2 * COPYRIGHT (C) 1990 DIGITAL EQUIPMENT CORPORATION
5 * "Digital Equipment Corporation authorizes the reproduction,
6 * distribution and modification of this software subject to the following
9 * 1. Any partial or whole copy of this software, or any modification
10 * thereof, must include this copyright notice in its entirety.
12 * 2. This software is supplied "as is" with no warranty of any kind,
13 * expressed or implied, for any purpose, including any warranty of fitness
14 * or merchantibility. DIGITAL assumes no responsibility for the use or
15 * reliability of this software, nor promises to provide any form of
16 * support for it on any basis.
18 * 3. Distribution of this software is authorized only if no profit or
19 * remuneration of any kind is received in exchange for such distribution.
21 * 4. This software produces public key authentication certificates
22 * bearing an expiration date established by DIGITAL and RSA Data
23 * Security, Inc. It may cease to generate certificates after the expiration
24 * date. Any modification of this software that changes or defeats
25 * the expiration date or its effect is unauthorized.
27 * 5. Software that will renew or extend the expiration date of
28 * authentication certificates produced by this software may be obtained
29 * from RSA Data Security, Inc., 10 Twin Dolphin Drive, Redwood City, CA
30 * 94065, (415)595-8782, or from DIGITAL"
37 * This file contains RSA hash routines.
46 * This conditionally includes the BSAFE MD and MAC routines. These
47 * are not used by Sphinx so usually this definition is commented out.
51 #define INCLUDE_RSA_BSAFE_STUFF 1
54 #define TEMP_BUFSIZ 256
57 * Externally Callable Routines. All arguments are character pointers
61 void RSA_MD2(); /* RSA_MD2(input_buffer, length, hash_result) */
62 void RSA_MD4(); /* RSA_MD4(input_buffer, length, hash_result) */
63 #ifdef INCLUDE_RSA_BSAFE_STUFF
64 void RSA_MAC(); /* RSA_MAC(input_buffer, length, mac, output_length) */
65 void RSA_MD(); /* RSA_MD(input_buffer, length, hash_result) */
70 ** **************************************************************************
71 ** md4.h -- Header file for implementation of MD4 Message Digest Algorithm **
72 ** Updated: 2/13/90 by Ronald L. Rivest **
73 ** (C) 1990 RSA Data Security, Inc. **
74 ** **************************************************************************
77 /* MDstruct is the data structure for a message digest computation.
80 unsigned int buffer[4]; /* Holds 4-word result of MD computation */
81 unsigned char count[8]; /* Number of bits processed so far */
82 unsigned int done; /* Nonzero means MD computation finished */
86 ** **************************************************************************
87 ** md4.c -- Implementation of MD4 Message Digest Algorithm **
88 ** Updated: 2/16/90 by Ronald L. Rivest **
89 ** (C) 1990 RSA Data Security, Inc. **
90 ** **************************************************************************
95 ** -- Include md4.h in your program
96 ** -- Declare an MDstruct MD to hold the state of the digest computation.
97 ** -- Initialize MD using MDbegin(&MD)
98 ** -- For each full block (64 bytes) X you wish to process, call
99 ** MDupdate(&MD,X,512)
100 ** (512 is the number of bits in a full block.)
101 ** -- For the last block (less than 64 bytes) you wish to process,
103 ** where n is the number of bits in the partial block. A partial
104 ** block terminates the computation, so every MD computation should
105 ** terminate by processing a partial block, even if it has n = 0.
106 ** -- The message digest is available in MD.buffer[0] ... MD.buffer[3].
107 ** (Least-significant byte of each word should be output first.)
108 ** -- You can print out the digest using MDprint(&MD)
111 /* Implementation notes:
112 ** This implementation assumes that ints are 32-bit quantities.
113 ** If the machine stores the least-significant byte of an int in the
114 ** least-addressed byte (eg., VAX and 8086), then LOWBYTEFIRST should be
115 ** set to TRUE. Otherwise (eg., SUNS), LOWBYTEFIRST should be set to
116 ** FALSE. Note that on machines with LOWBYTEFIRST FALSE the routine
117 ** MDupdate modifies has a side-effect on its input array (the order of bytes
118 ** in each word are reversed). If this is undesired a call to MDreverse(X) can
119 ** reverse the bytes of X back into order after each call to MDupdate.
133 #define LOWBYTEFIRST SPHINX_ENDIAN
135 /* Compile-time declarations of MD4 ``magic constants''.
137 #define I0 0x67452301 /* Initial values for MD buffer */
138 #define I1 0xefcdab89
139 #define I2 0x98badcfe
140 #define I3 0x10325476
141 #define C2 013240474631 /* round 2 constant = sqrt(2) in octal */
142 #define C3 015666365641 /* round 3 constant = sqrt(3) in octal */
143 /* C2 and C3 are from Knuth, The Art of Programming, Volume 2
144 ** (Seminumerical Algorithms), Second Edition (1981), Addison-Wesley.
145 ** Table 2, page 660.
147 #define fs1 3 /* round 1 shift amounts */
151 #define gs1 3 /* round 2 shift amounts */
155 #define hs1 3 /* round 3 shift amounts */
161 /* Compile-time macro declarations for MD4.
162 ** Note: The ``rot'' operator uses the variable ``tmp''.
163 ** It assumes tmp is declared as unsigned int, so that the >>
164 ** operator will shift in zeros rather than extending the sign bit.
166 #define f(X,Y,Z) ((X&Y) | ((~X)&Z))
167 #define g(X,Y,Z) ((X&Y) | (X&Z) | (Y&Z))
168 #define h(X,Y,Z) (X^Y^Z)
169 #define rot(X,S) (tmp=X,(tmp<<S) | (tmp>>(32-S)))
170 #define ff(A,B,C,D,i,s) A = rot((A + f(B,C,D) + X[i]),s)
171 #define gg(A,B,C,D,i,s) A = rot((A + g(B,C,D) + X[i] + C2),s)
172 #define hh(A,B,C,D,i,s) A = rot((A + h(B,C,D) + X[i] + C3),s)
176 ** Print message digest buffer MDp as 32 hexadecimal digits.
177 ** Order is from low-order byte of buffer[0] to high-order byte of buffer[3].
178 ** Each byte is printed with high-order hexadecimal digit first.
179 ** This is a user-callable routine.
181 static void MDprint(MDp)
186 printf("%02x",(MDp->buffer[i]>>j) & 0xFF);
190 ** Initialize message digest buffer MDp.
191 ** This is a user-callable routine.
193 static void MDbegin(MDp)
200 for (i=0;i<8;i++) MDp->count[i] = 0;
205 ** Reverse the byte-ordering of every int in X.
206 ** Assumes X is an array of 16 ints.
207 ** The macro revx reverses the byte-ordering of the next word of X.
209 #define revx { t = (*X << 16) | (*X >> 16); \
210 *X++ = ((t & 0xFF00FF00) >> 8) | ((t & 0x00FF00FF) << 8); }
211 static void MDreverse(X)
213 { register unsigned int t;
214 revx; revx; revx; revx; revx; revx; revx; revx;
215 revx; revx; revx; revx; revx; revx; revx; revx;
219 ** Update message digest buffer MDp->buffer using 16-word data block X.
220 ** Assumes all 16 words of X are full of data.
221 ** Does not update MDp->count.
222 ** This routine is not user-callable.
224 static void MDblock(MDp,X)
228 register unsigned int tmp, A, B, C, D;
229 #if LOWBYTEFIRST == FALSE
236 /* Update the message digest buffer */
237 ff(A , B , C , D , 0 , fs1); /* Round 1 */
238 ff(D , A , B , C , 1 , fs2);
239 ff(C , D , A , B , 2 , fs3);
240 ff(B , C , D , A , 3 , fs4);
241 ff(A , B , C , D , 4 , fs1);
242 ff(D , A , B , C , 5 , fs2);
243 ff(C , D , A , B , 6 , fs3);
244 ff(B , C , D , A , 7 , fs4);
245 ff(A , B , C , D , 8 , fs1);
246 ff(D , A , B , C , 9 , fs2);
247 ff(C , D , A , B , 10 , fs3);
248 ff(B , C , D , A , 11 , fs4);
249 ff(A , B , C , D , 12 , fs1);
250 ff(D , A , B , C , 13 , fs2);
251 ff(C , D , A , B , 14 , fs3);
252 ff(B , C , D , A , 15 , fs4);
253 gg(A , B , C , D , 0 , gs1); /* Round 2 */
254 gg(D , A , B , C , 4 , gs2);
255 gg(C , D , A , B , 8 , gs3);
256 gg(B , C , D , A , 12 , gs4);
257 gg(A , B , C , D , 1 , gs1);
258 gg(D , A , B , C , 5 , gs2);
259 gg(C , D , A , B , 9 , gs3);
260 gg(B , C , D , A , 13 , gs4);
261 gg(A , B , C , D , 2 , gs1);
262 gg(D , A , B , C , 6 , gs2);
263 gg(C , D , A , B , 10 , gs3);
264 gg(B , C , D , A , 14 , gs4);
265 gg(A , B , C , D , 3 , gs1);
266 gg(D , A , B , C , 7 , gs2);
267 gg(C , D , A , B , 11 , gs3);
268 gg(B , C , D , A , 15 , gs4);
269 hh(A , B , C , D , 0 , hs1); /* Round 3 */
270 hh(D , A , B , C , 8 , hs2);
271 hh(C , D , A , B , 4 , hs3);
272 hh(B , C , D , A , 12 , hs4);
273 hh(A , B , C , D , 2 , hs1);
274 hh(D , A , B , C , 10 , hs2);
275 hh(C , D , A , B , 6 , hs3);
276 hh(B , C , D , A , 14 , hs4);
277 hh(A , B , C , D , 1 , hs1);
278 hh(D , A , B , C , 9 , hs2);
279 hh(C , D , A , B , 5 , hs3);
280 hh(B , C , D , A , 13 , hs4);
281 hh(A , B , C , D , 3 , hs1);
282 hh(D , A , B , C , 11 , hs2);
283 hh(C , D , A , B , 7 , hs3);
284 hh(B , C , D , A , 15 , hs4);
292 /* MDupdate(MDp,X,count)
293 ** Input: MDp -- an MDptr
294 ** X -- a pointer to an array of unsigned characters.
295 ** count -- the number of bits of X to use.
296 ** (if not a multiple of 8, uses high bits of last byte.)
297 ** Update MDp using the number of bits of X given by count.
298 ** This is the basic input routine for an MD4 user.
299 ** The routine completes the MD computation when count < 512, so
300 ** every MD computation should end with one call to MDupdate with a
301 ** count less than 512. A call with count 0 will be ignored if the
302 ** MD has already been terminated (done != 0), so an extra call with count
303 ** 0 can be given as a ``courtesy close'' to force termination if desired.
305 static int MDupdate(MDp,X,count)
309 { unsigned int i, tmp, bit, byte, mask;
310 unsigned char XX[64];
312 /* return with no error if this is a courtesy close with count
313 ** zero and MDp->done is true.
315 if (count == 0 && MDp->done) return(1);
316 /* check to see if MD is already done and report error */
319 printf("\nError: MDupdate MD already done.");
322 /* Add count to MDp->count */
332 { /* Full block of data to handle */
333 MDblock(MDp,(unsigned int *)X);
335 else if (count > 512) /* Check for count too large */
338 printf("\nError: MDupdate called with illegal count value %d.",count);
342 else /* partial block -- must be last block so finish up */
343 { /* Find out how many bytes and residual bits there are */
346 /* Copy X into XX since we need to modify it */
347 for (i=0;i<=byte;i++) XX[i] = X[i];
348 for (i=byte+1;i<64;i++) XX[i] = 0;
349 /* Add padding '1' bit and low-order zeros in last byte */
350 mask = 1 << (7 - bit);
351 XX[byte] = (XX[byte] | mask) & ~( mask - 1);
352 /* If room for bit count, finish up with this block */
354 { for (i=0;i<8;i++) XX[56+i] = MDp->count[i];
355 MDblock(MDp,(unsigned int *)XX);
357 else /* need to do two blocks to finish up */
358 { MDblock(MDp,(unsigned int *)XX);
359 for (i=0;i<56;i++) XX[i] = 0;
360 for (i=0;i<8;i++) XX[56+i] = MDp->count[i];
361 MDblock(MDp,(unsigned int *)XX);
363 /* Set flag saying we're done with MD computation */
378 void RSA_MD4 (inbuf, isize, digest)
379 char * inbuf, * digest ;
384 for (i=0;i+64<=isize;i=i+64) MDupdate(&MD,inbuf+i,512);
385 MDupdate(&MD,inbuf+i,(isize-i)*8);
386 memcpy(digest,MD.buffer,16);
391 #ifdef INCLUDE_RSA_BSAFE_STUFF
392 /* SUBSTITUTION TABLE BASED ON DIGITS OF PI -- SEE PISUBST.DOC */
393 /* obtained from RSA, Inc. */
394 static unsigned char _pisubst[256] = {
395 189, 86,234,242,162,241,172, 42,176,147,209,156, 27, 51,253,208,
396 48, 4,182,220,125,223, 50, 75,247,203, 69,155, 49,187, 33, 90,
397 65,159,225,217, 74, 77,158,218,160,104, 44,195, 39, 95,128, 54,
398 62,238,251,149, 26,254,206,168, 52,169, 19,240,166, 63,216, 12,
399 120, 36,175, 35, 82,193,103, 23,245,102,144,231,232, 7,184, 96,
400 72,230, 30, 83,243,146,164,114,140, 8, 21,110,134, 0,132,250,
401 244,127,138, 66, 25,246,219,205, 20,141, 80, 18,186, 60, 6, 78,
402 236,179, 53, 17,161,136,142, 43,148,153,183,113,116,211,228,191,
403 58,222,150, 14,188, 10,237,119,252, 55,107, 3,121,137, 98,198,
404 215,192,210,124,106,139, 34,163, 91, 5, 93, 2,117,213, 97,227,
405 24,143, 85, 81,173, 31, 11, 94,133,229,194, 87, 99,202, 61,108,
406 180,197,204,112,178,145, 89, 13, 71, 32,200, 79, 88,224, 1,226,
407 22, 56,196,111, 59, 15,101, 70,190,126, 45,123,130,249, 64,181,
408 29,115,248,235, 38,199,135,151, 37, 84,177, 40,170,152,157,165,
409 100,109,122,212, 16,129, 68,239, 73,214,174, 46,221,118, 92, 47,
410 167, 28,201, 9,105,154,131,207, 41, 57,185,233, 76,255, 67,171
413 /* The table PS given below is a permutation of 0...255 constructed */
414 /* from the digits of pi. It is a ``random'' nonlinear byte */
415 /* substitution operation. */
416 static unsigned char PS[256] = {
417 41, 46, 67,201,162,216,124, 1, 61, 54, 84,161,236,240, 6, 19,
418 98,167, 5,243,192,199,115,140,152,147, 43,217,188, 76,130,202,
419 30,155, 87, 60,253,212,224, 22,103, 66,111, 24,138, 23,229, 18,
420 190, 78,196,214,218,158,222, 73,160,251,245,142,187, 47,238,122,
421 169,104,121,145, 21,178, 7, 63,148,194, 16,137, 11, 34, 95, 33,
422 128,127, 93,154, 90,144, 50, 39, 53, 62,204,231,191,247,151, 3,
423 255, 25, 48,179, 72,165,181,209,215, 94,146, 42,172, 86,170,198,
424 79,184, 56,210,150,164,125,182,118,252,107,226,156,116, 4,241,
425 69,157,112, 89,100,113,135, 32,134, 91,207,101,230, 45,168, 2,
426 27, 96, 37,173,174,176,185,246, 28, 70, 97,105, 52, 64,126, 15,
427 85, 71,163, 35,221, 81,175, 58,195, 92,249,206,186,197,234, 38,
428 44, 83, 13,110,133, 40,132, 9,211,223,205,244, 65,129, 77, 82,
429 106,220, 55,200,108,193,171,250, 36,225,123, 8, 12,189,177, 74,
430 120,136,149,139,227, 99,232,109,233,203,213,254, 59, 0, 29, 57,
431 242,239,183, 14,102, 88,208,228,166,119,114,248,235,117, 75, 10,
432 49, 68, 80,180,143,237, 31, 26,219,153,141, 51,159, 17,131, 20,
439 * Compute a message authentication code (MAC) over the specified
440 * buffer. This uses the RSADSI MAC algorithm.
443 * inbuf - Pointer to the input buffer
444 * isize - Size of the input buffer
445 * macsize - Number of bytes desired in MAC
448 * mac - Pointer to the resultant message authentication code buffer
452 void RSA_MAC(inbuf, isize, mac, macsize)
453 unsigned char * inbuf, * mac ;
458 memset(mac, 0, macsize); /* initialize the mac buffer */
459 macsize--; /* change to index */
461 * Run over the input buffer merging each byte into the MAC.
463 for (i = 0; i < isize; i++)
465 temp = _pisubst[mac[0] ^ mac[1]];
467 * Shift down the MAC one place and merge the new value into
471 memcpy(&mac[0],&mac[1], macsize);
473 memmove(&mac[0],&mac[1], macsize);
475 mac[macsize] = temp ^ *inbuf++;
484 * Compute a message digest over the specified buffer using the
485 * RSA, Inc., message digest "MD" algorithm.
488 * inbuf - Pointer to the input buffer
489 * isize - Size of the input buffer
492 * digest - Pointer to the resultant digest buffer. Assumed to be
497 void RSA_MD (inbuf, isize, digest )
498 char * inbuf, * digest ;
506 static unsigned char lastmac ,
513 memset(digest, 0, MD_BLOCK_SIZE); /* initialize return digest */
514 memset(buf, 0, sizeof(buf)); /* initialize temporaries */
515 memset(mac, 0, sizeof(mac));
517 for (i = 0, k = 0 , lastmac = 0 ; i < isize ; i++)
520 * Merge the new character into the buffer and
523 buf[k + 16] = *inbuf;
524 buf[k + 32] = *inbuf ^ buf[k];
525 lastmac = (mac[k] ^= PS[(*inbuf++ ^ lastmac) & 0xFF]);
529 * Encrypt at the end of each block.
533 for (l = 0; l < 18; l++)
534 for (j = 48; j > 0; j--)
535 t = (buf[48 - j] ^= PS[(t + j) & 0xFF]);
539 padlen = MD_BLOCK_SIZE - k;
540 x = (unsigned char) padlen ;
542 for (i = 0; i < padlen ; i++)
545 buf[k + 32] = x ^ buf[k];
546 lastmac = (mac[k] ^= PS[(x ^ lastmac) & 0xFF]);
554 for (l = 0; l < 18; l++)
555 for (j = 48; j > 0; j--)
556 t = (buf[48 - j] ^= PS[(t + j) & 0xFF]);
561 * Now merge the MAC computed above into the message digest value.
563 for (i = 0; i < 16; i++)
565 buf[i + 16] = mac[i];
566 buf[i + 32] = mac[i] ^ buf[i];
569 for (i = 0; i < 18; i++)
571 for (j = 48; j > 0; j--)
573 t = (buf[48 - j] ^= PS[(t + j) & 0xFF]);
578 * Now copy the final digest value to the output.
580 memcpy(digest, buf, MD_BLOCK_SIZE);
584 #endif /* INCLUDE_RSA_BSAFE_STUFF */
589 /* RSA-MD2 Message Digest algorithm in C */
590 /* by Ronald L. Rivest 10/1/88 */
592 /**********************************************************************/
593 /* Message digest routines: */
594 /* To form the message digest for a message M */
595 /* (1) Initialize a context buffer md using MDINIT */
596 /* (2) Call MDUPDATE on md and each character of M in turn */
597 /* (3) Call MDFINAL on md */
598 /* The message digest is now in md->D[0...15] */
599 /**********************************************************************/
600 /* An MDCTX structure is a context buffer for a message digest */
601 /* computation; it holds the current "state" of a message digest */
605 unsigned char D[48]; /* buffer for forming digest in */
606 /* At the end, D[0...15] form the message */
608 unsigned char C[16]; /* checksum register */
609 unsigned char i; /* number of bytes handled, modulo 16 */
610 unsigned char L; /* last checksum char saved */
612 /* The table S given below is a permutation of 0...255 constructed */
613 /* from the digits of pi. It is a ``random'' nonlinear byte */
614 /* substitution operation. */
616 41, 46, 67,201,162,216,124, 1, 61, 54, 84,161,236,240, 6, 19,
617 98,167, 5,243,192,199,115,140,152,147, 43,217,188, 76,130,202,
618 30,155, 87, 60,253,212,224, 22,103, 66,111, 24,138, 23,229, 18,
619 190, 78,196,214,218,158,222, 73,160,251,245,142,187, 47,238,122,
620 169,104,121,145, 21,178, 7, 63,148,194, 16,137, 11, 34, 95, 33,
621 128,127, 93,154, 90,144, 50, 39, 53, 62,204,231,191,247,151, 3,
622 255, 25, 48,179, 72,165,181,209,215, 94,146, 42,172, 86,170,198,
623 79,184, 56,210,150,164,125,182,118,252,107,226,156,116, 4,241,
624 69,157,112, 89,100,113,135, 32,134, 91,207,101,230, 45,168, 2,
625 27, 96, 37,173,174,176,185,246, 28, 70, 97,105, 52, 64,126, 15,
626 85, 71,163, 35,221, 81,175, 58,195, 92,249,206,186,197,234, 38,
627 44, 83, 13,110,133, 40,132, 9,211,223,205,244, 65,129, 77, 82,
628 106,220, 55,200,108,193,171,250, 36,225,123, 8, 12,189,177, 74,
629 120,136,149,139,227, 99,232,109,233,203,213,254, 59, 0, 29, 57,
630 242,239,183, 14,102, 88,208,228,166,119,114,248,235,117, 75, 10,
631 49, 68, 80,180,143,237, 31, 26,219,153,141, 51,159, 17,131, 20,
633 /*The routine MDINIT initializes the message digest context buffer md.*/
634 /* All fields are set to zero. */
638 for (i=0;i<16;i++) md->D[i] = md->C[i] = 0;
642 /* The routine MDUPDATE updates the message digest context buffer to */
643 /* account for the presence of the character c in the message whose */
644 /* digest is being computed. This routine will be called for each */
645 /* message byte in turn. */
649 { register unsigned char i,j,t,*p;
650 /**** Put i in a local register for efficiency ****/
652 /**** Add new character to buffer ****/
654 md->D[32+i] = c ^ md->D[i];
655 /**** Update checksum register C and value L ****/
656 md->L = (md->C[i] ^= S[0xFF & (c ^ md->L)]);
657 /**** Increment md->i by one modulo 16 ****/
658 i = md->i = (i + 1) & 15;
659 /**** Transform D if i=0 ****/
663 {/*The following is a more efficient version of the loop:*/
664 /* for (i=0;i<48;i++) t = md->D[i] = md->D[i] ^ S[t]; */
667 { t = (*p++ ^= S[t]);
674 /* End of more efficient loop implementation */
679 /* The routine MDFINAL terminates the message digest computation and */
680 /* ends with the desired message digest being in md->D[0...15]. */
684 /* pad out to multiple of 16 */
685 padlen = 16 - (md->i);
686 for (i=0;i<padlen;i++) MDUPDATE(md,(unsigned char)padlen);
687 /* extend with checksum */
688 /* Note that although md->C is modified by MDUPDATE, character */
689 /* md->C[i] is modified after it has been passed to MDUPDATE, so */
690 /* the net effect is the same as if md->C were not being modified.*/
691 for (i=0;i<16;i++) MDUPDATE(md,md->C[i]);
694 /**********************************************************************/
695 /* End of message digest implementation */
696 /**********************************************************************/
698 void RSA_MD2 (inbuf, isize, digest )
699 char * inbuf, * digest ;
706 for(i=0;i<isize;i++) MDUPDATE(&temp,*inbuf++);
708 memcpy(digest,temp.D,16);