1 /* sha.c - Implementation of the Secure Hash Algorithm
3 * Copyright (C) 1995, A.M. Kuchling
5 * Distribute and use freely; there are no restrictions on further
6 * dissemination and usage except those imposed by the laws of your
7 * country of residence.
9 * Adapted to pike and some cleanup by Niels Möller.
12 /* $Id: sha1.c,v 1.6 2006/01/08 09:08:29 imipak Exp $ */
14 /* SHA: NIST's Secure Hash Algorithm */
16 /* Based on SHA code originally posted to sci.crypt by Peter Gutmann
17 in message <30ajo5$oe8@ccu2.auckland.ac.nz>.
18 Modified to test for endianness on creation of SHA objects by AMK.
19 Also, the original specification of SHA was found to have a weakness
20 by NSA/NIST. This code implements the fixed version of SHA.
23 /* Here's the first paragraph of Peter Gutmann's posting:
25 The following is my SHA (FIPS 180) code updated to allow use of the "fixed"
26 SHA, thanks to Jim Gillogly and an anonymous contributor for the information on
27 what's changed in the new version. The fix is a simple change which involves
28 adding a single rotate in the initial expansion function. It is unknown
29 whether this is an optimal solution to the problem which was discovered in the
30 SHA or whether it's simply a bandaid which fixes the problem with a minimum of
31 effort (for example the reengineering of a great many Capstone chips).
37 void sha_copy(struct sha_ctx *dest, struct sha_ctx *src)
41 dest->count_l=src->count_l;
42 dest->count_h=src->count_h;
43 for(i=0; i<SHA_DIGESTLEN; i++)
45 dest->digest[i]=src->digest[i];
47 for(i=0; i < src->index; i++)
49 dest->block[i] = src->block[i];
51 dest->index = src->index;
55 /* The SHA f()-functions. The f1 and f3 functions can be optimized to
56 save one boolean operation each - thanks to Rich Schroeppel,
57 rcs@cs.arizona.edu for discovering this */
59 #define f1(x,y,z) ( z ^ ( x & ( y ^ z ) ) ) /* Rounds 0-19 */
60 #define f2(x,y,z) ( x ^ y ^ z ) /* Rounds 20-39 */
61 #define f3(x,y,z) ( ( x & y ) | ( z & ( x | y ) ) ) /* Rounds 40-59 */
62 #define f4(x,y,z) ( x ^ y ^ z ) /* Rounds 60-79 */
64 /* The SHA Mysterious Constants */
66 #define K1 0x5A827999L /* Rounds 0-19 */
67 #define K2 0x6ED9EBA1L /* Rounds 20-39 */
68 #define K3 0x8F1BBCDCL /* Rounds 40-59 */
69 #define K4 0xCA62C1D6L /* Rounds 60-79 */
71 /* SHA initial values */
73 #define h0init 0x67452301L
74 #define h1init 0xEFCDAB89L
75 #define h2init 0x98BADCFEL
76 #define h3init 0x10325476L
77 #define h4init 0xC3D2E1F0L
79 /* 32-bit rotate left - kludged with shifts */
81 #define ROTL(n,X) ( ( (X) << (n) ) | ( (X) >> ( 32 - (n) ) ) )
83 /* The initial expanding function. The hash function is defined over an
84 80-word expanded input array W, where the first 16 are copies of the input
85 data, and the remaining 64 are defined by
87 W[ i ] = W[ i - 16 ] ^ W[ i - 14 ] ^ W[ i - 8 ] ^ W[ i - 3 ]
89 This implementation generates these values on the fly in a circular
90 buffer - thanks to Colin Plumb, colin@nyx10.cs.du.edu for this
93 The updated SHA changes the expanding function by adding a rotate of 1
94 bit. Thanks to Jim Gillogly, jim@rand.org, and an anonymous contributor
95 for this information */
97 #define expand(W,i) ( W[ i & 15 ] = \
98 ROTL( 1, ( W[ i & 15 ] ^ W[ (i - 14) & 15 ] ^ \
99 W[ (i - 8) & 15 ] ^ W[ (i - 3) & 15 ] ) ) )
102 /* The prototype SHA sub-round. The fundamental sub-round is:
104 a' = e + ROTL( 5, a ) + f( b, c, d ) + k + data;
110 but this is implemented by unrolling the loop 5 times and renaming the
111 variables ( e, a, b, c, d ) = ( a', b', c', d', e' ) each iteration.
112 This code is then replicated 20 times for each of the 4 functions, using
113 the next 20 values from the W[] array each time */
115 #define subRound(a, b, c, d, e, f, k, data) \
116 ( e += ROTL( 5, a ) + f( b, c, d ) + k + data, b = ROTL( 30, b ) )
118 /* Initialize the SHA values */
120 void sha_init(struct sha_ctx *ctx)
122 /* Set the h-vars to their initial values */
123 ctx->digest[ 0 ] = h0init;
124 ctx->digest[ 1 ] = h1init;
125 ctx->digest[ 2 ] = h2init;
126 ctx->digest[ 3 ] = h3init;
127 ctx->digest[ 4 ] = h4init;
129 /* Initialize bit count */
130 ctx->count_l = ctx->count_h = 0;
132 /* Initialize buffer */
136 /* Perform the SHA transformation. Note that this code, like MD5, seems to
137 break some optimizing compilers due to the complexity of the expressions
138 and the size of the basic block. It may be necessary to split it into
139 sections, e.g. based on the four subrounds
141 Note that this function destroys the data area */
143 static void sha_transform(struct sha_ctx *ctx, unsigned int *data )
145 register unsigned int A, B, C, D, E; /* Local vars */
147 /* Set up first buffer and local data buffer */
154 /* Heavy mangling, in 4 sub-rounds of 20 interations each. */
155 subRound( A, B, C, D, E, f1, K1, data[ 0] );
156 subRound( E, A, B, C, D, f1, K1, data[ 1] );
157 subRound( D, E, A, B, C, f1, K1, data[ 2] );
158 subRound( C, D, E, A, B, f1, K1, data[ 3] );
159 subRound( B, C, D, E, A, f1, K1, data[ 4] );
160 subRound( A, B, C, D, E, f1, K1, data[ 5] );
161 subRound( E, A, B, C, D, f1, K1, data[ 6] );
162 subRound( D, E, A, B, C, f1, K1, data[ 7] );
163 subRound( C, D, E, A, B, f1, K1, data[ 8] );
164 subRound( B, C, D, E, A, f1, K1, data[ 9] );
165 subRound( A, B, C, D, E, f1, K1, data[10] );
166 subRound( E, A, B, C, D, f1, K1, data[11] );
167 subRound( D, E, A, B, C, f1, K1, data[12] );
168 subRound( C, D, E, A, B, f1, K1, data[13] );
169 subRound( B, C, D, E, A, f1, K1, data[14] );
170 subRound( A, B, C, D, E, f1, K1, data[15] );
171 subRound( E, A, B, C, D, f1, K1, expand( data, 16 ) );
172 subRound( D, E, A, B, C, f1, K1, expand( data, 17 ) );
173 subRound( C, D, E, A, B, f1, K1, expand( data, 18 ) );
174 subRound( B, C, D, E, A, f1, K1, expand( data, 19 ) );
176 subRound( A, B, C, D, E, f2, K2, expand( data, 20 ) );
177 subRound( E, A, B, C, D, f2, K2, expand( data, 21 ) );
178 subRound( D, E, A, B, C, f2, K2, expand( data, 22 ) );
179 subRound( C, D, E, A, B, f2, K2, expand( data, 23 ) );
180 subRound( B, C, D, E, A, f2, K2, expand( data, 24 ) );
181 subRound( A, B, C, D, E, f2, K2, expand( data, 25 ) );
182 subRound( E, A, B, C, D, f2, K2, expand( data, 26 ) );
183 subRound( D, E, A, B, C, f2, K2, expand( data, 27 ) );
184 subRound( C, D, E, A, B, f2, K2, expand( data, 28 ) );
185 subRound( B, C, D, E, A, f2, K2, expand( data, 29 ) );
186 subRound( A, B, C, D, E, f2, K2, expand( data, 30 ) );
187 subRound( E, A, B, C, D, f2, K2, expand( data, 31 ) );
188 subRound( D, E, A, B, C, f2, K2, expand( data, 32 ) );
189 subRound( C, D, E, A, B, f2, K2, expand( data, 33 ) );
190 subRound( B, C, D, E, A, f2, K2, expand( data, 34 ) );
191 subRound( A, B, C, D, E, f2, K2, expand( data, 35 ) );
192 subRound( E, A, B, C, D, f2, K2, expand( data, 36 ) );
193 subRound( D, E, A, B, C, f2, K2, expand( data, 37 ) );
194 subRound( C, D, E, A, B, f2, K2, expand( data, 38 ) );
195 subRound( B, C, D, E, A, f2, K2, expand( data, 39 ) );
197 subRound( A, B, C, D, E, f3, K3, expand( data, 40 ) );
198 subRound( E, A, B, C, D, f3, K3, expand( data, 41 ) );
199 subRound( D, E, A, B, C, f3, K3, expand( data, 42 ) );
200 subRound( C, D, E, A, B, f3, K3, expand( data, 43 ) );
201 subRound( B, C, D, E, A, f3, K3, expand( data, 44 ) );
202 subRound( A, B, C, D, E, f3, K3, expand( data, 45 ) );
203 subRound( E, A, B, C, D, f3, K3, expand( data, 46 ) );
204 subRound( D, E, A, B, C, f3, K3, expand( data, 47 ) );
205 subRound( C, D, E, A, B, f3, K3, expand( data, 48 ) );
206 subRound( B, C, D, E, A, f3, K3, expand( data, 49 ) );
207 subRound( A, B, C, D, E, f3, K3, expand( data, 50 ) );
208 subRound( E, A, B, C, D, f3, K3, expand( data, 51 ) );
209 subRound( D, E, A, B, C, f3, K3, expand( data, 52 ) );
210 subRound( C, D, E, A, B, f3, K3, expand( data, 53 ) );
211 subRound( B, C, D, E, A, f3, K3, expand( data, 54 ) );
212 subRound( A, B, C, D, E, f3, K3, expand( data, 55 ) );
213 subRound( E, A, B, C, D, f3, K3, expand( data, 56 ) );
214 subRound( D, E, A, B, C, f3, K3, expand( data, 57 ) );
215 subRound( C, D, E, A, B, f3, K3, expand( data, 58 ) );
216 subRound( B, C, D, E, A, f3, K3, expand( data, 59 ) );
218 subRound( A, B, C, D, E, f4, K4, expand( data, 60 ) );
219 subRound( E, A, B, C, D, f4, K4, expand( data, 61 ) );
220 subRound( D, E, A, B, C, f4, K4, expand( data, 62 ) );
221 subRound( C, D, E, A, B, f4, K4, expand( data, 63 ) );
222 subRound( B, C, D, E, A, f4, K4, expand( data, 64 ) );
223 subRound( A, B, C, D, E, f4, K4, expand( data, 65 ) );
224 subRound( E, A, B, C, D, f4, K4, expand( data, 66 ) );
225 subRound( D, E, A, B, C, f4, K4, expand( data, 67 ) );
226 subRound( C, D, E, A, B, f4, K4, expand( data, 68 ) );
227 subRound( B, C, D, E, A, f4, K4, expand( data, 69 ) );
228 subRound( A, B, C, D, E, f4, K4, expand( data, 70 ) );
229 subRound( E, A, B, C, D, f4, K4, expand( data, 71 ) );
230 subRound( D, E, A, B, C, f4, K4, expand( data, 72 ) );
231 subRound( C, D, E, A, B, f4, K4, expand( data, 73 ) );
232 subRound( B, C, D, E, A, f4, K4, expand( data, 74 ) );
233 subRound( A, B, C, D, E, f4, K4, expand( data, 75 ) );
234 subRound( E, A, B, C, D, f4, K4, expand( data, 76 ) );
235 subRound( D, E, A, B, C, f4, K4, expand( data, 77 ) );
236 subRound( C, D, E, A, B, f4, K4, expand( data, 78 ) );
237 subRound( B, C, D, E, A, f4, K4, expand( data, 79 ) );
239 /* Build message digest */
248 static void sha_block(struct sha_ctx *ctx, unsigned char *block)
250 unsigned int data[SHA_DATALEN];
253 /* Update block count */
259 /* Endian independent conversion */
260 for (i = 0; i<SHA_DATALEN; i++, block += 4)
262 data[i] = STRING2INT(block);
265 sha_transform(ctx, data);
268 void sha_update(struct sha_ctx *ctx, unsigned char *buffer, unsigned int len)
271 { /* Try to fill partial block */
272 unsigned int left = SHA_DATASIZE - ctx->index;
275 memcpy(ctx->block + ctx->index, buffer, len);
277 return; /* Finished */
281 memcpy(ctx->block + ctx->index, buffer, left);
282 sha_block(ctx, ctx->block);
287 while (len >= SHA_DATASIZE)
289 sha_block(ctx, buffer);
290 buffer += SHA_DATASIZE;
293 if ((ctx->index = len)) /* This assignment is intended */
295 /* Buffer leftovers */
296 memcpy(ctx->block, buffer, len);
300 /* Final wrapup - pad to SHA_DATASIZE-byte boundary with the bit pattern
301 1 0* (64-bit count of bits processed, MSB-first) */
303 void sha_final(struct sha_ctx *ctx)
305 unsigned int data[SHA_DATALEN];
310 /* Set the first char of padding to 0x80. This is safe since there is
311 always at least one byte free */
312 ctx->block[i++] = 0x80;
314 /* Fill rest of word */
319 /* i is now a multiple of the word size 4 */
321 for (i = 0; i < words; i++)
323 data[i] = STRING2INT(ctx->block + 4*i);
326 if (words > (SHA_DATALEN-2))
327 { /* No room for length in this block. Process it and
328 * pad with another one */
329 for (i = words ; i < SHA_DATALEN; i++)
333 sha_transform(ctx, data);
334 for (i = 0; i < (SHA_DATALEN-2); i++)
341 for (i = words ; i < SHA_DATALEN - 2; i++)
346 /* Theres 512 = 2^9 bits in one block */
347 data[SHA_DATALEN-2] = (ctx->count_h << 9) | (ctx->count_l >> 23);
348 data[SHA_DATALEN-1] = (ctx->count_l << 9) | (ctx->index << 3);
349 sha_transform(ctx, data);
352 void sha_digest(struct sha_ctx *ctx, unsigned char *s)
358 for (i = 0; i < SHA_DIGESTLEN; i++)
360 *s++ = ctx->digest[i] >> 24;
361 *s++ = 0xff & (ctx->digest[i] >> 16);
362 *s++ = 0xff & (ctx->digest[i] >> 8);
363 *s++ = 0xff & ctx->digest[i];
368 unsigned char *sha(unsigned char *buffer, unsigned int len)
370 static unsigned char buf[SHA_DIGESTSIZE];
373 sha_update(&s, buffer, len);