2 * FIPS-180-1 compliant SHA-1 implementation
4 * Based on XySSL: Copyright (C) 2006-2008 Christophe Devine
6 * Copyright (C) 2009 Paul Bakker <polarssl_maintainer at polarssl dot org>
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License along
19 * with this program; if not, write to the Free Software Foundation, Inc.,
20 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
23 * The SHA-1 standard was published by NIST in 1993.
25 * http://www.itl.nist.gov/fipspubs/fip180-1.htm
28 /* $Cambridge: exim/src/src/pdkim/sha1.c,v 1.2 2009/06/10 07:34:05 tom Exp $ */
36 * 32-bit integer manipulation macros (big endian)
39 #define GET_ULONG_BE(n,b,i) \
41 (n) = ( (unsigned long) (b)[(i) ] << 24 ) \
42 | ( (unsigned long) (b)[(i) + 1] << 16 ) \
43 | ( (unsigned long) (b)[(i) + 2] << 8 ) \
44 | ( (unsigned long) (b)[(i) + 3] ); \
49 #define PUT_ULONG_BE(n,b,i) \
51 (b)[(i) ] = (unsigned char) ( (n) >> 24 ); \
52 (b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \
53 (b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \
54 (b)[(i) + 3] = (unsigned char) ( (n) ); \
61 void sha1_starts( sha1_context *ctx )
66 ctx->state[0] = 0x67452301;
67 ctx->state[1] = 0xEFCDAB89;
68 ctx->state[2] = 0x98BADCFE;
69 ctx->state[3] = 0x10325476;
70 ctx->state[4] = 0xC3D2E1F0;
73 static void sha1_process( sha1_context *ctx, unsigned char data[64] )
75 unsigned long temp, W[16], A, B, C, D, E;
77 GET_ULONG_BE( W[ 0], data, 0 );
78 GET_ULONG_BE( W[ 1], data, 4 );
79 GET_ULONG_BE( W[ 2], data, 8 );
80 GET_ULONG_BE( W[ 3], data, 12 );
81 GET_ULONG_BE( W[ 4], data, 16 );
82 GET_ULONG_BE( W[ 5], data, 20 );
83 GET_ULONG_BE( W[ 6], data, 24 );
84 GET_ULONG_BE( W[ 7], data, 28 );
85 GET_ULONG_BE( W[ 8], data, 32 );
86 GET_ULONG_BE( W[ 9], data, 36 );
87 GET_ULONG_BE( W[10], data, 40 );
88 GET_ULONG_BE( W[11], data, 44 );
89 GET_ULONG_BE( W[12], data, 48 );
90 GET_ULONG_BE( W[13], data, 52 );
91 GET_ULONG_BE( W[14], data, 56 );
92 GET_ULONG_BE( W[15], data, 60 );
94 #define S(x,n) ((x << n) | ((x & 0xFFFFFFFF) >> (32 - n)))
98 temp = W[(t - 3) & 0x0F] ^ W[(t - 8) & 0x0F] ^ \
99 W[(t - 14) & 0x0F] ^ W[ t & 0x0F], \
100 ( W[t & 0x0F] = S(temp,1) ) \
103 #define P(a,b,c,d,e,x) \
105 e += S(a,5) + F(b,c,d) + K + x; b = S(b,30); \
114 #define F(x,y,z) (z ^ (x & (y ^ z)))
117 P( A, B, C, D, E, W[0] );
118 P( E, A, B, C, D, W[1] );
119 P( D, E, A, B, C, W[2] );
120 P( C, D, E, A, B, W[3] );
121 P( B, C, D, E, A, W[4] );
122 P( A, B, C, D, E, W[5] );
123 P( E, A, B, C, D, W[6] );
124 P( D, E, A, B, C, W[7] );
125 P( C, D, E, A, B, W[8] );
126 P( B, C, D, E, A, W[9] );
127 P( A, B, C, D, E, W[10] );
128 P( E, A, B, C, D, W[11] );
129 P( D, E, A, B, C, W[12] );
130 P( C, D, E, A, B, W[13] );
131 P( B, C, D, E, A, W[14] );
132 P( A, B, C, D, E, W[15] );
133 P( E, A, B, C, D, R(16) );
134 P( D, E, A, B, C, R(17) );
135 P( C, D, E, A, B, R(18) );
136 P( B, C, D, E, A, R(19) );
141 #define F(x,y,z) (x ^ y ^ z)
144 P( A, B, C, D, E, R(20) );
145 P( E, A, B, C, D, R(21) );
146 P( D, E, A, B, C, R(22) );
147 P( C, D, E, A, B, R(23) );
148 P( B, C, D, E, A, R(24) );
149 P( A, B, C, D, E, R(25) );
150 P( E, A, B, C, D, R(26) );
151 P( D, E, A, B, C, R(27) );
152 P( C, D, E, A, B, R(28) );
153 P( B, C, D, E, A, R(29) );
154 P( A, B, C, D, E, R(30) );
155 P( E, A, B, C, D, R(31) );
156 P( D, E, A, B, C, R(32) );
157 P( C, D, E, A, B, R(33) );
158 P( B, C, D, E, A, R(34) );
159 P( A, B, C, D, E, R(35) );
160 P( E, A, B, C, D, R(36) );
161 P( D, E, A, B, C, R(37) );
162 P( C, D, E, A, B, R(38) );
163 P( B, C, D, E, A, R(39) );
168 #define F(x,y,z) ((x & y) | (z & (x | y)))
171 P( A, B, C, D, E, R(40) );
172 P( E, A, B, C, D, R(41) );
173 P( D, E, A, B, C, R(42) );
174 P( C, D, E, A, B, R(43) );
175 P( B, C, D, E, A, R(44) );
176 P( A, B, C, D, E, R(45) );
177 P( E, A, B, C, D, R(46) );
178 P( D, E, A, B, C, R(47) );
179 P( C, D, E, A, B, R(48) );
180 P( B, C, D, E, A, R(49) );
181 P( A, B, C, D, E, R(50) );
182 P( E, A, B, C, D, R(51) );
183 P( D, E, A, B, C, R(52) );
184 P( C, D, E, A, B, R(53) );
185 P( B, C, D, E, A, R(54) );
186 P( A, B, C, D, E, R(55) );
187 P( E, A, B, C, D, R(56) );
188 P( D, E, A, B, C, R(57) );
189 P( C, D, E, A, B, R(58) );
190 P( B, C, D, E, A, R(59) );
195 #define F(x,y,z) (x ^ y ^ z)
198 P( A, B, C, D, E, R(60) );
199 P( E, A, B, C, D, R(61) );
200 P( D, E, A, B, C, R(62) );
201 P( C, D, E, A, B, R(63) );
202 P( B, C, D, E, A, R(64) );
203 P( A, B, C, D, E, R(65) );
204 P( E, A, B, C, D, R(66) );
205 P( D, E, A, B, C, R(67) );
206 P( C, D, E, A, B, R(68) );
207 P( B, C, D, E, A, R(69) );
208 P( A, B, C, D, E, R(70) );
209 P( E, A, B, C, D, R(71) );
210 P( D, E, A, B, C, R(72) );
211 P( C, D, E, A, B, R(73) );
212 P( B, C, D, E, A, R(74) );
213 P( A, B, C, D, E, R(75) );
214 P( E, A, B, C, D, R(76) );
215 P( D, E, A, B, C, R(77) );
216 P( C, D, E, A, B, R(78) );
217 P( B, C, D, E, A, R(79) );
230 * SHA-1 process buffer
232 void sha1_update( sha1_context *ctx, unsigned char *input, int ilen )
240 left = ctx->total[0] & 0x3F;
243 ctx->total[0] += ilen;
244 ctx->total[0] &= 0xFFFFFFFF;
246 if( ctx->total[0] < (unsigned long) ilen )
249 if( left && ilen >= fill )
251 memcpy( (void *) (ctx->buffer + left),
252 (void *) input, fill );
253 sha1_process( ctx, ctx->buffer );
261 sha1_process( ctx, input );
268 memcpy( (void *) (ctx->buffer + left),
269 (void *) input, ilen );
273 static const unsigned char sha1_padding[64] =
275 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
276 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
277 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
278 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
284 void sha1_finish( sha1_context *ctx, unsigned char output[20] )
286 unsigned long last, padn;
287 unsigned long high, low;
288 unsigned char msglen[8];
290 high = ( ctx->total[0] >> 29 )
291 | ( ctx->total[1] << 3 );
292 low = ( ctx->total[0] << 3 );
294 PUT_ULONG_BE( high, msglen, 0 );
295 PUT_ULONG_BE( low, msglen, 4 );
297 last = ctx->total[0] & 0x3F;
298 padn = ( last < 56 ) ? ( 56 - last ) : ( 120 - last );
300 sha1_update( ctx, (unsigned char *) sha1_padding, padn );
301 sha1_update( ctx, msglen, 8 );
303 PUT_ULONG_BE( ctx->state[0], output, 0 );
304 PUT_ULONG_BE( ctx->state[1], output, 4 );
305 PUT_ULONG_BE( ctx->state[2], output, 8 );
306 PUT_ULONG_BE( ctx->state[3], output, 12 );
307 PUT_ULONG_BE( ctx->state[4], output, 16 );
311 * output = SHA-1( input buffer )
313 void sha1_oneshot( unsigned char *input, int ilen, unsigned char output[20] )
318 sha1_update( &ctx, input, ilen );
319 sha1_finish( &ctx, output );
321 memset( &ctx, 0, sizeof( sha1_context ) );
325 * output = SHA-1( file contents )
327 int sha1_file( char *path, unsigned char output[20] )
332 unsigned char buf[1024];
334 if( ( f = fopen( path, "rb" ) ) == NULL )
339 while( ( n = fread( buf, 1, sizeof( buf ), f ) ) > 0 )
340 sha1_update( &ctx, buf, (int) n );
342 sha1_finish( &ctx, output );
344 memset( &ctx, 0, sizeof( sha1_context ) );
346 if( ferror( f ) != 0 )
357 * SHA-1 HMAC context setup
359 void sha1_hmac_starts( sha1_context *ctx, unsigned char *key, int keylen )
362 unsigned char sum[20];
366 sha1_oneshot( key, keylen, sum );
371 memset( ctx->ipad, 0x36, 64 );
372 memset( ctx->opad, 0x5C, 64 );
374 for( i = 0; i < keylen; i++ )
376 ctx->ipad[i] = (unsigned char)( ctx->ipad[i] ^ key[i] );
377 ctx->opad[i] = (unsigned char)( ctx->opad[i] ^ key[i] );
381 sha1_update( ctx, ctx->ipad, 64 );
383 memset( sum, 0, sizeof( sum ) );
387 * SHA-1 HMAC process buffer
389 void sha1_hmac_update( sha1_context *ctx, unsigned char *input, int ilen )
391 sha1_update( ctx, input, ilen );
395 * SHA-1 HMAC final digest
397 void sha1_hmac_finish( sha1_context *ctx, unsigned char output[20] )
399 unsigned char tmpbuf[20];
401 sha1_finish( ctx, tmpbuf );
403 sha1_update( ctx, ctx->opad, 64 );
404 sha1_update( ctx, tmpbuf, 20 );
405 sha1_finish( ctx, output );
407 memset( tmpbuf, 0, sizeof( tmpbuf ) );
411 * output = HMAC-SHA-1( hmac key, input buffer )
413 void sha1_hmac( unsigned char *key, int keylen,
414 unsigned char *input, int ilen,
415 unsigned char output[20] )
419 sha1_hmac_starts( &ctx, key, keylen );
420 sha1_hmac_update( &ctx, input, ilen );
421 sha1_hmac_finish( &ctx, output );
423 memset( &ctx, 0, sizeof( sha1_context ) );