1 // SPDX-License-Identifier: Apache-2.0 2 /* 3 * FIPS-180-1 compliant SHA-1 implementation 4 * 5 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved 6 * 7 * Licensed under the Apache License, Version 2.0 (the "License"); you may 8 * not use this file except in compliance with the License. 9 * You may obtain a copy of the License at 10 * 11 * http://www.apache.org/licenses/LICENSE-2.0 12 * 13 * Unless required by applicable law or agreed to in writing, software 14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 * See the License for the specific language governing permissions and 17 * limitations under the License. 18 * 19 * This file is part of mbed TLS (https://tls.mbed.org) 20 */ 21 /* 22 * The SHA-1 standard was published by NIST in 1993. 23 * 24 * http://www.itl.nist.gov/fipspubs/fip180-1.htm 25 */ 26 27 #if !defined(MBEDTLS_CONFIG_FILE) 28 #include "mbedtls/config.h" 29 #else 30 #include MBEDTLS_CONFIG_FILE 31 #endif 32 33 #if defined(MBEDTLS_SHA1_C) 34 35 #include "mbedtls/sha1.h" 36 #include "mbedtls/platform_util.h" 37 #include "mbedtls/error.h" 38 39 #include <string.h> 40 41 #if defined(MBEDTLS_SELF_TEST) 42 #if defined(MBEDTLS_PLATFORM_C) 43 #include "mbedtls/platform.h" 44 #else 45 #include <stdio.h> 46 #define mbedtls_printf printf 47 #endif /* MBEDTLS_PLATFORM_C */ 48 #endif /* MBEDTLS_SELF_TEST */ 49 50 #define SHA1_VALIDATE_RET(cond) \ 51 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_SHA1_BAD_INPUT_DATA ) 52 53 #define SHA1_VALIDATE(cond) MBEDTLS_INTERNAL_VALIDATE( cond ) 54 55 #if !defined(MBEDTLS_SHA1_ALT) 56 57 /* 58 * 32-bit integer manipulation macros (big endian) 59 */ 60 #ifndef GET_UINT32_BE 61 #define GET_UINT32_BE(n,b,i) \ 62 { \ 63 (n) = ( (uint32_t) (b)[(i) ] << 24 ) \ 64 | ( (uint32_t) (b)[(i) + 1] << 16 ) \ 65 | ( (uint32_t) (b)[(i) + 2] << 8 ) \ 66 | ( (uint32_t) (b)[(i) + 3] ); \ 67 } 68 #endif 69 70 #ifndef PUT_UINT32_BE 71 #define PUT_UINT32_BE(n,b,i) \ 72 { \ 73 (b)[(i) ] = (unsigned char) ( (n) >> 24 ); \ 74 (b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \ 75 (b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \ 76 (b)[(i) + 3] = (unsigned char) ( (n) ); \ 77 } 78 #endif 79 80 void mbedtls_sha1_init( mbedtls_sha1_context *ctx ) 81 { 82 SHA1_VALIDATE( ctx != NULL ); 83 84 memset( ctx, 0, sizeof( mbedtls_sha1_context ) ); 85 } 86 87 void mbedtls_sha1_free( mbedtls_sha1_context *ctx ) 88 { 89 if( ctx == NULL ) 90 return; 91 92 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_sha1_context ) ); 93 } 94 95 void mbedtls_sha1_clone( mbedtls_sha1_context *dst, 96 const mbedtls_sha1_context *src ) 97 { 98 SHA1_VALIDATE( dst != NULL ); 99 SHA1_VALIDATE( src != NULL ); 100 101 *dst = *src; 102 } 103 104 /* 105 * SHA-1 context setup 106 */ 107 int mbedtls_sha1_starts_ret( mbedtls_sha1_context *ctx ) 108 { 109 SHA1_VALIDATE_RET( ctx != NULL ); 110 111 ctx->total[0] = 0; 112 ctx->total[1] = 0; 113 114 ctx->state[0] = 0x67452301; 115 ctx->state[1] = 0xEFCDAB89; 116 ctx->state[2] = 0x98BADCFE; 117 ctx->state[3] = 0x10325476; 118 ctx->state[4] = 0xC3D2E1F0; 119 120 return( 0 ); 121 } 122 123 #if !defined(MBEDTLS_DEPRECATED_REMOVED) 124 void mbedtls_sha1_starts( mbedtls_sha1_context *ctx ) 125 { 126 mbedtls_sha1_starts_ret( ctx ); 127 } 128 #endif 129 130 #if !defined(MBEDTLS_SHA1_PROCESS_ALT) 131 int mbedtls_internal_sha1_process( mbedtls_sha1_context *ctx, 132 const unsigned char data[64] ) 133 { 134 uint32_t temp, W[16], A, B, C, D, E; 135 136 SHA1_VALIDATE_RET( ctx != NULL ); 137 SHA1_VALIDATE_RET( (const unsigned char *)data != NULL ); 138 139 GET_UINT32_BE( W[ 0], data, 0 ); 140 GET_UINT32_BE( W[ 1], data, 4 ); 141 GET_UINT32_BE( W[ 2], data, 8 ); 142 GET_UINT32_BE( W[ 3], data, 12 ); 143 GET_UINT32_BE( W[ 4], data, 16 ); 144 GET_UINT32_BE( W[ 5], data, 20 ); 145 GET_UINT32_BE( W[ 6], data, 24 ); 146 GET_UINT32_BE( W[ 7], data, 28 ); 147 GET_UINT32_BE( W[ 8], data, 32 ); 148 GET_UINT32_BE( W[ 9], data, 36 ); 149 GET_UINT32_BE( W[10], data, 40 ); 150 GET_UINT32_BE( W[11], data, 44 ); 151 GET_UINT32_BE( W[12], data, 48 ); 152 GET_UINT32_BE( W[13], data, 52 ); 153 GET_UINT32_BE( W[14], data, 56 ); 154 GET_UINT32_BE( W[15], data, 60 ); 155 156 #define S(x,n) (((x) << (n)) | (((x) & 0xFFFFFFFF) >> (32 - (n)))) 157 158 #define R(t) \ 159 ( \ 160 temp = W[( (t) - 3 ) & 0x0F] ^ W[( (t) - 8 ) & 0x0F] ^ \ 161 W[( (t) - 14 ) & 0x0F] ^ W[ (t) & 0x0F], \ 162 ( W[(t) & 0x0F] = S(temp,1) ) \ 163 ) 164 165 #define P(a,b,c,d,e,x) \ 166 do \ 167 { \ 168 (e) += S((a),5) + F((b),(c),(d)) + K + (x); \ 169 (b) = S((b),30); \ 170 } while( 0 ) 171 172 A = ctx->state[0]; 173 B = ctx->state[1]; 174 C = ctx->state[2]; 175 D = ctx->state[3]; 176 E = ctx->state[4]; 177 178 #define F(x,y,z) ((z) ^ ((x) & ((y) ^ (z)))) 179 #define K 0x5A827999 180 181 P( A, B, C, D, E, W[0] ); 182 P( E, A, B, C, D, W[1] ); 183 P( D, E, A, B, C, W[2] ); 184 P( C, D, E, A, B, W[3] ); 185 P( B, C, D, E, A, W[4] ); 186 P( A, B, C, D, E, W[5] ); 187 P( E, A, B, C, D, W[6] ); 188 P( D, E, A, B, C, W[7] ); 189 P( C, D, E, A, B, W[8] ); 190 P( B, C, D, E, A, W[9] ); 191 P( A, B, C, D, E, W[10] ); 192 P( E, A, B, C, D, W[11] ); 193 P( D, E, A, B, C, W[12] ); 194 P( C, D, E, A, B, W[13] ); 195 P( B, C, D, E, A, W[14] ); 196 P( A, B, C, D, E, W[15] ); 197 P( E, A, B, C, D, R(16) ); 198 P( D, E, A, B, C, R(17) ); 199 P( C, D, E, A, B, R(18) ); 200 P( B, C, D, E, A, R(19) ); 201 202 #undef K 203 #undef F 204 205 #define F(x,y,z) ((x) ^ (y) ^ (z)) 206 #define K 0x6ED9EBA1 207 208 P( A, B, C, D, E, R(20) ); 209 P( E, A, B, C, D, R(21) ); 210 P( D, E, A, B, C, R(22) ); 211 P( C, D, E, A, B, R(23) ); 212 P( B, C, D, E, A, R(24) ); 213 P( A, B, C, D, E, R(25) ); 214 P( E, A, B, C, D, R(26) ); 215 P( D, E, A, B, C, R(27) ); 216 P( C, D, E, A, B, R(28) ); 217 P( B, C, D, E, A, R(29) ); 218 P( A, B, C, D, E, R(30) ); 219 P( E, A, B, C, D, R(31) ); 220 P( D, E, A, B, C, R(32) ); 221 P( C, D, E, A, B, R(33) ); 222 P( B, C, D, E, A, R(34) ); 223 P( A, B, C, D, E, R(35) ); 224 P( E, A, B, C, D, R(36) ); 225 P( D, E, A, B, C, R(37) ); 226 P( C, D, E, A, B, R(38) ); 227 P( B, C, D, E, A, R(39) ); 228 229 #undef K 230 #undef F 231 232 #define F(x,y,z) (((x) & (y)) | ((z) & ((x) | (y)))) 233 #define K 0x8F1BBCDC 234 235 P( A, B, C, D, E, R(40) ); 236 P( E, A, B, C, D, R(41) ); 237 P( D, E, A, B, C, R(42) ); 238 P( C, D, E, A, B, R(43) ); 239 P( B, C, D, E, A, R(44) ); 240 P( A, B, C, D, E, R(45) ); 241 P( E, A, B, C, D, R(46) ); 242 P( D, E, A, B, C, R(47) ); 243 P( C, D, E, A, B, R(48) ); 244 P( B, C, D, E, A, R(49) ); 245 P( A, B, C, D, E, R(50) ); 246 P( E, A, B, C, D, R(51) ); 247 P( D, E, A, B, C, R(52) ); 248 P( C, D, E, A, B, R(53) ); 249 P( B, C, D, E, A, R(54) ); 250 P( A, B, C, D, E, R(55) ); 251 P( E, A, B, C, D, R(56) ); 252 P( D, E, A, B, C, R(57) ); 253 P( C, D, E, A, B, R(58) ); 254 P( B, C, D, E, A, R(59) ); 255 256 #undef K 257 #undef F 258 259 #define F(x,y,z) ((x) ^ (y) ^ (z)) 260 #define K 0xCA62C1D6 261 262 P( A, B, C, D, E, R(60) ); 263 P( E, A, B, C, D, R(61) ); 264 P( D, E, A, B, C, R(62) ); 265 P( C, D, E, A, B, R(63) ); 266 P( B, C, D, E, A, R(64) ); 267 P( A, B, C, D, E, R(65) ); 268 P( E, A, B, C, D, R(66) ); 269 P( D, E, A, B, C, R(67) ); 270 P( C, D, E, A, B, R(68) ); 271 P( B, C, D, E, A, R(69) ); 272 P( A, B, C, D, E, R(70) ); 273 P( E, A, B, C, D, R(71) ); 274 P( D, E, A, B, C, R(72) ); 275 P( C, D, E, A, B, R(73) ); 276 P( B, C, D, E, A, R(74) ); 277 P( A, B, C, D, E, R(75) ); 278 P( E, A, B, C, D, R(76) ); 279 P( D, E, A, B, C, R(77) ); 280 P( C, D, E, A, B, R(78) ); 281 P( B, C, D, E, A, R(79) ); 282 283 #undef K 284 #undef F 285 286 ctx->state[0] += A; 287 ctx->state[1] += B; 288 ctx->state[2] += C; 289 ctx->state[3] += D; 290 ctx->state[4] += E; 291 292 return( 0 ); 293 } 294 295 #if !defined(MBEDTLS_DEPRECATED_REMOVED) 296 void mbedtls_sha1_process( mbedtls_sha1_context *ctx, 297 const unsigned char data[64] ) 298 { 299 mbedtls_internal_sha1_process( ctx, data ); 300 } 301 #endif 302 #endif /* !MBEDTLS_SHA1_PROCESS_ALT */ 303 304 /* 305 * SHA-1 process buffer 306 */ 307 int mbedtls_sha1_update_ret( mbedtls_sha1_context *ctx, 308 const unsigned char *input, 309 size_t ilen ) 310 { 311 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 312 size_t fill; 313 uint32_t left; 314 315 SHA1_VALIDATE_RET( ctx != NULL ); 316 SHA1_VALIDATE_RET( ilen == 0 || input != NULL ); 317 318 if( ilen == 0 ) 319 return( 0 ); 320 321 left = ctx->total[0] & 0x3F; 322 fill = 64 - left; 323 324 ctx->total[0] += (uint32_t) ilen; 325 ctx->total[0] &= 0xFFFFFFFF; 326 327 if( ctx->total[0] < (uint32_t) ilen ) 328 ctx->total[1]++; 329 330 if( left && ilen >= fill ) 331 { 332 memcpy( (void *) (ctx->buffer + left), input, fill ); 333 334 if( ( ret = mbedtls_internal_sha1_process( ctx, ctx->buffer ) ) != 0 ) 335 return( ret ); 336 337 input += fill; 338 ilen -= fill; 339 left = 0; 340 } 341 342 while( ilen >= 64 ) 343 { 344 if( ( ret = mbedtls_internal_sha1_process( ctx, input ) ) != 0 ) 345 return( ret ); 346 347 input += 64; 348 ilen -= 64; 349 } 350 351 if( ilen > 0 ) 352 memcpy( (void *) (ctx->buffer + left), input, ilen ); 353 354 return( 0 ); 355 } 356 357 #if !defined(MBEDTLS_DEPRECATED_REMOVED) 358 void mbedtls_sha1_update( mbedtls_sha1_context *ctx, 359 const unsigned char *input, 360 size_t ilen ) 361 { 362 mbedtls_sha1_update_ret( ctx, input, ilen ); 363 } 364 #endif 365 366 /* 367 * SHA-1 final digest 368 */ 369 int mbedtls_sha1_finish_ret( mbedtls_sha1_context *ctx, 370 unsigned char output[20] ) 371 { 372 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 373 uint32_t used; 374 uint32_t high, low; 375 376 SHA1_VALIDATE_RET( ctx != NULL ); 377 SHA1_VALIDATE_RET( (unsigned char *)output != NULL ); 378 379 /* 380 * Add padding: 0x80 then 0x00 until 8 bytes remain for the length 381 */ 382 used = ctx->total[0] & 0x3F; 383 384 ctx->buffer[used++] = 0x80; 385 386 if( used <= 56 ) 387 { 388 /* Enough room for padding + length in current block */ 389 memset( ctx->buffer + used, 0, 56 - used ); 390 } 391 else 392 { 393 /* We'll need an extra block */ 394 memset( ctx->buffer + used, 0, 64 - used ); 395 396 if( ( ret = mbedtls_internal_sha1_process( ctx, ctx->buffer ) ) != 0 ) 397 return( ret ); 398 399 memset( ctx->buffer, 0, 56 ); 400 } 401 402 /* 403 * Add message length 404 */ 405 high = ( ctx->total[0] >> 29 ) 406 | ( ctx->total[1] << 3 ); 407 low = ( ctx->total[0] << 3 ); 408 409 PUT_UINT32_BE( high, ctx->buffer, 56 ); 410 PUT_UINT32_BE( low, ctx->buffer, 60 ); 411 412 if( ( ret = mbedtls_internal_sha1_process( ctx, ctx->buffer ) ) != 0 ) 413 return( ret ); 414 415 /* 416 * Output final state 417 */ 418 PUT_UINT32_BE( ctx->state[0], output, 0 ); 419 PUT_UINT32_BE( ctx->state[1], output, 4 ); 420 PUT_UINT32_BE( ctx->state[2], output, 8 ); 421 PUT_UINT32_BE( ctx->state[3], output, 12 ); 422 PUT_UINT32_BE( ctx->state[4], output, 16 ); 423 424 return( 0 ); 425 } 426 427 #if !defined(MBEDTLS_DEPRECATED_REMOVED) 428 void mbedtls_sha1_finish( mbedtls_sha1_context *ctx, 429 unsigned char output[20] ) 430 { 431 mbedtls_sha1_finish_ret( ctx, output ); 432 } 433 #endif 434 435 #endif /* !MBEDTLS_SHA1_ALT */ 436 437 /* 438 * output = SHA-1( input buffer ) 439 */ 440 int mbedtls_sha1_ret( const unsigned char *input, 441 size_t ilen, 442 unsigned char output[20] ) 443 { 444 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 445 mbedtls_sha1_context ctx; 446 447 SHA1_VALIDATE_RET( ilen == 0 || input != NULL ); 448 SHA1_VALIDATE_RET( (unsigned char *)output != NULL ); 449 450 mbedtls_sha1_init( &ctx ); 451 452 if( ( ret = mbedtls_sha1_starts_ret( &ctx ) ) != 0 ) 453 goto exit; 454 455 if( ( ret = mbedtls_sha1_update_ret( &ctx, input, ilen ) ) != 0 ) 456 goto exit; 457 458 if( ( ret = mbedtls_sha1_finish_ret( &ctx, output ) ) != 0 ) 459 goto exit; 460 461 exit: 462 mbedtls_sha1_free( &ctx ); 463 464 return( ret ); 465 } 466 467 #if !defined(MBEDTLS_DEPRECATED_REMOVED) 468 void mbedtls_sha1( const unsigned char *input, 469 size_t ilen, 470 unsigned char output[20] ) 471 { 472 mbedtls_sha1_ret( input, ilen, output ); 473 } 474 #endif 475 476 #if defined(MBEDTLS_SELF_TEST) 477 /* 478 * FIPS-180-1 test vectors 479 */ 480 static const unsigned char sha1_test_buf[3][57] = 481 { 482 { "abc" }, 483 { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" }, 484 { "" } 485 }; 486 487 static const size_t sha1_test_buflen[3] = 488 { 489 3, 56, 1000 490 }; 491 492 static const unsigned char sha1_test_sum[3][20] = 493 { 494 { 0xA9, 0x99, 0x3E, 0x36, 0x47, 0x06, 0x81, 0x6A, 0xBA, 0x3E, 495 0x25, 0x71, 0x78, 0x50, 0xC2, 0x6C, 0x9C, 0xD0, 0xD8, 0x9D }, 496 { 0x84, 0x98, 0x3E, 0x44, 0x1C, 0x3B, 0xD2, 0x6E, 0xBA, 0xAE, 497 0x4A, 0xA1, 0xF9, 0x51, 0x29, 0xE5, 0xE5, 0x46, 0x70, 0xF1 }, 498 { 0x34, 0xAA, 0x97, 0x3C, 0xD4, 0xC4, 0xDA, 0xA4, 0xF6, 0x1E, 499 0xEB, 0x2B, 0xDB, 0xAD, 0x27, 0x31, 0x65, 0x34, 0x01, 0x6F } 500 }; 501 502 /* 503 * Checkup routine 504 */ 505 int mbedtls_sha1_self_test( int verbose ) 506 { 507 int i, j, buflen, ret = 0; 508 unsigned char buf[1024]; 509 unsigned char sha1sum[20]; 510 mbedtls_sha1_context ctx; 511 512 mbedtls_sha1_init( &ctx ); 513 514 /* 515 * SHA-1 516 */ 517 for( i = 0; i < 3; i++ ) 518 { 519 if( verbose != 0 ) 520 mbedtls_printf( " SHA-1 test #%d: ", i + 1 ); 521 522 if( ( ret = mbedtls_sha1_starts_ret( &ctx ) ) != 0 ) 523 goto fail; 524 525 if( i == 2 ) 526 { 527 memset( buf, 'a', buflen = 1000 ); 528 529 for( j = 0; j < 1000; j++ ) 530 { 531 ret = mbedtls_sha1_update_ret( &ctx, buf, buflen ); 532 if( ret != 0 ) 533 goto fail; 534 } 535 } 536 else 537 { 538 ret = mbedtls_sha1_update_ret( &ctx, sha1_test_buf[i], 539 sha1_test_buflen[i] ); 540 if( ret != 0 ) 541 goto fail; 542 } 543 544 if( ( ret = mbedtls_sha1_finish_ret( &ctx, sha1sum ) ) != 0 ) 545 goto fail; 546 547 if( memcmp( sha1sum, sha1_test_sum[i], 20 ) != 0 ) 548 { 549 ret = 1; 550 goto fail; 551 } 552 553 if( verbose != 0 ) 554 mbedtls_printf( "passed\n" ); 555 } 556 557 if( verbose != 0 ) 558 mbedtls_printf( "\n" ); 559 560 goto exit; 561 562 fail: 563 if( verbose != 0 ) 564 mbedtls_printf( "failed\n" ); 565 566 exit: 567 mbedtls_sha1_free( &ctx ); 568 569 return( ret ); 570 } 571 572 #endif /* MBEDTLS_SELF_TEST */ 573 574 #endif /* MBEDTLS_SHA1_C */ 575