Skip to content
Snippets Groups Projects

Compare revisions

Changes are shown as if the source revision was being merged into the target revision. Learn more about comparing revisions.

Source

Select target project
No results found

Target

Select target project
  • nettle/nettle
  • briansmith/nettle
  • ajlawrence/nettle
  • mhoffmann/nettle
  • devnexen/nettle
  • wiml/nettle
  • lumag/nettle
  • michaelweiser/nettle
  • aberaud/nettle
  • mamonet/nettle
  • npocs/nettle
  • babelouest/nettle
  • ueno/nettle
  • rth/nettle
  • justus/nettle
15 results
Show changes
Hide whitespace changes
Inline Side-by-side
Showing
with 1530 additions and 3 deletions
arm64/crypto/sha1-compress.asm 0 → 100644
View file @ 53c76a47
C arm64/crypto/sha1-compress.asm
ifelse(`
Copyright (C) 2021 Mamone Tarsha
This file is part of GNU Nettle.
GNU Nettle is free software: you can redistribute it and/or
modify it under the terms of either:
* the GNU Lesser General Public License as published by the Free
Software Foundation; either version 3 of the License, or (at your
option) any later version.
or
* the GNU General Public License as published by the Free
Software Foundation; either version 2 of the License, or (at your
option) any later version.
or both in parallel, as here.
GNU Nettle is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.
You should have received copies of the GNU General Public License and
the GNU Lesser General Public License along with this program. If
not, see http://www.gnu.org/licenses/.
')
C This implementation uses the SHA-1 instructions of Armv8 crypto
C extension.
C SHA1C: SHA1 hash update (choose)
C SHA1H: SHA1 fixed rotate
C SHA1M: SHA1 hash update (majority)
C SHA1P: SHA1 hash update (parity)
C SHA1SU0: SHA1 schedule update 0
C SHA1SU1: SHA1 schedule update 1
.file "sha1-compress.asm"
.arch armv8-a+crypto
.text
C Register usage:
define(`STATE', `x0')
define(`INPUT', `x1')
define(`CONST0', `v0')
define(`CONST1', `v1')
define(`CONST2', `v2')
define(`CONST3', `v3')
define(`MSG0', `v4')
define(`MSG1', `v5')
define(`MSG2', `v6')
define(`MSG3', `v7')
define(`ABCD', `v16')
define(`ABCD_SAVED', `v17')
define(`E0', `v18')
define(`E0_SAVED', `v19')
define(`E1', `v20')
define(`TMP', `v21')
C void nettle_sha1_compress(uint32_t *state, const uint8_t *input)
PROLOGUE(nettle_sha1_compress)
C Initialize constants
mov w2,#0x7999
movk w2,#0x5A82,lsl #16
dup CONST0.4s,w2
mov w2,#0xEBA1
movk w2,#0x6ED9,lsl #16
dup CONST1.4s,w2
mov w2,#0xBCDC
movk w2,#0x8F1B,lsl #16
dup CONST2.4s,w2
mov w2,#0xC1D6
movk w2,#0xCA62,lsl #16
dup CONST3.4s,w2
C Load state
add x2,STATE,#16
movi E0.4s,#0
ld1 {ABCD.4s},[STATE]
ld1 {E0.s}[0],[x2]
C Save state
mov ABCD_SAVED.16b,ABCD.16b
mov E0_SAVED.16b,E0.16b
C Load message
ld1 {MSG0.16b,MSG1.16b,MSG2.16b,MSG3.16b},[INPUT]
C Reverse for little endian
rev32 MSG0.16b,MSG0.16b
rev32 MSG1.16b,MSG1.16b
rev32 MSG2.16b,MSG2.16b
rev32 MSG3.16b,MSG3.16b
C Rounds 0-3
add TMP.4s,MSG0.4s,CONST0.4s
sha1h SFP(E1),SFP(ABCD)
sha1c QFP(ABCD),SFP(E0),TMP.4s
sha1su0 MSG0.4s,MSG1.4s,MSG2.4s
C Rounds 4-7
add TMP.4s,MSG1.4s,CONST0.4s
sha1h SFP(E0),SFP(ABCD)
sha1c QFP(ABCD),SFP(E1),TMP.4s
sha1su1 MSG0.4s,MSG3.4s
sha1su0 MSG1.4s,MSG2.4s,MSG3.4s
C Rounds 8-11
add TMP.4s,MSG2.4s,CONST0.4s
sha1h SFP(E1),SFP(ABCD)
sha1c QFP(ABCD),SFP(E0),TMP.4s
sha1su1 MSG1.4s,MSG0.4s
sha1su0 MSG2.4s,MSG3.4s,MSG0.4s
C Rounds 12-15
add TMP.4s,MSG3.4s,CONST0.4s
sha1h SFP(E0),SFP(ABCD)
sha1c QFP(ABCD),SFP(E1),TMP.4s
sha1su1 MSG2.4s,MSG1.4s
sha1su0 MSG3.4s,MSG0.4s,MSG1.4s
C Rounds 16-19
add TMP.4s,MSG0.4s,CONST0.4s
sha1h SFP(E1),SFP(ABCD)
sha1c QFP(ABCD),SFP(E0),TMP.4s
sha1su1 MSG3.4s,MSG2.4s
sha1su0 MSG0.4s,MSG1.4s,MSG2.4s
C Rounds 20-23
add TMP.4s,MSG1.4s,CONST1.4s
sha1h SFP(E0),SFP(ABCD)
sha1p QFP(ABCD),SFP(E1),TMP.4s
sha1su1 MSG0.4s,MSG3.4s
sha1su0 MSG1.4s,MSG2.4s,MSG3.4s
C Rounds 24-27
add TMP.4s,MSG2.4s,CONST1.4s
sha1h SFP(E1),SFP(ABCD)
sha1p QFP(ABCD),SFP(E0),TMP.4s
sha1su1 MSG1.4s,MSG0.4s
sha1su0 MSG2.4s,MSG3.4s,MSG0.4s
C Rounds 28-31
add TMP.4s,MSG3.4s,CONST1.4s
sha1h SFP(E0),SFP(ABCD)
sha1p QFP(ABCD),SFP(E1),TMP.4s
sha1su1 MSG2.4s,MSG1.4s
sha1su0 MSG3.4s,MSG0.4s,MSG1.4s
C Rounds 32-35
add TMP.4s,MSG0.4s,CONST1.4s
sha1h SFP(E1),SFP(ABCD)
sha1p QFP(ABCD),SFP(E0),TMP.4s
sha1su1 MSG3.4s,MSG2.4s
sha1su0 MSG0.4s,MSG1.4s,MSG2.4s
C Rounds 36-39
add TMP.4s,MSG1.4s,CONST1.4s
sha1h SFP(E0),SFP(ABCD)
sha1p QFP(ABCD),SFP(E1),TMP.4s
sha1su1 MSG0.4s,MSG3.4s
sha1su0 MSG1.4s,MSG2.4s,MSG3.4s
C Rounds 40-43
add TMP.4s,MSG2.4s,CONST2.4s
sha1h SFP(E1),SFP(ABCD)
sha1m QFP(ABCD),SFP(E0),TMP.4s
sha1su1 MSG1.4s,MSG0.4s
sha1su0 MSG2.4s,MSG3.4s,MSG0.4s
C Rounds 44-47
add TMP.4s,MSG3.4s,CONST2.4s
sha1h SFP(E0),SFP(ABCD)
sha1m QFP(ABCD),SFP(E1),TMP.4s
sha1su1 MSG2.4s,MSG1.4s
sha1su0 MSG3.4s,MSG0.4s,MSG1.4s
C Rounds 48-51
add TMP.4s,MSG0.4s,CONST2.4s
sha1h SFP(E1),SFP(ABCD)
sha1m QFP(ABCD),SFP(E0),TMP.4s
sha1su1 MSG3.4s,MSG2.4s
sha1su0 MSG0.4s,MSG1.4s,MSG2.4s
C Rounds 52-55
add TMP.4s,MSG1.4s,CONST2.4s
sha1h SFP(E0),SFP(ABCD)
sha1m QFP(ABCD),SFP(E1),TMP.4s
sha1su1 MSG0.4s,MSG3.4s
sha1su0 MSG1.4s,MSG2.4s,MSG3.4s
C Rounds 56-59
add TMP.4s,MSG2.4s,CONST2.4s
sha1h SFP(E1),SFP(ABCD)
sha1m QFP(ABCD),SFP(E0),TMP.4s
sha1su1 MSG1.4s,MSG0.4s
sha1su0 MSG2.4s,MSG3.4s,MSG0.4s
C Rounds 60-63
add TMP.4s,MSG3.4s,CONST3.4s
sha1h SFP(E0),SFP(ABCD)
sha1p QFP(ABCD),SFP(E1),TMP.4s
sha1su1 MSG2.4s,MSG1.4s
sha1su0 MSG3.4s,MSG0.4s,MSG1.4s
C Rounds 64-67
add TMP.4s,MSG0.4s,CONST3.4s
sha1h SFP(E1),SFP(ABCD)
sha1p QFP(ABCD),SFP(E0),TMP.4s
sha1su1 MSG3.4s,MSG2.4s
sha1su0 MSG0.4s,MSG1.4s,MSG2.4s
C Rounds 68-71
add TMP.4s,MSG1.4s,CONST3.4s
sha1h SFP(E0),SFP(ABCD)
sha1p QFP(ABCD),SFP(E1),TMP.4s
sha1su1 MSG0.4s,MSG3.4s
C Rounds 72-75
add TMP.4s,MSG2.4s,CONST3.4s
sha1h SFP(E1),SFP(ABCD)
sha1p QFP(ABCD),SFP(E0),TMP.4s
C Rounds 76-79
add TMP.4s,MSG3.4s,CONST3.4s
sha1h SFP(E0),SFP(ABCD)
sha1p QFP(ABCD),SFP(E1),TMP.4s
C Combine state
add E0.4s,E0.4s,E0_SAVED.4s
add ABCD.4s,ABCD.4s,ABCD_SAVED.4s
C Store state
st1 {ABCD.4s},[STATE]
st1 {E0.s}[0],[x2]
ret
EPILOGUE(nettle_sha1_compress)
arm64/crypto/sha256-compress-n.asm 0 → 100644
View file @ 53c76a47
C arm64/crypto/sha256-compress-n.asm
ifelse(`
Copyright (C) 2021 Mamone Tarsha
This file is part of GNU Nettle.
GNU Nettle is free software: you can redistribute it and/or
modify it under the terms of either:
* the GNU Lesser General Public License as published by the Free
Software Foundation; either version 3 of the License, or (at your
option) any later version.
or
* the GNU General Public License as published by the Free
Software Foundation; either version 2 of the License, or (at your
option) any later version.
or both in parallel, as here.
GNU Nettle is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.
You should have received copies of the GNU General Public License and
the GNU Lesser General Public License along with this program. If
not, see http://www.gnu.org/licenses/.
')
C This implementation uses the SHA-256 instructions of Armv8 crypto
C extension.
C SHA256H: SHA256 hash update (part 1)
C SHA256H2: SHA256 hash update (part 2)
C SHA256SU0: SHA256 schedule update 0
C SHA256SU1: SHA256 schedule update 1
.file "sha256-compress-n.asm"
.arch armv8-a+crypto
.text
C Register usage:
define(`STATE', `x0')
define(`K', `x1')
define(`BLOCKS', `x2')
define(`INPUT', `x3')
define(`MSG0', `v0')
define(`MSG1', `v1')
define(`MSG2', `v2')
define(`MSG3', `v3')
define(`STATE0', `v4')
define(`STATE1', `v5')
define(`CONST', `v6')
define(`TMP', `v7')
define(`STATE0_SAVED', `v16')
define(`STATE1_SAVED', `v17')
C const uint8_t *
C _nettle_sha256_compress_n(uint32_t *state, const uint32_t *k,
C size_t blocks, const uint8_t *input)
PROLOGUE(_nettle_sha256_compress_n)
cbz BLOCKS, .Lend
C Load state
ld1 {STATE0.4s,STATE1.4s},[STATE]
.Loop:
C Save state
mov STATE0_SAVED.16b,STATE0.16b
mov STATE1_SAVED.16b,STATE1.16b
C Load message
ld1 {MSG0.16b,MSG1.16b,MSG2.16b,MSG3.16b},[INPUT],#64
C Reverse for little endian
rev32 MSG0.16b,MSG0.16b
rev32 MSG1.16b,MSG1.16b
rev32 MSG2.16b,MSG2.16b
rev32 MSG3.16b,MSG3.16b
C Rounds 0-3
ld1 {CONST.4s},[K],#16
add CONST.4s,MSG0.4s,CONST.4s
sha256su0 MSG0.4s,MSG1.4s
sha256h QFP(STATE0),QFP(STATE1),CONST.4s
sha256h2 QFP(STATE1),QFP(STATE0_SAVED),CONST.4s
sha256su1 MSG0.4s,MSG2.4s,MSG3.4s
C Rounds 4-7
mov TMP.16b,STATE0.16b
ld1 {CONST.4s},[K],#16
add CONST.4s,MSG1.4s,CONST.4s
sha256su0 MSG1.4s,MSG2.4s
sha256h QFP(STATE0),QFP(STATE1),CONST.4s
sha256h2 QFP(STATE1),QFP(TMP),CONST.4s
sha256su1 MSG1.4s,MSG3.4s,MSG0.4s
C Rounds 8-11
mov TMP.16b,STATE0.16b
ld1 {CONST.4s},[K],#16
add CONST.4s,MSG2.4s,CONST.4s
sha256su0 MSG2.4s,MSG3.4s
sha256h QFP(STATE0),QFP(STATE1),CONST.4s
sha256h2 QFP(STATE1),QFP(TMP),CONST.4s
sha256su1 MSG2.4s,MSG0.4s,MSG1.4s
C Rounds 12-15
mov TMP.16b,STATE0.16b
ld1 {CONST.4s},[K],#16
add CONST.4s,MSG3.4s,CONST.4s
sha256su0 MSG3.4s,MSG0.4s
sha256h QFP(STATE0),QFP(STATE1),CONST.4s
sha256h2 QFP(STATE1),QFP(TMP),CONST.4s
sha256su1 MSG3.4s,MSG1.4s,MSG2.4s
C Rounds 16-19
mov TMP.16b,STATE0.16b
ld1 {CONST.4s},[K],#16
add CONST.4s,MSG0.4s,CONST.4s
sha256su0 MSG0.4s,MSG1.4s
sha256h QFP(STATE0),QFP(STATE1),CONST.4s
sha256h2 QFP(STATE1),QFP(TMP),CONST.4s
sha256su1 MSG0.4s,MSG2.4s,MSG3.4s
C Rounds 20-23
mov TMP.16b,STATE0.16b
ld1 {CONST.4s},[K],#16
add CONST.4s,MSG1.4s,CONST.4s
sha256su0 MSG1.4s,MSG2.4s
sha256h QFP(STATE0),QFP(STATE1),CONST.4s
sha256h2 QFP(STATE1),QFP(TMP),CONST.4s
sha256su1 MSG1.4s,MSG3.4s,MSG0.4s
C Rounds 24-27
mov TMP.16b,STATE0.16b
ld1 {CONST.4s},[K],#16
add CONST.4s,MSG2.4s,CONST.4s
sha256su0 MSG2.4s,MSG3.4s
sha256h QFP(STATE0),QFP(STATE1),CONST.4s
sha256h2 QFP(STATE1),QFP(TMP),CONST.4s
sha256su1 MSG2.4s,MSG0.4s,MSG1.4s
C Rounds 28-31
mov TMP.16b,STATE0.16b
ld1 {CONST.4s},[K],#16
add CONST.4s,MSG3.4s,CONST.4s
sha256su0 MSG3.4s,MSG0.4s
sha256h QFP(STATE0),QFP(STATE1),CONST.4s
sha256h2 QFP(STATE1),QFP(TMP),CONST.4s
sha256su1 MSG3.4s,MSG1.4s,MSG2.4s
C Rounds 32-35
mov TMP.16b,STATE0.16b
ld1 {CONST.4s},[K],#16
add CONST.4s,MSG0.4s,CONST.4s
sha256su0 MSG0.4s,MSG1.4s
sha256h QFP(STATE0),QFP(STATE1),CONST.4s
sha256h2 QFP(STATE1),QFP(TMP),CONST.4s
sha256su1 MSG0.4s,MSG2.4s,MSG3.4s
C Rounds 36-39
mov TMP.16b,STATE0.16b
ld1 {CONST.4s},[K],#16
add CONST.4s,MSG1.4s,CONST.4s
sha256su0 MSG1.4s,MSG2.4s
sha256h QFP(STATE0),QFP(STATE1),CONST.4s
sha256h2 QFP(STATE1),QFP(TMP),CONST.4s
sha256su1 MSG1.4s,MSG3.4s,MSG0.4s
C Rounds 40-43
mov TMP.16b,STATE0.16b
ld1 {CONST.4s},[K],#16
add CONST.4s,MSG2.4s,CONST.4s
sha256su0 MSG2.4s,MSG3.4s
sha256h QFP(STATE0),QFP(STATE1),CONST.4s
sha256h2 QFP(STATE1),QFP(TMP),CONST.4s
sha256su1 MSG2.4s,MSG0.4s,MSG1.4s
C Rounds 44-47
mov TMP.16b,STATE0.16b
ld1 {CONST.4s},[K],#16
add CONST.4s,MSG3.4s,CONST.4s
sha256su0 MSG3.4s,MSG0.4s
sha256h QFP(STATE0),QFP(STATE1),CONST.4s
sha256h2 QFP(STATE1),QFP(TMP),CONST.4s
sha256su1 MSG3.4s,MSG1.4s,MSG2.4s
C Rounds 48-51
mov TMP.16b,STATE0.16b
ld1 {CONST.4s},[K],#16
add CONST.4s,MSG0.4s,CONST.4s
sha256h QFP(STATE0),QFP(STATE1),CONST.4s
sha256h2 QFP(STATE1),QFP(TMP),CONST.4s
C Rounds 52-55
mov TMP.16b,STATE0.16b
ld1 {CONST.4s},[K],#16
add CONST.4s,MSG1.4s,CONST.4s
sha256h QFP(STATE0),QFP(STATE1),CONST.4s
sha256h2 QFP(STATE1),QFP(TMP),CONST.4s
C Rounds 56-59
mov TMP.16b,STATE0.16b
ld1 {CONST.4s},[K],#16
add CONST.4s,MSG2.4s,CONST.4s
sha256h QFP(STATE0),QFP(STATE1),CONST.4s
sha256h2 QFP(STATE1),QFP(TMP),CONST.4s
C Rounds 60-63
mov TMP.16b,STATE0.16b
ld1 {CONST.4s},[K]
add CONST.4s,MSG3.4s,CONST.4s
sha256h QFP(STATE0),QFP(STATE1),CONST.4s
sha256h2 QFP(STATE1),QFP(TMP),CONST.4s
C Combine state
add STATE0.4s,STATE0.4s,STATE0_SAVED.4s
add STATE1.4s,STATE1.4s,STATE1_SAVED.4s
subs BLOCKS, BLOCKS, #1
sub K, K, #240
b.ne .Loop
C Store state
st1 {STATE0.4s,STATE1.4s},[STATE]
.Lend:
mov x0, INPUT
ret
EPILOGUE(_nettle_sha256_compress_n)
arm64/fat/aes128-decrypt-2.asm 0 → 100644
View file @ 53c76a47
C arm64/fat/aes128-decrypt.asm
ifelse(`
Copyright (C) 2021 Mamone Tarsha
This file is part of GNU Nettle.
GNU Nettle is free software: you can redistribute it and/or
modify it under the terms of either:
* the GNU Lesser General Public License as published by the Free
Software Foundation; either version 3 of the License, or (at your
option) any later version.
or
* the GNU General Public License as published by the Free
Software Foundation; either version 2 of the License, or (at your
option) any later version.
or both in parallel, as here.
GNU Nettle is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.
You should have received copies of the GNU General Public License and
the GNU Lesser General Public License along with this program. If
not, see http://www.gnu.org/licenses/.
')
dnl PROLOGUE(nettle_aes128_decrypt) picked up by configure
define(`fat_transform', `_$1_arm64')
include_src(`arm64/crypto/aes128-decrypt.asm')
arm64/fat/aes128-encrypt-2.asm 0 → 100644
View file @ 53c76a47
C arm64/fat/aes128-encrypt.asm
ifelse(`
Copyright (C) 2021 Mamone Tarsha
This file is part of GNU Nettle.
GNU Nettle is free software: you can redistribute it and/or
modify it under the terms of either:
* the GNU Lesser General Public License as published by the Free
Software Foundation; either version 3 of the License, or (at your
option) any later version.
or
* the GNU General Public License as published by the Free
Software Foundation; either version 2 of the License, or (at your
option) any later version.
or both in parallel, as here.
GNU Nettle is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.
You should have received copies of the GNU General Public License and
the GNU Lesser General Public License along with this program. If
not, see http://www.gnu.org/licenses/.
')
dnl PROLOGUE(nettle_aes128_encrypt) picked up by configure
define(`fat_transform', `_$1_arm64')
include_src(`arm64/crypto/aes128-encrypt.asm')
arm64/fat/aes192-decrypt-2.asm 0 → 100644
View file @ 53c76a47
C arm64/fat/aes192-decrypt.asm
ifelse(`
Copyright (C) 2021 Mamone Tarsha
This file is part of GNU Nettle.
GNU Nettle is free software: you can redistribute it and/or
modify it under the terms of either:
* the GNU Lesser General Public License as published by the Free
Software Foundation; either version 3 of the License, or (at your
option) any later version.
or
* the GNU General Public License as published by the Free
Software Foundation; either version 2 of the License, or (at your
option) any later version.
or both in parallel, as here.
GNU Nettle is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.
You should have received copies of the GNU General Public License and
the GNU Lesser General Public License along with this program. If
not, see http://www.gnu.org/licenses/.
')
dnl PROLOGUE(nettle_aes192_decrypt) picked up by configure
define(`fat_transform', `_$1_arm64')
include_src(`arm64/crypto/aes192-decrypt.asm')
arm64/fat/aes192-encrypt-2.asm 0 → 100644
View file @ 53c76a47
C arm64/fat/aes192-encrypt.asm
ifelse(`
Copyright (C) 2021 Mamone Tarsha
This file is part of GNU Nettle.
GNU Nettle is free software: you can redistribute it and/or
modify it under the terms of either:
* the GNU Lesser General Public License as published by the Free
Software Foundation; either version 3 of the License, or (at your
option) any later version.
or
* the GNU General Public License as published by the Free
Software Foundation; either version 2 of the License, or (at your
option) any later version.
or both in parallel, as here.
GNU Nettle is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.
You should have received copies of the GNU General Public License and
the GNU Lesser General Public License along with this program. If
not, see http://www.gnu.org/licenses/.
')
dnl PROLOGUE(nettle_aes192_encrypt) picked up by configure
define(`fat_transform', `_$1_arm64')
include_src(`arm64/crypto/aes192-encrypt.asm')
arm64/fat/aes256-decrypt-2.asm 0 → 100644
View file @ 53c76a47
C arm64/fat/aes256-decrypt.asm
ifelse(`
Copyright (C) 2021 Mamone Tarsha
This file is part of GNU Nettle.
GNU Nettle is free software: you can redistribute it and/or
modify it under the terms of either:
* the GNU Lesser General Public License as published by the Free
Software Foundation; either version 3 of the License, or (at your
option) any later version.
or
* the GNU General Public License as published by the Free
Software Foundation; either version 2 of the License, or (at your
option) any later version.
or both in parallel, as here.
GNU Nettle is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.
You should have received copies of the GNU General Public License and
the GNU Lesser General Public License along with this program. If
not, see http://www.gnu.org/licenses/.
')
dnl PROLOGUE(nettle_aes256_decrypt) picked up by configure
define(`fat_transform', `_$1_arm64')
include_src(`arm64/crypto/aes256-decrypt.asm')
arm64/fat/aes256-encrypt-2.asm 0 → 100644
View file @ 53c76a47
C arm64/fat/aes256-encrypt.asm
ifelse(`
Copyright (C) 2021 Mamone Tarsha
This file is part of GNU Nettle.
GNU Nettle is free software: you can redistribute it and/or
modify it under the terms of either:
* the GNU Lesser General Public License as published by the Free
Software Foundation; either version 3 of the License, or (at your
option) any later version.
or
* the GNU General Public License as published by the Free
Software Foundation; either version 2 of the License, or (at your
option) any later version.
or both in parallel, as here.
GNU Nettle is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.
You should have received copies of the GNU General Public License and
the GNU Lesser General Public License along with this program. If
not, see http://www.gnu.org/licenses/.
')
dnl PROLOGUE(nettle_aes256_encrypt) picked up by configure
define(`fat_transform', `_$1_arm64')
include_src(`arm64/crypto/aes256-encrypt.asm')
arm64/fat/ghash-set-key-2.asm 0 → 100644
View file @ 53c76a47
C arm64/fat/ghash-set-key.asm
ifelse(`
Copyright (C) 2021 Mamone Tarsha
This file is part of GNU Nettle.
GNU Nettle is free software: you can redistribute it and/or
modify it under the terms of either:
* the GNU Lesser General Public License as published by the Free
Software Foundation; either version 3 of the License, or (at your
option) any later version.
or
* the GNU General Public License as published by the Free
Software Foundation; either version 2 of the License, or (at your
option) any later version.
or both in parallel, as here.
GNU Nettle is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.
You should have received copies of the GNU General Public License and
the GNU Lesser General Public License along with this program. If
not, see http://www.gnu.org/licenses/.
')
dnl picked up by configure
dnl PROLOGUE(_nettle_ghash_set_key)
define(`fat_transform', `$1_arm64')
include_src(`arm64/crypto/ghash-set-key.asm')
arm64/fat/ghash-update-2.asm 0 → 100644
View file @ 53c76a47
C arm64/fat/ghash-update.asm
ifelse(`
Copyright (C) 2021 Mamone Tarsha
This file is part of GNU Nettle.
GNU Nettle is free software: you can redistribute it and/or
modify it under the terms of either:
* the GNU Lesser General Public License as published by the Free
Software Foundation; either version 3 of the License, or (at your
option) any later version.
or
* the GNU General Public License as published by the Free
Software Foundation; either version 2 of the License, or (at your
option) any later version.
or both in parallel, as here.
GNU Nettle is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.
You should have received copies of the GNU General Public License and
the GNU Lesser General Public License along with this program. If
not, see http://www.gnu.org/licenses/.
')
dnl picked up by configure
dnl PROLOGUE(_nettle_ghash_update)
define(`fat_transform', `$1_arm64')
include_src(`arm64/crypto/ghash-update.asm')
arm64/fat/sha1-compress-2.asm 0 → 100644
View file @ 53c76a47
C arm64/fat/sha1-compress-2.asm
ifelse(`
Copyright (C) 2021 Mamone Tarsha
This file is part of GNU Nettle.
GNU Nettle is free software: you can redistribute it and/or
modify it under the terms of either:
* the GNU Lesser General Public License as published by the Free
Software Foundation; either version 3 of the License, or (at your
option) any later version.
or
* the GNU General Public License as published by the Free
Software Foundation; either version 2 of the License, or (at your
option) any later version.
or both in parallel, as here.
GNU Nettle is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.
You should have received copies of the GNU General Public License and
the GNU Lesser General Public License along with this program. If
not, see http://www.gnu.org/licenses/.
')
dnl PROLOGUE(nettle_sha1_compress) picked up by configure
define(`fat_transform', `_$1_arm64')
include_src(`arm64/crypto/sha1-compress.asm')
arm64/fat/sha256-compress-n-2.asm 0 → 100644
View file @ 53c76a47
C arm64/fat/sha256-compress-n-2.asm
ifelse(`
Copyright (C) 2021 Mamone Tarsha
This file is part of GNU Nettle.
GNU Nettle is free software: you can redistribute it and/or
modify it under the terms of either:
* the GNU Lesser General Public License as published by the Free
Software Foundation; either version 3 of the License, or (at your
option) any later version.
or
* the GNU General Public License as published by the Free
Software Foundation; either version 2 of the License, or (at your
option) any later version.
or both in parallel, as here.
GNU Nettle is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.
You should have received copies of the GNU General Public License and
the GNU Lesser General Public License along with this program. If
not, see http://www.gnu.org/licenses/.
')
dnl PROLOGUE(_nettle_sha256_compress_n) picked up by configure
define(`fat_transform', `$1_arm64')
include_src(`arm64/crypto/sha256-compress-n.asm')
arm64/machine.m4 0 → 100644
View file @ 53c76a47
C Get 32-bit floating-point register from vector register
C SFP(VR)
define(`SFP',``s'substr($1,1,len($1))')
C Get 128-bit floating-point register from vector register
C QFP(VR)
define(`QFP',``q'substr($1,1,len($1))')
C AES encryption round of 1-block
C AESE_ROUND_1B(BLOCK, KEY)
define(`AESE_ROUND_1B', m4_assert_numargs(2)`
aese $1.16b,$2.16b
aesmc $1.16b,$1.16b
')
C AES last encryption round of 1-block
C AESE_LAST_ROUND_1B(BLOCK, KEY0, KEY1)
define(`AESE_LAST_ROUND_1B', m4_assert_numargs(3)`
aese $1.16b,$2.16b
eor $1.16b,$1.16b,$3.16b
')
C AES decryption round of 1-block
C AESD_ROUND_1B(BLOCK, KEY)
define(`AESD_ROUND_1B', m4_assert_numargs(2)`
aesd $1.16b,$2.16b
aesimc $1.16b,$1.16b
')
C AES last decryption round of 1-block
C AESD_LAST_ROUND_1B(BLOCK, KEY0, KEY1)
define(`AESD_LAST_ROUND_1B', m4_assert_numargs(3)`
aesd $1.16b,$2.16b
eor $1.16b,$1.16b,$3.16b
')
C AES encryption round of 4-blocks
C AESE_ROUND_4B(BLOCK0, BLOCK1, BLOCK2, BLOCK3, KEY)
define(`AESE_ROUND_4B', m4_assert_numargs(5)`
AESE_ROUND_1B($1,$5)
AESE_ROUND_1B($2,$5)
AESE_ROUND_1B($3,$5)
AESE_ROUND_1B($4,$5)
')
C AES last encryption round of 4-blocks
C AESE_LAST_ROUND_4B(BLOCK0, BLOCK1, BLOCK2, BLOCK3, KEY0, KEY1)
define(`AESE_LAST_ROUND_4B', m4_assert_numargs(6)`
AESE_LAST_ROUND_1B($1,$5,$6)
AESE_LAST_ROUND_1B($2,$5,$6)
AESE_LAST_ROUND_1B($3,$5,$6)
AESE_LAST_ROUND_1B($4,$5,$6)
')
C AES decryption round of 4-blocks
C AESD_ROUND_4B(BLOCK0, BLOCK1, BLOCK2, BLOCK3, KEY)
define(`AESD_ROUND_4B', m4_assert_numargs(5)`
AESD_ROUND_1B($1,$5)
AESD_ROUND_1B($2,$5)
AESD_ROUND_1B($3,$5)
AESD_ROUND_1B($4,$5)
')
C AES last decryption round of 4-blocks
C AESD_LAST_ROUND_4B(BLOCK0, BLOCK1, BLOCK2, BLOCK3, KEY0, KEY1)
define(`AESD_LAST_ROUND_4B', m4_assert_numargs(6)`
AESD_LAST_ROUND_1B($1,$5,$6)
AESD_LAST_ROUND_1B($2,$5,$6)
AESD_LAST_ROUND_1B($3,$5,$6)
AESD_LAST_ROUND_1B($4,$5,$6)
')
asm.m4
View file @ 53c76a47
changequote(<,>)dnl
changecom(!,<
>)dnl
divert(-1)
dnl FORTRAN style comment character
define(`C', `
dnl')dnl
dnl Disable m4 comment processing, since the default, #, is used for
dnl constants on some architectures, in particular ARM.
changecom()dnl
dnl Including files from the srcdir
define(`include_src', `include(srcdir/$1)')dnl
dnl default definition, changed in fat builds
define(`fat_transform', `$1')
define(`C_NAME', `SYMBOL_PREFIX`'fat_transform($1)')
dnl Pseudo ops
define(`DECLARE_FUNC',
`ifelse(ELF_STYLE,yes,
`.type $1,TYPE_FUNCTION',
COFF_STYLE, yes,
`.def $1
.scl 2
.type 32
.endef',
`')')
define(`GMP_NUMB_BITS',`')dnl
define(`PROLOGUE',
`.globl C_NAME($1)
DECLARE_FUNC(C_NAME($1))
C_NAME($1): ASM_X86_ENDBR')
define(`EPILOGUE',
`ifelse(ELF_STYLE,yes,
`.size C_NAME($1), . - C_NAME($1)',`')')
define(`m4_log2', `m4_log2_internal($1,1,0)')
define(`m4_log2_internal',
`ifelse($3, 10, `not-a-power-of-two',
$1, $2, $3,
`m4_log2_internal($1, eval(2*$2), eval(1 + $3))')')
dnl Argument to ALIGN is always in bytes, and converted to a
dnl logarithmic .align if necessary.
define(`ALIGN',
`.align ifelse(ALIGN_LOG,yes,`m4_log2($1)',$1)
')
define(`IF_BE', `ifelse(
WORDS_BIGENDIAN,yes,`$1',
WORDS_BIGENDIAN,no,`$2',
`errprint(`Unsupported endianness value',WORDS_BIGENDIAN,`
')
m4exit(1)')')
define(`IF_LE', `IF_BE(`$2', `$1')')
dnl Struct defining macros
dnl STRUCTURE(prefix)
define(`STRUCTURE', `define(`SOFFSET', 0)define(`SPREFIX', `$1')')dnl
dnl STRUCT(name, size)
define(`STRUCT',
`define(SPREFIX`_'$1, SOFFSET)dnl
define(`SOFFSET', eval(SOFFSET + ($2)))')dnl
dnl UCHAR(name)
define(`UCHAR', `STRUCT(`$1', 1)')dnl
dnl UNSIGNED(name)
define(`UNSIGNED', `STRUCT(`$1', 4)')dnl
dnl Offsets in aes_table
define(AES_SBOX_SIZE, 256)dnl
define(AES_TABLE_SIZE, 1024)dnl
STRUCTURE(AES)
STRUCT(SBOX, AES_SBOX_SIZE)
STRUCT(TABLE0, AES_TABLE_SIZE)
STRUCT(TABLE1, AES_TABLE_SIZE)
STRUCT(TABLE2, AES_TABLE_SIZE)
STRUCT(TABLE3, AES_TABLE_SIZE)
C For 64-bit implementation
STRUCTURE(P1305)
STRUCT(R0, 8)
STRUCT(R1, 8)
STRUCT(S0, 8)
STRUCT(S1, 8)
STRUCT(H0, 8)
STRUCT(H1, 8)
STRUCT(H2, 8)
divert
asn1.h 0 → 100644
View file @ 53c76a47
/* asn1.h
Limited support for ASN.1 DER decoding.
Copyright (C) 2005 Niels Möller
This file is part of GNU Nettle.
GNU Nettle is free software: you can redistribute it and/or
modify it under the terms of either:
* the GNU Lesser General Public License as published by the Free
Software Foundation; either version 3 of the License, or (at your
option) any later version.
or
* the GNU General Public License as published by the Free
Software Foundation; either version 2 of the License, or (at your
option) any later version.
or both in parallel, as here.
GNU Nettle is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.
You should have received copies of the GNU General Public License and
the GNU Lesser General Public License along with this program. If
not, see http://www.gnu.org/licenses/.
*/
#ifndef NETTLE_ASN1_H_INCLUDED
#define NETTLE_ASN1_H_INCLUDED
#include "nettle-types.h"
#ifdef __cplusplus
extern "C" {
#endif
/* Name mangling */
#define asn1_der_iterator_first nettle_asn1_der_iterator_first
#define asn1_der_iterator_next nettle_asn1_der_iterator_next
#define asn1_der_decode_constructed nettle_asn1_der_decode_constructed
#define asn1_der_decode_constructed_last nettle_asn1_der_decode_constructed_last
#define asn1_der_decode_bitstring nettle_asn1_der_decode_bitstring
#define asn1_der_decode_bitstring_last nettle_asn1_der_decode_bitstring_last
#define asn1_der_get_uint32 nettle_asn1_der_get_uint32
#define asn1_der_get_bignum nettle_asn1_der_get_bignum
/* enum asn1_type keeps the class number and the constructive in bits
13-14, and the constructive flag in bit 12. The remaining 14 bits
are the tag (although currently, only tags in the range 0-30 are
supported). */
enum
{
ASN1_TYPE_CONSTRUCTED = 1 << 12,
ASN1_CLASS_UNIVERSAL = 0,
ASN1_CLASS_APPLICATION = 1 << 13,
ASN1_CLASS_CONTEXT_SPECIFIC = 2 << 13,
ASN1_CLASS_PRIVATE = 3 << 13,
ASN1_CLASS_MASK = 3 << 13,
ASN1_CLASS_SHIFT = 13,
};
enum asn1_type
{
ASN1_BOOLEAN = 1,
ASN1_INTEGER = 2,
ASN1_BITSTRING = 3,
ASN1_OCTETSTRING = 4,
ASN1_NULL = 5,
ASN1_IDENTIFIER = 6,
ASN1_REAL = 9,
ASN1_ENUMERATED = 10,
ASN1_UTF8STRING = 12,
ASN1_SEQUENCE = 16 | ASN1_TYPE_CONSTRUCTED,
ASN1_SET = 17 | ASN1_TYPE_CONSTRUCTED,
ASN1_PRINTABLESTRING = 19,
ASN1_TELETEXSTRING = 20,
ASN1_IA5STRING = 22,
ASN1_UTC = 23,
ASN1_UNIVERSALSTRING = 28,
ASN1_BMPSTRING = 30,
};
enum asn1_iterator_result
{
ASN1_ITERATOR_ERROR,
ASN1_ITERATOR_PRIMITIVE,
ASN1_ITERATOR_CONSTRUCTED,
ASN1_ITERATOR_END,
};
/* Parsing DER objects. */
struct asn1_der_iterator
{
size_t buffer_length;
const uint8_t *buffer;
/* Next object to parse. */
size_t pos;
enum asn1_type type;
/* Pointer to the current object */
size_t length;
const uint8_t *data;
};
/* Initializes the iterator. */
enum asn1_iterator_result
asn1_der_iterator_first(struct asn1_der_iterator *iterator,
size_t length, const uint8_t *input);
enum asn1_iterator_result
asn1_der_iterator_next(struct asn1_der_iterator *iterator);
/* Starts parsing of a constructed object. */
enum asn1_iterator_result
asn1_der_decode_constructed(struct asn1_der_iterator *i,
struct asn1_der_iterator *contents);
/* For the common case that we have a sequence at the end of the
object. Checks that the current object is the final one, and then
reinitializes the iterator to parse its ontents. */
enum asn1_iterator_result
asn1_der_decode_constructed_last(struct asn1_der_iterator *i);
enum asn1_iterator_result
asn1_der_decode_bitstring(struct asn1_der_iterator *i,
struct asn1_der_iterator *contents);
enum asn1_iterator_result
asn1_der_decode_bitstring_last(struct asn1_der_iterator *i);
/* All these functions return 1 on success, 0 on failure */
int
asn1_der_get_uint32(struct asn1_der_iterator *i,
uint32_t *x);
#ifdef __cplusplus
}
#endif
#endif /* NETTLE_ASN1_H_INCLUDED */
balloon-sha1.c 0 → 100644
View file @ 53c76a47
/* balloon-sha1.c
Balloon password-hashing algorithm.
Copyright (C) 2022 Zoltan Fridrich
Copyright (C) 2022 Red Hat, Inc.
This file is part of GNU Nettle.
GNU Nettle is free software: you can redistribute it and/or
modify it under the terms of either:
* the GNU Lesser General Public License as published by the Free
Software Foundation; either version 3 of the License, or (at your
option) any later version.
or
* the GNU General Public License as published by the Free
Software Foundation; either version 2 of the License, or (at your
option) any later version.
or both in parallel, as here.
GNU Nettle is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.
You should have received copies of the GNU General Public License and
the GNU Lesser General Public License along with this program. If
not, see http://www.gnu.org/licenses/.
*/
#if HAVE_CONFIG_H
# include "config.h"
#endif
#include "balloon.h"
#include "sha1.h"
void
balloon_sha1(size_t s_cost, size_t t_cost,
size_t passwd_length, const uint8_t *passwd,
size_t salt_length, const uint8_t *salt,
uint8_t *scratch, uint8_t *dst)
{
struct sha1_ctx ctx;
sha1_init(&ctx);
balloon(&ctx,
(nettle_hash_update_func*)sha1_update,
(nettle_hash_digest_func*)sha1_digest,
SHA1_DIGEST_SIZE, s_cost, t_cost,
passwd_length, passwd, salt_length, salt, scratch, dst);
}
balloon-sha256.c 0 → 100644
View file @ 53c76a47
/* balloon-sha256.c
Balloon password-hashing algorithm.
Copyright (C) 2022 Zoltan Fridrich
Copyright (C) 2022 Red Hat, Inc.
This file is part of GNU Nettle.
GNU Nettle is free software: you can redistribute it and/or
modify it under the terms of either:
* the GNU Lesser General Public License as published by the Free
Software Foundation; either version 3 of the License, or (at your
option) any later version.
or
* the GNU General Public License as published by the Free
Software Foundation; either version 2 of the License, or (at your
option) any later version.
or both in parallel, as here.
GNU Nettle is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.
You should have received copies of the GNU General Public License and
the GNU Lesser General Public License along with this program. If
not, see http://www.gnu.org/licenses/.
*/
#if HAVE_CONFIG_H
# include "config.h"
#endif
#include "balloon.h"
#include "sha2.h"
void
balloon_sha256(size_t s_cost, size_t t_cost,
size_t passwd_length, const uint8_t *passwd,
size_t salt_length, const uint8_t *salt,
uint8_t *scratch, uint8_t *dst)
{
struct sha256_ctx ctx;
sha256_init(&ctx);
balloon(&ctx,
(nettle_hash_update_func*)sha256_update,
(nettle_hash_digest_func*)sha256_digest,
SHA256_DIGEST_SIZE, s_cost, t_cost,
passwd_length, passwd, salt_length, salt, scratch, dst);
}
balloon-sha384.c 0 → 100644
View file @ 53c76a47
/* balloon-sha384.c
Balloon password-hashing algorithm.
Copyright (C) 2022 Zoltan Fridrich
Copyright (C) 2022 Red Hat, Inc.
This file is part of GNU Nettle.
GNU Nettle is free software: you can redistribute it and/or
modify it under the terms of either:
* the GNU Lesser General Public License as published by the Free
Software Foundation; either version 3 of the License, or (at your
option) any later version.
or
* the GNU General Public License as published by the Free
Software Foundation; either version 2 of the License, or (at your
option) any later version.
or both in parallel, as here.
GNU Nettle is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.
You should have received copies of the GNU General Public License and
the GNU Lesser General Public License along with this program. If
not, see http://www.gnu.org/licenses/.
*/
#if HAVE_CONFIG_H
# include "config.h"
#endif
#include "balloon.h"
#include "sha2.h"
void
balloon_sha384(size_t s_cost, size_t t_cost,
size_t passwd_length, const uint8_t *passwd,
size_t salt_length, const uint8_t *salt,
uint8_t *scratch, uint8_t *dst)
{
struct sha384_ctx ctx;
sha384_init(&ctx);
balloon(&ctx,
(nettle_hash_update_func*)sha384_update,
(nettle_hash_digest_func*)sha384_digest,
SHA384_DIGEST_SIZE, s_cost, t_cost,
passwd_length, passwd, salt_length, salt, scratch, dst);
}
balloon-sha512.c 0 → 100644
View file @ 53c76a47
/* balloon-sha512.c
Balloon password-hashing algorithm.
Copyright (C) 2022 Zoltan Fridrich
Copyright (C) 2022 Red Hat, Inc.
This file is part of GNU Nettle.
GNU Nettle is free software: you can redistribute it and/or
modify it under the terms of either:
* the GNU Lesser General Public License as published by the Free
Software Foundation; either version 3 of the License, or (at your
option) any later version.
or
* the GNU General Public License as published by the Free
Software Foundation; either version 2 of the License, or (at your
option) any later version.
or both in parallel, as here.
GNU Nettle is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.
You should have received copies of the GNU General Public License and
the GNU Lesser General Public License along with this program. If
not, see http://www.gnu.org/licenses/.
*/
#if HAVE_CONFIG_H
# include "config.h"
#endif
#include "balloon.h"
#include "sha2.h"
void
balloon_sha512(size_t s_cost, size_t t_cost,
size_t passwd_length, const uint8_t *passwd,
size_t salt_length, const uint8_t *salt,
uint8_t *scratch, uint8_t *dst)
{
struct sha512_ctx ctx;
sha512_init(&ctx);
balloon(&ctx,
(nettle_hash_update_func*)sha512_update,
(nettle_hash_digest_func*)sha512_digest,
SHA512_DIGEST_SIZE, s_cost, t_cost,
passwd_length, passwd, salt_length, salt, scratch, dst);
}
balloon.c 0 → 100644
View file @ 53c76a47
/* balloon.c
Balloon password-hashing algorithm.
Copyright (C) 2022 Zoltan Fridrich
Copyright (C) 2022 Red Hat, Inc.
This file is part of GNU Nettle.
GNU Nettle is free software: you can redistribute it and/or
modify it under the terms of either:
* the GNU Lesser General Public License as published by the Free
Software Foundation; either version 3 of the License, or (at your
option) any later version.
or
* the GNU General Public License as published by the Free
Software Foundation; either version 2 of the License, or (at your
option) any later version.
or both in parallel, as here.
GNU Nettle is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.
You should have received copies of the GNU General Public License and
the GNU Lesser General Public License along with this program. If
not, see http://www.gnu.org/licenses/.
*/
/* For a description of the algorithm, see:
* Boneh, D., Corrigan-Gibbs, H., Schechter, S. (2017, May 12). Balloon Hashing:
* A Memory-Hard Function Providing Provable Protection Against Sequential Attacks.
* Retrieved Sep 1, 2022, from https://eprint.iacr.org/2016/027.pdf
*/
#if HAVE_CONFIG_H
# include "config.h"
#endif
#include <string.h>
#include "balloon.h"
#include "macros.h"
#define DELTA 3
static void
hash(void *ctx,
nettle_hash_update_func *update,
nettle_hash_digest_func *digest,
uint64_t cnt,
size_t a_len, const uint8_t *a,
size_t b_len, const uint8_t *b,
uint8_t *dst)
{
uint8_t tmp[8];
LE_WRITE_UINT64(tmp, cnt);
update(ctx, sizeof(tmp), tmp);
if (a && a_len)
update(ctx, a_len, a);
if (b && b_len)
update(ctx, b_len, b);
digest(ctx, dst);
}
static void
hash_ints(void *ctx,
nettle_hash_update_func *update,
nettle_hash_digest_func *digest,
uint64_t i, uint64_t j, uint64_t k,
uint8_t *dst)
{
uint8_t tmp[24];
LE_WRITE_UINT64(tmp, i);
LE_WRITE_UINT64(tmp + 8, j);
LE_WRITE_UINT64(tmp + 16, k);
update(ctx, sizeof(tmp), tmp);
digest(ctx, dst);
}
/* Takes length bytes long big number stored
* in little endian format and computes modulus
*/
static size_t
block_to_int(size_t length, const uint8_t *block, size_t mod)
{
size_t i = length, r = 0;
while (i--)
{
r = (r << 8) + block[i];
r %= mod;
}
return r;
}
void
balloon(void *hash_ctx,
nettle_hash_update_func *update,
nettle_hash_digest_func *digest,
size_t digest_size, size_t s_cost, size_t t_cost,
size_t passwd_length, const uint8_t *passwd,
size_t salt_length, const uint8_t *salt,
uint8_t *scratch, uint8_t *dst)
{
const size_t BS = digest_size;
uint8_t *block = scratch;
uint8_t *buf = scratch + BS;
size_t i, j, k, cnt = 0;
hash(hash_ctx, update, digest,
cnt++, passwd_length, passwd, salt_length, salt, buf);
for (i = 1; i < s_cost; ++i)
hash(hash_ctx, update, digest,
cnt++, BS, buf + (i - 1) * BS, 0, NULL, buf + i * BS);
for (i = 0; i < t_cost; ++i)
{
for (j = 0; j < s_cost; ++j)
{
hash(hash_ctx, update, digest,
cnt++, BS, buf + (j ? j - 1 : s_cost - 1) * BS,
BS, buf + j * BS, buf + j * BS);
for (k = 0; k < DELTA; ++k)
{
hash_ints(hash_ctx, update, digest, i, j, k, block);
hash(hash_ctx, update, digest,
cnt++, salt_length, salt, BS, block, block);
hash(hash_ctx, update, digest,
cnt++, BS, buf + j * BS,
BS, buf + block_to_int(BS, block, s_cost) * BS,
buf + j * BS);
}
}
}
memcpy(dst, buf + (s_cost - 1) * BS, BS);
}
size_t
balloon_itch(size_t digest_size, size_t s_cost)
{
return (s_cost + 1) * digest_size;
}