Line data Source code
1 : /* $Id: shavite.c 227 2010-06-16 17:28:38Z tp $ */
2 : /*
3 : * SHAvite-3 implementation.
4 : *
5 : * ==========================(LICENSE BEGIN)============================
6 : *
7 : * Copyright (c) 2007-2010 Projet RNRT SAPHIR
8 : *
9 : * Permission is hereby granted, free of charge, to any person obtaining
10 : * a copy of this software and associated documentation files (the
11 : * "Software"), to deal in the Software without restriction, including
12 : * without limitation the rights to use, copy, modify, merge, publish,
13 : * distribute, sublicense, and/or sell copies of the Software, and to
14 : * permit persons to whom the Software is furnished to do so, subject to
15 : * the following conditions:
16 : *
17 : * The above copyright notice and this permission notice shall be
18 : * included in all copies or substantial portions of the Software.
19 : *
20 : * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
21 : * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
22 : * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
23 : * IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
24 : * CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
25 : * TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
26 : * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
27 : *
28 : * ===========================(LICENSE END)=============================
29 : *
30 : * @author Thomas Pornin <thomas.pornin@cryptolog.com>
31 : */
32 :
33 : #include <crypto/x11/aes.h>
34 : #include <crypto/x11/dispatch.h>
35 :
36 : #include <cstddef>
37 : #include <cstring>
38 :
39 : #include "sph_shavite.h"
40 :
41 : #ifdef _MSC_VER
42 : #pragma warning (disable: 4146)
43 : #endif
44 :
45 : #define C32 SPH_C32
46 :
47 : /*
48 : * As of round 2 of the SHA-3 competition, the published reference
49 : * implementation and test vectors are wrong, because they use
50 : * big-endian AES tables while the internal decoding uses little-endian.
51 : * The code below follows the specification. To turn it into a code
52 : * which follows the reference implementation (the one called "BugFix"
53 : * on the SHAvite-3 web site, published on Nov 23rd, 2009), comment out
54 : * the code below (from the '#define AES_BIG_ENDIAN...' to the definition
55 : * of the AES_ROUND_NOKEY macro) and replace it with the version which
56 : * is commented out afterwards.
57 : */
58 :
59 : static const sph_u32 IV512[] = {
60 : C32(0x72FCCDD8), C32(0x79CA4727), C32(0x128A077B), C32(0x40D55AEC),
61 : C32(0xD1901A06), C32(0x430AE307), C32(0xB29F5CD1), C32(0xDF07FBFC),
62 : C32(0x8E45D73D), C32(0x681AB538), C32(0xBDE86578), C32(0xDD577E47),
63 : C32(0xE275EADE), C32(0x502D9FCD), C32(0xB9357178), C32(0x022A4B9A)
64 : };
65 :
66 : #define AES_ROUND_NOKEY(x0, x1, x2, x3) do { \
67 : sapphire::soft_aes::RoundKeyless(x0, x1, x2, x3, x0, x1, x2, x3); \
68 : } while (0)
69 :
70 : namespace sapphire {
71 : namespace {
72 831124 : void CompressElement(uint32_t& l0, uint32_t& l1, uint32_t& l2, uint32_t& l3,
73 : uint32_t r0, uint32_t r1, uint32_t r2, uint32_t r3, const uint32_t* rk)
74 : {
75 831124 : uint32_t x0{r0 ^ rk[0]};
76 831124 : uint32_t x1{r1 ^ rk[1]};
77 831124 : uint32_t x2{r2 ^ rk[2]};
78 831124 : uint32_t x3{r3 ^ rk[3]};
79 831124 : soft_aes::RoundKeyless(x0, x1, x2, x3, x0, x1, x2, x3);
80 831124 : x0 ^= rk[4];
81 831124 : x1 ^= rk[5];
82 831124 : x2 ^= rk[6];
83 831124 : x3 ^= rk[7];
84 831124 : soft_aes::RoundKeyless(x0, x1, x2, x3, x0, x1, x2, x3);
85 831124 : x0 ^= rk[8];
86 831124 : x1 ^= rk[9];
87 831124 : x2 ^= rk[10];
88 831124 : x3 ^= rk[11];
89 831124 : soft_aes::RoundKeyless(x0, x1, x2, x3, x0, x1, x2, x3);
90 831124 : x0 ^= rk[12];
91 831124 : x1 ^= rk[13];
92 831124 : x2 ^= rk[14];
93 831124 : x3 ^= rk[15];
94 831124 : soft_aes::RoundKeyless(x0, x1, x2, x3, x0, x1, x2, x3);
95 831124 : l0 ^= x0;
96 831124 : l1 ^= x1;
97 831124 : l2 ^= x2;
98 831124 : l3 ^= x3;
99 831124 : }
100 : } // anonymous namespace
101 :
102 : namespace soft_shavite {
103 : /*
104 : * This function assumes that "msg" is aligned for 32-bit access.
105 : */
106 29683 : void Compress(sph_shavite_big_context *sc, const void *msg)
107 : {
108 29683 : sph_u32 p0, p1, p2, p3, p4, p5, p6, p7;
109 29683 : sph_u32 p8, p9, pA, pB, pC, pD, pE, pF;
110 29683 : alignas(16) sph_u32 rk[448];
111 29683 : size_t u;
112 29683 : int r, s;
113 :
114 : #if SPH_LITTLE_ENDIAN
115 : memcpy(rk, msg, 128);
116 : #else
117 267147 : for (u = 0; u < 32; u += 4) {
118 237464 : rk[u + 0] = sph_dec32le_aligned(
119 237464 : (const unsigned char *)msg + (u << 2) + 0);
120 237464 : rk[u + 1] = sph_dec32le_aligned(
121 237464 : (const unsigned char *)msg + (u << 2) + 4);
122 237464 : rk[u + 2] = sph_dec32le_aligned(
123 237464 : (const unsigned char *)msg + (u << 2) + 8);
124 237464 : rk[u + 3] = sph_dec32le_aligned(
125 237464 : (const unsigned char *)msg + (u << 2) + 12);
126 237464 : }
127 : #endif
128 29683 : u = 32;
129 207781 : for (;;) {
130 1038905 : for (s = 0; s < 4; s ++) {
131 831124 : sph_u32 x0, x1, x2, x3;
132 :
133 831124 : x0 = rk[u - 31];
134 831124 : x1 = rk[u - 30];
135 831124 : x2 = rk[u - 29];
136 831124 : x3 = rk[u - 32];
137 831124 : AES_ROUND_NOKEY(x0, x1, x2, x3);
138 831124 : rk[u + 0] = x0 ^ rk[u - 4];
139 831124 : rk[u + 1] = x1 ^ rk[u - 3];
140 831124 : rk[u + 2] = x2 ^ rk[u - 2];
141 831124 : rk[u + 3] = x3 ^ rk[u - 1];
142 831124 : if (u == 32) {
143 29683 : rk[ 32] ^= sc->count0;
144 29683 : rk[ 33] ^= sc->count1;
145 29683 : rk[ 34] ^= sc->count2;
146 29683 : rk[ 35] ^= SPH_T32(~sc->count3);
147 831124 : } else if (u == 440) {
148 29683 : rk[440] ^= sc->count1;
149 29683 : rk[441] ^= sc->count0;
150 29683 : rk[442] ^= sc->count3;
151 29683 : rk[443] ^= SPH_T32(~sc->count2);
152 29683 : }
153 831124 : u += 4;
154 :
155 831124 : x0 = rk[u - 31];
156 831124 : x1 = rk[u - 30];
157 831124 : x2 = rk[u - 29];
158 831124 : x3 = rk[u - 32];
159 831124 : AES_ROUND_NOKEY(x0, x1, x2, x3);
160 831124 : rk[u + 0] = x0 ^ rk[u - 4];
161 831124 : rk[u + 1] = x1 ^ rk[u - 3];
162 831124 : rk[u + 2] = x2 ^ rk[u - 2];
163 831124 : rk[u + 3] = x3 ^ rk[u - 1];
164 831124 : if (u == 164) {
165 29683 : rk[164] ^= sc->count3;
166 29683 : rk[165] ^= sc->count2;
167 29683 : rk[166] ^= sc->count1;
168 29683 : rk[167] ^= SPH_T32(~sc->count0);
169 831124 : } else if (u == 316) {
170 29683 : rk[316] ^= sc->count2;
171 29683 : rk[317] ^= sc->count3;
172 29683 : rk[318] ^= sc->count0;
173 29683 : rk[319] ^= SPH_T32(~sc->count1);
174 29683 : }
175 831124 : u += 4;
176 831124 : }
177 207781 : if (u == 448)
178 29683 : break;
179 1602882 : for (s = 0; s < 8; s ++) {
180 1424784 : rk[u + 0] = rk[u - 32] ^ rk[u - 7];
181 1424784 : rk[u + 1] = rk[u - 31] ^ rk[u - 6];
182 1424784 : rk[u + 2] = rk[u - 30] ^ rk[u - 5];
183 1424784 : rk[u + 3] = rk[u - 29] ^ rk[u - 4];
184 1424784 : u += 4;
185 1424784 : }
186 : }
187 :
188 29683 : p0 = sc->h[0x0];
189 29683 : p1 = sc->h[0x1];
190 29683 : p2 = sc->h[0x2];
191 29683 : p3 = sc->h[0x3];
192 29683 : p4 = sc->h[0x4];
193 29683 : p5 = sc->h[0x5];
194 29683 : p6 = sc->h[0x6];
195 29683 : p7 = sc->h[0x7];
196 29683 : p8 = sc->h[0x8];
197 29683 : p9 = sc->h[0x9];
198 29683 : pA = sc->h[0xA];
199 29683 : pB = sc->h[0xB];
200 29683 : pC = sc->h[0xC];
201 29683 : pD = sc->h[0xD];
202 29683 : pE = sc->h[0xE];
203 29683 : pF = sc->h[0xF];
204 29683 : u = 0;
205 445245 : for (r = 0; r < 14; r ++) {
206 : #define C512_ELT(l0, l1, l2, l3, r0, r1, r2, r3) do { \
207 : CompressElement(l0, l1, l2, l3, r0, r1, r2, r3, &rk[u]); \
208 : u += 16; \
209 : } while (0)
210 :
211 : #define WROT(a, b, c, d) do { \
212 : sph_u32 t = d; \
213 : d = c; \
214 : c = b; \
215 : b = a; \
216 : a = t; \
217 : } while (0)
218 :
219 415562 : C512_ELT(p0, p1, p2, p3, p4, p5, p6, p7);
220 415562 : C512_ELT(p8, p9, pA, pB, pC, pD, pE, pF);
221 :
222 415562 : WROT(p0, p4, p8, pC);
223 415562 : WROT(p1, p5, p9, pD);
224 415562 : WROT(p2, p6, pA, pE);
225 415562 : WROT(p3, p7, pB, pF);
226 :
227 : #undef C512_ELT
228 : #undef WROT
229 415562 : }
230 29683 : sc->h[0x0] ^= p0;
231 29683 : sc->h[0x1] ^= p1;
232 29683 : sc->h[0x2] ^= p2;
233 29683 : sc->h[0x3] ^= p3;
234 29683 : sc->h[0x4] ^= p4;
235 29683 : sc->h[0x5] ^= p5;
236 29683 : sc->h[0x6] ^= p6;
237 29683 : sc->h[0x7] ^= p7;
238 29683 : sc->h[0x8] ^= p8;
239 29683 : sc->h[0x9] ^= p9;
240 29683 : sc->h[0xA] ^= pA;
241 29683 : sc->h[0xB] ^= pB;
242 29683 : sc->h[0xC] ^= pC;
243 29683 : sc->h[0xD] ^= pD;
244 29683 : sc->h[0xE] ^= pE;
245 29683 : sc->h[0xF] ^= pF;
246 29683 : }
247 : } // namespace shavite_soft
248 : } // namespace sapphire
249 :
250 : sapphire::dispatch::ShaviteCompressFn shavite_c512 = sapphire::soft_shavite::Compress;
251 :
252 : static void
253 12479446 : shavite_big_init(sph_shavite_big_context *sc, const sph_u32 *iv)
254 : {
255 12479446 : memcpy(sc->h, iv, sizeof sc->h);
256 12479446 : sc->ptr = 0;
257 12479446 : sc->count0 = 0;
258 12479446 : sc->count1 = 0;
259 12479446 : sc->count2 = 0;
260 12479446 : sc->count3 = 0;
261 12479446 : }
262 :
263 : static void
264 6239715 : shavite_big_core(sph_shavite_big_context *sc, const void *data, size_t len)
265 : {
266 6239715 : unsigned char *buf;
267 6239715 : size_t ptr;
268 :
269 6239715 : buf = sc->buf;
270 6239715 : ptr = sc->ptr;
271 12479476 : while (len > 0) {
272 6239763 : size_t clen;
273 :
274 6239763 : clen = (sizeof sc->buf) - ptr;
275 6239763 : if (clen > len)
276 6239708 : clen = len;
277 6239763 : memcpy(buf + ptr, data, clen);
278 6239763 : data = (const unsigned char *)data + clen;
279 6239763 : ptr += clen;
280 6239763 : len -= clen;
281 6239763 : if (ptr == sizeof sc->buf) {
282 0 : if ((sc->count0 = SPH_T32(sc->count0 + 1024)) == 0) {
283 0 : sc->count1 = SPH_T32(sc->count1 + 1);
284 0 : if (sc->count1 == 0) {
285 0 : sc->count2 = SPH_T32(sc->count2 + 1);
286 0 : if (sc->count2 == 0) {
287 0 : sc->count3 = SPH_T32(
288 : sc->count3 + 1);
289 0 : }
290 0 : }
291 0 : }
292 0 : shavite_c512(sc, buf);
293 0 : ptr = 0;
294 0 : }
295 6239761 : }
296 6239713 : sc->ptr = ptr;
297 6239713 : }
298 :
299 : static void
300 6239678 : shavite_big_close(sph_shavite_big_context *sc,
301 : unsigned ub, unsigned n, void *dst, size_t out_size_w32)
302 : {
303 6239678 : unsigned char *buf;
304 6239678 : size_t ptr, u;
305 6239678 : unsigned z;
306 6239678 : sph_u32 count0, count1, count2, count3;
307 :
308 6239678 : buf = sc->buf;
309 6239678 : ptr = sc->ptr;
310 6239678 : count0 = (sc->count0 += (ptr << 3) + n);
311 6239678 : count1 = sc->count1;
312 6239678 : count2 = sc->count2;
313 6239678 : count3 = sc->count3;
314 6239678 : z = 0x80 >> n;
315 6239678 : z = ((ub & -z) | z) & 0xFF;
316 6239678 : if (ptr == 0 && n == 0) {
317 0 : buf[0] = 0x80;
318 0 : memset(buf + 1, 0, 109);
319 0 : sc->count0 = sc->count1 = sc->count2 = sc->count3 = 0;
320 6239678 : } else if (ptr < 110) {
321 6239678 : buf[ptr ++] = z;
322 6239678 : memset(buf + ptr, 0, 110 - ptr);
323 6239678 : } else {
324 0 : buf[ptr ++] = z;
325 0 : memset(buf + ptr, 0, 128 - ptr);
326 0 : shavite_c512(sc, buf);
327 0 : memset(buf, 0, 110);
328 0 : sc->count0 = sc->count1 = sc->count2 = sc->count3 = 0;
329 : }
330 6239678 : sph_enc32le(buf + 110, count0);
331 6239678 : sph_enc32le(buf + 114, count1);
332 6239678 : sph_enc32le(buf + 118, count2);
333 6239678 : sph_enc32le(buf + 122, count3);
334 6239678 : buf[126] = out_size_w32 << 5;
335 6239678 : buf[127] = out_size_w32 >> 3;
336 6239678 : shavite_c512(sc, buf);
337 106075803 : for (u = 0; u < out_size_w32; u ++)
338 99836125 : sph_enc32le((unsigned char *)dst + (u << 2), sc->h[u]);
339 6239678 : }
340 :
341 : /* see sph_shavite.h */
342 : void
343 6239820 : sph_shavite512_init(sph_shavite512_context *cc)
344 : {
345 6239820 : shavite_big_init(cc, IV512);
346 6239820 : }
347 :
348 : /* see sph_shavite.h */
349 : void
350 6239821 : sph_shavite512(sph_shavite512_context *cc, const void *data, size_t len)
351 : {
352 6239821 : shavite_big_core(cc, data, len);
353 6239821 : }
354 :
355 : /* see sph_shavite.h */
356 : void
357 6239629 : sph_shavite512_close(sph_shavite512_context *cc, void *dst)
358 : {
359 6239629 : shavite_big_close(cc, 0, 0, dst, 16);
360 6239629 : shavite_big_init(cc, IV512);
361 6239629 : }
362 :
363 : /* see sph_shavite.h */
364 : void
365 0 : sph_shavite512_addbits_and_close(sph_shavite512_context *cc, unsigned ub, unsigned n, void *dst)
366 : {
367 0 : shavite_big_close(cc, ub, n, dst, 16);
368 0 : shavite_big_init(cc, IV512);
369 0 : }
|
