sha1.c (12804B)
1 /* 2 * sha1.c 3 * 4 * an implementation of the Secure Hash Algorithm v.1 (SHA-1), 5 * specified in FIPS 180-1 6 * 7 * David A. McGrew 8 * Cisco Systems, Inc. 9 */ 10 11 /* 12 * 13 * Copyright (c) 2001-2017, Cisco Systems, Inc. 14 * All rights reserved. 15 * 16 * Redistribution and use in source and binary forms, with or without 17 * modification, are permitted provided that the following conditions 18 * are met: 19 * 20 * Redistributions of source code must retain the above copyright 21 * notice, this list of conditions and the following disclaimer. 22 * 23 * Redistributions in binary form must reproduce the above 24 * copyright notice, this list of conditions and the following 25 * disclaimer in the documentation and/or other materials provided 26 * with the distribution. 27 * 28 * Neither the name of the Cisco Systems, Inc. nor the names of its 29 * contributors may be used to endorse or promote products derived 30 * from this software without specific prior written permission. 31 * 32 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 33 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 34 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 35 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 36 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, 37 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 38 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 39 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 40 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 41 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 42 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 43 * OF THE POSSIBILITY OF SUCH DAMAGE. 44 * 45 */ 46 47 #ifdef HAVE_CONFIG_H 48 #include <config.h> 49 #endif 50 51 #include "sha1.h" 52 53 srtp_debug_module_t srtp_mod_sha1 = { 54 0, /* debugging is off by default */ 55 "sha-1" /* printable module name */ 56 }; 57 58 /* SN == Rotate left N bits */ 59 #define S1(X) ((X << 1) | (X >> 31)) 60 #define S5(X) ((X << 5) | (X >> 27)) 61 #define S30(X) ((X << 30) | (X >> 2)) 62 63 #define f0(B, C, D) ((B & C) | (~B & D)) 64 #define f1(B, C, D) (B ^ C ^ D) 65 #define f2(B, C, D) ((B & C) | (B & D) | (C & D)) 66 #define f3(B, C, D) (B ^ C ^ D) 67 68 /* 69 * nota bene: the variable K0 appears in the curses library, so we 70 * give longer names to these variables to avoid spurious warnings 71 * on systems that uses curses 72 */ 73 74 uint32_t SHA_K0 = 0x5A827999; /* Kt for 0 <= t <= 19 */ 75 uint32_t SHA_K1 = 0x6ED9EBA1; /* Kt for 20 <= t <= 39 */ 76 uint32_t SHA_K2 = 0x8F1BBCDC; /* Kt for 40 <= t <= 59 */ 77 uint32_t SHA_K3 = 0xCA62C1D6; /* Kt for 60 <= t <= 79 */ 78 79 /* 80 * srtp_sha1_core(M, H) computes the core compression function, where M is 81 * the next part of the message (in network byte order) and H is the 82 * intermediate state { H0, H1, ...} (in host byte order) 83 * 84 * this function does not do any of the padding required in the 85 * complete SHA1 function 86 * 87 * this function is used in the SEAL 3.0 key setup routines 88 * (crypto/cipher/seal.c) 89 */ 90 91 void srtp_sha1_core(const uint32_t M[16], uint32_t hash_value[5]) 92 { 93 uint32_t H0; 94 uint32_t H1; 95 uint32_t H2; 96 uint32_t H3; 97 uint32_t H4; 98 uint32_t W[80]; 99 uint32_t A, B, C, D, E, TEMP; 100 int t; 101 102 /* copy hash_value into H0, H1, H2, H3, H4 */ 103 H0 = hash_value[0]; 104 H1 = hash_value[1]; 105 H2 = hash_value[2]; 106 H3 = hash_value[3]; 107 H4 = hash_value[4]; 108 109 /* copy/xor message into array */ 110 111 W[0] = be32_to_cpu(M[0]); 112 W[1] = be32_to_cpu(M[1]); 113 W[2] = be32_to_cpu(M[2]); 114 W[3] = be32_to_cpu(M[3]); 115 W[4] = be32_to_cpu(M[4]); 116 W[5] = be32_to_cpu(M[5]); 117 W[6] = be32_to_cpu(M[6]); 118 W[7] = be32_to_cpu(M[7]); 119 W[8] = be32_to_cpu(M[8]); 120 W[9] = be32_to_cpu(M[9]); 121 W[10] = be32_to_cpu(M[10]); 122 W[11] = be32_to_cpu(M[11]); 123 W[12] = be32_to_cpu(M[12]); 124 W[13] = be32_to_cpu(M[13]); 125 W[14] = be32_to_cpu(M[14]); 126 W[15] = be32_to_cpu(M[15]); 127 TEMP = W[13] ^ W[8] ^ W[2] ^ W[0]; 128 W[16] = S1(TEMP); 129 TEMP = W[14] ^ W[9] ^ W[3] ^ W[1]; 130 W[17] = S1(TEMP); 131 TEMP = W[15] ^ W[10] ^ W[4] ^ W[2]; 132 W[18] = S1(TEMP); 133 TEMP = W[16] ^ W[11] ^ W[5] ^ W[3]; 134 W[19] = S1(TEMP); 135 TEMP = W[17] ^ W[12] ^ W[6] ^ W[4]; 136 W[20] = S1(TEMP); 137 TEMP = W[18] ^ W[13] ^ W[7] ^ W[5]; 138 W[21] = S1(TEMP); 139 TEMP = W[19] ^ W[14] ^ W[8] ^ W[6]; 140 W[22] = S1(TEMP); 141 TEMP = W[20] ^ W[15] ^ W[9] ^ W[7]; 142 W[23] = S1(TEMP); 143 TEMP = W[21] ^ W[16] ^ W[10] ^ W[8]; 144 W[24] = S1(TEMP); 145 TEMP = W[22] ^ W[17] ^ W[11] ^ W[9]; 146 W[25] = S1(TEMP); 147 TEMP = W[23] ^ W[18] ^ W[12] ^ W[10]; 148 W[26] = S1(TEMP); 149 TEMP = W[24] ^ W[19] ^ W[13] ^ W[11]; 150 W[27] = S1(TEMP); 151 TEMP = W[25] ^ W[20] ^ W[14] ^ W[12]; 152 W[28] = S1(TEMP); 153 TEMP = W[26] ^ W[21] ^ W[15] ^ W[13]; 154 W[29] = S1(TEMP); 155 TEMP = W[27] ^ W[22] ^ W[16] ^ W[14]; 156 W[30] = S1(TEMP); 157 TEMP = W[28] ^ W[23] ^ W[17] ^ W[15]; 158 W[31] = S1(TEMP); 159 160 /* process the remainder of the array */ 161 for (t = 32; t < 80; t++) { 162 TEMP = W[t - 3] ^ W[t - 8] ^ W[t - 14] ^ W[t - 16]; 163 W[t] = S1(TEMP); 164 } 165 166 A = H0; 167 B = H1; 168 C = H2; 169 D = H3; 170 E = H4; 171 172 for (t = 0; t < 20; t++) { 173 TEMP = S5(A) + f0(B, C, D) + E + W[t] + SHA_K0; 174 E = D; 175 D = C; 176 C = S30(B); 177 B = A; 178 A = TEMP; 179 } 180 for (; t < 40; t++) { 181 TEMP = S5(A) + f1(B, C, D) + E + W[t] + SHA_K1; 182 E = D; 183 D = C; 184 C = S30(B); 185 B = A; 186 A = TEMP; 187 } 188 for (; t < 60; t++) { 189 TEMP = S5(A) + f2(B, C, D) + E + W[t] + SHA_K2; 190 E = D; 191 D = C; 192 C = S30(B); 193 B = A; 194 A = TEMP; 195 } 196 for (; t < 80; t++) { 197 TEMP = S5(A) + f3(B, C, D) + E + W[t] + SHA_K3; 198 E = D; 199 D = C; 200 C = S30(B); 201 B = A; 202 A = TEMP; 203 } 204 205 hash_value[0] = H0 + A; 206 hash_value[1] = H1 + B; 207 hash_value[2] = H2 + C; 208 hash_value[3] = H3 + D; 209 hash_value[4] = H4 + E; 210 211 return; 212 } 213 214 void srtp_sha1_init(srtp_sha1_ctx_t *ctx) 215 { 216 /* initialize state vector */ 217 ctx->H[0] = 0x67452301; 218 ctx->H[1] = 0xefcdab89; 219 ctx->H[2] = 0x98badcfe; 220 ctx->H[3] = 0x10325476; 221 ctx->H[4] = 0xc3d2e1f0; 222 223 /* indicate that message buffer is empty */ 224 ctx->octets_in_buffer = 0; 225 226 /* reset message bit-count to zero */ 227 ctx->num_bits_in_msg = 0; 228 } 229 230 void srtp_sha1_update(srtp_sha1_ctx_t *ctx, 231 const uint8_t *msg, 232 int octets_in_msg) 233 { 234 int i; 235 uint8_t *buf = (uint8_t *)ctx->M; 236 237 /* update message bit-count */ 238 ctx->num_bits_in_msg += octets_in_msg * 8; 239 240 /* loop over 16-word blocks of M */ 241 while (octets_in_msg > 0) { 242 if (octets_in_msg + ctx->octets_in_buffer >= 64) { 243 /* 244 * copy words of M into msg buffer until that buffer is full, 245 * converting them into host byte order as needed 246 */ 247 octets_in_msg -= (64 - ctx->octets_in_buffer); 248 for (i = ctx->octets_in_buffer; i < 64; i++) { 249 buf[i] = *msg++; 250 } 251 ctx->octets_in_buffer = 0; 252 253 /* process a whole block */ 254 255 debug_print0(srtp_mod_sha1, "(update) running srtp_sha1_core()"); 256 257 srtp_sha1_core(ctx->M, ctx->H); 258 259 } else { 260 debug_print0(srtp_mod_sha1, 261 "(update) not running srtp_sha1_core()"); 262 263 for (i = ctx->octets_in_buffer; 264 i < (ctx->octets_in_buffer + octets_in_msg); i++) { 265 buf[i] = *msg++; 266 } 267 ctx->octets_in_buffer += octets_in_msg; 268 octets_in_msg = 0; 269 } 270 } 271 } 272 273 /* 274 * srtp_sha1_final(ctx, output) computes the result for ctx and copies it 275 * into the twenty octets located at *output 276 */ 277 278 void srtp_sha1_final(srtp_sha1_ctx_t *ctx, uint32_t output[5]) 279 { 280 uint32_t A, B, C, D, E, TEMP; 281 uint32_t W[80]; 282 int i, t; 283 284 /* 285 * process the remaining octets_in_buffer, padding and terminating as 286 * necessary 287 */ 288 { 289 int tail = ctx->octets_in_buffer % 4; 290 291 /* copy/xor message into array */ 292 for (i = 0; i < (ctx->octets_in_buffer + 3) / 4; i++) { 293 W[i] = be32_to_cpu(ctx->M[i]); 294 } 295 296 /* set the high bit of the octet immediately following the message */ 297 switch (tail) { 298 case (3): 299 W[i - 1] = (be32_to_cpu(ctx->M[i - 1]) & 0xffffff00) | 0x80; 300 W[i] = 0x0; 301 break; 302 case (2): 303 W[i - 1] = (be32_to_cpu(ctx->M[i - 1]) & 0xffff0000) | 0x8000; 304 W[i] = 0x0; 305 break; 306 case (1): 307 W[i - 1] = (be32_to_cpu(ctx->M[i - 1]) & 0xff000000) | 0x800000; 308 W[i] = 0x0; 309 break; 310 case (0): 311 W[i] = 0x80000000; 312 break; 313 } 314 315 /* zeroize remaining words */ 316 for (i++; i < 15; i++) { 317 W[i] = 0x0; 318 } 319 320 /* 321 * if there is room at the end of the word array, then set the 322 * last word to the bit-length of the message; otherwise, set that 323 * word to zero and then we need to do one more run of the 324 * compression algo. 325 */ 326 if (ctx->octets_in_buffer < 56) { 327 W[15] = ctx->num_bits_in_msg; 328 } else if (ctx->octets_in_buffer < 60) { 329 W[15] = 0x0; 330 } 331 332 /* process the word array */ 333 for (t = 16; t < 80; t++) { 334 TEMP = W[t - 3] ^ W[t - 8] ^ W[t - 14] ^ W[t - 16]; 335 W[t] = S1(TEMP); 336 } 337 338 A = ctx->H[0]; 339 B = ctx->H[1]; 340 C = ctx->H[2]; 341 D = ctx->H[3]; 342 E = ctx->H[4]; 343 344 for (t = 0; t < 20; t++) { 345 TEMP = S5(A) + f0(B, C, D) + E + W[t] + SHA_K0; 346 E = D; 347 D = C; 348 C = S30(B); 349 B = A; 350 A = TEMP; 351 } 352 for (; t < 40; t++) { 353 TEMP = S5(A) + f1(B, C, D) + E + W[t] + SHA_K1; 354 E = D; 355 D = C; 356 C = S30(B); 357 B = A; 358 A = TEMP; 359 } 360 for (; t < 60; t++) { 361 TEMP = S5(A) + f2(B, C, D) + E + W[t] + SHA_K2; 362 E = D; 363 D = C; 364 C = S30(B); 365 B = A; 366 A = TEMP; 367 } 368 for (; t < 80; t++) { 369 TEMP = S5(A) + f3(B, C, D) + E + W[t] + SHA_K3; 370 E = D; 371 D = C; 372 C = S30(B); 373 B = A; 374 A = TEMP; 375 } 376 377 ctx->H[0] += A; 378 ctx->H[1] += B; 379 ctx->H[2] += C; 380 ctx->H[3] += D; 381 ctx->H[4] += E; 382 } 383 384 debug_print0(srtp_mod_sha1, "(final) running srtp_sha1_core()"); 385 386 if (ctx->octets_in_buffer >= 56) { 387 debug_print0(srtp_mod_sha1, "(final) running srtp_sha1_core() again"); 388 389 /* we need to do one final run of the compression algo */ 390 391 /* 392 * set initial part of word array to zeros, and set the 393 * final part to the number of bits in the message 394 */ 395 for (i = 0; i < 15; i++) { 396 W[i] = 0x0; 397 } 398 W[15] = ctx->num_bits_in_msg; 399 400 /* process the word array */ 401 for (t = 16; t < 80; t++) { 402 TEMP = W[t - 3] ^ W[t - 8] ^ W[t - 14] ^ W[t - 16]; 403 W[t] = S1(TEMP); 404 } 405 406 A = ctx->H[0]; 407 B = ctx->H[1]; 408 C = ctx->H[2]; 409 D = ctx->H[3]; 410 E = ctx->H[4]; 411 412 for (t = 0; t < 20; t++) { 413 TEMP = S5(A) + f0(B, C, D) + E + W[t] + SHA_K0; 414 E = D; 415 D = C; 416 C = S30(B); 417 B = A; 418 A = TEMP; 419 } 420 for (; t < 40; t++) { 421 TEMP = S5(A) + f1(B, C, D) + E + W[t] + SHA_K1; 422 E = D; 423 D = C; 424 C = S30(B); 425 B = A; 426 A = TEMP; 427 } 428 for (; t < 60; t++) { 429 TEMP = S5(A) + f2(B, C, D) + E + W[t] + SHA_K2; 430 E = D; 431 D = C; 432 C = S30(B); 433 B = A; 434 A = TEMP; 435 } 436 for (; t < 80; t++) { 437 TEMP = S5(A) + f3(B, C, D) + E + W[t] + SHA_K3; 438 E = D; 439 D = C; 440 C = S30(B); 441 B = A; 442 A = TEMP; 443 } 444 445 ctx->H[0] += A; 446 ctx->H[1] += B; 447 ctx->H[2] += C; 448 ctx->H[3] += D; 449 ctx->H[4] += E; 450 } 451 452 /* copy result into output buffer */ 453 output[0] = be32_to_cpu(ctx->H[0]); 454 output[1] = be32_to_cpu(ctx->H[1]); 455 output[2] = be32_to_cpu(ctx->H[2]); 456 output[3] = be32_to_cpu(ctx->H[3]); 457 output[4] = be32_to_cpu(ctx->H[4]); 458 459 /* indicate that message buffer in context is empty */ 460 ctx->octets_in_buffer = 0; 461 462 return; 463 }