\x17\x18\x19" },
468
{ "\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C"
469
"\x0C\x0C\x0C\x0C" },
470
{ "" }, /* 0xAA 80 times */
474
static const int sha1_hmac_test_keylen[7] =
476
20, 4, 20, 25, 20, 80, 80
479
static unsigned char sha1_hmac_test_buf[7][74] =
482
{ "what do ya want for nothing?" },
483
{ "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
484
"\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
485
"\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
486
"\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
487
"\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD" },
488
{ "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"
489
"\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"
490
"\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"
491
"\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"
492
"\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD" },
493
{ "Test With Truncation" },
494
{ "Test Using Larger Than Block-Size Key - Hash Key First" },
495
{ "Test Using Larger Than Block-Size Key and Larger"
496
" Than One Block-Size Data" }
499
static const int sha1_hmac_test_buflen[7] =
501
8, 28, 50, 50, 20, 54, 73
504
static const unsigned char sha1_hmac_test_sum[7][20] =
506
{ 0xB6, 0x17, 0x31, 0x86, 0x55, 0x05, 0x72, 0x64, 0xE2, 0x8B,
507
0xC0, 0xB6, 0xFB, 0x37, 0x8C, 0x8E, 0xF1, 0x46, 0xBE, 0x00 },
508
{ 0xEF, 0xFC, 0xDF, 0x6A, 0xE5, 0xEB, 0x2F, 0xA2, 0xD2, 0x74,
509
0x16, 0xD5, 0xF1, 0x84, 0xDF, 0x9C, 0x25, 0x9A, 0x7C, 0x79 },
510
{ 0x12, 0x5D, 0x73, 0x42, 0xB9, 0xAC, 0x11, 0xCD, 0x91, 0xA3,
511
0x9A, 0xF4, 0x8A, 0xA1, 0x7B, 0x4F, 0x63, 0xF1, 0x75, 0xD3 },
512
{ 0x4C, 0x90, 0x07, 0xF4, 0x02, 0x62, 0x50, 0xC6, 0xBC, 0x84,
513
0x14, 0xF9, 0xBF, 0x50, 0xC8, 0x6C, 0x2D, 0x72, 0x35, 0xDA },
514
{ 0x4C, 0x1A, 0x03, 0x42, 0x4B, 0x55, 0xE0, 0x7F, 0xE7, 0xF2,
516
{ 0xAA, 0x4A, 0xE5, 0xE1, 0x52, 0x72, 0xD0, 0x0E, 0x95, 0x70,
517
0x56, 0x37, 0xCE, 0x8A, 0x3B, 0x55, 0xED, 0x40, 0x21, 0x12 },
518
{ 0xE8, 0xE9, 0x9D, 0x0F, 0x45, 0x23, 0x7D, 0x78, 0x6D, 0x6B,
519
0xBA, 0xA7, 0x96, 0x5C, 0x78, 0x08, 0xBB, 0xFF, 0x1A, 0x91 }
525
int sha1_self_test( int verbose )
528
unsigned char buf[1024];
529
unsigned char sha1sum[20];
535
for( i = 0; i < 3; i++ )
538
printf( " SHA-1 test #%d: ", i + 1 );
544
memset( buf, 'a', buflen = 1000 );
546
for( j = 0; j < 1000; j++ )
547
sha1_update( &ctx, buf, buflen );
550
sha1_update( &ctx, sha1_test_buf[i],
551
sha1_test_buflen[i] );
553
sha1_finish( &ctx, sha1sum );
555
if( memcmp( sha1sum, sha1_test_sum[i], 20 ) != 0 )
558
printf( "failed\n" );
564
printf( "passed\n" );
570
for( i = 0; i < 7; i++ )
573
printf( " HMAC-SHA-1 test #%d: ", i + 1 );
575
if( i == 5 || i == 6 )
577
memset( buf, '\xAA', buflen = 80 );
578
sha1_hmac_starts( &ctx, buf, buflen );
581
sha1_hmac_starts( &ctx, sha1_hmac_test_key[i],
582
sha1_hmac_test_keylen[i] );
584
sha1_hmac_update( &ctx, sha1_hmac_test_buf[i],
585
sha1_hmac_test_buflen[i] );
587
sha1_hmac_finish( &ctx, sha1sum );
589
buflen = ( i == 4 ) ? 12 : 20;
591
if( memcmp( sha1sum, sha1_hmac_test_sum[i], buflen ) != 0 )
594
printf( "failed\n" );
600
printf( "passed\n" );
added
removed
Common/Crypto/sha1.cpp
