4 * Implementation of the Secure Hash Algorithm version 1 (FIPS 180-1).
9 * The default SHA-1 transform is based on public domain code by Steve Reid.
11 * The author dedicates this file to the public domain.
12 * You can do whatever you want with this file.
19 #include "wimlib/endianness.h"
20 #include "wimlib/sha1.h"
22 /* Dummy SHA-1 message digest of all 0's. This is used in the WIM format to
23 * mean "SHA-1 not specified". */
24 const u8 zero_hash[20];
27 * Builds a hexadecimal string representation of a SHA-1 message digest.
29 * The output buffer must be at least 41 characters.
32 sprint_hash(const u8 hash[SHA1_HASH_SIZE], tchar strbuf[SHA1_HASH_SIZE * 2 + 1])
37 for (i = 0; i < SHA1_HASH_SIZE; i++) {
40 strbuf[i * 2 + 0] = (high < 10 ? high + '0' : high - 10 + 'a');
41 strbuf[i * 2 + 1] = (low < 10 ? low + '0' : low - 10 + 'a');
46 /* If we use libcrypto (e.g. OpenSSL) then we get all the SHA-1 functions for
47 * free. Otherwise we need to implement them ourselves. */
49 #ifndef WITH_LIBCRYPTO
51 #define rol(value, bits) (((value) << (bits)) | ((value) >> (32 - (bits))))
53 #define blk0(i) (tmp[i] = be32_to_cpu(((const be32 *)block)[i]))
55 #define blk(i) (tmp[i & 15] = rol(tmp[(i + 13) & 15] ^ \
58 tmp[(i + 0) & 15], 1))
60 #define R0(v, w, x, y, z, i) \
61 z += ((w & (x ^ y)) ^ y) + blk0(i) + 0x5A827999 + rol(v, 5); \
64 #define R1(v, w, x, y, z, i) \
65 z += ((w & (x ^ y)) ^ y) + blk(i) + 0x5A827999 + rol(v, 5); \
68 #define R2(v, w, x, y, z, i) \
69 z += (w ^ x ^ y) + blk(i) + 0x6ED9EBA1 + rol(v, 5); \
72 #define R3(v, w, x, y, z, i) \
73 z += (((w | x) & y) | (w & x)) + blk(i) + 0x8F1BBCDC + rol(v, 5); \
76 #define R4(v, w, x, y, z, i) \
77 z += (w ^ x ^ y) + blk(i) + 0xCA62C1D6 + rol(v, 5); \
80 /* Hash a single 512-bit block. This is the core of the algorithm. */
82 sha1_transform_default(u32 state[5], const u8 block[64])
87 /* Copy ctx->state[] to working vars */
94 /* 4 rounds of 20 operations each. Loop unrolled. */
95 R0(a,b,c,d,e, 0); R0(e,a,b,c,d, 1); R0(d,e,a,b,c, 2); R0(c,d,e,a,b, 3);
96 R0(b,c,d,e,a, 4); R0(a,b,c,d,e, 5); R0(e,a,b,c,d, 6); R0(d,e,a,b,c, 7);
97 R0(c,d,e,a,b, 8); R0(b,c,d,e,a, 9); R0(a,b,c,d,e,10); R0(e,a,b,c,d,11);
98 R0(d,e,a,b,c,12); R0(c,d,e,a,b,13); R0(b,c,d,e,a,14); R0(a,b,c,d,e,15);
99 R1(e,a,b,c,d,16); R1(d,e,a,b,c,17); R1(c,d,e,a,b,18); R1(b,c,d,e,a,19);
100 R2(a,b,c,d,e,20); R2(e,a,b,c,d,21); R2(d,e,a,b,c,22); R2(c,d,e,a,b,23);
101 R2(b,c,d,e,a,24); R2(a,b,c,d,e,25); R2(e,a,b,c,d,26); R2(d,e,a,b,c,27);
102 R2(c,d,e,a,b,28); R2(b,c,d,e,a,29); R2(a,b,c,d,e,30); R2(e,a,b,c,d,31);
103 R2(d,e,a,b,c,32); R2(c,d,e,a,b,33); R2(b,c,d,e,a,34); R2(a,b,c,d,e,35);
104 R2(e,a,b,c,d,36); R2(d,e,a,b,c,37); R2(c,d,e,a,b,38); R2(b,c,d,e,a,39);
105 R3(a,b,c,d,e,40); R3(e,a,b,c,d,41); R3(d,e,a,b,c,42); R3(c,d,e,a,b,43);
106 R3(b,c,d,e,a,44); R3(a,b,c,d,e,45); R3(e,a,b,c,d,46); R3(d,e,a,b,c,47);
107 R3(c,d,e,a,b,48); R3(b,c,d,e,a,49); R3(a,b,c,d,e,50); R3(e,a,b,c,d,51);
108 R3(d,e,a,b,c,52); R3(c,d,e,a,b,53); R3(b,c,d,e,a,54); R3(a,b,c,d,e,55);
109 R3(e,a,b,c,d,56); R3(d,e,a,b,c,57); R3(c,d,e,a,b,58); R3(b,c,d,e,a,59);
110 R4(a,b,c,d,e,60); R4(e,a,b,c,d,61); R4(d,e,a,b,c,62); R4(c,d,e,a,b,63);
111 R4(b,c,d,e,a,64); R4(a,b,c,d,e,65); R4(e,a,b,c,d,66); R4(d,e,a,b,c,67);
112 R4(c,d,e,a,b,68); R4(b,c,d,e,a,69); R4(a,b,c,d,e,70); R4(e,a,b,c,d,71);
113 R4(d,e,a,b,c,72); R4(c,d,e,a,b,73); R4(b,c,d,e,a,74); R4(a,b,c,d,e,75);
114 R4(e,a,b,c,d,76); R4(d,e,a,b,c,77); R4(c,d,e,a,b,78); R4(b,c,d,e,a,79);
116 /* Add the working vars back into context.state[] */
124 #ifdef ENABLE_SSSE3_SHA1
126 sha1_transform_blocks_ssse3(u32 state[5], const void *data, size_t num_blocks);
128 sha1_transform_blocks_default(u32 state[5], const void *data, size_t num_blocks);
129 # define sha1_transform_blocks sha1_transform_blocks_ssse3
131 # define sha1_transform_blocks sha1_transform_blocks_default
134 #ifndef ENABLE_SSSE3_SHA1
138 sha1_transform_blocks_default(u32 state[5], const void *data, size_t num_blocks)
141 sha1_transform_default(state, data);
143 } while (--num_blocks);
146 /* Initializes the specified SHA-1 context.
148 * After sha1_init(), call sha1_update() zero or more times to provide the data
149 * to be hashed. Then call sha1_final() to get the final hash. */
151 sha1_init(SHA_CTX *ctx)
155 ctx->state[0] = 0x67452301;
156 ctx->state[1] = 0xEFCDAB89;
157 ctx->state[2] = 0x98BADCFE;
158 ctx->state[3] = 0x10325476;
159 ctx->state[4] = 0xC3D2E1F0;
162 /* Updates the SHA-1 context with @len bytes of data. */
164 sha1_update(SHA_CTX *ctx, const void *data, size_t len)
166 unsigned buffered = ctx->bytecount & 63;
168 ctx->bytecount += len;
171 /* Previous block is unfinished. */
172 if (len < 64 - buffered) {
173 memcpy(&ctx->buffer[buffered], data, len);
174 /* Previous block still unfinished. */
177 memcpy(&ctx->buffer[buffered], data, 64 - buffered);
178 /* Finished the previous block. */
179 sha1_transform_blocks(ctx->state, ctx->buffer, 1);
180 data += 64 - buffered;
181 len -= 64 - buffered;
185 /* Process blocks directly from the input data. */
187 sha1_transform_blocks(ctx->state, data, len / 64);
192 /* Copy any remaining bytes to the buffer. */
194 memcpy(ctx->buffer, data, len);
197 /* Pad the message and generate the final SHA-1 message digest. */
199 sha1_final(u8 md[20], SHA_CTX *ctx)
201 /* Logically, we must append 1 bit, then a variable number of 0 bits,
202 * then the message length in bits as a big-endian integer, so that the
203 * final length is a multiple of the block size. */
204 static const u8 padding[64] = {0x80, };
205 be64 finalcount = cpu_to_be64(ctx->bytecount << 3);
206 be32 *out = (be32 *)md;
208 sha1_update(ctx, padding, 64 - ((ctx->bytecount + 8) & 63));
209 sha1_update(ctx, &finalcount, 8);
211 for (int i = 0; i < 5; i++)
212 out[i] = cpu_to_be32(ctx->state[i]);
215 /* Calculate the SHA-1 message digest of the specified buffer.
216 * @len is the buffer length in bytes. */
218 sha1_buffer(const void *buffer, size_t len, u8 md[20])
223 sha1_update(&ctx, buffer, len);
224 sha1_final(md, &ctx);
227 #endif /* !WITH_LIBCRYPTO */