summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMike Buland <eichlan@xagasoft.com>2011-01-13 00:16:41 +0000
committerMike Buland <eichlan@xagasoft.com>2011-01-13 00:16:41 +0000
commitd8fe3868996c80cd3de775584fde730c32c309c9 (patch)
tree2b0c265adc6241809aecb784b4ddbabbb90f38c4
parent1effc94df7e558de6319082e390803911cf45c24 (diff)
downloadlibbu++-d8fe3868996c80cd3de775584fde730c32c309c9.tar.gz
libbu++-d8fe3868996c80cd3de775584fde730c32c309c9.tar.bz2
libbu++-d8fe3868996c80cd3de775584fde730c32c309c9.tar.xz
libbu++-d8fe3868996c80cd3de775584fde730c32c309c9.zip
md5...is...broken...I'm...fixing it...
-rw-r--r--misc/rfc1321-md5.txt1179
-rw-r--r--src/md5.cpp32
-rw-r--r--src/md5.h10
3 files changed, 1189 insertions, 32 deletions
diff --git a/misc/rfc1321-md5.txt b/misc/rfc1321-md5.txt
new file mode 100644
index 0000000..68af27d
--- /dev/null
+++ b/misc/rfc1321-md5.txt
@@ -0,0 +1,1179 @@
1
2
3
4
5
6
7Network Working Group R. Rivest
8Request for Comments: 1321 MIT Laboratory for Computer Science
9 and RSA Data Security, Inc.
10 April 1992
11
12
13 The MD5 Message-Digest Algorithm
14
15Status of this Memo
16
17 This memo provides information for the Internet community. It does
18 not specify an Internet standard. Distribution of this memo is
19 unlimited.
20
21Acknowlegements
22
23 We would like to thank Don Coppersmith, Burt Kaliski, Ralph Merkle,
24 David Chaum, and Noam Nisan for numerous helpful comments and
25 suggestions.
26
27Table of Contents
28
29 1. Executive Summary 1
30 2. Terminology and Notation 2
31 3. MD5 Algorithm Description 3
32 4. Summary 6
33 5. Differences Between MD4 and MD5 6
34 References 7
35 APPENDIX A - Reference Implementation 7
36 Security Considerations 21
37 Author's Address 21
38
391. Executive Summary
40
41 This document describes the MD5 message-digest algorithm. The
42 algorithm takes as input a message of arbitrary length and produces
43 as output a 128-bit "fingerprint" or "message digest" of the input.
44 It is conjectured that it is computationally infeasible to produce
45 two messages having the same message digest, or to produce any
46 message having a given prespecified target message digest. The MD5
47 algorithm is intended for digital signature applications, where a
48 large file must be "compressed" in a secure manner before being
49 encrypted with a private (secret) key under a public-key cryptosystem
50 such as RSA.
51
52
53
54
55
56
57
58Rivest [Page 1]
59
60RFC 1321 MD5 Message-Digest Algorithm April 1992
61
62
63 The MD5 algorithm is designed to be quite fast on 32-bit machines. In
64 addition, the MD5 algorithm does not require any large substitution
65 tables; the algorithm can be coded quite compactly.
66
67 The MD5 algorithm is an extension of the MD4 message-digest algorithm
68 1,2]. MD5 is slightly slower than MD4, but is more "conservative" in
69 design. MD5 was designed because it was felt that MD4 was perhaps
70 being adopted for use more quickly than justified by the existing
71 critical review; because MD4 was designed to be exceptionally fast,
72 it is "at the edge" in terms of risking successful cryptanalytic
73 attack. MD5 backs off a bit, giving up a little in speed for a much
74 greater likelihood of ultimate security. It incorporates some
75 suggestions made by various reviewers, and contains additional
76 optimizations. The MD5 algorithm is being placed in the public domain
77 for review and possible adoption as a standard.
78
79 For OSI-based applications, MD5's object identifier is
80
81 md5 OBJECT IDENTIFIER ::=
82 iso(1) member-body(2) US(840) rsadsi(113549) digestAlgorithm(2) 5}
83
84 In the X.509 type AlgorithmIdentifier [3], the parameters for MD5
85 should have type NULL.
86
872. Terminology and Notation
88
89 In this document a "word" is a 32-bit quantity and a "byte" is an
90 eight-bit quantity. A sequence of bits can be interpreted in a
91 natural manner as a sequence of bytes, where each consecutive group
92 of eight bits is interpreted as a byte with the high-order (most
93 significant) bit of each byte listed first. Similarly, a sequence of
94 bytes can be interpreted as a sequence of 32-bit words, where each
95 consecutive group of four bytes is interpreted as a word with the
96 low-order (least significant) byte given first.
97
98 Let x_i denote "x sub i". If the subscript is an expression, we
99 surround it in braces, as in x_{i+1}. Similarly, we use ^ for
100 superscripts (exponentiation), so that x^i denotes x to the i-th
101 power.
102
103 Let the symbol "+" denote addition of words (i.e., modulo-2^32
104 addition). Let X <<< s denote the 32-bit value obtained by circularly
105 shifting (rotating) X left by s bit positions. Let not(X) denote the
106 bit-wise complement of X, and let X v Y denote the bit-wise OR of X
107 and Y. Let X xor Y denote the bit-wise XOR of X and Y, and let XY
108 denote the bit-wise AND of X and Y.
109
110
111
112
113
114Rivest [Page 2]
115
116RFC 1321 MD5 Message-Digest Algorithm April 1992
117
118
1193. MD5 Algorithm Description
120
121 We begin by supposing that we have a b-bit message as input, and that
122 we wish to find its message digest. Here b is an arbitrary
123 nonnegative integer; b may be zero, it need not be a multiple of
124 eight, and it may be arbitrarily large. We imagine the bits of the
125 message written down as follows:
126
127 m_0 m_1 ... m_{b-1}
128
129 The following five steps are performed to compute the message digest
130 of the message.
131
1323.1 Step 1. Append Padding Bits
133
134 The message is "padded" (extended) so that its length (in bits) is
135 congruent to 448, modulo 512. That is, the message is extended so
136 that it is just 64 bits shy of being a multiple of 512 bits long.
137 Padding is always performed, even if the length of the message is
138 already congruent to 448, modulo 512.
139
140 Padding is performed as follows: a single "1" bit is appended to the
141 message, and then "0" bits are appended so that the length in bits of
142 the padded message becomes congruent to 448, modulo 512. In all, at
143 least one bit and at most 512 bits are appended.
144
1453.2 Step 2. Append Length
146
147 A 64-bit representation of b (the length of the message before the
148 padding bits were added) is appended to the result of the previous
149 step. In the unlikely event that b is greater than 2^64, then only
150 the low-order 64 bits of b are used. (These bits are appended as two
151 32-bit words and appended low-order word first in accordance with the
152 previous conventions.)
153
154 At this point the resulting message (after padding with bits and with
155 b) has a length that is an exact multiple of 512 bits. Equivalently,
156 this message has a length that is an exact multiple of 16 (32-bit)
157 words. Let M[0 ... N-1] denote the words of the resulting message,
158 where N is a multiple of 16.
159
1603.3 Step 3. Initialize MD Buffer
161
162 A four-word buffer (A,B,C,D) is used to compute the message digest.
163 Here each of A, B, C, D is a 32-bit register. These registers are
164 initialized to the following values in hexadecimal, low-order bytes
165 first):
166
167
168
169
170Rivest [Page 3]
171
172RFC 1321 MD5 Message-Digest Algorithm April 1992
173
174
175 word A: 01 23 45 67
176 word B: 89 ab cd ef
177 word C: fe dc ba 98
178 word D: 76 54 32 10
179
1803.4 Step 4. Process Message in 16-Word Blocks
181
182 We first define four auxiliary functions that each take as input
183 three 32-bit words and produce as output one 32-bit word.
184
185 F(X,Y,Z) = XY v not(X) Z
186 G(X,Y,Z) = XZ v Y not(Z)
187 H(X,Y,Z) = X xor Y xor Z
188 I(X,Y,Z) = Y xor (X v not(Z))
189
190 In each bit position F acts as a conditional: if X then Y else Z.
191 The function F could have been defined using + instead of v since XY
192 and not(X)Z will never have 1's in the same bit position.) It is
193 interesting to note that if the bits of X, Y, and Z are independent
194 and unbiased, the each bit of F(X,Y,Z) will be independent and
195 unbiased.
196
197 The functions G, H, and I are similar to the function F, in that they
198 act in "bitwise parallel" to produce their output from the bits of X,
199 Y, and Z, in such a manner that if the corresponding bits of X, Y,
200 and Z are independent and unbiased, then each bit of G(X,Y,Z),
201 H(X,Y,Z), and I(X,Y,Z) will be independent and unbiased. Note that
202 the function H is the bit-wise "xor" or "parity" function of its
203 inputs.
204
205 This step uses a 64-element table T[1 ... 64] constructed from the
206 sine function. Let T[i] denote the i-th element of the table, which
207 is equal to the integer part of 4294967296 times abs(sin(i)), where i
208 is in radians. The elements of the table are given in the appendix.
209
210 Do the following:
211
212 /* Process each 16-word block. */
213 For i = 0 to N/16-1 do
214
215 /* Copy block i into X. */
216 For j = 0 to 15 do
217 Set X[j] to M[i*16+j].
218 end /* of loop on j */
219
220 /* Save A as AA, B as BB, C as CC, and D as DD. */
221 AA = A
222 BB = B
223
224
225
226Rivest [Page 4]
227
228RFC 1321 MD5 Message-Digest Algorithm April 1992
229
230
231 CC = C
232 DD = D
233
234 /* Round 1. */
235 /* Let [abcd k s i] denote the operation
236 a = b + ((a + F(b,c,d) + X[k] + T[i]) <<< s). */
237 /* Do the following 16 operations. */
238 [ABCD 0 7 1] [DABC 1 12 2] [CDAB 2 17 3] [BCDA 3 22 4]
239 [ABCD 4 7 5] [DABC 5 12 6] [CDAB 6 17 7] [BCDA 7 22 8]
240 [ABCD 8 7 9] [DABC 9 12 10] [CDAB 10 17 11] [BCDA 11 22 12]
241 [ABCD 12 7 13] [DABC 13 12 14] [CDAB 14 17 15] [BCDA 15 22 16]
242
243 /* Round 2. */
244 /* Let [abcd k s i] denote the operation
245 a = b + ((a + G(b,c,d) + X[k] + T[i]) <<< s). */
246 /* Do the following 16 operations. */
247 [ABCD 1 5 17] [DABC 6 9 18] [CDAB 11 14 19] [BCDA 0 20 20]
248 [ABCD 5 5 21] [DABC 10 9 22] [CDAB 15 14 23] [BCDA 4 20 24]
249 [ABCD 9 5 25] [DABC 14 9 26] [CDAB 3 14 27] [BCDA 8 20 28]
250 [ABCD 13 5 29] [DABC 2 9 30] [CDAB 7 14 31] [BCDA 12 20 32]
251
252 /* Round 3. */
253 /* Let [abcd k s t] denote the operation
254 a = b + ((a + H(b,c,d) + X[k] + T[i]) <<< s). */
255 /* Do the following 16 operations. */
256 [ABCD 5 4 33] [DABC 8 11 34] [CDAB 11 16 35] [BCDA 14 23 36]
257 [ABCD 1 4 37] [DABC 4 11 38] [CDAB 7 16 39] [BCDA 10 23 40]
258 [ABCD 13 4 41] [DABC 0 11 42] [CDAB 3 16 43] [BCDA 6 23 44]
259 [ABCD 9 4 45] [DABC 12 11 46] [CDAB 15 16 47] [BCDA 2 23 48]
260
261 /* Round 4. */
262 /* Let [abcd k s t] denote the operation
263 a = b + ((a + I(b,c,d) + X[k] + T[i]) <<< s). */
264 /* Do the following 16 operations. */
265 [ABCD 0 6 49] [DABC 7 10 50] [CDAB 14 15 51] [BCDA 5 21 52]
266 [ABCD 12 6 53] [DABC 3 10 54] [CDAB 10 15 55] [BCDA 1 21 56]
267 [ABCD 8 6 57] [DABC 15 10 58] [CDAB 6 15 59] [BCDA 13 21 60]
268 [ABCD 4 6 61] [DABC 11 10 62] [CDAB 2 15 63] [BCDA 9 21 64]
269
270 /* Then perform the following additions. (That is increment each
271 of the four registers by the value it had before this block
272 was started.) */
273 A = A + AA
274 B = B + BB
275 C = C + CC
276 D = D + DD
277
278 end /* of loop on i */
279
280
281
282Rivest [Page 5]
283
284RFC 1321 MD5 Message-Digest Algorithm April 1992
285
286
2873.5 Step 5. Output
288
289 The message digest produced as output is A, B, C, D. That is, we
290 begin with the low-order byte of A, and end with the high-order byte
291 of D.
292
293 This completes the description of MD5. A reference implementation in
294 C is given in the appendix.
295
2964. Summary
297
298 The MD5 message-digest algorithm is simple to implement, and provides
299 a "fingerprint" or message digest of a message of arbitrary length.
300 It is conjectured that the difficulty of coming up with two messages
301 having the same message digest is on the order of 2^64 operations,
302 and that the difficulty of coming up with any message having a given
303 message digest is on the order of 2^128 operations. The MD5 algorithm
304 has been carefully scrutinized for weaknesses. It is, however, a
305 relatively new algorithm and further security analysis is of course
306 justified, as is the case with any new proposal of this sort.
307
3085. Differences Between MD4 and MD5
309
310 The following are the differences between MD4 and MD5:
311
312 1. A fourth round has been added.
313
314 2. Each step now has a unique additive constant.
315
316 3. The function g in round 2 was changed from (XY v XZ v YZ) to
317 (XZ v Y not(Z)) to make g less symmetric.
318
319 4. Each step now adds in the result of the previous step. This
320 promotes a faster "avalanche effect".
321
322 5. The order in which input words are accessed in rounds 2 and
323 3 is changed, to make these patterns less like each other.
324
325 6. The shift amounts in each round have been approximately
326 optimized, to yield a faster "avalanche effect." The shifts in
327 different rounds are distinct.
328
329
330
331
332
333
334
335
336
337
338Rivest [Page 6]
339
340RFC 1321 MD5 Message-Digest Algorithm April 1992
341
342
343References
344
345 [1] Rivest, R., "The MD4 Message Digest Algorithm", RFC 1320, MIT and
346 RSA Data Security, Inc., April 1992.
347
348 [2] Rivest, R., "The MD4 message digest algorithm", in A.J. Menezes
349 and S.A. Vanstone, editors, Advances in Cryptology - CRYPTO '90
350 Proceedings, pages 303-311, Springer-Verlag, 1991.
351
352 [3] CCITT Recommendation X.509 (1988), "The Directory -
353 Authentication Framework."
354
355APPENDIX A - Reference Implementation
356
357 This appendix contains the following files taken from RSAREF: A
358 Cryptographic Toolkit for Privacy-Enhanced Mail:
359
360 global.h -- global header file
361
362 md5.h -- header file for MD5
363
364 md5c.c -- source code for MD5
365
366 For more information on RSAREF, send email to <rsaref@rsa.com>.
367
368 The appendix also includes the following file:
369
370 mddriver.c -- test driver for MD2, MD4 and MD5
371
372 The driver compiles for MD5 by default but can compile for MD2 or MD4
373 if the symbol MD is defined on the C compiler command line as 2 or 4.
374
375 The implementation is portable and should work on many different
376 plaforms. However, it is not difficult to optimize the implementation
377 on particular platforms, an exercise left to the reader. For example,
378 on "little-endian" platforms where the lowest-addressed byte in a 32-
379 bit word is the least significant and there are no alignment
380 restrictions, the call to Decode in MD5Transform can be replaced with
381 a typecast.
382
383A.1 global.h
384
385/* GLOBAL.H - RSAREF types and constants
386 */
387
388/* PROTOTYPES should be set to one if and only if the compiler supports
389 function argument prototyping.
390The following makes PROTOTYPES default to 0 if it has not already
391
392
393
394Rivest [Page 7]
395
396RFC 1321 MD5 Message-Digest Algorithm April 1992
397
398
399 been defined with C compiler flags.
400 */
401#ifndef PROTOTYPES
402#define PROTOTYPES 0
403#endif
404
405/* POINTER defines a generic pointer type */
406typedef unsigned char *POINTER;
407
408/* UINT2 defines a two byte word */
409typedef unsigned short int UINT2;
410
411/* UINT4 defines a four byte word */
412typedef unsigned long int UINT4;
413
414/* PROTO_LIST is defined depending on how PROTOTYPES is defined above.
415If using PROTOTYPES, then PROTO_LIST returns the list, otherwise it
416 returns an empty list.
417 */
418#if PROTOTYPES
419#define PROTO_LIST(list) list
420#else
421#define PROTO_LIST(list) ()
422#endif
423
424A.2 md5.h
425
426/* MD5.H - header file for MD5C.C
427 */
428
429/* Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All
430rights reserved.
431
432License to copy and use this software is granted provided that it
433is identified as the "RSA Data Security, Inc. MD5 Message-Digest
434Algorithm" in all material mentioning or referencing this software
435or this function.
436
437License is also granted to make and use derivative works provided
438that such works are identified as "derived from the RSA Data
439Security, Inc. MD5 Message-Digest Algorithm" in all material
440mentioning or referencing the derived work.
441
442RSA Data Security, Inc. makes no representations concerning either
443the merchantability of this software or the suitability of this
444software for any particular purpose. It is provided "as is"
445without express or implied warranty of any kind.
446
447
448
449
450Rivest [Page 8]
451
452RFC 1321 MD5 Message-Digest Algorithm April 1992
453
454
455These notices must be retained in any copies of any part of this
456documentation and/or software.
457 */
458
459/* MD5 context. */
460typedef struct {
461 UINT4 state[4]; /* state (ABCD) */
462 UINT4 count[2]; /* number of bits, modulo 2^64 (lsb first) */
463 unsigned char buffer[64]; /* input buffer */
464} MD5_CTX;
465
466void MD5Init PROTO_LIST ((MD5_CTX *));
467void MD5Update PROTO_LIST
468 ((MD5_CTX *, unsigned char *, unsigned int));
469void MD5Final PROTO_LIST ((unsigned char [16], MD5_CTX *));
470
471A.3 md5c.c
472
473/* MD5C.C - RSA Data Security, Inc., MD5 message-digest algorithm
474 */
475
476/* Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All
477rights reserved.
478
479License to copy and use this software is granted provided that it
480is identified as the "RSA Data Security, Inc. MD5 Message-Digest
481Algorithm" in all material mentioning or referencing this software
482or this function.
483
484License is also granted to make and use derivative works provided
485that such works are identified as "derived from the RSA Data
486Security, Inc. MD5 Message-Digest Algorithm" in all material
487mentioning or referencing the derived work.
488
489RSA Data Security, Inc. makes no representations concerning either
490the merchantability of this software or the suitability of this
491software for any particular purpose. It is provided "as is"
492without express or implied warranty of any kind.
493
494These notices must be retained in any copies of any part of this
495documentation and/or software.
496 */
497
498#include "global.h"
499#include "md5.h"
500
501/* Constants for MD5Transform routine.
502 */
503
504
505
506Rivest [Page 9]
507
508RFC 1321 MD5 Message-Digest Algorithm April 1992
509
510
511#define S11 7
512#define S12 12
513#define S13 17
514#define S14 22
515#define S21 5
516#define S22 9
517#define S23 14
518#define S24 20
519#define S31 4
520#define S32 11
521#define S33 16
522#define S34 23
523#define S41 6
524#define S42 10
525#define S43 15
526#define S44 21
527
528static void MD5Transform PROTO_LIST ((UINT4 [4], unsigned char [64]));
529static void Encode PROTO_LIST
530 ((unsigned char *, UINT4 *, unsigned int));
531static void Decode PROTO_LIST
532 ((UINT4 *, unsigned char *, unsigned int));
533static void MD5_memcpy PROTO_LIST ((POINTER, POINTER, unsigned int));
534static void MD5_memset PROTO_LIST ((POINTER, int, unsigned int));
535
536static unsigned char PADDING[64] = {
537 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
538 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
539 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
540};
541
542/* F, G, H and I are basic MD5 functions.
543 */
544#define F(x, y, z) (((x) & (y)) | ((~x) & (z)))
545#define G(x, y, z) (((x) & (z)) | ((y) & (~z)))
546#define H(x, y, z) ((x) ^ (y) ^ (z))
547#define I(x, y, z) ((y) ^ ((x) | (~z)))
548
549/* ROTATE_LEFT rotates x left n bits.
550 */
551#define ROTATE_LEFT(x, n) (((x) << (n)) | ((x) >> (32-(n))))
552
553/* FF, GG, HH, and II transformations for rounds 1, 2, 3, and 4.
554Rotation is separate from addition to prevent recomputation.
555 */
556#define FF(a, b, c, d, x, s, ac) { \
557 (a) += F ((b), (c), (d)) + (x) + (UINT4)(ac); \
558 (a) = ROTATE_LEFT ((a), (s)); \
559
560
561
562Rivest [Page 10]
563
564RFC 1321 MD5 Message-Digest Algorithm April 1992
565
566
567 (a) += (b); \
568 }
569#define GG(a, b, c, d, x, s, ac) { \
570 (a) += G ((b), (c), (d)) + (x) + (UINT4)(ac); \
571 (a) = ROTATE_LEFT ((a), (s)); \
572 (a) += (b); \
573 }
574#define HH(a, b, c, d, x, s, ac) { \
575 (a) += H ((b), (c), (d)) + (x) + (UINT4)(ac); \
576 (a) = ROTATE_LEFT ((a), (s)); \
577 (a) += (b); \
578 }
579#define II(a, b, c, d, x, s, ac) { \
580 (a) += I ((b), (c), (d)) + (x) + (UINT4)(ac); \
581 (a) = ROTATE_LEFT ((a), (s)); \
582 (a) += (b); \
583 }
584
585/* MD5 initialization. Begins an MD5 operation, writing a new context.
586 */
587void MD5Init (context)
588MD5_CTX *context; /* context */
589{
590 context->count[0] = context->count[1] = 0;
591 /* Load magic initialization constants.
592*/
593 context->state[0] = 0x67452301;
594 context->state[1] = 0xefcdab89;
595 context->state[2] = 0x98badcfe;
596 context->state[3] = 0x10325476;
597}
598
599/* MD5 block update operation. Continues an MD5 message-digest
600 operation, processing another message block, and updating the
601 context.
602 */
603void MD5Update (context, input, inputLen)
604MD5_CTX *context; /* context */
605unsigned char *input; /* input block */
606unsigned int inputLen; /* length of input block */
607{
608 unsigned int i, index, partLen;
609
610 /* Compute number of bytes mod 64 */
611 index = (unsigned int)((context->count[0] >> 3) & 0x3F);
612
613 /* Update number of bits */
614 if ((context->count[0] += ((UINT4)inputLen << 3))
615
616
617
618Rivest [Page 11]
619
620RFC 1321 MD5 Message-Digest Algorithm April 1992
621
622
623 < ((UINT4)inputLen << 3))
624 context->count[1]++;
625 context->count[1] += ((UINT4)inputLen >> 29);
626
627 partLen = 64 - index;
628
629 /* Transform as many times as possible.
630*/
631 if (inputLen >= partLen) {
632 MD5_memcpy
633 ((POINTER)&context->buffer[index], (POINTER)input, partLen);
634 MD5Transform (context->state, context->buffer);
635
636 for (i = partLen; i + 63 < inputLen; i += 64)
637 MD5Transform (context->state, &input[i]);
638
639 index = 0;
640 }
641 else
642 i = 0;
643
644 /* Buffer remaining input */
645 MD5_memcpy
646 ((POINTER)&context->buffer[index], (POINTER)&input[i],
647 inputLen-i);
648}
649
650/* MD5 finalization. Ends an MD5 message-digest operation, writing the
651 the message digest and zeroizing the context.
652 */
653void MD5Final (digest, context)
654unsigned char digest[16]; /* message digest */
655MD5_CTX *context; /* context */
656{
657 unsigned char bits[8];
658 unsigned int index, padLen;
659
660 /* Save number of bits */
661 Encode (bits, context->count, 8);
662
663 /* Pad out to 56 mod 64.
664*/
665 index = (unsigned int)((context->count[0] >> 3) & 0x3f);
666 padLen = (index < 56) ? (56 - index) : (120 - index);
667 MD5Update (context, PADDING, padLen);
668
669 /* Append length (before padding) */
670 MD5Update (context, bits, 8);
671
672
673
674Rivest [Page 12]
675
676RFC 1321 MD5 Message-Digest Algorithm April 1992
677
678
679 /* Store state in digest */
680 Encode (digest, context->state, 16);
681
682 /* Zeroize sensitive information.
683*/
684 MD5_memset ((POINTER)context, 0, sizeof (*context));
685}
686
687/* MD5 basic transformation. Transforms state based on block.
688 */
689static void MD5Transform (state, block)
690UINT4 state[4];
691unsigned char block[64];
692{
693 UINT4 a = state[0], b = state[1], c = state[2], d = state[3], x[16];
694
695 Decode (x, block, 64);
696
697 /* Round 1 */
698 FF (a, b, c, d, x[ 0], S11, 0xd76aa478); /* 1 */
699 FF (d, a, b, c, x[ 1], S12, 0xe8c7b756); /* 2 */
700 FF (c, d, a, b, x[ 2], S13, 0x242070db); /* 3 */
701 FF (b, c, d, a, x[ 3], S14, 0xc1bdceee); /* 4 */
702 FF (a, b, c, d, x[ 4], S11, 0xf57c0faf); /* 5 */
703 FF (d, a, b, c, x[ 5], S12, 0x4787c62a); /* 6 */
704 FF (c, d, a, b, x[ 6], S13, 0xa8304613); /* 7 */
705 FF (b, c, d, a, x[ 7], S14, 0xfd469501); /* 8 */
706 FF (a, b, c, d, x[ 8], S11, 0x698098d8); /* 9 */
707 FF (d, a, b, c, x[ 9], S12, 0x8b44f7af); /* 10 */
708 FF (c, d, a, b, x[10], S13, 0xffff5bb1); /* 11 */
709 FF (b, c, d, a, x[11], S14, 0x895cd7be); /* 12 */
710 FF (a, b, c, d, x[12], S11, 0x6b901122); /* 13 */
711 FF (d, a, b, c, x[13], S12, 0xfd987193); /* 14 */
712 FF (c, d, a, b, x[14], S13, 0xa679438e); /* 15 */
713 FF (b, c, d, a, x[15], S14, 0x49b40821); /* 16 */
714
715 /* Round 2 */
716 GG (a, b, c, d, x[ 1], S21, 0xf61e2562); /* 17 */
717 GG (d, a, b, c, x[ 6], S22, 0xc040b340); /* 18 */
718 GG (c, d, a, b, x[11], S23, 0x265e5a51); /* 19 */
719 GG (b, c, d, a, x[ 0], S24, 0xe9b6c7aa); /* 20 */
720 GG (a, b, c, d, x[ 5], S21, 0xd62f105d); /* 21 */
721 GG (d, a, b, c, x[10], S22, 0x2441453); /* 22 */
722 GG (c, d, a, b, x[15], S23, 0xd8a1e681); /* 23 */
723 GG (b, c, d, a, x[ 4], S24, 0xe7d3fbc8); /* 24 */
724 GG (a, b, c, d, x[ 9], S21, 0x21e1cde6); /* 25 */
725 GG (d, a, b, c, x[14], S22, 0xc33707d6); /* 26 */
726 GG (c, d, a, b, x[ 3], S23, 0xf4d50d87); /* 27 */
727
728
729
730Rivest [Page 13]
731
732RFC 1321 MD5 Message-Digest Algorithm April 1992
733
734
735 GG (b, c, d, a, x[ 8], S24, 0x455a14ed); /* 28 */
736 GG (a, b, c, d, x[13], S21, 0xa9e3e905); /* 29 */
737 GG (d, a, b, c, x[ 2], S22, 0xfcefa3f8); /* 30 */
738 GG (c, d, a, b, x[ 7], S23, 0x676f02d9); /* 31 */
739 GG (b, c, d, a, x[12], S24, 0x8d2a4c8a); /* 32 */
740
741 /* Round 3 */
742 HH (a, b, c, d, x[ 5], S31, 0xfffa3942); /* 33 */
743 HH (d, a, b, c, x[ 8], S32, 0x8771f681); /* 34 */
744 HH (c, d, a, b, x[11], S33, 0x6d9d6122); /* 35 */
745 HH (b, c, d, a, x[14], S34, 0xfde5380c); /* 36 */
746 HH (a, b, c, d, x[ 1], S31, 0xa4beea44); /* 37 */
747 HH (d, a, b, c, x[ 4], S32, 0x4bdecfa9); /* 38 */
748 HH (c, d, a, b, x[ 7], S33, 0xf6bb4b60); /* 39 */
749 HH (b, c, d, a, x[10], S34, 0xbebfbc70); /* 40 */
750 HH (a, b, c, d, x[13], S31, 0x289b7ec6); /* 41 */
751 HH (d, a, b, c, x[ 0], S32, 0xeaa127fa); /* 42 */
752 HH (c, d, a, b, x[ 3], S33, 0xd4ef3085); /* 43 */
753 HH (b, c, d, a, x[ 6], S34, 0x4881d05); /* 44 */
754 HH (a, b, c, d, x[ 9], S31, 0xd9d4d039); /* 45 */
755 HH (d, a, b, c, x[12], S32, 0xe6db99e5); /* 46 */
756 HH (c, d, a, b, x[15], S33, 0x1fa27cf8); /* 47 */
757 HH (b, c, d, a, x[ 2], S34, 0xc4ac5665); /* 48 */
758
759 /* Round 4 */
760 II (a, b, c, d, x[ 0], S41, 0xf4292244); /* 49 */
761 II (d, a, b, c, x[ 7], S42, 0x432aff97); /* 50 */
762 II (c, d, a, b, x[14], S43, 0xab9423a7); /* 51 */
763 II (b, c, d, a, x[ 5], S44, 0xfc93a039); /* 52 */
764 II (a, b, c, d, x[12], S41, 0x655b59c3); /* 53 */
765 II (d, a, b, c, x[ 3], S42, 0x8f0ccc92); /* 54 */
766 II (c, d, a, b, x[10], S43, 0xffeff47d); /* 55 */
767 II (b, c, d, a, x[ 1], S44, 0x85845dd1); /* 56 */
768 II (a, b, c, d, x[ 8], S41, 0x6fa87e4f); /* 57 */
769 II (d, a, b, c, x[15], S42, 0xfe2ce6e0); /* 58 */
770 II (c, d, a, b, x[ 6], S43, 0xa3014314); /* 59 */
771 II (b, c, d, a, x[13], S44, 0x4e0811a1); /* 60 */
772 II (a, b, c, d, x[ 4], S41, 0xf7537e82); /* 61 */
773 II (d, a, b, c, x[11], S42, 0xbd3af235); /* 62 */
774 II (c, d, a, b, x[ 2], S43, 0x2ad7d2bb); /* 63 */
775 II (b, c, d, a, x[ 9], S44, 0xeb86d391); /* 64 */
776
777 state[0] += a;
778 state[1] += b;
779 state[2] += c;
780 state[3] += d;
781
782 /* Zeroize sensitive information.
783
784
785
786Rivest [Page 14]
787
788RFC 1321 MD5 Message-Digest Algorithm April 1992
789
790
791*/
792 MD5_memset ((POINTER)x, 0, sizeof (x));
793}
794
795/* Encodes input (UINT4) into output (unsigned char). Assumes len is
796 a multiple of 4.
797 */
798static void Encode (output, input, len)
799unsigned char *output;
800UINT4 *input;
801unsigned int len;
802{
803 unsigned int i, j;
804
805 for (i = 0, j = 0; j < len; i++, j += 4) {
806 output[j] = (unsigned char)(input[i] & 0xff);
807 output[j+1] = (unsigned char)((input[i] >> 8) & 0xff);
808 output[j+2] = (unsigned char)((input[i] >> 16) & 0xff);
809 output[j+3] = (unsigned char)((input[i] >> 24) & 0xff);
810 }
811}
812
813/* Decodes input (unsigned char) into output (UINT4). Assumes len is
814 a multiple of 4.
815 */
816static void Decode (output, input, len)
817UINT4 *output;
818unsigned char *input;
819unsigned int len;
820{
821 unsigned int i, j;
822
823 for (i = 0, j = 0; j < len; i++, j += 4)
824 output[i] = ((UINT4)input[j]) | (((UINT4)input[j+1]) << 8) |
825 (((UINT4)input[j+2]) << 16) | (((UINT4)input[j+3]) << 24);
826}
827
828/* Note: Replace "for loop" with standard memcpy if possible.
829 */
830
831static void MD5_memcpy (output, input, len)
832POINTER output;
833POINTER input;
834unsigned int len;
835{
836 unsigned int i;
837
838 for (i = 0; i < len; i++)
839
840
841
842Rivest [Page 15]
843
844RFC 1321 MD5 Message-Digest Algorithm April 1992
845
846
847 output[i] = input[i];
848}
849
850/* Note: Replace "for loop" with standard memset if possible.
851 */
852static void MD5_memset (output, value, len)
853POINTER output;
854int value;
855unsigned int len;
856{
857 unsigned int i;
858
859 for (i = 0; i < len; i++)
860 ((char *)output)[i] = (char)value;
861}
862
863A.4 mddriver.c
864
865/* MDDRIVER.C - test driver for MD2, MD4 and MD5
866 */
867
868/* Copyright (C) 1990-2, RSA Data Security, Inc. Created 1990. All
869rights reserved.
870
871RSA Data Security, Inc. makes no representations concerning either
872the merchantability of this software or the suitability of this
873software for any particular purpose. It is provided "as is"
874without express or implied warranty of any kind.
875
876These notices must be retained in any copies of any part of this
877documentation and/or software.
878 */
879
880/* The following makes MD default to MD5 if it has not already been
881 defined with C compiler flags.
882 */
883#ifndef MD
884#define MD MD5
885#endif
886
887#include <stdio.h>
888#include <time.h>
889#include <string.h>
890#include "global.h"
891#if MD == 2
892#include "md2.h"
893#endif
894#if MD == 4
895
896
897
898Rivest [Page 16]
899
900RFC 1321 MD5 Message-Digest Algorithm April 1992
901
902
903#include "md4.h"
904#endif
905#if MD == 5
906#include "md5.h"
907#endif
908
909/* Length of test block, number of test blocks.
910 */
911#define TEST_BLOCK_LEN 1000
912#define TEST_BLOCK_COUNT 1000
913
914static void MDString PROTO_LIST ((char *));
915static void MDTimeTrial PROTO_LIST ((void));
916static void MDTestSuite PROTO_LIST ((void));
917static void MDFile PROTO_LIST ((char *));
918static void MDFilter PROTO_LIST ((void));
919static void MDPrint PROTO_LIST ((unsigned char [16]));
920
921#if MD == 2
922#define MD_CTX MD2_CTX
923#define MDInit MD2Init
924#define MDUpdate MD2Update
925#define MDFinal MD2Final
926#endif
927#if MD == 4
928#define MD_CTX MD4_CTX
929#define MDInit MD4Init
930#define MDUpdate MD4Update
931#define MDFinal MD4Final
932#endif
933#if MD == 5
934#define MD_CTX MD5_CTX
935#define MDInit MD5Init
936#define MDUpdate MD5Update
937#define MDFinal MD5Final
938#endif
939
940/* Main driver.
941
942Arguments (may be any combination):
943 -sstring - digests string
944 -t - runs time trial
945 -x - runs test script
946 filename - digests file
947 (none) - digests standard input
948 */
949int main (argc, argv)
950int argc;
951
952
953
954Rivest [Page 17]
955
956RFC 1321 MD5 Message-Digest Algorithm April 1992
957
958
959char *argv[];
960{
961 int i;
962
963 if (argc > 1)
964 for (i = 1; i < argc; i++)
965 if (argv[i][0] == '-' && argv[i][1] == 's')
966 MDString (argv[i] + 2);
967 else if (strcmp (argv[i], "-t") == 0)
968 MDTimeTrial ();
969 else if (strcmp (argv[i], "-x") == 0)
970 MDTestSuite ();
971 else
972 MDFile (argv[i]);
973 else
974 MDFilter ();
975
976 return (0);
977}
978
979/* Digests a string and prints the result.
980 */
981static void MDString (string)
982char *string;
983{
984 MD_CTX context;
985 unsigned char digest[16];
986 unsigned int len = strlen (string);
987
988 MDInit (&context);
989 MDUpdate (&context, string, len);
990 MDFinal (digest, &context);
991
992 printf ("MD%d (\"%s\") = ", MD, string);
993 MDPrint (digest);
994 printf ("\n");
995}
996
997/* Measures the time to digest TEST_BLOCK_COUNT TEST_BLOCK_LEN-byte
998 blocks.
999 */
1000static void MDTimeTrial ()
1001{
1002 MD_CTX context;
1003 time_t endTime, startTime;
1004 unsigned char block[TEST_BLOCK_LEN], digest[16];
1005 unsigned int i;
1006
1007
1008
1009
1010Rivest [Page 18]
1011
1012RFC 1321 MD5 Message-Digest Algorithm April 1992
1013
1014
1015 printf
1016 ("MD%d time trial. Digesting %d %d-byte blocks ...", MD,
1017 TEST_BLOCK_LEN, TEST_BLOCK_COUNT);
1018
1019 /* Initialize block */
1020 for (i = 0; i < TEST_BLOCK_LEN; i++)
1021 block[i] = (unsigned char)(i & 0xff);
1022
1023 /* Start timer */
1024 time (&startTime);
1025
1026 /* Digest blocks */
1027 MDInit (&context);
1028 for (i = 0; i < TEST_BLOCK_COUNT; i++)
1029 MDUpdate (&context, block, TEST_BLOCK_LEN);
1030 MDFinal (digest, &context);
1031
1032 /* Stop timer */
1033 time (&endTime);
1034
1035 printf (" done\n");
1036 printf ("Digest = ");
1037 MDPrint (digest);
1038 printf ("\nTime = %ld seconds\n", (long)(endTime-startTime));
1039 printf
1040 ("Speed = %ld bytes/second\n",
1041 (long)TEST_BLOCK_LEN * (long)TEST_BLOCK_COUNT/(endTime-startTime));
1042}
1043
1044/* Digests a reference suite of strings and prints the results.
1045 */
1046static void MDTestSuite ()
1047{
1048 printf ("MD%d test suite:\n", MD);
1049
1050 MDString ("");
1051 MDString ("a");
1052 MDString ("abc");
1053 MDString ("message digest");
1054 MDString ("abcdefghijklmnopqrstuvwxyz");
1055 MDString
1056 ("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789");
1057 MDString
1058 ("1234567890123456789012345678901234567890\
10591234567890123456789012345678901234567890");
1060}
1061
1062/* Digests a file and prints the result.
1063
1064
1065
1066Rivest [Page 19]
1067
1068RFC 1321 MD5 Message-Digest Algorithm April 1992
1069
1070
1071 */
1072static void MDFile (filename)
1073char *filename;
1074{
1075 FILE *file;
1076 MD_CTX context;
1077 int len;
1078 unsigned char buffer[1024], digest[16];
1079
1080 if ((file = fopen (filename, "rb")) == NULL)
1081 printf ("%s can't be opened\n", filename);
1082
1083 else {
1084 MDInit (&context);
1085 while (len = fread (buffer, 1, 1024, file))
1086 MDUpdate (&context, buffer, len);
1087 MDFinal (digest, &context);
1088
1089 fclose (file);
1090
1091 printf ("MD%d (%s) = ", MD, filename);
1092 MDPrint (digest);
1093 printf ("\n");
1094 }
1095}
1096
1097/* Digests the standard input and prints the result.
1098 */
1099static void MDFilter ()
1100{
1101 MD_CTX context;
1102 int len;
1103 unsigned char buffer[16], digest[16];
1104
1105 MDInit (&context);
1106 while (len = fread (buffer, 1, 16, stdin))
1107 MDUpdate (&context, buffer, len);
1108 MDFinal (digest, &context);
1109
1110 MDPrint (digest);
1111 printf ("\n");
1112}
1113
1114/* Prints a message digest in hexadecimal.
1115 */
1116static void MDPrint (digest)
1117unsigned char digest[16];
1118{
1119
1120
1121
1122Rivest [Page 20]
1123
1124RFC 1321 MD5 Message-Digest Algorithm April 1992
1125
1126
1127 unsigned int i;
1128
1129 for (i = 0; i < 16; i++)
1130 printf ("%02x", digest[i]);
1131}
1132
1133A.5 Test suite
1134
1135 The MD5 test suite (driver option "-x") should print the following
1136 results:
1137
1138MD5 test suite:
1139MD5 ("") = d41d8cd98f00b204e9800998ecf8427e
1140MD5 ("a") = 0cc175b9c0f1b6a831c399e269772661
1141MD5 ("abc") = 900150983cd24fb0d6963f7d28e17f72
1142MD5 ("message digest") = f96b697d7cb7938d525a2f31aaf161d0
1143MD5 ("abcdefghijklmnopqrstuvwxyz") = c3fcd3d76192e4007dfb496cca67e13b
1144MD5 ("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789") =
1145d174ab98d277d9f5a5611c2c9f419d9f
1146MD5 ("123456789012345678901234567890123456789012345678901234567890123456
114778901234567890") = 57edf4a22be3c955ac49da2e2107b67a
1148
1149Security Considerations
1150
1151 The level of security discussed in this memo is considered to be
1152 sufficient for implementing very high security hybrid digital-
1153 signature schemes based on MD5 and a public-key cryptosystem.
1154
1155Author's Address
1156
1157 Ronald L. Rivest
1158 Massachusetts Institute of Technology
1159 Laboratory for Computer Science
1160 NE43-324
1161 545 Technology Square
1162 Cambridge, MA 02139-1986
1163
1164 Phone: (617) 253-5880
1165 EMail: rivest@theory.lcs.mit.edu
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178Rivest [Page 21]
1179 \ No newline at end of file
diff --git a/src/md5.cpp b/src/md5.cpp
index abf4bfa..46ee769 100644
--- a/src/md5.cpp
+++ b/src/md5.cpp
@@ -13,29 +13,7 @@
13 13
14 14
15// This performs a wrapping bitwise shift, kinda' fun! 15// This performs a wrapping bitwise shift, kinda' fun!
16 16#define bitRoll( val, amnt ) ((val<<(amnt)) | (val>>(32-(amnt))))
17#define bit_roll( num, cnt ) \
18 (((num) << (cnt)) | (((num) >> (32 - (cnt))) & ~(-1<<(cnt))))
19
20//#define md5_cmn( q, a, b, x, s, t ) (bit_roll((a + q + x + t), s) + b)
21
22// The following are handy wrappers for the cmn function
23#define md5_ff( a, b, c, d, x, s, t ) \
24 (md5_cmn((b & c) | ((~b) & d), a, b, x, s, t))
25
26#define md5_gg( a, b, c, d, x, s, t ) \
27 (md5_cmn((b & d) | (c & (~d)), a, b, x, s, t))
28
29#define md5_hh( a, b, c, d, x, s, t ) \
30 (md5_cmn(b ^ c ^ d, a, b, x, s, t))
31
32#define md5_ii( a, b, c, d, x, s, t ) \
33 (md5_cmn(c ^ (b | (~d)), a, b, x, s, t))
34
35inline long md5_cmn( long q, long a, long b, long x, long s, long t )
36{
37 return bit_roll((a + q + x + t), s) + b;
38}
39 17
40Bu::Md5::Md5() 18Bu::Md5::Md5()
41{ 19{
@@ -50,10 +28,10 @@ void Bu::Md5::reset()
50{ 28{
51 // These are the magic seed numbers... 29 // These are the magic seed numbers...
52 30
53 sum[0] = 1732584193; 31 sum[0] = 0x67452301U;
54 sum[1] = -271733879; 32 sum[1] = 0xEFCDAB89U;
55 sum[2] = -1732584194; 33 sum[2] = 0x98BADCFEU;
56 sum[3] = 271733878; 34 sum[3] = 0x10325476U;
57 35
58 iBytes = 0; 36 iBytes = 0;
59 memset( inbuf, 0, 4*16 ); 37 memset( inbuf, 0, 4*16 );
diff --git a/src/md5.h b/src/md5.h
index 79b1d09..0be65fd 100644
--- a/src/md5.h
+++ b/src/md5.h
@@ -36,12 +36,12 @@ namespace Bu
36 /** 36 /**
37 * Compute one block of input data. 37 * Compute one block of input data.
38 */ 38 */
39 void compBlock( long *x, long *lsum ); 39 void compBlock( long *x, uint32_t *lsum );
40 void compCap( long *sumout ); 40 void compCap( uint32_t *sumout );
41 41
42 long inbuf[16]; 42 uint32_t inbuf[16];
43 long iFill; 43 uint32_t iFill;
44 long sum[4]; 44 uint32_t sum[4];
45 uint64_t iBytes; 45 uint64_t iBytes;
46 }; 46 };
47}; 47};