Add support for 64 bit Windows.

[ffftp/ffftp.git] / putty / SSHSHA.C

/*\r
 * SHA1 hash algorithm. Used in SSH-2 as a MAC, and the transform is\r
 * also used as a `stirring' function for the PuTTY random number\r
 * pool. Implemented directly from the specification by Simon\r
 * Tatham.\r
 */\r
\r
#include "ssh.h"\r
\r
/* ----------------------------------------------------------------------\r
 * Core SHA algorithm: processes 16-word blocks into a message digest.\r
 */\r
\r
#define rol(x,y) ( ((x) << (y)) | (((uint32)x) >> (32-y)) )\r
\r
static void SHA_Core_Init(uint32 h[5])\r
{\r
    h[0] = 0x67452301;\r
    h[1] = 0xefcdab89;\r
    h[2] = 0x98badcfe;\r
    h[3] = 0x10325476;\r
    h[4] = 0xc3d2e1f0;\r
}\r
\r
void SHATransform(word32 * digest, word32 * block)\r
{\r
    word32 w[80];\r
    word32 a, b, c, d, e;\r
    int t;\r
\r
    for (t = 0; t < 16; t++)\r
        w[t] = block[t];\r
\r
    for (t = 16; t < 80; t++) {\r
        word32 tmp = w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16];\r
        w[t] = rol(tmp, 1);\r
    }\r
\r
    a = digest[0];\r
    b = digest[1];\r
    c = digest[2];\r
    d = digest[3];\r
    e = digest[4];\r
\r
    for (t = 0; t < 20; t++) {\r
        word32 tmp =\r
            rol(a, 5) + ((b & c) | (d & ~b)) + e + w[t] + 0x5a827999;\r
        e = d;\r
        d = c;\r
        c = rol(b, 30);\r
        b = a;\r
        a = tmp;\r
    }\r
    for (t = 20; t < 40; t++) {\r
        word32 tmp = rol(a, 5) + (b ^ c ^ d) + e + w[t] + 0x6ed9eba1;\r
        e = d;\r
        d = c;\r
        c = rol(b, 30);\r
        b = a;\r
        a = tmp;\r
    }\r
    for (t = 40; t < 60; t++) {\r
        word32 tmp = rol(a,\r
                         5) + ((b & c) | (b & d) | (c & d)) + e + w[t] +\r
            0x8f1bbcdc;\r
        e = d;\r
        d = c;\r
        c = rol(b, 30);\r
        b = a;\r
        a = tmp;\r
    }\r
    for (t = 60; t < 80; t++) {\r
        word32 tmp = rol(a, 5) + (b ^ c ^ d) + e + w[t] + 0xca62c1d6;\r
        e = d;\r
        d = c;\r
        c = rol(b, 30);\r
        b = a;\r
        a = tmp;\r
    }\r
\r
    digest[0] += a;\r
    digest[1] += b;\r
    digest[2] += c;\r
    digest[3] += d;\r
    digest[4] += e;\r
}\r
\r
/* ----------------------------------------------------------------------\r
 * Outer SHA algorithm: take an arbitrary length byte string,\r
 * convert it into 16-word blocks with the prescribed padding at\r
 * the end, and pass those blocks to the core SHA algorithm.\r
 */\r
\r
void SHA_Init(SHA_State * s)\r
{\r
    SHA_Core_Init(s->h);\r
    s->blkused = 0;\r
    s->lenhi = s->lenlo = 0;\r
}\r
\r
void SHA_Bytes(SHA_State * s, void *p, int len)\r
{\r
    unsigned char *q = (unsigned char *) p;\r
    uint32 wordblock[16];\r
    uint32 lenw = len;\r
    int i;\r
\r
    /*\r
     * Update the length field.\r
     */\r
    s->lenlo += lenw;\r
    s->lenhi += (s->lenlo < lenw);\r
\r
    if (s->blkused && s->blkused + len < 64) {\r
        /*\r
         * Trivial case: just add to the block.\r
         */\r
        memcpy(s->block + s->blkused, q, len);\r
        s->blkused += len;\r
    } else {\r
        /*\r
         * We must complete and process at least one block.\r
         */\r
        while (s->blkused + len >= 64) {\r
            memcpy(s->block + s->blkused, q, 64 - s->blkused);\r
            q += 64 - s->blkused;\r
            len -= 64 - s->blkused;\r
            /* Now process the block. Gather bytes big-endian into words */\r
            for (i = 0; i < 16; i++) {\r
                wordblock[i] =\r
                    (((uint32) s->block[i * 4 + 0]) << 24) |\r
                    (((uint32) s->block[i * 4 + 1]) << 16) |\r
                    (((uint32) s->block[i * 4 + 2]) << 8) |\r
                    (((uint32) s->block[i * 4 + 3]) << 0);\r
            }\r
            SHATransform(s->h, wordblock);\r
            s->blkused = 0;\r
        }\r
        memcpy(s->block, q, len);\r
        s->blkused = len;\r
    }\r
}\r
\r
void SHA_Final(SHA_State * s, unsigned char *output)\r
{\r
    int i;\r
    int pad;\r
    unsigned char c[64];\r
    uint32 lenhi, lenlo;\r
\r
    if (s->blkused >= 56)\r
        pad = 56 + 64 - s->blkused;\r
    else\r
        pad = 56 - s->blkused;\r
\r
    lenhi = (s->lenhi << 3) | (s->lenlo >> (32 - 3));\r
    lenlo = (s->lenlo << 3);\r
\r
    memset(c, 0, pad);\r
    c[0] = 0x80;\r
    SHA_Bytes(s, &c, pad);\r
\r
    c[0] = (lenhi >> 24) & 0xFF;\r
    c[1] = (lenhi >> 16) & 0xFF;\r
    c[2] = (lenhi >> 8) & 0xFF;\r
    c[3] = (lenhi >> 0) & 0xFF;\r
    c[4] = (lenlo >> 24) & 0xFF;\r
    c[5] = (lenlo >> 16) & 0xFF;\r
    c[6] = (lenlo >> 8) & 0xFF;\r
    c[7] = (lenlo >> 0) & 0xFF;\r
\r
    SHA_Bytes(s, &c, 8);\r
\r
    for (i = 0; i < 5; i++) {\r
        output[i * 4] = (s->h[i] >> 24) & 0xFF;\r
        output[i * 4 + 1] = (s->h[i] >> 16) & 0xFF;\r
        output[i * 4 + 2] = (s->h[i] >> 8) & 0xFF;\r
        output[i * 4 + 3] = (s->h[i]) & 0xFF;\r
    }\r
}\r
\r
void SHA_Simple(void *p, int len, unsigned char *output)\r
{\r
    SHA_State s;\r
\r
    SHA_Init(&s);\r
    SHA_Bytes(&s, p, len);\r
    SHA_Final(&s, output);\r
}\r
\r
/*\r
 * Thin abstraction for things where hashes are pluggable.\r
 */\r
\r
static void *sha1_init(void)\r
{\r
    SHA_State *s;\r
\r
    s = snew(SHA_State);\r
    SHA_Init(s);\r
    return s;\r
}\r
\r
static void sha1_bytes(void *handle, void *p, int len)\r
{\r
    SHA_State *s = handle;\r
\r
    SHA_Bytes(s, p, len);\r
}\r
\r
static void sha1_final(void *handle, unsigned char *output)\r
{\r
    SHA_State *s = handle;\r
\r
    SHA_Final(s, output);\r
    sfree(s);\r
}\r
\r
const struct ssh_hash ssh_sha1 = {\r
    sha1_init, sha1_bytes, sha1_final, 20, "SHA-1"\r
};\r
\r
/* ----------------------------------------------------------------------\r
 * The above is the SHA-1 algorithm itself. Now we implement the\r
 * HMAC wrapper on it.\r
 */\r
\r
static void *sha1_make_context(void)\r
{\r
    return snewn(3, SHA_State);\r
}\r
\r
static void sha1_free_context(void *handle)\r
{\r
    sfree(handle);\r
}\r
\r
static void sha1_key_internal(void *handle, unsigned char *key, int len)\r
{\r
    SHA_State *keys = (SHA_State *)handle;\r
    unsigned char foo[64];\r
    int i;\r
\r
    memset(foo, 0x36, 64);\r
    for (i = 0; i < len && i < 64; i++)\r
        foo[i] ^= key[i];\r
    SHA_Init(&keys[0]);\r
    SHA_Bytes(&keys[0], foo, 64);\r
\r
    memset(foo, 0x5C, 64);\r
    for (i = 0; i < len && i < 64; i++)\r
        foo[i] ^= key[i];\r
    SHA_Init(&keys[1]);\r
    SHA_Bytes(&keys[1], foo, 64);\r
\r
    memset(foo, 0, 64);                /* burn the evidence */\r
}\r
\r
static void sha1_key(void *handle, unsigned char *key)\r
{\r
    sha1_key_internal(handle, key, 20);\r
}\r
\r
static void sha1_key_buggy(void *handle, unsigned char *key)\r
{\r
    sha1_key_internal(handle, key, 16);\r
}\r
\r
static void hmacsha1_start(void *handle)\r
{\r
    SHA_State *keys = (SHA_State *)handle;\r
\r
    keys[2] = keys[0];                /* structure copy */\r
}\r
\r
static void hmacsha1_bytes(void *handle, unsigned char const *blk, int len)\r
{\r
    SHA_State *keys = (SHA_State *)handle;\r
    SHA_Bytes(&keys[2], (void *)blk, len);\r
}\r
\r
static void hmacsha1_genresult(void *handle, unsigned char *hmac)\r
{\r
    SHA_State *keys = (SHA_State *)handle;\r
    SHA_State s;\r
    unsigned char intermediate[20];\r
\r
    s = keys[2];                       /* structure copy */\r
    SHA_Final(&s, intermediate);\r
    s = keys[1];                       /* structure copy */\r
    SHA_Bytes(&s, intermediate, 20);\r
    SHA_Final(&s, hmac);\r
}\r
\r
static void sha1_do_hmac(void *handle, unsigned char *blk, int len,\r
                         unsigned long seq, unsigned char *hmac)\r
{\r
    unsigned char seqbuf[4];\r
\r
    seqbuf[0] = (unsigned char) ((seq >> 24) & 0xFF);\r
    seqbuf[1] = (unsigned char) ((seq >> 16) & 0xFF);\r
    seqbuf[2] = (unsigned char) ((seq >> 8) & 0xFF);\r
    seqbuf[3] = (unsigned char) ((seq) & 0xFF);\r
\r
    hmacsha1_start(handle);\r
    hmacsha1_bytes(handle, seqbuf, 4);\r
    hmacsha1_bytes(handle, blk, len);\r
    hmacsha1_genresult(handle, hmac);\r
}\r
\r
static void sha1_generate(void *handle, unsigned char *blk, int len,\r
                          unsigned long seq)\r
{\r
    sha1_do_hmac(handle, blk, len, seq, blk + len);\r
}\r
\r
static int hmacsha1_verresult(void *handle, unsigned char const *hmac)\r
{\r
    unsigned char correct[20];\r
    hmacsha1_genresult(handle, correct);\r
    return !memcmp(correct, hmac, 20);\r
}\r
\r
static int sha1_verify(void *handle, unsigned char *blk, int len,\r
                       unsigned long seq)\r
{\r
    unsigned char correct[20];\r
    sha1_do_hmac(handle, blk, len, seq, correct);\r
    return !memcmp(correct, blk + len, 20);\r
}\r
\r
static void hmacsha1_96_genresult(void *handle, unsigned char *hmac)\r
{\r
    unsigned char full[20];\r
    hmacsha1_genresult(handle, full);\r
    memcpy(hmac, full, 12);\r
}\r
\r
static void sha1_96_generate(void *handle, unsigned char *blk, int len,\r
                             unsigned long seq)\r
{\r
    unsigned char full[20];\r
    sha1_do_hmac(handle, blk, len, seq, full);\r
    memcpy(blk + len, full, 12);\r
}\r
\r
static int hmacsha1_96_verresult(void *handle, unsigned char const *hmac)\r
{\r
    unsigned char correct[20];\r
    hmacsha1_genresult(handle, correct);\r
    return !memcmp(correct, hmac, 12);\r
}\r
\r
static int sha1_96_verify(void *handle, unsigned char *blk, int len,\r
                       unsigned long seq)\r
{\r
    unsigned char correct[20];\r
    sha1_do_hmac(handle, blk, len, seq, correct);\r
    return !memcmp(correct, blk + len, 12);\r
}\r
\r
void hmac_sha1_simple(void *key, int keylen, void *data, int datalen,\r
                      unsigned char *output) {\r
    SHA_State states[2];\r
    unsigned char intermediate[20];\r
\r
    sha1_key_internal(states, key, keylen);\r
    SHA_Bytes(&states[0], data, datalen);\r
    SHA_Final(&states[0], intermediate);\r
\r
    SHA_Bytes(&states[1], intermediate, 20);\r
    SHA_Final(&states[1], output);\r
}\r
\r
const struct ssh_mac ssh_hmac_sha1 = {\r
    sha1_make_context, sha1_free_context, sha1_key,\r
    sha1_generate, sha1_verify,\r
    hmacsha1_start, hmacsha1_bytes, hmacsha1_genresult, hmacsha1_verresult,\r
    "hmac-sha1",\r
    20,\r
    "HMAC-SHA1"\r
};\r
\r
const struct ssh_mac ssh_hmac_sha1_96 = {\r
    sha1_make_context, sha1_free_context, sha1_key,\r
    sha1_96_generate, sha1_96_verify,\r
    hmacsha1_start, hmacsha1_bytes,\r
    hmacsha1_96_genresult, hmacsha1_96_verresult,\r
    "hmac-sha1-96",\r
    12,\r
    "HMAC-SHA1-96"\r
};\r
\r
const struct ssh_mac ssh_hmac_sha1_buggy = {\r
    sha1_make_context, sha1_free_context, sha1_key_buggy,\r
    sha1_generate, sha1_verify,\r
    hmacsha1_start, hmacsha1_bytes, hmacsha1_genresult, hmacsha1_verresult,\r
    "hmac-sha1",\r
    20,\r
    "bug-compatible HMAC-SHA1"\r
};\r
\r
const struct ssh_mac ssh_hmac_sha1_96_buggy = {\r
    sha1_make_context, sha1_free_context, sha1_key_buggy,\r
    sha1_96_generate, sha1_96_verify,\r
    hmacsha1_start, hmacsha1_bytes,\r
    hmacsha1_96_genresult, hmacsha1_96_verresult,\r
    "hmac-sha1-96",\r
    12,\r
    "bug-compatible HMAC-SHA1-96"\r
};\r