Line data Source code
1 : /* gosthash94.c - an implementation of GOST Hash Function
2 : *
3 : * based on the Russian Standard GOST R 34.11-94.
4 : * English description in RFC 5831.
5 : * See also RFC 4357.
6 : *
7 : * Copyright: 2009-2012 Aleksey Kravchenko <rhash.admin@gmail.com>
8 : *
9 : * Permission is hereby granted, free of charge, to any person obtaining a
10 : * copy of this software and associated documentation files (the
11 : * "Software"), to deal in the Software without restriction, including
12 : * without limitation the rights to use, copy, modify, merge, publish,
13 : * distribute, sublicense, and/or sell copies of the Software, and to
14 : * permit persons to whom the Software is furnished to do so, subject to
15 : * the following conditions:
16 : *
17 : * The above copyright notice and this permission notice shall be included
18 : * in all copies or substantial portions of the Software.
19 : *
20 : * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
21 : * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
22 : * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
23 : * IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
24 : * CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
25 : * TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
26 : * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
27 : */
28 :
29 : /*
30 : * Ported to nettle by Nikos Mavrogiannopoulos.
31 : */
32 :
33 : #if HAVE_CONFIG_H
34 : #include "config.h"
35 : #endif
36 :
37 : #ifndef HAVE_NETTLE_GOSTHASH94CP_UPDATE
38 : #include <gnutls_int.h>
39 :
40 : #include <string.h>
41 :
42 : #include <nettle/macros.h>
43 : #include "nettle-write.h"
44 : #include "gosthash94.h"
45 : #include "gost28147.h"
46 :
47 : /**
48 : * The core transformation. Process a 512-bit block.
49 : *
50 : * @param hash intermediate message hash
51 : * @param block the message block to process
52 : */
53 : static void
54 408565 : gost_block_compress (struct gosthash94_ctx *ctx, const uint32_t *block,
55 : const uint32_t *sbox)
56 : {
57 408565 : unsigned i;
58 408565 : uint32_t key[8], u[8], v[8], w[8], s[8];
59 :
60 : /* u := hash, v := <256-bit message block> */
61 408565 : memcpy (u, ctx->hash, sizeof (u));
62 408565 : memcpy (v, block, sizeof (v));
63 :
64 : /* w := u xor v */
65 408565 : w[0] = u[0] ^ v[0], w[1] = u[1] ^ v[1];
66 408565 : w[2] = u[2] ^ v[2], w[3] = u[3] ^ v[3];
67 408565 : w[4] = u[4] ^ v[4], w[5] = u[5] ^ v[5];
68 408565 : w[6] = u[6] ^ v[6], w[7] = u[7] ^ v[7];
69 :
70 : /* calculate keys, encrypt hash and store result to the s[] array */
71 1634260 : for (i = 0;; i += 2)
72 : {
73 : /* key generation: key_i := P(w) */
74 1634260 : key[0] =
75 1634260 : (w[0] & 0x000000ff) | ((w[2] & 0x000000ff) << 8) |
76 1634260 : ((w[4] & 0x000000ff) << 16) | ((w[6] & 0x000000ff) << 24);
77 1634260 : key[1] =
78 1634260 : ((w[0] & 0x0000ff00) >> 8) | (w[2] & 0x0000ff00) |
79 1634260 : ((w[4] & 0x0000ff00) << 8) | ((w[6] & 0x0000ff00) << 16);
80 1634260 : key[2] =
81 1634260 : ((w[0] & 0x00ff0000) >> 16) | ((w[2] & 0x00ff0000) >> 8) |
82 1634260 : (w[4] & 0x00ff0000) | ((w[6] & 0x00ff0000) << 8);
83 1634260 : key[3] =
84 1634260 : ((w[0] & 0xff000000) >> 24) | ((w[2] & 0xff000000) >> 16) |
85 1634260 : ((w[4] & 0xff000000) >> 8) | (w[6] & 0xff000000);
86 1634260 : key[4] =
87 1634260 : (w[1] & 0x000000ff) | ((w[3] & 0x000000ff) << 8) |
88 1634260 : ((w[5] & 0x000000ff) << 16) | ((w[7] & 0x000000ff) << 24);
89 1634260 : key[5] =
90 1634260 : ((w[1] & 0x0000ff00) >> 8) | (w[3] & 0x0000ff00) |
91 1634260 : ((w[5] & 0x0000ff00) << 8) | ((w[7] & 0x0000ff00) << 16);
92 1634260 : key[6] =
93 1634260 : ((w[1] & 0x00ff0000) >> 16) | ((w[3] & 0x00ff0000) >> 8) |
94 1634260 : (w[5] & 0x00ff0000) | ((w[7] & 0x00ff0000) << 8);
95 1634260 : key[7] =
96 1634260 : ((w[1] & 0xff000000) >> 24) | ((w[3] & 0xff000000) >> 16) |
97 1634260 : ((w[5] & 0xff000000) >> 8) | (w[7] & 0xff000000);
98 :
99 : /* encryption: s_i := E_{key_i} (h_i) */
100 1634260 : gost28147_encrypt_simple (key, sbox, &ctx->hash[i], &s[i]);
101 :
102 1634260 : if (i == 0)
103 : {
104 : /* w:= A(u) ^ A^2(v) */
105 408565 : w[0] = u[2] ^ v[4], w[1] = u[3] ^ v[5];
106 408565 : w[2] = u[4] ^ v[6], w[3] = u[5] ^ v[7];
107 408565 : w[4] = u[6] ^ (v[0] ^= v[2]);
108 408565 : w[5] = u[7] ^ (v[1] ^= v[3]);
109 408565 : w[6] = (u[0] ^= u[2]) ^ (v[2] ^= v[4]);
110 408565 : w[7] = (u[1] ^= u[3]) ^ (v[3] ^= v[5]);
111 : }
112 1225700 : else if ((i & 2) != 0)
113 : {
114 817130 : if (i == 6)
115 : break;
116 :
117 : /* w := A^2(u) xor A^4(v) xor C_3; u := A(u) xor C_3 */
118 : /* C_3=0xff00ffff000000ffff0000ff00ffff0000ff00ff00ff00ffff00ff00ff00ff00 */
119 408565 : u[2] ^= u[4] ^ 0x000000ff;
120 408565 : u[3] ^= u[5] ^ 0xff00ffff;
121 408565 : u[4] ^= 0xff00ff00;
122 408565 : u[5] ^= 0xff00ff00;
123 408565 : u[6] ^= 0x00ff00ff;
124 408565 : u[7] ^= 0x00ff00ff;
125 408565 : u[0] ^= 0x00ffff00;
126 408565 : u[1] ^= 0xff0000ff;
127 :
128 408565 : w[0] = u[4] ^ v[0];
129 408565 : w[2] = u[6] ^ v[2];
130 408565 : w[4] = u[0] ^ (v[4] ^= v[6]);
131 408565 : w[6] = u[2] ^ (v[6] ^= v[0]);
132 408565 : w[1] = u[5] ^ v[1];
133 408565 : w[3] = u[7] ^ v[3];
134 408565 : w[5] = u[1] ^ (v[5] ^= v[7]);
135 408565 : w[7] = u[3] ^ (v[7] ^= v[1]);
136 : }
137 : else
138 : {
139 : /* i==4 here */
140 : /* w:= A( A^2(u) xor C_3 ) xor A^6(v) */
141 408565 : w[0] = u[6] ^ v[4], w[1] = u[7] ^ v[5];
142 408565 : w[2] = u[0] ^ v[6], w[3] = u[1] ^ v[7];
143 408565 : w[4] = u[2] ^ (v[0] ^= v[2]);
144 408565 : w[5] = u[3] ^ (v[1] ^= v[3]);
145 408565 : w[6] = (u[4] ^= u[6]) ^ (v[2] ^= v[4]);
146 408565 : w[7] = (u[5] ^= u[7]) ^ (v[3] ^= v[5]);
147 : }
148 : }
149 :
150 : /* step hash function: x(block, hash) := psi^61(hash xor psi(block xor psi^12(S))) */
151 :
152 : /* 12 rounds of the LFSR and xor in <message block> */
153 408565 : u[0] = block[0] ^ s[6];
154 408565 : u[1] = block[1] ^ s[7];
155 408565 : u[2] =
156 408565 : block[2] ^ (s[0] << 16) ^ (s[0] >> 16) ^ (s[0] & 0xffff) ^ (s[1] &
157 : 0xffff)
158 408565 : ^ (s[1] >> 16) ^ (s[2] << 16) ^ s[6] ^ (s[6] << 16) ^ (s[7] &
159 : 0xffff0000)
160 408565 : ^ (s[7] >> 16);
161 408565 : u[3] =
162 408565 : block[3] ^ (s[0] & 0xffff) ^ (s[0] << 16) ^ (s[1] & 0xffff) ^ (s[1]
163 408565 : <<
164 : 16)
165 408565 : ^ (s[1] >> 16) ^ (s[2] << 16) ^ (s[2] >> 16) ^ (s[3] << 16) ^ s[6]
166 408565 : ^ (s[6] << 16) ^ (s[6] >> 16) ^ (s[7] & 0xffff) ^ (s[7] << 16) ^
167 : (s[7] >> 16);
168 408565 : u[4] =
169 408565 : block[4] ^ (s[0] & 0xffff0000) ^ (s[0] << 16) ^ (s[0] >> 16) ^
170 408565 : (s[1] & 0xffff0000) ^ (s[1] >> 16) ^ (s[2] << 16) ^ (s[2] >> 16) ^
171 408565 : (s[3] << 16) ^ (s[3] >> 16) ^ (s[4] << 16) ^ (s[6] << 16) ^ (s[6]
172 : >> 16)
173 408565 : ^ (s[7] & 0xffff) ^ (s[7] << 16) ^ (s[7] >> 16);
174 408565 : u[5] =
175 408565 : block[5] ^ (s[0] << 16) ^ (s[0] >> 16) ^ (s[0] & 0xffff0000) ^
176 408565 : (s[1] & 0xffff) ^ s[2] ^ (s[2] >> 16) ^ (s[3] << 16) ^ (s[3] >> 16)
177 408565 : ^ (s[4] << 16) ^ (s[4] >> 16) ^ (s[5] << 16) ^ (s[6] << 16) ^ (s[6]
178 : >>
179 : 16)
180 408565 : ^ (s[7] & 0xffff0000) ^ (s[7] << 16) ^ (s[7] >> 16);
181 408565 : u[6] =
182 408565 : block[6] ^ s[0] ^ (s[1] >> 16) ^ (s[2] << 16) ^ s[3] ^ (s[3] >> 16)
183 408565 : ^ (s[4] << 16) ^ (s[4] >> 16) ^ (s[5] << 16) ^ (s[5] >> 16) ^ s[6]
184 408565 : ^ (s[6] << 16) ^ (s[6] >> 16) ^ (s[7] << 16);
185 408565 : u[7] =
186 408565 : block[7] ^ (s[0] & 0xffff0000) ^ (s[0] << 16) ^ (s[1] & 0xffff) ^
187 408565 : (s[1] << 16) ^ (s[2] >> 16) ^ (s[3] << 16) ^ s[4] ^ (s[4] >> 16) ^
188 408565 : (s[5] << 16) ^ (s[5] >> 16) ^ (s[6] >> 16) ^ (s[7] & 0xffff) ^
189 408565 : (s[7] << 16) ^ (s[7] >> 16);
190 :
191 : /* 1 round of the LFSR (a mixing transformation) and xor with <hash> */
192 408565 : v[0] = ctx->hash[0] ^ (u[1] << 16) ^ (u[0] >> 16);
193 408565 : v[1] = ctx->hash[1] ^ (u[2] << 16) ^ (u[1] >> 16);
194 408565 : v[2] = ctx->hash[2] ^ (u[3] << 16) ^ (u[2] >> 16);
195 408565 : v[3] = ctx->hash[3] ^ (u[4] << 16) ^ (u[3] >> 16);
196 408565 : v[4] = ctx->hash[4] ^ (u[5] << 16) ^ (u[4] >> 16);
197 408565 : v[5] = ctx->hash[5] ^ (u[6] << 16) ^ (u[5] >> 16);
198 408565 : v[6] = ctx->hash[6] ^ (u[7] << 16) ^ (u[6] >> 16);
199 408565 : v[7] =
200 : ctx->
201 408565 : hash[7] ^ (u[0] & 0xffff0000) ^ (u[0] << 16) ^ (u[1] & 0xffff0000)
202 408565 : ^ (u[1] << 16) ^ (u[6] << 16) ^ (u[7] & 0xffff0000) ^ (u[7] >> 16);
203 :
204 : /* 61 rounds of LFSR, mixing up hash */
205 408565 : ctx->hash[0] = (v[0] & 0xffff0000) ^ (v[0] << 16) ^ (v[0] >> 16) ^
206 408565 : (v[1] >> 16) ^ (v[1] & 0xffff0000) ^ (v[2] << 16) ^
207 408565 : (v[3] >> 16) ^ (v[4] << 16) ^ (v[5] >> 16) ^ v[5] ^
208 408565 : (v[6] >> 16) ^ (v[7] << 16) ^ (v[7] >> 16) ^ (v[7] & 0xffff);
209 408565 : ctx->hash[1] = (v[0] << 16) ^ (v[0] >> 16) ^ (v[0] & 0xffff0000) ^
210 408565 : (v[1] & 0xffff) ^ v[2] ^ (v[2] >> 16) ^ (v[3] << 16) ^
211 408565 : (v[4] >> 16) ^ (v[5] << 16) ^ (v[6] << 16) ^ v[6] ^
212 408565 : (v[7] & 0xffff0000) ^ (v[7] >> 16);
213 408565 : ctx->hash[2] = (v[0] & 0xffff) ^ (v[0] << 16) ^ (v[1] << 16) ^
214 408565 : (v[1] >> 16) ^ (v[1] & 0xffff0000) ^ (v[2] << 16) ^ (v[3] >> 16) ^
215 408565 : v[3] ^ (v[4] << 16) ^ (v[5] >> 16) ^ v[6] ^ (v[6] >> 16) ^
216 408565 : (v[7] & 0xffff) ^ (v[7] << 16) ^ (v[7] >> 16);
217 408565 : ctx->hash[3] = (v[0] << 16) ^ (v[0] >> 16) ^ (v[0] & 0xffff0000) ^
218 408565 : (v[1] & 0xffff0000) ^ (v[1] >> 16) ^ (v[2] << 16) ^
219 408565 : (v[2] >> 16) ^ v[2] ^ (v[3] << 16) ^ (v[4] >> 16) ^ v[4] ^
220 408565 : (v[5] << 16) ^ (v[6] << 16) ^ (v[7] & 0xffff) ^ (v[7] >> 16);
221 408565 : ctx->hash[4] =
222 408565 : (v[0] >> 16) ^ (v[1] << 16) ^ v[1] ^ (v[2] >> 16) ^ v[2] ^ (v[3] <<
223 408565 : 16) ^
224 408565 : (v[3] >> 16) ^ v[3] ^ (v[4] << 16) ^ (v[5] >> 16) ^ v[5] ^ (v[6] <<
225 408565 : 16) ^
226 408565 : (v[6] >> 16) ^ (v[7] << 16);
227 408565 : ctx->hash[5] =
228 408565 : (v[0] << 16) ^ (v[0] & 0xffff0000) ^ (v[1] << 16) ^ (v[1] >> 16) ^
229 408565 : (v[1] & 0xffff0000) ^ (v[2] << 16) ^ v[2] ^ (v[3] >> 16) ^ v[3] ^
230 408565 : (v[4] << 16) ^ (v[4] >> 16) ^ v[4] ^ (v[5] << 16) ^ (v[6] << 16) ^
231 408565 : (v[6] >> 16) ^ v[6] ^ (v[7] << 16) ^ (v[7] >> 16) ^ (v[7] &
232 : 0xffff0000);
233 408565 : ctx->hash[6] =
234 408565 : v[0] ^ v[2] ^ (v[2] >> 16) ^ v[3] ^ (v[3] << 16) ^ v[4] ^ (v[4] >>
235 408565 : 16) ^
236 408565 : (v[5] << 16) ^ (v[5] >> 16) ^ v[5] ^ (v[6] << 16) ^ (v[6] >> 16) ^
237 408565 : v[6] ^ (v[7] << 16) ^ v[7];
238 408565 : ctx->hash[7] =
239 408565 : v[0] ^ (v[0] >> 16) ^ (v[1] << 16) ^ (v[1] >> 16) ^ (v[2] << 16) ^
240 408565 : (v[3] >> 16) ^ v[3] ^ (v[4] << 16) ^ v[4] ^ (v[5] >> 16) ^ v[5] ^
241 408565 : (v[6] << 16) ^ (v[6] >> 16) ^ (v[7] << 16) ^ v[7];
242 408565 : }
243 :
244 : /**
245 : * This function calculates hash value by 256-bit blocks.
246 : * It updates 256-bit check sum as follows:
247 : * *(uint256_t)(ctx->sum) += *(uint256_t*)block;
248 : * and then updates intermediate hash value ctx->hash
249 : * by calling gost_block_compress().
250 : *
251 : * @param ctx algorithm context
252 : * @param block the 256-bit message block to process
253 : */
254 : static void
255 136367 : gost_compute_sum_and_hash (struct gosthash94_ctx *ctx, const uint8_t *block,
256 : const uint32_t *sbox)
257 : {
258 136367 : uint32_t block_le[8];
259 136367 : unsigned i, carry;
260 :
261 : /* compute the 256-bit sum */
262 1227300 : for (i = carry = 0; i < 8; i++, block += 4)
263 : {
264 1090940 : block_le[i] = LE_READ_UINT32(block);
265 1090940 : ctx->sum[i] += carry;
266 1090940 : carry = (ctx->sum[i] < carry);
267 1090940 : ctx->sum[i] += block_le[i];
268 1090940 : carry += (ctx->sum[i] < block_le[i]);
269 : }
270 :
271 : /* update message hash */
272 136367 : gost_block_compress (ctx, block_le, sbox);
273 136367 : }
274 :
275 : /**
276 : * Calculate message hash.
277 : * Can be called repeatedly with chunks of the message to be hashed.
278 : *
279 : * @param ctx the algorithm context containing current hashing state
280 : * @param msg message chunk
281 : * @param size length of the message chunk
282 : */
283 : static void
284 136148 : gosthash94_update_int (struct gosthash94_ctx *ctx,
285 : size_t length, const uint8_t *msg,
286 : const uint32_t *sbox)
287 : {
288 136148 : unsigned index = (unsigned) ctx->length & 31;
289 136148 : ctx->length += length;
290 :
291 : /* fill partial block */
292 136148 : if (index)
293 : {
294 15 : unsigned left = GOSTHASH94_BLOCK_SIZE - index;
295 15 : memcpy (ctx->message + index, msg, (length < left ? length : left));
296 15 : if (length < left)
297 : return;
298 :
299 : /* process partial block */
300 4 : gost_compute_sum_and_hash (ctx, ctx->message, sbox);
301 4 : msg += left;
302 4 : length -= left;
303 : }
304 272449 : while (length >= GOSTHASH94_BLOCK_SIZE)
305 : {
306 136312 : gost_compute_sum_and_hash (ctx, msg, sbox);
307 136312 : msg += GOSTHASH94_BLOCK_SIZE;
308 136312 : length -= GOSTHASH94_BLOCK_SIZE;
309 : }
310 136137 : if (length)
311 : {
312 : /* save leftovers */
313 51 : memcpy (ctx->message, msg, length);
314 : }
315 : }
316 :
317 : /**
318 : * Calculate message hash.
319 : * Can be called repeatedly with chunks of the message to be hashed.
320 : *
321 : * @param ctx the algorithm context containing current hashing state
322 : * @param msg message chunk
323 : * @param size length of the message chunk
324 : */
325 : void
326 136148 : gosthash94cp_update (struct gosthash94_ctx *ctx,
327 : size_t length, const uint8_t *msg)
328 : {
329 136148 : gosthash94_update_int (ctx, length, msg,
330 : gost28147_param_CryptoPro_3411.sbox);
331 136148 : }
332 :
333 : /**
334 : * Finish hashing and store message digest into given array.
335 : *
336 : * @param ctx the algorithm context containing current hashing state
337 : * @param result calculated hash in binary form
338 : */
339 : static void
340 136099 : gosthash94_write_digest (struct gosthash94_ctx *ctx,
341 : size_t length, uint8_t *result,
342 : const uint32_t *sbox)
343 : {
344 136099 : unsigned index = ctx->length & 31;
345 136099 : uint32_t msg32[8];
346 :
347 136099 : assert(length <= GOSTHASH94_DIGEST_SIZE);
348 :
349 : /* pad the last block with zeroes and hash it */
350 136099 : if (index > 0)
351 : {
352 51 : memset (ctx->message + index, 0, 32 - index);
353 51 : gost_compute_sum_and_hash (ctx, ctx->message, sbox);
354 : }
355 :
356 : /* hash the message length and the sum */
357 136099 : msg32[0] = ctx->length << 3;
358 136099 : msg32[1] = ctx->length >> 29;
359 136099 : memset (msg32 + 2, 0, sizeof (uint32_t) * 6);
360 :
361 136099 : gost_block_compress (ctx, msg32, sbox);
362 136099 : gost_block_compress (ctx, ctx->sum, sbox);
363 :
364 : /* convert hash state to result bytes */
365 136099 : _nettle_write_le32(length, result, ctx->hash);
366 136099 : gosthash94_init (ctx);
367 136099 : }
368 :
369 : void
370 136099 : gosthash94cp_digest (struct gosthash94_ctx *ctx,
371 : size_t length, uint8_t *result)
372 : {
373 136099 : gosthash94_write_digest (ctx, length, result,
374 : gost28147_param_CryptoPro_3411.sbox);
375 136099 : }
376 : #endif
|
