Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / openssh / 6bc5a24ac867bfdc3ed615589d69ac640f51674b / . / xmss_hash.c
blob: b9eee7cff293f7d21c6a226eda054ed19b7bae24 [file] [log] [blame]
dtucker@openbsd.org27b9f392018-02-26 03:56:44 +0000[diff] [blame]1/* $OpenBSD: xmss_hash.c,v 1.2 2018/02/26 03:56:44 dtucker Exp $ */
markus@openbsd.org1b11ea72018-02-23 15:58:37 +0000[diff] [blame]2/*
3hash.c version 20160722
4Andreas Hülsing
5Joost Rijneveld
6Public domain.
7*/
8
Damien Millerf8854742018-02-26 12:18:14 +1100[diff] [blame]9#include "includes.h"
Darren Tucker941e0d32018-02-28 19:59:35 +1100[diff] [blame]10#ifdef WITH_XMSS
Damien Millerf8854742018-02-26 12:18:14 +1100[diff] [blame]11
markus@openbsd.org1b11ea72018-02-23 15:58:37 +0000[diff] [blame]12#include "xmss_hash_address.h"
13#include "xmss_commons.h"
14#include "xmss_hash.h"
15
16#include <stddef.h>
Darren Tuckerc7ef4a32018-02-26 17:42:56 +1100[diff] [blame]17#ifdef HAVE_STDINT_H
markus@openbsd.org1b11ea72018-02-23 15:58:37 +0000[diff] [blame]18#include <stdint.h>
Darren Tuckerc7ef4a32018-02-26 17:42:56 +1100[diff] [blame]19#endif
markus@openbsd.org1b11ea72018-02-23 15:58:37 +0000[diff] [blame]20#include <stdio.h>
21#include <string.h>
22#include <openssl/sha.h>
23#include <openssl/hmac.h>
24#include <openssl/evp.h>
25
26int core_hash_SHA2(unsigned char *, const unsigned int, const unsigned char *,
27 unsigned int, const unsigned char *, unsigned long long, unsigned int);
28
29unsigned char* addr_to_byte(unsigned char *bytes, const uint32_t addr[8]){
30#if IS_LITTLE_ENDIAN==1
31 int i = 0;
32 for(i=0;i<8;i++)
33 to_byte(bytes+i*4, addr[i],4);
34 return bytes;
35#else
36 memcpy(bytes, addr, 32);
37 return bytes;
38#endif
39}
40
41int core_hash_SHA2(unsigned char *out, const unsigned int type, const unsigned char *key, unsigned int keylen, const unsigned char *in, unsigned long long inlen, unsigned int n){
42 unsigned long long i = 0;
43 unsigned char buf[inlen + n + keylen];
44
45 // Input is (toByte(X, 32) || KEY || M)
46
47 // set toByte
48 to_byte(buf, type, n);
49
50 for (i=0; i < keylen; i++) {
51 buf[i+n] = key[i];
52 }
53
54 for (i=0; i < inlen; i++) {
55 buf[keylen + n + i] = in[i];
56 }
57
58 if (n == 32) {
59 SHA256(buf, inlen + keylen + n, out);
60 return 0;
61 }
62 else {
63 if (n == 64) {
64 SHA512(buf, inlen + keylen + n, out);
65 return 0;
66 }
67 }
68 return 1;
69}
70
71/**
72 * Implements PRF
73 */
74int prf(unsigned char *out, const unsigned char *in, const unsigned char *key, unsigned int keylen)
75{
76 return core_hash_SHA2(out, 3, key, keylen, in, 32, keylen);
77}
78
79/*
80 * Implemts H_msg
81 */
82int h_msg(unsigned char *out, const unsigned char *in, unsigned long long inlen, const unsigned char *key, const unsigned int keylen, const unsigned int n)
83{
84 if (keylen != 3*n){
85 // H_msg takes 3n-bit keys, but n does not match the keylength of keylen
86 return -1;
87 }
88 return core_hash_SHA2(out, 2, key, keylen, in, inlen, n);
89}
90
91/**
92 * We assume the left half is in in[0]...in[n-1]
93 */
94int hash_h(unsigned char *out, const unsigned char *in, const unsigned char *pub_seed, uint32_t addr[8], const unsigned int n)
95{
96
97 unsigned char buf[2*n];
98 unsigned char key[n];
99 unsigned char bitmask[2*n];
100 unsigned char byte_addr[32];
101 unsigned int i;
102
103 setKeyAndMask(addr, 0);
104 addr_to_byte(byte_addr, addr);
105 prf(key, byte_addr, pub_seed, n);
106 // Use MSB order
107 setKeyAndMask(addr, 1);
108 addr_to_byte(byte_addr, addr);
109 prf(bitmask, byte_addr, pub_seed, n);
110 setKeyAndMask(addr, 2);
111 addr_to_byte(byte_addr, addr);
112 prf(bitmask+n, byte_addr, pub_seed, n);
113 for (i = 0; i < 2*n; i++) {
114 buf[i] = in[i] ^ bitmask[i];
115 }
116 return core_hash_SHA2(out, 1, key, n, buf, 2*n, n);
117}
118
119int hash_f(unsigned char *out, const unsigned char *in, const unsigned char *pub_seed, uint32_t addr[8], const unsigned int n)
120{
121 unsigned char buf[n];
122 unsigned char key[n];
123 unsigned char bitmask[n];
124 unsigned char byte_addr[32];
125 unsigned int i;
126
127 setKeyAndMask(addr, 0);
128 addr_to_byte(byte_addr, addr);
129 prf(key, byte_addr, pub_seed, n);
130
131 setKeyAndMask(addr, 1);
132 addr_to_byte(byte_addr, addr);
133 prf(bitmask, byte_addr, pub_seed, n);
134
135 for (i = 0; i < n; i++) {
136 buf[i] = in[i] ^ bitmask[i];
137 }
138 return core_hash_SHA2(out, 0, key, n, buf, n, n);
139}
Darren Tuckera10d8552018-02-27 14:45:17 +1100[diff] [blame]140#endif /* WITH_XMSS */