1 // SPDX-License-Identifier: Apache-2.0 2 /* 3 * FIPS-180-1 compliant SHA-1 implementation 4 * 5 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved 6 * 7 * Licensed under the Apache License, Version 2.0 (the "License"); you may 8 * not use this file except in compliance with the License. 9 * You may obtain a copy of the License at 10 * 11 * http://www.apache.org/licenses/LICENSE-2.0 12 * 13 * Unless required by applicable law or agreed to in writing, software 14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 * See the License for the specific language governing permissions and 17 * limitations under the License. 18 * 19 * This file is part of mbed TLS (https://tls.mbed.org) 20 */ 21 /* 22 * The SHA-1 standard was published by NIST in 1993. 23 * 24 * http://www.itl.nist.gov/fipspubs/fip180-1.htm 25 */ 26 27 #if !defined(MBEDTLS_CONFIG_FILE) 28 #include "mbedtls/config.h" 29 #else 30 #include MBEDTLS_CONFIG_FILE 31 #endif 32 33 #if defined(MBEDTLS_SHA1_C) 34 35 #include "mbedtls/sha1.h" 36 37 #include <string.h> 38 39 #if defined(MBEDTLS_SELF_TEST) 40 #if defined(MBEDTLS_PLATFORM_C) 41 #include "mbedtls/platform.h" 42 #else 43 #include <stdio.h> 44 #define mbedtls_printf printf 45 #endif /* MBEDTLS_PLATFORM_C */ 46 #endif /* MBEDTLS_SELF_TEST */ 47 48 #if !defined(MBEDTLS_SHA1_ALT) 49 50 /* Implementation that should never be optimized out by the compiler */ 51 static void mbedtls_zeroize( void *v, size_t n ) { 52 volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0; 53 } 54 55 /* 56 * 32-bit integer manipulation macros (big endian) 57 */ 58 #ifndef GET_UINT32_BE 59 #define GET_UINT32_BE(n,b,i) \ 60 { \ 61 (n) = ( (uint32_t) (b)[(i) ] << 24 ) \ 62 | ( (uint32_t) (b)[(i) + 1] << 16 ) \ 63 | ( (uint32_t) (b)[(i) + 2] << 8 ) \ 64 | ( (uint32_t) (b)[(i) + 3] ); \ 65 } 66 #endif 67 68 #ifndef PUT_UINT32_BE 69 #define PUT_UINT32_BE(n,b,i) \ 70 { \ 71 (b)[(i) ] = (unsigned char) ( (n) >> 24 ); \ 72 (b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \ 73 (b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \ 74 (b)[(i) + 3] = (unsigned char) ( (n) ); \ 75 } 76 #endif 77 78 void mbedtls_sha1_init( mbedtls_sha1_context *ctx ) 79 { 80 memset( ctx, 0, sizeof( mbedtls_sha1_context ) ); 81 } 82 83 void mbedtls_sha1_free( mbedtls_sha1_context *ctx ) 84 { 85 if( ctx == NULL ) 86 return; 87 88 mbedtls_zeroize( ctx, sizeof( mbedtls_sha1_context ) ); 89 } 90 91 void mbedtls_sha1_clone( mbedtls_sha1_context *dst, 92 const mbedtls_sha1_context *src ) 93 { 94 *dst = *src; 95 } 96 97 /* 98 * SHA-1 context setup 99 */ 100 void mbedtls_sha1_starts( mbedtls_sha1_context *ctx ) 101 { 102 ctx->total[0] = 0; 103 ctx->total[1] = 0; 104 105 ctx->state[0] = 0x67452301; 106 ctx->state[1] = 0xEFCDAB89; 107 ctx->state[2] = 0x98BADCFE; 108 ctx->state[3] = 0x10325476; 109 ctx->state[4] = 0xC3D2E1F0; 110 } 111 112 #if !defined(MBEDTLS_SHA1_PROCESS_ALT) 113 void mbedtls_sha1_process( mbedtls_sha1_context *ctx, const unsigned char data[64] ) 114 { 115 uint32_t temp, W[16], A, B, C, D, E; 116 117 GET_UINT32_BE( W[ 0], data, 0 ); 118 GET_UINT32_BE( W[ 1], data, 4 ); 119 GET_UINT32_BE( W[ 2], data, 8 ); 120 GET_UINT32_BE( W[ 3], data, 12 ); 121 GET_UINT32_BE( W[ 4], data, 16 ); 122 GET_UINT32_BE( W[ 5], data, 20 ); 123 GET_UINT32_BE( W[ 6], data, 24 ); 124 GET_UINT32_BE( W[ 7], data, 28 ); 125 GET_UINT32_BE( W[ 8], data, 32 ); 126 GET_UINT32_BE( W[ 9], data, 36 ); 127 GET_UINT32_BE( W[10], data, 40 ); 128 GET_UINT32_BE( W[11], data, 44 ); 129 GET_UINT32_BE( W[12], data, 48 ); 130 GET_UINT32_BE( W[13], data, 52 ); 131 GET_UINT32_BE( W[14], data, 56 ); 132 GET_UINT32_BE( W[15], data, 60 ); 133 134 #define S(x,n) ((x << n) | ((x & 0xFFFFFFFF) >> (32 - n))) 135 136 #define R(t) \ 137 ( \ 138 temp = W[( t - 3 ) & 0x0F] ^ W[( t - 8 ) & 0x0F] ^ \ 139 W[( t - 14 ) & 0x0F] ^ W[ t & 0x0F], \ 140 ( W[t & 0x0F] = S(temp,1) ) \ 141 ) 142 143 #define P(a,b,c,d,e,x) \ 144 { \ 145 e += S(a,5) + F(b,c,d) + K + x; b = S(b,30); \ 146 } 147 148 A = ctx->state[0]; 149 B = ctx->state[1]; 150 C = ctx->state[2]; 151 D = ctx->state[3]; 152 E = ctx->state[4]; 153 154 #define F(x,y,z) (z ^ (x & (y ^ z))) 155 #define K 0x5A827999 156 157 P( A, B, C, D, E, W[0] ); 158 P( E, A, B, C, D, W[1] ); 159 P( D, E, A, B, C, W[2] ); 160 P( C, D, E, A, B, W[3] ); 161 P( B, C, D, E, A, W[4] ); 162 P( A, B, C, D, E, W[5] ); 163 P( E, A, B, C, D, W[6] ); 164 P( D, E, A, B, C, W[7] ); 165 P( C, D, E, A, B, W[8] ); 166 P( B, C, D, E, A, W[9] ); 167 P( A, B, C, D, E, W[10] ); 168 P( E, A, B, C, D, W[11] ); 169 P( D, E, A, B, C, W[12] ); 170 P( C, D, E, A, B, W[13] ); 171 P( B, C, D, E, A, W[14] ); 172 P( A, B, C, D, E, W[15] ); 173 P( E, A, B, C, D, R(16) ); 174 P( D, E, A, B, C, R(17) ); 175 P( C, D, E, A, B, R(18) ); 176 P( B, C, D, E, A, R(19) ); 177 178 #undef K 179 #undef F 180 181 #define F(x,y,z) (x ^ y ^ z) 182 #define K 0x6ED9EBA1 183 184 P( A, B, C, D, E, R(20) ); 185 P( E, A, B, C, D, R(21) ); 186 P( D, E, A, B, C, R(22) ); 187 P( C, D, E, A, B, R(23) ); 188 P( B, C, D, E, A, R(24) ); 189 P( A, B, C, D, E, R(25) ); 190 P( E, A, B, C, D, R(26) ); 191 P( D, E, A, B, C, R(27) ); 192 P( C, D, E, A, B, R(28) ); 193 P( B, C, D, E, A, R(29) ); 194 P( A, B, C, D, E, R(30) ); 195 P( E, A, B, C, D, R(31) ); 196 P( D, E, A, B, C, R(32) ); 197 P( C, D, E, A, B, R(33) ); 198 P( B, C, D, E, A, R(34) ); 199 P( A, B, C, D, E, R(35) ); 200 P( E, A, B, C, D, R(36) ); 201 P( D, E, A, B, C, R(37) ); 202 P( C, D, E, A, B, R(38) ); 203 P( B, C, D, E, A, R(39) ); 204 205 #undef K 206 #undef F 207 208 #define F(x,y,z) ((x & y) | (z & (x | y))) 209 #define K 0x8F1BBCDC 210 211 P( A, B, C, D, E, R(40) ); 212 P( E, A, B, C, D, R(41) ); 213 P( D, E, A, B, C, R(42) ); 214 P( C, D, E, A, B, R(43) ); 215 P( B, C, D, E, A, R(44) ); 216 P( A, B, C, D, E, R(45) ); 217 P( E, A, B, C, D, R(46) ); 218 P( D, E, A, B, C, R(47) ); 219 P( C, D, E, A, B, R(48) ); 220 P( B, C, D, E, A, R(49) ); 221 P( A, B, C, D, E, R(50) ); 222 P( E, A, B, C, D, R(51) ); 223 P( D, E, A, B, C, R(52) ); 224 P( C, D, E, A, B, R(53) ); 225 P( B, C, D, E, A, R(54) ); 226 P( A, B, C, D, E, R(55) ); 227 P( E, A, B, C, D, R(56) ); 228 P( D, E, A, B, C, R(57) ); 229 P( C, D, E, A, B, R(58) ); 230 P( B, C, D, E, A, R(59) ); 231 232 #undef K 233 #undef F 234 235 #define F(x,y,z) (x ^ y ^ z) 236 #define K 0xCA62C1D6 237 238 P( A, B, C, D, E, R(60) ); 239 P( E, A, B, C, D, R(61) ); 240 P( D, E, A, B, C, R(62) ); 241 P( C, D, E, A, B, R(63) ); 242 P( B, C, D, E, A, R(64) ); 243 P( A, B, C, D, E, R(65) ); 244 P( E, A, B, C, D, R(66) ); 245 P( D, E, A, B, C, R(67) ); 246 P( C, D, E, A, B, R(68) ); 247 P( B, C, D, E, A, R(69) ); 248 P( A, B, C, D, E, R(70) ); 249 P( E, A, B, C, D, R(71) ); 250 P( D, E, A, B, C, R(72) ); 251 P( C, D, E, A, B, R(73) ); 252 P( B, C, D, E, A, R(74) ); 253 P( A, B, C, D, E, R(75) ); 254 P( E, A, B, C, D, R(76) ); 255 P( D, E, A, B, C, R(77) ); 256 P( C, D, E, A, B, R(78) ); 257 P( B, C, D, E, A, R(79) ); 258 259 #undef K 260 #undef F 261 262 ctx->state[0] += A; 263 ctx->state[1] += B; 264 ctx->state[2] += C; 265 ctx->state[3] += D; 266 ctx->state[4] += E; 267 } 268 #endif /* !MBEDTLS_SHA1_PROCESS_ALT */ 269 270 /* 271 * SHA-1 process buffer 272 */ 273 void mbedtls_sha1_update( mbedtls_sha1_context *ctx, const unsigned char *input, size_t ilen ) 274 { 275 size_t fill; 276 uint32_t left; 277 278 if( ilen == 0 ) 279 return; 280 281 left = ctx->total[0] & 0x3F; 282 fill = 64 - left; 283 284 ctx->total[0] += (uint32_t) ilen; 285 ctx->total[0] &= 0xFFFFFFFF; 286 287 if( ctx->total[0] < (uint32_t) ilen ) 288 ctx->total[1]++; 289 290 if( left && ilen >= fill ) 291 { 292 memcpy( (void *) (ctx->buffer + left), input, fill ); 293 mbedtls_sha1_process( ctx, ctx->buffer ); 294 input += fill; 295 ilen -= fill; 296 left = 0; 297 } 298 299 while( ilen >= 64 ) 300 { 301 mbedtls_sha1_process( ctx, input ); 302 input += 64; 303 ilen -= 64; 304 } 305 306 if( ilen > 0 ) 307 memcpy( (void *) (ctx->buffer + left), input, ilen ); 308 } 309 310 static const unsigned char sha1_padding[64] = 311 { 312 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 313 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 314 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 315 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 316 }; 317 318 /* 319 * SHA-1 final digest 320 */ 321 void mbedtls_sha1_finish( mbedtls_sha1_context *ctx, unsigned char output[20] ) 322 { 323 uint32_t last, padn; 324 uint32_t high, low; 325 unsigned char msglen[8]; 326 327 high = ( ctx->total[0] >> 29 ) 328 | ( ctx->total[1] << 3 ); 329 low = ( ctx->total[0] << 3 ); 330 331 PUT_UINT32_BE( high, msglen, 0 ); 332 PUT_UINT32_BE( low, msglen, 4 ); 333 334 last = ctx->total[0] & 0x3F; 335 padn = ( last < 56 ) ? ( 56 - last ) : ( 120 - last ); 336 337 mbedtls_sha1_update( ctx, sha1_padding, padn ); 338 mbedtls_sha1_update( ctx, msglen, 8 ); 339 340 PUT_UINT32_BE( ctx->state[0], output, 0 ); 341 PUT_UINT32_BE( ctx->state[1], output, 4 ); 342 PUT_UINT32_BE( ctx->state[2], output, 8 ); 343 PUT_UINT32_BE( ctx->state[3], output, 12 ); 344 PUT_UINT32_BE( ctx->state[4], output, 16 ); 345 } 346 347 #endif /* !MBEDTLS_SHA1_ALT */ 348 349 /* 350 * output = SHA-1( input buffer ) 351 */ 352 void mbedtls_sha1( const unsigned char *input, size_t ilen, unsigned char output[20] ) 353 { 354 mbedtls_sha1_context ctx; 355 356 mbedtls_sha1_init( &ctx ); 357 mbedtls_sha1_starts( &ctx ); 358 mbedtls_sha1_update( &ctx, input, ilen ); 359 mbedtls_sha1_finish( &ctx, output ); 360 mbedtls_sha1_free( &ctx ); 361 } 362 363 #if defined(MBEDTLS_SELF_TEST) 364 /* 365 * FIPS-180-1 test vectors 366 */ 367 static const unsigned char sha1_test_buf[3][57] = 368 { 369 { "abc" }, 370 { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" }, 371 { "" } 372 }; 373 374 static const int sha1_test_buflen[3] = 375 { 376 3, 56, 1000 377 }; 378 379 static const unsigned char sha1_test_sum[3][20] = 380 { 381 { 0xA9, 0x99, 0x3E, 0x36, 0x47, 0x06, 0x81, 0x6A, 0xBA, 0x3E, 382 0x25, 0x71, 0x78, 0x50, 0xC2, 0x6C, 0x9C, 0xD0, 0xD8, 0x9D }, 383 { 0x84, 0x98, 0x3E, 0x44, 0x1C, 0x3B, 0xD2, 0x6E, 0xBA, 0xAE, 384 0x4A, 0xA1, 0xF9, 0x51, 0x29, 0xE5, 0xE5, 0x46, 0x70, 0xF1 }, 385 { 0x34, 0xAA, 0x97, 0x3C, 0xD4, 0xC4, 0xDA, 0xA4, 0xF6, 0x1E, 386 0xEB, 0x2B, 0xDB, 0xAD, 0x27, 0x31, 0x65, 0x34, 0x01, 0x6F } 387 }; 388 389 /* 390 * Checkup routine 391 */ 392 int mbedtls_sha1_self_test( int verbose ) 393 { 394 int i, j, buflen, ret = 0; 395 unsigned char buf[1024]; 396 unsigned char sha1sum[20]; 397 mbedtls_sha1_context ctx; 398 399 mbedtls_sha1_init( &ctx ); 400 401 /* 402 * SHA-1 403 */ 404 for( i = 0; i < 3; i++ ) 405 { 406 if( verbose != 0 ) 407 mbedtls_printf( " SHA-1 test #%d: ", i + 1 ); 408 409 mbedtls_sha1_starts( &ctx ); 410 411 if( i == 2 ) 412 { 413 memset( buf, 'a', buflen = 1000 ); 414 415 for( j = 0; j < 1000; j++ ) 416 mbedtls_sha1_update( &ctx, buf, buflen ); 417 } 418 else 419 mbedtls_sha1_update( &ctx, sha1_test_buf[i], 420 sha1_test_buflen[i] ); 421 422 mbedtls_sha1_finish( &ctx, sha1sum ); 423 424 if( memcmp( sha1sum, sha1_test_sum[i], 20 ) != 0 ) 425 { 426 if( verbose != 0 ) 427 mbedtls_printf( "failed\n" ); 428 429 ret = 1; 430 goto exit; 431 } 432 433 if( verbose != 0 ) 434 mbedtls_printf( "passed\n" ); 435 } 436 437 if( verbose != 0 ) 438 mbedtls_printf( "\n" ); 439 440 exit: 441 mbedtls_sha1_free( &ctx ); 442 443 return( ret ); 444 } 445 446 #endif /* MBEDTLS_SELF_TEST */ 447 448 #endif /* MBEDTLS_SHA1_C */ 449