我正在尝试用python重新实现SHA1算法,但是我的函数的结果与内置hashlib中的结果不同,一开始我以为问题出在我的rotate函数中,但是修复后,仍然存在差异输出,这是我的代码:
from hashlib import sha1 as builtin_sha1
def rotl32(value: int, count: int) -> int:
return ((value << count) | (value >> (32 - count))) & 0xffffffff
def default_sha1(data: bytes) -> bytes:
return builtin_sha1(data).digest()
def sha1(data: bytes) -> bytes:
# initialize variables
h0 = 0x67452301
h1 = 0xefcdab89
h2 = 0x98badcfe
h3 = 0x10325476
h4 = 0xc3d2e1f0
msg_len = len(data)
# append 0x80
data += b"\x80"
# append 0x00 until msg_len % 64 == 56
data += b"\x00" * ((56 - msg_len % 64) % 64)
# append bit length as 64-bit big-endian integer
data += (msg_len * 8).to_bytes(8, "big")
# get the new length (now a multiple of 64)
msg_len = len(data)
for i in range(0, msg_len, 64):
# for each chunk of 64 bytes
# break the chunk into sixteen 32-bit big-endian words
words = [int.from_bytes(data[i + j:i + j + 4], "big")
for j in range(0, 64, 4)]
# extend the sixteen 32-bit words into eighty 32-bit words
for j in range(16, 80):
words.append(
rotl32((words[j - 3] ^ words[j - 8] ^ words[j - 14] ^ words[j - 16]), 1)
)
# initialize hash value for this chunk
a = h0
b = h1
c = h2
d = h3
e = h4
for j in range(80):
if 0 <= j <= 19:
f = (b & c) | ((~b) & d)
k = 0x5a827999
elif 20 <= j <= 39:
f = b ^ c ^ d
k = 0x6ed9eba1
elif 40 <= j <= 59:
f = (b & c) | (b & d) | (c & d)
k = 0x8f1bbcdc
else: # 60 <= j <= 79:
f = b ^ c ^ d
k = 0xca62c1d6
temp = (rotl32(a, 5) + f + e + k + words[j]) & 0xffffffff
e = d
d = c
c = rotl32(b, 30)
b = a
a = temp
# add this chunk's hash to result so far
h0 = (h0 + a) & 0xffffffff
h1 = (h1 + b) & 0xffffffff
h2 = (h2 + c) & 0xffffffff
h3 = (h3 + d) & 0xffffffff
h4 = (h4 + e) & 0xffffffff
# produce the final hash value
return ((h0 << 128) | (h1 << 96) | (h2 << 64) | (h3 << 32) | h4).to_bytes(20, "big")
if __name__ == "__main__":
assert(sha1(b"hello") == default_sha1(b"hello")) # diff
也许这是一个字节序问题,但我到处都使用大字节序,我使用维基百科上的伪代码作为参考SHA1。
编辑:我附加了消息的字节长度而不是位长度,现在代码已更正并附加了位长度,但它仍然与内置实现不同
已解决,问题在于计算填充的公式,而不是
data += b"\x00" * ((56 - msg_len % 64) % 64)
,它应该是data += b"\x00" * ((56 - (msg_len + 1) % 64) % 64)
,因为因为我在附加len(msg)
之前计算了0x80
,所以我需要将1
添加到msg_len
以获得实际长度。