2 * SHA1 hash algorithm. Used in SSH-2 as a MAC, and the transform is
3 * also used as a `stirring' function for the PuTTY random number
4 * pool. Implemented directly from the specification by Simon
10 /* ----------------------------------------------------------------------
11 * Core SHA algorithm: processes 16-word blocks into a message digest.
14 #define rol(x,y) ( ((x) << (y)) | (((uint32)x) >> (32-y)) )
16 static void SHA_Core_Init(uint32 h[5])
25 void SHATransform(word32 * digest, word32 * block)
31 for (t = 0; t < 16; t++)
34 for (t = 16; t < 80; t++) {
35 word32 tmp = w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16];
45 for (t = 0; t < 20; t++) {
47 rol(a, 5) + ((b & c) | (d & ~b)) + e + w[t] + 0x5a827999;
54 for (t = 20; t < 40; t++) {
55 word32 tmp = rol(a, 5) + (b ^ c ^ d) + e + w[t] + 0x6ed9eba1;
62 for (t = 40; t < 60; t++) {
64 5) + ((b & c) | (b & d) | (c & d)) + e + w[t] +
72 for (t = 60; t < 80; t++) {
73 word32 tmp = rol(a, 5) + (b ^ c ^ d) + e + w[t] + 0xca62c1d6;
88 /* ----------------------------------------------------------------------
89 * Outer SHA algorithm: take an arbitrary length byte string,
90 * convert it into 16-word blocks with the prescribed padding at
91 * the end, and pass those blocks to the core SHA algorithm.
94 void SHA_Init(SHA_State * s)
98 s->lenhi = s->lenlo = 0;
101 void SHA_Bytes(SHA_State * s, void *p, int len)
103 unsigned char *q = (unsigned char *) p;
104 uint32 wordblock[16];
109 * Update the length field.
112 s->lenhi += (s->lenlo < lenw);
114 if (s->blkused && s->blkused + len < 64) {
116 * Trivial case: just add to the block.
118 memcpy(s->block + s->blkused, q, len);
122 * We must complete and process at least one block.
124 while (s->blkused + len >= 64) {
125 memcpy(s->block + s->blkused, q, 64 - s->blkused);
126 q += 64 - s->blkused;
127 len -= 64 - s->blkused;
128 /* Now process the block. Gather bytes big-endian into words */
129 for (i = 0; i < 16; i++) {
131 (((uint32) s->block[i * 4 + 0]) << 24) |
132 (((uint32) s->block[i * 4 + 1]) << 16) |
133 (((uint32) s->block[i * 4 + 2]) << 8) |
134 (((uint32) s->block[i * 4 + 3]) << 0);
136 SHATransform(s->h, wordblock);
139 memcpy(s->block, q, len);
144 void SHA_Final(SHA_State * s, unsigned char *output)
151 if (s->blkused >= 56)
152 pad = 56 + 64 - s->blkused;
154 pad = 56 - s->blkused;
156 lenhi = (s->lenhi << 3) | (s->lenlo >> (32 - 3));
157 lenlo = (s->lenlo << 3);
161 SHA_Bytes(s, &c, pad);
163 c[0] = (lenhi >> 24) & 0xFF;
164 c[1] = (lenhi >> 16) & 0xFF;
165 c[2] = (lenhi >> 8) & 0xFF;
166 c[3] = (lenhi >> 0) & 0xFF;
167 c[4] = (lenlo >> 24) & 0xFF;
168 c[5] = (lenlo >> 16) & 0xFF;
169 c[6] = (lenlo >> 8) & 0xFF;
170 c[7] = (lenlo >> 0) & 0xFF;
174 for (i = 0; i < 5; i++) {
175 output[i * 4] = (s->h[i] >> 24) & 0xFF;
176 output[i * 4 + 1] = (s->h[i] >> 16) & 0xFF;
177 output[i * 4 + 2] = (s->h[i] >> 8) & 0xFF;
178 output[i * 4 + 3] = (s->h[i]) & 0xFF;
182 void SHA_Simple(void *p, int len, unsigned char *output)
187 SHA_Bytes(&s, p, len);
188 SHA_Final(&s, output);
192 * Thin abstraction for things where hashes are pluggable.
195 static void *sha1_init(void)
204 static void sha1_bytes(void *handle, void *p, int len)
206 SHA_State *s = handle;
208 SHA_Bytes(s, p, len);
211 static void sha1_final(void *handle, unsigned char *output)
213 SHA_State *s = handle;
215 SHA_Final(s, output);
219 const struct ssh_hash ssh_sha1 = {
220 sha1_init, sha1_bytes, sha1_final, 20, "SHA-1"
223 /* ----------------------------------------------------------------------
224 * The above is the SHA-1 algorithm itself. Now we implement the
225 * HMAC wrapper on it.
228 static void *sha1_make_context(void)
230 return snewn(3, SHA_State);
233 static void sha1_free_context(void *handle)
238 static void sha1_key_internal(void *handle, unsigned char *key, int len)
240 SHA_State *keys = (SHA_State *)handle;
241 unsigned char foo[64];
244 memset(foo, 0x36, 64);
245 for (i = 0; i < len && i < 64; i++)
248 SHA_Bytes(&keys[0], foo, 64);
250 memset(foo, 0x5C, 64);
251 for (i = 0; i < len && i < 64; i++)
254 SHA_Bytes(&keys[1], foo, 64);
256 smemclr(foo, 64); /* burn the evidence */
259 static void sha1_key(void *handle, unsigned char *key)
261 sha1_key_internal(handle, key, 20);
264 static void sha1_key_buggy(void *handle, unsigned char *key)
266 sha1_key_internal(handle, key, 16);
269 static void hmacsha1_start(void *handle)
271 SHA_State *keys = (SHA_State *)handle;
273 keys[2] = keys[0]; /* structure copy */
276 static void hmacsha1_bytes(void *handle, unsigned char const *blk, int len)
278 SHA_State *keys = (SHA_State *)handle;
279 SHA_Bytes(&keys[2], (void *)blk, len);
282 static void hmacsha1_genresult(void *handle, unsigned char *hmac)
284 SHA_State *keys = (SHA_State *)handle;
286 unsigned char intermediate[20];
288 s = keys[2]; /* structure copy */
289 SHA_Final(&s, intermediate);
290 s = keys[1]; /* structure copy */
291 SHA_Bytes(&s, intermediate, 20);
295 static void sha1_do_hmac(void *handle, unsigned char *blk, int len,
296 unsigned long seq, unsigned char *hmac)
298 unsigned char seqbuf[4];
300 seqbuf[0] = (unsigned char) ((seq >> 24) & 0xFF);
301 seqbuf[1] = (unsigned char) ((seq >> 16) & 0xFF);
302 seqbuf[2] = (unsigned char) ((seq >> 8) & 0xFF);
303 seqbuf[3] = (unsigned char) ((seq) & 0xFF);
305 hmacsha1_start(handle);
306 hmacsha1_bytes(handle, seqbuf, 4);
307 hmacsha1_bytes(handle, blk, len);
308 hmacsha1_genresult(handle, hmac);
311 static void sha1_generate(void *handle, unsigned char *blk, int len,
314 sha1_do_hmac(handle, blk, len, seq, blk + len);
317 static int hmacsha1_verresult(void *handle, unsigned char const *hmac)
319 unsigned char correct[20];
320 hmacsha1_genresult(handle, correct);
321 return !memcmp(correct, hmac, 20);
324 static int sha1_verify(void *handle, unsigned char *blk, int len,
327 unsigned char correct[20];
328 sha1_do_hmac(handle, blk, len, seq, correct);
329 return !memcmp(correct, blk + len, 20);
332 static void hmacsha1_96_genresult(void *handle, unsigned char *hmac)
334 unsigned char full[20];
335 hmacsha1_genresult(handle, full);
336 memcpy(hmac, full, 12);
339 static void sha1_96_generate(void *handle, unsigned char *blk, int len,
342 unsigned char full[20];
343 sha1_do_hmac(handle, blk, len, seq, full);
344 memcpy(blk + len, full, 12);
347 static int hmacsha1_96_verresult(void *handle, unsigned char const *hmac)
349 unsigned char correct[20];
350 hmacsha1_genresult(handle, correct);
351 return !memcmp(correct, hmac, 12);
354 static int sha1_96_verify(void *handle, unsigned char *blk, int len,
357 unsigned char correct[20];
358 sha1_do_hmac(handle, blk, len, seq, correct);
359 return !memcmp(correct, blk + len, 12);
362 void hmac_sha1_simple(void *key, int keylen, void *data, int datalen,
363 unsigned char *output) {
365 unsigned char intermediate[20];
367 sha1_key_internal(states, key, keylen);
368 SHA_Bytes(&states[0], data, datalen);
369 SHA_Final(&states[0], intermediate);
371 SHA_Bytes(&states[1], intermediate, 20);
372 SHA_Final(&states[1], output);
375 const struct ssh_mac ssh_hmac_sha1 = {
376 sha1_make_context, sha1_free_context, sha1_key,
377 sha1_generate, sha1_verify,
378 hmacsha1_start, hmacsha1_bytes, hmacsha1_genresult, hmacsha1_verresult,
384 const struct ssh_mac ssh_hmac_sha1_96 = {
385 sha1_make_context, sha1_free_context, sha1_key,
386 sha1_96_generate, sha1_96_verify,
387 hmacsha1_start, hmacsha1_bytes,
388 hmacsha1_96_genresult, hmacsha1_96_verresult,
394 const struct ssh_mac ssh_hmac_sha1_buggy = {
395 sha1_make_context, sha1_free_context, sha1_key_buggy,
396 sha1_generate, sha1_verify,
397 hmacsha1_start, hmacsha1_bytes, hmacsha1_genresult, hmacsha1_verresult,
400 "bug-compatible HMAC-SHA1"
403 const struct ssh_mac ssh_hmac_sha1_96_buggy = {
404 sha1_make_context, sha1_free_context, sha1_key_buggy,
405 sha1_96_generate, sha1_96_verify,
406 hmacsha1_start, hmacsha1_bytes,
407 hmacsha1_96_genresult, hmacsha1_96_verresult,
410 "bug-compatible HMAC-SHA1-96"