Home | History | Annotate | Download | only in cryptolib 
      1 /* Copyright (c) 2010 The Chromium OS Authors. All rights reserved.
      2  * Use of this source code is governed by a BSD-style license that can be
      3  * found in the LICENSE file.
      4  *
      5  * SHA-1 implementation largely based on libmincrypt in the the Android
      6  * Open Source Project (platorm/system/core.git/libmincrypt/sha.c
      7  */
      8 
      9 #include "sysincludes.h"
     10 
     11 #include "cryptolib.h"
     12 #include "utility.h"
     13 
     14 
     15 /* Some machines lack byteswap.h and endian.h. These have to use the
     16  * slower code, even if they're little-endian.
     17  */
     18 
     19 #if defined(HAVE_ENDIAN_H) && defined(HAVE_LITTLE_ENDIAN)
     20 
     21 /* This version is about 28% faster than the generic version below,
     22  * but assumes little-endianness.
     23  */
     24 static uint32_t ror27(uint32_t val) {
     25   return (val >> 27) | (val << 5);
     26 }
     27 static uint32_t ror2(uint32_t val) {
     28   return (val >> 2) | (val << 30);
     29 }
     30 static uint32_t ror31(uint32_t val) {
     31   return (val >> 31) | (val << 1);
     32 }
     33 
     34 static void SHA1_Transform(SHA1_CTX* ctx) {
     35   uint32_t W[80];
     36   register uint32_t A, B, C, D, E;
     37   int t;
     38 
     39   A = ctx->state[0];
     40   B = ctx->state[1];
     41   C = ctx->state[2];
     42   D = ctx->state[3];
     43   E = ctx->state[4];
     44 
     45 #define SHA_F1(A,B,C,D,E,t)                     \
     46   E += ror27(A) +                               \
     47       (W[t] = bswap_32(ctx->buf.w[t])) +        \
     48       (D^(B&(C^D))) + 0x5A827999;               \
     49   B = ror2(B);
     50 
     51   for (t = 0; t < 15; t += 5) {
     52     SHA_F1(A,B,C,D,E,t + 0);
     53     SHA_F1(E,A,B,C,D,t + 1);
     54     SHA_F1(D,E,A,B,C,t + 2);
     55     SHA_F1(C,D,E,A,B,t + 3);
     56     SHA_F1(B,C,D,E,A,t + 4);
     57   }
     58   SHA_F1(A,B,C,D,E,t + 0);  /* 16th one, t == 15 */
     59 
     60 #undef SHA_F1
     61 
     62 #define SHA_F1(A,B,C,D,E,t)                                     \
     63   E += ror27(A) +                                               \
     64       (W[t] = ror31(W[t-3] ^ W[t-8] ^ W[t-14] ^ W[t-16])) +     \
     65       (D^(B&(C^D))) + 0x5A827999;                               \
     66   B = ror2(B);
     67 
     68   SHA_F1(E,A,B,C,D,t + 1);
     69   SHA_F1(D,E,A,B,C,t + 2);
     70   SHA_F1(C,D,E,A,B,t + 3);
     71   SHA_F1(B,C,D,E,A,t + 4);
     72 
     73 #undef SHA_F1
     74 
     75 #define SHA_F2(A,B,C,D,E,t)                                     \
     76   E += ror27(A) +                                               \
     77       (W[t] = ror31(W[t-3] ^ W[t-8] ^ W[t-14] ^ W[t-16])) +     \
     78       (B^C^D) + 0x6ED9EBA1;                                     \
     79   B = ror2(B);
     80 
     81   for (t = 20; t < 40; t += 5) {
     82     SHA_F2(A,B,C,D,E,t + 0);
     83     SHA_F2(E,A,B,C,D,t + 1);
     84     SHA_F2(D,E,A,B,C,t + 2);
     85     SHA_F2(C,D,E,A,B,t + 3);
     86     SHA_F2(B,C,D,E,A,t + 4);
     87   }
     88 
     89 #undef SHA_F2
     90 
     91 #define SHA_F3(A,B,C,D,E,t)                                     \
     92   E += ror27(A) +                                               \
     93       (W[t] = ror31(W[t-3] ^ W[t-8] ^ W[t-14] ^ W[t-16])) +     \
     94       ((B&C)|(D&(B|C))) + 0x8F1BBCDC;                           \
     95   B = ror2(B);
     96 
     97   for (; t < 60; t += 5) {
     98     SHA_F3(A,B,C,D,E,t + 0);
     99     SHA_F3(E,A,B,C,D,t + 1);
    100     SHA_F3(D,E,A,B,C,t + 2);
    101     SHA_F3(C,D,E,A,B,t + 3);
    102     SHA_F3(B,C,D,E,A,t + 4);
    103   }
    104 
    105 #undef SHA_F3
    106 
    107 #define SHA_F4(A,B,C,D,E,t)                                     \
    108   E += ror27(A) +                                               \
    109       (W[t] = ror31(W[t-3] ^ W[t-8] ^ W[t-14] ^ W[t-16])) +     \
    110       (B^C^D) + 0xCA62C1D6;                                     \
    111   B = ror2(B);
    112 
    113   for (; t < 80; t += 5) {
    114     SHA_F4(A,B,C,D,E,t + 0);
    115     SHA_F4(E,A,B,C,D,t + 1);
    116     SHA_F4(D,E,A,B,C,t + 2);
    117     SHA_F4(C,D,E,A,B,t + 3);
    118     SHA_F4(B,C,D,E,A,t + 4);
    119   }
    120 
    121 #undef SHA_F4
    122 
    123   ctx->state[0] += A;
    124   ctx->state[1] += B;
    125   ctx->state[2] += C;
    126   ctx->state[3] += D;
    127   ctx->state[4] += E;
    128 }
    129 
    130 void SHA1_update(SHA1_CTX* ctx, const uint8_t* data, uint64_t len) {
    131   int i = ctx->count % sizeof(ctx->buf);
    132   const uint8_t* p = (const uint8_t*)data;
    133 
    134   ctx->count += len;
    135 
    136   while (len > sizeof(ctx->buf) - i) {
    137     Memcpy(&ctx->buf.b[i], p, sizeof(ctx->buf) - i);
    138     len -= sizeof(ctx->buf) - i;
    139     p += sizeof(ctx->buf) - i;
    140     SHA1_Transform(ctx);
    141     i = 0;
    142   }
    143 
    144   while (len--) {
    145     ctx->buf.b[i++] = *p++;
    146     if (i == sizeof(ctx->buf)) {
    147       SHA1_Transform(ctx);
    148       i = 0;
    149     }
    150   }
    151 }
    152 
    153 
    154 uint8_t* SHA1_final(SHA1_CTX* ctx) {
    155   uint64_t cnt = ctx->count * 8;
    156   int i;
    157 
    158   SHA1_update(ctx, (uint8_t*)"\x80", 1);
    159   while ((ctx->count % sizeof(ctx->buf)) != (sizeof(ctx->buf) - 8)) {
    160     SHA1_update(ctx, (uint8_t*)"\0", 1);
    161   }
    162   for (i = 0; i < 8; ++i) {
    163     uint8_t tmp = cnt >> ((7 - i) * 8);
    164     SHA1_update(ctx, &tmp, 1);
    165   }
    166 
    167   for (i = 0; i < 5; i++) {
    168     ctx->buf.w[i] = bswap_32(ctx->state[i]);
    169   }
    170 
    171   return ctx->buf.b;
    172 }
    173 
    174 #else   /* #if defined(HAVE_ENDIAN_H) && defined(HAVE_LITTLE_ENDIAN) */
    175 
    176 #define rol(bits, value) (((value) << (bits)) | ((value) >> (32 - (bits))))
    177 
    178 static void SHA1_transform(SHA1_CTX *ctx) {
    179   uint32_t W[80];
    180   uint32_t A, B, C, D, E;
    181   uint8_t *p = ctx->buf;
    182   int t;
    183 
    184   for(t = 0; t < 16; ++t) {
    185     uint32_t tmp =  *p++ << 24;
    186     tmp |= *p++ << 16;
    187     tmp |= *p++ << 8;
    188     tmp |= *p++;
    189     W[t] = tmp;
    190   }
    191 
    192   for(; t < 80; t++) {
    193     W[t] = rol(1,W[t-3] ^ W[t-8] ^ W[t-14] ^ W[t-16]);
    194   }
    195 
    196   A = ctx->state[0];
    197   B = ctx->state[1];
    198   C = ctx->state[2];
    199   D = ctx->state[3];
    200   E = ctx->state[4];
    201 
    202   for(t = 0; t < 80; t++) {
    203     uint32_t tmp = rol(5,A) + E + W[t];
    204 
    205     if (t < 20)
    206       tmp += (D^(B&(C^D))) + 0x5A827999;
    207     else if ( t < 40)
    208       tmp += (B^C^D) + 0x6ED9EBA1;
    209     else if ( t < 60)
    210       tmp += ((B&C)|(D&(B|C))) + 0x8F1BBCDC;
    211     else
    212       tmp += (B^C^D) + 0xCA62C1D6;
    213 
    214     E = D;
    215     D = C;
    216     C = rol(30,B);
    217     B = A;
    218     A = tmp;
    219   }
    220 
    221   ctx->state[0] += A;
    222   ctx->state[1] += B;
    223   ctx->state[2] += C;
    224   ctx->state[3] += D;
    225   ctx->state[4] += E;
    226 }
    227 
    228 void SHA1_update(SHA1_CTX *ctx, const uint8_t *data, uint64_t len) {
    229   int i = (int)(ctx->count % sizeof(ctx->buf));
    230   const uint8_t* p = (const uint8_t*) data;
    231 
    232   ctx->count += len;
    233 
    234   while (len--) {
    235     ctx->buf[i++] = *p++;
    236     if (i == sizeof(ctx->buf)) {
    237       SHA1_transform(ctx);
    238       i = 0;
    239     }
    240   }
    241 }
    242 uint8_t* SHA1_final(SHA1_CTX *ctx) {
    243   uint8_t *p = ctx->buf;
    244   uint64_t cnt = ctx->count << 3;
    245   int i;
    246 
    247   SHA1_update(ctx, (uint8_t*)"\x80", 1);
    248   while ((ctx->count % sizeof(ctx->buf)) != (sizeof(ctx->buf) - 8)) {
    249     SHA1_update(ctx, (uint8_t*)"\0", 1);
    250   }
    251   for (i = 0; i < 8; ++i) {
    252     uint8_t tmp = (uint8_t)((uint64_t)cnt >> ((7 - i) * 8));
    253     SHA1_update(ctx, &tmp, 1);
    254   }
    255 
    256   for (i = 0; i < 5; i++) {
    257     uint32_t tmp = ctx->state[i];
    258     *p++ = (uint8_t)(tmp >> 24);
    259     *p++ = (uint8_t)(tmp >> 16);
    260     *p++ = (uint8_t)(tmp >> 8);
    261     *p++ = (uint8_t)(tmp >> 0);
    262   }
    263 
    264   return ctx->buf;
    265 }
    266 
    267 #endif /* endianness */
    268 
    269 void SHA1_init(SHA1_CTX* ctx) {
    270   ctx->state[0] = 0x67452301;
    271   ctx->state[1] = 0xEFCDAB89;
    272   ctx->state[2] = 0x98BADCFE;
    273   ctx->state[3] = 0x10325476;
    274   ctx->state[4] = 0xC3D2E1F0;
    275   ctx->count = 0;
    276 }
    277 
    278 uint8_t* internal_SHA1(const uint8_t *data, uint64_t len, uint8_t *digest) {
    279   const uint8_t *p;
    280   int i;
    281   SHA1_CTX ctx;
    282   SHA1_init(&ctx);
    283   SHA1_update(&ctx, data, len);
    284   p = SHA1_final(&ctx);
    285   for (i = 0; i < SHA1_DIGEST_SIZE; ++i) {
    286     digest[i] = *p++;
    287   }
    288   return digest;
    289 }
    290