* Fix a typo in the dpkg changelog.
[deb_shairplay.git] / src / lib / crypto / sha1.c
CommitLineData
15c988f7
JB
1/*
2 * Copyright (c) 2007, Cameron Rich
3 *
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions are met:
8 *
9 * * Redistributions of source code must retain the above copyright notice,
10 * this list of conditions and the following disclaimer.
11 * * Redistributions in binary form must reproduce the above copyright notice,
12 * this list of conditions and the following disclaimer in the documentation
13 * and/or other materials provided with the distribution.
14 * * Neither the name of the axTLS project nor the names of its contributors
15 * may be used to endorse or promote products derived from this software
16 * without specific prior written permission.
17 *
18 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
19 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
20 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
21 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
22 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
23 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
24 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
25 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
26 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
27 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
28 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31/**
32 * SHA1 implementation - as defined in FIPS PUB 180-1 published April 17, 1995.
33 * This code was originally taken from RFC3174
34 */
35
36#include <string.h>
37#include "os_port.h"
38#include "crypto.h"
39
40/*
41 * Define the SHA1 circular left shift macro
42 */
43#define SHA1CircularShift(bits,word) \
44 (((word) << (bits)) | ((word) >> (32-(bits))))
45
46/* ----- static functions ----- */
47static void SHA1PadMessage(SHA1_CTX *ctx);
48static void SHA1ProcessMessageBlock(SHA1_CTX *ctx);
49
50/**
51 * Initialize the SHA1 context
52 */
53void SHA1_Init(SHA1_CTX *ctx)
54{
55 ctx->Length_Low = 0;
56 ctx->Length_High = 0;
57 ctx->Message_Block_Index = 0;
58 ctx->Intermediate_Hash[0] = 0x67452301;
59 ctx->Intermediate_Hash[1] = 0xEFCDAB89;
60 ctx->Intermediate_Hash[2] = 0x98BADCFE;
61 ctx->Intermediate_Hash[3] = 0x10325476;
62 ctx->Intermediate_Hash[4] = 0xC3D2E1F0;
63}
64
65/**
66 * Accepts an array of octets as the next portion of the message.
67 */
68void SHA1_Update(SHA1_CTX *ctx, const uint8_t *msg, int len)
69{
70 while (len--)
71 {
72 ctx->Message_Block[ctx->Message_Block_Index++] = (*msg & 0xFF);
73 ctx->Length_Low += 8;
74
75 if (ctx->Length_Low == 0)
76 ctx->Length_High++;
77
78 if (ctx->Message_Block_Index == 64)
79 SHA1ProcessMessageBlock(ctx);
80
81 msg++;
82 }
83}
84
85/**
86 * Return the 160-bit message digest into the user's array
87 */
88void SHA1_Final(uint8_t *digest, SHA1_CTX *ctx)
89{
90 int i;
91
92 SHA1PadMessage(ctx);
93 memset(ctx->Message_Block, 0, 64);
94 ctx->Length_Low = 0; /* and clear length */
95 ctx->Length_High = 0;
96
97 for (i = 0; i < SHA1_SIZE; i++)
98 {
99 digest[i] = ctx->Intermediate_Hash[i>>2] >> 8 * ( 3 - ( i & 0x03 ) );
100 }
101}
102
103/**
104 * Process the next 512 bits of the message stored in the array.
105 */
106static void SHA1ProcessMessageBlock(SHA1_CTX *ctx)
107{
108 const uint32_t K[] = { /* Constants defined in SHA-1 */
109 0x5A827999,
110 0x6ED9EBA1,
111 0x8F1BBCDC,
112 0xCA62C1D6
113 };
114 int t; /* Loop counter */
115 uint32_t temp; /* Temporary word value */
116 uint32_t W[80]; /* Word sequence */
117 uint32_t A, B, C, D, E; /* Word buffers */
118
119 /*
120 * Initialize the first 16 words in the array W
121 */
122 for (t = 0; t < 16; t++)
123 {
124 W[t] = ctx->Message_Block[t * 4] << 24;
125 W[t] |= ctx->Message_Block[t * 4 + 1] << 16;
126 W[t] |= ctx->Message_Block[t * 4 + 2] << 8;
127 W[t] |= ctx->Message_Block[t * 4 + 3];
128 }
129
130 for (t = 16; t < 80; t++)
131 {
132 W[t] = SHA1CircularShift(1,W[t-3] ^ W[t-8] ^ W[t-14] ^ W[t-16]);
133 }
134
135 A = ctx->Intermediate_Hash[0];
136 B = ctx->Intermediate_Hash[1];
137 C = ctx->Intermediate_Hash[2];
138 D = ctx->Intermediate_Hash[3];
139 E = ctx->Intermediate_Hash[4];
140
141 for (t = 0; t < 20; t++)
142 {
143 temp = SHA1CircularShift(5,A) +
144 ((B & C) | ((~B) & D)) + E + W[t] + K[0];
145 E = D;
146 D = C;
147 C = SHA1CircularShift(30,B);
148
149 B = A;
150 A = temp;
151 }
152
153 for (t = 20; t < 40; t++)
154 {
155 temp = SHA1CircularShift(5,A) + (B ^ C ^ D) + E + W[t] + K[1];
156 E = D;
157 D = C;
158 C = SHA1CircularShift(30,B);
159 B = A;
160 A = temp;
161 }
162
163 for (t = 40; t < 60; t++)
164 {
165 temp = SHA1CircularShift(5,A) +
166 ((B & C) | (B & D) | (C & D)) + E + W[t] + K[2];
167 E = D;
168 D = C;
169 C = SHA1CircularShift(30,B);
170 B = A;
171 A = temp;
172 }
173
174 for (t = 60; t < 80; t++)
175 {
176 temp = SHA1CircularShift(5,A) + (B ^ C ^ D) + E + W[t] + K[3];
177 E = D;
178 D = C;
179 C = SHA1CircularShift(30,B);
180 B = A;
181 A = temp;
182 }
183
184 ctx->Intermediate_Hash[0] += A;
185 ctx->Intermediate_Hash[1] += B;
186 ctx->Intermediate_Hash[2] += C;
187 ctx->Intermediate_Hash[3] += D;
188 ctx->Intermediate_Hash[4] += E;
189 ctx->Message_Block_Index = 0;
190}
191
192/*
193 * According to the standard, the message must be padded to an even
194 * 512 bits. The first padding bit must be a '1'. The last 64
195 * bits represent the length of the original message. All bits in
196 * between should be 0. This function will pad the message
197 * according to those rules by filling the Message_Block array
198 * accordingly. It will also call the ProcessMessageBlock function
199 * provided appropriately. When it returns, it can be assumed that
200 * the message digest has been computed.
201 *
202 * @param ctx [in, out] The SHA1 context
203 */
204static void SHA1PadMessage(SHA1_CTX *ctx)
205{
206 /*
207 * Check to see if the current message block is too small to hold
208 * the initial padding bits and length. If so, we will pad the
209 * block, process it, and then continue padding into a second
210 * block.
211 */
212 if (ctx->Message_Block_Index > 55)
213 {
214 ctx->Message_Block[ctx->Message_Block_Index++] = 0x80;
215 while(ctx->Message_Block_Index < 64)
216 {
217 ctx->Message_Block[ctx->Message_Block_Index++] = 0;
218 }
219
220 SHA1ProcessMessageBlock(ctx);
221
222 while (ctx->Message_Block_Index < 56)
223 {
224 ctx->Message_Block[ctx->Message_Block_Index++] = 0;
225 }
226 }
227 else
228 {
229 ctx->Message_Block[ctx->Message_Block_Index++] = 0x80;
230 while(ctx->Message_Block_Index < 56)
231 {
232
233 ctx->Message_Block[ctx->Message_Block_Index++] = 0;
234 }
235 }
236
237 /*
238 * Store the message length as the last 8 octets
239 */
240 ctx->Message_Block[56] = ctx->Length_High >> 24;
241 ctx->Message_Block[57] = ctx->Length_High >> 16;
242 ctx->Message_Block[58] = ctx->Length_High >> 8;
243 ctx->Message_Block[59] = ctx->Length_High;
244 ctx->Message_Block[60] = ctx->Length_Low >> 24;
245 ctx->Message_Block[61] = ctx->Length_Low >> 16;
246 ctx->Message_Block[62] = ctx->Length_Low >> 8;
247 ctx->Message_Block[63] = ctx->Length_Low;
248 SHA1ProcessMessageBlock(ctx);
249}