1 /* LibTomCrypt, modular cryptographic library -- Tom St Denis */
2 /* SPDX-License-Identifier: Unlicense */
3 #include "tomcrypt_private.h"
4 
5 /**
6   @file sha1.c
7   LTC_SHA1 code by Tom St Denis
8 */
9 
10 
11 #ifdef LTC_SHA1
12 
13 const struct ltc_hash_descriptor sha1_desc =
14 {
15     "sha1",
16     2,
17     20,
18     64,
19 
20     /* OID */
21    { 1, 3, 14, 3, 2, 26,  },
22    6,
23 
24     &sha1_init,
25     &sha1_process,
26     &sha1_done,
27     &sha1_test,
28     NULL
29 };
30 
31 #define F0(x,y,z)  (z ^ (x & (y ^ z)))
32 #define F1(x,y,z)  (x ^ y ^ z)
33 #define F2(x,y,z)  ((x & y) | (z & (x | y)))
34 #define F3(x,y,z)  (x ^ y ^ z)
35 
36 #ifdef LTC_CLEAN_STACK
ss_sha1_compress(hash_state * md,const unsigned char * buf)37 static int ss_sha1_compress(hash_state *md, const unsigned char *buf)
38 #else
39 static int  s_sha1_compress(hash_state *md, const unsigned char *buf)
40 #endif
41 {
42     ulong32 a,b,c,d,e,W[80],i;
43 #ifdef LTC_SMALL_CODE
44     ulong32 t;
45 #endif
46 
47     /* copy the state into 512-bits into W[0..15] */
48     for (i = 0; i < 16; i++) {
49         LOAD32H(W[i], buf + (4*i));
50     }
51 
52     /* copy state */
53     a = md->sha1.state[0];
54     b = md->sha1.state[1];
55     c = md->sha1.state[2];
56     d = md->sha1.state[3];
57     e = md->sha1.state[4];
58 
59     /* expand it */
60     for (i = 16; i < 80; i++) {
61         W[i] = ROL(W[i-3] ^ W[i-8] ^ W[i-14] ^ W[i-16], 1);
62     }
63 
64     /* compress */
65     /* round one */
66     #define FF0(a,b,c,d,e,i) e = (ROLc(a, 5) + F0(b,c,d) + e + W[i] + 0x5a827999UL); b = ROLc(b, 30);
67     #define FF1(a,b,c,d,e,i) e = (ROLc(a, 5) + F1(b,c,d) + e + W[i] + 0x6ed9eba1UL); b = ROLc(b, 30);
68     #define FF2(a,b,c,d,e,i) e = (ROLc(a, 5) + F2(b,c,d) + e + W[i] + 0x8f1bbcdcUL); b = ROLc(b, 30);
69     #define FF3(a,b,c,d,e,i) e = (ROLc(a, 5) + F3(b,c,d) + e + W[i] + 0xca62c1d6UL); b = ROLc(b, 30);
70 
71 #ifdef LTC_SMALL_CODE
72 
73     for (i = 0; i < 20; ) {
74        FF0(a,b,c,d,e,i++); t = e; e = d; d = c; c = b; b = a; a = t;
75     }
76 
77     for (; i < 40; ) {
78        FF1(a,b,c,d,e,i++); t = e; e = d; d = c; c = b; b = a; a = t;
79     }
80 
81     for (; i < 60; ) {
82        FF2(a,b,c,d,e,i++); t = e; e = d; d = c; c = b; b = a; a = t;
83     }
84 
85     for (; i < 80; ) {
86        FF3(a,b,c,d,e,i++); t = e; e = d; d = c; c = b; b = a; a = t;
87     }
88 
89 #else
90 
91     for (i = 0; i < 20; ) {
92        FF0(a,b,c,d,e,i++);
93        FF0(e,a,b,c,d,i++);
94        FF0(d,e,a,b,c,i++);
95        FF0(c,d,e,a,b,i++);
96        FF0(b,c,d,e,a,i++);
97     }
98 
99     /* round two */
100     for (; i < 40; )  {
101        FF1(a,b,c,d,e,i++);
102        FF1(e,a,b,c,d,i++);
103        FF1(d,e,a,b,c,i++);
104        FF1(c,d,e,a,b,i++);
105        FF1(b,c,d,e,a,i++);
106     }
107 
108     /* round three */
109     for (; i < 60; )  {
110        FF2(a,b,c,d,e,i++);
111        FF2(e,a,b,c,d,i++);
112        FF2(d,e,a,b,c,i++);
113        FF2(c,d,e,a,b,i++);
114        FF2(b,c,d,e,a,i++);
115     }
116 
117     /* round four */
118     for (; i < 80; )  {
119        FF3(a,b,c,d,e,i++);
120        FF3(e,a,b,c,d,i++);
121        FF3(d,e,a,b,c,i++);
122        FF3(c,d,e,a,b,i++);
123        FF3(b,c,d,e,a,i++);
124     }
125 #endif
126 
127     #undef FF0
128     #undef FF1
129     #undef FF2
130     #undef FF3
131 
132     /* store */
133     md->sha1.state[0] = md->sha1.state[0] + a;
134     md->sha1.state[1] = md->sha1.state[1] + b;
135     md->sha1.state[2] = md->sha1.state[2] + c;
136     md->sha1.state[3] = md->sha1.state[3] + d;
137     md->sha1.state[4] = md->sha1.state[4] + e;
138 
139     return CRYPT_OK;
140 }
141 
142 #ifdef LTC_CLEAN_STACK
s_sha1_compress(hash_state * md,const unsigned char * buf)143 static int s_sha1_compress(hash_state *md, const unsigned char *buf)
144 {
145    int err;
146    err = ss_sha1_compress(md, buf);
147    burn_stack(sizeof(ulong32) * 87);
148    return err;
149 }
150 #endif
151 
152 /**
153    Initialize the hash state
154    @param md   The hash state you wish to initialize
155    @return CRYPT_OK if successful
156 */
sha1_init(hash_state * md)157 int sha1_init(hash_state * md)
158 {
159    LTC_ARGCHK(md != NULL);
160    md->sha1.state[0] = 0x67452301UL;
161    md->sha1.state[1] = 0xefcdab89UL;
162    md->sha1.state[2] = 0x98badcfeUL;
163    md->sha1.state[3] = 0x10325476UL;
164    md->sha1.state[4] = 0xc3d2e1f0UL;
165    md->sha1.curlen = 0;
166    md->sha1.length = 0;
167    return CRYPT_OK;
168 }
169 
170 /**
171    Process a block of memory though the hash
172    @param md     The hash state
173    @param in     The data to hash
174    @param inlen  The length of the data (octets)
175    @return CRYPT_OK if successful
176 */
177 HASH_PROCESS(sha1_process, s_sha1_compress, sha1, 64)
178 
179 /**
180    Terminate the hash to get the digest
181    @param md  The hash state
182    @param out [out] The destination of the hash (20 bytes)
183    @return CRYPT_OK if successful
184 */
sha1_done(hash_state * md,unsigned char * out)185 int sha1_done(hash_state * md, unsigned char *out)
186 {
187     int i;
188 
189     LTC_ARGCHK(md  != NULL);
190     LTC_ARGCHK(out != NULL);
191 
192     if (md->sha1.curlen >= sizeof(md->sha1.buf)) {
193        return CRYPT_INVALID_ARG;
194     }
195 
196     /* increase the length of the message */
197     md->sha1.length += md->sha1.curlen * 8;
198 
199     /* append the '1' bit */
200     md->sha1.buf[md->sha1.curlen++] = (unsigned char)0x80;
201 
202     /* if the length is currently above 56 bytes we append zeros
203      * then compress.  Then we can fall back to padding zeros and length
204      * encoding like normal.
205      */
206     if (md->sha1.curlen > 56) {
207         while (md->sha1.curlen < 64) {
208             md->sha1.buf[md->sha1.curlen++] = (unsigned char)0;
209         }
210         s_sha1_compress(md, md->sha1.buf);
211         md->sha1.curlen = 0;
212     }
213 
214     /* pad upto 56 bytes of zeroes */
215     while (md->sha1.curlen < 56) {
216         md->sha1.buf[md->sha1.curlen++] = (unsigned char)0;
217     }
218 
219     /* store length */
220     STORE64H(md->sha1.length, md->sha1.buf+56);
221     s_sha1_compress(md, md->sha1.buf);
222 
223     /* copy output */
224     for (i = 0; i < 5; i++) {
225         STORE32H(md->sha1.state[i], out+(4*i));
226     }
227 #ifdef LTC_CLEAN_STACK
228     zeromem(md, sizeof(hash_state));
229 #endif
230     return CRYPT_OK;
231 }
232 
233 /**
234   Self-test the hash
235   @return CRYPT_OK if successful, CRYPT_NOP if self-tests have been disabled
236 */
sha1_test(void)237 int  sha1_test(void)
238 {
239  #ifndef LTC_TEST
240     return CRYPT_NOP;
241  #else
242   static const struct {
243       const char *msg;
244       unsigned char hash[20];
245   } tests[] = {
246     { "abc",
247       { 0xa9, 0x99, 0x3e, 0x36, 0x47, 0x06, 0x81, 0x6a,
248         0xba, 0x3e, 0x25, 0x71, 0x78, 0x50, 0xc2, 0x6c,
249         0x9c, 0xd0, 0xd8, 0x9d }
250     },
251     { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
252       { 0x84, 0x98, 0x3E, 0x44, 0x1C, 0x3B, 0xD2, 0x6E,
253         0xBA, 0xAE, 0x4A, 0xA1, 0xF9, 0x51, 0x29, 0xE5,
254         0xE5, 0x46, 0x70, 0xF1 }
255     }
256   };
257 
258   int i;
259   unsigned char tmp[20];
260   hash_state md;
261 
262   for (i = 0; i < (int)(sizeof(tests) / sizeof(tests[0]));  i++) {
263       sha1_init(&md);
264       sha1_process(&md, (unsigned char*)tests[i].msg, (unsigned long)XSTRLEN(tests[i].msg));
265       sha1_done(&md, tmp);
266       if (compare_testvector(tmp, sizeof(tmp), tests[i].hash, sizeof(tests[i].hash), "SHA1", i)) {
267          return CRYPT_FAIL_TESTVECTOR;
268       }
269   }
270   return CRYPT_OK;
271   #endif
272 }
273 
274 #endif
275 
276 
277