1/* 2 * SHA1 hash implementation and interface functions 3 * Copyright (c) 2003-2005, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9#include "includes.h" 10 11#include "common.h" 12#include "sha1.h" 13#include "sha1_i.h" 14#include "md5.h" 15#include "crypto.h" 16 17typedef struct SHA1Context SHA1_CTX; 18 19void SHA1Transform(u32 state[5], const unsigned char buffer[64]); 20 21 22#ifdef CONFIG_CRYPTO_INTERNAL 23/** 24 * sha1_vector - SHA-1 hash for data vector 25 * @num_elem: Number of elements in the data vector 26 * @addr: Pointers to the data areas 27 * @len: Lengths of the data blocks 28 * @mac: Buffer for the hash 29 * Returns: 0 on success, -1 of failure 30 */ 31int sha1_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac) 32{ 33 SHA1_CTX ctx; 34 size_t i; 35 36 SHA1Init(&ctx); 37 for (i = 0; i < num_elem; i++) 38 SHA1Update(&ctx, addr[i], len[i]); 39 SHA1Final(mac, &ctx); 40 return 0; 41} 42#endif /* CONFIG_CRYPTO_INTERNAL */ 43 44 45/* ===== start - public domain SHA1 implementation ===== */ 46 47/* 48SHA-1 in C 49By Steve Reid <sreid@sea-to-sky.net> 50100% Public Domain 51 52----------------- 53Modified 7/98 54By James H. Brown <jbrown@burgoyne.com> 55Still 100% Public Domain 56 57Corrected a problem which generated improper hash values on 16 bit machines 58Routine SHA1Update changed from 59 void SHA1Update(SHA1_CTX* context, unsigned char* data, unsigned int 60len) 61to 62 void SHA1Update(SHA1_CTX* context, unsigned char* data, unsigned 63long len) 64 65The 'len' parameter was declared an int which works fine on 32 bit machines. 66However, on 16 bit machines an int is too small for the shifts being done 67against 68it. This caused the hash function to generate incorrect values if len was 69greater than 8191 (8K - 1) due to the 'len << 3' on line 3 of SHA1Update(). 70 71Since the file IO in main() reads 16K at a time, any file 8K or larger would 72be guaranteed to generate the wrong hash (e.g. Test Vector #3, a million 73"a"s). 74 75I also changed the declaration of variables i & j in SHA1Update to 76unsigned long from unsigned int for the same reason. 77 78These changes should make no difference to any 32 bit implementations since 79an 80int and a long are the same size in those environments. 81 82-- 83I also corrected a few compiler warnings generated by Borland C. 841. Added #include <process.h> for exit() prototype 852. Removed unused variable 'j' in SHA1Final 863. Changed exit(0) to return(0) at end of main. 87 88ALL changes I made can be located by searching for comments containing 'JHB' 89----------------- 90Modified 8/98 91By Steve Reid <sreid@sea-to-sky.net> 92Still 100% public domain 93 941- Removed #include <process.h> and used return() instead of exit() 952- Fixed overwriting of finalcount in SHA1Final() (discovered by Chris Hall) 963- Changed email address from steve@edmweb.com to sreid@sea-to-sky.net 97 98----------------- 99Modified 4/01 100By Saul Kravitz <Saul.Kravitz@celera.com> 101Still 100% PD 102Modified to run on Compaq Alpha hardware. 103 104----------------- 105Modified 4/01 106By Jouni Malinen <j@w1.fi> 107Minor changes to match the coding style used in Dynamics. 108 109Modified September 24, 2004 110By Jouni Malinen <j@w1.fi> 111Fixed alignment issue in SHA1Transform when SHA1HANDSOFF is defined. 112 113*/ 114 115/* 116Test Vectors (from FIPS PUB 180-1) 117"abc" 118 A9993E36 4706816A BA3E2571 7850C26C 9CD0D89D 119"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" 120 84983E44 1C3BD26E BAAE4AA1 F95129E5 E54670F1 121A million repetitions of "a" 122 34AA973C D4C4DAA4 F61EEB2B DBAD2731 6534016F 123*/ 124 125#define SHA1HANDSOFF 126 127#define rol(value, bits) (((value) << (bits)) | ((value) >> (32 - (bits)))) 128 129/* blk0() and blk() perform the initial expand. */ 130/* I got the idea of expanding during the round function from SSLeay */ 131#ifndef WORDS_BIGENDIAN 132#define blk0(i) (block->l[i] = (rol(block->l[i], 24) & 0xFF00FF00) | \ 133 (rol(block->l[i], 8) & 0x00FF00FF)) 134#else 135#define blk0(i) block->l[i] 136#endif 137#define blk(i) (block->l[i & 15] = rol(block->l[(i + 13) & 15] ^ \ 138 block->l[(i + 8) & 15] ^ block->l[(i + 2) & 15] ^ block->l[i & 15], 1)) 139 140/* (R0+R1), R2, R3, R4 are the different operations used in SHA1 */ 141#define R0(v,w,x,y,z,i) \ 142 z += ((w & (x ^ y)) ^ y) + blk0(i) + 0x5A827999 + rol(v, 5); \ 143 w = rol(w, 30); 144#define R1(v,w,x,y,z,i) \ 145 z += ((w & (x ^ y)) ^ y) + blk(i) + 0x5A827999 + rol(v, 5); \ 146 w = rol(w, 30); 147#define R2(v,w,x,y,z,i) \ 148 z += (w ^ x ^ y) + blk(i) + 0x6ED9EBA1 + rol(v, 5); w = rol(w, 30); 149#define R3(v,w,x,y,z,i) \ 150 z += (((w | x) & y) | (w & x)) + blk(i) + 0x8F1BBCDC + rol(v, 5); \ 151 w = rol(w, 30); 152#define R4(v,w,x,y,z,i) \ 153 z += (w ^ x ^ y) + blk(i) + 0xCA62C1D6 + rol(v, 5); \ 154 w=rol(w, 30); 155 156 157#ifdef VERBOSE /* SAK */ 158void SHAPrintContext(SHA1_CTX *context, char *msg) 159{ 160 printf("%s (%d,%d) %x %x %x %x %x\n", 161 msg, 162 context->count[0], context->count[1], 163 context->state[0], 164 context->state[1], 165 context->state[2], 166 context->state[3], 167 context->state[4]); 168} 169#endif 170 171/* Hash a single 512-bit block. This is the core of the algorithm. */ 172 173void SHA1Transform(u32 state[5], const unsigned char buffer[64]) 174{ 175 u32 a, b, c, d, e; 176 typedef union { 177 unsigned char c[64]; 178 u32 l[16]; 179 } CHAR64LONG16; 180 CHAR64LONG16* block; 181#ifdef SHA1HANDSOFF 182 CHAR64LONG16 workspace; 183 block = &workspace; 184 os_memcpy(block, buffer, 64); 185#else 186 block = (CHAR64LONG16 *) buffer; 187#endif 188 /* Copy context->state[] to working vars */ 189 a = state[0]; 190 b = state[1]; 191 c = state[2]; 192 d = state[3]; 193 e = state[4]; 194 /* 4 rounds of 20 operations each. Loop unrolled. */ 195 R0(a,b,c,d,e, 0); R0(e,a,b,c,d, 1); R0(d,e,a,b,c, 2); R0(c,d,e,a,b, 3); 196 R0(b,c,d,e,a, 4); R0(a,b,c,d,e, 5); R0(e,a,b,c,d, 6); R0(d,e,a,b,c, 7); 197 R0(c,d,e,a,b, 8); R0(b,c,d,e,a, 9); R0(a,b,c,d,e,10); R0(e,a,b,c,d,11); 198 R0(d,e,a,b,c,12); R0(c,d,e,a,b,13); R0(b,c,d,e,a,14); R0(a,b,c,d,e,15); 199 R1(e,a,b,c,d,16); R1(d,e,a,b,c,17); R1(c,d,e,a,b,18); R1(b,c,d,e,a,19); 200 R2(a,b,c,d,e,20); R2(e,a,b,c,d,21); R2(d,e,a,b,c,22); R2(c,d,e,a,b,23); 201 R2(b,c,d,e,a,24); R2(a,b,c,d,e,25); R2(e,a,b,c,d,26); R2(d,e,a,b,c,27); 202 R2(c,d,e,a,b,28); R2(b,c,d,e,a,29); R2(a,b,c,d,e,30); R2(e,a,b,c,d,31); 203 R2(d,e,a,b,c,32); R2(c,d,e,a,b,33); R2(b,c,d,e,a,34); R2(a,b,c,d,e,35); 204 R2(e,a,b,c,d,36); R2(d,e,a,b,c,37); R2(c,d,e,a,b,38); R2(b,c,d,e,a,39); 205 R3(a,b,c,d,e,40); R3(e,a,b,c,d,41); R3(d,e,a,b,c,42); R3(c,d,e,a,b,43); 206 R3(b,c,d,e,a,44); R3(a,b,c,d,e,45); R3(e,a,b,c,d,46); R3(d,e,a,b,c,47); 207 R3(c,d,e,a,b,48); R3(b,c,d,e,a,49); R3(a,b,c,d,e,50); R3(e,a,b,c,d,51); 208 R3(d,e,a,b,c,52); R3(c,d,e,a,b,53); R3(b,c,d,e,a,54); R3(a,b,c,d,e,55); 209 R3(e,a,b,c,d,56); R3(d,e,a,b,c,57); R3(c,d,e,a,b,58); R3(b,c,d,e,a,59); 210 R4(a,b,c,d,e,60); R4(e,a,b,c,d,61); R4(d,e,a,b,c,62); R4(c,d,e,a,b,63); 211 R4(b,c,d,e,a,64); R4(a,b,c,d,e,65); R4(e,a,b,c,d,66); R4(d,e,a,b,c,67); 212 R4(c,d,e,a,b,68); R4(b,c,d,e,a,69); R4(a,b,c,d,e,70); R4(e,a,b,c,d,71); 213 R4(d,e,a,b,c,72); R4(c,d,e,a,b,73); R4(b,c,d,e,a,74); R4(a,b,c,d,e,75); 214 R4(e,a,b,c,d,76); R4(d,e,a,b,c,77); R4(c,d,e,a,b,78); R4(b,c,d,e,a,79); 215 /* Add the working vars back into context.state[] */ 216 state[0] += a; 217 state[1] += b; 218 state[2] += c; 219 state[3] += d; 220 state[4] += e; 221 /* Wipe variables */ 222 a = b = c = d = e = 0; 223#ifdef SHA1HANDSOFF 224 os_memset(block, 0, 64); 225#endif 226} 227 228 229/* SHA1Init - Initialize new context */ 230 231void SHA1Init(SHA1_CTX* context) 232{ 233 /* SHA1 initialization constants */ 234 context->state[0] = 0x67452301; 235 context->state[1] = 0xEFCDAB89; 236 context->state[2] = 0x98BADCFE; 237 context->state[3] = 0x10325476; 238 context->state[4] = 0xC3D2E1F0; 239 context->count[0] = context->count[1] = 0; 240} 241 242 243/* Run your data through this. */ 244 245void SHA1Update(SHA1_CTX* context, const void *_data, u32 len) 246{ 247 u32 i, j; 248 const unsigned char *data = _data; 249 250#ifdef VERBOSE 251 SHAPrintContext(context, "before"); 252#endif 253 j = (context->count[0] >> 3) & 63; 254 if ((context->count[0] += len << 3) < (len << 3)) 255 context->count[1]++; 256 context->count[1] += (len >> 29); 257 if ((j + len) > 63) { 258 os_memcpy(&context->buffer[j], data, (i = 64-j)); 259 SHA1Transform(context->state, context->buffer); 260 for ( ; i + 63 < len; i += 64) { 261 SHA1Transform(context->state, &data[i]); 262 } 263 j = 0; 264 } 265 else i = 0; 266 os_memcpy(&context->buffer[j], &data[i], len - i); 267#ifdef VERBOSE 268 SHAPrintContext(context, "after "); 269#endif 270} 271 272 273/* Add padding and return the message digest. */ 274 275void SHA1Final(unsigned char digest[20], SHA1_CTX* context) 276{ 277 u32 i; 278 unsigned char finalcount[8]; 279 280 for (i = 0; i < 8; i++) { 281 finalcount[i] = (unsigned char) 282 ((context->count[(i >= 4 ? 0 : 1)] >> 283 ((3-(i & 3)) * 8) ) & 255); /* Endian independent */ 284 } 285 SHA1Update(context, (unsigned char *) "\200", 1); 286 while ((context->count[0] & 504) != 448) { 287 SHA1Update(context, (unsigned char *) "\0", 1); 288 } 289 SHA1Update(context, finalcount, 8); /* Should cause a SHA1Transform() 290 */ 291 for (i = 0; i < 20; i++) { 292 digest[i] = (unsigned char) 293 ((context->state[i >> 2] >> ((3 - (i & 3)) * 8)) & 294 255); 295 } 296 /* Wipe variables */ 297 i = 0; 298 os_memset(context->buffer, 0, 64); 299 os_memset(context->state, 0, 20); 300 os_memset(context->count, 0, 8); 301 os_memset(finalcount, 0, 8); 302} 303 304/* ===== end - public domain SHA1 implementation ===== */ 305