/* * CRC32 implementation, as used in SSH-1. * * This particular form of the CRC uses the polynomial * P(x) = x^32+x^26+x^23+x^22+x^16+x^12+x^11+x^10+x^8+x^7+x^5+x^4+x^2+x^1+1 * and represents polynomials in bit-reversed form, so that the x^0 * coefficient (constant term) appears in the bit with place value * 2^31, and the x^31 coefficient in the bit with place value 2^0. In * this representation, (x^32 mod P) = 0xEDB88320, so multiplying the * current state by x is done by shifting right by one bit, and XORing * that constant into the result if the bit shifted out was 1. * * There's a bewildering array of subtly different variants of CRC out * there, using different polynomials, both bit orders, and varying * the start and end conditions. There are catalogue websites such as * http://reveng.sourceforge.net/crc-catalogue/ , which generally seem * to have the convention of indexing CRCs by their 'check value', * defined as whatever you get if you hash the 9-byte test string * "123456789". * * The crc32_rfc1662() function below, which starts off the CRC state * at 0xFFFFFFFF and complements it after feeding all the data, gives * the check value 0xCBF43926, and matches the hash function that the * above catalogue refers to as "CRC-32/ISO-HDLC"; among other things, * it's also the "FCS-32" checksum described in RFC 1662 section C.3 * (hence the name I've given it here). * * The crc32_ssh1() function implements the variant form used by * SSH-1, which uses the same update function, but starts the state at * zero and doesn't complement it at the end of the computation. The * check value for that version is 0x2DFD2D88, which that CRC * catalogue doesn't list at all. */ #include #include #include "ssh.h" /* * Multiply a CRC value by x^4. This implementation strategy avoids * using a lookup table (which would be a side-channel hazard, since * SSH-1 applies this CRC to decrypted session data). * * The basic idea is that you'd like to "multiply" the shifted-out 4 * bits by the CRC polynomial value 0xEDB88320, or rather by that * value shifted right 3 bits (since you want the _last_ bit shifted * out, i.e. the one originally at the 2^3 position, to generate * 0xEDB88320 itself). But the scare-quoted "multiply" would have to * be a multiplication of polynomials over GF(2), which differs from * integer multiplication in that you don't have any carries. In other * words, you make a copy of one input shifted left by the index of * each set bit in the other, so that adding them all together would * give you the ordinary integer product, and then you XOR them * together instead. * * With a 4-bit multiplier, the two kinds of multiplication coincide * provided the multiplicand has no two set bits at positions * differing by less than 4, because then no two copies of the * multiplier can overlap to generate a carry. So I break up the * intended multiplicand K = 0xEDB88320 >> 3 into three sub-constants * a,b,c with that property, such that a^b^c = K. Then I can multiply * m by each of them separately, and XOR together the results. */ static inline uint32_t crc32_shift_4(uint32_t v) { const uint32_t a = 0x11111044, b = 0x08840020, c = 0x04220000; uint32_t m = v & 0xF; return (v >> 4) ^ (a*m) ^ (b*m) ^ (c*m); } /* * The 8-bit shift you need every time you absorb an input byte, * implemented simply by iterating the 4-bit shift twice. */ static inline uint32_t crc32_shift_8(uint32_t v) { return crc32_shift_4(crc32_shift_4(v)); } /* * Update an existing hash value with extra bytes of data. */ uint32_t crc32_update(uint32_t crc, ptrlen data) { const uint8_t *p = (const uint8_t *)data.ptr; for (size_t len = data.len; len-- > 0 ;) crc = crc32_shift_8(crc ^ *p++); return crc; } /* * The SSH-1 variant of CRC-32. */ uint32_t crc32_ssh1(ptrlen data) { return crc32_update(0, data); } /* * The official version of CRC-32. Nothing in PuTTY proper uses this, * but it's useful to expose it to testcrypt so that we can implement * standard test vectors. */ uint32_t crc32_rfc1662(ptrlen data) { return crc32_update(0xFFFFFFFF, data) ^ 0xFFFFFFFF; }