[thirdparty/openssl.git] / crypto / whrlpool / wp_dgst.c

/*
 * Copyright 2005-2016 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

/**
 * The Whirlpool hashing function.
 *
 * See
 *      P.S.L.M. Barreto, V. Rijmen,
 *      ``The Whirlpool hashing function,''
 *      NESSIE submission, 2000 (tweaked version, 2001),
 *      <https://www.cosic.esat.kuleuven.ac.be/nessie/workshop/submissions/whirlpool.zip>
 *
 * Based on "@version 3.0 (2003.03.12)" by Paulo S.L.M. Barreto and
 * Vincent Rijmen. Lookup "reference implementations" on
 * <http://planeta.terra.com.br/informatica/paulobarreto/>
 *
 * =============================================================================
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
 * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
 * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
 * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
 * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
 * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 *
 */

/*
 * OpenSSL-specific implementation notes.
 *
 * WHIRLPOOL_Update as well as one-stroke WHIRLPOOL both expect
 * number of *bytes* as input length argument. Bit-oriented routine
 * as specified by authors is called WHIRLPOOL_BitUpdate[!] and
 * does not have one-stroke counterpart.
 *
 * WHIRLPOOL_BitUpdate implements byte-oriented loop, essentially
 * to serve WHIRLPOOL_Update. This is done for performance.
 *
 * Unlike authors' reference implementation, block processing
 * routine whirlpool_block is designed to operate on multi-block
 * input. This is done for performance.
 */

#include <openssl/crypto.h>
#include "wp_local.h"
#include <string.h>

int WHIRLPOOL_Init(WHIRLPOOL_CTX *c)
{
    memset(c, 0, sizeof(*c));
    return 1;
}

int WHIRLPOOL_Update(WHIRLPOOL_CTX *c, const void *_inp, size_t bytes)
{
    /*
     * Well, largest suitable chunk size actually is
     * (1<<(sizeof(size_t)*8-3))-64, but below number is large enough for not
     * to care about excessive calls to WHIRLPOOL_BitUpdate...
     */
    size_t chunk = ((size_t)1) << (sizeof(size_t) * 8 - 4);
    const unsigned char *inp = _inp;

    while (bytes >= chunk) {
        WHIRLPOOL_BitUpdate(c, inp, chunk * 8);
        bytes -= chunk;
        inp += chunk;
    }
    if (bytes)
        WHIRLPOOL_BitUpdate(c, inp, bytes * 8);

    return 1;
}

void WHIRLPOOL_BitUpdate(WHIRLPOOL_CTX *c, const void *_inp, size_t bits)
{
    size_t n;
    unsigned int bitoff = c->bitoff,
        bitrem = bitoff % 8, inpgap = (8 - (unsigned int)bits % 8) & 7;
    const unsigned char *inp = _inp;

    /*
     * This 256-bit increment procedure relies on the size_t being natural
     * size of CPU register, so that we don't have to mask the value in order
     * to detect overflows.
     */
    c->bitlen[0] += bits;
    if (c->bitlen[0] < bits) {  /* overflow */
        n = 1;
        do {
            c->bitlen[n]++;
        } while (c->bitlen[n] == 0
                 && ++n < (WHIRLPOOL_COUNTER / sizeof(size_t)));
    }
#ifndef OPENSSL_SMALL_FOOTPRINT
 reconsider:
    if (inpgap == 0 && bitrem == 0) { /* byte-oriented loop */
        while (bits) {
            if (bitoff == 0 && (n = bits / WHIRLPOOL_BBLOCK)) {
                whirlpool_block(c, inp, n);
                inp += n * WHIRLPOOL_BBLOCK / 8;
                bits %= WHIRLPOOL_BBLOCK;
            } else {
                unsigned int byteoff = bitoff / 8;

                bitrem = WHIRLPOOL_BBLOCK - bitoff; /* re-use bitrem */
                if (bits >= bitrem) {
                    bits -= bitrem;
                    bitrem /= 8;
                    memcpy(c->data + byteoff, inp, bitrem);
                    inp += bitrem;
                    whirlpool_block(c, c->data, 1);
                    bitoff = 0;
                } else {
                    memcpy(c->data + byteoff, inp, bits / 8);
                    bitoff += (unsigned int)bits;
                    bits = 0;
                }
                c->bitoff = bitoff;
            }
        }
    } else                      /* bit-oriented loop */
#endif
    {
        /*-
                   inp
                   |
                   +-------+-------+-------
                      |||||||||||||||||||||
                   +-------+-------+-------
        +-------+-------+-------+-------+-------
        ||||||||||||||                          c->data
        +-------+-------+-------+-------+-------
                |
                c->bitoff/8
        */
        while (bits) {
            unsigned int byteoff = bitoff / 8;
            unsigned char b;

#ifndef OPENSSL_SMALL_FOOTPRINT
            if (bitrem == inpgap) {
                c->data[byteoff++] |= inp[0] & (0xff >> inpgap);
                inpgap = 8 - inpgap;
                bitoff += inpgap;
                bitrem = 0;     /* bitoff%8 */
                bits -= inpgap;
                inpgap = 0;     /* bits%8 */
                inp++;
                if (bitoff == WHIRLPOOL_BBLOCK) {
                    whirlpool_block(c, c->data, 1);
                    bitoff = 0;
                }
                c->bitoff = bitoff;
                goto reconsider;
            } else
#endif
            if (bits > 8) {
                b = ((inp[0] << inpgap) | (inp[1] >> (8 - inpgap)));
                b &= 0xff;
                if (bitrem)
                    c->data[byteoff++] |= b >> bitrem;
                else
                    c->data[byteoff++] = b;
                bitoff += 8;
                bits -= 8;
                inp++;
                if (bitoff >= WHIRLPOOL_BBLOCK) {
                    whirlpool_block(c, c->data, 1);
                    byteoff = 0;
                    bitoff %= WHIRLPOOL_BBLOCK;
                }
                if (bitrem)
                    c->data[byteoff] = b << (8 - bitrem);
            } else {            /* remaining less than or equal to 8 bits */

                b = (inp[0] << inpgap) & 0xff;
                if (bitrem)
                    c->data[byteoff++] |= b >> bitrem;
                else
                    c->data[byteoff++] = b;
                bitoff += (unsigned int)bits;
                if (bitoff == WHIRLPOOL_BBLOCK) {
                    whirlpool_block(c, c->data, 1);
                    byteoff = 0;
                    bitoff %= WHIRLPOOL_BBLOCK;
                }
                if (bitrem)
                    c->data[byteoff] = b << (8 - bitrem);
                bits = 0;
            }
            c->bitoff = bitoff;
        }
    }
}

int WHIRLPOOL_Final(unsigned char *md, WHIRLPOOL_CTX *c)
{
    unsigned int bitoff = c->bitoff, byteoff = bitoff / 8;
    size_t i, j, v;
    unsigned char *p;

    bitoff %= 8;
    if (bitoff)
        c->data[byteoff] |= 0x80 >> bitoff;
    else
        c->data[byteoff] = 0x80;
    byteoff++;

    /* pad with zeros */
    if (byteoff > (WHIRLPOOL_BBLOCK / 8 - WHIRLPOOL_COUNTER)) {
        if (byteoff < WHIRLPOOL_BBLOCK / 8)
            memset(&c->data[byteoff], 0, WHIRLPOOL_BBLOCK / 8 - byteoff);
        whirlpool_block(c, c->data, 1);
        byteoff = 0;
    }
    if (byteoff < (WHIRLPOOL_BBLOCK / 8 - WHIRLPOOL_COUNTER))
        memset(&c->data[byteoff], 0,
               (WHIRLPOOL_BBLOCK / 8 - WHIRLPOOL_COUNTER) - byteoff);
    /* smash 256-bit c->bitlen in big-endian order */
    p = &c->data[WHIRLPOOL_BBLOCK / 8 - 1]; /* last byte in c->data */
    for (i = 0; i < WHIRLPOOL_COUNTER / sizeof(size_t); i++)
        for (v = c->bitlen[i], j = 0; j < sizeof(size_t); j++, v >>= 8)
            *p-- = (unsigned char)(v & 0xff);

    whirlpool_block(c, c->data, 1);

    if (md) {
        memcpy(md, c->H.c, WHIRLPOOL_DIGEST_LENGTH);
        OPENSSL_cleanse(c, sizeof(*c));
        return 1;
    }
    return 0;
}

unsigned char *WHIRLPOOL(const void *inp, size_t bytes, unsigned char *md)
{
    WHIRLPOOL_CTX ctx;
    static unsigned char m[WHIRLPOOL_DIGEST_LENGTH];

    if (md == NULL)
        md = m;
    WHIRLPOOL_Init(&ctx);
    WHIRLPOOL_Update(&ctx, inp, bytes);
    WHIRLPOOL_Final(md, &ctx);
    return md;
}
Commit	Line	Data
4f22f405 RS	1	/*
	2	* Copyright 2005-2016 The OpenSSL Project Authors. All Rights Reserved.
	3	*
677c7ab9	4	* Licensed under the Apache License 2.0 (the "License"). You may not use
4f22f405 RS	5	* this file except in compliance with the License. You can obtain a copy
	6	* in the file LICENSE in the source distribution or at
	7	* https://www.openssl.org/source/license.html
	8	*/
	9
d1593e6b AP	10	/**
	11	* The Whirlpool hashing function.
	12	*
d1593e6b AP	13	* See
	14	* P.S.L.M. Barreto, V. Rijmen,
	15	* ``The Whirlpool hashing function,''
	16	* NESSIE submission, 2000 (tweaked version, 2001),
	17	* <https://www.cosic.esat.kuleuven.ac.be/nessie/workshop/submissions/whirlpool.zip>
	18	*
	19	* Based on "@version 3.0 (2003.03.12)" by Paulo S.L.M. Barreto and
	20	* Vincent Rijmen. Lookup "reference implementations" on
	21	* <http://planeta.terra.com.br/informatica/paulobarreto/>
	22	*
	23	* =============================================================================
	24	*
	25	* THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
	26	* OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
	27	* WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
	28	* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
	29	* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
	30	* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
	31	* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
	32	* BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
	33	* WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
	34	* OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
	35	* EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
	36	*
	37	*/
	38
	39	/*
	40	* OpenSSL-specific implementation notes.
	41	*
	42	* WHIRLPOOL_Update as well as one-stroke WHIRLPOOL both expect
	43	* number of bytes as input length argument. Bit-oriented routine
	44	* as specified by authors is called WHIRLPOOL_BitUpdate[!] and
	45	* does not have one-stroke counterpart.
	46	*
	47	* WHIRLPOOL_BitUpdate implements byte-oriented loop, essentially
	48	* to serve WHIRLPOOL_Update. This is done for performance.
	49	*
	50	* Unlike authors' reference implementation, block processing
	51	* routine whirlpool_block is designed to operate on multi-block
0d4fb843	52	* input. This is done for performance.
d1593e6b AP	53	*/
d1593e6b AP	54
3ce2fdab	55	#include <openssl/crypto.h>
706457b7	56	#include "wp_local.h"
d1593e6b AP	57	#include <string.h>
d1593e6b AP	58
0f113f3e MC	59	int WHIRLPOOL_Init(WHIRLPOOL_CTX *c)
	60	{
	61	memset(c, 0, sizeof(*c));
208fb891	62	return 1;
0f113f3e	63	}
d1593e6b	64
0f113f3e MC	65	int WHIRLPOOL_Update(WHIRLPOOL_CTX c, const void _inp, size_t bytes)
	66	{
	67	/*
	68	* Well, largest suitable chunk size actually is
	69	* (1<<(sizeof(size_t)*8-3))-64, but below number is large enough for not
	70	* to care about excessive calls to WHIRLPOOL_BitUpdate...
	71	*/
	72	size_t chunk = ((size_t)1) << (sizeof(size_t) * 8 - 4);
	73	const unsigned char *inp = _inp;
d1593e6b	74
0f113f3e MC	75	while (bytes >= chunk) {
	76	WHIRLPOOL_BitUpdate(c, inp, chunk * 8);
	77	bytes -= chunk;
	78	inp += chunk;
	79	}
	80	if (bytes)
	81	WHIRLPOOL_BitUpdate(c, inp, bytes * 8);
137db78b	82
208fb891	83	return 1;
0f113f3e	84	}
d1593e6b	85
0f113f3e MC	86	void WHIRLPOOL_BitUpdate(WHIRLPOOL_CTX c, const void _inp, size_t bits)
	87	{
	88	size_t n;
	89	unsigned int bitoff = c->bitoff,
	90	bitrem = bitoff % 8, inpgap = (8 - (unsigned int)bits % 8) & 7;
	91	const unsigned char *inp = _inp;
d1593e6b	92
0f113f3e MC	93	/*
	94	* This 256-bit increment procedure relies on the size_t being natural
	95	* size of CPU register, so that we don't have to mask the value in order
	96	* to detect overflows.
	97	*/
	98	c->bitlen[0] += bits;
	99	if (c->bitlen[0] < bits) { /* overflow */
	100	n = 1;
	101	do {
	102	c->bitlen[n]++;
	103	} while (c->bitlen[n] == 0
	104	&& ++n < (WHIRLPOOL_COUNTER / sizeof(size_t)));
	105	}
d1593e6b	106	#ifndef OPENSSL_SMALL_FOOTPRINT
0f113f3e MC	107	reconsider:
	108	if (inpgap == 0 && bitrem == 0) { /* byte-oriented loop */
	109	while (bits) {
	110	if (bitoff == 0 && (n = bits / WHIRLPOOL_BBLOCK)) {
	111	whirlpool_block(c, inp, n);
	112	inp += n * WHIRLPOOL_BBLOCK / 8;
	113	bits %= WHIRLPOOL_BBLOCK;
	114	} else {
	115	unsigned int byteoff = bitoff / 8;
d1593e6b	116
0f113f3e MC	117	bitrem = WHIRLPOOL_BBLOCK - bitoff; /* re-use bitrem */
	118	if (bits >= bitrem) {
	119	bits -= bitrem;
	120	bitrem /= 8;
	121	memcpy(c->data + byteoff, inp, bitrem);
	122	inp += bitrem;
	123	whirlpool_block(c, c->data, 1);
	124	bitoff = 0;
	125	} else {
	126	memcpy(c->data + byteoff, inp, bits / 8);
	127	bitoff += (unsigned int)bits;
	128	bits = 0;
	129	}
	130	c->bitoff = bitoff;
	131	}
	132	}
	133	} else /* bit-oriented loop */
d1593e6b	134	#endif
0f113f3e	135	{
50e735f9 MC	136	/*-
	137	inp
	138	\|
	139	+-------+-------+-------
	140	\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|
	141	+-------+-------+-------
	142	+-------+-------+-------+-------+-------
	143	\|\|\|\|\|\|\|\|\|\|\|\|\|\| c->data
	144	+-------+-------+-------+-------+-------
	145	\|
	146	c->bitoff/8
	147	*/
0f113f3e MC	148	while (bits) {
	149	unsigned int byteoff = bitoff / 8;
	150	unsigned char b;
d1593e6b AP	151
d1593e6b AP	152	#ifndef OPENSSL_SMALL_FOOTPRINT
0f113f3e MC	153	if (bitrem == inpgap) {
	154	c->data[byteoff++] \|= inp[0] & (0xff >> inpgap);
	155	inpgap = 8 - inpgap;
	156	bitoff += inpgap;
	157	bitrem = 0; /* bitoff%8 */
	158	bits -= inpgap;
	159	inpgap = 0; /* bits%8 */
	160	inp++;
	161	if (bitoff == WHIRLPOOL_BBLOCK) {
	162	whirlpool_block(c, c->data, 1);
	163	bitoff = 0;
	164	}
	165	c->bitoff = bitoff;
	166	goto reconsider;
	167	} else
d1593e6b	168	#endif
0b20ad12	169	if (bits > 8) {
0f113f3e MC	170	b = ((inp[0] << inpgap) \| (inp[1] >> (8 - inpgap)));
	171	b &= 0xff;
	172	if (bitrem)
	173	c->data[byteoff++] \|= b >> bitrem;
	174	else
	175	c->data[byteoff++] = b;
	176	bitoff += 8;
	177	bits -= 8;
	178	inp++;
	179	if (bitoff >= WHIRLPOOL_BBLOCK) {
	180	whirlpool_block(c, c->data, 1);
	181	byteoff = 0;
	182	bitoff %= WHIRLPOOL_BBLOCK;
	183	}
	184	if (bitrem)
	185	c->data[byteoff] = b << (8 - bitrem);
0b20ad12	186	} else { /* remaining less than or equal to 8 bits */
0f113f3e MC	187
	188	b = (inp[0] << inpgap) & 0xff;
	189	if (bitrem)
	190	c->data[byteoff++] \|= b >> bitrem;
	191	else
	192	c->data[byteoff++] = b;
	193	bitoff += (unsigned int)bits;
	194	if (bitoff == WHIRLPOOL_BBLOCK) {
	195	whirlpool_block(c, c->data, 1);
	196	byteoff = 0;
	197	bitoff %= WHIRLPOOL_BBLOCK;
	198	}
	199	if (bitrem)
	200	c->data[byteoff] = b << (8 - bitrem);
	201	bits = 0;
	202	}
	203	c->bitoff = bitoff;
	204	}
	205	}
	206	}
d1593e6b	207
0f113f3e MC	208	int WHIRLPOOL_Final(unsigned char md, WHIRLPOOL_CTX c)
	209	{
	210	unsigned int bitoff = c->bitoff, byteoff = bitoff / 8;
	211	size_t i, j, v;
	212	unsigned char *p;
d1593e6b	213
0f113f3e MC	214	bitoff %= 8;
	215	if (bitoff)
	216	c->data[byteoff] \|= 0x80 >> bitoff;
	217	else
	218	c->data[byteoff] = 0x80;
	219	byteoff++;
d1593e6b	220
0f113f3e MC	221	/* pad with zeros */
	222	if (byteoff > (WHIRLPOOL_BBLOCK / 8 - WHIRLPOOL_COUNTER)) {
	223	if (byteoff < WHIRLPOOL_BBLOCK / 8)
	224	memset(&c->data[byteoff], 0, WHIRLPOOL_BBLOCK / 8 - byteoff);
	225	whirlpool_block(c, c->data, 1);
	226	byteoff = 0;
	227	}
	228	if (byteoff < (WHIRLPOOL_BBLOCK / 8 - WHIRLPOOL_COUNTER))
	229	memset(&c->data[byteoff], 0,
	230	(WHIRLPOOL_BBLOCK / 8 - WHIRLPOOL_COUNTER) - byteoff);
	231	/* smash 256-bit c->bitlen in big-endian order */
	232	p = &c->data[WHIRLPOOL_BBLOCK / 8 - 1]; /* last byte in c->data */
	233	for (i = 0; i < WHIRLPOOL_COUNTER / sizeof(size_t); i++)
	234	for (v = c->bitlen[i], j = 0; j < sizeof(size_t); j++, v >>= 8)
	235	*p-- = (unsigned char)(v & 0xff);
d1593e6b	236
0f113f3e	237	whirlpool_block(c, c->data, 1);
d1593e6b	238
0f113f3e MC	239	if (md) {
0f113f3e MC	240	memcpy(md, c->H.c, WHIRLPOOL_DIGEST_LENGTH);
3ce2fdab	241	OPENSSL_cleanse(c, sizeof(*c));
208fb891	242	return 1;
0f113f3e	243	}
26a7d938	244	return 0;
0f113f3e	245	}
d1593e6b	246
0f113f3e MC	247	unsigned char WHIRLPOOL(const void inp, size_t bytes, unsigned char *md)
	248	{
	249	WHIRLPOOL_CTX ctx;
	250	static unsigned char m[WHIRLPOOL_DIGEST_LENGTH];
d1593e6b	251
0f113f3e MC	252	if (md == NULL)
	253	md = m;
	254	WHIRLPOOL_Init(&ctx);
	255	WHIRLPOOL_Update(&ctx, inp, bytes);
	256	WHIRLPOOL_Final(md, &ctx);
26a7d938	257	return md;
0f113f3e	258	}