| blob | ae9f8268ca51074518915d560a0ef5e026dd2337 |
1 /* ========================================================================== **
2 *
3 * MD5.c
4 *
5 * Copyright:
6 * Copyright (C) 2003, 2004 by Christopher R. Hertel
7 *
8 * Email: crh@ubiqx.mn.org
9 *
10 * $Id$
11 *
12 * -------------------------------------------------------------------------- **
13 *
14 * Description:
15 * Implements the MD5 hash algorithm, as described in RFC 1321.
16 *
17 * -------------------------------------------------------------------------- **
18 *
19 * License:
20 *
21 * This library is free software; you can redistribute it and/or
22 * modify it under the terms of the GNU Lesser General Public
23 * License as published by the Free Software Foundation; either
24 * version 2.1 of the License, or (at your option) any later version.
25 *
26 * This library is distributed in the hope that it will be useful,
27 * but WITHOUT ANY WARRANTY; without even the implied warranty of
28 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
29 * Lesser General Public License for more details.
30 *
31 * You should have received a copy of the GNU Lesser General Public
32 * License along with this library; if not, write to the Free Software
33 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
34 *
35 * -------------------------------------------------------------------------- **
36 *
37 * Notes:
38 *
39 * None of this will make any sense unless you're studying RFC 1321 as you
40 * read the code.
41 *
42 * MD5 is described in RFC 1321.
43 * The MD*4* algorithm is described in RFC 1320 (that's 1321 - 1).
44 * MD5 is very similar to MD4, but not quite similar enough to justify
45 * putting the two into a single module. Besides, I wanted to add a few
46 * extra functions to this one to expand its usability.
47 *
48 * There are three primary motivations for this particular implementation.
49 * 1) Programmer's pride. I wanted to be able to say I'd done it, and I
50 * wanted to learn from the experience.
51 * 2) Portability. I wanted an implementation that I knew to be portable
52 * to a reasonable number platforms. In particular, the algorithm is
53 * designed with little-endian platforms in mind, but I wanted an
54 * endian-agnostic implementation.
55 * 3) Compactness. While not an overriding goal, I thought it worth-while
56 * to see if I could reduce the overall size of the result. This is in
57 * keeping with my hopes that this library will be suitable for use in
58 * some embedded environments.
59 * Beyond that, cleanliness and clarity are always worth pursuing.
60 *
61 * As mentioned above, the code really only makes sense if you are familiar
62 * with the MD5 algorithm or are using RFC 1321 as a guide. This code is
63 * quirky, however, so you'll want to be reading carefully.
64 *
65 * Yeah...most of the comments are cut-and-paste from my MD4 implementation.
66 *
67 * -------------------------------------------------------------------------- **
68 *
69 * References:
70 * IETF RFC 1321: The MD5 Message-Digest Algorithm
71 * Ron Rivest. IETF, April, 1992
72 *
73 * ========================================================================== **
74 */
76 /* #include "MD5.h" Line of original code */
80 /* -------------------------------------------------------------------------- **
81 * Static Constants:
82 *
83 * K[][] - In round one, the values of k (which are used to index
84 * particular four-byte sequences in the input) are simply
85 * sequential. In later rounds, however, they are a bit more
86 * varied. Rather than calculate the values of k (which may
87 * or may not be possible--I haven't though about it) the
88 * values are stored in this array.
89 *
90 * S[][] - In each round there is a left rotate operation performed as
91 * part of the 16 permutations. The number of bits varies in
92 * a repeating patter. This array keeps track of the patterns
93 * used in each round.
94 *
95 * T[][] - There are four rounds of 16 permutations for a total of 64.
96 * In each of these 64 permutation operations, a different
97 * constant value is added to the mix. The constants are
98 * based on the sine function...read RFC 1321 for more detail.
99 * In any case, the correct constants are stored in the T[][]
100 * array. They're divided up into four groups of 16.
101 */
104 {
105 /* Round 1: skipped (since it is simply sequential). */
109 };
112 {
117 };
121 {
141 };
144 /* -------------------------------------------------------------------------- **
145 * Macros:
146 * md5F(), md5G(), md5H(), and md5I() are described in RFC 1321.
147 * All of these operations are bitwise, and so not impacted by endian-ness.
148 *
149 * GetLongByte()
150 * Extract one byte from a (32-bit) longword. A value of 0 for <idx>
151 * indicates the lowest order byte, while 3 indicates the highest order
152 * byte.
153 *
154 */
156 #define md5F( X, Y, Z ) ( ((X) & (Y)) | ((~(X)) & (Z)) )
157 #define md5G( X, Y, Z ) ( ((X) & (Z)) | ((Y) & (~(Z))) )
158 #define md5H( X, Y, Z ) ( (X) ^ (Y) ^ (Z) )
159 #define md5I( X, Y, Z ) ( (Y) ^ ((X) | (~(Z))) )
161 #define GetLongByte( L, idx ) ((uchar)(( L >> (((idx) & 0x03) << 3) ) & 0xFF))
164 /* -------------------------------------------------------------------------- **
165 * Static Functions:
166 */
169 /* ------------------------------------------------------------------------ **
170 * Permute the ABCD "registers" using the 64-byte <block> as a driver.
171 *
172 * Input: ABCD - Pointer to an array of four unsigned longwords.
173 * block - An array of bytes, 64 bytes in size.
174 *
175 * Output: none.
176 *
177 * Notes: The MD5 algorithm operates on a set of four longwords stored
178 * (conceptually) in four "registers". It is easy to imagine a
179 * simple MD4/5 chip that would operate this way. In any case,
180 * the mangling of the contents of those registers is driven by
181 * the input message. The message is chopped and finally padded
182 * into 64-byte chunks and each chunk is used to manipulate the
183 * contents of the registers.
184 *
185 * The MD5 Algorithm calls for padding the input to ensure that
186 * it is a multiple of 64 bytes in length. The last 16 bytes
187 * of the padding space are used to store the message length
188 * (the length of the original message, before padding, expressed
189 * in terms of bits). If there is not enough room for 16 bytes
190 * worth of bitcount (eg., if the original message was 122 bytes
191 * long) then the block is padded to the end with zeros and
192 * passed to this function. Then *another* block is filled with
193 * zeros except for the last 16 bytes which contain the length.
194 *
195 * Oh... and the algorithm requires that there be at least one
196 * padding byte. The first padding byte has a value of 0x80,
197 * and any others are 0x00.
198 *
199 * ------------------------------------------------------------------------ **
200 */
201 {
209 /* Store the current ABCD values for later re-use.
210 */
214 /* Convert the input block into an array of unsigned longs, taking care
215 * to read the block in Little Endian order (the algorithm assumes this).
216 * The uint32_t values are then handled in host order.
217 */
219 {
224 }
226 /* This loop performs the four rounds of permutations.
227 * The rounds are each very similar. The differences are in three areas:
228 * - The function (F, G, H, or I) used to perform bitwise permutations
229 * on the registers,
230 * - The order in which values from X[] are chosen.
231 * - Changes to the number of bits by which the registers are rotated.
232 * This implementation uses a switch statement to deal with some of the
233 * differences between rounds. Other differences are handled by storing
234 * values in arrays and using the round number to select the correct set
235 * of values.
236 *
237 * (My implementation appears to be a poor compromise between speed, size,
238 * and clarity. Ugh. [crh])
239 */
241 {
243 {
251 /* The actual perumation function.
252 * This is broken out to minimize the code within the switch().
253 */
255 {
257 /* round 1 */
261 /* round 2 */
265 /* round 3 */
269 /* round 4 */
272 }
275 }
276 }
278 /* Use the stored original A, B, C, D values to perform
279 * one last convolution.
280 */
287 /* -------------------------------------------------------------------------- **
288 * Functions:
289 */
292 /* ------------------------------------------------------------------------ **
293 * Initialize an MD5 context.
294 *
295 * Input: ctx - A pointer to the MD5 context structure to be initialized.
296 * Contexts are typically created thusly:
297 * ctx = (auth_md5Ctx *)malloc( sizeof(auth_md5Ctx) );
298 *
299 * Output: A pointer to the initialized context (same as <ctx>).
300 *
301 * Notes: The purpose of the context is to make it possible to generate
302 * an MD5 Message Digest in stages, rather than having to pass a
303 * single large block to a single MD5 function. The context
304 * structure keeps track of various bits of state information.
305 *
306 * Once the context is initialized, the blocks of message data
307 * are passed to the <auth_md5SumCtx()> function. Once the
308 * final bit of data has been handed to <auth_md5SumCtx()> the
309 * context can be closed out by calling <auth_md5CloseCtx()>,
310 * which also calculates the final MD5 result.
311 *
312 * Don't forget to free an allocated context structure when
313 * you've finished using it.
314 *
315 * See Also: <auth_md5SumCtx()>, <auth_md5CloseCtx()>
316 *
317 * ------------------------------------------------------------------------ **
318 */
319 {
327 /* 'round. The initial values are those */
328 /* given in RFC 1321 (pg. 4). Note, however, that RFC 1321 */
329 /* provides these values as bytes, not as longwords, and the */
330 /* bytes are arranged in little-endian order as if they were */
331 /* the bytes of (little endian) 32-bit ints. That's */
332 /* confusing as all getout (to me, anyway). The values given */
333 /* here are provided as 32-bit values in C language format, */
334 /* so they are endian-agnostic. */
342 /* ------------------------------------------------------------------------ **
343 * Build an MD5 Message Digest within the given context.
344 *
345 * Input: ctx - Pointer to the context in which the MD5 sum is being
346 * built.
347 * src - A chunk of source data. This will be used to drive
348 * the MD5 algorithm.
349 * len - The number of bytes in <src>.
350 *
351 * Output: A pointer to the updated context (same as <ctx>).
352 *
353 * See Also: <auth_md5InitCtx()>, <auth_md5CloseCtx()>, <auth_md5Sum()>
354 *
355 * ------------------------------------------------------------------------ **
356 */
357 {
360 /* Add the new block's length to the total length.
361 */
364 /* Copy the new block's data into the context block.
365 * Call the Permute() function whenever the context block is full.
366 */
368 {
372 {
375 }
376 }
378 /* Return the updated context.
379 */
385 /* ------------------------------------------------------------------------ **
386 * Close an MD5 Message Digest context and generate the final MD5 sum.
387 *
388 * Input: ctx - Pointer to the context in which the MD5 sum is being
389 * built.
390 * dst - A pointer to at least 16 bytes of memory, which will
391 * receive the finished MD5 sum.
392 *
393 * Output: A pointer to the closed context (same as <ctx>).
394 * You might use this to free a malloc'd context structure. :)
395 *
396 * Notes: The context (<ctx>) is returned in an undefined state.
397 * It must be re-initialized before re-use.
398 *
399 * See Also: <auth_md5InitCtx()>, <auth_md5SumCtx()>
400 *
401 * ------------------------------------------------------------------------ **
402 */
403 {
407 /* Add the required 0x80 padding initiator byte.
408 * The auth_md5SumCtx() function always permutes and resets the context
409 * block when it gets full, so we know that there must be at least one
410 * free byte in the context block.
411 */
415 /* Zero out any remaining free bytes in the context block.
416 */
420 /* We need 8 bytes to store the length field.
421 * If we don't have 8, call Permute() and reset the context block.
422 */
424 {
428 }
430 /* Add the total length and perform the final perumation.
431 * Note: The 60'th byte is read from the *original* <ctx->len> value
432 * and shifted to the correct position. This neatly avoids
433 * any MAXINT numeric overflow issues.
434 */
441 /* Now copy the result into the output buffer and we're done.
442 */
444 {
449 }
451 /* Return the context.
452 * This is done for compatibility with the other auth_md5*Ctx() functions.
453 */
459 /* ------------------------------------------------------------------------ **
460 * Compute an MD5 message digest.
461 *
462 * Input: dst - Destination buffer into which the result will be written.
463 * Must be 16 bytes, minimum.
464 * src - Source data block to be MD5'd.
465 * len - The length, in bytes, of the source block.
466 * (Note that the length is given in bytes, not bits.)
467 *
468 * Output: A pointer to <dst>, which will contain the calculated 16-byte
469 * MD5 message digest.
470 *
471 * Notes: This function is a shortcut. It takes a single input block.
472 * For more drawn-out operations, see <auth_md5InitCtx()>.
473 *
474 * This function is interface-compatible with the
475 * <auth_md4Sum()> function in the MD4 module.
476 *
477 * The MD5 algorithm is designed to work on data with an
478 * arbitrary *bit* length. Most implementations, this one
479 * included, handle the input data in byte-sized chunks.
480 *
481 * The MD5 algorithm does much of its work using four-byte
482 * words, and so can be tuned for speed based on the endian-ness
483 * of the host. This implementation is intended to be
484 * endian-neutral, which may make it a teeny bit slower than
485 * others. ...maybe.
486 *
487 * See Also: <auth_md5InitCtx()>
488 *
489 * ------------------------------------------------------------------------ **
490 */
491 {
502 /* ========================================================================== */