1/********************************************************************** 2 * gosthash.c * 3 * Copyright (c) 2005-2006 Cryptocom LTD * 4 * This file is distributed under the same license as OpenSSL * 5 * * 6 * Implementation of GOST R 34.11-94 hash function * 7 * uses on gost89.c and gost89.h Doesn't need OpenSSL * 8 **********************************************************************/ 9#include <string.h> 10 11#include "gost89.h" 12#include "gosthash.h" 13 14/* 15 * Use OPENSSL_malloc for memory allocation if compiled with 16 * -DOPENSSL_BUILD, and libc malloc otherwise 17 */ 18#ifndef MYALLOC 19# ifdef OPENSSL_BUILD 20# include <openssl/crypto.h> 21# define MYALLOC(size) OPENSSL_malloc(size) 22# define MYFREE(ptr) OPENSSL_free(ptr) 23# else 24# define MYALLOC(size) malloc(size) 25# define MYFREE(ptr) free(ptr) 26# endif 27#endif 28/* 29 * Following functions are various bit meshing routines used in GOST R 30 * 34.11-94 algorithms 31 */ 32static void swap_bytes(byte * w, byte * k) 33{ 34 int i, j; 35 for (i = 0; i < 4; i++) 36 for (j = 0; j < 8; j++) 37 k[i + 4 * j] = w[8 * i + j]; 38 39} 40 41/* was A_A */ 42static void circle_xor8(const byte * w, byte * k) 43{ 44 byte buf[8]; 45 int i; 46 memcpy(buf, w, 8); 47 memmove(k, w + 8, 24); 48 for (i = 0; i < 8; i++) 49 k[i + 24] = buf[i] ^ k[i]; 50} 51 52/* was R_R */ 53static void transform_3(byte * data) 54{ 55 unsigned short int acc; 56 acc = (data[0] ^ data[2] ^ data[4] ^ data[6] ^ data[24] ^ data[30]) | 57 ((data[1] ^ data[3] ^ data[5] ^ data[7] ^ data[25] ^ data[31]) << 8); 58 memmove(data, data + 2, 30); 59 data[30] = acc & 0xff; 60 data[31] = acc >> 8; 61} 62 63/* Adds blocks of N bytes modulo 2**(8*n). Returns carry*/ 64static int add_blocks(int n, byte * left, const byte * right) 65{ 66 int i; 67 int carry = 0; 68 int sum; 69 for (i = 0; i < n; i++) { 70 sum = (int)left[i] + (int)right[i] + carry; 71 left[i] = sum & 0xff; 72 carry = sum >> 8; 73 } 74 return carry; 75} 76 77/* Xor two sequences of bytes */ 78static void xor_blocks(byte * result, const byte * a, const byte * b, 79 size_t len) 80{ 81 size_t i; 82 for (i = 0; i < len; i++) 83 result[i] = a[i] ^ b[i]; 84} 85 86/* 87 * Calculate H(i+1) = Hash(Hi,Mi) 88 * Where H and M are 32 bytes long 89 */ 90static int hash_step(gost_ctx * c, byte * H, const byte * M) 91{ 92 byte U[32], W[32], V[32], S[32], Key[32]; 93 int i; 94 /* Compute first key */ 95 xor_blocks(W, H, M, 32); 96 swap_bytes(W, Key); 97 /* Encrypt first 8 bytes of H with first key */ 98 gost_enc_with_key(c, Key, H, S); 99 /* Compute second key */ 100 circle_xor8(H, U); 101 circle_xor8(M, V); 102 circle_xor8(V, V); 103 xor_blocks(W, U, V, 32); 104 swap_bytes(W, Key); 105 /* encrypt second 8 bytes of H with second key */ 106 gost_enc_with_key(c, Key, H + 8, S + 8); 107 /* compute third key */ 108 circle_xor8(U, U); 109 U[31] = ~U[31]; 110 U[29] = ~U[29]; 111 U[28] = ~U[28]; 112 U[24] = ~U[24]; 113 U[23] = ~U[23]; 114 U[20] = ~U[20]; 115 U[18] = ~U[18]; 116 U[17] = ~U[17]; 117 U[14] = ~U[14]; 118 U[12] = ~U[12]; 119 U[10] = ~U[10]; 120 U[8] = ~U[8]; 121 U[7] = ~U[7]; 122 U[5] = ~U[5]; 123 U[3] = ~U[3]; 124 U[1] = ~U[1]; 125 circle_xor8(V, V); 126 circle_xor8(V, V); 127 xor_blocks(W, U, V, 32); 128 swap_bytes(W, Key); 129 /* encrypt third 8 bytes of H with third key */ 130 gost_enc_with_key(c, Key, H + 16, S + 16); 131 /* Compute fourth key */ 132 circle_xor8(U, U); 133 circle_xor8(V, V); 134 circle_xor8(V, V); 135 xor_blocks(W, U, V, 32); 136 swap_bytes(W, Key); 137 /* Encrypt last 8 bytes with fourth key */ 138 gost_enc_with_key(c, Key, H + 24, S + 24); 139 for (i = 0; i < 12; i++) 140 transform_3(S); 141 xor_blocks(S, S, M, 32); 142 transform_3(S); 143 xor_blocks(S, S, H, 32); 144 for (i = 0; i < 61; i++) 145 transform_3(S); 146 memcpy(H, S, 32); 147 return 1; 148} 149 150/* 151 * Initialize gost_hash ctx - cleans up temporary structures and set up 152 * substitution blocks 153 */ 154int init_gost_hash_ctx(gost_hash_ctx * ctx, 155 const gost_subst_block * subst_block) 156{ 157 memset(ctx, 0, sizeof(gost_hash_ctx)); 158 ctx->cipher_ctx = (gost_ctx *) MYALLOC(sizeof(gost_ctx)); 159 if (!ctx->cipher_ctx) { 160 return 0; 161 } 162 gost_init(ctx->cipher_ctx, subst_block); 163 return 1; 164} 165 166/* 167 * Free cipher CTX if it is dynamically allocated. Do not use 168 * if cipher ctx is statically allocated as in OpenSSL implementation of 169 * GOST hash algroritm 170 * 171 */ 172void done_gost_hash_ctx(gost_hash_ctx * ctx) 173{ 174 /* 175 * No need to use gost_destroy, because cipher keys are not really secret 176 * when hashing 177 */ 178 MYFREE(ctx->cipher_ctx); 179} 180 181/* 182 * reset state of hash context to begin hashing new message 183 */ 184int start_hash(gost_hash_ctx * ctx) 185{ 186 if (!ctx->cipher_ctx) 187 return 0; 188 memset(&(ctx->H), 0, 32); 189 memset(&(ctx->S), 0, 32); 190 ctx->len = 0L; 191 ctx->left = 0; 192 return 1; 193} 194 195/* 196 * Hash block of arbitrary length 197 * 198 * 199 */ 200int hash_block(gost_hash_ctx * ctx, const byte * block, size_t length) 201{ 202 if (ctx->left) { 203 /* 204 * There are some bytes from previous step 205 */ 206 unsigned int add_bytes = 32 - ctx->left; 207 if (add_bytes > length) { 208 add_bytes = length; 209 } 210 memcpy(&(ctx->remainder[ctx->left]), block, add_bytes); 211 ctx->left += add_bytes; 212 if (ctx->left < 32) { 213 return 1; 214 } 215 block += add_bytes; 216 length -= add_bytes; 217 hash_step(ctx->cipher_ctx, ctx->H, ctx->remainder); 218 add_blocks(32, ctx->S, ctx->remainder); 219 ctx->len += 32; 220 ctx->left = 0; 221 } 222 while (length >= 32) { 223 hash_step(ctx->cipher_ctx, ctx->H, block); 224 225 add_blocks(32, ctx->S, block); 226 ctx->len += 32; 227 block += 32; 228 length -= 32; 229 } 230 if (length) { 231 memcpy(ctx->remainder, block, ctx->left = length); 232 } 233 return 1; 234} 235 236/* 237 * Compute hash value from current state of ctx 238 * state of hash ctx becomes invalid and cannot be used for further 239 * hashing. 240 */ 241int finish_hash(gost_hash_ctx * ctx, byte * hashval) 242{ 243 byte buf[32]; 244 byte H[32]; 245 byte S[32]; 246 ghosthash_len fin_len = ctx->len; 247 byte *bptr; 248 memcpy(H, ctx->H, 32); 249 memcpy(S, ctx->S, 32); 250 if (ctx->left) { 251 memset(buf, 0, 32); 252 memcpy(buf, ctx->remainder, ctx->left); 253 hash_step(ctx->cipher_ctx, H, buf); 254 add_blocks(32, S, buf); 255 fin_len += ctx->left; 256 } 257 memset(buf, 0, 32); 258 bptr = buf; 259 fin_len <<= 3; /* Hash length in BITS!! */ 260 while (fin_len > 0) { 261 *(bptr++) = (byte) (fin_len & 0xFF); 262 fin_len >>= 8; 263 }; 264 hash_step(ctx->cipher_ctx, H, buf); 265 hash_step(ctx->cipher_ctx, H, S); 266 memcpy(hashval, H, 32); 267 return 1; 268} 269