diff options
Diffstat (limited to 'src/microhttpd_ws/sha1.c')
-rw-r--r-- | src/microhttpd_ws/sha1.c | 720 |
1 files changed, 339 insertions, 381 deletions
diff --git a/src/microhttpd_ws/sha1.c b/src/microhttpd_ws/sha1.c index 910c1bdb..9888cbfe 100644 --- a/src/microhttpd_ws/sha1.c +++ b/src/microhttpd_ws/sha1.c | |||
@@ -1,420 +1,378 @@ | |||
1 | /* sha1.c - Functions to compute SHA1 message digest of files or | 1 | /* |
2 | memory blocks according to the NIST specification FIPS-180-1. | 2 | This file is part of libmicrohttpd |
3 | 3 | Copyright (C) 2019-2021 Karlson2k (Evgeny Grin) | |
4 | Copyright (C) 2000-2021 Free Software Foundation, Inc. | 4 | |
5 | 5 | libmicrohttpd is free software; you can redistribute it and/or | |
6 | This program is free software; you can redistribute it and/or modify it | 6 | modify it under the terms of the GNU Lesser General Public |
7 | under the terms of the GNU General Public License as published by the | 7 | License as published by the Free Software Foundation; either |
8 | Free Software Foundation; either version 2, or (at your option) any | 8 | version 2.1 of the License, or (at your option) any later version. |
9 | later version. | 9 | |
10 | 10 | This library is distributed in the hope that it will be useful, | |
11 | This program is distributed in the hope that it will be useful, | 11 | but WITHOUT ANY WARRANTY; without even the implied warranty of |
12 | but WITHOUT ANY WARRANTY; without even the implied warranty of | 12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
13 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | 13 | Lesser General Public License for more details. |
14 | GNU General Public License for more details. | 14 | |
15 | 15 | You should have received a copy of the GNU Lesser General Public | |
16 | You should have received a copy of the GNU General Public License | 16 | License along with this library. |
17 | along with this program; if not, write to the Free Software Foundation, | 17 | If not, see <http://www.gnu.org/licenses/>. |
18 | Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. */ | ||
19 | |||
20 | /* Written by Scott G. Miller | ||
21 | Credits: | ||
22 | Robert Klep <robert@ilse.nl> -- Expansion function fix | ||
23 | */ | 18 | */ |
24 | 19 | ||
25 | /*#include <config.h>*/ | 20 | /** |
21 | * @file microhttpd/sha1.c | ||
22 | * @brief Calculation of SHA-1 digest as defined in FIPS PUB 180-4 (2015) | ||
23 | * @author Karlson2k (Evgeny Grin) | ||
24 | */ | ||
26 | 25 | ||
27 | #include "sha1.h" | 26 | #include "sha1.h" |
28 | 27 | ||
29 | #include <stddef.h> | ||
30 | #include <string.h> | 28 | #include <string.h> |
31 | 29 | #ifdef HAVE_MEMORY_H | |
32 | #if USE_UNLOCKED_IO | 30 | #include <memory.h> |
33 | # include "unlocked-io.h" | 31 | #endif /* HAVE_MEMORY_H */ |
34 | #endif | 32 | #include "mhd_bithelpers.h" |
35 | 33 | #include "mhd_assert.h" | |
36 | #ifdef WORDS_BIGENDIAN | 34 | |
37 | # define SWAP(n) (n) | 35 | /** |
38 | #else | 36 | * Initialise structure for SHA-1 calculation. |
39 | # define SWAP(n) \ | 37 | * |
40 | (((n) << 24) | (((n) & 0xff00) << 8) | (((n) >> 8) & 0xff00) | ((n) >> 24)) | 38 | * @param ctx_ must be a `struct sha1_ctx *` |
41 | #endif | 39 | */ |
42 | |||
43 | #define BLOCKSIZE 4096 | ||
44 | #if BLOCKSIZE % 64 != 0 | ||
45 | # error "invalid BLOCKSIZE" | ||
46 | #endif | ||
47 | |||
48 | /* This array contains the bytes used to pad the buffer to the next | ||
49 | 64-byte boundary. (RFC 1321, 3.1: Step 1) */ | ||
50 | static const unsigned char fillbuf[64] = { 0x80, 0 /* , 0, 0, ... */ }; | ||
51 | |||
52 | |||
53 | /* Take a pointer to a 160 bit block of data (five 32 bit ints) and | ||
54 | initialize it to the start constants of the SHA1 algorithm. This | ||
55 | must be called before using hash in the call to sha1_hash. */ | ||
56 | void | 40 | void |
57 | sha1_init_ctx (struct sha1_ctx *ctx) | 41 | MHD_SHA1_init (void *ctx_) |
58 | { | 42 | { |
59 | ctx->A = 0x67452301; | 43 | struct sha1_ctx *const ctx = ctx_; |
60 | ctx->B = 0xefcdab89; | 44 | /* Initial hash values, see FIPS PUB 180-4 paragraph 5.3.1 */ |
61 | ctx->C = 0x98badcfe; | 45 | /* Just some "magic" numbers defined by standard */ |
62 | ctx->D = 0x10325476; | 46 | ctx->H[0] = UINT32_C (0x67452301); |
63 | ctx->E = 0xc3d2e1f0; | 47 | ctx->H[1] = UINT32_C (0xefcdab89); |
64 | 48 | ctx->H[2] = UINT32_C (0x98badcfe); | |
65 | ctx->total[0] = ctx->total[1] = 0; | 49 | ctx->H[3] = UINT32_C (0x10325476); |
66 | ctx->buflen = 0; | 50 | ctx->H[4] = UINT32_C (0xc3d2e1f0); |
51 | |||
52 | /* Initialise number of bytes. */ | ||
53 | ctx->count = 0; | ||
67 | } | 54 | } |
68 | 55 | ||
69 | 56 | ||
70 | /* Put result from CTX in first 20 bytes following RESBUF. The result | 57 | /** |
71 | must be in little endian byte order. | 58 | * Base of SHA-1 transformation. |
72 | 59 | * Gets full 512 bits / 64 bytes block of data and updates hash values; | |
73 | IMPORTANT: On some systems it is required that RESBUF is correctly | 60 | * @param H hash values |
74 | aligned for a 32-bit value. */ | 61 | * @param data data, must be exactly 64 bytes long |
75 | void * | 62 | */ |
76 | sha1_read_ctx (const struct sha1_ctx *ctx, void *resbuf) | 63 | static void |
64 | sha1_transform (uint32_t H[_SHA1_DIGEST_LENGTH], | ||
65 | const uint8_t data[SHA1_BLOCK_SIZE]) | ||
77 | { | 66 | { |
78 | ((sha1_uint32 *) resbuf)[0] = SWAP (ctx->A); | 67 | /* Working variables, |
79 | ((sha1_uint32 *) resbuf)[1] = SWAP (ctx->B); | 68 | see FIPS PUB 180-4 paragraph 6.1.3 */ |
80 | ((sha1_uint32 *) resbuf)[2] = SWAP (ctx->C); | 69 | uint32_t a = H[0]; |
81 | ((sha1_uint32 *) resbuf)[3] = SWAP (ctx->D); | 70 | uint32_t b = H[1]; |
82 | ((sha1_uint32 *) resbuf)[4] = SWAP (ctx->E); | 71 | uint32_t c = H[2]; |
83 | 72 | uint32_t d = H[3]; | |
84 | return resbuf; | 73 | uint32_t e = H[4]; |
74 | |||
75 | /* Data buffer, used as cyclic buffer. | ||
76 | See FIPS PUB 180-4 paragraphs 5.2.1, 6.1.3 */ | ||
77 | uint32_t W[16]; | ||
78 | |||
79 | /* 'Ch' and 'Maj' macro functions are defined with | ||
80 | widely-used optimization. | ||
81 | See FIPS PUB 180-4 formulae 4.1. */ | ||
82 | #define Ch(x,y,z) ( (z) ^ ((x) & ((y) ^ (z))) ) | ||
83 | #define Maj(x,y,z) ( ((x) & (y)) ^ ((z) & ((x) ^ (y))) ) | ||
84 | /* Unoptimized (original) versions: */ | ||
85 | /* #define Ch(x,y,z) ( ( (x) & (y) ) ^ ( ~(x) & (z) ) ) */ | ||
86 | /* #define Maj(x,y,z) ( ((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)) ) */ | ||
87 | #define Par(x,y,z) ( (x) ^ (y) ^ (z) ) | ||
88 | |||
89 | /* Single step of SHA-1 computation, | ||
90 | see FIPS PUB 180-4 paragraph 6.1.3 step 3. | ||
91 | * Note: instead of reassigning all working variables on each step, | ||
92 | variables are rotated for each step: | ||
93 | SHA1STEP32 (a, b, c, d, e, func, K00, W[0]); | ||
94 | SHA1STEP32 (e, a, b, c, d, func, K00, W[1]); | ||
95 | so current 'vC' will be used as 'vD' on the next step, | ||
96 | current 'vE' will be used as 'vA' on the next step. | ||
97 | * Note: 'wt' must be used exactly one time in this macro as it change other data as well | ||
98 | every time when used. */ | ||
99 | |||
100 | #define SHA1STEP32(vA,vB,vC,vD,vE,ft,kt,wt) do { \ | ||
101 | (vE) += _MHD_ROTL32 ((vA), 5) + ft ((vB), (vC), (vD)) + (kt) + (wt); \ | ||
102 | (vB) = _MHD_ROTL32 ((vB), 30); } while (0) | ||
103 | |||
104 | /* Get value of W(t) from input data buffer, | ||
105 | See FIPS PUB 180-4 paragraph 6.1.3. | ||
106 | Input data must be read in big-endian bytes order, | ||
107 | see FIPS PUB 180-4 paragraph 3.1.2. */ | ||
108 | #define GET_W_FROM_DATA(buf,t) \ | ||
109 | _MHD_GET_32BIT_BE (((const uint8_t*) (buf)) + (t) * SHA1_BYTES_IN_WORD) | ||
110 | |||
111 | #ifndef _MHD_GET_32BIT_BE_UNALIGNED | ||
112 | if (0 != (((uintptr_t) data) % _MHD_UINT32_ALIGN)) | ||
113 | { | ||
114 | /* Copy the unaligned input data to the aligned buffer */ | ||
115 | memcpy (W, data, SHA1_BLOCK_SIZE); | ||
116 | /* The W[] buffer itself will be used as the source of the data, | ||
117 | * but data will be reloaded in correct bytes order during | ||
118 | * the next steps */ | ||
119 | data = (uint8_t*) W; | ||
120 | } | ||
121 | #endif /* _MHD_GET_32BIT_BE_UNALIGNED */ | ||
122 | |||
123 | /* SHA-1 values of Kt for t=0..19, see FIPS PUB 180-4 paragraph 4.2.1. */ | ||
124 | #define K00 UINT32_C(0x5a827999) | ||
125 | /* SHA-1 values of Kt for t=20..39, see FIPS PUB 180-4 paragraph 4.2.1.*/ | ||
126 | #define K20 UINT32_C(0x6ed9eba1) | ||
127 | /* SHA-1 values of Kt for t=40..59, see FIPS PUB 180-4 paragraph 4.2.1.*/ | ||
128 | #define K40 UINT32_C(0x8f1bbcdc) | ||
129 | /* SHA-1 values of Kt for t=60..79, see FIPS PUB 180-4 paragraph 4.2.1.*/ | ||
130 | #define K60 UINT32_C(0xca62c1d6) | ||
131 | |||
132 | /* During first 16 steps, before making any calculations on each step, | ||
133 | the W element is read from input data buffer as big-endian value and | ||
134 | stored in array of W elements. */ | ||
135 | /* Note: instead of using K constants as array, all K values are specified | ||
136 | individually for each step. */ | ||
137 | SHA1STEP32 (a, b, c, d, e, Ch, K00, W[0] = GET_W_FROM_DATA (data, 0)); | ||
138 | SHA1STEP32 (e, a, b, c, d, Ch, K00, W[1] = GET_W_FROM_DATA (data, 1)); | ||
139 | SHA1STEP32 (d, e, a, b, c, Ch, K00, W[2] = GET_W_FROM_DATA (data, 2)); | ||
140 | SHA1STEP32 (c, d, e, a, b, Ch, K00, W[3] = GET_W_FROM_DATA (data, 3)); | ||
141 | SHA1STEP32 (b, c, d, e, a, Ch, K00, W[4] = GET_W_FROM_DATA (data, 4)); | ||
142 | SHA1STEP32 (a, b, c, d, e, Ch, K00, W[5] = GET_W_FROM_DATA (data, 5)); | ||
143 | SHA1STEP32 (e, a, b, c, d, Ch, K00, W[6] = GET_W_FROM_DATA (data, 6)); | ||
144 | SHA1STEP32 (d, e, a, b, c, Ch, K00, W[7] = GET_W_FROM_DATA (data, 7)); | ||
145 | SHA1STEP32 (c, d, e, a, b, Ch, K00, W[8] = GET_W_FROM_DATA (data, 8)); | ||
146 | SHA1STEP32 (b, c, d, e, a, Ch, K00, W[9] = GET_W_FROM_DATA (data, 9)); | ||
147 | SHA1STEP32 (a, b, c, d, e, Ch, K00, W[10] = GET_W_FROM_DATA (data, 10)); | ||
148 | SHA1STEP32 (e, a, b, c, d, Ch, K00, W[11] = GET_W_FROM_DATA (data, 11)); | ||
149 | SHA1STEP32 (d, e, a, b, c, Ch, K00, W[12] = GET_W_FROM_DATA (data, 12)); | ||
150 | SHA1STEP32 (c, d, e, a, b, Ch, K00, W[13] = GET_W_FROM_DATA (data, 13)); | ||
151 | SHA1STEP32 (b, c, d, e, a, Ch, K00, W[14] = GET_W_FROM_DATA (data, 14)); | ||
152 | SHA1STEP32 (a, b, c, d, e, Ch, K00, W[15] = GET_W_FROM_DATA (data, 15)); | ||
153 | |||
154 | /* 'W' generation and assignment for 16 <= t <= 79. | ||
155 | See FIPS PUB 180-4 paragraph 6.1.3. | ||
156 | As only last 16 'W' are used in calculations, it is possible to | ||
157 | use 16 elements array of W as cyclic buffer. */ | ||
158 | #define Wgen(w,t) _MHD_ROTL32((w)[(t + 13) & 0xf] ^ (w)[(t + 8) & 0xf] \ | ||
159 | ^ (w)[(t + 2) & 0xf] ^ (w)[t & 0xf], 1) | ||
160 | |||
161 | /* During last 60 steps, before making any calculations on each step, | ||
162 | W element is generated from W elements of cyclic buffer and generated value | ||
163 | stored back in cyclic buffer. */ | ||
164 | /* Note: instead of using K constants as array, all K values are specified | ||
165 | individually for each step, see FIPS PUB 180-4 paragraph 4.2.1. */ | ||
166 | SHA1STEP32 (e, a, b, c, d, Ch, K00, W[16 & 0xf] = Wgen (W, 16)); | ||
167 | SHA1STEP32 (d, e, a, b, c, Ch, K00, W[17 & 0xf] = Wgen (W, 17)); | ||
168 | SHA1STEP32 (c, d, e, a, b, Ch, K00, W[18 & 0xf] = Wgen (W, 18)); | ||
169 | SHA1STEP32 (b, c, d, e, a, Ch, K00, W[19 & 0xf] = Wgen (W, 19)); | ||
170 | SHA1STEP32 (a, b, c, d, e, Par, K20, W[20 & 0xf] = Wgen (W, 20)); | ||
171 | SHA1STEP32 (e, a, b, c, d, Par, K20, W[21 & 0xf] = Wgen (W, 21)); | ||
172 | SHA1STEP32 (d, e, a, b, c, Par, K20, W[22 & 0xf] = Wgen (W, 22)); | ||
173 | SHA1STEP32 (c, d, e, a, b, Par, K20, W[23 & 0xf] = Wgen (W, 23)); | ||
174 | SHA1STEP32 (b, c, d, e, a, Par, K20, W[24 & 0xf] = Wgen (W, 24)); | ||
175 | SHA1STEP32 (a, b, c, d, e, Par, K20, W[25 & 0xf] = Wgen (W, 25)); | ||
176 | SHA1STEP32 (e, a, b, c, d, Par, K20, W[26 & 0xf] = Wgen (W, 26)); | ||
177 | SHA1STEP32 (d, e, a, b, c, Par, K20, W[27 & 0xf] = Wgen (W, 27)); | ||
178 | SHA1STEP32 (c, d, e, a, b, Par, K20, W[28 & 0xf] = Wgen (W, 28)); | ||
179 | SHA1STEP32 (b, c, d, e, a, Par, K20, W[29 & 0xf] = Wgen (W, 29)); | ||
180 | SHA1STEP32 (a, b, c, d, e, Par, K20, W[30 & 0xf] = Wgen (W, 30)); | ||
181 | SHA1STEP32 (e, a, b, c, d, Par, K20, W[31 & 0xf] = Wgen (W, 31)); | ||
182 | SHA1STEP32 (d, e, a, b, c, Par, K20, W[32 & 0xf] = Wgen (W, 32)); | ||
183 | SHA1STEP32 (c, d, e, a, b, Par, K20, W[33 & 0xf] = Wgen (W, 33)); | ||
184 | SHA1STEP32 (b, c, d, e, a, Par, K20, W[34 & 0xf] = Wgen (W, 34)); | ||
185 | SHA1STEP32 (a, b, c, d, e, Par, K20, W[35 & 0xf] = Wgen (W, 35)); | ||
186 | SHA1STEP32 (e, a, b, c, d, Par, K20, W[36 & 0xf] = Wgen (W, 36)); | ||
187 | SHA1STEP32 (d, e, a, b, c, Par, K20, W[37 & 0xf] = Wgen (W, 37)); | ||
188 | SHA1STEP32 (c, d, e, a, b, Par, K20, W[38 & 0xf] = Wgen (W, 38)); | ||
189 | SHA1STEP32 (b, c, d, e, a, Par, K20, W[39 & 0xf] = Wgen (W, 39)); | ||
190 | SHA1STEP32 (a, b, c, d, e, Maj, K40, W[40 & 0xf] = Wgen (W, 40)); | ||
191 | SHA1STEP32 (e, a, b, c, d, Maj, K40, W[41 & 0xf] = Wgen (W, 41)); | ||
192 | SHA1STEP32 (d, e, a, b, c, Maj, K40, W[42 & 0xf] = Wgen (W, 42)); | ||
193 | SHA1STEP32 (c, d, e, a, b, Maj, K40, W[43 & 0xf] = Wgen (W, 43)); | ||
194 | SHA1STEP32 (b, c, d, e, a, Maj, K40, W[44 & 0xf] = Wgen (W, 44)); | ||
195 | SHA1STEP32 (a, b, c, d, e, Maj, K40, W[45 & 0xf] = Wgen (W, 45)); | ||
196 | SHA1STEP32 (e, a, b, c, d, Maj, K40, W[46 & 0xf] = Wgen (W, 46)); | ||
197 | SHA1STEP32 (d, e, a, b, c, Maj, K40, W[47 & 0xf] = Wgen (W, 47)); | ||
198 | SHA1STEP32 (c, d, e, a, b, Maj, K40, W[48 & 0xf] = Wgen (W, 48)); | ||
199 | SHA1STEP32 (b, c, d, e, a, Maj, K40, W[49 & 0xf] = Wgen (W, 49)); | ||
200 | SHA1STEP32 (a, b, c, d, e, Maj, K40, W[50 & 0xf] = Wgen (W, 50)); | ||
201 | SHA1STEP32 (e, a, b, c, d, Maj, K40, W[51 & 0xf] = Wgen (W, 51)); | ||
202 | SHA1STEP32 (d, e, a, b, c, Maj, K40, W[52 & 0xf] = Wgen (W, 52)); | ||
203 | SHA1STEP32 (c, d, e, a, b, Maj, K40, W[53 & 0xf] = Wgen (W, 53)); | ||
204 | SHA1STEP32 (b, c, d, e, a, Maj, K40, W[54 & 0xf] = Wgen (W, 54)); | ||
205 | SHA1STEP32 (a, b, c, d, e, Maj, K40, W[55 & 0xf] = Wgen (W, 55)); | ||
206 | SHA1STEP32 (e, a, b, c, d, Maj, K40, W[56 & 0xf] = Wgen (W, 56)); | ||
207 | SHA1STEP32 (d, e, a, b, c, Maj, K40, W[57 & 0xf] = Wgen (W, 57)); | ||
208 | SHA1STEP32 (c, d, e, a, b, Maj, K40, W[58 & 0xf] = Wgen (W, 58)); | ||
209 | SHA1STEP32 (b, c, d, e, a, Maj, K40, W[59 & 0xf] = Wgen (W, 59)); | ||
210 | SHA1STEP32 (a, b, c, d, e, Par, K60, W[60 & 0xf] = Wgen (W, 60)); | ||
211 | SHA1STEP32 (e, a, b, c, d, Par, K60, W[61 & 0xf] = Wgen (W, 61)); | ||
212 | SHA1STEP32 (d, e, a, b, c, Par, K60, W[62 & 0xf] = Wgen (W, 62)); | ||
213 | SHA1STEP32 (c, d, e, a, b, Par, K60, W[63 & 0xf] = Wgen (W, 63)); | ||
214 | SHA1STEP32 (b, c, d, e, a, Par, K60, W[64 & 0xf] = Wgen (W, 64)); | ||
215 | SHA1STEP32 (a, b, c, d, e, Par, K60, W[65 & 0xf] = Wgen (W, 65)); | ||
216 | SHA1STEP32 (e, a, b, c, d, Par, K60, W[66 & 0xf] = Wgen (W, 66)); | ||
217 | SHA1STEP32 (d, e, a, b, c, Par, K60, W[67 & 0xf] = Wgen (W, 67)); | ||
218 | SHA1STEP32 (c, d, e, a, b, Par, K60, W[68 & 0xf] = Wgen (W, 68)); | ||
219 | SHA1STEP32 (b, c, d, e, a, Par, K60, W[69 & 0xf] = Wgen (W, 69)); | ||
220 | SHA1STEP32 (a, b, c, d, e, Par, K60, W[70 & 0xf] = Wgen (W, 70)); | ||
221 | SHA1STEP32 (e, a, b, c, d, Par, K60, W[71 & 0xf] = Wgen (W, 71)); | ||
222 | SHA1STEP32 (d, e, a, b, c, Par, K60, W[72 & 0xf] = Wgen (W, 72)); | ||
223 | SHA1STEP32 (c, d, e, a, b, Par, K60, W[73 & 0xf] = Wgen (W, 73)); | ||
224 | SHA1STEP32 (b, c, d, e, a, Par, K60, W[74 & 0xf] = Wgen (W, 74)); | ||
225 | SHA1STEP32 (a, b, c, d, e, Par, K60, W[75 & 0xf] = Wgen (W, 75)); | ||
226 | SHA1STEP32 (e, a, b, c, d, Par, K60, W[76 & 0xf] = Wgen (W, 76)); | ||
227 | SHA1STEP32 (d, e, a, b, c, Par, K60, W[77 & 0xf] = Wgen (W, 77)); | ||
228 | SHA1STEP32 (c, d, e, a, b, Par, K60, W[78 & 0xf] = Wgen (W, 78)); | ||
229 | SHA1STEP32 (b, c, d, e, a, Par, K60, W[79 & 0xf] = Wgen (W, 79)); | ||
230 | |||
231 | /* Compute intermediate hash. | ||
232 | See FIPS PUB 180-4 paragraph 6.1.3 step 4. */ | ||
233 | H[0] += a; | ||
234 | H[1] += b; | ||
235 | H[2] += c; | ||
236 | H[3] += d; | ||
237 | H[4] += e; | ||
85 | } | 238 | } |
86 | 239 | ||
87 | 240 | ||
88 | /* Process the remaining bytes in the internal buffer and the usual | 241 | /** |
89 | prolog according to the standard and write the result to RESBUF. | 242 | * Process portion of bytes. |
90 | 243 | * | |
91 | IMPORTANT: On some systems it is required that RESBUF is correctly | 244 | * @param ctx_ must be a `struct sha1_ctx *` |
92 | aligned for a 32-bit value. */ | 245 | * @param data bytes to add to hash |
93 | void * | 246 | * @param length number of bytes in @a data |
94 | sha1_finish_ctx (struct sha1_ctx *ctx, void *resbuf) | 247 | */ |
248 | void | ||
249 | MHD_SHA1_update (void *ctx_, | ||
250 | const uint8_t *data, | ||
251 | size_t length) | ||
95 | { | 252 | { |
96 | /* Take yet unprocessed bytes into account. */ | 253 | struct sha1_ctx *const ctx = ctx_; |
97 | sha1_uint32 bytes = ctx->buflen; | 254 | unsigned bytes_have; /**< Number of bytes in buffer */ |
98 | size_t size = (bytes < 56) ? 64 / 4 : 64 * 2 / 4; | ||
99 | |||
100 | /* Now count remaining bytes. */ | ||
101 | ctx->total[0] += bytes; | ||
102 | if (ctx->total[0] < bytes) | ||
103 | ++ctx->total[1]; | ||
104 | |||
105 | /* Put the 64-bit file length in *bits* at the end of the buffer. */ | ||
106 | ctx->buffer[size - 2] = SWAP ((ctx->total[1] << 3) | (ctx->total[0] >> 29)); | ||
107 | ctx->buffer[size - 1] = SWAP (ctx->total[0] << 3); | ||
108 | |||
109 | memcpy (&((char *) ctx->buffer)[bytes], fillbuf, (size - 2) * 4 - bytes); | ||
110 | |||
111 | /* Process last bytes. */ | ||
112 | sha1_process_block (ctx->buffer, size * 4, ctx); | ||
113 | |||
114 | return sha1_read_ctx (ctx, resbuf); | ||
115 | } | ||
116 | 255 | ||
256 | mhd_assert ((data != NULL) || (length == 0)); | ||
117 | 257 | ||
118 | /* Compute SHA1 message digest for bytes read from STREAM. The | 258 | if (0 == length) |
119 | resulting message digest number will be written into the 16 bytes | 259 | return; /* Do nothing */ |
120 | beginning at RESBLOCK. */ | ||
121 | int | ||
122 | sha1_stream (FILE *stream, void *resblock) | ||
123 | { | ||
124 | struct sha1_ctx ctx; | ||
125 | char buffer[BLOCKSIZE + 72]; | ||
126 | size_t sum; | ||
127 | 260 | ||
128 | /* Initialize the computation context. */ | 261 | /* Note: (count & (SHA1_BLOCK_SIZE-1)) |
129 | sha1_init_ctx (&ctx); | 262 | equal (count % SHA1_BLOCK_SIZE) for this block size. */ |
263 | bytes_have = (unsigned) (ctx->count & (SHA1_BLOCK_SIZE - 1)); | ||
264 | ctx->count += length; | ||
130 | 265 | ||
131 | /* Iterate over full file contents. */ | 266 | if (0 != bytes_have) |
132 | while (1) | ||
133 | { | 267 | { |
134 | /* We read the file in blocks of BLOCKSIZE bytes. One call of the | 268 | unsigned bytes_left = SHA1_BLOCK_SIZE - bytes_have; |
135 | computation function processes the whole buffer so that with the | 269 | if (length >= bytes_left) |
136 | next round of the loop another block can be read. */ | 270 | { /* Combine new data with the data in the buffer and |
137 | size_t n; | 271 | process the full block. */ |
138 | sum = 0; | 272 | memcpy (ctx->buffer + bytes_have, |
139 | 273 | data, | |
140 | /* Read block. Take care for partial reads. */ | 274 | bytes_left); |
141 | while (1) | 275 | data += bytes_left; |
142 | { | 276 | length -= bytes_left; |
143 | n = fread (buffer + sum, 1, BLOCKSIZE - sum, stream); | 277 | sha1_transform (ctx->H, ctx->buffer); |
144 | 278 | bytes_have = 0; | |
145 | sum += n; | ||
146 | |||
147 | if (sum == BLOCKSIZE) | ||
148 | break; | ||
149 | |||
150 | if (n == 0) | ||
151 | { | ||
152 | /* Check for the error flag IFF N == 0, so that we don't | ||
153 | exit the loop after a partial read due to e.g., EAGAIN | ||
154 | or EWOULDBLOCK. */ | ||
155 | if (ferror (stream)) | ||
156 | return 1; | ||
157 | goto process_partial_block; | ||
158 | } | ||
159 | |||
160 | /* We've read at least one byte, so ignore errors. But always | ||
161 | check for EOF, since feof may be true even though N > 0. | ||
162 | Otherwise, we could end up calling fread after EOF. */ | ||
163 | if (feof (stream)) | ||
164 | goto process_partial_block; | ||
165 | } | 279 | } |
166 | |||
167 | /* Process buffer with BLOCKSIZE bytes. Note that | ||
168 | BLOCKSIZE % 64 == 0 | ||
169 | */ | ||
170 | sha1_process_block (buffer, BLOCKSIZE, &ctx); | ||
171 | } | 280 | } |
172 | 281 | ||
173 | process_partial_block:; | 282 | while (SHA1_BLOCK_SIZE <= length) |
174 | 283 | { /* Process any full blocks of new data directly, | |
175 | /* Process any remaining bytes. */ | 284 | without copying to the buffer. */ |
176 | if (sum > 0) | 285 | sha1_transform (ctx->H, data); |
177 | sha1_process_bytes (buffer, sum, &ctx); | 286 | data += SHA1_BLOCK_SIZE; |
287 | length -= SHA1_BLOCK_SIZE; | ||
288 | } | ||
178 | 289 | ||
179 | /* Construct result in desired memory. */ | 290 | if (0 != length) |
180 | sha1_finish_ctx (&ctx, resblock); | 291 | { /* Copy incomplete block of new data (if any) |
181 | return 0; | 292 | to the buffer. */ |
293 | memcpy (ctx->buffer + bytes_have, data, length); | ||
294 | } | ||
182 | } | 295 | } |
183 | 296 | ||
184 | 297 | ||
185 | /* Compute SHA1 message digest for LEN bytes beginning at BUFFER. The | 298 | /** |
186 | result is always in little endian byte order, so that a byte-wise | 299 | * Size of "length" padding addition in bytes. |
187 | output yields to the wanted ASCII representation of the message | 300 | * See FIPS PUB 180-4 paragraph 5.1.1. |
188 | digest. */ | 301 | */ |
189 | void * | 302 | #define SHA1_SIZE_OF_LEN_ADD (64 / 8) |
190 | sha1_buffer (const char *buffer, size_t len, void *resblock) | ||
191 | { | ||
192 | struct sha1_ctx ctx; | ||
193 | |||
194 | /* Initialize the computation context. */ | ||
195 | sha1_init_ctx (&ctx); | ||
196 | |||
197 | /* Process whole buffer but last len % 64 bytes. */ | ||
198 | sha1_process_bytes (buffer, len, &ctx); | ||
199 | |||
200 | /* Put result in desired memory area. */ | ||
201 | return sha1_finish_ctx (&ctx, resblock); | ||
202 | } | ||
203 | |||
204 | 303 | ||
304 | /** | ||
305 | * Finalise SHA-1 calculation, return digest. | ||
306 | * | ||
307 | * @param ctx_ must be a `struct sha1_ctx *` | ||
308 | * @param[out] digest set to the hash, must be #SHA1_DIGEST_SIZE bytes | ||
309 | */ | ||
205 | void | 310 | void |
206 | sha1_process_bytes (const void *buffer, size_t len, struct sha1_ctx *ctx) | 311 | MHD_SHA1_finish (void *ctx_, |
312 | uint8_t digest[SHA1_DIGEST_SIZE]) | ||
207 | { | 313 | { |
208 | /* When we already have some bits in our internal buffer concatenate | 314 | struct sha1_ctx *const ctx = ctx_; |
209 | both inputs first. */ | 315 | uint64_t num_bits; /**< Number of processed bits */ |
210 | if (ctx->buflen != 0) | 316 | unsigned bytes_have; /**< Number of bytes in buffer */ |
211 | { | 317 | |
212 | size_t left_over = ctx->buflen; | 318 | num_bits = ctx->count << 3; |
213 | size_t add = 128 - left_over > len ? len : 128 - left_over; | 319 | /* Note: (count & (SHA1_BLOCK_SIZE-1)) |
214 | 320 | equals (count % SHA1_BLOCK_SIZE) for this block size. */ | |
215 | memcpy (&((char *) ctx->buffer)[left_over], buffer, add); | 321 | bytes_have = (unsigned) (ctx->count & (SHA1_BLOCK_SIZE - 1)); |
216 | ctx->buflen += add; | 322 | |
217 | 323 | /* Input data must be padded with bit "1" and with length of data in bits. | |
218 | if (ctx->buflen > 64) | 324 | See FIPS PUB 180-4 paragraph 5.1.1. */ |
219 | { | 325 | /* Data is always processed in form of bytes (not by individual bits), |
220 | sha1_process_block (ctx->buffer, ctx->buflen & ~63, ctx); | 326 | therefore position of first padding bit in byte is always predefined (0x80). */ |
221 | 327 | /* Buffer always have space at least for one byte (as full buffers are | |
222 | ctx->buflen &= 63; | 328 | processed immediately). */ |
223 | /* The regions in the following copy operation cannot overlap. */ | 329 | ctx->buffer[bytes_have++] = 0x80; |
224 | memcpy (ctx->buffer, | 330 | |
225 | &((char *) ctx->buffer)[(left_over + add) & ~63], | 331 | if (SHA1_BLOCK_SIZE - bytes_have < SHA1_SIZE_OF_LEN_ADD) |
226 | ctx->buflen); | 332 | { /* No space in current block to put total length of message. |
227 | } | 333 | Pad current block with zeros and process it. */ |
228 | 334 | if (SHA1_BLOCK_SIZE > bytes_have) | |
229 | buffer = (const char *) buffer + add; | 335 | memset (ctx->buffer + bytes_have, 0, SHA1_BLOCK_SIZE - bytes_have); |
230 | len -= add; | 336 | /* Process full block. */ |
337 | sha1_transform (ctx->H, ctx->buffer); | ||
338 | /* Start new block. */ | ||
339 | bytes_have = 0; | ||
231 | } | 340 | } |
232 | 341 | ||
233 | /* Process available complete blocks. */ | 342 | /* Pad the rest of the buffer with zeros. */ |
234 | if (len >= 64) | 343 | memset (ctx->buffer + bytes_have, 0, |
344 | SHA1_BLOCK_SIZE - SHA1_SIZE_OF_LEN_ADD - bytes_have); | ||
345 | /* Put the number of bits in the processed message as a big-endian value. */ | ||
346 | _MHD_PUT_64BIT_BE_SAFE (ctx->buffer + SHA1_BLOCK_SIZE - SHA1_SIZE_OF_LEN_ADD, | ||
347 | num_bits); | ||
348 | /* Process the full final block. */ | ||
349 | sha1_transform (ctx->H, ctx->buffer); | ||
350 | |||
351 | /* Put final hash/digest in BE mode */ | ||
352 | #ifndef _MHD_PUT_32BIT_BE_UNALIGNED | ||
353 | if (0 != ((uintptr_t) digest) % _MHD_UINT32_ALIGN) | ||
235 | { | 354 | { |
236 | #if ! _STRING_ARCH_unaligned | 355 | uint32_t alig_dgst[_SHA1_DIGEST_LENGTH]; |
237 | # define alignof(type) offsetof (struct { char c; type x; }, x) | 356 | _MHD_PUT_32BIT_BE (alig_dgst + 0, ctx->H[0]); |
238 | # define UNALIGNED_P(p) (((size_t) p) % alignof (sha1_uint32) != 0) | 357 | _MHD_PUT_32BIT_BE (alig_dgst + 1, ctx->H[1]); |
239 | if (UNALIGNED_P (buffer)) | 358 | _MHD_PUT_32BIT_BE (alig_dgst + 2, ctx->H[2]); |
240 | while (len > 64) | 359 | _MHD_PUT_32BIT_BE (alig_dgst + 3, ctx->H[3]); |
241 | { | 360 | _MHD_PUT_32BIT_BE (alig_dgst + 4, ctx->H[4]); |
242 | sha1_process_block (memcpy (ctx->buffer, buffer, 64), 64, ctx); | 361 | /* Copy result to unaligned destination address */ |
243 | buffer = (const char *) buffer + 64; | 362 | memcpy (digest, alig_dgst, SHA1_DIGEST_SIZE); |
244 | len -= 64; | ||
245 | } | ||
246 | else | ||
247 | #endif | ||
248 | { | ||
249 | sha1_process_block (buffer, len & ~63, ctx); | ||
250 | buffer = (const char *) buffer + (len & ~63); | ||
251 | len &= 63; | ||
252 | } | ||
253 | } | 363 | } |
254 | 364 | else | |
255 | /* Move remaining bytes in internal buffer. */ | 365 | #else /* _MHD_PUT_32BIT_BE_UNALIGNED */ |
256 | if (len > 0) | 366 | if (1) |
367 | #endif /* _MHD_PUT_32BIT_BE_UNALIGNED */ | ||
257 | { | 368 | { |
258 | size_t left_over = ctx->buflen; | 369 | _MHD_PUT_32BIT_BE (digest + 0 * SHA1_BYTES_IN_WORD, ctx->H[0]); |
259 | 370 | _MHD_PUT_32BIT_BE (digest + 1 * SHA1_BYTES_IN_WORD, ctx->H[1]); | |
260 | memcpy (&((char *) ctx->buffer)[left_over], buffer, len); | 371 | _MHD_PUT_32BIT_BE (digest + 2 * SHA1_BYTES_IN_WORD, ctx->H[2]); |
261 | left_over += len; | 372 | _MHD_PUT_32BIT_BE (digest + 3 * SHA1_BYTES_IN_WORD, ctx->H[3]); |
262 | if (left_over >= 64) | 373 | _MHD_PUT_32BIT_BE (digest + 4 * SHA1_BYTES_IN_WORD, ctx->H[4]); |
263 | { | ||
264 | sha1_process_block (ctx->buffer, 64, ctx); | ||
265 | left_over -= 64; | ||
266 | memmove (ctx->buffer, &ctx->buffer[16], left_over); | ||
267 | } | ||
268 | ctx->buflen = left_over; | ||
269 | } | 374 | } |
270 | } | ||
271 | |||
272 | |||
273 | /* --- Code below is the primary difference between md5.c and sha1.c --- */ | ||
274 | |||
275 | /* SHA1 round constants */ | ||
276 | #define K1 0x5a827999 | ||
277 | #define K2 0x6ed9eba1 | ||
278 | #define K3 0x8f1bbcdc | ||
279 | #define K4 0xca62c1d6 | ||
280 | |||
281 | /* Round functions. Note that F2 is the same as F4. */ | ||
282 | #define F1(B,C,D) ( D ^ ( B & ( C ^ D ) ) ) | ||
283 | #define F2(B,C,D) (B ^ C ^ D) | ||
284 | #define F3(B,C,D) ( ( B & C ) | ( D & ( B | C ) ) ) | ||
285 | #define F4(B,C,D) (B ^ C ^ D) | ||
286 | |||
287 | /* Process LEN bytes of BUFFER, accumulating context into CTX. | ||
288 | It is assumed that LEN % 64 == 0. | ||
289 | Most of this code comes from GnuPG's cipher/sha1.c. */ | ||
290 | 375 | ||
291 | void | 376 | /* Erase potentially sensitive data. */ |
292 | sha1_process_block (const void *buffer, size_t len, struct sha1_ctx *ctx) | 377 | memset (ctx, 0, sizeof(struct sha1_ctx)); |
293 | { | ||
294 | const sha1_uint32 *words = (const sha1_uint32*) buffer; | ||
295 | size_t nwords = len / sizeof (sha1_uint32); | ||
296 | const sha1_uint32 *endp = words + nwords; | ||
297 | sha1_uint32 x[16]; | ||
298 | sha1_uint32 a = ctx->A; | ||
299 | sha1_uint32 b = ctx->B; | ||
300 | sha1_uint32 c = ctx->C; | ||
301 | sha1_uint32 d = ctx->D; | ||
302 | sha1_uint32 e = ctx->E; | ||
303 | |||
304 | /* First increment the byte count. RFC 1321 specifies the possible | ||
305 | length of the file up to 2^64 bits. Here we only compute the | ||
306 | number of bytes. Do a double word increment. */ | ||
307 | ctx->total[0] += len; | ||
308 | ctx->total[1] += ((len >> 31) >> 1) + (ctx->total[0] < len); | ||
309 | |||
310 | #define rol(x, n) (((x) << (n)) | ((sha1_uint32) (x) >> (32 - (n)))) | ||
311 | |||
312 | #define M(I) ( tm = x[I&0x0f] ^ x[(I-14)&0x0f] \ | ||
313 | ^ x[(I-8)&0x0f] ^ x[(I-3)&0x0f] \ | ||
314 | , (x[I&0x0f] = rol(tm, 1)) ) | ||
315 | |||
316 | #define R(A,B,C,D,E,F,K,M) do { E += rol( A, 5 ) \ | ||
317 | + F( B, C, D ) \ | ||
318 | + K \ | ||
319 | + M; \ | ||
320 | B = rol( B, 30 ); \ | ||
321 | } while(0) | ||
322 | |||
323 | while (words < endp) | ||
324 | { | ||
325 | sha1_uint32 tm; | ||
326 | int t; | ||
327 | for (t = 0; t < 16; t++) | ||
328 | { | ||
329 | x[t] = SWAP (*words); | ||
330 | words++; | ||
331 | } | ||
332 | |||
333 | R (a, b, c, d, e, F1, K1, x[ 0]); | ||
334 | R (e, a, b, c, d, F1, K1, x[ 1]); | ||
335 | R (d, e, a, b, c, F1, K1, x[ 2]); | ||
336 | R (c, d, e, a, b, F1, K1, x[ 3]); | ||
337 | R (b, c, d, e, a, F1, K1, x[ 4]); | ||
338 | R (a, b, c, d, e, F1, K1, x[ 5]); | ||
339 | R (e, a, b, c, d, F1, K1, x[ 6]); | ||
340 | R (d, e, a, b, c, F1, K1, x[ 7]); | ||
341 | R (c, d, e, a, b, F1, K1, x[ 8]); | ||
342 | R (b, c, d, e, a, F1, K1, x[ 9]); | ||
343 | R (a, b, c, d, e, F1, K1, x[10]); | ||
344 | R (e, a, b, c, d, F1, K1, x[11]); | ||
345 | R (d, e, a, b, c, F1, K1, x[12]); | ||
346 | R (c, d, e, a, b, F1, K1, x[13]); | ||
347 | R (b, c, d, e, a, F1, K1, x[14]); | ||
348 | R (a, b, c, d, e, F1, K1, x[15]); | ||
349 | R (e, a, b, c, d, F1, K1, M (16) ); | ||
350 | R (d, e, a, b, c, F1, K1, M (17) ); | ||
351 | R (c, d, e, a, b, F1, K1, M (18) ); | ||
352 | R (b, c, d, e, a, F1, K1, M (19) ); | ||
353 | R (a, b, c, d, e, F2, K2, M (20) ); | ||
354 | R (e, a, b, c, d, F2, K2, M (21) ); | ||
355 | R (d, e, a, b, c, F2, K2, M (22) ); | ||
356 | R (c, d, e, a, b, F2, K2, M (23) ); | ||
357 | R (b, c, d, e, a, F2, K2, M (24) ); | ||
358 | R (a, b, c, d, e, F2, K2, M (25) ); | ||
359 | R (e, a, b, c, d, F2, K2, M (26) ); | ||
360 | R (d, e, a, b, c, F2, K2, M (27) ); | ||
361 | R (c, d, e, a, b, F2, K2, M (28) ); | ||
362 | R (b, c, d, e, a, F2, K2, M (29) ); | ||
363 | R (a, b, c, d, e, F2, K2, M (30) ); | ||
364 | R (e, a, b, c, d, F2, K2, M (31) ); | ||
365 | R (d, e, a, b, c, F2, K2, M (32) ); | ||
366 | R (c, d, e, a, b, F2, K2, M (33) ); | ||
367 | R (b, c, d, e, a, F2, K2, M (34) ); | ||
368 | R (a, b, c, d, e, F2, K2, M (35) ); | ||
369 | R (e, a, b, c, d, F2, K2, M (36) ); | ||
370 | R (d, e, a, b, c, F2, K2, M (37) ); | ||
371 | R (c, d, e, a, b, F2, K2, M (38) ); | ||
372 | R (b, c, d, e, a, F2, K2, M (39) ); | ||
373 | R (a, b, c, d, e, F3, K3, M (40) ); | ||
374 | R (e, a, b, c, d, F3, K3, M (41) ); | ||
375 | R (d, e, a, b, c, F3, K3, M (42) ); | ||
376 | R (c, d, e, a, b, F3, K3, M (43) ); | ||
377 | R (b, c, d, e, a, F3, K3, M (44) ); | ||
378 | R (a, b, c, d, e, F3, K3, M (45) ); | ||
379 | R (e, a, b, c, d, F3, K3, M (46) ); | ||
380 | R (d, e, a, b, c, F3, K3, M (47) ); | ||
381 | R (c, d, e, a, b, F3, K3, M (48) ); | ||
382 | R (b, c, d, e, a, F3, K3, M (49) ); | ||
383 | R (a, b, c, d, e, F3, K3, M (50) ); | ||
384 | R (e, a, b, c, d, F3, K3, M (51) ); | ||
385 | R (d, e, a, b, c, F3, K3, M (52) ); | ||
386 | R (c, d, e, a, b, F3, K3, M (53) ); | ||
387 | R (b, c, d, e, a, F3, K3, M (54) ); | ||
388 | R (a, b, c, d, e, F3, K3, M (55) ); | ||
389 | R (e, a, b, c, d, F3, K3, M (56) ); | ||
390 | R (d, e, a, b, c, F3, K3, M (57) ); | ||
391 | R (c, d, e, a, b, F3, K3, M (58) ); | ||
392 | R (b, c, d, e, a, F3, K3, M (59) ); | ||
393 | R (a, b, c, d, e, F4, K4, M (60) ); | ||
394 | R (e, a, b, c, d, F4, K4, M (61) ); | ||
395 | R (d, e, a, b, c, F4, K4, M (62) ); | ||
396 | R (c, d, e, a, b, F4, K4, M (63) ); | ||
397 | R (b, c, d, e, a, F4, K4, M (64) ); | ||
398 | R (a, b, c, d, e, F4, K4, M (65) ); | ||
399 | R (e, a, b, c, d, F4, K4, M (66) ); | ||
400 | R (d, e, a, b, c, F4, K4, M (67) ); | ||
401 | R (c, d, e, a, b, F4, K4, M (68) ); | ||
402 | R (b, c, d, e, a, F4, K4, M (69) ); | ||
403 | R (a, b, c, d, e, F4, K4, M (70) ); | ||
404 | R (e, a, b, c, d, F4, K4, M (71) ); | ||
405 | R (d, e, a, b, c, F4, K4, M (72) ); | ||
406 | R (c, d, e, a, b, F4, K4, M (73) ); | ||
407 | R (b, c, d, e, a, F4, K4, M (74) ); | ||
408 | R (a, b, c, d, e, F4, K4, M (75) ); | ||
409 | R (e, a, b, c, d, F4, K4, M (76) ); | ||
410 | R (d, e, a, b, c, F4, K4, M (77) ); | ||
411 | R (c, d, e, a, b, F4, K4, M (78) ); | ||
412 | R (b, c, d, e, a, F4, K4, M (79) ); | ||
413 | |||
414 | a = ctx->A += a; | ||
415 | b = ctx->B += b; | ||
416 | c = ctx->C += c; | ||
417 | d = ctx->D += d; | ||
418 | e = ctx->E += e; | ||
419 | } | ||
420 | } | 378 | } |