diff options
author | Todd C. Miller <millert@cvs.openbsd.org> | 1997-07-10 22:53:02 +0000 |
---|---|---|
committer | Todd C. Miller <millert@cvs.openbsd.org> | 1997-07-10 22:53:02 +0000 |
commit | 7f713d9ace4c5809f5dff75d423f0ba82b6b351e (patch) | |
tree | 5ab3a515992ceaef652754b6533277498feb3612 /lib/libc/hash/sha1.c | |
parent | 4edac6ae5359b2e8b2bba77d0c4498c7afc8de45 (diff) |
Different sha1 functions (taken from netinet's if_sha1.c) that
are more consistent with md4/md5 functions.
Diffstat (limited to 'lib/libc/hash/sha1.c')
-rw-r--r-- | lib/libc/hash/sha1.c | 501 |
1 files changed, 157 insertions, 344 deletions
diff --git a/lib/libc/hash/sha1.c b/lib/libc/hash/sha1.c index 269a078f0fb..d4d6c8f780f 100644 --- a/lib/libc/hash/sha1.c +++ b/lib/libc/hash/sha1.c @@ -1,365 +1,178 @@ -#if defined(LIBC_SCCS) && !defined(lint) -static char rcsid[] = "$OpenBSD: sha1.c,v 1.4 1996/09/30 23:27:05 millert Exp $"; -#endif /* LIBC_SCCS and not lint */ +/* $OpenBSD: sha1.c,v 1.5 1997/07/10 22:52:59 millert Exp $ */ /* - * sha1.c - * - * signature function hook for SHA1. - * - * Gene Kim - * Purdue University - * August 10, 1993 + * SHA-1 in C + * By Steve Reid <steve@edmweb.com> + * 100% Public Domain + * + * Test Vectors (from FIPS PUB 180-1) + * "abc" + * A9993E36 4706816A BA3E2571 7850C26C 9CD0D89D + * "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" + * 84983E44 1C3BD26E BAAE4AA1 F95129E5 E54670F1 + * A million repetitions of "a" + * 34AA973C D4C4DAA4 F61EEB2B DBAD2731 6534016F */ -/* --------------------------------- SHA1.C ------------------------------- */ +#define SHA1HANDSOFF /* Copies data before messing with it. */ -/* NIST proposed Secure Hash Standard. - - Written 2 September 1992, Peter C. Gutmann. - This implementation placed in the public domain. - - Comments to pgut1@cs.aukuni.ac.nz */ - -#include <stdio.h> -#include <stdlib.h> +#include <sys/param.h> #include <string.h> -#include <sys/types.h> -#include <sha1.h> -#ifdef TEST -#include <time.h> -#endif - -/* Useful defines/typedefs */ - -typedef unsigned char BYTE; -typedef u_int32_t LONG; - -/* The SHA1 f()-functions */ - -#define f1(x,y,z) ( ( x & y ) | ( ~x & z ) ) /* Rounds 0-19 */ -#define f2(x,y,z) ( x ^ y ^ z ) /* Rounds 20-39 */ -#define f3(x,y,z) ( ( x & y ) | ( x & z ) | ( y & z ) ) /* Rounds 40-59 */ -#define f4(x,y,z) ( x ^ y ^ z ) /* Rounds 60-79 */ - -/* The SHA1 Mysterious Constants */ - -#define K1 0x5A827999L /* Rounds 0-19 */ -#define K2 0x6ED9EBA1L /* Rounds 20-39 */ -#define K3 0x8F1BBCDCL /* Rounds 40-59 */ -#define K4 0xCA62C1D6L /* Rounds 60-79 */ - -/* SHA1 initial values */ +#include "sha1.h" -#define h0init 0x67452301L -#define h1init 0xEFCDAB89L -#define h2init 0x98BADCFEL -#define h3init 0x10325476L -#define h4init 0xC3D2E1F0L +#define rol(value, bits) (((value) << (bits)) | ((value) >> (32 - (bits)))) -/* 32-bit rotate - kludged with shifts */ - -#define S(n,X) ( ( X << n ) | ( X >> ( 32 - n ) ) ) - -/* The initial expanding function */ - -#ifdef NEW_SHA1 -#define expand(count) temp = W[ count - 3 ] ^ W[ count - 8 ] ^ W[ count - 14 ] ^ W[ count - 16 ];W[ count ] = S(1, temp) +/* + * blk0() and blk() perform the initial expand. + * I got the idea of expanding during the round function from SSLeay + */ +#if BYTE_ORDER == LITTLE_ENDIAN +# define blk0(i) (block->l[i] = (rol(block->l[i],24)&0xFF00FF00) \ + |(rol(block->l[i],8)&0x00FF00FF)) #else -#define expand(count) W[ count ] = W[ count - 3 ] ^ W[ count - 8 ] ^ W[ count - 14 ] ^ W[ count - 16 ] +# define blk0(i) block->l[i] #endif +#define blk(i) (block->l[i&15] = rol(block->l[(i+13)&15]^block->l[(i+8)&15] \ + ^block->l[(i+2)&15]^block->l[i&15],1)) -/* The four SHA1 sub-rounds */ - -#define subRound1(count) \ - { \ - temp = S( 5, A ) + f1( B, C, D ) + E + W[ count ] + K1; \ - E = D; \ - D = C; \ - C = S( 30, B ); \ - B = A; \ - A = temp; \ - } - -#define subRound2(count) \ - { \ - temp = S( 5, A ) + f2( B, C, D ) + E + W[ count ] + K2; \ - E = D; \ - D = C; \ - C = S( 30, B ); \ - B = A; \ - A = temp; \ - } - -#define subRound3(count) \ - { \ - temp = S( 5, A ) + f3( B, C, D ) + E + W[ count ] + K3; \ - E = D; \ - D = C; \ - C = S( 30, B ); \ - B = A; \ - A = temp; \ - } - -#define subRound4(count) \ - { \ - temp = S( 5, A ) + f4( B, C, D ) + E + W[ count ] + K4; \ - E = D; \ - D = C; \ - C = S( 30, B ); \ - B = A; \ - A = temp; \ - } - -/* The two buffers of 5 32-bit words */ - -LONG h0, h1, h2, h3, h4; -LONG A, B, C, D, E; - -/* Initialize the SHA1 values */ - -void sha1Init(sha1Info) - SHA1_INFO *sha1Info; - { - /* Set the h-vars to their initial values */ - sha1Info->digest[ 0 ] = h0init; - sha1Info->digest[ 1 ] = h1init; - sha1Info->digest[ 2 ] = h2init; - sha1Info->digest[ 3 ] = h3init; - sha1Info->digest[ 4 ] = h4init; - - /* Initialise bit count */ - sha1Info->countLo = sha1Info->countHi = 0L; - } - -/* Perform the SHA1 transformation. Note that this code, like MD5, seems to - break some optimizing compilers - it may be necessary to split it into - sections, eg based on the four subrounds */ - -void sha1Transform(sha1Info) - SHA1_INFO *sha1Info; - { - LONG W[ 80 ], temp; - int i; - - /* Step A. Copy the data buffer into the local work buffer */ - for( i = 0; i < 16; i++ ) - W[ i ] = sha1Info->data[ i ]; - - /* Step B. Expand the 16 words into 64 temporary data words */ - expand( 16 ); expand( 17 ); expand( 18 ); expand( 19 ); expand( 20 ); - expand( 21 ); expand( 22 ); expand( 23 ); expand( 24 ); expand( 25 ); - expand( 26 ); expand( 27 ); expand( 28 ); expand( 29 ); expand( 30 ); - expand( 31 ); expand( 32 ); expand( 33 ); expand( 34 ); expand( 35 ); - expand( 36 ); expand( 37 ); expand( 38 ); expand( 39 ); expand( 40 ); - expand( 41 ); expand( 42 ); expand( 43 ); expand( 44 ); expand( 45 ); - expand( 46 ); expand( 47 ); expand( 48 ); expand( 49 ); expand( 50 ); - expand( 51 ); expand( 52 ); expand( 53 ); expand( 54 ); expand( 55 ); - expand( 56 ); expand( 57 ); expand( 58 ); expand( 59 ); expand( 60 ); - expand( 61 ); expand( 62 ); expand( 63 ); expand( 64 ); expand( 65 ); - expand( 66 ); expand( 67 ); expand( 68 ); expand( 69 ); expand( 70 ); - expand( 71 ); expand( 72 ); expand( 73 ); expand( 74 ); expand( 75 ); - expand( 76 ); expand( 77 ); expand( 78 ); expand( 79 ); - - /* Step C. Set up first buffer */ - A = sha1Info->digest[ 0 ]; - B = sha1Info->digest[ 1 ]; - C = sha1Info->digest[ 2 ]; - D = sha1Info->digest[ 3 ]; - E = sha1Info->digest[ 4 ]; - - /* Step D. Serious mangling, divided into four sub-rounds */ - subRound1( 0 ); subRound1( 1 ); subRound1( 2 ); subRound1( 3 ); - subRound1( 4 ); subRound1( 5 ); subRound1( 6 ); subRound1( 7 ); - subRound1( 8 ); subRound1( 9 ); subRound1( 10 ); subRound1( 11 ); - subRound1( 12 ); subRound1( 13 ); subRound1( 14 ); subRound1( 15 ); - subRound1( 16 ); subRound1( 17 ); subRound1( 18 ); subRound1( 19 ); - subRound2( 20 ); subRound2( 21 ); subRound2( 22 ); subRound2( 23 ); - subRound2( 24 ); subRound2( 25 ); subRound2( 26 ); subRound2( 27 ); - subRound2( 28 ); subRound2( 29 ); subRound2( 30 ); subRound2( 31 ); - subRound2( 32 ); subRound2( 33 ); subRound2( 34 ); subRound2( 35 ); - subRound2( 36 ); subRound2( 37 ); subRound2( 38 ); subRound2( 39 ); - subRound3( 40 ); subRound3( 41 ); subRound3( 42 ); subRound3( 43 ); - subRound3( 44 ); subRound3( 45 ); subRound3( 46 ); subRound3( 47 ); - subRound3( 48 ); subRound3( 49 ); subRound3( 50 ); subRound3( 51 ); - subRound3( 52 ); subRound3( 53 ); subRound3( 54 ); subRound3( 55 ); - subRound3( 56 ); subRound3( 57 ); subRound3( 58 ); subRound3( 59 ); - subRound4( 60 ); subRound4( 61 ); subRound4( 62 ); subRound4( 63 ); - subRound4( 64 ); subRound4( 65 ); subRound4( 66 ); subRound4( 67 ); - subRound4( 68 ); subRound4( 69 ); subRound4( 70 ); subRound4( 71 ); - subRound4( 72 ); subRound4( 73 ); subRound4( 74 ); subRound4( 75 ); - subRound4( 76 ); subRound4( 77 ); subRound4( 78 ); subRound4( 79 ); - - /* Step E. Build message digest */ - sha1Info->digest[ 0 ] += A; - sha1Info->digest[ 1 ] += B; - sha1Info->digest[ 2 ] += C; - sha1Info->digest[ 3 ] += D; - sha1Info->digest[ 4 ] += E; - } - -#if BYTE_ORDER == LITTLE_ENDIAN - -/* When run on a little-endian CPU we need to perform byte reversal on an - array of longwords. It is possible to make the code endianness- - independant by fiddling around with data at the byte level, but this - makes for very slow code, so we rely on the user to sort out endianness - at compile time */ - -void sha1ByteReverse(buffer, byteCount) - LONG *buffer; - int byteCount; - { - LONG value; - int count; +/* + * (R0+R1), R2, R3, R4 are the different operations (rounds) used in SHA1 + */ +#define R0(v,w,x,y,z,i) z+=((w&(x^y))^y)+blk0(i)+0x5A827999+rol(v,5);w=rol(w,30); +#define R1(v,w,x,y,z,i) z+=((w&(x^y))^y)+blk(i)+0x5A827999+rol(v,5);w=rol(w,30); +#define R2(v,w,x,y,z,i) z+=(w^x^y)+blk(i)+0x6ED9EBA1+rol(v,5);w=rol(w,30); +#define R3(v,w,x,y,z,i) z+=(((w|x)&y)|(w&x))+blk(i)+0x8F1BBCDC+rol(v,5);w=rol(w,30); +#define R4(v,w,x,y,z,i) z+=(w^x^y)+blk(i)+0xCA62C1D6+rol(v,5);w=rol(w,30); + + +/* Hash a single 512-bit block. This is the core of the algorithm. */ + +void SHA1Transform(state, buffer) + u_int32_t state[5]; + u_char buffer[64]; +{ + u_int32_t a, b, c, d, e; + typedef union { + u_char c[64]; + u_int l[16]; + } CHAR64LONG16; + CHAR64LONG16* block; + +#ifdef SHA1HANDSOFF + static u_char workspace[64]; + block = (CHAR64LONG16*)workspace; + memcpy(block, buffer, 64); +#else + block = (CHAR64LONG16*)buffer; +#endif - byteCount /= sizeof( LONG ); - for( count = 0; count < byteCount; count++ ) - { - value = ( buffer[ count ] << 16 ) | ( buffer[ count ] >> 16 ); - buffer[ count ] = ( ( value & 0xFF00FF00L ) >> 8 ) | ( ( value & 0x00FF00FFL ) << 8 ); - } - } -#endif /* LITTLE_ENDIAN */ + /* Copy context->state[] to working vars */ + a = state[0]; + b = state[1]; + c = state[2]; + d = state[3]; + e = state[4]; + + /* 4 rounds of 20 operations each. Loop unrolled. */ + R0(a,b,c,d,e, 0); R0(e,a,b,c,d, 1); R0(d,e,a,b,c, 2); R0(c,d,e,a,b, 3); + R0(b,c,d,e,a, 4); R0(a,b,c,d,e, 5); R0(e,a,b,c,d, 6); R0(d,e,a,b,c, 7); + R0(c,d,e,a,b, 8); R0(b,c,d,e,a, 9); R0(a,b,c,d,e,10); R0(e,a,b,c,d,11); + R0(d,e,a,b,c,12); R0(c,d,e,a,b,13); R0(b,c,d,e,a,14); R0(a,b,c,d,e,15); + R1(e,a,b,c,d,16); R1(d,e,a,b,c,17); R1(c,d,e,a,b,18); R1(b,c,d,e,a,19); + R2(a,b,c,d,e,20); R2(e,a,b,c,d,21); R2(d,e,a,b,c,22); R2(c,d,e,a,b,23); + R2(b,c,d,e,a,24); R2(a,b,c,d,e,25); R2(e,a,b,c,d,26); R2(d,e,a,b,c,27); + R2(c,d,e,a,b,28); R2(b,c,d,e,a,29); R2(a,b,c,d,e,30); R2(e,a,b,c,d,31); + R2(d,e,a,b,c,32); R2(c,d,e,a,b,33); R2(b,c,d,e,a,34); R2(a,b,c,d,e,35); + R2(e,a,b,c,d,36); R2(d,e,a,b,c,37); R2(c,d,e,a,b,38); R2(b,c,d,e,a,39); + R3(a,b,c,d,e,40); R3(e,a,b,c,d,41); R3(d,e,a,b,c,42); R3(c,d,e,a,b,43); + R3(b,c,d,e,a,44); R3(a,b,c,d,e,45); R3(e,a,b,c,d,46); R3(d,e,a,b,c,47); + R3(c,d,e,a,b,48); R3(b,c,d,e,a,49); R3(a,b,c,d,e,50); R3(e,a,b,c,d,51); + R3(d,e,a,b,c,52); R3(c,d,e,a,b,53); R3(b,c,d,e,a,54); R3(a,b,c,d,e,55); + R3(e,a,b,c,d,56); R3(d,e,a,b,c,57); R3(c,d,e,a,b,58); R3(b,c,d,e,a,59); + R4(a,b,c,d,e,60); R4(e,a,b,c,d,61); R4(d,e,a,b,c,62); R4(c,d,e,a,b,63); + R4(b,c,d,e,a,64); R4(a,b,c,d,e,65); R4(e,a,b,c,d,66); R4(d,e,a,b,c,67); + R4(c,d,e,a,b,68); R4(b,c,d,e,a,69); R4(a,b,c,d,e,70); R4(e,a,b,c,d,71); + R4(d,e,a,b,c,72); R4(c,d,e,a,b,73); R4(b,c,d,e,a,74); R4(a,b,c,d,e,75); + R4(e,a,b,c,d,76); R4(d,e,a,b,c,77); R4(c,d,e,a,b,78); R4(b,c,d,e,a,79); + + /* Add the working vars back into context.state[] */ + state[0] += a; + state[1] += b; + state[2] += c; + state[3] += d; + state[4] += e; + + /* Wipe variables */ + a = b = c = d = e = 0; +} -/* Update SHA1 for a block of data. This code assumes that the buffer size - is a multiple of SHA1_BLOCKSIZE bytes long, which makes the code a lot - more efficient since it does away with the need to handle partial blocks - between calls to sha1Update() */ -void sha1Update(sha1Info, buffer, count) - SHA1_INFO *sha1Info; - BYTE *buffer; - int count; - { - /* Update bitcount */ - if( ( sha1Info->countLo + ( ( LONG ) count << 3 ) ) < sha1Info->countLo ) - sha1Info->countHi++; /* Carry from low to high bitCount */ - sha1Info->countLo += ( ( LONG ) count << 3 ); - sha1Info->countHi += ( ( LONG ) count >> 29 ); +/* + * SHA1Init - Initialize new context + */ +void SHA1Init(context) + SHA1_CTX *context; +{ + /* SHA1 initialization constants */ + context->state[0] = 0x67452301; + context->state[1] = 0xEFCDAB89; + context->state[2] = 0x98BADCFE; + context->state[3] = 0x10325476; + context->state[4] = 0xC3D2E1F0; + context->count[0] = context->count[1] = 0; +} - /* Process data in SHA1_BLOCKSIZE chunks */ - while( count >= SHA1_BLOCKSIZE ) - { - memcpy( (void *) sha1Info->data, (void *) buffer, SHA1_BLOCKSIZE ); -#if BYTE_ORDER == LITTLE_ENDIAN - sha1ByteReverse( sha1Info->data, SHA1_BLOCKSIZE ); -#endif /* LITTLE_ENDIAN */ - sha1Transform( sha1Info ); - buffer += SHA1_BLOCKSIZE; - count -= SHA1_BLOCKSIZE; - } - /* Handle any remaining bytes of data. This should only happen once - on the final lot of data */ - memcpy( (void *) sha1Info->data, (void *) buffer, count ); +/* + * Run your data through this. + */ +void SHA1Update(context, data, len) + SHA1_CTX *context; + u_char *data; + u_int len; +{ + u_int i; + u_int j; + + j = context->count[0]; + if ((context->count[0] += len << 3) < j) + context->count[1] += (len>>29)+1; + j = (j >> 3) & 63; + if ((j + len) > 63) { + memcpy(&context->buffer[j], data, (i = 64-j)); + SHA1Transform(context->state, context->buffer); + for ( ; i + 63 < len; i += 64) + SHA1Transform(context->state, &data[i]); + j = 0; + } else { + i = 0; } + memcpy(&context->buffer[j], &data[i], len - i); +} -void sha1Final(sha1Info) - SHA1_INFO *sha1Info; - { - int count; - LONG lowBitcount = sha1Info->countLo, highBitcount = sha1Info->countHi; - - /* Compute number of bytes mod 64 */ - count = ( int ) ( ( sha1Info->countLo >> 3 ) & 0x3F ); - - /* Set the first char of padding to 0x80. This is safe since there is - always at least one byte free */ - ( ( BYTE * ) sha1Info->data )[ count++ ] = 0x80; - - /* Pad out to 56 mod 64 */ - if( count > 56 ) - { - /* Two lots of padding: Pad the first block to 64 bytes */ - memset( ( char * ) sha1Info->data + count, 0, 64 - count ); -#if BYTE_ORDER == LITTLE_ENDIAN - sha1ByteReverse( sha1Info->data, SHA1_BLOCKSIZE ); -#endif /* LITTLE_ENDIAN */ - sha1Transform( sha1Info ); - - /* Now fill the next block with 56 bytes */ - memset( (void *) sha1Info->data, 0, 56 ); - } - else - /* Pad block to 56 bytes */ - memset( ( char * ) sha1Info->data + count, 0, 56 - count ); -#if BYTE_ORDER == LITTLE_ENDIAN - sha1ByteReverse( sha1Info->data, SHA1_BLOCKSIZE ); -#endif /* LITTLE_ENDIAN */ - - /* Append length in bits and transform */ - sha1Info->data[ 14 ] = highBitcount; - sha1Info->data[ 15 ] = lowBitcount; - sha1Transform( sha1Info ); -#if BYTE_ORDER == LITTLE_ENDIAN - sha1ByteReverse( sha1Info->data, SHA1_DIGESTSIZE ); -#endif /* LITTLE_ENDIAN */ +/* + * Add padding and return the message digest. + */ +void SHA1Final(digest, context) + u_char digest[20]; + SHA1_CTX* context; +{ + u_int i; + u_char finalcount[8]; + + for (i = 0; i < 8; i++) { + finalcount[i] = (u_char)((context->count[(i >= 4 ? 0 : 1)] + >> ((3-(i & 3)) * 8) ) & 255); /* Endian independent */ } - -#ifdef TEST - -/* ----------------------------- SHA1 Test code --------------------------- */ - -/* Size of buffer for SHA1 speed test data */ - -#define TEST_BLOCK_SIZE ( SHA1_DIGESTSIZE * 100 ) - -/* Number of bytes of test data to process */ - -#define TEST_BYTES 10000000L -#define TEST_BLOCKS ( TEST_BYTES / TEST_BLOCK_SIZE ) - -void main() - { - SHA1_INFO sha1Info; - time_t endTime, startTime; - BYTE data[ TEST_BLOCK_SIZE ]; - long i; - - /* Test output data (this is the only test data given in the SHA1 - document, but chances are if it works for this it'll work for - anything) */ - sha1Init( &sha1Info ); - sha1Update( &sha1Info, ( BYTE * ) "abc", 3 ); - sha1Final( &sha1Info ); -#ifdef NEW_SHA1 - if( sha1Info.digest[ 0 ] != 0xA9993E36L || - sha1Info.digest[ 1 ] != 0x4706816AL || - sha1Info.digest[ 2 ] != 0xBA3E2571L || - sha1Info.digest[ 3 ] != 0x7850C26CL || - sha1Info.digest[ 4 ] != 0x9CD0D89DL ) -#else - if( sha1Info.digest[ 0 ] != 0x0164B8A9L || - sha1Info.digest[ 1 ] != 0x14CD2A5EL || - sha1Info.digest[ 2 ] != 0x74C4F7FFL || - sha1Info.digest[ 3 ] != 0x082C4D97L || - sha1Info.digest[ 4 ] != 0xF1EDF880L ) -#endif - { - puts( "Error in SHA1 implementation" ); - exit( -1 ); - } - - /* Now perform time trial, generating MD for 10MB of data. First, - initialize the test data */ - memset( ( void * ) data, 0, TEST_BLOCK_SIZE ); - - /* Get start time */ - printf( "SHA1 time trial. Processing %ld characters...\n", TEST_BYTES ); - time( &startTime ); - - /* Calculate SHA1 message digest in TEST_BLOCK_SIZE byte blocks */ - sha1Init( &sha1Info ); - for( i = TEST_BLOCKS; i > 0; i-- ) - sha1Update( &sha1Info, data, TEST_BLOCK_SIZE ); - sha1Final( &sha1Info ); - - /* Get finish time and time difference */ - time( &endTime ); - printf( "Seconds to process test input: %ld\n", endTime - startTime ); - printf( "Characters processed per second: %ld\n", TEST_BYTES / ( endTime - startTime ) ); + SHA1Update(context, (u_char *)"\200", 1); + while ((context->count[0] & 504) != 448) + SHA1Update(context, (u_char *)"\0", 1); + SHA1Update(context, finalcount, 8); /* Should cause a SHA1Transform() */ + + if (digest) { + for (i = 0; i < 20; i++) + digest[i] = (u_char) + ((context->state[i>>2] >> ((3-(i & 3)) * 8) ) & 255); } - -#endif +} |