Prototype implementation of IKE key exchange via NTRU encryption
[strongswan.git] / src / libstrongswan / plugins / ntru / ntru_crypto / ntru_crypto_sha2.c
1 /******************************************************************************
2 * NTRU Cryptography Reference Source Code
3 * Copyright (c) 2009-2013, by Security Innovation, Inc. All rights reserved.
4 *
5 * ntru_crypto_sha2.c is a component of ntru-crypto.
6 *
7 * Copyright (C) 2009-2013 Security Innovation
8 *
9 * This program is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU General Public License
11 * as published by the Free Software Foundation; either version 2
12 * of the License, or (at your option) any later version.
13 *
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
18 *
19 * You should have received a copy of the GNU General Public License
20 * along with this program; if not, write to the Free Software
21 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
22 *
23 *****************************************************************************/
24
25 /******************************************************************************
26 *
27 * File: ntru_crypto_sha2.c
28 *
29 * Contents: Routines implementing the SHA-256 hash calculation.
30 *
31 *****************************************************************************/
32
33
34 #include <stdlib.h>
35 #include <string.h>
36 #include "ntru_crypto_sha2.h"
37 #include "ntru_crypto_msbyte_uint32.h"
38
39
40 /* chaining state elements */
41
42 #define H0 state[0]
43 #define H1 state[1]
44 #define H2 state[2]
45 #define H3 state[3]
46 #define H4 state[4]
47 #define H5 state[5]
48 #define H6 state[6]
49 #define H7 state[7]
50
51
52 /* standard SHA-256 initialization values */
53
54 #define H0_SHA256_INIT 0x6a09e667UL
55 #define H1_SHA256_INIT 0xbb67ae85UL
56 #define H2_SHA256_INIT 0x3c6ef372UL
57 #define H3_SHA256_INIT 0xa54ff53aUL
58 #define H4_SHA256_INIT 0x510e527fUL
59 #define H5_SHA256_INIT 0x9b05688cUL
60 #define H6_SHA256_INIT 0x1f83d9abUL
61 #define H7_SHA256_INIT 0x5be0cd19UL
62
63
64 /* sha2_blk()
65 *
66 * This routine updates the current hash output (chaining state)
67 * by performing SHA-256 on a 512-bit block of data represented
68 * as sixteen 32-bit words.
69 */
70
71 #define RR(a, n) ( ((a) >> (n)) | ((a) << (32 - (n))) )
72 #define S0(a) ( RR((a), 2) ^ RR((a), 13) ^ RR((a), 22) )
73 #define S1(a) ( RR((a), 6) ^ RR((a), 11) ^ RR((a), 25) )
74 #define s0(a) ( RR((a), 7) ^ RR((a), 18) ^ ((a) >> 3) )
75 #define s1(a) ( RR((a), 17) ^ RR((a), 19) ^ ((a) >> 10) )
76
77
78 static void
79 sha2_blk(
80 uint32_t const *data, // in - ptr to 16 32-bit word input block
81 uint32_t *state) // in/out - ptr to 8 32-bit word chaining state
82 {
83 uint32_t A, B, C, D, E, F, G, H;
84 uint32_t w[16];
85
86 /* init A - H */
87
88 A = H0; B = H1; C = H2; D = H3; E = H4; F = H5; G = H6; H = H7;
89
90 /* rounds 0 - 15 */
91
92 H += S1(E) + (E & (F ^ G) ^ G) + 0x428A2F98UL + data[ 0]; D += H;
93 H += S0(A) + ((A & B) | (C & (A | B)));
94 G += S1(D) + (D & (E ^ F) ^ F) + 0x71374491UL + data[ 1]; C += G;
95 G += S0(H) + ((H & A) | (B & (H | A)));
96 F += S1(C) + (C & (D ^ E) ^ E) + 0xB5C0FBCFUL + data[ 2]; B += F;
97 F += S0(G) + ((G & H) | (A & (G | H)));
98 E += S1(B) + (B & (C ^ D) ^ D) + 0xE9B5DBA5UL + data[ 3]; A += E;
99 E += S0(F) + ((F & G) | (H & (F | G)));
100 D += S1(A) + (A & (B ^ C) ^ C) + 0x3956C25BUL + data[ 4]; H += D;
101 D += S0(E) + ((E & F) | (G & (E | F)));
102 C += S1(H) + (H & (A ^ B) ^ B) + 0x59F111F1UL + data[ 5]; G += C;
103 C += S0(D) + ((D & E) | (F & (D | E)));
104 B += S1(G) + (G & (H ^ A) ^ A) + 0x923F82A4UL + data[ 6]; F += B;
105 B += S0(C) + ((C & D) | (E & (C | D)));
106 A += S1(F) + (F & (G ^ H) ^ H) + 0xAB1C5ED5UL + data[ 7]; E += A;
107 A += S0(B) + ((B & C) | (D & (B | C)));
108 H += S1(E) + (E & (F ^ G) ^ G) + 0xD807AA98UL + data[ 8]; D += H;
109 H += S0(A) + ((A & B) | (C & (A | B)));
110 G += S1(D) + (D & (E ^ F) ^ F) + 0x12835B01UL + data[ 9]; C += G;
111 G += S0(H) + ((H & A) | (B & (H | A)));
112 F += S1(C) + (C & (D ^ E) ^ E) + 0x243185BEUL + data[10]; B += F;
113 F += S0(G) + ((G & H) | (A & (G | H)));
114 E += S1(B) + (B & (C ^ D) ^ D) + 0x550C7DC3UL + data[11]; A += E;
115 E += S0(F) + ((F & G) | (H & (F | G)));
116 D += S1(A) + (A & (B ^ C) ^ C) + 0x72BE5D74UL + data[12]; H += D;
117 D += S0(E) + ((E & F) | (G & (E | F)));
118 C += S1(H) + (H & (A ^ B) ^ B) + 0x80DEB1FEUL + data[13]; G += C;
119 C += S0(D) + ((D & E) | (F & (D | E)));
120 B += S1(G) + (G & (H ^ A) ^ A) + 0x9BDC06A7UL + data[14]; F += B;
121 B += S0(C) + ((C & D) | (E & (C | D)));
122 A += S1(F) + (F & (G ^ H) ^ H) + 0xC19BF174UL + data[15]; E += A;
123 A += S0(B) + ((B & C) | (D & (B | C)));
124
125 /* rounds 16 - 63 */
126
127 w[ 0] = data[ 0] + s0(data[ 1]) + data[ 9] + s1(data[14]);
128 H += S1(E) + (E & (F ^ G) ^ G) + 0xE49B69C1UL + w[ 0]; D += H;
129 H += S0(A) + ((A & B) | (C & (A | B)));
130 w[ 1] = data[ 1] + s0(data[ 2]) + data[10] + s1(data[15]);
131 G += S1(D) + (D & (E ^ F) ^ F) + 0xEFBE4786UL + w[ 1]; C += G;
132 G += S0(H) + ((H & A) | (B & (H | A)));
133 w[ 2] = data[ 2] + s0(data[ 3]) + data[11] + s1(w[ 0]);
134 F += S1(C) + (C & (D ^ E) ^ E) + 0x0FC19DC6UL + w[ 2]; B += F;
135 F += S0(G) + ((G & H) | (A & (G | H)));
136 w[ 3] = data[ 3] + s0(data[ 4]) + data[12] + s1(w[ 1]);
137 E += S1(B) + (B & (C ^ D) ^ D) + 0x240CA1CCUL + w[ 3]; A += E;
138 E += S0(F) + ((F & G) | (H & (F | G)));
139 w[ 4] = data[ 4] + s0(data[ 5]) + data[13] + s1(w[ 2]);
140 D += S1(A) + (A & (B ^ C) ^ C) + 0x2DE92C6FUL + w[ 4]; H += D;
141 D += S0(E) + ((E & F) | (G & (E | F)));
142 w[ 5] = data[ 5] + s0(data[ 6]) + data[14] + s1(w[ 3]);
143 C += S1(H) + (H & (A ^ B) ^ B) + 0x4A7484AAUL + w[ 5]; G += C;
144 C += S0(D) + ((D & E) | (F & (D | E)));
145 w[ 6] = data[ 6] + s0(data[ 7]) + data[15] + s1(w[ 4]);
146 B += S1(G) + (G & (H ^ A) ^ A) + 0x5CB0A9DCUL + w[ 6]; F += B;
147 B += S0(C) + ((C & D) | (E & (C | D)));
148 w[ 7] = data[ 7] + s0(data[ 8]) + w[ 0] + s1(w[ 5]);
149 A += S1(F) + (F & (G ^ H) ^ H) + 0x76F988DAUL + w[ 7]; E += A;
150 A += S0(B) + ((B & C) | (D & (B | C)));
151 w[ 8] = data[ 8] + s0(data[ 9]) + w[ 1] + s1(w[ 6]);
152 H += S1(E) + (E & (F ^ G) ^ G) + 0x983E5152UL + w[ 8]; D += H;
153 H += S0(A) + ((A & B) | (C & (A | B)));
154 w[ 9] = data[ 9] + s0(data[10]) + w[ 2] + s1(w[ 7]);
155 G += S1(D) + (D & (E ^ F) ^ F) + 0xA831C66DUL + w[ 9]; C += G;
156 G += S0(H) + ((H & A) | (B & (H | A)));
157 w[10] = data[10] + s0(data[11]) + w[ 3] + s1(w[ 8]);
158 F += S1(C) + (C & (D ^ E) ^ E) + 0xB00327C8UL + w[10]; B += F;
159 F += S0(G) + ((G & H) | (A & (G | H)));
160 w[11] = data[11] + s0(data[12]) + w[ 4] + s1(w[ 9]);
161 E += S1(B) + (B & (C ^ D) ^ D) + 0xBF597FC7UL + w[11]; A += E;
162 E += S0(F) + ((F & G) | (H & (F | G)));
163 w[12] = data[12] + s0(data[13]) + w[ 5] + s1(w[10]);
164 D += S1(A) + (A & (B ^ C) ^ C) + 0xC6E00BF3UL + w[12]; H += D;
165 D += S0(E) + ((E & F) | (G & (E | F)));
166 w[13] = data[13] + s0(data[14]) + w[ 6] + s1(w[11]);
167 C += S1(H) + (H & (A ^ B) ^ B) + 0xD5A79147UL + w[13]; G += C;
168 C += S0(D) + ((D & E) | (F & (D | E)));
169 w[14] = data[14] + s0(data[15]) + w[ 7] + s1(w[12]);
170 B += S1(G) + (G & (H ^ A) ^ A) + 0x06CA6351UL + w[14]; F += B;
171 B += S0(C) + ((C & D) | (E & (C | D)));
172 w[15] = data[15] + s0(w[ 0]) + w[ 8] + s1(w[13]);
173 A += S1(F) + (F & (G ^ H) ^ H) + 0x14292967UL + w[15]; E += A;
174 A += S0(B) + ((B & C) | (D & (B | C)));
175 w[ 0] = w[ 0] + s0(w[ 1]) + w[ 9] + s1(w[14]);
176 H += S1(E) + (E & (F ^ G) ^ G) + 0x27B70A85UL + w[ 0]; D += H;
177 H += S0(A) + ((A & B) | (C & (A | B)));
178 w[ 1] = w[ 1] + s0(w[ 2]) + w[10] + s1(w[15]);
179 G += S1(D) + (D & (E ^ F) ^ F) + 0x2E1B2138UL + w[ 1]; C += G;
180 G += S0(H) + ((H & A) | (B & (H | A)));
181 w[ 2] = w[ 2] + s0(w[ 3]) + w[11] + s1(w[ 0]);
182 F += S1(C) + (C & (D ^ E) ^ E) + 0x4D2C6DFCUL + w[ 2]; B += F;
183 F += S0(G) + ((G & H) | (A & (G | H)));
184 w[ 3] = w[ 3] + s0(w[ 4]) + w[12] + s1(w[ 1]);
185 E += S1(B) + (B & (C ^ D) ^ D) + 0x53380D13UL + w[ 3]; A += E;
186 E += S0(F) + ((F & G) | (H & (F | G)));
187 w[ 4] = w[ 4] + s0(w[ 5]) + w[13] + s1(w[ 2]);
188 D += S1(A) + (A & (B ^ C) ^ C) + 0x650A7354UL + w[ 4]; H += D;
189 D += S0(E) + ((E & F) | (G & (E | F)));
190 w[ 5] = w[ 5] + s0(w[ 6]) + w[14] + s1(w[ 3]);
191 C += S1(H) + (H & (A ^ B) ^ B) + 0x766A0ABBUL + w[ 5]; G += C;
192 C += S0(D) + ((D & E) | (F & (D | E)));
193 w[ 6] = w[ 6] + s0(w[ 7]) + w[15] + s1(w[ 4]);
194 B += S1(G) + (G & (H ^ A) ^ A) + 0x81C2C92EUL + w[ 6]; F += B;
195 B += S0(C) + ((C & D) | (E & (C | D)));
196 w[ 7] = w[ 7] + s0(w[ 8]) + w[ 0] + s1(w[ 5]);
197 A += S1(F) + (F & (G ^ H) ^ H) + 0x92722C85UL + w[ 7]; E += A;
198 A += S0(B) + ((B & C) | (D & (B | C)));
199 w[ 8] = w[ 8] + s0(w[ 9]) + w[ 1] + s1(w[ 6]);
200 H += S1(E) + (E & (F ^ G) ^ G) + 0xA2BFE8A1UL + w[ 8]; D += H;
201 H += S0(A) + ((A & B) | (C & (A | B)));
202 w[ 9] = w[ 9] + s0(w[10]) + w[ 2] + s1(w[ 7]);
203 G += S1(D) + (D & (E ^ F) ^ F) + 0xA81A664BUL + w[ 9]; C += G;
204 G += S0(H) + ((H & A) | (B & (H | A)));
205 w[10] = w[10] + s0(w[11]) + w[ 3] + s1(w[ 8]);
206 F += S1(C) + (C & (D ^ E) ^ E) + 0xC24B8B70UL + w[10]; B += F;
207 F += S0(G) + ((G & H) | (A & (G | H)));
208 w[11] = w[11] + s0(w[12]) + w[ 4] + s1(w[ 9]);
209 E += S1(B) + (B & (C ^ D) ^ D) + 0xC76C51A3UL + w[11]; A += E;
210 E += S0(F) + ((F & G) | (H & (F | G)));
211 w[12] = w[12] + s0(w[13]) + w[ 5] + s1(w[10]);
212 D += S1(A) + (A & (B ^ C) ^ C) + 0xD192E819UL + w[12]; H += D;
213 D += S0(E) + ((E & F) | (G & (E | F)));
214 w[13] = w[13] + s0(w[14]) + w[ 6] + s1(w[11]);
215 C += S1(H) + (H & (A ^ B) ^ B) + 0xD6990624UL + w[13]; G += C;
216 C += S0(D) + ((D & E) | (F & (D | E)));
217 w[14] = w[14] + s0(w[15]) + w[ 7] + s1(w[12]);
218 B += S1(G) + (G & (H ^ A) ^ A) + 0xF40E3585UL + w[14]; F += B;
219 B += S0(C) + ((C & D) | (E & (C | D)));
220 w[15] = w[15] + s0(w[ 0]) + w[ 8] + s1(w[13]);
221 A += S1(F) + (F & (G ^ H) ^ H) + 0x106AA070UL + w[15]; E += A;
222 A += S0(B) + ((B & C) | (D & (B | C)));
223 w[ 0] = w[ 0] + s0(w[ 1]) + w[ 9] + s1(w[14]);
224 H += S1(E) + (E & (F ^ G) ^ G) + 0x19A4C116UL + w[ 0]; D += H;
225 H += S0(A) + ((A & B) | (C & (A | B)));
226 w[ 1] = w[ 1] + s0(w[ 2]) + w[10] + s1(w[15]);
227 G += S1(D) + (D & (E ^ F) ^ F) + 0x1E376C08UL + w[ 1]; C += G;
228 G += S0(H) + ((H & A) | (B & (H | A)));
229 w[ 2] = w[ 2] + s0(w[ 3]) + w[11] + s1(w[ 0]);
230 F += S1(C) + (C & (D ^ E) ^ E) + 0x2748774CUL + w[ 2]; B += F;
231 F += S0(G) + ((G & H) | (A & (G | H)));
232 w[ 3] = w[ 3] + s0(w[ 4]) + w[12] + s1(w[ 1]);
233 E += S1(B) + (B & (C ^ D) ^ D) + 0x34B0BCB5UL + w[ 3]; A += E;
234 E += S0(F) + ((F & G) | (H & (F | G)));
235 w[ 4] = w[ 4] + s0(w[ 5]) + w[13] + s1(w[ 2]);
236 D += S1(A) + (A & (B ^ C) ^ C) + 0x391C0CB3UL + w[ 4]; H += D;
237 D += S0(E) + ((E & F) | (G & (E | F)));
238 w[ 5] = w[ 5] + s0(w[ 6]) + w[14] + s1(w[ 3]);
239 C += S1(H) + (H & (A ^ B) ^ B) + 0x4ED8AA4AUL + w[ 5]; G += C;
240 C += S0(D) + ((D & E) | (F & (D | E)));
241 w[ 6] = w[ 6] + s0(w[ 7]) + w[15] + s1(w[ 4]);
242 B += S1(G) + (G & (H ^ A) ^ A) + 0x5B9CCA4FUL + w[ 6]; F += B;
243 B += S0(C) + ((C & D) | (E & (C | D)));
244 w[ 7] = w[ 7] + s0(w[ 8]) + w[ 0] + s1(w[ 5]);
245 A += S1(F) + (F & (G ^ H) ^ H) + 0x682E6FF3UL + w[ 7]; E += A;
246 A += S0(B) + ((B & C) | (D & (B | C)));
247 w[ 8] = w[ 8] + s0(w[ 9]) + w[ 1] + s1(w[ 6]);
248 H += S1(E) + (E & (F ^ G) ^ G) + 0x748F82EEUL + w[ 8]; D += H;
249 H += S0(A) + ((A & B) | (C & (A | B)));
250 w[ 9] = w[ 9] + s0(w[10]) + w[ 2] + s1(w[ 7]);
251 G += S1(D) + (D & (E ^ F) ^ F) + 0x78A5636FUL + w[ 9]; C += G;
252 G += S0(H) + ((H & A) | (B & (H | A)));
253 w[10] = w[10] + s0(w[11]) + w[ 3] + s1(w[ 8]);
254 F += S1(C) + (C & (D ^ E) ^ E) + 0x84C87814UL + w[10]; B += F;
255 F += S0(G) + ((G & H) | (A & (G | H)));
256 w[11] = w[11] + s0(w[12]) + w[ 4] + s1(w[ 9]);
257 E += S1(B) + (B & (C ^ D) ^ D) + 0x8CC70208UL + w[11]; A += E;
258 E += S0(F) + ((F & G) | (H & (F | G)));
259 w[12] = w[12] + s0(w[13]) + w[ 5] + s1(w[10]);
260 D += S1(A) + (A & (B ^ C) ^ C) + 0x90BEFFFAUL + w[12]; H += D;
261 D += S0(E) + ((E & F) | (G & (E | F)));
262 w[13] = w[13] + s0(w[14]) + w[ 6] + s1(w[11]);
263 C += S1(H) + (H & (A ^ B) ^ B) + 0xA4506CEBUL + w[13]; G += C;
264 C += S0(D) + ((D & E) | (F & (D | E)));
265 w[14] = w[14] + s0(w[15]) + w[ 7] + s1(w[12]);
266 B += S1(G) + (G & (H ^ A) ^ A) + 0xBEF9A3F7UL + w[14]; F += B;
267 B += S0(C) + ((C & D) | (E & (C | D)));
268 w[15] = w[15] + s0(w[ 0]) + w[ 8] + s1(w[13]);
269 A += S1(F) + (F & (G ^ H) ^ H) + 0xC67178F2UL + w[15]; E += A;
270 A += S0(B) + ((B & C) | (D & (B | C)));
271
272 /* update H0 - H7 */
273
274 H0 += A;
275 H1 += B;
276 H2 += C;
277 H3 += D;
278 H4 += E;
279 H5 += F;
280 H6 += G;
281 H7 += H;
282
283 /* clear temp variables */
284
285 A = B = C = D = E = F = G = H = 0;
286 memset(w, 0, sizeof(w));
287 }
288
289
290 /* ntru_crypto_sha2()
291 *
292 * This routine provides all operations for a SHA-256 hash,
293 * and the use of SHA-256 for DSA signing and key generation.
294 * It may be used to initialize, update, or complete a message digest,
295 * or any combination of those actions, as determined by the SHA_INIT flag,
296 * the in_len parameter, and the SHA_FINISH flag, respectively.
297 *
298 * When in_len == 0 (no data to hash), the parameter, in, may be NULL.
299 * When the SHA_FINISH flag is not set, the parameter, md, may be NULL.
300 *
301 * Initialization may be standard or use a specified initialization vector,
302 * and is indicated by setting the SHA_INIT flag.
303 * Setting init = NULL specifies standard initialization. Otherwise, init
304 * points to the array of eight alternate initialization 32-bit words.
305 *
306 * The hash operation can be updated with any number of input bytes, including
307 * zero.
308 *
309 * The hash operation can be completed with normal padding or with zero
310 * padding as required for parts of DSA parameter generation, and is indicated
311 * by setting the SHA_FINISH flag. Using zero padding, indicated by setting
312 * the SHA_ZERO_PAD flag, never creates an extra input block because the
313 * bit count is not included in the hashed data.
314 *
315 * Returns SHA_OK on success.
316 * Returns SHA_FAIL with corrupted context.
317 * Returns SHA_BAD_PARAMETER if inappropriate NULL pointers are passed.
318 * Returns SHA_OVERFLOW if more than 2^64 - 1 bytes are hashed.
319 */
320
321 uint32_t
322 ntru_crypto_sha2(
323 NTRU_CRYPTO_HASH_ALGID algid, // in - hash algorithm ID
324 NTRU_CRYPTO_SHA2_CTX *c, // in/out - pointer to SHA-2 context
325 uint32_t const *init, // in - pointer to alternate
326 // initialization - may be NULL
327 uint8_t const *in, // in - pointer to input data -
328 // may be NULL if in_len == 0
329 uint32_t in_len, // in - number of input data bytes
330 uint32_t flags, // in - INIT, FINISH, zero-pad flags
331 uint8_t *md) // out - address for message digest -
332 // may be NULL if not FINISH
333 {
334 uint32_t in_blk[16]; // input block
335 uint32_t space;
336 uint8_t *d = NULL;
337
338 /* check error conditions */
339
340 if (algid != NTRU_CRYPTO_HASH_ALGID_SHA256)
341 SHA_RET(SHA_BAD_PARAMETER)
342
343 if (!c || (in_len && !in) || ((flags & SHA_FINISH) && !md))
344 SHA_RET(SHA_BAD_PARAMETER)
345
346 /* initialize context if requested */
347
348 if (flags & SHA_INIT) {
349
350 /* init chaining state */
351
352 if (!init) { // standard initialization
353
354 c->state[0] = H0_SHA256_INIT; // standard SHA-256 init
355 c->state[1] = H1_SHA256_INIT;
356 c->state[2] = H2_SHA256_INIT;
357 c->state[3] = H3_SHA256_INIT;
358 c->state[4] = H4_SHA256_INIT;
359 c->state[5] = H5_SHA256_INIT;
360 c->state[6] = H6_SHA256_INIT;
361 c->state[7] = H7_SHA256_INIT;
362
363 } else {
364 c->state[0] = init[0]; // alternate initialization
365 c->state[1] = init[1];
366 c->state[2] = init[2];
367 c->state[3] = init[3];
368 c->state[4] = init[4];
369 c->state[5] = init[5];
370 c->state[6] = init[6];
371 c->state[7] = init[7];
372 }
373
374 /* init bit count and number of unhashed data bytes */
375
376 c->num_bits_hashed[0] = 0;
377 c->num_bits_hashed[1] = 0;
378 c->unhashed_len = 0;
379 }
380
381 /* determine space left in unhashed data buffer */
382
383 if (c->unhashed_len > 63)
384 SHA_RET(SHA_FAIL)
385
386 space = 64 - c->unhashed_len;
387
388 /* process input if it exists */
389
390 if (in_len) {
391
392 /* update count of bits hashed */
393
394 {
395 uint32_t bits0, bits1;
396
397 bits0 = in_len << 3;
398 bits1 = in_len >> 29;
399 if ((c->num_bits_hashed[0] += bits0) < bits0)
400 bits1++;
401 if ((c->num_bits_hashed[1] += bits1) < bits1) {
402 memset((uint8_t *) c, 0, sizeof(NTRU_CRYPTO_SHA2_CTX));
403 space = 0;
404 memset((char *) in_blk, 0, sizeof(in_blk));
405 SHA_RET(SHA_OVERFLOW)
406 }
407 }
408
409 /* process input bytes */
410
411 if (in_len < space) {
412
413 /* input does not fill block buffer:
414 * add input to buffer
415 */
416
417 memcpy(c->unhashed + c->unhashed_len, in, in_len);
418 c->unhashed_len += in_len;
419
420 } else {
421 uint32_t blks;
422
423 /* input will fill block buffer:
424 * fill unhashed data buffer,
425 * convert to block buffer,
426 * and process block
427 */
428
429 in_len -= space;
430 for (d = c->unhashed + c->unhashed_len; space; space--)
431 *d++ = *in++;
432 ntru_crypto_msbyte_2_uint32(in_blk, (uint8_t const *) c->unhashed,
433 16);
434 sha2_blk((uint32_t const *) in_blk, c->state);
435
436 /* process any remaining full blocks */
437
438 for (blks = in_len >> 6; blks--; in += 64) {
439 ntru_crypto_msbyte_2_uint32(in_blk, in, 16);
440 sha2_blk((uint32_t const *) in_blk, c->state);
441 }
442
443 /* put any remaining input in the unhashed data buffer */
444
445 in_len &= 0x3f;
446 memcpy(c->unhashed, in, in_len);
447 c->unhashed_len = in_len;
448 }
449 }
450
451 /* complete message digest if requested */
452
453 if (flags & SHA_FINISH) {
454 space = 64 - c->unhashed_len;
455
456 /* check padding type */
457
458 if (!(flags & SHA_ZERO_PAD)) {
459
460 /* add 0x80 padding byte to the unhashed data buffer
461 * (there is always space since the buffer can't be full)
462 */
463
464 d = c->unhashed + c->unhashed_len;
465 *d++ = 0x80;
466 space--;
467
468 /* check for space for bit count */
469
470 if (space < 8) {
471
472 /* no space for count:
473 * fill remainder of unhashed data buffer with zeros,
474 * convert to input block,
475 * process block,
476 * fill all but 8 bytes of unhashed data buffer with zeros
477 */
478
479 memset(d, 0, space);
480 ntru_crypto_msbyte_2_uint32(in_blk,
481 (uint8_t const *) c->unhashed, 16);
482 sha2_blk((uint32_t const *) in_blk, c->state);
483 memset(c->unhashed, 0, 56);
484
485 } else {
486
487 /* fill unhashed data buffer with zeros,
488 * leaving space for bit count
489 */
490
491 for (space -= 8; space; space--)
492 *d++ = 0;
493 }
494
495 /* convert partially filled unhashed data buffer to input block and
496 * add bit count to input block
497 */
498
499 ntru_crypto_msbyte_2_uint32(in_blk, (uint8_t const *) c->unhashed,
500 14);
501 in_blk[14] = c->num_bits_hashed[1];
502 in_blk[15] = c->num_bits_hashed[0];
503
504 } else {
505
506 /* pad unhashed data buffer with zeros and no bit count and
507 * convert to input block
508 */
509
510 memset(c->unhashed + c->unhashed_len, 0, space);
511 ntru_crypto_msbyte_2_uint32(in_blk, (uint8_t const *) c->unhashed,
512 16);
513 }
514
515 /* process last block */
516
517 sha2_blk((uint32_t const *) in_blk, c->state);
518
519 /* copy result to message digest buffer */
520
521 ntru_crypto_uint32_2_msbyte(md, c->state, 8);
522
523 /* clear context and stack variables */
524
525 memset((uint8_t *) c, 0, sizeof(NTRU_CRYPTO_SHA2_CTX));
526 space = 0;
527 memset((char *) in_blk, 0, sizeof(in_blk));
528 }
529
530 SHA_RET(SHA_OK)
531 }
532