1 /*
2  *  FIPS-180-1 compliant SHA-1 implementation
3  *
4  *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
5  *  SPDX-License-Identifier: Apache-2.0
6  *
7  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
8  *  not use this file except in compliance with the License.
9  *  You may obtain a copy of the License at
10  *
11  *  http://www.apache.org/licenses/LICENSE-2.0
12  *
13  *  Unless required by applicable law or agreed to in writing, software
14  *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  *  See the License for the specific language governing permissions and
17  *  limitations under the License.
18  *
19  *  This file is part of mbed TLS (https://tls.mbed.org)
20  */
21 /*
22  *  The SHA-1 standard was published by NIST in 1993.
23  *
24  *  http://www.itl.nist.gov/fipspubs/fip180-1.htm
25  */
26 
27 #if !defined(MBEDTLS_CONFIG_FILE)
28 #include "mbedtls/config.h"
29 #else
30 #include MBEDTLS_CONFIG_FILE
31 #endif
32 
33 #if defined(MBEDTLS_SHA1_C)
34 
35 #include "mbedtls/sha1.h"
36 
37 #include <string.h>
38 
39 #if defined(MBEDTLS_SELF_TEST)
40 #if defined(MBEDTLS_PLATFORM_C)
41 #include "mbedtls/platform.h"
42 #else
43 #include <stdio.h>
44 #define mbedtls_printf printf
45 #endif /* MBEDTLS_PLATFORM_C */
46 #endif /* MBEDTLS_SELF_TEST */
47 
48 #if !defined(MBEDTLS_SHA1_ALT)
49 
50 /* Implementation that should never be optimized out by the compiler */
mbedtls_zeroize(void * v,size_t n)51 static void mbedtls_zeroize( void *v, size_t n ) {
52     volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0;
53 }
54 
55 /*
56  * 32-bit integer manipulation macros (big endian)
57  */
58 #ifndef GET_UINT32_BE
59 #define GET_UINT32_BE(n,b,i)                            \
60 {                                                       \
61     (n) = ( (uint32_t) (b)[(i)    ] << 24 )             \
62         | ( (uint32_t) (b)[(i) + 1] << 16 )             \
63         | ( (uint32_t) (b)[(i) + 2] <<  8 )             \
64         | ( (uint32_t) (b)[(i) + 3]       );            \
65 }
66 #endif
67 
68 #ifndef PUT_UINT32_BE
69 #define PUT_UINT32_BE(n,b,i)                            \
70 {                                                       \
71     (b)[(i)    ] = (unsigned char) ( (n) >> 24 );       \
72     (b)[(i) + 1] = (unsigned char) ( (n) >> 16 );       \
73     (b)[(i) + 2] = (unsigned char) ( (n) >>  8 );       \
74     (b)[(i) + 3] = (unsigned char) ( (n)       );       \
75 }
76 #endif
77 
mbedtls_sha1_init(mbedtls_sha1_context * ctx)78 void mbedtls_sha1_init( mbedtls_sha1_context *ctx )
79 {
80     memset( ctx, 0, sizeof( mbedtls_sha1_context ) );
81 }
82 
mbedtls_sha1_free(mbedtls_sha1_context * ctx)83 void mbedtls_sha1_free( mbedtls_sha1_context *ctx )
84 {
85     if( ctx == NULL )
86         return;
87 
88     mbedtls_zeroize( ctx, sizeof( mbedtls_sha1_context ) );
89 }
90 
mbedtls_sha1_clone(mbedtls_sha1_context * dst,const mbedtls_sha1_context * src)91 void mbedtls_sha1_clone( mbedtls_sha1_context *dst,
92                          const mbedtls_sha1_context *src )
93 {
94     *dst = *src;
95 }
96 
97 /*
98  * SHA-1 context setup
99  */
mbedtls_sha1_starts(mbedtls_sha1_context * ctx)100 void mbedtls_sha1_starts( mbedtls_sha1_context *ctx )
101 {
102     ctx->total[0] = 0;
103     ctx->total[1] = 0;
104 
105     ctx->state[0] = 0x67452301;
106     ctx->state[1] = 0xEFCDAB89;
107     ctx->state[2] = 0x98BADCFE;
108     ctx->state[3] = 0x10325476;
109     ctx->state[4] = 0xC3D2E1F0;
110 }
111 
112 #if !defined(MBEDTLS_SHA1_PROCESS_ALT)
mbedtls_sha1_process(mbedtls_sha1_context * ctx,const unsigned char data[64])113 void mbedtls_sha1_process( mbedtls_sha1_context *ctx, const unsigned char data[64] )
114 {
115     uint32_t temp, W[16], A, B, C, D, E;
116 
117     GET_UINT32_BE( W[ 0], data,  0 );
118     GET_UINT32_BE( W[ 1], data,  4 );
119     GET_UINT32_BE( W[ 2], data,  8 );
120     GET_UINT32_BE( W[ 3], data, 12 );
121     GET_UINT32_BE( W[ 4], data, 16 );
122     GET_UINT32_BE( W[ 5], data, 20 );
123     GET_UINT32_BE( W[ 6], data, 24 );
124     GET_UINT32_BE( W[ 7], data, 28 );
125     GET_UINT32_BE( W[ 8], data, 32 );
126     GET_UINT32_BE( W[ 9], data, 36 );
127     GET_UINT32_BE( W[10], data, 40 );
128     GET_UINT32_BE( W[11], data, 44 );
129     GET_UINT32_BE( W[12], data, 48 );
130     GET_UINT32_BE( W[13], data, 52 );
131     GET_UINT32_BE( W[14], data, 56 );
132     GET_UINT32_BE( W[15], data, 60 );
133 
134 #define S(x,n) ((x << n) | ((x & 0xFFFFFFFF) >> (32 - n)))
135 
136 #define R(t)                                            \
137 (                                                       \
138     temp = W[( t -  3 ) & 0x0F] ^ W[( t - 8 ) & 0x0F] ^ \
139            W[( t - 14 ) & 0x0F] ^ W[  t       & 0x0F],  \
140     ( W[t & 0x0F] = S(temp,1) )                         \
141 )
142 
143 #define P(a,b,c,d,e,x)                                  \
144 {                                                       \
145     e += S(a,5) + F(b,c,d) + K + x; b = S(b,30);        \
146 }
147 
148     A = ctx->state[0];
149     B = ctx->state[1];
150     C = ctx->state[2];
151     D = ctx->state[3];
152     E = ctx->state[4];
153 
154 #define F(x,y,z) (z ^ (x & (y ^ z)))
155 #define K 0x5A827999
156 
157     P( A, B, C, D, E, W[0]  );
158     P( E, A, B, C, D, W[1]  );
159     P( D, E, A, B, C, W[2]  );
160     P( C, D, E, A, B, W[3]  );
161     P( B, C, D, E, A, W[4]  );
162     P( A, B, C, D, E, W[5]  );
163     P( E, A, B, C, D, W[6]  );
164     P( D, E, A, B, C, W[7]  );
165     P( C, D, E, A, B, W[8]  );
166     P( B, C, D, E, A, W[9]  );
167     P( A, B, C, D, E, W[10] );
168     P( E, A, B, C, D, W[11] );
169     P( D, E, A, B, C, W[12] );
170     P( C, D, E, A, B, W[13] );
171     P( B, C, D, E, A, W[14] );
172     P( A, B, C, D, E, W[15] );
173     P( E, A, B, C, D, R(16) );
174     P( D, E, A, B, C, R(17) );
175     P( C, D, E, A, B, R(18) );
176     P( B, C, D, E, A, R(19) );
177 
178 #undef K
179 #undef F
180 
181 #define F(x,y,z) (x ^ y ^ z)
182 #define K 0x6ED9EBA1
183 
184     P( A, B, C, D, E, R(20) );
185     P( E, A, B, C, D, R(21) );
186     P( D, E, A, B, C, R(22) );
187     P( C, D, E, A, B, R(23) );
188     P( B, C, D, E, A, R(24) );
189     P( A, B, C, D, E, R(25) );
190     P( E, A, B, C, D, R(26) );
191     P( D, E, A, B, C, R(27) );
192     P( C, D, E, A, B, R(28) );
193     P( B, C, D, E, A, R(29) );
194     P( A, B, C, D, E, R(30) );
195     P( E, A, B, C, D, R(31) );
196     P( D, E, A, B, C, R(32) );
197     P( C, D, E, A, B, R(33) );
198     P( B, C, D, E, A, R(34) );
199     P( A, B, C, D, E, R(35) );
200     P( E, A, B, C, D, R(36) );
201     P( D, E, A, B, C, R(37) );
202     P( C, D, E, A, B, R(38) );
203     P( B, C, D, E, A, R(39) );
204 
205 #undef K
206 #undef F
207 
208 #define F(x,y,z) ((x & y) | (z & (x | y)))
209 #define K 0x8F1BBCDC
210 
211     P( A, B, C, D, E, R(40) );
212     P( E, A, B, C, D, R(41) );
213     P( D, E, A, B, C, R(42) );
214     P( C, D, E, A, B, R(43) );
215     P( B, C, D, E, A, R(44) );
216     P( A, B, C, D, E, R(45) );
217     P( E, A, B, C, D, R(46) );
218     P( D, E, A, B, C, R(47) );
219     P( C, D, E, A, B, R(48) );
220     P( B, C, D, E, A, R(49) );
221     P( A, B, C, D, E, R(50) );
222     P( E, A, B, C, D, R(51) );
223     P( D, E, A, B, C, R(52) );
224     P( C, D, E, A, B, R(53) );
225     P( B, C, D, E, A, R(54) );
226     P( A, B, C, D, E, R(55) );
227     P( E, A, B, C, D, R(56) );
228     P( D, E, A, B, C, R(57) );
229     P( C, D, E, A, B, R(58) );
230     P( B, C, D, E, A, R(59) );
231 
232 #undef K
233 #undef F
234 
235 #define F(x,y,z) (x ^ y ^ z)
236 #define K 0xCA62C1D6
237 
238     P( A, B, C, D, E, R(60) );
239     P( E, A, B, C, D, R(61) );
240     P( D, E, A, B, C, R(62) );
241     P( C, D, E, A, B, R(63) );
242     P( B, C, D, E, A, R(64) );
243     P( A, B, C, D, E, R(65) );
244     P( E, A, B, C, D, R(66) );
245     P( D, E, A, B, C, R(67) );
246     P( C, D, E, A, B, R(68) );
247     P( B, C, D, E, A, R(69) );
248     P( A, B, C, D, E, R(70) );
249     P( E, A, B, C, D, R(71) );
250     P( D, E, A, B, C, R(72) );
251     P( C, D, E, A, B, R(73) );
252     P( B, C, D, E, A, R(74) );
253     P( A, B, C, D, E, R(75) );
254     P( E, A, B, C, D, R(76) );
255     P( D, E, A, B, C, R(77) );
256     P( C, D, E, A, B, R(78) );
257     P( B, C, D, E, A, R(79) );
258 
259 #undef K
260 #undef F
261 
262     ctx->state[0] += A;
263     ctx->state[1] += B;
264     ctx->state[2] += C;
265     ctx->state[3] += D;
266     ctx->state[4] += E;
267 }
268 #endif /* !MBEDTLS_SHA1_PROCESS_ALT */
269 
270 /*
271  * SHA-1 process buffer
272  */
mbedtls_sha1_update(mbedtls_sha1_context * ctx,const unsigned char * input,size_t ilen)273 void mbedtls_sha1_update( mbedtls_sha1_context *ctx, const unsigned char *input, size_t ilen )
274 {
275     size_t fill;
276     uint32_t left;
277 
278     if( ilen == 0 )
279         return;
280 
281     left = ctx->total[0] & 0x3F;
282     fill = 64 - left;
283 
284     ctx->total[0] += (uint32_t) ilen;
285     ctx->total[0] &= 0xFFFFFFFF;
286 
287     if( ctx->total[0] < (uint32_t) ilen )
288         ctx->total[1]++;
289 
290     if( left && ilen >= fill )
291     {
292         memcpy( (void *) (ctx->buffer + left), input, fill );
293         mbedtls_sha1_process( ctx, ctx->buffer );
294         input += fill;
295         ilen  -= fill;
296         left = 0;
297     }
298 
299     while( ilen >= 64 )
300     {
301         mbedtls_sha1_process( ctx, input );
302         input += 64;
303         ilen  -= 64;
304     }
305 
306     if( ilen > 0 )
307         memcpy( (void *) (ctx->buffer + left), input, ilen );
308 }
309 
310 static const unsigned char sha1_padding[64] =
311 {
312  0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
313     0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
314     0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
315     0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
316 };
317 
318 /*
319  * SHA-1 final digest
320  */
mbedtls_sha1_finish(mbedtls_sha1_context * ctx,unsigned char output[20])321 void mbedtls_sha1_finish( mbedtls_sha1_context *ctx, unsigned char output[20] )
322 {
323     uint32_t last, padn;
324     uint32_t high, low;
325     unsigned char msglen[8];
326 
327     high = ( ctx->total[0] >> 29 )
328          | ( ctx->total[1] <<  3 );
329     low  = ( ctx->total[0] <<  3 );
330 
331     PUT_UINT32_BE( high, msglen, 0 );
332     PUT_UINT32_BE( low,  msglen, 4 );
333 
334     last = ctx->total[0] & 0x3F;
335     padn = ( last < 56 ) ? ( 56 - last ) : ( 120 - last );
336 
337     mbedtls_sha1_update( ctx, sha1_padding, padn );
338     mbedtls_sha1_update( ctx, msglen, 8 );
339 
340     PUT_UINT32_BE( ctx->state[0], output,  0 );
341     PUT_UINT32_BE( ctx->state[1], output,  4 );
342     PUT_UINT32_BE( ctx->state[2], output,  8 );
343     PUT_UINT32_BE( ctx->state[3], output, 12 );
344     PUT_UINT32_BE( ctx->state[4], output, 16 );
345 }
346 
347 #endif /* !MBEDTLS_SHA1_ALT */
348 
349 /*
350  * output = SHA-1( input buffer )
351  */
mbedtls_sha1(const unsigned char * input,size_t ilen,unsigned char output[20])352 void mbedtls_sha1( const unsigned char *input, size_t ilen, unsigned char output[20] )
353 {
354     mbedtls_sha1_context ctx;
355 
356     mbedtls_sha1_init( &ctx );
357     mbedtls_sha1_starts( &ctx );
358     mbedtls_sha1_update( &ctx, input, ilen );
359     mbedtls_sha1_finish( &ctx, output );
360     mbedtls_sha1_free( &ctx );
361 }
362 
363 #if defined(MBEDTLS_SELF_TEST)
364 /*
365  * FIPS-180-1 test vectors
366  */
367 static const unsigned char sha1_test_buf[3][57] =
368 {
369     { "abc" },
370     { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" },
371     { "" }
372 };
373 
374 static const int sha1_test_buflen[3] =
375 {
376     3, 56, 1000
377 };
378 
379 static const unsigned char sha1_test_sum[3][20] =
380 {
381     { 0xA9, 0x99, 0x3E, 0x36, 0x47, 0x06, 0x81, 0x6A, 0xBA, 0x3E,
382       0x25, 0x71, 0x78, 0x50, 0xC2, 0x6C, 0x9C, 0xD0, 0xD8, 0x9D },
383     { 0x84, 0x98, 0x3E, 0x44, 0x1C, 0x3B, 0xD2, 0x6E, 0xBA, 0xAE,
384       0x4A, 0xA1, 0xF9, 0x51, 0x29, 0xE5, 0xE5, 0x46, 0x70, 0xF1 },
385     { 0x34, 0xAA, 0x97, 0x3C, 0xD4, 0xC4, 0xDA, 0xA4, 0xF6, 0x1E,
386       0xEB, 0x2B, 0xDB, 0xAD, 0x27, 0x31, 0x65, 0x34, 0x01, 0x6F }
387 };
388 
389 /*
390  * Checkup routine
391  */
mbedtls_sha1_self_test(int verbose)392 int mbedtls_sha1_self_test( int verbose )
393 {
394     int i, j, buflen, ret = 0;
395     unsigned char buf[1024];
396     unsigned char sha1sum[20];
397     mbedtls_sha1_context ctx;
398 
399     mbedtls_sha1_init( &ctx );
400 
401     /*
402      * SHA-1
403      */
404     for( i = 0; i < 3; i++ )
405     {
406         if( verbose != 0 )
407             mbedtls_printf( "  SHA-1 test #%d: ", i + 1 );
408 
409         mbedtls_sha1_starts( &ctx );
410 
411         if( i == 2 )
412         {
413             memset( buf, 'a', buflen = 1000 );
414 
415             for( j = 0; j < 1000; j++ )
416                 mbedtls_sha1_update( &ctx, buf, buflen );
417         }
418         else
419             mbedtls_sha1_update( &ctx, sha1_test_buf[i],
420                                sha1_test_buflen[i] );
421 
422         mbedtls_sha1_finish( &ctx, sha1sum );
423 
424         if( memcmp( sha1sum, sha1_test_sum[i], 20 ) != 0 )
425         {
426             if( verbose != 0 )
427                 mbedtls_printf( "failed\n" );
428 
429             ret = 1;
430             goto exit;
431         }
432 
433         if( verbose != 0 )
434             mbedtls_printf( "passed\n" );
435     }
436 
437     if( verbose != 0 )
438         mbedtls_printf( "\n" );
439 
440 exit:
441     mbedtls_sha1_free( &ctx );
442 
443     return( ret );
444 }
445 
446 #endif /* MBEDTLS_SELF_TEST */
447 
448 #endif /* MBEDTLS_SHA1_C */
449