1 /* sha1.c - Functions to compute SHA1 message digest of files or
2 memory blocks according to the NIST specification FIPS-180-1.
4 Copyright (C) 2000, 2001, 2003, 2004, 2005 Free Software Foundation, Inc.
6 This program is free software; you can redistribute it and/or modify it
7 under the terms of the GNU General Public License as published by the
8 Free Software Foundation; either version 2, or (at your option) any
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program; if not, write to the Free Software Foundation,
18 Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. */
20 /* Written by Scott G. Miller
22 Robert Klep <robert@ilse.nl> -- Expansion function fix
30 /* SWAP does an endian swap on architectures that are little-endian,
31 as SHA1 needs some data in a big-endian form. */
33 #ifdef WORDS_BIGENDIAN
37 (((n) << 24) | (((n) & 0xff00) << 8) | (((n) >> 8) & 0xff00) | ((n) >> 24))
40 #define BLOCKSIZE 4096
41 #if BLOCKSIZE % 64 != 0
42 # error "invalid BLOCKSIZE"
45 /* This array contains the bytes used to pad the buffer to the next
46 64-byte boundary. (RFC 1321, 3.1: Step 1) */
47 static const unsigned char fillbuf[64] = { 0x80, 0 /* , 0, 0, ... */ };
51 Takes a pointer to a 160 bit block of data (five 32 bit ints) and
52 intializes it to the start constants of the SHA1 algorithm. This
53 must be called before using hash in the call to sha1_hash.
56 sha1_init_ctx (struct sha1_ctx *ctx)
64 ctx->total[0] = ctx->total[1] = 0;
68 /* Put result from CTX in first 20 bytes following RESBUF. The result
69 must be in little endian byte order.
71 IMPORTANT: On some systems it is required that RESBUF is correctly
72 aligned for a 32 bits value. */
74 sha1_read_ctx (const struct sha1_ctx *ctx, void *resbuf)
76 ((md5_uint32 *) resbuf)[0] = SWAP (ctx->A);
77 ((md5_uint32 *) resbuf)[1] = SWAP (ctx->B);
78 ((md5_uint32 *) resbuf)[2] = SWAP (ctx->C);
79 ((md5_uint32 *) resbuf)[3] = SWAP (ctx->D);
80 ((md5_uint32 *) resbuf)[4] = SWAP (ctx->E);
85 /* Process the remaining bytes in the internal buffer and the usual
86 prolog according to the standard and write the result to RESBUF.
88 IMPORTANT: On some systems it is required that RESBUF is correctly
89 aligned for a 32 bits value. */
91 sha1_finish_ctx (struct sha1_ctx *ctx, void *resbuf)
93 /* Take yet unprocessed bytes into account. */
94 md5_uint32 bytes = ctx->buflen;
97 /* Now count remaining bytes. */
98 ctx->total[0] += bytes;
99 if (ctx->total[0] < bytes)
102 pad = bytes >= 56 ? 64 + 56 - bytes : 56 - bytes;
103 memcpy (&ctx->buffer[bytes], fillbuf, pad);
105 /* Put the 64-bit file length in *bits* at the end of the buffer. */
106 *(md5_uint32 *) &ctx->buffer[bytes + pad + 4] = SWAP (ctx->total[0] << 3);
107 *(md5_uint32 *) &ctx->buffer[bytes + pad] = SWAP ((ctx->total[1] << 3) |
108 (ctx->total[0] >> 29));
110 /* Process last bytes. */
111 sha1_process_block (ctx->buffer, bytes + pad + 8, ctx);
113 return sha1_read_ctx (ctx, resbuf);
116 /* Compute SHA1 message digest for bytes read from STREAM. The
117 resulting message digest number will be written into the 16 bytes
118 beginning at RESBLOCK. */
120 sha1_stream (FILE *stream, void *resblock)
123 char buffer[BLOCKSIZE + 72];
126 /* Initialize the computation context. */
127 sha1_init_ctx (&ctx);
129 /* Iterate over full file contents. */
132 /* We read the file in blocks of BLOCKSIZE bytes. One call of the
133 computation function processes the whole buffer so that with the
134 next round of the loop another block can be read. */
138 /* Read block. Take care for partial reads. */
141 n = fread (buffer + sum, 1, BLOCKSIZE - sum, stream);
145 if (sum == BLOCKSIZE)
150 /* Check for the error flag IFF N == 0, so that we don't
151 exit the loop after a partial read due to e.g., EAGAIN
155 goto process_partial_block;
158 /* We've read at least one byte, so ignore errors. But always
159 check for EOF, since feof may be true even though N > 0.
160 Otherwise, we could end up calling fread after EOF. */
162 goto process_partial_block;
165 /* Process buffer with BLOCKSIZE bytes. Note that
168 sha1_process_block (buffer, BLOCKSIZE, &ctx);
171 process_partial_block:;
173 /* Process any remaining bytes. */
175 sha1_process_bytes (buffer, sum, &ctx);
177 /* Construct result in desired memory. */
178 sha1_finish_ctx (&ctx, resblock);
182 /* Compute MD5 message digest for LEN bytes beginning at BUFFER. The
183 result is always in little endian byte order, so that a byte-wise
184 output yields to the wanted ASCII representation of the message
187 sha1_buffer (const char *buffer, size_t len, void *resblock)
191 /* Initialize the computation context. */
192 sha1_init_ctx (&ctx);
194 /* Process whole buffer but last len % 64 bytes. */
195 sha1_process_bytes (buffer, len, &ctx);
197 /* Put result in desired memory area. */
198 return sha1_finish_ctx (&ctx, resblock);
202 sha1_process_bytes (const void *buffer, size_t len, struct sha1_ctx *ctx)
204 /* When we already have some bits in our internal buffer concatenate
205 both inputs first. */
206 if (ctx->buflen != 0)
208 size_t left_over = ctx->buflen;
209 size_t add = 128 - left_over > len ? len : 128 - left_over;
211 memcpy (&ctx->buffer[left_over], buffer, add);
214 if (ctx->buflen > 64)
216 sha1_process_block (ctx->buffer, ctx->buflen & ~63, ctx);
219 /* The regions in the following copy operation cannot overlap. */
220 memcpy (ctx->buffer, &ctx->buffer[(left_over + add) & ~63],
224 buffer = (const char *) buffer + add;
228 /* Process available complete blocks. */
231 #if !_STRING_ARCH_unaligned
232 # define alignof(type) offsetof (struct { char c; type x; }, x)
233 # define UNALIGNED_P(p) (((size_t) p) % alignof (md5_uint32) != 0)
234 if (UNALIGNED_P (buffer))
237 sha1_process_block (memcpy (ctx->buffer, buffer, 64), 64, ctx);
238 buffer = (const char *) buffer + 64;
244 sha1_process_block (buffer, len & ~63, ctx);
245 buffer = (const char *) buffer + (len & ~63);
250 /* Move remaining bytes in internal buffer. */
253 size_t left_over = ctx->buflen;
255 memcpy (&ctx->buffer[left_over], buffer, len);
259 sha1_process_block (ctx->buffer, 64, ctx);
261 memcpy (ctx->buffer, &ctx->buffer[64], left_over);
263 ctx->buflen = left_over;
267 /* --- Code below is the primary difference between md5.c and sha1.c --- */
269 /* SHA1 round constants */
270 #define K1 0x5a827999L
271 #define K2 0x6ed9eba1L
272 #define K3 0x8f1bbcdcL
273 #define K4 0xca62c1d6L
275 /* Round functions. Note that F2 is the same as F4. */
276 #define F1(B,C,D) ( D ^ ( B & ( C ^ D ) ) )
277 #define F2(B,C,D) (B ^ C ^ D)
278 #define F3(B,C,D) ( ( B & C ) | ( D & ( B | C ) ) )
279 #define F4(B,C,D) (B ^ C ^ D)
281 /* Process LEN bytes of BUFFER, accumulating context into CTX.
282 It is assumed that LEN % 64 == 0.
283 Most of this code comes from GnuPG's cipher/sha1.c. */
286 sha1_process_block (const void *buffer, size_t len, struct sha1_ctx *ctx)
288 const md5_uint32 *words = buffer;
289 size_t nwords = len / sizeof (md5_uint32);
290 const md5_uint32 *endp = words + nwords;
292 md5_uint32 a = ctx->A;
293 md5_uint32 b = ctx->B;
294 md5_uint32 c = ctx->C;
295 md5_uint32 d = ctx->D;
296 md5_uint32 e = ctx->E;
298 /* First increment the byte count. RFC 1321 specifies the possible
299 length of the file up to 2^64 bits. Here we only compute the
300 number of bytes. Do a double word increment. */
301 ctx->total[0] += len;
302 if (ctx->total[0] < len)
305 #define rol(x, n) (((x) << (n)) | ((x) >> (32 - (n))))
307 #define M(I) ( tm = x[I&0x0f] ^ x[(I-14)&0x0f] \
308 ^ x[(I-8)&0x0f] ^ x[(I-3)&0x0f] \
309 , (x[I&0x0f] = rol(tm, 1)) )
311 #define R(A,B,C,D,E,F,K,M) do { E += rol( A, 5 ) \
322 for (t = 0; t < 16; t++)
324 x[t] = SWAP (*words);
328 R( a, b, c, d, e, F1, K1, x[ 0] );
329 R( e, a, b, c, d, F1, K1, x[ 1] );
330 R( d, e, a, b, c, F1, K1, x[ 2] );
331 R( c, d, e, a, b, F1, K1, x[ 3] );
332 R( b, c, d, e, a, F1, K1, x[ 4] );
333 R( a, b, c, d, e, F1, K1, x[ 5] );
334 R( e, a, b, c, d, F1, K1, x[ 6] );
335 R( d, e, a, b, c, F1, K1, x[ 7] );
336 R( c, d, e, a, b, F1, K1, x[ 8] );
337 R( b, c, d, e, a, F1, K1, x[ 9] );
338 R( a, b, c, d, e, F1, K1, x[10] );
339 R( e, a, b, c, d, F1, K1, x[11] );
340 R( d, e, a, b, c, F1, K1, x[12] );
341 R( c, d, e, a, b, F1, K1, x[13] );
342 R( b, c, d, e, a, F1, K1, x[14] );
343 R( a, b, c, d, e, F1, K1, x[15] );
344 R( e, a, b, c, d, F1, K1, M(16) );
345 R( d, e, a, b, c, F1, K1, M(17) );
346 R( c, d, e, a, b, F1, K1, M(18) );
347 R( b, c, d, e, a, F1, K1, M(19) );
348 R( a, b, c, d, e, F2, K2, M(20) );
349 R( e, a, b, c, d, F2, K2, M(21) );
350 R( d, e, a, b, c, F2, K2, M(22) );
351 R( c, d, e, a, b, F2, K2, M(23) );
352 R( b, c, d, e, a, F2, K2, M(24) );
353 R( a, b, c, d, e, F2, K2, M(25) );
354 R( e, a, b, c, d, F2, K2, M(26) );
355 R( d, e, a, b, c, F2, K2, M(27) );
356 R( c, d, e, a, b, F2, K2, M(28) );
357 R( b, c, d, e, a, F2, K2, M(29) );
358 R( a, b, c, d, e, F2, K2, M(30) );
359 R( e, a, b, c, d, F2, K2, M(31) );
360 R( d, e, a, b, c, F2, K2, M(32) );
361 R( c, d, e, a, b, F2, K2, M(33) );
362 R( b, c, d, e, a, F2, K2, M(34) );
363 R( a, b, c, d, e, F2, K2, M(35) );
364 R( e, a, b, c, d, F2, K2, M(36) );
365 R( d, e, a, b, c, F2, K2, M(37) );
366 R( c, d, e, a, b, F2, K2, M(38) );
367 R( b, c, d, e, a, F2, K2, M(39) );
368 R( a, b, c, d, e, F3, K3, M(40) );
369 R( e, a, b, c, d, F3, K3, M(41) );
370 R( d, e, a, b, c, F3, K3, M(42) );
371 R( c, d, e, a, b, F3, K3, M(43) );
372 R( b, c, d, e, a, F3, K3, M(44) );
373 R( a, b, c, d, e, F3, K3, M(45) );
374 R( e, a, b, c, d, F3, K3, M(46) );
375 R( d, e, a, b, c, F3, K3, M(47) );
376 R( c, d, e, a, b, F3, K3, M(48) );
377 R( b, c, d, e, a, F3, K3, M(49) );
378 R( a, b, c, d, e, F3, K3, M(50) );
379 R( e, a, b, c, d, F3, K3, M(51) );
380 R( d, e, a, b, c, F3, K3, M(52) );
381 R( c, d, e, a, b, F3, K3, M(53) );
382 R( b, c, d, e, a, F3, K3, M(54) );
383 R( a, b, c, d, e, F3, K3, M(55) );
384 R( e, a, b, c, d, F3, K3, M(56) );
385 R( d, e, a, b, c, F3, K3, M(57) );
386 R( c, d, e, a, b, F3, K3, M(58) );
387 R( b, c, d, e, a, F3, K3, M(59) );
388 R( a, b, c, d, e, F4, K4, M(60) );
389 R( e, a, b, c, d, F4, K4, M(61) );
390 R( d, e, a, b, c, F4, K4, M(62) );
391 R( c, d, e, a, b, F4, K4, M(63) );
392 R( b, c, d, e, a, F4, K4, M(64) );
393 R( a, b, c, d, e, F4, K4, M(65) );
394 R( e, a, b, c, d, F4, K4, M(66) );
395 R( d, e, a, b, c, F4, K4, M(67) );
396 R( c, d, e, a, b, F4, K4, M(68) );
397 R( b, c, d, e, a, F4, K4, M(69) );
398 R( a, b, c, d, e, F4, K4, M(70) );
399 R( e, a, b, c, d, F4, K4, M(71) );
400 R( d, e, a, b, c, F4, K4, M(72) );
401 R( c, d, e, a, b, F4, K4, M(73) );
402 R( b, c, d, e, a, F4, K4, M(74) );
403 R( a, b, c, d, e, F4, K4, M(75) );
404 R( e, a, b, c, d, F4, K4, M(76) );
405 R( d, e, a, b, c, F4, K4, M(77) );
406 R( c, d, e, a, b, F4, K4, M(78) );
407 R( b, c, d, e, a, F4, K4, M(79) );