From 0d235919fbb1430d52913df11da1f011a65ff319 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Fri, 11 Aug 2006 08:02:43 +0000 Subject: r17488: - add SHA1 and HMACSHA1 functions, based on rfc 2104,2202,3174 - and add torture tests also based on the rfc's metze (This used to be commit d48930a02f9560640697fd57e4bba03dc0abe284) --- source4/lib/basic.mk | 4 +- source4/lib/crypto/crypto.h | 6 +- source4/lib/crypto/hmacsha1.c | 87 +++++++++ source4/lib/crypto/hmacsha1.h | 34 ++++ source4/lib/crypto/hmacsha1test.c | 46 +++++ source4/lib/crypto/sha1.c | 390 ++++++++++++++++++++++++++++++++++++++ source4/lib/crypto/sha1.h | 62 ++++++ source4/lib/crypto/sha1test.c | 126 ++++++++++++ 8 files changed, 752 insertions(+), 3 deletions(-) create mode 100644 source4/lib/crypto/hmacsha1.c create mode 100644 source4/lib/crypto/hmacsha1.h create mode 100644 source4/lib/crypto/hmacsha1test.c create mode 100644 source4/lib/crypto/sha1.c create mode 100644 source4/lib/crypto/sha1.h create mode 100644 source4/lib/crypto/sha1test.c (limited to 'source4/lib') diff --git a/source4/lib/basic.mk b/source4/lib/basic.mk index 6faa6b3da7..bce5b85b32 100644 --- a/source4/lib/basic.mk +++ b/source4/lib/basic.mk @@ -36,7 +36,9 @@ OBJ_FILES = \ crypto/md5.o \ crypto/hmacmd5.o \ crypto/md4.o \ - crypto/arcfour.o + crypto/arcfour.o \ + crypto/sha1.o \ + crypto/hmacsha1.o # End SUBSYSTEM LIBCRYPTO ############################## diff --git a/source4/lib/crypto/crypto.h b/source4/lib/crypto/crypto.h index 19457f60dc..ca6386e28c 100644 --- a/source4/lib/crypto/crypto.h +++ b/source4/lib/crypto/crypto.h @@ -18,10 +18,12 @@ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. */ -#include "lib/crypto/md5.h" +#include "lib/crypto/crc32.h" #include "lib/crypto/md4.h" +#include "lib/crypto/md5.h" #include "lib/crypto/hmacmd5.h" -#include "lib/crypto/crc32.h" +#include "lib/crypto/sha1.h" +#include "lib/crypto/hmacsha1.h" struct arcfour_state { uint8_t sbox[256]; diff --git a/source4/lib/crypto/hmacsha1.c b/source4/lib/crypto/hmacsha1.c new file mode 100644 index 0000000000..c3d2ba403a --- /dev/null +++ b/source4/lib/crypto/hmacsha1.c @@ -0,0 +1,87 @@ +/* + Unix SMB/CIFS implementation. + Interface header: HMAC SHA-1 code + Copyright (C) Stefan Metzmacher + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +/* + taken direct from rfc2202 implementation and modified for suitable use + */ + +#include "includes.h" +#include "lib/crypto/crypto.h" + +/*********************************************************************** + the rfc 2104/2202 version of hmac_sha1 initialisation. +***********************************************************************/ +_PUBLIC_ void hmac_sha1_init(const uint8_t *key, size_t key_len, struct HMACSHA1Context *ctx) +{ + int i; + uint8_t tk[SHA1HashSize]; + + /* if key is longer than 64 bytes reset it to key=MD5(key) */ + if (key_len > 64) + { + struct SHA1Context tctx; + + SHA1Init(&tctx); + SHA1Update(&tctx, key, key_len); + SHA1Final(tk, &tctx); + + key = tk; + key_len = SHA1HashSize; + } + + /* start out by storing key in pads */ + ZERO_STRUCT(ctx->k_ipad); + ZERO_STRUCT(ctx->k_opad); + memcpy( ctx->k_ipad, key, key_len); + memcpy( ctx->k_opad, key, key_len); + + /* XOR key with ipad and opad values */ + for (i=0; i<64; i++) + { + ctx->k_ipad[i] ^= 0x36; + ctx->k_opad[i] ^= 0x5c; + } + + SHA1Init(&ctx->ctx); + SHA1Update(&ctx->ctx, ctx->k_ipad, 64); +} + +/*********************************************************************** + update hmac_sha1 "inner" buffer +***********************************************************************/ +_PUBLIC_ void hmac_sha1_update(const uint8_t *data, size_t data_len, struct HMACSHA1Context *ctx) +{ + SHA1Update(&ctx->ctx, data, data_len); /* then text of datagram */ +} + +/*********************************************************************** + finish off hmac_sha1 "inner" buffer and generate outer one. +***********************************************************************/ +_PUBLIC_ void hmac_sha1_final(uint8_t digest[SHA1HashSize], struct HMACSHA1Context *ctx) +{ + struct SHA1Context ctx_o; + + SHA1Final(digest, &ctx->ctx); + + SHA1Init(&ctx_o); + SHA1Update(&ctx_o, ctx->k_opad, 64); + SHA1Update(&ctx_o, digest, SHA1HashSize); + SHA1Final(digest, &ctx_o); +} diff --git a/source4/lib/crypto/hmacsha1.h b/source4/lib/crypto/hmacsha1.h new file mode 100644 index 0000000000..f199aa081f --- /dev/null +++ b/source4/lib/crypto/hmacsha1.h @@ -0,0 +1,34 @@ +/* + Unix SMB/CIFS implementation. + Interface header: HMAC SHA1 code + Copyright (C) Stefan Metzmacher 2006 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#ifndef _HMAC_SHA1_H + +struct HMACSHA1Context { + struct SHA1Context ctx; + uint8_t k_ipad[65]; + uint8_t k_opad[65]; + +}; + +void hmac_sha1_init(const uint8_t *key, size_t key_len, struct HMACSHA1Context *ctx); +void hmac_sha1_update(const uint8_t *data, size_t data_len, struct HMACSHA1Context *ctx); +void hmac_sha1_final(uint8_t digest[20], struct HMACSHA1Context *ctx); + +#endif /* _HMAC_SHA1_H */ diff --git a/source4/lib/crypto/hmacsha1test.c b/source4/lib/crypto/hmacsha1test.c new file mode 100644 index 0000000000..2631fe1659 --- /dev/null +++ b/source4/lib/crypto/hmacsha1test.c @@ -0,0 +1,46 @@ +#include "includes.h" + +#include "lib/crypto/crypto.h" + +struct torture_context; + +BOOL torture_local_crypto_hmacsha1(struct torture_context *torture) +{ + BOOL ret = True; + uint32_t i; + struct { + DATA_BLOB key; + DATA_BLOB data; + DATA_BLOB digest; + } testarray[] = { + { + .key = strhex_to_data_blob("0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b"), + .data = data_blob_string_const("Hi There"), + .digest = strhex_to_data_blob("b617318655057264e28bc0b6fb378c8ef146be00") + } + }; + + for (i=0; i < ARRAY_SIZE(testarray); i++) { + struct HMACSHA1Context ctx; + uint8_t digest[SHA1HashSize]; + int e; + + hmac_sha1_init(testarray[i].key.data, testarray[i].key.length, &ctx); + hmac_sha1_update(testarray[i].data.data, testarray[i].data.length, &ctx); + hmac_sha1_final(digest, &ctx); + + e = memcmp(testarray[i].digest.data, + digest, + MIN(testarray[i].digest.length, SHA1HashSize)); + if (e != 0) { + printf("test[%u]: failed\n", i); + dump_data(0, testarray[i].key.data, testarray[i].key.length); + dump_data(0, testarray[i].data.data, testarray[i].data.length); + dump_data(0, testarray[i].digest.data, testarray[i].digest.length); + dump_data(0, digest, sizeof(digest)); + ret = False; + } + } + + return ret; +} diff --git a/source4/lib/crypto/sha1.c b/source4/lib/crypto/sha1.c new file mode 100644 index 0000000000..1b91f8a949 --- /dev/null +++ b/source4/lib/crypto/sha1.c @@ -0,0 +1,390 @@ +/* + This file contains the reference implementation of SHA-1 + from http://www.ietf.org/rfc/rfc3174.txt +*/ +/* + * sha1.c + * + * Description: + * This file implements the Secure Hashing Algorithm 1 as + * defined in FIPS PUB 180-1 published April 17, 1995. + * + * The SHA-1, produces a 160-bit message digest for a given + * data stream. It should take about 2**n steps to find a + * message with the same digest as a given message and + * 2**(n/2) to find any two messages with the same digest, + * when n is the digest size in bits. Therefore, this + * algorithm can serve as a means of providing a + * "fingerprint" for a message. + * + * Portability Issues: + * SHA-1 is defined in terms of 32-bit "words". This code + * uses (included via "sha1.h" to define 32 and 8 + * bit unsigned integer types. If your C compiler does not + * support 32 bit unsigned integers, this code is not + * appropriate. + * + * Caveats: + * SHA-1 is designed to work with messages less than 2^64 bits + * long. Although SHA-1 allows a message digest to be generated + * for messages of any number of bits less than 2^64, this + * implementation only works with messages with a length that is + * a multiple of the size of an 8-bit character. + * + */ + +#include "includes.h" + +#include "sha1.h" + +/* + * Define the SHA1 circular left shift macro + */ +#define SHA1CircularShift(bits,word) \ + (((word) << (bits)) | ((word) >> (32-(bits)))) + +/* Local Function Prototyptes */ +static void SHA1PadMessage(struct SHA1Context *); +static void SHA1ProcessMessageBlock(struct SHA1Context *); + +/* + * SHA1Init (SHA1Reset in the rfc) + * + * Description: + * This function will initialize the SHA1Context in preparation + * for computing a new SHA1 message digest. + * + * Parameters: + * context: [in/out] + * The context to reset. + * + * Returns: + * sha Error Code. + * + */ +int SHA1Init(struct SHA1Context *context) +{ + if (!context) + { + return shaNull; + } + + context->Length_Low = 0; + context->Length_High = 0; + context->Message_Block_Index = 0; + + context->Intermediate_Hash[0] = 0x67452301; + context->Intermediate_Hash[1] = 0xEFCDAB89; + context->Intermediate_Hash[2] = 0x98BADCFE; + context->Intermediate_Hash[3] = 0x10325476; + context->Intermediate_Hash[4] = 0xC3D2E1F0; + + context->Computed = 0; + context->Corrupted = 0; + + return shaSuccess; +} + +/* + * SHA1Final (SHA1Result in the rfc) + * + * Description: + * This function will return the 160-bit message digest into the + * Message_Digest array provided by the caller. + * NOTE: The first octet of hash is stored in the 0th element, + * the last octet of hash in the 19th element. + * + * Parameters: + * context: [in/out] + * The context to use to calculate the SHA-1 hash. + * Message_Digest: [out] + * Where the digest is returned. + * + * Returns: + * sha Error Code. + * + */ +int SHA1Final(uint8_t Message_Digest[SHA1HashSize], + struct SHA1Context *context) +{ + int i; + + if (!context || !Message_Digest) + { + return shaNull; + } + + if (context->Corrupted) + { + return context->Corrupted; + } + + if (!context->Computed) + { + SHA1PadMessage(context); + for(i=0; i<64; ++i) + { + /* message may be sensitive, clear it out */ + context->Message_Block[i] = 0; + } + context->Length_Low = 0; /* and clear length */ + context->Length_High = 0; + context->Computed = 1; + } + + for(i = 0; i < SHA1HashSize; ++i) + { + Message_Digest[i] = context->Intermediate_Hash[i>>2] + >> 8 * ( 3 - ( i & 0x03 ) ); + } + + return shaSuccess; +} + +/* + * SHA1Update (SHA1Input in the rfc) + * + * Description: + * This function accepts an array of octets as the next portion + * of the message. + * + * Parameters: + * context: [in/out] + * The SHA context to update + * message_array: [in] + * An array of characters representing the next portion of + * the message. + * length: [in] + * The length of the message in message_array + * + * Returns: + * sha Error Code. + * + */ +int SHA1Update(struct SHA1Context *context, + const uint8_t *message_array, + size_t length) +{ + if (!length) + { + return shaSuccess; + } + + if (!context || !message_array) + { + return shaNull; + } + + if (context->Computed) + { + context->Corrupted = shaStateError; + return shaStateError; + } + + if (context->Corrupted) + { + return context->Corrupted; + } + while(length-- && !context->Corrupted) + { + context->Message_Block[context->Message_Block_Index++] = + (*message_array & 0xFF); + + context->Length_Low += 8; + if (context->Length_Low == 0) + { + context->Length_High++; + if (context->Length_High == 0) + { + /* Message is too long */ + context->Corrupted = 1; + } + } + + if (context->Message_Block_Index == 64) + { + SHA1ProcessMessageBlock(context); + } + + message_array++; + } + + return shaSuccess; +} + +/* + * SHA1ProcessMessageBlock + * + * Description: + * This function will process the next 512 bits of the message + * stored in the Message_Block array. + * + * Parameters: + * None. + * + * Returns: + * Nothing. + * + * Comments: + * Many of the variable names in this code, especially the + * single character names, were used because those were the + * names used in the publication. + * + * + */ +static void SHA1ProcessMessageBlock(struct SHA1Context *context) +{ + const uint32_t K[] = { /* Constants defined in SHA-1 */ + 0x5A827999, + 0x6ED9EBA1, + 0x8F1BBCDC, + 0xCA62C1D6 + }; + int t; /* Loop counter */ + uint32_t temp; /* Temporary word value */ + uint32_t W[80]; /* Word sequence */ + uint32_t A, B, C, D, E; /* Word buffers */ + + /* + * Initialize the first 16 words in the array W + */ + for(t = 0; t < 16; t++) + { + W[t] = context->Message_Block[t * 4] << 24; + W[t] |= context->Message_Block[t * 4 + 1] << 16; + W[t] |= context->Message_Block[t * 4 + 2] << 8; + W[t] |= context->Message_Block[t * 4 + 3]; + } + + for(t = 16; t < 80; t++) + { + W[t] = SHA1CircularShift(1,W[t-3] ^ W[t-8] ^ W[t-14] ^ W[t-16]); + } + + A = context->Intermediate_Hash[0]; + B = context->Intermediate_Hash[1]; + C = context->Intermediate_Hash[2]; + D = context->Intermediate_Hash[3]; + E = context->Intermediate_Hash[4]; + + for(t = 0; t < 20; t++) + { + temp = SHA1CircularShift(5,A) + + ((B & C) | ((~B) & D)) + E + W[t] + K[0]; + E = D; + D = C; + C = SHA1CircularShift(30,B); + B = A; + A = temp; + } + + for(t = 20; t < 40; t++) + { + temp = SHA1CircularShift(5,A) + (B ^ C ^ D) + E + W[t] + K[1]; + E = D; + D = C; + C = SHA1CircularShift(30,B); + B = A; + A = temp; + } + + for(t = 40; t < 60; t++) + { + temp = SHA1CircularShift(5,A) + + ((B & C) | (B & D) | (C & D)) + E + W[t] + K[2]; + E = D; + D = C; + C = SHA1CircularShift(30,B); + B = A; + A = temp; + } + + for(t = 60; t < 80; t++) + { + temp = SHA1CircularShift(5,A) + (B ^ C ^ D) + E + W[t] + K[3]; + E = D; + D = C; + C = SHA1CircularShift(30,B); + B = A; + A = temp; + } + + context->Intermediate_Hash[0] += A; + context->Intermediate_Hash[1] += B; + context->Intermediate_Hash[2] += C; + context->Intermediate_Hash[3] += D; + context->Intermediate_Hash[4] += E; + + context->Message_Block_Index = 0; +} + + +/* + * SHA1PadMessage + * + * Description: + * According to the standard, the message must be padded to an even + * 512 bits. The first padding bit must be a '1'. The last 64 + * bits represent the length of the original message. All bits in + * between should be 0. This function will pad the message + * according to those rules by filling the Message_Block array + * accordingly. It will also call the ProcessMessageBlock function + * provided appropriately. When it returns, it can be assumed that + * the message digest has been computed. + * + * Parameters: + * context: [in/out] + * The context to pad + * ProcessMessageBlock: [in] + * The appropriate SHA*ProcessMessageBlock function + * Returns: + * Nothing. + * + */ + +static void SHA1PadMessage(struct SHA1Context *context) +{ + /* + * Check to see if the current message block is too small to hold + * the initial padding bits and length. If so, we will pad the + * block, process it, and then continue padding into a second + * block. + */ + if (context->Message_Block_Index > 55) + { + context->Message_Block[context->Message_Block_Index++] = 0x80; + while(context->Message_Block_Index < 64) + { + context->Message_Block[context->Message_Block_Index++] = 0; + } + + SHA1ProcessMessageBlock(context); + + while(context->Message_Block_Index < 56) + { + context->Message_Block[context->Message_Block_Index++] = 0; + } + } + else + { + context->Message_Block[context->Message_Block_Index++] = 0x80; + while(context->Message_Block_Index < 56) + { + context->Message_Block[context->Message_Block_Index++] = 0; + } + } + + /* + * Store the message length as the last 8 octets + */ + context->Message_Block[56] = context->Length_High >> 24; + context->Message_Block[57] = context->Length_High >> 16; + context->Message_Block[58] = context->Length_High >> 8; + context->Message_Block[59] = context->Length_High; + context->Message_Block[60] = context->Length_Low >> 24; + context->Message_Block[61] = context->Length_Low >> 16; + context->Message_Block[62] = context->Length_Low >> 8; + context->Message_Block[63] = context->Length_Low; + + SHA1ProcessMessageBlock(context); +} diff --git a/source4/lib/crypto/sha1.h b/source4/lib/crypto/sha1.h new file mode 100644 index 0000000000..4a2d448bfc --- /dev/null +++ b/source4/lib/crypto/sha1.h @@ -0,0 +1,62 @@ +/* + This file contains the reference implementation of SHA-1 + from http://www.ietf.org/rfc/rfc3174.txt +*/ +/* + * sha1.h + * + * Description: + * This is the header file for code which implements the Secure + * Hashing Algorithm 1 as defined in FIPS PUB 180-1 published + * April 17, 1995. + * + * Many of the variable names in this code, especially the + * single character names, were used because those were the names + * used in the publication. + * + * Please read the file sha1.c for more information. + * + */ +#ifndef _SHA1_H_ +#define _SHA1_H_ + +#ifndef _SHA_enum_ +#define _SHA_enum_ +enum +{ + shaSuccess = 0, + shaNull, /* Null pointer parameter */ + shaInputTooLong, /* input data too long */ + shaStateError /* called Input after Result */ +}; +#endif +#define SHA1HashSize 20 + +/* + * This structure will hold context information for the SHA-1 + * hashing operation + */ +struct SHA1Context +{ + uint32_t Intermediate_Hash[SHA1HashSize/4]; /* Message Digest */ + + uint32_t Length_Low; /* Message length in bits */ + uint32_t Length_High; /* Message length in bits */ + + /* Index into message block array */ + int16_t Message_Block_Index; + uint8_t Message_Block[64]; /* 512-bit message blocks */ + + int Computed; /* Is the digest computed? */ + int Corrupted; /* Is the message digest corrupted? */ +}; + +/* + * Function Prototypes + */ + +int SHA1Init(struct SHA1Context *); +int SHA1Update(struct SHA1Context *, const uint8_t *data, size_t data_len); +int SHA1Final(uint8_t Message_Digest[SHA1HashSize], struct SHA1Context *); + +#endif diff --git a/source4/lib/crypto/sha1test.c b/source4/lib/crypto/sha1test.c new file mode 100644 index 0000000000..c3b4506dec --- /dev/null +++ b/source4/lib/crypto/sha1test.c @@ -0,0 +1,126 @@ +/* + This file contains the reference implementation of SHA-1 + from http://www.ietf.org/rfc/rfc3174.txt +*/ +/* + * sha1test.c + * + * Description: + * This file will exercise the SHA-1 code performing the three + * tests documented in FIPS PUB 180-1 plus one which calls + * SHA1Input with an exact multiple of 512 bits, plus a few + * error test checks. + * + * Portability Issues: + * None. + * + */ + +#include "includes.h" + +#include "lib/crypto/crypto.h" + +struct torture_context; + +/* + * Define patterns for testing + */ +#define TEST1 "abc" +#define TEST2a "abcdbcdecdefdefgefghfghighijhi" +#define TEST2b "jkijkljklmklmnlmnomnopnopq" +#define TEST2 TEST2a TEST2b +#define TEST3 "a" +#define TEST4a "01234567012345670123456701234567" +#define TEST4b "01234567012345670123456701234567" + /* an exact multiple of 512 bits */ +#define TEST4 TEST4a TEST4b +static const char *testarray[4] = +{ + TEST1, + TEST2, + TEST3, + TEST4 +}; +static int repeatcount[4] = { 1, 1, 1000000, 10 }; +static const char *resultarray[4] = +{ + "A9 99 3E 36 47 06 81 6A BA 3E 25 71 78 50 C2 6C 9C D0 D8 9D ", + "84 98 3E 44 1C 3B D2 6E BA AE 4A A1 F9 51 29 E5 E5 46 70 F1 ", + "34 AA 97 3C D4 C4 DA A4 F6 1E EB 2B DB AD 27 31 65 34 01 6F ", + "DE A3 56 A2 CD DD 90 C7 A7 EC ED C5 EB B5 63 93 4F 46 04 52 " +}; + +BOOL torture_local_crypto_sha1(struct torture_context *torture) +{ + struct SHA1Context sha; + int i, j, err; + uint8_t Message_Digest[20]; + BOOL ret = True; + char tmp[60 + 10]; + + /* + * Perform SHA-1 tests + */ + for(j = 0; j < 4; ++j) + { + ZERO_STRUCT(tmp); + printf( "\nTest %d: %d, '%s'\n", + j+1, + repeatcount[j], + testarray[j]); + + err = SHA1Init(&sha); + if (err) + { + fprintf(stderr, "SHA1Init Error %d.\n", err ); + ret = False; + break; /* out of for j loop */ + } + + for(i = 0; i < repeatcount[j]; ++i) + { + err = SHA1Update(&sha, + (const unsigned char *) testarray[j], + strlen(testarray[j])); + if (err) + { + fprintf(stderr, "SHA1Update Error %d.\n", err ); + ret = False; + break; /* out of for i loop */ + } + } + + err = SHA1Final(Message_Digest, &sha); + if (err) + { + fprintf(stderr, + "SHA1Result Error %d, could not compute message digest.\n", + err ); + ret = False; + } + else + { + printf("\t"); + for(i = 0; i < 20 ; ++i) + { + snprintf(tmp+(i*3), sizeof(tmp) - (i*3),"%02X ", Message_Digest[i]); + printf("%02X ", Message_Digest[i]); + } + printf("\n"); + } + printf("Should match:\n"); + printf("\t%s\n", resultarray[j]); + if (strcmp(resultarray[j], tmp) != 0) { + ret = False; + } + } + + /* Test some error returns */ + err = SHA1Update(&sha,(const unsigned char *) testarray[1], 1); + if (err != shaStateError) ret = False; + printf ("\nError %d. Should be %d.\n", err, shaStateError ); + err = SHA1Init(0); + if (err != shaNull) ret = False; + printf ("\nError %d. Should be %d.\n", err, shaNull ); + return ret; +} -- cgit