1/* vi: set sw=4 ts=4: */ 2/* 3 * Based on shasum from http://www.netsw.org/crypto/hash/ 4 * Majorly hacked up to use Dr Brian Gladman's sha1 code 5 * 6 * Copyright (C) 2002 Dr Brian Gladman <brg@gladman.me.uk>, Worcester, UK. 7 * Copyright (C) 2003 Glenn L. McGrath 8 * Copyright (C) 2003 Erik Andersen 9 * 10 * Licensed under GPLv2 or later, see file LICENSE in this tarball for details. 11 * 12 * --------------------------------------------------------------------------- 13 * Issue Date: 10/11/2002 14 * 15 * This is a byte oriented version of SHA1 that operates on arrays of bytes 16 * stored in memory. It runs at 22 cycles per byte on a Pentium P4 processor 17 */ 18 19#include "libbb.h" 20 21#define SHA1_BLOCK_SIZE 64 22#define SHA1_DIGEST_SIZE 20 23#define SHA1_HASH_SIZE SHA1_DIGEST_SIZE 24#define SHA2_GOOD 0 25#define SHA2_BAD 1 26 27#define rotl32(x,n) (((x) << n) | ((x) >> (32 - n))) 28 29#define SHA1_MASK (SHA1_BLOCK_SIZE - 1) 30 31/* reverse byte order in 32-bit words */ 32#define ch(x,y,z) ((z) ^ ((x) & ((y) ^ (z)))) 33#define parity(x,y,z) ((x) ^ (y) ^ (z)) 34#define maj(x,y,z) (((x) & (y)) | ((z) & ((x) | (y)))) 35 36/* A normal version as set out in the FIPS. This version uses */ 37/* partial loop unrolling and is optimised for the Pentium 4 */ 38#define rnd(f,k) \ 39 do { \ 40 t = a; a = rotl32(a,5) + f(b,c,d) + e + k + w[i]; \ 41 e = d; d = c; c = rotl32(b, 30); b = t; \ 42 } while (0) 43 44static void sha1_compile(sha1_ctx_t *ctx) 45{ 46 uint32_t w[80], i, a, b, c, d, e, t; 47 48 /* note that words are compiled from the buffer into 32-bit */ 49 /* words in big-endian order so an order reversal is needed */ 50 /* here on little endian machines */ 51 for (i = 0; i < SHA1_BLOCK_SIZE / 4; ++i) 52 w[i] = htonl(ctx->wbuf[i]); 53 54 for (i = SHA1_BLOCK_SIZE / 4; i < 80; ++i) 55 w[i] = rotl32(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1); 56 57 a = ctx->hash[0]; 58 b = ctx->hash[1]; 59 c = ctx->hash[2]; 60 d = ctx->hash[3]; 61 e = ctx->hash[4]; 62 63 for (i = 0; i < 20; ++i) { 64 rnd(ch, 0x5a827999); 65 } 66 67 for (i = 20; i < 40; ++i) { 68 rnd(parity, 0x6ed9eba1); 69 } 70 71 for (i = 40; i < 60; ++i) { 72 rnd(maj, 0x8f1bbcdc); 73 } 74 75 for (i = 60; i < 80; ++i) { 76 rnd(parity, 0xca62c1d6); 77 } 78 79 ctx->hash[0] += a; 80 ctx->hash[1] += b; 81 ctx->hash[2] += c; 82 ctx->hash[3] += d; 83 ctx->hash[4] += e; 84} 85 86void sha1_begin(sha1_ctx_t *ctx) 87{ 88 ctx->count[0] = ctx->count[1] = 0; 89 ctx->hash[0] = 0x67452301; 90 ctx->hash[1] = 0xefcdab89; 91 ctx->hash[2] = 0x98badcfe; 92 ctx->hash[3] = 0x10325476; 93 ctx->hash[4] = 0xc3d2e1f0; 94} 95 96/* SHA1 hash data in an array of bytes into hash buffer and call the */ 97/* hash_compile function as required. */ 98void sha1_hash(const void *data, size_t length, sha1_ctx_t *ctx) 99{ 100 uint32_t pos = (uint32_t) (ctx->count[0] & SHA1_MASK); 101 uint32_t freeb = SHA1_BLOCK_SIZE - pos; 102 const unsigned char *sp = data; 103 104 if ((ctx->count[0] += length) < length) 105 ++(ctx->count[1]); 106 107 while (length >= freeb) { /* tranfer whole blocks while possible */ 108 memcpy(((unsigned char *) ctx->wbuf) + pos, sp, freeb); 109 sp += freeb; 110 length -= freeb; 111 freeb = SHA1_BLOCK_SIZE; 112 pos = 0; 113 sha1_compile(ctx); 114 } 115 116 memcpy(((unsigned char *) ctx->wbuf) + pos, sp, length); 117} 118 119void *sha1_end(void *resbuf, sha1_ctx_t *ctx) 120{ 121 /* SHA1 Final padding and digest calculation */ 122#if BB_BIG_ENDIAN 123 static uint32_t mask[4] = { 0x00000000, 0xff000000, 0xffff0000, 0xffffff00 }; 124 static uint32_t bits[4] = { 0x80000000, 0x00800000, 0x00008000, 0x00000080 }; 125#else 126 static uint32_t mask[4] = { 0x00000000, 0x000000ff, 0x0000ffff, 0x00ffffff }; 127 static uint32_t bits[4] = { 0x00000080, 0x00008000, 0x00800000, 0x80000000 }; 128#endif 129 130 uint8_t *hval = resbuf; 131 uint32_t i, cnt = (uint32_t) (ctx->count[0] & SHA1_MASK); 132 133 /* mask out the rest of any partial 32-bit word and then set */ 134 /* the next byte to 0x80. On big-endian machines any bytes in */ 135 /* the buffer will be at the top end of 32 bit words, on little */ 136 /* endian machines they will be at the bottom. Hence the AND */ 137 /* and OR masks above are reversed for little endian systems */ 138 ctx->wbuf[cnt >> 2] = 139 (ctx->wbuf[cnt >> 2] & mask[cnt & 3]) | bits[cnt & 3]; 140 141 /* we need 9 or more empty positions, one for the padding byte */ 142 /* (above) and eight for the length count. If there is not */ 143 /* enough space pad and empty the buffer */ 144 if (cnt > SHA1_BLOCK_SIZE - 9) { 145 if (cnt < 60) 146 ctx->wbuf[15] = 0; 147 sha1_compile(ctx); 148 cnt = 0; 149 } else /* compute a word index for the empty buffer positions */ 150 cnt = (cnt >> 2) + 1; 151 152 while (cnt < 14) /* and zero pad all but last two positions */ 153 ctx->wbuf[cnt++] = 0; 154 155 /* assemble the eight byte counter in the buffer in big-endian */ 156 /* format */ 157 158 ctx->wbuf[14] = htonl((ctx->count[1] << 3) | (ctx->count[0] >> 29)); 159 ctx->wbuf[15] = htonl(ctx->count[0] << 3); 160 161 sha1_compile(ctx); 162 163 /* extract the hash value as bytes in case the hash buffer is */ 164 /* misaligned for 32-bit words */ 165 166 for (i = 0; i < SHA1_DIGEST_SIZE; ++i) 167 hval[i] = (unsigned char) (ctx->hash[i >> 2] >> 8 * (~i & 3)); 168 169 return resbuf; 170} 171