diff options
Diffstat (limited to 'src/microhttpd/sha1.c')
-rw-r--r-- | src/microhttpd/sha1.c | 353 |
1 files changed, 353 insertions, 0 deletions
diff --git a/src/microhttpd/sha1.c b/src/microhttpd/sha1.c new file mode 100644 index 00000000..51deabaa --- /dev/null +++ b/src/microhttpd/sha1.c | |||
@@ -0,0 +1,353 @@ | |||
1 | /* | ||
2 | This file is part of libmicrohttpd | ||
3 | Copyright (C) 2019-2021 Karlson2k (Evgeny Grin) | ||
4 | |||
5 | libmicrohttpd is free software; you can redistribute it and/or | ||
6 | modify it under the terms of the GNU Lesser General Public | ||
7 | License as published by the Free Software Foundation; either | ||
8 | version 2.1 of the License, or (at your option) any later version. | ||
9 | |||
10 | This library is distributed in the hope that it will be useful, | ||
11 | but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | ||
13 | Lesser General Public License for more details. | ||
14 | |||
15 | You should have received a copy of the GNU Lesser General Public | ||
16 | License along with this library. | ||
17 | If not, see <http://www.gnu.org/licenses/>. | ||
18 | */ | ||
19 | |||
20 | /** | ||
21 | * @file microhttpd/sha1.c | ||
22 | * @brief Calculation of SHA-1 digest as defined in FIPS PUB 180-4 (2015) | ||
23 | * @author Karlson2k (Evgeny Grin) | ||
24 | */ | ||
25 | |||
26 | #include "sha1.h" | ||
27 | |||
28 | #include <string.h> | ||
29 | #ifdef HAVE_MEMORY_H | ||
30 | #include <memory.h> | ||
31 | #endif /* HAVE_MEMORY_H */ | ||
32 | #include "mhd_bithelpers.h" | ||
33 | #include "mhd_assert.h" | ||
34 | |||
35 | /** | ||
36 | * Initialise structure for SHA-1 calculation. | ||
37 | * | ||
38 | * @param ctx_ must be a `struct sha1_ctx *` | ||
39 | */ | ||
40 | void | ||
41 | MHD_SHA1_init (void *ctx_) | ||
42 | { | ||
43 | struct sha1_ctx *const ctx = ctx_; | ||
44 | /* Initial hash values, see FIPS PUB 180-4 paragraph 5.3.1 */ | ||
45 | /* Just some "magic" numbers defined by standard */ | ||
46 | ctx->H[0] = 0x67452301UL; | ||
47 | ctx->H[1] = 0xefcdab89UL; | ||
48 | ctx->H[2] = 0x98badcfeUL; | ||
49 | ctx->H[3] = 0x10325476UL; | ||
50 | ctx->H[4] = 0xc3d2e1f0UL; | ||
51 | |||
52 | /* Initialise number of bytes. */ | ||
53 | ctx->count = 0; | ||
54 | } | ||
55 | |||
56 | |||
57 | /** | ||
58 | * Number of bytes in single SHA-1 word | ||
59 | */ | ||
60 | #define SHA1_BYTES_IN_WORD (32 / 8) | ||
61 | |||
62 | /** | ||
63 | * Base of SHA-1 transformation. | ||
64 | * Gets full 512 bits / 64 bytes block of data and updates hash values; | ||
65 | * @param H hash values | ||
66 | * @param data data, must be exactly 64 bytes long | ||
67 | */ | ||
68 | static void | ||
69 | sha1_transform (uint32_t H[_SHA1_DIGEST_LENGTH], | ||
70 | const uint8_t data[SHA1_BLOCK_SIZE]) | ||
71 | { | ||
72 | /* Working variables, | ||
73 | see FIPS PUB 180-4 paragraph 6.1.3 */ | ||
74 | uint32_t a = H[0]; | ||
75 | uint32_t b = H[1]; | ||
76 | uint32_t c = H[2]; | ||
77 | uint32_t d = H[3]; | ||
78 | uint32_t e = H[4]; | ||
79 | |||
80 | /* Data buffer, used as cyclic buffer. | ||
81 | See FIPS PUB 180-4 paragraphs 5.2.1, 6.1.3 */ | ||
82 | uint32_t W[16]; | ||
83 | |||
84 | /* 'Ch' and 'Maj' macro functions are defined with | ||
85 | widely-used optimization. | ||
86 | See FIPS PUB 180-4 formulae 4.1. */ | ||
87 | #define Ch(x,y,z) ( (z) ^ ((x) & ((y) ^ (z))) ) | ||
88 | #define Maj(x,y,z) ( ((x) & (y)) ^ ((z) & ((x) ^ (y))) ) | ||
89 | /* Unoptimized (original) versions: */ | ||
90 | /* #define Ch(x,y,z) ( ( (x) & (y) ) ^ ( ~(x) & (z) ) ) */ | ||
91 | /* #define Maj(x,y,z) ( ((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)) ) */ | ||
92 | #define Par(x,y,z) ( (x) ^ (y) ^ (z) ) | ||
93 | |||
94 | /* Single step of SHA-1 computation, | ||
95 | see FIPS PUB 180-4 paragraph 6.1.3 step 3. | ||
96 | * Note: instead of reassigning all working variables on each step, | ||
97 | variables are rotated for each step: | ||
98 | SHA1STEP32 (a, b, c, d, e, func, K00, W[0]); | ||
99 | SHA1STEP32 (e, a, b, c, d, func, K00, W[1]); | ||
100 | so current 'vC' will be used as 'vD' on the next step, | ||
101 | current 'vE' will be used as 'vA' on the next step. | ||
102 | * Note: 'wt' must be used exactly one time in this macro as it change other data as well | ||
103 | every time when used. */ | ||
104 | |||
105 | #define SHA1STEP32(vA,vB,vC,vD,vE,ft,kt,wt) do { \ | ||
106 | (vE) += _MHD_ROTL32 ((vA), 5) + ft ((vB), (vC), (vD)) + (kt) + (wt); \ | ||
107 | (vB) = _MHD_ROTL32 ((vB), 30); } while (0) | ||
108 | |||
109 | /* Get value of W(t) from input data buffer, | ||
110 | See FIPS PUB 180-4 paragraph 6.1.3. | ||
111 | Input data must be read in big-endian bytes order, | ||
112 | see FIPS PUB 180-4 paragraph 3.1.2. */ | ||
113 | #define GET_W_FROM_DATA(buf,t) \ | ||
114 | _MHD_GET_32BIT_BE (((const uint8_t*) (buf)) + (t) * SHA1_BYTES_IN_WORD) | ||
115 | |||
116 | /* SHA-1 values of Kt for t=0..19, see FIPS PUB 180-4 paragraph 4.2.1. */ | ||
117 | #define K00 0x5a827999UL | ||
118 | /* SHA-1 values of Kt for t=20..39, see FIPS PUB 180-4 paragraph 4.2.1.*/ | ||
119 | #define K20 0x6ed9eba1UL | ||
120 | /* SHA-1 values of Kt for t=40..59, see FIPS PUB 180-4 paragraph 4.2.1.*/ | ||
121 | #define K40 0x8f1bbcdcUL | ||
122 | /* SHA-1 values of Kt for t=60..79, see FIPS PUB 180-4 paragraph 4.2.1.*/ | ||
123 | #define K60 0xca62c1d6UL | ||
124 | |||
125 | /* During first 16 steps, before making any calculations on each step, | ||
126 | the W element is read from input data buffer as big-endian value and | ||
127 | stored in array of W elements. */ | ||
128 | /* Note: instead of using K constants as array, all K values are specified | ||
129 | individually for each step. */ | ||
130 | SHA1STEP32 (a, b, c, d, e, Ch, K00, W[0] = GET_W_FROM_DATA (data, 0)); | ||
131 | SHA1STEP32 (e, a, b, c, d, Ch, K00, W[1] = GET_W_FROM_DATA (data, 1)); | ||
132 | SHA1STEP32 (d, e, a, b, c, Ch, K00, W[2] = GET_W_FROM_DATA (data, 2)); | ||
133 | SHA1STEP32 (c, d, e, a, b, Ch, K00, W[3] = GET_W_FROM_DATA (data, 3)); | ||
134 | SHA1STEP32 (b, c, d, e, a, Ch, K00, W[4] = GET_W_FROM_DATA (data, 4)); | ||
135 | SHA1STEP32 (a, b, c, d, e, Ch, K00, W[5] = GET_W_FROM_DATA (data, 5)); | ||
136 | SHA1STEP32 (e, a, b, c, d, Ch, K00, W[6] = GET_W_FROM_DATA (data, 6)); | ||
137 | SHA1STEP32 (d, e, a, b, c, Ch, K00, W[7] = GET_W_FROM_DATA (data, 7)); | ||
138 | SHA1STEP32 (c, d, e, a, b, Ch, K00, W[8] = GET_W_FROM_DATA (data, 8)); | ||
139 | SHA1STEP32 (b, c, d, e, a, Ch, K00, W[9] = GET_W_FROM_DATA (data, 9)); | ||
140 | SHA1STEP32 (a, b, c, d, e, Ch, K00, W[10] = GET_W_FROM_DATA (data, 10)); | ||
141 | SHA1STEP32 (e, a, b, c, d, Ch, K00, W[11] = GET_W_FROM_DATA (data, 11)); | ||
142 | SHA1STEP32 (d, e, a, b, c, Ch, K00, W[12] = GET_W_FROM_DATA (data, 12)); | ||
143 | SHA1STEP32 (c, d, e, a, b, Ch, K00, W[13] = GET_W_FROM_DATA (data, 13)); | ||
144 | SHA1STEP32 (b, c, d, e, a, Ch, K00, W[14] = GET_W_FROM_DATA (data, 14)); | ||
145 | SHA1STEP32 (a, b, c, d, e, Ch, K00, W[15] = GET_W_FROM_DATA (data, 15)); | ||
146 | |||
147 | /* 'W' generation and assignment for 16 <= t <= 79. | ||
148 | See FIPS PUB 180-4 paragraph 6.1.3. | ||
149 | As only last 16 'W' are used in calculations, it is possible to | ||
150 | use 16 elements array of W as cyclic buffer. */ | ||
151 | #define Wgen(w,t) _MHD_ROTL32((w)[(t + 13) & 0xf] ^ (w)[(t + 8) & 0xf] \ | ||
152 | ^ (w)[(t + 2) & 0xf] ^ (w)[t & 0xf], 1) | ||
153 | |||
154 | /* During last 60 steps, before making any calculations on each step, | ||
155 | W element is generated from W elements of cyclic buffer and generated value | ||
156 | stored back in cyclic buffer. */ | ||
157 | /* Note: instead of using K constants as array, all K values are specified | ||
158 | individually for each step, see FIPS PUB 180-4 paragraph 4.2.1. */ | ||
159 | SHA1STEP32 (e, a, b, c, d, Ch, K00, W[16 & 0xf] = Wgen (W, 16)); | ||
160 | SHA1STEP32 (d, e, a, b, c, Ch, K00, W[17 & 0xf] = Wgen (W, 17)); | ||
161 | SHA1STEP32 (c, d, e, a, b, Ch, K00, W[18 & 0xf] = Wgen (W, 18)); | ||
162 | SHA1STEP32 (b, c, d, e, a, Ch, K00, W[19 & 0xf] = Wgen (W, 19)); | ||
163 | SHA1STEP32 (a, b, c, d, e, Par, K20, W[20 & 0xf] = Wgen (W, 20)); | ||
164 | SHA1STEP32 (e, a, b, c, d, Par, K20, W[21 & 0xf] = Wgen (W, 21)); | ||
165 | SHA1STEP32 (d, e, a, b, c, Par, K20, W[22 & 0xf] = Wgen (W, 22)); | ||
166 | SHA1STEP32 (c, d, e, a, b, Par, K20, W[23 & 0xf] = Wgen (W, 23)); | ||
167 | SHA1STEP32 (b, c, d, e, a, Par, K20, W[24 & 0xf] = Wgen (W, 24)); | ||
168 | SHA1STEP32 (a, b, c, d, e, Par, K20, W[25 & 0xf] = Wgen (W, 25)); | ||
169 | SHA1STEP32 (e, a, b, c, d, Par, K20, W[26 & 0xf] = Wgen (W, 26)); | ||
170 | SHA1STEP32 (d, e, a, b, c, Par, K20, W[27 & 0xf] = Wgen (W, 27)); | ||
171 | SHA1STEP32 (c, d, e, a, b, Par, K20, W[28 & 0xf] = Wgen (W, 28)); | ||
172 | SHA1STEP32 (b, c, d, e, a, Par, K20, W[29 & 0xf] = Wgen (W, 29)); | ||
173 | SHA1STEP32 (a, b, c, d, e, Par, K20, W[30 & 0xf] = Wgen (W, 30)); | ||
174 | SHA1STEP32 (e, a, b, c, d, Par, K20, W[31 & 0xf] = Wgen (W, 31)); | ||
175 | SHA1STEP32 (d, e, a, b, c, Par, K20, W[32 & 0xf] = Wgen (W, 32)); | ||
176 | SHA1STEP32 (c, d, e, a, b, Par, K20, W[33 & 0xf] = Wgen (W, 33)); | ||
177 | SHA1STEP32 (b, c, d, e, a, Par, K20, W[34 & 0xf] = Wgen (W, 34)); | ||
178 | SHA1STEP32 (a, b, c, d, e, Par, K20, W[35 & 0xf] = Wgen (W, 35)); | ||
179 | SHA1STEP32 (e, a, b, c, d, Par, K20, W[36 & 0xf] = Wgen (W, 36)); | ||
180 | SHA1STEP32 (d, e, a, b, c, Par, K20, W[37 & 0xf] = Wgen (W, 37)); | ||
181 | SHA1STEP32 (c, d, e, a, b, Par, K20, W[38 & 0xf] = Wgen (W, 38)); | ||
182 | SHA1STEP32 (b, c, d, e, a, Par, K20, W[39 & 0xf] = Wgen (W, 39)); | ||
183 | SHA1STEP32 (a, b, c, d, e, Maj, K40, W[40 & 0xf] = Wgen (W, 40)); | ||
184 | SHA1STEP32 (e, a, b, c, d, Maj, K40, W[41 & 0xf] = Wgen (W, 41)); | ||
185 | SHA1STEP32 (d, e, a, b, c, Maj, K40, W[42 & 0xf] = Wgen (W, 42)); | ||
186 | SHA1STEP32 (c, d, e, a, b, Maj, K40, W[43 & 0xf] = Wgen (W, 43)); | ||
187 | SHA1STEP32 (b, c, d, e, a, Maj, K40, W[44 & 0xf] = Wgen (W, 44)); | ||
188 | SHA1STEP32 (a, b, c, d, e, Maj, K40, W[45 & 0xf] = Wgen (W, 45)); | ||
189 | SHA1STEP32 (e, a, b, c, d, Maj, K40, W[46 & 0xf] = Wgen (W, 46)); | ||
190 | SHA1STEP32 (d, e, a, b, c, Maj, K40, W[47 & 0xf] = Wgen (W, 47)); | ||
191 | SHA1STEP32 (c, d, e, a, b, Maj, K40, W[48 & 0xf] = Wgen (W, 48)); | ||
192 | SHA1STEP32 (b, c, d, e, a, Maj, K40, W[49 & 0xf] = Wgen (W, 49)); | ||
193 | SHA1STEP32 (a, b, c, d, e, Maj, K40, W[50 & 0xf] = Wgen (W, 50)); | ||
194 | SHA1STEP32 (e, a, b, c, d, Maj, K40, W[51 & 0xf] = Wgen (W, 51)); | ||
195 | SHA1STEP32 (d, e, a, b, c, Maj, K40, W[52 & 0xf] = Wgen (W, 52)); | ||
196 | SHA1STEP32 (c, d, e, a, b, Maj, K40, W[53 & 0xf] = Wgen (W, 53)); | ||
197 | SHA1STEP32 (b, c, d, e, a, Maj, K40, W[54 & 0xf] = Wgen (W, 54)); | ||
198 | SHA1STEP32 (a, b, c, d, e, Maj, K40, W[55 & 0xf] = Wgen (W, 55)); | ||
199 | SHA1STEP32 (e, a, b, c, d, Maj, K40, W[56 & 0xf] = Wgen (W, 56)); | ||
200 | SHA1STEP32 (d, e, a, b, c, Maj, K40, W[57 & 0xf] = Wgen (W, 57)); | ||
201 | SHA1STEP32 (c, d, e, a, b, Maj, K40, W[58 & 0xf] = Wgen (W, 58)); | ||
202 | SHA1STEP32 (b, c, d, e, a, Maj, K40, W[59 & 0xf] = Wgen (W, 59)); | ||
203 | SHA1STEP32 (a, b, c, d, e, Par, K60, W[60 & 0xf] = Wgen (W, 60)); | ||
204 | SHA1STEP32 (e, a, b, c, d, Par, K60, W[61 & 0xf] = Wgen (W, 61)); | ||
205 | SHA1STEP32 (d, e, a, b, c, Par, K60, W[62 & 0xf] = Wgen (W, 62)); | ||
206 | SHA1STEP32 (c, d, e, a, b, Par, K60, W[63 & 0xf] = Wgen (W, 63)); | ||
207 | SHA1STEP32 (b, c, d, e, a, Par, K60, W[64 & 0xf] = Wgen (W, 64)); | ||
208 | SHA1STEP32 (a, b, c, d, e, Par, K60, W[65 & 0xf] = Wgen (W, 65)); | ||
209 | SHA1STEP32 (e, a, b, c, d, Par, K60, W[66 & 0xf] = Wgen (W, 66)); | ||
210 | SHA1STEP32 (d, e, a, b, c, Par, K60, W[67 & 0xf] = Wgen (W, 67)); | ||
211 | SHA1STEP32 (c, d, e, a, b, Par, K60, W[68 & 0xf] = Wgen (W, 68)); | ||
212 | SHA1STEP32 (b, c, d, e, a, Par, K60, W[69 & 0xf] = Wgen (W, 69)); | ||
213 | SHA1STEP32 (a, b, c, d, e, Par, K60, W[70 & 0xf] = Wgen (W, 70)); | ||
214 | SHA1STEP32 (e, a, b, c, d, Par, K60, W[71 & 0xf] = Wgen (W, 71)); | ||
215 | SHA1STEP32 (d, e, a, b, c, Par, K60, W[72 & 0xf] = Wgen (W, 72)); | ||
216 | SHA1STEP32 (c, d, e, a, b, Par, K60, W[73 & 0xf] = Wgen (W, 73)); | ||
217 | SHA1STEP32 (b, c, d, e, a, Par, K60, W[74 & 0xf] = Wgen (W, 74)); | ||
218 | SHA1STEP32 (a, b, c, d, e, Par, K60, W[75 & 0xf] = Wgen (W, 75)); | ||
219 | SHA1STEP32 (e, a, b, c, d, Par, K60, W[76 & 0xf] = Wgen (W, 76)); | ||
220 | SHA1STEP32 (d, e, a, b, c, Par, K60, W[77 & 0xf] = Wgen (W, 77)); | ||
221 | SHA1STEP32 (c, d, e, a, b, Par, K60, W[78 & 0xf] = Wgen (W, 78)); | ||
222 | SHA1STEP32 (b, c, d, e, a, Par, K60, W[79 & 0xf] = Wgen (W, 79)); | ||
223 | |||
224 | /* Compute intermediate hash. | ||
225 | See FIPS PUB 180-4 paragraph 6.1.3 step 4. */ | ||
226 | H[0] += a; | ||
227 | H[1] += b; | ||
228 | H[2] += c; | ||
229 | H[3] += d; | ||
230 | H[4] += e; | ||
231 | } | ||
232 | |||
233 | |||
234 | /** | ||
235 | * Process portion of bytes. | ||
236 | * | ||
237 | * @param ctx_ must be a `struct sha1_ctx *` | ||
238 | * @param data bytes to add to hash | ||
239 | * @param length number of bytes in @a data | ||
240 | */ | ||
241 | void | ||
242 | MHD_SHA1_update (void *ctx_, | ||
243 | const uint8_t *data, | ||
244 | size_t length) | ||
245 | { | ||
246 | struct sha1_ctx *const ctx = ctx_; | ||
247 | unsigned bytes_have; /**< Number of bytes in buffer */ | ||
248 | |||
249 | mhd_assert ((data != NULL) || (length == 0)); | ||
250 | |||
251 | if (0 == length) | ||
252 | return; /* Do nothing */ | ||
253 | |||
254 | /* Note: (count & (SHA1_BLOCK_SIZE-1)) | ||
255 | equal (count % SHA1_BLOCK_SIZE) for this block size. */ | ||
256 | bytes_have = (unsigned) (ctx->count & (SHA1_BLOCK_SIZE - 1)); | ||
257 | ctx->count += length; | ||
258 | |||
259 | if (0 != bytes_have) | ||
260 | { | ||
261 | unsigned bytes_left = SHA1_BLOCK_SIZE - bytes_have; | ||
262 | if (length >= bytes_left) | ||
263 | { /* Combine new data with the data in the buffer and | ||
264 | process the full block. */ | ||
265 | memcpy (ctx->buffer + bytes_have, | ||
266 | data, | ||
267 | bytes_left); | ||
268 | data += bytes_left; | ||
269 | length -= bytes_left; | ||
270 | sha1_transform (ctx->H, ctx->buffer); | ||
271 | bytes_have = 0; | ||
272 | } | ||
273 | } | ||
274 | |||
275 | while (SHA1_BLOCK_SIZE <= length) | ||
276 | { /* Process any full blocks of new data directly, | ||
277 | without copying to the buffer. */ | ||
278 | sha1_transform (ctx->H, data); | ||
279 | data += SHA1_BLOCK_SIZE; | ||
280 | length -= SHA1_BLOCK_SIZE; | ||
281 | } | ||
282 | |||
283 | if (0 != length) | ||
284 | { /* Copy incomplete block of new data (if any) | ||
285 | to the buffer. */ | ||
286 | memcpy (ctx->buffer + bytes_have, data, length); | ||
287 | } | ||
288 | } | ||
289 | |||
290 | |||
291 | /** | ||
292 | * Size of "length" padding addition in bytes. | ||
293 | * See FIPS PUB 180-4 paragraph 5.1.1. | ||
294 | */ | ||
295 | #define SHA1_SIZE_OF_LEN_ADD (64 / 8) | ||
296 | |||
297 | /** | ||
298 | * Finalise SHA-1 calculation, return digest. | ||
299 | * | ||
300 | * @param ctx_ must be a `struct sha1_ctx *` | ||
301 | * @param[out] digest set to the hash, must be #SHA1_DIGEST_SIZE bytes | ||
302 | */ | ||
303 | void | ||
304 | MHD_SHA1_finish (void *ctx_, | ||
305 | uint8_t digest[SHA1_DIGEST_SIZE]) | ||
306 | { | ||
307 | struct sha1_ctx *const ctx = ctx_; | ||
308 | uint64_t num_bits; /**< Number of processed bits */ | ||
309 | unsigned bytes_have; /**< Number of bytes in buffer */ | ||
310 | |||
311 | num_bits = ctx->count << 3; | ||
312 | /* Note: (count & (SHA1_BLOCK_SIZE-1)) | ||
313 | equal (count % SHA1_BLOCK_SIZE) for this block size. */ | ||
314 | bytes_have = (unsigned) (ctx->count & (SHA1_BLOCK_SIZE - 1)); | ||
315 | |||
316 | /* Input data must be padded with bit "1" and with length of data in bits. | ||
317 | See FIPS PUB 180-4 paragraph 5.1.1. */ | ||
318 | /* Data is always processed in form of bytes (not by individual bits), | ||
319 | therefore position of first padding bit in byte is always predefined (0x80). */ | ||
320 | /* Buffer always have space at least for one byte (as full buffers are | ||
321 | processed immediately). */ | ||
322 | ctx->buffer[bytes_have++] = 0x80; | ||
323 | |||
324 | if (SHA1_BLOCK_SIZE - bytes_have < SHA1_SIZE_OF_LEN_ADD) | ||
325 | { /* No space in current block to put total length of message. | ||
326 | Pad current block with zeros and process it. */ | ||
327 | if (SHA1_BLOCK_SIZE > bytes_have) | ||
328 | memset (ctx->buffer + bytes_have, 0, SHA1_BLOCK_SIZE - bytes_have); | ||
329 | /* Process full block. */ | ||
330 | sha1_transform (ctx->H, ctx->buffer); | ||
331 | /* Start new block. */ | ||
332 | bytes_have = 0; | ||
333 | } | ||
334 | |||
335 | /* Pad the rest of the buffer with zeros. */ | ||
336 | memset (ctx->buffer + bytes_have, 0, | ||
337 | SHA1_BLOCK_SIZE - SHA1_SIZE_OF_LEN_ADD - bytes_have); | ||
338 | /* Put the number of bits in the processed message as a big-endian value. */ | ||
339 | _MHD_PUT_64BIT_BE (ctx->buffer + SHA1_BLOCK_SIZE - SHA1_SIZE_OF_LEN_ADD, | ||
340 | num_bits); | ||
341 | /* Process the full final block. */ | ||
342 | sha1_transform (ctx->H, ctx->buffer); | ||
343 | |||
344 | /* Put final hash/digest in BE mode */ | ||
345 | _MHD_PUT_32BIT_BE (digest + 0 * SHA1_BYTES_IN_WORD, ctx->H[0]); | ||
346 | _MHD_PUT_32BIT_BE (digest + 1 * SHA1_BYTES_IN_WORD, ctx->H[1]); | ||
347 | _MHD_PUT_32BIT_BE (digest + 2 * SHA1_BYTES_IN_WORD, ctx->H[2]); | ||
348 | _MHD_PUT_32BIT_BE (digest + 3 * SHA1_BYTES_IN_WORD, ctx->H[3]); | ||
349 | _MHD_PUT_32BIT_BE (digest + 4 * SHA1_BYTES_IN_WORD, ctx->H[4]); | ||
350 | |||
351 | /* Erase potentially sensitive data. */ | ||
352 | memset (ctx, 0, sizeof(struct sha1_ctx)); | ||
353 | } | ||