1 /* $OpenBSD: xmss_hash.c,v 1.2 2018/02/26 03:56:44 dtucker Exp $ */ 2 /* 3 hash.c version 20160722 4 Andreas Hülsing 5 Joost Rijneveld 6 Public domain. 7 */ 8 9 #include "includes.h" 10 #ifdef WITH_XMSS 11 12 #include "xmss_hash_address.h" 13 #include "xmss_commons.h" 14 #include "xmss_hash.h" 15 16 #include <stddef.h> 17 #ifdef HAVE_STDINT_H 18 # include <stdint.h> 19 #endif 20 #include <stdio.h> 21 #include <string.h> 22 #include <openssl/sha.h> 23 #include <openssl/hmac.h> 24 #include <openssl/evp.h> 25 26 int core_hash_SHA2(unsigned char *, const unsigned int, const unsigned char *, 27 unsigned int, const unsigned char *, unsigned long long, unsigned int); 28 29 unsigned char* addr_to_byte(unsigned char *bytes, const uint32_t addr[8]){ 30 #if IS_LITTLE_ENDIAN==1 31 int i = 0; 32 for(i=0;i<8;i++) 33 to_byte(bytes+i*4, addr[i],4); 34 return bytes; 35 #else 36 memcpy(bytes, addr, 32); 37 return bytes; 38 #endif 39 } 40 41 int core_hash_SHA2(unsigned char *out, const unsigned int type, const unsigned char *key, unsigned int keylen, const unsigned char *in, unsigned long long inlen, unsigned int n){ 42 unsigned long long i = 0; 43 unsigned char buf[inlen + n + keylen]; 44 45 // Input is (toByte(X, 32) || KEY || M) 46 47 // set toByte 48 to_byte(buf, type, n); 49 50 for (i=0; i < keylen; i++) { 51 buf[i+n] = key[i]; 52 } 53 54 for (i=0; i < inlen; i++) { 55 buf[keylen + n + i] = in[i]; 56 } 57 58 if (n == 32) { 59 SHA256(buf, inlen + keylen + n, out); 60 return 0; 61 } 62 else { 63 if (n == 64) { 64 SHA512(buf, inlen + keylen + n, out); 65 return 0; 66 } 67 } 68 return 1; 69 } 70 71 /** 72 * Implements PRF 73 */ 74 int prf(unsigned char *out, const unsigned char *in, const unsigned char *key, unsigned int keylen) 75 { 76 return core_hash_SHA2(out, 3, key, keylen, in, 32, keylen); 77 } 78 79 /* 80 * Implemts H_msg 81 */ 82 int h_msg(unsigned char *out, const unsigned char *in, unsigned long long inlen, const unsigned char *key, const unsigned int keylen, const unsigned int n) 83 { 84 if (keylen != 3*n){ 85 // H_msg takes 3n-bit keys, but n does not match the keylength of keylen 86 return -1; 87 } 88 return core_hash_SHA2(out, 2, key, keylen, in, inlen, n); 89 } 90 91 /** 92 * We assume the left half is in in[0]...in[n-1] 93 */ 94 int hash_h(unsigned char *out, const unsigned char *in, const unsigned char *pub_seed, uint32_t addr[8], const unsigned int n) 95 { 96 97 unsigned char buf[2*n]; 98 unsigned char key[n]; 99 unsigned char bitmask[2*n]; 100 unsigned char byte_addr[32]; 101 unsigned int i; 102 103 setKeyAndMask(addr, 0); 104 addr_to_byte(byte_addr, addr); 105 prf(key, byte_addr, pub_seed, n); 106 // Use MSB order 107 setKeyAndMask(addr, 1); 108 addr_to_byte(byte_addr, addr); 109 prf(bitmask, byte_addr, pub_seed, n); 110 setKeyAndMask(addr, 2); 111 addr_to_byte(byte_addr, addr); 112 prf(bitmask+n, byte_addr, pub_seed, n); 113 for (i = 0; i < 2*n; i++) { 114 buf[i] = in[i] ^ bitmask[i]; 115 } 116 return core_hash_SHA2(out, 1, key, n, buf, 2*n, n); 117 } 118 119 int hash_f(unsigned char *out, const unsigned char *in, const unsigned char *pub_seed, uint32_t addr[8], const unsigned int n) 120 { 121 unsigned char buf[n]; 122 unsigned char key[n]; 123 unsigned char bitmask[n]; 124 unsigned char byte_addr[32]; 125 unsigned int i; 126 127 setKeyAndMask(addr, 0); 128 addr_to_byte(byte_addr, addr); 129 prf(key, byte_addr, pub_seed, n); 130 131 setKeyAndMask(addr, 1); 132 addr_to_byte(byte_addr, addr); 133 prf(bitmask, byte_addr, pub_seed, n); 134 135 for (i = 0; i < n; i++) { 136 buf[i] = in[i] ^ bitmask[i]; 137 } 138 return core_hash_SHA2(out, 0, key, n, buf, n, n); 139 } 140 #endif /* WITH_XMSS */ 141