/src/libsrtp/crypto/hash/sha1.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * sha1.c |
3 | | * |
4 | | * an implementation of the Secure Hash Algorithm v.1 (SHA-1), |
5 | | * specified in FIPS 180-1 |
6 | | * |
7 | | * David A. McGrew |
8 | | * Cisco Systems, Inc. |
9 | | */ |
10 | | |
11 | | /* |
12 | | * |
13 | | * Copyright (c) 2001-2017, Cisco Systems, Inc. |
14 | | * All rights reserved. |
15 | | * |
16 | | * Redistribution and use in source and binary forms, with or without |
17 | | * modification, are permitted provided that the following conditions |
18 | | * are met: |
19 | | * |
20 | | * Redistributions of source code must retain the above copyright |
21 | | * notice, this list of conditions and the following disclaimer. |
22 | | * |
23 | | * Redistributions in binary form must reproduce the above |
24 | | * copyright notice, this list of conditions and the following |
25 | | * disclaimer in the documentation and/or other materials provided |
26 | | * with the distribution. |
27 | | * |
28 | | * Neither the name of the Cisco Systems, Inc. nor the names of its |
29 | | * contributors may be used to endorse or promote products derived |
30 | | * from this software without specific prior written permission. |
31 | | * |
32 | | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS |
33 | | * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT |
34 | | * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS |
35 | | * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE |
36 | | * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, |
37 | | * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES |
38 | | * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR |
39 | | * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
40 | | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, |
41 | | * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) |
42 | | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED |
43 | | * OF THE POSSIBILITY OF SUCH DAMAGE. |
44 | | * |
45 | | */ |
46 | | |
47 | | #ifdef HAVE_CONFIG_H |
48 | | #include <config.h> |
49 | | #endif |
50 | | |
51 | | #include "sha1.h" |
52 | | |
53 | | srtp_debug_module_t srtp_mod_sha1 = { |
54 | | false, /* debugging is off by default */ |
55 | | "sha-1" /* printable module name */ |
56 | | }; |
57 | | |
58 | | /* SN == Rotate left N bits */ |
59 | 9.78M | #define S1(X) ((X << 1) | (X >> 31)) |
60 | 12.2M | #define S5(X) ((X << 5) | (X >> 27)) |
61 | 12.2M | #define S30(X) ((X << 30) | (X >> 2)) |
62 | | |
63 | 3.05M | #define f0(B, C, D) ((B & C) | (~B & D)) |
64 | 3.05M | #define f1(B, C, D) (B ^ C ^ D) |
65 | 3.05M | #define f2(B, C, D) ((B & C) | (B & D) | (C & D)) |
66 | 3.05M | #define f3(B, C, D) (B ^ C ^ D) |
67 | | |
68 | | /* |
69 | | * nota bene: the variable K0 appears in the curses library, so we |
70 | | * give longer names to these variables to avoid spurious warnings |
71 | | * on systems that uses curses |
72 | | */ |
73 | | |
74 | | uint32_t SHA_K0 = 0x5A827999; /* Kt for 0 <= t <= 19 */ |
75 | | uint32_t SHA_K1 = 0x6ED9EBA1; /* Kt for 20 <= t <= 39 */ |
76 | | uint32_t SHA_K2 = 0x8F1BBCDC; /* Kt for 40 <= t <= 59 */ |
77 | | uint32_t SHA_K3 = 0xCA62C1D6; /* Kt for 60 <= t <= 79 */ |
78 | | |
79 | | /* |
80 | | * srtp_sha1_core(M, H) computes the core compression function, where M is |
81 | | * the next part of the message (in network byte order) and H is the |
82 | | * intermediate state { H0, H1, ...} (in host byte order) |
83 | | * |
84 | | * this function does not do any of the padding required in the |
85 | | * complete SHA1 function |
86 | | * |
87 | | * this function is used in the SEAL 3.0 key setup routines |
88 | | * (crypto/cipher/seal.c) |
89 | | */ |
90 | | |
91 | | void srtp_sha1_core(const uint32_t M[16], uint32_t hash_value[5]) |
92 | 104k | { |
93 | 104k | uint32_t H0; |
94 | 104k | uint32_t H1; |
95 | 104k | uint32_t H2; |
96 | 104k | uint32_t H3; |
97 | 104k | uint32_t H4; |
98 | 104k | uint32_t W[80]; |
99 | 104k | uint32_t A, B, C, D, E, TEMP; |
100 | 104k | size_t t; |
101 | | |
102 | | /* copy hash_value into H0, H1, H2, H3, H4 */ |
103 | 104k | H0 = hash_value[0]; |
104 | 104k | H1 = hash_value[1]; |
105 | 104k | H2 = hash_value[2]; |
106 | 104k | H3 = hash_value[3]; |
107 | 104k | H4 = hash_value[4]; |
108 | | |
109 | | /* copy/xor message into array */ |
110 | | |
111 | 104k | W[0] = be32_to_cpu(M[0]); |
112 | 104k | W[1] = be32_to_cpu(M[1]); |
113 | 104k | W[2] = be32_to_cpu(M[2]); |
114 | 104k | W[3] = be32_to_cpu(M[3]); |
115 | 104k | W[4] = be32_to_cpu(M[4]); |
116 | 104k | W[5] = be32_to_cpu(M[5]); |
117 | 104k | W[6] = be32_to_cpu(M[6]); |
118 | 104k | W[7] = be32_to_cpu(M[7]); |
119 | 104k | W[8] = be32_to_cpu(M[8]); |
120 | 104k | W[9] = be32_to_cpu(M[9]); |
121 | 104k | W[10] = be32_to_cpu(M[10]); |
122 | 104k | W[11] = be32_to_cpu(M[11]); |
123 | 104k | W[12] = be32_to_cpu(M[12]); |
124 | 104k | W[13] = be32_to_cpu(M[13]); |
125 | 104k | W[14] = be32_to_cpu(M[14]); |
126 | 104k | W[15] = be32_to_cpu(M[15]); |
127 | 104k | TEMP = W[13] ^ W[8] ^ W[2] ^ W[0]; |
128 | 104k | W[16] = S1(TEMP); |
129 | 104k | TEMP = W[14] ^ W[9] ^ W[3] ^ W[1]; |
130 | 104k | W[17] = S1(TEMP); |
131 | 104k | TEMP = W[15] ^ W[10] ^ W[4] ^ W[2]; |
132 | 104k | W[18] = S1(TEMP); |
133 | 104k | TEMP = W[16] ^ W[11] ^ W[5] ^ W[3]; |
134 | 104k | W[19] = S1(TEMP); |
135 | 104k | TEMP = W[17] ^ W[12] ^ W[6] ^ W[4]; |
136 | 104k | W[20] = S1(TEMP); |
137 | 104k | TEMP = W[18] ^ W[13] ^ W[7] ^ W[5]; |
138 | 104k | W[21] = S1(TEMP); |
139 | 104k | TEMP = W[19] ^ W[14] ^ W[8] ^ W[6]; |
140 | 104k | W[22] = S1(TEMP); |
141 | 104k | TEMP = W[20] ^ W[15] ^ W[9] ^ W[7]; |
142 | 104k | W[23] = S1(TEMP); |
143 | 104k | TEMP = W[21] ^ W[16] ^ W[10] ^ W[8]; |
144 | 104k | W[24] = S1(TEMP); |
145 | 104k | TEMP = W[22] ^ W[17] ^ W[11] ^ W[9]; |
146 | 104k | W[25] = S1(TEMP); |
147 | 104k | TEMP = W[23] ^ W[18] ^ W[12] ^ W[10]; |
148 | 104k | W[26] = S1(TEMP); |
149 | 104k | TEMP = W[24] ^ W[19] ^ W[13] ^ W[11]; |
150 | 104k | W[27] = S1(TEMP); |
151 | 104k | TEMP = W[25] ^ W[20] ^ W[14] ^ W[12]; |
152 | 104k | W[28] = S1(TEMP); |
153 | 104k | TEMP = W[26] ^ W[21] ^ W[15] ^ W[13]; |
154 | 104k | W[29] = S1(TEMP); |
155 | 104k | TEMP = W[27] ^ W[22] ^ W[16] ^ W[14]; |
156 | 104k | W[30] = S1(TEMP); |
157 | 104k | TEMP = W[28] ^ W[23] ^ W[17] ^ W[15]; |
158 | 104k | W[31] = S1(TEMP); |
159 | | |
160 | | /* process the remainder of the array */ |
161 | 5.13M | for (t = 32; t < 80; t++) { |
162 | 5.02M | TEMP = W[t - 3] ^ W[t - 8] ^ W[t - 14] ^ W[t - 16]; |
163 | 5.02M | W[t] = S1(TEMP); |
164 | 5.02M | } |
165 | | |
166 | 104k | A = H0; |
167 | 104k | B = H1; |
168 | 104k | C = H2; |
169 | 104k | D = H3; |
170 | 104k | E = H4; |
171 | | |
172 | 2.19M | for (t = 0; t < 20; t++) { |
173 | 2.09M | TEMP = S5(A) + f0(B, C, D) + E + W[t] + SHA_K0; |
174 | 2.09M | E = D; |
175 | 2.09M | D = C; |
176 | 2.09M | C = S30(B); |
177 | 2.09M | B = A; |
178 | 2.09M | A = TEMP; |
179 | 2.09M | } |
180 | 2.19M | for (; t < 40; t++) { |
181 | 2.09M | TEMP = S5(A) + f1(B, C, D) + E + W[t] + SHA_K1; |
182 | 2.09M | E = D; |
183 | 2.09M | D = C; |
184 | 2.09M | C = S30(B); |
185 | 2.09M | B = A; |
186 | 2.09M | A = TEMP; |
187 | 2.09M | } |
188 | 2.19M | for (; t < 60; t++) { |
189 | 2.09M | TEMP = S5(A) + f2(B, C, D) + E + W[t] + SHA_K2; |
190 | 2.09M | E = D; |
191 | 2.09M | D = C; |
192 | 2.09M | C = S30(B); |
193 | 2.09M | B = A; |
194 | 2.09M | A = TEMP; |
195 | 2.09M | } |
196 | 2.19M | for (; t < 80; t++) { |
197 | 2.09M | TEMP = S5(A) + f3(B, C, D) + E + W[t] + SHA_K3; |
198 | 2.09M | E = D; |
199 | 2.09M | D = C; |
200 | 2.09M | C = S30(B); |
201 | 2.09M | B = A; |
202 | 2.09M | A = TEMP; |
203 | 2.09M | } |
204 | | |
205 | 104k | hash_value[0] = H0 + A; |
206 | 104k | hash_value[1] = H1 + B; |
207 | 104k | hash_value[2] = H2 + C; |
208 | 104k | hash_value[3] = H3 + D; |
209 | 104k | hash_value[4] = H4 + E; |
210 | | |
211 | 104k | return; |
212 | 104k | } |
213 | | |
214 | | void srtp_sha1_init(srtp_sha1_ctx_t *ctx) |
215 | 26.7k | { |
216 | | /* initialize state vector */ |
217 | 26.7k | ctx->H[0] = 0x67452301; |
218 | 26.7k | ctx->H[1] = 0xefcdab89; |
219 | 26.7k | ctx->H[2] = 0x98badcfe; |
220 | 26.7k | ctx->H[3] = 0x10325476; |
221 | 26.7k | ctx->H[4] = 0xc3d2e1f0; |
222 | | |
223 | | /* indicate that message buffer is empty */ |
224 | 26.7k | ctx->octets_in_buffer = 0; |
225 | | |
226 | | /* reset message bit-count to zero */ |
227 | 26.7k | ctx->num_bits_in_msg = 0; |
228 | 26.7k | } |
229 | | |
230 | | void srtp_sha1_update(srtp_sha1_ctx_t *ctx, |
231 | | const uint8_t *msg, |
232 | | size_t octets_in_msg) |
233 | 87.5k | { |
234 | 87.5k | size_t i; |
235 | 87.5k | uint8_t *buf = (uint8_t *)ctx->M; |
236 | | |
237 | | /* update message bit-count */ |
238 | 87.5k | ctx->num_bits_in_msg += (uint32_t)octets_in_msg * 8; |
239 | | |
240 | | /* loop over 16-word blocks of M */ |
241 | 252k | while (octets_in_msg > 0) { |
242 | 165k | if (octets_in_msg + ctx->octets_in_buffer >= 64) { |
243 | | /* |
244 | | * copy words of M into msg buffer until that buffer is full, |
245 | | * converting them into host byte order as needed |
246 | | */ |
247 | 104k | octets_in_msg -= (64 - ctx->octets_in_buffer); |
248 | 6.79M | for (i = ctx->octets_in_buffer; i < 64; i++) { |
249 | 6.69M | buf[i] = *msg++; |
250 | 6.69M | } |
251 | 104k | ctx->octets_in_buffer = 0; |
252 | | |
253 | | /* process a whole block */ |
254 | | |
255 | 104k | debug_print0(srtp_mod_sha1, "(update) running srtp_sha1_core()"); |
256 | | |
257 | 104k | srtp_sha1_core(ctx->M, ctx->H); |
258 | | |
259 | 104k | } else { |
260 | 60.4k | debug_print0(srtp_mod_sha1, |
261 | 60.4k | "(update) not running srtp_sha1_core()"); |
262 | | |
263 | 60.4k | for (i = ctx->octets_in_buffer; |
264 | 1.09M | i < (ctx->octets_in_buffer + octets_in_msg); i++) { |
265 | 1.03M | buf[i] = *msg++; |
266 | 1.03M | } |
267 | 60.4k | ctx->octets_in_buffer += octets_in_msg; |
268 | 60.4k | octets_in_msg = 0; |
269 | 60.4k | } |
270 | 165k | } |
271 | 87.5k | } |
272 | | |
273 | | /* |
274 | | * srtp_sha1_final(ctx, output) computes the result for ctx and copies it |
275 | | * into the twenty octets located at *output |
276 | | */ |
277 | | |
278 | | void srtp_sha1_final(srtp_sha1_ctx_t *ctx, uint32_t output[5]) |
279 | 46.0k | { |
280 | 46.0k | uint32_t A, B, C, D, E, TEMP; |
281 | 46.0k | uint32_t W[80]; |
282 | 46.0k | size_t i, t; |
283 | | |
284 | | /* |
285 | | * process the remaining octets_in_buffer, padding and terminating as |
286 | | * necessary |
287 | | */ |
288 | 46.0k | { |
289 | 46.0k | size_t tail = ctx->octets_in_buffer % 4; |
290 | | |
291 | | /* copy/xor message into array */ |
292 | 305k | for (i = 0; i < (ctx->octets_in_buffer + 3) / 4; i++) { |
293 | 258k | W[i] = be32_to_cpu(ctx->M[i]); |
294 | 258k | } |
295 | | |
296 | | /* set the high bit of the octet immediately following the message */ |
297 | 46.0k | switch (tail) { |
298 | 0 | case (3): |
299 | 0 | W[i - 1] = (be32_to_cpu(ctx->M[i - 1]) & 0xffffff00) | 0x80; |
300 | 0 | W[i] = 0x0; |
301 | 0 | break; |
302 | 5.65k | case (2): |
303 | 5.65k | W[i - 1] = (be32_to_cpu(ctx->M[i - 1]) & 0xffff0000) | 0x8000; |
304 | 5.65k | W[i] = 0x0; |
305 | 5.65k | break; |
306 | 0 | case (1): |
307 | 0 | W[i - 1] = (be32_to_cpu(ctx->M[i - 1]) & 0xff000000) | 0x800000; |
308 | 0 | W[i] = 0x0; |
309 | 0 | break; |
310 | 40.4k | case (0): |
311 | 40.4k | W[i] = 0x80000000; |
312 | 40.4k | break; |
313 | 46.0k | } |
314 | | |
315 | | /* zeroize remaining words */ |
316 | 433k | for (i++; i < 15; i++) { |
317 | 387k | W[i] = 0x0; |
318 | 387k | } |
319 | | |
320 | | /* |
321 | | * if there is room at the end of the word array, then set the |
322 | | * last word to the bit-length of the message; otherwise, set that |
323 | | * word to zero and then we need to do one more run of the |
324 | | * compression algo. |
325 | | */ |
326 | 46.0k | if (ctx->octets_in_buffer < 56) { |
327 | 44.0k | W[15] = ctx->num_bits_in_msg; |
328 | 44.0k | } else if (ctx->octets_in_buffer < 60) { |
329 | 1.33k | W[15] = 0x0; |
330 | 1.33k | } |
331 | | |
332 | | /* process the word array */ |
333 | 2.99M | for (t = 16; t < 80; t++) { |
334 | 2.94M | TEMP = W[t - 3] ^ W[t - 8] ^ W[t - 14] ^ W[t - 16]; |
335 | 2.94M | W[t] = S1(TEMP); |
336 | 2.94M | } |
337 | | |
338 | 46.0k | A = ctx->H[0]; |
339 | 46.0k | B = ctx->H[1]; |
340 | 46.0k | C = ctx->H[2]; |
341 | 46.0k | D = ctx->H[3]; |
342 | 46.0k | E = ctx->H[4]; |
343 | | |
344 | 967k | for (t = 0; t < 20; t++) { |
345 | 921k | TEMP = S5(A) + f0(B, C, D) + E + W[t] + SHA_K0; |
346 | 921k | E = D; |
347 | 921k | D = C; |
348 | 921k | C = S30(B); |
349 | 921k | B = A; |
350 | 921k | A = TEMP; |
351 | 921k | } |
352 | 967k | for (; t < 40; t++) { |
353 | 921k | TEMP = S5(A) + f1(B, C, D) + E + W[t] + SHA_K1; |
354 | 921k | E = D; |
355 | 921k | D = C; |
356 | 921k | C = S30(B); |
357 | 921k | B = A; |
358 | 921k | A = TEMP; |
359 | 921k | } |
360 | 967k | for (; t < 60; t++) { |
361 | 921k | TEMP = S5(A) + f2(B, C, D) + E + W[t] + SHA_K2; |
362 | 921k | E = D; |
363 | 921k | D = C; |
364 | 921k | C = S30(B); |
365 | 921k | B = A; |
366 | 921k | A = TEMP; |
367 | 921k | } |
368 | 967k | for (; t < 80; t++) { |
369 | 921k | TEMP = S5(A) + f3(B, C, D) + E + W[t] + SHA_K3; |
370 | 921k | E = D; |
371 | 921k | D = C; |
372 | 921k | C = S30(B); |
373 | 921k | B = A; |
374 | 921k | A = TEMP; |
375 | 921k | } |
376 | | |
377 | 46.0k | ctx->H[0] += A; |
378 | 46.0k | ctx->H[1] += B; |
379 | 46.0k | ctx->H[2] += C; |
380 | 46.0k | ctx->H[3] += D; |
381 | 46.0k | ctx->H[4] += E; |
382 | 46.0k | } |
383 | | |
384 | 46.0k | debug_print0(srtp_mod_sha1, "(final) running srtp_sha1_core()"); |
385 | | |
386 | 46.0k | if (ctx->octets_in_buffer >= 56) { |
387 | 2.02k | debug_print0(srtp_mod_sha1, "(final) running srtp_sha1_core() again"); |
388 | | |
389 | | /* we need to do one final run of the compression algo */ |
390 | | |
391 | | /* |
392 | | * set initial part of word array to zeros, and set the |
393 | | * final part to the number of bits in the message |
394 | | */ |
395 | 32.4k | for (i = 0; i < 15; i++) { |
396 | 30.3k | W[i] = 0x0; |
397 | 30.3k | } |
398 | 2.02k | W[15] = ctx->num_bits_in_msg; |
399 | | |
400 | | /* process the word array */ |
401 | 131k | for (t = 16; t < 80; t++) { |
402 | 129k | TEMP = W[t - 3] ^ W[t - 8] ^ W[t - 14] ^ W[t - 16]; |
403 | 129k | W[t] = S1(TEMP); |
404 | 129k | } |
405 | | |
406 | 2.02k | A = ctx->H[0]; |
407 | 2.02k | B = ctx->H[1]; |
408 | 2.02k | C = ctx->H[2]; |
409 | 2.02k | D = ctx->H[3]; |
410 | 2.02k | E = ctx->H[4]; |
411 | | |
412 | 42.5k | for (t = 0; t < 20; t++) { |
413 | 40.5k | TEMP = S5(A) + f0(B, C, D) + E + W[t] + SHA_K0; |
414 | 40.5k | E = D; |
415 | 40.5k | D = C; |
416 | 40.5k | C = S30(B); |
417 | 40.5k | B = A; |
418 | 40.5k | A = TEMP; |
419 | 40.5k | } |
420 | 42.5k | for (; t < 40; t++) { |
421 | 40.5k | TEMP = S5(A) + f1(B, C, D) + E + W[t] + SHA_K1; |
422 | 40.5k | E = D; |
423 | 40.5k | D = C; |
424 | 40.5k | C = S30(B); |
425 | 40.5k | B = A; |
426 | 40.5k | A = TEMP; |
427 | 40.5k | } |
428 | 42.5k | for (; t < 60; t++) { |
429 | 40.5k | TEMP = S5(A) + f2(B, C, D) + E + W[t] + SHA_K2; |
430 | 40.5k | E = D; |
431 | 40.5k | D = C; |
432 | 40.5k | C = S30(B); |
433 | 40.5k | B = A; |
434 | 40.5k | A = TEMP; |
435 | 40.5k | } |
436 | 42.5k | for (; t < 80; t++) { |
437 | 40.5k | TEMP = S5(A) + f3(B, C, D) + E + W[t] + SHA_K3; |
438 | 40.5k | E = D; |
439 | 40.5k | D = C; |
440 | 40.5k | C = S30(B); |
441 | 40.5k | B = A; |
442 | 40.5k | A = TEMP; |
443 | 40.5k | } |
444 | | |
445 | 2.02k | ctx->H[0] += A; |
446 | 2.02k | ctx->H[1] += B; |
447 | 2.02k | ctx->H[2] += C; |
448 | 2.02k | ctx->H[3] += D; |
449 | 2.02k | ctx->H[4] += E; |
450 | 2.02k | } |
451 | | |
452 | | /* copy result into output buffer */ |
453 | 46.0k | output[0] = be32_to_cpu(ctx->H[0]); |
454 | 46.0k | output[1] = be32_to_cpu(ctx->H[1]); |
455 | 46.0k | output[2] = be32_to_cpu(ctx->H[2]); |
456 | 46.0k | output[3] = be32_to_cpu(ctx->H[3]); |
457 | 46.0k | output[4] = be32_to_cpu(ctx->H[4]); |
458 | | |
459 | | /* indicate that message buffer in context is empty */ |
460 | 46.0k | ctx->octets_in_buffer = 0; |
461 | | |
462 | 46.0k | return; |
463 | 46.0k | } |