2 * SHA1 hash algorithm. Used in SSH2 as a MAC, and the transform is
3 * also used as a `stirring' function for the PuTTY random number
4 * pool. Implemented directly from the specification by Simon
10 /* ----------------------------------------------------------------------
11 * Core SHA algorithm: processes 16-word blocks into a message digest.
14 #define rol(x,y) ( ((x) << (y)) | (((uint32)x) >> (32-y)) )
16 void SHA_Core_Init(uint32 h[5])
25 void SHATransform(word32 * digest, word32 * block)
31 for (t = 0; t < 16; t++)
34 for (t = 16; t < 80; t++) {
35 word32 tmp = w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16];
45 for (t = 0; t < 20; t++) {
47 rol(a, 5) + ((b & c) | (d & ~b)) + e + w[t] + 0x5a827999;
54 for (t = 20; t < 40; t++) {
55 word32 tmp = rol(a, 5) + (b ^ c ^ d) + e + w[t] + 0x6ed9eba1;
62 for (t = 40; t < 60; t++) {
64 5) + ((b & c) | (b & d) | (c & d)) + e + w[t] +
72 for (t = 60; t < 80; t++) {
73 word32 tmp = rol(a, 5) + (b ^ c ^ d) + e + w[t] + 0xca62c1d6;
88 /* ----------------------------------------------------------------------
89 * Outer SHA algorithm: take an arbitrary length byte string,
90 * convert it into 16-word blocks with the prescribed padding at
91 * the end, and pass those blocks to the core SHA algorithm.
94 void SHA_Init(SHA_State * s)
98 s->lenhi = s->lenlo = 0;
101 void SHA_Bytes(SHA_State * s, void *p, int len)
103 unsigned char *q = (unsigned char *) p;
104 uint32 wordblock[16];
109 * Update the length field.
112 s->lenhi += (s->lenlo < lenw);
114 if (s->blkused && s->blkused + len < 64) {
116 * Trivial case: just add to the block.
118 memcpy(s->block + s->blkused, q, len);
122 * We must complete and process at least one block.
124 while (s->blkused + len >= 64) {
125 memcpy(s->block + s->blkused, q, 64 - s->blkused);
126 q += 64 - s->blkused;
127 len -= 64 - s->blkused;
128 /* Now process the block. Gather bytes big-endian into words */
129 for (i = 0; i < 16; i++) {
131 (((uint32) s->block[i * 4 + 0]) << 24) |
132 (((uint32) s->block[i * 4 + 1]) << 16) |
133 (((uint32) s->block[i * 4 + 2]) << 8) |
134 (((uint32) s->block[i * 4 + 3]) << 0);
136 SHATransform(s->h, wordblock);
139 memcpy(s->block, q, len);
144 void SHA_Final(SHA_State * s, unsigned char *output)
151 if (s->blkused >= 56)
152 pad = 56 + 64 - s->blkused;
154 pad = 56 - s->blkused;
156 lenhi = (s->lenhi << 3) | (s->lenlo >> (32 - 3));
157 lenlo = (s->lenlo << 3);
161 SHA_Bytes(s, &c, pad);
163 c[0] = (lenhi >> 24) & 0xFF;
164 c[1] = (lenhi >> 16) & 0xFF;
165 c[2] = (lenhi >> 8) & 0xFF;
166 c[3] = (lenhi >> 0) & 0xFF;
167 c[4] = (lenlo >> 24) & 0xFF;
168 c[5] = (lenlo >> 16) & 0xFF;
169 c[6] = (lenlo >> 8) & 0xFF;
170 c[7] = (lenlo >> 0) & 0xFF;
174 for (i = 0; i < 5; i++) {
175 output[i * 4] = (s->h[i] >> 24) & 0xFF;
176 output[i * 4 + 1] = (s->h[i] >> 16) & 0xFF;
177 output[i * 4 + 2] = (s->h[i] >> 8) & 0xFF;
178 output[i * 4 + 3] = (s->h[i]) & 0xFF;
182 void SHA_Simple(void *p, int len, unsigned char *output)
187 SHA_Bytes(&s, p, len);
188 SHA_Final(&s, output);
191 /* ----------------------------------------------------------------------
192 * The above is the SHA-1 algorithm itself. Now we implement the
193 * HMAC wrapper on it.
196 static SHA_State sha1_cs_mac_s1, sha1_cs_mac_s2;
197 static SHA_State sha1_sc_mac_s1, sha1_sc_mac_s2;
199 static void sha1_key(SHA_State * s1, SHA_State * s2,
200 unsigned char *key, int len)
202 unsigned char foo[64];
205 memset(foo, 0x36, 64);
206 for (i = 0; i < len && i < 64; i++)
209 SHA_Bytes(s1, foo, 64);
211 memset(foo, 0x5C, 64);
212 for (i = 0; i < len && i < 64; i++)
215 SHA_Bytes(s2, foo, 64);
217 memset(foo, 0, 64); /* burn the evidence */
220 static void sha1_cskey(unsigned char *key)
222 sha1_key(&sha1_cs_mac_s1, &sha1_cs_mac_s2, key, 20);
225 static void sha1_sckey(unsigned char *key)
227 sha1_key(&sha1_sc_mac_s1, &sha1_sc_mac_s2, key, 20);
230 static void sha1_cskey_buggy(unsigned char *key)
232 sha1_key(&sha1_cs_mac_s1, &sha1_cs_mac_s2, key, 16);
235 static void sha1_sckey_buggy(unsigned char *key)
237 sha1_key(&sha1_sc_mac_s1, &sha1_sc_mac_s2, key, 16);
240 static void sha1_do_hmac(SHA_State * s1, SHA_State * s2,
241 unsigned char *blk, int len, unsigned long seq,
245 unsigned char intermediate[20];
247 intermediate[0] = (unsigned char) ((seq >> 24) & 0xFF);
248 intermediate[1] = (unsigned char) ((seq >> 16) & 0xFF);
249 intermediate[2] = (unsigned char) ((seq >> 8) & 0xFF);
250 intermediate[3] = (unsigned char) ((seq) & 0xFF);
252 s = *s1; /* structure copy */
253 SHA_Bytes(&s, intermediate, 4);
254 SHA_Bytes(&s, blk, len);
255 SHA_Final(&s, intermediate);
256 s = *s2; /* structure copy */
257 SHA_Bytes(&s, intermediate, 20);
261 static void sha1_generate(unsigned char *blk, int len, unsigned long seq)
263 sha1_do_hmac(&sha1_cs_mac_s1, &sha1_cs_mac_s2, blk, len, seq,
267 static int sha1_verify(unsigned char *blk, int len, unsigned long seq)
269 unsigned char correct[20];
270 sha1_do_hmac(&sha1_sc_mac_s1, &sha1_sc_mac_s2, blk, len, seq, correct);
271 return !memcmp(correct, blk + len, 20);
274 const struct ssh_mac ssh_sha1 = {
275 sha1_cskey, sha1_sckey,
282 const struct ssh_mac ssh_sha1_buggy = {
283 sha1_cskey_buggy, sha1_sckey_buggy,