4
* an implementation of the Secure Hash Algorithm v.1 (SHA-1),
5
* specified in FIPS 180-1
13
* Copyright (c) 2001-2006, Cisco Systems, Inc.
14
* All rights reserved.
16
* Redistribution and use in source and binary forms, with or without
17
* modification, are permitted provided that the following conditions
20
* Redistributions of source code must retain the above copyright
21
* notice, this list of conditions and the following disclaimer.
23
* Redistributions in binary form must reproduce the above
24
* copyright notice, this list of conditions and the following
25
* disclaimer in the documentation and/or other materials provided
26
* with the distribution.
28
* Neither the name of the Cisco Systems, Inc. nor the names of its
29
* contributors may be used to endorse or promote products derived
30
* from this software without specific prior written permission.
32
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
33
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
34
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
35
* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
36
* COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
37
* INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
38
* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
39
* SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
40
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
41
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
42
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
43
* OF THE POSSIBILITY OF SUCH DAMAGE.
50
debug_module_t mod_sha1 = {
51
0, /* debugging is off by default */
52
"sha-1" /* printable module name */
55
/* SN == Rotate left N bits */
56
#define S1(X) ((X << 1) | (X >> 31))
57
#define S5(X) ((X << 5) | (X >> 27))
58
#define S30(X) ((X << 30) | (X >> 2))
60
#define f0(B,C,D) ((B & C) | (~B & D))
61
#define f1(B,C,D) (B ^ C ^ D)
62
#define f2(B,C,D) ((B & C) | (B & D) | (C & D))
63
#define f3(B,C,D) (B ^ C ^ D)
66
* nota bene: the variable K0 appears in the curses library, so we
67
* give longer names to these variables to avoid spurious warnings
68
* on systems that uses curses
71
uint32_t SHA_K0 = 0x5A827999; /* Kt for 0 <= t <= 19 */
72
uint32_t SHA_K1 = 0x6ED9EBA1; /* Kt for 20 <= t <= 39 */
73
uint32_t SHA_K2 = 0x8F1BBCDC; /* Kt for 40 <= t <= 59 */
74
uint32_t SHA_K3 = 0xCA62C1D6; /* Kt for 60 <= t <= 79 */
77
sha1(const uint8_t *msg, int octets_in_msg, uint32_t hash_value[5]) {
81
sha1_update(&ctx, msg, octets_in_msg);
82
sha1_final(&ctx, hash_value);
87
* sha1_core(M, H) computes the core compression function, where M is
88
* the next part of the message (in network byte order) and H is the
89
* intermediate state { H0, H1, ...} (in host byte order)
91
* this function does not do any of the padding required in the
92
* complete SHA1 function
94
* this function is used in the SEAL 3.0 key setup routines
95
* (crypto/cipher/seal.c)
99
sha1_core(const uint32_t M[16], uint32_t hash_value[5]) {
106
uint32_t A, B, C, D, E, TEMP;
109
/* copy hash_value into H0, H1, H2, H3, H4 */
116
/* copy/xor message into array */
118
W[0] = be32_to_cpu(M[0]);
119
W[1] = be32_to_cpu(M[1]);
120
W[2] = be32_to_cpu(M[2]);
121
W[3] = be32_to_cpu(M[3]);
122
W[4] = be32_to_cpu(M[4]);
123
W[5] = be32_to_cpu(M[5]);
124
W[6] = be32_to_cpu(M[6]);
125
W[7] = be32_to_cpu(M[7]);
126
W[8] = be32_to_cpu(M[8]);
127
W[9] = be32_to_cpu(M[9]);
128
W[10] = be32_to_cpu(M[10]);
129
W[11] = be32_to_cpu(M[11]);
130
W[12] = be32_to_cpu(M[12]);
131
W[13] = be32_to_cpu(M[13]);
132
W[14] = be32_to_cpu(M[14]);
133
W[15] = be32_to_cpu(M[15]);
134
TEMP = W[13] ^ W[8] ^ W[2] ^ W[0]; W[16] = S1(TEMP);
135
TEMP = W[14] ^ W[9] ^ W[3] ^ W[1]; W[17] = S1(TEMP);
136
TEMP = W[15] ^ W[10] ^ W[4] ^ W[2]; W[18] = S1(TEMP);
137
TEMP = W[16] ^ W[11] ^ W[5] ^ W[3]; W[19] = S1(TEMP);
138
TEMP = W[17] ^ W[12] ^ W[6] ^ W[4]; W[20] = S1(TEMP);
139
TEMP = W[18] ^ W[13] ^ W[7] ^ W[5]; W[21] = S1(TEMP);
140
TEMP = W[19] ^ W[14] ^ W[8] ^ W[6]; W[22] = S1(TEMP);
141
TEMP = W[20] ^ W[15] ^ W[9] ^ W[7]; W[23] = S1(TEMP);
142
TEMP = W[21] ^ W[16] ^ W[10] ^ W[8]; W[24] = S1(TEMP);
143
TEMP = W[22] ^ W[17] ^ W[11] ^ W[9]; W[25] = S1(TEMP);
144
TEMP = W[23] ^ W[18] ^ W[12] ^ W[10]; W[26] = S1(TEMP);
145
TEMP = W[24] ^ W[19] ^ W[13] ^ W[11]; W[27] = S1(TEMP);
146
TEMP = W[25] ^ W[20] ^ W[14] ^ W[12]; W[28] = S1(TEMP);
147
TEMP = W[26] ^ W[21] ^ W[15] ^ W[13]; W[29] = S1(TEMP);
148
TEMP = W[27] ^ W[22] ^ W[16] ^ W[14]; W[30] = S1(TEMP);
149
TEMP = W[28] ^ W[23] ^ W[17] ^ W[15]; W[31] = S1(TEMP);
151
/* process the remainder of the array */
152
for (t=32; t < 80; t++) {
153
TEMP = W[t-3] ^ W[t-8] ^ W[t-14] ^ W[t-16];
157
A = H0; B = H1; C = H2; D = H3; E = H4;
159
for (t=0; t < 20; t++) {
160
TEMP = S5(A) + f0(B,C,D) + E + W[t] + SHA_K0;
161
E = D; D = C; C = S30(B); B = A; A = TEMP;
163
for ( ; t < 40; t++) {
164
TEMP = S5(A) + f1(B,C,D) + E + W[t] + SHA_K1;
165
E = D; D = C; C = S30(B); B = A; A = TEMP;
167
for ( ; t < 60; t++) {
168
TEMP = S5(A) + f2(B,C,D) + E + W[t] + SHA_K2;
169
E = D; D = C; C = S30(B); B = A; A = TEMP;
171
for ( ; t < 80; t++) {
172
TEMP = S5(A) + f3(B,C,D) + E + W[t] + SHA_K3;
173
E = D; D = C; C = S30(B); B = A; A = TEMP;
176
hash_value[0] = H0 + A;
177
hash_value[1] = H1 + B;
178
hash_value[2] = H2 + C;
179
hash_value[3] = H3 + D;
180
hash_value[4] = H4 + E;
186
sha1_init(sha1_ctx_t *ctx) {
188
/* initialize state vector */
189
ctx->H[0] = 0x67452301;
190
ctx->H[1] = 0xefcdab89;
191
ctx->H[2] = 0x98badcfe;
192
ctx->H[3] = 0x10325476;
193
ctx->H[4] = 0xc3d2e1f0;
195
/* indicate that message buffer is empty */
196
ctx->octets_in_buffer = 0;
198
/* reset message bit-count to zero */
199
ctx->num_bits_in_msg = 0;
204
sha1_update(sha1_ctx_t *ctx, const uint8_t *msg, int octets_in_msg) {
206
uint8_t *buf = (uint8_t *)ctx->M;
208
/* update message bit-count */
209
ctx->num_bits_in_msg += octets_in_msg * 8;
211
/* loop over 16-word blocks of M */
212
while (octets_in_msg > 0) {
214
if (octets_in_msg + ctx->octets_in_buffer >= 64) {
217
* copy words of M into msg buffer until that buffer is full,
218
* converting them into host byte order as needed
220
octets_in_msg -= (64 - ctx->octets_in_buffer);
221
for (i=ctx->octets_in_buffer; i < 64; i++)
223
ctx->octets_in_buffer = 0;
225
/* process a whole block */
227
debug_print(mod_sha1, "(update) running sha1_core()", NULL);
229
sha1_core(ctx->M, ctx->H);
233
debug_print(mod_sha1, "(update) not running sha1_core()", NULL);
235
for (i=ctx->octets_in_buffer;
236
i < (ctx->octets_in_buffer + octets_in_msg); i++)
238
ctx->octets_in_buffer += octets_in_msg;
247
* sha1_final(ctx, output) computes the result for ctx and copies it
248
* into the twenty octets located at *output
252
sha1_final(sha1_ctx_t *ctx, uint32_t *output) {
253
uint32_t A, B, C, D, E, TEMP;
258
* process the remaining octets_in_buffer, padding and terminating as
262
int tail = ctx->octets_in_buffer % 4;
264
/* copy/xor message into array */
265
for (i=0; i < (ctx->octets_in_buffer+3)/4; i++)
266
W[i] = be32_to_cpu(ctx->M[i]);
268
/* set the high bit of the octet immediately following the message */
271
W[i-1] = (be32_to_cpu(ctx->M[i-1]) & 0xffffff00) | 0x80;
275
W[i-1] = (be32_to_cpu(ctx->M[i-1]) & 0xffff0000) | 0x8000;
279
W[i-1] = (be32_to_cpu(ctx->M[i-1]) & 0xff000000) | 0x800000;
287
/* zeroize remaining words */
288
for (i++ ; i < 15; i++)
292
* if there is room at the end of the word array, then set the
293
* last word to the bit-length of the message; otherwise, set that
294
* word to zero and then we need to do one more run of the
297
if (ctx->octets_in_buffer < 56)
298
W[15] = ctx->num_bits_in_msg;
299
else if (ctx->octets_in_buffer < 60)
302
/* process the word array */ for (t=16; t < 80; t++) {
303
TEMP = W[t-3] ^ W[t-8] ^ W[t-14] ^ W[t-16];
313
for (t=0; t < 20; t++) {
314
TEMP = S5(A) + f0(B,C,D) + E + W[t] + SHA_K0;
315
E = D; D = C; C = S30(B); B = A; A = TEMP;
317
for ( ; t < 40; t++) {
318
TEMP = S5(A) + f1(B,C,D) + E + W[t] + SHA_K1;
319
E = D; D = C; C = S30(B); B = A; A = TEMP;
321
for ( ; t < 60; t++) {
322
TEMP = S5(A) + f2(B,C,D) + E + W[t] + SHA_K2;
323
E = D; D = C; C = S30(B); B = A; A = TEMP;
325
for ( ; t < 80; t++) {
326
TEMP = S5(A) + f3(B,C,D) + E + W[t] + SHA_K3;
327
E = D; D = C; C = S30(B); B = A; A = TEMP;
338
debug_print(mod_sha1, "(final) running sha1_core()", NULL);
340
if (ctx->octets_in_buffer >= 56) {
342
debug_print(mod_sha1, "(final) running sha1_core() again", NULL);
344
/* we need to do one final run of the compression algo */
347
* set initial part of word array to zeros, and set the
348
* final part to the number of bits in the message
350
for (i=0; i < 15; i++)
352
W[15] = ctx->num_bits_in_msg;
354
/* process the word array */
355
for (t=16; t < 80; t++) {
356
TEMP = W[t-3] ^ W[t-8] ^ W[t-14] ^ W[t-16];
366
for (t=0; t < 20; t++) {
367
TEMP = S5(A) + f0(B,C,D) + E + W[t] + SHA_K0;
368
E = D; D = C; C = S30(B); B = A; A = TEMP;
370
for ( ; t < 40; t++) {
371
TEMP = S5(A) + f1(B,C,D) + E + W[t] + SHA_K1;
372
E = D; D = C; C = S30(B); B = A; A = TEMP;
374
for ( ; t < 60; t++) {
375
TEMP = S5(A) + f2(B,C,D) + E + W[t] + SHA_K2;
376
E = D; D = C; C = S30(B); B = A; A = TEMP;
378
for ( ; t < 80; t++) {
379
TEMP = S5(A) + f3(B,C,D) + E + W[t] + SHA_K3;
380
E = D; D = C; C = S30(B); B = A; A = TEMP;
390
/* copy result into output buffer */
391
output[0] = be32_to_cpu(ctx->H[0]);
392
output[1] = be32_to_cpu(ctx->H[1]);
393
output[2] = be32_to_cpu(ctx->H[2]);
394
output[3] = be32_to_cpu(ctx->H[3]);
395
output[4] = be32_to_cpu(ctx->H[4]);
397
/* indicate that message buffer in context is empty */
398
ctx->octets_in_buffer = 0;