xref: /optee_os/core/lib/libtomcrypt/src/hashes/rmd160.c (revision 9f34db38245c9b3a4e6e7e63eb78a75e23ab2da3) 
1 /* LibTomCrypt, modular cryptographic library -- Tom St Denis */
2 /* SPDX-License-Identifier: Unlicense */
3 #include "tomcrypt_private.h"
4 
5 /**
6    @file rmd160.c
7    RMD160 hash function
8 */
9 
10 /* Implementation of LTC_RIPEMD-160 based on the source by Antoon Bosselaers, ESAT-COSIC
11  *
12  * This source has been radically overhauled to be portable and work within
13  * the LibTomCrypt API by Tom St Denis
14  */
15 
16 #ifdef LTC_RIPEMD160
17 
18 const struct ltc_hash_descriptor rmd160_desc =
19 {
20     "rmd160",
21     9,
22     20,
23     64,
24 
25     /* OID */
26    { 1, 3, 36, 3, 2, 1,  },
27    6,
28 
29     &rmd160_init,
30     &rmd160_process,
31     &rmd160_done,
32     &rmd160_test,
33     NULL
34 };
35 
36 /* the five basic functions F(), G() and H() */
37 #define F(x, y, z)        ((x) ^ (y) ^ (z))
38 #define G(x, y, z)        (((x) & (y)) | (~(x) & (z)))
39 #define H(x, y, z)        (((x) | ~(y)) ^ (z))
40 #define I(x, y, z)        (((x) & (z)) | ((y) & ~(z)))
41 #define J(x, y, z)        ((x) ^ ((y) | ~(z)))
42 
43 /* the ten basic operations FF() through III() */
44 #define FF(a, b, c, d, e, x, s)        \
45       (a) += F((b), (c), (d)) + (x);\
46       (a) = ROLc((a), (s)) + (e);\
47       (c) = ROLc((c), 10);
48 
49 #define GG(a, b, c, d, e, x, s)        \
50       (a) += G((b), (c), (d)) + (x) + 0x5a827999UL;\
51       (a) = ROLc((a), (s)) + (e);\
52       (c) = ROLc((c), 10);
53 
54 #define HH(a, b, c, d, e, x, s)        \
55       (a) += H((b), (c), (d)) + (x) + 0x6ed9eba1UL;\
56       (a) = ROLc((a), (s)) + (e);\
57       (c) = ROLc((c), 10);
58 
59 #define II(a, b, c, d, e, x, s)        \
60       (a) += I((b), (c), (d)) + (x) + 0x8f1bbcdcUL;\
61       (a) = ROLc((a), (s)) + (e);\
62       (c) = ROLc((c), 10);
63 
64 #define JJ(a, b, c, d, e, x, s)        \
65       (a) += J((b), (c), (d)) + (x) + 0xa953fd4eUL;\
66       (a) = ROLc((a), (s)) + (e);\
67       (c) = ROLc((c), 10);
68 
69 #define FFF(a, b, c, d, e, x, s)        \
70       (a) += F((b), (c), (d)) + (x);\
71       (a) = ROLc((a), (s)) + (e);\
72       (c) = ROLc((c), 10);
73 
74 #define GGG(a, b, c, d, e, x, s)        \
75       (a) += G((b), (c), (d)) + (x) + 0x7a6d76e9UL;\
76       (a) = ROLc((a), (s)) + (e);\
77       (c) = ROLc((c), 10);
78 
79 #define HHH(a, b, c, d, e, x, s)        \
80       (a) += H((b), (c), (d)) + (x) + 0x6d703ef3UL;\
81       (a) = ROLc((a), (s)) + (e);\
82       (c) = ROLc((c), 10);
83 
84 #define III(a, b, c, d, e, x, s)        \
85       (a) += I((b), (c), (d)) + (x) + 0x5c4dd124UL;\
86       (a) = ROLc((a), (s)) + (e);\
87       (c) = ROLc((c), 10);
88 
89 #define JJJ(a, b, c, d, e, x, s)        \
90       (a) += J((b), (c), (d)) + (x) + 0x50a28be6UL;\
91       (a) = ROLc((a), (s)) + (e);\
92       (c) = ROLc((c), 10);
93 
94 
95 #ifdef LTC_CLEAN_STACK
96 static int ss_rmd160_compress(hash_state *md, const unsigned char *buf)
97 #else
98 static int  s_rmd160_compress(hash_state *md, const unsigned char *buf)
99 #endif
100 {
101    ulong32 aa,bb,cc,dd,ee,aaa,bbb,ccc,ddd,eee,X[16];
102    int i;
103 
104    /* load words X */
105    for (i = 0; i < 16; i++){
106       LOAD32L(X[i], buf + (4 * i));
107    }
108 
109    /* load state */
110    aa = aaa = md->rmd160.state[0];
111    bb = bbb = md->rmd160.state[1];
112    cc = ccc = md->rmd160.state[2];
113    dd = ddd = md->rmd160.state[3];
114    ee = eee = md->rmd160.state[4];
115 
116    /* round 1 */
117    FF(aa, bb, cc, dd, ee, X[ 0], 11);
118    FF(ee, aa, bb, cc, dd, X[ 1], 14);
119    FF(dd, ee, aa, bb, cc, X[ 2], 15);
120    FF(cc, dd, ee, aa, bb, X[ 3], 12);
121    FF(bb, cc, dd, ee, aa, X[ 4],  5);
122    FF(aa, bb, cc, dd, ee, X[ 5],  8);
123    FF(ee, aa, bb, cc, dd, X[ 6],  7);
124    FF(dd, ee, aa, bb, cc, X[ 7],  9);
125    FF(cc, dd, ee, aa, bb, X[ 8], 11);
126    FF(bb, cc, dd, ee, aa, X[ 9], 13);
127    FF(aa, bb, cc, dd, ee, X[10], 14);
128    FF(ee, aa, bb, cc, dd, X[11], 15);
129    FF(dd, ee, aa, bb, cc, X[12],  6);
130    FF(cc, dd, ee, aa, bb, X[13],  7);
131    FF(bb, cc, dd, ee, aa, X[14],  9);
132    FF(aa, bb, cc, dd, ee, X[15],  8);
133 
134    /* round 2 */
135    GG(ee, aa, bb, cc, dd, X[ 7],  7);
136    GG(dd, ee, aa, bb, cc, X[ 4],  6);
137    GG(cc, dd, ee, aa, bb, X[13],  8);
138    GG(bb, cc, dd, ee, aa, X[ 1], 13);
139    GG(aa, bb, cc, dd, ee, X[10], 11);
140    GG(ee, aa, bb, cc, dd, X[ 6],  9);
141    GG(dd, ee, aa, bb, cc, X[15],  7);
142    GG(cc, dd, ee, aa, bb, X[ 3], 15);
143    GG(bb, cc, dd, ee, aa, X[12],  7);
144    GG(aa, bb, cc, dd, ee, X[ 0], 12);
145    GG(ee, aa, bb, cc, dd, X[ 9], 15);
146    GG(dd, ee, aa, bb, cc, X[ 5],  9);
147    GG(cc, dd, ee, aa, bb, X[ 2], 11);
148    GG(bb, cc, dd, ee, aa, X[14],  7);
149    GG(aa, bb, cc, dd, ee, X[11], 13);
150    GG(ee, aa, bb, cc, dd, X[ 8], 12);
151 
152    /* round 3 */
153    HH(dd, ee, aa, bb, cc, X[ 3], 11);
154    HH(cc, dd, ee, aa, bb, X[10], 13);
155    HH(bb, cc, dd, ee, aa, X[14],  6);
156    HH(aa, bb, cc, dd, ee, X[ 4],  7);
157    HH(ee, aa, bb, cc, dd, X[ 9], 14);
158    HH(dd, ee, aa, bb, cc, X[15],  9);
159    HH(cc, dd, ee, aa, bb, X[ 8], 13);
160    HH(bb, cc, dd, ee, aa, X[ 1], 15);
161    HH(aa, bb, cc, dd, ee, X[ 2], 14);
162    HH(ee, aa, bb, cc, dd, X[ 7],  8);
163    HH(dd, ee, aa, bb, cc, X[ 0], 13);
164    HH(cc, dd, ee, aa, bb, X[ 6],  6);
165    HH(bb, cc, dd, ee, aa, X[13],  5);
166    HH(aa, bb, cc, dd, ee, X[11], 12);
167    HH(ee, aa, bb, cc, dd, X[ 5],  7);
168    HH(dd, ee, aa, bb, cc, X[12],  5);
169 
170    /* round 4 */
171    II(cc, dd, ee, aa, bb, X[ 1], 11);
172    II(bb, cc, dd, ee, aa, X[ 9], 12);
173    II(aa, bb, cc, dd, ee, X[11], 14);
174    II(ee, aa, bb, cc, dd, X[10], 15);
175    II(dd, ee, aa, bb, cc, X[ 0], 14);
176    II(cc, dd, ee, aa, bb, X[ 8], 15);
177    II(bb, cc, dd, ee, aa, X[12],  9);
178    II(aa, bb, cc, dd, ee, X[ 4],  8);
179    II(ee, aa, bb, cc, dd, X[13],  9);
180    II(dd, ee, aa, bb, cc, X[ 3], 14);
181    II(cc, dd, ee, aa, bb, X[ 7],  5);
182    II(bb, cc, dd, ee, aa, X[15],  6);
183    II(aa, bb, cc, dd, ee, X[14],  8);
184    II(ee, aa, bb, cc, dd, X[ 5],  6);
185    II(dd, ee, aa, bb, cc, X[ 6],  5);
186    II(cc, dd, ee, aa, bb, X[ 2], 12);
187 
188    /* round 5 */
189    JJ(bb, cc, dd, ee, aa, X[ 4],  9);
190    JJ(aa, bb, cc, dd, ee, X[ 0], 15);
191    JJ(ee, aa, bb, cc, dd, X[ 5],  5);
192    JJ(dd, ee, aa, bb, cc, X[ 9], 11);
193    JJ(cc, dd, ee, aa, bb, X[ 7],  6);
194    JJ(bb, cc, dd, ee, aa, X[12],  8);
195    JJ(aa, bb, cc, dd, ee, X[ 2], 13);
196    JJ(ee, aa, bb, cc, dd, X[10], 12);
197    JJ(dd, ee, aa, bb, cc, X[14],  5);
198    JJ(cc, dd, ee, aa, bb, X[ 1], 12);
199    JJ(bb, cc, dd, ee, aa, X[ 3], 13);
200    JJ(aa, bb, cc, dd, ee, X[ 8], 14);
201    JJ(ee, aa, bb, cc, dd, X[11], 11);
202    JJ(dd, ee, aa, bb, cc, X[ 6],  8);
203    JJ(cc, dd, ee, aa, bb, X[15],  5);
204    JJ(bb, cc, dd, ee, aa, X[13],  6);
205 
206    /* parallel round 1 */
207    JJJ(aaa, bbb, ccc, ddd, eee, X[ 5],  8);
208    JJJ(eee, aaa, bbb, ccc, ddd, X[14],  9);
209    JJJ(ddd, eee, aaa, bbb, ccc, X[ 7],  9);
210    JJJ(ccc, ddd, eee, aaa, bbb, X[ 0], 11);
211    JJJ(bbb, ccc, ddd, eee, aaa, X[ 9], 13);
212    JJJ(aaa, bbb, ccc, ddd, eee, X[ 2], 15);
213    JJJ(eee, aaa, bbb, ccc, ddd, X[11], 15);
214    JJJ(ddd, eee, aaa, bbb, ccc, X[ 4],  5);
215    JJJ(ccc, ddd, eee, aaa, bbb, X[13],  7);
216    JJJ(bbb, ccc, ddd, eee, aaa, X[ 6],  7);
217    JJJ(aaa, bbb, ccc, ddd, eee, X[15],  8);
218    JJJ(eee, aaa, bbb, ccc, ddd, X[ 8], 11);
219    JJJ(ddd, eee, aaa, bbb, ccc, X[ 1], 14);
220    JJJ(ccc, ddd, eee, aaa, bbb, X[10], 14);
221    JJJ(bbb, ccc, ddd, eee, aaa, X[ 3], 12);
222    JJJ(aaa, bbb, ccc, ddd, eee, X[12],  6);
223 
224    /* parallel round 2 */
225    III(eee, aaa, bbb, ccc, ddd, X[ 6],  9);
226    III(ddd, eee, aaa, bbb, ccc, X[11], 13);
227    III(ccc, ddd, eee, aaa, bbb, X[ 3], 15);
228    III(bbb, ccc, ddd, eee, aaa, X[ 7],  7);
229    III(aaa, bbb, ccc, ddd, eee, X[ 0], 12);
230    III(eee, aaa, bbb, ccc, ddd, X[13],  8);
231    III(ddd, eee, aaa, bbb, ccc, X[ 5],  9);
232    III(ccc, ddd, eee, aaa, bbb, X[10], 11);
233    III(bbb, ccc, ddd, eee, aaa, X[14],  7);
234    III(aaa, bbb, ccc, ddd, eee, X[15],  7);
235    III(eee, aaa, bbb, ccc, ddd, X[ 8], 12);
236    III(ddd, eee, aaa, bbb, ccc, X[12],  7);
237    III(ccc, ddd, eee, aaa, bbb, X[ 4],  6);
238    III(bbb, ccc, ddd, eee, aaa, X[ 9], 15);
239    III(aaa, bbb, ccc, ddd, eee, X[ 1], 13);
240    III(eee, aaa, bbb, ccc, ddd, X[ 2], 11);
241 
242    /* parallel round 3 */
243    HHH(ddd, eee, aaa, bbb, ccc, X[15],  9);
244    HHH(ccc, ddd, eee, aaa, bbb, X[ 5],  7);
245    HHH(bbb, ccc, ddd, eee, aaa, X[ 1], 15);
246    HHH(aaa, bbb, ccc, ddd, eee, X[ 3], 11);
247    HHH(eee, aaa, bbb, ccc, ddd, X[ 7],  8);
248    HHH(ddd, eee, aaa, bbb, ccc, X[14],  6);
249    HHH(ccc, ddd, eee, aaa, bbb, X[ 6],  6);
250    HHH(bbb, ccc, ddd, eee, aaa, X[ 9], 14);
251    HHH(aaa, bbb, ccc, ddd, eee, X[11], 12);
252    HHH(eee, aaa, bbb, ccc, ddd, X[ 8], 13);
253    HHH(ddd, eee, aaa, bbb, ccc, X[12],  5);
254    HHH(ccc, ddd, eee, aaa, bbb, X[ 2], 14);
255    HHH(bbb, ccc, ddd, eee, aaa, X[10], 13);
256    HHH(aaa, bbb, ccc, ddd, eee, X[ 0], 13);
257    HHH(eee, aaa, bbb, ccc, ddd, X[ 4],  7);
258    HHH(ddd, eee, aaa, bbb, ccc, X[13],  5);
259 
260    /* parallel round 4 */
261    GGG(ccc, ddd, eee, aaa, bbb, X[ 8], 15);
262    GGG(bbb, ccc, ddd, eee, aaa, X[ 6],  5);
263    GGG(aaa, bbb, ccc, ddd, eee, X[ 4],  8);
264    GGG(eee, aaa, bbb, ccc, ddd, X[ 1], 11);
265    GGG(ddd, eee, aaa, bbb, ccc, X[ 3], 14);
266    GGG(ccc, ddd, eee, aaa, bbb, X[11], 14);
267    GGG(bbb, ccc, ddd, eee, aaa, X[15],  6);
268    GGG(aaa, bbb, ccc, ddd, eee, X[ 0], 14);
269    GGG(eee, aaa, bbb, ccc, ddd, X[ 5],  6);
270    GGG(ddd, eee, aaa, bbb, ccc, X[12],  9);
271    GGG(ccc, ddd, eee, aaa, bbb, X[ 2], 12);
272    GGG(bbb, ccc, ddd, eee, aaa, X[13],  9);
273    GGG(aaa, bbb, ccc, ddd, eee, X[ 9], 12);
274    GGG(eee, aaa, bbb, ccc, ddd, X[ 7],  5);
275    GGG(ddd, eee, aaa, bbb, ccc, X[10], 15);
276    GGG(ccc, ddd, eee, aaa, bbb, X[14],  8);
277 
278    /* parallel round 5 */
279    FFF(bbb, ccc, ddd, eee, aaa, X[12] ,  8);
280    FFF(aaa, bbb, ccc, ddd, eee, X[15] ,  5);
281    FFF(eee, aaa, bbb, ccc, ddd, X[10] , 12);
282    FFF(ddd, eee, aaa, bbb, ccc, X[ 4] ,  9);
283    FFF(ccc, ddd, eee, aaa, bbb, X[ 1] , 12);
284    FFF(bbb, ccc, ddd, eee, aaa, X[ 5] ,  5);
285    FFF(aaa, bbb, ccc, ddd, eee, X[ 8] , 14);
286    FFF(eee, aaa, bbb, ccc, ddd, X[ 7] ,  6);
287    FFF(ddd, eee, aaa, bbb, ccc, X[ 6] ,  8);
288    FFF(ccc, ddd, eee, aaa, bbb, X[ 2] , 13);
289    FFF(bbb, ccc, ddd, eee, aaa, X[13] ,  6);
290    FFF(aaa, bbb, ccc, ddd, eee, X[14] ,  5);
291    FFF(eee, aaa, bbb, ccc, ddd, X[ 0] , 15);
292    FFF(ddd, eee, aaa, bbb, ccc, X[ 3] , 13);
293    FFF(ccc, ddd, eee, aaa, bbb, X[ 9] , 11);
294    FFF(bbb, ccc, ddd, eee, aaa, X[11] , 11);
295 
296    /* combine results */
297    ddd += cc + md->rmd160.state[1];               /* final result for md->rmd160.state[0] */
298    md->rmd160.state[1] = md->rmd160.state[2] + dd + eee;
299    md->rmd160.state[2] = md->rmd160.state[3] + ee + aaa;
300    md->rmd160.state[3] = md->rmd160.state[4] + aa + bbb;
301    md->rmd160.state[4] = md->rmd160.state[0] + bb + ccc;
302    md->rmd160.state[0] = ddd;
303 
304    return CRYPT_OK;
305 }
306 
307 #ifdef LTC_CLEAN_STACK
308 static int s_rmd160_compress(hash_state *md, const unsigned char *buf)
309 {
310    int err;
311    err = ss_rmd160_compress(md, buf);
312    burn_stack(sizeof(ulong32) * 26 + sizeof(int));
313    return err;
314 }
315 #endif
316 
317 /**
318    Initialize the hash state
319    @param md   The hash state you wish to initialize
320    @return CRYPT_OK if successful
321 */
322 int rmd160_init(hash_state * md)
323 {
324    LTC_ARGCHK(md != NULL);
325    md->rmd160.state[0] = 0x67452301UL;
326    md->rmd160.state[1] = 0xefcdab89UL;
327    md->rmd160.state[2] = 0x98badcfeUL;
328    md->rmd160.state[3] = 0x10325476UL;
329    md->rmd160.state[4] = 0xc3d2e1f0UL;
330    md->rmd160.curlen   = 0;
331    md->rmd160.length   = 0;
332    return CRYPT_OK;
333 }
334 
335 /**
336    Process a block of memory though the hash
337    @param md     The hash state
338    @param in     The data to hash
339    @param inlen  The length of the data (octets)
340    @return CRYPT_OK if successful
341 */
342 HASH_PROCESS(rmd160_process, s_rmd160_compress, rmd160, 64)
343 
344 /**
345    Terminate the hash to get the digest
346    @param md  The hash state
347    @param out [out] The destination of the hash (20 bytes)
348    @return CRYPT_OK if successful
349 */
350 int rmd160_done(hash_state * md, unsigned char *out)
351 {
352     int i;
353 
354     LTC_ARGCHK(md  != NULL);
355     LTC_ARGCHK(out != NULL);
356 
357     if (md->rmd160.curlen >= sizeof(md->rmd160.buf)) {
358        return CRYPT_INVALID_ARG;
359     }
360 
361 
362     /* increase the length of the message */
363     md->rmd160.length += md->rmd160.curlen * 8;
364 
365     /* append the '1' bit */
366     md->rmd160.buf[md->rmd160.curlen++] = (unsigned char)0x80;
367 
368     /* if the length is currently above 56 bytes we append zeros
369      * then compress.  Then we can fall back to padding zeros and length
370      * encoding like normal.
371      */
372     if (md->rmd160.curlen > 56) {
373         while (md->rmd160.curlen < 64) {
374             md->rmd160.buf[md->rmd160.curlen++] = (unsigned char)0;
375         }
376         s_rmd160_compress(md, md->rmd160.buf);
377         md->rmd160.curlen = 0;
378     }
379 
380     /* pad upto 56 bytes of zeroes */
381     while (md->rmd160.curlen < 56) {
382         md->rmd160.buf[md->rmd160.curlen++] = (unsigned char)0;
383     }
384 
385     /* store length */
386     STORE64L(md->rmd160.length, md->rmd160.buf+56);
387     s_rmd160_compress(md, md->rmd160.buf);
388 
389     /* copy output */
390     for (i = 0; i < 5; i++) {
391         STORE32L(md->rmd160.state[i], out+(4*i));
392     }
393 #ifdef LTC_CLEAN_STACK
394     zeromem(md, sizeof(hash_state));
395 #endif
396     return CRYPT_OK;
397 }
398 
399 /**
400   Self-test the hash
401   @return CRYPT_OK if successful, CRYPT_NOP if self-tests have been disabled
402 */
403 int rmd160_test(void)
404 {
405 #ifndef LTC_TEST
406    return CRYPT_NOP;
407 #else
408    static const struct {
409         const char *msg;
410         unsigned char hash[20];
411    } tests[] = {
412    { "",
413      { 0x9c, 0x11, 0x85, 0xa5, 0xc5, 0xe9, 0xfc, 0x54, 0x61, 0x28,
414        0x08, 0x97, 0x7e, 0xe8, 0xf5, 0x48, 0xb2, 0x25, 0x8d, 0x31 }
415    },
416    { "a",
417      { 0x0b, 0xdc, 0x9d, 0x2d, 0x25, 0x6b, 0x3e, 0xe9, 0xda, 0xae,
418        0x34, 0x7b, 0xe6, 0xf4, 0xdc, 0x83, 0x5a, 0x46, 0x7f, 0xfe }
419    },
420    { "abc",
421      { 0x8e, 0xb2, 0x08, 0xf7, 0xe0, 0x5d, 0x98, 0x7a, 0x9b, 0x04,
422        0x4a, 0x8e, 0x98, 0xc6, 0xb0, 0x87, 0xf1, 0x5a, 0x0b, 0xfc }
423    },
424    { "message digest",
425      { 0x5d, 0x06, 0x89, 0xef, 0x49, 0xd2, 0xfa, 0xe5, 0x72, 0xb8,
426        0x81, 0xb1, 0x23, 0xa8, 0x5f, 0xfa, 0x21, 0x59, 0x5f, 0x36 }
427    },
428    { "abcdefghijklmnopqrstuvwxyz",
429      { 0xf7, 0x1c, 0x27, 0x10, 0x9c, 0x69, 0x2c, 0x1b, 0x56, 0xbb,
430        0xdc, 0xeb, 0x5b, 0x9d, 0x28, 0x65, 0xb3, 0x70, 0x8d, 0xbc }
431    },
432    { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
433      { 0x12, 0xa0, 0x53, 0x38, 0x4a, 0x9c, 0x0c, 0x88, 0xe4, 0x05,
434        0xa0, 0x6c, 0x27, 0xdc, 0xf4, 0x9a, 0xda, 0x62, 0xeb, 0x2b }
435    }
436    };
437 
438    int i;
439    unsigned char tmp[20];
440    hash_state md;
441 
442    for (i = 0; i < (int)(sizeof(tests)/sizeof(tests[0])); i++) {
443        rmd160_init(&md);
444        rmd160_process(&md, (unsigned char *)tests[i].msg, XSTRLEN(tests[i].msg));
445        rmd160_done(&md, tmp);
446        if (compare_testvector(tmp, sizeof(tmp), tests[i].hash, sizeof(tests[i].hash), "RIPEMD160", i)) {
447           return CRYPT_FAIL_TESTVECTOR;
448        }
449    }
450    return CRYPT_OK;
451 #endif
452 }
453 
454 #endif
455 
456