1 /* $OpenBSD: sha1.c,v 1.12 2023/08/10 07:15:23 jsing Exp $ */ 2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58 59 #include <stdlib.h> 60 #include <string.h> 61 62 #include <openssl/opensslconf.h> 63 64 #include <openssl/crypto.h> 65 #include <openssl/sha.h> 66 67 #if !defined(OPENSSL_NO_SHA1) && !defined(OPENSSL_NO_SHA) 68 69 #define DATA_ORDER_IS_BIG_ENDIAN 70 71 #define HASH_LONG SHA_LONG 72 #define HASH_CTX SHA_CTX 73 #define HASH_CBLOCK SHA_CBLOCK 74 75 #define HASH_BLOCK_DATA_ORDER sha1_block_data_order 76 #define Xupdate(a, ix, ia, ib, ic, id) ( (a)=(ia^ib^ic^id), \ 77 ix=(a)=ROTATE((a),1) \ 78 ) 79 80 #ifndef SHA1_ASM 81 static 82 #endif 83 void sha1_block_data_order(SHA_CTX *c, const void *p, size_t num); 84 85 #define HASH_NO_UPDATE 86 #define HASH_NO_TRANSFORM 87 #define HASH_NO_FINAL 88 89 #include "md32_common.h" 90 91 #define K_00_19 0x5a827999UL 92 #define K_20_39 0x6ed9eba1UL 93 #define K_40_59 0x8f1bbcdcUL 94 #define K_60_79 0xca62c1d6UL 95 96 /* As pointed out by Wei Dai <weidai@eskimo.com>, F() below can be 97 * simplified to the code in F_00_19. Wei attributes these optimisations 98 * to Peter Gutmann's SHS code, and he attributes it to Rich Schroeppel. 99 * #define F(x,y,z) (((x) & (y)) | ((~(x)) & (z))) 100 * I've just become aware of another tweak to be made, again from Wei Dai, 101 * in F_40_59, (x&a)|(y&a) -> (x|y)&a 102 */ 103 #define F_00_19(b, c, d) ((((c) ^ (d)) & (b)) ^ (d)) 104 #define F_20_39(b, c, d) ((b) ^ (c) ^ (d)) 105 #define F_40_59(b, c, d) (((b) & (c)) | (((b)|(c)) & (d))) 106 #define F_60_79(b, c, d) F_20_39(b, c, d) 107 108 109 #define BODY_00_15(i, a, b, c, d, e, f, xi) \ 110 (f)=xi+(e)+K_00_19+ROTATE((a),5)+F_00_19((b),(c),(d)); \ 111 (b)=ROTATE((b),30); 112 113 #define BODY_16_19(i, a, b, c, d, e, f, xi, xa, xb, xc, xd) \ 114 Xupdate(f, xi, xa, xb, xc, xd); \ 115 (f)+=(e)+K_00_19+ROTATE((a),5)+F_00_19((b),(c),(d)); \ 116 (b)=ROTATE((b),30); 117 118 #define BODY_20_31(i, a, b, c, d, e, f, xi, xa, xb, xc, xd) \ 119 Xupdate(f, xi, xa, xb, xc, xd); \ 120 (f)+=(e)+K_20_39+ROTATE((a),5)+F_20_39((b),(c),(d)); \ 121 (b)=ROTATE((b),30); 122 123 #define BODY_32_39(i, a, b, c, d, e, f, xa, xb, xc, xd) \ 124 Xupdate(f, xa, xa, xb, xc, xd); \ 125 (f)+=(e)+K_20_39+ROTATE((a),5)+F_20_39((b),(c),(d)); \ 126 (b)=ROTATE((b),30); 127 128 #define BODY_40_59(i, a, b, c, d, e, f, xa, xb, xc, xd) \ 129 Xupdate(f, xa, xa, xb, xc, xd); \ 130 (f)+=(e)+K_40_59+ROTATE((a),5)+F_40_59((b),(c),(d)); \ 131 (b)=ROTATE((b),30); 132 133 #define BODY_60_79(i, a, b, c, d, e, f, xa, xb, xc, xd) \ 134 Xupdate(f, xa, xa, xb, xc, xd); \ 135 (f)=xa+(e)+K_60_79+ROTATE((a),5)+F_60_79((b),(c),(d)); \ 136 (b)=ROTATE((b),30); 137 138 #if !defined(SHA1_ASM) 139 #include <endian.h> 140 static void 141 sha1_block_data_order(SHA_CTX *c, const void *p, size_t num) 142 { 143 const unsigned char *data = p; 144 unsigned int A, B, C, D, E, T, l; 145 unsigned int X0, X1, X2, X3, X4, X5, X6, X7, 146 X8, X9, X10, X11, X12, X13, X14, X15; 147 148 A = c->h0; 149 B = c->h1; 150 C = c->h2; 151 D = c->h3; 152 E = c->h4; 153 154 for (;;) { 155 156 if (BYTE_ORDER != LITTLE_ENDIAN && 157 sizeof(SHA_LONG) == 4 && ((size_t)p % 4) == 0) { 158 const SHA_LONG *W = (const SHA_LONG *)data; 159 160 X0 = W[0]; 161 X1 = W[1]; 162 BODY_00_15( 0, A, B, C, D, E, T, X0); 163 X2 = W[2]; 164 BODY_00_15( 1, T, A, B, C, D, E, X1); 165 X3 = W[3]; 166 BODY_00_15( 2, E, T, A, B, C, D, X2); 167 X4 = W[4]; 168 BODY_00_15( 3, D, E, T, A, B, C, X3); 169 X5 = W[5]; 170 BODY_00_15( 4, C, D, E, T, A, B, X4); 171 X6 = W[6]; 172 BODY_00_15( 5, B, C, D, E, T, A, X5); 173 X7 = W[7]; 174 BODY_00_15( 6, A, B, C, D, E, T, X6); 175 X8 = W[8]; 176 BODY_00_15( 7, T, A, B, C, D, E, X7); 177 X9 = W[9]; 178 BODY_00_15( 8, E, T, A, B, C, D, X8); 179 X10 = W[10]; 180 BODY_00_15( 9, D, E, T, A, B, C, X9); 181 X11 = W[11]; 182 BODY_00_15(10, C, D, E, T, A, B, X10); 183 X12 = W[12]; 184 BODY_00_15(11, B, C, D, E, T, A, X11); 185 X13 = W[13]; 186 BODY_00_15(12, A, B, C, D, E, T, X12); 187 X14 = W[14]; 188 BODY_00_15(13, T, A, B, C, D, E, X13); 189 X15 = W[15]; 190 BODY_00_15(14, E, T, A, B, C, D, X14); 191 BODY_00_15(15, D, E, T, A, B, C, X15); 192 193 data += SHA_CBLOCK; 194 } else { 195 HOST_c2l(data, l); 196 X0 = l; 197 HOST_c2l(data, l); 198 X1 = l; 199 BODY_00_15( 0, A, B, C, D, E, T, X0); 200 HOST_c2l(data, l); 201 X2 = l; 202 BODY_00_15( 1, T, A, B, C, D, E, X1); 203 HOST_c2l(data, l); 204 X3 = l; 205 BODY_00_15( 2, E, T, A, B, C, D, X2); 206 HOST_c2l(data, l); 207 X4 = l; 208 BODY_00_15( 3, D, E, T, A, B, C, X3); 209 HOST_c2l(data, l); 210 X5 = l; 211 BODY_00_15( 4, C, D, E, T, A, B, X4); 212 HOST_c2l(data, l); 213 X6 = l; 214 BODY_00_15( 5, B, C, D, E, T, A, X5); 215 HOST_c2l(data, l); 216 X7 = l; 217 BODY_00_15( 6, A, B, C, D, E, T, X6); 218 HOST_c2l(data, l); 219 X8 = l; 220 BODY_00_15( 7, T, A, B, C, D, E, X7); 221 HOST_c2l(data, l); 222 X9 = l; 223 BODY_00_15( 8, E, T, A, B, C, D, X8); 224 HOST_c2l(data, l); 225 X10 = l; 226 BODY_00_15( 9, D, E, T, A, B, C, X9); 227 HOST_c2l(data, l); 228 X11 = l; 229 BODY_00_15(10, C, D, E, T, A, B, X10); 230 HOST_c2l(data, l); 231 X12 = l; 232 BODY_00_15(11, B, C, D, E, T, A, X11); 233 HOST_c2l(data, l); 234 X13 = l; 235 BODY_00_15(12, A, B, C, D, E, T, X12); 236 HOST_c2l(data, l); 237 X14 = l; 238 BODY_00_15(13, T, A, B, C, D, E, X13); 239 HOST_c2l(data, l); 240 X15 = l; 241 BODY_00_15(14, E, T, A, B, C, D, X14); 242 BODY_00_15(15, D, E, T, A, B, C, X15); 243 } 244 245 BODY_16_19(16, C, D, E, T, A, B, X0, X0, X2, X8, X13); 246 BODY_16_19(17, B, C, D, E, T, A, X1, X1, X3, X9, X14); 247 BODY_16_19(18, A, B, C, D, E, T, X2, X2, X4, X10, X15); 248 BODY_16_19(19, T, A, B, C, D, E, X3, X3, X5, X11, X0); 249 250 BODY_20_31(20, E, T, A, B, C, D, X4, X4, X6, X12, X1); 251 BODY_20_31(21, D, E, T, A, B, C, X5, X5, X7, X13, X2); 252 BODY_20_31(22, C, D, E, T, A, B, X6, X6, X8, X14, X3); 253 BODY_20_31(23, B, C, D, E, T, A, X7, X7, X9, X15, X4); 254 BODY_20_31(24, A, B, C, D, E, T, X8, X8, X10, X0, X5); 255 BODY_20_31(25, T, A, B, C, D, E, X9, X9, X11, X1, X6); 256 BODY_20_31(26, E, T, A, B, C, D, X10, X10, X12, X2, X7); 257 BODY_20_31(27, D, E, T, A, B, C, X11, X11, X13, X3, X8); 258 BODY_20_31(28, C, D, E, T, A, B, X12, X12, X14, X4, X9); 259 BODY_20_31(29, B, C, D, E, T, A, X13, X13, X15, X5, X10); 260 BODY_20_31(30, A, B, C, D, E, T, X14, X14, X0, X6, X11); 261 BODY_20_31(31, T, A, B, C, D, E, X15, X15, X1, X7, X12); 262 263 BODY_32_39(32, E, T, A, B, C, D, X0, X2, X8, X13); 264 BODY_32_39(33, D, E, T, A, B, C, X1, X3, X9, X14); 265 BODY_32_39(34, C, D, E, T, A, B, X2, X4, X10, X15); 266 BODY_32_39(35, B, C, D, E, T, A, X3, X5, X11, X0); 267 BODY_32_39(36, A, B, C, D, E, T, X4, X6, X12, X1); 268 BODY_32_39(37, T, A, B, C, D, E, X5, X7, X13, X2); 269 BODY_32_39(38, E, T, A, B, C, D, X6, X8, X14, X3); 270 BODY_32_39(39, D, E, T, A, B, C, X7, X9, X15, X4); 271 272 BODY_40_59(40, C, D, E, T, A, B, X8, X10, X0, X5); 273 BODY_40_59(41, B, C, D, E, T, A, X9, X11, X1, X6); 274 BODY_40_59(42, A, B, C, D, E, T, X10, X12, X2, X7); 275 BODY_40_59(43, T, A, B, C, D, E, X11, X13, X3, X8); 276 BODY_40_59(44, E, T, A, B, C, D, X12, X14, X4, X9); 277 BODY_40_59(45, D, E, T, A, B, C, X13, X15, X5, X10); 278 BODY_40_59(46, C, D, E, T, A, B, X14, X0, X6, X11); 279 BODY_40_59(47, B, C, D, E, T, A, X15, X1, X7, X12); 280 BODY_40_59(48, A, B, C, D, E, T, X0, X2, X8, X13); 281 BODY_40_59(49, T, A, B, C, D, E, X1, X3, X9, X14); 282 BODY_40_59(50, E, T, A, B, C, D, X2, X4, X10, X15); 283 BODY_40_59(51, D, E, T, A, B, C, X3, X5, X11, X0); 284 BODY_40_59(52, C, D, E, T, A, B, X4, X6, X12, X1); 285 BODY_40_59(53, B, C, D, E, T, A, X5, X7, X13, X2); 286 BODY_40_59(54, A, B, C, D, E, T, X6, X8, X14, X3); 287 BODY_40_59(55, T, A, B, C, D, E, X7, X9, X15, X4); 288 BODY_40_59(56, E, T, A, B, C, D, X8, X10, X0, X5); 289 BODY_40_59(57, D, E, T, A, B, C, X9, X11, X1, X6); 290 BODY_40_59(58, C, D, E, T, A, B, X10, X12, X2, X7); 291 BODY_40_59(59, B, C, D, E, T, A, X11, X13, X3, X8); 292 293 BODY_60_79(60, A, B, C, D, E, T, X12, X14, X4, X9); 294 BODY_60_79(61, T, A, B, C, D, E, X13, X15, X5, X10); 295 BODY_60_79(62, E, T, A, B, C, D, X14, X0, X6, X11); 296 BODY_60_79(63, D, E, T, A, B, C, X15, X1, X7, X12); 297 BODY_60_79(64, C, D, E, T, A, B, X0, X2, X8, X13); 298 BODY_60_79(65, B, C, D, E, T, A, X1, X3, X9, X14); 299 BODY_60_79(66, A, B, C, D, E, T, X2, X4, X10, X15); 300 BODY_60_79(67, T, A, B, C, D, E, X3, X5, X11, X0); 301 BODY_60_79(68, E, T, A, B, C, D, X4, X6, X12, X1); 302 BODY_60_79(69, D, E, T, A, B, C, X5, X7, X13, X2); 303 BODY_60_79(70, C, D, E, T, A, B, X6, X8, X14, X3); 304 BODY_60_79(71, B, C, D, E, T, A, X7, X9, X15, X4); 305 BODY_60_79(72, A, B, C, D, E, T, X8, X10, X0, X5); 306 BODY_60_79(73, T, A, B, C, D, E, X9, X11, X1, X6); 307 BODY_60_79(74, E, T, A, B, C, D, X10, X12, X2, X7); 308 BODY_60_79(75, D, E, T, A, B, C, X11, X13, X3, X8); 309 BODY_60_79(76, C, D, E, T, A, B, X12, X14, X4, X9); 310 BODY_60_79(77, B, C, D, E, T, A, X13, X15, X5, X10); 311 BODY_60_79(78, A, B, C, D, E, T, X14, X0, X6, X11); 312 BODY_60_79(79, T, A, B, C, D, E, X15, X1, X7, X12); 313 314 c->h0 = (c->h0 + E)&0xffffffffL; 315 c->h1 = (c->h1 + T)&0xffffffffL; 316 c->h2 = (c->h2 + A)&0xffffffffL; 317 c->h3 = (c->h3 + B)&0xffffffffL; 318 c->h4 = (c->h4 + C)&0xffffffffL; 319 320 if (--num == 0) 321 break; 322 323 A = c->h0; 324 B = c->h1; 325 C = c->h2; 326 D = c->h3; 327 E = c->h4; 328 329 } 330 } 331 #endif 332 333 334 int 335 SHA1_Init(SHA_CTX *c) 336 { 337 memset(c, 0, sizeof(*c)); 338 339 c->h0 = 0x67452301UL; 340 c->h1 = 0xefcdab89UL; 341 c->h2 = 0x98badcfeUL; 342 c->h3 = 0x10325476UL; 343 c->h4 = 0xc3d2e1f0UL; 344 345 return 1; 346 } 347 LCRYPTO_ALIAS(SHA1_Init); 348 349 int 350 SHA1_Update(SHA_CTX *c, const void *data_, size_t len) 351 { 352 const unsigned char *data = data_; 353 unsigned char *p; 354 SHA_LONG l; 355 size_t n; 356 357 if (len == 0) 358 return 1; 359 360 l = (c->Nl + (((SHA_LONG)len) << 3))&0xffffffffUL; 361 /* 95-05-24 eay Fixed a bug with the overflow handling, thanks to 362 * Wei Dai <weidai@eskimo.com> for pointing it out. */ 363 if (l < c->Nl) /* overflow */ 364 c->Nh++; 365 c->Nh+=(SHA_LONG)(len>>29); /* might cause compiler warning on 16-bit */ 366 c->Nl = l; 367 368 n = c->num; 369 if (n != 0) { 370 p = (unsigned char *)c->data; 371 372 if (len >= SHA_CBLOCK || len + n >= SHA_CBLOCK) { 373 memcpy(p + n, data, SHA_CBLOCK - n); 374 sha1_block_data_order(c, p, 1); 375 n = SHA_CBLOCK - n; 376 data += n; 377 len -= n; 378 c->num = 0; 379 memset(p,0,SHA_CBLOCK); /* keep it zeroed */ 380 } else { 381 memcpy(p + n, data, len); 382 c->num += (unsigned int)len; 383 return 1; 384 } 385 } 386 387 n = len/SHA_CBLOCK; 388 if (n > 0) { 389 sha1_block_data_order(c, data, n); 390 n *= SHA_CBLOCK; 391 data += n; 392 len -= n; 393 } 394 395 if (len != 0) { 396 p = (unsigned char *)c->data; 397 c->num = (unsigned int)len; 398 memcpy(p, data, len); 399 } 400 return 1; 401 } 402 LCRYPTO_ALIAS(SHA1_Update); 403 404 void 405 SHA1_Transform(SHA_CTX *c, const unsigned char *data) 406 { 407 sha1_block_data_order(c, data, 1); 408 } 409 LCRYPTO_ALIAS(SHA1_Transform); 410 411 int 412 SHA1_Final(unsigned char *md, SHA_CTX *c) 413 { 414 unsigned char *p = (unsigned char *)c->data; 415 unsigned long ll; 416 size_t n = c->num; 417 418 p[n] = 0x80; /* there is always room for one */ 419 n++; 420 421 if (n > (SHA_CBLOCK - 8)) { 422 memset(p + n, 0, SHA_CBLOCK - n); 423 n = 0; 424 sha1_block_data_order(c, p, 1); 425 } 426 memset(p + n, 0, SHA_CBLOCK - 8 - n); 427 428 p += SHA_CBLOCK - 8; 429 #if defined(DATA_ORDER_IS_BIG_ENDIAN) 430 HOST_l2c(c->Nh, p); 431 HOST_l2c(c->Nl, p); 432 #elif defined(DATA_ORDER_IS_LITTLE_ENDIAN) 433 HOST_l2c(c->Nl, p); 434 HOST_l2c(c->Nh, p); 435 #endif 436 p -= SHA_CBLOCK; 437 sha1_block_data_order(c, p, 1); 438 c->num = 0; 439 memset(p, 0, SHA_CBLOCK); 440 441 ll = c->h0; 442 HOST_l2c(ll, md); 443 ll = c->h1; 444 HOST_l2c(ll, md); 445 ll = c->h2; 446 HOST_l2c(ll, md); 447 ll = c->h3; 448 HOST_l2c(ll, md); 449 ll = c->h4; 450 HOST_l2c(ll, md); 451 452 return 1; 453 } 454 LCRYPTO_ALIAS(SHA1_Final); 455 456 unsigned char * 457 SHA1(const unsigned char *d, size_t n, unsigned char *md) 458 { 459 SHA_CTX c; 460 static unsigned char m[SHA_DIGEST_LENGTH]; 461 462 if (md == NULL) 463 md = m; 464 465 if (!SHA1_Init(&c)) 466 return NULL; 467 SHA1_Update(&c, d, n); 468 SHA1_Final(md, &c); 469 470 explicit_bzero(&c, sizeof(c)); 471 472 return (md); 473 } 474 LCRYPTO_ALIAS(SHA1); 475 476 #endif 477