Prototype implementation of IKE key exchange via NTRU encryption
[strongswan.git] / src / libstrongswan / plugins / ntru / ntru_crypto / ntru_crypto_sha1.c
1 /******************************************************************************
2 * NTRU Cryptography Reference Source Code
3 * Copyright (c) 2009-2013, by Security Innovation, Inc. All rights reserved.
4 *
5 * ntru_crypto_ntru_crypto_sha1.c is a component of ntru-crypto.
6 *
7 * Copyright (C) 2009-2013 Security Innovation
8 *
9 * This program is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU General Public License
11 * as published by the Free Software Foundation; either version 2
12 * of the License, or (at your option) any later version.
13 *
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
18 *
19 * You should have received a copy of the GNU General Public License
20 * along with this program; if not, write to the Free Software
21 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
22 *
23 *****************************************************************************/
24
25 /******************************************************************************
26 *
27 * File: ntru_crypto_sha1.c
28 *
29 * Contents: Routines implementing the SHA-1 hash calculation.
30 *
31 *****************************************************************************/
32
33
34 #include <stdlib.h>
35 #include <string.h>
36 #include "ntru_crypto_sha1.h"
37 #include "ntru_crypto_msbyte_uint32.h"
38
39
40 /* chaining state elements */
41
42 #define H0 state[0]
43 #define H1 state[1]
44 #define H2 state[2]
45 #define H3 state[3]
46 #define H4 state[4]
47
48
49 /* standard SHA-1 initialization values */
50
51 #define H0_INIT 0x67452301UL
52 #define H1_INIT 0xefcdab89UL
53 #define H2_INIT 0x98badcfeUL
54 #define H3_INIT 0x10325476UL
55 #define H4_INIT 0xc3d2e1f0UL
56
57
58 /* sha1_blk()
59 *
60 * This routine updates the current hash output (chaining state)
61 * by performing SHA-1 on a 512-bit block of data represented as sixteen
62 * 32-bit words.
63 */
64
65 #define K00_19 0x5a827999UL
66 #define K20_39 0x6ed9eba1UL
67 #define K40_59 0x8f1bbcdcUL
68 #define K60_79 0xca62c1d6UL
69
70 #define RL(a, n) ( ((a) << (n)) | ((a) >> (32 - (n))) )
71
72
73 static void
74 sha1_blk(
75 uint32_t const *data, // in - ptr to 16 32-bit word input block
76 uint32_t *state) // in/out - ptr to 5 32-bit word chaining state
77 {
78 uint32_t A, B, C, D, E;
79 uint32_t w[16];
80
81 /* init A - E */
82
83 A = H0; B = H1; C = H2; D = H3; E = H4;
84
85 /* rounds 0 - 15 */
86
87 E += RL(A, 5) + K00_19 + (B & (C ^ D) ^ D) + data[ 0]; B = RL(B, 30);
88 D += RL(E, 5) + K00_19 + (A & (B ^ C) ^ C) + data[ 1]; A = RL(A, 30);
89 C += RL(D, 5) + K00_19 + (E & (A ^ B) ^ B) + data[ 2]; E = RL(E, 30);
90 B += RL(C, 5) + K00_19 + (D & (E ^ A) ^ A) + data[ 3]; D = RL(D, 30);
91 A += RL(B, 5) + K00_19 + (C & (D ^ E) ^ E) + data[ 4]; C = RL(C, 30);
92 E += RL(A, 5) + K00_19 + (B & (C ^ D) ^ D) + data[ 5]; B = RL(B, 30);
93 D += RL(E, 5) + K00_19 + (A & (B ^ C) ^ C) + data[ 6]; A = RL(A, 30);
94 C += RL(D, 5) + K00_19 + (E & (A ^ B) ^ B) + data[ 7]; E = RL(E, 30);
95 B += RL(C, 5) + K00_19 + (D & (E ^ A) ^ A) + data[ 8]; D = RL(D, 30);
96 A += RL(B, 5) + K00_19 + (C & (D ^ E) ^ E) + data[ 9]; C = RL(C, 30);
97 E += RL(A, 5) + K00_19 + (B & (C ^ D) ^ D) + data[10]; B = RL(B, 30);
98 D += RL(E, 5) + K00_19 + (A & (B ^ C) ^ C) + data[11]; A = RL(A, 30);
99 C += RL(D, 5) + K00_19 + (E & (A ^ B) ^ B) + data[12]; E = RL(E, 30);
100 B += RL(C, 5) + K00_19 + (D & (E ^ A) ^ A) + data[13]; D = RL(D, 30);
101 A += RL(B, 5) + K00_19 + (C & (D ^ E) ^ E) + data[14]; C = RL(C, 30);
102 E += RL(A, 5) + K00_19 + (B & (C ^ D) ^ D) + data[15]; B = RL(B, 30);
103
104 /* rounds 16 - 19 */
105
106 w[ 0] = data[ 0] ^ data[ 2] ^ data[ 8] ^ data[13]; w[ 0] = RL(w[0], 1);
107 D += RL(E, 5) + K00_19 + (A & (B ^ C) ^ C) + w[ 0]; A = RL(A, 30);
108 w[ 1] = data[ 1] ^ data[ 3] ^ data[ 9] ^ data[14]; w[ 1] = RL(w[1], 1);
109 C += RL(D, 5) + K00_19 + (E & (A ^ B) ^ B) + w[ 1]; E = RL(E, 30);
110 w[ 2] = data[ 2] ^ data[ 4] ^ data[10] ^ data[15]; w[ 2] = RL(w[ 2], 1);
111 B += RL(C, 5) + K00_19 + (D & (E ^ A) ^ A) + w[ 2]; D = RL(D, 30);
112 w[ 3] = data[ 3] ^ data[ 5] ^ data[11] ^ w[ 0]; w[ 3] = RL(w[ 3], 1);
113 A += RL(B, 5) + K00_19 + (C & (D ^ E) ^ E) + w[ 3]; C = RL(C, 30);
114
115 /* rounds 20 - 39 */
116
117 w[ 4] = data[ 4] ^ data[ 6] ^ data[12] ^ w[ 1]; w[ 4] = RL(w[ 4], 1);
118 E += RL(A, 5) + K20_39 + (B ^ C ^ D) + w[ 4]; B = RL(B, 30);
119 w[ 5] = data[ 5] ^ data[ 7] ^ data[13] ^ w[ 2]; w[ 5] = RL(w[ 5], 1);
120 D += RL(E, 5) + K20_39 + (A ^ B ^ C) + w[ 5]; A = RL(A, 30);
121 w[ 6] = data[ 6] ^ data[ 8] ^ data[14] ^ w[ 3]; w[ 6] = RL(w[ 6], 1);
122 C += RL(D, 5) + K20_39 + (E ^ A ^ B) + w[ 6]; E = RL(E, 30);
123 w[ 7] = data[ 7] ^ data[ 9] ^ data[15] ^ w[ 4]; w[ 7] = RL(w[ 7], 1);
124 B += RL(C, 5) + K20_39 + (D ^ E ^ A) + w[ 7]; D = RL(D, 30);
125 w[ 8] = data[ 8] ^ data[10] ^ w[ 0] ^ w[ 5]; w[ 8] = RL(w[ 8], 1);
126 A += RL(B, 5) + K20_39 + (C ^ D ^ E) + w[ 8]; C = RL(C, 30);
127 w[ 9] = data[ 9] ^ data[11] ^ w[ 1] ^ w[ 6]; w[ 9] = RL(w[ 9], 1);
128 E += RL(A, 5) + K20_39 + (B ^ C ^ D) + w[ 9]; B = RL(B, 30);
129 w[10] = data[10] ^ data[12] ^ w[ 2] ^ w[ 7]; w[10] = RL(w[10], 1);
130 D += RL(E, 5) + K20_39 + (A ^ B ^ C) + w[10]; A = RL(A, 30);
131 w[11] = data[11] ^ data[13] ^ w[ 3] ^ w[ 8]; w[11] = RL(w[11], 1);
132 C += RL(D, 5) + K20_39 + (E ^ A ^ B) + w[11]; E = RL(E, 30);
133 w[12] = data[12] ^ data[14] ^ w[ 4] ^ w[ 9]; w[12] = RL(w[12], 1);
134 B += RL(C, 5) + K20_39 + (D ^ E ^ A) + w[12]; D = RL(D, 30);
135 w[13] = data[13] ^ data[15] ^ w[ 5] ^ w[10]; w[13] = RL(w[13], 1);
136 A += RL(B, 5) + K20_39 + (C ^ D ^ E) + w[13]; C = RL(C, 30);
137 w[14] = data[14] ^ w[ 0] ^ w[ 6] ^ w[11]; w[14] = RL(w[14], 1);
138 E += RL(A, 5) + K20_39 + (B ^ C ^ D) + w[14]; B = RL(B, 30);
139 w[15] = data[15] ^ w[ 1] ^ w[ 7] ^ w[12]; w[15] = RL(w[15], 1);
140 D += RL(E, 5) + K20_39 + (A ^ B ^ C) + w[15]; A = RL(A, 30);
141 w[ 0] = w[ 0] ^ w[ 2] ^ w[ 8] ^ w[13]; w[ 0] = RL(w[ 0], 1);
142 C += RL(D, 5) + K20_39 + (E ^ A ^ B) + w[ 0]; E = RL(E, 30);
143 w[ 1] = w[ 1] ^ w[ 3] ^ w[ 9] ^ w[14]; w[ 1] = RL(w[ 1], 1);
144 B += RL(C, 5) + K20_39 + (D ^ E ^ A) + w[ 1]; D = RL(D, 30);
145 w[ 2] = w[ 2] ^ w[ 4] ^ w[10] ^ w[15]; w[ 2] = RL(w[ 2], 1);
146 A += RL(B, 5) + K20_39 + (C ^ D ^ E) + w[ 2]; C = RL(C, 30);
147 w[ 3] = w[ 3] ^ w[ 5] ^ w[11] ^ w[ 0]; w[ 3] = RL(w[ 3], 1);
148 E += RL(A, 5) + K20_39 + (B ^ C ^ D) + w[ 3]; B = RL(B, 30);
149 w[ 4] = w[ 4] ^ w[ 6] ^ w[12] ^ w[ 1]; w[ 4] = RL(w[ 4], 1);
150 D += RL(E, 5) + K20_39 + (A ^ B ^ C) + w[ 4]; A = RL(A, 30);
151 w[ 5] = w[ 5] ^ w[ 7] ^ w[13] ^ w[ 2]; w[ 5] = RL(w[ 5], 1);
152 C += RL(D, 5) + K20_39 + (E ^ A ^ B) + w[ 5]; E = RL(E, 30);
153 w[ 6] = w[ 6] ^ w[ 8] ^ w[14] ^ w[ 3]; w[ 6] = RL(w[ 6], 1);
154 B += RL(C, 5) + K20_39 + (D ^ E ^ A) + w[ 6]; D = RL(D, 30);
155 w[ 7] = w[ 7] ^ w[ 9] ^ w[15] ^ w[ 4]; w[ 7] = RL(w[ 7], 1);
156 A += RL(B, 5) + K20_39 + (C ^ D ^ E) + w[ 7]; C = RL(C, 30);
157
158 /* rounds 40 - 59 */
159
160 w[ 8] = w[ 8] ^ w[10] ^ w[ 0] ^ w[ 5]; w[ 8] = RL(w[ 8], 1);
161 E += RL(A, 5) + K40_59 + ((B & C) | (D & (B | C))) + w[ 8]; B = RL(B, 30);
162 w[ 9] = w[ 9] ^ w[11] ^ w[ 1] ^ w[ 6]; w[ 9] = RL(w[ 9], 1);
163 D += RL(E, 5) + K40_59 + ((A & B) | (C & (A | B))) + w[ 9]; A = RL(A, 30);
164 w[10] = w[10] ^ w[12] ^ w[ 2] ^ w[ 7]; w[10] = RL(w[10], 1);
165 C += RL(D, 5) + K40_59 + ((E & A) | (B & (E | A))) + w[10]; E = RL(E, 30);
166 w[11] = w[11] ^ w[13] ^ w[ 3] ^ w[ 8]; w[11] = RL(w[11], 1);
167 B += RL(C, 5) + K40_59 + ((D & E) | (A & (D | E))) + w[11]; D = RL(D, 30);
168 w[12] = w[12] ^ w[14] ^ w[ 4] ^ w[ 9]; w[12] = RL(w[12], 1);
169 A += RL(B, 5) + K40_59 + ((C & D) | (E & (C | D))) + w[12]; C = RL(C, 30);
170 w[13] = w[13] ^ w[15] ^ w[ 5] ^ w[10]; w[13] = RL(w[13], 1);
171 E += RL(A, 5) + K40_59 + ((B & C) | (D & (B | C))) + w[13]; B = RL(B, 30);
172 w[14] = w[14] ^ w[ 0] ^ w[ 6] ^ w[11]; w[14] = RL(w[14], 1);
173 D += RL(E, 5) + K40_59 + ((A & B) | (C & (A | B))) + w[14]; A = RL(A, 30);
174 w[15] = w[15] ^ w[ 1] ^ w[ 7] ^ w[12]; w[15] = RL(w[15], 1);
175 C += RL(D, 5) + K40_59 + ((E & A) | (B & (E | A))) + w[15]; E = RL(E, 30);
176 w[ 0] = w[ 0] ^ w[ 2] ^ w[ 8] ^ w[13]; w[ 0] = RL(w[ 0], 1);
177 B += RL(C, 5) + K40_59 + ((D & E) | (A & (D | E))) + w[ 0]; D = RL(D, 30);
178 w[ 1] = w[ 1] ^ w[ 3] ^ w[ 9] ^ w[14]; w[ 1] = RL(w[ 1], 1);
179 A += RL(B, 5) + K40_59 + ((C & D) | (E & (C | D))) + w[ 1]; C = RL(C, 30);
180 w[ 2] = w[ 2] ^ w[ 4] ^ w[10] ^ w[15]; w[ 2] = RL(w[ 2], 1);
181 E += RL(A, 5) + K40_59 + ((B & C) | (D & (B | C))) + w[ 2]; B = RL(B, 30);
182 w[ 3] = w[ 3] ^ w[ 5] ^ w[11] ^ w[ 0]; w[ 3] = RL(w[ 3], 1);
183 D += RL(E, 5) + K40_59 + ((A & B) | (C & (A | B))) + w[ 3]; A = RL(A, 30);
184 w[ 4] = w[ 4] ^ w[ 6] ^ w[12] ^ w[ 1]; w[ 4] = RL(w[ 4], 1);
185 C += RL(D, 5) + K40_59 + ((E & A) | (B & (E | A))) + w[ 4]; E = RL(E, 30);
186 w[ 5] = w[ 5] ^ w[ 7] ^ w[13] ^ w[ 2]; w[ 5] = RL(w[ 5], 1);
187 B += RL(C, 5) + K40_59 + ((D & E) | (A & (D | E))) + w[ 5]; D = RL(D, 30);
188 w[ 6] = w[ 6] ^ w[ 8] ^ w[14] ^ w[ 3]; w[ 6] = RL(w[ 6], 1);
189 A += RL(B, 5) + K40_59 + ((C & D) | (E & (C | D))) + w[ 6]; C = RL(C, 30);
190 w[ 7] = w[ 7] ^ w[ 9] ^ w[15] ^ w[ 4]; w[ 7] = RL(w[ 7], 1);
191 E += RL(A, 5) + K40_59 + ((B & C) | (D & (B | C))) + w[ 7]; B = RL(B, 30);
192 w[ 8] = w[ 8] ^ w[10] ^ w[ 0] ^ w[ 5]; w[ 8] = RL(w[ 8], 1);
193 D += RL(E, 5) + K40_59 + ((A & B) | (C & (A | B))) + w[ 8]; A = RL(A, 30);
194 w[ 9] = w[ 9] ^ w[11] ^ w[ 1] ^ w[ 6]; w[ 9] = RL(w[ 9], 1);
195 C += RL(D, 5) + K40_59 + ((E & A) | (B & (E | A))) + w[ 9]; E = RL(E, 30);
196 w[10] = w[10] ^ w[12] ^ w[ 2] ^ w[ 7]; w[10] = RL(w[10], 1);
197 B += RL(C, 5) + K40_59 + ((D & E) | (A & (D | E))) + w[10]; D = RL(D, 30);
198 w[11] = w[11] ^ w[13] ^ w[ 3] ^ w[ 8]; w[11] = RL(w[11], 1);
199 A += RL(B, 5) + K40_59 + ((C & D) | (E & (C | D))) + w[11]; C = RL(C, 30);
200
201 /* rounds 60 - 79 */
202
203 w[12] = w[12] ^ w[14] ^ w[ 4] ^ w[ 9]; w[12] = RL(w[12], 1);
204 E += RL(A, 5) + K60_79 + (B ^ C ^ D) + w[12]; B = RL(B, 30);
205 w[13] = w[13] ^ w[15] ^ w[ 5] ^ w[10]; w[13] = RL(w[13], 1);
206 D += RL(E, 5) + K60_79 + (A ^ B ^ C) + w[13]; A = RL(A, 30);
207 w[14] = w[14] ^ w[ 0] ^ w[ 6] ^ w[11]; w[14] = RL(w[14], 1);
208 C += RL(D, 5) + K60_79 + (E ^ A ^ B) + w[14]; E = RL(E, 30);
209 w[15] = w[15] ^ w[ 1] ^ w[ 7] ^ w[12]; w[15] = RL(w[15], 1);
210 B += RL(C, 5) + K60_79 + (D ^ E ^ A) + w[15]; D = RL(D, 30);
211 w[ 0] = w[ 0] ^ w[ 2] ^ w[ 8] ^ w[13]; w[ 0] = RL(w[ 0], 1);
212 A += RL(B, 5) + K60_79 + (C ^ D ^ E) + w[ 0]; C = RL(C, 30);
213 w[ 1] = w[ 1] ^ w[ 3] ^ w[ 9] ^ w[14]; w[ 1] = RL(w[ 1], 1);
214 E += RL(A, 5) + K60_79 + (B ^ C ^ D) + w[ 1]; B = RL(B, 30);
215 w[ 2] = w[ 2] ^ w[ 4] ^ w[10] ^ w[15]; w[ 2] = RL(w[ 2], 1);
216 D += RL(E, 5) + K60_79 + (A ^ B ^ C) + w[ 2]; A = RL(A, 30);
217 w[ 3] = w[ 3] ^ w[ 5] ^ w[11] ^ w[ 0]; w[ 3] = RL(w[ 3], 1);
218 C += RL(D, 5) + K60_79 + (E ^ A ^ B) + w[ 3]; E = RL(E, 30);
219 w[ 4] = w[ 4] ^ w[ 6] ^ w[12] ^ w[ 1]; w[ 4] = RL(w[ 4], 1);
220 B += RL(C, 5) + K60_79 + (D ^ E ^ A) + w[ 4]; D = RL(D, 30);
221 w[ 5] = w[ 5] ^ w[ 7] ^ w[13] ^ w[ 2]; w[ 5] = RL(w[ 5], 1);
222 A += RL(B, 5) + K60_79 + (C ^ D ^ E) + w[ 5]; C = RL(C, 30);
223 w[ 6] = w[ 6] ^ w[ 8] ^ w[14] ^ w[ 3]; w[ 6] = RL(w[ 6], 1);
224 E += RL(A, 5) + K60_79 + (B ^ C ^ D) + w[ 6]; B = RL(B, 30);
225 w[ 7] = w[ 7] ^ w[ 9] ^ w[15] ^ w[ 4]; w[ 7] = RL(w[ 7], 1);
226 D += RL(E, 5) + K60_79 + (A ^ B ^ C) + w[ 7]; A = RL(A, 30);
227 w[ 8] = w[ 8] ^ w[10] ^ w[ 0] ^ w[ 5]; w[ 8] = RL(w[ 8], 1);
228 C += RL(D, 5) + K60_79 + (E ^ A ^ B) + w[ 8]; E = RL(E, 30);
229 w[ 9] = w[ 9] ^ w[11] ^ w[ 1] ^ w[ 6]; w[ 9] = RL(w[ 9], 1);
230 B += RL(C, 5) + K60_79 + (D ^ E ^ A) + w[ 9]; D = RL(D, 30);
231 w[10] = w[10] ^ w[12] ^ w[ 2] ^ w[ 7]; w[10] = RL(w[10], 1);
232 A += RL(B, 5) + K60_79 + (C ^ D ^ E) + w[10]; C = RL(C, 30);
233 w[11] = w[11] ^ w[13] ^ w[ 3] ^ w[ 8]; w[11] = RL(w[11], 1);
234 E += RL(A, 5) + K60_79 + (B ^ C ^ D) + w[11]; B = RL(B, 30);
235 w[12] = w[12] ^ w[14] ^ w[ 4] ^ w[ 9]; w[12] = RL(w[12], 1);
236 D += RL(E, 5) + K60_79 + (A ^ B ^ C) + w[12]; A = RL(A, 30);
237 w[13] = w[13] ^ w[15] ^ w[ 5] ^ w[10];
238 C += RL(D, 5) + K60_79 + (E ^ A ^ B) + RL(w[13], 1); E = RL(E, 30);
239 w[14] = w[14] ^ w[ 0] ^ w[ 6] ^ w[11];
240 B += RL(C, 5) + K60_79 + (D ^ E ^ A) + RL(w[14], 1); D = RL(D, 30);
241
242 /* update H0 - H4 */
243
244 w[15] = w[15] ^ w[ 1] ^ w[ 7] ^ w[12];
245 H0 += A + RL(B, 5) + K60_79 + (C ^ D ^ E) + RL(w[15], 1);
246 H1 += B;
247 H2 += RL(C, 30);
248 H3 += D;
249 H4 += E;
250
251 /* clear temp variables */
252
253 A = B = C = D = E = 0;
254 memset(w, 0, sizeof(w));
255 }
256
257
258 /* ntru_crypto_sha1()
259 *
260 * This routine provides all operations for a SHA-1 hash, and the use
261 * of SHA-1 for DSA signing and key generation.
262 * It may be used to initialize, update, or complete a message digest,
263 * or any combination of those actions, as determined by the SHA_INIT flag,
264 * the in_len parameter, and the SHA_FINISH flag, respectively.
265 *
266 * When in_len == 0 (no data to hash), the parameter, in, may be NULL.
267 * When the SHA_FINISH flag is not set, the parameter, md, may be NULL.
268 *
269 * Initialization may be standard or use a specified initialization vector,
270 * and is indicated by setting the SHA_INIT flag.
271 * Setting init = NULL specifies standard initialization. Otherwise, init
272 * points to the array of five alternate initialization 32-bit words.
273 *
274 * The hash operation can be updated with any number of input bytes, including
275 * zero.
276 *
277 * The hash operation can be completed with normal padding or with zero
278 * padding as required for parts of DSA parameter generation, and is indicated
279 * by setting the SHA_FINISH flag. Using zero padding, indicated by setting
280 * the SHA_ZERO_PAD flag, never creates an extra input block because the
281 * bit count is not included in the hashed data.
282 *
283 * Returns SHA_OK on success.
284 * Returns SHA_FAIL with corrupted context.
285 * Returns SHA_BAD_PARAMETER if inappropriate NULL pointers are passed.
286 * Returns SHA_OVERFLOW if more than 2^64 - 1 bytes are hashed.
287 */
288
289 uint32_t
290 ntru_crypto_sha1(
291 NTRU_CRYPTO_SHA1_CTX *c, /* in/out - pointer to SHA-1 context */
292 uint32_t const *init, /* in - pointer to alternate */
293 /* initialization - may be NULL */
294 uint8_t const *in, /* in - pointer to input data -
295 may be NULL if in_len == 0 */
296 uint32_t in_len, /* in - number of input data bytes */
297 uint32_t flags, /* in - INIT, FINISH, zero-pad flags */
298 uint8_t *md) /* out - address for message digest -
299 may be NULL if not FINISH */
300 {
301 uint32_t in_blk[16]; /* input block */
302 uint32_t space;
303 uint8_t *d = NULL;
304
305 /* check error conditions */
306
307 if (!c || (in_len && !in) || ((flags & SHA_FINISH) && !md))
308 SHA_RET(SHA_BAD_PARAMETER)
309
310 /* initialize context if requested */
311
312 if (flags & SHA_INIT) {
313
314 /* init chaining state */
315
316 if (!init) {
317 c->state[0] = H0_INIT; // standard initialization
318 c->state[1] = H1_INIT;
319 c->state[2] = H2_INIT;
320 c->state[3] = H3_INIT;
321 c->state[4] = H4_INIT;
322 } else {
323 c->state[0] = init[0]; // alternate initialization
324 c->state[1] = init[1];
325 c->state[2] = init[2];
326 c->state[3] = init[3];
327 c->state[4] = init[4];
328 }
329
330 /* init bit count and number of unhashed data bytes */
331
332 c->num_bits_hashed[0] = 0;
333 c->num_bits_hashed[1] = 0;
334 c->unhashed_len = 0;
335 }
336
337 /* determine space left in unhashed data buffer */
338
339 if (c->unhashed_len > 63)
340 SHA_RET(SHA_FAIL)
341
342 space = 64 - c->unhashed_len;
343
344 /* process input if it exists */
345
346 if (in_len) {
347
348 /* update count of bits hashed */
349
350 {
351 uint32_t bits0, bits1;
352
353 bits0 = in_len << 3;
354 bits1 = in_len >> 29;
355 if ((c->num_bits_hashed[0] += bits0) < bits0)
356 bits1++;
357 if ((c->num_bits_hashed[1] += bits1) < bits1) {
358 memset((uint8_t *) c, 0, sizeof(NTRU_CRYPTO_SHA1_CTX));
359 space = 0;
360 memset((char *) in_blk, 0, sizeof(in_blk));
361 SHA_RET(SHA_OVERFLOW)
362 }
363 }
364
365 /* process input bytes */
366
367 if (in_len < space) {
368
369 /* input does not fill block buffer:
370 * add input to buffer
371 */
372
373 memcpy(c->unhashed + c->unhashed_len, in, in_len);
374 c->unhashed_len += in_len;
375
376 } else {
377 uint32_t blks;
378
379 /* input will fill block buffer:
380 * fill unhashed data buffer,
381 * convert to block buffer,
382 * and process block
383 */
384
385 in_len -= space;
386 for (d = c->unhashed + c->unhashed_len; space; space--)
387 *d++ = *in++;
388 ntru_crypto_msbyte_2_uint32(in_blk, (uint8_t const *) c->unhashed,
389 16);
390 sha1_blk((uint32_t const *) in_blk, c->state);
391
392 /* process any remaining full blocks */
393
394 for (blks = in_len >> 6; blks--; in += 64) {
395 ntru_crypto_msbyte_2_uint32(in_blk, in, 16);
396 sha1_blk((uint32_t const *) in_blk, c->state);
397 }
398
399 /* put any remaining input in the unhashed data buffer */
400
401 in_len &= 0x3f;
402 memcpy(c->unhashed, in, in_len);
403 c->unhashed_len = in_len;
404 }
405 }
406
407 /* complete message digest if requested */
408
409 if (flags & SHA_FINISH) {
410 space = 64 - c->unhashed_len;
411
412 /* check padding type */
413
414 if (!(flags & SHA_ZERO_PAD)) {
415
416 /* add 0x80 padding byte to the unhashed data buffer
417 * (there is always space since the buffer can't be full)
418 */
419
420 d = c->unhashed + c->unhashed_len;
421 *d++ = 0x80;
422 space--;
423
424 /* check for space for bit count */
425
426 if (space < 8) {
427
428 /* no space for count:
429 * fill remainder of unhashed data buffer with zeros,
430 * convert to input block,
431 * process block,
432 * fill all but 8 bytes of unhashed data buffer with zeros
433 */
434
435 memset(d, 0, space);
436 ntru_crypto_msbyte_2_uint32(in_blk,
437 (uint8_t const *) c->unhashed, 16);
438 sha1_blk((uint32_t const *) in_blk, c->state);
439 memset(c->unhashed, 0, 56);
440
441 } else {
442
443 /* fill unhashed data buffer with zeros,
444 * leaving space for bit count
445 */
446
447 for (space -= 8; space; space--)
448 *d++ = 0;
449 }
450
451 /* convert partially filled unhashed data buffer to input block and
452 * add bit count to input block
453 */
454
455 ntru_crypto_msbyte_2_uint32(in_blk, (uint8_t const *) c->unhashed,
456 14);
457 in_blk[14] = c->num_bits_hashed[1];
458 in_blk[15] = c->num_bits_hashed[0];
459
460 } else {
461
462 /* pad unhashed data buffer with zeros and no bit count and
463 * convert to input block
464 */
465
466 memset(c->unhashed + c->unhashed_len, 0, space);
467 ntru_crypto_msbyte_2_uint32(in_blk, (uint8_t const *) c->unhashed,
468 16);
469 }
470
471 /* process last block */
472
473 sha1_blk((uint32_t const *) in_blk, c->state);
474
475 /* copy result to message digest buffer */
476
477 ntru_crypto_uint32_2_msbyte(md, c->state, 5);
478
479 /* clear context and stack variables */
480
481 memset((uint8_t *) c, 0, sizeof(NTRU_CRYPTO_SHA1_CTX));
482 space = 0;
483 memset((char *) in_blk, 0, sizeof(in_blk));
484 }
485
486 SHA_RET(SHA_OK)
487 }
488
489
490 /* ntru_crypto_sha1_init
491 *
492 * This routine performs standard initialization of the SHA-1 state.
493 *
494 * Returns SHA_OK on success.
495 * Returns SHA_FAIL with corrupted context.
496 * Returns SHA_BAD_PARAMETER if inappropriate NULL pointers are passed.
497 */
498
499 uint32_t
500 ntru_crypto_sha1_init(
501 NTRU_CRYPTO_SHA1_CTX *c) /* in/out - pointer to SHA-1 context */
502 {
503 return ntru_crypto_sha1(c, NULL, NULL, 0, SHA_INIT, NULL);
504 }
505
506
507 /* ntru_crypto_sha1_update
508 *
509 * This routine processes input data and updates the SHA-1 hash calculation.
510 *
511 * Returns SHA_OK on success.
512 * Returns SHA_FAIL with corrupted context.
513 * Returns SHA_BAD_PARAMETER if inappropriate NULL pointers are passed.
514 * Returns SHA_OVERFLOW if more than 2^64 - 1 bytes are hashed.
515 */
516
517 uint32_t
518 ntru_crypto_sha1_update(
519 NTRU_CRYPTO_SHA1_CTX *c, /* in/out - pointer to SHA-1 context */
520 uint8_t const *data, /* in - pointer to input data */
521 uint32_t data_len) /* in - number of bytes of input data */
522 {
523 return ntru_crypto_sha1(c, NULL, data, data_len, SHA_DATA_ONLY, NULL);
524 }
525
526
527 /* ntru_crypto_sha1_final
528 *
529 * This routine completes the SHA-1 hash calculation and returns the
530 * message digest.
531 *
532 * Returns SHA_OK on success.
533 * Returns SHA_FAIL with corrupted context.
534 * Returns SHA_BAD_PARAMETER if inappropriate NULL pointers are passed.
535 * Returns SHA_OVERFLOW if more than 2^64 - 1 bytes are hashed.
536 */
537
538 uint32_t
539 ntru_crypto_sha1_final(
540 NTRU_CRYPTO_SHA1_CTX *c, /* in/out - pointer to SHA-1 context */
541 uint8_t *md) /* out - address for message digest */
542 {
543 return ntru_crypto_sha1(c, NULL, NULL, 0, SHA_FINISH, md);
544 }
545
546
547 /* ntru_crypto_sha1_final_zero_pad
548 *
549 * This routine completes the SHA-1 hash calculation using zero padding
550 * and returns the message digest.
551 *
552 * Returns SHA_OK on success.
553 * Returns SHA_FAIL with corrupted context.
554 * Returns SHA_BAD_PARAMETER if inappropriate NULL pointers are passed.
555 * Returns SHA_OVERFLOW if more than 2^64 - 1 bytes are hashed.
556 */
557
558 uint32_t
559 ntru_crypto_sha1_final_zero_pad(
560 NTRU_CRYPTO_SHA1_CTX *c, /* in/out - pointer to SHA-1 context */
561 uint8_t *md) /* out - address for message digest */
562 {
563 return ntru_crypto_sha1(c, NULL, NULL, 0, SHA_FINISH | SHA_ZERO_PAD, md);
564 }
565
566
567 /* ntru_crypto_sha1_digest
568 *
569 * This routine computes a SHA-1 message digest.
570 *
571 * Returns SHA_OK on success.
572 * Returns SHA_FAIL with corrupted context.
573 * Returns SHA_BAD_PARAMETER if inappropriate NULL pointers are passed.
574 * Returns SHA_OVERFLOW if more than 2^64 - 1 bytes are hashed.
575 */
576
577 uint32_t
578 ntru_crypto_sha1_digest(
579 uint8_t const *data, // in - pointer to input data
580 uint32_t data_len, // in - number of bytes of input data
581 uint8_t *md) // out - address for message digest
582 {
583 NTRU_CRYPTO_SHA1_CTX c;
584
585 return ntru_crypto_sha1(&c, NULL, data, data_len, SHA_INIT | SHA_FINISH,
586 md);
587 }
588