ims-volte-vowifi
/
strongswan
9
0
Fork 0
Code Pull Requests Releases Activity

Use strongSwan hash plugins for SHA-1 and SHA-256

This commit is contained in:
Andreas Steffen 2013-11-24 15:31:19 +01:00
parent d993a567b7
commit 5443762491
20 changed files with 168 additions and 2754 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
src/libstrongswan/plugins/ntru/Makefile.am
View File

@ -16,10 +16,6 @@ libstrongswan_ntru_la_SOURCES = \
ntru_ke.h ntru_ke.c \
ntru_test_rng.h ntru_test_rng.c \
ntru_crypto/ntru_crypto.h ntru_crypto/ntru_crypto_error.h \
ntru_crypto/ntru_crypto_hash_basics.h \
ntru_crypto/ntru_crypto_hash.h ntru_crypto/ntru_crypto_hash.c \
ntru_crypto/ntru_crypto_msbyte_uint32.h \
ntru_crypto/ntru_crypto_msbyte_uint32.c \
ntru_crypto/ntru_crypto_ntru_convert.h \
ntru_crypto/ntru_crypto_ntru_convert.c \
ntru_crypto/ntru_crypto_ntru_encrypt.c \
@ -28,11 +24,7 @@ libstrongswan_ntru_la_SOURCES = \
ntru_crypto/ntru_crypto_ntru_encrypt_param_sets.h \
ntru_crypto/ntru_crypto_ntru_encrypt_param_sets.c \
ntru_crypto/ntru_crypto_ntru_mgf1.h ntru_crypto/ntru_crypto_ntru_mgf1.c \
ntru_crypto/ntru_crypto_ntru_poly.h ntru_crypto/ntru_crypto_ntru_poly.c \
ntru_crypto/ntru_crypto_platform.h ntru_crypto/ntru_crypto_sha.h\
ntru_crypto/ntru_crypto_sha1.h ntru_crypto/ntru_crypto_sha1.c\
ntru_crypto/ntru_crypto_sha2.h ntru_crypto/ntru_crypto_sha2.c\
ntru_crypto/ntru_crypto_sha256.h ntru_crypto/ntru_crypto_sha256.c
ntru_crypto/ntru_crypto_ntru_poly.h ntru_crypto/ntru_crypto_ntru_poly.c
libstrongswan_ntru_la_LDFLAGS = -module -avoid-version

335
src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_hash.c
View File

@ -1,335 +0,0 @@
/******************************************************************************
* NTRU Cryptography Reference Source Code
* Copyright (c) 2009-2013, by Security Innovation, Inc. All rights reserved.
*
* ntru_crypto_hash.c is a component of ntru-crypto.
*
* Copyright (C) 2009-2013 Security Innovation
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2
* of the License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*
*****************************************************************************/
/******************************************************************************
*
* File: ntru_crypto_hash.c
*
* Contents: Routines implementing the hash object abstraction.
*
*****************************************************************************/
#include <stdlib.h>
#include "ntru_crypto_hash.h"
typedef uint32_t (*NTRU_CRYPTO_HASH_INIT_FN)(
void *c);
typedef uint32_t (*NTRU_CRYPTO_HASH_UPDATE_FN)(
void *c,
void const *data,
uint32_t len);
typedef uint32_t (*NTRU_CRYPTO_HASH_FINAL_FN)(
void *c,
void *md);
typedef uint32_t (*NTRU_CRYPTO_HASH_DIGEST_FN)(
void const *data,
uint32_t len,
void *md);
typedef struct _NTRU_CRYPTO_HASH_ALG_PARAMS {
uint8_t algid;
uint16_t block_length;
uint16_t digest_length;
NTRU_CRYPTO_HASH_INIT_FN init;
NTRU_CRYPTO_HASH_UPDATE_FN update;
NTRU_CRYPTO_HASH_FINAL_FN final;
NTRU_CRYPTO_HASH_FINAL_FN final_zero_pad;
NTRU_CRYPTO_HASH_DIGEST_FN digest;
} NTRU_CRYPTO_HASH_ALG_PARAMS;
static NTRU_CRYPTO_HASH_ALG_PARAMS const algs_params[] = {
{
NTRU_CRYPTO_HASH_ALGID_SHA1,
SHA_1_BLK_LEN,
SHA_1_MD_LEN,
(NTRU_CRYPTO_HASH_INIT_FN) SHA_1_INIT_FN,
(NTRU_CRYPTO_HASH_UPDATE_FN) SHA_1_UPDATE_FN,
(NTRU_CRYPTO_HASH_FINAL_FN) SHA_1_FINAL_FN,
(NTRU_CRYPTO_HASH_FINAL_FN) SHA_1_FINAL_ZERO_PAD_FN,
(NTRU_CRYPTO_HASH_DIGEST_FN) SHA_1_DIGEST_FN,
},
{
NTRU_CRYPTO_HASH_ALGID_SHA256,
SHA_256_BLK_LEN,
SHA_256_MD_LEN,
(NTRU_CRYPTO_HASH_INIT_FN) SHA_256_INIT_FN,
(NTRU_CRYPTO_HASH_UPDATE_FN) SHA_256_UPDATE_FN,
(NTRU_CRYPTO_HASH_FINAL_FN) SHA_256_FINAL_FN,
(NTRU_CRYPTO_HASH_FINAL_FN) SHA_256_FINAL_ZERO_PAD_FN,
(NTRU_CRYPTO_HASH_DIGEST_FN) SHA_256_DIGEST_FN,
},
};
static int const numalgs = (sizeof(algs_params)/sizeof(algs_params[0]));
/* get_alg_params
*
* Return a pointer to the hash algorithm parameters for the hash algorithm
* specified, by looking for algid in the global algs_params table.
* If not found, return NULL.
*/
static NTRU_CRYPTO_HASH_ALG_PARAMS const *
get_alg_params(
NTRU_CRYPTO_HASH_ALGID algid) // in - the hash algorithm to find
{
int i;
for (i = 0; i < numalgs; i++)
if (algs_params[i].algid == algid)
return &algs_params[i];
return NULL;
}
/* ntru_crypto_hash_set_alg
*
* Sets the hash algorithm for the hash context. This must be called before
* any calls to ntru_crypto_hash_block_length(),
* ntru_crypto_hash_digest_length(), or ntru_crypto_hash_init() are made.
*
* Returns NTRU_CRYPTO_HASH_OK on success.
* Returns NTRU_CRYPTO_HASH_BAD_ALG if the specified algorithm is not supported.
*/
uint32_t
ntru_crypto_hash_set_alg(
NTRU_CRYPTO_HASH_ALGID algid, // in - hash algoirithm to be used
NTRU_CRYPTO_HASH_CTX *c) // in/out - pointer to the hash context
{
if (!c)
HASH_RET(NTRU_CRYPTO_HASH_BAD_PARAMETER);
c->alg_params = get_alg_params(algid);
if (!c->alg_params) {
HASH_RET(NTRU_CRYPTO_HASH_BAD_ALG);
}
HASH_RET(NTRU_CRYPTO_HASH_OK);
}
/* ntru_crypto_hash_block_length
*
* Gets the number of bytes in an input block for the hash algorithm
* specified in the hash context. The hash algorithm must have been set
* in the hash context with a call to ntru_crypto_hash_set_alg() prior to
* calling this function.
*
* Returns NTRU_CRYPTO_HASH_OK on success.
* Returns NTRU_CRYPTO_HASH_BAD_PARAMETER if inappropriate NULL pointers are
* passed.
* Returns NTRU_CRYPTO_HASH_BAD_ALG if the algorithm has not been set.
*/
uint32_t
ntru_crypto_hash_block_length(
NTRU_CRYPTO_HASH_CTX *c, // in - pointer to the hash context
uint16_t *blk_len) // out - address for block length in bytes
{
if (!c || !blk_len)
HASH_RET(NTRU_CRYPTO_HASH_BAD_PARAMETER);
if (!c->alg_params)
HASH_RET(NTRU_CRYPTO_HASH_BAD_ALG);
*blk_len = c->alg_params->block_length;
HASH_RET(NTRU_CRYPTO_HASH_OK);
}
/* ntru_crypto_hash_digest_length
*
* Gets the number of bytes needed to hold the message digest for the
* hash algorithm specified in the hash context. The algorithm must have
* been set in the hash context with a call to ntru_crypto_hash_set_alg() prior
* to calling this function.
*
* Returns NTRU_CRYPTO_HASH_OK on success.
* Returns NTRU_CRYPTO_HASH_BAD_PARAMETER if inappropriate NULL pointers are
* passed.
* Returns NTRU_CRYPTO_HASH_BAD_ALG if the algorithm has not been set.
*/
uint32_t
ntru_crypto_hash_digest_length(
NTRU_CRYPTO_HASH_CTX const *c, // in - pointer to the hash context
uint16_t *md_len) // out - addr for digest length in bytes
{
if (!c || !md_len)
HASH_RET(NTRU_CRYPTO_HASH_BAD_PARAMETER);
if (!c->alg_params)
HASH_RET(NTRU_CRYPTO_HASH_BAD_ALG);
*md_len = c->alg_params->digest_length;
HASH_RET(NTRU_CRYPTO_HASH_OK);
}
/* ntru_crypto_hash_init
*
* This routine performs standard initialization of the hash state.
*
* Returns NTRU_CRYPTO_HASH_OK on success.
* Returns NTRU_CRYPTO_HASH_FAIL with corrupted context.
* Returns NTRU_CRYPTO_HASH_BAD_PARAMETER if inappropriate NULL pointers are
* passed.
* Returns NTRU_CRYPTO_HASH_BAD_ALG if the algorithm has not been set.
*/
uint32_t
ntru_crypto_hash_init(
NTRU_CRYPTO_HASH_CTX *c) // in/out - pointer to hash context
{
if (!c)
HASH_RET(NTRU_CRYPTO_HASH_BAD_PARAMETER);
if (!c->alg_params)
HASH_RET(NTRU_CRYPTO_HASH_BAD_ALG);
return c->alg_params->init(&c->alg_ctx);
}
/* ntru_crypto_hash_update
*
* This routine processes input data and updates the hash calculation.
*
* Returns NTRU_CRYPTO_HASH_OK on success.
* Returns NTRU_CRYPTO_HASH_FAIL with corrupted context.
* Returns NTRU_CRYPTO_HASH_BAD_PARAMETER if inappropriate NULL pointers are
* passed.
* Returns NTRU_CRYPTO_HASH_OVERFLOW if too much text has been fed to the
* hash algorithm. The size limit is dependent on the hash algorithm,
* and not all algorithms have this limit.
* Returns NTRU_CRYPTO_HASH_BAD_ALG if the algorithm has not been set.
*/
uint32_t
ntru_crypto_hash_update(
NTRU_CRYPTO_HASH_CTX *c, // in/out - pointer to hash context
uint8_t const *data, // in - pointer to input data
uint32_t data_len) // in - number of bytes of input data
{
if (!c || (data_len && !data))
HASH_RET(NTRU_CRYPTO_HASH_BAD_PARAMETER);
if (!c->alg_params)
HASH_RET(NTRU_CRYPTO_HASH_BAD_ALG);
return c->alg_params->update(&c->alg_ctx, data, data_len);
}
/* ntru_crypto_hash_final
*
* This routine completes the hash calculation and returns the message digest.
*
* Returns NTRU_CRYPTO_HASH_OK on success.
* Returns NTRU_CRYPTO_HASH_FAIL with corrupted context.
* Returns NTRU_CRYPTO_HASH_BAD_PARAMETER if inappropriate NULL pointers are
* passed.
* Returns NTRU_CRYPTO_HASH_BAD_ALG if the algorithm has not been set.
*/
uint32_t
ntru_crypto_hash_final(
NTRU_CRYPTO_HASH_CTX *c, // in/out - pointer to hash context
uint8_t *md) // out - address for message digest
{
if (!c || !md)
HASH_RET(NTRU_CRYPTO_HASH_BAD_PARAMETER);
if (!c->alg_params)
HASH_RET(NTRU_CRYPTO_HASH_BAD_ALG);
return c->alg_params->final(&c->alg_ctx, md);
}
/* ntru_crypto_hash_final_zero_pad
*
* This routine completes the hash calculation using zero padding and
* returns the message digest.
*
* Returns NTRU_CRYPTO_HASH_OK on success.
* Returns NTRU_CRYPTO_HASH_FAIL with corrupted context.
* Returns NTRU_CRYPTO_HASH_BAD_PARAMETER if inappropriate NULL pointers are
* passed.
* Returns NTRU_CRYPTO_HASH_BAD_ALG if the algorithm has not been set.
*/
uint32_t
ntru_crypto_hash_final_zero_pad(
NTRU_CRYPTO_HASH_CTX *c, // in/out - pointer to hash context
uint8_t *md) // out - address for message digest
{
if (!c || !md)
HASH_RET(NTRU_CRYPTO_HASH_BAD_PARAMETER);
if (!c->alg_params)
HASH_RET(NTRU_CRYPTO_HASH_BAD_ALG);
return c->alg_params->final_zero_pad(&c->alg_ctx, md);
}
/* ntru_crypto_hash_digest
*
* This routine computes a message digest. It is assumed that the
* output buffer md is large enough to hold the output (see
* ntru_crypto_hash_digest_length)
*
* Returns NTRU_CRYPTO_HASH_OK on success.
* Returns NTRU_CRYPTO_HASH_FAIL with corrupted context.
* Returns NTRU_CRYPTO_HASH_BAD_PARAMETER if inappropriate NULL pointers are
* passed.
* Returns NTRU_CRYPTO_HASH_OVERFLOW if too much text has been fed to the
* hash algorithm. The size limit is dependent on the hash algorithm,
* and not all algorithms have this limit.
* Returns NTRU_CRYPTO_HASH_BAD_ALG if the specified algorithm is not supported.
*/
uint32_t
ntru_crypto_hash_digest(
NTRU_CRYPTO_HASH_ALGID algid, // in - the hash algorithm to use
uint8_t const *data, // in - pointer to input data
uint32_t data_len, // in - number of bytes of input data
uint8_t *md) // out - address for message digest
{
NTRU_CRYPTO_HASH_ALG_PARAMS const *alg_params = get_alg_params(algid);
if (!alg_params)
HASH_RET(NTRU_CRYPTO_HASH_BAD_ALG);
if ((data_len && !data) || !md)
HASH_RET(NTRU_CRYPTO_HASH_BAD_PARAMETER);
return alg_params->digest(data, data_len, md);
}

233
src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_hash.h
View File

@ -1,233 +0,0 @@
/******************************************************************************
* NTRU Cryptography Reference Source Code
* Copyright (c) 2009-2013, by Security Innovation, Inc. All rights reserved.
*
* ntru_crypto_hash.h is a component of ntru-crypto.
*
* Copyright (C) 2009-2013 Security Innovation
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2
* of the License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*
*****************************************************************************/
/******************************************************************************
*
* File: ntru_crypto_hash.h
*
* Contents: Definitions and declarations for the hash object abstraction.
*
*****************************************************************************/
#ifndef NTRU_CRYPTO_HASH_H
#define NTRU_CRYPTO_HASH_H
#include "ntru_crypto_error.h"
#include "ntru_crypto_hash_basics.h"
#include "ntru_crypto_sha1.h"
#include "ntru_crypto_sha256.h"
#include <library.h>
/***************
* error macro *
***************/
#define HASH_RESULT(r) ((uint32_t)((r) ? HASH_ERROR_BASE + (r) : (r)))
#define HASH_RET(r) return HASH_RESULT(r);
/*************************
* structure definitions *
*************************/
/* _NTRU_CRYPTO_HASH_ALG_PARAMS
*
* An opaque forward declaration for a private structure used
* internally by the hash object interface.
*/
struct _NTRU_CRYPTO_HASH_ALG_PARAMS;
/* NTRU_CRYPTO_HASH_CTX
*
* Hash object context information.
*/
typedef struct {
struct _NTRU_CRYPTO_HASH_ALG_PARAMS const *alg_params;
union {
NTRU_CRYPTO_SHA1_CTX sha1;
NTRU_CRYPTO_SHA2_CTX sha256;
} alg_ctx;
} NTRU_CRYPTO_HASH_CTX;
/*************************
* function declarations *
*************************/
/* ntru_crypto_hash_set_alg
*
* Sets the hash algorithm for the hash context. This must be called before
* any calls to crypto_hash_block_length(), crypto_hash_digest_length(), or
* crypto_hash_init() are made.
*
* Returns NTRU_CRYPTO_HASH_OK on success.
* Returns NTRU_CRYPTO_HASH_BAD_PARAMETER if inappropriate NULL pointers are
* passed.
* Returns NTRU_CRYPTO_HASH_BAD_ALG if the specified algorithm is not supported.
*/
extern uint32_t
ntru_crypto_hash_set_alg(
NTRU_CRYPTO_HASH_ALGID algid, // in - hash algoirithm to be used
NTRU_CRYPTO_HASH_CTX *c); // in/out - pointer to the hash context
/* ntru_crypto_hash_block_length
*
* Gets the number of bytes in an input block for the hash algorithm
* specified in the hash context. The hash algorithm must have been set
* in the hash context with a call to crypto_hash_set_alg() prior to
* calling this function.
*
* Returns NTRU_CRYPTO_HASH_OK on success.
* Returns NTRU_CRYPTO_HASH_BAD_PARAMETER if inappropriate NULL pointers are
* passed.
* Returns NTRU_CRYPTO_HASH_BAD_ALG if the algorithm has not been set.
*/
extern uint32_t
ntru_crypto_hash_block_length(
NTRU_CRYPTO_HASH_CTX *c, // in - pointer to the hash context
uint16_t *blk_len); // out - address for block length in bytes
/* ntru_crypto_hash_digest_length
*
* Gets the number of bytes needed to hold the message digest for the
* hash algorithm specified in the hash context. The algorithm must have
* been set in the hash context with a call to crypto_hash_set_alg() prior
* to calling this function.
*
* Returns NTRU_CRYPTO_HASH_OK on success.
* Returns NTRU_CRYPTO_HASH_BAD_PARAMETER if inappropriate NULL pointers are
* passed.
* Returns NTRU_CRYPTO_HASH_BAD_ALG if the algorithm has not been set.
*/
extern uint32_t
ntru_crypto_hash_digest_length(
NTRU_CRYPTO_HASH_CTX const *c, // in - pointer to the hash context
uint16_t *md_len); // out - addrfor digest length in bytes
/* ntru_crypto_hash_init
*
* This routine initializes the hash state.
*
* Returns NTRU_CRYPTO_HASH_OK on success.
* Returns NTRU_CRYPTO_HASH_FAIL with corrupted context.
* Returns NTRU_CRYPTO_HASH_BAD_PARAMETER if inappropriate NULL pointers are
* passed.
* Returns NTRU_CRYPTO_HASH_BAD_ALG if the algorithm has not been set.
*/
extern uint32_t
ntru_crypto_hash_init(
NTRU_CRYPTO_HASH_CTX *c); // in/out - pointer to hash context
/* ntru_crypto_hash_update
*
* This routine processes input data and updates the hash calculation.
*
* Returns NTRU_CRYPTO_HASH_OK on success.
* Returns NTRU_CRYPTO_HASH_FAIL with corrupted context.
* Returns NTRU_CRYPTO_HASH_BAD_PARAMETER if inappropriate NULL pointers are
* passed.
* Returns NTRU_CRYPTO_HASH_OVERFLOW if too much text has been fed to the
* hash algorithm. The size limit is dependent on the hash algorithm,
* and not all algorithms have this limit.
* Returns NTRU_CRYPTO_HASH_BAD_ALG if the algorithm has not been set.
*/
extern uint32_t
ntru_crypto_hash_update(
NTRU_CRYPTO_HASH_CTX *c, // in/out - pointer to hash context
uint8_t const *data, // in - pointer to input data
uint32_t data_len); // in - number of bytes of input data
/* ntru_crypto_hash_final
*
* This routine completes the hash calculation and returns the message digest.
*
* Returns NTRU_CRYPTO_HASH_OK on success.
* Returns NTRU_CRYPTO_HASH_FAIL with corrupted context.
* Returns NTRU_CRYPTO_HASH_BAD_PARAMETER if inappropriate NULL pointers are
* passed.
* Returns NTRU_CRYPTO_HASH_BAD_ALG if the algorithm has not been set.
*/
extern uint32_t
ntru_crypto_hash_final(
NTRU_CRYPTO_HASH_CTX *c, // in/out - pointer to hash context
uint8_t *md); // out - address for message digest
/* ntru_crypto_hash_final_zero_pad
*
* This routine completes the hash calculation using zero padding and
* returns the message digest.
*
* Returns NTRU_CRYPTO_HASH_OK on success.
* Returns NTRU_CRYPTO_HASH_FAIL with corrupted context.
* Returns NTRU_CRYPTO_HASH_BAD_PARAMETER if inappropriate NULL pointers are
* passed.
* Returns NTRU_CRYPTO_HASH_BAD_ALG if the algorithm has not been set.
*/
extern uint32_t
ntru_crypto_hash_final_zero_pad(
NTRU_CRYPTO_HASH_CTX *c, // in/out - pointer to hash context
uint8_t *md); // out - address for message digest
/* ntru_crypto_hash_digest
*
* This routine computes a message digest. It is assumed that the
* output buffer md is large enough to hold the output (see
* crypto_hash_digest_length)
*
* Returns NTRU_CRYPTO_HASH_OK on success.
* Returns NTRU_CRYPTO_HASH_FAIL with corrupted context.
* Returns NTRU_CRYPTO_HASH_BAD_PARAMETER if inappropriate NULL pointers are passed.
* Returns NTRU_CRYPTO_HASH_OVERFLOW if too much text has been fed to the
* hash algorithm. The size limit is dependent on the hash algorithm,
* and not all algorithms have this limit.
* Returns NTRU_CRYPTO_HASH_BAD_ALG if the specified algorithm is not supported.
*/
extern uint32_t
ntru_crypto_hash_digest(
NTRU_CRYPTO_HASH_ALGID algid, // in - the hash algorithm to use
uint8_t const *data, // in - pointer to input data
uint32_t data_len, // in - number of bytes of input data
uint8_t *md); // out - address for message digest
#endif /* NTRU_CRYPTO_HASH_H */

75
src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_hash_basics.h
View File

@ -1,75 +0,0 @@
/******************************************************************************
* NTRU Cryptography Reference Source Code
* Copyright (c) 2009-2013, by Security Innovation, Inc. All rights reserved.
*
* ntru_crypto_hash_basics.c is a component of ntru-crypto.
*
* Copyright (C) 2009-2013 Security Innovation
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2
* of the License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*
*****************************************************************************/
/******************************************************************************
*
* File: ntru_crypto_hash_basics.h
*
* Contents: Common definitions for all hash algorithms.
*
*****************************************************************************/
#ifndef NTRU_CRYPTO_HASH_BASICS_H
#define NTRU_CRYPTO_HASH_BASICS_H
#include <library.h>
/**************
* algorithms *
**************/
typedef enum {
NTRU_CRYPTO_HASH_ALGID_NONE = 0,
NTRU_CRYPTO_HASH_ALGID_SHA1,
NTRU_CRYPTO_HASH_ALGID_SHA256,
} NTRU_CRYPTO_HASH_ALGID;
/***************
* error codes *
***************/
#define NTRU_CRYPTO_HASH_OK ((uint32_t)0x00)
#define NTRU_CRYPTO_HASH_FAIL ((uint32_t)0x01)
#define NTRU_CRYPTO_HASH_BAD_PARAMETER ((uint32_t)0x02)
#define NTRU_CRYPTO_HASH_OVERFLOW ((uint32_t)0x03)
#define NTRU_CRYPTO_HASH_BAD_ALG ((uint32_t)0x20)
#define NTRU_CRYPTO_HASH_OUT_OF_MEMORY ((uint32_t)0x21)
// For backward-compatibility
typedef uint32_t NTRU_CRYPTO_HASH_ERROR;
/*********
* flags *
*********/
#define HASH_DATA_ONLY 0
#define HASH_INIT (1 << 0)
#define HASH_FINISH (1 << 1)
#define HASH_ZERO_PAD (1 << 2)
#endif /* NTRU_CRYPTO_HASH_BASICS_H */

92
src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_msbyte_uint32.c
View File

@ -1,92 +0,0 @@
/******************************************************************************
* NTRU Cryptography Reference Source Code
* Copyright (c) 2009-2013, by Security Innovation, Inc. All rights reserved.
*
* ntru_crypto_mbyte_uint32.c is a component of ntru-crypto.
*
* Copyright (C) 2009-2013 Security Innovation
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2
* of the License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*
*****************************************************************************/
/******************************************************************************
*
* File: ntru_crypto_msbyte_uint32.c
*
* Contents: Routines to convert between an array of bytes in network byte
* order (most-significant byte first) and an array of uint32 words.
*
*****************************************************************************/
#include <stdlib.h>
#include "ntru_crypto_msbyte_uint32.h"
/* ntru_crypto_msbyte_2_uint32()
*
* This routine converts an array of bytes in network byte order to an array
* of uint32_t, placing the first byte in the most significant byte of the
* first uint32_t word.
*
* The number of bytes in the input stream MUST be at least 4 times the
* number of words expected in the output array.
*/
void
ntru_crypto_msbyte_2_uint32(
uint32_t *words, // out - pointer to the output uint32_t array
uint8_t const *bytes, // in - pointer to the input byte array
uint32_t n) // in - number of words in the output array
{
uint32_t i;
for (i = 0; i < n; i++) {
words[i] = ((uint32_t) (*bytes++)) << 24;
words[i] |= ((uint32_t) (*bytes++)) << 16;
words[i] |= ((uint32_t) (*bytes++)) << 8;
words[i] |= (uint32_t) (*bytes++);
}
}
/* ntru_crypto_uint32_2_msbyte()
*
* This routine converts an array of uint32_t to an array of bytes in
* network byte order, placing the most significant byte of the first uint32_t
* word as the first byte of the output array.
*
* The number of bytes in the output stream will be 4 times the number of words
* specified in the input array.
*/
void
ntru_crypto_uint32_2_msbyte(
uint8_t *bytes, // out - pointer to the output byte array
uint32_t const *words, // in - pointer to the input uint32_t array
uint32_t n) // in - number of words in the input array
{
uint32_t i;
for (i = 0; i < n; i++) {
*bytes++ = (uint8_t) (words[i] >> 24);
*bytes++ = (uint8_t) (words[i] >> 16);
*bytes++ = (uint8_t) (words[i] >> 8);
*bytes++ = (uint8_t) (words[i] );
}
}

75
src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_msbyte_uint32.h
View File

@ -1,75 +0,0 @@
/******************************************************************************
* NTRU Cryptography Reference Source Code
* Copyright (c) 2009-2013, by Security Innovation, Inc. All rights reserved.
*
* ntru_crypto_msbyte_uint32.h is a component of ntru-crypto.
*
* Copyright (C) 2009-2013 Security Innovation
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2
* of the License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*
*****************************************************************************/
/******************************************************************************
*
* File: ntru_crypto_msbyte_uint32.h
*
* Contents: Definitions and declarations for converting between a most-
* significant-first byte stream and a uint32_t array.
*
*****************************************************************************/
#ifndef NTRU_CRYPTO_MSBYTE_UINT32_H
#define NTRU_CRYPTO_MSBYTE_UINT32_H
#include <library.h>
/* ntru_crypto_msbyte_2_uint32()
*
* This routine converts an array of bytes in network byte order to an array
* of uint32_t, placing the first byte in the most significant byte of the
* first uint32_t word.
*
* The number of bytes in the input stream MUST be at least 4 times the
* number of words expected in the output array.
*/
extern void
ntru_crypto_msbyte_2_uint32(
uint32_t *words, // out - pointer to the output uint32_t array
uint8_t const *bytes, // in - pointer to the input byte array
uint32_t n); // in - number of words in the output array
/* ntru_crypto_uint32_2_msbyte()
*
* This routine converts an array of uint32_t to an array of bytes in
* network byte order, placing the most significant byte of the first uint32_t
* word as the first byte of the output array.
*
* The number of bytes in the output stream will be 4 times the number of words
* specified in the input array.
*/
extern void
ntru_crypto_uint32_2_msbyte(
uint8_t *bytes, // out - pointer to the output byte array
uint32_t const *words, // in - pointer to the input uint32_t array
uint32_t n); // in - number of words in the input array
#endif /* NTRU_CRYPTO_MSBYTE_UINT32_H */

66
src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt.c
View File

@ -106,7 +106,7 @@ ntru_crypto_ntru_encrypt(
uint8_t *b_buf = NULL;
uint8_t *tmp_buf = NULL;
bool msg_rep_good = FALSE;
NTRU_CRYPTO_HASH_ALGID hash_algid;
hash_algorithm_t hash_algid;
uint8_t md_len;
uint16_t mprime_len = 0;
uint16_t mod_q_mask;
@ -178,15 +178,17 @@ ntru_crypto_ntru_encrypt(
b_buf = (uint8_t *)(r_buf + (dr << 1));
tmp_buf = (uint8_t *)scratch_buf;
/* set hash algorithm based on security strength */
if (params->sec_strength_len <= 20) {
hash_algid = NTRU_CRYPTO_HASH_ALGID_SHA1;
md_len = 20;
} else {
hash_algid = NTRU_CRYPTO_HASH_ALGID_SHA256;
md_len = 32;
}
/* set hash algorithm based on security strength */
if (params->sec_strength_len <= 20)
{
hash_algid = HASH_SHA1;
md_len = 20;
}
else
{
hash_algid = HASH_SHA256;
md_len = 32;
}
/* set constants */
@ -424,7 +426,7 @@ ntru_crypto_ntru_decrypt(
uint8_t *Mtrin_buf = NULL;
uint8_t *M_buf = NULL;
uint8_t *ptr = NULL;
NTRU_CRYPTO_HASH_ALGID hash_algid;
hash_algorithm_t hash_algid;
uint8_t md_len;
uint16_t cmprime_len;
uint16_t mod_q_mask;
@ -502,14 +504,16 @@ ntru_crypto_ntru_decrypt(
Mtrin_buf = (uint8_t *)ringel_buf1;
M_buf = Mtrin_buf + params->N;
/* set hash algorithm based on security strength */
if (params->sec_strength_len <= 20) {
hash_algid = NTRU_CRYPTO_HASH_ALGID_SHA1;
md_len = 20;
} else {
hash_algid = NTRU_CRYPTO_HASH_ALGID_SHA256;
md_len = 32;
/* set hash algorithm based on security strength */
if (params->sec_strength_len <= 20)
{
hash_algid = HASH_SHA1;
md_len = 20;
}
else
{
hash_algid = HASH_SHA256;
md_len = 32;
}
/* set constants */
@ -802,7 +806,7 @@ ntru_crypto_ntru_encrypt_keygen(
uint16_t *F_buf = NULL;
uint8_t *tmp_buf = NULL;
uint16_t mod_q_mask;
NTRU_CRYPTO_HASH_ALGID hash_algid;
hash_algorithm_t hash_algid;
uint8_t md_len;
uint16_t seed_len;
uint32_t result = NTRU_OK;
@ -866,16 +870,18 @@ ntru_crypto_ntru_encrypt_keygen(
F_buf = ringel_buf2 + params->N;
tmp_buf = (uint8_t *)scratch_buf;
/* set hash algorithm and seed length based on security strength */
if (params->sec_strength_len <= 20) {
hash_algid = NTRU_CRYPTO_HASH_ALGID_SHA1;
md_len = 20;
} else {
hash_algid = NTRU_CRYPTO_HASH_ALGID_SHA256;
md_len = 32;
}
seed_len = params->sec_strength_len + 8;
/* set hash algorithm and seed length based on security strength */
if (params->sec_strength_len <= 20)
{
hash_algid = HASH_SHA1;
md_len = 20;
}
else
{
hash_algid = HASH_SHA256;
md_len = 32;
}
seed_len = params->sec_strength_len + 8;
/* set constants */

17
src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt_param_sets.h
View File

@ -34,8 +34,6 @@
#define NTRU_CRYPTO_NTRU_ENCRYPT_PARAM_SETS_H
#include "ntru_crypto.h"
#include "ntru_crypto_hash_basics.h"
/* structures */
@ -105,20 +103,5 @@ extern NTRU_ENCRYPT_PARAM_SET *
ntru_encrypt_get_params_with_OID(
uint8_t const *oid); /* in - pointer to parameter-set OID */
/* ntru_encrypt_get_params_with_DER_id
*
* Looks up a set of NTRUEncrypt parameters based on the DER id of the
* parameter set.
*
* Returns a pointer to the parameter set parameters if successful.
* Returns NULL if the parameter set cannot be found.
*/
extern NTRU_ENCRYPT_PARAM_SET *
ntru_encrypt_get_params_with_DER_id(
uint8_t der_id); /* in - parameter-set DER id */
#endif /* NTRU_CRYPTO_NTRU_ENCRYPT_PARAM_SETS_H */

219
src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_mgf1.c
View File

@ -53,45 +53,60 @@
uint32_t
ntru_mgf1(
uint8_t *state, /* in/out - pointer to the state */
NTRU_CRYPTO_HASH_ALGID algid, /* in - hash algorithm ID */
uint8_t md_len, /* in - no. of octets in digest */
uint8_t num_calls, /* in - no. of hash calls */
uint16_t seed_len, /* in - no. of octets in seed */
uint8_t const *seed, /* in - pointer to seed */
uint8_t *out) /* out - address for output */
uint8_t *state, /* in/out - pointer to the state */
hash_algorithm_t hash_algid, /* in - hash algorithm ID */
uint8_t md_len, /* in - no. of octets in digest */
uint8_t num_calls, /* in - no. of hash calls */
uint16_t seed_len, /* in - no. of octets in seed */
uint8_t *seed, /* in - pointer to seed */
uint8_t *out) /* out - address for output */
{
uint8_t *ctr = state + md_len;
uint32_t retcode;
uint8_t *ctr = state + md_len;
hasher_t *hasher;
assert(state);
assert(out);
assert(state);
assert(out);
/* if seed present, init state */
hasher = lib->crypto->create_hasher(lib->crypto, hash_algid);
if (!hasher)
{
NTRU_RET(NTRU_FAIL);
}
if (seed) {
if ((retcode = ntru_crypto_hash_digest(algid, seed, seed_len, state)) !=
NTRU_CRYPTO_HASH_OK)
return retcode;
memset(ctr, 0, 4);
}
/* generate output */
while (num_calls-- > 0) {
if ((retcode = ntru_crypto_hash_digest(algid, state, md_len + 4,
out)) !=
NTRU_CRYPTO_HASH_OK)
return retcode;
out += md_len;
/* increment counter */
if (++ctr[3] == 0)
if (++ctr[2] == 0)
if (++ctr[1] == 0)
++ctr[0];
/* if seed present, init state */
if (seed)
{
if (!hasher->get_hash(hasher, chunk_create(seed, seed_len), state))
{
hasher->destroy(hasher);
NTRU_RET(NTRU_FAIL);
}
memset(ctr, 0, 4);
}
/* generate output */
while (num_calls-- > 0)
{
if (!hasher->get_hash(hasher, chunk_create(state, md_len + 4), out))
{
hasher->destroy(hasher);
NTRU_RET(NTRU_FAIL);
}
out += md_len;
/* increment counter */
if (++ctr[3] == 0)
{
if (++ctr[2] == 0)
{
if (++ctr[1] == 0)
{
++ctr[0];
}
}
}
}
hasher->destroy(hasher);
NTRU_RET(NTRU_OK);
}
@ -113,85 +128,93 @@ ntru_mgf1(
uint32_t
ntru_mgftp1(
NTRU_CRYPTO_HASH_ALGID hash_algid, /* in - hash alg ID for
hash_algorithm_t hash_algid, /* in - hash alg ID for
MGF-TP-1 */
uint8_t md_len, /* in - no. of octets in
uint8_t md_len, /* in - no. of octets in
digest */
uint8_t min_calls, /* in - minimum no. of hash
uint8_t min_calls, /* in - minimum no. of hash
calls */
uint16_t seed_len, /* in - no. of octets in seed */
uint8_t *seed, /* in - pointer to seed */
uint8_t *buf, /* in - pointer to working
uint16_t seed_len, /* in - no. of octets in seed */
uint8_t *seed, /* in - pointer to seed */
uint8_t *buf, /* in - pointer to working
buffer */
uint16_t num_trits_needed, /* in - no. of trits in mask */
uint8_t *mask) /* out - address for mask trits */
uint16_t num_trits_needed, /* in - no. of trits in mask */
uint8_t *mask) /* out - address for mask trits */
{
uint8_t *mgf_out;
uint8_t *octets;
uint16_t octets_available;
uint32_t retcode;
uint8_t *mgf_out;
uint8_t *octets;
uint16_t octets_available;
uint32_t retcode;
assert(seed);
assert(buf);
assert(mask);
assert(seed);
assert(buf);
assert(mask);
/* generate minimum MGF1 output */
mgf_out = buf + md_len + 4;
if ((retcode = ntru_mgf1(buf, hash_algid, md_len, min_calls,
/* generate minimum MGF1 output */
mgf_out = buf + md_len + 4;
if ((retcode = ntru_mgf1(buf, hash_algid, md_len, min_calls,
seed_len, seed, mgf_out)) != NTRU_OK)
return retcode;
octets = mgf_out;
octets_available = min_calls * md_len;
{
return retcode;
}
octets = mgf_out;
octets_available = min_calls * md_len;
/* get trits for mask */
while (num_trits_needed >= 5) {
/* get another octet and convert it to 5 trits */
if (octets_available == 0) {
if ((retcode = ntru_mgf1(buf, hash_algid, md_len, 1,
/* get trits for mask */
while (num_trits_needed >= 5)
{
/* get another octet and convert it to 5 trits */
if (octets_available == 0)
{
if ((retcode = ntru_mgf1(buf, hash_algid, md_len, 1,
0, NULL, mgf_out)) != NTRU_OK)
return retcode;
octets = mgf_out;
octets_available = md_len;
}
{
return retcode;
}
octets = mgf_out;
octets_available = md_len;
}
if (*octets < 243) {
ntru_octet_2_trits(*octets, mask);
mask += 5;
num_trits_needed -= 5;
}
octets++;
--octets_available;
}
if (*octets < 243)
{
ntru_octet_2_trits(*octets, mask);
mask += 5;
num_trits_needed -= 5;
}
octets++;
--octets_available;
}
/* get any remaining trits */
/* get any remaining trits */
while (num_trits_needed)
{
uint8_t trits[5];
while (num_trits_needed) {
uint8_t trits[5];
/* get another octet and convert it to remaining trits */
if (octets_available == 0) {
if ((retcode = ntru_mgf1(buf, hash_algid, md_len, 1,
/* get another octet and convert it to remaining trits */
if (octets_available == 0)
{
if ((retcode = ntru_mgf1(buf, hash_algid, md_len, 1,
0, NULL, mgf_out)) != NTRU_OK)
return retcode;
octets = mgf_out;
octets_available = md_len;
}
if (*octets < 243) {
ntru_octet_2_trits(*octets, trits);
memcpy(mask, trits, num_trits_needed);
num_trits_needed = 0;
} else {
octets++;
--octets_available;
}
}
{
return retcode;
}
octets = mgf_out;
octets_available = md_len;
}
if (*octets < 243)
{
ntru_octet_2_trits(*octets, trits);
memcpy(mask, trits, num_trits_needed);
num_trits_needed = 0;
}
else
{
octets++;
--octets_available;
}
}
NTRU_RET(NTRU_OK);
NTRU_RET(NTRU_OK);
}

8
src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_mgf1.h
View File

@ -36,8 +36,8 @@
#include "ntru_crypto.h"
#include "ntru_crypto_hash.h"
#include <crypto/hashers/hasher.h>
/* function declarations */
@ -57,11 +57,11 @@
extern uint32_t
ntru_mgf1(
uint8_t *state, /* in/out - pointer to the state */
NTRU_CRYPTO_HASH_ALGID algid, /* in - hash algorithm ID */
hash_algorithm_t hash_algid, /* in - hash algorithm ID */
uint8_t md_len, /* in - no. of octets in digest */
uint8_t num_calls, /* in - no. of hash calls */
uint16_t seed_len, /* in - no. of octets in seed */
uint8_t const *seed, /* in - pointer to seed */
uint8_t *seed, /* in - pointer to seed */
uint8_t *out); /* out - address for output */
@ -81,7 +81,7 @@ ntru_mgf1(
extern uint32_t
ntru_mgftp1(
NTRU_CRYPTO_HASH_ALGID hash_algid, /* in - hash alg ID for
hash_algorithm_t hash_algid, /* in - hash alg ID for
MGF-TP-1 */
uint8_t md_len, /* in - no. of octets in
digest */

2
src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_poly.c
View File

@ -62,7 +62,7 @@
uint32_t
ntru_gen_poly(
NTRU_CRYPTO_HASH_ALGID hash_algid, /* in - hash algorithm ID for
hash_algorithm_t hash_algid, /* in - hash algorithm ID for
IGF-2 */
uint8_t md_len, /* in - no. of octets in digest */
uint8_t min_calls, /* in - minimum no. of hash

5
src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_poly.h
View File

@ -37,7 +37,8 @@
#include "ntru_crypto.h"
#include "ntru_crypto_hash_basics.h"
#include <crypto/hashers/hasher.h>
/* function declarations */
@ -65,7 +66,7 @@
extern uint32_t
ntru_gen_poly(
NTRU_CRYPTO_HASH_ALGID hash_algid, /* in - hash algorithm ID for
hash_algorithm_t hash_algid, /* in - hash algorithm ID for
IGF-2 */
uint8_t md_len, /* in - no. of octets in digest */
uint8_t min_calls, /* in - minimum no. of hash

65
src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_sha.h
View File

@ -1,65 +0,0 @@
/******************************************************************************
* NTRU Cryptography Reference Source Code
* Copyright (c) 2009-2013, by Security Innovation, Inc. All rights reserved.
*
* ntru_crypto_sha.h is a component of ntru-crypto.
*
* Copyright (C) 2009-2013 Security Innovation
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2
* of the License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*
*****************************************************************************/
/******************************************************************************
*
* File: ntru_crypto_sha.h
*
* Contents: Definitions and declarations common to all SHA hash algorithms.
*
*****************************************************************************/
#ifndef NTRU_CRYPTO_SHA_H
#define NTRU_CRYPTO_SHA_H
#include "ntru_crypto_error.h"
#include "ntru_crypto_hash_basics.h"
/***************
* error codes *
***************/
#define SHA_OK ((uint32_t)NTRU_CRYPTO_HASH_OK)
#define SHA_FAIL ((uint32_t)NTRU_CRYPTO_HASH_FAIL)
#define SHA_BAD_PARAMETER ((uint32_t)NTRU_CRYPTO_HASH_BAD_PARAMETER)
#define SHA_OVERFLOW ((uint32_t)NTRU_CRYPTO_HASH_OVERFLOW)
#define SHA_RESULT(r) ((uint32_t)((r) ? SHA_ERROR_BASE + (r) : (r)))
#define SHA_RET(r) return SHA_RESULT(r);
/*********
* flags *
*********/
#define SHA_DATA_ONLY HASH_DATA_ONLY
#define SHA_INIT HASH_INIT
#define SHA_FINISH HASH_FINISH
#define SHA_ZERO_PAD HASH_ZERO_PAD
#endif /* NTRU_CRYPTO_SHA_H */

588
src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_sha1.c
View File

@ -1,588 +0,0 @@
/******************************************************************************
* NTRU Cryptography Reference Source Code
* Copyright (c) 2009-2013, by Security Innovation, Inc. All rights reserved.
*
* ntru_crypto_ntru_crypto_sha1.c is a component of ntru-crypto.
*
* Copyright (C) 2009-2013 Security Innovation
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2
* of the License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*
*****************************************************************************/
/******************************************************************************
*
* File: ntru_crypto_sha1.c
*
* Contents: Routines implementing the SHA-1 hash calculation.
*
*****************************************************************************/
#include <stdlib.h>
#include <string.h>
#include "ntru_crypto_sha1.h"
#include "ntru_crypto_msbyte_uint32.h"
/* chaining state elements */
#define H0 state[0]
#define H1 state[1]
#define H2 state[2]
#define H3 state[3]
#define H4 state[4]
/* standard SHA-1 initialization values */
#define H0_INIT 0x67452301UL
#define H1_INIT 0xefcdab89UL
#define H2_INIT 0x98badcfeUL
#define H3_INIT 0x10325476UL
#define H4_INIT 0xc3d2e1f0UL
/* sha1_blk()
*
* This routine updates the current hash output (chaining state)
* by performing SHA-1 on a 512-bit block of data represented as sixteen
* 32-bit words.
*/
#define K00_19 0x5a827999UL
#define K20_39 0x6ed9eba1UL
#define K40_59 0x8f1bbcdcUL
#define K60_79 0xca62c1d6UL
#define RL(a, n) ( ((a) << (n)) | ((a) >> (32 - (n))) )
static void
sha1_blk(
uint32_t const *data, // in - ptr to 16 32-bit word input block
uint32_t *state) // in/out - ptr to 5 32-bit word chaining state
{
uint32_t A, B, C, D, E;
uint32_t w[16];
/* init A - E */
A = H0; B = H1; C = H2; D = H3; E = H4;
/* rounds 0 - 15 */
E += RL(A, 5) + K00_19 + (B & (C ^ D) ^ D) + data[ 0]; B = RL(B, 30);
D += RL(E, 5) + K00_19 + (A & (B ^ C) ^ C) + data[ 1]; A = RL(A, 30);
C += RL(D, 5) + K00_19 + (E & (A ^ B) ^ B) + data[ 2]; E = RL(E, 30);
B += RL(C, 5) + K00_19 + (D & (E ^ A) ^ A) + data[ 3]; D = RL(D, 30);
A += RL(B, 5) + K00_19 + (C & (D ^ E) ^ E) + data[ 4]; C = RL(C, 30);
E += RL(A, 5) + K00_19 + (B & (C ^ D) ^ D) + data[ 5]; B = RL(B, 30);
D += RL(E, 5) + K00_19 + (A & (B ^ C) ^ C) + data[ 6]; A = RL(A, 30);
C += RL(D, 5) + K00_19 + (E & (A ^ B) ^ B) + data[ 7]; E = RL(E, 30);
B += RL(C, 5) + K00_19 + (D & (E ^ A) ^ A) + data[ 8]; D = RL(D, 30);
A += RL(B, 5) + K00_19 + (C & (D ^ E) ^ E) + data[ 9]; C = RL(C, 30);
E += RL(A, 5) + K00_19 + (B & (C ^ D) ^ D) + data[10]; B = RL(B, 30);
D += RL(E, 5) + K00_19 + (A & (B ^ C) ^ C) + data[11]; A = RL(A, 30);
C += RL(D, 5) + K00_19 + (E & (A ^ B) ^ B) + data[12]; E = RL(E, 30);
B += RL(C, 5) + K00_19 + (D & (E ^ A) ^ A) + data[13]; D = RL(D, 30);
A += RL(B, 5) + K00_19 + (C & (D ^ E) ^ E) + data[14]; C = RL(C, 30);
E += RL(A, 5) + K00_19 + (B & (C ^ D) ^ D) + data[15]; B = RL(B, 30);
/* rounds 16 - 19 */
w[ 0] = data[ 0] ^ data[ 2] ^ data[ 8] ^ data[13]; w[ 0] = RL(w[0], 1);
D += RL(E, 5) + K00_19 + (A & (B ^ C) ^ C) + w[ 0]; A = RL(A, 30);
w[ 1] = data[ 1] ^ data[ 3] ^ data[ 9] ^ data[14]; w[ 1] = RL(w[1], 1);
C += RL(D, 5) + K00_19 + (E & (A ^ B) ^ B) + w[ 1]; E = RL(E, 30);
w[ 2] = data[ 2] ^ data[ 4] ^ data[10] ^ data[15]; w[ 2] = RL(w[ 2], 1);
B += RL(C, 5) + K00_19 + (D & (E ^ A) ^ A) + w[ 2]; D = RL(D, 30);
w[ 3] = data[ 3] ^ data[ 5] ^ data[11] ^ w[ 0]; w[ 3] = RL(w[ 3], 1);
A += RL(B, 5) + K00_19 + (C & (D ^ E) ^ E) + w[ 3]; C = RL(C, 30);
/* rounds 20 - 39 */
w[ 4] = data[ 4] ^ data[ 6] ^ data[12] ^ w[ 1]; w[ 4] = RL(w[ 4], 1);
E += RL(A, 5) + K20_39 + (B ^ C ^ D) + w[ 4]; B = RL(B, 30);
w[ 5] = data[ 5] ^ data[ 7] ^ data[13] ^ w[ 2]; w[ 5] = RL(w[ 5], 1);
D += RL(E, 5) + K20_39 + (A ^ B ^ C) + w[ 5]; A = RL(A, 30);
w[ 6] = data[ 6] ^ data[ 8] ^ data[14] ^ w[ 3]; w[ 6] = RL(w[ 6], 1);
C += RL(D, 5) + K20_39 + (E ^ A ^ B) + w[ 6]; E = RL(E, 30);
w[ 7] = data[ 7] ^ data[ 9] ^ data[15] ^ w[ 4]; w[ 7] = RL(w[ 7], 1);
B += RL(C, 5) + K20_39 + (D ^ E ^ A) + w[ 7]; D = RL(D, 30);
w[ 8] = data[ 8] ^ data[10] ^ w[ 0] ^ w[ 5]; w[ 8] = RL(w[ 8], 1);
A += RL(B, 5) + K20_39 + (C ^ D ^ E) + w[ 8]; C = RL(C, 30);
w[ 9] = data[ 9] ^ data[11] ^ w[ 1] ^ w[ 6]; w[ 9] = RL(w[ 9], 1);
E += RL(A, 5) + K20_39 + (B ^ C ^ D) + w[ 9]; B = RL(B, 30);
w[10] = data[10] ^ data[12] ^ w[ 2] ^ w[ 7]; w[10] = RL(w[10], 1);
D += RL(E, 5) + K20_39 + (A ^ B ^ C) + w[10]; A = RL(A, 30);
w[11] = data[11] ^ data[13] ^ w[ 3] ^ w[ 8]; w[11] = RL(w[11], 1);
C += RL(D, 5) + K20_39 + (E ^ A ^ B) + w[11]; E = RL(E, 30);
w[12] = data[12] ^ data[14] ^ w[ 4] ^ w[ 9]; w[12] = RL(w[12], 1);
B += RL(C, 5) + K20_39 + (D ^ E ^ A) + w[12]; D = RL(D, 30);
w[13] = data[13] ^ data[15] ^ w[ 5] ^ w[10]; w[13] = RL(w[13], 1);
A += RL(B, 5) + K20_39 + (C ^ D ^ E) + w[13]; C = RL(C, 30);
w[14] = data[14] ^ w[ 0] ^ w[ 6] ^ w[11]; w[14] = RL(w[14], 1);
E += RL(A, 5) + K20_39 + (B ^ C ^ D) + w[14]; B = RL(B, 30);
w[15] = data[15] ^ w[ 1] ^ w[ 7] ^ w[12]; w[15] = RL(w[15], 1);
D += RL(E, 5) + K20_39 + (A ^ B ^ C) + w[15]; A = RL(A, 30);
w[ 0] = w[ 0] ^ w[ 2] ^ w[ 8] ^ w[13]; w[ 0] = RL(w[ 0], 1);
C += RL(D, 5) + K20_39 + (E ^ A ^ B) + w[ 0]; E = RL(E, 30);
w[ 1] = w[ 1] ^ w[ 3] ^ w[ 9] ^ w[14]; w[ 1] = RL(w[ 1], 1);
B += RL(C, 5) + K20_39 + (D ^ E ^ A) + w[ 1]; D = RL(D, 30);
w[ 2] = w[ 2] ^ w[ 4] ^ w[10] ^ w[15]; w[ 2] = RL(w[ 2], 1);
A += RL(B, 5) + K20_39 + (C ^ D ^ E) + w[ 2]; C = RL(C, 30);
w[ 3] = w[ 3] ^ w[ 5] ^ w[11] ^ w[ 0]; w[ 3] = RL(w[ 3], 1);
E += RL(A, 5) + K20_39 + (B ^ C ^ D) + w[ 3]; B = RL(B, 30);
w[ 4] = w[ 4] ^ w[ 6] ^ w[12] ^ w[ 1]; w[ 4] = RL(w[ 4], 1);
D += RL(E, 5) + K20_39 + (A ^ B ^ C) + w[ 4]; A = RL(A, 30);
w[ 5] = w[ 5] ^ w[ 7] ^ w[13] ^ w[ 2]; w[ 5] = RL(w[ 5], 1);
C += RL(D, 5) + K20_39 + (E ^ A ^ B) + w[ 5]; E = RL(E, 30);
w[ 6] = w[ 6] ^ w[ 8] ^ w[14] ^ w[ 3]; w[ 6] = RL(w[ 6], 1);
B += RL(C, 5) + K20_39 + (D ^ E ^ A) + w[ 6]; D = RL(D, 30);
w[ 7] = w[ 7] ^ w[ 9] ^ w[15] ^ w[ 4]; w[ 7] = RL(w[ 7], 1);
A += RL(B, 5) + K20_39 + (C ^ D ^ E) + w[ 7]; C = RL(C, 30);
/* rounds 40 - 59 */
w[ 8] = w[ 8] ^ w[10] ^ w[ 0] ^ w[ 5]; w[ 8] = RL(w[ 8], 1);
E += RL(A, 5) + K40_59 + ((B & C) | (D & (B | C))) + w[ 8]; B = RL(B, 30);
w[ 9] = w[ 9] ^ w[11] ^ w[ 1] ^ w[ 6]; w[ 9] = RL(w[ 9], 1);
D += RL(E, 5) + K40_59 + ((A & B) | (C & (A | B))) + w[ 9]; A = RL(A, 30);
w[10] = w[10] ^ w[12] ^ w[ 2] ^ w[ 7]; w[10] = RL(w[10], 1);
C += RL(D, 5) + K40_59 + ((E & A) | (B & (E | A))) + w[10]; E = RL(E, 30);
w[11] = w[11] ^ w[13] ^ w[ 3] ^ w[ 8]; w[11] = RL(w[11], 1);
B += RL(C, 5) + K40_59 + ((D & E) | (A & (D | E))) + w[11]; D = RL(D, 30);
w[12] = w[12] ^ w[14] ^ w[ 4] ^ w[ 9]; w[12] = RL(w[12], 1);
A += RL(B, 5) + K40_59 + ((C & D) | (E & (C | D))) + w[12]; C = RL(C, 30);
w[13] = w[13] ^ w[15] ^ w[ 5] ^ w[10]; w[13] = RL(w[13], 1);
E += RL(A, 5) + K40_59 + ((B & C) | (D & (B | C))) + w[13]; B = RL(B, 30);
w[14] = w[14] ^ w[ 0] ^ w[ 6] ^ w[11]; w[14] = RL(w[14], 1);
D += RL(E, 5) + K40_59 + ((A & B) | (C & (A | B))) + w[14]; A = RL(A, 30);
w[15] = w[15] ^ w[ 1] ^ w[ 7] ^ w[12]; w[15] = RL(w[15], 1);
C += RL(D, 5) + K40_59 + ((E & A) | (B & (E | A))) + w[15]; E = RL(E, 30);
w[ 0] = w[ 0] ^ w[ 2] ^ w[ 8] ^ w[13]; w[ 0] = RL(w[ 0], 1);
B += RL(C, 5) + K40_59 + ((D & E) | (A & (D | E))) + w[ 0]; D = RL(D, 30);
w[ 1] = w[ 1] ^ w[ 3] ^ w[ 9] ^ w[14]; w[ 1] = RL(w[ 1], 1);
A += RL(B, 5) + K40_59 + ((C & D) | (E & (C | D))) + w[ 1]; C = RL(C, 30);
w[ 2] = w[ 2] ^ w[ 4] ^ w[10] ^ w[15]; w[ 2] = RL(w[ 2], 1);
E += RL(A, 5) + K40_59 + ((B & C) | (D & (B | C))) + w[ 2]; B = RL(B, 30);
w[ 3] = w[ 3] ^ w[ 5] ^ w[11] ^ w[ 0]; w[ 3] = RL(w[ 3], 1);
D += RL(E, 5) + K40_59 + ((A & B) | (C & (A | B))) + w[ 3]; A = RL(A, 30);
w[ 4] = w[ 4] ^ w[ 6] ^ w[12] ^ w[ 1]; w[ 4] = RL(w[ 4], 1);
C += RL(D, 5) + K40_59 + ((E & A) | (B & (E | A))) + w[ 4]; E = RL(E, 30);
w[ 5] = w[ 5] ^ w[ 7] ^ w[13] ^ w[ 2]; w[ 5] = RL(w[ 5], 1);
B += RL(C, 5) + K40_59 + ((D & E) | (A & (D | E))) + w[ 5]; D = RL(D, 30);
w[ 6] = w[ 6] ^ w[ 8] ^ w[14] ^ w[ 3]; w[ 6] = RL(w[ 6], 1);
A += RL(B, 5) + K40_59 + ((C & D) | (E & (C | D))) + w[ 6]; C = RL(C, 30);
w[ 7] = w[ 7] ^ w[ 9] ^ w[15] ^ w[ 4]; w[ 7] = RL(w[ 7], 1);
E += RL(A, 5) + K40_59 + ((B & C) | (D & (B | C))) + w[ 7]; B = RL(B, 30);
w[ 8] = w[ 8] ^ w[10] ^ w[ 0] ^ w[ 5]; w[ 8] = RL(w[ 8], 1);
D += RL(E, 5) + K40_59 + ((A & B) | (C & (A | B))) + w[ 8]; A = RL(A, 30);
w[ 9] = w[ 9] ^ w[11] ^ w[ 1] ^ w[ 6]; w[ 9] = RL(w[ 9], 1);
C += RL(D, 5) + K40_59 + ((E & A) | (B & (E | A))) + w[ 9]; E = RL(E, 30);
w[10] = w[10] ^ w[12] ^ w[ 2] ^ w[ 7]; w[10] = RL(w[10], 1);
B += RL(C, 5) + K40_59 + ((D & E) | (A & (D | E))) + w[10]; D = RL(D, 30);
w[11] = w[11] ^ w[13] ^ w[ 3] ^ w[ 8]; w[11] = RL(w[11], 1);
A += RL(B, 5) + K40_59 + ((C & D) | (E & (C | D))) + w[11]; C = RL(C, 30);
/* rounds 60 - 79 */
w[12] = w[12] ^ w[14] ^ w[ 4] ^ w[ 9]; w[12] = RL(w[12], 1);
E += RL(A, 5) + K60_79 + (B ^ C ^ D) + w[12]; B = RL(B, 30);
w[13] = w[13] ^ w[15] ^ w[ 5] ^ w[10]; w[13] = RL(w[13], 1);
D += RL(E, 5) + K60_79 + (A ^ B ^ C) + w[13]; A = RL(A, 30);
w[14] = w[14] ^ w[ 0] ^ w[ 6] ^ w[11]; w[14] = RL(w[14], 1);
C += RL(D, 5) + K60_79 + (E ^ A ^ B) + w[14]; E = RL(E, 30);
w[15] = w[15] ^ w[ 1] ^ w[ 7] ^ w[12]; w[15] = RL(w[15], 1);
B += RL(C, 5) + K60_79 + (D ^ E ^ A) + w[15]; D = RL(D, 30);
w[ 0] = w[ 0] ^ w[ 2] ^ w[ 8] ^ w[13]; w[ 0] = RL(w[ 0], 1);
A += RL(B, 5) + K60_79 + (C ^ D ^ E) + w[ 0]; C = RL(C, 30);
w[ 1] = w[ 1] ^ w[ 3] ^ w[ 9] ^ w[14]; w[ 1] = RL(w[ 1], 1);
E += RL(A, 5) + K60_79 + (B ^ C ^ D) + w[ 1]; B = RL(B, 30);
w[ 2] = w[ 2] ^ w[ 4] ^ w[10] ^ w[15]; w[ 2] = RL(w[ 2], 1);
D += RL(E, 5) + K60_79 + (A ^ B ^ C) + w[ 2]; A = RL(A, 30);
w[ 3] = w[ 3] ^ w[ 5] ^ w[11] ^ w[ 0]; w[ 3] = RL(w[ 3], 1);
C += RL(D, 5) + K60_79 + (E ^ A ^ B) + w[ 3]; E = RL(E, 30);
w[ 4] = w[ 4] ^ w[ 6] ^ w[12] ^ w[ 1]; w[ 4] = RL(w[ 4], 1);
B += RL(C, 5) + K60_79 + (D ^ E ^ A) + w[ 4]; D = RL(D, 30);
w[ 5] = w[ 5] ^ w[ 7] ^ w[13] ^ w[ 2]; w[ 5] = RL(w[ 5], 1);
A += RL(B, 5) + K60_79 + (C ^ D ^ E) + w[ 5]; C = RL(C, 30);
w[ 6] = w[ 6] ^ w[ 8] ^ w[14] ^ w[ 3]; w[ 6] = RL(w[ 6], 1);
E += RL(A, 5) + K60_79 + (B ^ C ^ D) + w[ 6]; B = RL(B, 30);
w[ 7] = w[ 7] ^ w[ 9] ^ w[15] ^ w[ 4]; w[ 7] = RL(w[ 7], 1);
D += RL(E, 5) + K60_79 + (A ^ B ^ C) + w[ 7]; A = RL(A, 30);
w[ 8] = w[ 8] ^ w[10] ^ w[ 0] ^ w[ 5]; w[ 8] = RL(w[ 8], 1);
C += RL(D, 5) + K60_79 + (E ^ A ^ B) + w[ 8]; E = RL(E, 30);
w[ 9] = w[ 9] ^ w[11] ^ w[ 1] ^ w[ 6]; w[ 9] = RL(w[ 9], 1);
B += RL(C, 5) + K60_79 + (D ^ E ^ A) + w[ 9]; D = RL(D, 30);
w[10] = w[10] ^ w[12] ^ w[ 2] ^ w[ 7]; w[10] = RL(w[10], 1);
A += RL(B, 5) + K60_79 + (C ^ D ^ E) + w[10]; C = RL(C, 30);
w[11] = w[11] ^ w[13] ^ w[ 3] ^ w[ 8]; w[11] = RL(w[11], 1);
E += RL(A, 5) + K60_79 + (B ^ C ^ D) + w[11]; B = RL(B, 30);
w[12] = w[12] ^ w[14] ^ w[ 4] ^ w[ 9]; w[12] = RL(w[12], 1);
D += RL(E, 5) + K60_79 + (A ^ B ^ C) + w[12]; A = RL(A, 30);
w[13] = w[13] ^ w[15] ^ w[ 5] ^ w[10];
C += RL(D, 5) + K60_79 + (E ^ A ^ B) + RL(w[13], 1); E = RL(E, 30);
w[14] = w[14] ^ w[ 0] ^ w[ 6] ^ w[11];
B += RL(C, 5) + K60_79 + (D ^ E ^ A) + RL(w[14], 1); D = RL(D, 30);
/* update H0 - H4 */
w[15] = w[15] ^ w[ 1] ^ w[ 7] ^ w[12];
H0 += A + RL(B, 5) + K60_79 + (C ^ D ^ E) + RL(w[15], 1);
H1 += B;
H2 += RL(C, 30);
H3 += D;
H4 += E;
/* clear temp variables */
A = B = C = D = E = 0;
memset(w, 0, sizeof(w));
}
/* ntru_crypto_sha1()
*
* This routine provides all operations for a SHA-1 hash, and the use
* of SHA-1 for DSA signing and key generation.
* It may be used to initialize, update, or complete a message digest,
* or any combination of those actions, as determined by the SHA_INIT flag,
* the in_len parameter, and the SHA_FINISH flag, respectively.
*
* When in_len == 0 (no data to hash), the parameter, in, may be NULL.
* When the SHA_FINISH flag is not set, the parameter, md, may be NULL.
*
* Initialization may be standard or use a specified initialization vector,
* and is indicated by setting the SHA_INIT flag.
* Setting init = NULL specifies standard initialization. Otherwise, init
* points to the array of five alternate initialization 32-bit words.
*
* The hash operation can be updated with any number of input bytes, including
* zero.
*
* The hash operation can be completed with normal padding or with zero
* padding as required for parts of DSA parameter generation, and is indicated
* by setting the SHA_FINISH flag. Using zero padding, indicated by setting
* the SHA_ZERO_PAD flag, never creates an extra input block because the
* bit count is not included in the hashed data.
*
* Returns SHA_OK on success.
* Returns SHA_FAIL with corrupted context.
* Returns SHA_BAD_PARAMETER if inappropriate NULL pointers are passed.
* Returns SHA_OVERFLOW if more than 2^64 - 1 bytes are hashed.
*/
uint32_t
ntru_crypto_sha1(
NTRU_CRYPTO_SHA1_CTX *c, /* in/out - pointer to SHA-1 context */
uint32_t const *init, /* in - pointer to alternate */
/* initialization - may be NULL */
uint8_t const *in, /* in - pointer to input data -
may be NULL if in_len == 0 */
uint32_t in_len, /* in - number of input data bytes */
uint32_t flags, /* in - INIT, FINISH, zero-pad flags */
uint8_t *md) /* out - address for message digest -
may be NULL if not FINISH */
{
uint32_t in_blk[16]; /* input block */
uint32_t space;
uint8_t *d = NULL;
/* check error conditions */
if (!c || (in_len && !in) || ((flags & SHA_FINISH) && !md))
SHA_RET(SHA_BAD_PARAMETER)
/* initialize context if requested */
if (flags & SHA_INIT) {
/* init chaining state */
if (!init) {
c->state[0] = H0_INIT; // standard initialization
c->state[1] = H1_INIT;
c->state[2] = H2_INIT;
c->state[3] = H3_INIT;
c->state[4] = H4_INIT;
} else {
c->state[0] = init[0]; // alternate initialization
c->state[1] = init[1];
c->state[2] = init[2];
c->state[3] = init[3];
c->state[4] = init[4];
}
/* init bit count and number of unhashed data bytes */
c->num_bits_hashed[0] = 0;
c->num_bits_hashed[1] = 0;
c->unhashed_len = 0;
}
/* determine space left in unhashed data buffer */
if (c->unhashed_len > 63)
SHA_RET(SHA_FAIL)
space = 64 - c->unhashed_len;
/* process input if it exists */
if (in_len) {
/* update count of bits hashed */
{
uint32_t bits0, bits1;
bits0 = in_len << 3;
bits1 = in_len >> 29;
if ((c->num_bits_hashed[0] += bits0) < bits0)
bits1++;
if ((c->num_bits_hashed[1] += bits1) < bits1) {
memset((uint8_t *) c, 0, sizeof(NTRU_CRYPTO_SHA1_CTX));
space = 0;
memset((char *) in_blk, 0, sizeof(in_blk));
SHA_RET(SHA_OVERFLOW)
}
}
/* process input bytes */
if (in_len < space) {
/* input does not fill block buffer:
* add input to buffer
*/
memcpy(c->unhashed + c->unhashed_len, in, in_len);
c->unhashed_len += in_len;
} else {
uint32_t blks;
/* input will fill block buffer:
* fill unhashed data buffer,
* convert to block buffer,
* and process block
*/
in_len -= space;
for (d = c->unhashed + c->unhashed_len; space; space--)
*d++ = *in++;
ntru_crypto_msbyte_2_uint32(in_blk, (uint8_t const *) c->unhashed,
16);
sha1_blk((uint32_t const *) in_blk, c->state);
/* process any remaining full blocks */
for (blks = in_len >> 6; blks--; in += 64) {
ntru_crypto_msbyte_2_uint32(in_blk, in, 16);
sha1_blk((uint32_t const *) in_blk, c->state);
}
/* put any remaining input in the unhashed data buffer */
in_len &= 0x3f;
memcpy(c->unhashed, in, in_len);
c->unhashed_len = in_len;
}
}
/* complete message digest if requested */
if (flags & SHA_FINISH) {
space = 64 - c->unhashed_len;
/* check padding type */
if (!(flags & SHA_ZERO_PAD)) {
/* add 0x80 padding byte to the unhashed data buffer
* (there is always space since the buffer can't be full)
*/
d = c->unhashed + c->unhashed_len;
*d++ = 0x80;
space--;
/* check for space for bit count */
if (space < 8) {
/* no space for count:
* fill remainder of unhashed data buffer with zeros,
* convert to input block,
* process block,
* fill all but 8 bytes of unhashed data buffer with zeros
*/
memset(d, 0, space);
ntru_crypto_msbyte_2_uint32(in_blk,
(uint8_t const *) c->unhashed, 16);
sha1_blk((uint32_t const *) in_blk, c->state);
memset(c->unhashed, 0, 56);
} else {
/* fill unhashed data buffer with zeros,
* leaving space for bit count
*/
for (space -= 8; space; space--)
*d++ = 0;
}
/* convert partially filled unhashed data buffer to input block and
* add bit count to input block
*/
ntru_crypto_msbyte_2_uint32(in_blk, (uint8_t const *) c->unhashed,
14);
in_blk[14] = c->num_bits_hashed[1];
in_blk[15] = c->num_bits_hashed[0];
} else {
/* pad unhashed data buffer with zeros and no bit count and
* convert to input block
*/
memset(c->unhashed + c->unhashed_len, 0, space);
ntru_crypto_msbyte_2_uint32(in_blk, (uint8_t const *) c->unhashed,
16);
}
/* process last block */
sha1_blk((uint32_t const *) in_blk, c->state);
/* copy result to message digest buffer */
ntru_crypto_uint32_2_msbyte(md, c->state, 5);
/* clear context and stack variables */
memset((uint8_t *) c, 0, sizeof(NTRU_CRYPTO_SHA1_CTX));
space = 0;
memset((char *) in_blk, 0, sizeof(in_blk));
}
SHA_RET(SHA_OK)
}
/* ntru_crypto_sha1_init
*
* This routine performs standard initialization of the SHA-1 state.
*
* Returns SHA_OK on success.
* Returns SHA_FAIL with corrupted context.
* Returns SHA_BAD_PARAMETER if inappropriate NULL pointers are passed.
*/
uint32_t
ntru_crypto_sha1_init(
NTRU_CRYPTO_SHA1_CTX *c) /* in/out - pointer to SHA-1 context */
{
return ntru_crypto_sha1(c, NULL, NULL, 0, SHA_INIT, NULL);
}
/* ntru_crypto_sha1_update
*
* This routine processes input data and updates the SHA-1 hash calculation.
*
* Returns SHA_OK on success.
* Returns SHA_FAIL with corrupted context.
* Returns SHA_BAD_PARAMETER if inappropriate NULL pointers are passed.
* Returns SHA_OVERFLOW if more than 2^64 - 1 bytes are hashed.
*/
uint32_t
ntru_crypto_sha1_update(
NTRU_CRYPTO_SHA1_CTX *c, /* in/out - pointer to SHA-1 context */
uint8_t const *data, /* in - pointer to input data */
uint32_t data_len) /* in - number of bytes of input data */
{
return ntru_crypto_sha1(c, NULL, data, data_len, SHA_DATA_ONLY, NULL);
}
/* ntru_crypto_sha1_final
*
* This routine completes the SHA-1 hash calculation and returns the
* message digest.
*
* Returns SHA_OK on success.
* Returns SHA_FAIL with corrupted context.
* Returns SHA_BAD_PARAMETER if inappropriate NULL pointers are passed.
* Returns SHA_OVERFLOW if more than 2^64 - 1 bytes are hashed.
*/
uint32_t
ntru_crypto_sha1_final(
NTRU_CRYPTO_SHA1_CTX *c, /* in/out - pointer to SHA-1 context */
uint8_t *md) /* out - address for message digest */
{
return ntru_crypto_sha1(c, NULL, NULL, 0, SHA_FINISH, md);
}
/* ntru_crypto_sha1_final_zero_pad
*
* This routine completes the SHA-1 hash calculation using zero padding
* and returns the message digest.
*
* Returns SHA_OK on success.
* Returns SHA_FAIL with corrupted context.
* Returns SHA_BAD_PARAMETER if inappropriate NULL pointers are passed.
* Returns SHA_OVERFLOW if more than 2^64 - 1 bytes are hashed.
*/
uint32_t
ntru_crypto_sha1_final_zero_pad(
NTRU_CRYPTO_SHA1_CTX *c, /* in/out - pointer to SHA-1 context */
uint8_t *md) /* out - address for message digest */
{
return ntru_crypto_sha1(c, NULL, NULL, 0, SHA_FINISH | SHA_ZERO_PAD, md);
}
/* ntru_crypto_sha1_digest
*
* This routine computes a SHA-1 message digest.
*
* Returns SHA_OK on success.
* Returns SHA_FAIL with corrupted context.
* Returns SHA_BAD_PARAMETER if inappropriate NULL pointers are passed.
* Returns SHA_OVERFLOW if more than 2^64 - 1 bytes are hashed.
*/
uint32_t
ntru_crypto_sha1_digest(
uint8_t const *data, // in - pointer to input data
uint32_t data_len, // in - number of bytes of input data
uint8_t *md) // out - address for message digest
{
NTRU_CRYPTO_SHA1_CTX c;
return ntru_crypto_sha1(&c, NULL, data, data_len, SHA_INIT | SHA_FINISH,
md);
}

205
src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_sha1.h
View File

@ -1,205 +0,0 @@
/******************************************************************************
* NTRU Cryptography Reference Source Code
* Copyright (c) 2009-2013, by Security Innovation, Inc. All rights reserved.
*
* ntru_crypto_crypto_sha1.h is a component of ntru-crypto.
*
* Copyright (C) 2009-2013 Security Innovation
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2
* of the License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*
*****************************************************************************/
/******************************************************************************
*
* File: ntru_crypto_sha1.h
*
* Contents: Definitions and declarations for the SHA-1 implementation.
*
*****************************************************************************/
#ifndef NTRU_CRYPTO_SHA1_H
#define NTRU_CRYPTO_SHA1_H
#include "ntru_crypto_sha.h"
#include <library.h>
/******************************************
* macros needed for generic hash objects *
******************************************/
#define SHA_1_CTX_LEN sizeof(SHA1_CTX) /* no. bytes in SHA-1
ctx */
#define SHA_1_BLK_LEN 64 /* 64 bytes in input
block */
#define SHA_1_MD_LEN 20 /* 20 bytes in msg
digest */
#define SHA_1_INIT_FN &ntru_crypto_sha1_init /* init function */
#define SHA_1_UPDATE_FN &ntru_crypto_sha1_update /* update function */
#define SHA_1_FINAL_FN &ntru_crypto_sha1_final /* final function */
#define SHA_1_FINAL_ZERO_PAD_FN \
&ntru_crypto_sha1_final_zero_pad
/* final function using
zero padding */
#define SHA_1_DIGEST_FN &ntru_crypto_sha1_digest /* digest function */
/*************************
* structure definitions *
*************************/
/* SHA-1 context structure */
typedef struct {
uint32_t state[5]; // chaining state
uint32_t num_bits_hashed[2]; // number of bits hashed
uint8_t unhashed[64]; // input data not yet hashed
uint32_t unhashed_len; // number of bytes of unhashed input data
} NTRU_CRYPTO_SHA1_CTX;
/*************************
* function declarations *
*************************/
/* ntru_crypto_sha1()
*
* This routine provides all operations for a SHA-1 hash, and the use
* of SHA-1 for DSA signing and key generation.
* It may be used to initialize, update, or complete a message digest,
* or any combination of those actions, as determined by the SHA_INIT flag,
* the in_len parameter, and the SHA_FINISH flag, respectively.
*
* When in_len == 0 (no data to hash), the parameter, in, may be NULL.
* When the SHA_FINISH flag is not set, the parameter, md, may be NULL.
*
* Initialization may be standard or use a specified initialization vector,
* and is indicated by setting the SHA_INIT flag.
* Setting init = NULL specifies standard initialization. Otherwise, init
* points to the array of five alternate initialization 32-bit words.
*
* The hash operation can be updated with any number of input bytes, including
* zero.
*
* The hash operation can be completed with normal padding or with zero
* padding as required for parts of DSA parameter generation, and is indicated
* by setting the SHA_FINISH flag. Using zero padding, indicated by setting
* the SHA_ZERO_PAD flag, never creates an extra input block because the
* bit count is not included in the hashed data.
*
* Returns SHA_OK on success.
* Returns SHA_FAIL with corrupted context.
* Returns SHA_BAD_PARAMETER if inappropriate NULL pointers are passed.
* Returns SHA_OVERFLOW if more than 2^64 - 1 bytes are hashed.
*/
extern uint32_t
ntru_crypto_sha1(
NTRU_CRYPTO_SHA1_CTX *c, /* in/out - pointer to SHA-1 context */
uint32_t const *init, /* in - pointer to alternate */
/* initialization - may be NULL */
uint8_t const *in, /* in - pointer to input data -
may be NULL if in_len == 0 */
uint32_t in_len, /* in - number of input data bytes */
uint32_t flags, /* in - INIT, FINISH, zero-pad flags */
uint8_t *md); /* out - address for message digest -
may be NULL if not FINISH */
/* ntru_crypto_sha1_init
*
* This routine performs standard initialization of the SHA-1 state.
*
* Returns SHA_OK on success.
* Returns SHA_FAIL with corrupted context.
* Returns SHA_BAD_PARAMETER if inappropriate NULL pointers are passed.
*/
extern uint32_t
ntru_crypto_sha1_init(
NTRU_CRYPTO_SHA1_CTX *c); /* in/out - pointer to SHA-1 context */
/* ntru_crypto_sha1_update
*
* This routine processes input data and updates the SHA-1 hash calculation.
*
* Returns SHA_OK on success.
* Returns SHA_FAIL with corrupted context.
* Returns SHA_BAD_PARAMETER if inappropriate NULL pointers are passed.
* Returns SHA_OVERFLOW if more than 2^64 - 1 bytes are hashed.
*/
extern uint32_t
ntru_crypto_sha1_update(
NTRU_CRYPTO_SHA1_CTX *c, /* in/out - pointer to SHA-1 context */
uint8_t const *data, /* in - pointer to input data */
uint32_t data_len); /* in - number of bytes of input data */
/* ntru_crypto_sha1_final
*
* This routine completes the SHA-1 hash calculation and returns the
* message digest.
*
* Returns SHA_OK on success.
* Returns SHA_FAIL with corrupted context.
* Returns SHA_BAD_PARAMETER if inappropriate NULL pointers are passed.
* Returns SHA_OVERFLOW if more than 2^64 - 1 bytes are hashed.
*/
extern uint32_t
ntru_crypto_sha1_final(
NTRU_CRYPTO_SHA1_CTX *c, /* in/out - pointer to SHA-1 context */
uint8_t *md); /* out - address for message digest */
/* ntru_crypto_sha1_final_zero_pad
*
* This routine completes the SHA-1 hash calculation using zero padding
* and returns the message digest.
*
* Returns SHA_OK on success.
* Returns SHA_FAIL with corrupted context.
* Returns SHA_BAD_PARAMETER if inappropriate NULL pointers are passed.
* Returns SHA_OVERFLOW if more than 2^64 - 1 bytes are hashed.
*/
extern uint32_t
ntru_crypto_sha1_final_zero_pad(
NTRU_CRYPTO_SHA1_CTX *c, /* in/out - pointer to SHA-1 context */
uint8_t *md); /* out - address for message digest */
/* ntru_crypto_sha1_digest
*
* This routine computes a SHA-1 message digest.
*
* Returns SHA_OK on success.
* Returns SHA_FAIL with corrupted context.
* Returns SHA_BAD_PARAMETER if inappropriate NULL pointers are passed.
* Returns SHA_OVERFLOW if more than 2^64 - 1 bytes are hashed.
*/
uint32_t
ntru_crypto_sha1_digest(
uint8_t const *data, /* in - pointer to input data */
uint32_t data_len, /* in - number of bytes of input data */
uint8_t *md); /* out - address for message digest */
#endif /* NTRU_CRYPTO_SHA1_H */

532
src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_sha2.c
View File

@ -1,532 +0,0 @@
/******************************************************************************
* NTRU Cryptography Reference Source Code
* Copyright (c) 2009-2013, by Security Innovation, Inc. All rights reserved.
*
* ntru_crypto_sha2.c is a component of ntru-crypto.
*
* Copyright (C) 2009-2013 Security Innovation
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2
* of the License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*
*****************************************************************************/
/******************************************************************************
*
* File: ntru_crypto_sha2.c
*
* Contents: Routines implementing the SHA-256 hash calculation.
*
*****************************************************************************/
#include <stdlib.h>
#include <string.h>
#include "ntru_crypto_sha2.h"
#include "ntru_crypto_msbyte_uint32.h"
/* chaining state elements */
#define H0 state[0]
#define H1 state[1]
#define H2 state[2]
#define H3 state[3]
#define H4 state[4]
#define H5 state[5]
#define H6 state[6]
#define H7 state[7]
/* standard SHA-256 initialization values */
#define H0_SHA256_INIT 0x6a09e667UL
#define H1_SHA256_INIT 0xbb67ae85UL
#define H2_SHA256_INIT 0x3c6ef372UL
#define H3_SHA256_INIT 0xa54ff53aUL
#define H4_SHA256_INIT 0x510e527fUL
#define H5_SHA256_INIT 0x9b05688cUL
#define H6_SHA256_INIT 0x1f83d9abUL
#define H7_SHA256_INIT 0x5be0cd19UL
/* sha2_blk()
*
* This routine updates the current hash output (chaining state)
* by performing SHA-256 on a 512-bit block of data represented
* as sixteen 32-bit words.
*/
#define RR(a, n) ( ((a) >> (n)) | ((a) << (32 - (n))) )
#define S0(a) ( RR((a), 2) ^ RR((a), 13) ^ RR((a), 22) )
#define S1(a) ( RR((a), 6) ^ RR((a), 11) ^ RR((a), 25) )
#define s0(a) ( RR((a), 7) ^ RR((a), 18) ^ ((a) >> 3) )
#define s1(a) ( RR((a), 17) ^ RR((a), 19) ^ ((a) >> 10) )
static void
sha2_blk(
uint32_t const *data, // in - ptr to 16 32-bit word input block
uint32_t *state) // in/out - ptr to 8 32-bit word chaining state
{
uint32_t A, B, C, D, E, F, G, H;
uint32_t w[16];
/* init A - H */
A = H0; B = H1; C = H2; D = H3; E = H4; F = H5; G = H6; H = H7;
/* rounds 0 - 15 */
H += S1(E) + (E & (F ^ G) ^ G) + 0x428A2F98UL + data[ 0]; D += H;
H += S0(A) + ((A & B) | (C & (A | B)));
G += S1(D) + (D & (E ^ F) ^ F) + 0x71374491UL + data[ 1]; C += G;
G += S0(H) + ((H & A) | (B & (H | A)));
F += S1(C) + (C & (D ^ E) ^ E) + 0xB5C0FBCFUL + data[ 2]; B += F;
F += S0(G) + ((G & H) | (A & (G | H)));
E += S1(B) + (B & (C ^ D) ^ D) + 0xE9B5DBA5UL + data[ 3]; A += E;
E += S0(F) + ((F & G) | (H & (F | G)));
D += S1(A) + (A & (B ^ C) ^ C) + 0x3956C25BUL + data[ 4]; H += D;
D += S0(E) + ((E & F) | (G & (E | F)));
C += S1(H) + (H & (A ^ B) ^ B) + 0x59F111F1UL + data[ 5]; G += C;
C += S0(D) + ((D & E) | (F & (D | E)));
B += S1(G) + (G & (H ^ A) ^ A) + 0x923F82A4UL + data[ 6]; F += B;
B += S0(C) + ((C & D) | (E & (C | D)));
A += S1(F) + (F & (G ^ H) ^ H) + 0xAB1C5ED5UL + data[ 7]; E += A;
A += S0(B) + ((B & C) | (D & (B | C)));
H += S1(E) + (E & (F ^ G) ^ G) + 0xD807AA98UL + data[ 8]; D += H;
H += S0(A) + ((A & B) | (C & (A | B)));
G += S1(D) + (D & (E ^ F) ^ F) + 0x12835B01UL + data[ 9]; C += G;
G += S0(H) + ((H & A) | (B & (H | A)));
F += S1(C) + (C & (D ^ E) ^ E) + 0x243185BEUL + data[10]; B += F;
F += S0(G) + ((G & H) | (A & (G | H)));
E += S1(B) + (B & (C ^ D) ^ D) + 0x550C7DC3UL + data[11]; A += E;
E += S0(F) + ((F & G) | (H & (F | G)));
D += S1(A) + (A & (B ^ C) ^ C) + 0x72BE5D74UL + data[12]; H += D;
D += S0(E) + ((E & F) | (G & (E | F)));
C += S1(H) + (H & (A ^ B) ^ B) + 0x80DEB1FEUL + data[13]; G += C;
C += S0(D) + ((D & E) | (F & (D | E)));
B += S1(G) + (G & (H ^ A) ^ A) + 0x9BDC06A7UL + data[14]; F += B;
B += S0(C) + ((C & D) | (E & (C | D)));
A += S1(F) + (F & (G ^ H) ^ H) + 0xC19BF174UL + data[15]; E += A;
A += S0(B) + ((B & C) | (D & (B | C)));
/* rounds 16 - 63 */
w[ 0] = data[ 0] + s0(data[ 1]) + data[ 9] + s1(data[14]);
H += S1(E) + (E & (F ^ G) ^ G) + 0xE49B69C1UL + w[ 0]; D += H;
H += S0(A) + ((A & B) | (C & (A | B)));
w[ 1] = data[ 1] + s0(data[ 2]) + data[10] + s1(data[15]);
G += S1(D) + (D & (E ^ F) ^ F) + 0xEFBE4786UL + w[ 1]; C += G;
G += S0(H) + ((H & A) | (B & (H | A)));
w[ 2] = data[ 2] + s0(data[ 3]) + data[11] + s1(w[ 0]);
F += S1(C) + (C & (D ^ E) ^ E) + 0x0FC19DC6UL + w[ 2]; B += F;
F += S0(G) + ((G & H) | (A & (G | H)));
w[ 3] = data[ 3] + s0(data[ 4]) + data[12] + s1(w[ 1]);
E += S1(B) + (B & (C ^ D) ^ D) + 0x240CA1CCUL + w[ 3]; A += E;
E += S0(F) + ((F & G) | (H & (F | G)));
w[ 4] = data[ 4] + s0(data[ 5]) + data[13] + s1(w[ 2]);
D += S1(A) + (A & (B ^ C) ^ C) + 0x2DE92C6FUL + w[ 4]; H += D;
D += S0(E) + ((E & F) | (G & (E | F)));
w[ 5] = data[ 5] + s0(data[ 6]) + data[14] + s1(w[ 3]);
C += S1(H) + (H & (A ^ B) ^ B) + 0x4A7484AAUL + w[ 5]; G += C;
C += S0(D) + ((D & E) | (F & (D | E)));
w[ 6] = data[ 6] + s0(data[ 7]) + data[15] + s1(w[ 4]);
B += S1(G) + (G & (H ^ A) ^ A) + 0x5CB0A9DCUL + w[ 6]; F += B;
B += S0(C) + ((C & D) | (E & (C | D)));
w[ 7] = data[ 7] + s0(data[ 8]) + w[ 0] + s1(w[ 5]);
A += S1(F) + (F & (G ^ H) ^ H) + 0x76F988DAUL + w[ 7]; E += A;
A += S0(B) + ((B & C) | (D & (B | C)));
w[ 8] = data[ 8] + s0(data[ 9]) + w[ 1] + s1(w[ 6]);
H += S1(E) + (E & (F ^ G) ^ G) + 0x983E5152UL + w[ 8]; D += H;
H += S0(A) + ((A & B) | (C & (A | B)));
w[ 9] = data[ 9] + s0(data[10]) + w[ 2] + s1(w[ 7]);
G += S1(D) + (D & (E ^ F) ^ F) + 0xA831C66DUL + w[ 9]; C += G;
G += S0(H) + ((H & A) | (B & (H | A)));
w[10] = data[10] + s0(data[11]) + w[ 3] + s1(w[ 8]);
F += S1(C) + (C & (D ^ E) ^ E) + 0xB00327C8UL + w[10]; B += F;
F += S0(G) + ((G & H) | (A & (G | H)));
w[11] = data[11] + s0(data[12]) + w[ 4] + s1(w[ 9]);
E += S1(B) + (B & (C ^ D) ^ D) + 0xBF597FC7UL + w[11]; A += E;
E += S0(F) + ((F & G) | (H & (F | G)));
w[12] = data[12] + s0(data[13]) + w[ 5] + s1(w[10]);
D += S1(A) + (A & (B ^ C) ^ C) + 0xC6E00BF3UL + w[12]; H += D;
D += S0(E) + ((E & F) | (G & (E | F)));
w[13] = data[13] + s0(data[14]) + w[ 6] + s1(w[11]);
C += S1(H) + (H & (A ^ B) ^ B) + 0xD5A79147UL + w[13]; G += C;
C += S0(D) + ((D & E) | (F & (D | E)));
w[14] = data[14] + s0(data[15]) + w[ 7] + s1(w[12]);
B += S1(G) + (G & (H ^ A) ^ A) + 0x06CA6351UL + w[14]; F += B;
B += S0(C) + ((C & D) | (E & (C | D)));
w[15] = data[15] + s0(w[ 0]) + w[ 8] + s1(w[13]);
A += S1(F) + (F & (G ^ H) ^ H) + 0x14292967UL + w[15]; E += A;
A += S0(B) + ((B & C) | (D & (B | C)));
w[ 0] = w[ 0] + s0(w[ 1]) + w[ 9] + s1(w[14]);
H += S1(E) + (E & (F ^ G) ^ G) + 0x27B70A85UL + w[ 0]; D += H;
H += S0(A) + ((A & B) | (C & (A | B)));
w[ 1] = w[ 1] + s0(w[ 2]) + w[10] + s1(w[15]);
G += S1(D) + (D & (E ^ F) ^ F) + 0x2E1B2138UL + w[ 1]; C += G;
G += S0(H) + ((H & A) | (B & (H | A)));
w[ 2] = w[ 2] + s0(w[ 3]) + w[11] + s1(w[ 0]);
F += S1(C) + (C & (D ^ E) ^ E) + 0x4D2C6DFCUL + w[ 2]; B += F;
F += S0(G) + ((G & H) | (A & (G | H)));
w[ 3] = w[ 3] + s0(w[ 4]) + w[12] + s1(w[ 1]);
E += S1(B) + (B & (C ^ D) ^ D) + 0x53380D13UL + w[ 3]; A += E;
E += S0(F) + ((F & G) | (H & (F | G)));
w[ 4] = w[ 4] + s0(w[ 5]) + w[13] + s1(w[ 2]);
D += S1(A) + (A & (B ^ C) ^ C) + 0x650A7354UL + w[ 4]; H += D;
D += S0(E) + ((E & F) | (G & (E | F)));
w[ 5] = w[ 5] + s0(w[ 6]) + w[14] + s1(w[ 3]);
C += S1(H) + (H & (A ^ B) ^ B) + 0x766A0ABBUL + w[ 5]; G += C;
C += S0(D) + ((D & E) | (F & (D | E)));
w[ 6] = w[ 6] + s0(w[ 7]) + w[15] + s1(w[ 4]);
B += S1(G) + (G & (H ^ A) ^ A) + 0x81C2C92EUL + w[ 6]; F += B;
B += S0(C) + ((C & D) | (E & (C | D)));
w[ 7] = w[ 7] + s0(w[ 8]) + w[ 0] + s1(w[ 5]);
A += S1(F) + (F & (G ^ H) ^ H) + 0x92722C85UL + w[ 7]; E += A;
A += S0(B) + ((B & C) | (D & (B | C)));
w[ 8] = w[ 8] + s0(w[ 9]) + w[ 1] + s1(w[ 6]);
H += S1(E) + (E & (F ^ G) ^ G) + 0xA2BFE8A1UL + w[ 8]; D += H;
H += S0(A) + ((A & B) | (C & (A | B)));
w[ 9] = w[ 9] + s0(w[10]) + w[ 2] + s1(w[ 7]);
G += S1(D) + (D & (E ^ F) ^ F) + 0xA81A664BUL + w[ 9]; C += G;
G += S0(H) + ((H & A) | (B & (H | A)));
w[10] = w[10] + s0(w[11]) + w[ 3] + s1(w[ 8]);
F += S1(C) + (C & (D ^ E) ^ E) + 0xC24B8B70UL + w[10]; B += F;
F += S0(G) + ((G & H) | (A & (G | H)));
w[11] = w[11] + s0(w[12]) + w[ 4] + s1(w[ 9]);
E += S1(B) + (B & (C ^ D) ^ D) + 0xC76C51A3UL + w[11]; A += E;
E += S0(F) + ((F & G) | (H & (F | G)));
w[12] = w[12] + s0(w[13]) + w[ 5] + s1(w[10]);
D += S1(A) + (A & (B ^ C) ^ C) + 0xD192E819UL + w[12]; H += D;
D += S0(E) + ((E & F) | (G & (E | F)));
w[13] = w[13] + s0(w[14]) + w[ 6] + s1(w[11]);
C += S1(H) + (H & (A ^ B) ^ B) + 0xD6990624UL + w[13]; G += C;
C += S0(D) + ((D & E) | (F & (D | E)));
w[14] = w[14] + s0(w[15]) + w[ 7] + s1(w[12]);
B += S1(G) + (G & (H ^ A) ^ A) + 0xF40E3585UL + w[14]; F += B;
B += S0(C) + ((C & D) | (E & (C | D)));
w[15] = w[15] + s0(w[ 0]) + w[ 8] + s1(w[13]);
A += S1(F) + (F & (G ^ H) ^ H) + 0x106AA070UL + w[15]; E += A;
A += S0(B) + ((B & C) | (D & (B | C)));
w[ 0] = w[ 0] + s0(w[ 1]) + w[ 9] + s1(w[14]);
H += S1(E) + (E & (F ^ G) ^ G) + 0x19A4C116UL + w[ 0]; D += H;
H += S0(A) + ((A & B) | (C & (A | B)));
w[ 1] = w[ 1] + s0(w[ 2]) + w[10] + s1(w[15]);
G += S1(D) + (D & (E ^ F) ^ F) + 0x1E376C08UL + w[ 1]; C += G;
G += S0(H) + ((H & A) | (B & (H | A)));
w[ 2] = w[ 2] + s0(w[ 3]) + w[11] + s1(w[ 0]);
F += S1(C) + (C & (D ^ E) ^ E) + 0x2748774CUL + w[ 2]; B += F;
F += S0(G) + ((G & H) | (A & (G | H)));
w[ 3] = w[ 3] + s0(w[ 4]) + w[12] + s1(w[ 1]);
E += S1(B) + (B & (C ^ D) ^ D) + 0x34B0BCB5UL + w[ 3]; A += E;
E += S0(F) + ((F & G) | (H & (F | G)));
w[ 4] = w[ 4] + s0(w[ 5]) + w[13] + s1(w[ 2]);
D += S1(A) + (A & (B ^ C) ^ C) + 0x391C0CB3UL + w[ 4]; H += D;
D += S0(E) + ((E & F) | (G & (E | F)));
w[ 5] = w[ 5] + s0(w[ 6]) + w[14] + s1(w[ 3]);
C += S1(H) + (H & (A ^ B) ^ B) + 0x4ED8AA4AUL + w[ 5]; G += C;
C += S0(D) + ((D & E) | (F & (D | E)));
w[ 6] = w[ 6] + s0(w[ 7]) + w[15] + s1(w[ 4]);
B += S1(G) + (G & (H ^ A) ^ A) + 0x5B9CCA4FUL + w[ 6]; F += B;
B += S0(C) + ((C & D) | (E & (C | D)));
w[ 7] = w[ 7] + s0(w[ 8]) + w[ 0] + s1(w[ 5]);
A += S1(F) + (F & (G ^ H) ^ H) + 0x682E6FF3UL + w[ 7]; E += A;
A += S0(B) + ((B & C) | (D & (B | C)));
w[ 8] = w[ 8] + s0(w[ 9]) + w[ 1] + s1(w[ 6]);
H += S1(E) + (E & (F ^ G) ^ G) + 0x748F82EEUL + w[ 8]; D += H;
H += S0(A) + ((A & B) | (C & (A | B)));
w[ 9] = w[ 9] + s0(w[10]) + w[ 2] + s1(w[ 7]);
G += S1(D) + (D & (E ^ F) ^ F) + 0x78A5636FUL + w[ 9]; C += G;
G += S0(H) + ((H & A) | (B & (H | A)));
w[10] = w[10] + s0(w[11]) + w[ 3] + s1(w[ 8]);
F += S1(C) + (C & (D ^ E) ^ E) + 0x84C87814UL + w[10]; B += F;
F += S0(G) + ((G & H) | (A & (G | H)));
w[11] = w[11] + s0(w[12]) + w[ 4] + s1(w[ 9]);
E += S1(B) + (B & (C ^ D) ^ D) + 0x8CC70208UL + w[11]; A += E;
E += S0(F) + ((F & G) | (H & (F | G)));
w[12] = w[12] + s0(w[13]) + w[ 5] + s1(w[10]);
D += S1(A) + (A & (B ^ C) ^ C) + 0x90BEFFFAUL + w[12]; H += D;
D += S0(E) + ((E & F) | (G & (E | F)));
w[13] = w[13] + s0(w[14]) + w[ 6] + s1(w[11]);
C += S1(H) + (H & (A ^ B) ^ B) + 0xA4506CEBUL + w[13]; G += C;
C += S0(D) + ((D & E) | (F & (D | E)));
w[14] = w[14] + s0(w[15]) + w[ 7] + s1(w[12]);
B += S1(G) + (G & (H ^ A) ^ A) + 0xBEF9A3F7UL + w[14]; F += B;
B += S0(C) + ((C & D) | (E & (C | D)));
w[15] = w[15] + s0(w[ 0]) + w[ 8] + s1(w[13]);
A += S1(F) + (F & (G ^ H) ^ H) + 0xC67178F2UL + w[15]; E += A;
A += S0(B) + ((B & C) | (D & (B | C)));
/* update H0 - H7 */
H0 += A;
H1 += B;
H2 += C;
H3 += D;
H4 += E;
H5 += F;
H6 += G;
H7 += H;
/* clear temp variables */
A = B = C = D = E = F = G = H = 0;
memset(w, 0, sizeof(w));
}
/* ntru_crypto_sha2()
*
* This routine provides all operations for a SHA-256 hash,
* and the use of SHA-256 for DSA signing and key generation.
* It may be used to initialize, update, or complete a message digest,
* or any combination of those actions, as determined by the SHA_INIT flag,
* the in_len parameter, and the SHA_FINISH flag, respectively.
*
* When in_len == 0 (no data to hash), the parameter, in, may be NULL.
* When the SHA_FINISH flag is not set, the parameter, md, may be NULL.
*
* Initialization may be standard or use a specified initialization vector,
* and is indicated by setting the SHA_INIT flag.
* Setting init = NULL specifies standard initialization. Otherwise, init
* points to the array of eight alternate initialization 32-bit words.
*
* The hash operation can be updated with any number of input bytes, including
* zero.
*
* The hash operation can be completed with normal padding or with zero
* padding as required for parts of DSA parameter generation, and is indicated
* by setting the SHA_FINISH flag. Using zero padding, indicated by setting
* the SHA_ZERO_PAD flag, never creates an extra input block because the
* bit count is not included in the hashed data.
*
* Returns SHA_OK on success.
* Returns SHA_FAIL with corrupted context.
* Returns SHA_BAD_PARAMETER if inappropriate NULL pointers are passed.
* Returns SHA_OVERFLOW if more than 2^64 - 1 bytes are hashed.
*/
uint32_t
ntru_crypto_sha2(
NTRU_CRYPTO_HASH_ALGID algid, // in - hash algorithm ID
NTRU_CRYPTO_SHA2_CTX *c, // in/out - pointer to SHA-2 context
uint32_t const *init, // in - pointer to alternate
// initialization - may be NULL
uint8_t const *in, // in - pointer to input data -
// may be NULL if in_len == 0
uint32_t in_len, // in - number of input data bytes
uint32_t flags, // in - INIT, FINISH, zero-pad flags
uint8_t *md) // out - address for message digest -
// may be NULL if not FINISH
{
uint32_t in_blk[16]; // input block
uint32_t space;
uint8_t *d = NULL;
/* check error conditions */
if (algid != NTRU_CRYPTO_HASH_ALGID_SHA256)
SHA_RET(SHA_BAD_PARAMETER)
if (!c || (in_len && !in) || ((flags & SHA_FINISH) && !md))
SHA_RET(SHA_BAD_PARAMETER)
/* initialize context if requested */
if (flags & SHA_INIT) {
/* init chaining state */
if (!init) { // standard initialization
c->state[0] = H0_SHA256_INIT; // standard SHA-256 init
c->state[1] = H1_SHA256_INIT;
c->state[2] = H2_SHA256_INIT;
c->state[3] = H3_SHA256_INIT;
c->state[4] = H4_SHA256_INIT;
c->state[5] = H5_SHA256_INIT;
c->state[6] = H6_SHA256_INIT;
c->state[7] = H7_SHA256_INIT;
} else {
c->state[0] = init[0]; // alternate initialization
c->state[1] = init[1];
c->state[2] = init[2];
c->state[3] = init[3];
c->state[4] = init[4];
c->state[5] = init[5];
c->state[6] = init[6];
c->state[7] = init[7];
}
/* init bit count and number of unhashed data bytes */
c->num_bits_hashed[0] = 0;
c->num_bits_hashed[1] = 0;
c->unhashed_len = 0;
}
/* determine space left in unhashed data buffer */
if (c->unhashed_len > 63)
SHA_RET(SHA_FAIL)
space = 64 - c->unhashed_len;
/* process input if it exists */
if (in_len) {
/* update count of bits hashed */
{
uint32_t bits0, bits1;
bits0 = in_len << 3;
bits1 = in_len >> 29;
if ((c->num_bits_hashed[0] += bits0) < bits0)
bits1++;
if ((c->num_bits_hashed[1] += bits1) < bits1) {
memset((uint8_t *) c, 0, sizeof(NTRU_CRYPTO_SHA2_CTX));
space = 0;
memset((char *) in_blk, 0, sizeof(in_blk));
SHA_RET(SHA_OVERFLOW)
}
}
/* process input bytes */
if (in_len < space) {
/* input does not fill block buffer:
* add input to buffer
*/
memcpy(c->unhashed + c->unhashed_len, in, in_len);
c->unhashed_len += in_len;
} else {
uint32_t blks;
/* input will fill block buffer:
* fill unhashed data buffer,
* convert to block buffer,
* and process block
*/
in_len -= space;
for (d = c->unhashed + c->unhashed_len; space; space--)
*d++ = *in++;
ntru_crypto_msbyte_2_uint32(in_blk, (uint8_t const *) c->unhashed,
16);
sha2_blk((uint32_t const *) in_blk, c->state);
/* process any remaining full blocks */
for (blks = in_len >> 6; blks--; in += 64) {
ntru_crypto_msbyte_2_uint32(in_blk, in, 16);
sha2_blk((uint32_t const *) in_blk, c->state);
}
/* put any remaining input in the unhashed data buffer */
in_len &= 0x3f;
memcpy(c->unhashed, in, in_len);
c->unhashed_len = in_len;
}
}
/* complete message digest if requested */
if (flags & SHA_FINISH) {
space = 64 - c->unhashed_len;
/* check padding type */
if (!(flags & SHA_ZERO_PAD)) {
/* add 0x80 padding byte to the unhashed data buffer
* (there is always space since the buffer can't be full)
*/
d = c->unhashed + c->unhashed_len;
*d++ = 0x80;
space--;
/* check for space for bit count */
if (space < 8) {
/* no space for count:
* fill remainder of unhashed data buffer with zeros,
* convert to input block,
* process block,
* fill all but 8 bytes of unhashed data buffer with zeros
*/
memset(d, 0, space);
ntru_crypto_msbyte_2_uint32(in_blk,
(uint8_t const *) c->unhashed, 16);
sha2_blk((uint32_t const *) in_blk, c->state);
memset(c->unhashed, 0, 56);
} else {
/* fill unhashed data buffer with zeros,
* leaving space for bit count
*/
for (space -= 8; space; space--)
*d++ = 0;
}
/* convert partially filled unhashed data buffer to input block and
* add bit count to input block
*/
ntru_crypto_msbyte_2_uint32(in_blk, (uint8_t const *) c->unhashed,
14);
in_blk[14] = c->num_bits_hashed[1];
in_blk[15] = c->num_bits_hashed[0];
} else {
/* pad unhashed data buffer with zeros and no bit count and
* convert to input block
*/
memset(c->unhashed + c->unhashed_len, 0, space);
ntru_crypto_msbyte_2_uint32(in_blk, (uint8_t const *) c->unhashed,
16);
}
/* process last block */
sha2_blk((uint32_t const *) in_blk, c->state);
/* copy result to message digest buffer */
ntru_crypto_uint32_2_msbyte(md, c->state, 8);
/* clear context and stack variables */
memset((uint8_t *) c, 0, sizeof(NTRU_CRYPTO_SHA2_CTX));
space = 0;
memset((char *) in_blk, 0, sizeof(in_blk));
}
SHA_RET(SHA_OK)
}

104
src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_sha2.h
View File

@ -1,104 +0,0 @@
/******************************************************************************
* NTRU Cryptography Reference Source Code
* Copyright (c) 2009-2013, by Security Innovation, Inc. All rights reserved.
*
* ntru_crypto_crypto_sha2.h is a component of ntru-crypto.
*
* Copyright (C) 2009-2013 Security Innovation
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2
* of the License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*
*****************************************************************************/
/******************************************************************************
*
* File: ntru_crypto_sha2.h
*
* Contents: Definitions and declarations for the SHA-256 implementation.
*
*****************************************************************************/
#ifndef NTRU_CRYPTO_SHA2_H
#define NTRU_CRYPTO_SHA2_H
#include "ntru_crypto_sha.h"
#include <library.h>
/*************************
* structure definitions *
*************************/
/* SHA-256 context structure */
typedef struct {
uint32_t state[8]; /* chaining state */
uint32_t num_bits_hashed[2]; /* number of bits hashed */
uint8_t unhashed[64]; /* input data not yet hashed */
uint32_t unhashed_len; /* number of bytes of unhashed input data */
} NTRU_CRYPTO_SHA2_CTX;
/*************************
* function declarations *
*************************/
/* ntru_crypto_sha2()
*
* This routine provides all operations for a SHA-256 hash,
* and the use of SHA-256 for DSA signing and key generation.
* It may be used to initialize, update, or complete a message digest,
* or any combination of those actions, as determined by the SHA_INIT flag,
* the in_len parameter, and the SHA_FINISH flag, respectively.
*
* When in_len == 0 (no data to hash), the parameter, in, may be NULL.
* When the SHA_FINISH flag is not set, the parameter, md, may be NULL.
*
* Initialization may be standard or use a specified initialization vector,
* and is indicated by setting the SHA_INIT flag.
* Setting init = NULL specifies standard initialization. Otherwise, init
* points to the array of eight alternate initialization 32-bit words.
*
* The hash operation can be updated with any number of input bytes, including
* zero.
*
* The hash operation can be completed with normal padding or with zero
* padding as required for parts of DSA parameter generation, and is indicated
* by setting the SHA_FINISH flag. Using zero padding, indicated by setting
* the SHA_ZERO_PAD flag, never creates an extra input block because the
* bit count is not included in the hashed data.
*
* Returns SHA_OK on success.
* Returns SHA_FAIL with corrupted context.
* Returns SHA_BAD_PARAMETER if inappropriate NULL pointers are passed.
* Returns SHA_OVERFLOW if more than 2^64 - 1 bytes are hashed.
*/
extern uint32_t
ntru_crypto_sha2(
NTRU_CRYPTO_HASH_ALGID algid, /* in - hash algorithm ID */
NTRU_CRYPTO_SHA2_CTX *c, /* in/out - pointer to SHA-2 context */
uint32_t const *init, /* in - pointer to alternate */
/* initialization - may be NULL */
uint8_t const *in, /* in - pointer to input data -
may be NULL if in_len == 0 */
uint32_t in_len, /* in - number of input data bytes */
uint32_t flags, /* in - INIT, FINISH, zero-pad flags */
uint8_t *md); /* out - address for message digest -
may be NULL if not FINISH */
#endif /* NTRU_CRYPTO_SHA2_H */

140
src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_sha256.c
View File

@ -1,140 +0,0 @@
/******************************************************************************
* NTRU Cryptography Reference Source Code
* Copyright (c) 2009-2013, by Security Innovation, Inc. All rights reserved.
*
* ntru_crypto_sha256.c is a component of ntru-crypto.
*
* Copyright (C) 2009-2013 Security Innovation
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2
* of the License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*
*****************************************************************************/
/******************************************************************************
*
* File: ntru_crypto_sha256.c
*
* Contents: Routines implementing the SHA-256 hash calculations.
*
*****************************************************************************/
#include <stdlib.h>
#include "ntru_crypto_sha256.h"
/* ntru_crypto_sha256_init
*
* This routine performs standard initialization of the SHA-256 state.
*
* Returns SHA_OK on success.
* Returns SHA_FAIL with corrupted context.
* Returns SHA_BAD_PARAMETER if inappropriate NULL pointers are passed.
*/
uint32_t
ntru_crypto_sha256_init(
NTRU_CRYPTO_SHA2_CTX *c) /* in/out - pointer to SHA-2 context */
{
return ntru_crypto_sha2(NTRU_CRYPTO_HASH_ALGID_SHA256, c, NULL, NULL, 0,
SHA_INIT, NULL);
}
/* ntru_crypto_sha256_update
*
* This routine processes input data and updates the SHA-256 hash calculation.
*
* Returns SHA_OK on success.
* Returns SHA_FAIL with corrupted context.
* Returns SHA_BAD_PARAMETER if inappropriate NULL pointers are passed.
* Returns SHA_OVERFLOW if more than 2^64 - 1 bytes are hashed.
*/
uint32_t
ntru_crypto_sha256_update(
NTRU_CRYPTO_SHA2_CTX *c, /* in/out - pointer to SHA-2 context */
uint8_t const *data, /* in - pointer to input data */
uint32_t data_len) /* in - no. of bytes of input data */
{
return ntru_crypto_sha2(NTRU_CRYPTO_HASH_ALGID_SHA256, c, NULL, data,
data_len, SHA_DATA_ONLY, NULL);
}
/* ntru_crypto_sha256_final
*
* This routine completes the SHA-256 hash calculation and returns the
* message digest.
*
* Returns SHA_OK on success.
* Returns SHA_FAIL with corrupted context.
* Returns SHA_BAD_PARAMETER if inappropriate NULL pointers are passed.
* Returns SHA_OVERFLOW if more than 2^64 - 1 bytes are hashed.
*/
uint32_t
ntru_crypto_sha256_final(
NTRU_CRYPTO_SHA2_CTX *c, /* in/out - pointer to SHA-2 context */
uint8_t *md) /* out - address for message digest */
{
return ntru_crypto_sha2(NTRU_CRYPTO_HASH_ALGID_SHA256, c, NULL, NULL, 0,
SHA_FINISH, md);
}
/* ntru_crypto_sha256_final_zero_pad
*
* This routine completes the SHA-256 hash calculation using zero padding
* and returns the message digest.
*
* Returns SHA_OK on success.
* Returns SHA_FAIL with corrupted context.
* Returns SHA_BAD_PARAMETER if inappropriate NULL pointers are passed.
* Returns SHA_OVERFLOW if more than 2^64 - 1 bytes are hashed.
*/
uint32_t
ntru_crypto_sha256_final_zero_pad(
NTRU_CRYPTO_SHA2_CTX *c, /* in/out - pointer to SHA-2 context */
uint8_t *md) /* out - address for message digest */
{
return ntru_crypto_sha2(NTRU_CRYPTO_HASH_ALGID_SHA256, c, NULL, NULL, 0,
SHA_FINISH | SHA_ZERO_PAD, md);
}
/* ntru_crypto_sha256_digest
*
* This routine computes a SHA-256 message digest.
*
* Returns SHA_OK on success.
* Returns SHA_FAIL with corrupted context.
* Returns SHA_BAD_PARAMETER if inappropriate NULL pointers are passed.
* Returns SHA_OVERFLOW if more than 2^64 - 1 bytes are hashed.
*/
uint32_t
ntru_crypto_sha256_digest(
uint8_t const *data, // in - pointer to input data
uint32_t data_len, // in - number of bytes of input data
uint8_t *md) // out - address for message digest
{
NTRU_CRYPTO_SHA2_CTX c;
return ntru_crypto_sha2(NTRU_CRYPTO_HASH_ALGID_SHA256, &c, NULL, data,
data_len, SHA_INIT | SHA_FINISH, md);
}

149
src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_sha256.h
View File

@ -1,149 +0,0 @@
/******************************************************************************
* NTRU Cryptography Reference Source Code
* Copyright (c) 2009-2013, by Security Innovation, Inc. All rights reserved.
*
* ntru_crypto_sha256.h is a component of ntru-crypto.
*
* Copyright (C) 2009-2013 Security Innovation
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2
* of the License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*
*****************************************************************************/
/******************************************************************************
*
* File: ntru_crypto_sha256.h
*
* Contents: Definitions and declarations for the SHA-256 implementation.
*
*****************************************************************************/
#ifndef CRYPTO_SHA256_H
#define CRYPTO_SHA256_H
#include "ntru_crypto_sha2.h"
#include <library.h>
/******************************************
* macros needed for generic hash objects *
******************************************/
#define SHA_256_CTX_LEN sizeof(NTRU_CRYPTO_SHA2_CTX)
/* no. bytes in SHA-2
ctx */
#define SHA_256_BLK_LEN 64 /* 64 bytes in input
block */
#define SHA_256_MD_LEN 32 /* 32 bytes in msg
digest */
#define SHA_256_INIT_FN &ntru_crypto_sha256_init /* init function */
#define SHA_256_UPDATE_FN &ntru_crypto_sha256_update /* update function */
#define SHA_256_FINAL_FN &ntru_crypto_sha256_final /* final function */
#define SHA_256_FINAL_ZERO_PAD_FN \
&ntru_crypto_sha256_final_zero_pad
/* final function using
zero padding */
#define SHA_256_DIGEST_FN &ntru_crypto_sha256_digest /* digest function */
/*************************
* function declarations *
*************************/
/* ntru_crypto_sha256_init
*
* This routine performs standard initialization of the SHA-256 state.
*
* Returns SHA_OK on success.
* Returns SHA_FAIL with corrupted context.
* Returns SHA_BAD_PARAMETER if inappropriate NULL pointers are passed.
*/
extern uint32_t
ntru_crypto_sha256_init(
NTRU_CRYPTO_SHA2_CTX *c); /* in/out - pointer to SHA-2 context */
/* ntru_crypto_sha256_update
*
* This routine processes input data and updates the SHA-256 hash calculation.
*
* Returns SHA_OK on success.
* Returns SHA_FAIL with corrupted context.
* Returns SHA_BAD_PARAMETER if inappropriate NULL pointers are passed.
* Returns SHA_OVERFLOW if more than 2^64 - 1 bytes are hashed.
*/
extern uint32_t
ntru_crypto_sha256_update(
NTRU_CRYPTO_SHA2_CTX *c, /* in/out - pointer to SHA-2 context */
uint8_t const *data, /* in - pointer to input data */
uint32_t data_len); /* in - no. of bytes of input data */
/* ntru_crypto_sha256_final
*
* This routine completes the SHA-256 hash calculation and returns the
* message digest.
*
* Returns SHA_OK on success.
* Returns SHA_FAIL with corrupted context.
* Returns SHA_BAD_PARAMETER if inappropriate NULL pointers are passed.
* Returns SHA_OVERFLOW if more than 2^64 - 1 bytes are hashed.
*/
extern uint32_t
ntru_crypto_sha256_final(
NTRU_CRYPTO_SHA2_CTX *c, /* in/out - pointer to SHA-2 context */
uint8_t *md); /* out - address for message digest */
/* ntru_crypto_sha256_final_zero_pad
*
* This routine completes the SHA-256 hash calculation using zero padding
* and returns the message digest.
*
* Returns SHA_OK on success.
* Returns SHA_FAIL with corrupted context.
* Returns SHA_BAD_PARAMETER if inappropriate NULL pointers are passed.
* Returns SHA_OVERFLOW if more than 2^64 - 1 bytes are hashed.
*/
extern uint32_t
ntru_crypto_sha256_final_zero_pad(
NTRU_CRYPTO_SHA2_CTX *c, /* in/out - pointer to SHA-2 context */
uint8_t *md); /* out - address for message digest */
/* ntru_crypto_sha256_digest
*
* This routine computes a SHA-256 message digest.
*
* Returns SHA_OK on success.
* Returns SHA_FAIL with corrupted context.
* Returns SHA_BAD_PARAMETER if inappropriate NULL pointers are passed.
* Returns SHA_OVERFLOW if more than 2^64 - 1 bytes are hashed.
*/
extern uint32_t
ntru_crypto_sha256_digest(
uint8_t const *data, // in - pointer to input data
uint32_t data_len, // in - number of bytes of input data
uint8_t *md); // out - address for message digest
#endif /* CRYPTO_SHA256_H */

2
src/libstrongswan/plugins/ntru/ntru_plugin.c
View File

@ -48,6 +48,8 @@ METHOD(plugin_t, get_features, int,
PLUGIN_PROVIDE(DH, NTRU_256_BIT),
PLUGIN_DEPENDS(RNG, RNG_TRUE),
PLUGIN_DEPENDS(SIGNER, AUTH_HMAC_SHA2_256_256),
PLUGIN_DEPENDS(HASHER, HASH_SHA256),
PLUGIN_SDEPEND(HASHER, HASH_SHA1)
};
*features = f;