1/* $OpenBSD: sha1.c,v 1.15 2024/06/01 07:36:16 tb Exp $ */ 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58 59#include <stdlib.h> 60#include <string.h> 61 62#include <openssl/opensslconf.h> 63 64#include <openssl/crypto.h> 65#include <openssl/sha.h> 66 67#include "crypto_internal.h" 68 69#if !defined(OPENSSL_NO_SHA1) && !defined(OPENSSL_NO_SHA) 70 71/* Ensure that SHA_LONG and uint32_t are equivalent sizes. */ 72CTASSERT(sizeof(SHA_LONG) == sizeof(uint32_t)); 73 74#ifdef SHA1_ASM 75void sha1_block_data_order(SHA_CTX *ctx, const void *p, size_t num); 76#endif 77 78#ifndef SHA1_ASM 79static inline SHA_LONG 80Ch(SHA_LONG x, SHA_LONG y, SHA_LONG z) 81{ 82 return (x & y) ^ (~x & z); 83} 84 85static inline SHA_LONG 86Parity(SHA_LONG x, SHA_LONG y, SHA_LONG z) 87{ 88 return x ^ y ^ z; 89} 90 91static inline SHA_LONG 92Maj(SHA_LONG x, SHA_LONG y, SHA_LONG z) 93{ 94 return (x & y) ^ (x & z) ^ (y & z); 95} 96 97static inline void 98sha1_msg_schedule_update(SHA_LONG *W0, SHA_LONG W2, SHA_LONG W8, SHA_LONG W13) 99{ 100 *W0 = crypto_rol_u32(W13 ^ W8 ^ W2 ^ *W0, 1); 101} 102 103static inline void 104sha1_round1(SHA_LONG *a, SHA_LONG *b, SHA_LONG *c, SHA_LONG *d, SHA_LONG *e, 105 SHA_LONG Wt) 106{ 107 SHA_LONG Kt, T; 108 109 Kt = 0x5a827999UL; 110 T = crypto_rol_u32(*a, 5) + Ch(*b, *c, *d) + *e + Kt + Wt; 111 112 *e = *d; 113 *d = *c; 114 *c = crypto_rol_u32(*b, 30); 115 *b = *a; 116 *a = T; 117} 118 119static inline void 120sha1_round2(SHA_LONG *a, SHA_LONG *b, SHA_LONG *c, SHA_LONG *d, SHA_LONG *e, 121 SHA_LONG Wt) 122{ 123 SHA_LONG Kt, T; 124 125 Kt = 0x6ed9eba1UL; 126 T = crypto_rol_u32(*a, 5) + Parity(*b, *c, *d) + *e + Kt + Wt; 127 128 *e = *d; 129 *d = *c; 130 *c = crypto_rol_u32(*b, 30); 131 *b = *a; 132 *a = T; 133} 134 135static inline void 136sha1_round3(SHA_LONG *a, SHA_LONG *b, SHA_LONG *c, SHA_LONG *d, SHA_LONG *e, 137 SHA_LONG Wt) 138{ 139 SHA_LONG Kt, T; 140 141 Kt = 0x8f1bbcdcUL; 142 T = crypto_rol_u32(*a, 5) + Maj(*b, *c, *d) + *e + Kt + Wt; 143 144 *e = *d; 145 *d = *c; 146 *c = crypto_rol_u32(*b, 30); 147 *b = *a; 148 *a = T; 149} 150 151static inline void 152sha1_round4(SHA_LONG *a, SHA_LONG *b, SHA_LONG *c, SHA_LONG *d, SHA_LONG *e, 153 SHA_LONG Wt) 154{ 155 SHA_LONG Kt, T; 156 157 Kt = 0xca62c1d6UL; 158 T = crypto_rol_u32(*a, 5) + Parity(*b, *c, *d) + *e + Kt + Wt; 159 160 *e = *d; 161 *d = *c; 162 *c = crypto_rol_u32(*b, 30); 163 *b = *a; 164 *a = T; 165} 166 167static void 168sha1_block_data_order(SHA_CTX *ctx, const void *_in, size_t num) 169{ 170 const uint8_t *in = _in; 171 const SHA_LONG *in32; 172 unsigned int a, b, c, d, e; 173 unsigned int X0, X1, X2, X3, X4, X5, X6, X7, 174 X8, X9, X10, X11, X12, X13, X14, X15; 175 176 while (num--) { 177 a = ctx->h0; 178 b = ctx->h1; 179 c = ctx->h2; 180 d = ctx->h3; 181 e = ctx->h4; 182 183 if ((size_t)in % 4 == 0) { 184 /* Input is 32 bit aligned. */ 185 in32 = (const SHA_LONG *)in; 186 X0 = be32toh(in32[0]); 187 X1 = be32toh(in32[1]); 188 X2 = be32toh(in32[2]); 189 X3 = be32toh(in32[3]); 190 X4 = be32toh(in32[4]); 191 X5 = be32toh(in32[5]); 192 X6 = be32toh(in32[6]); 193 X7 = be32toh(in32[7]); 194 X8 = be32toh(in32[8]); 195 X9 = be32toh(in32[9]); 196 X10 = be32toh(in32[10]); 197 X11 = be32toh(in32[11]); 198 X12 = be32toh(in32[12]); 199 X13 = be32toh(in32[13]); 200 X14 = be32toh(in32[14]); 201 X15 = be32toh(in32[15]); 202 } else { 203 /* Input is not 32 bit aligned. */ 204 X0 = crypto_load_be32toh(&in[0 * 4]); 205 X1 = crypto_load_be32toh(&in[1 * 4]); 206 X2 = crypto_load_be32toh(&in[2 * 4]); 207 X3 = crypto_load_be32toh(&in[3 * 4]); 208 X4 = crypto_load_be32toh(&in[4 * 4]); 209 X5 = crypto_load_be32toh(&in[5 * 4]); 210 X6 = crypto_load_be32toh(&in[6 * 4]); 211 X7 = crypto_load_be32toh(&in[7 * 4]); 212 X8 = crypto_load_be32toh(&in[8 * 4]); 213 X9 = crypto_load_be32toh(&in[9 * 4]); 214 X10 = crypto_load_be32toh(&in[10 * 4]); 215 X11 = crypto_load_be32toh(&in[11 * 4]); 216 X12 = crypto_load_be32toh(&in[12 * 4]); 217 X13 = crypto_load_be32toh(&in[13 * 4]); 218 X14 = crypto_load_be32toh(&in[14 * 4]); 219 X15 = crypto_load_be32toh(&in[15 * 4]); 220 } 221 in += SHA_CBLOCK; 222 223 sha1_round1(&a, &b, &c, &d, &e, X0); 224 sha1_round1(&a, &b, &c, &d, &e, X1); 225 sha1_round1(&a, &b, &c, &d, &e, X2); 226 sha1_round1(&a, &b, &c, &d, &e, X3); 227 sha1_round1(&a, &b, &c, &d, &e, X4); 228 sha1_round1(&a, &b, &c, &d, &e, X5); 229 sha1_round1(&a, &b, &c, &d, &e, X6); 230 sha1_round1(&a, &b, &c, &d, &e, X7); 231 sha1_round1(&a, &b, &c, &d, &e, X8); 232 sha1_round1(&a, &b, &c, &d, &e, X9); 233 sha1_round1(&a, &b, &c, &d, &e, X10); 234 sha1_round1(&a, &b, &c, &d, &e, X11); 235 sha1_round1(&a, &b, &c, &d, &e, X12); 236 sha1_round1(&a, &b, &c, &d, &e, X13); 237 sha1_round1(&a, &b, &c, &d, &e, X14); 238 sha1_round1(&a, &b, &c, &d, &e, X15); 239 240 sha1_msg_schedule_update(&X0, X2, X8, X13); 241 sha1_msg_schedule_update(&X1, X3, X9, X14); 242 sha1_msg_schedule_update(&X2, X4, X10, X15); 243 sha1_msg_schedule_update(&X3, X5, X11, X0); 244 sha1_msg_schedule_update(&X4, X6, X12, X1); 245 sha1_msg_schedule_update(&X5, X7, X13, X2); 246 sha1_msg_schedule_update(&X6, X8, X14, X3); 247 sha1_msg_schedule_update(&X7, X9, X15, X4); 248 sha1_msg_schedule_update(&X8, X10, X0, X5); 249 sha1_msg_schedule_update(&X9, X11, X1, X6); 250 sha1_msg_schedule_update(&X10, X12, X2, X7); 251 sha1_msg_schedule_update(&X11, X13, X3, X8); 252 sha1_msg_schedule_update(&X12, X14, X4, X9); 253 sha1_msg_schedule_update(&X13, X15, X5, X10); 254 sha1_msg_schedule_update(&X14, X0, X6, X11); 255 sha1_msg_schedule_update(&X15, X1, X7, X12); 256 257 sha1_round1(&a, &b, &c, &d, &e, X0); 258 sha1_round1(&a, &b, &c, &d, &e, X1); 259 sha1_round1(&a, &b, &c, &d, &e, X2); 260 sha1_round1(&a, &b, &c, &d, &e, X3); 261 sha1_round2(&a, &b, &c, &d, &e, X4); 262 sha1_round2(&a, &b, &c, &d, &e, X5); 263 sha1_round2(&a, &b, &c, &d, &e, X6); 264 sha1_round2(&a, &b, &c, &d, &e, X7); 265 sha1_round2(&a, &b, &c, &d, &e, X8); 266 sha1_round2(&a, &b, &c, &d, &e, X9); 267 sha1_round2(&a, &b, &c, &d, &e, X10); 268 sha1_round2(&a, &b, &c, &d, &e, X11); 269 sha1_round2(&a, &b, &c, &d, &e, X12); 270 sha1_round2(&a, &b, &c, &d, &e, X13); 271 sha1_round2(&a, &b, &c, &d, &e, X14); 272 sha1_round2(&a, &b, &c, &d, &e, X15); 273 274 sha1_msg_schedule_update(&X0, X2, X8, X13); 275 sha1_msg_schedule_update(&X1, X3, X9, X14); 276 sha1_msg_schedule_update(&X2, X4, X10, X15); 277 sha1_msg_schedule_update(&X3, X5, X11, X0); 278 sha1_msg_schedule_update(&X4, X6, X12, X1); 279 sha1_msg_schedule_update(&X5, X7, X13, X2); 280 sha1_msg_schedule_update(&X6, X8, X14, X3); 281 sha1_msg_schedule_update(&X7, X9, X15, X4); 282 sha1_msg_schedule_update(&X8, X10, X0, X5); 283 sha1_msg_schedule_update(&X9, X11, X1, X6); 284 sha1_msg_schedule_update(&X10, X12, X2, X7); 285 sha1_msg_schedule_update(&X11, X13, X3, X8); 286 sha1_msg_schedule_update(&X12, X14, X4, X9); 287 sha1_msg_schedule_update(&X13, X15, X5, X10); 288 sha1_msg_schedule_update(&X14, X0, X6, X11); 289 sha1_msg_schedule_update(&X15, X1, X7, X12); 290 291 sha1_round2(&a, &b, &c, &d, &e, X0); 292 sha1_round2(&a, &b, &c, &d, &e, X1); 293 sha1_round2(&a, &b, &c, &d, &e, X2); 294 sha1_round2(&a, &b, &c, &d, &e, X3); 295 sha1_round2(&a, &b, &c, &d, &e, X4); 296 sha1_round2(&a, &b, &c, &d, &e, X5); 297 sha1_round2(&a, &b, &c, &d, &e, X6); 298 sha1_round2(&a, &b, &c, &d, &e, X7); 299 sha1_round3(&a, &b, &c, &d, &e, X8); 300 sha1_round3(&a, &b, &c, &d, &e, X9); 301 sha1_round3(&a, &b, &c, &d, &e, X10); 302 sha1_round3(&a, &b, &c, &d, &e, X11); 303 sha1_round3(&a, &b, &c, &d, &e, X12); 304 sha1_round3(&a, &b, &c, &d, &e, X13); 305 sha1_round3(&a, &b, &c, &d, &e, X14); 306 sha1_round3(&a, &b, &c, &d, &e, X15); 307 308 sha1_msg_schedule_update(&X0, X2, X8, X13); 309 sha1_msg_schedule_update(&X1, X3, X9, X14); 310 sha1_msg_schedule_update(&X2, X4, X10, X15); 311 sha1_msg_schedule_update(&X3, X5, X11, X0); 312 sha1_msg_schedule_update(&X4, X6, X12, X1); 313 sha1_msg_schedule_update(&X5, X7, X13, X2); 314 sha1_msg_schedule_update(&X6, X8, X14, X3); 315 sha1_msg_schedule_update(&X7, X9, X15, X4); 316 sha1_msg_schedule_update(&X8, X10, X0, X5); 317 sha1_msg_schedule_update(&X9, X11, X1, X6); 318 sha1_msg_schedule_update(&X10, X12, X2, X7); 319 sha1_msg_schedule_update(&X11, X13, X3, X8); 320 sha1_msg_schedule_update(&X12, X14, X4, X9); 321 sha1_msg_schedule_update(&X13, X15, X5, X10); 322 sha1_msg_schedule_update(&X14, X0, X6, X11); 323 sha1_msg_schedule_update(&X15, X1, X7, X12); 324 325 sha1_round3(&a, &b, &c, &d, &e, X0); 326 sha1_round3(&a, &b, &c, &d, &e, X1); 327 sha1_round3(&a, &b, &c, &d, &e, X2); 328 sha1_round3(&a, &b, &c, &d, &e, X3); 329 sha1_round3(&a, &b, &c, &d, &e, X4); 330 sha1_round3(&a, &b, &c, &d, &e, X5); 331 sha1_round3(&a, &b, &c, &d, &e, X6); 332 sha1_round3(&a, &b, &c, &d, &e, X7); 333 sha1_round3(&a, &b, &c, &d, &e, X8); 334 sha1_round3(&a, &b, &c, &d, &e, X9); 335 sha1_round3(&a, &b, &c, &d, &e, X10); 336 sha1_round3(&a, &b, &c, &d, &e, X11); 337 sha1_round4(&a, &b, &c, &d, &e, X12); 338 sha1_round4(&a, &b, &c, &d, &e, X13); 339 sha1_round4(&a, &b, &c, &d, &e, X14); 340 sha1_round4(&a, &b, &c, &d, &e, X15); 341 342 sha1_msg_schedule_update(&X0, X2, X8, X13); 343 sha1_msg_schedule_update(&X1, X3, X9, X14); 344 sha1_msg_schedule_update(&X2, X4, X10, X15); 345 sha1_msg_schedule_update(&X3, X5, X11, X0); 346 sha1_msg_schedule_update(&X4, X6, X12, X1); 347 sha1_msg_schedule_update(&X5, X7, X13, X2); 348 sha1_msg_schedule_update(&X6, X8, X14, X3); 349 sha1_msg_schedule_update(&X7, X9, X15, X4); 350 sha1_msg_schedule_update(&X8, X10, X0, X5); 351 sha1_msg_schedule_update(&X9, X11, X1, X6); 352 sha1_msg_schedule_update(&X10, X12, X2, X7); 353 sha1_msg_schedule_update(&X11, X13, X3, X8); 354 sha1_msg_schedule_update(&X12, X14, X4, X9); 355 sha1_msg_schedule_update(&X13, X15, X5, X10); 356 sha1_msg_schedule_update(&X14, X0, X6, X11); 357 sha1_msg_schedule_update(&X15, X1, X7, X12); 358 359 sha1_round4(&a, &b, &c, &d, &e, X0); 360 sha1_round4(&a, &b, &c, &d, &e, X1); 361 sha1_round4(&a, &b, &c, &d, &e, X2); 362 sha1_round4(&a, &b, &c, &d, &e, X3); 363 sha1_round4(&a, &b, &c, &d, &e, X4); 364 sha1_round4(&a, &b, &c, &d, &e, X5); 365 sha1_round4(&a, &b, &c, &d, &e, X6); 366 sha1_round4(&a, &b, &c, &d, &e, X7); 367 sha1_round4(&a, &b, &c, &d, &e, X8); 368 sha1_round4(&a, &b, &c, &d, &e, X9); 369 sha1_round4(&a, &b, &c, &d, &e, X10); 370 sha1_round4(&a, &b, &c, &d, &e, X11); 371 sha1_round4(&a, &b, &c, &d, &e, X12); 372 sha1_round4(&a, &b, &c, &d, &e, X13); 373 sha1_round4(&a, &b, &c, &d, &e, X14); 374 sha1_round4(&a, &b, &c, &d, &e, X15); 375 376 ctx->h0 += a; 377 ctx->h1 += b; 378 ctx->h2 += c; 379 ctx->h3 += d; 380 ctx->h4 += e; 381 } 382} 383#endif 384 385int 386SHA1_Init(SHA_CTX *c) 387{ 388 memset(c, 0, sizeof(*c)); 389 390 c->h0 = 0x67452301UL; 391 c->h1 = 0xefcdab89UL; 392 c->h2 = 0x98badcfeUL; 393 c->h3 = 0x10325476UL; 394 c->h4 = 0xc3d2e1f0UL; 395 396 return 1; 397} 398LCRYPTO_ALIAS(SHA1_Init); 399 400int 401SHA1_Update(SHA_CTX *c, const void *data_, size_t len) 402{ 403 const unsigned char *data = data_; 404 unsigned char *p; 405 SHA_LONG l; 406 size_t n; 407 408 if (len == 0) 409 return 1; 410 411 l = (c->Nl + (((SHA_LONG)len) << 3))&0xffffffffUL; 412 /* 95-05-24 eay Fixed a bug with the overflow handling, thanks to 413 * Wei Dai <weidai@eskimo.com> for pointing it out. */ 414 if (l < c->Nl) /* overflow */ 415 c->Nh++; 416 c->Nh+=(SHA_LONG)(len>>29); /* might cause compiler warning on 16-bit */ 417 c->Nl = l; 418 419 n = c->num; 420 if (n != 0) { 421 p = (unsigned char *)c->data; 422 423 if (len >= SHA_CBLOCK || len + n >= SHA_CBLOCK) { 424 memcpy(p + n, data, SHA_CBLOCK - n); 425 sha1_block_data_order(c, p, 1); 426 n = SHA_CBLOCK - n; 427 data += n; 428 len -= n; 429 c->num = 0; 430 memset(p,0,SHA_CBLOCK); /* keep it zeroed */ 431 } else { 432 memcpy(p + n, data, len); 433 c->num += (unsigned int)len; 434 return 1; 435 } 436 } 437 438 n = len/SHA_CBLOCK; 439 if (n > 0) { 440 sha1_block_data_order(c, data, n); 441 n *= SHA_CBLOCK; 442 data += n; 443 len -= n; 444 } 445 446 if (len != 0) { 447 p = (unsigned char *)c->data; 448 c->num = (unsigned int)len; 449 memcpy(p, data, len); 450 } 451 return 1; 452} 453LCRYPTO_ALIAS(SHA1_Update); 454 455void 456SHA1_Transform(SHA_CTX *c, const unsigned char *data) 457{ 458 sha1_block_data_order(c, data, 1); 459} 460LCRYPTO_ALIAS(SHA1_Transform); 461 462int 463SHA1_Final(unsigned char *md, SHA_CTX *c) 464{ 465 unsigned char *p = (unsigned char *)c->data; 466 size_t n = c->num; 467 468 p[n] = 0x80; /* there is always room for one */ 469 n++; 470 471 if (n > (SHA_CBLOCK - 8)) { 472 memset(p + n, 0, SHA_CBLOCK - n); 473 n = 0; 474 sha1_block_data_order(c, p, 1); 475 } 476 477 memset(p + n, 0, SHA_CBLOCK - 8 - n); 478 c->data[SHA_LBLOCK - 2] = htobe32(c->Nh); 479 c->data[SHA_LBLOCK - 1] = htobe32(c->Nl); 480 481 sha1_block_data_order(c, p, 1); 482 c->num = 0; 483 memset(p, 0, SHA_CBLOCK); 484 485 crypto_store_htobe32(&md[0 * 4], c->h0); 486 crypto_store_htobe32(&md[1 * 4], c->h1); 487 crypto_store_htobe32(&md[2 * 4], c->h2); 488 crypto_store_htobe32(&md[3 * 4], c->h3); 489 crypto_store_htobe32(&md[4 * 4], c->h4); 490 491 return 1; 492} 493LCRYPTO_ALIAS(SHA1_Final); 494 495unsigned char * 496SHA1(const unsigned char *d, size_t n, unsigned char *md) 497{ 498 SHA_CTX c; 499 500 if (!SHA1_Init(&c)) 501 return NULL; 502 SHA1_Update(&c, d, n); 503 SHA1_Final(md, &c); 504 505 explicit_bzero(&c, sizeof(c)); 506 507 return (md); 508} 509LCRYPTO_ALIAS(SHA1); 510 511#endif 512