374330e2 |
1 | /* |
e5574168 |
2 | * SHA1 hash algorithm. Used in SSH2 as a MAC, and the transform is |
3 | * also used as a `stirring' function for the PuTTY random number |
4 | * pool. Implemented directly from the specification by Simon |
5 | * Tatham. |
374330e2 |
6 | */ |
7 | |
8 | #include "ssh.h" |
9 | |
e5574168 |
10 | typedef unsigned int uint32; |
11 | |
12 | /* ---------------------------------------------------------------------- |
13 | * Core SHA algorithm: processes 16-word blocks into a message digest. |
14 | */ |
15 | |
16 | #define rol(x,y) ( ((x) << (y)) | (((uint32)x) >> (32-y)) ) |
17 | |
18 | void SHA_Core_Init(uint32 h[5]) { |
19 | h[0] = 0x67452301; |
20 | h[1] = 0xefcdab89; |
21 | h[2] = 0x98badcfe; |
22 | h[3] = 0x10325476; |
23 | h[4] = 0xc3d2e1f0; |
24 | } |
e9483e66 |
25 | |
26 | void SHATransform(word32 *digest, word32 *block) { |
27 | word32 w[80]; |
28 | word32 a,b,c,d,e; |
29 | int t; |
30 | |
31 | for (t = 0; t < 16; t++) |
32 | w[t] = block[t]; |
33 | |
34 | for (t = 16; t < 80; t++) { |
35 | word32 tmp = w[t-3] ^ w[t-8] ^ w[t-14] ^ w[t-16]; |
36 | w[t] = rol(tmp, 1); |
37 | } |
38 | |
39 | a = digest[0]; |
40 | b = digest[1]; |
41 | c = digest[2]; |
42 | d = digest[3]; |
43 | e = digest[4]; |
44 | |
45 | for (t = 0; t < 20; t++) { |
46 | word32 tmp = rol(a, 5) + ( (b&c) | (d&~b) ) + e + w[t] + 0x5a827999; |
47 | e = d; d = c; c = rol(b, 30); b = a; a = tmp; |
48 | } |
49 | for (t = 20; t < 40; t++) { |
50 | word32 tmp = rol(a, 5) + (b^c^d) + e + w[t] + 0x6ed9eba1; |
51 | e = d; d = c; c = rol(b, 30); b = a; a = tmp; |
52 | } |
53 | for (t = 40; t < 60; t++) { |
54 | word32 tmp = rol(a, 5) + ( (b&c) | (b&d) | (c&d) ) + e + w[t] + 0x8f1bbcdc; |
55 | e = d; d = c; c = rol(b, 30); b = a; a = tmp; |
56 | } |
57 | for (t = 60; t < 80; t++) { |
58 | word32 tmp = rol(a, 5) + (b^c^d) + e + w[t] + 0xca62c1d6; |
59 | e = d; d = c; c = rol(b, 30); b = a; a = tmp; |
60 | } |
61 | |
62 | digest[0] += a; |
63 | digest[1] += b; |
64 | digest[2] += c; |
65 | digest[3] += d; |
66 | digest[4] += e; |
374330e2 |
67 | } |
e5574168 |
68 | |
69 | /* ---------------------------------------------------------------------- |
70 | * Outer SHA algorithm: take an arbitrary length byte string, |
71 | * convert it into 16-word blocks with the prescribed padding at |
72 | * the end, and pass those blocks to the core SHA algorithm. |
73 | */ |
74 | |
75 | void SHA_Init(SHA_State *s) { |
76 | SHA_Core_Init(s->h); |
77 | s->blkused = 0; |
78 | s->lenhi = s->lenlo = 0; |
79 | } |
80 | |
81 | void SHA_Bytes(SHA_State *s, void *p, int len) { |
82 | unsigned char *q = (unsigned char *)p; |
83 | uint32 wordblock[16]; |
84 | uint32 lenw = len; |
85 | int i; |
86 | |
87 | /* |
88 | * Update the length field. |
89 | */ |
90 | s->lenlo += lenw; |
91 | s->lenhi += (s->lenlo < lenw); |
92 | |
93 | if (s->blkused && s->blkused+len < 64) { |
94 | /* |
95 | * Trivial case: just add to the block. |
96 | */ |
97 | memcpy(s->block + s->blkused, q, len); |
98 | s->blkused += len; |
99 | } else { |
100 | /* |
101 | * We must complete and process at least one block. |
102 | */ |
103 | while (s->blkused + len >= 64) { |
104 | memcpy(s->block + s->blkused, q, 64 - s->blkused); |
105 | q += 64 - s->blkused; |
106 | len -= 64 - s->blkused; |
107 | /* Now process the block. Gather bytes big-endian into words */ |
108 | for (i = 0; i < 16; i++) { |
109 | wordblock[i] = |
110 | ( ((uint32)s->block[i*4+0]) << 24 ) | |
111 | ( ((uint32)s->block[i*4+1]) << 16 ) | |
112 | ( ((uint32)s->block[i*4+2]) << 8 ) | |
113 | ( ((uint32)s->block[i*4+3]) << 0 ); |
114 | } |
115 | SHATransform(s->h, wordblock); |
116 | s->blkused = 0; |
117 | } |
118 | memcpy(s->block, q, len); |
119 | s->blkused = len; |
120 | } |
121 | } |
122 | |
123 | void SHA_Final(SHA_State *s, unsigned char *output) { |
124 | int i; |
125 | int pad; |
126 | unsigned char c[64]; |
127 | uint32 lenhi, lenlo; |
128 | |
129 | if (s->blkused >= 56) |
130 | pad = 56 + 64 - s->blkused; |
131 | else |
132 | pad = 56 - s->blkused; |
133 | |
134 | lenhi = (s->lenhi << 3) | (s->lenlo >> (32-3)); |
135 | lenlo = (s->lenlo << 3); |
136 | |
137 | memset(c, 0, pad); |
138 | c[0] = 0x80; |
139 | SHA_Bytes(s, &c, pad); |
140 | |
141 | c[0] = (lenhi >> 24) & 0xFF; |
142 | c[1] = (lenhi >> 16) & 0xFF; |
143 | c[2] = (lenhi >> 8) & 0xFF; |
144 | c[3] = (lenhi >> 0) & 0xFF; |
145 | c[4] = (lenlo >> 24) & 0xFF; |
146 | c[5] = (lenlo >> 16) & 0xFF; |
147 | c[6] = (lenlo >> 8) & 0xFF; |
148 | c[7] = (lenlo >> 0) & 0xFF; |
149 | |
150 | SHA_Bytes(s, &c, 8); |
151 | |
152 | for (i = 0; i < 5; i++) { |
153 | output[i*4 ] = (s->h[i] >> 24) & 0xFF; |
154 | output[i*4+1] = (s->h[i] >> 16) & 0xFF; |
155 | output[i*4+2] = (s->h[i] >> 8) & 0xFF; |
156 | output[i*4+3] = (s->h[i] ) & 0xFF; |
157 | } |
158 | } |
159 | |
160 | void SHA_Simple(void *p, int len, unsigned char *output) { |
161 | SHA_State s; |
162 | |
163 | SHA_Init(&s); |
164 | SHA_Bytes(&s, p, len); |
165 | SHA_Final(&s, output); |
166 | } |
167 | |
168 | /* ---------------------------------------------------------------------- |
169 | * The above is the SHA-1 algorithm itself. Now we implement the |
170 | * HMAC wrapper on it. |
171 | */ |
172 | |
d39f364a |
173 | static SHA_State sha1_cs_mac_s1, sha1_cs_mac_s2; |
174 | static SHA_State sha1_sc_mac_s1, sha1_sc_mac_s2; |
e5574168 |
175 | |
d39f364a |
176 | static void sha1_key(SHA_State *s1, SHA_State *s2, |
177 | unsigned char *key, int len) { |
e5574168 |
178 | unsigned char foo[64]; |
179 | int i; |
180 | |
181 | memset(foo, 0x36, 64); |
182 | for (i = 0; i < len && i < 64; i++) |
183 | foo[i] ^= key[i]; |
d39f364a |
184 | SHA_Init(s1); |
185 | SHA_Bytes(s1, foo, 64); |
e5574168 |
186 | |
187 | memset(foo, 0x5C, 64); |
188 | for (i = 0; i < len && i < 64; i++) |
189 | foo[i] ^= key[i]; |
d39f364a |
190 | SHA_Init(s2); |
191 | SHA_Bytes(s2, foo, 64); |
e5574168 |
192 | |
193 | memset(foo, 0, 64); /* burn the evidence */ |
194 | } |
195 | |
d39f364a |
196 | static void sha1_cskey(unsigned char *key) { |
197 | sha1_key(&sha1_cs_mac_s1, &sha1_cs_mac_s2, key, 20); |
198 | } |
199 | |
200 | static void sha1_sckey(unsigned char *key) { |
201 | sha1_key(&sha1_sc_mac_s1, &sha1_sc_mac_s2, key, 20); |
202 | } |
203 | |
204 | static void sha1_do_hmac(SHA_State *s1, SHA_State *s2, |
205 | unsigned char *blk, int len, unsigned long seq, |
e5574168 |
206 | unsigned char *hmac) { |
207 | SHA_State s; |
208 | unsigned char intermediate[20]; |
209 | |
210 | intermediate[0] = (unsigned char)((seq >> 24) & 0xFF); |
211 | intermediate[1] = (unsigned char)((seq >> 16) & 0xFF); |
212 | intermediate[2] = (unsigned char)((seq >> 8) & 0xFF); |
213 | intermediate[3] = (unsigned char)((seq ) & 0xFF); |
214 | |
d39f364a |
215 | s = *s1; /* structure copy */ |
e5574168 |
216 | SHA_Bytes(&s, intermediate, 4); |
217 | SHA_Bytes(&s, blk, len); |
218 | SHA_Final(&s, intermediate); |
d39f364a |
219 | s = *s2; /* structure copy */ |
e5574168 |
220 | SHA_Bytes(&s, intermediate, 20); |
221 | SHA_Final(&s, hmac); |
222 | } |
223 | |
224 | static void sha1_generate(unsigned char *blk, int len, unsigned long seq) { |
d39f364a |
225 | sha1_do_hmac(&sha1_cs_mac_s1, &sha1_cs_mac_s2, blk, len, seq, blk+len); |
e5574168 |
226 | } |
227 | |
228 | static int sha1_verify(unsigned char *blk, int len, unsigned long seq) { |
229 | unsigned char correct[20]; |
d39f364a |
230 | sha1_do_hmac(&sha1_sc_mac_s1, &sha1_sc_mac_s2, blk, len, seq, correct); |
e5574168 |
231 | return !memcmp(correct, blk+len, 20); |
232 | } |
233 | |
234 | struct ssh_mac ssh_sha1 = { |
d39f364a |
235 | sha1_cskey, sha1_sckey, |
e5574168 |
236 | sha1_generate, |
237 | sha1_verify, |
238 | "hmac-sha1", |
239 | 20 |
240 | }; |