sha1.c 13 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463
  1. /*
  2. * sha1.c
  3. *
  4. * an implementation of the Secure Hash Algorithm v.1 (SHA-1),
  5. * specified in FIPS 180-1
  6. *
  7. * David A. McGrew
  8. * Cisco Systems, Inc.
  9. */
  10. /*
  11. *
  12. * Copyright (c) 2001-2017, Cisco Systems, Inc.
  13. * All rights reserved.
  14. *
  15. * Redistribution and use in source and binary forms, with or without
  16. * modification, are permitted provided that the following conditions
  17. * are met:
  18. *
  19. * Redistributions of source code must retain the above copyright
  20. * notice, this list of conditions and the following disclaimer.
  21. *
  22. * Redistributions in binary form must reproduce the above
  23. * copyright notice, this list of conditions and the following
  24. * disclaimer in the documentation and/or other materials provided
  25. * with the distribution.
  26. *
  27. * Neither the name of the Cisco Systems, Inc. nor the names of its
  28. * contributors may be used to endorse or promote products derived
  29. * from this software without specific prior written permission.
  30. *
  31. * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
  32. * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
  33. * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
  34. * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
  35. * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
  36. * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
  37. * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
  38. * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  39. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  40. * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  41. * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  42. * OF THE POSSIBILITY OF SUCH DAMAGE.
  43. *
  44. */
  45. #ifdef HAVE_CONFIG_H
  46. #include <config.h>
  47. #endif
  48. #include "sha1.h"
  49. srtp_debug_module_t srtp_mod_sha1 = {
  50. 0, /* debugging is off by default */
  51. "sha-1" /* printable module name */
  52. };
  53. /* SN == Rotate left N bits */
  54. #define S1(X) ((X << 1) | (X >> 31))
  55. #define S5(X) ((X << 5) | (X >> 27))
  56. #define S30(X) ((X << 30) | (X >> 2))
  57. #define f0(B, C, D) ((B & C) | (~B & D))
  58. #define f1(B, C, D) (B ^ C ^ D)
  59. #define f2(B, C, D) ((B & C) | (B & D) | (C & D))
  60. #define f3(B, C, D) (B ^ C ^ D)
  61. /*
  62. * nota bene: the variable K0 appears in the curses library, so we
  63. * give longer names to these variables to avoid spurious warnings
  64. * on systems that uses curses
  65. */
  66. uint32_t SHA_K0 = 0x5A827999; /* Kt for 0 <= t <= 19 */
  67. uint32_t SHA_K1 = 0x6ED9EBA1; /* Kt for 20 <= t <= 39 */
  68. uint32_t SHA_K2 = 0x8F1BBCDC; /* Kt for 40 <= t <= 59 */
  69. uint32_t SHA_K3 = 0xCA62C1D6; /* Kt for 60 <= t <= 79 */
  70. /*
  71. * srtp_sha1_core(M, H) computes the core compression function, where M is
  72. * the next part of the message (in network byte order) and H is the
  73. * intermediate state { H0, H1, ...} (in host byte order)
  74. *
  75. * this function does not do any of the padding required in the
  76. * complete SHA1 function
  77. *
  78. * this function is used in the SEAL 3.0 key setup routines
  79. * (crypto/cipher/seal.c)
  80. */
  81. void srtp_sha1_core(const uint32_t M[16], uint32_t hash_value[5])
  82. {
  83. uint32_t H0;
  84. uint32_t H1;
  85. uint32_t H2;
  86. uint32_t H3;
  87. uint32_t H4;
  88. uint32_t W[80];
  89. uint32_t A, B, C, D, E, TEMP;
  90. int t;
  91. /* copy hash_value into H0, H1, H2, H3, H4 */
  92. H0 = hash_value[0];
  93. H1 = hash_value[1];
  94. H2 = hash_value[2];
  95. H3 = hash_value[3];
  96. H4 = hash_value[4];
  97. /* copy/xor message into array */
  98. W[0] = be32_to_cpu(M[0]);
  99. W[1] = be32_to_cpu(M[1]);
  100. W[2] = be32_to_cpu(M[2]);
  101. W[3] = be32_to_cpu(M[3]);
  102. W[4] = be32_to_cpu(M[4]);
  103. W[5] = be32_to_cpu(M[5]);
  104. W[6] = be32_to_cpu(M[6]);
  105. W[7] = be32_to_cpu(M[7]);
  106. W[8] = be32_to_cpu(M[8]);
  107. W[9] = be32_to_cpu(M[9]);
  108. W[10] = be32_to_cpu(M[10]);
  109. W[11] = be32_to_cpu(M[11]);
  110. W[12] = be32_to_cpu(M[12]);
  111. W[13] = be32_to_cpu(M[13]);
  112. W[14] = be32_to_cpu(M[14]);
  113. W[15] = be32_to_cpu(M[15]);
  114. TEMP = W[13] ^ W[8] ^ W[2] ^ W[0];
  115. W[16] = S1(TEMP);
  116. TEMP = W[14] ^ W[9] ^ W[3] ^ W[1];
  117. W[17] = S1(TEMP);
  118. TEMP = W[15] ^ W[10] ^ W[4] ^ W[2];
  119. W[18] = S1(TEMP);
  120. TEMP = W[16] ^ W[11] ^ W[5] ^ W[3];
  121. W[19] = S1(TEMP);
  122. TEMP = W[17] ^ W[12] ^ W[6] ^ W[4];
  123. W[20] = S1(TEMP);
  124. TEMP = W[18] ^ W[13] ^ W[7] ^ W[5];
  125. W[21] = S1(TEMP);
  126. TEMP = W[19] ^ W[14] ^ W[8] ^ W[6];
  127. W[22] = S1(TEMP);
  128. TEMP = W[20] ^ W[15] ^ W[9] ^ W[7];
  129. W[23] = S1(TEMP);
  130. TEMP = W[21] ^ W[16] ^ W[10] ^ W[8];
  131. W[24] = S1(TEMP);
  132. TEMP = W[22] ^ W[17] ^ W[11] ^ W[9];
  133. W[25] = S1(TEMP);
  134. TEMP = W[23] ^ W[18] ^ W[12] ^ W[10];
  135. W[26] = S1(TEMP);
  136. TEMP = W[24] ^ W[19] ^ W[13] ^ W[11];
  137. W[27] = S1(TEMP);
  138. TEMP = W[25] ^ W[20] ^ W[14] ^ W[12];
  139. W[28] = S1(TEMP);
  140. TEMP = W[26] ^ W[21] ^ W[15] ^ W[13];
  141. W[29] = S1(TEMP);
  142. TEMP = W[27] ^ W[22] ^ W[16] ^ W[14];
  143. W[30] = S1(TEMP);
  144. TEMP = W[28] ^ W[23] ^ W[17] ^ W[15];
  145. W[31] = S1(TEMP);
  146. /* process the remainder of the array */
  147. for (t = 32; t < 80; t++) {
  148. TEMP = W[t - 3] ^ W[t - 8] ^ W[t - 14] ^ W[t - 16];
  149. W[t] = S1(TEMP);
  150. }
  151. A = H0;
  152. B = H1;
  153. C = H2;
  154. D = H3;
  155. E = H4;
  156. for (t = 0; t < 20; t++) {
  157. TEMP = S5(A) + f0(B, C, D) + E + W[t] + SHA_K0;
  158. E = D;
  159. D = C;
  160. C = S30(B);
  161. B = A;
  162. A = TEMP;
  163. }
  164. for (; t < 40; t++) {
  165. TEMP = S5(A) + f1(B, C, D) + E + W[t] + SHA_K1;
  166. E = D;
  167. D = C;
  168. C = S30(B);
  169. B = A;
  170. A = TEMP;
  171. }
  172. for (; t < 60; t++) {
  173. TEMP = S5(A) + f2(B, C, D) + E + W[t] + SHA_K2;
  174. E = D;
  175. D = C;
  176. C = S30(B);
  177. B = A;
  178. A = TEMP;
  179. }
  180. for (; t < 80; t++) {
  181. TEMP = S5(A) + f3(B, C, D) + E + W[t] + SHA_K3;
  182. E = D;
  183. D = C;
  184. C = S30(B);
  185. B = A;
  186. A = TEMP;
  187. }
  188. hash_value[0] = H0 + A;
  189. hash_value[1] = H1 + B;
  190. hash_value[2] = H2 + C;
  191. hash_value[3] = H3 + D;
  192. hash_value[4] = H4 + E;
  193. return;
  194. }
  195. void srtp_sha1_init(srtp_sha1_ctx_t *ctx)
  196. {
  197. /* initialize state vector */
  198. ctx->H[0] = 0x67452301;
  199. ctx->H[1] = 0xefcdab89;
  200. ctx->H[2] = 0x98badcfe;
  201. ctx->H[3] = 0x10325476;
  202. ctx->H[4] = 0xc3d2e1f0;
  203. /* indicate that message buffer is empty */
  204. ctx->octets_in_buffer = 0;
  205. /* reset message bit-count to zero */
  206. ctx->num_bits_in_msg = 0;
  207. }
  208. void srtp_sha1_update(srtp_sha1_ctx_t *ctx,
  209. const uint8_t *msg,
  210. int octets_in_msg)
  211. {
  212. int i;
  213. uint8_t *buf = (uint8_t *)ctx->M;
  214. /* update message bit-count */
  215. ctx->num_bits_in_msg += octets_in_msg * 8;
  216. /* loop over 16-word blocks of M */
  217. while (octets_in_msg > 0) {
  218. if (octets_in_msg + ctx->octets_in_buffer >= 64) {
  219. /*
  220. * copy words of M into msg buffer until that buffer is full,
  221. * converting them into host byte order as needed
  222. */
  223. octets_in_msg -= (64 - ctx->octets_in_buffer);
  224. for (i = ctx->octets_in_buffer; i < 64; i++) {
  225. buf[i] = *msg++;
  226. }
  227. ctx->octets_in_buffer = 0;
  228. /* process a whole block */
  229. debug_print0(srtp_mod_sha1, "(update) running srtp_sha1_core()");
  230. srtp_sha1_core(ctx->M, ctx->H);
  231. } else {
  232. debug_print0(srtp_mod_sha1,
  233. "(update) not running srtp_sha1_core()");
  234. for (i = ctx->octets_in_buffer;
  235. i < (ctx->octets_in_buffer + octets_in_msg); i++) {
  236. buf[i] = *msg++;
  237. }
  238. ctx->octets_in_buffer += octets_in_msg;
  239. octets_in_msg = 0;
  240. }
  241. }
  242. }
  243. /*
  244. * srtp_sha1_final(ctx, output) computes the result for ctx and copies it
  245. * into the twenty octets located at *output
  246. */
  247. void srtp_sha1_final(srtp_sha1_ctx_t *ctx, uint32_t output[5])
  248. {
  249. uint32_t A, B, C, D, E, TEMP;
  250. uint32_t W[80];
  251. int i, t;
  252. /*
  253. * process the remaining octets_in_buffer, padding and terminating as
  254. * necessary
  255. */
  256. {
  257. int tail = ctx->octets_in_buffer % 4;
  258. /* copy/xor message into array */
  259. for (i = 0; i < (ctx->octets_in_buffer + 3) / 4; i++) {
  260. W[i] = be32_to_cpu(ctx->M[i]);
  261. }
  262. /* set the high bit of the octet immediately following the message */
  263. switch (tail) {
  264. case (3):
  265. W[i - 1] = (be32_to_cpu(ctx->M[i - 1]) & 0xffffff00) | 0x80;
  266. W[i] = 0x0;
  267. break;
  268. case (2):
  269. W[i - 1] = (be32_to_cpu(ctx->M[i - 1]) & 0xffff0000) | 0x8000;
  270. W[i] = 0x0;
  271. break;
  272. case (1):
  273. W[i - 1] = (be32_to_cpu(ctx->M[i - 1]) & 0xff000000) | 0x800000;
  274. W[i] = 0x0;
  275. break;
  276. case (0):
  277. W[i] = 0x80000000;
  278. break;
  279. }
  280. /* zeroize remaining words */
  281. for (i++; i < 15; i++) {
  282. W[i] = 0x0;
  283. }
  284. /*
  285. * if there is room at the end of the word array, then set the
  286. * last word to the bit-length of the message; otherwise, set that
  287. * word to zero and then we need to do one more run of the
  288. * compression algo.
  289. */
  290. if (ctx->octets_in_buffer < 56) {
  291. W[15] = ctx->num_bits_in_msg;
  292. } else if (ctx->octets_in_buffer < 60) {
  293. W[15] = 0x0;
  294. }
  295. /* process the word array */
  296. for (t = 16; t < 80; t++) {
  297. TEMP = W[t - 3] ^ W[t - 8] ^ W[t - 14] ^ W[t - 16];
  298. W[t] = S1(TEMP);
  299. }
  300. A = ctx->H[0];
  301. B = ctx->H[1];
  302. C = ctx->H[2];
  303. D = ctx->H[3];
  304. E = ctx->H[4];
  305. for (t = 0; t < 20; t++) {
  306. TEMP = S5(A) + f0(B, C, D) + E + W[t] + SHA_K0;
  307. E = D;
  308. D = C;
  309. C = S30(B);
  310. B = A;
  311. A = TEMP;
  312. }
  313. for (; t < 40; t++) {
  314. TEMP = S5(A) + f1(B, C, D) + E + W[t] + SHA_K1;
  315. E = D;
  316. D = C;
  317. C = S30(B);
  318. B = A;
  319. A = TEMP;
  320. }
  321. for (; t < 60; t++) {
  322. TEMP = S5(A) + f2(B, C, D) + E + W[t] + SHA_K2;
  323. E = D;
  324. D = C;
  325. C = S30(B);
  326. B = A;
  327. A = TEMP;
  328. }
  329. for (; t < 80; t++) {
  330. TEMP = S5(A) + f3(B, C, D) + E + W[t] + SHA_K3;
  331. E = D;
  332. D = C;
  333. C = S30(B);
  334. B = A;
  335. A = TEMP;
  336. }
  337. ctx->H[0] += A;
  338. ctx->H[1] += B;
  339. ctx->H[2] += C;
  340. ctx->H[3] += D;
  341. ctx->H[4] += E;
  342. }
  343. debug_print0(srtp_mod_sha1, "(final) running srtp_sha1_core()");
  344. if (ctx->octets_in_buffer >= 56) {
  345. debug_print0(srtp_mod_sha1, "(final) running srtp_sha1_core() again");
  346. /* we need to do one final run of the compression algo */
  347. /*
  348. * set initial part of word array to zeros, and set the
  349. * final part to the number of bits in the message
  350. */
  351. for (i = 0; i < 15; i++) {
  352. W[i] = 0x0;
  353. }
  354. W[15] = ctx->num_bits_in_msg;
  355. /* process the word array */
  356. for (t = 16; t < 80; t++) {
  357. TEMP = W[t - 3] ^ W[t - 8] ^ W[t - 14] ^ W[t - 16];
  358. W[t] = S1(TEMP);
  359. }
  360. A = ctx->H[0];
  361. B = ctx->H[1];
  362. C = ctx->H[2];
  363. D = ctx->H[3];
  364. E = ctx->H[4];
  365. for (t = 0; t < 20; t++) {
  366. TEMP = S5(A) + f0(B, C, D) + E + W[t] + SHA_K0;
  367. E = D;
  368. D = C;
  369. C = S30(B);
  370. B = A;
  371. A = TEMP;
  372. }
  373. for (; t < 40; t++) {
  374. TEMP = S5(A) + f1(B, C, D) + E + W[t] + SHA_K1;
  375. E = D;
  376. D = C;
  377. C = S30(B);
  378. B = A;
  379. A = TEMP;
  380. }
  381. for (; t < 60; t++) {
  382. TEMP = S5(A) + f2(B, C, D) + E + W[t] + SHA_K2;
  383. E = D;
  384. D = C;
  385. C = S30(B);
  386. B = A;
  387. A = TEMP;
  388. }
  389. for (; t < 80; t++) {
  390. TEMP = S5(A) + f3(B, C, D) + E + W[t] + SHA_K3;
  391. E = D;
  392. D = C;
  393. C = S30(B);
  394. B = A;
  395. A = TEMP;
  396. }
  397. ctx->H[0] += A;
  398. ctx->H[1] += B;
  399. ctx->H[2] += C;
  400. ctx->H[3] += D;
  401. ctx->H[4] += E;
  402. }
  403. /* copy result into output buffer */
  404. output[0] = be32_to_cpu(ctx->H[0]);
  405. output[1] = be32_to_cpu(ctx->H[1]);
  406. output[2] = be32_to_cpu(ctx->H[2]);
  407. output[3] = be32_to_cpu(ctx->H[3]);
  408. output[4] = be32_to_cpu(ctx->H[4]);
  409. /* indicate that message buffer in context is empty */
  410. ctx->octets_in_buffer = 0;
  411. return;
  412. }