wp_dgst.c 8.6 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264
  1. /*
  2. * Copyright 2005-2020 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. /**
  10. * The Whirlpool hashing function.
  11. *
  12. * See
  13. * P.S.L.M. Barreto, V. Rijmen,
  14. * ``The Whirlpool hashing function,''
  15. * NESSIE submission, 2000 (tweaked version, 2001),
  16. * <https://www.cosic.esat.kuleuven.ac.be/nessie/workshop/submissions/whirlpool.zip>
  17. *
  18. * Based on "@version 3.0 (2003.03.12)" by Paulo S.L.M. Barreto and
  19. * Vincent Rijmen. Lookup "reference implementations" on
  20. * <http://planeta.terra.com.br/informatica/paulobarreto/>
  21. *
  22. * =============================================================================
  23. *
  24. * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
  25. * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
  26. * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  27. * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
  28. * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
  29. * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
  30. * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
  31. * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
  32. * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
  33. * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
  34. * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  35. *
  36. */
  37. /*
  38. * OpenSSL-specific implementation notes.
  39. *
  40. * WHIRLPOOL_Update as well as one-stroke WHIRLPOOL both expect
  41. * number of *bytes* as input length argument. Bit-oriented routine
  42. * as specified by authors is called WHIRLPOOL_BitUpdate[!] and
  43. * does not have one-stroke counterpart.
  44. *
  45. * WHIRLPOOL_BitUpdate implements byte-oriented loop, essentially
  46. * to serve WHIRLPOOL_Update. This is done for performance.
  47. *
  48. * Unlike authors' reference implementation, block processing
  49. * routine whirlpool_block is designed to operate on multi-block
  50. * input. This is done for performance.
  51. */
  52. /*
  53. * Whirlpool low level APIs are deprecated for public use, but still ok for
  54. * internal use.
  55. */
  56. #include "internal/deprecated.h"
  57. #include <openssl/crypto.h>
  58. #include "wp_local.h"
  59. #include <string.h>
  60. int WHIRLPOOL_Init(WHIRLPOOL_CTX *c)
  61. {
  62. memset(c, 0, sizeof(*c));
  63. return 1;
  64. }
  65. int WHIRLPOOL_Update(WHIRLPOOL_CTX *c, const void *_inp, size_t bytes)
  66. {
  67. /*
  68. * Well, largest suitable chunk size actually is
  69. * (1<<(sizeof(size_t)*8-3))-64, but below number is large enough for not
  70. * to care about excessive calls to WHIRLPOOL_BitUpdate...
  71. */
  72. size_t chunk = ((size_t)1) << (sizeof(size_t) * 8 - 4);
  73. const unsigned char *inp = _inp;
  74. while (bytes >= chunk) {
  75. WHIRLPOOL_BitUpdate(c, inp, chunk * 8);
  76. bytes -= chunk;
  77. inp += chunk;
  78. }
  79. if (bytes)
  80. WHIRLPOOL_BitUpdate(c, inp, bytes * 8);
  81. return 1;
  82. }
  83. void WHIRLPOOL_BitUpdate(WHIRLPOOL_CTX *c, const void *_inp, size_t bits)
  84. {
  85. size_t n;
  86. unsigned int bitoff = c->bitoff,
  87. bitrem = bitoff % 8, inpgap = (8 - (unsigned int)bits % 8) & 7;
  88. const unsigned char *inp = _inp;
  89. /*
  90. * This 256-bit increment procedure relies on the size_t being natural
  91. * size of CPU register, so that we don't have to mask the value in order
  92. * to detect overflows.
  93. */
  94. c->bitlen[0] += bits;
  95. if (c->bitlen[0] < bits) { /* overflow */
  96. n = 1;
  97. do {
  98. c->bitlen[n]++;
  99. } while (c->bitlen[n] == 0
  100. && ++n < (WHIRLPOOL_COUNTER / sizeof(size_t)));
  101. }
  102. #ifndef OPENSSL_SMALL_FOOTPRINT
  103. reconsider:
  104. if (inpgap == 0 && bitrem == 0) { /* byte-oriented loop */
  105. while (bits) {
  106. if (bitoff == 0 && (n = bits / WHIRLPOOL_BBLOCK)) {
  107. whirlpool_block(c, inp, n);
  108. inp += n * WHIRLPOOL_BBLOCK / 8;
  109. bits %= WHIRLPOOL_BBLOCK;
  110. } else {
  111. unsigned int byteoff = bitoff / 8;
  112. bitrem = WHIRLPOOL_BBLOCK - bitoff; /* re-use bitrem */
  113. if (bits >= bitrem) {
  114. bits -= bitrem;
  115. bitrem /= 8;
  116. memcpy(c->data + byteoff, inp, bitrem);
  117. inp += bitrem;
  118. whirlpool_block(c, c->data, 1);
  119. bitoff = 0;
  120. } else {
  121. memcpy(c->data + byteoff, inp, bits / 8);
  122. bitoff += (unsigned int)bits;
  123. bits = 0;
  124. }
  125. c->bitoff = bitoff;
  126. }
  127. }
  128. } else /* bit-oriented loop */
  129. #endif
  130. {
  131. /*-
  132. inp
  133. |
  134. +-------+-------+-------
  135. |||||||||||||||||||||
  136. +-------+-------+-------
  137. +-------+-------+-------+-------+-------
  138. |||||||||||||| c->data
  139. +-------+-------+-------+-------+-------
  140. |
  141. c->bitoff/8
  142. */
  143. while (bits) {
  144. unsigned int byteoff = bitoff / 8;
  145. unsigned char b;
  146. #ifndef OPENSSL_SMALL_FOOTPRINT
  147. if (bitrem == inpgap) {
  148. c->data[byteoff++] |= inp[0] & (0xff >> inpgap);
  149. inpgap = 8 - inpgap;
  150. bitoff += inpgap;
  151. bitrem = 0; /* bitoff%8 */
  152. bits -= inpgap;
  153. inpgap = 0; /* bits%8 */
  154. inp++;
  155. if (bitoff == WHIRLPOOL_BBLOCK) {
  156. whirlpool_block(c, c->data, 1);
  157. bitoff = 0;
  158. }
  159. c->bitoff = bitoff;
  160. goto reconsider;
  161. } else
  162. #endif
  163. if (bits > 8) {
  164. b = ((inp[0] << inpgap) | (inp[1] >> (8 - inpgap)));
  165. b &= 0xff;
  166. if (bitrem)
  167. c->data[byteoff++] |= b >> bitrem;
  168. else
  169. c->data[byteoff++] = b;
  170. bitoff += 8;
  171. bits -= 8;
  172. inp++;
  173. if (bitoff >= WHIRLPOOL_BBLOCK) {
  174. whirlpool_block(c, c->data, 1);
  175. byteoff = 0;
  176. bitoff %= WHIRLPOOL_BBLOCK;
  177. }
  178. if (bitrem)
  179. c->data[byteoff] = b << (8 - bitrem);
  180. } else { /* remaining less than or equal to 8 bits */
  181. b = (inp[0] << inpgap) & 0xff;
  182. if (bitrem)
  183. c->data[byteoff++] |= b >> bitrem;
  184. else
  185. c->data[byteoff++] = b;
  186. bitoff += (unsigned int)bits;
  187. if (bitoff == WHIRLPOOL_BBLOCK) {
  188. whirlpool_block(c, c->data, 1);
  189. byteoff = 0;
  190. bitoff %= WHIRLPOOL_BBLOCK;
  191. }
  192. if (bitrem)
  193. c->data[byteoff] = b << (8 - bitrem);
  194. bits = 0;
  195. }
  196. c->bitoff = bitoff;
  197. }
  198. }
  199. }
  200. int WHIRLPOOL_Final(unsigned char *md, WHIRLPOOL_CTX *c)
  201. {
  202. unsigned int bitoff = c->bitoff, byteoff = bitoff / 8;
  203. size_t i, j, v;
  204. unsigned char *p;
  205. bitoff %= 8;
  206. if (bitoff)
  207. c->data[byteoff] |= 0x80 >> bitoff;
  208. else
  209. c->data[byteoff] = 0x80;
  210. byteoff++;
  211. /* pad with zeros */
  212. if (byteoff > (WHIRLPOOL_BBLOCK / 8 - WHIRLPOOL_COUNTER)) {
  213. if (byteoff < WHIRLPOOL_BBLOCK / 8)
  214. memset(&c->data[byteoff], 0, WHIRLPOOL_BBLOCK / 8 - byteoff);
  215. whirlpool_block(c, c->data, 1);
  216. byteoff = 0;
  217. }
  218. if (byteoff < (WHIRLPOOL_BBLOCK / 8 - WHIRLPOOL_COUNTER))
  219. memset(&c->data[byteoff], 0,
  220. (WHIRLPOOL_BBLOCK / 8 - WHIRLPOOL_COUNTER) - byteoff);
  221. /* smash 256-bit c->bitlen in big-endian order */
  222. p = &c->data[WHIRLPOOL_BBLOCK / 8 - 1]; /* last byte in c->data */
  223. for (i = 0; i < WHIRLPOOL_COUNTER / sizeof(size_t); i++)
  224. for (v = c->bitlen[i], j = 0; j < sizeof(size_t); j++, v >>= 8)
  225. *p-- = (unsigned char)(v & 0xff);
  226. whirlpool_block(c, c->data, 1);
  227. if (md) {
  228. memcpy(md, c->H.c, WHIRLPOOL_DIGEST_LENGTH);
  229. OPENSSL_cleanse(c, sizeof(*c));
  230. return 1;
  231. }
  232. return 0;
  233. }
  234. unsigned char *WHIRLPOOL(const void *inp, size_t bytes, unsigned char *md)
  235. {
  236. WHIRLPOOL_CTX ctx;
  237. static unsigned char m[WHIRLPOOL_DIGEST_LENGTH];
  238. if (md == NULL)
  239. md = m;
  240. WHIRLPOOL_Init(&ctx);
  241. WHIRLPOOL_Update(&ctx, inp, bytes);
  242. WHIRLPOOL_Final(md, &ctx);
  243. return md;
  244. }