374330e2 |
1 | /* |
2e85c969 |
2 | * SHA1 hash algorithm. Used in SSH-2 as a MAC, and the transform is |
e5574168 |
3 | * also used as a `stirring' function for the PuTTY random number |
4 | * pool. Implemented directly from the specification by Simon |
5 | * Tatham. |
374330e2 |
6 | */ |
7 | |
8 | #include "ssh.h" |
9 | |
e5574168 |
10 | /* ---------------------------------------------------------------------- |
11 | * Core SHA algorithm: processes 16-word blocks into a message digest. |
12 | */ |
13 | |
14 | #define rol(x,y) ( ((x) << (y)) | (((uint32)x) >> (32-y)) ) |
15 | |
d5696ae5 |
16 | static void SHA_Core_Init(uint32 h[5]) |
32874aea |
17 | { |
e5574168 |
18 | h[0] = 0x67452301; |
19 | h[1] = 0xefcdab89; |
20 | h[2] = 0x98badcfe; |
21 | h[3] = 0x10325476; |
22 | h[4] = 0xc3d2e1f0; |
23 | } |
e9483e66 |
24 | |
32874aea |
25 | void SHATransform(word32 * digest, word32 * block) |
26 | { |
e9483e66 |
27 | word32 w[80]; |
32874aea |
28 | word32 a, b, c, d, e; |
e9483e66 |
29 | int t; |
30 | |
31 | for (t = 0; t < 16; t++) |
32874aea |
32 | w[t] = block[t]; |
e9483e66 |
33 | |
34 | for (t = 16; t < 80; t++) { |
32874aea |
35 | word32 tmp = w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16]; |
36 | w[t] = rol(tmp, 1); |
e9483e66 |
37 | } |
38 | |
39 | a = digest[0]; |
40 | b = digest[1]; |
41 | c = digest[2]; |
42 | d = digest[3]; |
43 | e = digest[4]; |
44 | |
45 | for (t = 0; t < 20; t++) { |
32874aea |
46 | word32 tmp = |
47 | rol(a, 5) + ((b & c) | (d & ~b)) + e + w[t] + 0x5a827999; |
48 | e = d; |
49 | d = c; |
50 | c = rol(b, 30); |
51 | b = a; |
52 | a = tmp; |
e9483e66 |
53 | } |
54 | for (t = 20; t < 40; t++) { |
32874aea |
55 | word32 tmp = rol(a, 5) + (b ^ c ^ d) + e + w[t] + 0x6ed9eba1; |
56 | e = d; |
57 | d = c; |
58 | c = rol(b, 30); |
59 | b = a; |
60 | a = tmp; |
e9483e66 |
61 | } |
62 | for (t = 40; t < 60; t++) { |
32874aea |
63 | word32 tmp = rol(a, |
64 | 5) + ((b & c) | (b & d) | (c & d)) + e + w[t] + |
65 | 0x8f1bbcdc; |
66 | e = d; |
67 | d = c; |
68 | c = rol(b, 30); |
69 | b = a; |
70 | a = tmp; |
e9483e66 |
71 | } |
72 | for (t = 60; t < 80; t++) { |
32874aea |
73 | word32 tmp = rol(a, 5) + (b ^ c ^ d) + e + w[t] + 0xca62c1d6; |
74 | e = d; |
75 | d = c; |
76 | c = rol(b, 30); |
77 | b = a; |
78 | a = tmp; |
e9483e66 |
79 | } |
80 | |
81 | digest[0] += a; |
82 | digest[1] += b; |
83 | digest[2] += c; |
84 | digest[3] += d; |
85 | digest[4] += e; |
374330e2 |
86 | } |
e5574168 |
87 | |
88 | /* ---------------------------------------------------------------------- |
89 | * Outer SHA algorithm: take an arbitrary length byte string, |
90 | * convert it into 16-word blocks with the prescribed padding at |
91 | * the end, and pass those blocks to the core SHA algorithm. |
92 | */ |
93 | |
32874aea |
94 | void SHA_Init(SHA_State * s) |
95 | { |
e5574168 |
96 | SHA_Core_Init(s->h); |
97 | s->blkused = 0; |
98 | s->lenhi = s->lenlo = 0; |
99 | } |
100 | |
32874aea |
101 | void SHA_Bytes(SHA_State * s, void *p, int len) |
102 | { |
103 | unsigned char *q = (unsigned char *) p; |
e5574168 |
104 | uint32 wordblock[16]; |
105 | uint32 lenw = len; |
106 | int i; |
107 | |
108 | /* |
109 | * Update the length field. |
110 | */ |
111 | s->lenlo += lenw; |
112 | s->lenhi += (s->lenlo < lenw); |
113 | |
32874aea |
114 | if (s->blkused && s->blkused + len < 64) { |
115 | /* |
116 | * Trivial case: just add to the block. |
117 | */ |
118 | memcpy(s->block + s->blkused, q, len); |
119 | s->blkused += len; |
e5574168 |
120 | } else { |
32874aea |
121 | /* |
122 | * We must complete and process at least one block. |
123 | */ |
124 | while (s->blkused + len >= 64) { |
125 | memcpy(s->block + s->blkused, q, 64 - s->blkused); |
126 | q += 64 - s->blkused; |
127 | len -= 64 - s->blkused; |
128 | /* Now process the block. Gather bytes big-endian into words */ |
129 | for (i = 0; i < 16; i++) { |
130 | wordblock[i] = |
131 | (((uint32) s->block[i * 4 + 0]) << 24) | |
132 | (((uint32) s->block[i * 4 + 1]) << 16) | |
133 | (((uint32) s->block[i * 4 + 2]) << 8) | |
134 | (((uint32) s->block[i * 4 + 3]) << 0); |
135 | } |
136 | SHATransform(s->h, wordblock); |
137 | s->blkused = 0; |
138 | } |
139 | memcpy(s->block, q, len); |
140 | s->blkused = len; |
e5574168 |
141 | } |
142 | } |
143 | |
32874aea |
144 | void SHA_Final(SHA_State * s, unsigned char *output) |
145 | { |
e5574168 |
146 | int i; |
147 | int pad; |
148 | unsigned char c[64]; |
149 | uint32 lenhi, lenlo; |
150 | |
151 | if (s->blkused >= 56) |
32874aea |
152 | pad = 56 + 64 - s->blkused; |
e5574168 |
153 | else |
32874aea |
154 | pad = 56 - s->blkused; |
e5574168 |
155 | |
32874aea |
156 | lenhi = (s->lenhi << 3) | (s->lenlo >> (32 - 3)); |
e5574168 |
157 | lenlo = (s->lenlo << 3); |
158 | |
159 | memset(c, 0, pad); |
160 | c[0] = 0x80; |
161 | SHA_Bytes(s, &c, pad); |
162 | |
163 | c[0] = (lenhi >> 24) & 0xFF; |
164 | c[1] = (lenhi >> 16) & 0xFF; |
32874aea |
165 | c[2] = (lenhi >> 8) & 0xFF; |
166 | c[3] = (lenhi >> 0) & 0xFF; |
e5574168 |
167 | c[4] = (lenlo >> 24) & 0xFF; |
168 | c[5] = (lenlo >> 16) & 0xFF; |
32874aea |
169 | c[6] = (lenlo >> 8) & 0xFF; |
170 | c[7] = (lenlo >> 0) & 0xFF; |
e5574168 |
171 | |
172 | SHA_Bytes(s, &c, 8); |
173 | |
174 | for (i = 0; i < 5; i++) { |
32874aea |
175 | output[i * 4] = (s->h[i] >> 24) & 0xFF; |
176 | output[i * 4 + 1] = (s->h[i] >> 16) & 0xFF; |
177 | output[i * 4 + 2] = (s->h[i] >> 8) & 0xFF; |
178 | output[i * 4 + 3] = (s->h[i]) & 0xFF; |
e5574168 |
179 | } |
180 | } |
181 | |
32874aea |
182 | void SHA_Simple(void *p, int len, unsigned char *output) |
183 | { |
e5574168 |
184 | SHA_State s; |
185 | |
186 | SHA_Init(&s); |
187 | SHA_Bytes(&s, p, len); |
188 | SHA_Final(&s, output); |
189 | } |
190 | |
b672f405 |
191 | /* |
192 | * Thin abstraction for things where hashes are pluggable. |
193 | */ |
194 | |
195 | static void *sha1_init(void) |
196 | { |
197 | SHA_State *s; |
198 | |
199 | s = snew(SHA_State); |
200 | SHA_Init(s); |
201 | return s; |
202 | } |
203 | |
204 | static void sha1_bytes(void *handle, void *p, int len) |
205 | { |
206 | SHA_State *s = handle; |
207 | |
208 | SHA_Bytes(s, p, len); |
209 | } |
210 | |
211 | static void sha1_final(void *handle, unsigned char *output) |
212 | { |
213 | SHA_State *s = handle; |
214 | |
215 | SHA_Final(s, output); |
216 | sfree(s); |
217 | } |
218 | |
219 | const struct ssh_hash ssh_sha1 = { |
220 | sha1_init, sha1_bytes, sha1_final, 20 |
221 | }; |
222 | |
e5574168 |
223 | /* ---------------------------------------------------------------------- |
224 | * The above is the SHA-1 algorithm itself. Now we implement the |
225 | * HMAC wrapper on it. |
226 | */ |
227 | |
e0e1a00d |
228 | static void *sha1_make_context(void) |
229 | { |
3d88e64d |
230 | return snewn(2, SHA_State); |
e0e1a00d |
231 | } |
232 | |
233 | static void sha1_free_context(void *handle) |
234 | { |
235 | sfree(handle); |
236 | } |
e5574168 |
237 | |
e0e1a00d |
238 | static void sha1_key_internal(void *handle, unsigned char *key, int len) |
32874aea |
239 | { |
e0e1a00d |
240 | SHA_State *keys = (SHA_State *)handle; |
e5574168 |
241 | unsigned char foo[64]; |
242 | int i; |
243 | |
244 | memset(foo, 0x36, 64); |
245 | for (i = 0; i < len && i < 64; i++) |
32874aea |
246 | foo[i] ^= key[i]; |
e0e1a00d |
247 | SHA_Init(&keys[0]); |
248 | SHA_Bytes(&keys[0], foo, 64); |
e5574168 |
249 | |
250 | memset(foo, 0x5C, 64); |
251 | for (i = 0; i < len && i < 64; i++) |
32874aea |
252 | foo[i] ^= key[i]; |
e0e1a00d |
253 | SHA_Init(&keys[1]); |
254 | SHA_Bytes(&keys[1], foo, 64); |
e5574168 |
255 | |
32874aea |
256 | memset(foo, 0, 64); /* burn the evidence */ |
e5574168 |
257 | } |
258 | |
e0e1a00d |
259 | static void sha1_key(void *handle, unsigned char *key) |
32874aea |
260 | { |
e0e1a00d |
261 | sha1_key_internal(handle, key, 20); |
7591b9ff |
262 | } |
263 | |
e0e1a00d |
264 | static void sha1_key_buggy(void *handle, unsigned char *key) |
32874aea |
265 | { |
e0e1a00d |
266 | sha1_key_internal(handle, key, 16); |
7591b9ff |
267 | } |
268 | |
e0e1a00d |
269 | static void sha1_do_hmac(void *handle, unsigned char *blk, int len, |
270 | unsigned long seq, unsigned char *hmac) |
32874aea |
271 | { |
e0e1a00d |
272 | SHA_State *keys = (SHA_State *)handle; |
e5574168 |
273 | SHA_State s; |
274 | unsigned char intermediate[20]; |
275 | |
32874aea |
276 | intermediate[0] = (unsigned char) ((seq >> 24) & 0xFF); |
277 | intermediate[1] = (unsigned char) ((seq >> 16) & 0xFF); |
278 | intermediate[2] = (unsigned char) ((seq >> 8) & 0xFF); |
279 | intermediate[3] = (unsigned char) ((seq) & 0xFF); |
e5574168 |
280 | |
e0e1a00d |
281 | s = keys[0]; /* structure copy */ |
e5574168 |
282 | SHA_Bytes(&s, intermediate, 4); |
283 | SHA_Bytes(&s, blk, len); |
284 | SHA_Final(&s, intermediate); |
e0e1a00d |
285 | s = keys[1]; /* structure copy */ |
e5574168 |
286 | SHA_Bytes(&s, intermediate, 20); |
287 | SHA_Final(&s, hmac); |
288 | } |
289 | |
e0e1a00d |
290 | static void sha1_generate(void *handle, unsigned char *blk, int len, |
291 | unsigned long seq) |
32874aea |
292 | { |
e0e1a00d |
293 | sha1_do_hmac(handle, blk, len, seq, blk + len); |
e5574168 |
294 | } |
295 | |
e0e1a00d |
296 | static int sha1_verify(void *handle, unsigned char *blk, int len, |
297 | unsigned long seq) |
32874aea |
298 | { |
e5574168 |
299 | unsigned char correct[20]; |
e0e1a00d |
300 | sha1_do_hmac(handle, blk, len, seq, correct); |
32874aea |
301 | return !memcmp(correct, blk + len, 20); |
e5574168 |
302 | } |
303 | |
6668a75e |
304 | static void sha1_96_generate(void *handle, unsigned char *blk, int len, |
305 | unsigned long seq) |
306 | { |
307 | unsigned char full[20]; |
308 | sha1_do_hmac(handle, blk, len, seq, full); |
309 | memcpy(blk + len, full, 12); |
310 | } |
311 | |
312 | static int sha1_96_verify(void *handle, unsigned char *blk, int len, |
313 | unsigned long seq) |
314 | { |
315 | unsigned char correct[20]; |
316 | sha1_do_hmac(handle, blk, len, seq, correct); |
317 | return !memcmp(correct, blk + len, 12); |
318 | } |
319 | |
5c72ca61 |
320 | void hmac_sha1_simple(void *key, int keylen, void *data, int datalen, |
321 | unsigned char *output) { |
e0e1a00d |
322 | SHA_State states[2]; |
5c72ca61 |
323 | unsigned char intermediate[20]; |
324 | |
e0e1a00d |
325 | sha1_key_internal(states, key, keylen); |
326 | SHA_Bytes(&states[0], data, datalen); |
327 | SHA_Final(&states[0], intermediate); |
5c72ca61 |
328 | |
e0e1a00d |
329 | SHA_Bytes(&states[1], intermediate, 20); |
330 | SHA_Final(&states[1], output); |
5c72ca61 |
331 | } |
332 | |
1993f323 |
333 | const struct ssh_mac ssh_hmac_sha1 = { |
e0e1a00d |
334 | sha1_make_context, sha1_free_context, sha1_key, |
335 | sha1_generate, sha1_verify, |
e5574168 |
336 | "hmac-sha1", |
6c135243 |
337 | 20, |
338 | "HMAC-SHA1" |
e5574168 |
339 | }; |
7591b9ff |
340 | |
6668a75e |
341 | const struct ssh_mac ssh_hmac_sha1_96 = { |
342 | sha1_make_context, sha1_free_context, sha1_key, |
343 | sha1_96_generate, sha1_96_verify, |
344 | "hmac-sha1-96", |
345 | 12, |
346 | "HMAC-SHA1-96" |
347 | }; |
348 | |
1993f323 |
349 | const struct ssh_mac ssh_hmac_sha1_buggy = { |
e0e1a00d |
350 | sha1_make_context, sha1_free_context, sha1_key_buggy, |
351 | sha1_generate, sha1_verify, |
7591b9ff |
352 | "hmac-sha1", |
6c135243 |
353 | 20, |
354 | "bug-compatible HMAC-SHA1" |
7591b9ff |
355 | }; |
6668a75e |
356 | |
357 | const struct ssh_mac ssh_hmac_sha1_96_buggy = { |
358 | sha1_make_context, sha1_free_context, sha1_key_buggy, |
359 | sha1_96_generate, sha1_96_verify, |
360 | "hmac-sha1-96", |
361 | 12, |
362 | "bug-compatible HMAC-SHA1-96" |
363 | }; |