From 350771b9d464d944b4bffb6b7d8715cc80550fb8 Mon Sep 17 00:00:00 2001 From: Frank Denis Date: Thu, 10 Apr 2014 18:48:35 -0700 Subject: [PATCH] Replace hmac_sha256 implementation with scrypt's --- libsodium.vcxproj | 4 +- libsodium.vcxproj.filters | 2 +- src/libsodium/Makefile.am | 7 +- .../crypto_auth/hmacsha256/{ref => cp}/api.h | 0 .../hmacsha256/cp/hmac_hmacsha256.c | 395 ++++++++++++++++++ .../crypto_auth/hmacsha256/cp/sysendian.h | 146 +++++++ .../{ref => cp}/verify_hmacsha256.c | 0 .../hmacsha256/ref/hmac_hmacsha256.c | 83 ---- 8 files changed, 548 insertions(+), 89 deletions(-) rename src/libsodium/crypto_auth/hmacsha256/{ref => cp}/api.h (100%) create mode 100644 src/libsodium/crypto_auth/hmacsha256/cp/hmac_hmacsha256.c create mode 100644 src/libsodium/crypto_auth/hmacsha256/cp/sysendian.h rename src/libsodium/crypto_auth/hmacsha256/{ref => cp}/verify_hmacsha256.c (100%) delete mode 100644 src/libsodium/crypto_auth/hmacsha256/ref/hmac_hmacsha256.c diff --git a/libsodium.vcxproj b/libsodium.vcxproj index 2e5ce2e3..437978d2 100644 --- a/libsodium.vcxproj +++ b/libsodium.vcxproj @@ -374,8 +374,8 @@ - - + + diff --git a/libsodium.vcxproj.filters b/libsodium.vcxproj.filters index df34098d..3419de5d 100644 --- a/libsodium.vcxproj.filters +++ b/libsodium.vcxproj.filters @@ -202,7 +202,7 @@ Source Files - + Source Files diff --git a/src/libsodium/Makefile.am b/src/libsodium/Makefile.am index d81fccae..add096e5 100644 --- a/src/libsodium/Makefile.am +++ b/src/libsodium/Makefile.am @@ -4,9 +4,10 @@ lib_LTLIBRARIES = \ libsodium_la_SOURCES = \ crypto_auth/crypto_auth.c \ crypto_auth/hmacsha256/auth_hmacsha256_api.c \ - crypto_auth/hmacsha256/ref/api.h \ - crypto_auth/hmacsha256/ref/hmac_hmacsha256.c \ - crypto_auth/hmacsha256/ref/verify_hmacsha256.c \ + crypto_auth/hmacsha256/cp/api.h \ + crypto_auth/hmacsha256/cp/sysendian.h \ + crypto_auth/hmacsha256/cp/hmac_hmacsha256.c \ + crypto_auth/hmacsha256/cp/verify_hmacsha256.c \ crypto_auth/hmacsha512256/auth_hmacsha512256_api.c \ crypto_auth/hmacsha512256/ref/api.h \ crypto_auth/hmacsha512256/ref/hmac_hmacsha512256.c \ diff --git a/src/libsodium/crypto_auth/hmacsha256/ref/api.h b/src/libsodium/crypto_auth/hmacsha256/cp/api.h similarity index 100% rename from src/libsodium/crypto_auth/hmacsha256/ref/api.h rename to src/libsodium/crypto_auth/hmacsha256/cp/api.h diff --git a/src/libsodium/crypto_auth/hmacsha256/cp/hmac_hmacsha256.c b/src/libsodium/crypto_auth/hmacsha256/cp/hmac_hmacsha256.c new file mode 100644 index 00000000..c9de5a5c --- /dev/null +++ b/src/libsodium/crypto_auth/hmacsha256/cp/hmac_hmacsha256.c @@ -0,0 +1,395 @@ + +/*- + * Copyright 2005,2007,2009 Colin Percival + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + */ + +#include "api.h" +#include "crypto_hashblocks_sha256.h" +#include "utils.h" + +#include + +#include +#include +#include +#include + +#include "sysendian.h" + +typedef struct SHA256Context { + uint32_t state[8]; + uint32_t count[2]; + unsigned char buf[64]; +} SHA256_CTX; + +typedef struct HMAC_SHA256Context { + SHA256_CTX ictx; + SHA256_CTX octx; +} HMAC_SHA256_CTX; + +static void _SHA256_Init(SHA256_CTX *); +static void _SHA256_Update(SHA256_CTX *, const void *, size_t); +static void _SHA256_Final(unsigned char [32], SHA256_CTX *); +static void HMAC__SHA256_Init(HMAC_SHA256_CTX *, const void *, size_t); +static void HMAC__SHA256_Update(HMAC_SHA256_CTX *, const void *, size_t); +static void HMAC__SHA256_Final(unsigned char [32], HMAC_SHA256_CTX *); + +/* + * Encode a length len/4 vector of (uint32_t) into a length len vector of + * (unsigned char) in big-endian form. Assumes len is a multiple of 4. + */ +static void +be32enc_vect(unsigned char *dst, const uint32_t *src, size_t len) +{ + size_t i; + + for (i = 0; i < len / 4; i++) + be32enc(dst + i * 4, src[i]); +} + +/* + * Decode a big-endian length len vector of (unsigned char) into a length + * len/4 vector of (uint32_t). Assumes len is a multiple of 4. + */ +static void +be32dec_vect(uint32_t *dst, const unsigned char *src, size_t len) +{ + size_t i; + + for (i = 0; i < len / 4; i++) + dst[i] = be32dec(src + i * 4); +} + +/* Elementary functions used by SHA256 */ +#define Ch(x, y, z) ((x & (y ^ z)) ^ z) +#define Maj(x, y, z) ((x & (y | z)) | (y & z)) +#define SHR(x, n) (x >> n) +#define ROTR(x, n) ((x >> n) | (x << (32 - n))) +#define S0(x) (ROTR(x, 2) ^ ROTR(x, 13) ^ ROTR(x, 22)) +#define S1(x) (ROTR(x, 6) ^ ROTR(x, 11) ^ ROTR(x, 25)) +#define s0(x) (ROTR(x, 7) ^ ROTR(x, 18) ^ SHR(x, 3)) +#define s1(x) (ROTR(x, 17) ^ ROTR(x, 19) ^ SHR(x, 10)) + +/* SHA256 round function */ +#define RND(a, b, c, d, e, f, g, h, k) \ + t0 = h + S1(e) + Ch(e, f, g) + k; \ + t1 = S0(a) + Maj(a, b, c); \ + d += t0; \ + h = t0 + t1; + +/* Adjusted round function for rotating state */ +#define RNDr(S, W, i, k) \ + RND(S[(64 - i) % 8], S[(65 - i) % 8], \ + S[(66 - i) % 8], S[(67 - i) % 8], \ + S[(68 - i) % 8], S[(69 - i) % 8], \ + S[(70 - i) % 8], S[(71 - i) % 8], \ + W[i] + k) + +/* + * SHA256 block compression function. The 256-bit state is transformed via + * the 512-bit input block to produce a new state. + */ +static void +SHA256_Transform(uint32_t * state, const unsigned char block[64]) +{ + uint32_t W[64]; + uint32_t S[8]; + uint32_t t0, t1; + int i; + + /* 1. Prepare message schedule W. */ + be32dec_vect(W, block, 64); + for (i = 16; i < 64; i++) + W[i] = s1(W[i - 2]) + W[i - 7] + s0(W[i - 15]) + W[i - 16]; + + /* 2. Initialize working variables. */ + memcpy(S, state, 32); + + /* 3. Mix. */ + RNDr(S, W, 0, 0x428a2f98); + RNDr(S, W, 1, 0x71374491); + RNDr(S, W, 2, 0xb5c0fbcf); + RNDr(S, W, 3, 0xe9b5dba5); + RNDr(S, W, 4, 0x3956c25b); + RNDr(S, W, 5, 0x59f111f1); + RNDr(S, W, 6, 0x923f82a4); + RNDr(S, W, 7, 0xab1c5ed5); + RNDr(S, W, 8, 0xd807aa98); + RNDr(S, W, 9, 0x12835b01); + RNDr(S, W, 10, 0x243185be); + RNDr(S, W, 11, 0x550c7dc3); + RNDr(S, W, 12, 0x72be5d74); + RNDr(S, W, 13, 0x80deb1fe); + RNDr(S, W, 14, 0x9bdc06a7); + RNDr(S, W, 15, 0xc19bf174); + RNDr(S, W, 16, 0xe49b69c1); + RNDr(S, W, 17, 0xefbe4786); + RNDr(S, W, 18, 0x0fc19dc6); + RNDr(S, W, 19, 0x240ca1cc); + RNDr(S, W, 20, 0x2de92c6f); + RNDr(S, W, 21, 0x4a7484aa); + RNDr(S, W, 22, 0x5cb0a9dc); + RNDr(S, W, 23, 0x76f988da); + RNDr(S, W, 24, 0x983e5152); + RNDr(S, W, 25, 0xa831c66d); + RNDr(S, W, 26, 0xb00327c8); + RNDr(S, W, 27, 0xbf597fc7); + RNDr(S, W, 28, 0xc6e00bf3); + RNDr(S, W, 29, 0xd5a79147); + RNDr(S, W, 30, 0x06ca6351); + RNDr(S, W, 31, 0x14292967); + RNDr(S, W, 32, 0x27b70a85); + RNDr(S, W, 33, 0x2e1b2138); + RNDr(S, W, 34, 0x4d2c6dfc); + RNDr(S, W, 35, 0x53380d13); + RNDr(S, W, 36, 0x650a7354); + RNDr(S, W, 37, 0x766a0abb); + RNDr(S, W, 38, 0x81c2c92e); + RNDr(S, W, 39, 0x92722c85); + RNDr(S, W, 40, 0xa2bfe8a1); + RNDr(S, W, 41, 0xa81a664b); + RNDr(S, W, 42, 0xc24b8b70); + RNDr(S, W, 43, 0xc76c51a3); + RNDr(S, W, 44, 0xd192e819); + RNDr(S, W, 45, 0xd6990624); + RNDr(S, W, 46, 0xf40e3585); + RNDr(S, W, 47, 0x106aa070); + RNDr(S, W, 48, 0x19a4c116); + RNDr(S, W, 49, 0x1e376c08); + RNDr(S, W, 50, 0x2748774c); + RNDr(S, W, 51, 0x34b0bcb5); + RNDr(S, W, 52, 0x391c0cb3); + RNDr(S, W, 53, 0x4ed8aa4a); + RNDr(S, W, 54, 0x5b9cca4f); + RNDr(S, W, 55, 0x682e6ff3); + RNDr(S, W, 56, 0x748f82ee); + RNDr(S, W, 57, 0x78a5636f); + RNDr(S, W, 58, 0x84c87814); + RNDr(S, W, 59, 0x8cc70208); + RNDr(S, W, 60, 0x90befffa); + RNDr(S, W, 61, 0xa4506ceb); + RNDr(S, W, 62, 0xbef9a3f7); + RNDr(S, W, 63, 0xc67178f2); + + /* 4. Mix local working variables into global state */ + for (i = 0; i < 8; i++) + state[i] += S[i]; + + /* Clean the stack. */ + sodium_memzero(W, 256); + sodium_memzero(S, 32); + t0 = t1 = 0; +} + +static unsigned char PAD[64] = { + 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 +}; + +/* Add padding and terminating bit-count. */ +static void +SHA256_Pad(SHA256_CTX * ctx) +{ + unsigned char len[8]; + uint32_t r, plen; + + /* + * Convert length to a vector of bytes -- we do this now rather + * than later because the length will change after we pad. + */ + be32enc_vect(len, ctx->count, 8); + + /* Add 1--64 bytes so that the resulting length is 56 mod 64 */ + r = (ctx->count[1] >> 3) & 0x3f; + plen = (r < 56) ? (56 - r) : (120 - r); + _SHA256_Update(ctx, PAD, (size_t)plen); + + /* Add the terminating bit-count */ + _SHA256_Update(ctx, len, 8); +} + +/* SHA-256 initialization. Begins a SHA-256 operation. */ +static void +_SHA256_Init(SHA256_CTX * ctx) +{ + + /* Zero bits processed so far */ + ctx->count[0] = ctx->count[1] = 0; + + /* Magic initialization constants */ + ctx->state[0] = 0x6A09E667; + ctx->state[1] = 0xBB67AE85; + ctx->state[2] = 0x3C6EF372; + ctx->state[3] = 0xA54FF53A; + ctx->state[4] = 0x510E527F; + ctx->state[5] = 0x9B05688C; + ctx->state[6] = 0x1F83D9AB; + ctx->state[7] = 0x5BE0CD19; +} + +/* Add bytes into the hash */ +static void +_SHA256_Update(SHA256_CTX * ctx, const void *in, size_t len) +{ + uint32_t bitlen[2]; + uint32_t r; + const unsigned char *src = (const unsigned char *) in; + + /* Number of bytes left in the buffer from previous updates */ + r = (ctx->count[1] >> 3) & 0x3f; + + /* Convert the length into a number of bits */ + bitlen[1] = ((uint32_t)len) << 3; + bitlen[0] = (uint32_t)(len >> 29); + + /* Update number of bits */ + if ((ctx->count[1] += bitlen[1]) < bitlen[1]) + ctx->count[0]++; + ctx->count[0] += bitlen[0]; + + /* Handle the case where we don't need to perform any transforms */ + if (len < 64 - r) { + memcpy(&ctx->buf[r], src, len); + return; + } + + /* Finish the current block */ + memcpy(&ctx->buf[r], src, 64 - r); + SHA256_Transform(ctx->state, ctx->buf); + src += 64 - r; + len -= 64 - r; + + /* Perform complete blocks */ + while (len >= 64) { + SHA256_Transform(ctx->state, src); + src += 64; + len -= 64; + } + + /* Copy left over data into buffer */ + memcpy(ctx->buf, src, len); +} + +/* + * SHA-256 finalization. Pads the input data, exports the hash value, + * and clears the context state. + */ +static void +_SHA256_Final(unsigned char digest[32], SHA256_CTX * ctx) +{ + + /* Add padding */ + SHA256_Pad(ctx); + + /* Write the hash */ + be32enc_vect(digest, ctx->state, 32); + + /* Clear the context state */ + sodium_memzero((void *)ctx, sizeof(*ctx)); +} + +/* Initialize an HMAC-SHA256 operation with the given key. */ +static void +HMAC__SHA256_Init(HMAC_SHA256_CTX * ctx, const void * _K, size_t Klen) +{ + unsigned char pad[64]; + unsigned char khash[32]; + const unsigned char * K = (const unsigned char *) _K; + size_t i; + + /* If Klen > 64, the key is really SHA256(K). */ + if (Klen > 64) { + _SHA256_Init(&ctx->ictx); + _SHA256_Update(&ctx->ictx, K, Klen); + _SHA256_Final(khash, &ctx->ictx); + K = khash; + Klen = 32; + } + + /* Inner SHA256 operation is SHA256(K xor [block of 0x36] || data). */ + _SHA256_Init(&ctx->ictx); + memset(pad, 0x36, 64); + for (i = 0; i < Klen; i++) + pad[i] ^= K[i]; + _SHA256_Update(&ctx->ictx, pad, 64); + + /* Outer SHA256 operation is SHA256(K xor [block of 0x5c] || hash). */ + _SHA256_Init(&ctx->octx); + memset(pad, 0x5c, 64); + for (i = 0; i < Klen; i++) + pad[i] ^= K[i]; + _SHA256_Update(&ctx->octx, pad, 64); + + /* Clean the stack. */ + sodium_memzero(khash, 32); +} + +/* Add bytes to the HMAC-SHA256 operation. */ +void +HMAC__SHA256_Update(HMAC_SHA256_CTX * ctx, const void *in, size_t len) +{ + + /* Feed data to the inner SHA256 operation. */ + _SHA256_Update(&ctx->ictx, in, len); +} + +/* Finish an HMAC-SHA256 operation. */ +static void +HMAC__SHA256_Final(unsigned char digest[32], HMAC_SHA256_CTX * ctx) +{ + unsigned char ihash[32]; + + /* Finish the inner SHA256 operation. */ + _SHA256_Final(ihash, &ctx->ictx); + + /* Feed the inner hash to the outer SHA256 operation. */ + _SHA256_Update(&ctx->octx, ihash, 32); + + /* Finish the outer SHA256 operation. */ + _SHA256_Final(digest, &ctx->octx); + + /* Clean the stack. */ + sodium_memzero(ihash, 32); +} + +int +crypto_auth(unsigned char *out, const unsigned char *in, + unsigned long long inlen, const unsigned char *k) +{ + HMAC_SHA256_CTX ctx; + + if (inlen > SIZE_MAX) { + memset(out, 0, crypto_auth_BYTES); + return -1; + } + HMAC__SHA256_Init(&ctx, k, crypto_auth_KEYBYTES); + HMAC__SHA256_Update(&ctx, in, (size_t) inlen); + HMAC__SHA256_Final(out, &ctx); + + return 0; +} diff --git a/src/libsodium/crypto_auth/hmacsha256/cp/sysendian.h b/src/libsodium/crypto_auth/hmacsha256/cp/sysendian.h new file mode 100644 index 00000000..2f2c96f6 --- /dev/null +++ b/src/libsodium/crypto_auth/hmacsha256/cp/sysendian.h @@ -0,0 +1,146 @@ +#ifndef _SYSENDIAN_H_ +#define _SYSENDIAN_H_ + +#include + +/* Avoid namespace collisions with BSD . */ +#define be16dec scrypt_be16dec +#define be16enc scrypt_be16enc +#define be32dec scrypt_be32dec +#define be32enc scrypt_be32enc +#define be64dec scrypt_be64dec +#define be64enc scrypt_be64enc +#define le16dec scrypt_le16dec +#define le16enc scrypt_le16enc +#define le32dec scrypt_le32dec +#define le32enc scrypt_le32enc +#define le64dec scrypt_le64dec +#define le64enc scrypt_le64enc + +static inline uint16_t +be16dec(const void *pp) +{ + const uint8_t *p = (uint8_t const *)pp; + + return ((uint16_t)(p[1]) + ((uint16_t)(p[0]) << 8)); +} + +static inline void +be16enc(void *pp, uint16_t x) +{ + uint8_t * p = (uint8_t *)pp; + + p[1] = x & 0xff; + p[0] = (x >> 8) & 0xff; +} + +static inline uint32_t +be32dec(const void *pp) +{ + const uint8_t *p = (uint8_t const *)pp; + + return ((uint32_t)(p[3]) + ((uint32_t)(p[2]) << 8) + + ((uint32_t)(p[1]) << 16) + ((uint32_t)(p[0]) << 24)); +} + +static inline void +be32enc(void *pp, uint32_t x) +{ + uint8_t * p = (uint8_t *)pp; + + p[3] = x & 0xff; + p[2] = (x >> 8) & 0xff; + p[1] = (x >> 16) & 0xff; + p[0] = (x >> 24) & 0xff; +} + +static inline uint64_t +be64dec(const void *pp) +{ + const uint8_t *p = (uint8_t const *)pp; + + return ((uint64_t)(p[7]) + ((uint64_t)(p[6]) << 8) + + ((uint64_t)(p[5]) << 16) + ((uint64_t)(p[4]) << 24) + + ((uint64_t)(p[3]) << 32) + ((uint64_t)(p[2]) << 40) + + ((uint64_t)(p[1]) << 48) + ((uint64_t)(p[0]) << 56)); +} + +static inline void +be64enc(void *pp, uint64_t x) +{ + uint8_t * p = (uint8_t *)pp; + + p[7] = x & 0xff; + p[6] = (x >> 8) & 0xff; + p[5] = (x >> 16) & 0xff; + p[4] = (x >> 24) & 0xff; + p[3] = (x >> 32) & 0xff; + p[2] = (x >> 40) & 0xff; + p[1] = (x >> 48) & 0xff; + p[0] = (x >> 56) & 0xff; +} + +static inline uint16_t +le16dec(const void *pp) +{ + const uint8_t *p = (uint8_t const *)pp; + + return ((uint16_t)(p[0]) + ((uint16_t)(p[1]) << 8)); +} + +static inline void +le16enc(void *pp, uint16_t x) +{ + uint8_t * p = (uint8_t *)pp; + + p[0] = x & 0xff; + p[1] = (x >> 8) & 0xff; +} + +static inline uint32_t +le32dec(const void *pp) +{ + const uint8_t *p = (uint8_t const *)pp; + + return ((uint32_t)(p[0]) + ((uint32_t)(p[1]) << 8) + + ((uint32_t)(p[2]) << 16) + ((uint32_t)(p[3]) << 24)); +} + +static inline void +le32enc(void *pp, uint32_t x) +{ + uint8_t * p = (uint8_t *)pp; + + p[0] = x & 0xff; + p[1] = (x >> 8) & 0xff; + p[2] = (x >> 16) & 0xff; + p[3] = (x >> 24) & 0xff; +} + +static inline uint64_t +le64dec(const void *pp) +{ + const uint8_t *p = (uint8_t const *)pp; + + return ((uint64_t)(p[0]) + ((uint64_t)(p[1]) << 8) + + ((uint64_t)(p[2]) << 16) + ((uint64_t)(p[3]) << 24) + + ((uint64_t)(p[4]) << 32) + ((uint64_t)(p[5]) << 40) + + ((uint64_t)(p[6]) << 48) + ((uint64_t)(p[7]) << 56)); +} + +static inline void +le64enc(void *pp, uint64_t x) +{ + uint8_t * p = (uint8_t *)pp; + + p[0] = x & 0xff; + p[1] = (x >> 8) & 0xff; + p[2] = (x >> 16) & 0xff; + p[3] = (x >> 24) & 0xff; + p[4] = (x >> 32) & 0xff; + p[5] = (x >> 40) & 0xff; + p[6] = (x >> 48) & 0xff; + p[7] = (x >> 56) & 0xff; +} + +#endif /* !_SYSENDIAN_H_ */ diff --git a/src/libsodium/crypto_auth/hmacsha256/ref/verify_hmacsha256.c b/src/libsodium/crypto_auth/hmacsha256/cp/verify_hmacsha256.c similarity index 100% rename from src/libsodium/crypto_auth/hmacsha256/ref/verify_hmacsha256.c rename to src/libsodium/crypto_auth/hmacsha256/cp/verify_hmacsha256.c diff --git a/src/libsodium/crypto_auth/hmacsha256/ref/hmac_hmacsha256.c b/src/libsodium/crypto_auth/hmacsha256/ref/hmac_hmacsha256.c deleted file mode 100644 index c1498f8e..00000000 --- a/src/libsodium/crypto_auth/hmacsha256/ref/hmac_hmacsha256.c +++ /dev/null @@ -1,83 +0,0 @@ -/* - * 20080913 - * D. J. Bernstein - * Public domain. - * */ - -#include "api.h" -#include "crypto_hashblocks_sha256.h" - -#define blocks crypto_hashblocks_sha256 - -typedef unsigned int uint32; - -static const unsigned char iv[32] = { - 0x6a,0x09,0xe6,0x67, - 0xbb,0x67,0xae,0x85, - 0x3c,0x6e,0xf3,0x72, - 0xa5,0x4f,0xf5,0x3a, - 0x51,0x0e,0x52,0x7f, - 0x9b,0x05,0x68,0x8c, - 0x1f,0x83,0xd9,0xab, - 0x5b,0xe0,0xcd,0x19, -} ; - -int crypto_auth(unsigned char *out,const unsigned char *in,unsigned long long inlen,const unsigned char *k) -{ - unsigned char h[32]; - unsigned char padded[128]; - unsigned long long i; - unsigned long long bits = 512 + (inlen << 3); - - for (i = 0;i < 32;++i) h[i] = iv[i]; - - for (i = 0;i < 32;++i) padded[i] = k[i] ^ 0x36; - for (i = 32;i < 64;++i) padded[i] = 0x36; - - blocks(h,padded,64); - blocks(h,in,inlen); - in += inlen; - inlen &= 63; - in -= inlen; - - for (i = 0;i < inlen;++i) padded[i] = in[i]; - padded[inlen] = 0x80; - - if (inlen < 56) { - for (i = inlen + 1;i < 56;++i) padded[i] = 0; - padded[56] = bits >> 56; - padded[57] = bits >> 48; - padded[58] = bits >> 40; - padded[59] = bits >> 32; - padded[60] = bits >> 24; - padded[61] = bits >> 16; - padded[62] = bits >> 8; - padded[63] = bits; - blocks(h,padded,64); - } else { - for (i = inlen + 1;i < 120;++i) padded[i] = 0; - padded[120] = bits >> 56; - padded[121] = bits >> 48; - padded[122] = bits >> 40; - padded[123] = bits >> 32; - padded[124] = bits >> 24; - padded[125] = bits >> 16; - padded[126] = bits >> 8; - padded[127] = bits; - blocks(h,padded,128); - } - - for (i = 0;i < 32;++i) padded[i] = k[i] ^ 0x5c; - for (i = 32;i < 64;++i) padded[i] = 0x5c; - for (i = 0;i < 32;++i) padded[64 + i] = h[i]; - - for (i = 0;i < 32;++i) out[i] = iv[i]; - - for (i = 32;i < 64;++i) padded[64 + i] = 0; - padded[64 + 32] = 0x80; - padded[64 + 62] = 3; - - blocks(out,padded,128); - - return 0; -}