2 * FIPS-180-1 compliant SHA-1 implementation
4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
5 * SPDX-License-Identifier: Apache-2.0
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
11 * http://www.apache.org/licenses/LICENSE-2.0
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
19 * This file is part of mbed TLS (https://tls.mbed.org)
22 * The SHA-1 standard was published by NIST in 1993.
24 * http://www.itl.nist.gov/fipspubs/fip180-1.htm
27 #if !defined(MBEDTLS_CONFIG_FILE)
28 #include "mbedtls/config.h"
30 #include MBEDTLS_CONFIG_FILE
33 #if defined(MBEDTLS_SHA1_C)
35 #include "mbedtls/sha1.h"
39 #if defined(MBEDTLS_SELF_TEST)
40 #if defined(MBEDTLS_PLATFORM_C)
41 #include "mbedtls/platform.h"
44 #define mbedtls_printf printf
45 #endif /* MBEDTLS_PLATFORM_C */
46 #endif /* MBEDTLS_SELF_TEST */
48 #if !defined(MBEDTLS_SHA1_ALT)
50 /* Implementation that should never be optimized out by the compiler */
51 static void mbedtls_zeroize( void *v, size_t n ) {
52 volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0;
56 * 32-bit integer manipulation macros (big endian)
59 #define GET_UINT32_BE(n,b,i) \
61 (n) = ( (uint32_t) (b)[(i) ] << 24 ) \
62 | ( (uint32_t) (b)[(i) + 1] << 16 ) \
63 | ( (uint32_t) (b)[(i) + 2] << 8 ) \
64 | ( (uint32_t) (b)[(i) + 3] ); \
69 #define PUT_UINT32_BE(n,b,i) \
71 (b)[(i) ] = (unsigned char) ( (n) >> 24 ); \
72 (b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \
73 (b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \
74 (b)[(i) + 3] = (unsigned char) ( (n) ); \
78 void mbedtls_sha1_init( mbedtls_sha1_context *ctx )
80 memset( ctx, 0, sizeof( mbedtls_sha1_context ) );
83 void mbedtls_sha1_free( mbedtls_sha1_context *ctx )
88 mbedtls_zeroize( ctx, sizeof( mbedtls_sha1_context ) );
91 void mbedtls_sha1_clone( mbedtls_sha1_context *dst,
92 const mbedtls_sha1_context *src )
100 void mbedtls_sha1_starts( mbedtls_sha1_context *ctx )
105 ctx->state[0] = 0x67452301;
106 ctx->state[1] = 0xEFCDAB89;
107 ctx->state[2] = 0x98BADCFE;
108 ctx->state[3] = 0x10325476;
109 ctx->state[4] = 0xC3D2E1F0;
112 #if !defined(MBEDTLS_SHA1_PROCESS_ALT)
113 void mbedtls_sha1_process( mbedtls_sha1_context *ctx, const unsigned char data[64] )
115 uint32_t temp, W[16], A, B, C, D, E;
117 GET_UINT32_BE( W[ 0], data, 0 );
118 GET_UINT32_BE( W[ 1], data, 4 );
119 GET_UINT32_BE( W[ 2], data, 8 );
120 GET_UINT32_BE( W[ 3], data, 12 );
121 GET_UINT32_BE( W[ 4], data, 16 );
122 GET_UINT32_BE( W[ 5], data, 20 );
123 GET_UINT32_BE( W[ 6], data, 24 );
124 GET_UINT32_BE( W[ 7], data, 28 );
125 GET_UINT32_BE( W[ 8], data, 32 );
126 GET_UINT32_BE( W[ 9], data, 36 );
127 GET_UINT32_BE( W[10], data, 40 );
128 GET_UINT32_BE( W[11], data, 44 );
129 GET_UINT32_BE( W[12], data, 48 );
130 GET_UINT32_BE( W[13], data, 52 );
131 GET_UINT32_BE( W[14], data, 56 );
132 GET_UINT32_BE( W[15], data, 60 );
134 #define S(x,n) ((x << n) | ((x & 0xFFFFFFFF) >> (32 - n)))
138 temp = W[( t - 3 ) & 0x0F] ^ W[( t - 8 ) & 0x0F] ^ \
139 W[( t - 14 ) & 0x0F] ^ W[ t & 0x0F], \
140 ( W[t & 0x0F] = S(temp,1) ) \
143 #define P(a,b,c,d,e,x) \
145 e += S(a,5) + F(b,c,d) + K + x; b = S(b,30); \
154 #define F(x,y,z) (z ^ (x & (y ^ z)))
157 P( A, B, C, D, E, W[0] );
158 P( E, A, B, C, D, W[1] );
159 P( D, E, A, B, C, W[2] );
160 P( C, D, E, A, B, W[3] );
161 P( B, C, D, E, A, W[4] );
162 P( A, B, C, D, E, W[5] );
163 P( E, A, B, C, D, W[6] );
164 P( D, E, A, B, C, W[7] );
165 P( C, D, E, A, B, W[8] );
166 P( B, C, D, E, A, W[9] );
167 P( A, B, C, D, E, W[10] );
168 P( E, A, B, C, D, W[11] );
169 P( D, E, A, B, C, W[12] );
170 P( C, D, E, A, B, W[13] );
171 P( B, C, D, E, A, W[14] );
172 P( A, B, C, D, E, W[15] );
173 P( E, A, B, C, D, R(16) );
174 P( D, E, A, B, C, R(17) );
175 P( C, D, E, A, B, R(18) );
176 P( B, C, D, E, A, R(19) );
181 #define F(x,y,z) (x ^ y ^ z)
184 P( A, B, C, D, E, R(20) );
185 P( E, A, B, C, D, R(21) );
186 P( D, E, A, B, C, R(22) );
187 P( C, D, E, A, B, R(23) );
188 P( B, C, D, E, A, R(24) );
189 P( A, B, C, D, E, R(25) );
190 P( E, A, B, C, D, R(26) );
191 P( D, E, A, B, C, R(27) );
192 P( C, D, E, A, B, R(28) );
193 P( B, C, D, E, A, R(29) );
194 P( A, B, C, D, E, R(30) );
195 P( E, A, B, C, D, R(31) );
196 P( D, E, A, B, C, R(32) );
197 P( C, D, E, A, B, R(33) );
198 P( B, C, D, E, A, R(34) );
199 P( A, B, C, D, E, R(35) );
200 P( E, A, B, C, D, R(36) );
201 P( D, E, A, B, C, R(37) );
202 P( C, D, E, A, B, R(38) );
203 P( B, C, D, E, A, R(39) );
208 #define F(x,y,z) ((x & y) | (z & (x | y)))
211 P( A, B, C, D, E, R(40) );
212 P( E, A, B, C, D, R(41) );
213 P( D, E, A, B, C, R(42) );
214 P( C, D, E, A, B, R(43) );
215 P( B, C, D, E, A, R(44) );
216 P( A, B, C, D, E, R(45) );
217 P( E, A, B, C, D, R(46) );
218 P( D, E, A, B, C, R(47) );
219 P( C, D, E, A, B, R(48) );
220 P( B, C, D, E, A, R(49) );
221 P( A, B, C, D, E, R(50) );
222 P( E, A, B, C, D, R(51) );
223 P( D, E, A, B, C, R(52) );
224 P( C, D, E, A, B, R(53) );
225 P( B, C, D, E, A, R(54) );
226 P( A, B, C, D, E, R(55) );
227 P( E, A, B, C, D, R(56) );
228 P( D, E, A, B, C, R(57) );
229 P( C, D, E, A, B, R(58) );
230 P( B, C, D, E, A, R(59) );
235 #define F(x,y,z) (x ^ y ^ z)
238 P( A, B, C, D, E, R(60) );
239 P( E, A, B, C, D, R(61) );
240 P( D, E, A, B, C, R(62) );
241 P( C, D, E, A, B, R(63) );
242 P( B, C, D, E, A, R(64) );
243 P( A, B, C, D, E, R(65) );
244 P( E, A, B, C, D, R(66) );
245 P( D, E, A, B, C, R(67) );
246 P( C, D, E, A, B, R(68) );
247 P( B, C, D, E, A, R(69) );
248 P( A, B, C, D, E, R(70) );
249 P( E, A, B, C, D, R(71) );
250 P( D, E, A, B, C, R(72) );
251 P( C, D, E, A, B, R(73) );
252 P( B, C, D, E, A, R(74) );
253 P( A, B, C, D, E, R(75) );
254 P( E, A, B, C, D, R(76) );
255 P( D, E, A, B, C, R(77) );
256 P( C, D, E, A, B, R(78) );
257 P( B, C, D, E, A, R(79) );
268 #endif /* !MBEDTLS_SHA1_PROCESS_ALT */
271 * SHA-1 process buffer
273 void mbedtls_sha1_update( mbedtls_sha1_context *ctx, const unsigned char *input, size_t ilen )
281 left = ctx->total[0] & 0x3F;
284 ctx->total[0] += (uint32_t) ilen;
285 ctx->total[0] &= 0xFFFFFFFF;
287 if( ctx->total[0] < (uint32_t) ilen )
290 if( left && ilen >= fill )
292 memcpy( (void *) (ctx->buffer + left), input, fill );
293 mbedtls_sha1_process( ctx, ctx->buffer );
301 mbedtls_sha1_process( ctx, input );
307 memcpy( (void *) (ctx->buffer + left), input, ilen );
310 static const unsigned char sha1_padding[64] =
312 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
313 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
314 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
315 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
321 void mbedtls_sha1_finish( mbedtls_sha1_context *ctx, unsigned char output[20] )
325 unsigned char msglen[8];
327 high = ( ctx->total[0] >> 29 )
328 | ( ctx->total[1] << 3 );
329 low = ( ctx->total[0] << 3 );
331 PUT_UINT32_BE( high, msglen, 0 );
332 PUT_UINT32_BE( low, msglen, 4 );
334 last = ctx->total[0] & 0x3F;
335 padn = ( last < 56 ) ? ( 56 - last ) : ( 120 - last );
337 mbedtls_sha1_update( ctx, sha1_padding, padn );
338 mbedtls_sha1_update( ctx, msglen, 8 );
340 PUT_UINT32_BE( ctx->state[0], output, 0 );
341 PUT_UINT32_BE( ctx->state[1], output, 4 );
342 PUT_UINT32_BE( ctx->state[2], output, 8 );
343 PUT_UINT32_BE( ctx->state[3], output, 12 );
344 PUT_UINT32_BE( ctx->state[4], output, 16 );
347 #endif /* !MBEDTLS_SHA1_ALT */
350 * output = SHA-1( input buffer )
352 void mbedtls_sha1( const unsigned char *input, size_t ilen, unsigned char output[20] )
354 mbedtls_sha1_context ctx;
356 mbedtls_sha1_init( &ctx );
357 mbedtls_sha1_starts( &ctx );
358 mbedtls_sha1_update( &ctx, input, ilen );
359 mbedtls_sha1_finish( &ctx, output );
360 mbedtls_sha1_free( &ctx );
363 #if defined(MBEDTLS_SELF_TEST)
365 * FIPS-180-1 test vectors
367 static const unsigned char sha1_test_buf[3][57] =
370 { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" },
374 static const int sha1_test_buflen[3] =
379 static const unsigned char sha1_test_sum[3][20] =
381 { 0xA9, 0x99, 0x3E, 0x36, 0x47, 0x06, 0x81, 0x6A, 0xBA, 0x3E,
382 0x25, 0x71, 0x78, 0x50, 0xC2, 0x6C, 0x9C, 0xD0, 0xD8, 0x9D },
383 { 0x84, 0x98, 0x3E, 0x44, 0x1C, 0x3B, 0xD2, 0x6E, 0xBA, 0xAE,
384 0x4A, 0xA1, 0xF9, 0x51, 0x29, 0xE5, 0xE5, 0x46, 0x70, 0xF1 },
385 { 0x34, 0xAA, 0x97, 0x3C, 0xD4, 0xC4, 0xDA, 0xA4, 0xF6, 0x1E,
386 0xEB, 0x2B, 0xDB, 0xAD, 0x27, 0x31, 0x65, 0x34, 0x01, 0x6F }
392 int mbedtls_sha1_self_test( int verbose )
394 int i, j, buflen, ret = 0;
395 unsigned char buf[1024];
396 unsigned char sha1sum[20];
397 mbedtls_sha1_context ctx;
399 mbedtls_sha1_init( &ctx );
404 for( i = 0; i < 3; i++ )
407 mbedtls_printf( " SHA-1 test #%d: ", i + 1 );
409 mbedtls_sha1_starts( &ctx );
413 memset( buf, 'a', buflen = 1000 );
415 for( j = 0; j < 1000; j++ )
416 mbedtls_sha1_update( &ctx, buf, buflen );
419 mbedtls_sha1_update( &ctx, sha1_test_buf[i],
420 sha1_test_buflen[i] );
422 mbedtls_sha1_finish( &ctx, sha1sum );
424 if( memcmp( sha1sum, sha1_test_sum[i], 20 ) != 0 )
427 mbedtls_printf( "failed\n" );
434 mbedtls_printf( "passed\n" );
438 mbedtls_printf( "\n" );
441 mbedtls_sha1_free( &ctx );
446 #endif /* MBEDTLS_SELF_TEST */
448 #endif /* MBEDTLS_SHA1_C */