1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
|
/* $Id: md5.c 4154 2000-10-31 16:28:53Z kondou $
**
** RSA Data Security, Inc. MD5 Message-Digest Algorithm
**
** The standard MD5 message digest routines, from RSA Data Security, Inc.
** by way of Landon Curt Noll, modified and integrated into INN by Clayton
** O'Neill and then simplified somewhat, converted to INN coding style,
** and commented by Russ Allbery.
**
** To form the message digest for a message M:
** (1) Initialize a context buffer md5_context using md5_init
** (2) Call md5_update on md5_context and M
** (3) Call md5_final on md5_context
** The message digest is now in md5_context->digest[0...15].
**
** Alternately, just call md5_hash on M, passing it a buffer of at least
** 16 bytes into which to put the digest. md5_hash does the above
** internally for you and is the most convenient interface; the interface
** described above, however, is better when all of the data to hash isn't
** available neatly in a single buffer (such as hashing data aquired a
** block at a time).
**
** For information about MD5, see RFC 1321.
**
** LANDON CURT NOLL DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
** INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO
** EVENT SHALL LANDON CURT NOLL BE LIABLE FOR ANY SPECIAL, INDIRECT OR
** CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF
** USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
** OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
** PERFORMANCE OF THIS SOFTWARE.
**
** Copyright (C) 1990, RSA Data Security, Inc. All rights reserved.
**
** License to copy and use this software is granted provided that it is
** identified as the "RSA Data Security, Inc. MD5 Message-Digest Algorithm"
** in all material mentioning or referencing this software or this
** function.
**
** License is also granted to make and use derivative works provided that
** such works are identified as "derived from the RSA Data Security,
** Inc. MD5 Message-Digest Algorithm" in all material mentioning or
** referencing the derived work.
**
** RSA Data Security, Inc. makes no representations concerning either the
** merchantability of this software or the suitability of this software for
** any particular purpose. It is provided "as is" without express or
** implied warranty of any kind.
**
** These notices must be retained in any copies of any part of this
** documentation and/or software.
*/
/*
** The actual mathematics and cryptography are at the bottom of this file,
** as those parts should be fully debugged and very infrequently changed.
** The core of actual work is done by md5_transform. The beginning of this
** file contains the infrastructure around the mathematics.
*/
#include "config.h"
#include "clibrary.h"
#include "inn/md5.h"
/* Rotate a 32-bit value left, used by both the MD5 mathematics and by the
routine below to byteswap data on big-endian machines. */
#define ROT(X, n) (((X) << (n)) | ((X) >> (32 - (n))))
/* Almost zero fill padding, used by md5_final. The 0x80 is part of the MD5
hash algorithm, from RFC 1321 section 3.1:
Padding is performed as follows: a single "1" bit is appended to the
message, and then "0" bits are appended so that the length in bits of
the padded message becomes congruent to 448, modulo 512. In all, at
least one bit and at most 512 bits are appended.
Let the compiler zero the remainder of the array for us, guaranteed by
ISO C99 6.7.8 paragraph 21. */
static const unsigned char padding[MD5_CHUNKSIZE] = { 0x80, 0 /* 0, ... */ };
/* Internal prototypes. */
static void md5_transform(uint32_t *, const uint32_t *);
static void md5_update_block(struct md5_context *, const unsigned char *,
size_t);
/* MD5 requires that input data be treated as words in little-endian byte
order. From RFC 1321 section 2:
Similarly, a sequence of bytes can be interpreted as a sequence of
32-bit words, where each consecutive group of four bytes is interpreted
as a word with the low-order (least significant) byte given first.
Input data must therefore be byteswapped on big-endian machines, as must
the 16-byte result digest. Since we have to make a copy of the incoming
data anyway to ensure alignment for 4-byte access, we can byteswap it in
place. */
#if !WORDS_BIGENDIAN
# define decode(data) /* empty */
# define encode(data, out) memcpy((out), (data), MD5_DIGESTSIZE)
#else
/* The obvious way to do this is to pull single bytes at a time out of the
input array and build words from them; this requires three shifts and
three Boolean or operations, but it requires four memory reads per word
unless the compiler is really smart. Since we can assume four-byte
alignment for the input data, use this optimized routine from J. Touch,
USC/ISI. This requires four shifts, two ands, and two ors, but only one
memory read per word. */
#define swap(word) \
do { \
htmp = ROT((word), 16); \
ltmp = htmp >> 8; \
htmp &= 0x00ff00ff; \
ltmp &= 0x00ff00ff; \
htmp <<= 8; \
(word) = htmp | ltmp; \
} while (0)
/* We process 16 words of data (one MD5 block) of data at a time, completely
unrolling the loop manually since it should allow the compiler to take
advantage of pipelining and parallel arithmetic units. */
static void
decode(uint32_t *data)
{
uint32_t ltmp, htmp;
swap(data[ 0]); swap(data[ 1]); swap(data[ 2]); swap(data[ 3]);
swap(data[ 4]); swap(data[ 5]); swap(data[ 6]); swap(data[ 7]);
swap(data[ 8]); swap(data[ 9]); swap(data[10]); swap(data[11]);
swap(data[12]); swap(data[13]); swap(data[14]); swap(data[15]);
}
/* Used by md5_final to generate the final digest. The digest is not
guaranteed to be aligned for 4-byte access but we are allowed to be
destructive, so byteswap first and then copy the result over. */
static void
encode(uint32_t *data, unsigned char *out)
{
uint32_t ltmp, htmp;
swap(data[0]);
swap(data[1]);
swap(data[2]);
swap(data[3]);
memcpy(out, data, MD5_DIGESTSIZE);
}
#endif /* WORDS_BIGENDIAN */
/*
** That takes care of the preliminaries; now the real fun begins. The
** initialization function for a struct md5_context; set lengths to zero
** and initialize our working buffer with the magic constants (c.f. RFC
** 1321 section 3.3).
*/
void
md5_init(struct md5_context *context)
{
context->buf[0] = 0x67452301U;
context->buf[1] = 0xefcdab89U;
context->buf[2] = 0x98badcfeU;
context->buf[3] = 0x10325476U;
context->count[0] = 0;
context->count[1] = 0;
context->datalen = 0;
}
/*
** The workhorse function, called for each chunk of data. Update the
** message-digest context to account for the presence of each of the
** characters data[0 .. count - 1] in the message whose digest is being
** computed. Accepts any length of data; all whole blocks are processed
** and the remaining data is buffered for later processing by either
** another call to md5_update or by md5_final.
*/
void
md5_update(struct md5_context *context, const unsigned char *data,
size_t count)
{
unsigned int datalen = context->datalen;
unsigned int left;
size_t high_count, low_count, used;
/* Update the count of hashed bytes. The machinations here are to do
the right thing on a platform where size_t > 32 bits without causing
compiler warnings on platforms where it's 32 bits. RFC 1321 section
3.2 says:
A 64-bit representation of b (the length of the message before the
padding bits were added) is appended to the result of the previous
step. In the unlikely event that b is greater than 2^64, then only
the low-order 64 bits of b are used.
so we can just ignore the higher bits of count if size_t is larger
than 64 bits. (Think ahead!) If size_t is only 32 bits, the
compiler should kill the whole if statement as dead code. */
if (sizeof(count) > 4) {
high_count = count >> 31;
context->count[1] += (high_count >> 1) & 0xffffffffU;
}
/* Now deal with count[0]. Add in the low 32 bits of count and
increment count[1] if count[0] wraps. Isn't unsigned arithmetic
cool? */
low_count = count & 0xffffffffU;
context->count[0] += low_count;
if (context->count[0] < low_count)
context->count[1]++;
/* See if we already have some data queued. If so, try to complete a
block and then deal with it first. If the new data still doesn't
fill the buffer, add it to the buffer and return. Otherwise,
transform that block and update data and count to account for the
data we've already used. */
if (datalen > 0) {
left = MD5_CHUNKSIZE - datalen;
if (left > count) {
memcpy(context->in.byte + datalen, data, count);
context->datalen += count;
return;
} else {
memcpy(context->in.byte + datalen, data, left);
decode(context->in.word);
md5_transform(context->buf, context->in.word);
data += left;
count -= left;
context->datalen = 0;
}
}
/* If we have a block of data or more left, pass the rest off to
md5_update_block to deal with all of the full blocks available. */
if (count >= MD5_CHUNKSIZE) {
md5_update_block(context, data, count);
used = (count / MD5_CHUNKSIZE) * MD5_CHUNKSIZE;
data += used;
count -= used;
}
/* If there's anything left, buffer it until we can complete a block or
for md5_final to deal with. */
if (count > 0) {
memcpy(context->in.byte, data, count);
context->datalen = count;
}
}
/*
** Update the message-digest context to account for the presence of each of
** the characters data[0 .. count - 1] in the message whose digest is being
** computed, except that we only deal with full blocks of data. The data
** is processed one block at a time, and partial blocks at the end are
** ignored (they're dealt with by md5_update, which calls this routine.
**
** Note that we always make a copy of the input data into an array of
** 4-byte values. If our input data were guaranteed to be aligned for
** 4-byte access, we could just use the input buffer directly on
** little-endian machines, and in fact this implementation used to do that.
** However, a requirement to align isn't always easily detectable, even by
** configure (an Alpha running Tru64 will appear to allow unaligned
** accesses, but will spew errors to the terminal if you do it). On top of
** that, even when it's allowed, unaligned access is quite frequently
** slower; we're about to do four reads of each word of the input data for
** the calculations, so doing one additional copy of the data up-front is
** probably worth it.
*/
static void
md5_update_block(struct md5_context *context, const unsigned char *data,
size_t count)
{
uint32_t in[MD5_CHUNKWORDS];
/* Process data in MD5_CHUNKSIZE blocks. */
while (count >= MD5_CHUNKSIZE) {
memcpy(in, data, MD5_CHUNKSIZE);
decode(in);
md5_transform(context->buf, in);
data += MD5_CHUNKSIZE;
count -= MD5_CHUNKSIZE;
}
}
/*
** Terminates the message-digest computation, accounting for any final
** trailing data and adding the message length to the hashed data, and ends
** with the desired message digest in context->digest[0...15].
*/
void
md5_final(struct md5_context *context)
{
unsigned int pad_needed, left;
uint32_t count[2];
uint32_t *countloc;
/* Save the count before appending the padding. */
count[0] = context->count[0];
count[1] = context->count[1];
/* Pad the final block of data. RFC 1321 section 3.1:
The message is "padded" (extended) so that its length (in bits) is
congruent to 448, modulo 512. That is, the message is extended so
that it is just 64 bits shy of being a multiple of 512 bits long.
Padding is always performed, even if the length of the message is
already congruent to 448, modulo 512.
The 64 bits (two words) left are for the 64-bit count of bits
hashed. We'll need at most 64 bytes of padding; lucky that the
padding array is exactly that size! */
left = context->datalen;
pad_needed = (left < 64 - 8) ? (64 - 8 - left) : (128 - 8 - left);
md5_update(context, padding, pad_needed);
/* Append length in bits and transform. Note that we cheat slightly
here to save a few operations on big-endian machines; the algorithm
says that we should add the length, in little-endian byte order, to
the last block of data. We'd then transform it into big-endian order
on a big-endian machine. But the count is *already* in big-endian
order on a big-endian machine, so effectively we'd be byteswapping it
twice. Instead, add it to the block after doing byte swapping on the
rest.
Note that we've been counting *bytes*, but the algorithm demands the
length in *bits*, so shift things around a bit. */
decode(context->in.word);
countloc = &context->in.word[MD5_CHUNKWORDS - 2];
countloc[0] = count[0] << 3;
countloc[1] = (count[1] << 3) | (count[0] >> 29);
md5_transform(context->buf, context->in.word);
/* Recover the final digest. Whoo-hoo, we're done! */
encode(context->buf, context->digest);
}
/*
** A convenience wrapper around md5_init, md5_update, and md5_final. Takes
** a pointer to a buffer of data, the length of the data, and a pointer to
** a buffer of at least 16 bytes into which to write the message digest.
*/
void
md5_hash(const unsigned char *data, size_t length, unsigned char *digest)
{
struct md5_context context;
md5_init(&context);
md5_update(&context, data, length);
md5_final(&context);
memcpy(digest, context.digest, MD5_DIGESTSIZE);
}
/*
** Look out, here comes the math.
**
** There are no user-serviceable parts below this point unless you know
** quite a bit about MD5 or optimization of integer math. The only
** function remaining, down below, is md5_transform; the rest of this is
** setting up macros to make that function more readable.
**
** The F, G, H and I are basic MD5 functions. The following identity saves
** one boolean operation.
**
** F: (((x) & (y)) | (~(x) & (z))) == ((z) ^ ((x) & ((y) ^ (z))))
** G: (((x) & (z)) | ((y) & ~(z))) == ((y) ^ ((z) & ((x) ^ (y))))
*/
#define F(x, y, z) ((z) ^ ((x) & ((y) ^ (z))))
#define G(x, y, z) ((y) ^ ((z) & ((x) ^ (y))))
#define H(x, y, z) ((x) ^ (y) ^ (z))
#define I(x, y, z) ((y) ^ ((x) | (~z)))
/*
** FF, GG, HH, and II transformations for rounds 1, 2, 3, and 4. Rotation
** is separate from addition to prevent recomputation. S?? are the shift
** values for each round.
*/
#define S11 7
#define S12 12
#define S13 17
#define S14 22
#define FF(a, b, c, d, x, s, ac) \
{ \
(a) += F((b), (c), (d)) + (x) + (uint32_t) (ac); \
(a) = ROT((a), (s)); \
(a) += (b); \
}
#define S21 5
#define S22 9
#define S23 14
#define S24 20
#define GG(a, b, c, d, x, s, ac) \
{ \
(a) += G((b), (c), (d)) + (x) + (uint32_t) (ac); \
(a) = ROT((a), (s)); \
(a) += (b); \
}
#define S31 4
#define S32 11
#define S33 16
#define S34 23
#define HH(a, b, c, d, x, s, ac) \
{ \
(a) += H((b), (c), (d)) + (x) + (uint32_t) (ac); \
(a) = ROT((a), (s)); \
(a) += (b); \
}
#define S41 6
#define S42 10
#define S43 15
#define S44 21
#define II(a, b, c, d, x, s, ac) \
{ \
(a) += I((b), (c), (d)) + (x) + (uint32_t) (ac); \
(a) = ROT((a), (s)); \
(a) += (b); \
}
/*
** Basic MD5 step. Transforms buf based on in.
*/
static void
md5_transform(uint32_t *buf, const uint32_t *in)
{
uint32_t a = buf[0];
uint32_t b = buf[1];
uint32_t c = buf[2];
uint32_t d = buf[3];
/* Round 1 */
FF(a, b, c, d, in[ 0], S11, 3614090360UL); /* 1 */
FF(d, a, b, c, in[ 1], S12, 3905402710UL); /* 2 */
FF(c, d, a, b, in[ 2], S13, 606105819UL); /* 3 */
FF(b, c, d, a, in[ 3], S14, 3250441966UL); /* 4 */
FF(a, b, c, d, in[ 4], S11, 4118548399UL); /* 5 */
FF(d, a, b, c, in[ 5], S12, 1200080426UL); /* 6 */
FF(c, d, a, b, in[ 6], S13, 2821735955UL); /* 7 */
FF(b, c, d, a, in[ 7], S14, 4249261313UL); /* 8 */
FF(a, b, c, d, in[ 8], S11, 1770035416UL); /* 9 */
FF(d, a, b, c, in[ 9], S12, 2336552879UL); /* 10 */
FF(c, d, a, b, in[10], S13, 4294925233UL); /* 11 */
FF(b, c, d, a, in[11], S14, 2304563134UL); /* 12 */
FF(a, b, c, d, in[12], S11, 1804603682UL); /* 13 */
FF(d, a, b, c, in[13], S12, 4254626195UL); /* 14 */
FF(c, d, a, b, in[14], S13, 2792965006UL); /* 15 */
FF(b, c, d, a, in[15], S14, 1236535329UL); /* 16 */
/* Round 2 */
GG(a, b, c, d, in[ 1], S21, 4129170786UL); /* 17 */
GG(d, a, b, c, in[ 6], S22, 3225465664UL); /* 18 */
GG(c, d, a, b, in[11], S23, 643717713UL); /* 19 */
GG(b, c, d, a, in[ 0], S24, 3921069994UL); /* 20 */
GG(a, b, c, d, in[ 5], S21, 3593408605UL); /* 21 */
GG(d, a, b, c, in[10], S22, 38016083UL); /* 22 */
GG(c, d, a, b, in[15], S23, 3634488961UL); /* 23 */
GG(b, c, d, a, in[ 4], S24, 3889429448UL); /* 24 */
GG(a, b, c, d, in[ 9], S21, 568446438UL); /* 25 */
GG(d, a, b, c, in[14], S22, 3275163606UL); /* 26 */
GG(c, d, a, b, in[ 3], S23, 4107603335UL); /* 27 */
GG(b, c, d, a, in[ 8], S24, 1163531501UL); /* 28 */
GG(a, b, c, d, in[13], S21, 2850285829UL); /* 29 */
GG(d, a, b, c, in[ 2], S22, 4243563512UL); /* 30 */
GG(c, d, a, b, in[ 7], S23, 1735328473UL); /* 31 */
GG(b, c, d, a, in[12], S24, 2368359562UL); /* 32 */
/* Round 3 */
HH(a, b, c, d, in[ 5], S31, 4294588738UL); /* 33 */
HH(d, a, b, c, in[ 8], S32, 2272392833UL); /* 34 */
HH(c, d, a, b, in[11], S33, 1839030562UL); /* 35 */
HH(b, c, d, a, in[14], S34, 4259657740UL); /* 36 */
HH(a, b, c, d, in[ 1], S31, 2763975236UL); /* 37 */
HH(d, a, b, c, in[ 4], S32, 1272893353UL); /* 38 */
HH(c, d, a, b, in[ 7], S33, 4139469664UL); /* 39 */
HH(b, c, d, a, in[10], S34, 3200236656UL); /* 40 */
HH(a, b, c, d, in[13], S31, 681279174UL); /* 41 */
HH(d, a, b, c, in[ 0], S32, 3936430074UL); /* 42 */
HH(c, d, a, b, in[ 3], S33, 3572445317UL); /* 43 */
HH(b, c, d, a, in[ 6], S34, 76029189UL); /* 44 */
HH(a, b, c, d, in[ 9], S31, 3654602809UL); /* 45 */
HH(d, a, b, c, in[12], S32, 3873151461UL); /* 46 */
HH(c, d, a, b, in[15], S33, 530742520UL); /* 47 */
HH(b, c, d, a, in[ 2], S34, 3299628645UL); /* 48 */
/* Round 4 */
II(a, b, c, d, in[ 0], S41, 4096336452UL); /* 49 */
II(d, a, b, c, in[ 7], S42, 1126891415UL); /* 50 */
II(c, d, a, b, in[14], S43, 2878612391UL); /* 51 */
II(b, c, d, a, in[ 5], S44, 4237533241UL); /* 52 */
II(a, b, c, d, in[12], S41, 1700485571UL); /* 53 */
II(d, a, b, c, in[ 3], S42, 2399980690UL); /* 54 */
II(c, d, a, b, in[10], S43, 4293915773UL); /* 55 */
II(b, c, d, a, in[ 1], S44, 2240044497UL); /* 56 */
II(a, b, c, d, in[ 8], S41, 1873313359UL); /* 57 */
II(d, a, b, c, in[15], S42, 4264355552UL); /* 58 */
II(c, d, a, b, in[ 6], S43, 2734768916UL); /* 59 */
II(b, c, d, a, in[13], S44, 1309151649UL); /* 60 */
II(a, b, c, d, in[ 4], S41, 4149444226UL); /* 61 */
II(d, a, b, c, in[11], S42, 3174756917UL); /* 62 */
II(c, d, a, b, in[ 2], S43, 718787259UL); /* 63 */
II(b, c, d, a, in[ 9], S44, 3951481745UL); /* 64 */
buf[0] += a;
buf[1] += b;
buf[2] += c;
buf[3] += d;
}
|
