1 /*
2 * FIPS-180-1 compliant SHA-1 implementation
3 *
4 * Copyright (C) 2006-2009, Paul Bakker <polarssl_maintainer at polarssl.org>
5 * All rights reserved.
6 *
7 * Joined copyright on original XySSL code with: Christophe Devine
8 *
9 * This program is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License as published by
11 * the Free Software Foundation; either version 2 of the License, or
12 * (at your option) any later version.
13 *
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
18 *
19 * You should have received a copy of the GNU General Public License along
20 * with this program; if not, write to the Free Software Foundation, Inc.,
21 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22 */
23 /*
24 * The SHA-1 standard was published by NIST in 1993.
25 *
26 * http://www.itl.nist.gov/fipspubs/fip180-1.htm
27 */
28 /*
29 #include "polarssl/config.h"
30
31 #if defined(POLARSSL_SHA1_C)
32
33 #include "polarssl/sha1.h"
34 */
35 #include "sha1.h"
36 #include <string.h>
37 #include <stdio.h>
38
39 /*
40 * 32-bit integer manipulation macros (big endian)
41 */
42 #ifndef GET_ULONG_BE
43 #define GET_ULONG_BE(n,b,i) \
44 { \
45 (n) = ( (unsigned long) (b)[(i) ] << 24 ) \
46 | ( (unsigned long) (b)[(i) + 1] << 16 ) \
47 | ( (unsigned long) (b)[(i) + 2] << 8 ) \
48 | ( (unsigned long) (b)[(i) + 3] ); \
49 }
50 #endif
51
52 #ifndef PUT_ULONG_BE
53 #define PUT_ULONG_BE(n,b,i) \
54 { \
55 (b)[(i) ] = (unsigned char) ( (n) >> 24 ); \
56 (b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \
57 (b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \
58 (b)[(i) + 3] = (unsigned char) ( (n) ); \
59 }
60 #endif
61
62 /*
63 * SHA-1 context setup
64 */
sha1_starts(sha1_context * ctx)65 void sha1_starts( sha1_context *ctx )
66 {
67 ctx->total[0] = 0;
68 ctx->total[1] = 0;
69
70 ctx->state[0] = 0x67452301;
71 ctx->state[1] = 0xEFCDAB89;
72 ctx->state[2] = 0x98BADCFE;
73 ctx->state[3] = 0x10325476;
74 ctx->state[4] = 0xC3D2E1F0;
75 }
76
sha1_process(sha1_context * ctx,unsigned char data[64])77 static void sha1_process( sha1_context *ctx, unsigned char data[64] )
78 {
79 unsigned long temp, W[16], A, B, C, D, E;
80
81 GET_ULONG_BE( W[ 0], data, 0 );
82 GET_ULONG_BE( W[ 1], data, 4 );
83 GET_ULONG_BE( W[ 2], data, 8 );
84 GET_ULONG_BE( W[ 3], data, 12 );
85 GET_ULONG_BE( W[ 4], data, 16 );
86 GET_ULONG_BE( W[ 5], data, 20 );
87 GET_ULONG_BE( W[ 6], data, 24 );
88 GET_ULONG_BE( W[ 7], data, 28 );
89 GET_ULONG_BE( W[ 8], data, 32 );
90 GET_ULONG_BE( W[ 9], data, 36 );
91 GET_ULONG_BE( W[10], data, 40 );
92 GET_ULONG_BE( W[11], data, 44 );
93 GET_ULONG_BE( W[12], data, 48 );
94 GET_ULONG_BE( W[13], data, 52 );
95 GET_ULONG_BE( W[14], data, 56 );
96 GET_ULONG_BE( W[15], data, 60 );
97
98 #define S(x,n) ((x << n) | ((x & 0xFFFFFFFF) >> (32 - n)))
99
100 #define R(t) \
101 ( \
102 temp = W[(t - 3) & 0x0F] ^ W[(t - 8) & 0x0F] ^ \
103 W[(t - 14) & 0x0F] ^ W[ t & 0x0F], \
104 ( W[t & 0x0F] = S(temp,1) ) \
105 )
106
107 #define P(a,b,c,d,e,x) \
108 { \
109 e += S(a,5) + F(b,c,d) + K + x; b = S(b,30); \
110 }
111
112 A = ctx->state[0];
113 B = ctx->state[1];
114 C = ctx->state[2];
115 D = ctx->state[3];
116 E = ctx->state[4];
117
118 #define F(x,y,z) (z ^ (x & (y ^ z)))
119 #define K 0x5A827999
120
121 P( A, B, C, D, E, W[0] );
122 P( E, A, B, C, D, W[1] );
123 P( D, E, A, B, C, W[2] );
124 P( C, D, E, A, B, W[3] );
125 P( B, C, D, E, A, W[4] );
126 P( A, B, C, D, E, W[5] );
127 P( E, A, B, C, D, W[6] );
128 P( D, E, A, B, C, W[7] );
129 P( C, D, E, A, B, W[8] );
130 P( B, C, D, E, A, W[9] );
131 P( A, B, C, D, E, W[10] );
132 P( E, A, B, C, D, W[11] );
133 P( D, E, A, B, C, W[12] );
134 P( C, D, E, A, B, W[13] );
135 P( B, C, D, E, A, W[14] );
136 P( A, B, C, D, E, W[15] );
137 P( E, A, B, C, D, R(16) );
138 P( D, E, A, B, C, R(17) );
139 P( C, D, E, A, B, R(18) );
140 P( B, C, D, E, A, R(19) );
141
142 #undef K
143 #undef F
144
145 #define F(x,y,z) (x ^ y ^ z)
146 #define K 0x6ED9EBA1
147
148 P( A, B, C, D, E, R(20) );
149 P( E, A, B, C, D, R(21) );
150 P( D, E, A, B, C, R(22) );
151 P( C, D, E, A, B, R(23) );
152 P( B, C, D, E, A, R(24) );
153 P( A, B, C, D, E, R(25) );
154 P( E, A, B, C, D, R(26) );
155 P( D, E, A, B, C, R(27) );
156 P( C, D, E, A, B, R(28) );
157 P( B, C, D, E, A, R(29) );
158 P( A, B, C, D, E, R(30) );
159 P( E, A, B, C, D, R(31) );
160 P( D, E, A, B, C, R(32) );
161 P( C, D, E, A, B, R(33) );
162 P( B, C, D, E, A, R(34) );
163 P( A, B, C, D, E, R(35) );
164 P( E, A, B, C, D, R(36) );
165 P( D, E, A, B, C, R(37) );
166 P( C, D, E, A, B, R(38) );
167 P( B, C, D, E, A, R(39) );
168
169 #undef K
170 #undef F
171
172 #define F(x,y,z) ((x & y) | (z & (x | y)))
173 #define K 0x8F1BBCDC
174
175 P( A, B, C, D, E, R(40) );
176 P( E, A, B, C, D, R(41) );
177 P( D, E, A, B, C, R(42) );
178 P( C, D, E, A, B, R(43) );
179 P( B, C, D, E, A, R(44) );
180 P( A, B, C, D, E, R(45) );
181 P( E, A, B, C, D, R(46) );
182 P( D, E, A, B, C, R(47) );
183 P( C, D, E, A, B, R(48) );
184 P( B, C, D, E, A, R(49) );
185 P( A, B, C, D, E, R(50) );
186 P( E, A, B, C, D, R(51) );
187 P( D, E, A, B, C, R(52) );
188 P( C, D, E, A, B, R(53) );
189 P( B, C, D, E, A, R(54) );
190 P( A, B, C, D, E, R(55) );
191 P( E, A, B, C, D, R(56) );
192 P( D, E, A, B, C, R(57) );
193 P( C, D, E, A, B, R(58) );
194 P( B, C, D, E, A, R(59) );
195
196 #undef K
197 #undef F
198
199 #define F(x,y,z) (x ^ y ^ z)
200 #define K 0xCA62C1D6
201
202 P( A, B, C, D, E, R(60) );
203 P( E, A, B, C, D, R(61) );
204 P( D, E, A, B, C, R(62) );
205 P( C, D, E, A, B, R(63) );
206 P( B, C, D, E, A, R(64) );
207 P( A, B, C, D, E, R(65) );
208 P( E, A, B, C, D, R(66) );
209 P( D, E, A, B, C, R(67) );
210 P( C, D, E, A, B, R(68) );
211 P( B, C, D, E, A, R(69) );
212 P( A, B, C, D, E, R(70) );
213 P( E, A, B, C, D, R(71) );
214 P( D, E, A, B, C, R(72) );
215 P( C, D, E, A, B, R(73) );
216 P( B, C, D, E, A, R(74) );
217 P( A, B, C, D, E, R(75) );
218 P( E, A, B, C, D, R(76) );
219 P( D, E, A, B, C, R(77) );
220 P( C, D, E, A, B, R(78) );
221 P( B, C, D, E, A, R(79) );
222
223 #undef K
224 #undef F
225
226 ctx->state[0] += A;
227 ctx->state[1] += B;
228 ctx->state[2] += C;
229 ctx->state[3] += D;
230 ctx->state[4] += E;
231 }
232
233 /*
234 * SHA-1 process buffer
235 */
sha1_update(sha1_context * ctx,unsigned char * input,int ilen)236 void sha1_update( sha1_context *ctx, unsigned char *input, int ilen )
237 {
238 int fill;
239 unsigned long left;
240
241 if( ilen <= 0 )
242 return;
243
244 left = ctx->total[0] & 0x3F;
245 fill = 64 - left;
246
247 ctx->total[0] += ilen;
248 ctx->total[0] &= 0xFFFFFFFF;
249
250 if( ctx->total[0] < (unsigned long) ilen )
251 ctx->total[1]++;
252
253 if( left && ilen >= fill )
254 {
255 memcpy( (void *) (ctx->buffer + left),
256 (void *) input, fill );
257 sha1_process( ctx, ctx->buffer );
258 input += fill;
259 ilen -= fill;
260 left = 0;
261 }
262
263 while( ilen >= 64 )
264 {
265 sha1_process( ctx, input );
266 input += 64;
267 ilen -= 64;
268 }
269
270 if( ilen > 0 )
271 {
272 memcpy( (void *) (ctx->buffer + left),
273 (void *) input, ilen );
274 }
275 }
276
277 static const unsigned char sha1_padding[64] =
278 {
279 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
280 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
281 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
282 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
283 };
284
285 /*
286 * SHA-1 final digest
287 */
sha1_finish(sha1_context * ctx,unsigned char output[20])288 void sha1_finish( sha1_context *ctx, unsigned char output[20] )
289 {
290 unsigned long last, padn;
291 unsigned long high, low;
292 unsigned char msglen[8];
293
294 high = ( ctx->total[0] >> 29 )
295 | ( ctx->total[1] << 3 );
296 low = ( ctx->total[0] << 3 );
297
298 PUT_ULONG_BE( high, msglen, 0 );
299 PUT_ULONG_BE( low, msglen, 4 );
300
301 last = ctx->total[0] & 0x3F;
302 padn = ( last < 56 ) ? ( 56 - last ) : ( 120 - last );
303
304 sha1_update( ctx, (unsigned char *) sha1_padding, padn );
305 sha1_update( ctx, msglen, 8 );
306
307 PUT_ULONG_BE( ctx->state[0], output, 0 );
308 PUT_ULONG_BE( ctx->state[1], output, 4 );
309 PUT_ULONG_BE( ctx->state[2], output, 8 );
310 PUT_ULONG_BE( ctx->state[3], output, 12 );
311 PUT_ULONG_BE( ctx->state[4], output, 16 );
312 }
313
314 /*
315 * output = SHA-1( input buffer )
316 */
sha1(unsigned char * input,int ilen,unsigned char output[20])317 void sha1( unsigned char *input, int ilen, unsigned char output[20] )
318 {
319 sha1_context ctx;
320
321 sha1_starts( &ctx );
322 sha1_update( &ctx, input, ilen );
323 sha1_finish( &ctx, output );
324
325 memset( &ctx, 0, sizeof( sha1_context ) );
326 }
327
328 /*
329 * SHA-1 HMAC context setup
330 */
sha1_hmac_starts(sha1_context * ctx,unsigned char * key,int keylen)331 void sha1_hmac_starts( sha1_context *ctx, unsigned char *key, int keylen )
332 {
333 int i;
334 unsigned char sum[20];
335
336 if( keylen > 64 )
337 {
338 sha1( key, keylen, sum );
339 keylen = 20;
340 key = sum;
341 }
342
343 memset( ctx->ipad, 0x36, 64 );
344 memset( ctx->opad, 0x5C, 64 );
345
346 for( i = 0; i < keylen; i++ )
347 {
348 ctx->ipad[i] = (unsigned char)( ctx->ipad[i] ^ key[i] );
349 ctx->opad[i] = (unsigned char)( ctx->opad[i] ^ key[i] );
350 }
351
352 sha1_starts( ctx );
353 sha1_update( ctx, ctx->ipad, 64 );
354
355 memset( sum, 0, sizeof( sum ) );
356 }
357
358 /*
359 * SHA-1 HMAC process buffer
360 */
sha1_hmac_update(sha1_context * ctx,unsigned char * input,int ilen)361 void sha1_hmac_update( sha1_context *ctx, unsigned char *input, int ilen )
362 {
363 sha1_update( ctx, input, ilen );
364 }
365
366 /*
367 * SHA-1 HMAC final digest
368 */
sha1_hmac_finish(sha1_context * ctx,unsigned char output[20])369 void sha1_hmac_finish( sha1_context *ctx, unsigned char output[20] )
370 {
371 unsigned char tmpbuf[20];
372
373 sha1_finish( ctx, tmpbuf );
374 sha1_starts( ctx );
375 sha1_update( ctx, ctx->opad, 64 );
376 sha1_update( ctx, tmpbuf, 20 );
377 sha1_finish( ctx, output );
378
379 memset( tmpbuf, 0, sizeof( tmpbuf ) );
380 }
381
382 /*
383 * output = HMAC-SHA-1( hmac key, input buffer )
384 */
sha1_hmac(unsigned char * key,int keylen,unsigned char * input,int ilen,unsigned char output[20])385 void sha1_hmac( unsigned char *key, int keylen,
386 unsigned char *input, int ilen,
387 unsigned char output[20] )
388 {
389 sha1_context ctx;
390
391 sha1_hmac_starts( &ctx, key, keylen );
392 sha1_hmac_update( &ctx, input, ilen );
393 sha1_hmac_finish( &ctx, output );
394
395 memset( &ctx, 0, sizeof( sha1_context ) );
396 }
397
398 #if defined(POLARSSL_SELF_TEST)
399 /*
400 * FIPS-180-1 test vectors
401 */
402 static unsigned char sha1_test_buf[3][57] =
403 {
404 { "abc" },
405 { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" },
406 { "" }
407 };
408
409 static const int sha1_test_buflen[3] =
410 {
411 3, 56, 1000
412 };
413
414 static const unsigned char sha1_test_sum[3][20] =
415 {
416 { 0xA9, 0x99, 0x3E, 0x36, 0x47, 0x06, 0x81, 0x6A, 0xBA, 0x3E,
417 0x25, 0x71, 0x78, 0x50, 0xC2, 0x6C, 0x9C, 0xD0, 0xD8, 0x9D },
418 { 0x84, 0x98, 0x3E, 0x44, 0x1C, 0x3B, 0xD2, 0x6E, 0xBA, 0xAE,
419 0x4A, 0xA1, 0xF9, 0x51, 0x29, 0xE5, 0xE5, 0x46, 0x70, 0xF1 },
420 { 0x34, 0xAA, 0x97, 0x3C, 0xD4, 0xC4, 0xDA, 0xA4, 0xF6, 0x1E,
421 0xEB, 0x2B, 0xDB, 0xAD, 0x27, 0x31, 0x65, 0x34, 0x01, 0x6F }
422 };
423
424 /*
425 * RFC 2202 test vectors
426 */
427 static unsigned char sha1_hmac_test_key[7][26] =
428 {
429 { "\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B"
430 "\x0B\x0B\x0B\x0B" },
431 { "Jefe" },
432 { "\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA"
433 "\xAA\xAA\xAA\xAA" },
434 { "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F\x10"
435 "\x11\x12\x13\x14\x15\x16\x17\x18\x19" },
436 { "\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C"
437 "\x0C\x0C\x0C\x0C" },
438 { "" }, /* 0xAA 80 times */
439 { "" }
440 };
441
442 static const int sha1_hmac_test_keylen[7] =
443 {
444 20, 4, 20, 25, 20, 80, 80
445 };
446
447 static unsigned char sha1_hmac_test_buf[7][74] =
448 {
449 { "Hi There" },
450 { "what do ya want for nothing?" },
451 { "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
452 "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
453 "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
454 "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
455 "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD" },
456 { "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"
457 "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"
458 "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"
459 "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"
460 "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD" },
461 { "Test With Truncation" },
462 { "Test Using Larger Than Block-Size Key - Hash Key First" },
463 { "Test Using Larger Than Block-Size Key and Larger"
464 " Than One Block-Size Data" }
465 };
466
467 static const int sha1_hmac_test_buflen[7] =
468 {
469 8, 28, 50, 50, 20, 54, 73
470 };
471
472 static const unsigned char sha1_hmac_test_sum[7][20] =
473 {
474 { 0xB6, 0x17, 0x31, 0x86, 0x55, 0x05, 0x72, 0x64, 0xE2, 0x8B,
475 0xC0, 0xB6, 0xFB, 0x37, 0x8C, 0x8E, 0xF1, 0x46, 0xBE, 0x00 },
476 { 0xEF, 0xFC, 0xDF, 0x6A, 0xE5, 0xEB, 0x2F, 0xA2, 0xD2, 0x74,
477 0x16, 0xD5, 0xF1, 0x84, 0xDF, 0x9C, 0x25, 0x9A, 0x7C, 0x79 },
478 { 0x12, 0x5D, 0x73, 0x42, 0xB9, 0xAC, 0x11, 0xCD, 0x91, 0xA3,
479 0x9A, 0xF4, 0x8A, 0xA1, 0x7B, 0x4F, 0x63, 0xF1, 0x75, 0xD3 },
480 { 0x4C, 0x90, 0x07, 0xF4, 0x02, 0x62, 0x50, 0xC6, 0xBC, 0x84,
481 0x14, 0xF9, 0xBF, 0x50, 0xC8, 0x6C, 0x2D, 0x72, 0x35, 0xDA },
482 { 0x4C, 0x1A, 0x03, 0x42, 0x4B, 0x55, 0xE0, 0x7F, 0xE7, 0xF2,
483 0x7B, 0xE1 },
484 { 0xAA, 0x4A, 0xE5, 0xE1, 0x52, 0x72, 0xD0, 0x0E, 0x95, 0x70,
485 0x56, 0x37, 0xCE, 0x8A, 0x3B, 0x55, 0xED, 0x40, 0x21, 0x12 },
486 { 0xE8, 0xE9, 0x9D, 0x0F, 0x45, 0x23, 0x7D, 0x78, 0x6D, 0x6B,
487 0xBA, 0xA7, 0x96, 0x5C, 0x78, 0x08, 0xBB, 0xFF, 0x1A, 0x91 }
488 };
489
490 /*
491 * Checkup routine
492 */
sha1_self_test(int verbose)493 int sha1_self_test( int verbose )
494 {
495 int i, j, buflen;
496 unsigned char buf[1024];
497 unsigned char sha1sum[20];
498 sha1_context ctx;
499
500 /*
501 * SHA-1
502 */
503 for( i = 0; i < 3; i++ )
504 {
505 if( verbose != 0 )
506 printf( " SHA-1 test #%d: ", i + 1 );
507
508 sha1_starts( &ctx );
509
510 if( i == 2 )
511 {
512 memset( buf, 'a', buflen = 1000 );
513
514 for( j = 0; j < 1000; j++ )
515 sha1_update( &ctx, buf, buflen );
516 }
517 else
518 sha1_update( &ctx, sha1_test_buf[i],
519 sha1_test_buflen[i] );
520
521 sha1_finish( &ctx, sha1sum );
522
523 if( memcmp( sha1sum, sha1_test_sum[i], 20 ) != 0 )
524 {
525 if( verbose != 0 )
526 printf( "failed\n" );
527
528 return( 1 );
529 }
530
531 if( verbose != 0 )
532 printf( "passed\n" );
533 }
534
535 if( verbose != 0 )
536 printf( "\n" );
537
538 for( i = 0; i < 7; i++ )
539 {
540 if( verbose != 0 )
541 printf( " HMAC-SHA-1 test #%d: ", i + 1 );
542
543 if( i == 5 || i == 6 )
544 {
545 memset( buf, '\xAA', buflen = 80 );
546 sha1_hmac_starts( &ctx, buf, buflen );
547 }
548 else
549 sha1_hmac_starts( &ctx, sha1_hmac_test_key[i],
550 sha1_hmac_test_keylen[i] );
551
552 sha1_hmac_update( &ctx, sha1_hmac_test_buf[i],
553 sha1_hmac_test_buflen[i] );
554
555 sha1_hmac_finish( &ctx, sha1sum );
556
557 buflen = ( i == 4 ) ? 12 : 20;
558
559 if( memcmp( sha1sum, sha1_hmac_test_sum[i], buflen ) != 0 )
560 {
561 if( verbose != 0 )
562 printf( "failed\n" );
563
564 return( 1 );
565 }
566
567 if( verbose != 0 )
568 printf( "passed\n" );
569 }
570
571 if( verbose != 0 )
572 printf( "\n" );
573
574 return( 0 );
575 }
576
577 #endif
578
579 //#endif
580