git.distorted.org.uk Git - u/mdw/putty/blob - sshsha.c

   1 #include <stdarg.h> /* FIXME */
   2 #include <windows.h> /* FIXME */
   3 #include "putty.h" /* FIXME */
   4
   5 /*
   6  * SHA1 hash algorithm. Used in SSH2 as a MAC, and the transform is
   7  * also used as a `stirring' function for the PuTTY random number
   8  * pool. Implemented directly from the specification by Simon
   9  * Tatham.
  10  */
  11
  12 #include "ssh.h"
  13
  14 typedef unsigned int uint32;
  15
  16 /* ----------------------------------------------------------------------
  17  * Core SHA algorithm: processes 16-word blocks into a message digest.
  18  */
  19
  20 #define rol(x,y) ( ((x) << (y)) | (((uint32)x) >> (32-y)) )
  21
  22 void SHA_Core_Init(uint32 h[5]) {
  23     h[0] = 0x67452301;
  24     h[1] = 0xefcdab89;
  25     h[2] = 0x98badcfe;
  26     h[3] = 0x10325476;
  27     h[4] = 0xc3d2e1f0;
  28 }
  29
  30 void SHATransform(word32 *digest, word32 *block) {
  31     word32 w[80];
  32     word32 a,b,c,d,e;
  33     int t;
  34
  35     for (t = 0; t < 16; t++)
  36         w[t] = block[t];
  37
  38     for (t = 16; t < 80; t++) {
  39         word32 tmp = w[t-3] ^ w[t-8] ^ w[t-14] ^ w[t-16];
  40         w[t] = rol(tmp, 1);
  41     }
  42
  43     a = digest[0];
  44     b = digest[1];
  45     c = digest[2];
  46     d = digest[3];
  47     e = digest[4];
  48
  49     for (t = 0; t < 20; t++) {
  50         word32 tmp = rol(a, 5) + ( (b&c) | (d&~b) ) + e + w[t] + 0x5a827999;
  51         e = d; d = c; c = rol(b, 30); b = a; a = tmp;
  52     }
  53     for (t = 20; t < 40; t++) {
  54         word32 tmp = rol(a, 5) + (b^c^d) + e + w[t] + 0x6ed9eba1;
  55         e = d; d = c; c = rol(b, 30); b = a; a = tmp;
  56     }
  57     for (t = 40; t < 60; t++) {
  58         word32 tmp = rol(a, 5) + ( (b&c) | (b&d) | (c&d) ) + e + w[t] + 0x8f1bbcdc;
  59         e = d; d = c; c = rol(b, 30); b = a; a = tmp;
  60     }
  61     for (t = 60; t < 80; t++) {
  62         word32 tmp = rol(a, 5) + (b^c^d) + e + w[t] + 0xca62c1d6;
  63         e = d; d = c; c = rol(b, 30); b = a; a = tmp;
  64     }
  65
  66     digest[0] += a;
  67     digest[1] += b;
  68     digest[2] += c;
  69     digest[3] += d;
  70     digest[4] += e;
  71 }
  72
  73 /* ----------------------------------------------------------------------
  74  * Outer SHA algorithm: take an arbitrary length byte string,
  75  * convert it into 16-word blocks with the prescribed padding at
  76  * the end, and pass those blocks to the core SHA algorithm.
  77  */
  78
  79 void SHA_Init(SHA_State *s) {
  80     SHA_Core_Init(s->h);
  81     s->blkused = 0;
  82     s->lenhi = s->lenlo = 0;
  83 }
  84
  85 void SHA_Bytes(SHA_State *s, void *p, int len) {
  86     unsigned char *q = (unsigned char *)p;
  87     uint32 wordblock[16];
  88     uint32 lenw = len;
  89     int i;
  90
  91     /*
  92      * Update the length field.
  93      */
  94     s->lenlo += lenw;
  95     s->lenhi += (s->lenlo < lenw);
  96
  97     if (s->blkused && s->blkused+len < 64) {
  98         /*
  99          * Trivial case: just add to the block.
 100          */
 101         memcpy(s->block + s->blkused, q, len);
 102         s->blkused += len;
 103     } else {
 104         /*
 105          * We must complete and process at least one block.
 106          */
 107         while (s->blkused + len >= 64) {
 108             memcpy(s->block + s->blkused, q, 64 - s->blkused);
 109             q += 64 - s->blkused;
 110             len -= 64 - s->blkused;
 111             /* Now process the block. Gather bytes big-endian into words */
 112             for (i = 0; i < 16; i++) {
 113                 wordblock[i] =
 114                     ( ((uint32)s->block[i*4+0]) << 24 ) |
 115                     ( ((uint32)s->block[i*4+1]) << 16 ) |
 116                     ( ((uint32)s->block[i*4+2]) <<  8 ) |
 117                     ( ((uint32)s->block[i*4+3]) <<  0 );
 118             }
 119             SHATransform(s->h, wordblock);
 120             s->blkused = 0;
 121         }
 122         memcpy(s->block, q, len);
 123         s->blkused = len;
 124     }
 125 }
 126
 127 void SHA_Final(SHA_State *s, unsigned char *output) {
 128     int i;
 129     int pad;
 130     unsigned char c[64];
 131     uint32 lenhi, lenlo;
 132
 133     if (s->blkused >= 56)
 134         pad = 56 + 64 - s->blkused;
 135     else
 136         pad = 56 - s->blkused;
 137
 138     lenhi = (s->lenhi << 3) | (s->lenlo >> (32-3));
 139     lenlo = (s->lenlo << 3);
 140
 141     memset(c, 0, pad);
 142     c[0] = 0x80;
 143     SHA_Bytes(s, &c, pad);
 144
 145     c[0] = (lenhi >> 24) & 0xFF;
 146     c[1] = (lenhi >> 16) & 0xFF;
 147     c[2] = (lenhi >>  8) & 0xFF;
 148     c[3] = (lenhi >>  0) & 0xFF;
 149     c[4] = (lenlo >> 24) & 0xFF;
 150     c[5] = (lenlo >> 16) & 0xFF;
 151     c[6] = (lenlo >>  8) & 0xFF;
 152     c[7] = (lenlo >>  0) & 0xFF;
 153
 154     SHA_Bytes(s, &c, 8);
 155
 156     for (i = 0; i < 5; i++) {
 157         output[i*4  ] = (s->h[i] >> 24) & 0xFF;
 158         output[i*4+1] = (s->h[i] >> 16) & 0xFF;
 159         output[i*4+2] = (s->h[i] >>  8) & 0xFF;
 160         output[i*4+3] = (s->h[i]      ) & 0xFF;
 161     }
 162 }
 163
 164 void SHA_Simple(void *p, int len, unsigned char *output) {
 165     SHA_State s;
 166
 167     SHA_Init(&s);
 168     SHA_Bytes(&s, p, len);
 169     SHA_Final(&s, output);
 170 }
 171
 172 /* ----------------------------------------------------------------------
 173  * The above is the SHA-1 algorithm itself. Now we implement the
 174  * HMAC wrapper on it.
 175  */
 176
 177 static SHA_State sha1_cs_mac_s1, sha1_cs_mac_s2;
 178 static SHA_State sha1_sc_mac_s1, sha1_sc_mac_s2;
 179
 180 static void sha1_key(SHA_State *s1, SHA_State *s2,
 181                      unsigned char *key, int len) {
 182     unsigned char foo[64];
 183     int i;
 184     {int j;
 185         debug(("Key supplied is:\r\n"));
 186         for (j=0; j<len; j++) debug(("  %02X", key[j]));
 187         debug(("\r\n"));
 188     }
 189
 190     memset(foo, 0x36, 64);
 191     for (i = 0; i < len && i < 64; i++)
 192         foo[i] ^= key[i];
 193     SHA_Init(s1);
 194     SHA_Bytes(s1, foo, 64);
 195
 196     memset(foo, 0x5C, 64);
 197     for (i = 0; i < len && i < 64; i++)
 198         foo[i] ^= key[i];
 199     SHA_Init(s2);
 200     SHA_Bytes(s2, foo, 64);
 201
 202     memset(foo, 0, 64);                /* burn the evidence */
 203 }
 204
 205 static void sha1_cskey(unsigned char *key) {
 206     sha1_key(&sha1_cs_mac_s1, &sha1_cs_mac_s2, key, 20);
 207 }
 208
 209 static void sha1_sckey(unsigned char *key) {
 210     sha1_key(&sha1_sc_mac_s1, &sha1_sc_mac_s2, key, 20);
 211 }
 212
 213 static void sha1_do_hmac(SHA_State *s1, SHA_State *s2,
 214                          unsigned char *blk, int len, unsigned long seq,
 215                          unsigned char *hmac) {
 216     SHA_State s;
 217     unsigned char intermediate[20];
 218
 219     intermediate[0] = (unsigned char)((seq >> 24) & 0xFF);
 220     intermediate[1] = (unsigned char)((seq >> 16) & 0xFF);
 221     intermediate[2] = (unsigned char)((seq >>  8) & 0xFF);
 222     intermediate[3] = (unsigned char)((seq      ) & 0xFF);
 223
 224     s = *s1;                           /* structure copy */
 225     SHA_Bytes(&s, intermediate, 4);
 226     SHA_Bytes(&s, blk, len);
 227     SHA_Final(&s, intermediate);
 228     s = *s2;                           /* structure copy */
 229     SHA_Bytes(&s, intermediate, 20);
 230     SHA_Final(&s, hmac);
 231 }
 232
 233 static void sha1_generate(unsigned char *blk, int len, unsigned long seq) {
 234     {int i;
 235         debug(("Gen HMAC on block len=%d seq=%d:\r\n", len, seq));
 236         for (i=0; i<len; i++) debug(("  %02X", blk[i]));
 237         debug(("\r\n"));
 238     }
 239     sha1_do_hmac(&sha1_cs_mac_s1, &sha1_cs_mac_s2, blk, len, seq, blk+len);
 240     {int i;
 241         debug(("We compute HMAC as:\r\n"));
 242         for (i=0; i<20; i++) debug(("  %02X", blk[len+i]));
 243         debug(("\r\n"));
 244     }
 245 }
 246
 247 static int sha1_verify(unsigned char *blk, int len, unsigned long seq) {
 248     unsigned char correct[20];
 249     {int i;
 250         debug(("HMAC on block len=%d seq=%d:\r\n", len, seq));
 251         for (i=0; i<len; i++) debug(("  %02X", blk[i]));
 252         debug(("\r\n"));
 253     }
 254     sha1_do_hmac(&sha1_sc_mac_s1, &sha1_sc_mac_s2, blk, len, seq, correct);
 255     {int i;
 256         debug(("We compute HMAC as:\r\n"));
 257         for (i=0; i<20; i++) debug(("  %02X", correct[i]));
 258         debug(("\r\n"));
 259     }
 260     return !memcmp(correct, blk+len, 20);
 261 }
 262
 263 struct ssh_mac ssh_sha1 = {
 264     sha1_cskey, sha1_sckey,
 265     sha1_generate,
 266     sha1_verify,
 267     "hmac-sha1",
 268     20
 269 };