nhyatt/putty-source
1
0
Fork 0
mirror of https://git.tartarus.org/simon/putty.git synced 2025-01-09 17:38:00 +00:00
Code Issues Projects Releases Wiki Activity
c6d921add5
putty-source/sshsh512.c

301 lines
8.4 KiB
C
Raw Normal View History

Destroy DOS line endings and unnecessary redefinition of uint32. [originally from svn r1289]
2001-09-23 16:45:36 +00:00
/*
* SHA-512 algorithm as described at
Whitespace rationalisation of entire code base. The number of people has been steadily increasing who read our source code with an editor that thinks tab stops are 4 spaces apart, as opposed to the traditional tty-derived 8 that the PuTTY code expects. So I've been wondering for ages about just fixing it, and switching to a spaces-only policy throughout the code. And I recently found out about 'git blame -w', which should make this change not too disruptive for the purposes of source-control archaeology; so perhaps now is the time. While I'm at it, I've also taken the opportunity to remove all the trailing spaces from source lines (on the basis that git dislikes them, and is the only thing that seems to have a strong opinion one way or the other). Apologies to anyone downstream of this code who has complicated patch sets to rebase past this change. I don't intend it to be needed again.
2019-09-08 19:29:00 +00:00
*
Destroy DOS line endings and unnecessary redefinition of uint32. [originally from svn r1289]
2001-09-23 16:45:36 +00:00
* http://csrc.nist.gov/cryptval/shs.html
Provide SHA-384 and SHA-512 as hashes usable in SSH KEX. SHA-384 was previously not implemented at all, but is a trivial adjustment to SHA-512 (different starting constants, and truncate the output hash). Both are now exposed as 'ssh_hash' structures so that key exchange methods can ask for them.
2014-11-01 08:59:25 +00:00
*
* Modifications made for SHA-384 also
Destroy DOS line endings and unnecessary redefinition of uint32. [originally from svn r1289]
2001-09-23 16:45:36 +00:00
*/
Replace all uses of SHA*_Bytes / MD5Update. In fact, those functions don't even exist any more. The only way to get data into a primitive hash state is via the new put_* system. Of course, that means put_data() is a viable replacement for every previous call to one of the per-hash update functions - but just mechanically doing that would have missed the opportunity to simplify a lot of the call sites.
2018-05-24 09:03:36 +00:00
#include <assert.h>
Destroy DOS line endings and unnecessary redefinition of uint32. [originally from svn r1289]
2001-09-23 16:45:36 +00:00
#include "ssh.h"
Reorganise SHA-512 to match SHA-256. This builds on the previous refactoring by reworking the SHA-512 vtables and block layer to look more like the SHA-256 version, in which the block and padding structure is a subroutine of the top-level vtable methods instead of an owning layer around them. This also organises the code in a way that makes it easy to drop in hardware-accelerated versions alongside it: the block layer and the big arrays of constants are now nicely separate from the inner block-transform part.
2020-12-24 15:20:03 +00:00
static const uint64_t sha512_initial_state[] = {
0x6a09e667f3bcc908ULL,
0xbb67ae8584caa73bULL,
0x3c6ef372fe94f82bULL,
0xa54ff53a5f1d36f1ULL,
0x510e527fade682d1ULL,
0x9b05688c2b3e6c1fULL,
0x1f83d9abfb41bd6bULL,
0x5be0cd19137e2179ULL,
};
static const uint64_t sha384_initial_state[] = {
0xcbbb9d5dc1059ed8ULL,
0x629a292a367cd507ULL,
0x9159015a3070dd17ULL,
0x152fecd8f70e5939ULL,
0x67332667ffc00b31ULL,
0x8eb44a8768581511ULL,
0xdb0c2e0d64f98fa7ULL,
0x47b5481dbefa4fa4ULL,
};
static const uint64_t sha512_round_constants[] = {
0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL,
0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL,
0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL,
0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL,
0xd807aa98a3030242ULL, 0x12835b0145706fbeULL,
0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL,
0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL,
0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL,
0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL,
0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL,
0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL,
0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL,
0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL,
0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL,
0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL,
0x06ca6351e003826fULL, 0x142929670a0e6e70ULL,
0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL,
0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL,
0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL,
0x81c2c92e47edaee6ULL, 0x92722c851482353bULL,
0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL,
0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL,
0xd192e819d6ef5218ULL, 0xd69906245565a910ULL,
0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL,
0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL,
0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL,
0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL,
0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL,
0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL,
0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL,
0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL,
0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL,
0xca273eceea26619cULL, 0xd186b8c721c0c207ULL,
0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL,
0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL,
0x113f9804bef90daeULL, 0x1b710b35131c471bULL,
0x28db77f523047d84ULL, 0x32caab7b40c72493ULL,
0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL,
0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL,
0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL,
};
#define SHA512_ROUNDS 80
Destroy DOS line endings and unnecessary redefinition of uint32. [originally from svn r1289]
2001-09-23 16:45:36 +00:00
Reorganise SHA-512 to match SHA-256. This builds on the previous refactoring by reworking the SHA-512 vtables and block layer to look more like the SHA-256 version, in which the block and padding structure is a subroutine of the top-level vtable methods instead of an owning layer around them. This also organises the code in a way that makes it easy to drop in hardware-accelerated versions alongside it: the block layer and the big arrays of constants are now nicely separate from the inner block-transform part.
2020-12-24 15:20:03 +00:00
typedef struct sha512_block sha512_block;
struct sha512_block {
uint8_t block[128];
size_t used;
Access all hashes and MACs through the standard API. All the hash-specific state structures, and the functions that directly accessed them, are now local to the source files implementing the hashes themselves. Everywhere we previously used those types or functions, we're now using the standard ssh_hash or ssh2_mac API. The 'simple' functions (hmacmd5_simple, SHA_Simple etc) are now a pair of wrappers in sshauxcrypt.c, each of which takes an algorithm structure and can do the same conceptual thing regardless of what it is.
2019-01-20 16:15:14 +00:00
uint64_t lenhi, lenlo;
Reorganise SHA-512 to match SHA-256. This builds on the previous refactoring by reworking the SHA-512 vtables and block layer to look more like the SHA-256 version, in which the block and padding structure is a subroutine of the top-level vtable methods instead of an owning layer around them. This also organises the code in a way that makes it easy to drop in hardware-accelerated versions alongside it: the block layer and the big arrays of constants are now nicely separate from the inner block-transform part.
2020-12-24 15:20:03 +00:00
};
Access all hashes and MACs through the standard API. All the hash-specific state structures, and the functions that directly accessed them, are now local to the source files implementing the hashes themselves. Everywhere we previously used those types or functions, we're now using the standard ssh_hash or ssh2_mac API. The 'simple' functions (hmacmd5_simple, SHA_Simple etc) are now a pair of wrappers in sshauxcrypt.c, each of which takes an algorithm structure and can do the same conceptual thing regardless of what it is.
2019-01-20 16:15:14 +00:00
Reorganise SHA-512 to match SHA-256. This builds on the previous refactoring by reworking the SHA-512 vtables and block layer to look more like the SHA-256 version, in which the block and padding structure is a subroutine of the top-level vtable methods instead of an owning layer around them. This also organises the code in a way that makes it easy to drop in hardware-accelerated versions alongside it: the block layer and the big arrays of constants are now nicely separate from the inner block-transform part.
2020-12-24 15:20:03 +00:00
static inline void sha512_block_setup(sha512_block *blk)
{
blk->used = 0;
blk->lenhi = blk->lenlo = 0;
}
static inline bool sha512_block_write(
sha512_block *blk, const void **vdata, size_t *len)
{
size_t blkleft = sizeof(blk->block) - blk->used;
size_t chunk = *len < blkleft ? *len : blkleft;
const uint8_t *p = *vdata;
memcpy(blk->block + blk->used, p, chunk);
*vdata = p + chunk;
*len -= chunk;
blk->used += chunk;
size_t chunkbits = chunk << 3;
blk->lenlo += chunkbits;
blk->lenhi += (blk->lenlo < chunkbits);
if (blk->used == sizeof(blk->block)) {
blk->used = 0;
return true;
}
return false;
}
static inline void sha512_block_pad(sha512_block *blk, BinarySink *bs)
{
uint64_t final_lenhi = blk->lenhi;
uint64_t final_lenlo = blk->lenlo;
size_t pad = 127 & (111 - blk->used);
put_byte(bs, 0x80);
put_padding(bs, pad, 0);
put_uint64(bs, final_lenhi);
put_uint64(bs, final_lenlo);
assert(blk->used == 0 && "Should have exactly hit a block boundary");
}
Destroy DOS line endings and unnecessary redefinition of uint32. [originally from svn r1289]
2001-09-23 16:45:36 +00:00
Tidy up arithmetic in the SHA-512 implementation. It was written in an awkward roundabout way involving all the arithmetic being done in horrible macros looking like assembler instructions, and lots of explicit temp variables. That's because, when I originally wrote it, I needed it to compile on platforms without a 64-bit integer type. In commit a647f2ba11 I switched it over to using uint64_t, but I did it in a way that made minimal change to the code structure, by rewriting the insides of those macros to contain ordinary uint64_t arithmetic instead of faffing about with 32-bit halves. So it worked, but it still looked disgusting. Now I've reworked it so that individual arithmetic operations are written directly in the sensible way, and the more complicated SHA-specific operations are written as inline functions instead of macros.
2020-12-24 10:52:48 +00:00
static inline uint64_t ror(uint64_t x, unsigned y)
{
return (x << (63 & -y)) | (x >> (63 & y));
}
static inline uint64_t Ch(uint64_t ctrl, uint64_t if1, uint64_t if0)
{
return if0 ^ (ctrl & (if1 ^ if0));
}
static inline uint64_t Maj(uint64_t x, uint64_t y, uint64_t z)
{
return (x & y) | (z & (x | y));
}
static inline uint64_t Sigma_0(uint64_t x)
{
return ror(x,28) ^ ror(x,34) ^ ror(x,39);
}
static inline uint64_t Sigma_1(uint64_t x)
{
return ror(x,14) ^ ror(x,18) ^ ror(x,41);
}
static inline uint64_t sigma_0(uint64_t x)
{
return ror(x,1) ^ ror(x,8) ^ (x >> 7);
}
static inline uint64_t sigma_1(uint64_t x)
{
return ror(x,19) ^ ror(x,61) ^ (x >> 6);
}
Reorganise SHA-512 to match SHA-256. This builds on the previous refactoring by reworking the SHA-512 vtables and block layer to look more like the SHA-256 version, in which the block and padding structure is a subroutine of the top-level vtable methods instead of an owning layer around them. This also organises the code in a way that makes it easy to drop in hardware-accelerated versions alongside it: the block layer and the big arrays of constants are now nicely separate from the inner block-transform part.
2020-12-24 15:20:03 +00:00
static inline void sha512_sw_round(
unsigned round_index, const uint64_t *schedule,
Tidy up arithmetic in the SHA-512 implementation. It was written in an awkward roundabout way involving all the arithmetic being done in horrible macros looking like assembler instructions, and lots of explicit temp variables. That's because, when I originally wrote it, I needed it to compile on platforms without a 64-bit integer type. In commit a647f2ba11 I switched it over to using uint64_t, but I did it in a way that made minimal change to the code structure, by rewriting the insides of those macros to contain ordinary uint64_t arithmetic instead of faffing about with 32-bit halves. So it worked, but it still looked disgusting. Now I've reworked it so that individual arithmetic operations are written directly in the sensible way, and the more complicated SHA-specific operations are written as inline functions instead of macros.
2020-12-24 10:52:48 +00:00
uint64_t *a, uint64_t *b, uint64_t *c, uint64_t *d,
uint64_t *e, uint64_t *f, uint64_t *g, uint64_t *h)
{
uint64_t t1 = *h + Sigma_1(*e) + Ch(*e,*f,*g) +
Reorganise SHA-512 to match SHA-256. This builds on the previous refactoring by reworking the SHA-512 vtables and block layer to look more like the SHA-256 version, in which the block and padding structure is a subroutine of the top-level vtable methods instead of an owning layer around them. This also organises the code in a way that makes it easy to drop in hardware-accelerated versions alongside it: the block layer and the big arrays of constants are now nicely separate from the inner block-transform part.
2020-12-24 15:20:03 +00:00
sha512_round_constants[round_index] + schedule[round_index];
Tidy up arithmetic in the SHA-512 implementation. It was written in an awkward roundabout way involving all the arithmetic being done in horrible macros looking like assembler instructions, and lots of explicit temp variables. That's because, when I originally wrote it, I needed it to compile on platforms without a 64-bit integer type. In commit a647f2ba11 I switched it over to using uint64_t, but I did it in a way that made minimal change to the code structure, by rewriting the insides of those macros to contain ordinary uint64_t arithmetic instead of faffing about with 32-bit halves. So it worked, but it still looked disgusting. Now I've reworked it so that individual arithmetic operations are written directly in the sensible way, and the more complicated SHA-specific operations are written as inline functions instead of macros.
2020-12-24 10:52:48 +00:00
uint64_t t2 = Sigma_0(*a) + Maj(*a,*b,*c);
*d += t1;
*h = t1 + t2;
}
Destroy DOS line endings and unnecessary redefinition of uint32. [originally from svn r1289]
2001-09-23 16:45:36 +00:00
Reorganise SHA-512 to match SHA-256. This builds on the previous refactoring by reworking the SHA-512 vtables and block layer to look more like the SHA-256 version, in which the block and padding structure is a subroutine of the top-level vtable methods instead of an owning layer around them. This also organises the code in a way that makes it easy to drop in hardware-accelerated versions alongside it: the block layer and the big arrays of constants are now nicely separate from the inner block-transform part.
2020-12-24 15:20:03 +00:00
static void sha512_sw_block(uint64_t *core, const uint8_t *block)
{
uint64_t w[SHA512_ROUNDS];
Adopt C99 <stdint.h> integer types. The annoying int64.h is completely retired, since C99 guarantees a 64-bit integer type that you can actually treat like an ordinary integer. Also, I've replaced the local typedefs uint32 and word32 (scattered through different parts of the crypto code) with the standard uint32_t.
2018-10-26 22:08:58 +00:00
uint64_t a,b,c,d,e,f,g,h;
Destroy DOS line endings and unnecessary redefinition of uint32. [originally from svn r1289]
2001-09-23 16:45:36 +00:00
int t;
for (t = 0; t < 16; t++)
Reorganise SHA-512 to match SHA-256. This builds on the previous refactoring by reworking the SHA-512 vtables and block layer to look more like the SHA-256 version, in which the block and padding structure is a subroutine of the top-level vtable methods instead of an owning layer around them. This also organises the code in a way that makes it easy to drop in hardware-accelerated versions alongside it: the block layer and the big arrays of constants are now nicely separate from the inner block-transform part.
2020-12-24 15:20:03 +00:00
w[t] = GET_64BIT_MSB_FIRST(block + 8*t);
Destroy DOS line endings and unnecessary redefinition of uint32. [originally from svn r1289]
2001-09-23 16:45:36 +00:00
Reorganise SHA-512 to match SHA-256. This builds on the previous refactoring by reworking the SHA-512 vtables and block layer to look more like the SHA-256 version, in which the block and padding structure is a subroutine of the top-level vtable methods instead of an owning layer around them. This also organises the code in a way that makes it easy to drop in hardware-accelerated versions alongside it: the block layer and the big arrays of constants are now nicely separate from the inner block-transform part.
2020-12-24 15:20:03 +00:00
for (t = 16; t < SHA512_ROUNDS; t++)
Tidy up arithmetic in the SHA-512 implementation. It was written in an awkward roundabout way involving all the arithmetic being done in horrible macros looking like assembler instructions, and lots of explicit temp variables. That's because, when I originally wrote it, I needed it to compile on platforms without a 64-bit integer type. In commit a647f2ba11 I switched it over to using uint64_t, but I did it in a way that made minimal change to the code structure, by rewriting the insides of those macros to contain ordinary uint64_t arithmetic instead of faffing about with 32-bit halves. So it worked, but it still looked disgusting. Now I've reworked it so that individual arithmetic operations are written directly in the sensible way, and the more complicated SHA-specific operations are written as inline functions instead of macros.
2020-12-24 10:52:48 +00:00
w[t] = w[t-16] + w[t-7] + sigma_0(w[t-15]) + sigma_1(w[t-2]);
Destroy DOS line endings and unnecessary redefinition of uint32. [originally from svn r1289]
2001-09-23 16:45:36 +00:00
Reorganise SHA-512 to match SHA-256. This builds on the previous refactoring by reworking the SHA-512 vtables and block layer to look more like the SHA-256 version, in which the block and padding structure is a subroutine of the top-level vtable methods instead of an owning layer around them. This also organises the code in a way that makes it easy to drop in hardware-accelerated versions alongside it: the block layer and the big arrays of constants are now nicely separate from the inner block-transform part.
2020-12-24 15:20:03 +00:00
a = core[0]; b = core[1]; c = core[2]; d = core[3];
e = core[4]; f = core[5]; g = core[6]; h = core[7];
for (t = 0; t < SHA512_ROUNDS; t+=8) {
sha512_sw_round(t+0, w, &a,&b,&c,&d,&e,&f,&g,&h);
sha512_sw_round(t+1, w, &h,&a,&b,&c,&d,&e,&f,&g);
sha512_sw_round(t+2, w, &g,&h,&a,&b,&c,&d,&e,&f);
sha512_sw_round(t+3, w, &f,&g,&h,&a,&b,&c,&d,&e);
sha512_sw_round(t+4, w, &e,&f,&g,&h,&a,&b,&c,&d);
sha512_sw_round(t+5, w, &d,&e,&f,&g,&h,&a,&b,&c);
sha512_sw_round(t+6, w, &c,&d,&e,&f,&g,&h,&a,&b);
sha512_sw_round(t+7, w, &b,&c,&d,&e,&f,&g,&h,&a);
Destroy DOS line endings and unnecessary redefinition of uint32. [originally from svn r1289]
2001-09-23 16:45:36 +00:00
}
Reorganise SHA-512 to match SHA-256. This builds on the previous refactoring by reworking the SHA-512 vtables and block layer to look more like the SHA-256 version, in which the block and padding structure is a subroutine of the top-level vtable methods instead of an owning layer around them. This also organises the code in a way that makes it easy to drop in hardware-accelerated versions alongside it: the block layer and the big arrays of constants are now nicely separate from the inner block-transform part.
2020-12-24 15:20:03 +00:00
core[0] += a; core[1] += b; core[2] += c; core[3] += d;
core[4] += e; core[5] += f; core[6] += g; core[7] += h;
smemclr(w, sizeof(w));
Destroy DOS line endings and unnecessary redefinition of uint32. [originally from svn r1289]
2001-09-23 16:45:36 +00:00
}
Reorganise SHA-512 to match SHA-256. This builds on the previous refactoring by reworking the SHA-512 vtables and block layer to look more like the SHA-256 version, in which the block and padding structure is a subroutine of the top-level vtable methods instead of an owning layer around them. This also organises the code in a way that makes it easy to drop in hardware-accelerated versions alongside it: the block layer and the big arrays of constants are now nicely separate from the inner block-transform part.
2020-12-24 15:20:03 +00:00
typedef struct sha512_sw {
uint64_t core[8];
sha512_block blk;
BinarySink_IMPLEMENTATION;
ssh_hash hash;
} sha512_sw;
Destroy DOS line endings and unnecessary redefinition of uint32. [originally from svn r1289]
2001-09-23 16:45:36 +00:00
Reorganise SHA-512 to match SHA-256. This builds on the previous refactoring by reworking the SHA-512 vtables and block layer to look more like the SHA-256 version, in which the block and padding structure is a subroutine of the top-level vtable methods instead of an owning layer around them. This also organises the code in a way that makes it easy to drop in hardware-accelerated versions alongside it: the block layer and the big arrays of constants are now nicely separate from the inner block-transform part.
2020-12-24 15:20:03 +00:00
static void sha512_sw_write(BinarySink *bs, const void *vp, size_t len);
New centralised binary-data marshalling system. I've finally got tired of all the code throughout PuTTY that repeats the same logic about how to format the SSH binary primitives like uint32, string, mpint. We've got reasonably organised code in ssh.c that appends things like that to 'struct Packet'; something similar in sftp.c which repeats a lot of the work; utility functions in various places to format an mpint to feed to one or another hash function; and no end of totally ad-hoc stuff in functions like public key blob formatters which actually have to _count up_ the size of data painstakingly, then malloc exactly that much and mess about with PUT_32BIT. It's time to bring all of that into one place, and stop repeating myself in error-prone ways everywhere. The new marshal.h defines a system in which I centralise all the actual marshalling functions, and then layer a touch of C macro trickery on top to allow me to (look as if I) pass a wide range of different types to those functions, as long as the target type has been set up in the right way to have a write() function. This commit adds the new header and source file, and sets up some general centralised types (strbuf and the various hash-function contexts like SHA_State), but doesn't use the new calls for anything yet. (I've also renamed some internal functions in import.c which were using the same names that I've just defined macros over. That won't last long - those functions are going to go away soon, so the changed names are strictly temporary.)
2018-05-24 08:17:13 +00:00
Reorganise SHA-512 to match SHA-256. This builds on the previous refactoring by reworking the SHA-512 vtables and block layer to look more like the SHA-256 version, in which the block and padding structure is a subroutine of the top-level vtable methods instead of an owning layer around them. This also organises the code in a way that makes it easy to drop in hardware-accelerated versions alongside it: the block layer and the big arrays of constants are now nicely separate from the inner block-transform part.
2020-12-24 15:20:03 +00:00
static ssh_hash *sha512_sw_new(const ssh_hashalg *alg)
{
sha512_sw *s = snew(sha512_sw);
Destroy DOS line endings and unnecessary redefinition of uint32. [originally from svn r1289]
2001-09-23 16:45:36 +00:00
Reorganise SHA-512 to match SHA-256. This builds on the previous refactoring by reworking the SHA-512 vtables and block layer to look more like the SHA-256 version, in which the block and padding structure is a subroutine of the top-level vtable methods instead of an owning layer around them. This also organises the code in a way that makes it easy to drop in hardware-accelerated versions alongside it: the block layer and the big arrays of constants are now nicely separate from the inner block-transform part.
2020-12-24 15:20:03 +00:00
s->hash.vt = alg;
BinarySink_INIT(s, sha512_sw_write);
BinarySink_DELEGATE_INIT(&s->hash, s);
return &s->hash;
Provide SHA-384 and SHA-512 as hashes usable in SSH KEX. SHA-384 was previously not implemented at all, but is a trivial adjustment to SHA-512 (different starting constants, and truncate the output hash). Both are now exposed as 'ssh_hash' structures so that key exchange methods can ask for them.
2014-11-01 08:59:25 +00:00
}
Reorganise SHA-512 to match SHA-256. This builds on the previous refactoring by reworking the SHA-512 vtables and block layer to look more like the SHA-256 version, in which the block and padding structure is a subroutine of the top-level vtable methods instead of an owning layer around them. This also organises the code in a way that makes it easy to drop in hardware-accelerated versions alongside it: the block layer and the big arrays of constants are now nicely separate from the inner block-transform part.
2020-12-24 15:20:03 +00:00
static void sha512_sw_reset(ssh_hash *hash)
Replace all uses of SHA*_Bytes / MD5Update. In fact, those functions don't even exist any more. The only way to get data into a primitive hash state is via the new put_* system. Of course, that means put_data() is a viable replacement for every previous call to one of the per-hash update functions - but just mechanically doing that would have missed the opportunity to simplify a lot of the call sites.
2018-05-24 09:03:36 +00:00
{
Reorganise SHA-512 to match SHA-256. This builds on the previous refactoring by reworking the SHA-512 vtables and block layer to look more like the SHA-256 version, in which the block and padding structure is a subroutine of the top-level vtable methods instead of an owning layer around them. This also organises the code in a way that makes it easy to drop in hardware-accelerated versions alongside it: the block layer and the big arrays of constants are now nicely separate from the inner block-transform part.
2020-12-24 15:20:03 +00:00
sha512_sw *s = container_of(hash, sha512_sw, hash);
Destroy DOS line endings and unnecessary redefinition of uint32. [originally from svn r1289]
2001-09-23 16:45:36 +00:00
Reorganise SHA-512 to match SHA-256. This builds on the previous refactoring by reworking the SHA-512 vtables and block layer to look more like the SHA-256 version, in which the block and padding structure is a subroutine of the top-level vtable methods instead of an owning layer around them. This also organises the code in a way that makes it easy to drop in hardware-accelerated versions alongside it: the block layer and the big arrays of constants are now nicely separate from the inner block-transform part.
2020-12-24 15:20:03 +00:00
/* The 'extra' field in the ssh_hashalg indicates which
* initialisation vector we're using */
memcpy(s->core, hash->vt->extra, sizeof(s->core));
sha512_block_setup(&s->blk);
Provide SHA-384 and SHA-512 as hashes usable in SSH KEX. SHA-384 was previously not implemented at all, but is a trivial adjustment to SHA-512 (different starting constants, and truncate the output hash). Both are now exposed as 'ssh_hash' structures so that key exchange methods can ask for them.
2014-11-01 08:59:25 +00:00
}
Reorganise SHA-512 to match SHA-256. This builds on the previous refactoring by reworking the SHA-512 vtables and block layer to look more like the SHA-256 version, in which the block and padding structure is a subroutine of the top-level vtable methods instead of an owning layer around them. This also organises the code in a way that makes it easy to drop in hardware-accelerated versions alongside it: the block layer and the big arrays of constants are now nicely separate from the inner block-transform part.
2020-12-24 15:20:03 +00:00
static void sha512_sw_copyfrom(ssh_hash *hcopy, ssh_hash *horig)
Turn SSH hashes into a classoid. The new version of ssh_hash has the same nice property as ssh2_mac, that I can make the generic interface object type function directly as a BinarySink so that clients don't have to call h->sink() and worry about the separate sink object they get back from that.
2018-09-13 15:41:46 +00:00
{
Reorganise SHA-512 to match SHA-256. This builds on the previous refactoring by reworking the SHA-512 vtables and block layer to look more like the SHA-256 version, in which the block and padding structure is a subroutine of the top-level vtable methods instead of an owning layer around them. This also organises the code in a way that makes it easy to drop in hardware-accelerated versions alongside it: the block layer and the big arrays of constants are now nicely separate from the inner block-transform part.
2020-12-24 15:20:03 +00:00
sha512_sw *copy = container_of(hcopy, sha512_sw, hash);
sha512_sw *orig = container_of(horig, sha512_sw, hash);
Provide SHA-384 and SHA-512 as hashes usable in SSH KEX. SHA-384 was previously not implemented at all, but is a trivial adjustment to SHA-512 (different starting constants, and truncate the output hash). Both are now exposed as 'ssh_hash' structures so that key exchange methods can ask for them.
2014-11-01 08:59:25 +00:00
Reorganise SHA-512 to match SHA-256. This builds on the previous refactoring by reworking the SHA-512 vtables and block layer to look more like the SHA-256 version, in which the block and padding structure is a subroutine of the top-level vtable methods instead of an owning layer around them. This also organises the code in a way that makes it easy to drop in hardware-accelerated versions alongside it: the block layer and the big arrays of constants are now nicely separate from the inner block-transform part.
2020-12-24 15:20:03 +00:00
memcpy(copy, orig, sizeof(*copy));
BinarySink_COPIED(copy);
BinarySink_DELEGATE_INIT(&copy->hash, copy);
Refactor the ssh_hash vtable. (NFC) The idea is to arrange that an ssh_hash object can be reused without having to free it and allocate a new one. So the 'final' method has been replaced with 'digest', which does everything except the trailing free; and there's also a new pair of methods 'reset' and 'copyfrom' which overwrite the state of a hash with either the starting state or a copy of another state. Meanwhile, the 'new' allocator function has stopped performing 'reset' as a side effect; now it _just_ does the administrative stuff (allocation, setting up vtables), and returns an object which isn't yet ready to receive any actual data, expecting that the caller will either reset it or copy another hash state into it. In particular, that means that the SHA-384 / SHA-512 pair no longer need separate 'new' methods, because only the 'reset' part has to change between them. This commit makes no change to the user-facing API of wrapper functions in ssh.h, except to add new functions which nothing yet calls. The user-facing ssh_hash_new() calls the new and reset methods in succession, and the copy and final methods still exist to do new+copy and digest+free.
2019-12-15 09:30:10 +00:00
}
Add copy and free methods to 'struct ssh_hash'. This permits a hash state to be cloned in the middle of being used, so that multiple strings with the same prefix can be hashed without having to repeat all the computation over the prefix. Having done that, we'll also sometimes need to free a hash state that we aren't generating actual hash output from, so we need a free method as well.
2015-08-21 22:13:59 +00:00
Reorganise SHA-512 to match SHA-256. This builds on the previous refactoring by reworking the SHA-512 vtables and block layer to look more like the SHA-256 version, in which the block and padding structure is a subroutine of the top-level vtable methods instead of an owning layer around them. This also organises the code in a way that makes it easy to drop in hardware-accelerated versions alongside it: the block layer and the big arrays of constants are now nicely separate from the inner block-transform part.
2020-12-24 15:20:03 +00:00
static void sha512_sw_free(ssh_hash *hash)
Refactor the ssh_hash vtable. (NFC) The idea is to arrange that an ssh_hash object can be reused without having to free it and allocate a new one. So the 'final' method has been replaced with 'digest', which does everything except the trailing free; and there's also a new pair of methods 'reset' and 'copyfrom' which overwrite the state of a hash with either the starting state or a copy of another state. Meanwhile, the 'new' allocator function has stopped performing 'reset' as a side effect; now it _just_ does the administrative stuff (allocation, setting up vtables), and returns an object which isn't yet ready to receive any actual data, expecting that the caller will either reset it or copy another hash state into it. In particular, that means that the SHA-384 / SHA-512 pair no longer need separate 'new' methods, because only the 'reset' part has to change between them. This commit makes no change to the user-facing API of wrapper functions in ssh.h, except to add new functions which nothing yet calls. The user-facing ssh_hash_new() calls the new and reset methods in succession, and the copy and final methods still exist to do new+copy and digest+free.
2019-12-15 09:30:10 +00:00
{
Reorganise SHA-512 to match SHA-256. This builds on the previous refactoring by reworking the SHA-512 vtables and block layer to look more like the SHA-256 version, in which the block and padding structure is a subroutine of the top-level vtable methods instead of an owning layer around them. This also organises the code in a way that makes it easy to drop in hardware-accelerated versions alongside it: the block layer and the big arrays of constants are now nicely separate from the inner block-transform part.
2020-12-24 15:20:03 +00:00
sha512_sw *s = container_of(hash, sha512_sw, hash);
Add copy and free methods to 'struct ssh_hash'. This permits a hash state to be cloned in the middle of being used, so that multiple strings with the same prefix can be hashed without having to repeat all the computation over the prefix. Having done that, we'll also sometimes need to free a hash state that we aren't generating actual hash output from, so we need a free method as well.
2015-08-21 22:13:59 +00:00
Reorganise SHA-512 to match SHA-256. This builds on the previous refactoring by reworking the SHA-512 vtables and block layer to look more like the SHA-256 version, in which the block and padding structure is a subroutine of the top-level vtable methods instead of an owning layer around them. This also organises the code in a way that makes it easy to drop in hardware-accelerated versions alongside it: the block layer and the big arrays of constants are now nicely separate from the inner block-transform part.
2020-12-24 15:20:03 +00:00
smemclr(s, sizeof(*s));
sfree(s);
Add copy and free methods to 'struct ssh_hash'. This permits a hash state to be cloned in the middle of being used, so that multiple strings with the same prefix can be hashed without having to repeat all the computation over the prefix. Having done that, we'll also sometimes need to free a hash state that we aren't generating actual hash output from, so we need a free method as well.
2015-08-21 22:13:59 +00:00
}
Reorganise SHA-512 to match SHA-256. This builds on the previous refactoring by reworking the SHA-512 vtables and block layer to look more like the SHA-256 version, in which the block and padding structure is a subroutine of the top-level vtable methods instead of an owning layer around them. This also organises the code in a way that makes it easy to drop in hardware-accelerated versions alongside it: the block layer and the big arrays of constants are now nicely separate from the inner block-transform part.
2020-12-24 15:20:03 +00:00
static void sha512_sw_write(BinarySink *bs, const void *vp, size_t len)
Provide SHA-384 and SHA-512 as hashes usable in SSH KEX. SHA-384 was previously not implemented at all, but is a trivial adjustment to SHA-512 (different starting constants, and truncate the output hash). Both are now exposed as 'ssh_hash' structures so that key exchange methods can ask for them.
2014-11-01 08:59:25 +00:00
{
Reorganise SHA-512 to match SHA-256. This builds on the previous refactoring by reworking the SHA-512 vtables and block layer to look more like the SHA-256 version, in which the block and padding structure is a subroutine of the top-level vtable methods instead of an owning layer around them. This also organises the code in a way that makes it easy to drop in hardware-accelerated versions alongside it: the block layer and the big arrays of constants are now nicely separate from the inner block-transform part.
2020-12-24 15:20:03 +00:00
sha512_sw *s = BinarySink_DOWNCAST(bs, sha512_sw);
Turn SSH hashes into a classoid. The new version of ssh_hash has the same nice property as ssh2_mac, that I can make the generic interface object type function directly as a BinarySink so that clients don't have to call h->sink() and worry about the separate sink object they get back from that.
2018-09-13 15:41:46 +00:00
Reorganise SHA-512 to match SHA-256. This builds on the previous refactoring by reworking the SHA-512 vtables and block layer to look more like the SHA-256 version, in which the block and padding structure is a subroutine of the top-level vtable methods instead of an owning layer around them. This also organises the code in a way that makes it easy to drop in hardware-accelerated versions alongside it: the block layer and the big arrays of constants are now nicely separate from the inner block-transform part.
2020-12-24 15:20:03 +00:00
while (len > 0)
if (sha512_block_write(&s->blk, &vp, &len))
sha512_sw_block(s->core, s->blk.block);
Provide SHA-384 and SHA-512 as hashes usable in SSH KEX. SHA-384 was previously not implemented at all, but is a trivial adjustment to SHA-512 (different starting constants, and truncate the output hash). Both are now exposed as 'ssh_hash' structures so that key exchange methods can ask for them.
2014-11-01 08:59:25 +00:00
}
Reorganise SHA-512 to match SHA-256. This builds on the previous refactoring by reworking the SHA-512 vtables and block layer to look more like the SHA-256 version, in which the block and padding structure is a subroutine of the top-level vtable methods instead of an owning layer around them. This also organises the code in a way that makes it easy to drop in hardware-accelerated versions alongside it: the block layer and the big arrays of constants are now nicely separate from the inner block-transform part.
2020-12-24 15:20:03 +00:00
static void sha512_sw_digest(ssh_hash *hash, uint8_t *digest)
Provide SHA-384 and SHA-512 as hashes usable in SSH KEX. SHA-384 was previously not implemented at all, but is a trivial adjustment to SHA-512 (different starting constants, and truncate the output hash). Both are now exposed as 'ssh_hash' structures so that key exchange methods can ask for them.
2014-11-01 08:59:25 +00:00
{
Reorganise SHA-512 to match SHA-256. This builds on the previous refactoring by reworking the SHA-512 vtables and block layer to look more like the SHA-256 version, in which the block and padding structure is a subroutine of the top-level vtable methods instead of an owning layer around them. This also organises the code in a way that makes it easy to drop in hardware-accelerated versions alongside it: the block layer and the big arrays of constants are now nicely separate from the inner block-transform part.
2020-12-24 15:20:03 +00:00
sha512_sw *s = container_of(hash, sha512_sw, hash);
sha512_block_pad(&s->blk, BinarySink_UPCAST(s));
for (size_t i = 0; i < hash->vt->hlen / 8; i++)
PUT_64BIT_MSB_FIRST(digest + 8*i, s->core[i]);
Provide SHA-384 and SHA-512 as hashes usable in SSH KEX. SHA-384 was previously not implemented at all, but is a trivial adjustment to SHA-512 (different starting constants, and truncate the output hash). Both are now exposed as 'ssh_hash' structures so that key exchange methods can ask for them.
2014-11-01 08:59:25 +00:00
}
Remove a lot of pointless 'struct' keywords. This is the commit that f3295e0fb _should_ have been. Yesterday I just added some typedefs so that I didn't have to wear out my fingers typing 'struct' in new code, but what I ought to have done is to move all the typedefs into defs.h with the rest, and then go through cleaning up the legacy 'struct's all through the existing code. But I was mostly trying to concentrate on getting the test suite finished, so I just did the minimum. Now it's time to come back and do it better.
2019-01-04 06:51:44 +00:00
const ssh_hashalg ssh_sha512 = {
Reorganise SHA-512 to match SHA-256. This builds on the previous refactoring by reworking the SHA-512 vtables and block layer to look more like the SHA-256 version, in which the block and padding structure is a subroutine of the top-level vtable methods instead of an owning layer around them. This also organises the code in a way that makes it easy to drop in hardware-accelerated versions alongside it: the block layer and the big arrays of constants are now nicely separate from the inner block-transform part.
2020-12-24 15:20:03 +00:00
.new = sha512_sw_new,
.reset = sha512_sw_reset,
.copyfrom = sha512_sw_copyfrom,
.digest = sha512_sw_digest,
.free = sha512_sw_free,
Change vtable defs to use C99 designated initialisers. This is a sweeping change applied across the whole code base by a spot of Emacs Lisp. Now, everywhere I declare a vtable filled with function pointers (and the occasional const data member), all the members of the vtable structure are initialised by name using the '.fieldname = value' syntax introduced in C99. We were already using this syntax for a handful of things in the new key-generation progress report system, so it's not new to the code base as a whole. The advantage is that now, when a vtable only declares a subset of the available fields, I can initialise the rest to NULL or zero just by leaving them out. This is most dramatic in a couple of the outlying vtables in things like psocks (which has a ConnectionLayerVtable containing only one non-NULL method), but less dramatically, it means that the new 'flags' field in BackendVtable can be completely left out of every backend definition except for the SUPDUP one which defines it to a nonzero value. Similarly, the test_for_upstream method only used by SSH doesn't have to be mentioned in the rest of the backends; network Plugs for listening sockets don't have to explicitly null out 'receive' and 'sent', and vice versa for 'accepting', and so on. While I'm at it, I've normalised the declarations so they don't use the unnecessarily verbose 'struct' keyword. Also a handful of them weren't const; now they are.
2020-03-10 21:06:29 +00:00
.hlen = 64,
Reorganise SHA-512 to match SHA-256. This builds on the previous refactoring by reworking the SHA-512 vtables and block layer to look more like the SHA-256 version, in which the block and padding structure is a subroutine of the top-level vtable methods instead of an owning layer around them. This also organises the code in a way that makes it easy to drop in hardware-accelerated versions alongside it: the block layer and the big arrays of constants are now nicely separate from the inner block-transform part.
2020-12-24 15:20:03 +00:00
.blocklen = 128,
HASHALG_NAMES_ANNOTATED("SHA-512", "unaccelerated"),
.extra = sha512_initial_state,
Provide SHA-384 and SHA-512 as hashes usable in SSH KEX. SHA-384 was previously not implemented at all, but is a trivial adjustment to SHA-512 (different starting constants, and truncate the output hash). Both are now exposed as 'ssh_hash' structures so that key exchange methods can ask for them.
2014-11-01 08:59:25 +00:00
};
Remove a lot of pointless 'struct' keywords. This is the commit that f3295e0fb _should_ have been. Yesterday I just added some typedefs so that I didn't have to wear out my fingers typing 'struct' in new code, but what I ought to have done is to move all the typedefs into defs.h with the rest, and then go through cleaning up the legacy 'struct's all through the existing code. But I was mostly trying to concentrate on getting the test suite finished, so I just did the minimum. Now it's time to come back and do it better.
2019-01-04 06:51:44 +00:00
const ssh_hashalg ssh_sha384 = {
Reorganise SHA-512 to match SHA-256. This builds on the previous refactoring by reworking the SHA-512 vtables and block layer to look more like the SHA-256 version, in which the block and padding structure is a subroutine of the top-level vtable methods instead of an owning layer around them. This also organises the code in a way that makes it easy to drop in hardware-accelerated versions alongside it: the block layer and the big arrays of constants are now nicely separate from the inner block-transform part.
2020-12-24 15:20:03 +00:00
.new = sha512_sw_new,
.reset = sha512_sw_reset,
.copyfrom = sha512_sw_copyfrom,
.digest = sha512_sw_digest,
.free = sha512_sw_free,
Change vtable defs to use C99 designated initialisers. This is a sweeping change applied across the whole code base by a spot of Emacs Lisp. Now, everywhere I declare a vtable filled with function pointers (and the occasional const data member), all the members of the vtable structure are initialised by name using the '.fieldname = value' syntax introduced in C99. We were already using this syntax for a handful of things in the new key-generation progress report system, so it's not new to the code base as a whole. The advantage is that now, when a vtable only declares a subset of the available fields, I can initialise the rest to NULL or zero just by leaving them out. This is most dramatic in a couple of the outlying vtables in things like psocks (which has a ConnectionLayerVtable containing only one non-NULL method), but less dramatically, it means that the new 'flags' field in BackendVtable can be completely left out of every backend definition except for the SUPDUP one which defines it to a nonzero value. Similarly, the test_for_upstream method only used by SSH doesn't have to be mentioned in the rest of the backends; network Plugs for listening sockets don't have to explicitly null out 'receive' and 'sent', and vice versa for 'accepting', and so on. While I'm at it, I've normalised the declarations so they don't use the unnecessarily verbose 'struct' keyword. Also a handful of them weren't const; now they are.
2020-03-10 21:06:29 +00:00
.hlen = 48,
Reorganise SHA-512 to match SHA-256. This builds on the previous refactoring by reworking the SHA-512 vtables and block layer to look more like the SHA-256 version, in which the block and padding structure is a subroutine of the top-level vtable methods instead of an owning layer around them. This also organises the code in a way that makes it easy to drop in hardware-accelerated versions alongside it: the block layer and the big arrays of constants are now nicely separate from the inner block-transform part.
2020-12-24 15:20:03 +00:00
.blocklen = 128,
HASHALG_NAMES_ANNOTATED("SHA-384", "unaccelerated"),
.extra = sha384_initial_state,
Provide SHA-384 and SHA-512 as hashes usable in SSH KEX. SHA-384 was previously not implemented at all, but is a trivial adjustment to SHA-512 (different starting constants, and truncate the output hash). Both are now exposed as 'ssh_hash' structures so that key exchange methods can ask for them.
2014-11-01 08:59:25 +00:00
};
Reference in New Issue Copy Permalink