search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Allow make from the exec directory.
[openais.git] / exec / crypto.c
blob1c1903ec688b8344ef94fcf465f0a66d5ae28452
1 /* LibTomCrypt, modular cryptographic library -- Tom St Denis
2 *
3 * LibTomCrypt is a library that provides various cryptographic
4 * algorithms in a highly modular and flexible manner.
5 *
6 * The library is free for all purposes without any express
7 * guarantee it works.
8 *
9 * Tom St Denis, tomstdenis@iahu.ca, http://libtomcrypt.org
10 */
11 #include <assert.h>
12 #include <string.h>
13 #include <stdio.h>
14 #include <stdlib.h>
15 #include <sys/types.h>
16 #include <sys/stat.h>
17 #include <sys/poll.h>
18 #if defined(OPENAIS_BSD)
19 #include <sys/endian.h>
20 #endif
21 #include <fcntl.h>
22 #include <unistd.h>
23
24 #include "crypto.h"
25
26 #define CONST64(n) n ## ULL
27
28 typedef unsigned long ulong32;
29 typedef unsigned long long ulong64;
30
31 #if __BYTE_ORDER == __LITTLE_ENDIAN
32 #define ENDIAN_LITTLE
33 #elif __BYTE_ORDER == __BIG_ENDIAN
34 #define ENDIAN_BIG
35 #elif _BYTE_ORDER == _LITTLE_ENDIAN
36 #define ENDIAN_LITTLE
37 #elif _BYTE_ORDER == _BIG_ENDIAN
38 #define ENDIAN_BIG
39 #elif
40 #warning "cannot detect byte order"
41 #endif
42
43 #if defined(OPENAIS_LINUX)
44 #if __WORDIZE == 64
45 #define ENDIAN_64BITWORD
46 #endif
47 #if __WORDIZE == 32
48 #define ENDIAN_32BITWORD
49 #endif
50 #else
51 /* XXX need to find a better default
52 */
53 #define ENDIAN_32BITWORD
54 #endif
55
56 /* ---- HELPER MACROS ---- */
57 #ifdef ENDIAN_NEUTRAL
58
59 #define STORE32L(x, y) \
60 { (y)[3] = (unsigned char)(((x)>>24)&255); (y)[2] = (unsigned char)(((x)>>16)&255); \
61 (y)[1] = (unsigned char)(((x)>>8)&255); (y)[0] = (unsigned char)((x)&255); }
62
63 #define LOAD32L(x, y) \
64 { x = ((unsigned long)((y)[3] & 255)<<24) | \
65 ((unsigned long)((y)[2] & 255)<<16) | \
66 ((unsigned long)((y)[1] & 255)<<8) | \
67 ((unsigned long)((y)[0] & 255)); }
68
69 #define STORE64L(x, y) \
70 { (y)[7] = (unsigned char)(((x)>>56)&255); (y)[6] = (unsigned char)(((x)>>48)&255); \
71 (y)[5] = (unsigned char)(((x)>>40)&255); (y)[4] = (unsigned char)(((x)>>32)&255); \
72 (y)[3] = (unsigned char)(((x)>>24)&255); (y)[2] = (unsigned char)(((x)>>16)&255); \
73 (y)[1] = (unsigned char)(((x)>>8)&255); (y)[0] = (unsigned char)((x)&255); }
74
75 #define LOAD64L(x, y) \
76 { x = (((ulong64)((y)[7] & 255))<<56)|(((ulong64)((y)[6] & 255))<<48)| \
77 (((ulong64)((y)[5] & 255))<<40)|(((ulong64)((y)[4] & 255))<<32)| \
78 (((ulong64)((y)[3] & 255))<<24)|(((ulong64)((y)[2] & 255))<<16)| \
79 (((ulong64)((y)[1] & 255))<<8)|(((ulong64)((y)[0] & 255))); }
80
81 #define STORE32H(x, y) \
82 { (y)[0] = (unsigned char)(((x)>>24)&255); (y)[1] = (unsigned char)(((x)>>16)&255); \
83 (y)[2] = (unsigned char)(((x)>>8)&255); (y)[3] = (unsigned char)((x)&255); }
84
85 #define LOAD32H(x, y) \
86 { x = ((unsigned long)((y)[0] & 255)<<24) | \
87 ((unsigned long)((y)[1] & 255)<<16) | \
88 ((unsigned long)((y)[2] & 255)<<8) | \
89 ((unsigned long)((y)[3] & 255)); }
90
91 #define STORE64H(x, y) \
92 { (y)[0] = (unsigned char)(((x)>>56)&255); (y)[1] = (unsigned char)(((x)>>48)&255); \
93 (y)[2] = (unsigned char)(((x)>>40)&255); (y)[3] = (unsigned char)(((x)>>32)&255); \
94 (y)[4] = (unsigned char)(((x)>>24)&255); (y)[5] = (unsigned char)(((x)>>16)&255); \
95 (y)[6] = (unsigned char)(((x)>>8)&255); (y)[7] = (unsigned char)((x)&255); }
96
97 #define LOAD64H(x, y) \
98 { x = (((ulong64)((y)[0] & 255))<<56)|(((ulong64)((y)[1] & 255))<<48) | \
99 (((ulong64)((y)[2] & 255))<<40)|(((ulong64)((y)[3] & 255))<<32) | \
100 (((ulong64)((y)[4] & 255))<<24)|(((ulong64)((y)[5] & 255))<<16) | \
101 (((ulong64)((y)[6] & 255))<<8)|(((ulong64)((y)[7] & 255))); }
102
103 #endif /* ENDIAN_NEUTRAL */
104
105 #ifdef ENDIAN_LITTLE
106
107 #define STORE32H(x, y) \
108 { (y)[0] = (unsigned char)(((x)>>24)&255); (y)[1] = (unsigned char)(((x)>>16)&255); \
109 (y)[2] = (unsigned char)(((x)>>8)&255); (y)[3] = (unsigned char)((x)&255); }
110
111 #define LOAD32H(x, y) \
112 { x = ((unsigned long)((y)[0] & 255)<<24) | \
113 ((unsigned long)((y)[1] & 255)<<16) | \
114 ((unsigned long)((y)[2] & 255)<<8) | \
115 ((unsigned long)((y)[3] & 255)); }
116
117 #define STORE64H(x, y) \
118 { (y)[0] = (unsigned char)(((x)>>56)&255); (y)[1] = (unsigned char)(((x)>>48)&255); \
119 (y)[2] = (unsigned char)(((x)>>40)&255); (y)[3] = (unsigned char)(((x)>>32)&255); \
120 (y)[4] = (unsigned char)(((x)>>24)&255); (y)[5] = (unsigned char)(((x)>>16)&255); \
121 (y)[6] = (unsigned char)(((x)>>8)&255); (y)[7] = (unsigned char)((x)&255); }
122
123 #define LOAD64H(x, y) \
124 { x = (((ulong64)((y)[0] & 255))<<56)|(((ulong64)((y)[1] & 255))<<48) | \
125 (((ulong64)((y)[2] & 255))<<40)|(((ulong64)((y)[3] & 255))<<32) | \
126 (((ulong64)((y)[4] & 255))<<24)|(((ulong64)((y)[5] & 255))<<16) | \
127 (((ulong64)((y)[6] & 255))<<8)|(((ulong64)((y)[7] & 255))); }
128
129 #ifdef ENDIAN_32BITWORD
130
131 #define STORE32L(x, y) \
132 { unsigned long __t = (x); memcpy(y, &__t, 4); }
133
134 #define LOAD32L(x, y) \
135 memcpy(&(x), y, 4);
136
137 #define STORE64L(x, y) \
138 { (y)[7] = (unsigned char)(((x)>>56)&255); (y)[6] = (unsigned char)(((x)>>48)&255); \
139 (y)[5] = (unsigned char)(((x)>>40)&255); (y)[4] = (unsigned char)(((x)>>32)&255); \
140 (y)[3] = (unsigned char)(((x)>>24)&255); (y)[2] = (unsigned char)(((x)>>16)&255); \
141 (y)[1] = (unsigned char)(((x)>>8)&255); (y)[0] = (unsigned char)((x)&255); }
142
143 #define LOAD64L(x, y) \
144 { x = (((ulong64)((y)[7] & 255))<<56)|(((ulong64)((y)[6] & 255))<<48)| \
145 (((ulong64)((y)[5] & 255))<<40)|(((ulong64)((y)[4] & 255))<<32)| \
146 (((ulong64)((y)[3] & 255))<<24)|(((ulong64)((y)[2] & 255))<<16)| \
147 (((ulong64)((y)[1] & 255))<<8)|(((ulong64)((y)[0] & 255))); }
148
149 #else /* 64-bit words then */
150
151 #define STORE32L(x, y) \
152 { unsigned long __t = (x); memcpy(y, &__t, 4); }
153
154 #define LOAD32L(x, y) \
155 { memcpy(&(x), y, 4); x &= 0xFFFFFFFF; }
156
157 #define STORE64L(x, y) \
158 { ulong64 __t = (x); memcpy(y, &__t, 8); }
159
160 #define LOAD64L(x, y) \
161 { memcpy(&(x), y, 8); }
162
163 #endif /* ENDIAN_64BITWORD */
164
165 #endif /* ENDIAN_LITTLE */
166
167 #ifdef ENDIAN_BIG
168 #define STORE32L(x, y) \
169 { (y)[3] = (unsigned char)(((x)>>24)&255); (y)[2] = (unsigned char)(((x)>>16)&255); \
170 (y)[1] = (unsigned char)(((x)>>8)&255); (y)[0] = (unsigned char)((x)&255); }
171
172 #define LOAD32L(x, y) \
173 { x = ((unsigned long)((y)[3] & 255)<<24) | \
174 ((unsigned long)((y)[2] & 255)<<16) | \
175 ((unsigned long)((y)[1] & 255)<<8) | \
176 ((unsigned long)((y)[0] & 255)); }
177
178 #define STORE64L(x, y) \
179 { (y)[7] = (unsigned char)(((x)>>56)&255); (y)[6] = (unsigned char)(((x)>>48)&255); \
180 (y)[5] = (unsigned char)(((x)>>40)&255); (y)[4] = (unsigned char)(((x)>>32)&255); \
181 (y)[3] = (unsigned char)(((x)>>24)&255); (y)[2] = (unsigned char)(((x)>>16)&255); \
182 (y)[1] = (unsigned char)(((x)>>8)&255); (y)[0] = (unsigned char)((x)&255); }
183
184 #define LOAD64L(x, y) \
185 { x = (((ulong64)((y)[7] & 255))<<56)|(((ulong64)((y)[6] & 255))<<48) | \
186 (((ulong64)((y)[5] & 255))<<40)|(((ulong64)((y)[4] & 255))<<32) | \
187 (((ulong64)((y)[3] & 255))<<24)|(((ulong64)((y)[2] & 255))<<16) | \
188 (((ulong64)((y)[1] & 255))<<8)|(((ulong64)((y)[0] & 255))); }
189
190 #ifdef ENDIAN_32BITWORD
191
192 #define STORE32H(x, y) \
193 { unsigned long __t = (x); memcpy(y, &__t, 4); }
194
195 #define LOAD32H(x, y) \
196 memcpy(&(x), y, 4);
197
198 #define STORE64H(x, y) \
199 { (y)[0] = (unsigned char)(((x)>>56)&255); (y)[1] = (unsigned char)(((x)>>48)&255); \
200 (y)[2] = (unsigned char)(((x)>>40)&255); (y)[3] = (unsigned char)(((x)>>32)&255); \
201 (y)[4] = (unsigned char)(((x)>>24)&255); (y)[5] = (unsigned char)(((x)>>16)&255); \
202 (y)[6] = (unsigned char)(((x)>>8)&255); (y)[7] = (unsigned char)((x)&255); }
203
204 #define LOAD64H(x, y) \
205 { x = (((ulong64)((y)[0] & 255))<<56)|(((ulong64)((y)[1] & 255))<<48)| \
206 (((ulong64)((y)[2] & 255))<<40)|(((ulong64)((y)[3] & 255))<<32)| \
207 (((ulong64)((y)[4] & 255))<<24)|(((ulong64)((y)[5] & 255))<<16)| \
208 (((ulong64)((y)[6] & 255))<<8)| (((ulong64)((y)[7] & 255))); }
209
210 #else /* 64-bit words then */
211
212 #define STORE32H(x, y) \
213 { unsigned long __t = (x); memcpy(y, &__t, 4); }
214
215 #define LOAD32H(x, y) \
216 { memcpy(&(x), y, 4); x &= 0xFFFFFFFF; }
217
218 #define STORE64H(x, y) \
219 { ulong64 __t = (x); memcpy(y, &__t, 8); }
220
221 #define LOAD64H(x, y) \
222 { memcpy(&(x), y, 8); }
223
224 #endif /* ENDIAN_64BITWORD */
225 #endif /* ENDIAN_BIG */
226
227 #define BSWAP(x) ( ((x>>24)&0x000000FFUL) | ((x<<24)&0xFF000000UL) | \
228 ((x>>8)&0x0000FF00UL) | ((x<<8)&0x00FF0000UL) )
229
230 #if defined(__GNUC__) && defined(__i386__) && !defined(INTEL_CC)
231
232 static inline unsigned long ROL(unsigned long word, int i)
233 {
234 __asm__("roll %%cl,%0"
235 :"=r" (word)
236 :"0" (word),"c" (i));
237 return word;
238 }
239
240 static inline unsigned long ROR(unsigned long word, int i)
241 {
242 __asm__("rorl %%cl,%0"
243 :"=r" (word)
244 :"0" (word),"c" (i));
245 return word;
246 }
247
248 #else
249
250 /* rotates the hard way */
251 #define ROL(x, y) ( (((unsigned long)(x)<<(unsigned long)((y)&31)) | (((unsigned long)(x)&0xFFFFFFFFUL)>>(unsigned long)(32-((y)&31)))) & 0xFFFFFFFFUL)
252 #define ROR(x, y) ( ((((unsigned long)(x)&0xFFFFFFFFUL)>>(unsigned long)((y)&31)) | ((unsigned long)(x)<<(unsigned long)(32-((y)&31)))) & 0xFFFFFFFFUL)
253
254 #endif
255
256 #define ROL64(x, y) \
257 ( (((x)<<((ulong64)(y)&63)) | \
258 (((x)&CONST64(0xFFFFFFFFFFFFFFFF))>>((ulong64)64-((y)&63)))) & CONST64(0xFFFFFFFFFFFFFFFF))
259
260 #define ROR64(x, y) \
261 ( ((((x)&CONST64(0xFFFFFFFFFFFFFFFF))>>((ulong64)(y)&CONST64(63))) | \
262 ((x)<<((ulong64)(64-((y)&CONST64(63)))))) & CONST64(0xFFFFFFFFFFFFFFFF))
263
264 #undef MAX
265 #undef MIN
266 #define MAX(x, y) ( ((x)>(y))?(x):(y) )
267 #define MIN(x, y) ( ((x)<(y))?(x):(y) )
268
269 /* extract a byte portably */
270 #define byte(x, n) (((x) >> (8 * (n))) & 255)
271
272 #define CONST64(n) n ## ULL
273
274 /* a simple macro for making hash "process" functions */
275 #define HASH_PROCESS(func_name, compress_name, state_var, block_size) \
276 int func_name (hash_state * md, const unsigned char *buf, unsigned long len) \
277 { \
278 unsigned long n; \
279 if (md-> state_var .curlen > sizeof(md-> state_var .buf)) { \
280 return CRYPT_INVALID_ARG; \
281 } \
282 while (len > 0) { \
283 if (md-> state_var .curlen == 0 && len >= block_size) { \
284 compress_name (md, (unsigned char *)buf); \
285 md-> state_var .length += block_size * 8; \
286 buf += block_size; \
287 len -= block_size; \
288 } else { \
289 n = MIN(len, (block_size - md-> state_var .curlen)); \
290 memcpy(md-> state_var .buf + md-> state_var.curlen, buf, (size_t)n); \
291 md-> state_var .curlen += n; \
292 buf += n; \
293 len -= n; \
294 if (md-> state_var .curlen == block_size) { \
295 compress_name (md, md-> state_var .buf); \
296 md-> state_var .length += 8*block_size; \
297 md-> state_var .curlen = 0; \
298 } \
299 } \
300 } \
301 return CRYPT_OK; \
302 }
303
304 #define MAXBLOCKSIZE 128
305
306 /*
307 * The mycrypt_macros.h file
308 */
309
310 /* ---- HELPER MACROS ---- */
311 #ifdef ENDIAN_NEUTRAL
312
313 #define STORE32L(x, y) \
314 { (y)[3] = (unsigned char)(((x)>>24)&255); (y)[2] = (unsigned char)(((x)>>16)&255); \
315 (y)[1] = (unsigned char)(((x)>>8)&255); (y)[0] = (unsigned char)((x)&255); }
316
317 #define LOAD32L(x, y) \
318 { x = ((unsigned long)((y)[3] & 255)<<24) | \
319 ((unsigned long)((y)[2] & 255)<<16) | \
320 ((unsigned long)((y)[1] & 255)<<8) | \
321 ((unsigned long)((y)[0] & 255)); }
322
323 #define STORE64L(x, y) \
324 { (y)[7] = (unsigned char)(((x)>>56)&255); (y)[6] = (unsigned char)(((x)>>48)&255); \
325 (y)[5] = (unsigned char)(((x)>>40)&255); (y)[4] = (unsigned char)(((x)>>32)&255); \
326 (y)[3] = (unsigned char)(((x)>>24)&255); (y)[2] = (unsigned char)(((x)>>16)&255); \
327 (y)[1] = (unsigned char)(((x)>>8)&255); (y)[0] = (unsigned char)((x)&255); }
328
329 #define LOAD64L(x, y) \
330 { x = (((ulong64)((y)[7] & 255))<<56)|(((ulong64)((y)[6] & 255))<<48)| \
331 (((ulong64)((y)[5] & 255))<<40)|(((ulong64)((y)[4] & 255))<<32)| \
332 (((ulong64)((y)[3] & 255))<<24)|(((ulong64)((y)[2] & 255))<<16)| \
333 (((ulong64)((y)[1] & 255))<<8)|(((ulong64)((y)[0] & 255))); }
334
335 #define STORE32H(x, y) \
336 { (y)[0] = (unsigned char)(((x)>>24)&255); (y)[1] = (unsigned char)(((x)>>16)&255); \
337 (y)[2] = (unsigned char)(((x)>>8)&255); (y)[3] = (unsigned char)((x)&255); }
338
339 #define LOAD32H(x, y) \
340 { x = ((unsigned long)((y)[0] & 255)<<24) | \
341 ((unsigned long)((y)[1] & 255)<<16) | \
342 ((unsigned long)((y)[2] & 255)<<8) | \
343 ((unsigned long)((y)[3] & 255)); }
344
345 #define STORE64H(x, y) \
346 { (y)[0] = (unsigned char)(((x)>>56)&255); (y)[1] = (unsigned char)(((x)>>48)&255); \
347 (y)[2] = (unsigned char)(((x)>>40)&255); (y)[3] = (unsigned char)(((x)>>32)&255); \
348 (y)[4] = (unsigned char)(((x)>>24)&255); (y)[5] = (unsigned char)(((x)>>16)&255); \
349 (y)[6] = (unsigned char)(((x)>>8)&255); (y)[7] = (unsigned char)((x)&255); }
350
351 #define LOAD64H(x, y) \
352 { x = (((ulong64)((y)[0] & 255))<<56)|(((ulong64)((y)[1] & 255))<<48) | \
353 (((ulong64)((y)[2] & 255))<<40)|(((ulong64)((y)[3] & 255))<<32) | \
354 (((ulong64)((y)[4] & 255))<<24)|(((ulong64)((y)[5] & 255))<<16) | \
355 (((ulong64)((y)[6] & 255))<<8)|(((ulong64)((y)[7] & 255))); }
356
357 #endif /* ENDIAN_NEUTRAL */
358
359 #ifdef ENDIAN_LITTLE
360
361 #define STORE32H(x, y) \
362 { (y)[0] = (unsigned char)(((x)>>24)&255); (y)[1] = (unsigned char)(((x)>>16)&255); \
363 (y)[2] = (unsigned char)(((x)>>8)&255); (y)[3] = (unsigned char)((x)&255); }
364
365 #define LOAD32H(x, y) \
366 { x = ((unsigned long)((y)[0] & 255)<<24) | \
367 ((unsigned long)((y)[1] & 255)<<16) | \
368 ((unsigned long)((y)[2] & 255)<<8) | \
369 ((unsigned long)((y)[3] & 255)); }
370
371 #define STORE64H(x, y) \
372 { (y)[0] = (unsigned char)(((x)>>56)&255); (y)[1] = (unsigned char)(((x)>>48)&255); \
373 (y)[2] = (unsigned char)(((x)>>40)&255); (y)[3] = (unsigned char)(((x)>>32)&255); \
374 (y)[4] = (unsigned char)(((x)>>24)&255); (y)[5] = (unsigned char)(((x)>>16)&255); \
375 (y)[6] = (unsigned char)(((x)>>8)&255); (y)[7] = (unsigned char)((x)&255); }
376
377 #define LOAD64H(x, y) \
378 { x = (((ulong64)((y)[0] & 255))<<56)|(((ulong64)((y)[1] & 255))<<48) | \
379 (((ulong64)((y)[2] & 255))<<40)|(((ulong64)((y)[3] & 255))<<32) | \
380 (((ulong64)((y)[4] & 255))<<24)|(((ulong64)((y)[5] & 255))<<16) | \
381 (((ulong64)((y)[6] & 255))<<8)|(((ulong64)((y)[7] & 255))); }
382
383 #ifdef ENDIAN_32BITWORD
384
385 #define STORE32L(x, y) \
386 { unsigned long __t = (x); memcpy(y, &__t, 4); }
387
388 #define LOAD32L(x, y) \
389 memcpy(&(x), y, 4);
390
391 #define STORE64L(x, y) \
392 { (y)[7] = (unsigned char)(((x)>>56)&255); (y)[6] = (unsigned char)(((x)>>48)&255); \
393 (y)[5] = (unsigned char)(((x)>>40)&255); (y)[4] = (unsigned char)(((x)>>32)&255); \
394 (y)[3] = (unsigned char)(((x)>>24)&255); (y)[2] = (unsigned char)(((x)>>16)&255); \
395 (y)[1] = (unsigned char)(((x)>>8)&255); (y)[0] = (unsigned char)((x)&255); }
396
397 #define LOAD64L(x, y) \
398 { x = (((ulong64)((y)[7] & 255))<<56)|(((ulong64)((y)[6] & 255))<<48)| \
399 (((ulong64)((y)[5] & 255))<<40)|(((ulong64)((y)[4] & 255))<<32)| \
400 (((ulong64)((y)[3] & 255))<<24)|(((ulong64)((y)[2] & 255))<<16)| \
401 (((ulong64)((y)[1] & 255))<<8)|(((ulong64)((y)[0] & 255))); }
402
403 #else /* 64-bit words then */
404
405 #define STORE32L(x, y) \
406 { unsigned long __t = (x); memcpy(y, &__t, 4); }
407
408 #define LOAD32L(x, y) \
409 { memcpy(&(x), y, 4); x &= 0xFFFFFFFF; }
410
411 #define STORE64L(x, y) \
412 { ulong64 __t = (x); memcpy(y, &__t, 8); }
413
414 #define LOAD64L(x, y) \
415 { memcpy(&(x), y, 8); }
416
417 #endif /* ENDIAN_64BITWORD */
418
419 #endif /* ENDIAN_LITTLE */
420
421 #ifdef ENDIAN_BIG
422 #define STORE32L(x, y) \
423 { (y)[3] = (unsigned char)(((x)>>24)&255); (y)[2] = (unsigned char)(((x)>>16)&255); \
424 (y)[1] = (unsigned char)(((x)>>8)&255); (y)[0] = (unsigned char)((x)&255); }
425
426 #define LOAD32L(x, y) \
427 { x = ((unsigned long)((y)[3] & 255)<<24) | \
428 ((unsigned long)((y)[2] & 255)<<16) | \
429 ((unsigned long)((y)[1] & 255)<<8) | \
430 ((unsigned long)((y)[0] & 255)); }
431
432 #define STORE64L(x, y) \
433 { (y)[7] = (unsigned char)(((x)>>56)&255); (y)[6] = (unsigned char)(((x)>>48)&255); \
434 (y)[5] = (unsigned char)(((x)>>40)&255); (y)[4] = (unsigned char)(((x)>>32)&255); \
435 (y)[3] = (unsigned char)(((x)>>24)&255); (y)[2] = (unsigned char)(((x)>>16)&255); \
436 (y)[1] = (unsigned char)(((x)>>8)&255); (y)[0] = (unsigned char)((x)&255); }
437
438 #define LOAD64L(x, y) \
439 { x = (((ulong64)((y)[7] & 255))<<56)|(((ulong64)((y)[6] & 255))<<48) | \
440 (((ulong64)((y)[5] & 255))<<40)|(((ulong64)((y)[4] & 255))<<32) | \
441 (((ulong64)((y)[3] & 255))<<24)|(((ulong64)((y)[2] & 255))<<16) | \
442 (((ulong64)((y)[1] & 255))<<8)|(((ulong64)((y)[0] & 255))); }
443
444 #ifdef ENDIAN_32BITWORD
445
446 #define STORE32H(x, y) \
447 { unsigned long __t = (x); memcpy(y, &__t, 4); }
448
449 #define LOAD32H(x, y) \
450 memcpy(&(x), y, 4);
451
452 #define STORE64H(x, y) \
453 { (y)[0] = (unsigned char)(((x)>>56)&255); (y)[1] = (unsigned char)(((x)>>48)&255); \
454 (y)[2] = (unsigned char)(((x)>>40)&255); (y)[3] = (unsigned char)(((x)>>32)&255); \
455 (y)[4] = (unsigned char)(((x)>>24)&255); (y)[5] = (unsigned char)(((x)>>16)&255); \
456 (y)[6] = (unsigned char)(((x)>>8)&255); (y)[7] = (unsigned char)((x)&255); }
457
458 #define LOAD64H(x, y) \
459 { x = (((ulong64)((y)[0] & 255))<<56)|(((ulong64)((y)[1] & 255))<<48)| \
460 (((ulong64)((y)[2] & 255))<<40)|(((ulong64)((y)[3] & 255))<<32)| \
461 (((ulong64)((y)[4] & 255))<<24)|(((ulong64)((y)[5] & 255))<<16)| \
462 (((ulong64)((y)[6] & 255))<<8)| (((ulong64)((y)[7] & 255))); }
463
464 #else /* 64-bit words then */
465
466 #define STORE32H(x, y) \
467 { unsigned long __t = (x); memcpy(y, &__t, 4); }
468
469 #define LOAD32H(x, y) \
470 { memcpy(&(x), y, 4); x &= 0xFFFFFFFF; }
471
472 #define STORE64H(x, y) \
473 { ulong64 __t = (x); memcpy(y, &__t, 8); }
474
475 #define LOAD64H(x, y) \
476 { memcpy(&(x), y, 8); }
477
478 #endif /* ENDIAN_64BITWORD */
479 #endif /* ENDIAN_BIG */
480
481 #define BSWAP(x) ( ((x>>24)&0x000000FFUL) | ((x<<24)&0xFF000000UL) | \
482 ((x>>8)&0x0000FF00UL) | ((x<<8)&0x00FF0000UL) )
483
484
485 #define ROL64(x, y) \
486 ( (((x)<<((ulong64)(y)&63)) | \
487 (((x)&CONST64(0xFFFFFFFFFFFFFFFF))>>((ulong64)64-((y)&63)))) & CONST64(0xFFFFFFFFFFFFFFFF))
488
489 #define ROR64(x, y) \
490 ( ((((x)&CONST64(0xFFFFFFFFFFFFFFFF))>>((ulong64)(y)&CONST64(63))) | \
491 ((x)<<((ulong64)(64-((y)&CONST64(63)))))) & CONST64(0xFFFFFFFFFFFFFFFF))
492
493 #undef MAX
494 #undef MIN
495 #define MAX(x, y) ( ((x)>(y))?(x):(y) )
496 #define MIN(x, y) ( ((x)<(y))?(x):(y) )
497
498 /* extract a byte portably */
499 #define byte(x, n) (((x) >> (8 * (n))) & 255)
500
501 /* $Id: s128multab.h 213 2003-12-16 04:27:12Z ggr $ */
502 /* @(#)TuringMultab.h 1.3 (QUALCOMM) 02/09/03 */
503 /* Multiplication table for Turing using 0xD02B4367 */
504
505 static const ulong32 Multab[256] = {
506 0x00000000, 0xD02B4367, 0xED5686CE, 0x3D7DC5A9,
507 0x97AC41D1, 0x478702B6, 0x7AFAC71F, 0xAAD18478,
508 0x631582EF, 0xB33EC188, 0x8E430421, 0x5E684746,
509 0xF4B9C33E, 0x24928059, 0x19EF45F0, 0xC9C40697,
510 0xC62A4993, 0x16010AF4, 0x2B7CCF5D, 0xFB578C3A,
511 0x51860842, 0x81AD4B25, 0xBCD08E8C, 0x6CFBCDEB,
512 0xA53FCB7C, 0x7514881B, 0x48694DB2, 0x98420ED5,
513 0x32938AAD, 0xE2B8C9CA, 0xDFC50C63, 0x0FEE4F04,
514 0xC154926B, 0x117FD10C, 0x2C0214A5, 0xFC2957C2,
515 0x56F8D3BA, 0x86D390DD, 0xBBAE5574, 0x6B851613,
516 0xA2411084, 0x726A53E3, 0x4F17964A, 0x9F3CD52D,
517 0x35ED5155, 0xE5C61232, 0xD8BBD79B, 0x089094FC,
518 0x077EDBF8, 0xD755989F, 0xEA285D36, 0x3A031E51,
519 0x90D29A29, 0x40F9D94E, 0x7D841CE7, 0xADAF5F80,
520 0x646B5917, 0xB4401A70, 0x893DDFD9, 0x59169CBE,
521 0xF3C718C6, 0x23EC5BA1, 0x1E919E08, 0xCEBADD6F,
522 0xCFA869D6, 0x1F832AB1, 0x22FEEF18, 0xF2D5AC7F,
523 0x58042807, 0x882F6B60, 0xB552AEC9, 0x6579EDAE,
524 0xACBDEB39, 0x7C96A85E, 0x41EB6DF7, 0x91C02E90,
525 0x3B11AAE8, 0xEB3AE98F, 0xD6472C26, 0x066C6F41,
526 0x09822045, 0xD9A96322, 0xE4D4A68B, 0x34FFE5EC,
527 0x9E2E6194, 0x4E0522F3, 0x7378E75A, 0xA353A43D,
528 0x6A97A2AA, 0xBABCE1CD, 0x87C12464, 0x57EA6703,
529 0xFD3BE37B, 0x2D10A01C, 0x106D65B5, 0xC04626D2,
530 0x0EFCFBBD, 0xDED7B8DA, 0xE3AA7D73, 0x33813E14,
531 0x9950BA6C, 0x497BF90B, 0x74063CA2, 0xA42D7FC5,
532 0x6DE97952, 0xBDC23A35, 0x80BFFF9C, 0x5094BCFB,
533 0xFA453883, 0x2A6E7BE4, 0x1713BE4D, 0xC738FD2A,
534 0xC8D6B22E, 0x18FDF149, 0x258034E0, 0xF5AB7787,
535 0x5F7AF3FF, 0x8F51B098, 0xB22C7531, 0x62073656,
536 0xABC330C1, 0x7BE873A6, 0x4695B60F, 0x96BEF568,
537 0x3C6F7110, 0xEC443277, 0xD139F7DE, 0x0112B4B9,
538 0xD31DD2E1, 0x03369186, 0x3E4B542F, 0xEE601748,
539 0x44B19330, 0x949AD057, 0xA9E715FE, 0x79CC5699,
540 0xB008500E, 0x60231369, 0x5D5ED6C0, 0x8D7595A7,
541 0x27A411DF, 0xF78F52B8, 0xCAF29711, 0x1AD9D476,
542 0x15379B72, 0xC51CD815, 0xF8611DBC, 0x284A5EDB,
543 0x829BDAA3, 0x52B099C4, 0x6FCD5C6D, 0xBFE61F0A,
544 0x7622199D, 0xA6095AFA, 0x9B749F53, 0x4B5FDC34,
545 0xE18E584C, 0x31A51B2B, 0x0CD8DE82, 0xDCF39DE5,
546 0x1249408A, 0xC26203ED, 0xFF1FC644, 0x2F348523,
547 0x85E5015B, 0x55CE423C, 0x68B38795, 0xB898C4F2,
548 0x715CC265, 0xA1778102, 0x9C0A44AB, 0x4C2107CC,
549 0xE6F083B4, 0x36DBC0D3, 0x0BA6057A, 0xDB8D461D,
550 0xD4630919, 0x04484A7E, 0x39358FD7, 0xE91ECCB0,
551 0x43CF48C8, 0x93E40BAF, 0xAE99CE06, 0x7EB28D61,
552 0xB7768BF6, 0x675DC891, 0x5A200D38, 0x8A0B4E5F,
553 0x20DACA27, 0xF0F18940, 0xCD8C4CE9, 0x1DA70F8E,
554 0x1CB5BB37, 0xCC9EF850, 0xF1E33DF9, 0x21C87E9E,
555 0x8B19FAE6, 0x5B32B981, 0x664F7C28, 0xB6643F4F,
556 0x7FA039D8, 0xAF8B7ABF, 0x92F6BF16, 0x42DDFC71,
557 0xE80C7809, 0x38273B6E, 0x055AFEC7, 0xD571BDA0,
558 0xDA9FF2A4, 0x0AB4B1C3, 0x37C9746A, 0xE7E2370D,
559 0x4D33B375, 0x9D18F012, 0xA06535BB, 0x704E76DC,
560 0xB98A704B, 0x69A1332C, 0x54DCF685, 0x84F7B5E2,
561 0x2E26319A, 0xFE0D72FD, 0xC370B754, 0x135BF433,
562 0xDDE1295C, 0x0DCA6A3B, 0x30B7AF92, 0xE09CECF5,
563 0x4A4D688D, 0x9A662BEA, 0xA71BEE43, 0x7730AD24,
564 0xBEF4ABB3, 0x6EDFE8D4, 0x53A22D7D, 0x83896E1A,
565 0x2958EA62, 0xF973A905, 0xC40E6CAC, 0x14252FCB,
566 0x1BCB60CF, 0xCBE023A8, 0xF69DE601, 0x26B6A566,
567 0x8C67211E, 0x5C4C6279, 0x6131A7D0, 0xB11AE4B7,
568 0x78DEE220, 0xA8F5A147, 0x958864EE, 0x45A32789,
569 0xEF72A3F1, 0x3F59E096, 0x0224253F, 0xD20F6658,
570 };
571
572 /* $Id: s128sbox.h 213 2003-12-16 04:27:12Z ggr $ */
573 /* Sbox for SOBER-128 */
574 /*
575 * This is really the combination of two SBoxes; the least significant
576 * 24 bits comes from:
577 * 8->32 Sbox generated by Millan et. al. at Queensland University of
578 * Technology. See: E. Dawson, W. Millan, L. Burnett, G. Carter,
579 * "On the Design of 8*32 S-boxes". Unpublished report, by the
580 * Information Systems Research Centre,
581 * Queensland University of Technology, 1999.
582 *
583 * The most significant 8 bits are the Skipjack "F table", which can be
584 * found at http://csrc.nist.gov/CryptoToolkit/skipjack/skipjack.pdf .
585 * In this optimised table, though, the intent is to XOR the word from
586 * the table selected by the high byte with the input word. Thus, the
587 * high byte is actually the Skipjack F-table entry XORED with its
588 * table index.
589 */
590 static const ulong32 Sbox[256] = {
591 0xa3aa1887, 0xd65e435c, 0x0b65c042, 0x800e6ef4,
592 0xfc57ee20, 0x4d84fed3, 0xf066c502, 0xf354e8ae,
593 0xbb2ee9d9, 0x281f38d4, 0x1f829b5d, 0x735cdf3c,
594 0x95864249, 0xbc2e3963, 0xa1f4429f, 0xf6432c35,
595 0xf7f40325, 0x3cc0dd70, 0x5f973ded, 0x9902dc5e,
596 0xda175b42, 0x590012bf, 0xdc94d78c, 0x39aab26b,
597 0x4ac11b9a, 0x8c168146, 0xc3ea8ec5, 0x058ac28f,
598 0x52ed5c0f, 0x25b4101c, 0x5a2db082, 0x370929e1,
599 0x2a1843de, 0xfe8299fc, 0x202fbc4b, 0x833915dd,
600 0x33a803fa, 0xd446b2de, 0x46233342, 0x4fcee7c3,
601 0x3ad607ef, 0x9e97ebab, 0x507f859b, 0xe81f2e2f,
602 0xc55b71da, 0xd7e2269a, 0x1339c3d1, 0x7ca56b36,
603 0xa6c9def2, 0xb5c9fc5f, 0x5927b3a3, 0x89a56ddf,
604 0xc625b510, 0x560f85a7, 0xace82e71, 0x2ecb8816,
605 0x44951e2a, 0x97f5f6af, 0xdfcbc2b3, 0xce4ff55d,
606 0xcb6b6214, 0x2b0b83e3, 0x549ea6f5, 0x9de041af,
607 0x792f1f17, 0xf73b99ee, 0x39a65ec0, 0x4c7016c6,
608 0x857709a4, 0xd6326e01, 0xc7b280d9, 0x5cfb1418,
609 0xa6aff227, 0xfd548203, 0x506b9d96, 0xa117a8c0,
610 0x9cd5bf6e, 0xdcee7888, 0x61fcfe64, 0xf7a193cd,
611 0x050d0184, 0xe8ae4930, 0x88014f36, 0xd6a87088,
612 0x6bad6c2a, 0x1422c678, 0xe9204de7, 0xb7c2e759,
613 0x0200248e, 0x013b446b, 0xda0d9fc2, 0x0414a895,
614 0x3a6cc3a1, 0x56fef170, 0x86c19155, 0xcf7b8a66,
615 0x551b5e69, 0xb4a8623e, 0xa2bdfa35, 0xc4f068cc,
616 0x573a6acd, 0x6355e936, 0x03602db9, 0x0edf13c1,
617 0x2d0bb16d, 0x6980b83c, 0xfeb23763, 0x3dd8a911,
618 0x01b6bc13, 0xf55579d7, 0xf55c2fa8, 0x19f4196e,
619 0xe7db5476, 0x8d64a866, 0xc06e16ad, 0xb17fc515,
620 0xc46feb3c, 0x8bc8a306, 0xad6799d9, 0x571a9133,
621 0x992466dd, 0x92eb5dcd, 0xac118f50, 0x9fafb226,
622 0xa1b9cef3, 0x3ab36189, 0x347a19b1, 0x62c73084,
623 0xc27ded5c, 0x6c8bc58f, 0x1cdde421, 0xed1e47fb,
624 0xcdcc715e, 0xb9c0ff99, 0x4b122f0f, 0xc4d25184,
625 0xaf7a5e6c, 0x5bbf18bc, 0x8dd7c6e0, 0x5fb7e420,
626 0x521f523f, 0x4ad9b8a2, 0xe9da1a6b, 0x97888c02,
627 0x19d1e354, 0x5aba7d79, 0xa2cc7753, 0x8c2d9655,
628 0x19829da1, 0x531590a7, 0x19c1c149, 0x3d537f1c,
629 0x50779b69, 0xed71f2b7, 0x463c58fa, 0x52dc4418,
630 0xc18c8c76, 0xc120d9f0, 0xafa80d4d, 0x3b74c473,
631 0xd09410e9, 0x290e4211, 0xc3c8082b, 0x8f6b334a,
632 0x3bf68ed2, 0xa843cc1b, 0x8d3c0ff3, 0x20e564a0,
633 0xf8f55a4f, 0x2b40f8e7, 0xfea7f15f, 0xcf00fe21,
634 0x8a6d37d6, 0xd0d506f1, 0xade00973, 0xefbbde36,
635 0x84670fa8, 0xfa31ab9e, 0xaedab618, 0xc01f52f5,
636 0x6558eb4f, 0x71b9e343, 0x4b8d77dd, 0x8cb93da6,
637 0x740fd52d, 0x425412f8, 0xc5a63360, 0x10e53ad0,
638 0x5a700f1c, 0x8324ed0b, 0xe53dc1ec, 0x1a366795,
639 0x6d549d15, 0xc5ce46d7, 0xe17abe76, 0x5f48e0a0,
640 0xd0f07c02, 0x941249b7, 0xe49ed6ba, 0x37a47f78,
641 0xe1cfffbd, 0xb007ca84, 0xbb65f4da, 0xb59f35da,
642 0x33d2aa44, 0x417452ac, 0xc0d674a7, 0x2d61a46a,
643 0xdc63152a, 0x3e12b7aa, 0x6e615927, 0xa14fb118,
644 0xa151758d, 0xba81687b, 0xe152f0b3, 0x764254ed,
645 0x34c77271, 0x0a31acab, 0x54f94aec, 0xb9e994cd,
646 0x574d9e81, 0x5b623730, 0xce8a21e8, 0x37917f0b,
647 0xe8a9b5d6, 0x9697adf8, 0xf3d30431, 0x5dcac921,
648 0x76b35d46, 0xaa430a36, 0xc2194022, 0x22bca65e,
649 0xdaec70ba, 0xdfaea8cc, 0x777bae8b, 0x242924d5,
650 0x1f098a5a, 0x4b396b81, 0x55de2522, 0x435c1cb8,
651 0xaeb8fe1d, 0x9db3c697, 0x5b164f83, 0xe0c16376,
652 0xa319224c, 0xd0203b35, 0x433ac0fe, 0x1466a19a,
653 0x45f0b24f, 0x51fda998, 0xc0d52d71, 0xfa0896a8,
654 0xf9e6053f, 0xa4b0d300, 0xd499cbcc, 0xb95e3d40,
655 };
656
657
658 /* Implementation of SOBER-128 by Tom St Denis.
659 * Based on s128fast.c reference code supplied by Greg Rose of QUALCOMM.
660 */
661
662 const struct _prng_descriptor sober128_desc =
663 {
664 "sober128", 64,
665 &sober128_start,
666 &sober128_add_entropy,
667 &sober128_ready,
668 &sober128_read,
669 };
670
671 const struct _prng_descriptor *prng_descriptor[] = {
672 &sober128_desc
673 };
674
675 /* don't change these... */
676 #define N 17
677 #define FOLD N /* how many iterations of folding to do */
678 #define INITKONST 0x6996c53a /* value of KONST to use during key loading */
679 #define KEYP 15 /* where to insert key words */
680 #define FOLDP 4 /* where to insert non-linear feedback */
681
682 #define B(x,i) ((unsigned char)(((x) >> (8*i)) & 0xFF))
683
684 static ulong32 BYTE2WORD(unsigned char *b)
685 {
686 ulong32 t;
687 LOAD32L(t, b);
688 return t;
689 }
690
691 #define WORD2BYTE(w, b) STORE32L(b, w)
692
693 static void XORWORD(ulong32 w, unsigned char *b)
694 {
695 ulong32 t;
696 LOAD32L(t, b);
697 t ^= w;
698 STORE32L(t, b);
699 }
700
701 /* give correct offset for the current position of the register,
702 * where logically R[0] is at position "zero".
703 */
704 #define OFF(zero, i) (((zero)+(i)) % N)
705
706 /* step the LFSR */
707 /* After stepping, "zero" moves right one place */
708 #define STEP(R,z) \
709 R[OFF(z,0)] = R[OFF(z,15)] ^ R[OFF(z,4)] ^ (R[OFF(z,0)] << 8) ^ Multab[(R[OFF(z,0)] >> 24) & 0xFF];
710
711 static void cycle(ulong32 *R)
712 {
713 ulong32 t;
714 int i;
715
716 STEP(R,0);
717 t = R[0];
718 for (i = 1; i < N; ++i) {
719 R[i-1] = R[i];
720 }
721 R[N-1] = t;
722 }
723
724 /* Return a non-linear function of some parts of the register.
725 */
726 #define NLFUNC(c,z) \
727 { \
728 t = c->R[OFF(z,0)] + c->R[OFF(z,16)]; \
729 t ^= Sbox[(t >> 24) & 0xFF]; \
730 t = ROR(t, 8); \
731 t = ((t + c->R[OFF(z,1)]) ^ c->konst) + c->R[OFF(z,6)]; \
732 t ^= Sbox[(t >> 24) & 0xFF]; \
733 t = t + c->R[OFF(z,13)]; \
734 }
735
736 static ulong32 nltap(struct sober128_prng *c)
737 {
738 ulong32 t;
739 NLFUNC(c, 0);
740 return t;
741 }
742
743 /* initialise to known state
744 */
745 int sober128_start(prng_state *prng)
746 {
747 int i;
748 struct sober128_prng *c;
749
750 c = &(prng->sober128);
751
752 /* Register initialised to Fibonacci numbers */
753 c->R[0] = 1;
754 c->R[1] = 1;
755 for (i = 2; i < N; ++i) {
756 c->R[i] = c->R[i-1] + c->R[i-2];
757 }
758 c->konst = INITKONST;
759
760 /* next add_entropy will be the key */
761 c->flag = 1;
762 c->set = 0;
763
764 return CRYPT_OK;
765 }
766
767 /* Save the current register state
768 */
769 static void s128_savestate(struct sober128_prng *c)
770 {
771 int i;
772 for (i = 0; i < N; ++i) {
773 c->initR[i] = c->R[i];
774 }
775 }
776
777 /* initialise to previously saved register state
778 */
779 static void s128_reloadstate(struct sober128_prng *c)
780 {
781 int i;
782
783 for (i = 0; i < N; ++i) {
784 c->R[i] = c->initR[i];
785 }
786 }
787
788 /* Initialise "konst"
789 */
790 static void s128_genkonst(struct sober128_prng *c)
791 {
792 ulong32 newkonst;
793
794 do {
795 cycle(c->R);
796 newkonst = nltap(c);
797 } while ((newkonst & 0xFF000000) == 0);
798 c->konst = newkonst;
799 }
800
801 /* Load key material into the register
802 */
803 #define ADDKEY(k) \
804 c->R[KEYP] += (k);
805
806 #define XORNL(nl) \
807 c->R[FOLDP] ^= (nl);
808
809 /* nonlinear diffusion of register for key */
810 #define DROUND(z) STEP(c->R,z); NLFUNC(c,(z+1)); c->R[OFF((z+1),FOLDP)] ^= t;
811 static void s128_diffuse(struct sober128_prng *c)
812 {
813 ulong32 t;
814 /* relies on FOLD == N == 17! */
815 DROUND(0);
816 DROUND(1);
817 DROUND(2);
818 DROUND(3);
819 DROUND(4);
820 DROUND(5);
821 DROUND(6);
822 DROUND(7);
823 DROUND(8);
824 DROUND(9);
825 DROUND(10);
826 DROUND(11);
827 DROUND(12);
828 DROUND(13);
829 DROUND(14);
830 DROUND(15);
831 DROUND(16);
832 }
833
834 int sober128_add_entropy(const unsigned char *buf, unsigned long len, prng_state *prng)
835 {
836 struct sober128_prng *c;
837 ulong32 i, k;
838
839 c = &(prng->sober128);
840
841 if (c->flag == 1) {
842 /* this is the first call to the add_entropy so this input is the key */
843 /* len must be multiple of 4 bytes */
844 assert ((len & 3) == 0);
845
846 for (i = 0; i < len; i += 4) {
847 k = BYTE2WORD((unsigned char *)&buf[i]);
848 ADDKEY(k);
849 cycle(c->R);
850 XORNL(nltap(c));
851 }
852
853 /* also fold in the length of the key */
854 ADDKEY(len);
855
856 /* now diffuse */
857 s128_diffuse(c);
858
859 s128_genkonst(c);
860 s128_savestate(c);
861 c->nbuf = 0;
862 c->flag = 0;
863 c->set = 1;
864 } else {
865 /* ok we are adding an IV then... */
866 s128_reloadstate(c);
867
868 /* len must be multiple of 4 bytes */
869 assert ((len & 3) == 0);
870
871 for (i = 0; i < len; i += 4) {
872 k = BYTE2WORD((unsigned char *)&buf[i]);
873 ADDKEY(k);
874 cycle(c->R);
875 XORNL(nltap(c));
876 }
877
878 /* also fold in the length of the key */
879 ADDKEY(len);
880
881 /* now diffuse */
882 s128_diffuse(c);
883 c->nbuf = 0;
884 }
885
886 return CRYPT_OK;
887 }
888
889 int sober128_ready(prng_state *prng)
890 {
891 return prng->sober128.set == 1 ? CRYPT_OK : CRYPT_ERROR;
892 }
893
894 /* XOR pseudo-random bytes into buffer
895 */
896 #define SROUND(z) STEP(c->R,z); NLFUNC(c,(z+1)); XORWORD(t, buf+(z*4));
897
898 unsigned long sober128_read(unsigned char *buf, unsigned long nbytes, prng_state *prng)
899 {
900 struct sober128_prng *c;
901 ulong32 t, tlen;
902
903 c = &(prng->sober128);
904 t = 0;
905 tlen = nbytes;
906
907 /* handle any previously buffered bytes */
908 while (c->nbuf != 0 && nbytes != 0) {
909 *buf++ ^= c->sbuf & 0xFF;
910 c->sbuf >>= 8;
911 c->nbuf -= 8;
912 --nbytes;
913 }
914
915 #ifndef SMALL_CODE
916 /* do lots at a time, if there's enough to do */
917 while (nbytes >= N*4) {
918 SROUND(0);
919 SROUND(1);
920 SROUND(2);
921 SROUND(3);
922 SROUND(4);
923 SROUND(5);
924 SROUND(6);
925 SROUND(7);
926 SROUND(8);
927 SROUND(9);
928 SROUND(10);
929 SROUND(11);
930 SROUND(12);
931 SROUND(13);
932 SROUND(14);
933 SROUND(15);
934 SROUND(16);
935 buf += 4*N;
936 nbytes -= 4*N;
937 }
938 #endif
939
940 /* do small or odd size buffers the slow way */
941 while (4 <= nbytes) {
942 cycle(c->R);
943 t = nltap(c);
944 XORWORD(t, buf);
945 buf += 4;
946 nbytes -= 4;
947 }
948
949 /* handle any trailing bytes */
950 if (nbytes != 0) {
951 cycle(c->R);
952 c->sbuf = nltap(c);
953 c->nbuf = 32;
954 while (c->nbuf != 0 && nbytes != 0) {
955 *buf++ ^= c->sbuf & 0xFF;
956 c->sbuf >>= 8;
957 c->nbuf -= 8;
958 --nbytes;
959 }
960 }
961
962 return tlen;
963 }
964
965 /* SHA1 code by Tom St Denis */
966
967 const struct _hash_descriptor sha1_desc =
968 {
969 "sha1",
970 2,
971 20,
972 64,
973
974 /* DER identifier */
975 { 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2B, 0x0E,
976 0x03, 0x02, 0x1A, 0x05, 0x00, 0x04, 0x14 },
977 15,
978
979 &sha1_init,
980 &sha1_process,
981 &sha1_done,
982 };
983
984 #define F0(x,y,z) (z ^ (x & (y ^ z)))
985 #define F1(x,y,z) (x ^ y ^ z)
986 #define F2(x,y,z) ((x & y) | (z & (x | y)))
987 #define F3(x,y,z) (x ^ y ^ z)
988
989 static void sha1_compress(hash_state *md, unsigned char *buf)
990 {
991 ulong32 a,b,c,d,e,W[80],i;
992
993 /* copy the state into 512-bits into W[0..15] */
994 for (i = 0; i < 16; i++) {
995 LOAD32H(W[i], buf + (4*i));
996 }
997
998 /* copy state */
999 a = md->sha1.state[0];
1000 b = md->sha1.state[1];
1001 c = md->sha1.state[2];
1002 d = md->sha1.state[3];
1003 e = md->sha1.state[4];
1004
1005 /* expand it */
1006 for (i = 16; i < 80; i++) {
1007 W[i] = ROL(W[i-3] ^ W[i-8] ^ W[i-14] ^ W[i-16], 1);
1008 }
1009
1010 /* compress */
1011 /* round one */
1012 #define FF0(a,b,c,d,e,i) e = (ROL(a, 5) + F0(b,c,d) + e + W[i] + 0x5a827999UL); b = ROL(b, 30);
1013 #define FF1(a,b,c,d,e,i) e = (ROL(a, 5) + F1(b,c,d) + e + W[i] + 0x6ed9eba1UL); b = ROL(b, 30);
1014 #define FF2(a,b,c,d,e,i) e = (ROL(a, 5) + F2(b,c,d) + e + W[i] + 0x8f1bbcdcUL); b = ROL(b, 30);
1015 #define FF3(a,b,c,d,e,i) e = (ROL(a, 5) + F3(b,c,d) + e + W[i] + 0xca62c1d6UL); b = ROL(b, 30);
1016
1017 for (i = 0; i < 20; ) {
1018 FF0(a,b,c,d,e,i++);
1019 FF0(e,a,b,c,d,i++);
1020 FF0(d,e,a,b,c,i++);
1021 FF0(c,d,e,a,b,i++);
1022 FF0(b,c,d,e,a,i++);
1023 }
1024
1025 /* round two */
1026 for (; i < 40; ) {
1027 FF1(a,b,c,d,e,i++);
1028 FF1(e,a,b,c,d,i++);
1029 FF1(d,e,a,b,c,i++);
1030 FF1(c,d,e,a,b,i++);
1031 FF1(b,c,d,e,a,i++);
1032 }
1033
1034 /* round three */
1035 for (; i < 60; ) {
1036 FF2(a,b,c,d,e,i++);
1037 FF2(e,a,b,c,d,i++);
1038 FF2(d,e,a,b,c,i++);
1039 FF2(c,d,e,a,b,i++);
1040 FF2(b,c,d,e,a,i++);
1041 }
1042
1043 /* round four */
1044 for (; i < 80; ) {
1045 FF3(a,b,c,d,e,i++);
1046 FF3(e,a,b,c,d,i++);
1047 FF3(d,e,a,b,c,i++);
1048 FF3(c,d,e,a,b,i++);
1049 FF3(b,c,d,e,a,i++);
1050 }
1051
1052 #undef FF0
1053 #undef FF1
1054 #undef FF2
1055 #undef FF3
1056
1057 /* store */
1058 md->sha1.state[0] = md->sha1.state[0] + a;
1059 md->sha1.state[1] = md->sha1.state[1] + b;
1060 md->sha1.state[2] = md->sha1.state[2] + c;
1061 md->sha1.state[3] = md->sha1.state[3] + d;
1062 md->sha1.state[4] = md->sha1.state[4] + e;
1063 }
1064
1065 void sha1_init(hash_state * md)
1066 {
1067 md->sha1.state[0] = 0x67452301UL;
1068 md->sha1.state[1] = 0xefcdab89UL;
1069 md->sha1.state[2] = 0x98badcfeUL;
1070 md->sha1.state[3] = 0x10325476UL;
1071 md->sha1.state[4] = 0xc3d2e1f0UL;
1072 md->sha1.curlen = 0;
1073 md->sha1.length = 0;
1074 }
1075
1076 HASH_PROCESS(sha1_process, sha1_compress, sha1, 64)
1077
1078 int sha1_done(hash_state * md, unsigned char *hash)
1079 {
1080 int i;
1081
1082 /*
1083 * Assert there isn't an invalid argument
1084 */
1085 assert (md->sha1.curlen < sizeof (md->sha1.buf));
1086
1087 /* increase the length of the message */
1088 md->sha1.length += md->sha1.curlen * 8;
1089
1090 /* append the '1' bit */
1091 md->sha1.buf[md->sha1.curlen++] = (unsigned char)0x80;
1092
1093 /* if the length is currently above 56 bytes we append zeros
1094 * then compress. Then we can fall back to padding zeros and length
1095 * encoding like normal.
1096 */
1097 if (md->sha1.curlen > 56) {
1098 while (md->sha1.curlen < 64) {
1099 md->sha1.buf[md->sha1.curlen++] = (unsigned char)0;
1100 }
1101 sha1_compress(md, md->sha1.buf);
1102 md->sha1.curlen = 0;
1103 }
1104
1105 /* pad upto 56 bytes of zeroes */
1106 while (md->sha1.curlen < 56) {
1107 md->sha1.buf[md->sha1.curlen++] = (unsigned char)0;
1108 }
1109
1110 /* store length */
1111 STORE64H(md->sha1.length, md->sha1.buf+56);
1112 sha1_compress(md, md->sha1.buf);
1113
1114 /* copy output */
1115 for (i = 0; i < 5; i++) {
1116 STORE32H(md->sha1.state[i], hash+(4*i));
1117 }
1118 return CRYPT_OK;
1119 }
1120
1121 /* Submited by Dobes Vandermeer (dobes@smartt.com) */
1122
1123 /*
1124 (1) append zeros to the end of K to create a B byte string
1125 (e.g., if K is of length 20 bytes and B=64, then K will be
1126 appended with 44 zero bytes 0x00)
1127 (2) XOR (bitwise exclusive-OR) the B byte string computed in step
1128 (1) with ipad (ipad = the byte 0x36 repeated B times)
1129 (3) append the stream of data 'text' to the B byte string resulting
1130 from step (2)
1131 (4) apply H to the stream generated in step (3)
1132 (5) XOR (bitwise exclusive-OR) the B byte string computed in
1133 step (1) with opad (opad = the byte 0x5C repeated B times.)
1134 (6) append the H result from step (4) to the B byte string
1135 resulting from step (5)
1136 (7) apply H to the stream generated in step (6) and output
1137 the result
1138 */
1139
1140 int hmac_init(hmac_state *hmac, int hash, const unsigned char *key, unsigned long keylen)
1141 {
1142 unsigned char buf[128];
1143 unsigned long hashsize;
1144 unsigned long i;
1145 int err;
1146
1147 hmac->hash = hash;
1148 hashsize = hash_descriptor[hash]->hashsize;
1149
1150 /* valid key length? */
1151 assert (keylen > 0);
1152 assert (keylen <= hash_descriptor[hash]->blocksize);
1153
1154 memcpy(hmac->key, key, (size_t)keylen);
1155 if(keylen < hash_descriptor[hash]->blocksize) {
1156 memset((hmac->key) + keylen, 0, (size_t)(hash_descriptor[hash]->blocksize - keylen));
1157 }
1158
1159 // Create the initial vector for step (3)
1160 for(i=0; i < hash_descriptor[hash]->blocksize; i++) {
1161 buf[i] = hmac->key[i] ^ 0x36;
1162 }
1163
1164 // Pre-pend that to the hash data
1165 hash_descriptor[hash]->init(&hmac->md);
1166 err = hash_descriptor[hash]->process(&hmac->md, buf, hash_descriptor[hash]->blocksize);
1167
1168 return err;
1169 }
1170
1171 int hmac_process(hmac_state *hmac, const unsigned char *buf, unsigned long len)
1172 {
1173 return hash_descriptor[hmac->hash]->process(&hmac->md, buf, len);
1174 }
1175
1176 /* Submited by Dobes Vandermeer (dobes@smartt.com) */
1177
1178 /*
1179 (1) append zeros to the end of K to create a B byte string
1180 (e.g., if K is of length 20 bytes and B=64, then K will be
1181 appended with 44 zero bytes 0x00)
1182 (2) XOR (bitwise exclusive-OR) the B byte string computed in step
1183 (1) with ipad (ipad = the byte 0x36 repeated B times)
1184 (3) append the stream of data 'text' to the B byte string resulting
1185 from step (2)
1186 (4) apply H to the stream generated in step (3)
1187 (5) XOR (bitwise exclusive-OR) the B byte string computed in
1188 step (1) with opad (opad = the byte 0x5C repeated B times.)
1189 (6) append the H result from step (4) to the B byte string
1190 resulting from step (5)
1191 (7) apply H to the stream generated in step (6) and output
1192 the result
1193 */
1194
1195 int hmac_done(hmac_state *hmac, unsigned char *hashOut, unsigned long *outlen)
1196 {
1197 unsigned char buf[128];
1198 unsigned char isha[256];
1199 unsigned long hashsize, i;
1200 int hash, err;
1201
1202 /* test hash */
1203 hash = hmac->hash;
1204
1205 /* get the hash message digest size */
1206 hashsize = hash_descriptor[hash]->hashsize;
1207
1208 // Get the hash of the first HMAC vector plus the data
1209 if ((err = hash_descriptor[hash]->done(&hmac->md, isha)) != CRYPT_OK) {
1210 goto __ERR;
1211 }
1212
1213 // Create the second HMAC vector vector for step (3)
1214 for(i=0; i < hash_descriptor[hash]->blocksize; i++) {
1215 buf[i] = hmac->key[i] ^ 0x5C;
1216 }
1217
1218 // Now calculate the "outer" hash for step (5), (6), and (7)
1219 hash_descriptor[hash]->init(&hmac->md);
1220 if ((err = hash_descriptor[hash]->process(&hmac->md, buf, hash_descriptor[hash]->blocksize)) != CRYPT_OK) {
1221 goto __ERR;
1222 }
1223 if ((err = hash_descriptor[hash]->process(&hmac->md, isha, hashsize)) != CRYPT_OK) {
1224 goto __ERR;
1225 }
1226 if ((err = hash_descriptor[hash]->done(&hmac->md, buf)) != CRYPT_OK) {
1227 goto __ERR;
1228 }
1229
1230 // copy to output
1231 for (i = 0; i < hashsize && i < *outlen; i++) {
1232 hashOut[i] = buf[i];
1233 }
1234 *outlen = i;
1235
1236 err = CRYPT_OK;
1237 __ERR:
1238
1239 return err;
1240 }
1241
1242 const struct _hash_descriptor *hash_descriptor[] =
1243 {
1244 &sha1_desc
1245 };
1246
1247 /* portable way to get secure random bits to feed a PRNG */
1248 /* on *NIX read /dev/random */
1249 static unsigned long rng_nix(unsigned char *buf, unsigned long len,
1250 void (*callback)(void))
1251 {
1252 int fd;
1253 int rb;
1254
1255 fd = open ("/dev/urandom", O_RDONLY);
1256
1257 rb = read (fd, buf, len);
1258
1259 close (fd);
1260
1261 return (rb);
1262 }
1263
1264 /* on ANSI C platforms with 100 < CLOCKS_PER_SEC < 10000 */
1265 #if defined(XCLOCKS_PER_SEC)
1266
1267 #define ANSI_RNG
1268
1269 static unsigned long rng_ansic(unsigned char *buf, unsigned long len,
1270 void (*callback)(void))
1271 {
1272 clock_t t1;
1273 int l, acc, bits, a, b;
1274
1275 if (XCLOCKS_PER_SEC < 100 || XCLOCKS_PER_SEC > 10000) {
1276 return 0;
1277 }
1278
1279 l = len;
1280 bits = 8;
1281 acc = a = b = 0;
1282 while (len--) {
1283 if (callback != NULL) callback();
1284 while (bits--) {
1285 do {
1286 t1 = XCLOCK(); while (t1 == XCLOCK()) a ^= 1;
1287 t1 = XCLOCK(); while (t1 == XCLOCK()) b ^= 1;
1288 } while (a == b);
1289 acc = (acc << 1) | a;
1290 }
1291 *buf++ = acc;
1292 acc = 0;
1293 bits = 8;
1294 }
1295 acc = bits = a = b = 0;
1296 return l;
1297 }
1298
1299 #endif
1300
1301 unsigned long rng_get_bytes(unsigned char *buf, unsigned long len,
1302 void (*callback)(void))
1303 {
1304 unsigned long x;
1305
1306 x = rng_nix(buf, len, callback); if (x != 0) { return x; }
1307 #ifdef ANSI_RNG
1308 x = rng_ansic(buf, len, callback); if (x != 0) { return x; }
1309 #endif
1310 return 0;
1311 }
1312
1313 int rng_make_prng(int bits, int wprng, prng_state *prng,
1314 void (*callback)(void))
1315 {
1316 unsigned char buf[256];
1317 int err;
1318
1319 if (bits < 64 || bits > 1024) {
1320 return CRYPT_INVALID_PRNGSIZE;
1321 }
1322
1323 if ((err = prng_descriptor[wprng]->start(prng)) != CRYPT_OK) {
1324 return err;
1325 }
1326
1327 bits = ((bits/8)+((bits&7)!=0?1:0)) * 2;
1328 if (rng_get_bytes(buf, (unsigned long)bits, callback) != (unsigned long)bits) {
1329 return CRYPT_ERROR_READPRNG;
1330 }
1331
1332 if ((err = prng_descriptor[wprng]->add_entropy(buf, (unsigned long)bits, prng)) != CRYPT_OK) {
1333 return err;
1334 }
1335
1336 if ((err = prng_descriptor[wprng]->ready(prng)) != CRYPT_OK) {
1337 return err;
1338 }
1339
1340 return CRYPT_OK;
1341 }
1342
openais svn mirror