1: /* sha1.c - Functions to compute SHA1 message digest of files or
    2:    memory blocks according to the NIST specification FIPS-180-1.
    3: 
    4:    Copyright (C) 2007 Free Software Foundation, Inc.
    5: 
    6:    This file is part of the GNU Binutils.
    7: 
    8:    This program is free software; you can redistribute it and/or modify it
    9:    under the terms of the GNU General Public License as published by the
   10:    Free Software Foundation; either version 3, or (at your option) any
   11:    later version.
   12: 
   13:    This program is distributed in the hope that it will be useful,
   14:    but WITHOUT ANY WARRANTY; without even the implied warranty of
   15:    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   16:    GNU General Public License for more details.
   17: 
   18:    You should have received a copy of the GNU General Public License
   19:    along with this program; if not, write to the Free Software Foundation,
   20:    Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.  */
   21: 
   22: /* Written by Scott G. Miller
   23:    Credits:
   24:       Robert Klep <robert@ilse.nl>  -- Expansion function fix  */
   25: 
   26: #include <config.h>
   27: #include "sha1.h"
   28: #include <stddef.h>
   29: #include <string.h>
   30: 
   31: #if USE_UNLOCKED_IO
   32: # include "unlocked-io.h"
   33: #endif
   34: 
   35: #ifdef WORDS_BIGENDIAN
   36: # define SWAP(n) (n)
   37: #else
   38: # define SWAP(n) \
   39:     (((n) << 24) | (((n) & 0xff00) << 8) | (((n) >> 8) & 0xff00) | ((n) >> 24))
   40: #endif
   41: 
   42: #define BLOCKSIZE 4096
   43: #if BLOCKSIZE % 64 != 0
   44: # error "invalid BLOCKSIZE"
   45: #endif
   46: 
   47: /* This array contains the bytes used to pad the buffer to the next
   48:    64-byte boundary.  (RFC 1321, 3.1: Step 1)  */
   49: static const unsigned char fillbuf[64] = { 0x80, 0 /* , 0, 0, ...  */ };
   50: 
   51: 
   52: /* Take a pointer to a 160 bit block of data (five 32 bit ints) and
   53:    initialize it to the start constants of the SHA1 algorithm.  This
   54:    must be called before using hash in the call to sha1_hash.  */
   55: 
   56: void
   57: sha1_init_ctx (struct sha1_ctx *ctx)
   58: {
   59:   ctx->A = 0x67452301;
   60:   ctx->B = 0xefcdab89;
   61:   ctx->C = 0x98badcfe;
   62:   ctx->D = 0x10325476;
   63:   ctx->E = 0xc3d2e1f0;
   64: 
   65:   ctx->total[0] = ctx->total[1] = 0;
   66:   ctx->buflen = 0;
   67: }
   68: 
   69: /* Put result from CTX in first 20 bytes following RESBUF.  The result
   70:    must be in little endian byte order.
   71: 
   72:    IMPORTANT: On some systems it is required that RESBUF is correctly
   73:    aligned for a 32-bit value.  */
   74: 
   75: void *
   76: sha1_read_ctx (const struct sha1_ctx *ctx, void *resbuf)
   77: {
   78:   ((uint32_t *) resbuf)[0] = SWAP (ctx->A);
   79:   ((uint32_t *) resbuf)[1] = SWAP (ctx->B);
   80:   ((uint32_t *) resbuf)[2] = SWAP (ctx->C);
   81:   ((uint32_t *) resbuf)[3] = SWAP (ctx->D);
   82:   ((uint32_t *) resbuf)[4] = SWAP (ctx->E);
   83: 
   84:   return resbuf;
   85: }
   86: 
   87: /* Process the remaining bytes in the internal buffer and the usual
   88:    prolog according to the standard and write the result to RESBUF.
   89: 
   90:    IMPORTANT: On some systems it is required that RESBUF is correctly
   91:    aligned for a 32-bit value.  */
   92: 
   93: void *
   94: sha1_finish_ctx (struct sha1_ctx *ctx, void *resbuf)
   95: {
   96:   /* Take yet unprocessed bytes into account.  */
   97:   uint32_t bytes = ctx->buflen;
   98:   size_t size = (bytes < 56) ? 64 / 4 : 64 * 2 / 4;
   99: 
  100:   /* Now count remaining bytes.  */
  101:   ctx->total[0] += bytes;
  102:   if (ctx->total[0] < bytes)
  103:     ++ctx->total[1];
  104: 
  105:   /* Put the 64-bit file length in *bits* at the end of the buffer.  */
  106:   ctx->buffer[size - 2] = SWAP ((ctx->total[1] << 3) | (ctx->total[0] >> 29));
  107:   ctx->buffer[size - 1] = SWAP (ctx->total[0] << 3);
  108: 
  109:   memcpy (&((char *) ctx->buffer)[bytes], fillbuf, (size - 2) * 4 - bytes);
  110: 
  111:   /* Process last bytes.  */
  112:   sha1_process_block (ctx->buffer, size * 4, ctx);
  113: 
  114:   return sha1_read_ctx (ctx, resbuf);
  115: }
  116: 
  117: /* Compute SHA1 message digest for bytes read from STREAM.  The
  118:    resulting message digest number will be written into the 16 bytes
  119:    beginning at RESBLOCK.  */
  120: 
  121: int
  122: sha1_stream (FILE *stream, void *resblock)
  123: {
  124:   struct sha1_ctx ctx;
  125:   char buffer[BLOCKSIZE + 72];
  126:   size_t sum;
  127: 
  128:   /* Initialize the computation context.  */
  129:   sha1_init_ctx (&ctx);
  130: 
  131:   /* Iterate over full file contents.  */
  132:   while (1)
  133:     {
  134:       /* We read the file in blocks of BLOCKSIZE bytes.  One call of the
  135:          computation function processes the whole buffer so that with the
  136:          next round of the loop another block can be read.  */
  137:       size_t n;
  138:       sum = 0;
  139: 
  140:       /* Read block.  Take care for partial reads.  */
  141:       while (1)
  142:         {
  143:           n = fread (buffer + sum, 1, BLOCKSIZE - sum, stream);
  144: 
  145:           sum += n;
  146: 
  147:           if (sum == BLOCKSIZE)
  148:             break;
  149: 
  150:           if (n == 0)
  151:             {
  152:               /* Check for the error flag IFF N == 0, so that we don't
  153:                  exit the loop after a partial read due to e.g., EAGAIN
  154:                  or EWOULDBLOCK.  */
  155:               if (ferror (stream))
  156:                 return 1;
  157:               goto process_partial_block;
  158:             }
  159: 
  160:           /* We've read at least one byte, so ignore errors.  But always
  161:              check for EOF, since feof may be true even though N > 0.
  162:              Otherwise, we could end up calling fread after EOF.  */
  163:           if (feof (stream))
  164:             goto process_partial_block;
  165:         }
  166: 
  167:       /* Process buffer with BLOCKSIZE bytes.  Note that
  168:                         BLOCKSIZE % 64 == 0.  */
  169:       sha1_process_block (buffer, BLOCKSIZE, &ctx);
  170:     }
  171: 
  172:  process_partial_block:;
  173: 
  174:   /* Process any remaining bytes.  */
  175:   if (sum > 0)
  176:     sha1_process_bytes (buffer, sum, &ctx);
  177: 
  178:   /* Construct result in desired memory.  */
  179:   sha1_finish_ctx (&ctx, resblock);
  180:   return 0;
  181: }
  182: 
  183: /* Compute SHA1 message digest for LEN bytes beginning at BUFFER.  The
  184:    result is always in little endian byte order, so that a byte-wise
  185:    output yields to the wanted ASCII representation of the message
  186:    digest.  */
  187: 
  188: void *
  189: sha1_buffer (const char *buffer, size_t len, void *resblock)
  190: {
  191:   struct sha1_ctx ctx;
  192: 
  193:   /* Initialize the computation context.  */
  194:   sha1_init_ctx (&ctx);
  195: 
  196:   /* Process whole buffer but last len % 64 bytes.  */
  197:   sha1_process_bytes (buffer, len, &ctx);
  198: 
  199:   /* Put result in desired memory area.  */
  200:   return sha1_finish_ctx (&ctx, resblock);
  201: }
  202: 
  203: void
  204: sha1_process_bytes (const void *buffer, size_t len, struct sha1_ctx *ctx)
  205: {
  206:   /* When we already have some bits in our internal buffer concatenate
  207:      both inputs first.  */
  208:   if (ctx->buflen != 0)
  209:     {
  210:       size_t left_over = ctx->buflen;
  211:       size_t add = 128 - left_over > len ? len : 128 - left_over;
  212: 
  213:       memcpy (&((char *) ctx->buffer)[left_over], buffer, add);
  214:       ctx->buflen += add;
  215: 
  216:       if (ctx->buflen > 64)
  217:         {
  218:           sha1_process_block (ctx->buffer, ctx->buflen & ~63, ctx);
  219: 
  220:           ctx->buflen &= 63;
  221:           /* The regions in the following copy operation cannot overlap.  */
  222:           memcpy (ctx->buffer,
  223:                   &((char *) ctx->buffer)[(left_over + add) & ~63],
  224:                   ctx->buflen);
  225:         }
  226: 
  227:       buffer = (const char *) buffer + add;
  228:       len -= add;
  229:     }
  230: 
  231:   /* Process available complete blocks.  */
  232:   if (len >= 64)
  233:     {
  234: #if !_STRING_ARCH_unaligned
  235: # define alignof(type)  offsetof (struct { char c; type x; }, x)
  236: # define UNALIGNED_P(p) (((size_t) p) % alignof (uint32_t) != 0)
  237:       if (UNALIGNED_P (buffer))
  238:         while (len > 64)
  239:           {
  240:             sha1_process_block (memcpy (ctx->buffer, buffer, 64), 64, ctx);
  241:             buffer = (const char *) buffer + 64;
  242:             len -= 64;
  243:           }
  244:       else
  245: #endif
  246:         {
  247:           sha1_process_block (buffer, len & ~63, ctx);
  248:           buffer = (const char *) buffer + (len & ~63);
  249:           len &= 63;
  250:         }
  251:     }
  252: 
  253:   /* Move remaining bytes in internal buffer.  */
  254:   if (len > 0)
  255:     {
  256:       size_t left_over = ctx->buflen;
  257: 
  258:       memcpy (&((char *) ctx->buffer)[left_over], buffer, len);
  259:       left_over += len;
  260:       if (left_over >= 64)
  261:         {
  262:           sha1_process_block (ctx->buffer, 64, ctx);
  263:           left_over -= 64;
  264:           memcpy (ctx->buffer, &ctx->buffer[16], left_over);
  265:         }
  266:       ctx->buflen = left_over;
  267:     }
  268: }
  269: 
  270: /* --- Code below is the primary difference between md5.c and sha1.c --- */
  271: 
  272: /* SHA1 round constants.  */
  273: #define K1 0x5a827999
  274: #define K2 0x6ed9eba1
  275: #define K3 0x8f1bbcdc
  276: #define K4 0xca62c1d6
  277: 
  278: /* Round functions.  Note that F2 is the same as F4.  */
  279: #define F1(B,C,D) (D ^ (B & (C ^ D)))
  280: #define F2(B,C,D) (B ^ C ^ D)
  281: #define F3(B,C,D) ((B & C) | (D & (B | C)))
  282: #define F4(B,C,D) (B ^ C ^ D)
  283: 
  284: /* Process LEN bytes of BUFFER, accumulating context into CTX.
  285:    It is assumed that LEN % 64 == 0.
  286:    Most of this code comes from GnuPG's cipher/sha1.c.  */
  287: 
  288: void
  289: sha1_process_block (const void *buffer, size_t len, struct sha1_ctx *ctx)
  290: {
  291:   const uint32_t *words = buffer;
  292:   size_t nwords = len / sizeof (uint32_t);
  293:   const uint32_t *endp = words + nwords;
  294:   uint32_t x[16];
  295:   uint32_t a = ctx->A;
  296:   uint32_t b = ctx->B;
  297:   uint32_t c = ctx->C;
  298:   uint32_t d = ctx->D;
  299:   uint32_t e = ctx->E;
  300: 
  301:   /* First increment the byte count.  RFC 1321 specifies the possible
  302:      length of the file up to 2^64 bits.  Here we only compute the
  303:      number of bytes.  Do a double word increment.  */
  304:   ctx->total[0] += len;
  305:   if (ctx->total[0] < len)
  306:     ++ctx->total[1];
  307: 
  308: #define rol(x, n) (((x) << (n)) | ((uint32_t) (x) >> (32 - (n))))
  309: 
  310: #define M(I) (tm = x[I & 0x0f]       ^ x[(I - 14) & 0x0f] \
  311:                  ^ x[(I - 8) & 0x0f] ^ x[(I - 3) & 0x0f]  \
  312:                , (x[I & 0x0f] = rol (tm, 1)))
  313: 
  314: #define R(A,B,C,D,E,F,K,M)      \
  315:   do                            \
  316:     {                           \
  317:       E += rol (A, 5)           \
  318:         + F (B, C, D)          \
  319:         + K                    \
  320:         + M;                   \
  321:       B = rol (B, 30);          \
  322:     }                           \
  323:   while (0)
  324: 
  325:   while (words < endp)
  326:     {
  327:       uint32_t tm;
  328:       int t;
  329: 
  330:       for (t = 0; t < 16; t++)
  331:         {
  332:           x[t] = SWAP (*words);
  333:           words++;
  334:         }
  335: 
  336:       R (a, b, c, d, e, F1, K1, x[ 0]);
  337:       R (e, a, b, c, d, F1, K1, x[ 1]);
  338:       R (d, e, a, b, c, F1, K1, x[ 2]);
  339:       R (c, d, e, a, b, F1, K1, x[ 3]);
  340:       R (b, c, d, e, a, F1, K1, x[ 4]);
  341:       R (a, b, c, d, e, F1, K1, x[ 5]);
  342:       R (e, a, b, c, d, F1, K1, x[ 6]);
  343:       R (d, e, a, b, c, F1, K1, x[ 7]);
  344:       R (c, d, e, a, b, F1, K1, x[ 8]);
  345:       R (b, c, d, e, a, F1, K1, x[ 9]);
  346:       R (a, b, c, d, e, F1, K1, x[10]);
  347:       R (e, a, b, c, d, F1, K1, x[11]);
  348:       R (d, e, a, b, c, F1, K1, x[12]);
  349:       R (c, d, e, a, b, F1, K1, x[13]);
  350:       R (b, c, d, e, a, F1, K1, x[14]);
  351:       R (a, b, c, d, e, F1, K1, x[15]);
  352:       R (e, a, b, c, d, F1, K1, M(16));
  353:       R (d, e, a, b, c, F1, K1, M(17));
  354:       R (c, d, e, a, b, F1, K1, M(18));
  355:       R (b, c, d, e, a, F1, K1, M(19));
  356:       R (a, b, c, d, e, F2, K2, M(20));
  357:       R (e, a, b, c, d, F2, K2, M(21));
  358:       R (d, e, a, b, c, F2, K2, M(22));
  359:       R (c, d, e, a, b, F2, K2, M(23));
  360:       R (b, c, d, e, a, F2, K2, M(24));
  361:       R (a, b, c, d, e, F2, K2, M(25));
  362:       R (e, a, b, c, d, F2, K2, M(26));
  363:       R (d, e, a, b, c, F2, K2, M(27));
  364:       R (c, d, e, a, b, F2, K2, M(28));
  365:       R (b, c, d, e, a, F2, K2, M(29));
  366:       R (a, b, c, d, e, F2, K2, M(30));
  367:       R (e, a, b, c, d, F2, K2, M(31));
  368:       R (d, e, a, b, c, F2, K2, M(32));
  369:       R (c, d, e, a, b, F2, K2, M(33));
  370:       R (b, c, d, e, a, F2, K2, M(34));
  371:       R (a, b, c, d, e, F2, K2, M(35));
  372:       R (e, a, b, c, d, F2, K2, M(36));
  373:       R (d, e, a, b, c, F2, K2, M(37));
  374:       R (c, d, e, a, b, F2, K2, M(38));
  375:       R (b, c, d, e, a, F2, K2, M(39));
  376:       R (a, b, c, d, e, F3, K3, M(40));
  377:       R (e, a, b, c, d, F3, K3, M(41));
  378:       R (d, e, a, b, c, F3, K3, M(42));
  379:       R (c, d, e, a, b, F3, K3, M(43));
  380:       R (b, c, d, e, a, F3, K3, M(44));
  381:       R (a, b, c, d, e, F3, K3, M(45));
  382:       R (e, a, b, c, d, F3, K3, M(46));
  383:       R (d, e, a, b, c, F3, K3, M(47));
  384:       R (c, d, e, a, b, F3, K3, M(48));
  385:       R (b, c, d, e, a, F3, K3, M(49));
  386:       R (a, b, c, d, e, F3, K3, M(50));
  387:       R (e, a, b, c, d, F3, K3, M(51));
  388:       R (d, e, a, b, c, F3, K3, M(52));
  389:       R (c, d, e, a, b, F3, K3, M(53));
  390:       R (b, c, d, e, a, F3, K3, M(54));
  391:       R (a, b, c, d, e, F3, K3, M(55));
  392:       R (e, a, b, c, d, F3, K3, M(56));
  393:       R (d, e, a, b, c, F3, K3, M(57));
  394:       R (c, d, e, a, b, F3, K3, M(58));
  395:       R (b, c, d, e, a, F3, K3, M(59));
  396:       R (a, b, c, d, e, F4, K4, M(60));
  397:       R (e, a, b, c, d, F4, K4, M(61));
  398:       R (d, e, a, b, c, F4, K4, M(62));
  399:       R (c, d, e, a, b, F4, K4, M(63));
  400:       R (b, c, d, e, a, F4, K4, M(64));
  401:       R (a, b, c, d, e, F4, K4, M(65));
  402:       R (e, a, b, c, d, F4, K4, M(66));
  403:       R (d, e, a, b, c, F4, K4, M(67));
  404:       R (c, d, e, a, b, F4, K4, M(68));
  405:       R (b, c, d, e, a, F4, K4, M(69));
  406:       R (a, b, c, d, e, F4, K4, M(70));
  407:       R (e, a, b, c, d, F4, K4, M(71));
  408:       R (d, e, a, b, c, F4, K4, M(72));
  409:       R (c, d, e, a, b, F4, K4, M(73));
  410:       R (b, c, d, e, a, F4, K4, M(74));
  411:       R (a, b, c, d, e, F4, K4, M(75));
  412:       R (e, a, b, c, d, F4, K4, M(76));
  413:       R (d, e, a, b, c, F4, K4, M(77));
  414:       R (c, d, e, a, b, F4, K4, M(78));
  415:       R (b, c, d, e, a, F4, K4, M(79));
  416: 
  417:       a = ctx->A += a;
  418:       b = ctx->B += b;
  419:       c = ctx->C += c;
  420:       d = ctx->D += d;
  421:       e = ctx->E += e;
  422:     }
  423: }