sha1 Algorithm
The SHA1 (Secure Hash Algorithm 1) is a widely used cryptographic hash function that was designed by the National Security Agency (NSA) and published by the National Institute of Standards and Technology (NIST) in 1995. This algorithm takes an input message of any length and generates a 160-bit (20-byte) fixed-length output, which is a unique representation of the input data. Its primary purpose is to ensure data integrity by detecting any alterations or tampering of the original message. SHA1 is widely employed in various security applications and protocols, such as digital signatures, message authentication codes, and secure password storage.
However, over time, researchers have found several vulnerabilities in the SHA1 algorithm, which has led to its depreciation in favor of more secure hashing algorithms, such as SHA-256 and SHA-3. In 2005, cryptanalysts discovered a technique called "collision attacks," which allowed them to find two different input messages that produce the same hash output, thus breaking the fundamental property of a cryptographic hash function – its collision resistance. Since then, more efficient attacks have been developed, further weakening the security of SHA1. Consequently, major organizations and security experts now recommend transitioning to stronger hash algorithms to ensure better security and data integrity.
// Copyright 2012 The Rust Project Developers. See the COPYRIGHT
// file at the top-level directory of this distribution and at
// http://rust-lang.org/COPYRIGHT.
//
// Licensed under the Apache License, Version 2.0 <LICENSE-APACHE or
// http://www.apache.org/licenses/LICENSE-2.0> or the MIT license
// <LICENSE-MIT or http://opensource.org/licenses/MIT>, at your
// option. This file may not be copied, modified, or distributed
// except according to those terms.
/*!
An implementation of the SHA-1 cryptographic hash algorithm.
To use this module, first create a `Sha1` object using the `Sha1` constructor,
then feed it an input message using the `input` or `input_str` methods,
which may be called any number of times; they will buffer the input until
there is enough to call the block algorithm.
After the entire input has been fed to the hash read the result using
the `result` or `result_str` methods. The first will return bytes, and
the second will return a `String` object of the same bytes represented
in hexadecimal form.
The `Sha1` object may be reused to create multiple hashes by calling
the `reset()` method. These traits are implemented by all hash digest
algorithms that implement the `Digest` trait. An example of use is:
```rust
use self::crypto::digest::Digest;
use self::crypto::sha1::Sha1;
// create a Sha1 object
let mut hasher = Sha1::new();
// write input message
hasher.input_str("hello world");
// read hash digest
let hex = hasher.result_str();
assert_eq!(hex, "2aae6c35c94fcfb415dbe95f408b9ce91ee846ed");
```
# Mathematics
The mathematics of the SHA-1 algorithm are quite interesting. In its
definition, The SHA-1 algorithm uses:
* 1 binary operation on bit-arrays:
* "exclusive or" (XOR)
* 2 binary operations on integers:
* "addition" (ADD)
* "rotate left" (ROL)
* 3 ternary operations on bit-arrays:
* "choose" (CH)
* "parity" (PAR)
* "majority" (MAJ)
Some of these functions are commonly found in all hash digest
algorithms, but some, like "parity" is only found in SHA-1.
*/
use digest::Digest;
use cryptoutil::{write_u32_be, read_u32v_be, add_bytes_to_bits, FixedBuffer, FixedBuffer64, StandardPadding};
use simd::u32x4;
const STATE_LEN: usize = 5;
const BLOCK_LEN: usize = 16;
const K0: u32 = 0x5A827999u32;
const K1: u32 = 0x6ED9EBA1u32;
const K2: u32 = 0x8F1BBCDCu32;
const K3: u32 = 0xCA62C1D6u32;
/// Not an intrinsic, but gets the first element of a vector.
#[inline]
pub fn sha1_first(w0: u32x4) -> u32 {
w0.0
}
/// Not an intrinsic, but adds a word to the first element of a vector.
#[inline]
pub fn sha1_first_add(e: u32, w0: u32x4) -> u32x4 {
let u32x4(a, b, c, d) = w0;
u32x4(e.wrapping_add(a), b, c, d)
}
/// Emulates `llvm.x86.sha1msg1` intrinsic.
fn sha1msg1(a: u32x4, b: u32x4) -> u32x4 {
let u32x4(_, _, w2, w3) = a;
let u32x4(w4, w5, _, _) = b;
a ^ u32x4(w2, w3, w4, w5)
}
/// Emulates `llvm.x86.sha1msg2` intrinsic.
fn sha1msg2(a: u32x4, b: u32x4) -> u32x4 {
let u32x4(x0, x1, x2, x3) = a;
let u32x4(_, w13, w14, w15) = b;
let w16 = (x0 ^ w13).rotate_left(1);
let w17 = (x1 ^ w14).rotate_left(1);
let w18 = (x2 ^ w15).rotate_left(1);
let w19 = (x3 ^ w16).rotate_left(1);
u32x4(w16, w17, w18, w19)
}
/// Performs 4 rounds of the message schedule update.
pub fn sha1_schedule_x4(v0: u32x4, v1: u32x4, v2: u32x4, v3: u32x4) -> u32x4 {
sha1msg2(sha1msg1(v0, v1) ^ v2, v3)
}
/// Emulates `llvm.x86.sha1nexte` intrinsic.
#[inline]
pub fn sha1_first_half(abcd: u32x4, msg: u32x4) -> u32x4 {
sha1_first_add(sha1_first(abcd).rotate_left(30), msg)
}
/// Emulates `llvm.x86.sha1rnds4` intrinsic.
/// Performs 4 rounds of the message block digest.
pub fn sha1_digest_round_x4(abcd: u32x4, work: u32x4, i: i8) -> u32x4 {
const K0V: u32x4 = u32x4(K0, K0, K0, K0);
const K1V: u32x4 = u32x4(K1, K1, K1, K1);
const K2V: u32x4 = u32x4(K2, K2, K2, K2);
const K3V: u32x4 = u32x4(K3, K3, K3, K3);
match i {
0 => sha1rnds4c(abcd, work + K0V),
1 => sha1rnds4p(abcd, work + K1V),
2 => sha1rnds4m(abcd, work + K2V),
3 => sha1rnds4p(abcd, work + K3V),
_ => panic!("unknown icosaround index")
}
}
/// Not an intrinsic, but helps emulate `llvm.x86.sha1rnds4` intrinsic.
fn sha1rnds4c(abcd: u32x4, msg: u32x4) -> u32x4 {
let u32x4(mut a, mut b, mut c, mut d) = abcd;
let u32x4(t, u, v, w) = msg;
let mut e = 0u32;
macro_rules! bool3ary_202 {
($a:expr, $b:expr, $c:expr) => (($c ^ ($a & ($b ^ $c))))
} // Choose, MD5F, SHA1C
e = e.wrapping_add(a.rotate_left(5)).wrapping_add(bool3ary_202!(b, c, d)).wrapping_add(t);
b = b.rotate_left(30);
d = d.wrapping_add(e.rotate_left(5)).wrapping_add(bool3ary_202!(a, b, c)).wrapping_add(u);
a = a.rotate_left(30);
c = c.wrapping_add(d.rotate_left(5)).wrapping_add(bool3ary_202!(e, a, b)).wrapping_add(v);
e = e.rotate_left(30);
b = b.wrapping_add(c.rotate_left(5)).wrapping_add(bool3ary_202!(d, e, a)).wrapping_add(w);
d = d.rotate_left(30);
u32x4(b, c, d, e)
}
/// Not an intrinsic, but helps emulate `llvm.x86.sha1rnds4` intrinsic.
fn sha1rnds4p(abcd: u32x4, msg: u32x4) -> u32x4 {
let u32x4(mut a, mut b, mut c, mut d) = abcd;
let u32x4(t, u, v, w) = msg;
let mut e = 0u32;
macro_rules! bool3ary_150 {
($a:expr, $b:expr, $c:expr) => (($a ^ $b ^ $c))
} // Parity, XOR, MD5H, SHA1P
e = e.wrapping_add(a.rotate_left(5)).wrapping_add(bool3ary_150!(b, c, d)).wrapping_add(t);
b = b.rotate_left(30);
d = d.wrapping_add(e.rotate_left(5)).wrapping_add(bool3ary_150!(a, b, c)).wrapping_add(u);
a = a.rotate_left(30);
c = c.wrapping_add(d.rotate_left(5)).wrapping_add(bool3ary_150!(e, a, b)).wrapping_add(v);
e = e.rotate_left(30);
b = b.wrapping_add(c.rotate_left(5)).wrapping_add(bool3ary_150!(d, e, a)).wrapping_add(w);
d = d.rotate_left(30);
u32x4(b, c, d, e)
}
/// Not an intrinsic, but helps emulate `llvm.x86.sha1rnds4` intrinsic.
fn sha1rnds4m(abcd: u32x4, msg: u32x4) -> u32x4 {
let u32x4(mut a, mut b, mut c, mut d) = abcd;
let u32x4(t, u, v, w) = msg;
let mut e = 0u32;
macro_rules! bool3ary_232 {
($a:expr, $b:expr, $c:expr) => (($a & $b) ^ ($a & $c) ^ ($b & $c))
} // Majority, SHA1M
e = e.wrapping_add(a.rotate_left(5)).wrapping_add(bool3ary_232!(b, c, d)).wrapping_add(t);
b = b.rotate_left(30);
d = d.wrapping_add(e.rotate_left(5)).wrapping_add(bool3ary_232!(a, b, c)).wrapping_add(u);
a = a.rotate_left(30);
c = c.wrapping_add(d.rotate_left(5)).wrapping_add(bool3ary_232!(e, a, b)).wrapping_add(v);
e = e.rotate_left(30);
b = b.wrapping_add(c.rotate_left(5)).wrapping_add(bool3ary_232!(d, e, a)).wrapping_add(w);
d = d.rotate_left(30);
u32x4(b, c, d, e)
}
/// Process a block with the SHA-1 algorithm.
pub fn sha1_digest_block_u32(state: &mut [u32; 5], block: &[u32; 16]) {
macro_rules! schedule {
($v0:expr, $v1:expr, $v2:expr, $v3:expr) => (
sha1msg2(sha1msg1($v0, $v1) ^ $v2, $v3)
)
}
macro_rules! rounds4 {
($h0:ident, $h1:ident, $wk:expr, $i:expr) => (
sha1_digest_round_x4($h0, sha1_first_half($h1, $wk), $i)
)
}
// Rounds 0..20
let mut h0 = u32x4(state[0],
state[1],
state[2],
state[3]);
let mut w0 = u32x4(block[0],
block[1],
block[2],
block[3]);
let mut h1 = sha1_digest_round_x4(h0, sha1_first_add(state[4], w0), 0);
let mut w1 = u32x4(block[4],
block[5],
block[6],
block[7]);
h0 = rounds4!(h1, h0, w1, 0);
let mut w2 = u32x4(block[8],
block[9],
block[10],
block[11]);
h1 = rounds4!(h0, h1, w2, 0);
let mut w3 = u32x4(block[12],
block[13],
block[14],
block[15]);
h0 = rounds4!(h1, h0, w3, 0);
let mut w4 = schedule!(w0, w1, w2, w3);
h1 = rounds4!(h0, h1, w4, 0);
// Rounds 20..40
w0 = schedule!(w1, w2, w3, w4);
h0 = rounds4!(h1, h0, w0, 1);
w1 = schedule!(w2, w3, w4, w0);
h1 = rounds4!(h0, h1, w1, 1);
w2 = schedule!(w3, w4, w0, w1);
h0 = rounds4!(h1, h0, w2, 1);
w3 = schedule!(w4, w0, w1, w2);
h1 = rounds4!(h0, h1, w3, 1);
w4 = schedule!(w0, w1, w2, w3);
h0 = rounds4!(h1, h0, w4, 1);
// Rounds 40..60
w0 = schedule!(w1, w2, w3, w4);
h1 = rounds4!(h0, h1, w0, 2);
w1 = schedule!(w2, w3, w4, w0);
h0 = rounds4!(h1, h0, w1, 2);
w2 = schedule!(w3, w4, w0, w1);
h1 = rounds4!(h0, h1, w2, 2);
w3 = schedule!(w4, w0, w1, w2);
h0 = rounds4!(h1, h0, w3, 2);
w4 = schedule!(w0, w1, w2, w3);
h1 = rounds4!(h0, h1, w4, 2);
// Rounds 60..80
w0 = schedule!(w1, w2, w3, w4);
h0 = rounds4!(h1, h0, w0, 3);
w1 = schedule!(w2, w3, w4, w0);
h1 = rounds4!(h0, h1, w1, 3);
w2 = schedule!(w3, w4, w0, w1);
h0 = rounds4!(h1, h0, w2, 3);
w3 = schedule!(w4, w0, w1, w2);
h1 = rounds4!(h0, h1, w3, 3);
w4 = schedule!(w0, w1, w2, w3);
h0 = rounds4!(h1, h0, w4, 3);
let e = sha1_first(h1).rotate_left(30);
let u32x4(a, b, c, d) = h0;
state[0] = state[0].wrapping_add(a);
state[1] = state[1].wrapping_add(b);
state[2] = state[2].wrapping_add(c);
state[3] = state[3].wrapping_add(d);
state[4] = state[4].wrapping_add(e);
}
/// Process a block with the SHA-1 algorithm. (See more...)
///
/// SHA-1 is a cryptographic hash function, and as such, it operates
/// on an arbitrary number of bytes. This function operates on a fixed
/// number of bytes. If you call this function with anything other than
/// 64 bytes, then it will panic! This function takes two arguments:
///
/// * `state` is reference to an **array** of 5 words.
/// * `block` is reference to a **slice** of 64 bytes.
///
/// If you want the function that performs a message digest on an arbitrary
/// number of bytes, then see also the `Sha1` struct above.
///
/// # Implementation
///
/// First, some background. Both ARM and Intel are releasing documentation
/// that they plan to include instruction set extensions for SHA1 and SHA256
/// sometime in the near future. Second, LLVM won't lower these intrinsics yet,
/// so these functions were written emulate these instructions. Finally,
/// the block function implemented with these emulated intrinsics turned out
/// to be quite fast! What follows is a discussion of this CPU-level view
/// of the SHA-1 algorithm and how it relates to the mathematical definition.
///
/// The SHA instruction set extensions can be divided up into two categories:
///
/// * message work schedule update calculation ("schedule" v., "work" n.)
/// * message block 80-round digest calculation ("digest" v., "block" n.)
///
/// The schedule-related functions can be used to easily perform 4 rounds
/// of the message work schedule update calculation, as shown below:
///
/// ```ignore
/// macro_rules! schedule_x4 {
/// ($v0:expr, $v1:expr, $v2:expr, $v3:expr) => (
/// sha1msg2(sha1msg1($v0, $v1) ^ $v2, $v3)
/// )
/// }
///
/// macro_rules! round_x4 {
/// ($h0:ident, $h1:ident, $wk:expr, $i:expr) => (
/// sha1rnds4($h0, sha1_first_half($h1, $wk), $i)
/// )
/// }
/// ```
///
/// and also shown above is how the digest-related functions can be used to
/// perform 4 rounds of the message block digest calculation.
///
pub fn sha1_digest_block(state: &mut [u32; 5], block: &[u8/*; 64*/]) {
assert_eq!(block.len(), BLOCK_LEN*4);
let mut block2 = [0u32; BLOCK_LEN];
read_u32v_be(&mut block2[..], block);
sha1_digest_block_u32(state, &block2);
}
fn add_input(st: &mut Sha1, msg: &[u8]) {
assert!((!st.computed));
// Assumes that msg.len() can be converted to u64 without overflow
st.length_bits = add_bytes_to_bits(st.length_bits, msg.len() as u64);
let st_h = &mut st.h;
st.buffer.input(msg, |d: &[u8]| { sha1_digest_block(st_h, d); });
}
fn mk_result(st: &mut Sha1, rs: &mut [u8]) {
if !st.computed {
let st_h = &mut st.h;
st.buffer.standard_padding(8, |d: &[u8]| { sha1_digest_block(&mut *st_h, d) });
write_u32_be(st.buffer.next(4), (st.length_bits >> 32) as u32 );
write_u32_be(st.buffer.next(4), st.length_bits as u32);
sha1_digest_block(st_h, st.buffer.full_buffer());
st.computed = true;
}
write_u32_be(&mut rs[0..4], st.h[0]);
write_u32_be(&mut rs[4..8], st.h[1]);
write_u32_be(&mut rs[8..12], st.h[2]);
write_u32_be(&mut rs[12..16], st.h[3]);
write_u32_be(&mut rs[16..20], st.h[4]);
}
/// Structure representing the state of a Sha1 computation
#[derive(Clone, Copy)]
pub struct Sha1 {
h: [u32; STATE_LEN],
length_bits: u64,
buffer: FixedBuffer64,
computed: bool,
}
impl Sha1 {
/// Construct a `sha` object
pub fn new() -> Sha1 {
let mut st = Sha1 {
h: [0u32; STATE_LEN],
length_bits: 0u64,
buffer: FixedBuffer64::new(),
computed: false,
};
st.reset();
st
}
}
impl Digest for Sha1 {
fn reset(&mut self) {
self.length_bits = 0;
self.h[0] = 0x67452301u32;
self.h[1] = 0xEFCDAB89u32;
self.h[2] = 0x98BADCFEu32;
self.h[3] = 0x10325476u32;
self.h[4] = 0xC3D2E1F0u32;
self.buffer.reset();
self.computed = false;
}
fn input(&mut self, msg: &[u8]) { add_input(self, msg); }
fn result(&mut self, out: &mut [u8]) { mk_result(self, out) }
fn output_bits(&self) -> usize { 160 }
fn block_size(&self) -> usize { 64 }
}
#[cfg(test)]
mod tests {
use cryptoutil::test::test_digest_1million_random;
use digest::Digest;
use sha1::Sha1;
#[derive(Clone)]
struct Test {
input: &'static str,
output: Vec<u8>,
output_str: &'static str,
}
#[test]
fn test() {
let tests = vec![
// Test messages from FIPS 180-1
Test {
input: "abc",
output: vec![
0xA9u8, 0x99u8, 0x3Eu8, 0x36u8,
0x47u8, 0x06u8, 0x81u8, 0x6Au8,
0xBAu8, 0x3Eu8, 0x25u8, 0x71u8,
0x78u8, 0x50u8, 0xC2u8, 0x6Cu8,
0x9Cu8, 0xD0u8, 0xD8u8, 0x9Du8,
],
output_str: "a9993e364706816aba3e25717850c26c9cd0d89d"
},
Test {
input:
"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
output: vec![
0x84u8, 0x98u8, 0x3Eu8, 0x44u8,
0x1Cu8, 0x3Bu8, 0xD2u8, 0x6Eu8,
0xBAu8, 0xAEu8, 0x4Au8, 0xA1u8,
0xF9u8, 0x51u8, 0x29u8, 0xE5u8,
0xE5u8, 0x46u8, 0x70u8, 0xF1u8,
],
output_str: "84983e441c3bd26ebaae4aa1f95129e5e54670f1"
},
// Examples from wikipedia
Test {
input: "The quick brown fox jumps over the lazy dog",
output: vec![
0x2fu8, 0xd4u8, 0xe1u8, 0xc6u8,
0x7au8, 0x2du8, 0x28u8, 0xfcu8,
0xedu8, 0x84u8, 0x9eu8, 0xe1u8,
0xbbu8, 0x76u8, 0xe7u8, 0x39u8,
0x1bu8, 0x93u8, 0xebu8, 0x12u8,
],
output_str: "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12",
},
Test {
input: "The quick brown fox jumps over the lazy cog",
output: vec![
0xdeu8, 0x9fu8, 0x2cu8, 0x7fu8,
0xd2u8, 0x5eu8, 0x1bu8, 0x3au8,
0xfau8, 0xd3u8, 0xe8u8, 0x5au8,
0x0bu8, 0xd1u8, 0x7du8, 0x9bu8,
0x10u8, 0x0du8, 0xb4u8, 0xb3u8,
],
output_str: "de9f2c7fd25e1b3afad3e85a0bd17d9b100db4b3",
},
];
// Test that it works when accepting the message all at once
let mut out = [0u8; 20];
let mut sh = Box::new(Sha1::new());
for t in tests.iter() {
(*sh).input_str(t.input);
sh.result(&mut out);
assert!(t.output[..] == out[..]);
let out_str = (*sh).result_str();
assert_eq!(out_str.len(), 40);
assert!(&out_str[..] == t.output_str);
sh.reset();
}
// Test that it works when accepting the message in pieces
for t in tests.iter() {
let len = t.input.len();
let mut left = len;
while left > 0 {
let take = (left + 1) / 2;
(*sh).input_str(&t.input[len - left..take + len - left]);
left = left - take;
}
sh.result(&mut out);
assert!(t.output[..] == out[..]);
let out_str = (*sh).result_str();
assert_eq!(out_str.len(), 40);
assert!(&out_str[..] == t.output_str);
sh.reset();
}
}
#[test]
fn test_1million_random_sha1() {
let mut sh = Sha1::new();
test_digest_1million_random(
&mut sh,
64,
"34aa973cd4c4daa4f61eeb2bdbad27316534016f");
}
}
#[cfg(all(test, feature = "with-bench"))]
mod bench {
use test::Bencher;
use digest::Digest;
use sha1::{STATE_LEN, BLOCK_LEN};
use sha1::{Sha1, sha1_digest_block_u32};
#[bench]
pub fn sha1_block(bh: & mut Bencher) {
let mut state = [0u32; STATE_LEN];
let words = [1u32; BLOCK_LEN];
bh.iter( || {
sha1_digest_block_u32(&mut state, &words);
});
bh.bytes = 64u64;
}
#[bench]
pub fn sha1_10(bh: & mut Bencher) {
let mut sh = Sha1::new();
let bytes = [1u8; 10];
bh.iter( || {
sh.input(&bytes);
});
bh.bytes = bytes.len() as u64;
}
#[bench]
pub fn sha1_1k(bh: & mut Bencher) {
let mut sh = Sha1::new();
let bytes = [1u8; 1024];
bh.iter( || {
sh.input(&bytes);
});
bh.bytes = bytes.len() as u64;
}
#[bench]
pub fn sha1_64k(bh: & mut Bencher) {
let mut sh = Sha1::new();
let bytes = [1u8; 65536];
bh.iter( || {
sh.input(&bytes);
});
bh.bytes = bytes.len() as u64;
}
}
