Revision 4108e77e0eb091fdd9b9c4174374a6ac0cc0abd0 authored by Dmitry Belyavskiy on 27 May 2020, 09:56:07 UTC, committed by Dmitry Belyavskiy on 27 May 2020, 09:56:07 UTC
1 parent a90ad6c
gosthash2012.c
/*
* GOST R 34.11-2012 core functions.
*
* Copyright (c) 2013 Cryptocom LTD.
* This file is distributed under the same license as OpenSSL.
*
* Author: Alexey Degtyarev <alexey@renatasystems.org>
*
*/
#include "gosthash2012.h"
#if defined(__x86_64__) || defined(__e2k__)
# ifdef _MSC_VER
# include <intrin.h>
# else
# include <x86intrin.h>
# endif
#endif
#if defined(_WIN32) || defined(_WINDOWS)
# define INLINE __inline
#else
# define INLINE inline
#endif
#define BSWAP64(x) \
(((x & 0xFF00000000000000ULL) >> 56) | \
((x & 0x00FF000000000000ULL) >> 40) | \
((x & 0x0000FF0000000000ULL) >> 24) | \
((x & 0x000000FF00000000ULL) >> 8) | \
((x & 0x00000000FF000000ULL) << 8) | \
((x & 0x0000000000FF0000ULL) << 24) | \
((x & 0x000000000000FF00ULL) << 40) | \
((x & 0x00000000000000FFULL) << 56))
/*
* Initialize gost2012 hash context structure
*/
void init_gost2012_hash_ctx(gost2012_hash_ctx * CTX,
const unsigned int digest_size)
{
memset(CTX, 0, sizeof(gost2012_hash_ctx));
CTX->digest_size = digest_size;
/*
* IV for 512-bit hash should be 0^512
* IV for 256-bit hash should be (00000001)^64
*
* It's already zeroed when CTX is cleared above, so we only
* need to set it to 0x01-s for 256-bit hash.
*/
if (digest_size == 256)
memset(&CTX->h, 0x01, sizeof(uint512_u));
}
static INLINE void pad(gost2012_hash_ctx * CTX)
{
memset(&(CTX->buffer.B[CTX->bufsize]), 0, sizeof(CTX->buffer) - CTX->bufsize);
CTX->buffer.B[CTX->bufsize] = 1;
}
static INLINE void add512(union uint512_u * RESTRICT x,
const union uint512_u * RESTRICT y)
{
#ifndef __GOST3411_BIG_ENDIAN__
unsigned int CF = 0;
unsigned int i;
# ifdef HAVE_ADDCARRY_U64
for (i = 0; i < 8; i++)
CF = _addcarry_u64(CF, x->QWORD[i] , y->QWORD[i], &(x->QWORD[i]));
# else
for (i = 0; i < 8; i++) {
const unsigned long long left = x->QWORD[i];
unsigned long long sum;
sum = left + y->QWORD[i] + CF;
/*
* (sum == left): is noop, because it's possible only
* when `left' is added with `0 + 0' or with `ULLONG_MAX + 1',
* in that case `CF' (carry) retain previous value, which is correct,
* because when `left + 0 + 0' there was no overflow (thus no carry),
* and when `left + ULLONG_MAX + 1' value is wrapped back to
* itself with overflow, thus creating carry.
*
* (sum != left):
* if `sum' is not wrapped (sum > left) there should not be carry,
* if `sum' is wrapped (sum < left) there should be carry.
*/
if (sum != left)
CF = (sum < left);
x->QWORD[i] = sum;
}
# endif /* !__x86_64__ */
#else /* __GOST3411_BIG_ENDIAN__ */
const unsigned char *yp;
unsigned char *xp;
unsigned int i;
int buf;
xp = (unsigned char *)&x[0];
yp = (const unsigned char *)&y[0];
buf = 0;
for (i = 0; i < 64; i++) {
buf = xp[i] + yp[i] + (buf >> 8);
xp[i] = (unsigned char)buf & 0xFF;
}
#endif /* __GOST3411_BIG_ENDIAN__ */
}
static void g(union uint512_u *h, const union uint512_u * RESTRICT N,
const union uint512_u * RESTRICT m)
{
#ifdef __GOST3411_HAS_SSE2__
__m128i xmm0, xmm2, xmm4, xmm6; /* XMMR0-quadruple */
__m128i xmm1, xmm3, xmm5, xmm7; /* XMMR1-quadruple */
unsigned int i;
LOAD(N, xmm0, xmm2, xmm4, xmm6);
XLPS128M(h, xmm0, xmm2, xmm4, xmm6);
ULOAD(m, xmm1, xmm3, xmm5, xmm7);
XLPS128R(xmm0, xmm2, xmm4, xmm6, xmm1, xmm3, xmm5, xmm7);
for (i = 0; i < 11; i++)
ROUND128(i, xmm0, xmm2, xmm4, xmm6, xmm1, xmm3, xmm5, xmm7);
XLPS128M((&C[11]), xmm0, xmm2, xmm4, xmm6);
X128R(xmm0, xmm2, xmm4, xmm6, xmm1, xmm3, xmm5, xmm7);
X128M(h, xmm0, xmm2, xmm4, xmm6);
ULOAD(m, xmm1, xmm3, xmm5, xmm7);
X128R(xmm0, xmm2, xmm4, xmm6, xmm1, xmm3, xmm5, xmm7);
STORE(h, xmm0, xmm2, xmm4, xmm6);
# ifndef __i386__
/* Restore the Floating-point status on the CPU */
/* This is only required on MMX, but EXTRACT32 is using MMX */
_mm_empty();
# endif
#else
union uint512_u Ki, data;
unsigned int i;
XLPS(h, N, (&data));
/* Starting E() */
Ki = data;
XLPS((&Ki), ((const union uint512_u *)&m[0]), (&data));
for (i = 0; i < 11; i++)
ROUND(i, (&Ki), (&data));
XLPS((&Ki), (&C[11]), (&Ki));
X((&Ki), (&data), (&data));
/* E() done */
X((&data), h, (&data));
X((&data), m, h);
#endif
}
static INLINE void stage2(gost2012_hash_ctx * CTX, const union uint512_u *data)
{
g(&(CTX->h), &(CTX->N), data);
add512(&(CTX->N), &buffer512);
add512(&(CTX->Sigma), data);
}
static INLINE void stage3(gost2012_hash_ctx * CTX)
{
pad(CTX);
g(&(CTX->h), &(CTX->N), &(CTX->buffer));
add512(&(CTX->Sigma), &CTX->buffer);
memset(&(CTX->buffer.B[0]), 0, sizeof(uint512_u));
#ifndef __GOST3411_BIG_ENDIAN__
CTX->buffer.QWORD[0] = CTX->bufsize << 3;
#else
CTX->buffer.QWORD[0] = BSWAP64(CTX->bufsize << 3);
#endif
add512(&(CTX->N), &(CTX->buffer));
g(&(CTX->h), &buffer0, &(CTX->N));
g(&(CTX->h), &buffer0, &(CTX->Sigma));
}
/*
* Hash block of arbitrary length
*
*/
void gost2012_hash_block(gost2012_hash_ctx * CTX,
const unsigned char *data, size_t len)
{
register size_t bufsize = CTX->bufsize;
if (bufsize == 0) {
while (len >= 64) {
memcpy(&CTX->buffer.B[0], data, 64);
stage2(CTX, &(CTX->buffer));
data += 64;
len -= 64;
}
}
while (len) {
register size_t chunksize = 64 - bufsize;
if (chunksize > len)
chunksize = len;
memcpy(&CTX->buffer.B[bufsize], data, chunksize);
bufsize += chunksize;
len -= chunksize;
data += chunksize;
if (bufsize == 64) {
stage2(CTX, &(CTX->buffer) );
bufsize = 0;
}
}
CTX->bufsize = bufsize;
}
/*
* Compute hash value from current state of ctx
* state of hash ctx becomes invalid and cannot be used for further
* hashing.
*/
void gost2012_finish_hash(gost2012_hash_ctx * CTX, unsigned char *digest)
{
stage3(CTX);
CTX->bufsize = 0;
if (CTX->digest_size == 256)
memcpy(digest, &(CTX->h.QWORD[4]), 32);
else
memcpy(digest, &(CTX->h.QWORD[0]), 64);
}
Computing file changes ...
