1 /******************************************************************************
2 * NTRU Cryptography Reference Source Code
3 * Copyright (c) 2009-2013, by Security Innovation, Inc. All rights reserved.
5 * ntru_crypto_sha2.c is a component of ntru-crypto.
7 * Copyright (C) 2009-2013 Security Innovation
9 * This program is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU General Public License
11 * as published by the Free Software Foundation; either version 2
12 * of the License, or (at your option) any later version.
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
19 * You should have received a copy of the GNU General Public License
20 * along with this program; if not, write to the Free Software
21 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
23 *****************************************************************************/
25 /******************************************************************************
27 * File: ntru_crypto_sha2.c
29 * Contents: Routines implementing the SHA-256 hash calculation.
31 *****************************************************************************/
36 #include "ntru_crypto_sha2.h"
37 #include "ntru_crypto_msbyte_uint32.h"
40 /* chaining state elements */
52 /* standard SHA-256 initialization values */
54 #define H0_SHA256_INIT 0x6a09e667UL
55 #define H1_SHA256_INIT 0xbb67ae85UL
56 #define H2_SHA256_INIT 0x3c6ef372UL
57 #define H3_SHA256_INIT 0xa54ff53aUL
58 #define H4_SHA256_INIT 0x510e527fUL
59 #define H5_SHA256_INIT 0x9b05688cUL
60 #define H6_SHA256_INIT 0x1f83d9abUL
61 #define H7_SHA256_INIT 0x5be0cd19UL
66 * This routine updates the current hash output (chaining state)
67 * by performing SHA-256 on a 512-bit block of data represented
68 * as sixteen 32-bit words.
71 #define RR(a, n) ( ((a) >> (n)) | ((a) << (32 - (n))) )
72 #define S0(a) ( RR((a), 2) ^ RR((a), 13) ^ RR((a), 22) )
73 #define S1(a) ( RR((a), 6) ^ RR((a), 11) ^ RR((a), 25) )
74 #define s0(a) ( RR((a), 7) ^ RR((a), 18) ^ ((a) >> 3) )
75 #define s1(a) ( RR((a), 17) ^ RR((a), 19) ^ ((a) >> 10) )
80 uint32_t const *data
, // in - ptr to 16 32-bit word input block
81 uint32_t *state
) // in/out - ptr to 8 32-bit word chaining state
83 uint32_t A
, B
, C
, D
, E
, F
, G
, H
;
88 A
= H0
; B
= H1
; C
= H2
; D
= H3
; E
= H4
; F
= H5
; G
= H6
; H
= H7
;
92 H
+= S1(E
) + (E
& (F
^ G
) ^ G
) + 0x428A2F98UL
+ data
[ 0]; D
+= H
;
93 H
+= S0(A
) + ((A
& B
) | (C
& (A
| B
)));
94 G
+= S1(D
) + (D
& (E
^ F
) ^ F
) + 0x71374491UL
+ data
[ 1]; C
+= G
;
95 G
+= S0(H
) + ((H
& A
) | (B
& (H
| A
)));
96 F
+= S1(C
) + (C
& (D
^ E
) ^ E
) + 0xB5C0FBCFUL
+ data
[ 2]; B
+= F
;
97 F
+= S0(G
) + ((G
& H
) | (A
& (G
| H
)));
98 E
+= S1(B
) + (B
& (C
^ D
) ^ D
) + 0xE9B5DBA5UL
+ data
[ 3]; A
+= E
;
99 E
+= S0(F
) + ((F
& G
) | (H
& (F
| G
)));
100 D
+= S1(A
) + (A
& (B
^ C
) ^ C
) + 0x3956C25BUL
+ data
[ 4]; H
+= D
;
101 D
+= S0(E
) + ((E
& F
) | (G
& (E
| F
)));
102 C
+= S1(H
) + (H
& (A
^ B
) ^ B
) + 0x59F111F1UL
+ data
[ 5]; G
+= C
;
103 C
+= S0(D
) + ((D
& E
) | (F
& (D
| E
)));
104 B
+= S1(G
) + (G
& (H
^ A
) ^ A
) + 0x923F82A4UL
+ data
[ 6]; F
+= B
;
105 B
+= S0(C
) + ((C
& D
) | (E
& (C
| D
)));
106 A
+= S1(F
) + (F
& (G
^ H
) ^ H
) + 0xAB1C5ED5UL
+ data
[ 7]; E
+= A
;
107 A
+= S0(B
) + ((B
& C
) | (D
& (B
| C
)));
108 H
+= S1(E
) + (E
& (F
^ G
) ^ G
) + 0xD807AA98UL
+ data
[ 8]; D
+= H
;
109 H
+= S0(A
) + ((A
& B
) | (C
& (A
| B
)));
110 G
+= S1(D
) + (D
& (E
^ F
) ^ F
) + 0x12835B01UL
+ data
[ 9]; C
+= G
;
111 G
+= S0(H
) + ((H
& A
) | (B
& (H
| A
)));
112 F
+= S1(C
) + (C
& (D
^ E
) ^ E
) + 0x243185BEUL
+ data
[10]; B
+= F
;
113 F
+= S0(G
) + ((G
& H
) | (A
& (G
| H
)));
114 E
+= S1(B
) + (B
& (C
^ D
) ^ D
) + 0x550C7DC3UL
+ data
[11]; A
+= E
;
115 E
+= S0(F
) + ((F
& G
) | (H
& (F
| G
)));
116 D
+= S1(A
) + (A
& (B
^ C
) ^ C
) + 0x72BE5D74UL
+ data
[12]; H
+= D
;
117 D
+= S0(E
) + ((E
& F
) | (G
& (E
| F
)));
118 C
+= S1(H
) + (H
& (A
^ B
) ^ B
) + 0x80DEB1FEUL
+ data
[13]; G
+= C
;
119 C
+= S0(D
) + ((D
& E
) | (F
& (D
| E
)));
120 B
+= S1(G
) + (G
& (H
^ A
) ^ A
) + 0x9BDC06A7UL
+ data
[14]; F
+= B
;
121 B
+= S0(C
) + ((C
& D
) | (E
& (C
| D
)));
122 A
+= S1(F
) + (F
& (G
^ H
) ^ H
) + 0xC19BF174UL
+ data
[15]; E
+= A
;
123 A
+= S0(B
) + ((B
& C
) | (D
& (B
| C
)));
127 w
[ 0] = data
[ 0] + s0(data
[ 1]) + data
[ 9] + s1(data
[14]);
128 H
+= S1(E
) + (E
& (F
^ G
) ^ G
) + 0xE49B69C1UL
+ w
[ 0]; D
+= H
;
129 H
+= S0(A
) + ((A
& B
) | (C
& (A
| B
)));
130 w
[ 1] = data
[ 1] + s0(data
[ 2]) + data
[10] + s1(data
[15]);
131 G
+= S1(D
) + (D
& (E
^ F
) ^ F
) + 0xEFBE4786UL
+ w
[ 1]; C
+= G
;
132 G
+= S0(H
) + ((H
& A
) | (B
& (H
| A
)));
133 w
[ 2] = data
[ 2] + s0(data
[ 3]) + data
[11] + s1(w
[ 0]);
134 F
+= S1(C
) + (C
& (D
^ E
) ^ E
) + 0x0FC19DC6UL
+ w
[ 2]; B
+= F
;
135 F
+= S0(G
) + ((G
& H
) | (A
& (G
| H
)));
136 w
[ 3] = data
[ 3] + s0(data
[ 4]) + data
[12] + s1(w
[ 1]);
137 E
+= S1(B
) + (B
& (C
^ D
) ^ D
) + 0x240CA1CCUL
+ w
[ 3]; A
+= E
;
138 E
+= S0(F
) + ((F
& G
) | (H
& (F
| G
)));
139 w
[ 4] = data
[ 4] + s0(data
[ 5]) + data
[13] + s1(w
[ 2]);
140 D
+= S1(A
) + (A
& (B
^ C
) ^ C
) + 0x2DE92C6FUL
+ w
[ 4]; H
+= D
;
141 D
+= S0(E
) + ((E
& F
) | (G
& (E
| F
)));
142 w
[ 5] = data
[ 5] + s0(data
[ 6]) + data
[14] + s1(w
[ 3]);
143 C
+= S1(H
) + (H
& (A
^ B
) ^ B
) + 0x4A7484AAUL
+ w
[ 5]; G
+= C
;
144 C
+= S0(D
) + ((D
& E
) | (F
& (D
| E
)));
145 w
[ 6] = data
[ 6] + s0(data
[ 7]) + data
[15] + s1(w
[ 4]);
146 B
+= S1(G
) + (G
& (H
^ A
) ^ A
) + 0x5CB0A9DCUL
+ w
[ 6]; F
+= B
;
147 B
+= S0(C
) + ((C
& D
) | (E
& (C
| D
)));
148 w
[ 7] = data
[ 7] + s0(data
[ 8]) + w
[ 0] + s1(w
[ 5]);
149 A
+= S1(F
) + (F
& (G
^ H
) ^ H
) + 0x76F988DAUL
+ w
[ 7]; E
+= A
;
150 A
+= S0(B
) + ((B
& C
) | (D
& (B
| C
)));
151 w
[ 8] = data
[ 8] + s0(data
[ 9]) + w
[ 1] + s1(w
[ 6]);
152 H
+= S1(E
) + (E
& (F
^ G
) ^ G
) + 0x983E5152UL
+ w
[ 8]; D
+= H
;
153 H
+= S0(A
) + ((A
& B
) | (C
& (A
| B
)));
154 w
[ 9] = data
[ 9] + s0(data
[10]) + w
[ 2] + s1(w
[ 7]);
155 G
+= S1(D
) + (D
& (E
^ F
) ^ F
) + 0xA831C66DUL
+ w
[ 9]; C
+= G
;
156 G
+= S0(H
) + ((H
& A
) | (B
& (H
| A
)));
157 w
[10] = data
[10] + s0(data
[11]) + w
[ 3] + s1(w
[ 8]);
158 F
+= S1(C
) + (C
& (D
^ E
) ^ E
) + 0xB00327C8UL
+ w
[10]; B
+= F
;
159 F
+= S0(G
) + ((G
& H
) | (A
& (G
| H
)));
160 w
[11] = data
[11] + s0(data
[12]) + w
[ 4] + s1(w
[ 9]);
161 E
+= S1(B
) + (B
& (C
^ D
) ^ D
) + 0xBF597FC7UL
+ w
[11]; A
+= E
;
162 E
+= S0(F
) + ((F
& G
) | (H
& (F
| G
)));
163 w
[12] = data
[12] + s0(data
[13]) + w
[ 5] + s1(w
[10]);
164 D
+= S1(A
) + (A
& (B
^ C
) ^ C
) + 0xC6E00BF3UL
+ w
[12]; H
+= D
;
165 D
+= S0(E
) + ((E
& F
) | (G
& (E
| F
)));
166 w
[13] = data
[13] + s0(data
[14]) + w
[ 6] + s1(w
[11]);
167 C
+= S1(H
) + (H
& (A
^ B
) ^ B
) + 0xD5A79147UL
+ w
[13]; G
+= C
;
168 C
+= S0(D
) + ((D
& E
) | (F
& (D
| E
)));
169 w
[14] = data
[14] + s0(data
[15]) + w
[ 7] + s1(w
[12]);
170 B
+= S1(G
) + (G
& (H
^ A
) ^ A
) + 0x06CA6351UL
+ w
[14]; F
+= B
;
171 B
+= S0(C
) + ((C
& D
) | (E
& (C
| D
)));
172 w
[15] = data
[15] + s0(w
[ 0]) + w
[ 8] + s1(w
[13]);
173 A
+= S1(F
) + (F
& (G
^ H
) ^ H
) + 0x14292967UL
+ w
[15]; E
+= A
;
174 A
+= S0(B
) + ((B
& C
) | (D
& (B
| C
)));
175 w
[ 0] = w
[ 0] + s0(w
[ 1]) + w
[ 9] + s1(w
[14]);
176 H
+= S1(E
) + (E
& (F
^ G
) ^ G
) + 0x27B70A85UL
+ w
[ 0]; D
+= H
;
177 H
+= S0(A
) + ((A
& B
) | (C
& (A
| B
)));
178 w
[ 1] = w
[ 1] + s0(w
[ 2]) + w
[10] + s1(w
[15]);
179 G
+= S1(D
) + (D
& (E
^ F
) ^ F
) + 0x2E1B2138UL
+ w
[ 1]; C
+= G
;
180 G
+= S0(H
) + ((H
& A
) | (B
& (H
| A
)));
181 w
[ 2] = w
[ 2] + s0(w
[ 3]) + w
[11] + s1(w
[ 0]);
182 F
+= S1(C
) + (C
& (D
^ E
) ^ E
) + 0x4D2C6DFCUL
+ w
[ 2]; B
+= F
;
183 F
+= S0(G
) + ((G
& H
) | (A
& (G
| H
)));
184 w
[ 3] = w
[ 3] + s0(w
[ 4]) + w
[12] + s1(w
[ 1]);
185 E
+= S1(B
) + (B
& (C
^ D
) ^ D
) + 0x53380D13UL
+ w
[ 3]; A
+= E
;
186 E
+= S0(F
) + ((F
& G
) | (H
& (F
| G
)));
187 w
[ 4] = w
[ 4] + s0(w
[ 5]) + w
[13] + s1(w
[ 2]);
188 D
+= S1(A
) + (A
& (B
^ C
) ^ C
) + 0x650A7354UL
+ w
[ 4]; H
+= D
;
189 D
+= S0(E
) + ((E
& F
) | (G
& (E
| F
)));
190 w
[ 5] = w
[ 5] + s0(w
[ 6]) + w
[14] + s1(w
[ 3]);
191 C
+= S1(H
) + (H
& (A
^ B
) ^ B
) + 0x766A0ABBUL
+ w
[ 5]; G
+= C
;
192 C
+= S0(D
) + ((D
& E
) | (F
& (D
| E
)));
193 w
[ 6] = w
[ 6] + s0(w
[ 7]) + w
[15] + s1(w
[ 4]);
194 B
+= S1(G
) + (G
& (H
^ A
) ^ A
) + 0x81C2C92EUL
+ w
[ 6]; F
+= B
;
195 B
+= S0(C
) + ((C
& D
) | (E
& (C
| D
)));
196 w
[ 7] = w
[ 7] + s0(w
[ 8]) + w
[ 0] + s1(w
[ 5]);
197 A
+= S1(F
) + (F
& (G
^ H
) ^ H
) + 0x92722C85UL
+ w
[ 7]; E
+= A
;
198 A
+= S0(B
) + ((B
& C
) | (D
& (B
| C
)));
199 w
[ 8] = w
[ 8] + s0(w
[ 9]) + w
[ 1] + s1(w
[ 6]);
200 H
+= S1(E
) + (E
& (F
^ G
) ^ G
) + 0xA2BFE8A1UL
+ w
[ 8]; D
+= H
;
201 H
+= S0(A
) + ((A
& B
) | (C
& (A
| B
)));
202 w
[ 9] = w
[ 9] + s0(w
[10]) + w
[ 2] + s1(w
[ 7]);
203 G
+= S1(D
) + (D
& (E
^ F
) ^ F
) + 0xA81A664BUL
+ w
[ 9]; C
+= G
;
204 G
+= S0(H
) + ((H
& A
) | (B
& (H
| A
)));
205 w
[10] = w
[10] + s0(w
[11]) + w
[ 3] + s1(w
[ 8]);
206 F
+= S1(C
) + (C
& (D
^ E
) ^ E
) + 0xC24B8B70UL
+ w
[10]; B
+= F
;
207 F
+= S0(G
) + ((G
& H
) | (A
& (G
| H
)));
208 w
[11] = w
[11] + s0(w
[12]) + w
[ 4] + s1(w
[ 9]);
209 E
+= S1(B
) + (B
& (C
^ D
) ^ D
) + 0xC76C51A3UL
+ w
[11]; A
+= E
;
210 E
+= S0(F
) + ((F
& G
) | (H
& (F
| G
)));
211 w
[12] = w
[12] + s0(w
[13]) + w
[ 5] + s1(w
[10]);
212 D
+= S1(A
) + (A
& (B
^ C
) ^ C
) + 0xD192E819UL
+ w
[12]; H
+= D
;
213 D
+= S0(E
) + ((E
& F
) | (G
& (E
| F
)));
214 w
[13] = w
[13] + s0(w
[14]) + w
[ 6] + s1(w
[11]);
215 C
+= S1(H
) + (H
& (A
^ B
) ^ B
) + 0xD6990624UL
+ w
[13]; G
+= C
;
216 C
+= S0(D
) + ((D
& E
) | (F
& (D
| E
)));
217 w
[14] = w
[14] + s0(w
[15]) + w
[ 7] + s1(w
[12]);
218 B
+= S1(G
) + (G
& (H
^ A
) ^ A
) + 0xF40E3585UL
+ w
[14]; F
+= B
;
219 B
+= S0(C
) + ((C
& D
) | (E
& (C
| D
)));
220 w
[15] = w
[15] + s0(w
[ 0]) + w
[ 8] + s1(w
[13]);
221 A
+= S1(F
) + (F
& (G
^ H
) ^ H
) + 0x106AA070UL
+ w
[15]; E
+= A
;
222 A
+= S0(B
) + ((B
& C
) | (D
& (B
| C
)));
223 w
[ 0] = w
[ 0] + s0(w
[ 1]) + w
[ 9] + s1(w
[14]);
224 H
+= S1(E
) + (E
& (F
^ G
) ^ G
) + 0x19A4C116UL
+ w
[ 0]; D
+= H
;
225 H
+= S0(A
) + ((A
& B
) | (C
& (A
| B
)));
226 w
[ 1] = w
[ 1] + s0(w
[ 2]) + w
[10] + s1(w
[15]);
227 G
+= S1(D
) + (D
& (E
^ F
) ^ F
) + 0x1E376C08UL
+ w
[ 1]; C
+= G
;
228 G
+= S0(H
) + ((H
& A
) | (B
& (H
| A
)));
229 w
[ 2] = w
[ 2] + s0(w
[ 3]) + w
[11] + s1(w
[ 0]);
230 F
+= S1(C
) + (C
& (D
^ E
) ^ E
) + 0x2748774CUL
+ w
[ 2]; B
+= F
;
231 F
+= S0(G
) + ((G
& H
) | (A
& (G
| H
)));
232 w
[ 3] = w
[ 3] + s0(w
[ 4]) + w
[12] + s1(w
[ 1]);
233 E
+= S1(B
) + (B
& (C
^ D
) ^ D
) + 0x34B0BCB5UL
+ w
[ 3]; A
+= E
;
234 E
+= S0(F
) + ((F
& G
) | (H
& (F
| G
)));
235 w
[ 4] = w
[ 4] + s0(w
[ 5]) + w
[13] + s1(w
[ 2]);
236 D
+= S1(A
) + (A
& (B
^ C
) ^ C
) + 0x391C0CB3UL
+ w
[ 4]; H
+= D
;
237 D
+= S0(E
) + ((E
& F
) | (G
& (E
| F
)));
238 w
[ 5] = w
[ 5] + s0(w
[ 6]) + w
[14] + s1(w
[ 3]);
239 C
+= S1(H
) + (H
& (A
^ B
) ^ B
) + 0x4ED8AA4AUL
+ w
[ 5]; G
+= C
;
240 C
+= S0(D
) + ((D
& E
) | (F
& (D
| E
)));
241 w
[ 6] = w
[ 6] + s0(w
[ 7]) + w
[15] + s1(w
[ 4]);
242 B
+= S1(G
) + (G
& (H
^ A
) ^ A
) + 0x5B9CCA4FUL
+ w
[ 6]; F
+= B
;
243 B
+= S0(C
) + ((C
& D
) | (E
& (C
| D
)));
244 w
[ 7] = w
[ 7] + s0(w
[ 8]) + w
[ 0] + s1(w
[ 5]);
245 A
+= S1(F
) + (F
& (G
^ H
) ^ H
) + 0x682E6FF3UL
+ w
[ 7]; E
+= A
;
246 A
+= S0(B
) + ((B
& C
) | (D
& (B
| C
)));
247 w
[ 8] = w
[ 8] + s0(w
[ 9]) + w
[ 1] + s1(w
[ 6]);
248 H
+= S1(E
) + (E
& (F
^ G
) ^ G
) + 0x748F82EEUL
+ w
[ 8]; D
+= H
;
249 H
+= S0(A
) + ((A
& B
) | (C
& (A
| B
)));
250 w
[ 9] = w
[ 9] + s0(w
[10]) + w
[ 2] + s1(w
[ 7]);
251 G
+= S1(D
) + (D
& (E
^ F
) ^ F
) + 0x78A5636FUL
+ w
[ 9]; C
+= G
;
252 G
+= S0(H
) + ((H
& A
) | (B
& (H
| A
)));
253 w
[10] = w
[10] + s0(w
[11]) + w
[ 3] + s1(w
[ 8]);
254 F
+= S1(C
) + (C
& (D
^ E
) ^ E
) + 0x84C87814UL
+ w
[10]; B
+= F
;
255 F
+= S0(G
) + ((G
& H
) | (A
& (G
| H
)));
256 w
[11] = w
[11] + s0(w
[12]) + w
[ 4] + s1(w
[ 9]);
257 E
+= S1(B
) + (B
& (C
^ D
) ^ D
) + 0x8CC70208UL
+ w
[11]; A
+= E
;
258 E
+= S0(F
) + ((F
& G
) | (H
& (F
| G
)));
259 w
[12] = w
[12] + s0(w
[13]) + w
[ 5] + s1(w
[10]);
260 D
+= S1(A
) + (A
& (B
^ C
) ^ C
) + 0x90BEFFFAUL
+ w
[12]; H
+= D
;
261 D
+= S0(E
) + ((E
& F
) | (G
& (E
| F
)));
262 w
[13] = w
[13] + s0(w
[14]) + w
[ 6] + s1(w
[11]);
263 C
+= S1(H
) + (H
& (A
^ B
) ^ B
) + 0xA4506CEBUL
+ w
[13]; G
+= C
;
264 C
+= S0(D
) + ((D
& E
) | (F
& (D
| E
)));
265 w
[14] = w
[14] + s0(w
[15]) + w
[ 7] + s1(w
[12]);
266 B
+= S1(G
) + (G
& (H
^ A
) ^ A
) + 0xBEF9A3F7UL
+ w
[14]; F
+= B
;
267 B
+= S0(C
) + ((C
& D
) | (E
& (C
| D
)));
268 w
[15] = w
[15] + s0(w
[ 0]) + w
[ 8] + s1(w
[13]);
269 A
+= S1(F
) + (F
& (G
^ H
) ^ H
) + 0xC67178F2UL
+ w
[15]; E
+= A
;
270 A
+= S0(B
) + ((B
& C
) | (D
& (B
| C
)));
283 /* clear temp variables */
285 A
= B
= C
= D
= E
= F
= G
= H
= 0;
286 memset(w
, 0, sizeof(w
));
290 /* ntru_crypto_sha2()
292 * This routine provides all operations for a SHA-256 hash,
293 * and the use of SHA-256 for DSA signing and key generation.
294 * It may be used to initialize, update, or complete a message digest,
295 * or any combination of those actions, as determined by the SHA_INIT flag,
296 * the in_len parameter, and the SHA_FINISH flag, respectively.
298 * When in_len == 0 (no data to hash), the parameter, in, may be NULL.
299 * When the SHA_FINISH flag is not set, the parameter, md, may be NULL.
301 * Initialization may be standard or use a specified initialization vector,
302 * and is indicated by setting the SHA_INIT flag.
303 * Setting init = NULL specifies standard initialization. Otherwise, init
304 * points to the array of eight alternate initialization 32-bit words.
306 * The hash operation can be updated with any number of input bytes, including
309 * The hash operation can be completed with normal padding or with zero
310 * padding as required for parts of DSA parameter generation, and is indicated
311 * by setting the SHA_FINISH flag. Using zero padding, indicated by setting
312 * the SHA_ZERO_PAD flag, never creates an extra input block because the
313 * bit count is not included in the hashed data.
315 * Returns SHA_OK on success.
316 * Returns SHA_FAIL with corrupted context.
317 * Returns SHA_BAD_PARAMETER if inappropriate NULL pointers are passed.
318 * Returns SHA_OVERFLOW if more than 2^64 - 1 bytes are hashed.
323 NTRU_CRYPTO_HASH_ALGID algid
, // in - hash algorithm ID
324 NTRU_CRYPTO_SHA2_CTX
*c
, // in/out - pointer to SHA-2 context
325 uint32_t const *init
, // in - pointer to alternate
326 // initialization - may be NULL
327 uint8_t const *in
, // in - pointer to input data -
328 // may be NULL if in_len == 0
329 uint32_t in_len
, // in - number of input data bytes
330 uint32_t flags
, // in - INIT, FINISH, zero-pad flags
331 uint8_t *md
) // out - address for message digest -
332 // may be NULL if not FINISH
334 uint32_t in_blk
[16]; // input block
338 /* check error conditions */
340 if (algid
!= NTRU_CRYPTO_HASH_ALGID_SHA256
)
341 SHA_RET(SHA_BAD_PARAMETER
)
343 if (!c
|| (in_len
&& !in
) || ((flags
& SHA_FINISH
) && !md
))
344 SHA_RET(SHA_BAD_PARAMETER
)
346 /* initialize context if requested */
348 if (flags
& SHA_INIT
) {
350 /* init chaining state */
352 if (!init
) { // standard initialization
354 c
->state
[0] = H0_SHA256_INIT
; // standard SHA-256 init
355 c
->state
[1] = H1_SHA256_INIT
;
356 c
->state
[2] = H2_SHA256_INIT
;
357 c
->state
[3] = H3_SHA256_INIT
;
358 c
->state
[4] = H4_SHA256_INIT
;
359 c
->state
[5] = H5_SHA256_INIT
;
360 c
->state
[6] = H6_SHA256_INIT
;
361 c
->state
[7] = H7_SHA256_INIT
;
364 c
->state
[0] = init
[0]; // alternate initialization
365 c
->state
[1] = init
[1];
366 c
->state
[2] = init
[2];
367 c
->state
[3] = init
[3];
368 c
->state
[4] = init
[4];
369 c
->state
[5] = init
[5];
370 c
->state
[6] = init
[6];
371 c
->state
[7] = init
[7];
374 /* init bit count and number of unhashed data bytes */
376 c
->num_bits_hashed
[0] = 0;
377 c
->num_bits_hashed
[1] = 0;
381 /* determine space left in unhashed data buffer */
383 if (c
->unhashed_len
> 63)
386 space
= 64 - c
->unhashed_len
;
388 /* process input if it exists */
392 /* update count of bits hashed */
395 uint32_t bits0
, bits1
;
398 bits1
= in_len
>> 29;
399 if ((c
->num_bits_hashed
[0] += bits0
) < bits0
)
401 if ((c
->num_bits_hashed
[1] += bits1
) < bits1
) {
402 memset((uint8_t *) c
, 0, sizeof(NTRU_CRYPTO_SHA2_CTX
));
404 memset((char *) in_blk
, 0, sizeof(in_blk
));
405 SHA_RET(SHA_OVERFLOW
)
409 /* process input bytes */
411 if (in_len
< space
) {
413 /* input does not fill block buffer:
414 * add input to buffer
417 memcpy(c
->unhashed
+ c
->unhashed_len
, in
, in_len
);
418 c
->unhashed_len
+= in_len
;
423 /* input will fill block buffer:
424 * fill unhashed data buffer,
425 * convert to block buffer,
430 for (d
= c
->unhashed
+ c
->unhashed_len
; space
; space
--)
432 ntru_crypto_msbyte_2_uint32(in_blk
, (uint8_t const *) c
->unhashed
,
434 sha2_blk((uint32_t const *) in_blk
, c
->state
);
436 /* process any remaining full blocks */
438 for (blks
= in_len
>> 6; blks
--; in
+= 64) {
439 ntru_crypto_msbyte_2_uint32(in_blk
, in
, 16);
440 sha2_blk((uint32_t const *) in_blk
, c
->state
);
443 /* put any remaining input in the unhashed data buffer */
446 memcpy(c
->unhashed
, in
, in_len
);
447 c
->unhashed_len
= in_len
;
451 /* complete message digest if requested */
453 if (flags
& SHA_FINISH
) {
454 space
= 64 - c
->unhashed_len
;
456 /* check padding type */
458 if (!(flags
& SHA_ZERO_PAD
)) {
460 /* add 0x80 padding byte to the unhashed data buffer
461 * (there is always space since the buffer can't be full)
464 d
= c
->unhashed
+ c
->unhashed_len
;
468 /* check for space for bit count */
472 /* no space for count:
473 * fill remainder of unhashed data buffer with zeros,
474 * convert to input block,
476 * fill all but 8 bytes of unhashed data buffer with zeros
480 ntru_crypto_msbyte_2_uint32(in_blk
,
481 (uint8_t const *) c
->unhashed
, 16);
482 sha2_blk((uint32_t const *) in_blk
, c
->state
);
483 memset(c
->unhashed
, 0, 56);
487 /* fill unhashed data buffer with zeros,
488 * leaving space for bit count
491 for (space
-= 8; space
; space
--)
495 /* convert partially filled unhashed data buffer to input block and
496 * add bit count to input block
499 ntru_crypto_msbyte_2_uint32(in_blk
, (uint8_t const *) c
->unhashed
,
501 in_blk
[14] = c
->num_bits_hashed
[1];
502 in_blk
[15] = c
->num_bits_hashed
[0];
506 /* pad unhashed data buffer with zeros and no bit count and
507 * convert to input block
510 memset(c
->unhashed
+ c
->unhashed_len
, 0, space
);
511 ntru_crypto_msbyte_2_uint32(in_blk
, (uint8_t const *) c
->unhashed
,
515 /* process last block */
517 sha2_blk((uint32_t const *) in_blk
, c
->state
);
519 /* copy result to message digest buffer */
521 ntru_crypto_uint32_2_msbyte(md
, c
->state
, 8);
523 /* clear context and stack variables */
525 memset((uint8_t *) c
, 0, sizeof(NTRU_CRYPTO_SHA2_CTX
));
527 memset((char *) in_blk
, 0, sizeof(in_blk
));