github.com/ethereum/go-ethereum@v1.16.1/crypto/secp256k1/libsecp256k1/src/hash_impl.h (about) 1 /*********************************************************************** 2 * Copyright (c) 2014 Pieter Wuille * 3 * Distributed under the MIT software license, see the accompanying * 4 * file COPYING or https://www.opensource.org/licenses/mit-license.php.* 5 ***********************************************************************/ 6 7 #ifndef SECP256K1_HASH_IMPL_H 8 #define SECP256K1_HASH_IMPL_H 9 10 #include "hash.h" 11 #include "util.h" 12 13 #include <stdlib.h> 14 #include <stdint.h> 15 #include <string.h> 16 17 #define Ch(x,y,z) ((z) ^ ((x) & ((y) ^ (z)))) 18 #define Maj(x,y,z) (((x) & (y)) | ((z) & ((x) | (y)))) 19 #define Sigma0(x) (((x) >> 2 | (x) << 30) ^ ((x) >> 13 | (x) << 19) ^ ((x) >> 22 | (x) << 10)) 20 #define Sigma1(x) (((x) >> 6 | (x) << 26) ^ ((x) >> 11 | (x) << 21) ^ ((x) >> 25 | (x) << 7)) 21 #define sigma0(x) (((x) >> 7 | (x) << 25) ^ ((x) >> 18 | (x) << 14) ^ ((x) >> 3)) 22 #define sigma1(x) (((x) >> 17 | (x) << 15) ^ ((x) >> 19 | (x) << 13) ^ ((x) >> 10)) 23 24 #define Round(a,b,c,d,e,f,g,h,k,w) do { \ 25 uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \ 26 uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \ 27 (d) += t1; \ 28 (h) = t1 + t2; \ 29 } while(0) 30 31 static void secp256k1_sha256_initialize(secp256k1_sha256 *hash) { 32 hash->s[0] = 0x6a09e667ul; 33 hash->s[1] = 0xbb67ae85ul; 34 hash->s[2] = 0x3c6ef372ul; 35 hash->s[3] = 0xa54ff53aul; 36 hash->s[4] = 0x510e527ful; 37 hash->s[5] = 0x9b05688cul; 38 hash->s[6] = 0x1f83d9abul; 39 hash->s[7] = 0x5be0cd19ul; 40 hash->bytes = 0; 41 } 42 43 /** Perform one SHA-256 transformation, processing 16 big endian 32-bit words. */ 44 static void secp256k1_sha256_transform(uint32_t* s, const unsigned char* buf) { 45 uint32_t a = s[0], b = s[1], c = s[2], d = s[3], e = s[4], f = s[5], g = s[6], h = s[7]; 46 uint32_t w0, w1, w2, w3, w4, w5, w6, w7, w8, w9, w10, w11, w12, w13, w14, w15; 47 48 Round(a, b, c, d, e, f, g, h, 0x428a2f98, w0 = secp256k1_read_be32(&buf[0])); 49 Round(h, a, b, c, d, e, f, g, 0x71374491, w1 = secp256k1_read_be32(&buf[4])); 50 Round(g, h, a, b, c, d, e, f, 0xb5c0fbcf, w2 = secp256k1_read_be32(&buf[8])); 51 Round(f, g, h, a, b, c, d, e, 0xe9b5dba5, w3 = secp256k1_read_be32(&buf[12])); 52 Round(e, f, g, h, a, b, c, d, 0x3956c25b, w4 = secp256k1_read_be32(&buf[16])); 53 Round(d, e, f, g, h, a, b, c, 0x59f111f1, w5 = secp256k1_read_be32(&buf[20])); 54 Round(c, d, e, f, g, h, a, b, 0x923f82a4, w6 = secp256k1_read_be32(&buf[24])); 55 Round(b, c, d, e, f, g, h, a, 0xab1c5ed5, w7 = secp256k1_read_be32(&buf[28])); 56 Round(a, b, c, d, e, f, g, h, 0xd807aa98, w8 = secp256k1_read_be32(&buf[32])); 57 Round(h, a, b, c, d, e, f, g, 0x12835b01, w9 = secp256k1_read_be32(&buf[36])); 58 Round(g, h, a, b, c, d, e, f, 0x243185be, w10 = secp256k1_read_be32(&buf[40])); 59 Round(f, g, h, a, b, c, d, e, 0x550c7dc3, w11 = secp256k1_read_be32(&buf[44])); 60 Round(e, f, g, h, a, b, c, d, 0x72be5d74, w12 = secp256k1_read_be32(&buf[48])); 61 Round(d, e, f, g, h, a, b, c, 0x80deb1fe, w13 = secp256k1_read_be32(&buf[52])); 62 Round(c, d, e, f, g, h, a, b, 0x9bdc06a7, w14 = secp256k1_read_be32(&buf[56])); 63 Round(b, c, d, e, f, g, h, a, 0xc19bf174, w15 = secp256k1_read_be32(&buf[60])); 64 65 Round(a, b, c, d, e, f, g, h, 0xe49b69c1, w0 += sigma1(w14) + w9 + sigma0(w1)); 66 Round(h, a, b, c, d, e, f, g, 0xefbe4786, w1 += sigma1(w15) + w10 + sigma0(w2)); 67 Round(g, h, a, b, c, d, e, f, 0x0fc19dc6, w2 += sigma1(w0) + w11 + sigma0(w3)); 68 Round(f, g, h, a, b, c, d, e, 0x240ca1cc, w3 += sigma1(w1) + w12 + sigma0(w4)); 69 Round(e, f, g, h, a, b, c, d, 0x2de92c6f, w4 += sigma1(w2) + w13 + sigma0(w5)); 70 Round(d, e, f, g, h, a, b, c, 0x4a7484aa, w5 += sigma1(w3) + w14 + sigma0(w6)); 71 Round(c, d, e, f, g, h, a, b, 0x5cb0a9dc, w6 += sigma1(w4) + w15 + sigma0(w7)); 72 Round(b, c, d, e, f, g, h, a, 0x76f988da, w7 += sigma1(w5) + w0 + sigma0(w8)); 73 Round(a, b, c, d, e, f, g, h, 0x983e5152, w8 += sigma1(w6) + w1 + sigma0(w9)); 74 Round(h, a, b, c, d, e, f, g, 0xa831c66d, w9 += sigma1(w7) + w2 + sigma0(w10)); 75 Round(g, h, a, b, c, d, e, f, 0xb00327c8, w10 += sigma1(w8) + w3 + sigma0(w11)); 76 Round(f, g, h, a, b, c, d, e, 0xbf597fc7, w11 += sigma1(w9) + w4 + sigma0(w12)); 77 Round(e, f, g, h, a, b, c, d, 0xc6e00bf3, w12 += sigma1(w10) + w5 + sigma0(w13)); 78 Round(d, e, f, g, h, a, b, c, 0xd5a79147, w13 += sigma1(w11) + w6 + sigma0(w14)); 79 Round(c, d, e, f, g, h, a, b, 0x06ca6351, w14 += sigma1(w12) + w7 + sigma0(w15)); 80 Round(b, c, d, e, f, g, h, a, 0x14292967, w15 += sigma1(w13) + w8 + sigma0(w0)); 81 82 Round(a, b, c, d, e, f, g, h, 0x27b70a85, w0 += sigma1(w14) + w9 + sigma0(w1)); 83 Round(h, a, b, c, d, e, f, g, 0x2e1b2138, w1 += sigma1(w15) + w10 + sigma0(w2)); 84 Round(g, h, a, b, c, d, e, f, 0x4d2c6dfc, w2 += sigma1(w0) + w11 + sigma0(w3)); 85 Round(f, g, h, a, b, c, d, e, 0x53380d13, w3 += sigma1(w1) + w12 + sigma0(w4)); 86 Round(e, f, g, h, a, b, c, d, 0x650a7354, w4 += sigma1(w2) + w13 + sigma0(w5)); 87 Round(d, e, f, g, h, a, b, c, 0x766a0abb, w5 += sigma1(w3) + w14 + sigma0(w6)); 88 Round(c, d, e, f, g, h, a, b, 0x81c2c92e, w6 += sigma1(w4) + w15 + sigma0(w7)); 89 Round(b, c, d, e, f, g, h, a, 0x92722c85, w7 += sigma1(w5) + w0 + sigma0(w8)); 90 Round(a, b, c, d, e, f, g, h, 0xa2bfe8a1, w8 += sigma1(w6) + w1 + sigma0(w9)); 91 Round(h, a, b, c, d, e, f, g, 0xa81a664b, w9 += sigma1(w7) + w2 + sigma0(w10)); 92 Round(g, h, a, b, c, d, e, f, 0xc24b8b70, w10 += sigma1(w8) + w3 + sigma0(w11)); 93 Round(f, g, h, a, b, c, d, e, 0xc76c51a3, w11 += sigma1(w9) + w4 + sigma0(w12)); 94 Round(e, f, g, h, a, b, c, d, 0xd192e819, w12 += sigma1(w10) + w5 + sigma0(w13)); 95 Round(d, e, f, g, h, a, b, c, 0xd6990624, w13 += sigma1(w11) + w6 + sigma0(w14)); 96 Round(c, d, e, f, g, h, a, b, 0xf40e3585, w14 += sigma1(w12) + w7 + sigma0(w15)); 97 Round(b, c, d, e, f, g, h, a, 0x106aa070, w15 += sigma1(w13) + w8 + sigma0(w0)); 98 99 Round(a, b, c, d, e, f, g, h, 0x19a4c116, w0 += sigma1(w14) + w9 + sigma0(w1)); 100 Round(h, a, b, c, d, e, f, g, 0x1e376c08, w1 += sigma1(w15) + w10 + sigma0(w2)); 101 Round(g, h, a, b, c, d, e, f, 0x2748774c, w2 += sigma1(w0) + w11 + sigma0(w3)); 102 Round(f, g, h, a, b, c, d, e, 0x34b0bcb5, w3 += sigma1(w1) + w12 + sigma0(w4)); 103 Round(e, f, g, h, a, b, c, d, 0x391c0cb3, w4 += sigma1(w2) + w13 + sigma0(w5)); 104 Round(d, e, f, g, h, a, b, c, 0x4ed8aa4a, w5 += sigma1(w3) + w14 + sigma0(w6)); 105 Round(c, d, e, f, g, h, a, b, 0x5b9cca4f, w6 += sigma1(w4) + w15 + sigma0(w7)); 106 Round(b, c, d, e, f, g, h, a, 0x682e6ff3, w7 += sigma1(w5) + w0 + sigma0(w8)); 107 Round(a, b, c, d, e, f, g, h, 0x748f82ee, w8 += sigma1(w6) + w1 + sigma0(w9)); 108 Round(h, a, b, c, d, e, f, g, 0x78a5636f, w9 += sigma1(w7) + w2 + sigma0(w10)); 109 Round(g, h, a, b, c, d, e, f, 0x84c87814, w10 += sigma1(w8) + w3 + sigma0(w11)); 110 Round(f, g, h, a, b, c, d, e, 0x8cc70208, w11 += sigma1(w9) + w4 + sigma0(w12)); 111 Round(e, f, g, h, a, b, c, d, 0x90befffa, w12 += sigma1(w10) + w5 + sigma0(w13)); 112 Round(d, e, f, g, h, a, b, c, 0xa4506ceb, w13 += sigma1(w11) + w6 + sigma0(w14)); 113 Round(c, d, e, f, g, h, a, b, 0xbef9a3f7, w14 + sigma1(w12) + w7 + sigma0(w15)); 114 Round(b, c, d, e, f, g, h, a, 0xc67178f2, w15 + sigma1(w13) + w8 + sigma0(w0)); 115 116 s[0] += a; 117 s[1] += b; 118 s[2] += c; 119 s[3] += d; 120 s[4] += e; 121 s[5] += f; 122 s[6] += g; 123 s[7] += h; 124 } 125 126 static void secp256k1_sha256_write(secp256k1_sha256 *hash, const unsigned char *data, size_t len) { 127 size_t bufsize = hash->bytes & 0x3F; 128 hash->bytes += len; 129 VERIFY_CHECK(hash->bytes >= len); 130 while (len >= 64 - bufsize) { 131 /* Fill the buffer, and process it. */ 132 size_t chunk_len = 64 - bufsize; 133 memcpy(hash->buf + bufsize, data, chunk_len); 134 data += chunk_len; 135 len -= chunk_len; 136 secp256k1_sha256_transform(hash->s, hash->buf); 137 bufsize = 0; 138 } 139 if (len) { 140 /* Fill the buffer with what remains. */ 141 memcpy(hash->buf + bufsize, data, len); 142 } 143 } 144 145 static void secp256k1_sha256_finalize(secp256k1_sha256 *hash, unsigned char *out32) { 146 static const unsigned char pad[64] = {0x80}; 147 unsigned char sizedesc[8]; 148 int i; 149 /* The maximum message size of SHA256 is 2^64-1 bits. */ 150 VERIFY_CHECK(hash->bytes < ((uint64_t)1 << 61)); 151 secp256k1_write_be32(&sizedesc[0], hash->bytes >> 29); 152 secp256k1_write_be32(&sizedesc[4], hash->bytes << 3); 153 secp256k1_sha256_write(hash, pad, 1 + ((119 - (hash->bytes % 64)) % 64)); 154 secp256k1_sha256_write(hash, sizedesc, 8); 155 for (i = 0; i < 8; i++) { 156 secp256k1_write_be32(&out32[4*i], hash->s[i]); 157 hash->s[i] = 0; 158 } 159 } 160 161 /* Initializes a sha256 struct and writes the 64 byte string 162 * SHA256(tag)||SHA256(tag) into it. */ 163 static void secp256k1_sha256_initialize_tagged(secp256k1_sha256 *hash, const unsigned char *tag, size_t taglen) { 164 unsigned char buf[32]; 165 secp256k1_sha256_initialize(hash); 166 secp256k1_sha256_write(hash, tag, taglen); 167 secp256k1_sha256_finalize(hash, buf); 168 169 secp256k1_sha256_initialize(hash); 170 secp256k1_sha256_write(hash, buf, 32); 171 secp256k1_sha256_write(hash, buf, 32); 172 } 173 174 static void secp256k1_sha256_clear(secp256k1_sha256 *hash) { 175 secp256k1_memclear(hash, sizeof(*hash)); 176 } 177 178 static void secp256k1_hmac_sha256_initialize(secp256k1_hmac_sha256 *hash, const unsigned char *key, size_t keylen) { 179 size_t n; 180 unsigned char rkey[64]; 181 if (keylen <= sizeof(rkey)) { 182 memcpy(rkey, key, keylen); 183 memset(rkey + keylen, 0, sizeof(rkey) - keylen); 184 } else { 185 secp256k1_sha256 sha256; 186 secp256k1_sha256_initialize(&sha256); 187 secp256k1_sha256_write(&sha256, key, keylen); 188 secp256k1_sha256_finalize(&sha256, rkey); 189 memset(rkey + 32, 0, 32); 190 } 191 192 secp256k1_sha256_initialize(&hash->outer); 193 for (n = 0; n < sizeof(rkey); n++) { 194 rkey[n] ^= 0x5c; 195 } 196 secp256k1_sha256_write(&hash->outer, rkey, sizeof(rkey)); 197 198 secp256k1_sha256_initialize(&hash->inner); 199 for (n = 0; n < sizeof(rkey); n++) { 200 rkey[n] ^= 0x5c ^ 0x36; 201 } 202 secp256k1_sha256_write(&hash->inner, rkey, sizeof(rkey)); 203 secp256k1_memclear(rkey, sizeof(rkey)); 204 } 205 206 static void secp256k1_hmac_sha256_write(secp256k1_hmac_sha256 *hash, const unsigned char *data, size_t size) { 207 secp256k1_sha256_write(&hash->inner, data, size); 208 } 209 210 static void secp256k1_hmac_sha256_finalize(secp256k1_hmac_sha256 *hash, unsigned char *out32) { 211 unsigned char temp[32]; 212 secp256k1_sha256_finalize(&hash->inner, temp); 213 secp256k1_sha256_write(&hash->outer, temp, 32); 214 secp256k1_memclear(temp, sizeof(temp)); 215 secp256k1_sha256_finalize(&hash->outer, out32); 216 } 217 218 static void secp256k1_hmac_sha256_clear(secp256k1_hmac_sha256 *hash) { 219 secp256k1_memclear(hash, sizeof(*hash)); 220 } 221 222 static void secp256k1_rfc6979_hmac_sha256_initialize(secp256k1_rfc6979_hmac_sha256 *rng, const unsigned char *key, size_t keylen) { 223 secp256k1_hmac_sha256 hmac; 224 static const unsigned char zero[1] = {0x00}; 225 static const unsigned char one[1] = {0x01}; 226 227 memset(rng->v, 0x01, 32); /* RFC6979 3.2.b. */ 228 memset(rng->k, 0x00, 32); /* RFC6979 3.2.c. */ 229 230 /* RFC6979 3.2.d. */ 231 secp256k1_hmac_sha256_initialize(&hmac, rng->k, 32); 232 secp256k1_hmac_sha256_write(&hmac, rng->v, 32); 233 secp256k1_hmac_sha256_write(&hmac, zero, 1); 234 secp256k1_hmac_sha256_write(&hmac, key, keylen); 235 secp256k1_hmac_sha256_finalize(&hmac, rng->k); 236 secp256k1_hmac_sha256_initialize(&hmac, rng->k, 32); 237 secp256k1_hmac_sha256_write(&hmac, rng->v, 32); 238 secp256k1_hmac_sha256_finalize(&hmac, rng->v); 239 240 /* RFC6979 3.2.f. */ 241 secp256k1_hmac_sha256_initialize(&hmac, rng->k, 32); 242 secp256k1_hmac_sha256_write(&hmac, rng->v, 32); 243 secp256k1_hmac_sha256_write(&hmac, one, 1); 244 secp256k1_hmac_sha256_write(&hmac, key, keylen); 245 secp256k1_hmac_sha256_finalize(&hmac, rng->k); 246 secp256k1_hmac_sha256_initialize(&hmac, rng->k, 32); 247 secp256k1_hmac_sha256_write(&hmac, rng->v, 32); 248 secp256k1_hmac_sha256_finalize(&hmac, rng->v); 249 rng->retry = 0; 250 } 251 252 static void secp256k1_rfc6979_hmac_sha256_generate(secp256k1_rfc6979_hmac_sha256 *rng, unsigned char *out, size_t outlen) { 253 /* RFC6979 3.2.h. */ 254 static const unsigned char zero[1] = {0x00}; 255 if (rng->retry) { 256 secp256k1_hmac_sha256 hmac; 257 secp256k1_hmac_sha256_initialize(&hmac, rng->k, 32); 258 secp256k1_hmac_sha256_write(&hmac, rng->v, 32); 259 secp256k1_hmac_sha256_write(&hmac, zero, 1); 260 secp256k1_hmac_sha256_finalize(&hmac, rng->k); 261 secp256k1_hmac_sha256_initialize(&hmac, rng->k, 32); 262 secp256k1_hmac_sha256_write(&hmac, rng->v, 32); 263 secp256k1_hmac_sha256_finalize(&hmac, rng->v); 264 } 265 266 while (outlen > 0) { 267 secp256k1_hmac_sha256 hmac; 268 int now = outlen; 269 secp256k1_hmac_sha256_initialize(&hmac, rng->k, 32); 270 secp256k1_hmac_sha256_write(&hmac, rng->v, 32); 271 secp256k1_hmac_sha256_finalize(&hmac, rng->v); 272 if (now > 32) { 273 now = 32; 274 } 275 memcpy(out, rng->v, now); 276 out += now; 277 outlen -= now; 278 } 279 280 rng->retry = 1; 281 } 282 283 static void secp256k1_rfc6979_hmac_sha256_finalize(secp256k1_rfc6979_hmac_sha256 *rng) { 284 (void) rng; 285 } 286 287 static void secp256k1_rfc6979_hmac_sha256_clear(secp256k1_rfc6979_hmac_sha256 *rng) { 288 secp256k1_memclear(rng, sizeof(*rng)); 289 } 290 291 #undef Round 292 #undef sigma1 293 #undef sigma0 294 #undef Sigma1 295 #undef Sigma0 296 #undef Maj 297 #undef Ch 298 299 #endif /* SECP256K1_HASH_IMPL_H */