4 * Implementation of the Secure Hash Algorithm version 1 (FIPS 180-1).
9 * The default SHA-1 transform is based on public domain code by Steve Reid.
11 * The author dedicates this file to the public domain.
12 * You can do whatever you want with this file.
19 #include "wimlib/endianness.h"
20 #include "wimlib/sha1.h"
22 /* Dummy SHA-1 message digest of all 0's. This is used in the WIM format to
23 * mean "SHA-1 not specified". */
24 const u8 zero_hash[20];
26 /* If we use libcrypto (e.g. OpenSSL) then we get all the SHA-1 functions for
27 * free. Otherwise we need to implement them ourselves. */
29 #ifndef WITH_LIBCRYPTO
31 #define rol(value, bits) (((value) << (bits)) | ((value) >> (32 - (bits))))
33 #define blk0(i) (tmp[i] = be32_to_cpu(((const be32 *)block)[i]))
35 #define blk(i) (tmp[i & 15] = rol(tmp[(i + 13) & 15] ^ \
38 tmp[(i + 0) & 15], 1))
40 #define R0(v, w, x, y, z, i) \
41 z += ((w & (x ^ y)) ^ y) + blk0(i) + 0x5A827999 + rol(v, 5); \
44 #define R1(v, w, x, y, z, i) \
45 z += ((w & (x ^ y)) ^ y) + blk(i) + 0x5A827999 + rol(v, 5); \
48 #define R2(v, w, x, y, z, i) \
49 z += (w ^ x ^ y) + blk(i) + 0x6ED9EBA1 + rol(v, 5); \
52 #define R3(v, w, x, y, z, i) \
53 z += (((w | x) & y) | (w & x)) + blk(i) + 0x8F1BBCDC + rol(v, 5); \
56 #define R4(v, w, x, y, z, i) \
57 z += (w ^ x ^ y) + blk(i) + 0xCA62C1D6 + rol(v, 5); \
60 /* Hash a single 512-bit block. This is the core of the algorithm. */
62 sha1_transform_default(u32 state[5], const u8 block[64])
67 /* Copy ctx->state[] to working vars */
74 /* 4 rounds of 20 operations each. Loop unrolled. */
75 R0(a,b,c,d,e, 0); R0(e,a,b,c,d, 1); R0(d,e,a,b,c, 2); R0(c,d,e,a,b, 3);
76 R0(b,c,d,e,a, 4); R0(a,b,c,d,e, 5); R0(e,a,b,c,d, 6); R0(d,e,a,b,c, 7);
77 R0(c,d,e,a,b, 8); R0(b,c,d,e,a, 9); R0(a,b,c,d,e,10); R0(e,a,b,c,d,11);
78 R0(d,e,a,b,c,12); R0(c,d,e,a,b,13); R0(b,c,d,e,a,14); R0(a,b,c,d,e,15);
79 R1(e,a,b,c,d,16); R1(d,e,a,b,c,17); R1(c,d,e,a,b,18); R1(b,c,d,e,a,19);
80 R2(a,b,c,d,e,20); R2(e,a,b,c,d,21); R2(d,e,a,b,c,22); R2(c,d,e,a,b,23);
81 R2(b,c,d,e,a,24); R2(a,b,c,d,e,25); R2(e,a,b,c,d,26); R2(d,e,a,b,c,27);
82 R2(c,d,e,a,b,28); R2(b,c,d,e,a,29); R2(a,b,c,d,e,30); R2(e,a,b,c,d,31);
83 R2(d,e,a,b,c,32); R2(c,d,e,a,b,33); R2(b,c,d,e,a,34); R2(a,b,c,d,e,35);
84 R2(e,a,b,c,d,36); R2(d,e,a,b,c,37); R2(c,d,e,a,b,38); R2(b,c,d,e,a,39);
85 R3(a,b,c,d,e,40); R3(e,a,b,c,d,41); R3(d,e,a,b,c,42); R3(c,d,e,a,b,43);
86 R3(b,c,d,e,a,44); R3(a,b,c,d,e,45); R3(e,a,b,c,d,46); R3(d,e,a,b,c,47);
87 R3(c,d,e,a,b,48); R3(b,c,d,e,a,49); R3(a,b,c,d,e,50); R3(e,a,b,c,d,51);
88 R3(d,e,a,b,c,52); R3(c,d,e,a,b,53); R3(b,c,d,e,a,54); R3(a,b,c,d,e,55);
89 R3(e,a,b,c,d,56); R3(d,e,a,b,c,57); R3(c,d,e,a,b,58); R3(b,c,d,e,a,59);
90 R4(a,b,c,d,e,60); R4(e,a,b,c,d,61); R4(d,e,a,b,c,62); R4(c,d,e,a,b,63);
91 R4(b,c,d,e,a,64); R4(a,b,c,d,e,65); R4(e,a,b,c,d,66); R4(d,e,a,b,c,67);
92 R4(c,d,e,a,b,68); R4(b,c,d,e,a,69); R4(a,b,c,d,e,70); R4(e,a,b,c,d,71);
93 R4(d,e,a,b,c,72); R4(c,d,e,a,b,73); R4(b,c,d,e,a,74); R4(a,b,c,d,e,75);
94 R4(e,a,b,c,d,76); R4(d,e,a,b,c,77); R4(c,d,e,a,b,78); R4(b,c,d,e,a,79);
96 /* Add the working vars back into context.state[] */
104 #ifdef ENABLE_SSSE3_SHA1
106 sha1_transform_blocks_ssse3(u32 state[5], const void *data, size_t num_blocks);
108 sha1_transform_blocks_default(u32 state[5], const void *data, size_t num_blocks);
109 # define sha1_transform_blocks sha1_transform_blocks_ssse3
111 # define sha1_transform_blocks sha1_transform_blocks_default
114 #ifndef ENABLE_SSSE3_SHA1
118 sha1_transform_blocks_default(u32 state[5], const void *data, size_t num_blocks)
121 sha1_transform_default(state, data);
123 } while (--num_blocks);
126 /* Initializes the specified SHA-1 context.
128 * After sha1_init(), call sha1_update() zero or more times to provide the data
129 * to be hashed. Then call sha1_final() to get the final hash. */
131 sha1_init(SHA_CTX *ctx)
135 ctx->state[0] = 0x67452301;
136 ctx->state[1] = 0xEFCDAB89;
137 ctx->state[2] = 0x98BADCFE;
138 ctx->state[3] = 0x10325476;
139 ctx->state[4] = 0xC3D2E1F0;
142 /* Updates the SHA-1 context with @len bytes of data. */
144 sha1_update(SHA_CTX *ctx, const void *data, size_t len)
146 unsigned buffered = ctx->bytecount & 63;
148 ctx->bytecount += len;
151 /* Previous block is unfinished. */
152 if (len < 64 - buffered) {
153 memcpy(&ctx->buffer[buffered], data, len);
154 /* Previous block still unfinished. */
157 memcpy(&ctx->buffer[buffered], data, 64 - buffered);
158 /* Finished the previous block. */
159 sha1_transform_blocks(ctx->state, ctx->buffer, 1);
160 data += 64 - buffered;
161 len -= 64 - buffered;
165 /* Process blocks directly from the input data. */
167 sha1_transform_blocks(ctx->state, data, len / 64);
172 /* Copy any remaining bytes to the buffer. */
174 memcpy(ctx->buffer, data, len);
177 /* Pad the message and generate the final SHA-1 message digest. */
179 sha1_final(u8 md[20], SHA_CTX *ctx)
181 /* Logically, we must append 1 bit, then a variable number of 0 bits,
182 * then the message length in bits as a big-endian integer, so that the
183 * final length is a multiple of the block size. */
184 static const u8 padding[64] = {0x80, };
185 be64 finalcount = cpu_to_be64(ctx->bytecount << 3);
186 be32 *out = (be32 *)md;
188 sha1_update(ctx, padding, 64 - ((ctx->bytecount + 8) & 63));
189 sha1_update(ctx, &finalcount, 8);
191 for (int i = 0; i < 5; i++)
192 out[i] = cpu_to_be32(ctx->state[i]);
195 /* Calculate the SHA-1 message digest of the specified buffer.
196 * @len is the buffer length in bytes. */
198 sha1_buffer(const void *buffer, size_t len, u8 md[20])
203 sha1_update(&ctx, buffer, len);
204 sha1_final(md, &ctx);
207 #endif /* !WITH_LIBCRYPTO */