mirror of
https://git.tartarus.org/simon/putty.git
synced 2025-01-25 09:12:24 +00:00
a647f2ba11
The annoying int64.h is completely retired, since C99 guarantees a 64-bit integer type that you can actually treat like an ordinary integer. Also, I've replaced the local typedefs uint32 and word32 (scattered through different parts of the crypto code) with the standard uint32_t.
440 lines
13 KiB
C
440 lines
13 KiB
C
/*
|
|
* SHA-512 algorithm as described at
|
|
*
|
|
* http://csrc.nist.gov/cryptval/shs.html
|
|
*
|
|
* Modifications made for SHA-384 also
|
|
*/
|
|
|
|
#include <assert.h>
|
|
#include "ssh.h"
|
|
|
|
#define BLKSIZE 128
|
|
|
|
/*
|
|
* Arithmetic implementations. Note that AND, XOR and NOT can
|
|
* overlap destination with one source, but the others can't.
|
|
*/
|
|
#define add(r,x,y) ( r = (x) + (y) )
|
|
#define rorB(r,x,y) ( r = ((x) >> (y)) | ((x) << (64-(y))) )
|
|
#define rorL(r,x,y) ( r = ((x) >> (y)) | ((x) << (64-(y))) )
|
|
#define shrB(r,x,y) ( r = (x) >> (y) )
|
|
#define shrL(r,x,y) ( r = (x) >> (y) )
|
|
#define and(r,x,y) ( r = (x) & (y) )
|
|
#define xor(r,x,y) ( r = (x) ^ (y) )
|
|
#define not(r,x) ( r = ~(x) )
|
|
#define INIT(h,l) ((((uint64_t)(h)) << 32) | (l))
|
|
#define BUILD(r,h,l) ( r = ((((uint64_t)(h)) << 32) | (l)) )
|
|
#define EXTRACT(h,l,r) ( h = (r) >> 32, l = (r) & 0xFFFFFFFFU )
|
|
|
|
/* ----------------------------------------------------------------------
|
|
* Core SHA512 algorithm: processes 16-doubleword blocks into a
|
|
* message digest.
|
|
*/
|
|
|
|
#define Ch(r,t,x,y,z) ( not(t,x), and(r,t,z), and(t,x,y), xor(r,r,t) )
|
|
#define Maj(r,t,x,y,z) ( and(r,x,y), and(t,x,z), xor(r,r,t), \
|
|
and(t,y,z), xor(r,r,t) )
|
|
#define bigsigma0(r,t,x) ( rorL(r,x,28), rorB(t,x,34), xor(r,r,t), \
|
|
rorB(t,x,39), xor(r,r,t) )
|
|
#define bigsigma1(r,t,x) ( rorL(r,x,14), rorL(t,x,18), xor(r,r,t), \
|
|
rorB(t,x,41), xor(r,r,t) )
|
|
#define smallsigma0(r,t,x) ( rorL(r,x,1), rorL(t,x,8), xor(r,r,t), \
|
|
shrL(t,x,7), xor(r,r,t) )
|
|
#define smallsigma1(r,t,x) ( rorL(r,x,19), rorB(t,x,61), xor(r,r,t), \
|
|
shrL(t,x,6), xor(r,r,t) )
|
|
|
|
static void SHA512_Core_Init(SHA512_State *s) {
|
|
static const uint64_t iv[] = {
|
|
INIT(0x6a09e667, 0xf3bcc908),
|
|
INIT(0xbb67ae85, 0x84caa73b),
|
|
INIT(0x3c6ef372, 0xfe94f82b),
|
|
INIT(0xa54ff53a, 0x5f1d36f1),
|
|
INIT(0x510e527f, 0xade682d1),
|
|
INIT(0x9b05688c, 0x2b3e6c1f),
|
|
INIT(0x1f83d9ab, 0xfb41bd6b),
|
|
INIT(0x5be0cd19, 0x137e2179),
|
|
};
|
|
int i;
|
|
for (i = 0; i < 8; i++)
|
|
s->h[i] = iv[i];
|
|
}
|
|
|
|
static void SHA384_Core_Init(SHA512_State *s) {
|
|
static const uint64_t iv[] = {
|
|
INIT(0xcbbb9d5d, 0xc1059ed8),
|
|
INIT(0x629a292a, 0x367cd507),
|
|
INIT(0x9159015a, 0x3070dd17),
|
|
INIT(0x152fecd8, 0xf70e5939),
|
|
INIT(0x67332667, 0xffc00b31),
|
|
INIT(0x8eb44a87, 0x68581511),
|
|
INIT(0xdb0c2e0d, 0x64f98fa7),
|
|
INIT(0x47b5481d, 0xbefa4fa4),
|
|
};
|
|
int i;
|
|
for (i = 0; i < 8; i++)
|
|
s->h[i] = iv[i];
|
|
}
|
|
|
|
static void SHA512_Block(SHA512_State *s, uint64_t *block) {
|
|
uint64_t w[80];
|
|
uint64_t a,b,c,d,e,f,g,h;
|
|
static const uint64_t k[] = {
|
|
INIT(0x428a2f98, 0xd728ae22), INIT(0x71374491, 0x23ef65cd),
|
|
INIT(0xb5c0fbcf, 0xec4d3b2f), INIT(0xe9b5dba5, 0x8189dbbc),
|
|
INIT(0x3956c25b, 0xf348b538), INIT(0x59f111f1, 0xb605d019),
|
|
INIT(0x923f82a4, 0xaf194f9b), INIT(0xab1c5ed5, 0xda6d8118),
|
|
INIT(0xd807aa98, 0xa3030242), INIT(0x12835b01, 0x45706fbe),
|
|
INIT(0x243185be, 0x4ee4b28c), INIT(0x550c7dc3, 0xd5ffb4e2),
|
|
INIT(0x72be5d74, 0xf27b896f), INIT(0x80deb1fe, 0x3b1696b1),
|
|
INIT(0x9bdc06a7, 0x25c71235), INIT(0xc19bf174, 0xcf692694),
|
|
INIT(0xe49b69c1, 0x9ef14ad2), INIT(0xefbe4786, 0x384f25e3),
|
|
INIT(0x0fc19dc6, 0x8b8cd5b5), INIT(0x240ca1cc, 0x77ac9c65),
|
|
INIT(0x2de92c6f, 0x592b0275), INIT(0x4a7484aa, 0x6ea6e483),
|
|
INIT(0x5cb0a9dc, 0xbd41fbd4), INIT(0x76f988da, 0x831153b5),
|
|
INIT(0x983e5152, 0xee66dfab), INIT(0xa831c66d, 0x2db43210),
|
|
INIT(0xb00327c8, 0x98fb213f), INIT(0xbf597fc7, 0xbeef0ee4),
|
|
INIT(0xc6e00bf3, 0x3da88fc2), INIT(0xd5a79147, 0x930aa725),
|
|
INIT(0x06ca6351, 0xe003826f), INIT(0x14292967, 0x0a0e6e70),
|
|
INIT(0x27b70a85, 0x46d22ffc), INIT(0x2e1b2138, 0x5c26c926),
|
|
INIT(0x4d2c6dfc, 0x5ac42aed), INIT(0x53380d13, 0x9d95b3df),
|
|
INIT(0x650a7354, 0x8baf63de), INIT(0x766a0abb, 0x3c77b2a8),
|
|
INIT(0x81c2c92e, 0x47edaee6), INIT(0x92722c85, 0x1482353b),
|
|
INIT(0xa2bfe8a1, 0x4cf10364), INIT(0xa81a664b, 0xbc423001),
|
|
INIT(0xc24b8b70, 0xd0f89791), INIT(0xc76c51a3, 0x0654be30),
|
|
INIT(0xd192e819, 0xd6ef5218), INIT(0xd6990624, 0x5565a910),
|
|
INIT(0xf40e3585, 0x5771202a), INIT(0x106aa070, 0x32bbd1b8),
|
|
INIT(0x19a4c116, 0xb8d2d0c8), INIT(0x1e376c08, 0x5141ab53),
|
|
INIT(0x2748774c, 0xdf8eeb99), INIT(0x34b0bcb5, 0xe19b48a8),
|
|
INIT(0x391c0cb3, 0xc5c95a63), INIT(0x4ed8aa4a, 0xe3418acb),
|
|
INIT(0x5b9cca4f, 0x7763e373), INIT(0x682e6ff3, 0xd6b2b8a3),
|
|
INIT(0x748f82ee, 0x5defb2fc), INIT(0x78a5636f, 0x43172f60),
|
|
INIT(0x84c87814, 0xa1f0ab72), INIT(0x8cc70208, 0x1a6439ec),
|
|
INIT(0x90befffa, 0x23631e28), INIT(0xa4506ceb, 0xde82bde9),
|
|
INIT(0xbef9a3f7, 0xb2c67915), INIT(0xc67178f2, 0xe372532b),
|
|
INIT(0xca273ece, 0xea26619c), INIT(0xd186b8c7, 0x21c0c207),
|
|
INIT(0xeada7dd6, 0xcde0eb1e), INIT(0xf57d4f7f, 0xee6ed178),
|
|
INIT(0x06f067aa, 0x72176fba), INIT(0x0a637dc5, 0xa2c898a6),
|
|
INIT(0x113f9804, 0xbef90dae), INIT(0x1b710b35, 0x131c471b),
|
|
INIT(0x28db77f5, 0x23047d84), INIT(0x32caab7b, 0x40c72493),
|
|
INIT(0x3c9ebe0a, 0x15c9bebc), INIT(0x431d67c4, 0x9c100d4c),
|
|
INIT(0x4cc5d4be, 0xcb3e42b6), INIT(0x597f299c, 0xfc657e2a),
|
|
INIT(0x5fcb6fab, 0x3ad6faec), INIT(0x6c44198c, 0x4a475817),
|
|
};
|
|
|
|
int t;
|
|
|
|
for (t = 0; t < 16; t++)
|
|
w[t] = block[t];
|
|
|
|
for (t = 16; t < 80; t++) {
|
|
uint64_t p, q, r, tmp;
|
|
smallsigma1(p, tmp, w[t-2]);
|
|
smallsigma0(q, tmp, w[t-15]);
|
|
add(r, p, q);
|
|
add(p, r, w[t-7]);
|
|
add(w[t], p, w[t-16]);
|
|
}
|
|
|
|
a = s->h[0]; b = s->h[1]; c = s->h[2]; d = s->h[3];
|
|
e = s->h[4]; f = s->h[5]; g = s->h[6]; h = s->h[7];
|
|
|
|
for (t = 0; t < 80; t+=8) {
|
|
uint64_t tmp, p, q, r;
|
|
|
|
#define ROUND(j,a,b,c,d,e,f,g,h) \
|
|
bigsigma1(p, tmp, e); \
|
|
Ch(q, tmp, e, f, g); \
|
|
add(r, p, q); \
|
|
add(p, r, k[j]) ; \
|
|
add(q, p, w[j]); \
|
|
add(r, q, h); \
|
|
bigsigma0(p, tmp, a); \
|
|
Maj(tmp, q, a, b, c); \
|
|
add(q, tmp, p); \
|
|
add(p, r, d); \
|
|
d = p; \
|
|
add(h, q, r);
|
|
|
|
ROUND(t+0, a,b,c,d,e,f,g,h);
|
|
ROUND(t+1, h,a,b,c,d,e,f,g);
|
|
ROUND(t+2, g,h,a,b,c,d,e,f);
|
|
ROUND(t+3, f,g,h,a,b,c,d,e);
|
|
ROUND(t+4, e,f,g,h,a,b,c,d);
|
|
ROUND(t+5, d,e,f,g,h,a,b,c);
|
|
ROUND(t+6, c,d,e,f,g,h,a,b);
|
|
ROUND(t+7, b,c,d,e,f,g,h,a);
|
|
}
|
|
|
|
{
|
|
uint64_t tmp;
|
|
#define UPDATE(state, local) ( tmp = state, add(state, tmp, local) )
|
|
UPDATE(s->h[0], a); UPDATE(s->h[1], b);
|
|
UPDATE(s->h[2], c); UPDATE(s->h[3], d);
|
|
UPDATE(s->h[4], e); UPDATE(s->h[5], f);
|
|
UPDATE(s->h[6], g); UPDATE(s->h[7], h);
|
|
}
|
|
}
|
|
|
|
/* ----------------------------------------------------------------------
|
|
* Outer SHA512 algorithm: take an arbitrary length byte string,
|
|
* convert it into 16-doubleword blocks with the prescribed padding
|
|
* at the end, and pass those blocks to the core SHA512 algorithm.
|
|
*/
|
|
|
|
static void SHA512_BinarySink_write(BinarySink *bs,
|
|
const void *p, size_t len);
|
|
|
|
void SHA512_Init(SHA512_State *s) {
|
|
SHA512_Core_Init(s);
|
|
s->blkused = 0;
|
|
s->lenhi = s->lenlo = 0;
|
|
BinarySink_INIT(s, SHA512_BinarySink_write);
|
|
}
|
|
|
|
void SHA384_Init(SHA512_State *s) {
|
|
SHA384_Core_Init(s);
|
|
s->blkused = 0;
|
|
s->lenhi = s->lenlo = 0;
|
|
BinarySink_INIT(s, SHA512_BinarySink_write);
|
|
}
|
|
|
|
static void SHA512_BinarySink_write(BinarySink *bs,
|
|
const void *p, size_t len)
|
|
{
|
|
SHA512_State *s = BinarySink_DOWNCAST(bs, SHA512_State);
|
|
unsigned char *q = (unsigned char *)p;
|
|
uint64_t wordblock[16];
|
|
int i;
|
|
|
|
/*
|
|
* Update the length field.
|
|
*/
|
|
s->lenlo += len;
|
|
s->lenhi += (s->lenlo < len);
|
|
|
|
if (s->blkused && s->blkused+len < BLKSIZE) {
|
|
/*
|
|
* Trivial case: just add to the block.
|
|
*/
|
|
memcpy(s->block + s->blkused, q, len);
|
|
s->blkused += len;
|
|
} else {
|
|
/*
|
|
* We must complete and process at least one block.
|
|
*/
|
|
while (s->blkused + len >= BLKSIZE) {
|
|
memcpy(s->block + s->blkused, q, BLKSIZE - s->blkused);
|
|
q += BLKSIZE - s->blkused;
|
|
len -= BLKSIZE - s->blkused;
|
|
/* Now process the block. Gather bytes big-endian into words */
|
|
for (i = 0; i < 16; i++)
|
|
wordblock[i] = GET_64BIT_MSB_FIRST(s->block + i*8);
|
|
SHA512_Block(s, wordblock);
|
|
s->blkused = 0;
|
|
}
|
|
memcpy(s->block, q, len);
|
|
s->blkused = len;
|
|
}
|
|
}
|
|
|
|
void SHA512_Final(SHA512_State *s, unsigned char *digest) {
|
|
int i;
|
|
int pad;
|
|
unsigned char c[BLKSIZE];
|
|
uint64_t lenhi, lenlo;
|
|
|
|
if (s->blkused >= BLKSIZE-16)
|
|
pad = (BLKSIZE-16) + BLKSIZE - s->blkused;
|
|
else
|
|
pad = (BLKSIZE-16) - s->blkused;
|
|
|
|
lenhi = (s->lenhi << 3) | (s->lenlo >> (32-3));
|
|
lenlo = (s->lenlo << 3);
|
|
|
|
memset(c, 0, pad);
|
|
c[0] = 0x80;
|
|
put_data(s, &c, pad);
|
|
|
|
put_uint64(s, lenhi);
|
|
put_uint64(s, lenlo);
|
|
|
|
for (i = 0; i < 8; i++)
|
|
PUT_64BIT_MSB_FIRST(digest + i*8, s->h[i]);
|
|
}
|
|
|
|
void SHA384_Final(SHA512_State *s, unsigned char *digest) {
|
|
unsigned char biggerDigest[512 / 8];
|
|
SHA512_Final(s, biggerDigest);
|
|
memcpy(digest, biggerDigest, 384 / 8);
|
|
}
|
|
|
|
void SHA512_Simple(const void *p, int len, unsigned char *output) {
|
|
SHA512_State s;
|
|
|
|
SHA512_Init(&s);
|
|
put_data(&s, p, len);
|
|
SHA512_Final(&s, output);
|
|
smemclr(&s, sizeof(s));
|
|
}
|
|
|
|
void SHA384_Simple(const void *p, int len, unsigned char *output) {
|
|
SHA512_State s;
|
|
|
|
SHA384_Init(&s);
|
|
put_data(&s, p, len);
|
|
SHA384_Final(&s, output);
|
|
smemclr(&s, sizeof(s));
|
|
}
|
|
|
|
/*
|
|
* Thin abstraction for things where hashes are pluggable.
|
|
*/
|
|
|
|
struct sha512_hash {
|
|
SHA512_State state;
|
|
ssh_hash hash;
|
|
};
|
|
|
|
static ssh_hash *sha512_new(const struct ssh_hashalg *alg)
|
|
{
|
|
struct sha512_hash *h = snew(struct sha512_hash);
|
|
SHA512_Init(&h->state);
|
|
h->hash.vt = alg;
|
|
BinarySink_DELEGATE_INIT(&h->hash, &h->state);
|
|
return &h->hash;
|
|
}
|
|
|
|
static ssh_hash *sha512_copy(ssh_hash *hashold)
|
|
{
|
|
struct sha512_hash *hold, *hnew;
|
|
ssh_hash *hashnew = sha512_new(hashold->vt);
|
|
|
|
hold = container_of(hashold, struct sha512_hash, hash);
|
|
hnew = container_of(hashnew, struct sha512_hash, hash);
|
|
|
|
hnew->state = hold->state;
|
|
BinarySink_COPIED(&hnew->state);
|
|
|
|
return hashnew;
|
|
}
|
|
|
|
static void sha512_free(ssh_hash *hash)
|
|
{
|
|
struct sha512_hash *h = container_of(hash, struct sha512_hash, hash);
|
|
|
|
smemclr(h, sizeof(*h));
|
|
sfree(h);
|
|
}
|
|
|
|
static void sha512_final(ssh_hash *hash, unsigned char *output)
|
|
{
|
|
struct sha512_hash *h = container_of(hash, struct sha512_hash, hash);
|
|
SHA512_Final(&h->state, output);
|
|
sha512_free(hash);
|
|
}
|
|
|
|
const struct ssh_hashalg ssh_sha512 = {
|
|
sha512_new, sha512_copy, sha512_final, sha512_free, 64, "SHA-512"
|
|
};
|
|
|
|
static ssh_hash *sha384_new(const struct ssh_hashalg *alg)
|
|
{
|
|
struct sha512_hash *h = snew(struct sha512_hash);
|
|
SHA384_Init(&h->state);
|
|
h->hash.vt = alg;
|
|
BinarySink_DELEGATE_INIT(&h->hash, &h->state);
|
|
return &h->hash;
|
|
}
|
|
|
|
static void sha384_final(ssh_hash *hash, unsigned char *output)
|
|
{
|
|
struct sha512_hash *h = container_of(hash, struct sha512_hash, hash);
|
|
SHA384_Final(&h->state, output);
|
|
sha512_free(hash);
|
|
}
|
|
|
|
const struct ssh_hashalg ssh_sha384 = {
|
|
sha384_new, sha512_copy, sha384_final, sha512_free, 48, "SHA-384"
|
|
};
|
|
|
|
#ifdef TEST
|
|
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <assert.h>
|
|
|
|
int main(void) {
|
|
unsigned char digest[64];
|
|
int i, j, errors;
|
|
|
|
struct {
|
|
const char *teststring;
|
|
unsigned char digest512[64];
|
|
} tests[] = {
|
|
{ "abc", {
|
|
0xdd, 0xaf, 0x35, 0xa1, 0x93, 0x61, 0x7a, 0xba,
|
|
0xcc, 0x41, 0x73, 0x49, 0xae, 0x20, 0x41, 0x31,
|
|
0x12, 0xe6, 0xfa, 0x4e, 0x89, 0xa9, 0x7e, 0xa2,
|
|
0x0a, 0x9e, 0xee, 0xe6, 0x4b, 0x55, 0xd3, 0x9a,
|
|
0x21, 0x92, 0x99, 0x2a, 0x27, 0x4f, 0xc1, 0xa8,
|
|
0x36, 0xba, 0x3c, 0x23, 0xa3, 0xfe, 0xeb, 0xbd,
|
|
0x45, 0x4d, 0x44, 0x23, 0x64, 0x3c, 0xe8, 0x0e,
|
|
0x2a, 0x9a, 0xc9, 0x4f, 0xa5, 0x4c, 0xa4, 0x9f,
|
|
} },
|
|
{ "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmn"
|
|
"hijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu", {
|
|
0x8e, 0x95, 0x9b, 0x75, 0xda, 0xe3, 0x13, 0xda,
|
|
0x8c, 0xf4, 0xf7, 0x28, 0x14, 0xfc, 0x14, 0x3f,
|
|
0x8f, 0x77, 0x79, 0xc6, 0xeb, 0x9f, 0x7f, 0xa1,
|
|
0x72, 0x99, 0xae, 0xad, 0xb6, 0x88, 0x90, 0x18,
|
|
0x50, 0x1d, 0x28, 0x9e, 0x49, 0x00, 0xf7, 0xe4,
|
|
0x33, 0x1b, 0x99, 0xde, 0xc4, 0xb5, 0x43, 0x3a,
|
|
0xc7, 0xd3, 0x29, 0xee, 0xb6, 0xdd, 0x26, 0x54,
|
|
0x5e, 0x96, 0xe5, 0x5b, 0x87, 0x4b, 0xe9, 0x09,
|
|
} },
|
|
{ NULL, {
|
|
0xe7, 0x18, 0x48, 0x3d, 0x0c, 0xe7, 0x69, 0x64,
|
|
0x4e, 0x2e, 0x42, 0xc7, 0xbc, 0x15, 0xb4, 0x63,
|
|
0x8e, 0x1f, 0x98, 0xb1, 0x3b, 0x20, 0x44, 0x28,
|
|
0x56, 0x32, 0xa8, 0x03, 0xaf, 0xa9, 0x73, 0xeb,
|
|
0xde, 0x0f, 0xf2, 0x44, 0x87, 0x7e, 0xa6, 0x0a,
|
|
0x4c, 0xb0, 0x43, 0x2c, 0xe5, 0x77, 0xc3, 0x1b,
|
|
0xeb, 0x00, 0x9c, 0x5c, 0x2c, 0x49, 0xaa, 0x2e,
|
|
0x4e, 0xad, 0xb2, 0x17, 0xad, 0x8c, 0xc0, 0x9b,
|
|
} },
|
|
};
|
|
|
|
errors = 0;
|
|
|
|
for (i = 0; i < sizeof(tests) / sizeof(*tests); i++) {
|
|
if (tests[i].teststring) {
|
|
SHA512_Simple(tests[i].teststring,
|
|
strlen(tests[i].teststring), digest);
|
|
} else {
|
|
SHA512_State s;
|
|
int n;
|
|
SHA512_Init(&s);
|
|
for (n = 0; n < 1000000 / 40; n++)
|
|
put_data(&s, "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", 40);
|
|
SHA512_Final(&s, digest);
|
|
}
|
|
for (j = 0; j < 64; j++) {
|
|
if (digest[j] != tests[i].digest512[j]) {
|
|
fprintf(stderr,
|
|
"\"%s\" digest512 byte %d should be 0x%02x, is 0x%02x\n",
|
|
tests[i].teststring, j, tests[i].digest512[j],
|
|
digest[j]);
|
|
errors++;
|
|
}
|
|
}
|
|
|
|
}
|
|
|
|
printf("%d errors\n", errors);
|
|
|
|
return 0;
|
|
}
|
|
|
|
#endif
|