2 * SHA1 hash algorithm. Used in SSH2 as a MAC, and the transform is
3 * also used as a `stirring' function for the PuTTY random number
4 * pool. Implemented directly from the specification by Simon
10 /* ----------------------------------------------------------------------
11 * Core SHA algorithm: processes 16-word blocks into a message digest.
14 #define rol(x,y) ( ((x) << (y)) | (((uint32)x) >> (32-y)) )
16 static void SHA_Core_Init(uint32 h[5])
25 void SHATransform(word32 * digest, word32 * block)
31 for (t = 0; t < 16; t++)
34 for (t = 16; t < 80; t++) {
35 word32 tmp = w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16];
45 for (t = 0; t < 20; t++) {
47 rol(a, 5) + ((b & c) | (d & ~b)) + e + w[t] + 0x5a827999;
54 for (t = 20; t < 40; t++) {
55 word32 tmp = rol(a, 5) + (b ^ c ^ d) + e + w[t] + 0x6ed9eba1;
62 for (t = 40; t < 60; t++) {
64 5) + ((b & c) | (b & d) | (c & d)) + e + w[t] +
72 for (t = 60; t < 80; t++) {
73 word32 tmp = rol(a, 5) + (b ^ c ^ d) + e + w[t] + 0xca62c1d6;
88 /* ----------------------------------------------------------------------
89 * Outer SHA algorithm: take an arbitrary length byte string,
90 * convert it into 16-word blocks with the prescribed padding at
91 * the end, and pass those blocks to the core SHA algorithm.
94 void SHA_Init(SHA_State * s)
98 s->lenhi = s->lenlo = 0;
101 void SHA_Bytes(SHA_State * s, void *p, int len)
103 unsigned char *q = (unsigned char *) p;
104 uint32 wordblock[16];
109 * Update the length field.
112 s->lenhi += (s->lenlo < lenw);
114 if (s->blkused && s->blkused + len < 64) {
116 * Trivial case: just add to the block.
118 memcpy(s->block + s->blkused, q, len);
122 * We must complete and process at least one block.
124 while (s->blkused + len >= 64) {
125 memcpy(s->block + s->blkused, q, 64 - s->blkused);
126 q += 64 - s->blkused;
127 len -= 64 - s->blkused;
128 /* Now process the block. Gather bytes big-endian into words */
129 for (i = 0; i < 16; i++) {
131 (((uint32) s->block[i * 4 + 0]) << 24) |
132 (((uint32) s->block[i * 4 + 1]) << 16) |
133 (((uint32) s->block[i * 4 + 2]) << 8) |
134 (((uint32) s->block[i * 4 + 3]) << 0);
136 SHATransform(s->h, wordblock);
139 memcpy(s->block, q, len);
144 void SHA_Final(SHA_State * s, unsigned char *output)
151 if (s->blkused >= 56)
152 pad = 56 + 64 - s->blkused;
154 pad = 56 - s->blkused;
156 lenhi = (s->lenhi << 3) | (s->lenlo >> (32 - 3));
157 lenlo = (s->lenlo << 3);
161 SHA_Bytes(s, &c, pad);
163 c[0] = (lenhi >> 24) & 0xFF;
164 c[1] = (lenhi >> 16) & 0xFF;
165 c[2] = (lenhi >> 8) & 0xFF;
166 c[3] = (lenhi >> 0) & 0xFF;
167 c[4] = (lenlo >> 24) & 0xFF;
168 c[5] = (lenlo >> 16) & 0xFF;
169 c[6] = (lenlo >> 8) & 0xFF;
170 c[7] = (lenlo >> 0) & 0xFF;
174 for (i = 0; i < 5; i++) {
175 output[i * 4] = (s->h[i] >> 24) & 0xFF;
176 output[i * 4 + 1] = (s->h[i] >> 16) & 0xFF;
177 output[i * 4 + 2] = (s->h[i] >> 8) & 0xFF;
178 output[i * 4 + 3] = (s->h[i]) & 0xFF;
182 void SHA_Simple(void *p, int len, unsigned char *output)
187 SHA_Bytes(&s, p, len);
188 SHA_Final(&s, output);
191 /* ----------------------------------------------------------------------
192 * The above is the SHA-1 algorithm itself. Now we implement the
193 * HMAC wrapper on it.
196 static void *sha1_make_context(void)
198 return snewn(2, SHA_State);
201 static void sha1_free_context(void *handle)
206 static void sha1_key_internal(void *handle, unsigned char *key, int len)
208 SHA_State *keys = (SHA_State *)handle;
209 unsigned char foo[64];
212 memset(foo, 0x36, 64);
213 for (i = 0; i < len && i < 64; i++)
216 SHA_Bytes(&keys[0], foo, 64);
218 memset(foo, 0x5C, 64);
219 for (i = 0; i < len && i < 64; i++)
222 SHA_Bytes(&keys[1], foo, 64);
224 memset(foo, 0, 64); /* burn the evidence */
227 static void sha1_key(void *handle, unsigned char *key)
229 sha1_key_internal(handle, key, 20);
232 static void sha1_key_buggy(void *handle, unsigned char *key)
234 sha1_key_internal(handle, key, 16);
237 static void sha1_do_hmac(void *handle, unsigned char *blk, int len,
238 unsigned long seq, unsigned char *hmac)
240 SHA_State *keys = (SHA_State *)handle;
242 unsigned char intermediate[20];
244 intermediate[0] = (unsigned char) ((seq >> 24) & 0xFF);
245 intermediate[1] = (unsigned char) ((seq >> 16) & 0xFF);
246 intermediate[2] = (unsigned char) ((seq >> 8) & 0xFF);
247 intermediate[3] = (unsigned char) ((seq) & 0xFF);
249 s = keys[0]; /* structure copy */
250 SHA_Bytes(&s, intermediate, 4);
251 SHA_Bytes(&s, blk, len);
252 SHA_Final(&s, intermediate);
253 s = keys[1]; /* structure copy */
254 SHA_Bytes(&s, intermediate, 20);
258 static void sha1_generate(void *handle, unsigned char *blk, int len,
261 sha1_do_hmac(handle, blk, len, seq, blk + len);
264 static int sha1_verify(void *handle, unsigned char *blk, int len,
267 unsigned char correct[20];
268 sha1_do_hmac(handle, blk, len, seq, correct);
269 return !memcmp(correct, blk + len, 20);
272 void hmac_sha1_simple(void *key, int keylen, void *data, int datalen,
273 unsigned char *output) {
275 unsigned char intermediate[20];
277 sha1_key_internal(states, key, keylen);
278 SHA_Bytes(&states[0], data, datalen);
279 SHA_Final(&states[0], intermediate);
281 SHA_Bytes(&states[1], intermediate, 20);
282 SHA_Final(&states[1], output);
285 const struct ssh_mac ssh_sha1 = {
286 sha1_make_context, sha1_free_context, sha1_key,
287 sha1_generate, sha1_verify,
292 const struct ssh_mac ssh_sha1_buggy = {
293 sha1_make_context, sha1_free_context, sha1_key_buggy,
294 sha1_generate, sha1_verify,