1 /* LibTomCrypt, modular cryptographic library -- Tom St Denis */
2 /* SPDX-License-Identifier: Unlicense */
3 
4 #include "tomcrypt_private.h"
5 
6 /**
7   @file chc.c
8   CHC support. (Tom St Denis)
9 */
10 
11 #ifdef LTC_CHC_HASH
12 
13 #define UNDEFED_HASH  -17
14 
15 /* chc settings */
16 static int            cipher_idx=UNDEFED_HASH,        /* which cipher */
17                       cipher_blocksize;               /* blocksize of cipher */
18 
19 
20 const struct ltc_hash_descriptor chc_desc = {
21    "chc_hash", 12, 0, 0, { 0 }, 0,
22    &chc_init,
23    &chc_process,
24    &chc_done,
25    &chc_test,
26    NULL
27 };
28 
29 /**
30   Initialize the CHC state with a given cipher
31   @param cipher  The index of the cipher you wish to bind
32   @return CRYPT_OK if successful
33 */
chc_register(int cipher)34 int chc_register(int cipher)
35 {
36    int err, kl, idx;
37 
38    if ((err = cipher_is_valid(cipher)) != CRYPT_OK) {
39       return err;
40    }
41 
42    /* will it be valid? */
43    kl = cipher_descriptor[cipher]->block_length;
44 
45    /* must be >64 bit block */
46    if (kl <= 8) {
47       return CRYPT_INVALID_CIPHER;
48    }
49 
50    /* can we use the ideal keysize? */
51    if ((err = cipher_descriptor[cipher]->keysize(&kl)) != CRYPT_OK) {
52       return err;
53    }
54    /* we require that key size == block size be a valid choice */
55    if (kl != cipher_descriptor[cipher]->block_length) {
56       return CRYPT_INVALID_CIPHER;
57    }
58 
59    /* determine if chc_hash has been register_hash'ed already */
60    if ((err = hash_is_valid(idx = find_hash("chc_hash"))) != CRYPT_OK) {
61       return err;
62    }
63 
64    /* store into descriptor */
65    hash_descriptor[idx]->hashsize  =
66    hash_descriptor[idx]->blocksize = cipher_descriptor[cipher]->block_length;
67 
68    /* store the idx and block size */
69    cipher_idx       = cipher;
70    cipher_blocksize = cipher_descriptor[cipher]->block_length;
71    return CRYPT_OK;
72 }
73 
74 /**
75    Initialize the hash state
76    @param md   The hash state you wish to initialize
77    @return CRYPT_OK if successful
78 */
chc_init(hash_state * md)79 int chc_init(hash_state *md)
80 {
81    symmetric_key *key;
82    unsigned char  buf[MAXBLOCKSIZE];
83    int            err;
84 
85    LTC_ARGCHK(md != NULL);
86 
87    /* is the cipher valid? */
88    if ((err = cipher_is_valid(cipher_idx)) != CRYPT_OK) {
89       return err;
90    }
91 
92    if (cipher_blocksize != cipher_descriptor[cipher_idx]->block_length) {
93       return CRYPT_INVALID_CIPHER;
94    }
95 
96    if ((key = XMALLOC(sizeof(*key))) == NULL) {
97       return CRYPT_MEM;
98    }
99 
100    /* zero key and what not */
101    zeromem(buf, cipher_blocksize);
102    if ((err = cipher_descriptor[cipher_idx]->setup(buf, cipher_blocksize, 0, key)) != CRYPT_OK) {
103       XFREE(key);
104       return err;
105    }
106 
107    /* encrypt zero block */
108    cipher_descriptor[cipher_idx]->ecb_encrypt(buf, md->chc.state, key);
109 
110    /* zero other members */
111    md->chc.length = 0;
112    md->chc.curlen = 0;
113    zeromem(md->chc.buf, sizeof(md->chc.buf));
114    XFREE(key);
115    return CRYPT_OK;
116 }
117 
118 /*
119    key    <= state
120    T0,T1  <= block
121    T0     <= encrypt T0
122    state  <= state xor T0 xor T1
123 */
s_chc_compress(hash_state * md,const unsigned char * buf)124 static int s_chc_compress(hash_state *md, const unsigned char *buf)
125 {
126    unsigned char  T[2][MAXBLOCKSIZE];
127    symmetric_key *key;
128    int            err, x;
129 
130    if ((key = XMALLOC(sizeof(*key))) == NULL) {
131       return CRYPT_MEM;
132    }
133    if ((err = cipher_descriptor[cipher_idx]->setup(md->chc.state, cipher_blocksize, 0, key)) != CRYPT_OK) {
134       XFREE(key);
135       return err;
136    }
137    XMEMCPY(T[1], buf, cipher_blocksize);
138    cipher_descriptor[cipher_idx]->ecb_encrypt(buf, T[0], key);
139    for (x = 0; x < cipher_blocksize; x++) {
140        md->chc.state[x] ^= T[0][x] ^ T[1][x];
141    }
142 #ifdef LTC_CLEAN_STACK
143    zeromem(T, sizeof(T));
144    zeromem(key, sizeof(*key));
145 #endif
146    XFREE(key);
147    return CRYPT_OK;
148 }
149 
150 /**
151    Function for processing blocks
152    @param md   The hash state
153    @param buf  The data to hash
154    @param len  The length of the data (octets)
155    @return CRYPT_OK if successful
156 */
157 static int ss_chc_process(hash_state * md, const unsigned char *in, unsigned long inlen);
158 static HASH_PROCESS(ss_chc_process, s_chc_compress, chc, (unsigned long)cipher_blocksize)
159 
160 /**
161    Process a block of memory though the hash
162    @param md   The hash state
163    @param in   The data to hash
164    @param inlen  The length of the data (octets)
165    @return CRYPT_OK if successful
166 */
chc_process(hash_state * md,const unsigned char * in,unsigned long inlen)167 int chc_process(hash_state * md, const unsigned char *in, unsigned long inlen)
168 {
169    int err;
170 
171    LTC_ARGCHK(md   != NULL);
172    LTC_ARGCHK(in  != NULL);
173 
174    /* is the cipher valid? */
175    if ((err = cipher_is_valid(cipher_idx)) != CRYPT_OK) {
176       return err;
177    }
178    if (cipher_blocksize != cipher_descriptor[cipher_idx]->block_length) {
179       return CRYPT_INVALID_CIPHER;
180    }
181 
182    return ss_chc_process(md, in, inlen);
183 }
184 
185 /**
186    Terminate the hash to get the digest
187    @param md   The hash state
188    @param out [out] The destination of the hash (length of the block size of the block cipher)
189    @return CRYPT_OK if successful
190 */
chc_done(hash_state * md,unsigned char * out)191 int chc_done(hash_state *md, unsigned char *out)
192 {
193     int err;
194 
195     LTC_ARGCHK(md   != NULL);
196     LTC_ARGCHK(out  != NULL);
197 
198     /* is the cipher valid? */
199     if ((err = cipher_is_valid(cipher_idx)) != CRYPT_OK) {
200        return err;
201     }
202     if (cipher_blocksize != cipher_descriptor[cipher_idx]->block_length) {
203        return CRYPT_INVALID_CIPHER;
204     }
205 
206     if (md->chc.curlen >= sizeof(md->chc.buf)) {
207        return CRYPT_INVALID_ARG;
208     }
209 
210     /* increase the length of the message */
211     md->chc.length += md->chc.curlen * 8;
212 
213     /* append the '1' bit */
214     md->chc.buf[md->chc.curlen++] = (unsigned char)0x80;
215 
216     /* if the length is currently above l-8 bytes we append zeros
217      * then compress.  Then we can fall back to padding zeros and length
218      * encoding like normal.
219      */
220     if (md->chc.curlen > (unsigned long)(cipher_blocksize - 8)) {
221         while (md->chc.curlen < (unsigned long)cipher_blocksize) {
222             md->chc.buf[md->chc.curlen++] = (unsigned char)0;
223         }
224         s_chc_compress(md, md->chc.buf);
225         md->chc.curlen = 0;
226     }
227 
228     /* pad upto l-8 bytes of zeroes */
229     while (md->chc.curlen < (unsigned long)(cipher_blocksize - 8)) {
230         md->chc.buf[md->chc.curlen++] = (unsigned char)0;
231     }
232 
233     /* store length */
234     STORE64L(md->chc.length, md->chc.buf+(cipher_blocksize-8));
235     s_chc_compress(md, md->chc.buf);
236 
237     /* copy output */
238     XMEMCPY(out, md->chc.state, cipher_blocksize);
239 
240 #ifdef LTC_CLEAN_STACK
241     zeromem(md, sizeof(hash_state));
242 #endif
243     return CRYPT_OK;
244 }
245 
246 /**
247   Self-test the hash
248   @return CRYPT_OK if successful, CRYPT_NOP if self-tests have been disabled
249 */
chc_test(void)250 int chc_test(void)
251 {
252 #ifndef LTC_TEST
253    return CRYPT_NOP;
254 #else
255    static const struct {
256       unsigned char *msg,
257                      hash[MAXBLOCKSIZE];
258       int            len;
259    } tests[] = {
260 {
261    (unsigned char *)"hello world",
262    { 0xcf, 0x57, 0x9d, 0xc3, 0x0a, 0x0e, 0xea, 0x61,
263      0x0d, 0x54, 0x47, 0xc4, 0x3c, 0x06, 0xf5, 0x4e },
264    16
265 }
266 };
267    int i, oldhashidx, idx, err;
268    unsigned char tmp[MAXBLOCKSIZE];
269    hash_state md;
270 
271    /* AES can be under rijndael or aes... try to find it */
272    if ((idx = find_cipher("aes")) == -1) {
273       if ((idx = find_cipher("rijndael")) == -1) {
274          return CRYPT_NOP;
275       }
276    }
277    oldhashidx = cipher_idx;
278    chc_register(idx);
279 
280    for (i = 0; i < (int)(sizeof(tests)/sizeof(tests[0])); i++) {
281        if ((err = chc_init(&md)) != CRYPT_OK) {
282           return err;
283        }
284        if ((err = chc_process(&md, tests[i].msg, XSTRLEN((char *)tests[i].msg))) != CRYPT_OK) {
285           return err;
286        }
287        if ((err = chc_done(&md, tmp)) != CRYPT_OK) {
288           return err;
289        }
290        if (compare_testvector(tmp, tests[i].len, tests[i].hash, tests[i].len, "CHC", i)) {
291           return CRYPT_FAIL_TESTVECTOR;
292        }
293    }
294    if (oldhashidx != UNDEFED_HASH) {
295       chc_register(oldhashidx);
296    }
297 
298    return CRYPT_OK;
299 #endif
300 }
301 
302 #endif
303