3
* The sha1 hash function.
6
/* nettle, low-level cryptographics library
8
* Copyright (C) 2001 Peter Gutmann, Andrew Kuchling, Niels M�ller
10
* The nettle library is free software; you can redistribute it and/or modify
11
* it under the terms of the GNU Lesser General Public License as published by
12
* the Free Software Foundation; either version 2.1 of the License, or (at your
13
* option) any later version.
15
* The nettle library is distributed in the hope that it will be useful, but
16
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
17
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public
18
* License for more details.
20
* You should have received a copy of the GNU Lesser General Public License
21
* along with the nettle library; see the file COPYING.LIB. If not, write to
22
* the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
26
/* Here's the first paragraph of Peter Gutmann's posting,
27
* <30ajo5$oe8@ccu2.auckland.ac.nz>:
29
* The following is my SHA (FIPS 180) code updated to allow use of the "fixed"
30
* SHA, thanks to Jim Gillogly and an anonymous contributor for the information on
31
* what's changed in the new version. The fix is a simple change which involves
32
* adding a single rotate in the initial expansion function. It is unknown
33
* whether this is an optimal solution to the problem which was discovered in the
34
* SHA or whether it's simply a bandaid which fixes the problem with a minimum of
35
* effort (for example the reengineering of a great many Capstone chips).
50
/* A block, treated as a sequence of 32-bit words. */
51
#define SHA1_DATA_LENGTH 16
53
/* SHA initial values */
55
#define h0init 0x67452301L
56
#define h1init 0xEFCDAB89L
57
#define h2init 0x98BADCFEL
58
#define h3init 0x10325476L
59
#define h4init 0xC3D2E1F0L
61
/* Initialize the SHA values */
64
sha1_init(struct sha1_ctx *ctx)
66
/* Set the h-vars to their initial values */
67
ctx->digest[ 0 ] = h0init;
68
ctx->digest[ 1 ] = h1init;
69
ctx->digest[ 2 ] = h2init;
70
ctx->digest[ 3 ] = h3init;
71
ctx->digest[ 4 ] = h4init;
73
/* Initialize bit count */
74
ctx->count_low = ctx->count_high = 0;
76
/* Initialize buffer */
80
/* Compression function, written in assembler on some systems.
81
Note that it destroys the data array. */
82
#define sha1_compress _nettle_sha1_compress
85
sha1_block(struct sha1_ctx *ctx, const uint8_t *block)
87
uint32_t data[SHA1_DATA_LENGTH];
90
/* Update block count */
91
if (!++ctx->count_low)
94
/* Endian independent conversion */
95
for (i = 0; i<SHA1_DATA_LENGTH; i++, block += 4)
96
data[i] = READ_UINT32(block);
98
sha1_compress(ctx->digest, data);
102
sha1_update(struct sha1_ctx *ctx,
103
unsigned length, const uint8_t *buffer)
106
{ /* Try to fill partial block */
107
unsigned left = SHA1_DATA_SIZE - ctx->index;
110
memcpy(ctx->block + ctx->index, buffer, length);
111
ctx->index += length;
112
return; /* Finished */
116
memcpy(ctx->block + ctx->index, buffer, left);
117
sha1_block(ctx, ctx->block);
122
while (length >= SHA1_DATA_SIZE)
124
sha1_block(ctx, buffer);
125
buffer += SHA1_DATA_SIZE;
126
length -= SHA1_DATA_SIZE;
128
if ((ctx->index = length)) /* This assignment is intended */
129
/* Buffer leftovers */
130
memcpy(ctx->block, buffer, length);
133
/* Final wrapup - pad to SHA1_DATA_SIZE-byte boundary with the bit pattern
134
1 0* (64-bit count of bits processed, MSB-first) */
137
sha1_final(struct sha1_ctx *ctx)
139
uint32_t data[SHA1_DATA_LENGTH];
145
/* Set the first char of padding to 0x80. This is safe since there is
146
always at least one byte free */
148
assert(i < SHA1_DATA_SIZE);
149
ctx->block[i++] = 0x80;
151
/* Fill rest of word */
155
/* i is now a multiple of the word size 4 */
157
for (i = 0; i < words; i++)
158
data[i] = READ_UINT32(ctx->block + 4*i);
160
if (words > (SHA1_DATA_LENGTH-2))
161
{ /* No room for length in this block. Process it and
162
* pad with another one */
163
for (i = words ; i < SHA1_DATA_LENGTH; i++)
165
sha1_compress(ctx->digest, data);
166
for (i = 0; i < (SHA1_DATA_LENGTH-2); i++)
170
for (i = words ; i < SHA1_DATA_LENGTH - 2; i++)
173
/* There are 512 = 2^9 bits in one block */
174
data[SHA1_DATA_LENGTH-2] = (ctx->count_high << 9) | (ctx->count_low >> 23);
175
data[SHA1_DATA_LENGTH-1] = (ctx->count_low << 9) | (ctx->index << 3);
176
sha1_compress(ctx->digest, data);
180
sha1_digest(struct sha1_ctx *ctx,
188
assert(length <= SHA1_DIGEST_SIZE);
193
leftover = length % 4;
195
for (i = 0; i < words; i++, digest += 4)
196
WRITE_UINT32(digest, ctx->digest[i]);
201
unsigned j = leftover;
203
assert(i < _SHA1_DIGEST_LENGTH);
205
word = ctx->digest[i];
212
digest[--j] = (word >> 8) & 0xff;
215
digest[--j] = (word >> 16) & 0xff;
218
digest[--j] = (word >> 24) & 0xff;