| /* sha1.c - Functions to compute SHA1 message digest of files or |
| memory blocks according to the NIST specification FIPS-180-1. |
| |
| Copyright (C) 2007 Free Software Foundation, Inc. |
| |
| This file is part of the GNU Binutils. |
| |
| This program is free software; you can redistribute it and/or modify it |
| under the terms of the GNU General Public License as published by the |
| Free Software Foundation; either version 3, or (at your option) any |
| later version. |
| |
| This program is distributed in the hope that it will be useful, |
| but WITHOUT ANY WARRANTY; without even the implied warranty of |
| MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| GNU General Public License for more details. |
| |
| You should have received a copy of the GNU General Public License |
| along with this program; if not, write to the Free Software Foundation, |
| Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. */ |
| |
| /* Written by Scott G. Miller |
| Credits: |
| Robert Klep <robert@ilse.nl> -- Expansion function fix */ |
| |
| #include <config.h> |
| #include "sha1.h" |
| #include <stddef.h> |
| #include <string.h> |
| |
| #if USE_UNLOCKED_IO |
| # include "unlocked-io.h" |
| #endif |
| |
| #ifdef WORDS_BIGENDIAN |
| # define SWAP(n) (n) |
| #else |
| # define SWAP(n) \ |
| (((n) << 24) | (((n) & 0xff00) << 8) | (((n) >> 8) & 0xff00) | ((n) >> 24)) |
| #endif |
| |
| #define BLOCKSIZE 4096 |
| #if BLOCKSIZE % 64 != 0 |
| # error "invalid BLOCKSIZE" |
| #endif |
| |
| /* This array contains the bytes used to pad the buffer to the next |
| 64-byte boundary. (RFC 1321, 3.1: Step 1) */ |
| static const unsigned char fillbuf[64] = { 0x80, 0 /* , 0, 0, ... */ }; |
| |
| |
| /* Take a pointer to a 160 bit block of data (five 32 bit ints) and |
| initialize it to the start constants of the SHA1 algorithm. This |
| must be called before using hash in the call to sha1_hash. */ |
| |
| void |
| sha1_init_ctx (struct sha1_ctx *ctx) |
| { |
| ctx->A = 0x67452301; |
| ctx->B = 0xefcdab89; |
| ctx->C = 0x98badcfe; |
| ctx->D = 0x10325476; |
| ctx->E = 0xc3d2e1f0; |
| |
| ctx->total[0] = ctx->total[1] = 0; |
| ctx->buflen = 0; |
| } |
| |
| /* Put result from CTX in first 20 bytes following RESBUF. The result |
| must be in little endian byte order. |
| |
| IMPORTANT: On some systems it is required that RESBUF is correctly |
| aligned for a 32-bit value. */ |
| |
| void * |
| sha1_read_ctx (const struct sha1_ctx *ctx, void *resbuf) |
| { |
| ((uint32_t *) resbuf)[0] = SWAP (ctx->A); |
| ((uint32_t *) resbuf)[1] = SWAP (ctx->B); |
| ((uint32_t *) resbuf)[2] = SWAP (ctx->C); |
| ((uint32_t *) resbuf)[3] = SWAP (ctx->D); |
| ((uint32_t *) resbuf)[4] = SWAP (ctx->E); |
| |
| return resbuf; |
| } |
| |
| /* Process the remaining bytes in the internal buffer and the usual |
| prolog according to the standard and write the result to RESBUF. |
| |
| IMPORTANT: On some systems it is required that RESBUF is correctly |
| aligned for a 32-bit value. */ |
| |
| void * |
| sha1_finish_ctx (struct sha1_ctx *ctx, void *resbuf) |
| { |
| /* Take yet unprocessed bytes into account. */ |
| uint32_t bytes = ctx->buflen; |
| size_t size = (bytes < 56) ? 64 / 4 : 64 * 2 / 4; |
| |
| /* Now count remaining bytes. */ |
| ctx->total[0] += bytes; |
| if (ctx->total[0] < bytes) |
| ++ctx->total[1]; |
| |
| /* Put the 64-bit file length in *bits* at the end of the buffer. */ |
| ctx->buffer[size - 2] = SWAP ((ctx->total[1] << 3) | (ctx->total[0] >> 29)); |
| ctx->buffer[size - 1] = SWAP (ctx->total[0] << 3); |
| |
| memcpy (&((char *) ctx->buffer)[bytes], fillbuf, (size - 2) * 4 - bytes); |
| |
| /* Process last bytes. */ |
| sha1_process_block (ctx->buffer, size * 4, ctx); |
| |
| return sha1_read_ctx (ctx, resbuf); |
| } |
| |
| /* Compute SHA1 message digest for bytes read from STREAM. The |
| resulting message digest number will be written into the 16 bytes |
| beginning at RESBLOCK. */ |
| |
| int |
| sha1_stream (FILE *stream, void *resblock) |
| { |
| struct sha1_ctx ctx; |
| char buffer[BLOCKSIZE + 72]; |
| size_t sum; |
| |
| /* Initialize the computation context. */ |
| sha1_init_ctx (&ctx); |
| |
| /* Iterate over full file contents. */ |
| while (1) |
| { |
| /* We read the file in blocks of BLOCKSIZE bytes. One call of the |
| computation function processes the whole buffer so that with the |
| next round of the loop another block can be read. */ |
| size_t n; |
| sum = 0; |
| |
| /* Read block. Take care for partial reads. */ |
| while (1) |
| { |
| n = fread (buffer + sum, 1, BLOCKSIZE - sum, stream); |
| |
| sum += n; |
| |
| if (sum == BLOCKSIZE) |
| break; |
| |
| if (n == 0) |
| { |
| /* Check for the error flag IFF N == 0, so that we don't |
| exit the loop after a partial read due to e.g., EAGAIN |
| or EWOULDBLOCK. */ |
| if (ferror (stream)) |
| return 1; |
| goto process_partial_block; |
| } |
| |
| /* We've read at least one byte, so ignore errors. But always |
| check for EOF, since feof may be true even though N > 0. |
| Otherwise, we could end up calling fread after EOF. */ |
| if (feof (stream)) |
| goto process_partial_block; |
| } |
| |
| /* Process buffer with BLOCKSIZE bytes. Note that |
| BLOCKSIZE % 64 == 0. */ |
| sha1_process_block (buffer, BLOCKSIZE, &ctx); |
| } |
| |
| process_partial_block:; |
| |
| /* Process any remaining bytes. */ |
| if (sum > 0) |
| sha1_process_bytes (buffer, sum, &ctx); |
| |
| /* Construct result in desired memory. */ |
| sha1_finish_ctx (&ctx, resblock); |
| return 0; |
| } |
| |
| /* Compute SHA1 message digest for LEN bytes beginning at BUFFER. The |
| result is always in little endian byte order, so that a byte-wise |
| output yields to the wanted ASCII representation of the message |
| digest. */ |
| |
| void * |
| sha1_buffer (const char *buffer, size_t len, void *resblock) |
| { |
| struct sha1_ctx ctx; |
| |
| /* Initialize the computation context. */ |
| sha1_init_ctx (&ctx); |
| |
| /* Process whole buffer but last len % 64 bytes. */ |
| sha1_process_bytes (buffer, len, &ctx); |
| |
| /* Put result in desired memory area. */ |
| return sha1_finish_ctx (&ctx, resblock); |
| } |
| |
| void |
| sha1_process_bytes (const void *buffer, size_t len, struct sha1_ctx *ctx) |
| { |
| /* When we already have some bits in our internal buffer concatenate |
| both inputs first. */ |
| if (ctx->buflen != 0) |
| { |
| size_t left_over = ctx->buflen; |
| size_t add = 128 - left_over > len ? len : 128 - left_over; |
| |
| memcpy (&((char *) ctx->buffer)[left_over], buffer, add); |
| ctx->buflen += add; |
| |
| if (ctx->buflen > 64) |
| { |
| sha1_process_block (ctx->buffer, ctx->buflen & ~63, ctx); |
| |
| ctx->buflen &= 63; |
| /* The regions in the following copy operation cannot overlap. */ |
| memcpy (ctx->buffer, |
| &((char *) ctx->buffer)[(left_over + add) & ~63], |
| ctx->buflen); |
| } |
| |
| buffer = (const char *) buffer + add; |
| len -= add; |
| } |
| |
| /* Process available complete blocks. */ |
| if (len >= 64) |
| { |
| #if !_STRING_ARCH_unaligned |
| # define alignof(type) offsetof (struct { char c; type x; }, x) |
| # define UNALIGNED_P(p) (((size_t) p) % alignof (uint32_t) != 0) |
| if (UNALIGNED_P (buffer)) |
| while (len > 64) |
| { |
| sha1_process_block (memcpy (ctx->buffer, buffer, 64), 64, ctx); |
| buffer = (const char *) buffer + 64; |
| len -= 64; |
| } |
| else |
| #endif |
| { |
| sha1_process_block (buffer, len & ~63, ctx); |
| buffer = (const char *) buffer + (len & ~63); |
| len &= 63; |
| } |
| } |
| |
| /* Move remaining bytes in internal buffer. */ |
| if (len > 0) |
| { |
| size_t left_over = ctx->buflen; |
| |
| memcpy (&((char *) ctx->buffer)[left_over], buffer, len); |
| left_over += len; |
| if (left_over >= 64) |
| { |
| sha1_process_block (ctx->buffer, 64, ctx); |
| left_over -= 64; |
| memcpy (ctx->buffer, &ctx->buffer[16], left_over); |
| } |
| ctx->buflen = left_over; |
| } |
| } |
| |
| /* --- Code below is the primary difference between md5.c and sha1.c --- */ |
| |
| /* SHA1 round constants. */ |
| #define K1 0x5a827999 |
| #define K2 0x6ed9eba1 |
| #define K3 0x8f1bbcdc |
| #define K4 0xca62c1d6 |
| |
| /* Round functions. Note that F2 is the same as F4. */ |
| #define F1(B,C,D) (D ^ (B & (C ^ D))) |
| #define F2(B,C,D) (B ^ C ^ D) |
| #define F3(B,C,D) ((B & C) | (D & (B | C))) |
| #define F4(B,C,D) (B ^ C ^ D) |
| |
| /* Process LEN bytes of BUFFER, accumulating context into CTX. |
| It is assumed that LEN % 64 == 0. |
| Most of this code comes from GnuPG's cipher/sha1.c. */ |
| |
| void |
| sha1_process_block (const void *buffer, size_t len, struct sha1_ctx *ctx) |
| { |
| const uint32_t *words = buffer; |
| size_t nwords = len / sizeof (uint32_t); |
| const uint32_t *endp = words + nwords; |
| uint32_t x[16]; |
| uint32_t a = ctx->A; |
| uint32_t b = ctx->B; |
| uint32_t c = ctx->C; |
| uint32_t d = ctx->D; |
| uint32_t e = ctx->E; |
| |
| /* First increment the byte count. RFC 1321 specifies the possible |
| length of the file up to 2^64 bits. Here we only compute the |
| number of bytes. Do a double word increment. */ |
| ctx->total[0] += len; |
| if (ctx->total[0] < len) |
| ++ctx->total[1]; |
| |
| #define rol(x, n) (((x) << (n)) | ((uint32_t) (x) >> (32 - (n)))) |
| |
| #define M(I) (tm = x[I & 0x0f] ^ x[(I - 14) & 0x0f] \ |
| ^ x[(I - 8) & 0x0f] ^ x[(I - 3) & 0x0f] \ |
| , (x[I & 0x0f] = rol (tm, 1))) |
| |
| #define R(A,B,C,D,E,F,K,M) \ |
| do \ |
| { \ |
| E += rol (A, 5) \ |
| + F (B, C, D) \ |
| + K \ |
| + M; \ |
| B = rol (B, 30); \ |
| } \ |
| while (0) |
| |
| while (words < endp) |
| { |
| uint32_t tm; |
| int t; |
| |
| for (t = 0; t < 16; t++) |
| { |
| x[t] = SWAP (*words); |
| words++; |
| } |
| |
| R (a, b, c, d, e, F1, K1, x[ 0]); |
| R (e, a, b, c, d, F1, K1, x[ 1]); |
| R (d, e, a, b, c, F1, K1, x[ 2]); |
| R (c, d, e, a, b, F1, K1, x[ 3]); |
| R (b, c, d, e, a, F1, K1, x[ 4]); |
| R (a, b, c, d, e, F1, K1, x[ 5]); |
| R (e, a, b, c, d, F1, K1, x[ 6]); |
| R (d, e, a, b, c, F1, K1, x[ 7]); |
| R (c, d, e, a, b, F1, K1, x[ 8]); |
| R (b, c, d, e, a, F1, K1, x[ 9]); |
| R (a, b, c, d, e, F1, K1, x[10]); |
| R (e, a, b, c, d, F1, K1, x[11]); |
| R (d, e, a, b, c, F1, K1, x[12]); |
| R (c, d, e, a, b, F1, K1, x[13]); |
| R (b, c, d, e, a, F1, K1, x[14]); |
| R (a, b, c, d, e, F1, K1, x[15]); |
| R (e, a, b, c, d, F1, K1, M(16)); |
| R (d, e, a, b, c, F1, K1, M(17)); |
| R (c, d, e, a, b, F1, K1, M(18)); |
| R (b, c, d, e, a, F1, K1, M(19)); |
| R (a, b, c, d, e, F2, K2, M(20)); |
| R (e, a, b, c, d, F2, K2, M(21)); |
| R (d, e, a, b, c, F2, K2, M(22)); |
| R (c, d, e, a, b, F2, K2, M(23)); |
| R (b, c, d, e, a, F2, K2, M(24)); |
| R (a, b, c, d, e, F2, K2, M(25)); |
| R (e, a, b, c, d, F2, K2, M(26)); |
| R (d, e, a, b, c, F2, K2, M(27)); |
| R (c, d, e, a, b, F2, K2, M(28)); |
| R (b, c, d, e, a, F2, K2, M(29)); |
| R (a, b, c, d, e, F2, K2, M(30)); |
| R (e, a, b, c, d, F2, K2, M(31)); |
| R (d, e, a, b, c, F2, K2, M(32)); |
| R (c, d, e, a, b, F2, K2, M(33)); |
| R (b, c, d, e, a, F2, K2, M(34)); |
| R (a, b, c, d, e, F2, K2, M(35)); |
| R (e, a, b, c, d, F2, K2, M(36)); |
| R (d, e, a, b, c, F2, K2, M(37)); |
| R (c, d, e, a, b, F2, K2, M(38)); |
| R (b, c, d, e, a, F2, K2, M(39)); |
| R (a, b, c, d, e, F3, K3, M(40)); |
| R (e, a, b, c, d, F3, K3, M(41)); |
| R (d, e, a, b, c, F3, K3, M(42)); |
| R (c, d, e, a, b, F3, K3, M(43)); |
| R (b, c, d, e, a, F3, K3, M(44)); |
| R (a, b, c, d, e, F3, K3, M(45)); |
| R (e, a, b, c, d, F3, K3, M(46)); |
| R (d, e, a, b, c, F3, K3, M(47)); |
| R (c, d, e, a, b, F3, K3, M(48)); |
| R (b, c, d, e, a, F3, K3, M(49)); |
| R (a, b, c, d, e, F3, K3, M(50)); |
| R (e, a, b, c, d, F3, K3, M(51)); |
| R (d, e, a, b, c, F3, K3, M(52)); |
| R (c, d, e, a, b, F3, K3, M(53)); |
| R (b, c, d, e, a, F3, K3, M(54)); |
| R (a, b, c, d, e, F3, K3, M(55)); |
| R (e, a, b, c, d, F3, K3, M(56)); |
| R (d, e, a, b, c, F3, K3, M(57)); |
| R (c, d, e, a, b, F3, K3, M(58)); |
| R (b, c, d, e, a, F3, K3, M(59)); |
| R (a, b, c, d, e, F4, K4, M(60)); |
| R (e, a, b, c, d, F4, K4, M(61)); |
| R (d, e, a, b, c, F4, K4, M(62)); |
| R (c, d, e, a, b, F4, K4, M(63)); |
| R (b, c, d, e, a, F4, K4, M(64)); |
| R (a, b, c, d, e, F4, K4, M(65)); |
| R (e, a, b, c, d, F4, K4, M(66)); |
| R (d, e, a, b, c, F4, K4, M(67)); |
| R (c, d, e, a, b, F4, K4, M(68)); |
| R (b, c, d, e, a, F4, K4, M(69)); |
| R (a, b, c, d, e, F4, K4, M(70)); |
| R (e, a, b, c, d, F4, K4, M(71)); |
| R (d, e, a, b, c, F4, K4, M(72)); |
| R (c, d, e, a, b, F4, K4, M(73)); |
| R (b, c, d, e, a, F4, K4, M(74)); |
| R (a, b, c, d, e, F4, K4, M(75)); |
| R (e, a, b, c, d, F4, K4, M(76)); |
| R (d, e, a, b, c, F4, K4, M(77)); |
| R (c, d, e, a, b, F4, K4, M(78)); |
| R (b, c, d, e, a, F4, K4, M(79)); |
| |
| a = ctx->A += a; |
| b = ctx->B += b; |
| c = ctx->C += c; |
| d = ctx->D += d; |
| e = ctx->E += e; |
| } |
| } |