2 * Copyright (c) 2017 Thomas Pornin <pornin@bolet.org>
4 * Permission is hereby granted, free of charge, to any person obtaining
5 * a copy of this software and associated documentation files (the
6 * "Software"), to deal in the Software without restriction, including
7 * without limitation the rights to use, copy, modify, merge, publish,
8 * distribute, sublicense, and/or sell copies of the Software, and to
9 * permit persons to whom the Software is furnished to do so, subject to
10 * the following conditions:
12 * The above copyright notice and this permission notice shall be
13 * included in all copies or substantial portions of the Software.
15 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
16 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
17 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
18 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
19 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
20 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
21 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
30 * SHA-1 implementation. SHA-1 is described in FIPS 180-4. Note that
31 * SHA-1 collisions can be computed more efficiently than what would be
32 * expected from an ideal hash function with the same output size; and
33 * this was actually done at least once. Use with care.
36 public sealed class SHA1 : DigestCore {
38 const int BLOCK_LEN = 64;
41 byte[] block, saveBlock;
46 * Create a new instance. It is ready to process data bytes.
50 block = new byte[BLOCK_LEN];
51 saveBlock = new byte[BLOCK_LEN];
56 public override string Name {
63 public override int DigestSize {
70 public override int BlockSize {
77 public override void Reset()
89 public override void Update(byte b)
93 if (ptr == BLOCK_LEN) {
99 public override void Update(byte[] buf, int off, int len)
102 throw new ArgumentException("negative chunk length");
104 byteCount += (ulong)len;
106 int clen = Math.Min(len, BLOCK_LEN - ptr);
107 Array.Copy(buf, off, block, ptr, clen);
111 if (ptr == BLOCK_LEN) {
118 public override void DoPartial(byte[] outBuf, int off)
121 * Save current state.
129 Array.Copy(block, 0, saveBlock, 0, savePtr);
132 * Add padding. This may involve processing an extra block.
134 block[ptr ++] = 0x80;
135 if (ptr > BLOCK_LEN - 8) {
136 for (int j = ptr; j < BLOCK_LEN; j ++) {
141 for (int j = ptr; j < (BLOCK_LEN - 8); j ++) {
144 ulong x = byteCount << 3;
145 Enc32be((uint)(x >> 32), block, BLOCK_LEN - 8);
146 Enc32be((uint)x, block, BLOCK_LEN - 4);
149 * Process final block and encode result.
152 Enc32be(A, outBuf, off);
153 Enc32be(B, outBuf, off + 4);
154 Enc32be(C, outBuf, off + 8);
155 Enc32be(D, outBuf, off + 12);
156 Enc32be(E, outBuf, off + 16);
159 * Restore current state.
161 Array.Copy(saveBlock, 0, block, 0, savePtr);
171 public override IDigest Dup()
180 h.byteCount = byteCount;
181 Array.Copy(block, 0, h.block, 0, ptr);
186 public override void CurrentState(byte[] outBuf, int off)
188 Enc32be(A, outBuf, off);
189 Enc32be(B, outBuf, off + 4);
190 Enc32be(C, outBuf, off + 8);
191 Enc32be(D, outBuf, off + 12);
192 Enc32be(E, outBuf, off + 16);
195 const uint K1 = 0x5A827999;
196 const uint K2 = 0x6ED9EBA1;
197 const uint K3 = 0x8F1BBCDC;
198 const uint K4 = 0xCA62C1D6;
214 uint x0 = Dec32be(block, 0);
215 we += ((wa << 5) | (wa >> 27)) + (wd ^ (wb & (wc ^ wd))) + x0 + K1;
216 wb = (wb << 30) | (wb >> 2);
217 uint x1 = Dec32be(block, 4);
218 wd += ((we << 5) | (we >> 27)) + (wc ^ (wa & (wb ^ wc))) + x1 + K1;
219 wa = (wa << 30) | (wa >> 2);
220 uint x2 = Dec32be(block, 8);
221 wc += ((wd << 5) | (wd >> 27)) + (wb ^ (we & (wa ^ wb))) + x2 + K1;
222 we = (we << 30) | (we >> 2);
223 uint x3 = Dec32be(block, 12);
224 wb += ((wc << 5) | (wc >> 27)) + (wa ^ (wd & (we ^ wa))) + x3 + K1;
225 wd = (wd << 30) | (wd >> 2);
226 uint x4 = Dec32be(block, 16);
227 wa += ((wb << 5) | (wb >> 27)) + (we ^ (wc & (wd ^ we))) + x4 + K1;
228 wc = (wc << 30) | (wc >> 2);
229 uint x5 = Dec32be(block, 20);
230 we += ((wa << 5) | (wa >> 27)) + (wd ^ (wb & (wc ^ wd))) + x5 + K1;
231 wb = (wb << 30) | (wb >> 2);
232 uint x6 = Dec32be(block, 24);
233 wd += ((we << 5) | (we >> 27)) + (wc ^ (wa & (wb ^ wc))) + x6 + K1;
234 wa = (wa << 30) | (wa >> 2);
235 uint x7 = Dec32be(block, 28);
236 wc += ((wd << 5) | (wd >> 27)) + (wb ^ (we & (wa ^ wb))) + x7 + K1;
237 we = (we << 30) | (we >> 2);
238 uint x8 = Dec32be(block, 32);
239 wb += ((wc << 5) | (wc >> 27)) + (wa ^ (wd & (we ^ wa))) + x8 + K1;
240 wd = (wd << 30) | (wd >> 2);
241 uint x9 = Dec32be(block, 36);
242 wa += ((wb << 5) | (wb >> 27)) + (we ^ (wc & (wd ^ we))) + x9 + K1;
243 wc = (wc << 30) | (wc >> 2);
244 uint xA = Dec32be(block, 40);
245 we += ((wa << 5) | (wa >> 27)) + (wd ^ (wb & (wc ^ wd))) + xA + K1;
246 wb = (wb << 30) | (wb >> 2);
247 uint xB = Dec32be(block, 44);
248 wd += ((we << 5) | (we >> 27)) + (wc ^ (wa & (wb ^ wc))) + xB + K1;
249 wa = (wa << 30) | (wa >> 2);
250 uint xC = Dec32be(block, 48);
251 wc += ((wd << 5) | (wd >> 27)) + (wb ^ (we & (wa ^ wb))) + xC + K1;
252 we = (we << 30) | (we >> 2);
253 uint xD = Dec32be(block, 52);
254 wb += ((wc << 5) | (wc >> 27)) + (wa ^ (wd & (we ^ wa))) + xD + K1;
255 wd = (wd << 30) | (wd >> 2);
256 uint xE = Dec32be(block, 56);
257 wa += ((wb << 5) | (wb >> 27)) + (we ^ (wc & (wd ^ we))) + xE + K1;
258 wc = (wc << 30) | (wc >> 2);
259 uint xF = Dec32be(block, 60);
260 we += ((wa << 5) | (wa >> 27)) + (wd ^ (wb & (wc ^ wd))) + xF + K1;
261 wb = (wb << 30) | (wb >> 2);
263 x0 = (x0 << 1) | (x0 >> 31);
264 wd += ((we << 5) | (we >> 27)) + (wc ^ (wa & (wb ^ wc))) + x0 + K1;
265 wa = (wa << 30) | (wa >> 2);
267 x1 = (x1 << 1) | (x1 >> 31);
268 wc += ((wd << 5) | (wd >> 27)) + (wb ^ (we & (wa ^ wb))) + x1 + K1;
269 we = (we << 30) | (we >> 2);
271 x2 = (x2 << 1) | (x2 >> 31);
272 wb += ((wc << 5) | (wc >> 27)) + (wa ^ (wd & (we ^ wa))) + x2 + K1;
273 wd = (wd << 30) | (wd >> 2);
275 x3 = (x3 << 1) | (x3 >> 31);
276 wa += ((wb << 5) | (wb >> 27)) + (we ^ (wc & (wd ^ we))) + x3 + K1;
277 wc = (wc << 30) | (wc >> 2);
283 x4 = (x4 << 1) | (x4 >> 31);
284 we += ((wa << 5) | (wa >> 27)) + (wb ^ wc ^ wd) + x4 + K2;
285 wb = (wb << 30) | (wb >> 2);
287 x5 = (x5 << 1) | (x5 >> 31);
288 wd += ((we << 5) | (we >> 27)) + (wa ^ wb ^ wc) + x5 + K2;
289 wa = (wa << 30) | (wa >> 2);
291 x6 = (x6 << 1) | (x6 >> 31);
292 wc += ((wd << 5) | (wd >> 27)) + (we ^ wa ^ wb) + x6 + K2;
293 we = (we << 30) | (we >> 2);
295 x7 = (x7 << 1) | (x7 >> 31);
296 wb += ((wc << 5) | (wc >> 27)) + (wd ^ we ^ wa) + x7 + K2;
297 wd = (wd << 30) | (wd >> 2);
299 x8 = (x8 << 1) | (x8 >> 31);
300 wa += ((wb << 5) | (wb >> 27)) + (wc ^ wd ^ we) + x8 + K2;
301 wc = (wc << 30) | (wc >> 2);
303 x9 = (x9 << 1) | (x9 >> 31);
304 we += ((wa << 5) | (wa >> 27)) + (wb ^ wc ^ wd) + x9 + K2;
305 wb = (wb << 30) | (wb >> 2);
307 xA = (xA << 1) | (xA >> 31);
308 wd += ((we << 5) | (we >> 27)) + (wa ^ wb ^ wc) + xA + K2;
309 wa = (wa << 30) | (wa >> 2);
311 xB = (xB << 1) | (xB >> 31);
312 wc += ((wd << 5) | (wd >> 27)) + (we ^ wa ^ wb) + xB + K2;
313 we = (we << 30) | (we >> 2);
315 xC = (xC << 1) | (xC >> 31);
316 wb += ((wc << 5) | (wc >> 27)) + (wd ^ we ^ wa) + xC + K2;
317 wd = (wd << 30) | (wd >> 2);
319 xD = (xD << 1) | (xD >> 31);
320 wa += ((wb << 5) | (wb >> 27)) + (wc ^ wd ^ we) + xD + K2;
321 wc = (wc << 30) | (wc >> 2);
323 xE = (xE << 1) | (xE >> 31);
324 we += ((wa << 5) | (wa >> 27)) + (wb ^ wc ^ wd) + xE + K2;
325 wb = (wb << 30) | (wb >> 2);
327 xF = (xF << 1) | (xF >> 31);
328 wd += ((we << 5) | (we >> 27)) + (wa ^ wb ^ wc) + xF + K2;
329 wa = (wa << 30) | (wa >> 2);
331 x0 = (x0 << 1) | (x0 >> 31);
332 wc += ((wd << 5) | (wd >> 27)) + (we ^ wa ^ wb) + x0 + K2;
333 we = (we << 30) | (we >> 2);
335 x1 = (x1 << 1) | (x1 >> 31);
336 wb += ((wc << 5) | (wc >> 27)) + (wd ^ we ^ wa) + x1 + K2;
337 wd = (wd << 30) | (wd >> 2);
339 x2 = (x2 << 1) | (x2 >> 31);
340 wa += ((wb << 5) | (wb >> 27)) + (wc ^ wd ^ we) + x2 + K2;
341 wc = (wc << 30) | (wc >> 2);
343 x3 = (x3 << 1) | (x3 >> 31);
344 we += ((wa << 5) | (wa >> 27)) + (wb ^ wc ^ wd) + x3 + K2;
345 wb = (wb << 30) | (wb >> 2);
347 x4 = (x4 << 1) | (x4 >> 31);
348 wd += ((we << 5) | (we >> 27)) + (wa ^ wb ^ wc) + x4 + K2;
349 wa = (wa << 30) | (wa >> 2);
351 x5 = (x5 << 1) | (x5 >> 31);
352 wc += ((wd << 5) | (wd >> 27)) + (we ^ wa ^ wb) + x5 + K2;
353 we = (we << 30) | (we >> 2);
355 x6 = (x6 << 1) | (x6 >> 31);
356 wb += ((wc << 5) | (wc >> 27)) + (wd ^ we ^ wa) + x6 + K2;
357 wd = (wd << 30) | (wd >> 2);
359 x7 = (x7 << 1) | (x7 >> 31);
360 wa += ((wb << 5) | (wb >> 27)) + (wc ^ wd ^ we) + x7 + K2;
361 wc = (wc << 30) | (wc >> 2);
367 x8 = (x8 << 1) | (x8 >> 31);
368 we += ((wa << 5) | (wa >> 27)) + ((wc & wd) ^ (wb & (wc ^ wd))) + x8 + K3;
369 wb = (wb << 30) | (wb >> 2);
371 x9 = (x9 << 1) | (x9 >> 31);
372 wd += ((we << 5) | (we >> 27)) + ((wb & wc) ^ (wa & (wb ^ wc))) + x9 + K3;
373 wa = (wa << 30) | (wa >> 2);
375 xA = (xA << 1) | (xA >> 31);
376 wc += ((wd << 5) | (wd >> 27)) + ((wa & wb) ^ (we & (wa ^ wb))) + xA + K3;
377 we = (we << 30) | (we >> 2);
379 xB = (xB << 1) | (xB >> 31);
380 wb += ((wc << 5) | (wc >> 27)) + ((we & wa) ^ (wd & (we ^ wa))) + xB + K3;
381 wd = (wd << 30) | (wd >> 2);
383 xC = (xC << 1) | (xC >> 31);
384 wa += ((wb << 5) | (wb >> 27)) + ((wd & we) ^ (wc & (wd ^ we))) + xC + K3;
385 wc = (wc << 30) | (wc >> 2);
387 xD = (xD << 1) | (xD >> 31);
388 we += ((wa << 5) | (wa >> 27)) + ((wc & wd) ^ (wb & (wc ^ wd))) + xD + K3;
389 wb = (wb << 30) | (wb >> 2);
391 xE = (xE << 1) | (xE >> 31);
392 wd += ((we << 5) | (we >> 27)) + ((wb & wc) ^ (wa & (wb ^ wc))) + xE + K3;
393 wa = (wa << 30) | (wa >> 2);
395 xF = (xF << 1) | (xF >> 31);
396 wc += ((wd << 5) | (wd >> 27)) + ((wa & wb) ^ (we & (wa ^ wb))) + xF + K3;
397 we = (we << 30) | (we >> 2);
399 x0 = (x0 << 1) | (x0 >> 31);
400 wb += ((wc << 5) | (wc >> 27)) + ((we & wa) ^ (wd & (we ^ wa))) + x0 + K3;
401 wd = (wd << 30) | (wd >> 2);
403 x1 = (x1 << 1) | (x1 >> 31);
404 wa += ((wb << 5) | (wb >> 27)) + ((wd & we) ^ (wc & (wd ^ we))) + x1 + K3;
405 wc = (wc << 30) | (wc >> 2);
407 x2 = (x2 << 1) | (x2 >> 31);
408 we += ((wa << 5) | (wa >> 27)) + ((wc & wd) ^ (wb & (wc ^ wd))) + x2 + K3;
409 wb = (wb << 30) | (wb >> 2);
411 x3 = (x3 << 1) | (x3 >> 31);
412 wd += ((we << 5) | (we >> 27)) + ((wb & wc) ^ (wa & (wb ^ wc))) + x3 + K3;
413 wa = (wa << 30) | (wa >> 2);
415 x4 = (x4 << 1) | (x4 >> 31);
416 wc += ((wd << 5) | (wd >> 27)) + ((wa & wb) ^ (we & (wa ^ wb))) + x4 + K3;
417 we = (we << 30) | (we >> 2);
419 x5 = (x5 << 1) | (x5 >> 31);
420 wb += ((wc << 5) | (wc >> 27)) + ((we & wa) ^ (wd & (we ^ wa))) + x5 + K3;
421 wd = (wd << 30) | (wd >> 2);
423 x6 = (x6 << 1) | (x6 >> 31);
424 wa += ((wb << 5) | (wb >> 27)) + ((wd & we) ^ (wc & (wd ^ we))) + x6 + K3;
425 wc = (wc << 30) | (wc >> 2);
427 x7 = (x7 << 1) | (x7 >> 31);
428 we += ((wa << 5) | (wa >> 27)) + ((wc & wd) ^ (wb & (wc ^ wd))) + x7 + K3;
429 wb = (wb << 30) | (wb >> 2);
431 x8 = (x8 << 1) | (x8 >> 31);
432 wd += ((we << 5) | (we >> 27)) + ((wb & wc) ^ (wa & (wb ^ wc))) + x8 + K3;
433 wa = (wa << 30) | (wa >> 2);
435 x9 = (x9 << 1) | (x9 >> 31);
436 wc += ((wd << 5) | (wd >> 27)) + ((wa & wb) ^ (we & (wa ^ wb))) + x9 + K3;
437 we = (we << 30) | (we >> 2);
439 xA = (xA << 1) | (xA >> 31);
440 wb += ((wc << 5) | (wc >> 27)) + ((we & wa) ^ (wd & (we ^ wa))) + xA + K3;
441 wd = (wd << 30) | (wd >> 2);
443 xB = (xB << 1) | (xB >> 31);
444 wa += ((wb << 5) | (wb >> 27)) + ((wd & we) ^ (wc & (wd ^ we))) + xB + K3;
445 wc = (wc << 30) | (wc >> 2);
451 xC = (xC << 1) | (xC >> 31);
452 we += ((wa << 5) | (wa >> 27)) + (wb ^ wc ^ wd) + xC + K4;
453 wb = (wb << 30) | (wb >> 2);
455 xD = (xD << 1) | (xD >> 31);
456 wd += ((we << 5) | (we >> 27)) + (wa ^ wb ^ wc) + xD + K4;
457 wa = (wa << 30) | (wa >> 2);
459 xE = (xE << 1) | (xE >> 31);
460 wc += ((wd << 5) | (wd >> 27)) + (we ^ wa ^ wb) + xE + K4;
461 we = (we << 30) | (we >> 2);
463 xF = (xF << 1) | (xF >> 31);
464 wb += ((wc << 5) | (wc >> 27)) + (wd ^ we ^ wa) + xF + K4;
465 wd = (wd << 30) | (wd >> 2);
467 x0 = (x0 << 1) | (x0 >> 31);
468 wa += ((wb << 5) | (wb >> 27)) + (wc ^ wd ^ we) + x0 + K4;
469 wc = (wc << 30) | (wc >> 2);
471 x1 = (x1 << 1) | (x1 >> 31);
472 we += ((wa << 5) | (wa >> 27)) + (wb ^ wc ^ wd) + x1 + K4;
473 wb = (wb << 30) | (wb >> 2);
475 x2 = (x2 << 1) | (x2 >> 31);
476 wd += ((we << 5) | (we >> 27)) + (wa ^ wb ^ wc) + x2 + K4;
477 wa = (wa << 30) | (wa >> 2);
479 x3 = (x3 << 1) | (x3 >> 31);
480 wc += ((wd << 5) | (wd >> 27)) + (we ^ wa ^ wb) + x3 + K4;
481 we = (we << 30) | (we >> 2);
483 x4 = (x4 << 1) | (x4 >> 31);
484 wb += ((wc << 5) | (wc >> 27)) + (wd ^ we ^ wa) + x4 + K4;
485 wd = (wd << 30) | (wd >> 2);
487 x5 = (x5 << 1) | (x5 >> 31);
488 wa += ((wb << 5) | (wb >> 27)) + (wc ^ wd ^ we) + x5 + K4;
489 wc = (wc << 30) | (wc >> 2);
491 x6 = (x6 << 1) | (x6 >> 31);
492 we += ((wa << 5) | (wa >> 27)) + (wb ^ wc ^ wd) + x6 + K4;
493 wb = (wb << 30) | (wb >> 2);
495 x7 = (x7 << 1) | (x7 >> 31);
496 wd += ((we << 5) | (we >> 27)) + (wa ^ wb ^ wc) + x7 + K4;
497 wa = (wa << 30) | (wa >> 2);
499 x8 = (x8 << 1) | (x8 >> 31);
500 wc += ((wd << 5) | (wd >> 27)) + (we ^ wa ^ wb) + x8 + K4;
501 we = (we << 30) | (we >> 2);
503 x9 = (x9 << 1) | (x9 >> 31);
504 wb += ((wc << 5) | (wc >> 27)) + (wd ^ we ^ wa) + x9 + K4;
505 wd = (wd << 30) | (wd >> 2);
507 xA = (xA << 1) | (xA >> 31);
508 wa += ((wb << 5) | (wb >> 27)) + (wc ^ wd ^ we) + xA + K4;
509 wc = (wc << 30) | (wc >> 2);
511 xB = (xB << 1) | (xB >> 31);
512 we += ((wa << 5) | (wa >> 27)) + (wb ^ wc ^ wd) + xB + K4;
513 wb = (wb << 30) | (wb >> 2);
515 xC = (xC << 1) | (xC >> 31);
516 wd += ((we << 5) | (we >> 27)) + (wa ^ wb ^ wc) + xC + K4;
517 wa = (wa << 30) | (wa >> 2);
519 xD = (xD << 1) | (xD >> 31);
520 wc += ((wd << 5) | (wd >> 27)) + (we ^ wa ^ wb) + xD + K4;
521 we = (we << 30) | (we >> 2);
523 xE = (xE << 1) | (xE >> 31);
524 wb += ((wc << 5) | (wc >> 27)) + (wd ^ we ^ wa) + xE + K4;
525 wd = (wd << 30) | (wd >> 2);
527 xF = (xF << 1) | (xF >> 31);
528 wa += ((wb << 5) | (wb >> 27)) + (wc ^ wd ^ we) + xF + K4;
529 wc = (wc << 30) | (wc >> 2);
532 * Update state words and reset block pointer.
542 static uint Dec32be(byte[] buf, int off)
544 return ((uint)buf[off] << 24)
545 | ((uint)buf[off + 1] << 16)
546 | ((uint)buf[off + 2] << 8)
547 | (uint)buf[off + 3];
550 static void Enc32be(uint x, byte[] buf, int off)
552 buf[off] = (byte)(x >> 24);
553 buf[off + 1] = (byte)(x >> 16);
554 buf[off + 2] = (byte)(x >> 8);
555 buf[off + 3] = (byte)x;