1/* Copyright (c) 2010 The Chromium OS Authors. All rights reserved.
2 * Use of this source code is governed by a BSD-style license that can be
3 * found in the LICENSE file.
4 *
5 * SHA-1 implementation largely based on libmincrypt in the the Android
6 * Open Source Project (platorm/system/core.git/libmincrypt/sha.c
7 */
8
9#include "sysincludes.h"
10
11#include "cryptolib.h"
12#include "utility.h"
13
14
15/* Some machines lack byteswap.h and endian.h. These have to use the
16 * slower code, even if they're little-endian.
17 */
18
19#if defined(HAVE_ENDIAN_H) && defined(HAVE_LITTLE_ENDIAN)
20
21/* This version is about 28% faster than the generic version below,
22 * but assumes little-endianness.
23 */
24static uint32_t ror27(uint32_t val) {
25  return (val >> 27) | (val << 5);
26}
27static uint32_t ror2(uint32_t val) {
28  return (val >> 2) | (val << 30);
29}
30static uint32_t ror31(uint32_t val) {
31  return (val >> 31) | (val << 1);
32}
33
34static void SHA1_Transform(SHA1_CTX* ctx) {
35  uint32_t W[80];
36  register uint32_t A, B, C, D, E;
37  int t;
38
39  A = ctx->state[0];
40  B = ctx->state[1];
41  C = ctx->state[2];
42  D = ctx->state[3];
43  E = ctx->state[4];
44
45#define SHA_F1(A,B,C,D,E,t)                     \
46  E += ror27(A) +                               \
47      (W[t] = bswap_32(ctx->buf.w[t])) +        \
48      (D^(B&(C^D))) + 0x5A827999;               \
49  B = ror2(B);
50
51  for (t = 0; t < 15; t += 5) {
52    SHA_F1(A,B,C,D,E,t + 0);
53    SHA_F1(E,A,B,C,D,t + 1);
54    SHA_F1(D,E,A,B,C,t + 2);
55    SHA_F1(C,D,E,A,B,t + 3);
56    SHA_F1(B,C,D,E,A,t + 4);
57  }
58  SHA_F1(A,B,C,D,E,t + 0);  /* 16th one, t == 15 */
59
60#undef SHA_F1
61
62#define SHA_F1(A,B,C,D,E,t)                                     \
63  E += ror27(A) +                                               \
64      (W[t] = ror31(W[t-3] ^ W[t-8] ^ W[t-14] ^ W[t-16])) +     \
65      (D^(B&(C^D))) + 0x5A827999;                               \
66  B = ror2(B);
67
68  SHA_F1(E,A,B,C,D,t + 1);
69  SHA_F1(D,E,A,B,C,t + 2);
70  SHA_F1(C,D,E,A,B,t + 3);
71  SHA_F1(B,C,D,E,A,t + 4);
72
73#undef SHA_F1
74
75#define SHA_F2(A,B,C,D,E,t)                                     \
76  E += ror27(A) +                                               \
77      (W[t] = ror31(W[t-3] ^ W[t-8] ^ W[t-14] ^ W[t-16])) +     \
78      (B^C^D) + 0x6ED9EBA1;                                     \
79  B = ror2(B);
80
81  for (t = 20; t < 40; t += 5) {
82    SHA_F2(A,B,C,D,E,t + 0);
83    SHA_F2(E,A,B,C,D,t + 1);
84    SHA_F2(D,E,A,B,C,t + 2);
85    SHA_F2(C,D,E,A,B,t + 3);
86    SHA_F2(B,C,D,E,A,t + 4);
87  }
88
89#undef SHA_F2
90
91#define SHA_F3(A,B,C,D,E,t)                                     \
92  E += ror27(A) +                                               \
93      (W[t] = ror31(W[t-3] ^ W[t-8] ^ W[t-14] ^ W[t-16])) +     \
94      ((B&C)|(D&(B|C))) + 0x8F1BBCDC;                           \
95  B = ror2(B);
96
97  for (; t < 60; t += 5) {
98    SHA_F3(A,B,C,D,E,t + 0);
99    SHA_F3(E,A,B,C,D,t + 1);
100    SHA_F3(D,E,A,B,C,t + 2);
101    SHA_F3(C,D,E,A,B,t + 3);
102    SHA_F3(B,C,D,E,A,t + 4);
103  }
104
105#undef SHA_F3
106
107#define SHA_F4(A,B,C,D,E,t)                                     \
108  E += ror27(A) +                                               \
109      (W[t] = ror31(W[t-3] ^ W[t-8] ^ W[t-14] ^ W[t-16])) +     \
110      (B^C^D) + 0xCA62C1D6;                                     \
111  B = ror2(B);
112
113  for (; t < 80; t += 5) {
114    SHA_F4(A,B,C,D,E,t + 0);
115    SHA_F4(E,A,B,C,D,t + 1);
116    SHA_F4(D,E,A,B,C,t + 2);
117    SHA_F4(C,D,E,A,B,t + 3);
118    SHA_F4(B,C,D,E,A,t + 4);
119  }
120
121#undef SHA_F4
122
123  ctx->state[0] += A;
124  ctx->state[1] += B;
125  ctx->state[2] += C;
126  ctx->state[3] += D;
127  ctx->state[4] += E;
128}
129
130void SHA1_update(SHA1_CTX* ctx, const uint8_t* data, uint64_t len) {
131  int i = ctx->count % sizeof(ctx->buf);
132  const uint8_t* p = (const uint8_t*)data;
133
134  ctx->count += len;
135
136  while (len > sizeof(ctx->buf) - i) {
137    Memcpy(&ctx->buf.b[i], p, sizeof(ctx->buf) - i);
138    len -= sizeof(ctx->buf) - i;
139    p += sizeof(ctx->buf) - i;
140    SHA1_Transform(ctx);
141    i = 0;
142  }
143
144  while (len--) {
145    ctx->buf.b[i++] = *p++;
146    if (i == sizeof(ctx->buf)) {
147      SHA1_Transform(ctx);
148      i = 0;
149    }
150  }
151}
152
153
154uint8_t* SHA1_final(SHA1_CTX* ctx) {
155  uint64_t cnt = ctx->count * 8;
156  int i;
157
158  SHA1_update(ctx, (uint8_t*)"\x80", 1);
159  while ((ctx->count % sizeof(ctx->buf)) != (sizeof(ctx->buf) - 8)) {
160    SHA1_update(ctx, (uint8_t*)"\0", 1);
161  }
162  for (i = 0; i < 8; ++i) {
163    uint8_t tmp = cnt >> ((7 - i) * 8);
164    SHA1_update(ctx, &tmp, 1);
165  }
166
167  for (i = 0; i < 5; i++) {
168    ctx->buf.w[i] = bswap_32(ctx->state[i]);
169  }
170
171  return ctx->buf.b;
172}
173
174#else   /* #if defined(HAVE_ENDIAN_H) && defined(HAVE_LITTLE_ENDIAN) */
175
176#define rol(bits, value) (((value) << (bits)) | ((value) >> (32 - (bits))))
177
178static void SHA1_transform(SHA1_CTX *ctx) {
179  uint32_t W[80];
180  uint32_t A, B, C, D, E;
181  uint8_t *p = ctx->buf;
182  int t;
183
184  for(t = 0; t < 16; ++t) {
185    uint32_t tmp =  *p++ << 24;
186    tmp |= *p++ << 16;
187    tmp |= *p++ << 8;
188    tmp |= *p++;
189    W[t] = tmp;
190  }
191
192  for(; t < 80; t++) {
193    W[t] = rol(1,W[t-3] ^ W[t-8] ^ W[t-14] ^ W[t-16]);
194  }
195
196  A = ctx->state[0];
197  B = ctx->state[1];
198  C = ctx->state[2];
199  D = ctx->state[3];
200  E = ctx->state[4];
201
202  for(t = 0; t < 80; t++) {
203    uint32_t tmp = rol(5,A) + E + W[t];
204
205    if (t < 20)
206      tmp += (D^(B&(C^D))) + 0x5A827999;
207    else if ( t < 40)
208      tmp += (B^C^D) + 0x6ED9EBA1;
209    else if ( t < 60)
210      tmp += ((B&C)|(D&(B|C))) + 0x8F1BBCDC;
211    else
212      tmp += (B^C^D) + 0xCA62C1D6;
213
214    E = D;
215    D = C;
216    C = rol(30,B);
217    B = A;
218    A = tmp;
219  }
220
221  ctx->state[0] += A;
222  ctx->state[1] += B;
223  ctx->state[2] += C;
224  ctx->state[3] += D;
225  ctx->state[4] += E;
226}
227
228void SHA1_update(SHA1_CTX *ctx, const uint8_t *data, uint64_t len) {
229  int i = (int)(ctx->count % sizeof(ctx->buf));
230  const uint8_t* p = (const uint8_t*) data;
231
232  ctx->count += len;
233
234  while (len--) {
235    ctx->buf[i++] = *p++;
236    if (i == sizeof(ctx->buf)) {
237      SHA1_transform(ctx);
238      i = 0;
239    }
240  }
241}
242uint8_t* SHA1_final(SHA1_CTX *ctx) {
243  uint8_t *p = ctx->buf;
244  uint64_t cnt = ctx->count << 3;
245  int i;
246
247  SHA1_update(ctx, (uint8_t*)"\x80", 1);
248  while ((ctx->count % sizeof(ctx->buf)) != (sizeof(ctx->buf) - 8)) {
249    SHA1_update(ctx, (uint8_t*)"\0", 1);
250  }
251  for (i = 0; i < 8; ++i) {
252    uint8_t tmp = (uint8_t)((uint64_t)cnt >> ((7 - i) * 8));
253    SHA1_update(ctx, &tmp, 1);
254  }
255
256  for (i = 0; i < 5; i++) {
257    uint32_t tmp = ctx->state[i];
258    *p++ = (uint8_t)(tmp >> 24);
259    *p++ = (uint8_t)(tmp >> 16);
260    *p++ = (uint8_t)(tmp >> 8);
261    *p++ = (uint8_t)(tmp >> 0);
262  }
263
264  return ctx->buf;
265}
266
267#endif /* endianness */
268
269void SHA1_init(SHA1_CTX* ctx) {
270  ctx->state[0] = 0x67452301;
271  ctx->state[1] = 0xEFCDAB89;
272  ctx->state[2] = 0x98BADCFE;
273  ctx->state[3] = 0x10325476;
274  ctx->state[4] = 0xC3D2E1F0;
275  ctx->count = 0;
276}
277
278uint8_t* internal_SHA1(const uint8_t *data, uint64_t len, uint8_t *digest) {
279  const uint8_t *p;
280  int i;
281  SHA1_CTX ctx;
282  SHA1_init(&ctx);
283  SHA1_update(&ctx, data, len);
284  p = SHA1_final(&ctx);
285  for (i = 0; i < SHA1_DIGEST_SIZE; ++i) {
286    digest[i] = *p++;
287  }
288  return digest;
289}
290