nhyatt/putty-source
1
0
Fork 0
mirror of https://git.tartarus.org/simon/putty.git synced 2025-01-09 17:38:00 +00:00
Code Issues Projects Releases Wiki Activity
1378bb049a
putty-source/sshsha.c

695 lines
18 KiB
C
Raw Normal View History

Initial checkin: beta 0.43 [originally from svn r11]
1999-01-08 13:02:13 +00:00
/*
Consistently use a single notation to refer to SSH protocol versions, as discussed. Use Barrett and Silverman's convention of "SSH-1" for SSH protocol version 1 and "SSH-2" for protocol 2 ("SSH1"/"SSH2" refer to ssh.com implementations in this scheme). <http://www.snailbook.com/terms.html> [originally from svn r5480]
2005-03-10 16:36:05 +00:00
* SHA1 hash algorithm. Used in SSH-2 as a MAC, and the transform is
SSH 2 support, phase 1, debugging. Currently does Diffie-Hellman and gets the same results as the server, which is a pretty good start. [originally from svn r569]
2000-09-05 14:28:17 +00:00
* also used as a `stirring' function for the PuTTY random number
* pool. Implemented directly from the specification by Simon
* Tatham.
Initial checkin: beta 0.43 [originally from svn r11]
1999-01-08 13:02:13 +00:00
*/
#include "ssh.h"
Add SHA1 implementation with new instructions SHA1-NI code is conditionally enabled if CPU supports SHA extensions. The procedure is based on Jeffrey Walton's SHA1 implementation: https://github.com/noloader/SHA-Intrinsics
2018-02-18 21:07:06 +00:00
#include <assert.h>
SSH 2 support, phase 1, debugging. Currently does Diffie-Hellman and gets the same results as the server, which is a pretty good start. [originally from svn r569]
2000-09-05 14:28:17 +00:00
/* ----------------------------------------------------------------------
* Core SHA algorithm: processes 16-word blocks into a message digest.
*/
Adopt C99 <stdint.h> integer types. The annoying int64.h is completely retired, since C99 guarantees a 64-bit integer type that you can actually treat like an ordinary integer. Also, I've replaced the local typedefs uint32 and word32 (scattered through different parts of the crypto code) with the standard uint32_t.
2018-10-26 22:08:58 +00:00
#define rol(x,y) ( ((x) << (y)) | (((uint32_t)x) >> (32-y)) )
SSH 2 support, phase 1, debugging. Currently does Diffie-Hellman and gets the same results as the server, which is a pretty good start. [originally from svn r569]
2000-09-05 14:28:17 +00:00
Add pointers to SHA1 and SHA256 implementation functions These pointers will be required in next commits where subroutines with new instructions are introduced. Depending on CPUID dynamic check, pointers will refer to old SW-only implementations or to new instructions subroutines
2018-02-11 10:40:24 +00:00
static void sha1_sw(SHA_State * s, const unsigned char *q, int len);
Add SHA1 implementation with new instructions SHA1-NI code is conditionally enabled if CPU supports SHA extensions. The procedure is based on Jeffrey Walton's SHA1 implementation: https://github.com/noloader/SHA-Intrinsics
2018-02-18 21:07:06 +00:00
static void sha1_ni(SHA_State * s, const unsigned char *q, int len);
Add pointers to SHA1 and SHA256 implementation functions These pointers will be required in next commits where subroutines with new instructions are introduced. Depending on CPUID dynamic check, pointers will refer to old SW-only implementations or to new instructions subroutines
2018-02-11 10:40:24 +00:00
Adopt C99 <stdint.h> integer types. The annoying int64.h is completely retired, since C99 guarantees a 64-bit integer type that you can actually treat like an ordinary integer. Also, I've replaced the local typedefs uint32 and word32 (scattered through different parts of the crypto code) with the standard uint32_t.
2018-10-26 22:08:58 +00:00
static void SHA_Core_Init(uint32_t h[5])
Run entire source base through GNU indent to tidy up the varying coding styles of the various contributors! Woohoo! [originally from svn r1098]
2001-05-06 14:35:20 +00:00
{
SSH 2 support, phase 1, debugging. Currently does Diffie-Hellman and gets the same results as the server, which is a pretty good start. [originally from svn r569]
2000-09-05 14:28:17 +00:00
h[0] = 0x67452301;
h[1] = 0xefcdab89;
h[2] = 0x98badcfe;
h[3] = 0x10325476;
h[4] = 0xc3d2e1f0;
}
Replace SHA implementation with homegrown one [originally from svn r334]
1999-12-03 11:32:50 +00:00
Adopt C99 <stdint.h> integer types. The annoying int64.h is completely retired, since C99 guarantees a 64-bit integer type that you can actually treat like an ordinary integer. Also, I've replaced the local typedefs uint32 and word32 (scattered through different parts of the crypto code) with the standard uint32_t.
2018-10-26 22:08:58 +00:00
void SHATransform(uint32_t * digest, uint32_t * block)
Run entire source base through GNU indent to tidy up the varying coding styles of the various contributors! Woohoo! [originally from svn r1098]
2001-05-06 14:35:20 +00:00
{
Adopt C99 <stdint.h> integer types. The annoying int64.h is completely retired, since C99 guarantees a 64-bit integer type that you can actually treat like an ordinary integer. Also, I've replaced the local typedefs uint32 and word32 (scattered through different parts of the crypto code) with the standard uint32_t.
2018-10-26 22:08:58 +00:00
uint32_t w[80];
uint32_t a, b, c, d, e;
Replace SHA implementation with homegrown one [originally from svn r334]
1999-12-03 11:32:50 +00:00
int t;
Add some conditionally-compilable diagnostics to the RNG. I got briefly worried that it might not be doing what I thought it was doing, but examining these diagnostics shows that it is after all, and now I've written them it would be a shame not to keep them for future use. [originally from svn r9938]
2013-07-19 17:44:58 +00:00
#ifdef RANDOM_DIAGNOSTICS
{
extern int random_diagnostics;
if (random_diagnostics) {
int i;
printf("SHATransform:");
for (i = 0; i < 5; i++)
printf(" %08x", digest[i]);
printf(" +");
for (i = 0; i < 16; i++)
printf(" %08x", block[i]);
}
}
#endif
Replace SHA implementation with homegrown one [originally from svn r334]
1999-12-03 11:32:50 +00:00
for (t = 0; t < 16; t++)
Run entire source base through GNU indent to tidy up the varying coding styles of the various contributors! Woohoo! [originally from svn r1098]
2001-05-06 14:35:20 +00:00
w[t] = block[t];
Replace SHA implementation with homegrown one [originally from svn r334]
1999-12-03 11:32:50 +00:00
for (t = 16; t < 80; t++) {
Adopt C99 <stdint.h> integer types. The annoying int64.h is completely retired, since C99 guarantees a 64-bit integer type that you can actually treat like an ordinary integer. Also, I've replaced the local typedefs uint32 and word32 (scattered through different parts of the crypto code) with the standard uint32_t.
2018-10-26 22:08:58 +00:00
uint32_t tmp = w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16];
Run entire source base through GNU indent to tidy up the varying coding styles of the various contributors! Woohoo! [originally from svn r1098]
2001-05-06 14:35:20 +00:00
w[t] = rol(tmp, 1);
Replace SHA implementation with homegrown one [originally from svn r334]
1999-12-03 11:32:50 +00:00
}
a = digest[0];
b = digest[1];
c = digest[2];
d = digest[3];
e = digest[4];
for (t = 0; t < 20; t++) {
Adopt C99 <stdint.h> integer types. The annoying int64.h is completely retired, since C99 guarantees a 64-bit integer type that you can actually treat like an ordinary integer. Also, I've replaced the local typedefs uint32 and word32 (scattered through different parts of the crypto code) with the standard uint32_t.
2018-10-26 22:08:58 +00:00
uint32_t tmp =
Run entire source base through GNU indent to tidy up the varying coding styles of the various contributors! Woohoo! [originally from svn r1098]
2001-05-06 14:35:20 +00:00
rol(a, 5) + ((b & c) | (d & ~b)) + e + w[t] + 0x5a827999;
e = d;
d = c;
c = rol(b, 30);
b = a;
a = tmp;
Replace SHA implementation with homegrown one [originally from svn r334]
1999-12-03 11:32:50 +00:00
}
for (t = 20; t < 40; t++) {
Adopt C99 <stdint.h> integer types. The annoying int64.h is completely retired, since C99 guarantees a 64-bit integer type that you can actually treat like an ordinary integer. Also, I've replaced the local typedefs uint32 and word32 (scattered through different parts of the crypto code) with the standard uint32_t.
2018-10-26 22:08:58 +00:00
uint32_t tmp = rol(a, 5) + (b ^ c ^ d) + e + w[t] + 0x6ed9eba1;
Run entire source base through GNU indent to tidy up the varying coding styles of the various contributors! Woohoo! [originally from svn r1098]
2001-05-06 14:35:20 +00:00
e = d;
d = c;
c = rol(b, 30);
b = a;
a = tmp;
Replace SHA implementation with homegrown one [originally from svn r334]
1999-12-03 11:32:50 +00:00
}
for (t = 40; t < 60; t++) {
Adopt C99 <stdint.h> integer types. The annoying int64.h is completely retired, since C99 guarantees a 64-bit integer type that you can actually treat like an ordinary integer. Also, I've replaced the local typedefs uint32 and word32 (scattered through different parts of the crypto code) with the standard uint32_t.
2018-10-26 22:08:58 +00:00
uint32_t tmp = rol(a,
Run entire source base through GNU indent to tidy up the varying coding styles of the various contributors! Woohoo! [originally from svn r1098]
2001-05-06 14:35:20 +00:00
5) + ((b & c) | (b & d) | (c & d)) + e + w[t] +
0x8f1bbcdc;
e = d;
d = c;
c = rol(b, 30);
b = a;
a = tmp;
Replace SHA implementation with homegrown one [originally from svn r334]
1999-12-03 11:32:50 +00:00
}
for (t = 60; t < 80; t++) {
Adopt C99 <stdint.h> integer types. The annoying int64.h is completely retired, since C99 guarantees a 64-bit integer type that you can actually treat like an ordinary integer. Also, I've replaced the local typedefs uint32 and word32 (scattered through different parts of the crypto code) with the standard uint32_t.
2018-10-26 22:08:58 +00:00
uint32_t tmp = rol(a, 5) + (b ^ c ^ d) + e + w[t] + 0xca62c1d6;
Run entire source base through GNU indent to tidy up the varying coding styles of the various contributors! Woohoo! [originally from svn r1098]
2001-05-06 14:35:20 +00:00
e = d;
d = c;
c = rol(b, 30);
b = a;
a = tmp;
Replace SHA implementation with homegrown one [originally from svn r334]
1999-12-03 11:32:50 +00:00
}
digest[0] += a;
digest[1] += b;
digest[2] += c;
digest[3] += d;
digest[4] += e;
Add some conditionally-compilable diagnostics to the RNG. I got briefly worried that it might not be doing what I thought it was doing, but examining these diagnostics shows that it is after all, and now I've written them it would be a shame not to keep them for future use. [originally from svn r9938]
2013-07-19 17:44:58 +00:00
#ifdef RANDOM_DIAGNOSTICS
{
extern int random_diagnostics;
if (random_diagnostics) {
int i;
printf(" =");
for (i = 0; i < 5; i++)
printf(" %08x", digest[i]);
printf("\n");
}
}
#endif
Initial checkin: beta 0.43 [originally from svn r11]
1999-01-08 13:02:13 +00:00
}
SSH 2 support, phase 1, debugging. Currently does Diffie-Hellman and gets the same results as the server, which is a pretty good start. [originally from svn r569]
2000-09-05 14:28:17 +00:00
/* ----------------------------------------------------------------------
* Outer SHA algorithm: take an arbitrary length byte string,
* convert it into 16-word blocks with the prescribed padding at
* the end, and pass those blocks to the core SHA algorithm.
*/
Replace all uses of SHA*_Bytes / MD5Update. In fact, those functions don't even exist any more. The only way to get data into a primitive hash state is via the new put_* system. Of course, that means put_data() is a viable replacement for every previous call to one of the per-hash update functions - but just mechanically doing that would have missed the opportunity to simplify a lot of the call sites.
2018-05-24 09:03:36 +00:00
static void SHA_BinarySink_write(BinarySink *bs, const void *p, size_t len);
New centralised binary-data marshalling system. I've finally got tired of all the code throughout PuTTY that repeats the same logic about how to format the SSH binary primitives like uint32, string, mpint. We've got reasonably organised code in ssh.c that appends things like that to 'struct Packet'; something similar in sftp.c which repeats a lot of the work; utility functions in various places to format an mpint to feed to one or another hash function; and no end of totally ad-hoc stuff in functions like public key blob formatters which actually have to _count up_ the size of data painstakingly, then malloc exactly that much and mess about with PUT_32BIT. It's time to bring all of that into one place, and stop repeating myself in error-prone ways everywhere. The new marshal.h defines a system in which I centralise all the actual marshalling functions, and then layer a touch of C macro trickery on top to allow me to (look as if I) pass a wide range of different types to those functions, as long as the target type has been set up in the right way to have a write() function. This commit adds the new header and source file, and sets up some general centralised types (strbuf and the various hash-function contexts like SHA_State), but doesn't use the new calls for anything yet. (I've also renamed some internal functions in import.c which were using the same names that I've just defined macros over. That won't last long - those functions are going to go away soon, so the changed names are strictly temporary.)
2018-05-24 08:17:13 +00:00
Run entire source base through GNU indent to tidy up the varying coding styles of the various contributors! Woohoo! [originally from svn r1098]
2001-05-06 14:35:20 +00:00
void SHA_Init(SHA_State * s)
{
SSH 2 support, phase 1, debugging. Currently does Diffie-Hellman and gets the same results as the server, which is a pretty good start. [originally from svn r569]
2000-09-05 14:28:17 +00:00
SHA_Core_Init(s->h);
s->blkused = 0;
Adopt C99 <stdint.h> integer types. The annoying int64.h is completely retired, since C99 guarantees a 64-bit integer type that you can actually treat like an ordinary integer. Also, I've replaced the local typedefs uint32 and word32 (scattered through different parts of the crypto code) with the standard uint32_t.
2018-10-26 22:08:58 +00:00
s->len = 0;
Add SHA1 implementation with new instructions SHA1-NI code is conditionally enabled if CPU supports SHA extensions. The procedure is based on Jeffrey Walton's SHA1 implementation: https://github.com/noloader/SHA-Intrinsics
2018-02-18 21:07:06 +00:00
if (supports_sha_ni())
s->sha1 = &sha1_ni;
else
s->sha1 = &sha1_sw;
New centralised binary-data marshalling system. I've finally got tired of all the code throughout PuTTY that repeats the same logic about how to format the SSH binary primitives like uint32, string, mpint. We've got reasonably organised code in ssh.c that appends things like that to 'struct Packet'; something similar in sftp.c which repeats a lot of the work; utility functions in various places to format an mpint to feed to one or another hash function; and no end of totally ad-hoc stuff in functions like public key blob formatters which actually have to _count up_ the size of data painstakingly, then malloc exactly that much and mess about with PUT_32BIT. It's time to bring all of that into one place, and stop repeating myself in error-prone ways everywhere. The new marshal.h defines a system in which I centralise all the actual marshalling functions, and then layer a touch of C macro trickery on top to allow me to (look as if I) pass a wide range of different types to those functions, as long as the target type has been set up in the right way to have a write() function. This commit adds the new header and source file, and sets up some general centralised types (strbuf and the various hash-function contexts like SHA_State), but doesn't use the new calls for anything yet. (I've also renamed some internal functions in import.c which were using the same names that I've just defined macros over. That won't last long - those functions are going to go away soon, so the changed names are strictly temporary.)
2018-05-24 08:17:13 +00:00
BinarySink_INIT(s, SHA_BinarySink_write);
SSH 2 support, phase 1, debugging. Currently does Diffie-Hellman and gets the same results as the server, which is a pretty good start. [originally from svn r569]
2000-09-05 14:28:17 +00:00
}
Replace all uses of SHA*_Bytes / MD5Update. In fact, those functions don't even exist any more. The only way to get data into a primitive hash state is via the new put_* system. Of course, that means put_data() is a viable replacement for every previous call to one of the per-hash update functions - but just mechanically doing that would have missed the opportunity to simplify a lot of the call sites.
2018-05-24 09:03:36 +00:00
static void SHA_BinarySink_write(BinarySink *bs, const void *p, size_t len)
Run entire source base through GNU indent to tidy up the varying coding styles of the various contributors! Woohoo! [originally from svn r1098]
2001-05-06 14:35:20 +00:00
{
Replace all uses of SHA*_Bytes / MD5Update. In fact, those functions don't even exist any more. The only way to get data into a primitive hash state is via the new put_* system. Of course, that means put_data() is a viable replacement for every previous call to one of the per-hash update functions - but just mechanically doing that would have missed the opportunity to simplify a lot of the call sites.
2018-05-24 09:03:36 +00:00
struct SHA_State *s = BinarySink_DOWNCAST(bs, struct SHA_State);
Add an assortment of missing consts I've just noticed. [originally from svn r9972]
2013-07-27 18:35:48 +00:00
const unsigned char *q = (const unsigned char *) p;
SSH 2 support, phase 1, debugging. Currently does Diffie-Hellman and gets the same results as the server, which is a pretty good start. [originally from svn r569]
2000-09-05 14:28:17 +00:00
/*
* Update the length field.
*/
Adopt C99 <stdint.h> integer types. The annoying int64.h is completely retired, since C99 guarantees a 64-bit integer type that you can actually treat like an ordinary integer. Also, I've replaced the local typedefs uint32 and word32 (scattered through different parts of the crypto code) with the standard uint32_t.
2018-10-26 22:08:58 +00:00
s->len += len;
Add pointers to SHA1 and SHA256 implementation functions These pointers will be required in next commits where subroutines with new instructions are introduced. Depending on CPUID dynamic check, pointers will refer to old SW-only implementations or to new instructions subroutines
2018-02-11 10:40:24 +00:00
(*(s->sha1))(s, q, len);
}
static void sha1_sw(SHA_State * s, const unsigned char *q, int len)
{
Adopt C99 <stdint.h> integer types. The annoying int64.h is completely retired, since C99 guarantees a 64-bit integer type that you can actually treat like an ordinary integer. Also, I've replaced the local typedefs uint32 and word32 (scattered through different parts of the crypto code) with the standard uint32_t.
2018-10-26 22:08:58 +00:00
uint32_t wordblock[16];
Add pointers to SHA1 and SHA256 implementation functions These pointers will be required in next commits where subroutines with new instructions are introduced. Depending on CPUID dynamic check, pointers will refer to old SW-only implementations or to new instructions subroutines
2018-02-11 10:40:24 +00:00
int i;
SSH 2 support, phase 1, debugging. Currently does Diffie-Hellman and gets the same results as the server, which is a pretty good start. [originally from svn r569]
2000-09-05 14:28:17 +00:00
Run entire source base through GNU indent to tidy up the varying coding styles of the various contributors! Woohoo! [originally from svn r1098]
2001-05-06 14:35:20 +00:00
if (s->blkused && s->blkused + len < 64) {
/*
* Trivial case: just add to the block.
*/
memcpy(s->block + s->blkused, q, len);
s->blkused += len;
SSH 2 support, phase 1, debugging. Currently does Diffie-Hellman and gets the same results as the server, which is a pretty good start. [originally from svn r569]
2000-09-05 14:28:17 +00:00
} else {
Run entire source base through GNU indent to tidy up the varying coding styles of the various contributors! Woohoo! [originally from svn r1098]
2001-05-06 14:35:20 +00:00
/*
* We must complete and process at least one block.
*/
while (s->blkused + len >= 64) {
memcpy(s->block + s->blkused, q, 64 - s->blkused);
q += 64 - s->blkused;
len -= 64 - s->blkused;
/* Now process the block. Gather bytes big-endian into words */
for (i = 0; i < 16; i++) {
wordblock[i] =
Adopt C99 <stdint.h> integer types. The annoying int64.h is completely retired, since C99 guarantees a 64-bit integer type that you can actually treat like an ordinary integer. Also, I've replaced the local typedefs uint32 and word32 (scattered through different parts of the crypto code) with the standard uint32_t.
2018-10-26 22:08:58 +00:00
(((uint32_t) s->block[i * 4 + 0]) << 24) |
(((uint32_t) s->block[i * 4 + 1]) << 16) |
(((uint32_t) s->block[i * 4 + 2]) << 8) |
(((uint32_t) s->block[i * 4 + 3]) << 0);
Run entire source base through GNU indent to tidy up the varying coding styles of the various contributors! Woohoo! [originally from svn r1098]
2001-05-06 14:35:20 +00:00
}
SHATransform(s->h, wordblock);
s->blkused = 0;
}
memcpy(s->block, q, len);
s->blkused = len;
SSH 2 support, phase 1, debugging. Currently does Diffie-Hellman and gets the same results as the server, which is a pretty good start. [originally from svn r569]
2000-09-05 14:28:17 +00:00
}
}
Run entire source base through GNU indent to tidy up the varying coding styles of the various contributors! Woohoo! [originally from svn r1098]
2001-05-06 14:35:20 +00:00
void SHA_Final(SHA_State * s, unsigned char *output)
{
SSH 2 support, phase 1, debugging. Currently does Diffie-Hellman and gets the same results as the server, which is a pretty good start. [originally from svn r569]
2000-09-05 14:28:17 +00:00
int i;
int pad;
unsigned char c[64];
Adopt C99 <stdint.h> integer types. The annoying int64.h is completely retired, since C99 guarantees a 64-bit integer type that you can actually treat like an ordinary integer. Also, I've replaced the local typedefs uint32 and word32 (scattered through different parts of the crypto code) with the standard uint32_t.
2018-10-26 22:08:58 +00:00
uint64_t len;
SSH 2 support, phase 1, debugging. Currently does Diffie-Hellman and gets the same results as the server, which is a pretty good start. [originally from svn r569]
2000-09-05 14:28:17 +00:00
if (s->blkused >= 56)
Run entire source base through GNU indent to tidy up the varying coding styles of the various contributors! Woohoo! [originally from svn r1098]
2001-05-06 14:35:20 +00:00
pad = 56 + 64 - s->blkused;
SSH 2 support, phase 1, debugging. Currently does Diffie-Hellman and gets the same results as the server, which is a pretty good start. [originally from svn r569]
2000-09-05 14:28:17 +00:00
else
Run entire source base through GNU indent to tidy up the varying coding styles of the various contributors! Woohoo! [originally from svn r1098]
2001-05-06 14:35:20 +00:00
pad = 56 - s->blkused;
SSH 2 support, phase 1, debugging. Currently does Diffie-Hellman and gets the same results as the server, which is a pretty good start. [originally from svn r569]
2000-09-05 14:28:17 +00:00
Adopt C99 <stdint.h> integer types. The annoying int64.h is completely retired, since C99 guarantees a 64-bit integer type that you can actually treat like an ordinary integer. Also, I've replaced the local typedefs uint32 and word32 (scattered through different parts of the crypto code) with the standard uint32_t.
2018-10-26 22:08:58 +00:00
len = (s->len << 3);
SSH 2 support, phase 1, debugging. Currently does Diffie-Hellman and gets the same results as the server, which is a pretty good start. [originally from svn r569]
2000-09-05 14:28:17 +00:00
memset(c, 0, pad);
c[0] = 0x80;
Replace all uses of SHA*_Bytes / MD5Update. In fact, those functions don't even exist any more. The only way to get data into a primitive hash state is via the new put_* system. Of course, that means put_data() is a viable replacement for every previous call to one of the per-hash update functions - but just mechanically doing that would have missed the opportunity to simplify a lot of the call sites.
2018-05-24 09:03:36 +00:00
put_data(s, &c, pad);
SSH 2 support, phase 1, debugging. Currently does Diffie-Hellman and gets the same results as the server, which is a pretty good start. [originally from svn r569]
2000-09-05 14:28:17 +00:00
Adopt C99 <stdint.h> integer types. The annoying int64.h is completely retired, since C99 guarantees a 64-bit integer type that you can actually treat like an ordinary integer. Also, I've replaced the local typedefs uint32 and word32 (scattered through different parts of the crypto code) with the standard uint32_t.
2018-10-26 22:08:58 +00:00
put_uint64(s, len);
SSH 2 support, phase 1, debugging. Currently does Diffie-Hellman and gets the same results as the server, which is a pretty good start. [originally from svn r569]
2000-09-05 14:28:17 +00:00
for (i = 0; i < 5; i++) {
Run entire source base through GNU indent to tidy up the varying coding styles of the various contributors! Woohoo! [originally from svn r1098]
2001-05-06 14:35:20 +00:00
output[i * 4] = (s->h[i] >> 24) & 0xFF;
output[i * 4 + 1] = (s->h[i] >> 16) & 0xFF;
output[i * 4 + 2] = (s->h[i] >> 8) & 0xFF;
output[i * 4 + 3] = (s->h[i]) & 0xFF;
SSH 2 support, phase 1, debugging. Currently does Diffie-Hellman and gets the same results as the server, which is a pretty good start. [originally from svn r569]
2000-09-05 14:28:17 +00:00
}
}
Add an assortment of missing consts I've just noticed. [originally from svn r9972]
2013-07-27 18:35:48 +00:00
void SHA_Simple(const void *p, int len, unsigned char *output)
Run entire source base through GNU indent to tidy up the varying coding styles of the various contributors! Woohoo! [originally from svn r1098]
2001-05-06 14:35:20 +00:00
{
SSH 2 support, phase 1, debugging. Currently does Diffie-Hellman and gets the same results as the server, which is a pretty good start. [originally from svn r569]
2000-09-05 14:28:17 +00:00
SHA_State s;
SHA_Init(&s);
Replace all uses of SHA*_Bytes / MD5Update. In fact, those functions don't even exist any more. The only way to get data into a primitive hash state is via the new put_* system. Of course, that means put_data() is a viable replacement for every previous call to one of the per-hash update functions - but just mechanically doing that would have missed the opportunity to simplify a lot of the call sites.
2018-05-24 09:03:36 +00:00
put_data(&s, p, len);
SSH 2 support, phase 1, debugging. Currently does Diffie-Hellman and gets the same results as the server, which is a pretty good start. [originally from svn r569]
2000-09-05 14:28:17 +00:00
SHA_Final(&s, output);
Add smemclrs of all hash states we destroy.
2015-04-26 22:55:33 +00:00
smemclr(&s, sizeof(s));
SSH 2 support, phase 1, debugging. Currently does Diffie-Hellman and gets the same results as the server, which is a pretty good start. [originally from svn r569]
2000-09-05 14:28:17 +00:00
}
Add infrastructure for supporting multiple hashes in key exchange. Nothing very surprising here. [originally from svn r6251]
2005-08-31 20:43:06 +00:00
/*
* Thin abstraction for things where hashes are pluggable.
*/
Turn SSH hashes into a classoid. The new version of ssh_hash has the same nice property as ssh2_mac, that I can make the generic interface object type function directly as a BinarySink so that clients don't have to call h->sink() and worry about the separate sink object they get back from that.
2018-09-13 15:41:46 +00:00
struct sha1_hash {
SHA_State state;
ssh_hash hash;
};
Add infrastructure for supporting multiple hashes in key exchange. Nothing very surprising here. [originally from svn r6251]
2005-08-31 20:43:06 +00:00
Turn SSH hashes into a classoid. The new version of ssh_hash has the same nice property as ssh2_mac, that I can make the generic interface object type function directly as a BinarySink so that clients don't have to call h->sink() and worry about the separate sink object they get back from that.
2018-09-13 15:41:46 +00:00
static ssh_hash *sha1_new(const struct ssh_hashalg *alg)
{
struct sha1_hash *h = snew(struct sha1_hash);
SHA_Init(&h->state);
h->hash.vt = alg;
BinarySink_DELEGATE_INIT(&h->hash, &h->state);
return &h->hash;
Add infrastructure for supporting multiple hashes in key exchange. Nothing very surprising here. [originally from svn r6251]
2005-08-31 20:43:06 +00:00
}
Turn SSH hashes into a classoid. The new version of ssh_hash has the same nice property as ssh2_mac, that I can make the generic interface object type function directly as a BinarySink so that clients don't have to call h->sink() and worry about the separate sink object they get back from that.
2018-09-13 15:41:46 +00:00
static ssh_hash *sha1_copy(ssh_hash *hashold)
Add copy and free methods to 'struct ssh_hash'. This permits a hash state to be cloned in the middle of being used, so that multiple strings with the same prefix can be hashed without having to repeat all the computation over the prefix. Having done that, we'll also sometimes need to free a hash state that we aren't generating actual hash output from, so we need a free method as well.
2015-08-21 22:13:59 +00:00
{
Turn SSH hashes into a classoid. The new version of ssh_hash has the same nice property as ssh2_mac, that I can make the generic interface object type function directly as a BinarySink so that clients don't have to call h->sink() and worry about the separate sink object they get back from that.
2018-09-13 15:41:46 +00:00
struct sha1_hash *hold, *hnew;
ssh_hash *hashnew = sha1_new(hashold->vt);
Add copy and free methods to 'struct ssh_hash'. This permits a hash state to be cloned in the middle of being used, so that multiple strings with the same prefix can be hashed without having to repeat all the computation over the prefix. Having done that, we'll also sometimes need to free a hash state that we aren't generating actual hash output from, so we need a free method as well.
2015-08-21 22:13:59 +00:00
Rename FROMFIELD to 'container_of'. Ian Jackson points out that the Linux kernel has a macro of this name with the same purpose, and suggests that it's a good idea to use the same name as they do, so that at least some people reading one code base might recognise it from the other. I never really thought very hard about what order FROMFIELD's parameters should go in, and therefore I'm pleasantly surprised to find that my order agrees with the kernel's, so I don't have to permute every call site as part of making this change :-)
2018-10-05 22:49:08 +00:00
hold = container_of(hashold, struct sha1_hash, hash);
hnew = container_of(hashnew, struct sha1_hash, hash);
Add copy and free methods to 'struct ssh_hash'. This permits a hash state to be cloned in the middle of being used, so that multiple strings with the same prefix can be hashed without having to repeat all the computation over the prefix. Having done that, we'll also sometimes need to free a hash state that we aren't generating actual hash output from, so we need a free method as well.
2015-08-21 22:13:59 +00:00
Turn SSH hashes into a classoid. The new version of ssh_hash has the same nice property as ssh2_mac, that I can make the generic interface object type function directly as a BinarySink so that clients don't have to call h->sink() and worry about the separate sink object they get back from that.
2018-09-13 15:41:46 +00:00
hnew->state = hold->state;
BinarySink_COPIED(&hnew->state);
Add copy and free methods to 'struct ssh_hash'. This permits a hash state to be cloned in the middle of being used, so that multiple strings with the same prefix can be hashed without having to repeat all the computation over the prefix. Having done that, we'll also sometimes need to free a hash state that we aren't generating actual hash output from, so we need a free method as well.
2015-08-21 22:13:59 +00:00
Turn SSH hashes into a classoid. The new version of ssh_hash has the same nice property as ssh2_mac, that I can make the generic interface object type function directly as a BinarySink so that clients don't have to call h->sink() and worry about the separate sink object they get back from that.
2018-09-13 15:41:46 +00:00
return hashnew;
Add copy and free methods to 'struct ssh_hash'. This permits a hash state to be cloned in the middle of being used, so that multiple strings with the same prefix can be hashed without having to repeat all the computation over the prefix. Having done that, we'll also sometimes need to free a hash state that we aren't generating actual hash output from, so we need a free method as well.
2015-08-21 22:13:59 +00:00
}
Turn SSH hashes into a classoid. The new version of ssh_hash has the same nice property as ssh2_mac, that I can make the generic interface object type function directly as a BinarySink so that clients don't have to call h->sink() and worry about the separate sink object they get back from that.
2018-09-13 15:41:46 +00:00
static void sha1_free(ssh_hash *hash)
Add infrastructure for supporting multiple hashes in key exchange. Nothing very surprising here. [originally from svn r6251]
2005-08-31 20:43:06 +00:00
{
Rename FROMFIELD to 'container_of'. Ian Jackson points out that the Linux kernel has a macro of this name with the same purpose, and suggests that it's a good idea to use the same name as they do, so that at least some people reading one code base might recognise it from the other. I never really thought very hard about what order FROMFIELD's parameters should go in, and therefore I'm pleasantly surprised to find that my order agrees with the kernel's, so I don't have to permute every call site as part of making this change :-)
2018-10-05 22:49:08 +00:00
struct sha1_hash *h = container_of(hash, struct sha1_hash, hash);
Turn SSH hashes into a classoid. The new version of ssh_hash has the same nice property as ssh2_mac, that I can make the generic interface object type function directly as a BinarySink so that clients don't have to call h->sink() and worry about the separate sink object they get back from that.
2018-09-13 15:41:46 +00:00
smemclr(h, sizeof(*h));
sfree(h);
Add infrastructure for supporting multiple hashes in key exchange. Nothing very surprising here. [originally from svn r6251]
2005-08-31 20:43:06 +00:00
}
Turn SSH hashes into a classoid. The new version of ssh_hash has the same nice property as ssh2_mac, that I can make the generic interface object type function directly as a BinarySink so that clients don't have to call h->sink() and worry about the separate sink object they get back from that.
2018-09-13 15:41:46 +00:00
static void sha1_final(ssh_hash *hash, unsigned char *output)
Add infrastructure for supporting multiple hashes in key exchange. Nothing very surprising here. [originally from svn r6251]
2005-08-31 20:43:06 +00:00
{
Rename FROMFIELD to 'container_of'. Ian Jackson points out that the Linux kernel has a macro of this name with the same purpose, and suggests that it's a good idea to use the same name as they do, so that at least some people reading one code base might recognise it from the other. I never really thought very hard about what order FROMFIELD's parameters should go in, and therefore I'm pleasantly surprised to find that my order agrees with the kernel's, so I don't have to permute every call site as part of making this change :-)
2018-10-05 22:49:08 +00:00
struct sha1_hash *h = container_of(hash, struct sha1_hash, hash);
Turn SSH hashes into a classoid. The new version of ssh_hash has the same nice property as ssh2_mac, that I can make the generic interface object type function directly as a BinarySink so that clients don't have to call h->sink() and worry about the separate sink object they get back from that.
2018-09-13 15:41:46 +00:00
SHA_Final(&h->state, output);
sha1_free(hash);
Add infrastructure for supporting multiple hashes in key exchange. Nothing very surprising here. [originally from svn r6251]
2005-08-31 20:43:06 +00:00
}
Turn SSH hashes into a classoid. The new version of ssh_hash has the same nice property as ssh2_mac, that I can make the generic interface object type function directly as a BinarySink so that clients don't have to call h->sink() and worry about the separate sink object they get back from that.
2018-09-13 15:41:46 +00:00
const struct ssh_hashalg ssh_sha1 = {
sha1_new, sha1_copy, sha1_final, sha1_free, 20, "SHA-1"
Add infrastructure for supporting multiple hashes in key exchange. Nothing very surprising here. [originally from svn r6251]
2005-08-31 20:43:06 +00:00
};
SSH 2 support, phase 1, debugging. Currently does Diffie-Hellman and gets the same results as the server, which is a pretty good start. [originally from svn r569]
2000-09-05 14:28:17 +00:00
/* ----------------------------------------------------------------------
* The above is the SHA-1 algorithm itself. Now we implement the
* HMAC wrapper on it.
*/
Turn SSH-2 MACs into a classoid. This piece of tidying-up has come out particularly well in terms of saving tedious repetition and boilerplate. I've managed to remove three pointless methods from every MAC implementation by means of writing them once centrally in terms of the implementation-specific methods; another method (hmacmd5_sink) vanished because I was able to make the interface type 'ssh2_mac' be directly usable as a BinarySink by way of a new delegation system; and because all the method implementations can now find their own vtable, I was even able to merge a lot of keying and output functions that had previously differed only in length parameters by having them look up the lengths in whatever vtable they were passed.
2018-09-13 15:15:17 +00:00
struct hmacsha1 {
SHA_State sha[3];
ssh2_mac mac;
};
static ssh2_mac *hmacsha1_new(
const struct ssh2_macalg *alg, ssh2_cipher *cipher)
SSH2 MACs now use dynamically allocated contexts. [originally from svn r2131]
2002-10-25 12:51:28 +00:00
{
Turn SSH-2 MACs into a classoid. This piece of tidying-up has come out particularly well in terms of saving tedious repetition and boilerplate. I've managed to remove three pointless methods from every MAC implementation by means of writing them once centrally in terms of the implementation-specific methods; another method (hmacmd5_sink) vanished because I was able to make the interface type 'ssh2_mac' be directly usable as a BinarySink by way of a new delegation system; and because all the method implementations can now find their own vtable, I was even able to merge a lot of keying and output functions that had previously differed only in length parameters by having them look up the lengths in whatever vtable they were passed.
2018-09-13 15:15:17 +00:00
struct hmacsha1 *ctx = snew(struct hmacsha1);
ctx->mac.vt = alg;
BinarySink_DELEGATE_INIT(&ctx->mac, &ctx->sha[2]);
return &ctx->mac;
SSH2 MACs now use dynamically allocated contexts. [originally from svn r2131]
2002-10-25 12:51:28 +00:00
}
Turn SSH-2 MACs into a classoid. This piece of tidying-up has come out particularly well in terms of saving tedious repetition and boilerplate. I've managed to remove three pointless methods from every MAC implementation by means of writing them once centrally in terms of the implementation-specific methods; another method (hmacmd5_sink) vanished because I was able to make the interface type 'ssh2_mac' be directly usable as a BinarySink by way of a new delegation system; and because all the method implementations can now find their own vtable, I was even able to merge a lot of keying and output functions that had previously differed only in length parameters by having them look up the lengths in whatever vtable they were passed.
2018-09-13 15:15:17 +00:00
static void hmacsha1_free(ssh2_mac *mac)
SSH2 MACs now use dynamically allocated contexts. [originally from svn r2131]
2002-10-25 12:51:28 +00:00
{
Rename FROMFIELD to 'container_of'. Ian Jackson points out that the Linux kernel has a macro of this name with the same purpose, and suggests that it's a good idea to use the same name as they do, so that at least some people reading one code base might recognise it from the other. I never really thought very hard about what order FROMFIELD's parameters should go in, and therefore I'm pleasantly surprised to find that my order agrees with the kernel's, so I don't have to permute every call site as part of making this change :-)
2018-10-05 22:49:08 +00:00
struct hmacsha1 *ctx = container_of(mac, struct hmacsha1, mac);
Turn SSH-2 MACs into a classoid. This piece of tidying-up has come out particularly well in terms of saving tedious repetition and boilerplate. I've managed to remove three pointless methods from every MAC implementation by means of writing them once centrally in terms of the implementation-specific methods; another method (hmacmd5_sink) vanished because I was able to make the interface type 'ssh2_mac' be directly usable as a BinarySink by way of a new delegation system; and because all the method implementations can now find their own vtable, I was even able to merge a lot of keying and output functions that had previously differed only in length parameters by having them look up the lengths in whatever vtable they were passed.
2018-09-13 15:15:17 +00:00
smemclr(ctx, sizeof(*ctx));
sfree(ctx);
SSH2 MACs now use dynamically allocated contexts. [originally from svn r2131]
2002-10-25 12:51:28 +00:00
}
SSH 2 support, phase 1, debugging. Currently does Diffie-Hellman and gets the same results as the server, which is a pretty good start. [originally from svn r569]
2000-09-05 14:28:17 +00:00
Turn SSH-2 MACs into a classoid. This piece of tidying-up has come out particularly well in terms of saving tedious repetition and boilerplate. I've managed to remove three pointless methods from every MAC implementation by means of writing them once centrally in terms of the implementation-specific methods; another method (hmacmd5_sink) vanished because I was able to make the interface type 'ssh2_mac' be directly usable as a BinarySink by way of a new delegation system; and because all the method implementations can now find their own vtable, I was even able to merge a lot of keying and output functions that had previously differed only in length parameters by having them look up the lengths in whatever vtable they were passed.
2018-09-13 15:15:17 +00:00
static void sha1_key_internal(SHA_State *keys,
const unsigned char *key, int len)
Run entire source base through GNU indent to tidy up the varying coding styles of the various contributors! Woohoo! [originally from svn r1098]
2001-05-06 14:35:20 +00:00
{
SSH 2 support, phase 1, debugging. Currently does Diffie-Hellman and gets the same results as the server, which is a pretty good start. [originally from svn r569]
2000-09-05 14:28:17 +00:00
unsigned char foo[64];
int i;
memset(foo, 0x36, 64);
for (i = 0; i < len && i < 64; i++)
Run entire source base through GNU indent to tidy up the varying coding styles of the various contributors! Woohoo! [originally from svn r1098]
2001-05-06 14:35:20 +00:00
foo[i] ^= key[i];
SSH2 MACs now use dynamically allocated contexts. [originally from svn r2131]
2002-10-25 12:51:28 +00:00
SHA_Init(&keys[0]);
Replace all uses of SHA*_Bytes / MD5Update. In fact, those functions don't even exist any more. The only way to get data into a primitive hash state is via the new put_* system. Of course, that means put_data() is a viable replacement for every previous call to one of the per-hash update functions - but just mechanically doing that would have missed the opportunity to simplify a lot of the call sites.
2018-05-24 09:03:36 +00:00
put_data(&keys[0], foo, 64);
SSH 2 support, phase 1, debugging. Currently does Diffie-Hellman and gets the same results as the server, which is a pretty good start. [originally from svn r569]
2000-09-05 14:28:17 +00:00
memset(foo, 0x5C, 64);
for (i = 0; i < len && i < 64; i++)
Run entire source base through GNU indent to tidy up the varying coding styles of the various contributors! Woohoo! [originally from svn r1098]
2001-05-06 14:35:20 +00:00
foo[i] ^= key[i];
SSH2 MACs now use dynamically allocated contexts. [originally from svn r2131]
2002-10-25 12:51:28 +00:00
SHA_Init(&keys[1]);
Replace all uses of SHA*_Bytes / MD5Update. In fact, those functions don't even exist any more. The only way to get data into a primitive hash state is via the new put_* system. Of course, that means put_data() is a viable replacement for every previous call to one of the per-hash update functions - but just mechanically doing that would have missed the opportunity to simplify a lot of the call sites.
2018-05-24 09:03:36 +00:00
put_data(&keys[1], foo, 64);
SSH 2 support, phase 1, debugging. Currently does Diffie-Hellman and gets the same results as the server, which is a pretty good start. [originally from svn r569]
2000-09-05 14:28:17 +00:00
Introduce a new utility function smemclr(), which memsets things to zero but does it in such a way that over-clever compilers hopefully won't helpfully optimise the call away if you do it just before freeing something or letting it go out of scope. Use this for (hopefully) every memset whose job is to destroy sensitive data that might otherwise be left lying around in the process's memory. [originally from svn r9586]
2012-07-22 19:51:50 +00:00
smemclr(foo, 64); /* burn the evidence */
SSH 2 support, phase 1, debugging. Currently does Diffie-Hellman and gets the same results as the server, which is a pretty good start. [originally from svn r569]
2000-09-05 14:28:17 +00:00
}
Turn SSH-2 MACs into a classoid. This piece of tidying-up has come out particularly well in terms of saving tedious repetition and boilerplate. I've managed to remove three pointless methods from every MAC implementation by means of writing them once centrally in terms of the implementation-specific methods; another method (hmacmd5_sink) vanished because I was able to make the interface type 'ssh2_mac' be directly usable as a BinarySink by way of a new delegation system; and because all the method implementations can now find their own vtable, I was even able to merge a lot of keying and output functions that had previously differed only in length parameters by having them look up the lengths in whatever vtable they were passed.
2018-09-13 15:15:17 +00:00
static void hmacsha1_key(ssh2_mac *mac, const void *key)
Run entire source base through GNU indent to tidy up the varying coding styles of the various contributors! Woohoo! [originally from svn r1098]
2001-05-06 14:35:20 +00:00
{
Rename FROMFIELD to 'container_of'. Ian Jackson points out that the Linux kernel has a macro of this name with the same purpose, and suggests that it's a good idea to use the same name as they do, so that at least some people reading one code base might recognise it from the other. I never really thought very hard about what order FROMFIELD's parameters should go in, and therefore I'm pleasantly surprised to find that my order agrees with the kernel's, so I don't have to permute every call site as part of making this change :-)
2018-10-05 22:49:08 +00:00
struct hmacsha1 *ctx = container_of(mac, struct hmacsha1, mac);
Turn SSH-2 MACs into a classoid. This piece of tidying-up has come out particularly well in terms of saving tedious repetition and boilerplate. I've managed to remove three pointless methods from every MAC implementation by means of writing them once centrally in terms of the implementation-specific methods; another method (hmacmd5_sink) vanished because I was able to make the interface type 'ssh2_mac' be directly usable as a BinarySink by way of a new delegation system; and because all the method implementations can now find their own vtable, I was even able to merge a lot of keying and output functions that had previously differed only in length parameters by having them look up the lengths in whatever vtable they were passed.
2018-09-13 15:15:17 +00:00
/* Reading the key length out of the ssh2_macalg structure means
* this same method can be used for the _buggy variants which use
* a shorter key */
sha1_key_internal(ctx->sha, key, ctx->mac.vt->keylen);
Add a config option to emulate the HMAC bug in commercial SSH v2.3.x and earlier (namely, it uses only 16 bytes of key rather than 20). [originally from svn r706]
2000-10-12 12:39:44 +00:00
}
Turn SSH-2 MACs into a classoid. This piece of tidying-up has come out particularly well in terms of saving tedious repetition and boilerplate. I've managed to remove three pointless methods from every MAC implementation by means of writing them once centrally in terms of the implementation-specific methods; another method (hmacmd5_sink) vanished because I was able to make the interface type 'ssh2_mac' be directly usable as a BinarySink by way of a new delegation system; and because all the method implementations can now find their own vtable, I was even able to merge a lot of keying and output functions that had previously differed only in length parameters by having them look up the lengths in whatever vtable they were passed.
2018-09-13 15:15:17 +00:00
static void hmacsha1_start(ssh2_mac *mac)
Mitigation for VU#958563: When using a CBC-mode server-to-client cipher under SSH-2, don't risk looking at the length field of an incoming packet until we've successfully MAC'ed the packet. This requires a change to the MAC mechanics so that we can calculate MACs incrementally, and output a MAC for the packet so far while still being able to add more data to the packet later. [originally from svn r8334]
2008-11-26 12:49:25 +00:00
{
Rename FROMFIELD to 'container_of'. Ian Jackson points out that the Linux kernel has a macro of this name with the same purpose, and suggests that it's a good idea to use the same name as they do, so that at least some people reading one code base might recognise it from the other. I never really thought very hard about what order FROMFIELD's parameters should go in, and therefore I'm pleasantly surprised to find that my order agrees with the kernel's, so I don't have to permute every call site as part of making this change :-)
2018-10-05 22:49:08 +00:00
struct hmacsha1 *ctx = container_of(mac, struct hmacsha1, mac);
Mitigation for VU#958563: When using a CBC-mode server-to-client cipher under SSH-2, don't risk looking at the length field of an incoming packet until we've successfully MAC'ed the packet. This requires a change to the MAC mechanics so that we can calculate MACs incrementally, and output a MAC for the packet so far while still being able to add more data to the packet later. [originally from svn r8334]
2008-11-26 12:49:25 +00:00
Turn SSH-2 MACs into a classoid. This piece of tidying-up has come out particularly well in terms of saving tedious repetition and boilerplate. I've managed to remove three pointless methods from every MAC implementation by means of writing them once centrally in terms of the implementation-specific methods; another method (hmacmd5_sink) vanished because I was able to make the interface type 'ssh2_mac' be directly usable as a BinarySink by way of a new delegation system; and because all the method implementations can now find their own vtable, I was even able to merge a lot of keying and output functions that had previously differed only in length parameters by having them look up the lengths in whatever vtable they were passed.
2018-09-13 15:15:17 +00:00
ctx->sha[2] = ctx->sha[0]; /* structure copy */
BinarySink_COPIED(&ctx->sha[2]);
Mitigation for VU#958563: When using a CBC-mode server-to-client cipher under SSH-2, don't risk looking at the length field of an incoming packet until we've successfully MAC'ed the packet. This requires a change to the MAC mechanics so that we can calculate MACs incrementally, and output a MAC for the packet so far while still being able to add more data to the packet later. [originally from svn r8334]
2008-11-26 12:49:25 +00:00
}
Turn SSH-2 MACs into a classoid. This piece of tidying-up has come out particularly well in terms of saving tedious repetition and boilerplate. I've managed to remove three pointless methods from every MAC implementation by means of writing them once centrally in terms of the implementation-specific methods; another method (hmacmd5_sink) vanished because I was able to make the interface type 'ssh2_mac' be directly usable as a BinarySink by way of a new delegation system; and because all the method implementations can now find their own vtable, I was even able to merge a lot of keying and output functions that had previously differed only in length parameters by having them look up the lengths in whatever vtable they were passed.
2018-09-13 15:15:17 +00:00
static void hmacsha1_genresult(ssh2_mac *mac, unsigned char *hmac)
Mitigation for VU#958563: When using a CBC-mode server-to-client cipher under SSH-2, don't risk looking at the length field of an incoming packet until we've successfully MAC'ed the packet. This requires a change to the MAC mechanics so that we can calculate MACs incrementally, and output a MAC for the packet so far while still being able to add more data to the packet later. [originally from svn r8334]
2008-11-26 12:49:25 +00:00
{
Rename FROMFIELD to 'container_of'. Ian Jackson points out that the Linux kernel has a macro of this name with the same purpose, and suggests that it's a good idea to use the same name as they do, so that at least some people reading one code base might recognise it from the other. I never really thought very hard about what order FROMFIELD's parameters should go in, and therefore I'm pleasantly surprised to find that my order agrees with the kernel's, so I don't have to permute every call site as part of making this change :-)
2018-10-05 22:49:08 +00:00
struct hmacsha1 *ctx = container_of(mac, struct hmacsha1, mac);
SSH 2 support, phase 1, debugging. Currently does Diffie-Hellman and gets the same results as the server, which is a pretty good start. [originally from svn r569]
2000-09-05 14:28:17 +00:00
SHA_State s;
unsigned char intermediate[20];
Turn SSH-2 MACs into a classoid. This piece of tidying-up has come out particularly well in terms of saving tedious repetition and boilerplate. I've managed to remove three pointless methods from every MAC implementation by means of writing them once centrally in terms of the implementation-specific methods; another method (hmacmd5_sink) vanished because I was able to make the interface type 'ssh2_mac' be directly usable as a BinarySink by way of a new delegation system; and because all the method implementations can now find their own vtable, I was even able to merge a lot of keying and output functions that had previously differed only in length parameters by having them look up the lengths in whatever vtable they were passed.
2018-09-13 15:15:17 +00:00
s = ctx->sha[2]; /* structure copy */
New centralised binary-data marshalling system. I've finally got tired of all the code throughout PuTTY that repeats the same logic about how to format the SSH binary primitives like uint32, string, mpint. We've got reasonably organised code in ssh.c that appends things like that to 'struct Packet'; something similar in sftp.c which repeats a lot of the work; utility functions in various places to format an mpint to feed to one or another hash function; and no end of totally ad-hoc stuff in functions like public key blob formatters which actually have to _count up_ the size of data painstakingly, then malloc exactly that much and mess about with PUT_32BIT. It's time to bring all of that into one place, and stop repeating myself in error-prone ways everywhere. The new marshal.h defines a system in which I centralise all the actual marshalling functions, and then layer a touch of C macro trickery on top to allow me to (look as if I) pass a wide range of different types to those functions, as long as the target type has been set up in the right way to have a write() function. This commit adds the new header and source file, and sets up some general centralised types (strbuf and the various hash-function contexts like SHA_State), but doesn't use the new calls for anything yet. (I've also renamed some internal functions in import.c which were using the same names that I've just defined macros over. That won't last long - those functions are going to go away soon, so the changed names are strictly temporary.)
2018-05-24 08:17:13 +00:00
BinarySink_COPIED(&s);
SSH 2 support, phase 1, debugging. Currently does Diffie-Hellman and gets the same results as the server, which is a pretty good start. [originally from svn r569]
2000-09-05 14:28:17 +00:00
SHA_Final(&s, intermediate);
Turn SSH-2 MACs into a classoid. This piece of tidying-up has come out particularly well in terms of saving tedious repetition and boilerplate. I've managed to remove three pointless methods from every MAC implementation by means of writing them once centrally in terms of the implementation-specific methods; another method (hmacmd5_sink) vanished because I was able to make the interface type 'ssh2_mac' be directly usable as a BinarySink by way of a new delegation system; and because all the method implementations can now find their own vtable, I was even able to merge a lot of keying and output functions that had previously differed only in length parameters by having them look up the lengths in whatever vtable they were passed.
2018-09-13 15:15:17 +00:00
s = ctx->sha[1]; /* structure copy */
New centralised binary-data marshalling system. I've finally got tired of all the code throughout PuTTY that repeats the same logic about how to format the SSH binary primitives like uint32, string, mpint. We've got reasonably organised code in ssh.c that appends things like that to 'struct Packet'; something similar in sftp.c which repeats a lot of the work; utility functions in various places to format an mpint to feed to one or another hash function; and no end of totally ad-hoc stuff in functions like public key blob formatters which actually have to _count up_ the size of data painstakingly, then malloc exactly that much and mess about with PUT_32BIT. It's time to bring all of that into one place, and stop repeating myself in error-prone ways everywhere. The new marshal.h defines a system in which I centralise all the actual marshalling functions, and then layer a touch of C macro trickery on top to allow me to (look as if I) pass a wide range of different types to those functions, as long as the target type has been set up in the right way to have a write() function. This commit adds the new header and source file, and sets up some general centralised types (strbuf and the various hash-function contexts like SHA_State), but doesn't use the new calls for anything yet. (I've also renamed some internal functions in import.c which were using the same names that I've just defined macros over. That won't last long - those functions are going to go away soon, so the changed names are strictly temporary.)
2018-05-24 08:17:13 +00:00
BinarySink_COPIED(&s);
Replace all uses of SHA*_Bytes / MD5Update. In fact, those functions don't even exist any more. The only way to get data into a primitive hash state is via the new put_* system. Of course, that means put_data() is a viable replacement for every previous call to one of the per-hash update functions - but just mechanically doing that would have missed the opportunity to simplify a lot of the call sites.
2018-05-24 09:03:36 +00:00
put_data(&s, intermediate, 20);
Turn SSH-2 MACs into a classoid. This piece of tidying-up has come out particularly well in terms of saving tedious repetition and boilerplate. I've managed to remove three pointless methods from every MAC implementation by means of writing them once centrally in terms of the implementation-specific methods; another method (hmacmd5_sink) vanished because I was able to make the interface type 'ssh2_mac' be directly usable as a BinarySink by way of a new delegation system; and because all the method implementations can now find their own vtable, I was even able to merge a lot of keying and output functions that had previously differed only in length parameters by having them look up the lengths in whatever vtable they were passed.
2018-09-13 15:15:17 +00:00
SHA_Final(&s, intermediate);
memcpy(hmac, intermediate, ctx->mac.vt->len);
smemclr(intermediate, sizeof(intermediate));
Implement hmac-sha1-96. It's RECOMMENDED in the current transport draft, and we don't have any strong reason not to implement it, for all that it's rather pointless. [originally from svn r6284]
2005-09-10 16:19:53 +00:00
}
Clean up a couple of consts and char pointers. hmacmd5_do_hmac and hmac_sha1_simple should be consistently referring to input memory blocks as 'const void *', but one had pointlessly typed the pointer as 'const unsigned char *' and the other had missed out the consts.
2018-09-13 15:43:30 +00:00
void hmac_sha1_simple(const void *key, int keylen,
const void *data, int datalen,
Add support for DSA authentication in SSH2, following clever ideas on how to get round the problem of generating a good k. [originally from svn r1284]
2001-09-22 20:52:21 +00:00
unsigned char *output) {
SSH2 MACs now use dynamically allocated contexts. [originally from svn r2131]
2002-10-25 12:51:28 +00:00
SHA_State states[2];
Add support for DSA authentication in SSH2, following clever ideas on how to get round the problem of generating a good k. [originally from svn r1284]
2001-09-22 20:52:21 +00:00
unsigned char intermediate[20];
SSH2 MACs now use dynamically allocated contexts. [originally from svn r2131]
2002-10-25 12:51:28 +00:00
sha1_key_internal(states, key, keylen);
Replace all uses of SHA*_Bytes / MD5Update. In fact, those functions don't even exist any more. The only way to get data into a primitive hash state is via the new put_* system. Of course, that means put_data() is a viable replacement for every previous call to one of the per-hash update functions - but just mechanically doing that would have missed the opportunity to simplify a lot of the call sites.
2018-05-24 09:03:36 +00:00
put_data(&states[0], data, datalen);
SSH2 MACs now use dynamically allocated contexts. [originally from svn r2131]
2002-10-25 12:51:28 +00:00
SHA_Final(&states[0], intermediate);
Add support for DSA authentication in SSH2, following clever ideas on how to get round the problem of generating a good k. [originally from svn r1284]
2001-09-22 20:52:21 +00:00
Replace all uses of SHA*_Bytes / MD5Update. In fact, those functions don't even exist any more. The only way to get data into a primitive hash state is via the new put_* system. Of course, that means put_data() is a viable replacement for every previous call to one of the per-hash update functions - but just mechanically doing that would have missed the opportunity to simplify a lot of the call sites.
2018-05-24 09:03:36 +00:00
put_data(&states[1], intermediate, 20);
SSH2 MACs now use dynamically allocated contexts. [originally from svn r2131]
2002-10-25 12:51:28 +00:00
SHA_Final(&states[1], output);
Add support for DSA authentication in SSH2, following clever ideas on how to get round the problem of generating a good k. [originally from svn r1284]
2001-09-22 20:52:21 +00:00
}
Turn SSH-2 MACs into a classoid. This piece of tidying-up has come out particularly well in terms of saving tedious repetition and boilerplate. I've managed to remove three pointless methods from every MAC implementation by means of writing them once centrally in terms of the implementation-specific methods; another method (hmacmd5_sink) vanished because I was able to make the interface type 'ssh2_mac' be directly usable as a BinarySink by way of a new delegation system; and because all the method implementations can now find their own vtable, I was even able to merge a lot of keying and output functions that had previously differed only in length parameters by having them look up the lengths in whatever vtable they were passed.
2018-09-13 15:15:17 +00:00
const struct ssh2_macalg ssh_hmac_sha1 = {
hmacsha1_new, hmacsha1_free, hmacsha1_key,
hmacsha1_start, hmacsha1_genresult,
Support OpenSSH encrypt-then-MAC protocol extension. This causes the initial length field of the SSH-2 binary packet to be unencrypted (with the knock-on effect that now the packet length not including MAC must be congruent to 4 rather than 0 mod the cipher block size), and then the MAC is applied over the unencrypted length field and encrypted ciphertext (prefixed by the sequence number as usual). At the cost of exposing some information about the packet lengths to an attacker (but rarely anything they couldn't have inferred from the TCP headers anyway), this closes down any possibility of a MITM using the client as a decryption oracle, unless they can _first_ fake a correct MAC. ETM mode is enabled by means of selecting a different MAC identifier, all the current ones of which are constructed by appending "-etm@openssh.com" to the name of a MAC that already existed. We currently prefer the original SSH-2 binary packet protocol (i.e. we list all the ETM-mode MACs last in our KEXINIT), on the grounds that it's better tested and more analysed, so at the moment the new mode is only activated if a server refuses to speak anything else.
2015-04-26 22:30:32 +00:00
"hmac-sha1", "hmac-sha1-etm@openssh.com",
Add a key-length field to 'struct ssh_mac'. The key derivation code has been assuming (though non-critically, as it happens) that the size of the MAC output is the same as the size of the MAC key. That isn't even a good assumption for the HMAC family, due to HMAC-SHA1-96 and also the bug-compatible versions of HMAC-SHA1 that only use 16 bytes of key material; so now we have an explicit key-length field separate from the MAC-length field.
2015-08-21 22:20:12 +00:00
20, 20,
Mention the negotiated SSH-2 MAC algorithm(s) in the Event Log. (It should be possible to at least see what MAC is in use without going to a SSH packet log.) [originally from svn r4591]
2004-09-29 23:57:03 +00:00
"HMAC-SHA1"
SSH 2 support, phase 1, debugging. Currently does Diffie-Hellman and gets the same results as the server, which is a pretty good start. [originally from svn r569]
2000-09-05 14:28:17 +00:00
};
Add a config option to emulate the HMAC bug in commercial SSH v2.3.x and earlier (namely, it uses only 16 bytes of key rather than 20). [originally from svn r706]
2000-10-12 12:39:44 +00:00
Turn SSH-2 MACs into a classoid. This piece of tidying-up has come out particularly well in terms of saving tedious repetition and boilerplate. I've managed to remove three pointless methods from every MAC implementation by means of writing them once centrally in terms of the implementation-specific methods; another method (hmacmd5_sink) vanished because I was able to make the interface type 'ssh2_mac' be directly usable as a BinarySink by way of a new delegation system; and because all the method implementations can now find their own vtable, I was even able to merge a lot of keying and output functions that had previously differed only in length parameters by having them look up the lengths in whatever vtable they were passed.
2018-09-13 15:15:17 +00:00
const struct ssh2_macalg ssh_hmac_sha1_96 = {
hmacsha1_new, hmacsha1_free, hmacsha1_key,
hmacsha1_start, hmacsha1_genresult,
Support OpenSSH encrypt-then-MAC protocol extension. This causes the initial length field of the SSH-2 binary packet to be unencrypted (with the knock-on effect that now the packet length not including MAC must be congruent to 4 rather than 0 mod the cipher block size), and then the MAC is applied over the unencrypted length field and encrypted ciphertext (prefixed by the sequence number as usual). At the cost of exposing some information about the packet lengths to an attacker (but rarely anything they couldn't have inferred from the TCP headers anyway), this closes down any possibility of a MITM using the client as a decryption oracle, unless they can _first_ fake a correct MAC. ETM mode is enabled by means of selecting a different MAC identifier, all the current ones of which are constructed by appending "-etm@openssh.com" to the name of a MAC that already existed. We currently prefer the original SSH-2 binary packet protocol (i.e. we list all the ETM-mode MACs last in our KEXINIT), on the grounds that it's better tested and more analysed, so at the moment the new mode is only activated if a server refuses to speak anything else.
2015-04-26 22:30:32 +00:00
"hmac-sha1-96", "hmac-sha1-96-etm@openssh.com",
Add a key-length field to 'struct ssh_mac'. The key derivation code has been assuming (though non-critically, as it happens) that the size of the MAC output is the same as the size of the MAC key. That isn't even a good assumption for the HMAC family, due to HMAC-SHA1-96 and also the bug-compatible versions of HMAC-SHA1 that only use 16 bytes of key material; so now we have an explicit key-length field separate from the MAC-length field.
2015-08-21 22:20:12 +00:00
12, 20,
Implement hmac-sha1-96. It's RECOMMENDED in the current transport draft, and we don't have any strong reason not to implement it, for all that it's rather pointless. [originally from svn r6284]
2005-09-10 16:19:53 +00:00
"HMAC-SHA1-96"
};
Turn SSH-2 MACs into a classoid. This piece of tidying-up has come out particularly well in terms of saving tedious repetition and boilerplate. I've managed to remove three pointless methods from every MAC implementation by means of writing them once centrally in terms of the implementation-specific methods; another method (hmacmd5_sink) vanished because I was able to make the interface type 'ssh2_mac' be directly usable as a BinarySink by way of a new delegation system; and because all the method implementations can now find their own vtable, I was even able to merge a lot of keying and output functions that had previously differed only in length parameters by having them look up the lengths in whatever vtable they were passed.
2018-09-13 15:15:17 +00:00
const struct ssh2_macalg ssh_hmac_sha1_buggy = {
hmacsha1_new, hmacsha1_free, hmacsha1_key,
hmacsha1_start, hmacsha1_genresult,
Support OpenSSH encrypt-then-MAC protocol extension. This causes the initial length field of the SSH-2 binary packet to be unencrypted (with the knock-on effect that now the packet length not including MAC must be congruent to 4 rather than 0 mod the cipher block size), and then the MAC is applied over the unencrypted length field and encrypted ciphertext (prefixed by the sequence number as usual). At the cost of exposing some information about the packet lengths to an attacker (but rarely anything they couldn't have inferred from the TCP headers anyway), this closes down any possibility of a MITM using the client as a decryption oracle, unless they can _first_ fake a correct MAC. ETM mode is enabled by means of selecting a different MAC identifier, all the current ones of which are constructed by appending "-etm@openssh.com" to the name of a MAC that already existed. We currently prefer the original SSH-2 binary packet protocol (i.e. we list all the ETM-mode MACs last in our KEXINIT), on the grounds that it's better tested and more analysed, so at the moment the new mode is only activated if a server refuses to speak anything else.
2015-04-26 22:30:32 +00:00
"hmac-sha1", NULL,
Add a key-length field to 'struct ssh_mac'. The key derivation code has been assuming (though non-critically, as it happens) that the size of the MAC output is the same as the size of the MAC key. That isn't even a good assumption for the HMAC family, due to HMAC-SHA1-96 and also the bug-compatible versions of HMAC-SHA1 that only use 16 bytes of key material; so now we have an explicit key-length field separate from the MAC-length field.
2015-08-21 22:20:12 +00:00
20, 16,
Mention the negotiated SSH-2 MAC algorithm(s) in the Event Log. (It should be possible to at least see what MAC is in use without going to a SSH packet log.) [originally from svn r4591]
2004-09-29 23:57:03 +00:00
"bug-compatible HMAC-SHA1"
Add a config option to emulate the HMAC bug in commercial SSH v2.3.x and earlier (namely, it uses only 16 bytes of key rather than 20). [originally from svn r706]
2000-10-12 12:39:44 +00:00
};
Implement hmac-sha1-96. It's RECOMMENDED in the current transport draft, and we don't have any strong reason not to implement it, for all that it's rather pointless. [originally from svn r6284]
2005-09-10 16:19:53 +00:00
Turn SSH-2 MACs into a classoid. This piece of tidying-up has come out particularly well in terms of saving tedious repetition and boilerplate. I've managed to remove three pointless methods from every MAC implementation by means of writing them once centrally in terms of the implementation-specific methods; another method (hmacmd5_sink) vanished because I was able to make the interface type 'ssh2_mac' be directly usable as a BinarySink by way of a new delegation system; and because all the method implementations can now find their own vtable, I was even able to merge a lot of keying and output functions that had previously differed only in length parameters by having them look up the lengths in whatever vtable they were passed.
2018-09-13 15:15:17 +00:00
const struct ssh2_macalg ssh_hmac_sha1_96_buggy = {
hmacsha1_new, hmacsha1_free, hmacsha1_key,
hmacsha1_start, hmacsha1_genresult,
Support OpenSSH encrypt-then-MAC protocol extension. This causes the initial length field of the SSH-2 binary packet to be unencrypted (with the knock-on effect that now the packet length not including MAC must be congruent to 4 rather than 0 mod the cipher block size), and then the MAC is applied over the unencrypted length field and encrypted ciphertext (prefixed by the sequence number as usual). At the cost of exposing some information about the packet lengths to an attacker (but rarely anything they couldn't have inferred from the TCP headers anyway), this closes down any possibility of a MITM using the client as a decryption oracle, unless they can _first_ fake a correct MAC. ETM mode is enabled by means of selecting a different MAC identifier, all the current ones of which are constructed by appending "-etm@openssh.com" to the name of a MAC that already existed. We currently prefer the original SSH-2 binary packet protocol (i.e. we list all the ETM-mode MACs last in our KEXINIT), on the grounds that it's better tested and more analysed, so at the moment the new mode is only activated if a server refuses to speak anything else.
2015-04-26 22:30:32 +00:00
"hmac-sha1-96", NULL,
Add a key-length field to 'struct ssh_mac'. The key derivation code has been assuming (though non-critically, as it happens) that the size of the MAC output is the same as the size of the MAC key. That isn't even a good assumption for the HMAC family, due to HMAC-SHA1-96 and also the bug-compatible versions of HMAC-SHA1 that only use 16 bytes of key material; so now we have an explicit key-length field separate from the MAC-length field.
2015-08-21 22:20:12 +00:00
12, 16,
Implement hmac-sha1-96. It's RECOMMENDED in the current transport draft, and we don't have any strong reason not to implement it, for all that it's rather pointless. [originally from svn r6284]
2005-09-10 16:19:53 +00:00
"bug-compatible HMAC-SHA1-96"
};
Add supports_sha_ni(void) function It executes CPUID instruction to check whether SHA extensions are supported by hosting CPU.
2018-02-18 21:06:14 +00:00
#ifdef COMPILER_SUPPORTS_SHA_NI
Include <intrin.h> for hardware SHA on Windows Fixes failure to build under Windows with Visual Studio 14.
2018-04-13 03:20:52 +00:00
#if defined _MSC_VER && defined _M_AMD64
# include <intrin.h>
#endif
Add supports_sha_ni(void) function It executes CPUID instruction to check whether SHA extensions are supported by hosting CPU.
2018-02-18 21:06:14 +00:00
/*
* Set target architecture for Clang and GCC
*/
#if !defined(__clang__) && defined(__GNUC__)
# pragma GCC target("sha")
# pragma GCC target("sse4.1")
#endif
#if defined(__clang__) || (defined(__GNUC__) && (__GNUC__ >= 5))
# define FUNC_ISA __attribute__ ((target("sse4.1,sha")))
#else
# define FUNC_ISA
#endif
Add SHA1 implementation with new instructions SHA1-NI code is conditionally enabled if CPU supports SHA extensions. The procedure is based on Jeffrey Walton's SHA1 implementation: https://github.com/noloader/SHA-Intrinsics
2018-02-18 21:07:06 +00:00
#include <wmmintrin.h>
#include <smmintrin.h>
#include <immintrin.h>
#if defined(__clang__) || defined(__GNUC__)
#include <shaintrin.h>
#endif
Add supports_sha_ni(void) function It executes CPUID instruction to check whether SHA extensions are supported by hosting CPU.
2018-02-18 21:06:14 +00:00
/*
* Determinators of CPU type
*/
#if defined(__clang__) || defined(__GNUC__)
#include <cpuid.h>
int supports_sha_ni(void)
{
unsigned int CPUInfo[4];
Add CPUID leaf checks prior to SHA checks Some old CPUs do not support CPUID to be called with eax=7 To prevent failures, call CPUID with eax=0 to get the highest possible eax value (leaf) and compare it to 7. GCC does this check internally with __get_cpuid_count function Thanks to Jeffrey Walton for noticing.
2018-03-22 18:57:38 +00:00
__cpuid(0, CPUInfo[0], CPUInfo[1], CPUInfo[2], CPUInfo[3]);
if (CPUInfo[0] < 7)
return 0;
Add supports_sha_ni(void) function It executes CPUID instruction to check whether SHA extensions are supported by hosting CPU.
2018-02-18 21:06:14 +00:00
__cpuid_count(7, 0, CPUInfo[0], CPUInfo[1], CPUInfo[2], CPUInfo[3]);
return CPUInfo[1] & (1 << 29); /* SHA */
}
#else /* defined(__clang__) || defined(__GNUC__) */
int supports_sha_ni(void)
{
unsigned int CPUInfo[4];
Add CPUID leaf checks prior to SHA checks Some old CPUs do not support CPUID to be called with eax=7 To prevent failures, call CPUID with eax=0 to get the highest possible eax value (leaf) and compare it to 7. GCC does this check internally with __get_cpuid_count function Thanks to Jeffrey Walton for noticing.
2018-03-22 18:57:38 +00:00
__cpuid(CPUInfo, 0);
if (CPUInfo[0] < 7)
return 0;
Add supports_sha_ni(void) function It executes CPUID instruction to check whether SHA extensions are supported by hosting CPU.
2018-02-18 21:06:14 +00:00
__cpuidex(CPUInfo, 7, 0);
return CPUInfo[1] & (1 << 29); /* Check SHA */
}
#endif /* defined(__clang__) || defined(__GNUC__) */
Add SHA1 implementation with new instructions SHA1-NI code is conditionally enabled if CPU supports SHA extensions. The procedure is based on Jeffrey Walton's SHA1 implementation: https://github.com/noloader/SHA-Intrinsics
2018-02-18 21:07:06 +00:00
/* SHA1 implementation using new instructions
The code is based on Jeffrey Walton's SHA1 implementation:
https://github.com/noloader/SHA-Intrinsics
*/
FUNC_ISA
Work around LLVM bug 34980 Clang generates an internal failure if the same function has different target attributes in definition and declaration. To work around that, we made a proxy predeclared function without target attribute.
2018-02-18 13:48:44 +00:00
static void sha1_ni_(SHA_State * s, const unsigned char *q, int len)
Add SHA1 implementation with new instructions SHA1-NI code is conditionally enabled if CPU supports SHA extensions. The procedure is based on Jeffrey Walton's SHA1 implementation: https://github.com/noloader/SHA-Intrinsics
2018-02-18 21:07:06 +00:00
{
if (s->blkused && s->blkused + len < 64) {
/*
* Trivial case: just add to the block.
*/
memcpy(s->block + s->blkused, q, len);
s->blkused += len;
} else {
__m128i ABCD, ABCD_SAVE, E0, E0_SAVE, E1;
const __m128i MASK = _mm_set_epi64x(0x0001020304050607ULL, 0x08090a0b0c0d0e0fULL);
ABCD = _mm_loadu_si128((const __m128i*) s->h);
E0 = _mm_set_epi32(s->h[4], 0, 0, 0);
ABCD = _mm_shuffle_epi32(ABCD, 0x1B);
/*
* We must complete and process at least one block.
*/
while (s->blkused + len >= 64)
{
__m128i MSG0, MSG1, MSG2, MSG3;
memcpy(s->block + s->blkused, q, 64 - s->blkused);
q += 64 - s->blkused;
len -= 64 - s->blkused;
/* Save current state */
ABCD_SAVE = ABCD;
E0_SAVE = E0;
/* Rounds 0-3 */
MSG0 = _mm_loadu_si128((const __m128i*)(s->block + 0));
MSG0 = _mm_shuffle_epi8(MSG0, MASK);
E0 = _mm_add_epi32(E0, MSG0);
E1 = ABCD;
ABCD = _mm_sha1rnds4_epu32(ABCD, E0, 0);
/* Rounds 4-7 */
MSG1 = _mm_loadu_si128((const __m128i*)(s->block + 16));
MSG1 = _mm_shuffle_epi8(MSG1, MASK);
E1 = _mm_sha1nexte_epu32(E1, MSG1);
E0 = ABCD;
ABCD = _mm_sha1rnds4_epu32(ABCD, E1, 0);
MSG0 = _mm_sha1msg1_epu32(MSG0, MSG1);
/* Rounds 8-11 */
MSG2 = _mm_loadu_si128((const __m128i*)(s->block + 32));
MSG2 = _mm_shuffle_epi8(MSG2, MASK);
E0 = _mm_sha1nexte_epu32(E0, MSG2);
E1 = ABCD;
ABCD = _mm_sha1rnds4_epu32(ABCD, E0, 0);
MSG1 = _mm_sha1msg1_epu32(MSG1, MSG2);
MSG0 = _mm_xor_si128(MSG0, MSG2);
/* Rounds 12-15 */
MSG3 = _mm_loadu_si128((const __m128i*)(s->block + 48));
MSG3 = _mm_shuffle_epi8(MSG3, MASK);
E1 = _mm_sha1nexte_epu32(E1, MSG3);
E0 = ABCD;
MSG0 = _mm_sha1msg2_epu32(MSG0, MSG3);
ABCD = _mm_sha1rnds4_epu32(ABCD, E1, 0);
MSG2 = _mm_sha1msg1_epu32(MSG2, MSG3);
MSG1 = _mm_xor_si128(MSG1, MSG3);
/* Rounds 16-19 */
E0 = _mm_sha1nexte_epu32(E0, MSG0);
E1 = ABCD;
MSG1 = _mm_sha1msg2_epu32(MSG1, MSG0);
ABCD = _mm_sha1rnds4_epu32(ABCD, E0, 0);
MSG3 = _mm_sha1msg1_epu32(MSG3, MSG0);
MSG2 = _mm_xor_si128(MSG2, MSG0);
/* Rounds 20-23 */
E1 = _mm_sha1nexte_epu32(E1, MSG1);
E0 = ABCD;
MSG2 = _mm_sha1msg2_epu32(MSG2, MSG1);
ABCD = _mm_sha1rnds4_epu32(ABCD, E1, 1);
MSG0 = _mm_sha1msg1_epu32(MSG0, MSG1);
MSG3 = _mm_xor_si128(MSG3, MSG1);
/* Rounds 24-27 */
E0 = _mm_sha1nexte_epu32(E0, MSG2);
E1 = ABCD;
MSG3 = _mm_sha1msg2_epu32(MSG3, MSG2);
ABCD = _mm_sha1rnds4_epu32(ABCD, E0, 1);
MSG1 = _mm_sha1msg1_epu32(MSG1, MSG2);
MSG0 = _mm_xor_si128(MSG0, MSG2);
/* Rounds 28-31 */
E1 = _mm_sha1nexte_epu32(E1, MSG3);
E0 = ABCD;
MSG0 = _mm_sha1msg2_epu32(MSG0, MSG3);
ABCD = _mm_sha1rnds4_epu32(ABCD, E1, 1);
MSG2 = _mm_sha1msg1_epu32(MSG2, MSG3);
MSG1 = _mm_xor_si128(MSG1, MSG3);
/* Rounds 32-35 */
E0 = _mm_sha1nexte_epu32(E0, MSG0);
E1 = ABCD;
MSG1 = _mm_sha1msg2_epu32(MSG1, MSG0);
ABCD = _mm_sha1rnds4_epu32(ABCD, E0, 1);
MSG3 = _mm_sha1msg1_epu32(MSG3, MSG0);
MSG2 = _mm_xor_si128(MSG2, MSG0);
/* Rounds 36-39 */
E1 = _mm_sha1nexte_epu32(E1, MSG1);
E0 = ABCD;
MSG2 = _mm_sha1msg2_epu32(MSG2, MSG1);
ABCD = _mm_sha1rnds4_epu32(ABCD, E1, 1);
MSG0 = _mm_sha1msg1_epu32(MSG0, MSG1);
MSG3 = _mm_xor_si128(MSG3, MSG1);
/* Rounds 40-43 */
E0 = _mm_sha1nexte_epu32(E0, MSG2);
E1 = ABCD;
MSG3 = _mm_sha1msg2_epu32(MSG3, MSG2);
ABCD = _mm_sha1rnds4_epu32(ABCD, E0, 2);
MSG1 = _mm_sha1msg1_epu32(MSG1, MSG2);
MSG0 = _mm_xor_si128(MSG0, MSG2);
/* Rounds 44-47 */
E1 = _mm_sha1nexte_epu32(E1, MSG3);
E0 = ABCD;
MSG0 = _mm_sha1msg2_epu32(MSG0, MSG3);
ABCD = _mm_sha1rnds4_epu32(ABCD, E1, 2);
MSG2 = _mm_sha1msg1_epu32(MSG2, MSG3);
MSG1 = _mm_xor_si128(MSG1, MSG3);
/* Rounds 48-51 */
E0 = _mm_sha1nexte_epu32(E0, MSG0);
E1 = ABCD;
MSG1 = _mm_sha1msg2_epu32(MSG1, MSG0);
ABCD = _mm_sha1rnds4_epu32(ABCD, E0, 2);
MSG3 = _mm_sha1msg1_epu32(MSG3, MSG0);
MSG2 = _mm_xor_si128(MSG2, MSG0);
/* Rounds 52-55 */
E1 = _mm_sha1nexte_epu32(E1, MSG1);
E0 = ABCD;
MSG2 = _mm_sha1msg2_epu32(MSG2, MSG1);
ABCD = _mm_sha1rnds4_epu32(ABCD, E1, 2);
MSG0 = _mm_sha1msg1_epu32(MSG0, MSG1);
MSG3 = _mm_xor_si128(MSG3, MSG1);
/* Rounds 56-59 */
E0 = _mm_sha1nexte_epu32(E0, MSG2);
E1 = ABCD;
MSG3 = _mm_sha1msg2_epu32(MSG3, MSG2);
ABCD = _mm_sha1rnds4_epu32(ABCD, E0, 2);
MSG1 = _mm_sha1msg1_epu32(MSG1, MSG2);
MSG0 = _mm_xor_si128(MSG0, MSG2);
/* Rounds 60-63 */
E1 = _mm_sha1nexte_epu32(E1, MSG3);
E0 = ABCD;
MSG0 = _mm_sha1msg2_epu32(MSG0, MSG3);
ABCD = _mm_sha1rnds4_epu32(ABCD, E1, 3);
MSG2 = _mm_sha1msg1_epu32(MSG2, MSG3);
MSG1 = _mm_xor_si128(MSG1, MSG3);
/* Rounds 64-67 */
E0 = _mm_sha1nexte_epu32(E0, MSG0);
E1 = ABCD;
MSG1 = _mm_sha1msg2_epu32(MSG1, MSG0);
ABCD = _mm_sha1rnds4_epu32(ABCD, E0, 3);
MSG3 = _mm_sha1msg1_epu32(MSG3, MSG0);
MSG2 = _mm_xor_si128(MSG2, MSG0);
/* Rounds 68-71 */
E1 = _mm_sha1nexte_epu32(E1, MSG1);
E0 = ABCD;
MSG2 = _mm_sha1msg2_epu32(MSG2, MSG1);
ABCD = _mm_sha1rnds4_epu32(ABCD, E1, 3);
MSG3 = _mm_xor_si128(MSG3, MSG1);
/* Rounds 72-75 */
E0 = _mm_sha1nexte_epu32(E0, MSG2);
E1 = ABCD;
MSG3 = _mm_sha1msg2_epu32(MSG3, MSG2);
ABCD = _mm_sha1rnds4_epu32(ABCD, E0, 3);
/* Rounds 76-79 */
E1 = _mm_sha1nexte_epu32(E1, MSG3);
E0 = ABCD;
ABCD = _mm_sha1rnds4_epu32(ABCD, E1, 3);
/* Combine state */
E0 = _mm_sha1nexte_epu32(E0, E0_SAVE);
ABCD = _mm_add_epi32(ABCD, ABCD_SAVE);
s->blkused = 0;
}
ABCD = _mm_shuffle_epi32(ABCD, 0x1B);
/* Save state */
_mm_storeu_si128((__m128i*) s->h, ABCD);
s->h[4] = _mm_extract_epi32(E0, 3);
memcpy(s->block, q, len);
s->blkused = len;
}
}
Work around LLVM bug 34980 Clang generates an internal failure if the same function has different target attributes in definition and declaration. To work around that, we made a proxy predeclared function without target attribute.
2018-02-18 13:48:44 +00:00
/*
* Workaround LLVM bug https://bugs.llvm.org/show_bug.cgi?id=34980
*/
static void sha1_ni(SHA_State * s, const unsigned char *q, int len)
{
sha1_ni_(s, q, len);
}
Add supports_sha_ni(void) function It executes CPUID instruction to check whether SHA extensions are supported by hosting CPU.
2018-02-18 21:06:14 +00:00
#else /* COMPILER_SUPPORTS_AES_NI */
Add SHA1 implementation with new instructions SHA1-NI code is conditionally enabled if CPU supports SHA extensions. The procedure is based on Jeffrey Walton's SHA1 implementation: https://github.com/noloader/SHA-Intrinsics
2018-02-18 21:07:06 +00:00
static void sha1_ni(SHA_State * s, const unsigned char *q, int len)
{
assert(0);
}
Add supports_sha_ni(void) function It executes CPUID instruction to check whether SHA extensions are supported by hosting CPU.
2018-02-18 21:06:14 +00:00
int supports_sha_ni(void)
{
return 0;
}
#endif /* COMPILER_SUPPORTS_AES_NI */
Reference in New Issue Copy Permalink