forked from GaloisInc/cryptol-specs
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathSHA1.cry
92 lines (76 loc) · 2.8 KB
/
SHA1.cry
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
/*
Description of SHA1 at https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf
Copyright (c) 2004, 2013-2018 Galois, Inc.
www.cryptol.net
You can freely use this source code for educational purposes.
*/
module Primitive::Keyless::Hash::SHA1 where
sha1 : {n} (width (8*n) <= 64) => [n][8] -> [160]
sha1 msg = sha1' pmsg
where
pmsg = pad(join(msg))
sha1' : {chunks} (fin chunks) => [chunks][512] -> [160]
sha1' pmsg = join (Hs!0)
where
Hs = [[0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476, 0xc3d2e1f0]] #
[ block(H, split(M))
| H <- Hs
| M <- pmsg
]
/*
As a summary, a "1" followed by m "0"s followed by a 64-
bit integer are appended to the end of the message to produce a
padded message of length 512 * n. The 64-bit integer is the length
of the original message. The padded message is then processed by the
SHA-1 as n 512-bit blocks.
*/
pad : {msgLen}
( fin msgLen
, 64 >= width msgLen // message width fits in a word
)
=> [msgLen] -> [(msgLen + 65) /^ 512][512]
pad msg = split (msg # [True] # (zero:[padLen]) # (`msgLen:[64]))
where type padLen = (msgLen + 65) %^ 512
f : ([8], [32], [32], [32]) -> [32]
f (t, x, y, z) =
if (0 <= t) /\ (t <= 19) then (x && y) ^ (~x && z)
| (20 <= t) /\ (t <= 39) then x ^ y ^ z
| (40 <= t) /\ (t <= 59) then (x && y) ^ (x && z) ^ (y && z)
| (60 <= t) /\ (t <= 79) then x ^ y ^ z
else error "f: t out of range"
Ks : [80][32]
Ks = [ 0x5a827999 | t <- [0..19] ]
# [ 0x6ed9eba1 | t <- [20..39] ]
# [ 0x8f1bbcdc | t <- [40..59] ]
# [ 0xca62c1d6 | t <- [60..79] ]
block : ([5][32], [16][32]) -> [5][32]
block ([H0, H1, H2, H3, H4], M) =
[(H0+As@80), (H1+Bs@80), (H2+Cs@80), (H3+Ds@80), (H4+Es@80)]
where
Ws : [80][32]
Ws = M # [ (W3 ^ W8 ^ W14 ^ W16) <<< 1
| W16 <- drop`{16 - 16} Ws
| W14 <- drop`{16 - 14} Ws
| W8 <- drop`{16 - 8} Ws
| W3 <- drop`{16 - 3} Ws
| t <- [16..79]
]
As = [H0] # TEMP
Bs = [H1] # As
Cs = [H2] # [ B <<< 30 | B <- Bs ]
Ds = [H3] # Cs
Es = [H4] # Ds
TEMP : [80][32]
TEMP = [ (A <<< 5) + f(t, B, C, D) + E + W + K
| A <- As | B <- Bs | C <- Cs | D <- Ds | E <- Es
| W <- Ws | K <- Ks
| t <- [0..79]
]
t0 = sha1 "" == 0xda39a3ee5e6b4b0d3255bfef95601890afd80709
// Sample messages and their digests from FIPS180-1 appendix.
t1 = sha1 "abc" == 0xA9993E364706816ABA3E25717850C26C9CD0D89D
t2 = sha1 "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" ==
0x84983E441C3BD26EBAAE4AA1F95129E5E54670F1
t3 = sha1 [ 'a' | i <- [1..1000000] ] ==
0x34AA973CD4C4DAA4F61EEB2BDBAD27316534016F
property testsPass = and [t0, t1, t2, t3]