1   /*
2    * Copyright (C) 2017, Google Inc.
3    * and other copyright owners as documented in the project's IP log.
4    *
5    * This program and the accompanying materials are made available
6    * under the terms of the Eclipse Distribution License v1.0 which
7    * accompanies this distribution, is reproduced below, and is
8    * available at http://www.eclipse.org/org/documents/edl-v10.php
9    *
10   * All rights reserved.
11   *
12   * Redistribution and use in source and binary forms, with or
13   * without modification, are permitted provided that the following
14   * conditions are met:
15   *
16   * - Redistributions of source code must retain the above copyright
17   *   notice, this list of conditions and the following disclaimer.
18   *
19   * - Redistributions in binary form must reproduce the above
20   *   copyright notice, this list of conditions and the following
21   *   disclaimer in the documentation and/or other materials provided
22   *   with the distribution.
23   *
24   * - Neither the name of the Eclipse Foundation, Inc. nor the
25   *   names of its contributors may be used to endorse or promote
26   *   products derived from this software without specific prior
27   *   written permission.
28   *
29   * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND
30   * CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
31   * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
32   * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
33   * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
34   * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
35   * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
36   * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
37   * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
38   * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
39   * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
40   * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
41   * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
42   */
43  
44  package org.eclipse.jgit.util.sha1;
45  
46  import static java.lang.Integer.lowestOneBit;
47  import static java.lang.Integer.numberOfTrailingZeros;
48  import static java.lang.Integer.rotateLeft;
49  import static java.lang.Integer.rotateRight;
50  
51  import java.text.MessageFormat;
52  import java.util.Arrays;
53  
54  import org.eclipse.jgit.internal.JGitText;
55  import org.eclipse.jgit.lib.MutableObjectId;
56  import org.eclipse.jgit.lib.ObjectId;
57  import org.eclipse.jgit.util.NB;
58  import org.eclipse.jgit.util.SystemReader;
59  import org.slf4j.Logger;
60  import org.slf4j.LoggerFactory;
61  
62  /**
63   * Pure Java implementation of SHA-1 from FIPS 180-1 / RFC 3174.
64   *
65   * <p>
66   * See <a href="https://tools.ietf.org/html/rfc3174">RFC 3174</a>.
67   * <p>
68   * Unlike MessageDigest, this implementation includes the algorithm used by
69   * {@code sha1dc} to detect cryptanalytic collision attacks against SHA-1, such
70   * as the one used by <a href="https://shattered.it/">SHAttered</a>. See
71   * <a href="https://github.com/cr-marcstevens/sha1collisiondetection">
72   * sha1collisiondetection</a> for more information.
73   * <p>
74   * When detectCollision is true (default), this implementation throws
75   * {@link org.eclipse.jgit.util.sha1.Sha1CollisionException} from any digest
76   * method if a potential collision was detected.
77   *
78   * @since 4.7
79   */
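public class SHA1 {
	private static final Logger LOG = LoggerFactory.getLogger(SHA1.class);

	/** Process-wide default for collision detection, read once at class load. */
	private static final boolean DETECT_COLLISIONS;

	static {
		SystemReader sr = SystemReader.getInstance();
		String v = sr.getProperty("org.eclipse.jgit.util.sha1.detectCollision"); //$NON-NLS-1$
		// Detection stays on when the property is unset. Boolean.parseBoolean
		// yields true only for "true" (ignoring case), so every other value,
		// a typo included, switches detection off for the whole process.
		DETECT_COLLISIONS = v == null || Boolean.parseBoolean(v);
	}

	/**
	 * Create a new context to compute a SHA-1 hash of data.
	 *
	 * @return a new context to compute a SHA-1 hash of data.
	 */
	public static SHA1 newInstance() {
		return new SHA1();
	}

	/** Running hash state; {@link #compress()} folds each block into it. */
	private final State h = new State();

	/** Expanded 80-word message schedule of the block being compressed. */
	private final int[] w = new int[80];

	/** Buffer to accumulate partial blocks to 64 byte alignment. */
	private final byte[] buffer = new byte[64];

	/** Total number of bytes in the message. */
	private long length;

	/** Whether blocks hashed from now on are checked for likely collisions. */
	private boolean detectCollision = DETECT_COLLISIONS;

	/** Set once any checked block matched; cleared only by {@link #reset()}. */
	private boolean foundCollision;

	/** {@link #w} XORed with the {@code dm} mask of the DV entry under test. */
	private final int[] w2 = new int[80];

	/** Working variables captured by {@link #compress()} before step 58. */
	private final State state58 = new State();

	/** Working variables captured by {@link #compress()} before step 65. */
	private final State state65 = new State();

	/** Input state derived by {@link #recompress(int)} running backwards. */
	private final State hIn = new State();

	/** Output state derived by {@link #recompress(int)}; compared to h. */
	private final State hTmp = new State();

	private SHA1() {
		h.init();
	}

	/**
	 * Enable or disable detection of likely collisions.
	 * <p>
	 * Default is {@code true}.
	 * <p>
	 * May also be set by system property:
	 * {@code -Dorg.eclipse.jgit.util.sha1.detectCollision=true}.
	 * <p>
	 * Blocks hashed while detection is disabled are not checked at all, so
	 * they can never cause a
	 * {@link org.eclipse.jgit.util.sha1.Sha1CollisionException}.
	 *
	 * @param detect
	 *            {@code true} to check every block, {@code false} to skip the
	 *            check.
	 * @return {@code this}
	 */
	public SHA1 setDetectCollision(boolean detect) {
		detectCollision = detect;
		return this;
	}

	/**
	 * Update the digest computation by adding a byte.
	 *
	 * @param b a byte.
	 */
	public void update(byte b) {
		int bufferLen = (int) (length & 63);
		length++;
		buffer[bufferLen] = b;
		if (bufferLen == 63) {
			compress(buffer, 0);
		}
	}

	/**
	 * Update the digest computation by adding bytes to the message.
	 *
	 * @param in
	 *            input array of bytes.
	 */
	public void update(byte[] in) {
		update(in, 0, in.length);
	}

	/**
	 * Update the digest computation by adding bytes to the message.
	 *
	 * @param in
	 *            input array of bytes.
	 * @param p
	 *            offset to start at from {@code in}.
	 * @param len
	 *            number of bytes to hash.
	 * @throws ArrayIndexOutOfBoundsException
	 *             if {@code p} or {@code len} is negative, or the range runs
	 *             past the end of {@code in}. The digest state is unchanged
	 *             in that case.
	 */
	public void update(byte[] in, int p, int len) {
		// Validate before touching any state: a rejected call must leave
		// length and buffer exactly as they were, otherwise everything hashed
		// afterwards would silently produce a wrong digest. A negative len on
		// a block-aligned context would otherwise just shrink length.
		// "p > in.length - len" avoids the int overflow of "p + len".
		if (p < 0 || len < 0 || p > in.length - len) {
			throw new ArrayIndexOutOfBoundsException(MessageFormat.format(
					"offset {0}, length {1}, array length {2}", //$NON-NLS-1$
					Integer.valueOf(p), Integer.valueOf(len),
					Integer.valueOf(in.length)));
		}

		// SHA-1 compress can only process whole 64 byte blocks.
		// Hold partial updates in buffer, whose length is the low bits.
		int bufferLen = (int) (length & 63);
		length += len;

		if (bufferLen > 0) {
			int n = Math.min(64 - bufferLen, len);
			System.arraycopy(in, p, buffer, bufferLen, n);
			p += n;
			len -= n;
			if (bufferLen + n < 64) {
				return;
			}
			compress(buffer, 0);
		}
		while (len >= 64) {
			compress(in, p);
			p += 64;
			len -= 64;
		}
		if (len > 0) {
			System.arraycopy(in, p, buffer, 0, len);
		}
	}

	/**
	 * Compress one 64 byte block into {@link #h} and, when detection is
	 * enabled, test it for a likely collision.
	 *
	 * @param block
	 *            array holding the block.
	 * @param p
	 *            offset of the block's first byte.
	 */
	private void compress(byte[] block, int p) {
		initBlock(block, p);
		// Each set bit of the mask selects one UbcCheck.DV entry to test.
		int ubcDvMask = detectCollision ? UbcCheck.check(w) : 0;
		compress();

		while (ubcDvMask != 0) {
			int b = numberOfTrailingZeros(lowestOneBit(ubcDvMask));
			UbcCheck.DvInfo dv = UbcCheck.DV[b];
			for (int i = 0; i < 80; i++) {
				w2[i] = w[i] ^ dv.dm[i];
			}
			recompress(dv.testt);
			// The modified schedule reaching the same output state as the
			// real one is what gets reported as a likely collision.
			if (eq(hTmp, h)) {
				foundCollision = true;
				break;
			}
			ubcDvMask &= ~(1 << b);
		}
	}

	/**
	 * Load a block into {@link #w} and expand it to the full 80 words.
	 *
	 * @param block
	 *            array holding the block.
	 * @param p
	 *            offset of the block's first byte.
	 */
	private void initBlock(byte[] block, int p) {
		for (int t = 0; t < 16; t++) {
			w[t] = NB.decodeInt32(block, p + (t << 2));
		}

		// RFC 3174 6.1.b, extend state vector to 80 words.
		for (int t = 16; t < 80; t++) {
			int x = w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16];
			w[t] = rotateLeft(x, 1); // S^1(...)
		}
	}

	/**
	 * Run the 80 steps over {@link #w} and add the result into {@link #h}.
	 * <p>
	 * The working variables before step 58 and before step 65 are kept in
	 * {@link #state58} and {@link #state65} so that {@link #recompress(int)}
	 * can restart from either point.
	 */
	private void compress() {
		// Method 1 from RFC 3174 section 6.1.
		// Method 2 (circular queue of 16 words) is slower.
		int a = h.a, b = h.b, c = h.c, d = h.d, e = h.e;

		// The steps are unrolled; instead of shifting values between the
		// five variables, each step rotates which variable plays which role.
		// @formatter:off
		 e += s1(a, b, c, d,w[ 0]);  b = rotateLeft( b, 30);
		 d += s1(e, a, b, c,w[ 1]);  a = rotateLeft( a, 30);
		 c += s1(d, e, a, b,w[ 2]);  e = rotateLeft( e, 30);
		 b += s1(c, d, e, a,w[ 3]);  d = rotateLeft( d, 30);
		 a += s1(b, c, d, e,w[ 4]);  c = rotateLeft( c, 30);
		 e += s1(a, b, c, d,w[ 5]);  b = rotateLeft( b, 30);
		 d += s1(e, a, b, c,w[ 6]);  a = rotateLeft( a, 30);
		 c += s1(d, e, a, b,w[ 7]);  e = rotateLeft( e, 30);
		 b += s1(c, d, e, a,w[ 8]);  d = rotateLeft( d, 30);
		 a += s1(b, c, d, e,w[ 9]);  c = rotateLeft( c, 30);
		 e += s1(a, b, c, d,w[ 10]);  b = rotateLeft( b, 30);
		 d += s1(e, a, b, c,w[ 11]);  a = rotateLeft( a, 30);
		 c += s1(d, e, a, b,w[ 12]);  e = rotateLeft( e, 30);
		 b += s1(c, d, e, a,w[ 13]);  d = rotateLeft( d, 30);
		 a += s1(b, c, d, e,w[ 14]);  c = rotateLeft( c, 30);
		 e += s1(a, b, c, d,w[ 15]);  b = rotateLeft( b, 30);
		 d += s1(e, a, b, c,w[ 16]);  a = rotateLeft( a, 30);
		 c += s1(d, e, a, b,w[ 17]);  e = rotateLeft( e, 30);
		 b += s1(c, d, e, a,w[ 18]);  d = rotateLeft( d, 30);
		 a += s1(b, c, d, e,w[ 19]);  c = rotateLeft( c, 30);

		 e += s2(a, b, c, d,w[ 20]);  b = rotateLeft( b, 30);
		 d += s2(e, a, b, c,w[ 21]);  a = rotateLeft( a, 30);
		 c += s2(d, e, a, b,w[ 22]);  e = rotateLeft( e, 30);
		 b += s2(c, d, e, a,w[ 23]);  d = rotateLeft( d, 30);
		 a += s2(b, c, d, e,w[ 24]);  c = rotateLeft( c, 30);
		 e += s2(a, b, c, d,w[ 25]);  b = rotateLeft( b, 30);
		 d += s2(e, a, b, c,w[ 26]);  a = rotateLeft( a, 30);
		 c += s2(d, e, a, b,w[ 27]);  e = rotateLeft( e, 30);
		 b += s2(c, d, e, a,w[ 28]);  d = rotateLeft( d, 30);
		 a += s2(b, c, d, e,w[ 29]);  c = rotateLeft( c, 30);
		 e += s2(a, b, c, d,w[ 30]);  b = rotateLeft( b, 30);
		 d += s2(e, a, b, c,w[ 31]);  a = rotateLeft( a, 30);
		 c += s2(d, e, a, b,w[ 32]);  e = rotateLeft( e, 30);
		 b += s2(c, d, e, a,w[ 33]);  d = rotateLeft( d, 30);
		 a += s2(b, c, d, e,w[ 34]);  c = rotateLeft( c, 30);
		 e += s2(a, b, c, d,w[ 35]);  b = rotateLeft( b, 30);
		 d += s2(e, a, b, c,w[ 36]);  a = rotateLeft( a, 30);
		 c += s2(d, e, a, b,w[ 37]);  e = rotateLeft( e, 30);
		 b += s2(c, d, e, a,w[ 38]);  d = rotateLeft( d, 30);
		 a += s2(b, c, d, e,w[ 39]);  c = rotateLeft( c, 30);

		 e += s3(a, b, c, d,w[ 40]);  b = rotateLeft( b, 30);
		 d += s3(e, a, b, c,w[ 41]);  a = rotateLeft( a, 30);
		 c += s3(d, e, a, b,w[ 42]);  e = rotateLeft( e, 30);
		 b += s3(c, d, e, a,w[ 43]);  d = rotateLeft( d, 30);
		 a += s3(b, c, d, e,w[ 44]);  c = rotateLeft( c, 30);
		 e += s3(a, b, c, d,w[ 45]);  b = rotateLeft( b, 30);
		 d += s3(e, a, b, c,w[ 46]);  a = rotateLeft( a, 30);
		 c += s3(d, e, a, b,w[ 47]);  e = rotateLeft( e, 30);
		 b += s3(c, d, e, a,w[ 48]);  d = rotateLeft( d, 30);
		 a += s3(b, c, d, e,w[ 49]);  c = rotateLeft( c, 30);
		 e += s3(a, b, c, d,w[ 50]);  b = rotateLeft( b, 30);
		 d += s3(e, a, b, c,w[ 51]);  a = rotateLeft( a, 30);
		 c += s3(d, e, a, b,w[ 52]);  e = rotateLeft( e, 30);
		 b += s3(c, d, e, a,w[ 53]);  d = rotateLeft( d, 30);
		 a += s3(b, c, d, e,w[ 54]);  c = rotateLeft( c, 30);
		 e += s3(a, b, c, d,w[ 55]);  b = rotateLeft( b, 30);
		 d += s3(e, a, b, c,w[ 56]);  a = rotateLeft( a, 30);
		 c += s3(d, e, a, b,w[ 57]);  e = rotateLeft( e, 30);
		state58.save(a, b, c, d, e);
		 b += s3(c, d, e, a,w[ 58]);  d = rotateLeft( d, 30);
		 a += s3(b, c, d, e,w[ 59]);  c = rotateLeft( c, 30);

		 e += s4(a, b, c, d,w[ 60]);  b = rotateLeft( b, 30);
		 d += s4(e, a, b, c,w[ 61]);  a = rotateLeft( a, 30);
		 c += s4(d, e, a, b,w[ 62]);  e = rotateLeft( e, 30);
		 b += s4(c, d, e, a,w[ 63]);  d = rotateLeft( d, 30);
		 a += s4(b, c, d, e,w[ 64]);  c = rotateLeft( c, 30);
		state65.save(a, b, c, d, e);
		 e += s4(a, b, c, d,w[ 65]);  b = rotateLeft( b, 30);
		 d += s4(e, a, b, c,w[ 66]);  a = rotateLeft( a, 30);
		 c += s4(d, e, a, b,w[ 67]);  e = rotateLeft( e, 30);
		 b += s4(c, d, e, a,w[ 68]);  d = rotateLeft( d, 30);
		 a += s4(b, c, d, e,w[ 69]);  c = rotateLeft( c, 30);
		 e += s4(a, b, c, d,w[ 70]);  b = rotateLeft( b, 30);
		 d += s4(e, a, b, c,w[ 71]);  a = rotateLeft( a, 30);
		 c += s4(d, e, a, b,w[ 72]);  e = rotateLeft( e, 30);
		 b += s4(c, d, e, a,w[ 73]);  d = rotateLeft( d, 30);
		 a += s4(b, c, d, e,w[ 74]);  c = rotateLeft( c, 30);
		 e += s4(a, b, c, d,w[ 75]);  b = rotateLeft( b, 30);
		 d += s4(e, a, b, c,w[ 76]);  a = rotateLeft( a, 30);
		 c += s4(d, e, a, b,w[ 77]);  e = rotateLeft( e, 30);
		 b += s4(c, d, e, a,w[ 78]);  d = rotateLeft( d, 30);
		 a += s4(b, c, d, e,w[ 79]);  c = rotateLeft( c, 30);

		// @formatter:on
		h.save(h.a + a, h.b + b, h.c + c, h.d + d, h.e + e);
	}

	/**
	 * Recompute the block with the modified schedule {@link #w2}, starting
	 * from the working variables saved at step {@code t}.
	 * <p>
	 * The steps before {@code t} are undone to obtain the input state
	 * ({@link #hIn}), the steps from {@code t} on are redone, and the sum of
	 * both is stored in {@link #hTmp} for the caller to compare with
	 * {@link #h}.
	 *
	 * @param t
	 *            step to restart from; only 58 and 65 have a saved state.
	 * @throws IllegalStateException
	 *             if {@code t} is neither 58 nor 65.
	 */
	private void recompress(int t) {
		State s;
		if (t == 58) {
			s = state58;
		} else if (t == 65) {
			s = state65;
		} else {
			throw new IllegalStateException();
		}
		int a = s.a, b = s.b, c = s.c, d = s.d, e = s.e;

		// Backwards: each line is the inverse of the matching compress()
		// step, so the order within a line is rotate first, subtract second.
		// @formatter:off
	  if (t == 65) {
		{ c = rotateRight( c, 30);  a -= s4(b, c, d, e,w2[ 64]);}
		{ d = rotateRight( d, 30);  b -= s4(c, d, e, a,w2[ 63]);}
		{ e = rotateRight( e, 30);  c -= s4(d, e, a, b,w2[ 62]);}
		{ a = rotateRight( a, 30);  d -= s4(e, a, b, c,w2[ 61]);}
		{ b = rotateRight( b, 30);  e -= s4(a, b, c, d,w2[ 60]);}

		{ c = rotateRight( c, 30);  a -= s3(b, c, d, e,w2[ 59]);}
		{ d = rotateRight( d, 30);  b -= s3(c, d, e, a,w2[ 58]);}
	  }
		{ e = rotateRight( e, 30);  c -= s3(d, e, a, b,w2[ 57]);}
		{ a = rotateRight( a, 30);  d -= s3(e, a, b, c,w2[ 56]);}
		{ b = rotateRight( b, 30);  e -= s3(a, b, c, d,w2[ 55]);}
		{ c = rotateRight( c, 30);  a -= s3(b, c, d, e,w2[ 54]);}
		{ d = rotateRight( d, 30);  b -= s3(c, d, e, a,w2[ 53]);}
		{ e = rotateRight( e, 30);  c -= s3(d, e, a, b,w2[ 52]);}
		{ a = rotateRight( a, 30);  d -= s3(e, a, b, c,w2[ 51]);}
		{ b = rotateRight( b, 30);  e -= s3(a, b, c, d,w2[ 50]);}
		{ c = rotateRight( c, 30);  a -= s3(b, c, d, e,w2[ 49]);}
		{ d = rotateRight( d, 30);  b -= s3(c, d, e, a,w2[ 48]);}
		{ e = rotateRight( e, 30);  c -= s3(d, e, a, b,w2[ 47]);}
		{ a = rotateRight( a, 30);  d -= s3(e, a, b, c,w2[ 46]);}
		{ b = rotateRight( b, 30);  e -= s3(a, b, c, d,w2[ 45]);}
		{ c = rotateRight( c, 30);  a -= s3(b, c, d, e,w2[ 44]);}
		{ d = rotateRight( d, 30);  b -= s3(c, d, e, a,w2[ 43]);}
		{ e = rotateRight( e, 30);  c -= s3(d, e, a, b,w2[ 42]);}
		{ a = rotateRight( a, 30);  d -= s3(e, a, b, c,w2[ 41]);}
		{ b = rotateRight( b, 30);  e -= s3(a, b, c, d,w2[ 40]);}

		{ c = rotateRight( c, 30);  a -= s2(b, c, d, e,w2[ 39]);}
		{ d = rotateRight( d, 30);  b -= s2(c, d, e, a,w2[ 38]);}
		{ e = rotateRight( e, 30);  c -= s2(d, e, a, b,w2[ 37]);}
		{ a = rotateRight( a, 30);  d -= s2(e, a, b, c,w2[ 36]);}
		{ b = rotateRight( b, 30);  e -= s2(a, b, c, d,w2[ 35]);}
		{ c = rotateRight( c, 30);  a -= s2(b, c, d, e,w2[ 34]);}
		{ d = rotateRight( d, 30);  b -= s2(c, d, e, a,w2[ 33]);}
		{ e = rotateRight( e, 30);  c -= s2(d, e, a, b,w2[ 32]);}
		{ a = rotateRight( a, 30);  d -= s2(e, a, b, c,w2[ 31]);}
		{ b = rotateRight( b, 30);  e -= s2(a, b, c, d,w2[ 30]);}
		{ c = rotateRight( c, 30);  a -= s2(b, c, d, e,w2[ 29]);}
		{ d = rotateRight( d, 30);  b -= s2(c, d, e, a,w2[ 28]);}
		{ e = rotateRight( e, 30);  c -= s2(d, e, a, b,w2[ 27]);}
		{ a = rotateRight( a, 30);  d -= s2(e, a, b, c,w2[ 26]);}
		{ b = rotateRight( b, 30);  e -= s2(a, b, c, d,w2[ 25]);}
		{ c = rotateRight( c, 30);  a -= s2(b, c, d, e,w2[ 24]);}
		{ d = rotateRight( d, 30);  b -= s2(c, d, e, a,w2[ 23]);}
		{ e = rotateRight( e, 30);  c -= s2(d, e, a, b,w2[ 22]);}
		{ a = rotateRight( a, 30);  d -= s2(e, a, b, c,w2[ 21]);}
		{ b = rotateRight( b, 30);  e -= s2(a, b, c, d,w2[ 20]);}

		{ c = rotateRight( c, 30);  a -= s1(b, c, d, e,w2[ 19]);}
		{ d = rotateRight( d, 30);  b -= s1(c, d, e, a,w2[ 18]);}
		{ e = rotateRight( e, 30);  c -= s1(d, e, a, b,w2[ 17]);}
		{ a = rotateRight( a, 30);  d -= s1(e, a, b, c,w2[ 16]);}
		{ b = rotateRight( b, 30);  e -= s1(a, b, c, d,w2[ 15]);}
		{ c = rotateRight( c, 30);  a -= s1(b, c, d, e,w2[ 14]);}
		{ d = rotateRight( d, 30);  b -= s1(c, d, e, a,w2[ 13]);}
		{ e = rotateRight( e, 30);  c -= s1(d, e, a, b,w2[ 12]);}
		{ a = rotateRight( a, 30);  d -= s1(e, a, b, c,w2[ 11]);}
		{ b = rotateRight( b, 30);  e -= s1(a, b, c, d,w2[ 10]);}
		{ c = rotateRight( c, 30);  a -= s1(b, c, d, e,w2[ 9]);}
		{ d = rotateRight( d, 30);  b -= s1(c, d, e, a,w2[ 8]);}
		{ e = rotateRight( e, 30);  c -= s1(d, e, a, b,w2[ 7]);}
		{ a = rotateRight( a, 30);  d -= s1(e, a, b, c,w2[ 6]);}
		{ b = rotateRight( b, 30);  e -= s1(a, b, c, d,w2[ 5]);}
		{ c = rotateRight( c, 30);  a -= s1(b, c, d, e,w2[ 4]);}
		{ d = rotateRight( d, 30);  b -= s1(c, d, e, a,w2[ 3]);}
		{ e = rotateRight( e, 30);  c -= s1(d, e, a, b,w2[ 2]);}
		{ a = rotateRight( a, 30);  d -= s1(e, a, b, c,w2[ 1]);}
		{ b = rotateRight( b, 30);  e -= s1(a, b, c, d,w2[ 0]);}

		// Input state under w2; then restart from the saved point and run
		// the remaining steps forwards.
		hIn.save(a, b, c, d, e);
		a = s.a; b = s.b; c = s.c; d = s.d; e = s.e;

	  if (t == 58) {
		{ b += s3(c, d, e, a,w2[ 58]);  d = rotateLeft( d, 30);}
		{ a += s3(b, c, d, e,w2[ 59]);  c = rotateLeft( c, 30);}

		{ e += s4(a, b, c, d,w2[ 60]);  b = rotateLeft( b, 30);}
		{ d += s4(e, a, b, c,w2[ 61]);  a = rotateLeft( a, 30);}
		{ c += s4(d, e, a, b,w2[ 62]);  e = rotateLeft( e, 30);}
		{ b += s4(c, d, e, a,w2[ 63]);  d = rotateLeft( d, 30);}
		{ a += s4(b, c, d, e,w2[ 64]);  c = rotateLeft( c, 30);}
	  }
		{ e += s4(a, b, c, d,w2[ 65]);  b = rotateLeft( b, 30);}
		{ d += s4(e, a, b, c,w2[ 66]);  a = rotateLeft( a, 30);}
		{ c += s4(d, e, a, b,w2[ 67]);  e = rotateLeft( e, 30);}
		{ b += s4(c, d, e, a,w2[ 68]);  d = rotateLeft( d, 30);}
		{ a += s4(b, c, d, e,w2[ 69]);  c = rotateLeft( c, 30);}
		{ e += s4(a, b, c, d,w2[ 70]);  b = rotateLeft( b, 30);}
		{ d += s4(e, a, b, c,w2[ 71]);  a = rotateLeft( a, 30);}
		{ c += s4(d, e, a, b,w2[ 72]);  e = rotateLeft( e, 30);}
		{ b += s4(c, d, e, a,w2[ 73]);  d = rotateLeft( d, 30);}
		{ a += s4(b, c, d, e,w2[ 74]);  c = rotateLeft( c, 30);}
		{ e += s4(a, b, c, d,w2[ 75]);  b = rotateLeft( b, 30);}
		{ d += s4(e, a, b, c,w2[ 76]);  a = rotateLeft( a, 30);}
		{ c += s4(d, e, a, b,w2[ 77]);  e = rotateLeft( e, 30);}
		{ b += s4(c, d, e, a,w2[ 78]);  d = rotateLeft( d, 30);}
		{ a += s4(b, c, d, e,w2[ 79]);  c = rotateLeft( c, 30);}

		// @formatter:on
		hTmp.save(hIn.a + a, hIn.b + b, hIn.c + c, hIn.d + d, hIn.e + e);
	}

	/** Step term for 0 <= t <= 19, without the addition of the fifth word. */
	private static int s1(int a, int b, int c, int d, int w_t) {
		return rotateLeft(a, 5)
				// f: 0 <= t <= 19
				+ ((b & c) | ((~b) & d))
				+ 0x5A827999 + w_t;
	}

	/** Step term for 20 <= t <= 39, without the addition of the fifth word. */
	private static int s2(int a, int b, int c, int d, int w_t) {
		return rotateLeft(a, 5)
				// f: 20 <= t <= 39
				+ (b ^ c ^ d)
				+ 0x6ED9EBA1 + w_t;
	}

	/** Step term for 40 <= t <= 59, without the addition of the fifth word. */
	private static int s3(int a, int b, int c, int d, int w_t) {
		return rotateLeft(a, 5)
				// f: 40 <= t <= 59
				+ ((b & c) | (b & d) | (c & d))
				+ 0x8F1BBCDC + w_t;
	}

	/** Step term for 60 <= t <= 79, without the addition of the fifth word. */
	private static int s4(int a, int b, int c, int d, int w_t) {
		return rotateLeft(a, 5)
				// f: 60 <= t <= 79
				+ (b ^ c ^ d)
				+ 0xCA62C1D6 + w_t;
	}

	/** Compare all five words of two states. */
	private static boolean eq(State q, State r) {
		return q.a == r.a
				&& q.b == r.b
				&& q.c == r.c
				&& q.d == r.d
				&& q.e == r.e;
	}

	/**
	 * Pad the message, append its bit length and compress the final block.
	 *
	 * @throws Sha1CollisionException
	 *             if any checked block of the message was flagged as a likely
	 *             collision. The event is logged as a warning first.
	 */
	private void finish() {
		int bufferLen = (int) (length & 63);
		if (bufferLen > 55) {
			// Last block is too small; pad, compress, pad another block.
			buffer[bufferLen++] = (byte) 0x80;
			Arrays.fill(buffer, bufferLen, 64, (byte) 0);
			compress(buffer, 0);
			Arrays.fill(buffer, 0, 56, (byte) 0);
		} else {
			// Last block can hold padding and length.
			buffer[bufferLen++] = (byte) 0x80;
			Arrays.fill(buffer, bufferLen, 56, (byte) 0);
		}

		// SHA-1 appends the length of the message in bits after the
		// padding block (above). Here length is in bytes. Multiply by
		// 8 by shifting by 3 as part of storing the 64 bit byte length
		// into the two words expected in the trailer.
		NB.encodeInt32(buffer, 56, (int) (length >>> (32 - 3)));
		NB.encodeInt32(buffer, 60, (int) (length << 3));
		compress(buffer, 0);

		// Checked only here, after the padding block has been tested too.
		if (foundCollision) {
			ObjectId id = h.toObjectId();
			LOG.warn(MessageFormat.format(JGitText.get().sha1CollisionDetected,
					id.name()));
			throw new Sha1CollisionException(id);
		}
	}

	/**
	 * Finish the digest and return the resulting hash.
	 * <p>
	 * Once {@code digest()} is called, this instance should be discarded.
	 *
	 * @return the bytes for the resulting hash.
	 * @throws org.eclipse.jgit.util.sha1.Sha1CollisionException
	 *             if collision detection was enabled and a likely collision
	 *             was detected.
	 */
	public byte[] digest() throws Sha1CollisionException {
		finish();

		byte[] b = new byte[20];
		NB.encodeInt32(b, 0, h.a);
		NB.encodeInt32(b, 4, h.b);
		NB.encodeInt32(b, 8, h.c);
		NB.encodeInt32(b, 12, h.d);
		NB.encodeInt32(b, 16, h.e);
		return b;
	}

	/**
	 * Finish the digest and return the resulting hash.
	 * <p>
	 * Once {@code toObjectId()} is called, this instance should be discarded.
	 *
	 * @return the ObjectId for the resulting hash.
	 * @throws org.eclipse.jgit.util.sha1.Sha1CollisionException
	 *             if collision detection was enabled and a likely collision
	 *             was detected.
	 */
	public ObjectId toObjectId() throws Sha1CollisionException {
		finish();
		return h.toObjectId();
	}

	/**
	 * Finish the digest and return the resulting hash.
	 * <p>
	 * Once {@code digest()} is called, this instance should be discarded.
	 *
	 * @param id
	 *            destination to copy the digest to.
	 * @throws org.eclipse.jgit.util.sha1.Sha1CollisionException
	 *             if collision detection was enabled and a likely collision
	 *             was detected. {@code id} is not modified in that case.
	 */
	public void digest(MutableObjectId id) throws Sha1CollisionException {
		finish();
		id.set(h.a, h.b, h.c, h.d, h.e);
	}

	/**
	 * Check if a collision was detected.
	 *
	 * <p>
	 * This method only returns an accurate result after the digest was obtained
	 * through {@link #digest()}, {@link #digest(MutableObjectId)} or
	 * {@link #toObjectId()}, as the hashing function must finish processing to
	 * know the final state.
	 *
	 * @return {@code true} if a likely collision was detected.
	 */
	public boolean hasCollision() {
		return foundCollision;
	}

	/**
	 * Reset this instance to compute another hash.
	 * <p>
	 * The hash state, the message length and the collision flag are cleared;
	 * the {@link #setDetectCollision(boolean)} setting is kept.
	 *
	 * @return {@code this}.
	 */
	public SHA1 reset() {
		h.init();
		length = 0;
		foundCollision = false;
		return this;
	}

	/** The five 32 bit words of a SHA-1 state. */
	private static final class State {
		int a;
		int b;
		int c;
		int d;
		int e;

		final void init() {
			// Magic initialization constants defined by FIPS180.
			save(0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0);
		}

		final void save(int a1, int b1, int c1, int d1, int e1) {
			a = a1;
			b = b1;
			c = c1;
			d = d1;
			e = e1;
		}

		ObjectId toObjectId() {
			return new ObjectId(a, b, c, d, e);
		}
	}
}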