1/*
2 * SHA1 hash implementation and interface functions
3 * Copyright (c) 2003-2005, Jouni Malinen <j@w1.fi>
4 *
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation.
8 *
9 * Alternatively, this software may be distributed under the terms of BSD
10 * license.
11 *
12 * See README and COPYING for more details.
13 */
14
15#include "includes.h"
16
17#include "common.h"
18#include "sha1.h"
19#include "sha1_i.h"
20#include "md5.h"
21#include "crypto.h"
22
23typedef struct SHA1Context SHA1_CTX;
24
25void SHA1Transform(u32 state[5], const unsigned char buffer[64]);
26
27
28/**
29 * sha1_vector - SHA-1 hash for data vector
30 * @num_elem: Number of elements in the data vector
31 * @addr: Pointers to the data areas
32 * @len: Lengths of the data blocks
33 * @mac: Buffer for the hash
34 * Returns: 0 on success, -1 of failure
35 */
36int sha1_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac)
37{
38	SHA1_CTX ctx;
39	size_t i;
40
41	SHA1Init(&ctx);
42	for (i = 0; i < num_elem; i++)
43		SHA1Update(&ctx, addr[i], len[i]);
44	SHA1Final(mac, &ctx);
45	return 0;
46}
47
48
49/* ===== start - public domain SHA1 implementation ===== */
50
51/*
52SHA-1 in C
53By Steve Reid <sreid@sea-to-sky.net>
54100% Public Domain
55
56-----------------
57Modified 7/98
58By James H. Brown <jbrown@burgoyne.com>
59Still 100% Public Domain
60
61Corrected a problem which generated improper hash values on 16 bit machines
62Routine SHA1Update changed from
63	void SHA1Update(SHA1_CTX* context, unsigned char* data, unsigned int
64len)
65to
66	void SHA1Update(SHA1_CTX* context, unsigned char* data, unsigned
67long len)
68
69The 'len' parameter was declared an int which works fine on 32 bit machines.
70However, on 16 bit machines an int is too small for the shifts being done
71against
72it.  This caused the hash function to generate incorrect values if len was
73greater than 8191 (8K - 1) due to the 'len << 3' on line 3 of SHA1Update().
74
75Since the file IO in main() reads 16K at a time, any file 8K or larger would
76be guaranteed to generate the wrong hash (e.g. Test Vector #3, a million
77"a"s).
78
79I also changed the declaration of variables i & j in SHA1Update to
80unsigned long from unsigned int for the same reason.
81
82These changes should make no difference to any 32 bit implementations since
83an
84int and a long are the same size in those environments.
85
86--
87I also corrected a few compiler warnings generated by Borland C.
881. Added #include <process.h> for exit() prototype
892. Removed unused variable 'j' in SHA1Final
903. Changed exit(0) to return(0) at end of main.
91
92ALL changes I made can be located by searching for comments containing 'JHB'
93-----------------
94Modified 8/98
95By Steve Reid <sreid@sea-to-sky.net>
96Still 100% public domain
97
981- Removed #include <process.h> and used return() instead of exit()
992- Fixed overwriting of finalcount in SHA1Final() (discovered by Chris Hall)
1003- Changed email address from steve@edmweb.com to sreid@sea-to-sky.net
101
102-----------------
103Modified 4/01
104By Saul Kravitz <Saul.Kravitz@celera.com>
105Still 100% PD
106Modified to run on Compaq Alpha hardware.
107
108-----------------
109Modified 4/01
110By Jouni Malinen <j@w1.fi>
111Minor changes to match the coding style used in Dynamics.
112
113Modified September 24, 2004
114By Jouni Malinen <j@w1.fi>
115Fixed alignment issue in SHA1Transform when SHA1HANDSOFF is defined.
116
117*/
118
119/*
120Test Vectors (from FIPS PUB 180-1)
121"abc"
122  A9993E36 4706816A BA3E2571 7850C26C 9CD0D89D
123"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"
124  84983E44 1C3BD26E BAAE4AA1 F95129E5 E54670F1
125A million repetitions of "a"
126  34AA973C D4C4DAA4 F61EEB2B DBAD2731 6534016F
127*/
128
129#define SHA1HANDSOFF
130
131#define rol(value, bits) (((value) << (bits)) | ((value) >> (32 - (bits))))
132
133/* blk0() and blk() perform the initial expand. */
134/* I got the idea of expanding during the round function from SSLeay */
135#ifndef WORDS_BIGENDIAN
136#define blk0(i) (block->l[i] = (rol(block->l[i], 24) & 0xFF00FF00) | \
137	(rol(block->l[i], 8) & 0x00FF00FF))
138#else
139#define blk0(i) block->l[i]
140#endif
141#define blk(i) (block->l[i & 15] = rol(block->l[(i + 13) & 15] ^ \
142	block->l[(i + 8) & 15] ^ block->l[(i + 2) & 15] ^ block->l[i & 15], 1))
143
144/* (R0+R1), R2, R3, R4 are the different operations used in SHA1 */
145#define R0(v,w,x,y,z,i) \
146	z += ((w & (x ^ y)) ^ y) + blk0(i) + 0x5A827999 + rol(v, 5); \
147	w = rol(w, 30);
148#define R1(v,w,x,y,z,i) \
149	z += ((w & (x ^ y)) ^ y) + blk(i) + 0x5A827999 + rol(v, 5); \
150	w = rol(w, 30);
151#define R2(v,w,x,y,z,i) \
152	z += (w ^ x ^ y) + blk(i) + 0x6ED9EBA1 + rol(v, 5); w = rol(w, 30);
153#define R3(v,w,x,y,z,i) \
154	z += (((w | x) & y) | (w & x)) + blk(i) + 0x8F1BBCDC + rol(v, 5); \
155	w = rol(w, 30);
156#define R4(v,w,x,y,z,i) \
157	z += (w ^ x ^ y) + blk(i) + 0xCA62C1D6 + rol(v, 5); \
158	w=rol(w, 30);
159
160
161#ifdef VERBOSE  /* SAK */
162void SHAPrintContext(SHA1_CTX *context, char *msg)
163{
164	printf("%s (%d,%d) %x %x %x %x %x\n",
165	       msg,
166	       context->count[0], context->count[1],
167	       context->state[0],
168	       context->state[1],
169	       context->state[2],
170	       context->state[3],
171	       context->state[4]);
172}
173#endif
174
175/* Hash a single 512-bit block. This is the core of the algorithm. */
176
177void SHA1Transform(u32 state[5], const unsigned char buffer[64])
178{
179	u32 a, b, c, d, e;
180	typedef union {
181		unsigned char c[64];
182		u32 l[16];
183	} CHAR64LONG16;
184	CHAR64LONG16* block;
185#ifdef SHA1HANDSOFF
186	CHAR64LONG16 workspace;
187	block = &workspace;
188	os_memcpy(block, buffer, 64);
189#else
190	block = (CHAR64LONG16 *) buffer;
191#endif
192	/* Copy context->state[] to working vars */
193	a = state[0];
194	b = state[1];
195	c = state[2];
196	d = state[3];
197	e = state[4];
198	/* 4 rounds of 20 operations each. Loop unrolled. */
199	R0(a,b,c,d,e, 0); R0(e,a,b,c,d, 1); R0(d,e,a,b,c, 2); R0(c,d,e,a,b, 3);
200	R0(b,c,d,e,a, 4); R0(a,b,c,d,e, 5); R0(e,a,b,c,d, 6); R0(d,e,a,b,c, 7);
201	R0(c,d,e,a,b, 8); R0(b,c,d,e,a, 9); R0(a,b,c,d,e,10); R0(e,a,b,c,d,11);
202	R0(d,e,a,b,c,12); R0(c,d,e,a,b,13); R0(b,c,d,e,a,14); R0(a,b,c,d,e,15);
203	R1(e,a,b,c,d,16); R1(d,e,a,b,c,17); R1(c,d,e,a,b,18); R1(b,c,d,e,a,19);
204	R2(a,b,c,d,e,20); R2(e,a,b,c,d,21); R2(d,e,a,b,c,22); R2(c,d,e,a,b,23);
205	R2(b,c,d,e,a,24); R2(a,b,c,d,e,25); R2(e,a,b,c,d,26); R2(d,e,a,b,c,27);
206	R2(c,d,e,a,b,28); R2(b,c,d,e,a,29); R2(a,b,c,d,e,30); R2(e,a,b,c,d,31);
207	R2(d,e,a,b,c,32); R2(c,d,e,a,b,33); R2(b,c,d,e,a,34); R2(a,b,c,d,e,35);
208	R2(e,a,b,c,d,36); R2(d,e,a,b,c,37); R2(c,d,e,a,b,38); R2(b,c,d,e,a,39);
209	R3(a,b,c,d,e,40); R3(e,a,b,c,d,41); R3(d,e,a,b,c,42); R3(c,d,e,a,b,43);
210	R3(b,c,d,e,a,44); R3(a,b,c,d,e,45); R3(e,a,b,c,d,46); R3(d,e,a,b,c,47);
211	R3(c,d,e,a,b,48); R3(b,c,d,e,a,49); R3(a,b,c,d,e,50); R3(e,a,b,c,d,51);
212	R3(d,e,a,b,c,52); R3(c,d,e,a,b,53); R3(b,c,d,e,a,54); R3(a,b,c,d,e,55);
213	R3(e,a,b,c,d,56); R3(d,e,a,b,c,57); R3(c,d,e,a,b,58); R3(b,c,d,e,a,59);
214	R4(a,b,c,d,e,60); R4(e,a,b,c,d,61); R4(d,e,a,b,c,62); R4(c,d,e,a,b,63);
215	R4(b,c,d,e,a,64); R4(a,b,c,d,e,65); R4(e,a,b,c,d,66); R4(d,e,a,b,c,67);
216	R4(c,d,e,a,b,68); R4(b,c,d,e,a,69); R4(a,b,c,d,e,70); R4(e,a,b,c,d,71);
217	R4(d,e,a,b,c,72); R4(c,d,e,a,b,73); R4(b,c,d,e,a,74); R4(a,b,c,d,e,75);
218	R4(e,a,b,c,d,76); R4(d,e,a,b,c,77); R4(c,d,e,a,b,78); R4(b,c,d,e,a,79);
219	/* Add the working vars back into context.state[] */
220	state[0] += a;
221	state[1] += b;
222	state[2] += c;
223	state[3] += d;
224	state[4] += e;
225	/* Wipe variables */
226	a = b = c = d = e = 0;
227#ifdef SHA1HANDSOFF
228	os_memset(block, 0, 64);
229#endif
230}
231
232
233/* SHA1Init - Initialize new context */
234
235void SHA1Init(SHA1_CTX* context)
236{
237	/* SHA1 initialization constants */
238	context->state[0] = 0x67452301;
239	context->state[1] = 0xEFCDAB89;
240	context->state[2] = 0x98BADCFE;
241	context->state[3] = 0x10325476;
242	context->state[4] = 0xC3D2E1F0;
243	context->count[0] = context->count[1] = 0;
244}
245
246
247/* Run your data through this. */
248
249void SHA1Update(SHA1_CTX* context, const void *_data, u32 len)
250{
251	u32 i, j;
252	const unsigned char *data = _data;
253
254#ifdef VERBOSE
255	SHAPrintContext(context, "before");
256#endif
257	j = (context->count[0] >> 3) & 63;
258	if ((context->count[0] += len << 3) < (len << 3))
259		context->count[1]++;
260	context->count[1] += (len >> 29);
261	if ((j + len) > 63) {
262		os_memcpy(&context->buffer[j], data, (i = 64-j));
263		SHA1Transform(context->state, context->buffer);
264		for ( ; i + 63 < len; i += 64) {
265			SHA1Transform(context->state, &data[i]);
266		}
267		j = 0;
268	}
269	else i = 0;
270	os_memcpy(&context->buffer[j], &data[i], len - i);
271#ifdef VERBOSE
272	SHAPrintContext(context, "after ");
273#endif
274}
275
276
277/* Add padding and return the message digest. */
278
279void SHA1Final(unsigned char digest[20], SHA1_CTX* context)
280{
281	u32 i;
282	unsigned char finalcount[8];
283
284	for (i = 0; i < 8; i++) {
285		finalcount[i] = (unsigned char)
286			((context->count[(i >= 4 ? 0 : 1)] >>
287			  ((3-(i & 3)) * 8) ) & 255);  /* Endian independent */
288	}
289	SHA1Update(context, (unsigned char *) "\200", 1);
290	while ((context->count[0] & 504) != 448) {
291		SHA1Update(context, (unsigned char *) "\0", 1);
292	}
293	SHA1Update(context, finalcount, 8);  /* Should cause a SHA1Transform()
294					      */
295	for (i = 0; i < 20; i++) {
296		digest[i] = (unsigned char)
297			((context->state[i >> 2] >> ((3 - (i & 3)) * 8)) &
298			 255);
299	}
300	/* Wipe variables */
301	i = 0;
302	os_memset(context->buffer, 0, 64);
303	os_memset(context->state, 0, 20);
304	os_memset(context->count, 0, 8);
305	os_memset(finalcount, 0, 8);
306}
307
308/* ===== end - public domain SHA1 implementation ===== */
309