CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/ext/libkirk/SHA1.c
Views: 1401
/* sha1.c : Implementation of the Secure Hash Algorithm */12/* SHA: NIST's Secure Hash Algorithm */34/* This version written November 2000 by David Ireland of5DI Management Services Pty Limited <[email protected]>67Adapted from code in the Python Cryptography Toolkit,8version 1.0.0 by A.M. Kuchling 1995.9*/1011/* AM Kuchling's posting:-12Based on SHA code originally posted to sci.crypt by Peter Gutmann13in message <[email protected]>.14Modified to test for endianness on creation of SHA objects by AMK.15Also, the original specification of SHA was found to have a weakness16by NSA/NIST. This code implements the fixed version of SHA.17*/1819/* Here's the first paragraph of Peter Gutmann's posting:2021The following is my SHA (FIPS 180) code updated to allow use of the "fixed"22SHA, thanks to Jim Gillogly and an anonymous contributor for the information on23what's changed in the new version. The fix is a simple change which involves24adding a single rotate in the initial expansion function. It is unknown25whether this is an optimal solution to the problem which was discovered in the26SHA or whether it's simply a bandaid which fixes the problem with a minimum of27effort (for example the reengineering of a great many Capstone chips).28*/2930/* h files included here to make this just one file ... */3132/* global.h */33343536/* sha.c */37#include "SHA1.h"3839#include <stdio.h>40#include <string.h>4142static void SHAtoByte(BYTE *output, UINT4 *input, unsigned int len);4344/* The SHS block size and message digest sizes, in bytes */4546#define SHS_DATASIZE 6447#define SHS_DIGESTSIZE 20484950/* The SHS f()-functions. The f1 and f3 functions can be optimized to51save one boolean operation each - thanks to Rich Schroeppel,52[email protected] for discovering this */5354/*#define f1(x,y,z) ( ( x & y ) | ( ~x & z ) ) // Rounds 0-19 */55#define f1(x,y,z) ( z ^ ( x & ( y ^ z ) ) ) /* Rounds 0-19 */56#define f2(x,y,z) ( x ^ y ^ z ) /* Rounds 20-39 */57/*#define f3(x,y,z) ( ( x & y ) | ( x & z ) | ( y & z ) ) // Rounds 40-59 */58#define f3(x,y,z) ( ( x & y ) | ( z & ( x | y ) ) ) /* Rounds 40-59 */59#define f4(x,y,z) ( x ^ y ^ z ) /* Rounds 60-79 */6061/* The SHS Mysterious Constants */6263#define K1 0x5A827999L /* Rounds 0-19 */64#define K2 0x6ED9EBA1L /* Rounds 20-39 */65#define K3 0x8F1BBCDCL /* Rounds 40-59 */66#define K4 0xCA62C1D6L /* Rounds 60-79 */6768/* SHS initial values */6970#define h0init 0x67452301L71#define h1init 0xEFCDAB89L72#define h2init 0x98BADCFEL73#define h3init 0x10325476L74#define h4init 0xC3D2E1F0L7576/* Note that it may be necessary to add parentheses to these macros if they77are to be called with expressions as arguments */78/* 32-bit rotate left - kludged with shifts */7980#define ROTL(n,X) ( ( ( X ) << n ) | ( ( X ) >> ( 32 - n ) ) )8182/* The initial expanding function. The hash function is defined over an8380-UINT2 expanded input array W, where the first 16 are copies of the input84data, and the remaining 64 are defined by8586W[ i ] = W[ i - 16 ] ^ W[ i - 14 ] ^ W[ i - 8 ] ^ W[ i - 3 ]8788This implementation generates these values on the fly in a circular89buffer - thanks to Colin Plumb, [email protected] for this90optimization.9192The updated SHS changes the expanding function by adding a rotate of 193bit. Thanks to Jim Gillogly, [email protected], and an anonymous contributor94for this information */9596#define expand(W,i) ( W[ i & 15 ] = ROTL( 1, ( W[ i & 15 ] ^ W[ (i - 14) & 15 ] ^ \97W[ (i - 8) & 15 ] ^ W[ (i - 3) & 15 ] ) ) )9899100/* The prototype SHS sub-round. The fundamental sub-round is:101102a' = e + ROTL( 5, a ) + f( b, c, d ) + k + data;103b' = a;104c' = ROTL( 30, b );105d' = c;106e' = d;107108but this is implemented by unrolling the loop 5 times and renaming the109variables ( e, a, b, c, d ) = ( a', b', c', d', e' ) each iteration.110This code is then replicated 20 times for each of the 4 functions, using111the next 20 values from the W[] array each time */112113#define subRound(a, b, c, d, e, f, k, data) \114( e += ROTL( 5, a ) + f( b, c, d ) + k + data, b = ROTL( 30, b ) )115116/* Initialize the SHS values */117118void SHAInit(SHA_CTX *shsInfo)119{120endianTest(&shsInfo->Endianness);121/* Set the h-vars to their initial values */122shsInfo->digest[ 0 ] = h0init;123shsInfo->digest[ 1 ] = h1init;124shsInfo->digest[ 2 ] = h2init;125shsInfo->digest[ 3 ] = h3init;126shsInfo->digest[ 4 ] = h4init;127128/* Initialise bit count */129shsInfo->countLo = shsInfo->countHi = 0;130}131132133/* Perform the SHS transformation. Note that this code, like MD5, seems to134break some optimizing compilers due to the complexity of the expressions135and the size of the basic block. It may be necessary to split it into136sections, e.g. based on the four subrounds137138Note that this corrupts the shsInfo->data area */139140static void SHSTransform( UINT4 *digest, UINT4 *data )141{142UINT4 A, B, C, D, E; /* Local vars */143UINT4 eData[ 16 ]; /* Expanded data */144145/* Set up first buffer and local data buffer */146A = digest[ 0 ];147B = digest[ 1 ];148C = digest[ 2 ];149D = digest[ 3 ];150E = digest[ 4 ];151memcpy( (POINTER)eData, (POINTER)data, SHS_DATASIZE );152153/* Heavy mangling, in 4 sub-rounds of 20 interations each. */154subRound( A, B, C, D, E, f1, K1, eData[ 0 ] );155subRound( E, A, B, C, D, f1, K1, eData[ 1 ] );156subRound( D, E, A, B, C, f1, K1, eData[ 2 ] );157subRound( C, D, E, A, B, f1, K1, eData[ 3 ] );158subRound( B, C, D, E, A, f1, K1, eData[ 4 ] );159subRound( A, B, C, D, E, f1, K1, eData[ 5 ] );160subRound( E, A, B, C, D, f1, K1, eData[ 6 ] );161subRound( D, E, A, B, C, f1, K1, eData[ 7 ] );162subRound( C, D, E, A, B, f1, K1, eData[ 8 ] );163subRound( B, C, D, E, A, f1, K1, eData[ 9 ] );164subRound( A, B, C, D, E, f1, K1, eData[ 10 ] );165subRound( E, A, B, C, D, f1, K1, eData[ 11 ] );166subRound( D, E, A, B, C, f1, K1, eData[ 12 ] );167subRound( C, D, E, A, B, f1, K1, eData[ 13 ] );168subRound( B, C, D, E, A, f1, K1, eData[ 14 ] );169subRound( A, B, C, D, E, f1, K1, eData[ 15 ] );170subRound( E, A, B, C, D, f1, K1, expand( eData, 16 ) );171subRound( D, E, A, B, C, f1, K1, expand( eData, 17 ) );172subRound( C, D, E, A, B, f1, K1, expand( eData, 18 ) );173subRound( B, C, D, E, A, f1, K1, expand( eData, 19 ) );174175subRound( A, B, C, D, E, f2, K2, expand( eData, 20 ) );176subRound( E, A, B, C, D, f2, K2, expand( eData, 21 ) );177subRound( D, E, A, B, C, f2, K2, expand( eData, 22 ) );178subRound( C, D, E, A, B, f2, K2, expand( eData, 23 ) );179subRound( B, C, D, E, A, f2, K2, expand( eData, 24 ) );180subRound( A, B, C, D, E, f2, K2, expand( eData, 25 ) );181subRound( E, A, B, C, D, f2, K2, expand( eData, 26 ) );182subRound( D, E, A, B, C, f2, K2, expand( eData, 27 ) );183subRound( C, D, E, A, B, f2, K2, expand( eData, 28 ) );184subRound( B, C, D, E, A, f2, K2, expand( eData, 29 ) );185subRound( A, B, C, D, E, f2, K2, expand( eData, 30 ) );186subRound( E, A, B, C, D, f2, K2, expand( eData, 31 ) );187subRound( D, E, A, B, C, f2, K2, expand( eData, 32 ) );188subRound( C, D, E, A, B, f2, K2, expand( eData, 33 ) );189subRound( B, C, D, E, A, f2, K2, expand( eData, 34 ) );190subRound( A, B, C, D, E, f2, K2, expand( eData, 35 ) );191subRound( E, A, B, C, D, f2, K2, expand( eData, 36 ) );192subRound( D, E, A, B, C, f2, K2, expand( eData, 37 ) );193subRound( C, D, E, A, B, f2, K2, expand( eData, 38 ) );194subRound( B, C, D, E, A, f2, K2, expand( eData, 39 ) );195196subRound( A, B, C, D, E, f3, K3, expand( eData, 40 ) );197subRound( E, A, B, C, D, f3, K3, expand( eData, 41 ) );198subRound( D, E, A, B, C, f3, K3, expand( eData, 42 ) );199subRound( C, D, E, A, B, f3, K3, expand( eData, 43 ) );200subRound( B, C, D, E, A, f3, K3, expand( eData, 44 ) );201subRound( A, B, C, D, E, f3, K3, expand( eData, 45 ) );202subRound( E, A, B, C, D, f3, K3, expand( eData, 46 ) );203subRound( D, E, A, B, C, f3, K3, expand( eData, 47 ) );204subRound( C, D, E, A, B, f3, K3, expand( eData, 48 ) );205subRound( B, C, D, E, A, f3, K3, expand( eData, 49 ) );206subRound( A, B, C, D, E, f3, K3, expand( eData, 50 ) );207subRound( E, A, B, C, D, f3, K3, expand( eData, 51 ) );208subRound( D, E, A, B, C, f3, K3, expand( eData, 52 ) );209subRound( C, D, E, A, B, f3, K3, expand( eData, 53 ) );210subRound( B, C, D, E, A, f3, K3, expand( eData, 54 ) );211subRound( A, B, C, D, E, f3, K3, expand( eData, 55 ) );212subRound( E, A, B, C, D, f3, K3, expand( eData, 56 ) );213subRound( D, E, A, B, C, f3, K3, expand( eData, 57 ) );214subRound( C, D, E, A, B, f3, K3, expand( eData, 58 ) );215subRound( B, C, D, E, A, f3, K3, expand( eData, 59 ) );216217subRound( A, B, C, D, E, f4, K4, expand( eData, 60 ) );218subRound( E, A, B, C, D, f4, K4, expand( eData, 61 ) );219subRound( D, E, A, B, C, f4, K4, expand( eData, 62 ) );220subRound( C, D, E, A, B, f4, K4, expand( eData, 63 ) );221subRound( B, C, D, E, A, f4, K4, expand( eData, 64 ) );222subRound( A, B, C, D, E, f4, K4, expand( eData, 65 ) );223subRound( E, A, B, C, D, f4, K4, expand( eData, 66 ) );224subRound( D, E, A, B, C, f4, K4, expand( eData, 67 ) );225subRound( C, D, E, A, B, f4, K4, expand( eData, 68 ) );226subRound( B, C, D, E, A, f4, K4, expand( eData, 69 ) );227subRound( A, B, C, D, E, f4, K4, expand( eData, 70 ) );228subRound( E, A, B, C, D, f4, K4, expand( eData, 71 ) );229subRound( D, E, A, B, C, f4, K4, expand( eData, 72 ) );230subRound( C, D, E, A, B, f4, K4, expand( eData, 73 ) );231subRound( B, C, D, E, A, f4, K4, expand( eData, 74 ) );232subRound( A, B, C, D, E, f4, K4, expand( eData, 75 ) );233subRound( E, A, B, C, D, f4, K4, expand( eData, 76 ) );234subRound( D, E, A, B, C, f4, K4, expand( eData, 77 ) );235subRound( C, D, E, A, B, f4, K4, expand( eData, 78 ) );236subRound( B, C, D, E, A, f4, K4, expand( eData, 79 ) );237238/* Build message digest */239digest[ 0 ] += A;240digest[ 1 ] += B;241digest[ 2 ] += C;242digest[ 3 ] += D;243digest[ 4 ] += E;244}245246/* When run on a little-endian CPU we need to perform byte reversal on an247array of long words. */248249static void longReverse(UINT4 *buffer, int byteCount, int Endianness )250{251UINT4 value;252253if (Endianness==TRUE) return;254byteCount /= sizeof( UINT4 );255while( byteCount-- )256{257value = *buffer;258value = ( ( value & 0xFF00FF00L ) >> 8 ) | \259( ( value & 0x00FF00FFL ) << 8 );260*buffer++ = ( value << 16 ) | ( value >> 16 );261}262}263264/* Update SHS for a block of data */265266void SHAUpdate(SHA_CTX *shsInfo, BYTE *buffer, int count)267{268UINT4 tmp;269int dataCount;270271/* Update bitcount */272tmp = shsInfo->countLo;273if ( ( shsInfo->countLo = tmp + ( ( UINT4 ) count << 3 ) ) < tmp )274shsInfo->countHi++; /* Carry from low to high */275shsInfo->countHi += count >> 29;276277/* Get count of bytes already in data */278dataCount = ( int ) ( tmp >> 3 ) & 0x3F;279280/* Handle any leading odd-sized chunks */281if( dataCount )282{283BYTE *p = ( BYTE * ) shsInfo->data + dataCount;284285dataCount = SHS_DATASIZE - dataCount;286if( count < dataCount )287{288memcpy( p, buffer, count );289return;290}291memcpy( p, buffer, dataCount );292longReverse( shsInfo->data, SHS_DATASIZE, shsInfo->Endianness);293SHSTransform( shsInfo->digest, shsInfo->data );294buffer += dataCount;295count -= dataCount;296}297298/* Process data in SHS_DATASIZE chunks */299while( count >= SHS_DATASIZE )300{301memcpy( (POINTER)shsInfo->data, (POINTER)buffer, SHS_DATASIZE );302longReverse( shsInfo->data, SHS_DATASIZE, shsInfo->Endianness );303SHSTransform( shsInfo->digest, shsInfo->data );304buffer += SHS_DATASIZE;305count -= SHS_DATASIZE;306}307308/* Handle any remaining bytes of data. */309memcpy( (POINTER)shsInfo->data, (POINTER)buffer, count );310}311312/* Final wrapup - pad to SHS_DATASIZE-byte boundary with the bit pattern3131 0* (64-bit count of bits processed, MSB-first) */314315void SHAFinal(BYTE *output, SHA_CTX *shsInfo)316{317int count;318BYTE *dataPtr;319320/* Compute number of bytes mod 64 */321count = ( int ) shsInfo->countLo;322count = ( count >> 3 ) & 0x3F;323324/* Set the first char of padding to 0x80. This is safe since there is325always at least one byte free */326dataPtr = ( BYTE * ) shsInfo->data + count;327*dataPtr++ = 0x80;328329/* Bytes of padding needed to make 64 bytes */330count = SHS_DATASIZE - 1 - count;331332/* Pad out to 56 mod 64 */333if( count < 8 )334{335/* Two lots of padding: Pad the first block to 64 bytes */336memset( dataPtr, 0, count );337longReverse( shsInfo->data, SHS_DATASIZE, shsInfo->Endianness );338SHSTransform( shsInfo->digest, shsInfo->data );339340/* Now fill the next block with 56 bytes */341memset( (POINTER)shsInfo->data, 0, SHS_DATASIZE - 8 );342}343else344/* Pad block to 56 bytes */345memset( dataPtr, 0, count - 8 );346347/* Append length in bits and transform */348shsInfo->data[ 14 ] = shsInfo->countHi;349shsInfo->data[ 15 ] = shsInfo->countLo;350351longReverse( shsInfo->data, SHS_DATASIZE - 8, shsInfo->Endianness );352SHSTransform( shsInfo->digest, shsInfo->data );353354/* Output to an array of bytes */355SHAtoByte(output, shsInfo->digest, SHS_DIGESTSIZE);356357/* Zeroise sensitive stuff */358memset((POINTER)shsInfo, 0, sizeof(*shsInfo));359}360361static void SHAtoByte(BYTE *output, UINT4 *input, unsigned int len)362{ /* Output SHA digest in byte array */363unsigned int i, j;364365for(i = 0, j = 0; j < len; i++, j += 4)366{367output[j+3] = (BYTE)( input[i] & 0xff);368output[j+2] = (BYTE)((input[i] >> 8 ) & 0xff);369output[j+1] = (BYTE)((input[i] >> 16) & 0xff);370output[j ] = (BYTE)((input[i] >> 24) & 0xff);371}372}373374375376377/* endian.c */378379void endianTest(int *endian_ness)380{381if((*(unsigned short *) ("#S") >> 8) == '#')382{383/* printf("Big endian = no change\n"); */384*endian_ness = !(0);385}386else387{388/* printf("Little endian = swap\n"); */389*endian_ness = 0;390}391}392393394