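/**********************************************************************
 * Copyright (c) 2014 Pieter Wuille                                   *
 * Distributed under the MIT software license, see the accompanying   *
 * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
 **********************************************************************/

#ifndef SECP256K1_HASH_IMPL_H
#define SECP256K1_HASH_IMPL_H

#include "hash.h"

#include <stdlib.h>
#include <stdint.h>
#include <string.h>

/* SHA-256 round functions in FIPS 180-4 notation; all operate on uint32_t. */
#define Ch(x,y,z) ((z) ^ ((x) & ((y) ^ (z))))
#define Maj(x,y,z) (((x) & (y)) | ((z) & ((x) | (y))))
#define Sigma0(x) (((x) >> 2 | (x) << 30) ^ ((x) >> 13 | (x) << 19) ^ ((x) >> 22 | (x) << 10))
#define Sigma1(x) (((x) >> 6 | (x) << 26) ^ ((x) >> 11 | (x) << 21) ^ ((x) >> 25 | (x) << 7))
#define sigma0(x) (((x) >> 7 | (x) << 25) ^ ((x) >> 18 | (x) << 14) ^ ((x) >> 3))
#define sigma1(x) (((x) >> 17 | (x) << 15) ^ ((x) >> 19 | (x) << 13) ^ ((x) >> 10))

/* One SHA-256 round. Callers rotate the a..h arguments from round to round
 * instead of shuffling the working variables, which is why only d and h are
 * assigned here. k is the round constant, w the schedule word. */
#define Round(a,b,c,d,e,f,g,h,k,w) do { \
    uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \
    uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \
    (d) += t1; \
    (h) = t1 + t2; \
} while(0)

/* Convert a 32-bit word between host order and big-endian. The little-endian
 * form evaluates its argument four times, so only pass side-effect-free
 * expressions. */
#ifdef WORDS_BIGENDIAN
#define BE32(x) (x)
#else
#define BE32(p) ((((p) & 0xFF) << 24) | (((p) & 0xFF00) << 8) | (((p) & 0xFF0000) >> 8) | (((p) & 0xFF000000) >> 24))
#endif

/** Zero a buffer that held key material or intermediate secrets.
 *
 *  The stores go through a volatile pointer so the compiler has to emit
 *  every one of them. A plain memset() of a local buffer just before it goes
 *  out of scope is a dead store that an optimizer may legitimately remove,
 *  leaving the secret on the stack.
 *
 *  @param ptr  start of the region to clear
 *  @param len  number of bytes to clear
 */
static void secp256k1_hash_impl_memclear(void *ptr, size_t len) {
    volatile unsigned char *p = (volatile unsigned char *)ptr;
    while (len > 0) {
        *p++ = 0;
        len--;
    }
}

/** Reset a SHA-256 state to the FIPS 180-4 initial hash value. */
static void secp256k1_sha256_initialize(secp256k1_sha256 *hash) {
    hash->s[0] = 0x6a09e667ul;
    hash->s[1] = 0xbb67ae85ul;
    hash->s[2] = 0x3c6ef372ul;
    hash->s[3] = 0xa54ff53aul;
    hash->s[4] = 0x510e527ful;
    hash->s[5] = 0x9b05688cul;
    hash->s[6] = 0x1f83d9abul;
    hash->s[7] = 0x5be0cd19ul;
    hash->bytes = 0;
}

/** Perform one SHA-256 transformation, processing 16 big endian 32-bit words.
 *
 *  @param s      the eight state words, updated in place
 *  @param chunk  one 64-byte block as 16 words in big-endian byte order
 *
 *  The rounds are fully unrolled. w0..w15 act as a rolling 16-word message
 *  schedule: in rounds 16..63 each word is replaced by the schedule value for
 *  round i before it is consumed. The final two rounds use '+' rather than
 *  '+=' because w14 and w15 are never read again.
 */
static void secp256k1_sha256_transform(uint32_t* s, const uint32_t* chunk) {
    uint32_t a = s[0], b = s[1], c = s[2], d = s[3], e = s[4], f = s[5], g = s[6], h = s[7];
    uint32_t w0, w1, w2, w3, w4, w5, w6, w7, w8, w9, w10, w11, w12, w13, w14, w15;

    Round(a, b, c, d, e, f, g, h, 0x428a2f98, w0 = BE32(chunk[0]));
    Round(h, a, b, c, d, e, f, g, 0x71374491, w1 = BE32(chunk[1]));
    Round(g, h, a, b, c, d, e, f, 0xb5c0fbcf, w2 = BE32(chunk[2]));
    Round(f, g, h, a, b, c, d, e, 0xe9b5dba5, w3 = BE32(chunk[3]));
    Round(e, f, g, h, a, b, c, d, 0x3956c25b, w4 = BE32(chunk[4]));
    Round(d, e, f, g, h, a, b, c, 0x59f111f1, w5 = BE32(chunk[5]));
    Round(c, d, e, f, g, h, a, b, 0x923f82a4, w6 = BE32(chunk[6]));
    Round(b, c, d, e, f, g, h, a, 0xab1c5ed5, w7 = BE32(chunk[7]));
    Round(a, b, c, d, e, f, g, h, 0xd807aa98, w8 = BE32(chunk[8]));
    Round(h, a, b, c, d, e, f, g, 0x12835b01, w9 = BE32(chunk[9]));
    Round(g, h, a, b, c, d, e, f, 0x243185be, w10 = BE32(chunk[10]));
    Round(f, g, h, a, b, c, d, e, 0x550c7dc3, w11 = BE32(chunk[11]));
    Round(e, f, g, h, a, b, c, d, 0x72be5d74, w12 = BE32(chunk[12]));
    Round(d, e, f, g, h, a, b, c, 0x80deb1fe, w13 = BE32(chunk[13]));
    Round(c, d, e, f, g, h, a, b, 0x9bdc06a7, w14 = BE32(chunk[14]));
    Round(b, c, d, e, f, g, h, a, 0xc19bf174, w15 = BE32(chunk[15]));

    Round(a, b, c, d, e, f, g, h, 0xe49b69c1, w0 += sigma1(w14) + w9 + sigma0(w1));
    Round(h, a, b, c, d, e, f, g, 0xefbe4786, w1 += sigma1(w15) + w10 + sigma0(w2));
    Round(g, h, a, b, c, d, e, f, 0x0fc19dc6, w2 += sigma1(w0) + w11 + sigma0(w3));
    Round(f, g, h, a, b, c, d, e, 0x240ca1cc, w3 += sigma1(w1) + w12 + sigma0(w4));
    Round(e, f, g, h, a, b, c, d, 0x2de92c6f, w4 += sigma1(w2) + w13 + sigma0(w5));
    Round(d, e, f, g, h, a, b, c, 0x4a7484aa, w5 += sigma1(w3) + w14 + sigma0(w6));
    Round(c, d, e, f, g, h, a, b, 0x5cb0a9dc, w6 += sigma1(w4) + w15 + sigma0(w7));
    Round(b, c, d, e, f, g, h, a, 0x76f988da, w7 += sigma1(w5) + w0 + sigma0(w8));
    Round(a, b, c, d, e, f, g, h, 0x983e5152, w8 += sigma1(w6) + w1 + sigma0(w9));
    Round(h, a, b, c, d, e, f, g, 0xa831c66d, w9 += sigma1(w7) + w2 + sigma0(w10));
    Round(g, h, a, b, c, d, e, f, 0xb00327c8, w10 += sigma1(w8) + w3 + sigma0(w11));
    Round(f, g, h, a, b, c, d, e, 0xbf597fc7, w11 += sigma1(w9) + w4 + sigma0(w12));
    Round(e, f, g, h, a, b, c, d, 0xc6e00bf3, w12 += sigma1(w10) + w5 + sigma0(w13));
    Round(d, e, f, g, h, a, b, c, 0xd5a79147, w13 += sigma1(w11) + w6 + sigma0(w14));
    Round(c, d, e, f, g, h, a, b, 0x06ca6351, w14 += sigma1(w12) + w7 + sigma0(w15));
    Round(b, c, d, e, f, g, h, a, 0x14292967, w15 += sigma1(w13) + w8 + sigma0(w0));

    Round(a, b, c, d, e, f, g, h, 0x27b70a85, w0 += sigma1(w14) + w9 + sigma0(w1));
    Round(h, a, b, c, d, e, f, g, 0x2e1b2138, w1 += sigma1(w15) + w10 + sigma0(w2));
    Round(g, h, a, b, c, d, e, f, 0x4d2c6dfc, w2 += sigma1(w0) + w11 + sigma0(w3));
    Round(f, g, h, a, b, c, d, e, 0x53380d13, w3 += sigma1(w1) + w12 + sigma0(w4));
    Round(e, f, g, h, a, b, c, d, 0x650a7354, w4 += sigma1(w2) + w13 + sigma0(w5));
    Round(d, e, f, g, h, a, b, c, 0x766a0abb, w5 += sigma1(w3) + w14 + sigma0(w6));
    Round(c, d, e, f, g, h, a, b, 0x81c2c92e, w6 += sigma1(w4) + w15 + sigma0(w7));
    Round(b, c, d, e, f, g, h, a, 0x92722c85, w7 += sigma1(w5) + w0 + sigma0(w8));
    Round(a, b, c, d, e, f, g, h, 0xa2bfe8a1, w8 += sigma1(w6) + w1 + sigma0(w9));
    Round(h, a, b, c, d, e, f, g, 0xa81a664b, w9 += sigma1(w7) + w2 + sigma0(w10));
    Round(g, h, a, b, c, d, e, f, 0xc24b8b70, w10 += sigma1(w8) + w3 + sigma0(w11));
    Round(f, g, h, a, b, c, d, e, 0xc76c51a3, w11 += sigma1(w9) + w4 + sigma0(w12));
    Round(e, f, g, h, a, b, c, d, 0xd192e819, w12 += sigma1(w10) + w5 + sigma0(w13));
    Round(d, e, f, g, h, a, b, c, 0xd6990624, w13 += sigma1(w11) + w6 + sigma0(w14));
    Round(c, d, e, f, g, h, a, b, 0xf40e3585, w14 += sigma1(w12) + w7 + sigma0(w15));
    Round(b, c, d, e, f, g, h, a, 0x106aa070, w15 += sigma1(w13) + w8 + sigma0(w0));

    Round(a, b, c, d, e, f, g, h, 0x19a4c116, w0 += sigma1(w14) + w9 + sigma0(w1));
    Round(h, a, b, c, d, e, f, g, 0x1e376c08, w1 += sigma1(w15) + w10 + sigma0(w2));
    Round(g, h, a, b, c, d, e, f, 0x2748774c, w2 += sigma1(w0) + w11 + sigma0(w3));
    Round(f, g, h, a, b, c, d, e, 0x34b0bcb5, w3 += sigma1(w1) + w12 + sigma0(w4));
    Round(e, f, g, h, a, b, c, d, 0x391c0cb3, w4 += sigma1(w2) + w13 + sigma0(w5));
    Round(d, e, f, g, h, a, b, c, 0x4ed8aa4a, w5 += sigma1(w3) + w14 + sigma0(w6));
    Round(c, d, e, f, g, h, a, b, 0x5b9cca4f, w6 += sigma1(w4) + w15 + sigma0(w7));
    Round(b, c, d, e, f, g, h, a, 0x682e6ff3, w7 += sigma1(w5) + w0 + sigma0(w8));
    Round(a, b, c, d, e, f, g, h, 0x748f82ee, w8 += sigma1(w6) + w1 + sigma0(w9));
    Round(h, a, b, c, d, e, f, g, 0x78a5636f, w9 += sigma1(w7) + w2 + sigma0(w10));
    Round(g, h, a, b, c, d, e, f, 0x84c87814, w10 += sigma1(w8) + w3 + sigma0(w11));
    Round(f, g, h, a, b, c, d, e, 0x8cc70208, w11 += sigma1(w9) + w4 + sigma0(w12));
    Round(e, f, g, h, a, b, c, d, 0x90befffa, w12 += sigma1(w10) + w5 + sigma0(w13));
    Round(d, e, f, g, h, a, b, c, 0xa4506ceb, w13 += sigma1(w11) + w6 + sigma0(w14));
    Round(c, d, e, f, g, h, a, b, 0xbef9a3f7, w14 + sigma1(w12) + w7 + sigma0(w15));
    Round(b, c, d, e, f, g, h, a, 0xc67178f2, w15 + sigma1(w13) + w8 + sigma0(w0));

    /* Feed-forward: add the working variables back into the chaining state. */
    s[0] += a;
    s[1] += b;
    s[2] += c;
    s[3] += d;
    s[4] += e;
    s[5] += f;
    s[6] += g;
    s[7] += h;
}

/** Absorb len bytes of data into a SHA-256 state.
 *
 *  Bytes are accumulated in hash->buf; whenever 64 bytes are available the
 *  block is compressed and the buffer is reused. hash->bytes counts every
 *  byte ever written and drives the padding computed by finalize.
 *
 *  @param hash  state previously passed to secp256k1_sha256_initialize
 *  @param data  input bytes (len of them are read)
 *  @param len   number of bytes to absorb; may be 0
 */
static void secp256k1_sha256_write(secp256k1_sha256 *hash, const unsigned char *data, size_t len) {
    size_t bufsize = hash->bytes & 0x3F;
    hash->bytes += len;
    while (bufsize + len >= 64) {
        /* Fill the buffer, and process it. */
        size_t chunk_len = 64 - bufsize;
        memcpy(((unsigned char*)hash->buf) + bufsize, data, chunk_len);
        data += chunk_len;
        len -= chunk_len;
        secp256k1_sha256_transform(hash->s, hash->buf);
        bufsize = 0;
    }
    if (len) {
        /* Fill the buffer with what remains. */
        memcpy(((unsigned char*)hash->buf) + bufsize, data, len);
    }
}

/** Finish a SHA-256 computation and write the 32-byte big-endian digest.
 *
 *  Appends the 0x80 00..00 padding so the message length becomes congruent
 *  to 56 mod 64, then the 64-bit big-endian bit count, compresses the
 *  resulting block(s) and emits the state words. The eight state words are
 *  zeroed afterwards; hash->buf and hash->bytes are not, so the state must
 *  be re-initialized before reuse.
 *
 *  @param hash   state to finalize
 *  @param out32  receives 32 bytes
 */
static void secp256k1_sha256_finalize(secp256k1_sha256 *hash, unsigned char *out32) {
    static const unsigned char pad[64] = {0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
    uint32_t sizedesc[2];
    uint32_t out[8];
    int i = 0;
    /* Bit length of the message, big-endian, captured before the padding
     * writes below change hash->bytes. */
    sizedesc[0] = BE32(hash->bytes >> 29);
    sizedesc[1] = BE32(hash->bytes << 3);
    /* 1 + ((119 - r) % 64) padding bytes bring the length to 56 mod 64. */
    secp256k1_sha256_write(hash, pad, 1 + ((119 - (hash->bytes % 64)) % 64));
    secp256k1_sha256_write(hash, (const unsigned char*)sizedesc, 8);
    for (i = 0; i < 8; i++) {
        out[i] = BE32(hash->s[i]);
        hash->s[i] = 0;
    }
    memcpy(out32, (const unsigned char*)out, 32);
}

/** Start an HMAC-SHA256 computation (RFC 2104) with the given key.
 *
 *  Keys longer than the 64-byte block are replaced by their SHA-256 digest
 *  and zero-extended; shorter keys are zero-padded. The outer state absorbs
 *  key XOR 0x5c and the inner state key XOR 0x36 (the second loop XORs with
 *  0x5c ^ 0x36 to turn the opad copy into the ipad copy in place).
 *
 *  @param hash    HMAC state to initialize
 *  @param key     key bytes (keylen of them are read)
 *  @param keylen  key length in bytes
 */
static void secp256k1_hmac_sha256_initialize(secp256k1_hmac_sha256 *hash, const unsigned char *key, size_t keylen) {
    size_t n;
    unsigned char rkey[64];
    if (keylen <= sizeof(rkey)) {
        memcpy(rkey, key, keylen);
        memset(rkey + keylen, 0, sizeof(rkey) - keylen);
    } else {
        secp256k1_sha256 sha256;
        secp256k1_sha256_initialize(&sha256);
        secp256k1_sha256_write(&sha256, key, keylen);
        secp256k1_sha256_finalize(&sha256, rkey);
        memset(rkey + 32, 0, 32);
    }

    secp256k1_sha256_initialize(&hash->outer);
    for (n = 0; n < sizeof(rkey); n++) {
        rkey[n] ^= 0x5c;
    }
    secp256k1_sha256_write(&hash->outer, rkey, sizeof(rkey));

    secp256k1_sha256_initialize(&hash->inner);
    for (n = 0; n < sizeof(rkey); n++) {
        rkey[n] ^= 0x5c ^ 0x36;
    }
    secp256k1_sha256_write(&hash->inner, rkey, sizeof(rkey));
    /* rkey is key-derived; clear it in a way the optimizer cannot drop. */
    secp256k1_hash_impl_memclear(rkey, sizeof(rkey));
}

/** Absorb size bytes of message data into the HMAC (inner hash). */
static void secp256k1_hmac_sha256_write(secp256k1_hmac_sha256 *hash, const unsigned char *data, size_t size) {
    secp256k1_sha256_write(&hash->inner, data, size);
}

/** Finish the HMAC: out32 = SHA256(opad-key || SHA256(ipad-key || message)).
 *
 *  @param hash   HMAC state to finalize
 *  @param out32  receives the 32-byte tag
 */
static void secp256k1_hmac_sha256_finalize(secp256k1_hmac_sha256 *hash, unsigned char *out32) {
    unsigned char temp[32];
    secp256k1_sha256_finalize(&hash->inner, temp);
    secp256k1_sha256_write(&hash->outer, temp, 32);
    /* The inner digest is an intermediate secret; clear it reliably. */
    secp256k1_hash_impl_memclear(temp, 32);
    secp256k1_sha256_finalize(&hash->outer, out32);
}


/** Seed an RFC 6979 HMAC_DRBG-style generator (RFC 6979 section 3.2).
 *
 *  @param rng     generator state; rng->k and rng->v are 32-byte buffers
 *  @param key     seed material mixed into K in steps 3.2.d and 3.2.f
 *  @param keylen  length of key in bytes
 *
 *  NOTE(review): the local hmac temporary is not cleared before returning;
 *  its inner/outer states remain on the stack.
 */
static void secp256k1_rfc6979_hmac_sha256_initialize(secp256k1_rfc6979_hmac_sha256 *rng, const unsigned char *key, size_t keylen) {
    secp256k1_hmac_sha256 hmac;
    static const unsigned char zero[1] = {0x00};
    static const unsigned char one[1] = {0x01};

    memset(rng->v, 0x01, 32); /* RFC6979 3.2.b. */
    memset(rng->k, 0x00, 32); /* RFC6979 3.2.c. */

    /* RFC6979 3.2.d. */
    secp256k1_hmac_sha256_initialize(&hmac, rng->k, 32);
    secp256k1_hmac_sha256_write(&hmac, rng->v, 32);
    secp256k1_hmac_sha256_write(&hmac, zero, 1);
    secp256k1_hmac_sha256_write(&hmac, key, keylen);
    secp256k1_hmac_sha256_finalize(&hmac, rng->k);
    /* RFC6979 3.2.e. */
    secp256k1_hmac_sha256_initialize(&hmac, rng->k, 32);
    secp256k1_hmac_sha256_write(&hmac, rng->v, 32);
    secp256k1_hmac_sha256_finalize(&hmac, rng->v);

    /* RFC6979 3.2.f. */
    secp256k1_hmac_sha256_initialize(&hmac, rng->k, 32);
    secp256k1_hmac_sha256_write(&hmac, rng->v, 32);
    secp256k1_hmac_sha256_write(&hmac, one, 1);
    secp256k1_hmac_sha256_write(&hmac, key, keylen);
    secp256k1_hmac_sha256_finalize(&hmac, rng->k);
    /* RFC6979 3.2.g. */
    secp256k1_hmac_sha256_initialize(&hmac, rng->k, 32);
    secp256k1_hmac_sha256_write(&hmac, rng->v, 32);
    secp256k1_hmac_sha256_finalize(&hmac, rng->v);
    rng->retry = 0;
}

/** Produce outlen bytes of generator output.
 *
 *  Each iteration sets V = HMAC_K(V) and copies up to 32 bytes of V to out.
 *  On every call after the first, rng->retry is set, so K and V are first
 *  re-keyed with a 0x00 separator as RFC 6979 step 3.2.h requires.
 *
 *  @param rng     seeded generator state
 *  @param out     receives outlen bytes
 *  @param outlen  number of bytes requested; may exceed 32
 */
static void secp256k1_rfc6979_hmac_sha256_generate(secp256k1_rfc6979_hmac_sha256 *rng, unsigned char *out, size_t outlen) {
    /* RFC6979 3.2.h. */
    static const unsigned char zero[1] = {0x00};
    if (rng->retry) {
        secp256k1_hmac_sha256 hmac;
        secp256k1_hmac_sha256_initialize(&hmac, rng->k, 32);
        secp256k1_hmac_sha256_write(&hmac, rng->v, 32);
        secp256k1_hmac_sha256_write(&hmac, zero, 1);
        secp256k1_hmac_sha256_finalize(&hmac, rng->k);
        secp256k1_hmac_sha256_initialize(&hmac, rng->k, 32);
        secp256k1_hmac_sha256_write(&hmac, rng->v, 32);
        secp256k1_hmac_sha256_finalize(&hmac, rng->v);
    }

    while (outlen > 0) {
        secp256k1_hmac_sha256 hmac;
        /* size_t, not int: a narrowing copy of outlen could go negative and
         * turn the memcpy length into a huge value. */
        size_t now = outlen;
        secp256k1_hmac_sha256_initialize(&hmac, rng->k, 32);
        secp256k1_hmac_sha256_write(&hmac, rng->v, 32);
        secp256k1_hmac_sha256_finalize(&hmac, rng->v);
        if (now > 32) {
            now = 32;
        }
        memcpy(out, rng->v, now);
        out += now;
        outlen -= now;
    }

    rng->retry = 1;
}

/** Wipe the generator's K and V and reset it so it cannot be reused. */
static void secp256k1_rfc6979_hmac_sha256_finalize(secp256k1_rfc6979_hmac_sha256 *rng) {
    secp256k1_hash_impl_memclear(rng->k, 32);
    secp256k1_hash_impl_memclear(rng->v, 32);
    rng->retry = 0;
}

#undef BE32
#undef Round
#undef sigma1
#undef sigma0
#undef Sigma1
#undef Sigma0
#undef Maj
#undef Ch

#endif /* SECP256K1_HASH_IMPL_H */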