Kar*_*Kar 1 c encryption cryptography sha
我打算在HMAC中使用AVR-Crypto的SHA-1 实现.但是,我似乎无法生成正确的SHA-1总和.
例如,如果我用以下函数调用该函数
unsigned char sha1sum[20];
char *msg = "FFFFFFFFFF";
sha1( sha1sum, msg, strlen(msg));
我得到的000000000000000000002C002312290000000029不是预期的c1bb92851109fe950a2655fa1d4ba1d04719f6fb.有谁知道什么可能是错的?这是AVR-Crypto的实现
#include <string.h> /* memcpy & co */
#include <stdint.h>
#include "config.h"
#include "debug.h"
#include "sha1.h"
#ifdef DEBUG
# undef DEBUG
#endif
#include "cli.h"
#define LITTLE_ENDIAN
/********************************************************************************************************/
/**
* \brief initialises given SHA-1 context
*
*/
void sha1_init(sha1_ctx_t *state){
DEBUG_S("\r\nSHA1_INIT");
state->h[0] = 0x67452301;
state->h[1] = 0xefcdab89;
state->h[2] = 0x98badcfe;
state->h[3] = 0x10325476;
state->h[4] = 0xc3d2e1f0;
state->length = 0;
}
/********************************************************************************************************/
/* some helping functions */
uint32_t rotl32(uint32_t n, uint8_t bits){
return ((n<<bits) | (n>>(32-bits)));
}
uint32_t change_endian32(uint32_t x){
return (((x)<<24) | ((x)>>24) | (((x)& 0x0000ff00)<<8) | (((x)& 0x00ff0000)>>8));
}
/* three SHA-1 inner functions */
uint32_t ch(uint32_t x, uint32_t y, uint32_t z){
DEBUG_S("\r\nCH");
return ((x&y)^((~x)&z));
}
uint32_t maj(uint32_t x, uint32_t y, uint32_t z){
DEBUG_S("\r\nMAJ");
return ((x&y)^(x&z)^(y&z));
}
uint32_t parity(uint32_t x, uint32_t y, uint32_t z){
DEBUG_S("\r\nPARITY");
return ((x^y)^z);
}
/********************************************************************************************************/
/**
* \brief "add" a block to the hash
* This is the core function of the hash algorithm. To understand how it's working
* and what thoese variables do, take a look at FIPS-182. This is an "alternativ" implementation
*/
#define MASK 0x0000000f
typedef uint32_t (*pf_t)(uint32_t x, uint32_t y, uint32_t z);
void sha1_nextBlock (sha1_ctx_t *state, const void *block){
uint32_t a[5];
uint32_t w[16];
uint32_t temp;
uint8_t t,s,fi, fib;
pf_t f[] = {ch,parity,maj,parity};
uint32_t k[4]={ 0x5a827999,
0x6ed9eba1,
0x8f1bbcdc,
0xca62c1d6};
/* load the w array (changing the endian and so) */
for(t=0; t<16; ++t){
w[t] = change_endian32(((uint32_t*)block)[t]);
}
#if DEBUG
uint8_t dbgi;
for(dbgi=0; dbgi<16; ++dbgi){
/*
DEBUG_S("\n\rBlock:");
DEBUG_B(dbgi);
DEBUG_C(':');
*/
cli_putstr_P(PSTR("\r\nBlock:"));
cli_hexdump(&dbgi, 1);
cli_putc(':');
cli_hexdump(&(w[dbgi]) ,4);
}
#endif
/* load the state */
memcpy(a, state->h, 5*sizeof(uint32_t));
/* the fun stuff */
for(fi=0,fib=0,t=0; t<=79; ++t){
s = t & MASK;
if(t>=16){
#if DEBUG
DEBUG_S("\r\n ws = "); cli_hexdump(&(w[s]), 4);
#endif
w[s] = rotl32( w[(s+13)&MASK] ^ w[(s+8)&MASK] ^
w[(s+ 2)&MASK] ^ w[s] ,1);
#ifdef DEBUG
DEBUG_S(" --> ws = "); cli_hexdump(&(w[s]), 4);
#endif
}
uint32_t dtemp;
temp = rotl32(a[0],5) + (dtemp=f[fi](a[1],a[2],a[3])) + a[4] + k[fi] + w[s];
memmove(&(a[1]), &(a[0]), 4*sizeof(uint32_t)); /* e=d; d=c; c=b; b=a; */
a[0] = temp;
a[2] = rotl32(a[2],30); /* we might also do rotr32(c,2) */
fib++;
if(fib==20){
fib=0;
fi = (fi+1)%4;
}
#if DEBUG
/* debug dump */
DEBUG_S("\r\nt = "); DEBUG_B(t);
DEBUG_S("; a[]: ");
cli_hexdump(a, 5*4);
DEBUG_S("; k = ");
cli_hexdump(&(k[t/20]), 4);
DEBUG_S("; f(b,c,d) = ");
cli_hexdump(&dtemp, 4);
#endif
}
/* update the state */
for(t=0; t<5; ++t){
state->h[t] += a[t];
}
state->length += 512;
}
/********************************************************************************************************/
void sha1_lastBlock(sha1_ctx_t *state, const void *block, uint16_t length){
uint8_t lb[SHA1_BLOCK_BYTES]; /* local block */
while(length>=SHA1_BLOCK_BITS){
sha1_nextBlock(state, block);
length -= SHA1_BLOCK_BITS;
block = (uint8_t*)block + SHA1_BLOCK_BYTES;
}
state->length += length;
memset(lb, 0, SHA1_BLOCK_BYTES);
memcpy (lb, block, (length+7)>>3);
/* set the final one bit */
lb[length>>3] |= 0x80>>(length & 0x07);
if (length>512-64-1){ /* not enouth space for 64bit length value */
sha1_nextBlock(state, lb);
state->length -= 512;
memset(lb, 0, SHA1_BLOCK_BYTES);
}
/* store the 64bit length value */
#if defined LITTLE_ENDIAN
/* this is now rolled up */
uint8_t i;
for (i=0; i<8; ++i){
lb[56+i] = ((uint8_t*)&(state->length))[7-i];
}
#elif defined BIG_ENDIAN
*((uint64_t)&(lb[56])) = state->length;
#endif
sha1_nextBlock(state, lb);
}
/********************************************************************************************************/
void sha1_ctx2hash (void *dest, sha1_ctx_t *state){
#if defined LITTLE_ENDIAN
uint8_t i;
for(i=0; i<5; ++i){
((uint32_t*)dest)[i] = change_endian32(state->h[i]);
}
#elif BIG_ENDIAN
if (dest != state->h)
memcpy(dest, state->h, SHA1_HASH_BITS/8);
#else
# error unsupported endian type!
#endif
}
/********************************************************************************************************/
/**
*
*
*/
void sha1 (void *dest, const void *msg, uint32_t length){
sha1_ctx_t s;
DEBUG_S("\r\nBLA BLUB");
sha1_init(&s);
while(length & (~0x0001ff)){ /* length>=512 */
DEBUG_S("\r\none block");
sha1_nextBlock(&s, msg);
msg = (uint8_t*)msg + SHA1_BLOCK_BITS/8; /* increment pointer to next block */
length -= SHA1_BLOCK_BITS;
}
sha1_lastBlock(&s, msg, length);
sha1_ctx2hash(dest, &s);
}
这是标题:
#ifndef SHA1_H_
#define SHA1_H_
#include "stdint.h"
/** \def SHA1_HASH_BITS
* definees the size of a SHA-1 hash in bits
*/
/** \def SHA1_HASH_BYTES
* definees the size of a SHA-1 hash in bytes
*/
/** \def SHA1_BLOCK_BITS
* definees the size of a SHA-1 input block in bits
*/
/** \def SHA1_BLOCK_BYTES
* definees the size of a SHA-1 input block in bytes
*/
#define SHA1_HASH_BITS 160
#define SHA1_HASH_BYTES (SHA1_HASH_BITS/8)
#define SHA1_BLOCK_BITS 512
#define SHA1_BLOCK_BYTES (SHA1_BLOCK_BITS/8)
/** \typedef sha1_ctx_t
* \brief SHA-1 context type
*
* A vatiable of this type may hold the state of a SHA-1 hashing process
*/
typedef struct {
uint32_t h[5];
// uint64_t length;
uint8_t length;
} sha1_ctx_t;
/** \typedef sha1_hash_t
* \brief hash value type
* A variable of this type may hold a SHA-1 hash value
*/
/*
typedef uint8_t sha1_hash_t[SHA1_HASH_BITS/8];
*/
/** \fn sha1_init(sha1_ctx_t *state)
* \brief initializes a SHA-1 context
* This function sets a ::sha1_ctx_t variable to the initialization vector
* for SHA-1 hashing.
* \param state pointer to the SHA-1 context variable
*/
void sha1_init(sha1_ctx_t *state);
/** \fn sha1_nextBlock(sha1_ctx_t *state, const void *block)
* \brief process one input block
* This function processes one input block and updates the hash context
* accordingly
* \param state pointer to the state variable to update
* \param block pointer to the message block to process
*/
void sha1_nextBlock (sha1_ctx_t *state, const void *block);
/** \fn sha1_lastBlock(sha1_ctx_t *state, const void *block, uint16_t length_b)
* \brief processes the given block and finalizes the context
* This function processes the last block in a SHA-1 hashing process.
* The block should have a maximum length of a single input block.
* \param state pointer to the state variable to update and finalize
* \param block pointer to themessage block to process
* \param length_b length of the message block in bits
*/
void sha1_lastBlock (sha1_ctx_t *state, const void *block, uint16_t length_b);
/** \fn sha1_ctx2hash(sha1_hash_t *dest, sha1_ctx_t *state)
* \brief convert a state variable into an actual hash value
* Writes the hash value corresponding to the state to the memory pointed by dest.
* \param dest pointer to the hash value destination
* \param state pointer to the hash context
*/
void sha1_ctx2hash (void *dest, sha1_ctx_t *state);
/** \fn sha1(sha1_hash_t *dest, const void *msg, uint32_t length_b)
* \brief hashing a message which in located entirely in RAM
* This function automatically hashes a message which is entirely in RAM with
* the SHA-1 hashing algorithm.
* \param dest pointer to the hash value destination
* \param msg pointer to the message which should be hashed
* \param length_b length of the message in bits
*/
void sha1(void *dest, const void *msg, uint32_t length_b);
#endif /*SHA1_H_*/
UPDATE如果我初始化sha1sum用unsigned char sha1sum[20] = 0;,所产生的和都是0×00.
问题代码中至少有两个错误(详见下文),但两者都无法解释显示的结果,以及unsigned char sha1sum[20] = {0}调用代码中更改结果的附加事实.从我们读入机器代码的C源代码的翻译出了问题!最有可能的是,sha1_ctx2hash没有写出它应该写的地方.
问题可能在标题中没有问题,编译器错误...因为我们在8051上,这可能是指针类型的问题,特别是在指针转换必须是指针的类型尺寸.
此外,它是否确定8051编译器是little-endian?似乎常见的Keil C51使用big-endian约定.这是编译器+支持库的任意选择,因为在原始的8051上没有多字节数据相关的指令,最接近的是LCALL哪些堆栈推送是little-endian,但是LJMP和MOV DPTR,#code很大-endian.更新:我们被告知编译器是IAR.根据IAR的文档,版本5是big-endian,并且在版本6中变为little-endian.
更新:我们发现了另一个关键问题(除了可能不安全的指针转换,以及下面讨论的两个错误).在搜索中的某个时刻,用没有字节顺序依赖性或指针强制转换的单个过程替换代码,输出变为0000eb1700007f3d000004f0000059290000fc21,并且建议将32位值截断为16位.事实上,OP透露:
我有这个
stdint.h:typedef unsigned uint32_t;
这仅仅是在编译器正确其中unsigned int是完全相同的32位,在由C标准中给出的唯一保险的是,它是至少16位,而最低使用由大多数C编译器为低于32位CPU (出于效率的考虑,有的甚至有一个选项来禁用推广字节操作数到整数,甚至高兴80+80+96是0).
测试代码中的错误:sha1( sha1sum, msg, strlen(msg))应该是sha1( sha1sum, msg, strlen(msg)*8)等等,因为长度参数是以位为单位.
sha1_lastBlockwrt头文件中的错误:代码读取
for (i=0; i<8; ++i){
lb[56+i] = ((uint8_t*)&(state->length))[7-i];
}
假定它state->length是8个字节,当它不是时,因为在标题中uint64_t length被更改为uint8_t length(通常uint64_t在8051编译器上不可用).big-endian案例的代码(目前尚未编译)也会受到影响.
如果确实uint8_t length因此限制了最多31个字节的长度是可以接受的,那么little-endian和big-endian情况都会减少到lb[SHA1_BLOCK_BYTES-1] = state->length;(没有循环).
或者,对于任何无符号类型和字节序length可能使用:
for (i = SHA1_BLOCK_BYTES; state->length != 0; state->length >>= 8)
lb[--i] = (uint8_t)(state->length);
注意:代码*((uint64_t*)&(lb[56])) = state->length是将8个字节写入length数组的末尾lb[],但仅在具有正确结果的big-endian机器上才是正确的uint64_t.
在以下情况下,代码具有潜在的额外问题(length+7)%8 < 6:散列的最后一个字节中至少有一个位未被屏蔽,如果设置,则进入散列并使其错误.在对全字节进行哈希处理的用例中,这不会有害.
原始代码可能是正确的(除了上述潜在的额外问题),但是由于目标是使用单个调用(什么sha1做)对内存数据进行散列,并且既不紧凑也不可读,因此是不必要的复杂.其他问题包括:
sha1_lastBlock,因此标题中的限制措辞该块应该具有单个输入块的最大长度不存在;sha1冗余;uint8_t length或以其他方式散列少于56个字节,则可以删除这两个循环;memmove16个字节,并在索引表的向量中调用函数;sha1_ctx2hash,#elif BIG_ENDIAN我的心理编译器中触发一个错误,因为BIG_ENDIAN似乎未定义,#elif并且应该有一个参数; 应该是#elif defined BIG_ENDIAN(如上面几行所用);pf_t f[] = {ch,parity,maj,parity};const或许是一个很好的候选者static:我曾经使用的8051的每个C编译器都不会认识到在安装后数组没有改变,因此可以用代码雕刻;如果你追求速度,你开始的代码是不充分的,没有什么能与汇编语言完全匹配.就像二十年前一样,我为一些8051工具链编写了SHA-1,与仅C相比,汇编调整节省了大量成本(IIRC:主要是因为从性能角度来看,32位旋转是深海的).
更新:这是一个用端口中立方式散列短消息的说明性代码,没有任何指针强制转换,并且不依赖于<stdint.h>(对于所使用的编译器来说不合适).请注意length参数是以字节为单位(而不是位),限制为55字节,不允许在顶部实现HMAC-SHA-1.这是为了保持代码简单:超过这个限制,我们需要多次压缩函数迭代,因此需要重复代码重复,至少两个函数或某种状态机.
#include <limits.h> // for UCHAR_MAX, UINT_MAX, ULONG_MAX
// Compute the SHA-1 hash of a short msg, of length at most 55 bytes
// Result hash must be 20 bytes; it can overlap msg.
// CAUTION: if length>55 the result is wrong, and if length>59
// we loose second-preimage resistance, thus collision-resistance.
void sha1upto55bytes(
unsigned char *hash, // result, 20 bytes
const unsigned char *msg, // bytes to hash
unsigned char length // length of msg in bytes, maximum 55
)
{
// We locally (re)define uint8_t and uint32_t so as not to depend of <stdint.h>
// which is not available on some old C compilers for embedded systems.
#if 255==UCHAR_MAX
typedef unsigned char uint8_t;
#endif
#if 16383==UINT_MAX>>9>>9
typedef unsigned int uint32_t;
#elif 16383==ULONG_MAX>>9>>9
typedef unsigned long uint32_t;
#endif
// Internal buffer (64 bytes)
// We require 8-bit uint8_t, 32-bit uint32_t, and integer promotion; otherwise,
// we try to abort compilation on the following declaration.
uint32_t w[
99==(uint8_t)355 && // check uint8_t
4303==(uint32_t)(-1)/999u/999 && // check uint32_t
440==(uint8_t)55<<3 // check integer promotion
? 16 : -1]; // negative index if error
// Type for state, so that we can use struct copy for that
typedef struct state_t { uint32_t q[5]; } state_t;
// Initial state; use single quotes if the compiler barks
const state_t s = {{ 0x67452301,0xefcdab89,0x98badcfe,0x10325476,0xc3d2e1f0 }};
// Active state (20 bytes); on 8051 should be in internal RAM for best performance
state_t h = s; // initialize the state using a struct copy
// Workhorse temporary; on 8051 should be in internal RAM for best performance
uint32_t x;
// Workhorse index; on 8051 should be a register for performance
uint8_t j;
// Prepare the single block to hash; this code works regardless of endianness,
// and does not perform misaligned memory accesses if msg is misaligned.
x = 0; // This is only to prevent a bogus compiler warning
j = 0;
do
{ // for each block byte, up to and including high 4 bytes of length
x <<= 8;
if (j < length)
x |= *msg++; // message byte
else
if (j == length)
x |= 0x80; // padding byte
if ((j&3)==3)
w[j >> 2] = x;
}
while (++j!=60);
w[15] = length << 3; // length in bits, needs integer promotion for length>31
// Hash that block
j = 0;
do { // round loop, run 80 times
do { // dummy loop (avoid a goto)
if (j<40) {
if (j<20) { // for rounds 0..19
x = (((h.q[2] ^ h.q[3])&h.q[1]) ^ h.q[3]) + 0x5A827999;
break; // out of dummy loop
}
else
x = 0x6ED9EBA1; // for rounds 20..39
}
else {
if (j<60) { // for rounds 40..59
x = (h.q[1] | h.q[2])&h.q[3];
x |= h.q[1] & h.q[2];
x += 0x8F1BBCDC;
break;
}
else
x = 0xCA62C1D6; // for rounds 60..79
}
// for rounds 20..39 and 60..79
x += h.q[1] ^ h.q[2] ^ h.q[3];
}
while (0); // end of of dummy loop
// for all rounds
x += (h.q[0] << 5) | (h.q[0] >> 27);
x += h.q[4];
h.q[4] = h.q[3];
h.q[3] = h.q[2];
h.q[2] = (h.q[1] << 30) | (h.q[1] >> 2);
h.q[1] = h.q[0];
h.q[0] = x;
x = w[j & 15];
if (j>=16) { // rounds 16..79
x ^= w[(j + 2) & 15];
x ^= w[(j + 8) & 15];
x ^= w[(j + 13) & 15];
w[j & 15] = x = (x << 1) | (x >> 31);
}
h.q[0] += x; // for all rounds
}
while (++j != 80);
// The five final 32-bit modular additions are made in the next loop, and
// reuse the constants (rather than a RAM copy), saving code and RAM.
// Final addition and store result; this code works regardless of endianness,
// and does not perform misaligned memory accesses if hash is misaligned.
j = 0;
do
{
x = h.q[j] + s.q[j]; // final 32-bit modular additions
*hash++ = (uint8_t)(x>>24);
*hash++ = (uint8_t)(x>>16);
*hash++ = (uint8_t)(x>> 8);
*hash++ = (uint8_t)(x );
}
while (++j != 5);
}