[dev.boringcrypto] misc/boring: add go1.9.2b4 release

[gostls13.git] / src / crypto / sha1 / sha1.go

// Copyright 2009 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

// Package sha1 implements the SHA-1 hash algorithm as defined in RFC 3174.
//
// SHA-1 is cryptographically broken and should not be used for secure
// applications.
package sha1

import (
        "crypto"
        "hash"
)

func init() {
        crypto.RegisterHash(crypto.SHA1, New)
}

// The size of a SHA-1 checksum in bytes.
const Size = 20

// The blocksize of SHA-1 in bytes.
const BlockSize = 64

const (
        chunk = 64
        init0 = 0x67452301
        init1 = 0xEFCDAB89
        init2 = 0x98BADCFE
        init3 = 0x10325476
        init4 = 0xC3D2E1F0
)

// digest represents the partial evaluation of a checksum.
type digest struct {
        h   [5]uint32
        x   [chunk]byte
        nx  int
        len uint64
}

func (d *digest) Reset() {
        d.h[0] = init0
        d.h[1] = init1
        d.h[2] = init2
        d.h[3] = init3
        d.h[4] = init4
        d.nx = 0
        d.len = 0
}

// New returns a new hash.Hash computing the SHA1 checksum.
func New() hash.Hash {
        if boringEnabled {
                return boringNewSHA1()
        }
        d := new(digest)
        d.Reset()
        return d
}

func (d *digest) Size() int { return Size }

func (d *digest) BlockSize() int { return BlockSize }

func (d *digest) Write(p []byte) (nn int, err error) {
        boringUnreachable()
        nn = len(p)
        d.len += uint64(nn)
        if d.nx > 0 {
                n := copy(d.x[d.nx:], p)
                d.nx += n
                if d.nx == chunk {
                        block(d, d.x[:])
                        d.nx = 0
                }
                p = p[n:]
        }
        if len(p) >= chunk {
                n := len(p) &^ (chunk - 1)
                block(d, p[:n])
                p = p[n:]
        }
        if len(p) > 0 {
                d.nx = copy(d.x[:], p)
        }
        return
}

func (d0 *digest) Sum(in []byte) []byte {
        boringUnreachable()
        // Make a copy of d0 so that caller can keep writing and summing.
        d := *d0
        hash := d.checkSum()
        return append(in, hash[:]...)
}

func (d *digest) checkSum() [Size]byte {
        len := d.len
        // Padding.  Add a 1 bit and 0 bits until 56 bytes mod 64.
        var tmp [64]byte
        tmp[0] = 0x80
        if len%64 < 56 {
                d.Write(tmp[0 : 56-len%64])
        } else {
                d.Write(tmp[0 : 64+56-len%64])
        }

        // Length in bits.
        len <<= 3
        for i := uint(0); i < 8; i++ {
                tmp[i] = byte(len >> (56 - 8*i))
        }
        d.Write(tmp[0:8])

        if d.nx != 0 {
                panic("d.nx != 0")
        }

        var digest [Size]byte
        for i, s := range d.h {
                digest[i*4] = byte(s >> 24)
                digest[i*4+1] = byte(s >> 16)
                digest[i*4+2] = byte(s >> 8)
                digest[i*4+3] = byte(s)
        }

        return digest
}

// ConstantTimeSum computes the same result of Sum() but in constant time
func (d0 *digest) ConstantTimeSum(in []byte) []byte {
        d := *d0
        hash := d.constSum()
        return append(in, hash[:]...)
}

func (d *digest) constSum() [Size]byte {
        var length [8]byte
        l := d.len << 3
        for i := uint(0); i < 8; i++ {
                length[i] = byte(l >> (56 - 8*i))
        }

        nx := byte(d.nx)
        t := nx - 56                 // if nx < 56 then the MSB of t is one
        mask1b := byte(int8(t) >> 7) // mask1b is 0xFF iff one block is enough

        separator := byte(0x80) // gets reset to 0x00 once used
        for i := byte(0); i < chunk; i++ {
                mask := byte(int8(i-nx) >> 7) // 0x00 after the end of data

                // if we reached the end of the data, replace with 0x80 or 0x00
                d.x[i] = (^mask & separator) | (mask & d.x[i])

                // zero the separator once used
                separator &= mask

                if i >= 56 {
                        // we might have to write the length here if all fit in one block
                        d.x[i] |= mask1b & length[i-56]
                }
        }

        // compress, and only keep the digest if all fit in one block
        block(d, d.x[:])

        var digest [Size]byte
        for i, s := range d.h {
                digest[i*4] = mask1b & byte(s>>24)
                digest[i*4+1] = mask1b & byte(s>>16)
                digest[i*4+2] = mask1b & byte(s>>8)
                digest[i*4+3] = mask1b & byte(s)
        }

        for i := byte(0); i < chunk; i++ {
                // second block, it's always past the end of data, might start with 0x80
                if i < 56 {
                        d.x[i] = separator
                        separator = 0
                } else {
                        d.x[i] = length[i-56]
                }
        }

        // compress, and only keep the digest if we actually needed the second block
        block(d, d.x[:])

        for i, s := range d.h {
                digest[i*4] |= ^mask1b & byte(s>>24)
                digest[i*4+1] |= ^mask1b & byte(s>>16)
                digest[i*4+2] |= ^mask1b & byte(s>>8)
                digest[i*4+3] |= ^mask1b & byte(s)
        }

        return digest
}

// Sum returns the SHA-1 checksum of the data.
func Sum(data []byte) [Size]byte {
        if boringEnabled {
                h := New()
                h.Write(data)
                var ret [Size]byte
                h.Sum(ret[:0])
                return ret
        }
        var d digest
        d.Reset()
        d.Write(data)
        return d.checkSum()
}