1 /* ===================================================================
2 *
3 * Copyright (c) 2018, Helder Eijs <helderijs@gmail.com>
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in
14 * the documentation and/or other materials provided with the
15 * distribution.
16 *
17 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
18 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
19 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
20 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
21 * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
22 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
23 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
25 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
26 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
27 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
28 * POSSIBILITY OF SUCH DAMAGE.
29 * ===================================================================
30 */
31
32 #include <stdio.h>
33 #include "common.h"
34 #include "endianess.h"
35
36 FAKE_INIT(SHA1)
37
38 /**
39 * SHA-1 as defined in FIPS 180-4 http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf
40 */
41
42 #define CH(x,y,z) ((x & y) ^ (~x & z)) /** 0 <= t <= 19 **/
43 #define PARITY(x,y,z) (x ^ y ^ z) /** 20 <= t <= 39 and 60 <= t <= 79 **/
44 #define MAJ(x,y,z) ((x & y) ^ (x & z) ^ (y & z)) /** 40 <= t <= 59 **/
45
46 #define ROTL1(x) (((x)<<1) | ((x)>>(32-1)))
47 #define ROTL5(x) (((x)<<5) | ((x)>>(32-5)))
48 #define ROTL30(x) (((x)<<30) | ((x)>>(32-30)))
49
50 #define Kx 0x5a827999 /** 0 <= t <= 19 **/
51 #define Ky 0x6ed9eba1 /** 20 <= t <= 39 **/
52 #define Kz 0x8f1bbcdc /** 40 <= t <= 59 **/
53 #define Kw 0xca62c1d6 /** 60 <= t <= 79 **/
54
55 /** Compute and update W[t] for t>=16 **/
56 #define SCHED(t) (W[t&15]=ROTL1(W[(t-3)&15] ^ W[(t-8)&15] ^ W[(t-14)&15] ^ W[t&15]))
57
58 #define ROUND_0_15(t) { \
59 uint32_t T; \
60 T = ROTL5(a) + CH(b,c,d) + e + Kx + W[t]; \
61 e = d; \
62 d = c; \
63 c = ROTL30(b); \
64 b = a; \
65 a = T; }
66
67 #define ROUND_16_19(t) { \
68 uint32_t T; \
69 T = ROTL5(a) + CH(b,c,d) + e + Kx + SCHED(t); \
70 e = d; \
71 d = c; \
72 c = ROTL30(b); \
73 b = a; \
74 a = T; }
75
76 #define ROUND_20_39(t) { \
77 uint32_t T; \
78 T = ROTL5(a) + PARITY(b,c,d) + e + Ky + SCHED(t); \
79 e = d; \
80 d = c; \
81 c = ROTL30(b); \
82 b = a; \
83 a = T; }
84
85 #define ROUND_40_59(t) { \
86 uint32_t T; \
87 T = ROTL5(a) + MAJ(b,c,d) + e + Kz + SCHED(t); \
88 e = d; \
89 d = c; \
90 c = ROTL30(b); \
91 b = a; \
92 a = T; }
93
94 #define ROUND_60_79(t) { \
95 uint32_t T; \
96 T = ROTL5(a) + PARITY(b,c,d) + e + Kw + SCHED(t); \
97 e = d; \
98 d = c; \
99 c = ROTL30(b); \
100 b = a; \
101 a = T; }
102
103 #define BLOCK_SIZE 64
104
105 #define DIGEST_SIZE (160/8)
106
107 typedef struct t_hash_state {
108 uint32_t h[5];
109 uint8_t buf[BLOCK_SIZE]; /** 64 bytes == 512 bits == sixteen 32-bit words **/
110 unsigned curlen; /** Useful message bytes in buf[] (leftmost) **/
111 uint64_t totbits; /** Total message length in bits **/
112 } hash_state;
113
add_bits(hash_state * hs,unsigned bits)114 static int add_bits(hash_state *hs, unsigned bits)
115 {
116 /** Maximum message length for SHA-1 is 2**64 bits **/
117 hs->totbits += bits;
118 return (hs->totbits < bits) ? ERR_MAX_DATA : 0;
119 }
120
sha_compress(hash_state * hs)121 static void sha_compress(hash_state * hs)
122 {
123 uint32_t a, b, c, d, e;
124 uint32_t W[16];
125 int i;
126
127 /** Words flow in in big-endian mode **/
128 for (i=0; i<16; i++) {
129 W[i] = LOAD_U32_BIG(&hs->buf[i*4]);
130 }
131
132 a = hs->h[0];
133 b = hs->h[1];
134 c = hs->h[2];
135 d = hs->h[3];
136 e = hs->h[4];
137
138 /** 0 <= t <= 15 **/
139 ROUND_0_15(0);
140 ROUND_0_15(1);
141 ROUND_0_15(2);
142 ROUND_0_15(3);
143 ROUND_0_15(4);
144 ROUND_0_15(5);
145 ROUND_0_15(6);
146 ROUND_0_15(7);
147 ROUND_0_15(8);
148 ROUND_0_15(9);
149 ROUND_0_15(10);
150 ROUND_0_15(11);
151 ROUND_0_15(12);
152 ROUND_0_15(13);
153 ROUND_0_15(14);
154 ROUND_0_15(15);
155 /** 16 <= t <= 19 **/
156 ROUND_16_19(16);
157 ROUND_16_19(17);
158 ROUND_16_19(18);
159 ROUND_16_19(19);
160 /** 20 <= t <= 39 **/
161 ROUND_20_39(20);
162 ROUND_20_39(21);
163 ROUND_20_39(22);
164 ROUND_20_39(23);
165 ROUND_20_39(24);
166 ROUND_20_39(25);
167 ROUND_20_39(26);
168 ROUND_20_39(27);
169 ROUND_20_39(28);
170 ROUND_20_39(29);
171 ROUND_20_39(30);
172 ROUND_20_39(31);
173 ROUND_20_39(32);
174 ROUND_20_39(33);
175 ROUND_20_39(34);
176 ROUND_20_39(35);
177 ROUND_20_39(36);
178 ROUND_20_39(37);
179 ROUND_20_39(38);
180 ROUND_20_39(39);
181 /** 40 <= t <= 59 **/
182 ROUND_40_59(40);
183 ROUND_40_59(41);
184 ROUND_40_59(42);
185 ROUND_40_59(43);
186 ROUND_40_59(44);
187 ROUND_40_59(45);
188 ROUND_40_59(46);
189 ROUND_40_59(47);
190 ROUND_40_59(48);
191 ROUND_40_59(49);
192 ROUND_40_59(50);
193 ROUND_40_59(51);
194 ROUND_40_59(52);
195 ROUND_40_59(53);
196 ROUND_40_59(54);
197 ROUND_40_59(55);
198 ROUND_40_59(56);
199 ROUND_40_59(57);
200 ROUND_40_59(58);
201 ROUND_40_59(59);
202 /** 60 <= t <= 79 **/
203 ROUND_60_79(60);
204 ROUND_60_79(61);
205 ROUND_60_79(62);
206 ROUND_60_79(63);
207 ROUND_60_79(64);
208 ROUND_60_79(65);
209 ROUND_60_79(66);
210 ROUND_60_79(67);
211 ROUND_60_79(68);
212 ROUND_60_79(69);
213 ROUND_60_79(70);
214 ROUND_60_79(71);
215 ROUND_60_79(72);
216 ROUND_60_79(73);
217 ROUND_60_79(74);
218 ROUND_60_79(75);
219 ROUND_60_79(76);
220 ROUND_60_79(77);
221 ROUND_60_79(78);
222 ROUND_60_79(79);
223
224 /** compute new intermediate hash **/
225 hs->h[0] += a;
226 hs->h[1] += b;
227 hs->h[2] += c;
228 hs->h[3] += d;
229 hs->h[4] += e;
230 }
231
SHA1_init(hash_state ** shaState)232 EXPORT_SYM int SHA1_init(hash_state **shaState)
233 {
234 hash_state *hs;
235
236 if (NULL == shaState) {
237 return ERR_NULL;
238 }
239
240 *shaState = hs = (hash_state*) calloc(1, sizeof(hash_state));
241 if (NULL == hs)
242 return ERR_MEMORY;
243
244 hs->curlen = 0;
245 hs->totbits = 0;
246
247 /** Initial intermediate hash value **/
248 hs->h[0] = 0x67452301;
249 hs->h[1] = 0xefcdab89;
250 hs->h[2] = 0x98badcfe;
251 hs->h[3] = 0x10325476;
252 hs->h[4] = 0xc3d2e1f0;
253
254 return 0;
255 }
256
SHA1_destroy(hash_state * shaState)257 EXPORT_SYM int SHA1_destroy (hash_state *shaState)
258 {
259 free(shaState);
260 return 0;
261 }
262
SHA1_update(hash_state * hs,const uint8_t * buf,size_t len)263 EXPORT_SYM int SHA1_update(hash_state *hs, const uint8_t *buf, size_t len)
264 {
265 if (NULL == hs || NULL == buf) {
266 return ERR_NULL;
267 }
268
269 assert(hs->curlen < BLOCK_SIZE);
270
271 while (len>0) {
272 unsigned btc, left;
273
274 left = BLOCK_SIZE - hs->curlen;
275 btc = (unsigned)MIN(left, len);
276 memcpy(&hs->buf[hs->curlen], buf, btc);
277 buf += btc;
278 hs->curlen += btc;
279 len -= btc;
280
281 if (hs->curlen == BLOCK_SIZE) {
282 sha_compress(hs);
283 hs->curlen = 0;
284 if (add_bits(hs, BLOCK_SIZE*8)) {
285 return ERR_MAX_DATA;
286 }
287 }
288 }
289
290 return 0;
291 }
292
sha_finalize(hash_state * hs,uint8_t * hash)293 static int sha_finalize(hash_state *hs, uint8_t *hash /** [DIGEST_SIZE] **/)
294 {
295 unsigned left, i;
296 uint32_t lo, high;
297
298 assert(hs->curlen < BLOCK_SIZE);
299
300 /* remaining length of the message */
301 if (add_bits(hs, hs->curlen*8)) {
302 return ERR_MAX_DATA;
303 }
304
305 /* append the '1' bit */
306 /* buf[] is guaranteed to have at least 1 byte free */
307 hs->buf[hs->curlen++] = 0x80;
308
309 /** if there are less then 64 bits lef, just pad with zeroes and compress **/
310 left = BLOCK_SIZE - hs->curlen;
311 if (left < 8) {
312 memset(&hs->buf[hs->curlen], 0, left);
313 sha_compress(hs);
314 hs->curlen = 0;
315 }
316
317 /**
318 * pad with zeroes and close the block with the bit length
319 * encoded as 64-bit integer big endian.
320 **/
321 left = BLOCK_SIZE - hs->curlen;
322 memset(&hs->buf[hs->curlen], 0, left);
323 lo = (uint32_t)(hs->totbits >> 32);
324 high = (uint32_t)hs->totbits;
325 STORE_U32_BIG(&hs->buf[BLOCK_SIZE-8], lo);
326 STORE_U32_BIG(&hs->buf[BLOCK_SIZE-4], high);
327
328 /** compress one last time **/
329 sha_compress(hs);
330
331 /** create final hash **/
332 for (i=0; i<5; i++) {
333 STORE_U32_BIG(hash, hs->h[i]);
334 hash += 4;
335 }
336
337 return 0;
338 }
339
SHA1_digest(const hash_state * shaState,uint8_t digest[DIGEST_SIZE])340 EXPORT_SYM int SHA1_digest(const hash_state *shaState, uint8_t digest[DIGEST_SIZE])
341 {
342 hash_state temp;
343
344 if (NULL == shaState) {
345 return ERR_NULL;
346 }
347
348 temp = *shaState;
349 sha_finalize(&temp, digest);
350 return 0;
351 }
352
SHA1_copy(const hash_state * src,hash_state * dst)353 EXPORT_SYM int SHA1_copy(const hash_state *src, hash_state *dst)
354 {
355 if (NULL == src || NULL == dst) {
356 return ERR_NULL;
357 }
358
359 *dst = *src;
360 return 0;
361 }
362
363 /**
364 * This is a specialized function to efficiently perform the inner loop of PBKDF2-HMAC.
365 *
366 * - inner, the hash after the inner padded secret has been absorbed
367 * - outer, the hash after the outer padded secret has been absorbed
368 * - first_hmac, the output of the first HMAC iteration (with salt and counter)
369 * - result, the XOR of the HMACs from all iterations
370 * - iterations, the total number of PBKDF2 iterations (>0)
371 *
372 * This function does not change the state of either hash.
373 */
SHA1_pbkdf2_hmac_assist(const hash_state * inner,const hash_state * outer,const uint8_t first_hmac[DIGEST_SIZE],uint8_t result[DIGEST_SIZE],size_t iterations)374 EXPORT_SYM int SHA1_pbkdf2_hmac_assist(const hash_state *inner, const hash_state *outer,
375 const uint8_t first_hmac[DIGEST_SIZE],
376 uint8_t result[DIGEST_SIZE],
377 size_t iterations)
378 {
379 hash_state inner_temp, outer_temp;
380 size_t i;
381 uint8_t last_hmac[DIGEST_SIZE];
382
383 if (NULL == inner || NULL == outer || NULL == first_hmac || NULL == result) {
384 return ERR_NULL;
385 }
386
387 if (iterations == 0) {
388 return ERR_NR_ROUNDS;
389 }
390
391 memcpy(result, first_hmac, DIGEST_SIZE);
392 memcpy(last_hmac, first_hmac, DIGEST_SIZE);
393
394 for (i=1; i<iterations; i++) {
395 int j;
396
397 inner_temp = *inner;
398 outer_temp = *outer;
399
400 SHA1_update(&inner_temp, last_hmac, DIGEST_SIZE);
401 sha_finalize(&inner_temp, last_hmac);
402
403 /** last_hmac is now the intermediate digest **/
404
405 SHA1_update(&outer_temp, last_hmac, DIGEST_SIZE);
406 sha_finalize(&outer_temp, last_hmac);
407
408 for (j=0; j<DIGEST_SIZE; j++) {
409 result[j] ^= last_hmac[j];
410 }
411 }
412
413 return 0;
414 }
415
416 #ifdef MAIN
main(void)417 int main(void)
418 {
419 hash_state *hs;
420 const uint8_t tv[] = "The quick brown fox jumps over the lazy dog";
421 uint8_t result[DIGEST_SIZE];
422 int i;
423
424 SHA1_init(&hs);
425 SHA1_update(hs, tv, sizeof tv - 1);
426 SHA1_digest(hs, result);
427 SHA1_destroy(hs);
428
429 for (i=0; i<sizeof result; i++) {
430 printf("%02X", result[i]);
431 }
432 printf("\n");
433
434 SHA1_init(&hs);
435 SHA1_digest(hs, result);
436 SHA1_destroy(hs);
437
438 for (i=0; i<sizeof result; i++) {
439 printf("%02X", result[i]);
440 }
441 printf("\n");
442
443 SHA1_init(&hs);
444 for (i=0; i<10000000; i++) {
445 SHA1_update(hs, tv, sizeof tv - 1);
446 }
447 SHA1_destroy(hs);
448
449 printf("\n");
450 }
451 #endif
452