374330e2 |
1 | /* |
e5574168 |
2 | * SHA1 hash algorithm. Used in SSH2 as a MAC, and the transform is |
3 | * also used as a `stirring' function for the PuTTY random number |
4 | * pool. Implemented directly from the specification by Simon |
5 | * Tatham. |
374330e2 |
6 | */ |
7 | |
8 | #include "ssh.h" |
9 | |
e5574168 |
10 | /* ---------------------------------------------------------------------- |
11 | * Core SHA algorithm: processes 16-word blocks into a message digest. |
12 | */ |
13 | |
14 | #define rol(x,y) ( ((x) << (y)) | (((uint32)x) >> (32-y)) ) |
15 | |
16 | void SHA_Core_Init(uint32 h[5]) { |
17 | h[0] = 0x67452301; |
18 | h[1] = 0xefcdab89; |
19 | h[2] = 0x98badcfe; |
20 | h[3] = 0x10325476; |
21 | h[4] = 0xc3d2e1f0; |
22 | } |
e9483e66 |
23 | |
24 | void SHATransform(word32 *digest, word32 *block) { |
25 | word32 w[80]; |
26 | word32 a,b,c,d,e; |
27 | int t; |
28 | |
29 | for (t = 0; t < 16; t++) |
30 | w[t] = block[t]; |
31 | |
32 | for (t = 16; t < 80; t++) { |
33 | word32 tmp = w[t-3] ^ w[t-8] ^ w[t-14] ^ w[t-16]; |
34 | w[t] = rol(tmp, 1); |
35 | } |
36 | |
37 | a = digest[0]; |
38 | b = digest[1]; |
39 | c = digest[2]; |
40 | d = digest[3]; |
41 | e = digest[4]; |
42 | |
43 | for (t = 0; t < 20; t++) { |
44 | word32 tmp = rol(a, 5) + ( (b&c) | (d&~b) ) + e + w[t] + 0x5a827999; |
45 | e = d; d = c; c = rol(b, 30); b = a; a = tmp; |
46 | } |
47 | for (t = 20; t < 40; t++) { |
48 | word32 tmp = rol(a, 5) + (b^c^d) + e + w[t] + 0x6ed9eba1; |
49 | e = d; d = c; c = rol(b, 30); b = a; a = tmp; |
50 | } |
51 | for (t = 40; t < 60; t++) { |
52 | word32 tmp = rol(a, 5) + ( (b&c) | (b&d) | (c&d) ) + e + w[t] + 0x8f1bbcdc; |
53 | e = d; d = c; c = rol(b, 30); b = a; a = tmp; |
54 | } |
55 | for (t = 60; t < 80; t++) { |
56 | word32 tmp = rol(a, 5) + (b^c^d) + e + w[t] + 0xca62c1d6; |
57 | e = d; d = c; c = rol(b, 30); b = a; a = tmp; |
58 | } |
59 | |
60 | digest[0] += a; |
61 | digest[1] += b; |
62 | digest[2] += c; |
63 | digest[3] += d; |
64 | digest[4] += e; |
374330e2 |
65 | } |
e5574168 |
66 | |
67 | /* ---------------------------------------------------------------------- |
68 | * Outer SHA algorithm: take an arbitrary length byte string, |
69 | * convert it into 16-word blocks with the prescribed padding at |
70 | * the end, and pass those blocks to the core SHA algorithm. |
71 | */ |
72 | |
73 | void SHA_Init(SHA_State *s) { |
74 | SHA_Core_Init(s->h); |
75 | s->blkused = 0; |
76 | s->lenhi = s->lenlo = 0; |
77 | } |
78 | |
79 | void SHA_Bytes(SHA_State *s, void *p, int len) { |
80 | unsigned char *q = (unsigned char *)p; |
81 | uint32 wordblock[16]; |
82 | uint32 lenw = len; |
83 | int i; |
84 | |
85 | /* |
86 | * Update the length field. |
87 | */ |
88 | s->lenlo += lenw; |
89 | s->lenhi += (s->lenlo < lenw); |
90 | |
91 | if (s->blkused && s->blkused+len < 64) { |
92 | /* |
93 | * Trivial case: just add to the block. |
94 | */ |
95 | memcpy(s->block + s->blkused, q, len); |
96 | s->blkused += len; |
97 | } else { |
98 | /* |
99 | * We must complete and process at least one block. |
100 | */ |
101 | while (s->blkused + len >= 64) { |
102 | memcpy(s->block + s->blkused, q, 64 - s->blkused); |
103 | q += 64 - s->blkused; |
104 | len -= 64 - s->blkused; |
105 | /* Now process the block. Gather bytes big-endian into words */ |
106 | for (i = 0; i < 16; i++) { |
107 | wordblock[i] = |
108 | ( ((uint32)s->block[i*4+0]) << 24 ) | |
109 | ( ((uint32)s->block[i*4+1]) << 16 ) | |
110 | ( ((uint32)s->block[i*4+2]) << 8 ) | |
111 | ( ((uint32)s->block[i*4+3]) << 0 ); |
112 | } |
113 | SHATransform(s->h, wordblock); |
114 | s->blkused = 0; |
115 | } |
116 | memcpy(s->block, q, len); |
117 | s->blkused = len; |
118 | } |
119 | } |
120 | |
121 | void SHA_Final(SHA_State *s, unsigned char *output) { |
122 | int i; |
123 | int pad; |
124 | unsigned char c[64]; |
125 | uint32 lenhi, lenlo; |
126 | |
127 | if (s->blkused >= 56) |
128 | pad = 56 + 64 - s->blkused; |
129 | else |
130 | pad = 56 - s->blkused; |
131 | |
132 | lenhi = (s->lenhi << 3) | (s->lenlo >> (32-3)); |
133 | lenlo = (s->lenlo << 3); |
134 | |
135 | memset(c, 0, pad); |
136 | c[0] = 0x80; |
137 | SHA_Bytes(s, &c, pad); |
138 | |
139 | c[0] = (lenhi >> 24) & 0xFF; |
140 | c[1] = (lenhi >> 16) & 0xFF; |
141 | c[2] = (lenhi >> 8) & 0xFF; |
142 | c[3] = (lenhi >> 0) & 0xFF; |
143 | c[4] = (lenlo >> 24) & 0xFF; |
144 | c[5] = (lenlo >> 16) & 0xFF; |
145 | c[6] = (lenlo >> 8) & 0xFF; |
146 | c[7] = (lenlo >> 0) & 0xFF; |
147 | |
148 | SHA_Bytes(s, &c, 8); |
149 | |
150 | for (i = 0; i < 5; i++) { |
151 | output[i*4 ] = (s->h[i] >> 24) & 0xFF; |
152 | output[i*4+1] = (s->h[i] >> 16) & 0xFF; |
153 | output[i*4+2] = (s->h[i] >> 8) & 0xFF; |
154 | output[i*4+3] = (s->h[i] ) & 0xFF; |
155 | } |
156 | } |
157 | |
158 | void SHA_Simple(void *p, int len, unsigned char *output) { |
159 | SHA_State s; |
160 | |
161 | SHA_Init(&s); |
162 | SHA_Bytes(&s, p, len); |
163 | SHA_Final(&s, output); |
164 | } |
165 | |
166 | /* ---------------------------------------------------------------------- |
167 | * The above is the SHA-1 algorithm itself. Now we implement the |
168 | * HMAC wrapper on it. |
169 | */ |
170 | |
d39f364a |
171 | static SHA_State sha1_cs_mac_s1, sha1_cs_mac_s2; |
172 | static SHA_State sha1_sc_mac_s1, sha1_sc_mac_s2; |
e5574168 |
173 | |
d39f364a |
174 | static void sha1_key(SHA_State *s1, SHA_State *s2, |
175 | unsigned char *key, int len) { |
e5574168 |
176 | unsigned char foo[64]; |
177 | int i; |
178 | |
179 | memset(foo, 0x36, 64); |
180 | for (i = 0; i < len && i < 64; i++) |
181 | foo[i] ^= key[i]; |
d39f364a |
182 | SHA_Init(s1); |
183 | SHA_Bytes(s1, foo, 64); |
e5574168 |
184 | |
185 | memset(foo, 0x5C, 64); |
186 | for (i = 0; i < len && i < 64; i++) |
187 | foo[i] ^= key[i]; |
d39f364a |
188 | SHA_Init(s2); |
189 | SHA_Bytes(s2, foo, 64); |
e5574168 |
190 | |
191 | memset(foo, 0, 64); /* burn the evidence */ |
192 | } |
193 | |
d39f364a |
194 | static void sha1_cskey(unsigned char *key) { |
195 | sha1_key(&sha1_cs_mac_s1, &sha1_cs_mac_s2, key, 20); |
196 | } |
197 | |
198 | static void sha1_sckey(unsigned char *key) { |
199 | sha1_key(&sha1_sc_mac_s1, &sha1_sc_mac_s2, key, 20); |
200 | } |
201 | |
202 | static void sha1_do_hmac(SHA_State *s1, SHA_State *s2, |
203 | unsigned char *blk, int len, unsigned long seq, |
e5574168 |
204 | unsigned char *hmac) { |
205 | SHA_State s; |
206 | unsigned char intermediate[20]; |
207 | |
208 | intermediate[0] = (unsigned char)((seq >> 24) & 0xFF); |
209 | intermediate[1] = (unsigned char)((seq >> 16) & 0xFF); |
210 | intermediate[2] = (unsigned char)((seq >> 8) & 0xFF); |
211 | intermediate[3] = (unsigned char)((seq ) & 0xFF); |
212 | |
d39f364a |
213 | s = *s1; /* structure copy */ |
e5574168 |
214 | SHA_Bytes(&s, intermediate, 4); |
215 | SHA_Bytes(&s, blk, len); |
216 | SHA_Final(&s, intermediate); |
d39f364a |
217 | s = *s2; /* structure copy */ |
e5574168 |
218 | SHA_Bytes(&s, intermediate, 20); |
219 | SHA_Final(&s, hmac); |
220 | } |
221 | |
222 | static void sha1_generate(unsigned char *blk, int len, unsigned long seq) { |
d39f364a |
223 | sha1_do_hmac(&sha1_cs_mac_s1, &sha1_cs_mac_s2, blk, len, seq, blk+len); |
e5574168 |
224 | } |
225 | |
226 | static int sha1_verify(unsigned char *blk, int len, unsigned long seq) { |
227 | unsigned char correct[20]; |
d39f364a |
228 | sha1_do_hmac(&sha1_sc_mac_s1, &sha1_sc_mac_s2, blk, len, seq, correct); |
e5574168 |
229 | return !memcmp(correct, blk+len, 20); |
230 | } |
231 | |
232 | struct ssh_mac ssh_sha1 = { |
d39f364a |
233 | sha1_cskey, sha1_sckey, |
e5574168 |
234 | sha1_generate, |
235 | sha1_verify, |
236 | "hmac-sha1", |
237 | 20 |
238 | }; |