Fossil SCM

Make it possible to turn off SHA1 hardening, falling back to the legacy implementations.

drh 2017-03-01 21:24 hardened-sha1

Commit 2f87dcf5dfc42d8e846e94fb9cd9571f424d3bbc

Parent ba9d10807e93830…

3 files changed +5 +226 +3

~ src/config.h ~ src/sha1.c ~ src/sha1hard.c

M src/config.h

		--- src/config.h
		+++ src/config.h
		@@ -38,10 +38,15 @@
38	38	#endif
39	39
40	40	#ifdef HAVE_AUTOCONFIG_H
41	41	#include "autoconfig.h"
42	42	#endif
	43	+
	44	+/* Enable the hardened SHA1 implemenation by default */
	45	+#ifndef FOSSIL_HARDENED_SHA1
	46	+# define FOSSIL_HARDENED_SHA1 1
	47	+#endif
43	48
44	49	#ifndef _RC_COMPILE_
45	50
46	51	/*
47	52	** System header files used by all modules
48	53

	--- src/config.h
	+++ src/config.h
	@@ -38,10 +38,15 @@
38	#endif
39
40	#ifdef HAVE_AUTOCONFIG_H
41	#include "autoconfig.h"
42	#endif





43
44	#ifndef _RC_COMPILE_
45
46	/*
47	** System header files used by all modules
48

	--- src/config.h
	+++ src/config.h
	@@ -38,10 +38,15 @@
38	#endif
39
40	#ifdef HAVE_AUTOCONFIG_H
41	#include "autoconfig.h"
42	#endif
43
44	/* Enable the hardened SHA1 implemenation by default */
45	#ifndef FOSSIL_HARDENED_SHA1
46	# define FOSSIL_HARDENED_SHA1 1
47	#endif
48
49	#ifndef _RC_COMPILE_
50
51	/*
52	** System header files used by all modules
53

M src/sha1.c

+226

		--- src/sha1.c
		+++ src/sha1.c
		@@ -21,10 +21,21 @@
21	21	#include <sys/types.h>
22	22	#include <stdint.h>
23	23	#include "sha1.h"
24	24
25	25
	26	+/*
	27	+** Implementation #1 is the hardened SHA1 implementation by
	28	+** Marc Stevens. Code obtained from GitHub
	29	+**
	30	+** https://github.com/cr-marcstevens/sha1collisiondetection
	31	+**
	32	+** Downloaded on 2017-03-01 then repackaged to work with Fossil
	33	+** and makeheaders.
	34	+*/
	35	+#if FOSSIL_HARDENED_SHA1
	36	+
26	37	#if INTERFACE
27	38	typedef void(collision_block_callback)(uint64_t, const uint32_t, const uint32_t, const uint32_t, const uint32_t*);
28	39	struct SHA1_CTX {
29	40	uint64_t total;
30	41	uint32_t ihv[5];
		@@ -51,10 +62,225 @@
51	62	#define SHA1Context SHA1_CTX
52	63	#define SHA1Init SHA1DCInit
53	64	#define SHA1Update SHA1DCUpdate
54	65	#define SHA1Final SHA1DCFinal
55	66
	67	+/*
	68	+** The second case: use the SHA1 algorithm built into SSL
	69	+*/
	70	+#elif defined(FOSSIL_ENABLE_SSL)
	71	+
	72	+# include <openssl/sha.h>
	73	+# define SHA1Context SHA_CTX
	74	+# define SHA1Init SHA1_Init
	75	+# define SHA1Update SHA1_Update
	76	+# define SHA1Final SHA1_Final
	77	+
	78	+/*
	79	+** If none of the previous two SHA1 algorithms work, there
	80	+** is this built-in. The built-in below is the original.
	81	+*/
	82	+#else
	83	+/*
	84	+** The SHA1 implementation below is adapted from:
	85	+**
	86	+** $NetBSD: sha1.c,v 1.6 2009/11/06 20:31:18 joerg Exp $
	87	+** $OpenBSD: sha1.c,v 1.9 1997/07/23 21:12:32 kstailey Exp $
	88	+**
	89	+** SHA-1 in C
	90	+** By Steve Reid <[email protected]>
	91	+** 100% Public Domain
	92	+*/
	93	+typedef struct SHA1Context SHA1Context;
	94	+struct SHA1Context {
	95	+ unsigned int state[5];
	96	+ unsigned int count[2];
	97	+ unsigned char buffer[64];
	98	+};
	99	+
	100	+/*
	101	+ * blk0() and blk() perform the initial expand.
	102	+ * I got the idea of expanding during the round function from SSLeay
	103	+ *
	104	+ * blk0le() for little-endian and blk0be() for big-endian.
	105	+ */
	106	+#if __GNUC__ && (defined(__i386__) \|\| defined(__x86_64__))
	107	+/*
	108	+ * GCC by itself only generates left rotates. Use right rotates if
	109	+ * possible to be kinder to dinky implementations with iterative rotate
	110	+ * instructions.
	111	+ */
	112	+#define SHA_ROT(op, x, k) \
	113	+ ({ unsigned int y; asm(op " %1,%0" : "=r" (y) : "I" (k), "0" (x)); y; })
	114	+#define rol(x,k) SHA_ROT("roll", x, k)
	115	+#define ror(x,k) SHA_ROT("rorl", x, k)
	116	+
	117	+#else
	118	+/* Generic C equivalent */
	119	+#define SHA_ROT(x,l,r) ((x) << (l) \| (x) >> (r))
	120	+#define rol(x,k) SHA_ROT(x,k,32-(k))
	121	+#define ror(x,k) SHA_ROT(x,32-(k),k)
	122	+#endif
	123	+
	124	+
	125	+
	126	+
	127	+
	128	+#define blk0le(i) (block[i] = (ror(block[i],8)&0xFF00FF00) \
	129	+ \|(rol(block[i],8)&0x00FF00FF))
	130	+#define blk0be(i) block[i]
	131	+#define blk(i) (block[i&15] = rol(block[(i+13)&15]^block[(i+8)&15] \
	132	+ ^block[(i+2)&15]^block[i&15],1))
	133	+
	134	+/*
	135	+ * (R0+R1), R2, R3, R4 are the different operations (rounds) used in SHA1
	136	+ *
	137	+ * Rl0() for little-endian and Rb0() for big-endian. Endianness is
	138	+ * determined at run-time.
	139	+ */
	140	+#define Rl0(v,w,x,y,z,i) \
	141	+ z+=((w&(x^y))^y)+blk0le(i)+0x5A827999+rol(v,5);w=ror(w,2);
	142	+#define Rb0(v,w,x,y,z,i) \
	143	+ z+=((w&(x^y))^y)+blk0be(i)+0x5A827999+rol(v,5);w=ror(w,2);
	144	+#define R1(v,w,x,y,z,i) \
	145	+ z+=((w&(x^y))^y)+blk(i)+0x5A827999+rol(v,5);w=ror(w,2);
	146	+#define R2(v,w,x,y,z,i) \
	147	+ z+=(w^x^y)+blk(i)+0x6ED9EBA1+rol(v,5);w=ror(w,2);
	148	+#define R3(v,w,x,y,z,i) \
	149	+ z+=(((w\|x)&y)\|(w&x))+blk(i)+0x8F1BBCDC+rol(v,5);w=ror(w,2);
	150	+#define R4(v,w,x,y,z,i) \
	151	+ z+=(w^x^y)+blk(i)+0xCA62C1D6+rol(v,5);w=ror(w,2);
	152	+
	153	+/*
	154	+ * Hash a single 512-bit block. This is the core of the algorithm.
	155	+ */
	156	+#define a qq[0]
	157	+#define b qq[1]
	158	+#define c qq[2]
	159	+#define d qq[3]
	160	+#define e qq[4]
	161	+
	162	+void SHA1Transform(unsigned int state[5], const unsigned char buffer[64])
	163	+{
	164	+ unsigned int qq[5]; /* a, b, c, d, e; */
	165	+ static int one = 1;
	166	+ unsigned int block[16];
	167	+ memcpy(block, buffer, 64);
	168	+ memcpy(qq,state,5*sizeof(unsigned int));
	169	+
	170	+ /* Copy context->state[] to working vars */
	171	+ /*
	172	+ a = state[0];
	173	+ b = state[1];
	174	+ c = state[2];
	175	+ d = state[3];
	176	+ e = state[4];
	177	+ */
	178	+
	179	+ /* 4 rounds of 20 operations each. Loop unrolled. */
	180	+ if( 1 == (unsigned char)&one ){
	181	+ Rl0(a,b,c,d,e, 0); Rl0(e,a,b,c,d, 1); Rl0(d,e,a,b,c, 2); Rl0(c,d,e,a,b, 3);
	182	+ Rl0(b,c,d,e,a, 4); Rl0(a,b,c,d,e, 5); Rl0(e,a,b,c,d, 6); Rl0(d,e,a,b,c, 7);
	183	+ Rl0(c,d,e,a,b, 8); Rl0(b,c,d,e,a, 9); Rl0(a,b,c,d,e,10); Rl0(e,a,b,c,d,11);
	184	+ Rl0(d,e,a,b,c,12); Rl0(c,d,e,a,b,13); Rl0(b,c,d,e,a,14); Rl0(a,b,c,d,e,15);
	185	+ }else{
	186	+ Rb0(a,b,c,d,e, 0); Rb0(e,a,b,c,d, 1); Rb0(d,e,a,b,c, 2); Rb0(c,d,e,a,b, 3);
	187	+ Rb0(b,c,d,e,a, 4); Rb0(a,b,c,d,e, 5); Rb0(e,a,b,c,d, 6); Rb0(d,e,a,b,c, 7);
	188	+ Rb0(c,d,e,a,b, 8); Rb0(b,c,d,e,a, 9); Rb0(a,b,c,d,e,10); Rb0(e,a,b,c,d,11);
	189	+ Rb0(d,e,a,b,c,12); Rb0(c,d,e,a,b,13); Rb0(b,c,d,e,a,14); Rb0(a,b,c,d,e,15);
	190	+ }
	191	+ R1(e,a,b,c,d,16); R1(d,e,a,b,c,17); R1(c,d,e,a,b,18); R1(b,c,d,e,a,19);
	192	+ R2(a,b,c,d,e,20); R2(e,a,b,c,d,21); R2(d,e,a,b,c,22); R2(c,d,e,a,b,23);
	193	+ R2(b,c,d,e,a,24); R2(a,b,c,d,e,25); R2(e,a,b,c,d,26); R2(d,e,a,b,c,27);
	194	+ R2(c,d,e,a,b,28); R2(b,c,d,e,a,29); R2(a,b,c,d,e,30); R2(e,a,b,c,d,31);
	195	+ R2(d,e,a,b,c,32); R2(c,d,e,a,b,33); R2(b,c,d,e,a,34); R2(a,b,c,d,e,35);
	196	+ R2(e,a,b,c,d,36); R2(d,e,a,b,c,37); R2(c,d,e,a,b,38); R2(b,c,d,e,a,39);
	197	+ R3(a,b,c,d,e,40); R3(e,a,b,c,d,41); R3(d,e,a,b,c,42); R3(c,d,e,a,b,43);
	198	+ R3(b,c,d,e,a,44); R3(a,b,c,d,e,45); R3(e,a,b,c,d,46); R3(d,e,a,b,c,47);
	199	+ R3(c,d,e,a,b,48); R3(b,c,d,e,a,49); R3(a,b,c,d,e,50); R3(e,a,b,c,d,51);
	200	+ R3(d,e,a,b,c,52); R3(c,d,e,a,b,53); R3(b,c,d,e,a,54); R3(a,b,c,d,e,55);
	201	+ R3(e,a,b,c,d,56); R3(d,e,a,b,c,57); R3(c,d,e,a,b,58); R3(b,c,d,e,a,59);
	202	+ R4(a,b,c,d,e,60); R4(e,a,b,c,d,61); R4(d,e,a,b,c,62); R4(c,d,e,a,b,63);
	203	+ R4(b,c,d,e,a,64); R4(a,b,c,d,e,65); R4(e,a,b,c,d,66); R4(d,e,a,b,c,67);
	204	+ R4(c,d,e,a,b,68); R4(b,c,d,e,a,69); R4(a,b,c,d,e,70); R4(e,a,b,c,d,71);
	205	+ R4(d,e,a,b,c,72); R4(c,d,e,a,b,73); R4(b,c,d,e,a,74); R4(a,b,c,d,e,75);
	206	+ R4(e,a,b,c,d,76); R4(d,e,a,b,c,77); R4(c,d,e,a,b,78); R4(b,c,d,e,a,79);
	207	+
	208	+ /* Add the working vars back into context.state[] */
	209	+ state[0] += a;
	210	+ state[1] += b;
	211	+ state[2] += c;
	212	+ state[3] += d;
	213	+ state[4] += e;
	214	+}
	215	+
	216	+
	217	+/*
	218	+ * SHA1Init - Initialize new context
	219	+ */
	220	+static void SHA1Init(SHA1Context *context){
	221	+ /* SHA1 initialization constants */
	222	+ context->state[0] = 0x67452301;
	223	+ context->state[1] = 0xEFCDAB89;
	224	+ context->state[2] = 0x98BADCFE;
	225	+ context->state[3] = 0x10325476;
	226	+ context->state[4] = 0xC3D2E1F0;
	227	+ context->count[0] = context->count[1] = 0;
	228	+}
	229	+
	230	+
	231	+/*
	232	+ * Run your data through this.
	233	+ */
	234	+static void SHA1Update(
	235	+ SHA1Context *context,
	236	+ const unsigned char *data,
	237	+ unsigned int len
	238	+){
	239	+ unsigned int i, j;
	240	+
	241	+ j = context->count[0];
	242	+ if ((context->count[0] += len << 3) < j)
	243	+ context->count[1] += (len>>29)+1;
	244	+ j = (j >> 3) & 63;
	245	+ if ((j + len) > 63) {
	246	+ (void)memcpy(&context->buffer[j], data, (i = 64-j));
	247	+ SHA1Transform(context->state, context->buffer);
	248	+ for ( ; i + 63 < len; i += 64)
	249	+ SHA1Transform(context->state, &data[i]);
	250	+ j = 0;
	251	+ } else {
	252	+ i = 0;
	253	+ }
	254	+ (void)memcpy(&context->buffer[j], &data[i], len - i);
	255	+}
	256	+
	257	+
	258	+/*
	259	+ * Add padding and return the message digest.
	260	+ */
	261	+static void SHA1Final(unsigned char digest, SHA1Context context){
	262	+ unsigned int i;
	263	+ unsigned char finalcount[8];
	264	+
	265	+ for (i = 0; i < 8; i++) {
	266	+ finalcount[i] = (unsigned char)((context->count[(i >= 4 ? 0 : 1)]
	267	+ >> ((3-(i & 3)) * 8) ) & 255); /* Endian independent */
	268	+ }
	269	+ SHA1Update(context, (const unsigned char *)"\200", 1);
	270	+ while ((context->count[0] & 504) != 448)
	271	+ SHA1Update(context, (const unsigned char *)"\0", 1);
	272	+ SHA1Update(context, finalcount, 8); /* Should cause a SHA1Transform() */
	273	+
	274	+ if (digest) {
	275	+ for (i = 0; i < 20; i++)
	276	+ digest[i] = (unsigned char)
	277	+ ((context->state[i>>2] >> ((3-(i & 3)) * 8) ) & 255);
	278	+ }
	279	+}
	280	+#endif /* Built-in SHA1 implemenation */
	281	+
56	282	/*
57	283	** Convert a digest into base-16. digest should be declared as
58	284	** "unsigned char digest[20]" in the calling function. The SHA1
59	285	** digest is stored in the first 20 bytes. zBuf should
60	286	** be "char zBuf[41]".
61	287

	--- src/sha1.c
	+++ src/sha1.c
	@@ -21,10 +21,21 @@
21	#include <sys/types.h>
22	#include <stdint.h>
23	#include "sha1.h"
24
25











26	#if INTERFACE
27	typedef void(collision_block_callback)(uint64_t, const uint32_t, const uint32_t, const uint32_t, const uint32_t*);
28	struct SHA1_CTX {
29	uint64_t total;
30	uint32_t ihv[5];
	@@ -51,10 +62,225 @@
51	#define SHA1Context SHA1_CTX
52	#define SHA1Init SHA1DCInit
53	#define SHA1Update SHA1DCUpdate
54	#define SHA1Final SHA1DCFinal
55























































































































































































































56	/*
57	** Convert a digest into base-16. digest should be declared as
58	** "unsigned char digest[20]" in the calling function. The SHA1
59	** digest is stored in the first 20 bytes. zBuf should
60	** be "char zBuf[41]".
61

	--- src/sha1.c
	+++ src/sha1.c
	@@ -21,10 +21,21 @@
21	#include <sys/types.h>
22	#include <stdint.h>
23	#include "sha1.h"
24
25
26	/*
27	** Implementation #1 is the hardened SHA1 implementation by
28	** Marc Stevens. Code obtained from GitHub
29	**
30	** https://github.com/cr-marcstevens/sha1collisiondetection
31	**
32	** Downloaded on 2017-03-01 then repackaged to work with Fossil
33	** and makeheaders.
34	*/
35	#if FOSSIL_HARDENED_SHA1
36
37	#if INTERFACE
38	typedef void(collision_block_callback)(uint64_t, const uint32_t, const uint32_t, const uint32_t, const uint32_t*);
39	struct SHA1_CTX {
40	uint64_t total;
41	uint32_t ihv[5];
	@@ -51,10 +62,225 @@
62	#define SHA1Context SHA1_CTX
63	#define SHA1Init SHA1DCInit
64	#define SHA1Update SHA1DCUpdate
65	#define SHA1Final SHA1DCFinal
66
67	/*
68	** The second case: use the SHA1 algorithm built into SSL
69	*/
70	#elif defined(FOSSIL_ENABLE_SSL)
71
72	# include <openssl/sha.h>
73	# define SHA1Context SHA_CTX
74	# define SHA1Init SHA1_Init
75	# define SHA1Update SHA1_Update
76	# define SHA1Final SHA1_Final
77
78	/*
79	** If none of the previous two SHA1 algorithms work, there
80	** is this built-in. The built-in below is the original.
81	*/
82	#else
83	/*
84	** The SHA1 implementation below is adapted from:
85	**
86	** $NetBSD: sha1.c,v 1.6 2009/11/06 20:31:18 joerg Exp $
87	** $OpenBSD: sha1.c,v 1.9 1997/07/23 21:12:32 kstailey Exp $
88	**
89	** SHA-1 in C
90	** By Steve Reid <[email protected]>
91	** 100% Public Domain
92	*/
93	typedef struct SHA1Context SHA1Context;
94	struct SHA1Context {
95	unsigned int state[5];
96	unsigned int count[2];
97	unsigned char buffer[64];
98	};
99
100	/*
101	* blk0() and blk() perform the initial expand.
102	* I got the idea of expanding during the round function from SSLeay
103	*
104	* blk0le() for little-endian and blk0be() for big-endian.
105	*/
106	#if __GNUC__ && (defined(__i386__) \|\| defined(__x86_64__))
107	/*
108	* GCC by itself only generates left rotates. Use right rotates if
109	* possible to be kinder to dinky implementations with iterative rotate
110	* instructions.
111	*/
112	#define SHA_ROT(op, x, k) \
113	({ unsigned int y; asm(op " %1,%0" : "=r" (y) : "I" (k), "0" (x)); y; })
114	#define rol(x,k) SHA_ROT("roll", x, k)
115	#define ror(x,k) SHA_ROT("rorl", x, k)
116
117	#else
118	/* Generic C equivalent */
119	#define SHA_ROT(x,l,r) ((x) << (l) \| (x) >> (r))
120	#define rol(x,k) SHA_ROT(x,k,32-(k))
121	#define ror(x,k) SHA_ROT(x,32-(k),k)
122	#endif
123
124
125
126
127
128	#define blk0le(i) (block[i] = (ror(block[i],8)&0xFF00FF00) \
129	\|(rol(block[i],8)&0x00FF00FF))
130	#define blk0be(i) block[i]
131	#define blk(i) (block[i&15] = rol(block[(i+13)&15]^block[(i+8)&15] \
132	^block[(i+2)&15]^block[i&15],1))
133
134	/*
135	* (R0+R1), R2, R3, R4 are the different operations (rounds) used in SHA1
136	*
137	* Rl0() for little-endian and Rb0() for big-endian. Endianness is
138	* determined at run-time.
139	*/
140	#define Rl0(v,w,x,y,z,i) \
141	z+=((w&(x^y))^y)+blk0le(i)+0x5A827999+rol(v,5);w=ror(w,2);
142	#define Rb0(v,w,x,y,z,i) \
143	z+=((w&(x^y))^y)+blk0be(i)+0x5A827999+rol(v,5);w=ror(w,2);
144	#define R1(v,w,x,y,z,i) \
145	z+=((w&(x^y))^y)+blk(i)+0x5A827999+rol(v,5);w=ror(w,2);
146	#define R2(v,w,x,y,z,i) \
147	z+=(w^x^y)+blk(i)+0x6ED9EBA1+rol(v,5);w=ror(w,2);
148	#define R3(v,w,x,y,z,i) \
149	z+=(((w\|x)&y)\|(w&x))+blk(i)+0x8F1BBCDC+rol(v,5);w=ror(w,2);
150	#define R4(v,w,x,y,z,i) \
151	z+=(w^x^y)+blk(i)+0xCA62C1D6+rol(v,5);w=ror(w,2);
152
153	/*
154	* Hash a single 512-bit block. This is the core of the algorithm.
155	*/
156	#define a qq[0]
157	#define b qq[1]
158	#define c qq[2]
159	#define d qq[3]
160	#define e qq[4]
161
162	void SHA1Transform(unsigned int state[5], const unsigned char buffer[64])
163	{
164	unsigned int qq[5]; /* a, b, c, d, e; */
165	static int one = 1;
166	unsigned int block[16];
167	memcpy(block, buffer, 64);
168	memcpy(qq,state,5*sizeof(unsigned int));
169
170	/* Copy context->state[] to working vars */
171	/*
172	a = state[0];
173	b = state[1];
174	c = state[2];
175	d = state[3];
176	e = state[4];
177	*/
178
179	/* 4 rounds of 20 operations each. Loop unrolled. */
180	if( 1 == (unsigned char)&one ){
181	Rl0(a,b,c,d,e, 0); Rl0(e,a,b,c,d, 1); Rl0(d,e,a,b,c, 2); Rl0(c,d,e,a,b, 3);
182	Rl0(b,c,d,e,a, 4); Rl0(a,b,c,d,e, 5); Rl0(e,a,b,c,d, 6); Rl0(d,e,a,b,c, 7);
183	Rl0(c,d,e,a,b, 8); Rl0(b,c,d,e,a, 9); Rl0(a,b,c,d,e,10); Rl0(e,a,b,c,d,11);
184	Rl0(d,e,a,b,c,12); Rl0(c,d,e,a,b,13); Rl0(b,c,d,e,a,14); Rl0(a,b,c,d,e,15);
185	}else{
186	Rb0(a,b,c,d,e, 0); Rb0(e,a,b,c,d, 1); Rb0(d,e,a,b,c, 2); Rb0(c,d,e,a,b, 3);
187	Rb0(b,c,d,e,a, 4); Rb0(a,b,c,d,e, 5); Rb0(e,a,b,c,d, 6); Rb0(d,e,a,b,c, 7);
188	Rb0(c,d,e,a,b, 8); Rb0(b,c,d,e,a, 9); Rb0(a,b,c,d,e,10); Rb0(e,a,b,c,d,11);
189	Rb0(d,e,a,b,c,12); Rb0(c,d,e,a,b,13); Rb0(b,c,d,e,a,14); Rb0(a,b,c,d,e,15);
190	}
191	R1(e,a,b,c,d,16); R1(d,e,a,b,c,17); R1(c,d,e,a,b,18); R1(b,c,d,e,a,19);
192	R2(a,b,c,d,e,20); R2(e,a,b,c,d,21); R2(d,e,a,b,c,22); R2(c,d,e,a,b,23);
193	R2(b,c,d,e,a,24); R2(a,b,c,d,e,25); R2(e,a,b,c,d,26); R2(d,e,a,b,c,27);
194	R2(c,d,e,a,b,28); R2(b,c,d,e,a,29); R2(a,b,c,d,e,30); R2(e,a,b,c,d,31);
195	R2(d,e,a,b,c,32); R2(c,d,e,a,b,33); R2(b,c,d,e,a,34); R2(a,b,c,d,e,35);
196	R2(e,a,b,c,d,36); R2(d,e,a,b,c,37); R2(c,d,e,a,b,38); R2(b,c,d,e,a,39);
197	R3(a,b,c,d,e,40); R3(e,a,b,c,d,41); R3(d,e,a,b,c,42); R3(c,d,e,a,b,43);
198	R3(b,c,d,e,a,44); R3(a,b,c,d,e,45); R3(e,a,b,c,d,46); R3(d,e,a,b,c,47);
199	R3(c,d,e,a,b,48); R3(b,c,d,e,a,49); R3(a,b,c,d,e,50); R3(e,a,b,c,d,51);
200	R3(d,e,a,b,c,52); R3(c,d,e,a,b,53); R3(b,c,d,e,a,54); R3(a,b,c,d,e,55);
201	R3(e,a,b,c,d,56); R3(d,e,a,b,c,57); R3(c,d,e,a,b,58); R3(b,c,d,e,a,59);
202	R4(a,b,c,d,e,60); R4(e,a,b,c,d,61); R4(d,e,a,b,c,62); R4(c,d,e,a,b,63);
203	R4(b,c,d,e,a,64); R4(a,b,c,d,e,65); R4(e,a,b,c,d,66); R4(d,e,a,b,c,67);
204	R4(c,d,e,a,b,68); R4(b,c,d,e,a,69); R4(a,b,c,d,e,70); R4(e,a,b,c,d,71);
205	R4(d,e,a,b,c,72); R4(c,d,e,a,b,73); R4(b,c,d,e,a,74); R4(a,b,c,d,e,75);
206	R4(e,a,b,c,d,76); R4(d,e,a,b,c,77); R4(c,d,e,a,b,78); R4(b,c,d,e,a,79);
207
208	/* Add the working vars back into context.state[] */
209	state[0] += a;
210	state[1] += b;
211	state[2] += c;
212	state[3] += d;
213	state[4] += e;
214	}
215
216
217	/*
218	* SHA1Init - Initialize new context
219	*/
220	static void SHA1Init(SHA1Context *context){
221	/* SHA1 initialization constants */
222	context->state[0] = 0x67452301;
223	context->state[1] = 0xEFCDAB89;
224	context->state[2] = 0x98BADCFE;
225	context->state[3] = 0x10325476;
226	context->state[4] = 0xC3D2E1F0;
227	context->count[0] = context->count[1] = 0;
228	}
229
230
231	/*
232	* Run your data through this.
233	*/
234	static void SHA1Update(
235	SHA1Context *context,
236	const unsigned char *data,
237	unsigned int len
238	){
239	unsigned int i, j;
240
241	j = context->count[0];
242	if ((context->count[0] += len << 3) < j)
243	context->count[1] += (len>>29)+1;
244	j = (j >> 3) & 63;
245	if ((j + len) > 63) {
246	(void)memcpy(&context->buffer[j], data, (i = 64-j));
247	SHA1Transform(context->state, context->buffer);
248	for ( ; i + 63 < len; i += 64)
249	SHA1Transform(context->state, &data[i]);
250	j = 0;
251	} else {
252	i = 0;
253	}
254	(void)memcpy(&context->buffer[j], &data[i], len - i);
255	}
256
257
258	/*
259	* Add padding and return the message digest.
260	*/
261	static void SHA1Final(unsigned char digest, SHA1Context context){
262	unsigned int i;
263	unsigned char finalcount[8];
264
265	for (i = 0; i < 8; i++) {
266	finalcount[i] = (unsigned char)((context->count[(i >= 4 ? 0 : 1)]
267	>> ((3-(i & 3)) * 8) ) & 255); /* Endian independent */
268	}
269	SHA1Update(context, (const unsigned char *)"\200", 1);
270	while ((context->count[0] & 504) != 448)
271	SHA1Update(context, (const unsigned char *)"\0", 1);
272	SHA1Update(context, finalcount, 8); /* Should cause a SHA1Transform() */
273
274	if (digest) {
275	for (i = 0; i < 20; i++)
276	digest[i] = (unsigned char)
277	((context->state[i>>2] >> ((3-(i & 3)) * 8) ) & 255);
278	}
279	}
280	#endif /* Built-in SHA1 implemenation */
281
282	/*
283	** Convert a digest into base-16. digest should be declared as
284	** "unsigned char digest[20]" in the calling function. The SHA1
285	** digest is stored in the first 20 bytes. zBuf should
286	** be "char zBuf[41]".
287

M src/sha1hard.c

		--- src/sha1hard.c
		+++ src/sha1hard.c
		@@ -5,10 +5,12 @@
5	5	**
6	6	** On 2017-03-01, with minor changings in formatting. All
7	7	** original copyright claims are preserved.
8	8	*/
9	9	/MAKEHEADERS-STOP/
	10	+#include "config.h"
	11	+#if FOSSIL_HARDENED_SHA1 /* Only do this code if requested */
10	12	/************* File: lib/sha1.c **************/
11	13	/***
12	14	* Copyright 2017 Marc Stevens <[email protected]>, Dan Shumow ([email protected])
13	15	* Distributed under the MIT Software License.
14	16	* See accompanying file LICENSE.txt or copy at
		@@ -1581,5 +1583,6 @@
1581	1583	output[17] = (unsigned char)(ctx->ihv[4] >> 16);
1582	1584	output[18] = (unsigned char)(ctx->ihv[4] >> 8);
1583	1585	output[19] = (unsigned char)(ctx->ihv[4]);
1584	1586	return ctx->found_collision;
1585	1587	}
	1588	+#endif /* FOSSIL_HARDENED_SHA1 */
1586	1589

	--- src/sha1hard.c
	+++ src/sha1hard.c
	@@ -5,10 +5,12 @@
5	**
6	** On 2017-03-01, with minor changings in formatting. All
7	** original copyright claims are preserved.
8	*/
9	/MAKEHEADERS-STOP/


10	/************* File: lib/sha1.c **************/
11	/***
12	* Copyright 2017 Marc Stevens <[email protected]>, Dan Shumow ([email protected])
13	* Distributed under the MIT Software License.
14	* See accompanying file LICENSE.txt or copy at
	@@ -1581,5 +1583,6 @@
1581	output[17] = (unsigned char)(ctx->ihv[4] >> 16);
1582	output[18] = (unsigned char)(ctx->ihv[4] >> 8);
1583	output[19] = (unsigned char)(ctx->ihv[4]);
1584	return ctx->found_collision;
1585	}

1586

	--- src/sha1hard.c
	+++ src/sha1hard.c
	@@ -5,10 +5,12 @@
5	**
6	** On 2017-03-01, with minor changings in formatting. All
7	** original copyright claims are preserved.
8	*/
9	/MAKEHEADERS-STOP/
10	#include "config.h"
11	#if FOSSIL_HARDENED_SHA1 /* Only do this code if requested */
12	/************* File: lib/sha1.c **************/
13	/***
14	* Copyright 2017 Marc Stevens <[email protected]>, Dan Shumow ([email protected])
15	* Distributed under the MIT Software License.
16	* See accompanying file LICENSE.txt or copy at
	@@ -1581,5 +1583,6 @@
1583	output[17] = (unsigned char)(ctx->ihv[4] >> 16);
1584	output[18] = (unsigned char)(ctx->ihv[4] >> 8);
1585	output[19] = (unsigned char)(ctx->ihv[4]);
1586	return ctx->found_collision;
1587	}
1588	#endif /* FOSSIL_HARDENED_SHA1 */
1589

Fossil SCM

Keyboard Shortcuts