sha1.c revision 209158 
1/*
2 * SHA1 hash implementation and interface functions
3 * Copyright (c) 2003-2005, Jouni Malinen <j@w1.fi>
4 *
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation.
8 *
9 * Alternatively, this software may be distributed under the terms of BSD
10 * license.
11 *
12 * See README and COPYING for more details.
13 */
14
15#include "includes.h"
16
17#include "common.h"
18#include "sha1.h"
19#include "md5.h"
20#include "crypto.h"
21
22
23/**
24 * hmac_sha1_vector - HMAC-SHA1 over data vector (RFC 2104)
25 * @key: Key for HMAC operations
26 * @key_len: Length of the key in bytes
27 * @num_elem: Number of elements in the data vector
28 * @addr: Pointers to the data areas
29 * @len: Lengths of the data blocks
30 * @mac: Buffer for the hash (20 bytes)
31 */
32void hmac_sha1_vector(const u8 *key, size_t key_len, size_t num_elem,
33		      const u8 *addr[], const size_t *len, u8 *mac)
34{
35	unsigned char k_pad[64]; /* padding - key XORd with ipad/opad */
36	unsigned char tk[20];
37	const u8 *_addr[6];
38	size_t _len[6], i;
39
40	if (num_elem > 5) {
41		/*
42		 * Fixed limit on the number of fragments to avoid having to
43		 * allocate memory (which could fail).
44		 */
45		return;
46	}
47
48        /* if key is longer than 64 bytes reset it to key = SHA1(key) */
49        if (key_len > 64) {
50		sha1_vector(1, &key, &key_len, tk);
51		key = tk;
52		key_len = 20;
53        }
54
55	/* the HMAC_SHA1 transform looks like:
56	 *
57	 * SHA1(K XOR opad, SHA1(K XOR ipad, text))
58	 *
59	 * where K is an n byte key
60	 * ipad is the byte 0x36 repeated 64 times
61	 * opad is the byte 0x5c repeated 64 times
62	 * and text is the data being protected */
63
64	/* start out by storing key in ipad */
65	os_memset(k_pad, 0, sizeof(k_pad));
66	os_memcpy(k_pad, key, key_len);
67	/* XOR key with ipad values */
68	for (i = 0; i < 64; i++)
69		k_pad[i] ^= 0x36;
70
71	/* perform inner SHA1 */
72	_addr[0] = k_pad;
73	_len[0] = 64;
74	for (i = 0; i < num_elem; i++) {
75		_addr[i + 1] = addr[i];
76		_len[i + 1] = len[i];
77	}
78	sha1_vector(1 + num_elem, _addr, _len, mac);
79
80	os_memset(k_pad, 0, sizeof(k_pad));
81	os_memcpy(k_pad, key, key_len);
82	/* XOR key with opad values */
83	for (i = 0; i < 64; i++)
84		k_pad[i] ^= 0x5c;
85
86	/* perform outer SHA1 */
87	_addr[0] = k_pad;
88	_len[0] = 64;
89	_addr[1] = mac;
90	_len[1] = SHA1_MAC_LEN;
91	sha1_vector(2, _addr, _len, mac);
92}
93
94
95/**
96 * hmac_sha1 - HMAC-SHA1 over data buffer (RFC 2104)
97 * @key: Key for HMAC operations
98 * @key_len: Length of the key in bytes
99 * @data: Pointers to the data area
100 * @data_len: Length of the data area
101 * @mac: Buffer for the hash (20 bytes)
102 */
103void hmac_sha1(const u8 *key, size_t key_len, const u8 *data, size_t data_len,
104	       u8 *mac)
105{
106	hmac_sha1_vector(key, key_len, 1, &data, &data_len, mac);
107}
108
109
110/**
111 * sha1_prf - SHA1-based Pseudo-Random Function (PRF) (IEEE 802.11i, 8.5.1.1)
112 * @key: Key for PRF
113 * @key_len: Length of the key in bytes
114 * @label: A unique label for each purpose of the PRF
115 * @data: Extra data to bind into the key
116 * @data_len: Length of the data
117 * @buf: Buffer for the generated pseudo-random key
118 * @buf_len: Number of bytes of key to generate
119 *
120 * This function is used to derive new, cryptographically separate keys from a
121 * given key (e.g., PMK in IEEE 802.11i).
122 */
123void sha1_prf(const u8 *key, size_t key_len, const char *label,
124	      const u8 *data, size_t data_len, u8 *buf, size_t buf_len)
125{
126	u8 counter = 0;
127	size_t pos, plen;
128	u8 hash[SHA1_MAC_LEN];
129	size_t label_len = os_strlen(label) + 1;
130	const unsigned char *addr[3];
131	size_t len[3];
132
133	addr[0] = (u8 *) label;
134	len[0] = label_len;
135	addr[1] = data;
136	len[1] = data_len;
137	addr[2] = &counter;
138	len[2] = 1;
139
140	pos = 0;
141	while (pos < buf_len) {
142		plen = buf_len - pos;
143		if (plen >= SHA1_MAC_LEN) {
144			hmac_sha1_vector(key, key_len, 3, addr, len,
145					 &buf[pos]);
146			pos += SHA1_MAC_LEN;
147		} else {
148			hmac_sha1_vector(key, key_len, 3, addr, len,
149					 hash);
150			os_memcpy(&buf[pos], hash, plen);
151			break;
152		}
153		counter++;
154	}
155}
156
157
158#ifndef CONFIG_NO_T_PRF
159/**
160 * sha1_t_prf - EAP-FAST Pseudo-Random Function (T-PRF)
161 * @key: Key for PRF
162 * @key_len: Length of the key in bytes
163 * @label: A unique label for each purpose of the PRF
164 * @seed: Seed value to bind into the key
165 * @seed_len: Length of the seed
166 * @buf: Buffer for the generated pseudo-random key
167 * @buf_len: Number of bytes of key to generate
168 *
169 * This function is used to derive new, cryptographically separate keys from a
170 * given key for EAP-FAST. T-PRF is defined in RFC 4851, Section 5.5.
171 */
172void sha1_t_prf(const u8 *key, size_t key_len, const char *label,
173		const u8 *seed, size_t seed_len, u8 *buf, size_t buf_len)
174{
175	unsigned char counter = 0;
176	size_t pos, plen;
177	u8 hash[SHA1_MAC_LEN];
178	size_t label_len = os_strlen(label);
179	u8 output_len[2];
180	const unsigned char *addr[5];
181	size_t len[5];
182
183	addr[0] = hash;
184	len[0] = 0;
185	addr[1] = (unsigned char *) label;
186	len[1] = label_len + 1;
187	addr[2] = seed;
188	len[2] = seed_len;
189	addr[3] = output_len;
190	len[3] = 2;
191	addr[4] = &counter;
192	len[4] = 1;
193
194	output_len[0] = (buf_len >> 8) & 0xff;
195	output_len[1] = buf_len & 0xff;
196	pos = 0;
197	while (pos < buf_len) {
198		counter++;
199		plen = buf_len - pos;
200		hmac_sha1_vector(key, key_len, 5, addr, len, hash);
201		if (plen >= SHA1_MAC_LEN) {
202			os_memcpy(&buf[pos], hash, SHA1_MAC_LEN);
203			pos += SHA1_MAC_LEN;
204		} else {
205			os_memcpy(&buf[pos], hash, plen);
206			break;
207		}
208		len[0] = SHA1_MAC_LEN;
209	}
210}
211#endif /* CONFIG_NO_T_PRF */
212
213
214#ifndef CONFIG_NO_TLS_PRF
215/**
216 * tls_prf - Pseudo-Random Function for TLS (TLS-PRF, RFC 2246)
217 * @secret: Key for PRF
218 * @secret_len: Length of the key in bytes
219 * @label: A unique label for each purpose of the PRF
220 * @seed: Seed value to bind into the key
221 * @seed_len: Length of the seed
222 * @out: Buffer for the generated pseudo-random key
223 * @outlen: Number of bytes of key to generate
224 * Returns: 0 on success, -1 on failure.
225 *
226 * This function is used to derive new, cryptographically separate keys from a
227 * given key in TLS. This PRF is defined in RFC 2246, Chapter 5.
228 */
229int tls_prf(const u8 *secret, size_t secret_len, const char *label,
230	    const u8 *seed, size_t seed_len, u8 *out, size_t outlen)
231{
232	size_t L_S1, L_S2, i;
233	const u8 *S1, *S2;
234	u8 A_MD5[MD5_MAC_LEN], A_SHA1[SHA1_MAC_LEN];
235	u8 P_MD5[MD5_MAC_LEN], P_SHA1[SHA1_MAC_LEN];
236	int MD5_pos, SHA1_pos;
237	const u8 *MD5_addr[3];
238	size_t MD5_len[3];
239	const unsigned char *SHA1_addr[3];
240	size_t SHA1_len[3];
241
242	if (secret_len & 1)
243		return -1;
244
245	MD5_addr[0] = A_MD5;
246	MD5_len[0] = MD5_MAC_LEN;
247	MD5_addr[1] = (unsigned char *) label;
248	MD5_len[1] = os_strlen(label);
249	MD5_addr[2] = seed;
250	MD5_len[2] = seed_len;
251
252	SHA1_addr[0] = A_SHA1;
253	SHA1_len[0] = SHA1_MAC_LEN;
254	SHA1_addr[1] = (unsigned char *) label;
255	SHA1_len[1] = os_strlen(label);
256	SHA1_addr[2] = seed;
257	SHA1_len[2] = seed_len;
258
259	/* RFC 2246, Chapter 5
260	 * A(0) = seed, A(i) = HMAC(secret, A(i-1))
261	 * P_hash = HMAC(secret, A(1) + seed) + HMAC(secret, A(2) + seed) + ..
262	 * PRF = P_MD5(S1, label + seed) XOR P_SHA-1(S2, label + seed)
263	 */
264
265	L_S1 = L_S2 = (secret_len + 1) / 2;
266	S1 = secret;
267	S2 = secret + L_S1;
268	if (secret_len & 1) {
269		/* The last byte of S1 will be shared with S2 */
270		S2--;
271	}
272
273	hmac_md5_vector(S1, L_S1, 2, &MD5_addr[1], &MD5_len[1], A_MD5);
274	hmac_sha1_vector(S2, L_S2, 2, &SHA1_addr[1], &SHA1_len[1], A_SHA1);
275
276	MD5_pos = MD5_MAC_LEN;
277	SHA1_pos = SHA1_MAC_LEN;
278	for (i = 0; i < outlen; i++) {
279		if (MD5_pos == MD5_MAC_LEN) {
280			hmac_md5_vector(S1, L_S1, 3, MD5_addr, MD5_len, P_MD5);
281			MD5_pos = 0;
282			hmac_md5(S1, L_S1, A_MD5, MD5_MAC_LEN, A_MD5);
283		}
284		if (SHA1_pos == SHA1_MAC_LEN) {
285			hmac_sha1_vector(S2, L_S2, 3, SHA1_addr, SHA1_len,
286					 P_SHA1);
287			SHA1_pos = 0;
288			hmac_sha1(S2, L_S2, A_SHA1, SHA1_MAC_LEN, A_SHA1);
289		}
290
291		out[i] = P_MD5[MD5_pos] ^ P_SHA1[SHA1_pos];
292
293		MD5_pos++;
294		SHA1_pos++;
295	}
296
297	return 0;
298}
299#endif /* CONFIG_NO_TLS_PRF */
300
301
302#ifndef CONFIG_NO_PBKDF2
303
304static void pbkdf2_sha1_f(const char *passphrase, const char *ssid,
305			  size_t ssid_len, int iterations, unsigned int count,
306			  u8 *digest)
307{
308	unsigned char tmp[SHA1_MAC_LEN], tmp2[SHA1_MAC_LEN];
309	int i, j;
310	unsigned char count_buf[4];
311	const u8 *addr[2];
312	size_t len[2];
313	size_t passphrase_len = os_strlen(passphrase);
314
315	addr[0] = (u8 *) ssid;
316	len[0] = ssid_len;
317	addr[1] = count_buf;
318	len[1] = 4;
319
320	/* F(P, S, c, i) = U1 xor U2 xor ... Uc
321	 * U1 = PRF(P, S || i)
322	 * U2 = PRF(P, U1)
323	 * Uc = PRF(P, Uc-1)
324	 */
325
326	count_buf[0] = (count >> 24) & 0xff;
327	count_buf[1] = (count >> 16) & 0xff;
328	count_buf[2] = (count >> 8) & 0xff;
329	count_buf[3] = count & 0xff;
330	hmac_sha1_vector((u8 *) passphrase, passphrase_len, 2, addr, len, tmp);
331	os_memcpy(digest, tmp, SHA1_MAC_LEN);
332
333	for (i = 1; i < iterations; i++) {
334		hmac_sha1((u8 *) passphrase, passphrase_len, tmp, SHA1_MAC_LEN,
335			  tmp2);
336		os_memcpy(tmp, tmp2, SHA1_MAC_LEN);
337		for (j = 0; j < SHA1_MAC_LEN; j++)
338			digest[j] ^= tmp2[j];
339	}
340}
341
342
343/**
344 * pbkdf2_sha1 - SHA1-based key derivation function (PBKDF2) for IEEE 802.11i
345 * @passphrase: ASCII passphrase
346 * @ssid: SSID
347 * @ssid_len: SSID length in bytes
348 * @iterations: Number of iterations to run
349 * @buf: Buffer for the generated key
350 * @buflen: Length of the buffer in bytes
351 *
352 * This function is used to derive PSK for WPA-PSK. For this protocol,
353 * iterations is set to 4096 and buflen to 32. This function is described in
354 * IEEE Std 802.11-2004, Clause H.4. The main construction is from PKCS#5 v2.0.
355 */
356void pbkdf2_sha1(const char *passphrase, const char *ssid, size_t ssid_len,
357		 int iterations, u8 *buf, size_t buflen)
358{
359	unsigned int count = 0;
360	unsigned char *pos = buf;
361	size_t left = buflen, plen;
362	unsigned char digest[SHA1_MAC_LEN];
363
364	while (left > 0) {
365		count++;
366		pbkdf2_sha1_f(passphrase, ssid, ssid_len, iterations, count,
367			      digest);
368		plen = left > SHA1_MAC_LEN ? SHA1_MAC_LEN : left;
369		os_memcpy(pos, digest, plen);
370		pos += plen;
371		left -= plen;
372	}
373}
374
375#endif /* CONFIG_NO_PBKDF2 */
376
377
378#ifdef INTERNAL_SHA1
379
380struct SHA1Context {
381	u32 state[5];
382	u32 count[2];
383	unsigned char buffer[64];
384};
385
386typedef struct SHA1Context SHA1_CTX;
387
388#ifndef CONFIG_CRYPTO_INTERNAL
389static void SHA1Init(struct SHA1Context *context);
390static void SHA1Update(struct SHA1Context *context, const void *data, u32 len);
391static void SHA1Final(unsigned char digest[20], struct SHA1Context *context);
392#endif /* CONFIG_CRYPTO_INTERNAL */
393static void SHA1Transform(u32 state[5], const unsigned char buffer[64]);
394
395
396/**
397 * sha1_vector - SHA-1 hash for data vector
398 * @num_elem: Number of elements in the data vector
399 * @addr: Pointers to the data areas
400 * @len: Lengths of the data blocks
401 * @mac: Buffer for the hash
402 */
403void sha1_vector(size_t num_elem, const u8 *addr[], const size_t *len,
404		 u8 *mac)
405{
406	SHA1_CTX ctx;
407	size_t i;
408
409	SHA1Init(&ctx);
410	for (i = 0; i < num_elem; i++)
411		SHA1Update(&ctx, addr[i], len[i]);
412	SHA1Final(mac, &ctx);
413}
414
415
416#ifndef CONFIG_NO_FIPS186_2_PRF
417int fips186_2_prf(const u8 *seed, size_t seed_len, u8 *x, size_t xlen)
418{
419	u8 xkey[64];
420	u32 t[5], _t[5];
421	int i, j, m, k;
422	u8 *xpos = x;
423	u32 carry;
424
425	if (seed_len > sizeof(xkey))
426		seed_len = sizeof(xkey);
427
428	/* FIPS 186-2 + change notice 1 */
429
430	os_memcpy(xkey, seed, seed_len);
431	os_memset(xkey + seed_len, 0, 64 - seed_len);
432	t[0] = 0x67452301;
433	t[1] = 0xEFCDAB89;
434	t[2] = 0x98BADCFE;
435	t[3] = 0x10325476;
436	t[4] = 0xC3D2E1F0;
437
438	m = xlen / 40;
439	for (j = 0; j < m; j++) {
440		/* XSEED_j = 0 */
441		for (i = 0; i < 2; i++) {
442			/* XVAL = (XKEY + XSEED_j) mod 2^b */
443
444			/* w_i = G(t, XVAL) */
445			os_memcpy(_t, t, 20);
446			SHA1Transform(_t, xkey);
447			_t[0] = host_to_be32(_t[0]);
448			_t[1] = host_to_be32(_t[1]);
449			_t[2] = host_to_be32(_t[2]);
450			_t[3] = host_to_be32(_t[3]);
451			_t[4] = host_to_be32(_t[4]);
452			os_memcpy(xpos, _t, 20);
453
454			/* XKEY = (1 + XKEY + w_i) mod 2^b */
455			carry = 1;
456			for (k = 19; k >= 0; k--) {
457				carry += xkey[k] + xpos[k];
458				xkey[k] = carry & 0xff;
459				carry >>= 8;
460			}
461
462			xpos += SHA1_MAC_LEN;
463		}
464		/* x_j = w_0|w_1 */
465	}
466
467	return 0;
468}
469#endif /* CONFIG_NO_FIPS186_2_PRF */
470
471
472/* ===== start - public domain SHA1 implementation ===== */
473
474/*
475SHA-1 in C
476By Steve Reid <sreid@sea-to-sky.net>
477100% Public Domain
478
479-----------------
480Modified 7/98
481By James H. Brown <jbrown@burgoyne.com>
482Still 100% Public Domain
483
484Corrected a problem which generated improper hash values on 16 bit machines
485Routine SHA1Update changed from
486	void SHA1Update(SHA1_CTX* context, unsigned char* data, unsigned int
487len)
488to
489	void SHA1Update(SHA1_CTX* context, unsigned char* data, unsigned
490long len)
491
492The 'len' parameter was declared an int which works fine on 32 bit machines.
493However, on 16 bit machines an int is too small for the shifts being done
494against
495it.  This caused the hash function to generate incorrect values if len was
496greater than 8191 (8K - 1) due to the 'len << 3' on line 3 of SHA1Update().
497
498Since the file IO in main() reads 16K at a time, any file 8K or larger would
499be guaranteed to generate the wrong hash (e.g. Test Vector #3, a million
500"a"s).
501
502I also changed the declaration of variables i & j in SHA1Update to
503unsigned long from unsigned int for the same reason.
504
505These changes should make no difference to any 32 bit implementations since
506an
507int and a long are the same size in those environments.
508
509--
510I also corrected a few compiler warnings generated by Borland C.
5111. Added #include <process.h> for exit() prototype
5122. Removed unused variable 'j' in SHA1Final
5133. Changed exit(0) to return(0) at end of main.
514
515ALL changes I made can be located by searching for comments containing 'JHB'
516-----------------
517Modified 8/98
518By Steve Reid <sreid@sea-to-sky.net>
519Still 100% public domain
520
5211- Removed #include <process.h> and used return() instead of exit()
5222- Fixed overwriting of finalcount in SHA1Final() (discovered by Chris Hall)
5233- Changed email address from steve@edmweb.com to sreid@sea-to-sky.net
524
525-----------------
526Modified 4/01
527By Saul Kravitz <Saul.Kravitz@celera.com>
528Still 100% PD
529Modified to run on Compaq Alpha hardware.
530
531-----------------
532Modified 4/01
533By Jouni Malinen <j@w1.fi>
534Minor changes to match the coding style used in Dynamics.
535
536Modified September 24, 2004
537By Jouni Malinen <j@w1.fi>
538Fixed alignment issue in SHA1Transform when SHA1HANDSOFF is defined.
539
540*/
541
542/*
543Test Vectors (from FIPS PUB 180-1)
544"abc"
545  A9993E36 4706816A BA3E2571 7850C26C 9CD0D89D
546"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"
547  84983E44 1C3BD26E BAAE4AA1 F95129E5 E54670F1
548A million repetitions of "a"
549  34AA973C D4C4DAA4 F61EEB2B DBAD2731 6534016F
550*/
551
552#define SHA1HANDSOFF
553
554#define rol(value, bits) (((value) << (bits)) | ((value) >> (32 - (bits))))
555
556/* blk0() and blk() perform the initial expand. */
557/* I got the idea of expanding during the round function from SSLeay */
558#ifndef WORDS_BIGENDIAN
559#define blk0(i) (block->l[i] = (rol(block->l[i], 24) & 0xFF00FF00) | \
560	(rol(block->l[i], 8) & 0x00FF00FF))
561#else
562#define blk0(i) block->l[i]
563#endif
564#define blk(i) (block->l[i & 15] = rol(block->l[(i + 13) & 15] ^ \
565	block->l[(i + 8) & 15] ^ block->l[(i + 2) & 15] ^ block->l[i & 15], 1))
566
567/* (R0+R1), R2, R3, R4 are the different operations used in SHA1 */
568#define R0(v,w,x,y,z,i) \
569	z += ((w & (x ^ y)) ^ y) + blk0(i) + 0x5A827999 + rol(v, 5); \
570	w = rol(w, 30);
571#define R1(v,w,x,y,z,i) \
572	z += ((w & (x ^ y)) ^ y) + blk(i) + 0x5A827999 + rol(v, 5); \
573	w = rol(w, 30);
574#define R2(v,w,x,y,z,i) \
575	z += (w ^ x ^ y) + blk(i) + 0x6ED9EBA1 + rol(v, 5); w = rol(w, 30);
576#define R3(v,w,x,y,z,i) \
577	z += (((w | x) & y) | (w & x)) + blk(i) + 0x8F1BBCDC + rol(v, 5); \
578	w = rol(w, 30);
579#define R4(v,w,x,y,z,i) \
580	z += (w ^ x ^ y) + blk(i) + 0xCA62C1D6 + rol(v, 5); \
581	w=rol(w, 30);
582
583
584#ifdef VERBOSE  /* SAK */
585void SHAPrintContext(SHA1_CTX *context, char *msg)
586{
587	printf("%s (%d,%d) %x %x %x %x %x\n",
588	       msg,
589	       context->count[0], context->count[1],
590	       context->state[0],
591	       context->state[1],
592	       context->state[2],
593	       context->state[3],
594	       context->state[4]);
595}
596#endif
597
598/* Hash a single 512-bit block. This is the core of the algorithm. */
599
600static void SHA1Transform(u32 state[5], const unsigned char buffer[64])
601{
602	u32 a, b, c, d, e;
603	typedef union {
604		unsigned char c[64];
605		u32 l[16];
606	} CHAR64LONG16;
607	CHAR64LONG16* block;
608#ifdef SHA1HANDSOFF
609	CHAR64LONG16 workspace;
610	block = &workspace;
611	os_memcpy(block, buffer, 64);
612#else
613	block = (CHAR64LONG16 *) buffer;
614#endif
615	/* Copy context->state[] to working vars */
616	a = state[0];
617	b = state[1];
618	c = state[2];
619	d = state[3];
620	e = state[4];
621	/* 4 rounds of 20 operations each. Loop unrolled. */
622	R0(a,b,c,d,e, 0); R0(e,a,b,c,d, 1); R0(d,e,a,b,c, 2); R0(c,d,e,a,b, 3);
623	R0(b,c,d,e,a, 4); R0(a,b,c,d,e, 5); R0(e,a,b,c,d, 6); R0(d,e,a,b,c, 7);
624	R0(c,d,e,a,b, 8); R0(b,c,d,e,a, 9); R0(a,b,c,d,e,10); R0(e,a,b,c,d,11);
625	R0(d,e,a,b,c,12); R0(c,d,e,a,b,13); R0(b,c,d,e,a,14); R0(a,b,c,d,e,15);
626	R1(e,a,b,c,d,16); R1(d,e,a,b,c,17); R1(c,d,e,a,b,18); R1(b,c,d,e,a,19);
627	R2(a,b,c,d,e,20); R2(e,a,b,c,d,21); R2(d,e,a,b,c,22); R2(c,d,e,a,b,23);
628	R2(b,c,d,e,a,24); R2(a,b,c,d,e,25); R2(e,a,b,c,d,26); R2(d,e,a,b,c,27);
629	R2(c,d,e,a,b,28); R2(b,c,d,e,a,29); R2(a,b,c,d,e,30); R2(e,a,b,c,d,31);
630	R2(d,e,a,b,c,32); R2(c,d,e,a,b,33); R2(b,c,d,e,a,34); R2(a,b,c,d,e,35);
631	R2(e,a,b,c,d,36); R2(d,e,a,b,c,37); R2(c,d,e,a,b,38); R2(b,c,d,e,a,39);
632	R3(a,b,c,d,e,40); R3(e,a,b,c,d,41); R3(d,e,a,b,c,42); R3(c,d,e,a,b,43);
633	R3(b,c,d,e,a,44); R3(a,b,c,d,e,45); R3(e,a,b,c,d,46); R3(d,e,a,b,c,47);
634	R3(c,d,e,a,b,48); R3(b,c,d,e,a,49); R3(a,b,c,d,e,50); R3(e,a,b,c,d,51);
635	R3(d,e,a,b,c,52); R3(c,d,e,a,b,53); R3(b,c,d,e,a,54); R3(a,b,c,d,e,55);
636	R3(e,a,b,c,d,56); R3(d,e,a,b,c,57); R3(c,d,e,a,b,58); R3(b,c,d,e,a,59);
637	R4(a,b,c,d,e,60); R4(e,a,b,c,d,61); R4(d,e,a,b,c,62); R4(c,d,e,a,b,63);
638	R4(b,c,d,e,a,64); R4(a,b,c,d,e,65); R4(e,a,b,c,d,66); R4(d,e,a,b,c,67);
639	R4(c,d,e,a,b,68); R4(b,c,d,e,a,69); R4(a,b,c,d,e,70); R4(e,a,b,c,d,71);
640	R4(d,e,a,b,c,72); R4(c,d,e,a,b,73); R4(b,c,d,e,a,74); R4(a,b,c,d,e,75);
641	R4(e,a,b,c,d,76); R4(d,e,a,b,c,77); R4(c,d,e,a,b,78); R4(b,c,d,e,a,79);
642	/* Add the working vars back into context.state[] */
643	state[0] += a;
644	state[1] += b;
645	state[2] += c;
646	state[3] += d;
647	state[4] += e;
648	/* Wipe variables */
649	a = b = c = d = e = 0;
650#ifdef SHA1HANDSOFF
651	os_memset(block, 0, 64);
652#endif
653}
654
655
656/* SHA1Init - Initialize new context */
657
658void SHA1Init(SHA1_CTX* context)
659{
660	/* SHA1 initialization constants */
661	context->state[0] = 0x67452301;
662	context->state[1] = 0xEFCDAB89;
663	context->state[2] = 0x98BADCFE;
664	context->state[3] = 0x10325476;
665	context->state[4] = 0xC3D2E1F0;
666	context->count[0] = context->count[1] = 0;
667}
668
669
670/* Run your data through this. */
671
672void SHA1Update(SHA1_CTX* context, const void *_data, u32 len)
673{
674	u32 i, j;
675	const unsigned char *data = _data;
676
677#ifdef VERBOSE
678	SHAPrintContext(context, "before");
679#endif
680	j = (context->count[0] >> 3) & 63;
681	if ((context->count[0] += len << 3) < (len << 3))
682		context->count[1]++;
683	context->count[1] += (len >> 29);
684	if ((j + len) > 63) {
685		os_memcpy(&context->buffer[j], data, (i = 64-j));
686		SHA1Transform(context->state, context->buffer);
687		for ( ; i + 63 < len; i += 64) {
688			SHA1Transform(context->state, &data[i]);
689		}
690		j = 0;
691	}
692	else i = 0;
693	os_memcpy(&context->buffer[j], &data[i], len - i);
694#ifdef VERBOSE
695	SHAPrintContext(context, "after ");
696#endif
697}
698
699
700/* Add padding and return the message digest. */
701
702void SHA1Final(unsigned char digest[20], SHA1_CTX* context)
703{
704	u32 i;
705	unsigned char finalcount[8];
706
707	for (i = 0; i < 8; i++) {
708		finalcount[i] = (unsigned char)
709			((context->count[(i >= 4 ? 0 : 1)] >>
710			  ((3-(i & 3)) * 8) ) & 255);  /* Endian independent */
711	}
712	SHA1Update(context, (unsigned char *) "\200", 1);
713	while ((context->count[0] & 504) != 448) {
714		SHA1Update(context, (unsigned char *) "\0", 1);
715	}
716	SHA1Update(context, finalcount, 8);  /* Should cause a SHA1Transform()
717					      */
718	for (i = 0; i < 20; i++) {
719		digest[i] = (unsigned char)
720			((context->state[i >> 2] >> ((3 - (i & 3)) * 8)) &
721			 255);
722	}
723	/* Wipe variables */
724	i = 0;
725	os_memset(context->buffer, 0, 64);
726	os_memset(context->state, 0, 20);
727	os_memset(context->count, 0, 8);
728	os_memset(finalcount, 0, 8);
729}
730
731/* ===== end - public domain SHA1 implementation ===== */
732
733#endif /* INTERNAL_SHA1 */
734