/* Returns: DRBG_SUCCESS or DRBG_FAILURE */
static int Hash_df(DRBG* drbg, byte* out, word32 outSz, byte type,
const byte* inA, word32 inASz,
const byte* inB, word32 inBSz)
{
byte ctr;
int i;
int len;
word32 bits = (outSz * 8); /* reverse byte order */
Sha256 sha;
byte digest[SHA256_DIGEST_SIZE];
(void)drbg;
#ifdef LITTLE_ENDIAN_ORDER
bits = ByteReverseWord32(bits);
#endif
len = (outSz / OUTPUT_BLOCK_LEN)
+ ((outSz % OUTPUT_BLOCK_LEN) ? 1 : 0);
for (i = 0, ctr = 1; i < len; i++, ctr++)
{
if (wc_InitSha256(&sha) != 0)
return DRBG_FAILURE;
if (wc_Sha256Update(&sha, &ctr, sizeof(ctr)) != 0)
return DRBG_FAILURE;
if (wc_Sha256Update(&sha, (byte*)&bits, sizeof(bits)) != 0)
return DRBG_FAILURE;
/* churning V is the only string that doesn't have the type added */
if (type != drbgInitV)
if (wc_Sha256Update(&sha, &type, sizeof(type)) != 0)
return DRBG_FAILURE;
if (wc_Sha256Update(&sha, inA, inASz) != 0)
return DRBG_FAILURE;
if (inB != NULL && inBSz > 0)
if (wc_Sha256Update(&sha, inB, inBSz) != 0)
return DRBG_FAILURE;
if (wc_Sha256Final(&sha, digest) != 0)
return DRBG_FAILURE;
if (outSz > OUTPUT_BLOCK_LEN) {
XMEMCPY(out, digest, OUTPUT_BLOCK_LEN);
outSz -= OUTPUT_BLOCK_LEN;
out += OUTPUT_BLOCK_LEN;
}
else {
XMEMCPY(out, digest, outSz);
}
}
ForceZero(digest, sizeof(digest));
return DRBG_SUCCESS;
}
static void DesProcessBlock(Des* des, const byte* in, byte* out)
{
word32 l, r;
XMEMCPY(&l, in, sizeof(l));
XMEMCPY(&r, in + sizeof(l), sizeof(r));
#ifdef LITTLE_ENDIAN_ORDER
l = ByteReverseWord32(l);
r = ByteReverseWord32(r);
#endif
IPERM(&l,&r);
DesRawProcessBlock(&l, &r, des->key);
FPERM(&l,&r);
#ifdef LITTLE_ENDIAN_ORDER
l = ByteReverseWord32(l);
r = ByteReverseWord32(r);
#endif
XMEMCPY(out, &r, sizeof(r));
XMEMCPY(out + sizeof(r), &l, sizeof(l));
}
/* One round of Salsa20/8.
* Code taken from RFC 7914: scrypt PBKDF.
*
* out Output buffer.
* in Input data to hash.
*/
static void scryptSalsa(word32* out, word32* in)
{
int i;
word32 x[16];
#ifdef LITTLE_ENDIAN_ORDER
for (i = 0; i < 16; ++i)
x[i] = in[i];
#else
for (i = 0; i < 16; i++)
x[i] = ByteReverseWord32(in[i]);
#endif
for (i = 8; i > 0; i -= 2) {
x[ 4] ^= R(x[ 0] + x[12], 7); x[ 8] ^= R(x[ 4] + x[ 0], 9);
x[12] ^= R(x[ 8] + x[ 4], 13); x[ 0] ^= R(x[12] + x[ 8], 18);
x[ 9] ^= R(x[ 5] + x[ 1], 7); x[13] ^= R(x[ 9] + x[ 5], 9);
x[ 1] ^= R(x[13] + x[ 9], 13); x[ 5] ^= R(x[ 1] + x[13], 18);
x[14] ^= R(x[10] + x[ 6], 7); x[ 2] ^= R(x[14] + x[10], 9);
x[ 6] ^= R(x[ 2] + x[14], 13); x[10] ^= R(x[ 6] + x[ 2], 18);
x[ 3] ^= R(x[15] + x[11], 7); x[ 7] ^= R(x[ 3] + x[15], 9);
x[11] ^= R(x[ 7] + x[ 3], 13); x[15] ^= R(x[11] + x[ 7], 18);
x[ 1] ^= R(x[ 0] + x[ 3], 7); x[ 2] ^= R(x[ 1] + x[ 0], 9);
x[ 3] ^= R(x[ 2] + x[ 1], 13); x[ 0] ^= R(x[ 3] + x[ 2], 18);
x[ 6] ^= R(x[ 5] + x[ 4], 7); x[ 7] ^= R(x[ 6] + x[ 5], 9);
x[ 4] ^= R(x[ 7] + x[ 6], 13); x[ 5] ^= R(x[ 4] + x[ 7], 18);
x[11] ^= R(x[10] + x[ 9], 7); x[ 8] ^= R(x[11] + x[10], 9);
x[ 9] ^= R(x[ 8] + x[11], 13); x[10] ^= R(x[ 9] + x[ 8], 18);
x[12] ^= R(x[15] + x[14], 7); x[13] ^= R(x[12] + x[15], 9);
x[14] ^= R(x[13] + x[12], 13); x[15] ^= R(x[14] + x[13], 18);
}
#ifdef LITTLE_ENDIAN_ORDER
for (i = 0; i < 16; ++i)
out[i] = in[i] + x[i];
#else
for (i = 0; i < 16; i++)
out[i] = ByteReverseWord32(in[i] + x[i]);
#endif
}
static void Des3ProcessBlock(Des3* des, const byte* in, byte* out)
{
word32 l, r;
memcpy(&l, in, sizeof(l));
memcpy(&r, in + sizeof(l), sizeof(r));
#ifdef LITTLE_ENDIAN_ORDER
l = ByteReverseWord32(l);
r = ByteReverseWord32(r);
#endif
IPERM(&l,&r);
DesRawProcessBlock(&l, &r, des->key[0]);
DesRawProcessBlock(&r, &l, des->key[1]);
DesRawProcessBlock(&l, &r, des->key[2]);
FPERM(&l,&r);
#ifdef LITTLE_ENDIAN_ORDER
l = ByteReverseWord32(l);
r = ByteReverseWord32(r);
#endif
memcpy(out, &r, sizeof(r));
memcpy(out + sizeof(r), &l, sizeof(l));
}
static int Hash_df(RNG* rng, byte* out, word32 outSz, byte type, byte* inA, word32 inASz,
byte* inB, word32 inBSz, byte* inC, word32 inCSz)
{
byte ctr;
int i;
int len;
word32 bits = (outSz * 8); /* reverse byte order */
#ifdef LITTLE_ENDIAN_ORDER
bits = ByteReverseWord32(bits);
#endif
len = (outSz / SHA256_DIGEST_SIZE)
+ ((outSz % SHA256_DIGEST_SIZE) ? 1 : 0);
for (i = 0, ctr = 1; i < len; i++, ctr++)
{
if (InitSha256(&rng->sha) != 0)
return DBRG_ERROR;
Sha256Update(&rng->sha, &ctr, sizeof(ctr));
Sha256Update(&rng->sha, (byte*)&bits, sizeof(bits));
/* churning V is the only string that doesn't have
* the type added */
if (type != dbrgInitV)
Sha256Update(&rng->sha, &type, sizeof(type));
Sha256Update(&rng->sha, inA, inASz);
if (inB != NULL && inBSz > 0)
Sha256Update(&rng->sha, inB, inBSz);
if (inC != NULL && inCSz > 0)
Sha256Update(&rng->sha, inC, inCSz);
Sha256Final(&rng->sha, rng->digest);
if (outSz > SHA256_DIGEST_SIZE) {
XMEMCPY(out, rng->digest, SHA256_DIGEST_SIZE);
outSz -= SHA256_DIGEST_SIZE;
out += SHA256_DIGEST_SIZE;
}
else {
XMEMCPY(out, rng->digest, outSz);
}
}
return DBRG_SUCCESS;
}
/* Returns: DRBG_SUCCESS or DRBG_FAILURE */
static int Hash_df(DRBG* drbg, byte* out, word32 outSz, byte type,
const byte* inA, word32 inASz,
const byte* inB, word32 inBSz)
{
int ret = DRBG_FAILURE;
byte ctr;
int i;
int len;
word32 bits = (outSz * 8); /* reverse byte order */
Sha256 sha;
DECLARE_VAR(digest, byte, SHA256_DIGEST_SIZE, drbg->heap);
(void)drbg;
#ifdef WOLFSSL_ASYNC_CRYPT
if (digest == NULL)
return DRBG_FAILURE;
#endif
#ifdef LITTLE_ENDIAN_ORDER
bits = ByteReverseWord32(bits);
#endif
len = (outSz / OUTPUT_BLOCK_LEN)
+ ((outSz % OUTPUT_BLOCK_LEN) ? 1 : 0);
for (i = 0, ctr = 1; i < len; i++, ctr++) {
#ifdef WOLFSSL_ASYNC_CRYPT
ret = wc_InitSha256_ex(&sha, drbg->heap, drbg->devId);
#else
ret = wc_InitSha256(&sha);
#endif
if (ret != 0)
break;
if (ret == 0)
ret = wc_Sha256Update(&sha, &ctr, sizeof(ctr));
if (ret == 0)
ret = wc_Sha256Update(&sha, (byte*)&bits, sizeof(bits));
if (ret == 0) {
/* churning V is the only string that doesn't have the type added */
if (type != drbgInitV)
ret = wc_Sha256Update(&sha, &type, sizeof(type));
}
if (ret == 0)
ret = wc_Sha256Update(&sha, inA, inASz);
if (ret == 0) {
if (inB != NULL && inBSz > 0)
ret = wc_Sha256Update(&sha, inB, inBSz);
}
if (ret == 0)
ret = wc_Sha256Final(&sha, digest);
wc_Sha256Free(&sha);
if (ret == 0) {
if (outSz > OUTPUT_BLOCK_LEN) {
XMEMCPY(out, digest, OUTPUT_BLOCK_LEN);
outSz -= OUTPUT_BLOCK_LEN;
out += OUTPUT_BLOCK_LEN;
}
else {
XMEMCPY(out, digest, outSz);
}
}
}
ForceZero(digest, SHA256_DIGEST_SIZE);
FREE_VAR(digest, drbg->heap);
return (ret == 0) ? DRBG_SUCCESS : DRBG_FAILURE;
}