1 /* $OpenBSD: sha1.c,v 1.26 2015/09/11 09:18:27 guenther Exp $ */
5 * By Steve Reid <steve@edmweb.com>
8 * Test Vectors (from FIPS PUB 180-1)
10 * A9993E36 4706816A BA3E2571 7850C26C 9CD0D89D
11 * "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"
12 * 84983E44 1C3BD26E BAAE4AA1 F95129E5 E54670F1
13 * A million repetitions of "a"
14 * 34AA973C D4C4DAA4 F61EEB2B DBAD2731 6534016F
22 #define rol(value, bits) (((value) << (bits)) | ((value) >> (32 - (bits))))
25 * blk0() and blk() perform the initial expand.
26 * I got the idea of expanding during the round function from SSLeay
28 #if UTIL_ARCH_LITTLE_ENDIAN
29 # define blk0(i) (block->l[i] = (rol(block->l[i],24)&0xFF00FF00) \
30 |(rol(block->l[i],8)&0x00FF00FF))
32 # define blk0(i) block->l[i]
34 #define blk(i) (block->l[i&15] = rol(block->l[(i+13)&15]^block->l[(i+8)&15] \
35 ^block->l[(i+2)&15]^block->l[i&15],1))
38 * (R0+R1), R2, R3, R4 are the different operations (rounds) used in SHA1
40 #define R0(v,w,x,y,z,i) z+=((w&(x^y))^y)+blk0(i)+0x5A827999+rol(v,5);w=rol(w,30);
41 #define R1(v,w,x,y,z,i) z+=((w&(x^y))^y)+blk(i)+0x5A827999+rol(v,5);w=rol(w,30);
42 #define R2(v,w,x,y,z,i) z+=(w^x^y)+blk(i)+0x6ED9EBA1+rol(v,5);w=rol(w,30);
43 #define R3(v,w,x,y,z,i) z+=(((w|x)&y)|(w&x))+blk(i)+0x8F1BBCDC+rol(v,5);w=rol(w,30);
44 #define R4(v,w,x,y,z,i) z+=(w^x^y)+blk(i)+0xCA62C1D6+rol(v,5);w=rol(w,30);
52 * Hash a single 512-bit block. This is the core of the algorithm.
55 SHA1Transform(uint32_t state
[5], const uint8_t buffer
[SHA1_BLOCK_LENGTH
])
57 uint32_t a
, b
, c
, d
, e
;
58 uint8_t workspace
[SHA1_BLOCK_LENGTH
];
59 CHAR64LONG16
*block
= (CHAR64LONG16
*)workspace
;
61 (void)memcpy(block
, buffer
, SHA1_BLOCK_LENGTH
);
63 /* Copy context->state[] to working vars */
70 /* 4 rounds of 20 operations each. Loop unrolled. */
71 R0(a
,b
,c
,d
,e
, 0); R0(e
,a
,b
,c
,d
, 1); R0(d
,e
,a
,b
,c
, 2); R0(c
,d
,e
,a
,b
, 3);
72 R0(b
,c
,d
,e
,a
, 4); R0(a
,b
,c
,d
,e
, 5); R0(e
,a
,b
,c
,d
, 6); R0(d
,e
,a
,b
,c
, 7);
73 R0(c
,d
,e
,a
,b
, 8); R0(b
,c
,d
,e
,a
, 9); R0(a
,b
,c
,d
,e
,10); R0(e
,a
,b
,c
,d
,11);
74 R0(d
,e
,a
,b
,c
,12); R0(c
,d
,e
,a
,b
,13); R0(b
,c
,d
,e
,a
,14); R0(a
,b
,c
,d
,e
,15);
75 R1(e
,a
,b
,c
,d
,16); R1(d
,e
,a
,b
,c
,17); R1(c
,d
,e
,a
,b
,18); R1(b
,c
,d
,e
,a
,19);
76 R2(a
,b
,c
,d
,e
,20); R2(e
,a
,b
,c
,d
,21); R2(d
,e
,a
,b
,c
,22); R2(c
,d
,e
,a
,b
,23);
77 R2(b
,c
,d
,e
,a
,24); R2(a
,b
,c
,d
,e
,25); R2(e
,a
,b
,c
,d
,26); R2(d
,e
,a
,b
,c
,27);
78 R2(c
,d
,e
,a
,b
,28); R2(b
,c
,d
,e
,a
,29); R2(a
,b
,c
,d
,e
,30); R2(e
,a
,b
,c
,d
,31);
79 R2(d
,e
,a
,b
,c
,32); R2(c
,d
,e
,a
,b
,33); R2(b
,c
,d
,e
,a
,34); R2(a
,b
,c
,d
,e
,35);
80 R2(e
,a
,b
,c
,d
,36); R2(d
,e
,a
,b
,c
,37); R2(c
,d
,e
,a
,b
,38); R2(b
,c
,d
,e
,a
,39);
81 R3(a
,b
,c
,d
,e
,40); R3(e
,a
,b
,c
,d
,41); R3(d
,e
,a
,b
,c
,42); R3(c
,d
,e
,a
,b
,43);
82 R3(b
,c
,d
,e
,a
,44); R3(a
,b
,c
,d
,e
,45); R3(e
,a
,b
,c
,d
,46); R3(d
,e
,a
,b
,c
,47);
83 R3(c
,d
,e
,a
,b
,48); R3(b
,c
,d
,e
,a
,49); R3(a
,b
,c
,d
,e
,50); R3(e
,a
,b
,c
,d
,51);
84 R3(d
,e
,a
,b
,c
,52); R3(c
,d
,e
,a
,b
,53); R3(b
,c
,d
,e
,a
,54); R3(a
,b
,c
,d
,e
,55);
85 R3(e
,a
,b
,c
,d
,56); R3(d
,e
,a
,b
,c
,57); R3(c
,d
,e
,a
,b
,58); R3(b
,c
,d
,e
,a
,59);
86 R4(a
,b
,c
,d
,e
,60); R4(e
,a
,b
,c
,d
,61); R4(d
,e
,a
,b
,c
,62); R4(c
,d
,e
,a
,b
,63);
87 R4(b
,c
,d
,e
,a
,64); R4(a
,b
,c
,d
,e
,65); R4(e
,a
,b
,c
,d
,66); R4(d
,e
,a
,b
,c
,67);
88 R4(c
,d
,e
,a
,b
,68); R4(b
,c
,d
,e
,a
,69); R4(a
,b
,c
,d
,e
,70); R4(e
,a
,b
,c
,d
,71);
89 R4(d
,e
,a
,b
,c
,72); R4(c
,d
,e
,a
,b
,73); R4(b
,c
,d
,e
,a
,74); R4(a
,b
,c
,d
,e
,75);
90 R4(e
,a
,b
,c
,d
,76); R4(d
,e
,a
,b
,c
,77); R4(c
,d
,e
,a
,b
,78); R4(b
,c
,d
,e
,a
,79);
92 /* Add the working vars back into context.state[] */
100 a
= b
= c
= d
= e
= 0;
105 * SHA1Init - Initialize new context
108 SHA1Init(SHA1_CTX
*context
)
111 /* SHA1 initialization constants */
113 context
->state
[0] = 0x67452301;
114 context
->state
[1] = 0xEFCDAB89;
115 context
->state
[2] = 0x98BADCFE;
116 context
->state
[3] = 0x10325476;
117 context
->state
[4] = 0xC3D2E1F0;
122 * Run your data through this.
125 SHA1Update(SHA1_CTX
*context
, const uint8_t *data
, size_t len
)
129 j
= (size_t)((context
->count
>> 3) & 63);
130 context
->count
+= (len
<< 3);
131 if ((j
+ len
) > 63) {
132 (void)memcpy(&context
->buffer
[j
], data
, (i
= 64-j
));
133 SHA1Transform(context
->state
, context
->buffer
);
134 for ( ; i
+ 63 < len
; i
+= 64)
135 SHA1Transform(context
->state
, (uint8_t *)&data
[i
]);
140 (void)memcpy(&context
->buffer
[j
], &data
[i
], len
- i
);
145 * Add padding and return the message digest.
148 SHA1Pad(SHA1_CTX
*context
)
150 uint8_t finalcount
[8];
153 for (i
= 0; i
< 8; i
++) {
154 finalcount
[i
] = (uint8_t)((context
->count
>>
155 ((7 - (i
& 7)) * 8)) & 255); /* Endian independent */
157 SHA1Update(context
, (uint8_t *)"\200", 1);
158 while ((context
->count
& 504) != 448)
159 SHA1Update(context
, (uint8_t *)"\0", 1);
160 SHA1Update(context
, finalcount
, 8); /* Should cause a SHA1Transform() */
164 SHA1Final(uint8_t digest
[SHA1_DIGEST_LENGTH
], SHA1_CTX
*context
)
169 for (i
= 0; i
< SHA1_DIGEST_LENGTH
; i
++) {
170 digest
[i
] = (uint8_t)
171 ((context
->state
[i
>>2] >> ((3-(i
& 3)) * 8) ) & 255);
173 memset(context
, 0, sizeof(*context
));