2 * FIPS-180-1 compliant SHA-1 implementation
4 * Copyright (C) 2006-2014, ARM Limited, All Rights Reserved
5 * This file is part of mbed TLS (https://tls.mbed.org)
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 2 of the License, or
10 * (at your option) any later version.
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License along
18 * with this program; if not, write to the Free Software Foundation, Inc.,
19 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22 * The SHA-1 standard was published by NIST in 1993.
24 * http://www.itl.nist.gov/fipspubs/fip180-1.htm
27 #if !defined(POLARSSL_CONFIG_FILE)
28 //#include "polarssl/config.h"
29 #define POLARSSL_SHA1_C
32 #include POLARSSL_CONFIG_FILE
35 #if defined(POLARSSL_SHA1_C)
41 #if defined(POLARSSL_FS_IO)
45 #if defined(POLARSSL_SELF_TEST)
46 #if defined(POLARSSL_PLATFORM_C)
47 #include "polarssl/platform.h"
50 #define polarssl_printf printf
51 #endif /* POLARSSL_PLATFORM_C */
52 #endif /* POLARSSL_SELF_TEST */
54 /* Implementation that should never be optimized out by the compiler */
55 static void polarssl_zeroize( void *v
, size_t n
) {
56 volatile unsigned char *p
= v
; while( n
-- ) *p
++ = 0;
59 #if !defined(POLARSSL_SHA1_ALT)
62 * 32-bit integer manipulation macros (big endian)
65 #define GET_UINT32_BE(n,b,i) \
67 (n) = ( (uint32_t) (b)[(i) ] << 24 ) \
68 | ( (uint32_t) (b)[(i) + 1] << 16 ) \
69 | ( (uint32_t) (b)[(i) + 2] << 8 ) \
70 | ( (uint32_t) (b)[(i) + 3] ); \
75 #define PUT_UINT32_BE(n,b,i) \
77 (b)[(i) ] = (unsigned char) ( (n) >> 24 ); \
78 (b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \
79 (b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \
80 (b)[(i) + 3] = (unsigned char) ( (n) ); \
84 void sha1_init( sha1_context
*ctx
)
86 memset( ctx
, 0, sizeof( sha1_context
) );
89 void sha1_free( sha1_context
*ctx
)
94 polarssl_zeroize( ctx
, sizeof( sha1_context
) );
100 void sha1_starts( sha1_context
*ctx
)
105 ctx
->state
[0] = 0x67452301;
106 ctx
->state
[1] = 0xEFCDAB89;
107 ctx
->state
[2] = 0x98BADCFE;
108 ctx
->state
[3] = 0x10325476;
109 ctx
->state
[4] = 0xC3D2E1F0;
112 void sha1_process( sha1_context
*ctx
, const unsigned char data
[64] )
114 uint32_t temp
, W
[16], A
, B
, C
, D
, E
;
116 GET_UINT32_BE( W
[ 0], data
, 0 );
117 GET_UINT32_BE( W
[ 1], data
, 4 );
118 GET_UINT32_BE( W
[ 2], data
, 8 );
119 GET_UINT32_BE( W
[ 3], data
, 12 );
120 GET_UINT32_BE( W
[ 4], data
, 16 );
121 GET_UINT32_BE( W
[ 5], data
, 20 );
122 GET_UINT32_BE( W
[ 6], data
, 24 );
123 GET_UINT32_BE( W
[ 7], data
, 28 );
124 GET_UINT32_BE( W
[ 8], data
, 32 );
125 GET_UINT32_BE( W
[ 9], data
, 36 );
126 GET_UINT32_BE( W
[10], data
, 40 );
127 GET_UINT32_BE( W
[11], data
, 44 );
128 GET_UINT32_BE( W
[12], data
, 48 );
129 GET_UINT32_BE( W
[13], data
, 52 );
130 GET_UINT32_BE( W
[14], data
, 56 );
131 GET_UINT32_BE( W
[15], data
, 60 );
133 #define S(x,n) ((x << n) | ((x & 0xFFFFFFFF) >> (32 - n)))
137 temp = W[( t - 3 ) & 0x0F] ^ W[( t - 8 ) & 0x0F] ^ \
138 W[( t - 14 ) & 0x0F] ^ W[ t & 0x0F], \
139 ( W[t & 0x0F] = S(temp,1) ) \
142 #define P(a,b,c,d,e,x) \
144 e += S(a,5) + F(b,c,d) + K + x; b = S(b,30); \
153 #define F(x,y,z) (z ^ (x & (y ^ z)))
156 P( A
, B
, C
, D
, E
, W
[0] );
157 P( E
, A
, B
, C
, D
, W
[1] );
158 P( D
, E
, A
, B
, C
, W
[2] );
159 P( C
, D
, E
, A
, B
, W
[3] );
160 P( B
, C
, D
, E
, A
, W
[4] );
161 P( A
, B
, C
, D
, E
, W
[5] );
162 P( E
, A
, B
, C
, D
, W
[6] );
163 P( D
, E
, A
, B
, C
, W
[7] );
164 P( C
, D
, E
, A
, B
, W
[8] );
165 P( B
, C
, D
, E
, A
, W
[9] );
166 P( A
, B
, C
, D
, E
, W
[10] );
167 P( E
, A
, B
, C
, D
, W
[11] );
168 P( D
, E
, A
, B
, C
, W
[12] );
169 P( C
, D
, E
, A
, B
, W
[13] );
170 P( B
, C
, D
, E
, A
, W
[14] );
171 P( A
, B
, C
, D
, E
, W
[15] );
172 P( E
, A
, B
, C
, D
, R(16) );
173 P( D
, E
, A
, B
, C
, R(17) );
174 P( C
, D
, E
, A
, B
, R(18) );
175 P( B
, C
, D
, E
, A
, R(19) );
180 #define F(x,y,z) (x ^ y ^ z)
183 P( A
, B
, C
, D
, E
, R(20) );
184 P( E
, A
, B
, C
, D
, R(21) );
185 P( D
, E
, A
, B
, C
, R(22) );
186 P( C
, D
, E
, A
, B
, R(23) );
187 P( B
, C
, D
, E
, A
, R(24) );
188 P( A
, B
, C
, D
, E
, R(25) );
189 P( E
, A
, B
, C
, D
, R(26) );
190 P( D
, E
, A
, B
, C
, R(27) );
191 P( C
, D
, E
, A
, B
, R(28) );
192 P( B
, C
, D
, E
, A
, R(29) );
193 P( A
, B
, C
, D
, E
, R(30) );
194 P( E
, A
, B
, C
, D
, R(31) );
195 P( D
, E
, A
, B
, C
, R(32) );
196 P( C
, D
, E
, A
, B
, R(33) );
197 P( B
, C
, D
, E
, A
, R(34) );
198 P( A
, B
, C
, D
, E
, R(35) );
199 P( E
, A
, B
, C
, D
, R(36) );
200 P( D
, E
, A
, B
, C
, R(37) );
201 P( C
, D
, E
, A
, B
, R(38) );
202 P( B
, C
, D
, E
, A
, R(39) );
207 #define F(x,y,z) ((x & y) | (z & (x | y)))
210 P( A
, B
, C
, D
, E
, R(40) );
211 P( E
, A
, B
, C
, D
, R(41) );
212 P( D
, E
, A
, B
, C
, R(42) );
213 P( C
, D
, E
, A
, B
, R(43) );
214 P( B
, C
, D
, E
, A
, R(44) );
215 P( A
, B
, C
, D
, E
, R(45) );
216 P( E
, A
, B
, C
, D
, R(46) );
217 P( D
, E
, A
, B
, C
, R(47) );
218 P( C
, D
, E
, A
, B
, R(48) );
219 P( B
, C
, D
, E
, A
, R(49) );
220 P( A
, B
, C
, D
, E
, R(50) );
221 P( E
, A
, B
, C
, D
, R(51) );
222 P( D
, E
, A
, B
, C
, R(52) );
223 P( C
, D
, E
, A
, B
, R(53) );
224 P( B
, C
, D
, E
, A
, R(54) );
225 P( A
, B
, C
, D
, E
, R(55) );
226 P( E
, A
, B
, C
, D
, R(56) );
227 P( D
, E
, A
, B
, C
, R(57) );
228 P( C
, D
, E
, A
, B
, R(58) );
229 P( B
, C
, D
, E
, A
, R(59) );
234 #define F(x,y,z) (x ^ y ^ z)
237 P( A
, B
, C
, D
, E
, R(60) );
238 P( E
, A
, B
, C
, D
, R(61) );
239 P( D
, E
, A
, B
, C
, R(62) );
240 P( C
, D
, E
, A
, B
, R(63) );
241 P( B
, C
, D
, E
, A
, R(64) );
242 P( A
, B
, C
, D
, E
, R(65) );
243 P( E
, A
, B
, C
, D
, R(66) );
244 P( D
, E
, A
, B
, C
, R(67) );
245 P( C
, D
, E
, A
, B
, R(68) );
246 P( B
, C
, D
, E
, A
, R(69) );
247 P( A
, B
, C
, D
, E
, R(70) );
248 P( E
, A
, B
, C
, D
, R(71) );
249 P( D
, E
, A
, B
, C
, R(72) );
250 P( C
, D
, E
, A
, B
, R(73) );
251 P( B
, C
, D
, E
, A
, R(74) );
252 P( A
, B
, C
, D
, E
, R(75) );
253 P( E
, A
, B
, C
, D
, R(76) );
254 P( D
, E
, A
, B
, C
, R(77) );
255 P( C
, D
, E
, A
, B
, R(78) );
256 P( B
, C
, D
, E
, A
, R(79) );
269 * SHA-1 process buffer
271 void sha1_update( sha1_context
*ctx
, const unsigned char *input
, size_t ilen
)
279 left
= ctx
->total
[0] & 0x3F;
282 ctx
->total
[0] += (uint32_t) ilen
;
283 ctx
->total
[0] &= 0xFFFFFFFF;
285 if( ctx
->total
[0] < (uint32_t) ilen
)
288 if( left
&& ilen
>= fill
)
290 memcpy( (void *) (ctx
->buffer
+ left
), input
, fill
);
291 sha1_process( ctx
, ctx
->buffer
);
299 sha1_process( ctx
, input
);
305 memcpy( (void *) (ctx
->buffer
+ left
), input
, ilen
);
308 static const unsigned char sha1_padding
[64] =
310 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
311 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
312 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
313 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
319 void sha1_finish( sha1_context
*ctx
, unsigned char output
[20] )
323 unsigned char msglen
[8];
325 high
= ( ctx
->total
[0] >> 29 )
326 | ( ctx
->total
[1] << 3 );
327 low
= ( ctx
->total
[0] << 3 );
329 PUT_UINT32_BE( high
, msglen
, 0 );
330 PUT_UINT32_BE( low
, msglen
, 4 );
332 last
= ctx
->total
[0] & 0x3F;
333 padn
= ( last
< 56 ) ? ( 56 - last
) : ( 120 - last
);
335 sha1_update( ctx
, sha1_padding
, padn
);
336 sha1_update( ctx
, msglen
, 8 );
338 PUT_UINT32_BE( ctx
->state
[0], output
, 0 );
339 PUT_UINT32_BE( ctx
->state
[1], output
, 4 );
340 PUT_UINT32_BE( ctx
->state
[2], output
, 8 );
341 PUT_UINT32_BE( ctx
->state
[3], output
, 12 );
342 PUT_UINT32_BE( ctx
->state
[4], output
, 16 );
345 #endif /* !POLARSSL_SHA1_ALT */
348 * output = SHA-1( input buffer )
350 void sha1( const unsigned char *input
, size_t ilen
, unsigned char output
[20] )
356 sha1_update( &ctx
, input
, ilen
);
357 sha1_finish( &ctx
, output
);
361 #if defined(POLARSSL_FS_IO)
363 * output = SHA-1( file contents )
365 int sha1_file( const char *path
, unsigned char output
[20] )
370 unsigned char buf
[1024];
372 if( ( f
= fopen( path
, "rb" ) ) == NULL
)
373 return( POLARSSL_ERR_SHA1_FILE_IO_ERROR
);
378 while( ( n
= fread( buf
, 1, sizeof( buf
), f
) ) > 0 )
379 sha1_update( &ctx
, buf
, n
);
381 sha1_finish( &ctx
, output
);
384 if( ferror( f
) != 0 )
387 return( POLARSSL_ERR_SHA1_FILE_IO_ERROR
);
393 #endif /* POLARSSL_FS_IO */
396 * SHA-1 HMAC context setup
398 void sha1_hmac_starts( sha1_context
*ctx
, const unsigned char *key
,
402 unsigned char sum
[20];
406 sha1( key
, keylen
, sum
);
411 memset( ctx
->ipad
, 0x36, 64 );
412 memset( ctx
->opad
, 0x5C, 64 );
414 for( i
= 0; i
< keylen
; i
++ )
416 ctx
->ipad
[i
] = (unsigned char)( ctx
->ipad
[i
] ^ key
[i
] );
417 ctx
->opad
[i
] = (unsigned char)( ctx
->opad
[i
] ^ key
[i
] );
421 sha1_update( ctx
, ctx
->ipad
, 64 );
423 polarssl_zeroize( sum
, sizeof( sum
) );
427 * SHA-1 HMAC process buffer
429 void sha1_hmac_update( sha1_context
*ctx
, const unsigned char *input
,
432 sha1_update( ctx
, input
, ilen
);
436 * SHA-1 HMAC final digest
438 void sha1_hmac_finish( sha1_context
*ctx
, unsigned char output
[20] )
440 unsigned char tmpbuf
[20];
442 sha1_finish( ctx
, tmpbuf
);
444 sha1_update( ctx
, ctx
->opad
, 64 );
445 sha1_update( ctx
, tmpbuf
, 20 );
446 sha1_finish( ctx
, output
);
448 polarssl_zeroize( tmpbuf
, sizeof( tmpbuf
) );
452 * SHA1 HMAC context reset
454 void sha1_hmac_reset( sha1_context
*ctx
)
457 sha1_update( ctx
, ctx
->ipad
, 64 );
461 * output = HMAC-SHA-1( hmac key, input buffer )
463 void sha1_hmac( const unsigned char *key
, size_t keylen
,
464 const unsigned char *input
, size_t ilen
,
465 unsigned char output
[20] )
470 sha1_hmac_starts( &ctx
, key
, keylen
);
471 sha1_hmac_update( &ctx
, input
, ilen
);
472 sha1_hmac_finish( &ctx
, output
);
476 #if defined(POLARSSL_SELF_TEST)
478 * FIPS-180-1 test vectors
480 static const unsigned char sha1_test_buf
[3][57] =
483 { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" },
487 static const int sha1_test_buflen
[3] =
492 static const unsigned char sha1_test_sum
[3][20] =
494 { 0xA9, 0x99, 0x3E, 0x36, 0x47, 0x06, 0x81, 0x6A, 0xBA, 0x3E,
495 0x25, 0x71, 0x78, 0x50, 0xC2, 0x6C, 0x9C, 0xD0, 0xD8, 0x9D },
496 { 0x84, 0x98, 0x3E, 0x44, 0x1C, 0x3B, 0xD2, 0x6E, 0xBA, 0xAE,
497 0x4A, 0xA1, 0xF9, 0x51, 0x29, 0xE5, 0xE5, 0x46, 0x70, 0xF1 },
498 { 0x34, 0xAA, 0x97, 0x3C, 0xD4, 0xC4, 0xDA, 0xA4, 0xF6, 0x1E,
499 0xEB, 0x2B, 0xDB, 0xAD, 0x27, 0x31, 0x65, 0x34, 0x01, 0x6F }
503 * RFC 2202 test vectors
505 static const unsigned char sha1_hmac_test_key
[7][26] =
507 { "\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B"
508 "\x0B\x0B\x0B\x0B" },
510 { "\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA"
511 "\xAA\xAA\xAA\xAA" },
512 { "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F\x10"
513 "\x11\x12\x13\x14\x15\x16\x17\x18\x19" },
514 { "\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C"
515 "\x0C\x0C\x0C\x0C" },
516 { "" }, /* 0xAA 80 times */
520 static const int sha1_hmac_test_keylen
[7] =
522 20, 4, 20, 25, 20, 80, 80
525 static const unsigned char sha1_hmac_test_buf
[7][74] =
528 { "what do ya want for nothing?" },
529 { "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
530 "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
531 "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
532 "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
533 "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD" },
534 { "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"
535 "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"
536 "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"
537 "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"
538 "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD" },
539 { "Test With Truncation" },
540 { "Test Using Larger Than Block-Size Key - Hash Key First" },
541 { "Test Using Larger Than Block-Size Key and Larger"
542 " Than One Block-Size Data" }
545 static const int sha1_hmac_test_buflen
[7] =
547 8, 28, 50, 50, 20, 54, 73
550 static const unsigned char sha1_hmac_test_sum
[7][20] =
552 { 0xB6, 0x17, 0x31, 0x86, 0x55, 0x05, 0x72, 0x64, 0xE2, 0x8B,
553 0xC0, 0xB6, 0xFB, 0x37, 0x8C, 0x8E, 0xF1, 0x46, 0xBE, 0x00 },
554 { 0xEF, 0xFC, 0xDF, 0x6A, 0xE5, 0xEB, 0x2F, 0xA2, 0xD2, 0x74,
555 0x16, 0xD5, 0xF1, 0x84, 0xDF, 0x9C, 0x25, 0x9A, 0x7C, 0x79 },
556 { 0x12, 0x5D, 0x73, 0x42, 0xB9, 0xAC, 0x11, 0xCD, 0x91, 0xA3,
557 0x9A, 0xF4, 0x8A, 0xA1, 0x7B, 0x4F, 0x63, 0xF1, 0x75, 0xD3 },
558 { 0x4C, 0x90, 0x07, 0xF4, 0x02, 0x62, 0x50, 0xC6, 0xBC, 0x84,
559 0x14, 0xF9, 0xBF, 0x50, 0xC8, 0x6C, 0x2D, 0x72, 0x35, 0xDA },
560 { 0x4C, 0x1A, 0x03, 0x42, 0x4B, 0x55, 0xE0, 0x7F, 0xE7, 0xF2,
562 { 0xAA, 0x4A, 0xE5, 0xE1, 0x52, 0x72, 0xD0, 0x0E, 0x95, 0x70,
563 0x56, 0x37, 0xCE, 0x8A, 0x3B, 0x55, 0xED, 0x40, 0x21, 0x12 },
564 { 0xE8, 0xE9, 0x9D, 0x0F, 0x45, 0x23, 0x7D, 0x78, 0x6D, 0x6B,
565 0xBA, 0xA7, 0x96, 0x5C, 0x78, 0x08, 0xBB, 0xFF, 0x1A, 0x91 }
571 int sha1_self_test( int verbose
)
573 int i
, j
, buflen
, ret
= 0;
574 unsigned char buf
[1024];
575 unsigned char sha1sum
[20];
583 for( i
= 0; i
< 3; i
++ )
586 polarssl_printf( " SHA-1 test #%d: ", i
+ 1 );
592 memset( buf
, 'a', buflen
= 1000 );
594 for( j
= 0; j
< 1000; j
++ )
595 sha1_update( &ctx
, buf
, buflen
);
598 sha1_update( &ctx
, sha1_test_buf
[i
],
599 sha1_test_buflen
[i
] );
601 sha1_finish( &ctx
, sha1sum
);
603 if( memcmp( sha1sum
, sha1_test_sum
[i
], 20 ) != 0 )
606 polarssl_printf( "failed\n" );
613 polarssl_printf( "passed\n" );
617 polarssl_printf( "\n" );
619 for( i
= 0; i
< 7; i
++ )
622 polarssl_printf( " HMAC-SHA-1 test #%d: ", i
+ 1 );
624 if( i
== 5 || i
== 6 )
626 memset( buf
, 0xAA, buflen
= 80 );
627 sha1_hmac_starts( &ctx
, buf
, buflen
);
630 sha1_hmac_starts( &ctx
, sha1_hmac_test_key
[i
],
631 sha1_hmac_test_keylen
[i
] );
633 sha1_hmac_update( &ctx
, sha1_hmac_test_buf
[i
],
634 sha1_hmac_test_buflen
[i
] );
636 sha1_hmac_finish( &ctx
, sha1sum
);
638 buflen
= ( i
== 4 ) ? 12 : 20;
640 if( memcmp( sha1sum
, sha1_hmac_test_sum
[i
], buflen
) != 0 )
643 polarssl_printf( "failed\n" );
650 polarssl_printf( "passed\n" );
654 polarssl_printf( "\n" );
662 #endif /* POLARSSL_SELF_TEST */
664 #endif /* POLARSSL_SHA1_C */