1238384Sjkim/********************************************************************** 2238384Sjkim * gosthash.c * 3238384Sjkim * Copyright (c) 2005-2006 Cryptocom LTD * 4238384Sjkim * This file is distributed under the same license as OpenSSL * 5238384Sjkim * * 6238384Sjkim * Implementation of GOST R 34.11-94 hash function * 7238384Sjkim * uses on gost89.c and gost89.h Doesn't need OpenSSL * 8238384Sjkim **********************************************************************/ 9238384Sjkim#include <string.h> 10238384Sjkim 11238384Sjkim#include "gost89.h" 12238384Sjkim#include "gosthash.h" 13238384Sjkim 14280304Sjkim/* 15280304Sjkim * Use OPENSSL_malloc for memory allocation if compiled with 16238384Sjkim * -DOPENSSL_BUILD, and libc malloc otherwise 17238384Sjkim */ 18238384Sjkim#ifndef MYALLOC 19238384Sjkim# ifdef OPENSSL_BUILD 20238384Sjkim# include <openssl/crypto.h> 21238384Sjkim# define MYALLOC(size) OPENSSL_malloc(size) 22238384Sjkim# define MYFREE(ptr) OPENSSL_free(ptr) 23238384Sjkim# else 24238384Sjkim# define MYALLOC(size) malloc(size) 25238384Sjkim# define MYFREE(ptr) free(ptr) 26238384Sjkim# endif 27238384Sjkim#endif 28280304Sjkim/* 29280304Sjkim * Following functions are various bit meshing routines used in GOST R 30280304Sjkim * 34.11-94 algorithms 31280304Sjkim */ 32280304Sjkimstatic void swap_bytes(byte * w, byte * k) 33280304Sjkim{ 34280304Sjkim int i, j; 35280304Sjkim for (i = 0; i < 4; i++) 36280304Sjkim for (j = 0; j < 8; j++) 37280304Sjkim k[i + 4 * j] = w[8 * i + j]; 38238384Sjkim 39280304Sjkim} 40238384Sjkim 41238384Sjkim/* was A_A */ 42280304Sjkimstatic void circle_xor8(const byte * w, byte * k) 43280304Sjkim{ 44280304Sjkim byte buf[8]; 45280304Sjkim int i; 46280304Sjkim memcpy(buf, w, 8); 47280304Sjkim memmove(k, w + 8, 24); 48280304Sjkim for (i = 0; i < 8; i++) 49280304Sjkim k[i + 24] = buf[i] ^ k[i]; 50280304Sjkim} 51238384Sjkim 52238384Sjkim/* was R_R */ 53280304Sjkimstatic void transform_3(byte * data) 54280304Sjkim{ 55280304Sjkim unsigned short int acc; 56280304Sjkim acc = (data[0] ^ data[2] ^ data[4] ^ data[6] ^ data[24] ^ data[30]) | 57280304Sjkim ((data[1] ^ data[3] ^ data[5] ^ data[7] ^ data[25] ^ data[31]) << 8); 58280304Sjkim memmove(data, data + 2, 30); 59280304Sjkim data[30] = acc & 0xff; 60280304Sjkim data[31] = acc >> 8; 61280304Sjkim} 62238384Sjkim 63238384Sjkim/* Adds blocks of N bytes modulo 2**(8*n). Returns carry*/ 64280304Sjkimstatic int add_blocks(int n, byte * left, const byte * right) 65280304Sjkim{ 66280304Sjkim int i; 67280304Sjkim int carry = 0; 68280304Sjkim int sum; 69280304Sjkim for (i = 0; i < n; i++) { 70280304Sjkim sum = (int)left[i] + (int)right[i] + carry; 71280304Sjkim left[i] = sum & 0xff; 72280304Sjkim carry = sum >> 8; 73280304Sjkim } 74280304Sjkim return carry; 75280304Sjkim} 76238384Sjkim 77238384Sjkim/* Xor two sequences of bytes */ 78280304Sjkimstatic void xor_blocks(byte * result, const byte * a, const byte * b, 79280304Sjkim size_t len) 80280304Sjkim{ 81280304Sjkim size_t i; 82280304Sjkim for (i = 0; i < len; i++) 83280304Sjkim result[i] = a[i] ^ b[i]; 84280304Sjkim} 85238384Sjkim 86280304Sjkim/* 87280304Sjkim * Calculate H(i+1) = Hash(Hi,Mi) 88280304Sjkim * Where H and M are 32 bytes long 89238384Sjkim */ 90280304Sjkimstatic int hash_step(gost_ctx * c, byte * H, const byte * M) 91280304Sjkim{ 92280304Sjkim byte U[32], W[32], V[32], S[32], Key[32]; 93280304Sjkim int i; 94280304Sjkim /* Compute first key */ 95280304Sjkim xor_blocks(W, H, M, 32); 96280304Sjkim swap_bytes(W, Key); 97280304Sjkim /* Encrypt first 8 bytes of H with first key */ 98280304Sjkim gost_enc_with_key(c, Key, H, S); 99280304Sjkim /* Compute second key */ 100280304Sjkim circle_xor8(H, U); 101280304Sjkim circle_xor8(M, V); 102280304Sjkim circle_xor8(V, V); 103280304Sjkim xor_blocks(W, U, V, 32); 104280304Sjkim swap_bytes(W, Key); 105280304Sjkim /* encrypt second 8 bytes of H with second key */ 106280304Sjkim gost_enc_with_key(c, Key, H + 8, S + 8); 107280304Sjkim /* compute third key */ 108280304Sjkim circle_xor8(U, U); 109280304Sjkim U[31] = ~U[31]; 110280304Sjkim U[29] = ~U[29]; 111280304Sjkim U[28] = ~U[28]; 112280304Sjkim U[24] = ~U[24]; 113280304Sjkim U[23] = ~U[23]; 114280304Sjkim U[20] = ~U[20]; 115280304Sjkim U[18] = ~U[18]; 116280304Sjkim U[17] = ~U[17]; 117280304Sjkim U[14] = ~U[14]; 118280304Sjkim U[12] = ~U[12]; 119280304Sjkim U[10] = ~U[10]; 120280304Sjkim U[8] = ~U[8]; 121280304Sjkim U[7] = ~U[7]; 122280304Sjkim U[5] = ~U[5]; 123280304Sjkim U[3] = ~U[3]; 124280304Sjkim U[1] = ~U[1]; 125280304Sjkim circle_xor8(V, V); 126280304Sjkim circle_xor8(V, V); 127280304Sjkim xor_blocks(W, U, V, 32); 128280304Sjkim swap_bytes(W, Key); 129280304Sjkim /* encrypt third 8 bytes of H with third key */ 130280304Sjkim gost_enc_with_key(c, Key, H + 16, S + 16); 131280304Sjkim /* Compute fourth key */ 132280304Sjkim circle_xor8(U, U); 133280304Sjkim circle_xor8(V, V); 134280304Sjkim circle_xor8(V, V); 135280304Sjkim xor_blocks(W, U, V, 32); 136280304Sjkim swap_bytes(W, Key); 137280304Sjkim /* Encrypt last 8 bytes with fourth key */ 138280304Sjkim gost_enc_with_key(c, Key, H + 24, S + 24); 139280304Sjkim for (i = 0; i < 12; i++) 140280304Sjkim transform_3(S); 141280304Sjkim xor_blocks(S, S, M, 32); 142280304Sjkim transform_3(S); 143280304Sjkim xor_blocks(S, S, H, 32); 144280304Sjkim for (i = 0; i < 61; i++) 145280304Sjkim transform_3(S); 146280304Sjkim memcpy(H, S, 32); 147280304Sjkim return 1; 148280304Sjkim} 149238384Sjkim 150280304Sjkim/* 151280304Sjkim * Initialize gost_hash ctx - cleans up temporary structures and set up 152280304Sjkim * substitution blocks 153238384Sjkim */ 154280304Sjkimint init_gost_hash_ctx(gost_hash_ctx * ctx, 155280304Sjkim const gost_subst_block * subst_block) 156280304Sjkim{ 157280304Sjkim memset(ctx, 0, sizeof(gost_hash_ctx)); 158280304Sjkim ctx->cipher_ctx = (gost_ctx *) MYALLOC(sizeof(gost_ctx)); 159280304Sjkim if (!ctx->cipher_ctx) { 160280304Sjkim return 0; 161280304Sjkim } 162280304Sjkim gost_init(ctx->cipher_ctx, subst_block); 163280304Sjkim return 1; 164280304Sjkim} 165238384Sjkim 166238384Sjkim/* 167238384Sjkim * Free cipher CTX if it is dynamically allocated. Do not use 168238384Sjkim * if cipher ctx is statically allocated as in OpenSSL implementation of 169238384Sjkim * GOST hash algroritm 170238384Sjkim * 171280304Sjkim */ 172280304Sjkimvoid done_gost_hash_ctx(gost_hash_ctx * ctx) 173280304Sjkim{ 174280304Sjkim /* 175280304Sjkim * No need to use gost_destroy, because cipher keys are not really secret 176280304Sjkim * when hashing 177280304Sjkim */ 178280304Sjkim MYFREE(ctx->cipher_ctx); 179280304Sjkim} 180238384Sjkim 181238384Sjkim/* 182238384Sjkim * reset state of hash context to begin hashing new message 183238384Sjkim */ 184280304Sjkimint start_hash(gost_hash_ctx * ctx) 185280304Sjkim{ 186280304Sjkim if (!ctx->cipher_ctx) 187280304Sjkim return 0; 188280304Sjkim memset(&(ctx->H), 0, 32); 189280304Sjkim memset(&(ctx->S), 0, 32); 190280304Sjkim ctx->len = 0L; 191280304Sjkim ctx->left = 0; 192280304Sjkim return 1; 193280304Sjkim} 194238384Sjkim 195238384Sjkim/* 196238384Sjkim * Hash block of arbitrary length 197238384Sjkim * 198238384Sjkim * 199238384Sjkim */ 200280304Sjkimint hash_block(gost_hash_ctx * ctx, const byte * block, size_t length) 201280304Sjkim{ 202280304Sjkim if (ctx->left) { 203280304Sjkim /* 204280304Sjkim * There are some bytes from previous step 205280304Sjkim */ 206280304Sjkim unsigned int add_bytes = 32 - ctx->left; 207280304Sjkim if (add_bytes > length) { 208280304Sjkim add_bytes = length; 209280304Sjkim } 210280304Sjkim memcpy(&(ctx->remainder[ctx->left]), block, add_bytes); 211280304Sjkim ctx->left += add_bytes; 212280304Sjkim if (ctx->left < 32) { 213280304Sjkim return 1; 214280304Sjkim } 215280304Sjkim block += add_bytes; 216280304Sjkim length -= add_bytes; 217280304Sjkim hash_step(ctx->cipher_ctx, ctx->H, ctx->remainder); 218280304Sjkim add_blocks(32, ctx->S, ctx->remainder); 219280304Sjkim ctx->len += 32; 220280304Sjkim ctx->left = 0; 221280304Sjkim } 222280304Sjkim while (length >= 32) { 223280304Sjkim hash_step(ctx->cipher_ctx, ctx->H, block); 224238384Sjkim 225280304Sjkim add_blocks(32, ctx->S, block); 226280304Sjkim ctx->len += 32; 227280304Sjkim block += 32; 228280304Sjkim length -= 32; 229280304Sjkim } 230280304Sjkim if (length) { 231280304Sjkim memcpy(ctx->remainder, block, ctx->left = length); 232280304Sjkim } 233280304Sjkim return 1; 234280304Sjkim} 235280304Sjkim 236238384Sjkim/* 237238384Sjkim * Compute hash value from current state of ctx 238238384Sjkim * state of hash ctx becomes invalid and cannot be used for further 239238384Sjkim * hashing. 240280304Sjkim */ 241280304Sjkimint finish_hash(gost_hash_ctx * ctx, byte * hashval) 242280304Sjkim{ 243280304Sjkim byte buf[32]; 244280304Sjkim byte H[32]; 245280304Sjkim byte S[32]; 246280304Sjkim ghosthash_len fin_len = ctx->len; 247280304Sjkim byte *bptr; 248280304Sjkim memcpy(H, ctx->H, 32); 249280304Sjkim memcpy(S, ctx->S, 32); 250280304Sjkim if (ctx->left) { 251280304Sjkim memset(buf, 0, 32); 252280304Sjkim memcpy(buf, ctx->remainder, ctx->left); 253280304Sjkim hash_step(ctx->cipher_ctx, H, buf); 254280304Sjkim add_blocks(32, S, buf); 255280304Sjkim fin_len += ctx->left; 256280304Sjkim } 257280304Sjkim memset(buf, 0, 32); 258280304Sjkim bptr = buf; 259280304Sjkim fin_len <<= 3; /* Hash length in BITS!! */ 260280304Sjkim while (fin_len > 0) { 261280304Sjkim *(bptr++) = (byte) (fin_len & 0xFF); 262280304Sjkim fin_len >>= 8; 263280304Sjkim }; 264280304Sjkim hash_step(ctx->cipher_ctx, H, buf); 265280304Sjkim hash_step(ctx->cipher_ctx, H, S); 266280304Sjkim memcpy(hashval, H, 32); 267280304Sjkim return 1; 268280304Sjkim} 269