xref: /freebsd/crypto/openssh/xmss_hash.c (revision dd41de95a84d979615a2ef11df6850622bf6184e)
1 /* $OpenBSD: xmss_hash.c,v 1.2 2018/02/26 03:56:44 dtucker Exp $ */
2 /*
3 hash.c version 20160722
4 Andreas Hülsing
5 Joost Rijneveld
6 Public domain.
7 */
8 
9 #include "includes.h"
10 #ifdef WITH_XMSS
11 
12 #include "xmss_hash_address.h"
13 #include "xmss_commons.h"
14 #include "xmss_hash.h"
15 
16 #include <stddef.h>
17 #ifdef HAVE_STDINT_H
18 #include <stdint.h>
19 #endif
20 #include <stdio.h>
21 #include <string.h>
22 #include <openssl/sha.h>
23 #include <openssl/hmac.h>
24 #include <openssl/evp.h>
25 
26 int core_hash_SHA2(unsigned char *, const unsigned int, const unsigned char *,
27     unsigned int, const unsigned char *, unsigned long long, unsigned int);
28 
29 unsigned char* addr_to_byte(unsigned char *bytes, const uint32_t addr[8]){
30 #if IS_LITTLE_ENDIAN==1
31   int i = 0;
32   for(i=0;i<8;i++)
33     to_byte(bytes+i*4, addr[i],4);
34   return bytes;
35 #else
36   memcpy(bytes, addr, 32);
37   return bytes;
38 #endif
39 }
40 
41 int core_hash_SHA2(unsigned char *out, const unsigned int type, const unsigned char *key, unsigned int keylen, const unsigned char *in, unsigned long long inlen, unsigned int n){
42   unsigned long long i = 0;
43   unsigned char buf[inlen + n + keylen];
44 
45   // Input is (toByte(X, 32) || KEY || M)
46 
47   // set toByte
48   to_byte(buf, type, n);
49 
50   for (i=0; i < keylen; i++) {
51     buf[i+n] = key[i];
52   }
53 
54   for (i=0; i < inlen; i++) {
55     buf[keylen + n + i] = in[i];
56   }
57 
58   if (n == 32) {
59     SHA256(buf, inlen + keylen + n, out);
60     return 0;
61   }
62   else {
63     if (n == 64) {
64       SHA512(buf, inlen + keylen + n, out);
65       return 0;
66     }
67   }
68   return 1;
69 }
70 
71 /**
72  * Implements PRF
73  */
74 int prf(unsigned char *out, const unsigned char *in, const unsigned char *key, unsigned int keylen)
75 {
76   return core_hash_SHA2(out, 3, key, keylen, in, 32, keylen);
77 }
78 
79 /*
80  * Implemts H_msg
81  */
82 int h_msg(unsigned char *out, const unsigned char *in, unsigned long long inlen, const unsigned char *key, const unsigned int keylen, const unsigned int n)
83 {
84   if (keylen != 3*n){
85     // H_msg takes 3n-bit keys, but n does not match the keylength of keylen
86     return -1;
87   }
88   return core_hash_SHA2(out, 2, key, keylen, in, inlen, n);
89 }
90 
91 /**
92  * We assume the left half is in in[0]...in[n-1]
93  */
94 int hash_h(unsigned char *out, const unsigned char *in, const unsigned char *pub_seed, uint32_t addr[8], const unsigned int n)
95 {
96 
97   unsigned char buf[2*n];
98   unsigned char key[n];
99   unsigned char bitmask[2*n];
100   unsigned char byte_addr[32];
101   unsigned int i;
102 
103   setKeyAndMask(addr, 0);
104   addr_to_byte(byte_addr, addr);
105   prf(key, byte_addr, pub_seed, n);
106   // Use MSB order
107   setKeyAndMask(addr, 1);
108   addr_to_byte(byte_addr, addr);
109   prf(bitmask, byte_addr, pub_seed, n);
110   setKeyAndMask(addr, 2);
111   addr_to_byte(byte_addr, addr);
112   prf(bitmask+n, byte_addr, pub_seed, n);
113   for (i = 0; i < 2*n; i++) {
114     buf[i] = in[i] ^ bitmask[i];
115   }
116   return core_hash_SHA2(out, 1, key, n, buf, 2*n, n);
117 }
118 
119 int hash_f(unsigned char *out, const unsigned char *in, const unsigned char *pub_seed, uint32_t addr[8], const unsigned int n)
120 {
121   unsigned char buf[n];
122   unsigned char key[n];
123   unsigned char bitmask[n];
124   unsigned char byte_addr[32];
125   unsigned int i;
126 
127   setKeyAndMask(addr, 0);
128   addr_to_byte(byte_addr, addr);
129   prf(key, byte_addr, pub_seed, n);
130 
131   setKeyAndMask(addr, 1);
132   addr_to_byte(byte_addr, addr);
133   prf(bitmask, byte_addr, pub_seed, n);
134 
135   for (i = 0; i < n; i++) {
136     buf[i] = in[i] ^ bitmask[i];
137   }
138   return core_hash_SHA2(out, 0, key, n, buf, n, n);
139 }
140 #endif /* WITH_XMSS */
141