diff --git a/cipher/poly1305.c b/cipher/poly1305.c index b5f5a19b..96db2fb4 100644 --- a/cipher/poly1305.c +++ b/cipher/poly1305.c @@ -1,846 +1,846 @@ /* poly1305.c - Poly1305 internals and generic implementation * Copyright (C) 2014,2017,2018 Jussi Kivilinna * * This file is part of Libgcrypt. * * Libgcrypt is free software; you can redistribute it and/or modify * it under the terms of the GNU Lesser general Public License as * published by the Free Software Foundation; either version 2.1 of * the License, or (at your option) any later version. * * Libgcrypt is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU Lesser General Public License for more details. * * You should have received a copy of the GNU Lesser General Public * License along with this program; if not, see . */ #include #include #include #include #include "types.h" #include "g10lib.h" #include "cipher.h" #include "bufhelp.h" #include "poly1305-internal.h" #include "mpi-internal.h" #include "longlong.h" static const char *selftest (void); #undef HAVE_ASM_POLY1305_BLOCKS #undef USE_MPI_64BIT #undef USE_MPI_32BIT -#if BYTES_PER_MPI_LIMB == 8 && defined(HAVE_TYPE_U64) +#if BYTES_PER_MPI_LIMB == 8 && defined(HAVE_U64) # define USE_MPI_64BIT 1 #elif BYTES_PER_MPI_LIMB == 4 # define USE_MPI_32BIT 1 #else # error please implement for this limb size. #endif /* USE_S390X_ASM indicates whether to enable zSeries code. */ #undef USE_S390X_ASM #if BYTES_PER_MPI_LIMB == 8 # if defined (__s390x__) && __GNUC__ >= 4 && __ARCH__ >= 9 # if defined(HAVE_GCC_INLINE_ASM_S390X) # define USE_S390X_ASM 1 # endif /* USE_S390X_ASM */ # endif #endif /* AMD64 Assembly implementations use SystemV ABI, ABI conversion and * additional stack to store XMM6-XMM15 needed on Win64. */ #undef ASM_FUNC_ABI #undef ASM_FUNC_WRAPPER_ATTR #if defined(HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS) # define ASM_FUNC_ABI __attribute__((sysv_abi)) # define ASM_FUNC_WRAPPER_ATTR __attribute__((noinline)) #else # define ASM_FUNC_ABI # define ASM_FUNC_WRAPPER_ATTR #endif #ifdef USE_S390X_ASM #define HAVE_ASM_POLY1305_BLOCKS 1 extern unsigned int _gcry_poly1305_s390x_blocks1(void *state, const byte *buf, size_t len, byte high_pad); static unsigned int poly1305_blocks (poly1305_context_t *ctx, const byte *buf, size_t len, byte high_pad) { return _gcry_poly1305_s390x_blocks1(&ctx->state, buf, len, high_pad); } #endif /* USE_S390X_ASM */ #ifdef POLY1305_USE_AVX512 extern unsigned int _gcry_poly1305_amd64_avx512_blocks(const void *msg, const u64 msg_len, void *hash, const void *key) ASM_FUNC_ABI; ASM_FUNC_WRAPPER_ATTR static unsigned int poly1305_amd64_avx512_blocks(poly1305_context_t *ctx, const byte *buf, size_t len) { POLY1305_STATE *st = &ctx->state; return _gcry_poly1305_amd64_avx512_blocks(buf, len, st->h, st->r); } #endif /* POLY1305_USE_AVX512 */ #ifdef POLY1305_USE_PPC_VEC extern unsigned int gcry_poly1305_p10le_4blocks(unsigned char *key, const byte *m, size_t len); #endif /* POLY1305_USE_PPC_VEC */ static void poly1305_init (poly1305_context_t *ctx, const byte key[POLY1305_KEYLEN]) { POLY1305_STATE *st = &ctx->state; unsigned int features = _gcry_get_hw_features (); #ifdef POLY1305_USE_AVX512 ctx->use_avx512 = (features & HWF_INTEL_AVX512) != 0; #endif #ifdef POLY1305_USE_PPC_VEC ctx->use_p10 = (features & HWF_PPC_ARCH_3_10) != 0; # ifdef ENABLE_FORCE_SOFT_HWFEATURES /* HWF_PPC_ARCH_3_10 above is used as soft HW-feature indicator for P10. * Actual implementation works with HWF_PPC_ARCH_3_00 also. */ ctx->use_p10 |= (features & HWF_PPC_ARCH_3_00) != 0; # endif #endif (void)features; ctx->leftover = 0; st->h[0] = 0; st->h[1] = 0; st->h[2] = 0; st->h[3] = 0; st->h[4] = 0; st->r[0] = buf_get_le32(key + 0) & 0x0fffffff; st->r[1] = buf_get_le32(key + 4) & 0x0ffffffc; st->r[2] = buf_get_le32(key + 8) & 0x0ffffffc; st->r[3] = buf_get_le32(key + 12) & 0x0ffffffc; st->k[0] = buf_get_le32(key + 16); st->k[1] = buf_get_le32(key + 20); st->k[2] = buf_get_le32(key + 24); st->k[3] = buf_get_le32(key + 28); } #ifdef USE_MPI_64BIT #if defined (__aarch64__) && defined(HAVE_CPU_ARCH_ARM) && __GNUC__ >= 4 /* A += B (armv8/aarch64) */ #define ADD_1305_64(A2, A1, A0, B2, B1, B0) \ __asm__ ("adds %0, %3, %0\n" \ "adcs %1, %4, %1\n" \ "adc %2, %5, %2\n" \ : "+r" (A0), "+r" (A1), "+r" (A2) \ : "r" (B0), "r" (B1), "r" (B2) \ : "cc" ) #endif /* __aarch64__ */ #if defined (__x86_64__) && defined(HAVE_CPU_ARCH_X86) && __GNUC__ >= 4 /* A += B (x86-64) */ #define ADD_1305_64(A2, A1, A0, B2, B1, B0) \ __asm__ ("addq %3, %0\n" \ "adcq %4, %1\n" \ "adcq %5, %2\n" \ : "+r" (A0), "+r" (A1), "+r" (A2) \ : "g" (B0), "g" (B1), "g" (B2) \ : "cc" ) #endif /* __x86_64__ */ #if defined (__powerpc__) && defined(HAVE_CPU_ARCH_PPC) && __GNUC__ >= 4 /* A += B (ppc64) */ #define ADD_1305_64(A2, A1, A0, B2, B1, B0) \ __asm__ ("addc %0, %3, %0\n" \ "adde %1, %4, %1\n" \ "adde %2, %5, %2\n" \ : "+r" (A0), "+r" (A1), "+r" (A2) \ : "r" (B0), "r" (B1), "r" (B2) \ : "cc" ) #endif /* __powerpc__ */ #ifndef ADD_1305_64 /* A += B (generic, mpi) */ # define ADD_1305_64(A2, A1, A0, B2, B1, B0) do { \ u64 carry; \ add_ssaaaa(carry, A0, 0, A0, 0, B0); \ add_ssaaaa(A2, A1, A2, A1, B2, B1); \ add_ssaaaa(A2, A1, A2, A1, 0, carry); \ } while (0) #endif /* H = H * R mod 2¹³⁰-5 */ #define MUL_MOD_1305_64(H2, H1, H0, R1, R0, R1_MULT5) do { \ u64 x0_lo, x0_hi, x1_lo, x1_hi; \ u64 t0_lo, t0_hi, t1_lo, t1_hi; \ \ /* x = a * r (partial mod 2^130-5) */ \ umul_ppmm(x0_hi, x0_lo, H0, R0); /* h0 * r0 */ \ umul_ppmm(x1_hi, x1_lo, H0, R1); /* h0 * r1 */ \ \ umul_ppmm(t0_hi, t0_lo, H1, R1_MULT5); /* h1 * r1 mod 2^130-5 */ \ add_ssaaaa(x0_hi, x0_lo, x0_hi, x0_lo, t0_hi, t0_lo); \ umul_ppmm(t1_hi, t1_lo, H1, R0); /* h1 * r0 */ \ add_ssaaaa(x1_hi, x1_lo, x1_hi, x1_lo, t1_hi, t1_lo); \ \ t1_lo = H2 * R1_MULT5; /* h2 * r1 mod 2^130-5 */ \ t1_hi = H2 * R0; /* h2 * r0 */ \ add_ssaaaa(H0, H1, x1_hi, x1_lo, t1_hi, t1_lo); \ \ /* carry propagation */ \ H2 = H0 & 3; \ H0 = (H0 >> 2) * 5; /* msb mod 2^130-5 */ \ ADD_1305_64(H2, H1, H0, (u64)0, x0_hi, x0_lo); \ } while (0) #ifndef HAVE_ASM_POLY1305_BLOCKS static unsigned int poly1305_blocks_generic (poly1305_context_t *ctx, const byte *buf, size_t len, byte high_pad) { POLY1305_STATE *st = &ctx->state; u64 r0, r1, r1_mult5; u64 h0, h1, h2; u64 m0, m1, m2; m2 = high_pad; h0 = st->h[0] + ((u64)st->h[1] << 32); h1 = st->h[2] + ((u64)st->h[3] << 32); h2 = st->h[4]; r0 = st->r[0] + ((u64)st->r[1] << 32); r1 = st->r[2] + ((u64)st->r[3] << 32); r1_mult5 = (r1 >> 2) + r1; m0 = buf_get_le64(buf + 0); m1 = buf_get_le64(buf + 8); buf += POLY1305_BLOCKSIZE; len -= POLY1305_BLOCKSIZE; while (len >= POLY1305_BLOCKSIZE) { /* a = h + m */ ADD_1305_64(h2, h1, h0, m2, m1, m0); m0 = buf_get_le64(buf + 0); m1 = buf_get_le64(buf + 8); /* h = a * r (partial mod 2^130-5) */ MUL_MOD_1305_64(h2, h1, h0, r1, r0, r1_mult5); buf += POLY1305_BLOCKSIZE; len -= POLY1305_BLOCKSIZE; } /* a = h + m */ ADD_1305_64(h2, h1, h0, m2, m1, m0); /* h = a * r (partial mod 2^130-5) */ MUL_MOD_1305_64(h2, h1, h0, r1, r0, r1_mult5); st->h[0] = h0; st->h[1] = h0 >> 32; st->h[2] = h1; st->h[3] = h1 >> 32; st->h[4] = h2; return 6 * sizeof (void *) + 18 * sizeof (u64); } static unsigned int poly1305_blocks (poly1305_context_t *ctx, const byte *buf, size_t len, byte high_pad) { #ifdef POLY1305_USE_AVX512 if ((high_pad & ctx->use_avx512) != 0) return poly1305_amd64_avx512_blocks(ctx, buf, len); #endif return poly1305_blocks_generic(ctx, buf, len, high_pad); } #endif /* !HAVE_ASM_POLY1305_BLOCKS */ static unsigned int poly1305_final (poly1305_context_t *ctx, byte mac[POLY1305_TAGLEN]) { POLY1305_STATE *st = &ctx->state; unsigned int burn = 0; u64 u, carry; u64 k0, k1; u64 h0, h1; u64 h2; /* process the remaining block */ if (ctx->leftover) { ctx->buffer[ctx->leftover++] = 1; if (ctx->leftover < POLY1305_BLOCKSIZE) { memset (&ctx->buffer[ctx->leftover], 0, POLY1305_BLOCKSIZE - ctx->leftover); ctx->leftover = POLY1305_BLOCKSIZE; } burn = poly1305_blocks (ctx, ctx->buffer, POLY1305_BLOCKSIZE, 0); } h0 = st->h[0] + ((u64)st->h[1] << 32); h1 = st->h[2] + ((u64)st->h[3] << 32); h2 = st->h[4]; k0 = st->k[0] + ((u64)st->k[1] << 32); k1 = st->k[2] + ((u64)st->k[3] << 32); /* check if h is more than 2^130-5, by adding 5. */ add_ssaaaa(carry, u, 0, h0, 0, 5); add_ssaaaa(carry, u, 0, carry, 0, h1); u = (carry + h2) >> 2; /* u == 0 or 1 */ /* minus 2^130-5 ... (+5) */ u = (-u) & 5; add_ssaaaa(h1, h0, h1, h0, 0, u); /* add high part of key + h */ add_ssaaaa(h1, h0, h1, h0, k1, k0); buf_put_le64(mac + 0, h0); buf_put_le64(mac + 8, h1); /* burn_stack */ return 4 * sizeof (void *) + 7 * sizeof (u64) + burn; } #endif /* USE_MPI_64BIT */ #ifdef USE_MPI_32BIT #ifdef HAVE_COMPATIBLE_GCC_ARM_PLATFORM_AS /* HI:LO += A * B (arm) */ #define UMUL_ADD_32(HI, LO, A, B) \ __asm__ ("umlal %1, %0, %4, %5" \ : "=r" (HI), "=r" (LO) \ : "0" (HI), "1" (LO), "r" (A), "r" (B) ) /* A += B (arm) */ #ifdef __GCC_ASM_FLAG_OUTPUTS__ # define ADD_1305_32(A4, A3, A2, A1, A0, B4, B3, B2, B1, B0) do { \ u32 __carry; \ __asm__ ("adds %0, %0, %5\n" \ "adcs %1, %1, %6\n" \ "adcs %2, %2, %7\n" \ "adcs %3, %3, %8\n" \ : "+r" (A0), "+r" (A1), "+r" (A2), "+r" (A3), \ "=@cccs" (__carry) \ : "r" (B0), "r" (B1), "r" (B2), "r" (B3) \ : ); \ (A4) += (B4) + __carry; \ } while (0) #else # define ADD_1305_32(A4, A3, A2, A1, A0, B4, B3, B2, B1, B0) do { \ u32 __carry = (B0); \ __asm__ ("adds %0, %0, %2\n" \ "adcs %1, %1, %3\n" \ "rrx %2, %2\n" /* carry to 31th bit */ \ : "+r" (A0), "+r" (A1), "+r" (__carry) \ : "r" (B1), "r" (0) \ : "cc" ); \ __asm__ ("lsls %0, %0, #1\n" /* carry from 31th bit */ \ "adcs %1, %1, %4\n" \ "adcs %2, %2, %5\n" \ "adc %3, %3, %6\n" \ : "+r" (__carry), "+r" (A2), "+r" (A3), "+r" (A4) \ : "r" (B2), "r" (B3), "r" (B4) \ : "cc" ); \ } while (0) #endif #endif /* HAVE_COMPATIBLE_GCC_ARM_PLATFORM_AS */ #if defined (__i386__) && defined(HAVE_CPU_ARCH_X86) && __GNUC__ >= 5 /* Note: ADD_1305_32 below does not compile on GCC-4.7 */ /* A += B (i386) */ #define ADD_1305_32(A4, A3, A2, A1, A0, B4, B3, B2, B1, B0) \ __asm__ ("addl %5, %0\n" \ "adcl %6, %1\n" \ "adcl %7, %2\n" \ "adcl %8, %3\n" \ "adcl %9, %4\n" \ : "+r" (A0), "+r" (A1), "+r" (A2), "+r" (A3), "+r" (A4) \ : "g" (B0), "g" (B1), "g" (B2), "g" (B3), "g" (B4) \ : "cc" ) #endif /* __i386__ */ #ifndef UMUL_ADD_32 /* HI:LO += A * B (generic, mpi) */ # define UMUL_ADD_32(HI, LO, A, B) do { \ u32 t_lo, t_hi; \ umul_ppmm(t_hi, t_lo, A, B); \ add_ssaaaa(HI, LO, HI, LO, t_hi, t_lo); \ } while (0) #endif #ifndef ADD_1305_32 /* A += B (generic, mpi) */ # define ADD_1305_32(A4, A3, A2, A1, A0, B4, B3, B2, B1, B0) do { \ u32 carry0, carry1, carry2; \ add_ssaaaa(carry0, A0, 0, A0, 0, B0); \ add_ssaaaa(carry1, A1, 0, A1, 0, B1); \ add_ssaaaa(carry1, A1, carry1, A1, 0, carry0); \ add_ssaaaa(carry2, A2, 0, A2, 0, B2); \ add_ssaaaa(carry2, A2, carry2, A2, 0, carry1); \ add_ssaaaa(A4, A3, A4, A3, B4, B3); \ add_ssaaaa(A4, A3, A4, A3, 0, carry2); \ } while (0) #endif /* H = H * R mod 2¹³⁰-5 */ #define MUL_MOD_1305_32(H4, H3, H2, H1, H0, R3, R2, R1, R0, \ R3_MULT5, R2_MULT5, R1_MULT5) do { \ u32 x0_lo, x0_hi, x1_lo, x1_hi, x2_lo, x2_hi, x3_lo, x3_hi; \ u32 t0_lo, t0_hi; \ \ /* x = a * r (partial mod 2^130-5) */ \ umul_ppmm(x0_hi, x0_lo, H0, R0); /* h0 * r0 */ \ umul_ppmm(x1_hi, x1_lo, H0, R1); /* h0 * r1 */ \ umul_ppmm(x2_hi, x2_lo, H0, R2); /* h0 * r2 */ \ umul_ppmm(x3_hi, x3_lo, H0, R3); /* h0 * r3 */ \ \ UMUL_ADD_32(x0_hi, x0_lo, H1, R3_MULT5); /* h1 * r3 mod 2^130-5 */ \ UMUL_ADD_32(x1_hi, x1_lo, H1, R0); /* h1 * r0 */ \ UMUL_ADD_32(x2_hi, x2_lo, H1, R1); /* h1 * r1 */ \ UMUL_ADD_32(x3_hi, x3_lo, H1, R2); /* h1 * r2 */ \ \ UMUL_ADD_32(x0_hi, x0_lo, H2, R2_MULT5); /* h2 * r2 mod 2^130-5 */ \ UMUL_ADD_32(x1_hi, x1_lo, H2, R3_MULT5); /* h2 * r3 mod 2^130-5 */ \ UMUL_ADD_32(x2_hi, x2_lo, H2, R0); /* h2 * r0 */ \ UMUL_ADD_32(x3_hi, x3_lo, H2, R1); /* h2 * r1 */ \ \ UMUL_ADD_32(x0_hi, x0_lo, H3, R1_MULT5); /* h3 * r1 mod 2^130-5 */ \ H1 = x0_hi; \ UMUL_ADD_32(x1_hi, x1_lo, H3, R2_MULT5); /* h3 * r2 mod 2^130-5 */ \ UMUL_ADD_32(x2_hi, x2_lo, H3, R3_MULT5); /* h3 * r3 mod 2^130-5 */ \ UMUL_ADD_32(x3_hi, x3_lo, H3, R0); /* h3 * r0 */ \ \ t0_lo = H4 * R1_MULT5; /* h4 * r1 mod 2^130-5 */ \ t0_hi = H4 * R2_MULT5; /* h4 * r2 mod 2^130-5 */ \ add_ssaaaa(H2, x1_lo, x1_hi, x1_lo, 0, t0_lo); \ add_ssaaaa(H3, x2_lo, x2_hi, x2_lo, 0, t0_hi); \ t0_lo = H4 * R3_MULT5; /* h4 * r3 mod 2^130-5 */ \ t0_hi = H4 * R0; /* h4 * r0 */ \ add_ssaaaa(H4, x3_lo, x3_hi, x3_lo, t0_hi, t0_lo); \ \ /* carry propagation */ \ H0 = (H4 >> 2) * 5; /* msb mod 2^130-5 */ \ H4 = H4 & 3; \ ADD_1305_32(H4, H3, H2, H1, H0, 0, x3_lo, x2_lo, x1_lo, x0_lo); \ } while (0) #ifndef HAVE_ASM_POLY1305_BLOCKS static unsigned int poly1305_blocks (poly1305_context_t *ctx, const byte *buf, size_t len, byte high_pad) { POLY1305_STATE *st = &ctx->state; u32 r1_mult5, r2_mult5, r3_mult5; u32 h0, h1, h2, h3, h4; u32 m0, m1, m2, m3, m4; m4 = high_pad; h0 = st->h[0]; h1 = st->h[1]; h2 = st->h[2]; h3 = st->h[3]; h4 = st->h[4]; r1_mult5 = (st->r[1] >> 2) + st->r[1]; r2_mult5 = (st->r[2] >> 2) + st->r[2]; r3_mult5 = (st->r[3] >> 2) + st->r[3]; while (len >= POLY1305_BLOCKSIZE) { m0 = buf_get_le32(buf + 0); m1 = buf_get_le32(buf + 4); m2 = buf_get_le32(buf + 8); m3 = buf_get_le32(buf + 12); /* a = h + m */ ADD_1305_32(h4, h3, h2, h1, h0, m4, m3, m2, m1, m0); /* h = a * r (partial mod 2^130-5) */ MUL_MOD_1305_32(h4, h3, h2, h1, h0, st->r[3], st->r[2], st->r[1], st->r[0], r3_mult5, r2_mult5, r1_mult5); buf += POLY1305_BLOCKSIZE; len -= POLY1305_BLOCKSIZE; } st->h[0] = h0; st->h[1] = h1; st->h[2] = h2; st->h[3] = h3; st->h[4] = h4; return 6 * sizeof (void *) + 28 * sizeof (u32); } #endif /* !HAVE_ASM_POLY1305_BLOCKS */ static unsigned int poly1305_final (poly1305_context_t *ctx, byte mac[POLY1305_TAGLEN]) { POLY1305_STATE *st = &ctx->state; unsigned int burn = 0; u32 carry, tmp0, tmp1, tmp2, u; u32 h4, h3, h2, h1, h0; /* process the remaining block */ if (ctx->leftover) { ctx->buffer[ctx->leftover++] = 1; if (ctx->leftover < POLY1305_BLOCKSIZE) { memset (&ctx->buffer[ctx->leftover], 0, POLY1305_BLOCKSIZE - ctx->leftover); ctx->leftover = POLY1305_BLOCKSIZE; } burn = poly1305_blocks (ctx, ctx->buffer, POLY1305_BLOCKSIZE, 0); } h0 = st->h[0]; h1 = st->h[1]; h2 = st->h[2]; h3 = st->h[3]; h4 = st->h[4]; /* check if h is more than 2^130-5, by adding 5. */ add_ssaaaa(carry, tmp0, 0, h0, 0, 5); add_ssaaaa(carry, tmp0, 0, carry, 0, h1); add_ssaaaa(carry, tmp0, 0, carry, 0, h2); add_ssaaaa(carry, tmp0, 0, carry, 0, h3); u = (carry + h4) >> 2; /* u == 0 or 1 */ /* minus 2^130-5 ... (+5) */ u = (-u) & 5; add_ssaaaa(carry, h0, 0, h0, 0, u); add_ssaaaa(carry, h1, 0, h1, 0, carry); add_ssaaaa(carry, h2, 0, h2, 0, carry); add_ssaaaa(carry, h3, 0, h3, 0, carry); /* add high part of key + h */ add_ssaaaa(tmp0, h0, 0, h0, 0, st->k[0]); add_ssaaaa(tmp1, h1, 0, h1, 0, st->k[1]); add_ssaaaa(tmp1, h1, tmp1, h1, 0, tmp0); add_ssaaaa(tmp2, h2, 0, h2, 0, st->k[2]); add_ssaaaa(tmp2, h2, tmp2, h2, 0, tmp1); add_ssaaaa(carry, h3, 0, h3, 0, st->k[3]); h3 += tmp2; buf_put_le32(mac + 0, h0); buf_put_le32(mac + 4, h1); buf_put_le32(mac + 8, h2); buf_put_le32(mac + 12, h3); /* burn_stack */ return 4 * sizeof (void *) + 10 * sizeof (u32) + burn; } #endif /* USE_MPI_32BIT */ unsigned int _gcry_poly1305_update_burn (poly1305_context_t *ctx, const byte *m, size_t bytes) { unsigned int burn = 0; unsigned int nburn; /* handle leftover */ if (ctx->leftover) { size_t want = (POLY1305_BLOCKSIZE - ctx->leftover); if (want > bytes) want = bytes; buf_cpy (ctx->buffer + ctx->leftover, m, want); bytes -= want; m += want; ctx->leftover += want; if (ctx->leftover < POLY1305_BLOCKSIZE) return 0; nburn = poly1305_blocks (ctx, ctx->buffer, POLY1305_BLOCKSIZE, 1); burn = nburn > burn ? nburn : burn; ctx->leftover = 0; } #ifdef POLY1305_USE_PPC_VEC /* PPC-P10/little-endian: bulk process multiples of eight blocks */ if (ctx->use_p10 && bytes >= POLY1305_BLOCKSIZE * 8) { size_t nblks = bytes / (POLY1305_BLOCKSIZE * 8); size_t len = nblks * (POLY1305_BLOCKSIZE * 8); POLY1305_STATE *st = &ctx->state; nburn = gcry_poly1305_p10le_4blocks ((unsigned char *) st, m, len); burn = nburn > burn ? nburn : burn; m += len; bytes -= len; } #endif /* POLY1305_USE_PPC_VEC */ /* process full blocks */ if (bytes >= POLY1305_BLOCKSIZE) { size_t nblks = bytes / POLY1305_BLOCKSIZE; nburn = poly1305_blocks (ctx, m, nblks * POLY1305_BLOCKSIZE, 1); burn = nburn > burn ? nburn : burn; m += nblks * POLY1305_BLOCKSIZE; bytes -= nblks * POLY1305_BLOCKSIZE; } /* store leftover */ if (bytes) { buf_cpy (ctx->buffer + ctx->leftover, m, bytes); ctx->leftover += bytes; } return burn; } void _gcry_poly1305_update (poly1305_context_t *ctx, const byte *m, size_t bytes) { unsigned int burn; burn = _gcry_poly1305_update_burn (ctx, m, bytes); if (burn) _gcry_burn_stack (burn); } void _gcry_poly1305_finish (poly1305_context_t *ctx, byte mac[POLY1305_TAGLEN]) { unsigned int burn; burn = poly1305_final (ctx, mac); _gcry_burn_stack (burn); } gcry_err_code_t _gcry_poly1305_init (poly1305_context_t * ctx, const byte * key, size_t keylen) { static int initialized; static const char *selftest_failed; if (!initialized) { initialized = 1; selftest_failed = selftest (); if (selftest_failed) log_error ("Poly1305 selftest failed (%s)\n", selftest_failed); } if (keylen != POLY1305_KEYLEN) return GPG_ERR_INV_KEYLEN; if (selftest_failed) return GPG_ERR_SELFTEST_FAILED; poly1305_init (ctx, key); return 0; } static void poly1305_auth (byte mac[POLY1305_TAGLEN], const byte * m, size_t bytes, const byte * key) { poly1305_context_t ctx; memset (&ctx, 0, sizeof (ctx)); _gcry_poly1305_init (&ctx, key, POLY1305_KEYLEN); _gcry_poly1305_update (&ctx, m, bytes); _gcry_poly1305_finish (&ctx, mac); wipememory (&ctx, sizeof (ctx)); } static const char * selftest (void) { /* example from nacl */ static const byte nacl_key[POLY1305_KEYLEN] = { 0xee, 0xa6, 0xa7, 0x25, 0x1c, 0x1e, 0x72, 0x91, 0x6d, 0x11, 0xc2, 0xcb, 0x21, 0x4d, 0x3c, 0x25, 0x25, 0x39, 0x12, 0x1d, 0x8e, 0x23, 0x4e, 0x65, 0x2d, 0x65, 0x1f, 0xa4, 0xc8, 0xcf, 0xf8, 0x80, }; static const byte nacl_msg[131] = { 0x8e, 0x99, 0x3b, 0x9f, 0x48, 0x68, 0x12, 0x73, 0xc2, 0x96, 0x50, 0xba, 0x32, 0xfc, 0x76, 0xce, 0x48, 0x33, 0x2e, 0xa7, 0x16, 0x4d, 0x96, 0xa4, 0x47, 0x6f, 0xb8, 0xc5, 0x31, 0xa1, 0x18, 0x6a, 0xc0, 0xdf, 0xc1, 0x7c, 0x98, 0xdc, 0xe8, 0x7b, 0x4d, 0xa7, 0xf0, 0x11, 0xec, 0x48, 0xc9, 0x72, 0x71, 0xd2, 0xc2, 0x0f, 0x9b, 0x92, 0x8f, 0xe2, 0x27, 0x0d, 0x6f, 0xb8, 0x63, 0xd5, 0x17, 0x38, 0xb4, 0x8e, 0xee, 0xe3, 0x14, 0xa7, 0xcc, 0x8a, 0xb9, 0x32, 0x16, 0x45, 0x48, 0xe5, 0x26, 0xae, 0x90, 0x22, 0x43, 0x68, 0x51, 0x7a, 0xcf, 0xea, 0xbd, 0x6b, 0xb3, 0x73, 0x2b, 0xc0, 0xe9, 0xda, 0x99, 0x83, 0x2b, 0x61, 0xca, 0x01, 0xb6, 0xde, 0x56, 0x24, 0x4a, 0x9e, 0x88, 0xd5, 0xf9, 0xb3, 0x79, 0x73, 0xf6, 0x22, 0xa4, 0x3d, 0x14, 0xa6, 0x59, 0x9b, 0x1f, 0x65, 0x4c, 0xb4, 0x5a, 0x74, 0xe3, 0x55, 0xa5 }; static const byte nacl_mac[16] = { 0xf3, 0xff, 0xc7, 0x70, 0x3f, 0x94, 0x00, 0xe5, 0x2a, 0x7d, 0xfb, 0x4b, 0x3d, 0x33, 0x05, 0xd9 }; /* generates a final value of (2^130 - 2) == 3 */ static const byte wrap_key[POLY1305_KEYLEN] = { 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, }; static const byte wrap_msg[16] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }; static const byte wrap_mac[16] = { 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, }; /* mac of the macs of messages of length 0 to 256, where the key and messages * have all their values set to the length */ static const byte total_key[POLY1305_KEYLEN] = { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }; static const byte total_mac[16] = { 0x64, 0xaf, 0xe2, 0xe8, 0xd6, 0xad, 0x7b, 0xbd, 0xd2, 0x87, 0xf9, 0x7c, 0x44, 0x62, 0x3d, 0x39 }; poly1305_context_t ctx; poly1305_context_t total_ctx; byte all_key[POLY1305_KEYLEN]; byte all_msg[256]; byte mac[16]; size_t i, j; memset (&ctx, 0, sizeof (ctx)); memset (&total_ctx, 0, sizeof (total_ctx)); memset (mac, 0, sizeof (mac)); poly1305_auth (mac, nacl_msg, sizeof (nacl_msg), nacl_key); if (memcmp (nacl_mac, mac, sizeof (nacl_mac)) != 0) return "Poly1305 test 1 failed."; /* SSE2/AVX have a 32 byte block size, but also support 64 byte blocks, so * make sure everything still works varying between them */ memset (mac, 0, sizeof (mac)); _gcry_poly1305_init (&ctx, nacl_key, POLY1305_KEYLEN); _gcry_poly1305_update (&ctx, nacl_msg + 0, 32); _gcry_poly1305_update (&ctx, nacl_msg + 32, 64); _gcry_poly1305_update (&ctx, nacl_msg + 96, 16); _gcry_poly1305_update (&ctx, nacl_msg + 112, 8); _gcry_poly1305_update (&ctx, nacl_msg + 120, 4); _gcry_poly1305_update (&ctx, nacl_msg + 124, 2); _gcry_poly1305_update (&ctx, nacl_msg + 126, 1); _gcry_poly1305_update (&ctx, nacl_msg + 127, 1); _gcry_poly1305_update (&ctx, nacl_msg + 128, 1); _gcry_poly1305_update (&ctx, nacl_msg + 129, 1); _gcry_poly1305_update (&ctx, nacl_msg + 130, 1); _gcry_poly1305_finish (&ctx, mac); if (memcmp (nacl_mac, mac, sizeof (nacl_mac)) != 0) return "Poly1305 test 2 failed."; memset (mac, 0, sizeof (mac)); poly1305_auth (mac, wrap_msg, sizeof (wrap_msg), wrap_key); if (memcmp (wrap_mac, mac, sizeof (nacl_mac)) != 0) return "Poly1305 test 3 failed."; _gcry_poly1305_init (&total_ctx, total_key, POLY1305_KEYLEN); for (i = 0; i < 256; i++) { /* set key and message to 'i,i,i..' */ for (j = 0; j < sizeof (all_key); j++) all_key[j] = i; for (j = 0; j < i; j++) all_msg[j] = i; poly1305_auth (mac, all_msg, i, all_key); _gcry_poly1305_update (&total_ctx, mac, 16); } _gcry_poly1305_finish (&total_ctx, mac); if (memcmp (total_mac, mac, sizeof (total_mac)) != 0) return "Poly1305 test 4 failed."; return NULL; } diff --git a/src/hmac256.c b/src/hmac256.c index 899e6d15..bfce9f8a 100644 --- a/src/hmac256.c +++ b/src/hmac256.c @@ -1,810 +1,810 @@ /* hmac256.c - Standalone HMAC implementation * Copyright (C) 2003, 2006, 2008 Free Software Foundation, Inc. * * This file is part of Libgcrypt. * * Libgcrypt is free software; you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as * published by the Free Software Foundation; either version 2.1 of * the License, or (at your option) any later version. * * Libgcrypt is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU Lesser General Public License for more details. * * You should have received a copy of the GNU Lesser General Public * License along with this program; if not, see . */ /* This is a standalone HMAC-SHA-256 implementation based on the code from ../cipher/sha256.c. It is a second implementation to allow comparing against the standard implementations and to be used for internal consistency checks. It should not be used for sensitive data because no mechanisms to clear the stack etc are used. This module may be used standalone. Types: u32 - unsigned 32 bit type. Constants: WORDS_BIGENDIAN Defined to 1 on big endian systems. inline If defined, it should yield the keyword used to inline a function. - HAVE_TYPE_U32 Defined if the u32 type is available. + HAVE_U32 Defined if the u32 type is available. SIZEOF_UNSIGNED_INT Defined to the size in bytes of an unsigned int. SIZEOF_UNSIGNED_LONG Defined to the size in bytes of an unsigned long. STANDALONE Compile a test driver similar to the sha1sum tool. This driver uses a self-test identically to the one used by Libcgrypt for testing this included module. */ #ifdef STANDALONE # ifndef KEY_FOR_BINARY_CHECK # define KEY_FOR_BINARY_CHECK "What am I, a doctor or a moonshuttle conductor?" # endif #include -#define HAVE_TYPE_U32 1 +#define HAVE_U32 1 typedef uint32_t u32; #define VERSION "standalone" /* For GCC, we can detect endianness. If not GCC, please define manually. */ #if __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__ #define WORDS_BIGENDIAN 1 #endif #else #include #endif #include #include #include #include #include #if defined(__WIN32) && defined(STANDALONE) # include /* We need setmode(). */ #endif #ifdef STANDALONE #define xtrymalloc(a) malloc((a)) #define gpg_err_set_errno(a) (errno = (a)) #define xfree(a) free((a)) #else #include "g10lib.h" #endif #include "hmac256.h" -#ifndef HAVE_TYPE_U32 +#ifndef HAVE_U32 # undef u32 /* Undef a possible macro with that name. */ # if SIZEOF_UNSIGNED_INT == 4 typedef unsigned int u32; # elif SIZEOF_UNSIGNED_LONG == 4 typedef unsigned long u32; # else # error no typedef for u32 # endif -# define HAVE_TYPE_U32 +# define HAVE_U32 #endif /* The context used by this module. */ struct hmac256_context { u32 h0, h1, h2, h3, h4, h5, h6, h7; u32 nblocks; int count; int finalized:1; int use_hmac:1; unsigned char buf[64]; unsigned char opad[64]; }; /* Rotate a 32 bit word. */ static inline u32 ror(u32 x, int n) { return ( ((x) >> (n)) | ((x) << (32-(n))) ); } #define my_wipememory2(_ptr,_set,_len) do { \ volatile char *_vptr=(volatile char *)(_ptr); \ size_t _vlen=(_len); \ while(_vlen) { *_vptr=(_set); _vptr++; _vlen--; } \ } while(0) #define my_wipememory(_ptr,_len) my_wipememory2(_ptr,0,_len) /* The SHA-256 core: Transform the message X which consists of 16 32-bit-words. See FIPS 180-2 for details. */ static void transform (hmac256_context_t hd, const void *data_arg) { const unsigned char *data = data_arg; #define Cho(x,y,z) (z ^ (x & (y ^ z))) /* (4.2) same as SHA-1's F1 */ #define Maj(x,y,z) ((x & y) | (z & (x|y))) /* (4.3) same as SHA-1's F3 */ #define Sum0(x) (ror ((x), 2) ^ ror ((x), 13) ^ ror ((x), 22)) /* (4.4) */ #define Sum1(x) (ror ((x), 6) ^ ror ((x), 11) ^ ror ((x), 25)) /* (4.5) */ #define S0(x) (ror ((x), 7) ^ ror ((x), 18) ^ ((x) >> 3)) /* (4.6) */ #define S1(x) (ror ((x), 17) ^ ror ((x), 19) ^ ((x) >> 10)) /* (4.7) */ #define R(a,b,c,d,e,f,g,h,k,w) do \ { \ t1 = (h) + Sum1((e)) + Cho((e),(f),(g)) + (k) + (w); \ t2 = Sum0((a)) + Maj((a),(b),(c)); \ h = g; \ g = f; \ f = e; \ e = d + t1; \ d = c; \ c = b; \ b = a; \ a = t1 + t2; \ } while (0) static const u32 K[64] = { 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5, 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174, 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da, 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967, 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85, 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070, 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3, 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2 }; u32 a, b, c, d, e, f, g, h, t1, t2; u32 x[16]; u32 w[64]; int i; a = hd->h0; b = hd->h1; c = hd->h2; d = hd->h3; e = hd->h4; f = hd->h5; g = hd->h6; h = hd->h7; #ifdef WORDS_BIGENDIAN memcpy (x, data, 64); #else /*!WORDS_BIGENDIAN*/ { unsigned char *p2; for (i=0, p2=(unsigned char*)x; i < 16; i++, p2 += 4 ) { p2[3] = *data++; p2[2] = *data++; p2[1] = *data++; p2[0] = *data++; } } #endif /*!WORDS_BIGENDIAN*/ for (i=0; i < 16; i++) w[i] = x[i]; for (; i < 64; i++) w[i] = S1(w[i-2]) + w[i-7] + S0(w[i-15]) + w[i-16]; for (i=0; i < 64; i++) R(a,b,c,d,e,f,g,h,K[i],w[i]); hd->h0 += a; hd->h1 += b; hd->h2 += c; hd->h3 += d; hd->h4 += e; hd->h5 += f; hd->h6 += g; hd->h7 += h; } #undef Cho #undef Maj #undef Sum0 #undef Sum1 #undef S0 #undef S1 #undef R /* Finalize the current SHA256 calculation. */ static void finalize (hmac256_context_t hd) { u32 t, msb, lsb; unsigned char *p; if (hd->finalized) return; /* Silently ignore a finalized context. */ _gcry_hmac256_update (hd, NULL, 0); /* Flush. */ t = hd->nblocks; /* Multiply by 64 to make a byte count. */ lsb = t << 6; msb = t >> 26; /* Add the count. */ t = lsb; if ((lsb += hd->count) < t) msb++; /* Multiply by 8 to make a bit count. */ t = lsb; lsb <<= 3; msb <<= 3; msb |= t >> 29; if (hd->count < 56) { /* Enough room. */ hd->buf[hd->count++] = 0x80; /* pad */ while (hd->count < 56) hd->buf[hd->count++] = 0; /* pad */ } else { /* Need one extra block. */ hd->buf[hd->count++] = 0x80; /* pad character */ while (hd->count < 64) hd->buf[hd->count++] = 0; _gcry_hmac256_update (hd, NULL, 0); /* Flush. */; memset (hd->buf, 0, 56 ); /* Zero out next next block. */ } /* Append the 64 bit count. */ hd->buf[56] = msb >> 24; hd->buf[57] = msb >> 16; hd->buf[58] = msb >> 8; hd->buf[59] = msb; hd->buf[60] = lsb >> 24; hd->buf[61] = lsb >> 16; hd->buf[62] = lsb >> 8; hd->buf[63] = lsb; transform (hd, hd->buf); /* Store the digest into hd->buf. */ p = hd->buf; #define X(a) do { *p++ = hd->h##a >> 24; *p++ = hd->h##a >> 16; \ *p++ = hd->h##a >> 8; *p++ = hd->h##a; } while(0) X(0); X(1); X(2); X(3); X(4); X(5); X(6); X(7); #undef X hd->finalized = 1; } /* Create a new context. On error NULL is returned and errno is set appropriately. If KEY is given the function computes HMAC using this key; with KEY given as NULL, a plain SHA-256 digest is computed. */ hmac256_context_t _gcry_hmac256_new (const void *key, size_t keylen) { hmac256_context_t hd; hd = xtrymalloc (sizeof *hd); if (!hd) return NULL; hd->h0 = 0x6a09e667; hd->h1 = 0xbb67ae85; hd->h2 = 0x3c6ef372; hd->h3 = 0xa54ff53a; hd->h4 = 0x510e527f; hd->h5 = 0x9b05688c; hd->h6 = 0x1f83d9ab; hd->h7 = 0x5be0cd19; hd->nblocks = 0; hd->count = 0; hd->finalized = 0; hd->use_hmac = 0; if (key) { int i; unsigned char ipad[64]; memset (ipad, 0, 64); memset (hd->opad, 0, 64); if (keylen <= 64) { memcpy (ipad, key, keylen); memcpy (hd->opad, key, keylen); } else { hmac256_context_t tmphd; tmphd = _gcry_hmac256_new (NULL, 0); if (!tmphd) { xfree (hd); return NULL; } _gcry_hmac256_update (tmphd, key, keylen); finalize (tmphd); memcpy (ipad, tmphd->buf, 32); memcpy (hd->opad, tmphd->buf, 32); _gcry_hmac256_release (tmphd); } for (i=0; i < 64; i++) { ipad[i] ^= 0x36; hd->opad[i] ^= 0x5c; } hd->use_hmac = 1; _gcry_hmac256_update (hd, ipad, 64); my_wipememory (ipad, 64); } return hd; } /* Release a context created by _gcry_hmac256_new. CTX may be NULL in which case the function does nothing. */ void _gcry_hmac256_release (hmac256_context_t ctx) { if (ctx) { /* Note: We need to take care not to modify errno. */ if (ctx->use_hmac) my_wipememory (ctx->opad, 64); xfree (ctx); } } /* Update the message digest with the contents of BUFFER containing LENGTH bytes. */ void _gcry_hmac256_update (hmac256_context_t hd, const void *buffer, size_t length) { const unsigned char *inbuf = buffer; if (hd->finalized) return; /* Silently ignore a finalized context. */ if (hd->count == 64) { /* Flush the buffer. */ transform (hd, hd->buf); hd->count = 0; hd->nblocks++; } if (!inbuf) return; /* Only flushing was requested. */ if (hd->count) { for (; length && hd->count < 64; length--) hd->buf[hd->count++] = *inbuf++; _gcry_hmac256_update (hd, NULL, 0); /* Flush. */ if (!length) return; } while (length >= 64) { transform (hd, inbuf); hd->count = 0; hd->nblocks++; length -= 64; inbuf += 64; } for (; length && hd->count < 64; length--) hd->buf[hd->count++] = *inbuf++; } /* Finalize an operation and return the digest. If R_DLEN is not NULL the length of the digest will be stored at that address. The returned value is valid as long as the context exists. On error NULL is returned. */ const void * _gcry_hmac256_finalize (hmac256_context_t hd, size_t *r_dlen) { finalize (hd); if (hd->use_hmac) { hmac256_context_t tmphd; tmphd = _gcry_hmac256_new (NULL, 0); if (!tmphd) return NULL; _gcry_hmac256_update (tmphd, hd->opad, 64); _gcry_hmac256_update (tmphd, hd->buf, 32); finalize (tmphd); memcpy (hd->buf, tmphd->buf, 32); _gcry_hmac256_release (tmphd); } if (r_dlen) *r_dlen = 32; return (void*)hd->buf; } /* Convenience function to compute the HMAC-SHA256 of one file. The user needs to provide a buffer RESULT of at least 32 bytes, he needs to put the size of the buffer into RESULTSIZE and the FILENAME. KEY and KEYLEN are as described for _gcry_hmac256_new. On success the function returns the valid length of the result buffer (which will be 32) or -1 on error. On error ERRNO is set appropriate. */ int _gcry_hmac256_file (void *result, size_t resultsize, const char *filename, const void *key, size_t keylen) { FILE *fp; hmac256_context_t hd; size_t buffer_size, nread, digestlen; char *buffer; const unsigned char *digest; fp = fopen (filename, "rb"); if (!fp) return -1; hd = _gcry_hmac256_new (key, keylen); if (!hd) { fclose (fp); return -1; } buffer_size = 32768; buffer = xtrymalloc (buffer_size); if (!buffer) { fclose (fp); _gcry_hmac256_release (hd); return -1; } while ( (nread = fread (buffer, 1, buffer_size, fp))) _gcry_hmac256_update (hd, buffer, nread); xfree (buffer); if (ferror (fp)) { fclose (fp); _gcry_hmac256_release (hd); return -1; } fclose (fp); digest = _gcry_hmac256_finalize (hd, &digestlen); if (!digest) { _gcry_hmac256_release (hd); return -1; } if (digestlen > resultsize) { _gcry_hmac256_release (hd); gpg_err_set_errno (EINVAL); return -1; } memcpy (result, digest, digestlen); _gcry_hmac256_release (hd); return digestlen; } #ifdef STANDALONE static int selftest (void) { static struct { const char * const desc; const char * const data; const char * const key; const unsigned char expect[32]; } tv[] = { { "data-28 key-4", "what do ya want for nothing?", "Jefe", { 0x5b, 0xdc, 0xc1, 0x46, 0xbf, 0x60, 0x75, 0x4e, 0x6a, 0x04, 0x24, 0x26, 0x08, 0x95, 0x75, 0xc7, 0x5a, 0x00, 0x3f, 0x08, 0x9d, 0x27, 0x39, 0x83, 0x9d, 0xec, 0x58, 0xb9, 0x64, 0xec, 0x38, 0x43 } }, { "data-9 key-20", "Hi There", "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" "\x0b\x0b\x0b\x0b", { 0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53, 0x5c, 0xa8, 0xaf, 0xce, 0xaf, 0x0b, 0xf1, 0x2b, 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, 0x3d, 0xa7, 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7 } }, { "data-50 key-20", "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd" "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd" "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd" "\xdd\xdd", "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa", { 0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8, 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8, 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe } }, { "data-50 key-26", "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd" "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd" "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd" "\xcd\xcd", "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10" "\x11\x12\x13\x14\x15\x16\x17\x18\x19", { 0x82, 0x55, 0x8a, 0x38, 0x9a, 0x44, 0x3c, 0x0e, 0xa4, 0xcc, 0x81, 0x98, 0x99, 0xf2, 0x08, 0x3a, 0x85, 0xf0, 0xfa, 0xa3, 0xe5, 0x78, 0xf8, 0x07, 0x7a, 0x2e, 0x3f, 0xf4, 0x67, 0x29, 0x66, 0x5b } }, { "data-54 key-131", "Test Using Larger Than Block-Size Key - Hash Key First", "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa", { 0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f, 0x0d, 0x8a, 0x26, 0xaa, 0xcb, 0xf5, 0xb7, 0x7f, 0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28, 0xc5, 0x14, 0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54 } }, { "data-152 key-131", "This is a test using a larger than block-size key and a larger " "than block-size data. The key needs to be hashed before being " "used by the HMAC algorithm.", "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa", { 0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb, 0x27, 0x63, 0x5f, 0xbc, 0xd5, 0xb0, 0xe9, 0x44, 0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07, 0x13, 0x93, 0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2 } }, { NULL } }; int tvidx; for (tvidx=0; tv[tvidx].desc; tvidx++) { hmac256_context_t hmachd; const unsigned char *digest; size_t dlen; hmachd = _gcry_hmac256_new (tv[tvidx].key, strlen (tv[tvidx].key)); if (!hmachd) return -1; _gcry_hmac256_update (hmachd, tv[tvidx].data, strlen (tv[tvidx].data)); digest = _gcry_hmac256_finalize (hmachd, &dlen); if (!digest) { _gcry_hmac256_release (hmachd); return -1; } if (dlen != sizeof (tv[tvidx].expect) || memcmp (digest, tv[tvidx].expect, sizeof (tv[tvidx].expect))) { _gcry_hmac256_release (hmachd); return -1; } _gcry_hmac256_release (hmachd); } return 0; /* Succeeded. */ } int main (int argc, char **argv) { const char *pgm; int last_argc = -1; const char *key; size_t keylen; FILE *fp; hmac256_context_t hd; const unsigned char *digest; char buffer[4096]; size_t n, dlen, idx; int use_stdin = 0; int use_binary = 0; int use_stdkey = 0; assert (sizeof (u32) == 4); #ifdef __WIN32 setmode (fileno (stdin), O_BINARY); #endif if (argc) { pgm = strrchr (*argv, '/'); if (pgm) pgm++; else pgm = *argv; argc--; argv++; } else pgm = "?"; while (argc && last_argc != argc ) { last_argc = argc; if (!strcmp (*argv, "--")) { argc--; argv++; break; } else if (!strcmp (*argv, "--version")) { fputs ("hmac256 (Libgcrypt) " VERSION "\n" "Copyright (C) 2008 Free Software Foundation, Inc.\n" "License LGPLv2.1+: GNU LGPL version 2.1 or later " "\n" "This is free software: you are free to change and " "redistribute it.\n" "There is NO WARRANTY, to the extent permitted by law.\n", stdout); exit (0); } else if (!strcmp (*argv, "--binary")) { argc--; argv++; use_binary = 1; } else if (!strcmp (*argv, "--stdkey")) { argc--; argv++; use_stdkey = 1; } } if (argc < 1 && !use_stdkey) { fprintf (stderr, "usage: %s [--binary] [--stdkey|key] [filename]\n", pgm); exit (1); } #ifdef __WIN32 if (use_binary) setmode (fileno (stdout), O_BINARY); #endif if (use_stdkey) key = KEY_FOR_BINARY_CHECK; else { key = *argv; argc--, argv++; } keylen = strlen (key); use_stdin = !argc; if (selftest ()) { fprintf (stderr, "%s: fatal error: self-test failed\n", pgm); exit (2); } for (; argc || use_stdin; argv++, argc--) { const char *fname = use_stdin? "-" : *argv; fp = use_stdin? stdin : fopen (fname, "rb"); if (!fp) { fprintf (stderr, "%s: can't open `%s': %s\n", pgm, fname, strerror (errno)); exit (1); } hd = _gcry_hmac256_new (key, keylen); if (!hd) { fprintf (stderr, "%s: can't allocate context: %s\n", pgm, strerror (errno)); exit (1); } while ( (n = fread (buffer, 1, sizeof buffer, fp))) _gcry_hmac256_update (hd, buffer, n); if (ferror (fp)) { fprintf (stderr, "%s: error reading `%s': %s\n", pgm, fname, strerror (errno)); exit (1); } if (!use_stdin) fclose (fp); digest = _gcry_hmac256_finalize (hd, &dlen); if (!digest) { fprintf (stderr, "%s: error computing HMAC: %s\n", pgm, strerror (errno)); exit (1); } if (use_binary) { if (fwrite (digest, dlen, 1, stdout) != 1) { fprintf (stderr, "%s: error writing output: %s\n", pgm, strerror (errno)); exit (1); } _gcry_hmac256_release (hd); if (use_stdin) break; } else { for (idx=0; idx < dlen; idx++) printf ("%02x", digest[idx]); _gcry_hmac256_release (hd); if (use_stdin) { putchar ('\n'); break; } printf (" %s\n", fname); } } return 0; } #endif /*STANDALONE*/ /* Local Variables: compile-command: "cc -Wall -g -I.. -DSTANDALONE -o hmac256 hmac256.c" End: */ diff --git a/src/types.h b/src/types.h index b4f28bc4..8b69dce9 100644 --- a/src/types.h +++ b/src/types.h @@ -1,136 +1,136 @@ /* types.h - some common typedefs * Copyright (C) 1998, 2000, 2002, 2003 Free Software Foundation, Inc. * * This file is part of Libgcrypt. * * Libgcrypt is free software; you can redistribute it and/or modify * it under the terms of the GNU Lesser general Public License as * published by the Free Software Foundation; either version 2.1 of * the License, or (at your option) any later version. * * Libgcrypt is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU Lesser General Public License for more details. * * You should have received a copy of the GNU Lesser General Public * License along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA */ #ifndef GCRYPT_TYPES_H #define GCRYPT_TYPES_H #ifndef _GCRYPT_CONFIG_H_INCLUDED # error config.h must be included before types.h #endif /* The AC_CHECK_SIZEOF() in configure fails for some machines. * we provide some fallback values here */ #if !SIZEOF_UNSIGNED_SHORT # undef SIZEOF_UNSIGNED_SHORT # define SIZEOF_UNSIGNED_SHORT 2 #endif #if !SIZEOF_UNSIGNED_INT # undef SIZEOF_UNSIGNED_INT # define SIZEOF_UNSIGNED_INT 4 #endif #if !SIZEOF_UNSIGNED_LONG # undef SIZEOF_UNSIGNED_LONG # define SIZEOF_UNSIGNED_LONG 4 #endif #include /* Provide uintptr_t */ #ifdef HAVE_STDINT_H # include /* uintptr_t */ #elif defined(HAVE_INTTYPES_H) # include #else /* In this case, uintptr_t is provided by config.h. */ #endif -#ifndef HAVE_TYPE_BYTE +#ifndef HAVE_BYTE # undef byte /* In case there is a macro with that name. */ # if !(defined(_WIN32) && defined(cbNDRContext)) /* Windows typedefs byte in the rpc headers. Avoid warning about double definition. */ typedef unsigned char byte; # endif -# define HAVE_TYPE_BYTE +# define HAVE_BYTE #endif -#ifndef HAVE_TYPE_USHORT +#ifndef HAVE_USHORT # undef ushort /* In case there is a macro with that name. */ typedef unsigned short ushort; -# define HAVE_TYPE_USHORT +# define HAVE_USHORT #endif -#ifndef HAVE_TYPE_U16 +#ifndef HAVE_U16 # undef u16 /* In case there is a macro with that name. */ # if SIZEOF_UNSIGNED_INT == 2 typedef unsigned int u16; # elif SIZEOF_UNSIGNED_SHORT == 2 typedef unsigned short u16; # else # error no typedef for u16 # endif -# define HAVE_TYPE_U16 +# define HAVE_U16 #endif -#ifndef HAVE_TYPE_U32 +#ifndef HAVE_U32 # undef u32 /* In case there is a macro with that name. */ # if SIZEOF_UNSIGNED_INT == 4 typedef unsigned int u32; # elif SIZEOF_UNSIGNED_LONG == 4 typedef unsigned long u32; # else # error no typedef for u32 # endif -# define HAVE_TYPE_U32 +# define HAVE_U32 #endif /* * Warning: Some systems segfault when this u64 typedef and * the dummy code in cipher/md.c is not available. Examples are * Solaris and IRIX. */ -#ifndef HAVE_TYPE_U64 +#ifndef HAVE_U64 # undef u64 /* In case there is a macro with that name. */ # if SIZEOF_UINT64_T == 8 typedef uint64_t u64; # define U64_C(c) (UINT64_C(c)) -# define HAVE_TYPE_U64 +# define HAVE_U64 # elif SIZEOF_UNSIGNED_INT == 8 typedef unsigned int u64; # define U64_C(c) (c ## U) -# define HAVE_TYPE_U64 +# define HAVE_U64 # elif SIZEOF_UNSIGNED_LONG == 8 typedef unsigned long u64; # define U64_C(c) (c ## UL) -# define HAVE_TYPE_U64 +# define HAVE_U64 # elif SIZEOF_UNSIGNED_LONG_LONG == 8 typedef unsigned long long u64; # define U64_C(c) (c ## ULL) -# define HAVE_TYPE_U64 +# define HAVE_U64 # else # error No way to declare a 64 bit integer type # endif #endif typedef union { int a; short b; char c[1]; long d; u64 e; float f; double g; } PROPERLY_ALIGNED_TYPE; #endif /*GCRYPT_TYPES_H*/