1 // Copyright 2009 The Go Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style
3 // license that can be found in the LICENSE file.
5 // Package sha1 implements the SHA-1 hash algorithm as defined in RFC 3174.
7 // SHA-1 is cryptographically broken and should not be used for secure
18 crypto.RegisterHash(crypto.SHA1, New)
21 // The size of a SHA-1 checksum in bytes.
24 // The blocksize of SHA-1 in bytes.
36 // digest represents the partial evaluation of a checksum.
46 marshaledSize = len(magic) + 5*4 + chunk + 8
49 func (d *digest) MarshalBinary() ([]byte, error) {
50 b := make([]byte, 0, marshaledSize)
51 b = append(b, magic...)
52 b = appendUint32(b, d.h[0])
53 b = appendUint32(b, d.h[1])
54 b = appendUint32(b, d.h[2])
55 b = appendUint32(b, d.h[3])
56 b = appendUint32(b, d.h[4])
57 b = append(b, d.x[:d.nx]...)
58 b = b[:len(b)+len(d.x)-int(d.nx)] // already zero
59 b = appendUint64(b, d.len)
63 func (d *digest) UnmarshalBinary(b []byte) error {
64 if len(b) < len(magic) || string(b[:len(magic)]) != magic {
65 return errors.New("crypto/sha1: invalid hash state identifier")
67 if len(b) != marshaledSize {
68 return errors.New("crypto/sha1: invalid hash state size")
71 b, d.h[0] = consumeUint32(b)
72 b, d.h[1] = consumeUint32(b)
73 b, d.h[2] = consumeUint32(b)
74 b, d.h[3] = consumeUint32(b)
75 b, d.h[4] = consumeUint32(b)
76 b = b[copy(d.x[:], b):]
77 b, d.len = consumeUint64(b)
78 d.nx = int(d.len) % chunk
82 func appendUint64(b []byte, x uint64) []byte {
85 return append(b, a[:]...)
88 func appendUint32(b []byte, x uint32) []byte {
91 return append(b, a[:]...)
94 func consumeUint64(b []byte) ([]byte, uint64) {
96 x := uint64(b[7]) | uint64(b[6])<<8 | uint64(b[5])<<16 | uint64(b[4])<<24 |
97 uint64(b[3])<<32 | uint64(b[2])<<40 | uint64(b[1])<<48 | uint64(b[0])<<56
101 func consumeUint32(b []byte) ([]byte, uint32) {
103 x := uint32(b[3]) | uint32(b[2])<<8 | uint32(b[1])<<16 | uint32(b[0])<<24
107 func (d *digest) Reset() {
117 // New returns a new hash.Hash computing the SHA1 checksum. The Hash also
118 // implements encoding.BinaryMarshaler and encoding.BinaryUnmarshaler to
119 // marshal and unmarshal the internal state of the hash.
120 func New() hash.Hash {
122 return boringNewSHA1()
129 func (d *digest) Size() int { return Size }
131 func (d *digest) BlockSize() int { return BlockSize }
133 func (d *digest) Write(p []byte) (nn int, err error) {
138 n := copy(d.x[d.nx:], p)
147 n := len(p) &^ (chunk - 1)
152 d.nx = copy(d.x[:], p)
157 func (d *digest) Sum(in []byte) []byte {
159 // Make a copy of d so that caller can keep writing and summing.
161 hash := d0.checkSum()
162 return append(in, hash[:]...)
165 func (d *digest) checkSum() [Size]byte {
167 // Padding. Add a 1 bit and 0 bits until 56 bytes mod 64.
171 d.Write(tmp[0 : 56-len%64])
173 d.Write(tmp[0 : 64+56-len%64])
178 putUint64(tmp[:], len)
185 var digest [Size]byte
187 putUint32(digest[0:], d.h[0])
188 putUint32(digest[4:], d.h[1])
189 putUint32(digest[8:], d.h[2])
190 putUint32(digest[12:], d.h[3])
191 putUint32(digest[16:], d.h[4])
196 // ConstantTimeSum computes the same result of Sum() but in constant time
197 func (d *digest) ConstantTimeSum(in []byte) []byte {
199 hash := d0.constSum()
200 return append(in, hash[:]...)
203 func (d *digest) constSum() [Size]byte {
206 for i := uint(0); i < 8; i++ {
207 length[i] = byte(l >> (56 - 8*i))
211 t := nx - 56 // if nx < 56 then the MSB of t is one
212 mask1b := byte(int8(t) >> 7) // mask1b is 0xFF iff one block is enough
214 separator := byte(0x80) // gets reset to 0x00 once used
215 for i := byte(0); i < chunk; i++ {
216 mask := byte(int8(i-nx) >> 7) // 0x00 after the end of data
218 // if we reached the end of the data, replace with 0x80 or 0x00
219 d.x[i] = (^mask & separator) | (mask & d.x[i])
221 // zero the separator once used
225 // we might have to write the length here if all fit in one block
226 d.x[i] |= mask1b & length[i-56]
230 // compress, and only keep the digest if all fit in one block
233 var digest [Size]byte
234 for i, s := range d.h {
235 digest[i*4] = mask1b & byte(s>>24)
236 digest[i*4+1] = mask1b & byte(s>>16)
237 digest[i*4+2] = mask1b & byte(s>>8)
238 digest[i*4+3] = mask1b & byte(s)
241 for i := byte(0); i < chunk; i++ {
242 // second block, it's always past the end of data, might start with 0x80
247 d.x[i] = length[i-56]
251 // compress, and only keep the digest if we actually needed the second block
254 for i, s := range d.h {
255 digest[i*4] |= ^mask1b & byte(s>>24)
256 digest[i*4+1] |= ^mask1b & byte(s>>16)
257 digest[i*4+2] |= ^mask1b & byte(s>>8)
258 digest[i*4+3] |= ^mask1b & byte(s)
264 // Sum returns the SHA-1 checksum of the data.
265 func Sum(data []byte) [Size]byte {
279 func putUint64(x []byte, s uint64) {
291 func putUint32(x []byte, s uint32) {