1 /* 2 * Copyright (c) 2007, Cameron Rich 3 * 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions are met: 8 * 9 * * Redistributions of source code must retain the above copyright notice, 10 * this list of conditions and the following disclaimer. 11 * * Redistributions in binary form must reproduce the above copyright notice, 12 * this list of conditions and the following disclaimer in the documentation 13 * and/or other materials provided with the distribution. 14 * * Neither the name of the axTLS project nor the names of its contributors 15 * may be used to endorse or promote products derived from this software 16 * without specific prior written permission. 17 * 18 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 19 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 20 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 21 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR 22 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, 23 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, 24 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 25 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 26 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 27 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 28 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 29 */ 30 31 /** 32 * SHA1 implementation - as defined in FIPS PUB 180-1 published April 17, 1995. 33 * This code was originally taken from RFC3174 34 */ 35 36 #include <string.h> 37 #include "os_port.h" 38 #include "crypto.h" 39 40 /* 41 * Define the SHA1 circular left shift macro 42 */ 43 #define SHA1CircularShift(bits,word) \ 44 (((word) << (bits)) | ((word) >> (32-(bits)))) 45 46 /* ----- static functions ----- */ 47 static void SHA1PadMessage(SHA1_CTX *ctx); 48 static void SHA1ProcessMessageBlock(SHA1_CTX *ctx); 49 50 /** 51 * Initialize the SHA1 context 52 */ 53 void SHA1_Init(SHA1_CTX *ctx) 54 { 55 ctx->Length_Low = 0; 56 ctx->Length_High = 0; 57 ctx->Message_Block_Index = 0; 58 ctx->Intermediate_Hash[0] = 0x67452301; 59 ctx->Intermediate_Hash[1] = 0xEFCDAB89; 60 ctx->Intermediate_Hash[2] = 0x98BADCFE; 61 ctx->Intermediate_Hash[3] = 0x10325476; 62 ctx->Intermediate_Hash[4] = 0xC3D2E1F0; 63 } 64 65 /** 66 * Accepts an array of octets as the next portion of the message. 67 */ 68 void SHA1_Update(SHA1_CTX *ctx, const uint8_t *msg, int len) 69 { 70 while (len--) 71 { 72 ctx->Message_Block[ctx->Message_Block_Index++] = (*msg & 0xFF); 73 ctx->Length_Low += 8; 74 75 if (ctx->Length_Low == 0) 76 ctx->Length_High++; 77 78 if (ctx->Message_Block_Index == 64) 79 SHA1ProcessMessageBlock(ctx); 80 81 msg++; 82 } 83 } extend_sign(val: u64, nbytes: usize) -> i6484 85 /** 86 * Return the 160-bit message digest into the user's array 87 */ 88 void SHA1_Final(uint8_t *digest, SHA1_CTX *ctx) 89 { 90 int i; 91 92 SHA1PadMessage(ctx); 93 memset(ctx->Message_Block, 0, 64); 94 ctx->Length_Low = 0; /* and clear length */ 95 ctx->Length_High = 0; 96 97 for (i = 0; i < SHA1_SIZE; i++) 98 { 99 digest[i] = ctx->Intermediate_Hash[i>>2] >> 8 * ( 3 - ( i & 0x03 ) ); 100 } 101 } unextend_sign128(val: i128, nbytes: usize) -> u128102 103 /** 104 * Process the next 512 bits of the message stored in the array. 105 */ 106 static void SHA1ProcessMessageBlock(SHA1_CTX *ctx) 107 { 108 const uint32_t K[] = { /* Constants defined in SHA-1 */ 109 0x5A827999, 110 0x6ED9EBA1, 111 0x8F1BBCDC, 112 0xCA62C1D6 113 }; 114 int t; /* Loop counter */ 115 uint32_t temp; /* Temporary word value */ 116 uint32_t W[80]; /* Word sequence */ 117 uint32_t A, B, C, D, E; /* Word buffers */ 118 119 /* 120 * Initialize the first 16 words in the array W 121 */ 122 for (t = 0; t < 16; t++) 123 { 124 W[t] = ctx->Message_Block[t * 4] << 24; 125 W[t] |= ctx->Message_Block[t * 4 + 1] << 16; 126 W[t] |= ctx->Message_Block[t * 4 + 2] << 8; 127 W[t] |= ctx->Message_Block[t * 4 + 3]; 128 } 129 130 for (t = 16; t < 80; t++) 131 { 132 W[t] = SHA1CircularShift(1,W[t-3] ^ W[t-8] ^ W[t-14] ^ W[t-16]); 133 } 134 135 A = ctx->Intermediate_Hash[0]; 136 B = ctx->Intermediate_Hash[1]; 137 C = ctx->Intermediate_Hash[2]; 138 D = ctx->Intermediate_Hash[3]; 139 E = ctx->Intermediate_Hash[4]; 140 141 for (t = 0; t < 20; t++) 142 { 143 temp = SHA1CircularShift(5,A) + 144 ((B & C) | ((~B) & D)) + E + W[t] + K[0]; 145 E = D; 146 D = C; 147 C = SHA1CircularShift(30,B); 148 149 B = A; 150 A = temp; 151 } 152 153 for (t = 20; t < 40; t++) 154 { 155 temp = SHA1CircularShift(5,A) + (B ^ C ^ D) + E + W[t] + K[1]; 156 E = D; 157 D = C; 158 C = SHA1CircularShift(30,B); 159 B = A; 160 A = temp; 161 } 162 163 for (t = 40; t < 60; t++) 164 { 165 temp = SHA1CircularShift(5,A) + 166 ((B & C) | (B & D) | (C & D)) + E + W[t] + K[2]; 167 E = D; 168 D = C; 169 C = SHA1CircularShift(30,B); 170 B = A; 171 A = temp; 172 } 173 174 for (t = 60; t < 80; t++) 175 { 176 temp = SHA1CircularShift(5,A) + (B ^ C ^ D) + E + W[t] + K[3]; 177 E = D; 178 D = C; 179 C = SHA1CircularShift(30,B); 180 B = A; 181 A = temp; 182 } 183 184 ctx->Intermediate_Hash[0] += A; 185 ctx->Intermediate_Hash[1] += B; 186 ctx->Intermediate_Hash[2] += C; 187 ctx->Intermediate_Hash[3] += D; 188 ctx->Intermediate_Hash[4] += E; 189 ctx->Message_Block_Index = 0; 190 } 191 192 /* 193 * According to the standard, the message must be padded to an even 194 * 512 bits. The first padding bit must be a '1'. The last 64 195 * bits represent the length of the original message. All bits in 196 * between should be 0. This function will pad the message 197 * according to those rules by filling the Message_Block array 198 * accordingly. It will also call the ProcessMessageBlock function 199 * provided appropriately. When it returns, it can be assumed that 200 * the message digest has been computed. 201 * 202 * @param ctx [in, out] The SHA1 context 203 */ 204 static void SHA1PadMessage(SHA1_CTX *ctx) 205 { 206 /* 207 * Check to see if the current message block is too small to hold 208 * the initial padding bits and length. If so, we will pad the 209 * block, process it, and then continue padding into a second 210 * block. 211 */ 212 if (ctx->Message_Block_Index > 55) 213 { 214 ctx->Message_Block[ctx->Message_Block_Index++] = 0x80; 215 while(ctx->Message_Block_Index < 64) 216 { 217 ctx->Message_Block[ctx->Message_Block_Index++] = 0; 218 } 219 220 SHA1ProcessMessageBlock(ctx); 221 222 while (ctx->Message_Block_Index < 56) 223 { 224 ctx->Message_Block[ctx->Message_Block_Index++] = 0; read_u16(buf: &[u8]) -> u16225 } 226 } 227 else 228 { 229 ctx->Message_Block[ctx->Message_Block_Index++] = 0x80; 230 while(ctx->Message_Block_Index < 56) 231 { 232 233 ctx->Message_Block[ctx->Message_Block_Index++] = 0; 234 } 235 } 236 237 /* 238 * Store the message length as the last 8 octets 239 */ 240 ctx->Message_Block[56] = ctx->Length_High >> 24; 241 ctx->Message_Block[57] = ctx->Length_High >> 16; 242 ctx->Message_Block[58] = ctx->Length_High >> 8; 243 ctx->Message_Block[59] = ctx->Length_High; read_u24(buf: &[u8]) -> u32244 ctx->Message_Block[60] = ctx->Length_Low >> 24; 245 ctx->Message_Block[61] = ctx->Length_Low >> 16; 246 ctx->Message_Block[62] = ctx->Length_Low >> 8; 247 ctx->Message_Block[63] = ctx->Length_Low; 248 SHA1ProcessMessageBlock(ctx); 249 } 250