Merge pull request #143 from marshmellow42/master
[legacy-proxmark3.git] / common / sha1.c
blobd20c54a429288cef97fc178ae8b55c4d4d770c94
1 /*
2 * FIPS-180-1 compliant SHA-1 implementation
4 * Copyright (C) 2006-2014, ARM Limited, All Rights Reserved
5 * This file is part of mbed TLS (https://tls.mbed.org)
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 2 of the License, or
10 * (at your option) any later version.
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License along
18 * with this program; if not, write to the Free Software Foundation, Inc.,
19 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22 * The SHA-1 standard was published by NIST in 1993.
24 * http://www.itl.nist.gov/fipspubs/fip180-1.htm
27 #if !defined(POLARSSL_CONFIG_FILE)
28 //#include "polarssl/config.h"
29 #define POLARSSL_SHA1_C
31 #else
32 #include POLARSSL_CONFIG_FILE
33 #endif
35 #if defined(POLARSSL_SHA1_C)
37 #include "sha1.h"
39 #include <string.h>
41 #if defined(POLARSSL_FS_IO)
42 #include <stdio.h>
43 #endif
45 #if defined(POLARSSL_SELF_TEST)
46 #if defined(POLARSSL_PLATFORM_C)
47 #include "polarssl/platform.h"
48 #else
49 #include <stdio.h>
50 #define polarssl_printf printf
51 #endif /* POLARSSL_PLATFORM_C */
52 #endif /* POLARSSL_SELF_TEST */
54 /* Implementation that should never be optimized out by the compiler */
55 static void polarssl_zeroize( void *v, size_t n ) {
56 volatile unsigned char *p = v; while( n-- ) *p++ = 0;
59 #if !defined(POLARSSL_SHA1_ALT)
62 * 32-bit integer manipulation macros (big endian)
64 #ifndef GET_UINT32_BE
65 #define GET_UINT32_BE(n,b,i) \
66 { \
67 (n) = ( (uint32_t) (b)[(i) ] << 24 ) \
68 | ( (uint32_t) (b)[(i) + 1] << 16 ) \
69 | ( (uint32_t) (b)[(i) + 2] << 8 ) \
70 | ( (uint32_t) (b)[(i) + 3] ); \
72 #endif
74 #ifndef PUT_UINT32_BE
75 #define PUT_UINT32_BE(n,b,i) \
76 { \
77 (b)[(i) ] = (unsigned char) ( (n) >> 24 ); \
78 (b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \
79 (b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \
80 (b)[(i) + 3] = (unsigned char) ( (n) ); \
82 #endif
84 void sha1_init( sha1_context *ctx )
86 memset( ctx, 0, sizeof( sha1_context ) );
89 void sha1_free( sha1_context *ctx )
91 if( ctx == NULL )
92 return;
94 polarssl_zeroize( ctx, sizeof( sha1_context ) );
98 * SHA-1 context setup
100 void sha1_starts( sha1_context *ctx )
102 ctx->total[0] = 0;
103 ctx->total[1] = 0;
105 ctx->state[0] = 0x67452301;
106 ctx->state[1] = 0xEFCDAB89;
107 ctx->state[2] = 0x98BADCFE;
108 ctx->state[3] = 0x10325476;
109 ctx->state[4] = 0xC3D2E1F0;
112 void sha1_process( sha1_context *ctx, const unsigned char data[64] )
114 uint32_t temp, W[16], A, B, C, D, E;
116 GET_UINT32_BE( W[ 0], data, 0 );
117 GET_UINT32_BE( W[ 1], data, 4 );
118 GET_UINT32_BE( W[ 2], data, 8 );
119 GET_UINT32_BE( W[ 3], data, 12 );
120 GET_UINT32_BE( W[ 4], data, 16 );
121 GET_UINT32_BE( W[ 5], data, 20 );
122 GET_UINT32_BE( W[ 6], data, 24 );
123 GET_UINT32_BE( W[ 7], data, 28 );
124 GET_UINT32_BE( W[ 8], data, 32 );
125 GET_UINT32_BE( W[ 9], data, 36 );
126 GET_UINT32_BE( W[10], data, 40 );
127 GET_UINT32_BE( W[11], data, 44 );
128 GET_UINT32_BE( W[12], data, 48 );
129 GET_UINT32_BE( W[13], data, 52 );
130 GET_UINT32_BE( W[14], data, 56 );
131 GET_UINT32_BE( W[15], data, 60 );
133 #define S(x,n) ((x << n) | ((x & 0xFFFFFFFF) >> (32 - n)))
135 #define R(t) \
137 temp = W[( t - 3 ) & 0x0F] ^ W[( t - 8 ) & 0x0F] ^ \
138 W[( t - 14 ) & 0x0F] ^ W[ t & 0x0F], \
139 ( W[t & 0x0F] = S(temp,1) ) \
142 #define P(a,b,c,d,e,x) \
144 e += S(a,5) + F(b,c,d) + K + x; b = S(b,30); \
147 A = ctx->state[0];
148 B = ctx->state[1];
149 C = ctx->state[2];
150 D = ctx->state[3];
151 E = ctx->state[4];
153 #define F(x,y,z) (z ^ (x & (y ^ z)))
154 #define K 0x5A827999
156 P( A, B, C, D, E, W[0] );
157 P( E, A, B, C, D, W[1] );
158 P( D, E, A, B, C, W[2] );
159 P( C, D, E, A, B, W[3] );
160 P( B, C, D, E, A, W[4] );
161 P( A, B, C, D, E, W[5] );
162 P( E, A, B, C, D, W[6] );
163 P( D, E, A, B, C, W[7] );
164 P( C, D, E, A, B, W[8] );
165 P( B, C, D, E, A, W[9] );
166 P( A, B, C, D, E, W[10] );
167 P( E, A, B, C, D, W[11] );
168 P( D, E, A, B, C, W[12] );
169 P( C, D, E, A, B, W[13] );
170 P( B, C, D, E, A, W[14] );
171 P( A, B, C, D, E, W[15] );
172 P( E, A, B, C, D, R(16) );
173 P( D, E, A, B, C, R(17) );
174 P( C, D, E, A, B, R(18) );
175 P( B, C, D, E, A, R(19) );
177 #undef K
178 #undef F
180 #define F(x,y,z) (x ^ y ^ z)
181 #define K 0x6ED9EBA1
183 P( A, B, C, D, E, R(20) );
184 P( E, A, B, C, D, R(21) );
185 P( D, E, A, B, C, R(22) );
186 P( C, D, E, A, B, R(23) );
187 P( B, C, D, E, A, R(24) );
188 P( A, B, C, D, E, R(25) );
189 P( E, A, B, C, D, R(26) );
190 P( D, E, A, B, C, R(27) );
191 P( C, D, E, A, B, R(28) );
192 P( B, C, D, E, A, R(29) );
193 P( A, B, C, D, E, R(30) );
194 P( E, A, B, C, D, R(31) );
195 P( D, E, A, B, C, R(32) );
196 P( C, D, E, A, B, R(33) );
197 P( B, C, D, E, A, R(34) );
198 P( A, B, C, D, E, R(35) );
199 P( E, A, B, C, D, R(36) );
200 P( D, E, A, B, C, R(37) );
201 P( C, D, E, A, B, R(38) );
202 P( B, C, D, E, A, R(39) );
204 #undef K
205 #undef F
207 #define F(x,y,z) ((x & y) | (z & (x | y)))
208 #define K 0x8F1BBCDC
210 P( A, B, C, D, E, R(40) );
211 P( E, A, B, C, D, R(41) );
212 P( D, E, A, B, C, R(42) );
213 P( C, D, E, A, B, R(43) );
214 P( B, C, D, E, A, R(44) );
215 P( A, B, C, D, E, R(45) );
216 P( E, A, B, C, D, R(46) );
217 P( D, E, A, B, C, R(47) );
218 P( C, D, E, A, B, R(48) );
219 P( B, C, D, E, A, R(49) );
220 P( A, B, C, D, E, R(50) );
221 P( E, A, B, C, D, R(51) );
222 P( D, E, A, B, C, R(52) );
223 P( C, D, E, A, B, R(53) );
224 P( B, C, D, E, A, R(54) );
225 P( A, B, C, D, E, R(55) );
226 P( E, A, B, C, D, R(56) );
227 P( D, E, A, B, C, R(57) );
228 P( C, D, E, A, B, R(58) );
229 P( B, C, D, E, A, R(59) );
231 #undef K
232 #undef F
234 #define F(x,y,z) (x ^ y ^ z)
235 #define K 0xCA62C1D6
237 P( A, B, C, D, E, R(60) );
238 P( E, A, B, C, D, R(61) );
239 P( D, E, A, B, C, R(62) );
240 P( C, D, E, A, B, R(63) );
241 P( B, C, D, E, A, R(64) );
242 P( A, B, C, D, E, R(65) );
243 P( E, A, B, C, D, R(66) );
244 P( D, E, A, B, C, R(67) );
245 P( C, D, E, A, B, R(68) );
246 P( B, C, D, E, A, R(69) );
247 P( A, B, C, D, E, R(70) );
248 P( E, A, B, C, D, R(71) );
249 P( D, E, A, B, C, R(72) );
250 P( C, D, E, A, B, R(73) );
251 P( B, C, D, E, A, R(74) );
252 P( A, B, C, D, E, R(75) );
253 P( E, A, B, C, D, R(76) );
254 P( D, E, A, B, C, R(77) );
255 P( C, D, E, A, B, R(78) );
256 P( B, C, D, E, A, R(79) );
258 #undef K
259 #undef F
261 ctx->state[0] += A;
262 ctx->state[1] += B;
263 ctx->state[2] += C;
264 ctx->state[3] += D;
265 ctx->state[4] += E;
269 * SHA-1 process buffer
271 void sha1_update( sha1_context *ctx, const unsigned char *input, size_t ilen )
273 size_t fill;
274 uint32_t left;
276 if( ilen == 0 )
277 return;
279 left = ctx->total[0] & 0x3F;
280 fill = 64 - left;
282 ctx->total[0] += (uint32_t) ilen;
283 ctx->total[0] &= 0xFFFFFFFF;
285 if( ctx->total[0] < (uint32_t) ilen )
286 ctx->total[1]++;
288 if( left && ilen >= fill )
290 memcpy( (void *) (ctx->buffer + left), input, fill );
291 sha1_process( ctx, ctx->buffer );
292 input += fill;
293 ilen -= fill;
294 left = 0;
297 while( ilen >= 64 )
299 sha1_process( ctx, input );
300 input += 64;
301 ilen -= 64;
304 if( ilen > 0 )
305 memcpy( (void *) (ctx->buffer + left), input, ilen );
308 static const unsigned char sha1_padding[64] =
310 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
311 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
312 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
313 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
317 * SHA-1 final digest
319 void sha1_finish( sha1_context *ctx, unsigned char output[20] )
321 uint32_t last, padn;
322 uint32_t high, low;
323 unsigned char msglen[8];
325 high = ( ctx->total[0] >> 29 )
326 | ( ctx->total[1] << 3 );
327 low = ( ctx->total[0] << 3 );
329 PUT_UINT32_BE( high, msglen, 0 );
330 PUT_UINT32_BE( low, msglen, 4 );
332 last = ctx->total[0] & 0x3F;
333 padn = ( last < 56 ) ? ( 56 - last ) : ( 120 - last );
335 sha1_update( ctx, sha1_padding, padn );
336 sha1_update( ctx, msglen, 8 );
338 PUT_UINT32_BE( ctx->state[0], output, 0 );
339 PUT_UINT32_BE( ctx->state[1], output, 4 );
340 PUT_UINT32_BE( ctx->state[2], output, 8 );
341 PUT_UINT32_BE( ctx->state[3], output, 12 );
342 PUT_UINT32_BE( ctx->state[4], output, 16 );
345 #endif /* !POLARSSL_SHA1_ALT */
348 * output = SHA-1( input buffer )
350 void sha1( const unsigned char *input, size_t ilen, unsigned char output[20] )
352 sha1_context ctx;
354 sha1_init( &ctx );
355 sha1_starts( &ctx );
356 sha1_update( &ctx, input, ilen );
357 sha1_finish( &ctx, output );
358 sha1_free( &ctx );
361 #if defined(POLARSSL_FS_IO)
363 * output = SHA-1( file contents )
365 int sha1_file( const char *path, unsigned char output[20] )
367 FILE *f;
368 size_t n;
369 sha1_context ctx;
370 unsigned char buf[1024];
372 if( ( f = fopen( path, "rb" ) ) == NULL )
373 return( POLARSSL_ERR_SHA1_FILE_IO_ERROR );
375 sha1_init( &ctx );
376 sha1_starts( &ctx );
378 while( ( n = fread( buf, 1, sizeof( buf ), f ) ) > 0 )
379 sha1_update( &ctx, buf, n );
381 sha1_finish( &ctx, output );
382 sha1_free( &ctx );
384 if( ferror( f ) != 0 )
386 fclose( f );
387 return( POLARSSL_ERR_SHA1_FILE_IO_ERROR );
390 fclose( f );
391 return( 0 );
393 #endif /* POLARSSL_FS_IO */
396 * SHA-1 HMAC context setup
398 void sha1_hmac_starts( sha1_context *ctx, const unsigned char *key,
399 size_t keylen )
401 size_t i;
402 unsigned char sum[20];
404 if( keylen > 64 )
406 sha1( key, keylen, sum );
407 keylen = 20;
408 key = sum;
411 memset( ctx->ipad, 0x36, 64 );
412 memset( ctx->opad, 0x5C, 64 );
414 for( i = 0; i < keylen; i++ )
416 ctx->ipad[i] = (unsigned char)( ctx->ipad[i] ^ key[i] );
417 ctx->opad[i] = (unsigned char)( ctx->opad[i] ^ key[i] );
420 sha1_starts( ctx );
421 sha1_update( ctx, ctx->ipad, 64 );
423 polarssl_zeroize( sum, sizeof( sum ) );
427 * SHA-1 HMAC process buffer
429 void sha1_hmac_update( sha1_context *ctx, const unsigned char *input,
430 size_t ilen )
432 sha1_update( ctx, input, ilen );
436 * SHA-1 HMAC final digest
438 void sha1_hmac_finish( sha1_context *ctx, unsigned char output[20] )
440 unsigned char tmpbuf[20];
442 sha1_finish( ctx, tmpbuf );
443 sha1_starts( ctx );
444 sha1_update( ctx, ctx->opad, 64 );
445 sha1_update( ctx, tmpbuf, 20 );
446 sha1_finish( ctx, output );
448 polarssl_zeroize( tmpbuf, sizeof( tmpbuf ) );
452 * SHA1 HMAC context reset
454 void sha1_hmac_reset( sha1_context *ctx )
456 sha1_starts( ctx );
457 sha1_update( ctx, ctx->ipad, 64 );
461 * output = HMAC-SHA-1( hmac key, input buffer )
463 void sha1_hmac( const unsigned char *key, size_t keylen,
464 const unsigned char *input, size_t ilen,
465 unsigned char output[20] )
467 sha1_context ctx;
469 sha1_init( &ctx );
470 sha1_hmac_starts( &ctx, key, keylen );
471 sha1_hmac_update( &ctx, input, ilen );
472 sha1_hmac_finish( &ctx, output );
473 sha1_free( &ctx );
476 #if defined(POLARSSL_SELF_TEST)
478 * FIPS-180-1 test vectors
480 static const unsigned char sha1_test_buf[3][57] =
482 { "abc" },
483 { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" },
484 { "" }
487 static const int sha1_test_buflen[3] =
489 3, 56, 1000
492 static const unsigned char sha1_test_sum[3][20] =
494 { 0xA9, 0x99, 0x3E, 0x36, 0x47, 0x06, 0x81, 0x6A, 0xBA, 0x3E,
495 0x25, 0x71, 0x78, 0x50, 0xC2, 0x6C, 0x9C, 0xD0, 0xD8, 0x9D },
496 { 0x84, 0x98, 0x3E, 0x44, 0x1C, 0x3B, 0xD2, 0x6E, 0xBA, 0xAE,
497 0x4A, 0xA1, 0xF9, 0x51, 0x29, 0xE5, 0xE5, 0x46, 0x70, 0xF1 },
498 { 0x34, 0xAA, 0x97, 0x3C, 0xD4, 0xC4, 0xDA, 0xA4, 0xF6, 0x1E,
499 0xEB, 0x2B, 0xDB, 0xAD, 0x27, 0x31, 0x65, 0x34, 0x01, 0x6F }
503 * RFC 2202 test vectors
505 static const unsigned char sha1_hmac_test_key[7][26] =
507 { "\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B"
508 "\x0B\x0B\x0B\x0B" },
509 { "Jefe" },
510 { "\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA"
511 "\xAA\xAA\xAA\xAA" },
512 { "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F\x10"
513 "\x11\x12\x13\x14\x15\x16\x17\x18\x19" },
514 { "\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C"
515 "\x0C\x0C\x0C\x0C" },
516 { "" }, /* 0xAA 80 times */
517 { "" }
520 static const int sha1_hmac_test_keylen[7] =
522 20, 4, 20, 25, 20, 80, 80
525 static const unsigned char sha1_hmac_test_buf[7][74] =
527 { "Hi There" },
528 { "what do ya want for nothing?" },
529 { "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
530 "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
531 "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
532 "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
533 "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD" },
534 { "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"
535 "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"
536 "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"
537 "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"
538 "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD" },
539 { "Test With Truncation" },
540 { "Test Using Larger Than Block-Size Key - Hash Key First" },
541 { "Test Using Larger Than Block-Size Key and Larger"
542 " Than One Block-Size Data" }
545 static const int sha1_hmac_test_buflen[7] =
547 8, 28, 50, 50, 20, 54, 73
550 static const unsigned char sha1_hmac_test_sum[7][20] =
552 { 0xB6, 0x17, 0x31, 0x86, 0x55, 0x05, 0x72, 0x64, 0xE2, 0x8B,
553 0xC0, 0xB6, 0xFB, 0x37, 0x8C, 0x8E, 0xF1, 0x46, 0xBE, 0x00 },
554 { 0xEF, 0xFC, 0xDF, 0x6A, 0xE5, 0xEB, 0x2F, 0xA2, 0xD2, 0x74,
555 0x16, 0xD5, 0xF1, 0x84, 0xDF, 0x9C, 0x25, 0x9A, 0x7C, 0x79 },
556 { 0x12, 0x5D, 0x73, 0x42, 0xB9, 0xAC, 0x11, 0xCD, 0x91, 0xA3,
557 0x9A, 0xF4, 0x8A, 0xA1, 0x7B, 0x4F, 0x63, 0xF1, 0x75, 0xD3 },
558 { 0x4C, 0x90, 0x07, 0xF4, 0x02, 0x62, 0x50, 0xC6, 0xBC, 0x84,
559 0x14, 0xF9, 0xBF, 0x50, 0xC8, 0x6C, 0x2D, 0x72, 0x35, 0xDA },
560 { 0x4C, 0x1A, 0x03, 0x42, 0x4B, 0x55, 0xE0, 0x7F, 0xE7, 0xF2,
561 0x7B, 0xE1 },
562 { 0xAA, 0x4A, 0xE5, 0xE1, 0x52, 0x72, 0xD0, 0x0E, 0x95, 0x70,
563 0x56, 0x37, 0xCE, 0x8A, 0x3B, 0x55, 0xED, 0x40, 0x21, 0x12 },
564 { 0xE8, 0xE9, 0x9D, 0x0F, 0x45, 0x23, 0x7D, 0x78, 0x6D, 0x6B,
565 0xBA, 0xA7, 0x96, 0x5C, 0x78, 0x08, 0xBB, 0xFF, 0x1A, 0x91 }
569 * Checkup routine
571 int sha1_self_test( int verbose )
573 int i, j, buflen, ret = 0;
574 unsigned char buf[1024];
575 unsigned char sha1sum[20];
576 sha1_context ctx;
578 sha1_init( &ctx );
581 * SHA-1
583 for( i = 0; i < 3; i++ )
585 if( verbose != 0 )
586 polarssl_printf( " SHA-1 test #%d: ", i + 1 );
588 sha1_starts( &ctx );
590 if( i == 2 )
592 memset( buf, 'a', buflen = 1000 );
594 for( j = 0; j < 1000; j++ )
595 sha1_update( &ctx, buf, buflen );
597 else
598 sha1_update( &ctx, sha1_test_buf[i],
599 sha1_test_buflen[i] );
601 sha1_finish( &ctx, sha1sum );
603 if( memcmp( sha1sum, sha1_test_sum[i], 20 ) != 0 )
605 if( verbose != 0 )
606 polarssl_printf( "failed\n" );
608 ret = 1;
609 goto exit;
612 if( verbose != 0 )
613 polarssl_printf( "passed\n" );
616 if( verbose != 0 )
617 polarssl_printf( "\n" );
619 for( i = 0; i < 7; i++ )
621 if( verbose != 0 )
622 polarssl_printf( " HMAC-SHA-1 test #%d: ", i + 1 );
624 if( i == 5 || i == 6 )
626 memset( buf, 0xAA, buflen = 80 );
627 sha1_hmac_starts( &ctx, buf, buflen );
629 else
630 sha1_hmac_starts( &ctx, sha1_hmac_test_key[i],
631 sha1_hmac_test_keylen[i] );
633 sha1_hmac_update( &ctx, sha1_hmac_test_buf[i],
634 sha1_hmac_test_buflen[i] );
636 sha1_hmac_finish( &ctx, sha1sum );
638 buflen = ( i == 4 ) ? 12 : 20;
640 if( memcmp( sha1sum, sha1_hmac_test_sum[i], buflen ) != 0 )
642 if( verbose != 0 )
643 polarssl_printf( "failed\n" );
645 ret = 1;
646 goto exit;
649 if( verbose != 0 )
650 polarssl_printf( "passed\n" );
653 if( verbose != 0 )
654 polarssl_printf( "\n" );
656 exit:
657 sha1_free( &ctx );
659 return( ret );
662 #endif /* POLARSSL_SELF_TEST */
664 #endif /* POLARSSL_SHA1_C */