gosthash.c revision 296341 
1/**********************************************************************
2 *                          gosthash.c                                *
3 *             Copyright (c) 2005-2006 Cryptocom LTD                  *
4 *         This file is distributed under the same license as OpenSSL *
5 *                                                                    *
6 *    Implementation of GOST R 34.11-94 hash function                 *
7 *       uses on gost89.c and gost89.h Doesn't need OpenSSL           *
8 **********************************************************************/
9#include <string.h>
10
11#include "gost89.h"
12#include "gosthash.h"
13
14/*
15 * Use OPENSSL_malloc for memory allocation if compiled with
16 * -DOPENSSL_BUILD, and libc malloc otherwise
17 */
18#ifndef MYALLOC
19# ifdef OPENSSL_BUILD
20#  include <openssl/crypto.h>
21#  define MYALLOC(size) OPENSSL_malloc(size)
22#  define MYFREE(ptr) OPENSSL_free(ptr)
23# else
24#  define MYALLOC(size) malloc(size)
25#  define MYFREE(ptr) free(ptr)
26# endif
27#endif
28/*
29 * Following functions are various bit meshing routines used in GOST R
30 * 34.11-94 algorithms
31 */
32static void swap_bytes(byte * w, byte * k)
33{
34    int i, j;
35    for (i = 0; i < 4; i++)
36        for (j = 0; j < 8; j++)
37            k[i + 4 * j] = w[8 * i + j];
38
39}
40
41/* was A_A */
42static void circle_xor8(const byte * w, byte * k)
43{
44    byte buf[8];
45    int i;
46    memcpy(buf, w, 8);
47    memmove(k, w + 8, 24);
48    for (i = 0; i < 8; i++)
49        k[i + 24] = buf[i] ^ k[i];
50}
51
52/* was R_R */
53static void transform_3(byte * data)
54{
55    unsigned short int acc;
56    acc = (data[0] ^ data[2] ^ data[4] ^ data[6] ^ data[24] ^ data[30]) |
57        ((data[1] ^ data[3] ^ data[5] ^ data[7] ^ data[25] ^ data[31]) << 8);
58    memmove(data, data + 2, 30);
59    data[30] = acc & 0xff;
60    data[31] = acc >> 8;
61}
62
63/* Adds blocks of N bytes modulo 2**(8*n). Returns carry*/
64static int add_blocks(int n, byte * left, const byte * right)
65{
66    int i;
67    int carry = 0;
68    int sum;
69    for (i = 0; i < n; i++) {
70        sum = (int)left[i] + (int)right[i] + carry;
71        left[i] = sum & 0xff;
72        carry = sum >> 8;
73    }
74    return carry;
75}
76
77/* Xor two sequences of bytes */
78static void xor_blocks(byte * result, const byte * a, const byte * b,
79                       size_t len)
80{
81    size_t i;
82    for (i = 0; i < len; i++)
83        result[i] = a[i] ^ b[i];
84}
85
86/*
87 *      Calculate H(i+1) = Hash(Hi,Mi)
88 *      Where H and M are 32 bytes long
89 */
90static int hash_step(gost_ctx * c, byte * H, const byte * M)
91{
92    byte U[32], W[32], V[32], S[32], Key[32];
93    int i;
94    /* Compute first key */
95    xor_blocks(W, H, M, 32);
96    swap_bytes(W, Key);
97    /* Encrypt first 8 bytes of H with first key */
98    gost_enc_with_key(c, Key, H, S);
99    /* Compute second key */
100    circle_xor8(H, U);
101    circle_xor8(M, V);
102    circle_xor8(V, V);
103    xor_blocks(W, U, V, 32);
104    swap_bytes(W, Key);
105    /* encrypt second 8 bytes of H with second key */
106    gost_enc_with_key(c, Key, H + 8, S + 8);
107    /* compute third key */
108    circle_xor8(U, U);
109    U[31] = ~U[31];
110    U[29] = ~U[29];
111    U[28] = ~U[28];
112    U[24] = ~U[24];
113    U[23] = ~U[23];
114    U[20] = ~U[20];
115    U[18] = ~U[18];
116    U[17] = ~U[17];
117    U[14] = ~U[14];
118    U[12] = ~U[12];
119    U[10] = ~U[10];
120    U[8] = ~U[8];
121    U[7] = ~U[7];
122    U[5] = ~U[5];
123    U[3] = ~U[3];
124    U[1] = ~U[1];
125    circle_xor8(V, V);
126    circle_xor8(V, V);
127    xor_blocks(W, U, V, 32);
128    swap_bytes(W, Key);
129    /* encrypt third 8 bytes of H with third key */
130    gost_enc_with_key(c, Key, H + 16, S + 16);
131    /* Compute fourth key */
132    circle_xor8(U, U);
133    circle_xor8(V, V);
134    circle_xor8(V, V);
135    xor_blocks(W, U, V, 32);
136    swap_bytes(W, Key);
137    /* Encrypt last 8 bytes with fourth key */
138    gost_enc_with_key(c, Key, H + 24, S + 24);
139    for (i = 0; i < 12; i++)
140        transform_3(S);
141    xor_blocks(S, S, M, 32);
142    transform_3(S);
143    xor_blocks(S, S, H, 32);
144    for (i = 0; i < 61; i++)
145        transform_3(S);
146    memcpy(H, S, 32);
147    return 1;
148}
149
150/*
151 * Initialize gost_hash ctx - cleans up temporary structures and set up
152 * substitution blocks
153 */
154int init_gost_hash_ctx(gost_hash_ctx * ctx,
155                       const gost_subst_block * subst_block)
156{
157    memset(ctx, 0, sizeof(gost_hash_ctx));
158    ctx->cipher_ctx = (gost_ctx *) MYALLOC(sizeof(gost_ctx));
159    if (!ctx->cipher_ctx) {
160        return 0;
161    }
162    gost_init(ctx->cipher_ctx, subst_block);
163    return 1;
164}
165
166/*
167 * Free cipher CTX if it is dynamically allocated. Do not use
168 * if cipher ctx is statically allocated as in OpenSSL implementation of
169 * GOST hash algroritm
170 *
171 */
172void done_gost_hash_ctx(gost_hash_ctx * ctx)
173{
174    /*
175     * No need to use gost_destroy, because cipher keys are not really secret
176     * when hashing
177     */
178    MYFREE(ctx->cipher_ctx);
179}
180
181/*
182 * reset state of hash context to begin hashing new message
183 */
184int start_hash(gost_hash_ctx * ctx)
185{
186    if (!ctx->cipher_ctx)
187        return 0;
188    memset(&(ctx->H), 0, 32);
189    memset(&(ctx->S), 0, 32);
190    ctx->len = 0L;
191    ctx->left = 0;
192    return 1;
193}
194
195/*
196 * Hash block of arbitrary length
197 *
198 *
199 */
200int hash_block(gost_hash_ctx * ctx, const byte * block, size_t length)
201{
202    if (ctx->left) {
203        /*
204         * There are some bytes from previous step
205         */
206        unsigned int add_bytes = 32 - ctx->left;
207        if (add_bytes > length) {
208            add_bytes = length;
209        }
210        memcpy(&(ctx->remainder[ctx->left]), block, add_bytes);
211        ctx->left += add_bytes;
212        if (ctx->left < 32) {
213            return 1;
214        }
215        block += add_bytes;
216        length -= add_bytes;
217        hash_step(ctx->cipher_ctx, ctx->H, ctx->remainder);
218        add_blocks(32, ctx->S, ctx->remainder);
219        ctx->len += 32;
220        ctx->left = 0;
221    }
222    while (length >= 32) {
223        hash_step(ctx->cipher_ctx, ctx->H, block);
224
225        add_blocks(32, ctx->S, block);
226        ctx->len += 32;
227        block += 32;
228        length -= 32;
229    }
230    if (length) {
231        memcpy(ctx->remainder, block, ctx->left = length);
232    }
233    return 1;
234}
235
236/*
237 * Compute hash value from current state of ctx
238 * state of hash ctx becomes invalid and cannot be used for further
239 * hashing.
240 */
241int finish_hash(gost_hash_ctx * ctx, byte * hashval)
242{
243    byte buf[32];
244    byte H[32];
245    byte S[32];
246    ghosthash_len fin_len = ctx->len;
247    byte *bptr;
248    memcpy(H, ctx->H, 32);
249    memcpy(S, ctx->S, 32);
250    if (ctx->left) {
251        memset(buf, 0, 32);
252        memcpy(buf, ctx->remainder, ctx->left);
253        hash_step(ctx->cipher_ctx, H, buf);
254        add_blocks(32, S, buf);
255        fin_len += ctx->left;
256    }
257    memset(buf, 0, 32);
258    bptr = buf;
259    fin_len <<= 3;              /* Hash length in BITS!! */
260    while (fin_len > 0) {
261        *(bptr++) = (byte) (fin_len & 0xFF);
262        fin_len >>= 8;
263    };
264    hash_step(ctx->cipher_ctx, H, buf);
265    hash_step(ctx->cipher_ctx, H, S);
266    memcpy(hashval, H, 32);
267    return 1;
268}
269