1 /*
2 * IDI,NTNU
3 *
4 * CDDL HEADER START
5 *
6 * The contents of this file are subject to the terms of the
7 * Common Development and Distribution License (the "License").
8 * You may not use this file except in compliance with the License.
9 *
10 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
11 * or http://opensource.org/licenses/CDDL-1.0.
12 * See the License for the specific language governing permissions
13 * and limitations under the License.
14 *
15 * When distributing Covered Code, include this CDDL HEADER in each
16 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
17 * If applicable, add the following below this CDDL HEADER, with the
18 * fields enclosed by brackets "[]" replaced with your own identifying
19 * information: Portions Copyright [yyyy] [name of copyright owner]
20 *
21 * CDDL HEADER END
22 *
23 * Copyright (C) 2009, 2010, Jorn Amundsen <jorn.amundsen@ntnu.no>
24 *
25 * Tweaked Edon-R implementation for SUPERCOP, based on NIST API.
26 *
27 * $Id: edonr.c 517 2013-02-17 20:34:39Z joern $
28 */
29 /*
30 * Portions copyright (c) 2013, Saso Kiselkov, All rights reserved
31 */
32
33 #include <sys/edonr.h>
34
35 /* for memcpy() */
36 #include <sys/systm.h>
37
38 /* big endian support, provides no-op's if run on little endian hosts */
39 #include "edonr_byteorder.h"
40
41 #define hashState224(x) ((x)->pipe->p256)
42 #define hashState256(x) ((x)->pipe->p256)
43 #define hashState384(x) ((x)->pipe->p512)
44 #define hashState512(x) ((x)->pipe->p512)
45
46 /* shift and rotate shortcuts */
47 #define shl(x, n) ((x) << n)
48 #define shr(x, n) ((x) >> n)
49
50 #define rotl32(x, n) (((x) << (n)) | ((x) >> (32 - (n))))
51 #define rotr32(x, n) (((x) >> (n)) | ((x) << (32 - (n))))
52
53 #define rotl64(x, n) (((x) << (n)) | ((x) >> (64 - (n))))
54 #define rotr64(x, n) (((x) >> (n)) | ((x) << (64 - (n))))
55
56 #if !defined(__C99_RESTRICT)
57 #define restrict /* restrict */
58 #endif
59
60 /* EdonR224 initial double chaining pipe */
61 static const uint32_t i224p2[16] = {
62 0x00010203ul, 0x04050607ul, 0x08090a0bul, 0x0c0d0e0ful,
63 0x10111213ul, 0x14151617ul, 0x18191a1bul, 0x1c1d1e1ful,
64 0x20212223ul, 0x24252627ul, 0x28292a2bul, 0x2c2d2e2ful,
65 0x30313233ul, 0x34353637ul, 0x38393a3bul, 0x3c3d3e3ful,
66 };
67
68 /* EdonR256 initial double chaining pipe */
69 static const uint32_t i256p2[16] = {
70 0x40414243ul, 0x44454647ul, 0x48494a4bul, 0x4c4d4e4ful,
71 0x50515253ul, 0x54555657ul, 0x58595a5bul, 0x5c5d5e5ful,
72 0x60616263ul, 0x64656667ul, 0x68696a6bul, 0x6c6d6e6ful,
73 0x70717273ul, 0x74757677ul, 0x78797a7bul, 0x7c7d7e7ful,
74 };
75
76 /* EdonR384 initial double chaining pipe */
77 static const uint64_t i384p2[16] = {
78 0x0001020304050607ull, 0x08090a0b0c0d0e0full,
79 0x1011121314151617ull, 0x18191a1b1c1d1e1full,
80 0x2021222324252627ull, 0x28292a2b2c2d2e2full,
81 0x3031323334353637ull, 0x38393a3b3c3d3e3full,
82 0x4041424344454647ull, 0x48494a4b4c4d4e4full,
83 0x5051525354555657ull, 0x58595a5b5c5d5e5full,
84 0x6061626364656667ull, 0x68696a6b6c6d6e6full,
85 0x7071727374757677ull, 0x78797a7b7c7d7e7full
86 };
87
88 /* EdonR512 initial double chaining pipe */
89 static const uint64_t i512p2[16] = {
90 0x8081828384858687ull, 0x88898a8b8c8d8e8full,
91 0x9091929394959697ull, 0x98999a9b9c9d9e9full,
92 0xa0a1a2a3a4a5a6a7ull, 0xa8a9aaabacadaeafull,
93 0xb0b1b2b3b4b5b6b7ull, 0xb8b9babbbcbdbebfull,
94 0xc0c1c2c3c4c5c6c7ull, 0xc8c9cacbcccdcecfull,
95 0xd0d1d2d3d4d5d6d7ull, 0xd8d9dadbdcdddedfull,
96 0xe0e1e2e3e4e5e6e7ull, 0xe8e9eaebecedeeefull,
97 0xf0f1f2f3f4f5f6f7ull, 0xf8f9fafbfcfdfeffull
98 };
99
100 /*
101 * First Latin Square
102 * 0 7 1 3 2 4 6 5
103 * 4 1 7 6 3 0 5 2
104 * 7 0 4 2 5 3 1 6
105 * 1 4 0 5 6 2 7 3
106 * 2 3 6 7 1 5 0 4
107 * 5 2 3 1 7 6 4 0
108 * 3 6 5 0 4 7 2 1
109 * 6 5 2 4 0 1 3 7
110 */
111 #define LS1_256(c, x0, x1, x2, x3, x4, x5, x6, x7)\
112 {\
113 uint32_t x04, x17, x23, x56, x07, x26;\
114 \
115 x04 = x0+x4, x17 = x1+x7, x07 = x04+x17;\
116 s0 = c + x07 + x2;\
117 s1 = rotl32(x07 + x3, 4);\
118 s2 = rotl32(x07 + x6, 8);\
119 x23 = x2 + x3;\
120 s5 = rotl32(x04 + x23 + x5, 22);\
121 x56 = x5 + x6;\
122 s6 = rotl32(x17 + x56 + x0, 24);\
123 x26 = x23+x56;\
124 s3 = rotl32(x26 + x7, 13);\
125 s4 = rotl32(x26 + x1, 17);\
126 s7 = rotl32(x26 + x4, 29);\
127 }
128
129 #define LS1_512(c, x0, x1, x2, x3, x4, x5, x6, x7)\
130 {\
131 uint64_t x04, x17, x23, x56, x07, x26;\
132 \
133 x04 = x0+x4, x17 = x1+x7, x07 = x04+x17;\
134 s0 = c + x07 + x2;\
135 s1 = rotl64(x07 + x3, 5);\
136 s2 = rotl64(x07 + x6, 15);\
137 x23 = x2 + x3;\
138 s5 = rotl64(x04 + x23 + x5, 40);\
139 x56 = x5 + x6;\
140 s6 = rotl64(x17 + x56 + x0, 50);\
141 x26 = x23+x56;\
142 s3 = rotl64(x26 + x7, 22);\
143 s4 = rotl64(x26 + x1, 31);\
144 s7 = rotl64(x26 + x4, 59);\
145 }
146
147 /*
148 * Second Orthogonal Latin Square
149 * 0 4 2 3 1 6 5 7
150 * 7 6 3 2 5 4 1 0
151 * 5 3 1 6 0 2 7 4
152 * 1 0 5 4 3 7 2 6
153 * 2 1 0 7 4 5 6 3
154 * 3 5 7 0 6 1 4 2
155 * 4 7 6 1 2 0 3 5
156 * 6 2 4 5 7 3 0 1
157 */
158 #define LS2_256(c, y0, y1, y2, y3, y4, y5, y6, y7)\
159 {\
160 uint32_t y01, y25, y34, y67, y04, y05, y27, y37;\
161 \
162 y01 = y0+y1, y25 = y2+y5, y05 = y01+y25;\
163 t0 = ~c + y05 + y7;\
164 t2 = rotl32(y05 + y3, 9);\
165 y34 = y3+y4, y04 = y01+y34;\
166 t1 = rotl32(y04 + y6, 5);\
167 t4 = rotl32(y04 + y5, 15);\
168 y67 = y6+y7, y37 = y34+y67;\
169 t3 = rotl32(y37 + y2, 11);\
170 t7 = rotl32(y37 + y0, 27);\
171 y27 = y25+y67;\
172 t5 = rotl32(y27 + y4, 20);\
173 t6 = rotl32(y27 + y1, 25);\
174 }
175
176 #define LS2_512(c, y0, y1, y2, y3, y4, y5, y6, y7)\
177 {\
178 uint64_t y01, y25, y34, y67, y04, y05, y27, y37;\
179 \
180 y01 = y0+y1, y25 = y2+y5, y05 = y01+y25;\
181 t0 = ~c + y05 + y7;\
182 t2 = rotl64(y05 + y3, 19);\
183 y34 = y3+y4, y04 = y01+y34;\
184 t1 = rotl64(y04 + y6, 10);\
185 t4 = rotl64(y04 + y5, 36);\
186 y67 = y6+y7, y37 = y34+y67;\
187 t3 = rotl64(y37 + y2, 29);\
188 t7 = rotl64(y37 + y0, 55);\
189 y27 = y25+y67;\
190 t5 = rotl64(y27 + y4, 44);\
191 t6 = rotl64(y27 + y1, 48);\
192 }
193
194 #define quasi_exform256(r0, r1, r2, r3, r4, r5, r6, r7)\
195 {\
196 uint32_t s04, s17, s23, s56, t01, t25, t34, t67;\
197 \
198 s04 = s0 ^ s4, t01 = t0 ^ t1;\
199 r0 = (s04 ^ s1) + (t01 ^ t5);\
200 t67 = t6 ^ t7;\
201 r1 = (s04 ^ s7) + (t2 ^ t67);\
202 s23 = s2 ^ s3;\
203 r7 = (s23 ^ s5) + (t4 ^ t67);\
204 t34 = t3 ^ t4;\
205 r3 = (s23 ^ s4) + (t0 ^ t34);\
206 s56 = s5 ^ s6;\
207 r5 = (s3 ^ s56) + (t34 ^ t6);\
208 t25 = t2 ^ t5;\
209 r6 = (s2 ^ s56) + (t25 ^ t7);\
210 s17 = s1 ^ s7;\
211 r4 = (s0 ^ s17) + (t1 ^ t25);\
212 r2 = (s17 ^ s6) + (t01 ^ t3);\
213 }
214
215 #define quasi_exform512(r0, r1, r2, r3, r4, r5, r6, r7)\
216 {\
217 uint64_t s04, s17, s23, s56, t01, t25, t34, t67;\
218 \
219 s04 = s0 ^ s4, t01 = t0 ^ t1;\
220 r0 = (s04 ^ s1) + (t01 ^ t5);\
221 t67 = t6 ^ t7;\
222 r1 = (s04 ^ s7) + (t2 ^ t67);\
223 s23 = s2 ^ s3;\
224 r7 = (s23 ^ s5) + (t4 ^ t67);\
225 t34 = t3 ^ t4;\
226 r3 = (s23 ^ s4) + (t0 ^ t34);\
227 s56 = s5 ^ s6;\
228 r5 = (s3 ^ s56) + (t34 ^ t6);\
229 t25 = t2 ^ t5;\
230 r6 = (s2 ^ s56) + (t25 ^ t7);\
231 s17 = s1 ^ s7;\
232 r4 = (s0 ^ s17) + (t1 ^ t25);\
233 r2 = (s17 ^ s6) + (t01 ^ t3);\
234 }
235
236 static size_t
237 Q256(size_t bitlen, const uint32_t *data, uint32_t *restrict p)
238 {
239 size_t bl;
240
241 for (bl = bitlen; bl >= EdonR256_BLOCK_BITSIZE;
242 bl -= EdonR256_BLOCK_BITSIZE, data += 16) {
243 uint32_t s0, s1, s2, s3, s4, s5, s6, s7, t0, t1, t2, t3, t4,
244 t5, t6, t7;
245 uint32_t p0, p1, p2, p3, p4, p5, p6, p7, q0, q1, q2, q3, q4,
246 q5, q6, q7;
247 const uint32_t defix = 0xaaaaaaaa;
248 #if defined(MACHINE_IS_BIG_ENDIAN)
249 uint32_t swp0, swp1, swp2, swp3, swp4, swp5, swp6, swp7, swp8,
250 swp9, swp10, swp11, swp12, swp13, swp14, swp15;
251 #define d(j) swp##j
252 #define s32(j) ld_swap32((uint32_t *)data+j, swp##j)
253 #else
254 #define d(j) data[j]
255 #endif
256
257 /* First row of quasigroup e-transformations */
258 #if defined(MACHINE_IS_BIG_ENDIAN)
259 s32(8);
260 s32(9);
261 s32(10);
262 s32(11);
263 s32(12);
264 s32(13);
265 s32(14);
266 s32(15);
267 #endif
268 LS1_256(defix, d(15), d(14), d(13), d(12), d(11), d(10), d(9),
269 d(8));
270 #if defined(MACHINE_IS_BIG_ENDIAN)
271 s32(0);
272 s32(1);
273 s32(2);
274 s32(3);
275 s32(4);
276 s32(5);
277 s32(6);
278 s32(7);
279 #undef s32
280 #endif
281 LS2_256(defix, d(0), d(1), d(2), d(3), d(4), d(5), d(6), d(7));
282 quasi_exform256(p0, p1, p2, p3, p4, p5, p6, p7);
283
284 LS1_256(defix, p0, p1, p2, p3, p4, p5, p6, p7);
285 LS2_256(defix, d(8), d(9), d(10), d(11), d(12), d(13), d(14),
286 d(15));
287 quasi_exform256(q0, q1, q2, q3, q4, q5, q6, q7);
288
289 /* Second row of quasigroup e-transformations */
290 LS1_256(defix, p[8], p[9], p[10], p[11], p[12], p[13], p[14],
291 p[15]);
292 LS2_256(defix, p0, p1, p2, p3, p4, p5, p6, p7);
293 quasi_exform256(p0, p1, p2, p3, p4, p5, p6, p7);
294
295 LS1_256(defix, p0, p1, p2, p3, p4, p5, p6, p7);
296 LS2_256(defix, q0, q1, q2, q3, q4, q5, q6, q7);
297 quasi_exform256(q0, q1, q2, q3, q4, q5, q6, q7);
298
299 /* Third row of quasigroup e-transformations */
300 LS1_256(defix, p0, p1, p2, p3, p4, p5, p6, p7);
301 LS2_256(defix, p[0], p[1], p[2], p[3], p[4], p[5], p[6], p[7]);
302 quasi_exform256(p0, p1, p2, p3, p4, p5, p6, p7);
303
304 LS1_256(defix, q0, q1, q2, q3, q4, q5, q6, q7);
305 LS2_256(defix, p0, p1, p2, p3, p4, p5, p6, p7);
306 quasi_exform256(q0, q1, q2, q3, q4, q5, q6, q7);
307
308 /* Fourth row of quasigroup e-transformations */
309 LS1_256(defix, d(7), d(6), d(5), d(4), d(3), d(2), d(1), d(0));
310 LS2_256(defix, p0, p1, p2, p3, p4, p5, p6, p7);
311 quasi_exform256(p0, p1, p2, p3, p4, p5, p6, p7);
312
313 LS1_256(defix, p0, p1, p2, p3, p4, p5, p6, p7);
314 LS2_256(defix, q0, q1, q2, q3, q4, q5, q6, q7);
315 quasi_exform256(q0, q1, q2, q3, q4, q5, q6, q7);
316
317 /* Edon-R tweak on the original SHA-3 Edon-R submission. */
318 p[0] ^= d(8) ^ p0;
319 p[1] ^= d(9) ^ p1;
320 p[2] ^= d(10) ^ p2;
321 p[3] ^= d(11) ^ p3;
322 p[4] ^= d(12) ^ p4;
323 p[5] ^= d(13) ^ p5;
324 p[6] ^= d(14) ^ p6;
325 p[7] ^= d(15) ^ p7;
326 p[8] ^= d(0) ^ q0;
327 p[9] ^= d(1) ^ q1;
328 p[10] ^= d(2) ^ q2;
329 p[11] ^= d(3) ^ q3;
330 p[12] ^= d(4) ^ q4;
331 p[13] ^= d(5) ^ q5;
332 p[14] ^= d(6) ^ q6;
333 p[15] ^= d(7) ^ q7;
334 }
335
336 #undef d
337 return (bitlen - bl);
338 }
339
340 #if defined(__IBMC__) && defined(_AIX) && defined(__64BIT__)
341 static inline size_t
342 #else
343 static size_t
344 #endif
345 Q512(size_t bitlen, const uint64_t *data, uint64_t *restrict p)
346 {
347 size_t bl;
348
349 for (bl = bitlen; bl >= EdonR512_BLOCK_BITSIZE;
350 bl -= EdonR512_BLOCK_BITSIZE, data += 16) {
351 uint64_t s0, s1, s2, s3, s4, s5, s6, s7, t0, t1, t2, t3, t4,
352 t5, t6, t7;
353 uint64_t p0, p1, p2, p3, p4, p5, p6, p7, q0, q1, q2, q3, q4,
354 q5, q6, q7;
355 const uint64_t defix = 0xaaaaaaaaaaaaaaaaull;
356 #if defined(MACHINE_IS_BIG_ENDIAN)
357 uint64_t swp0, swp1, swp2, swp3, swp4, swp5, swp6, swp7, swp8,
358 swp9, swp10, swp11, swp12, swp13, swp14, swp15;
359 #define d(j) swp##j
360 #define s64(j) ld_swap64((uint64_t *)data+j, swp##j)
361 #else
362 #define d(j) data[j]
363 #endif
364
365 /* First row of quasigroup e-transformations */
366 #if defined(MACHINE_IS_BIG_ENDIAN)
367 s64(8);
368 s64(9);
369 s64(10);
370 s64(11);
371 s64(12);
372 s64(13);
373 s64(14);
374 s64(15);
375 #endif
376 LS1_512(defix, d(15), d(14), d(13), d(12), d(11), d(10), d(9),
377 d(8));
378 #if defined(MACHINE_IS_BIG_ENDIAN)
379 s64(0);
380 s64(1);
381 s64(2);
382 s64(3);
383 s64(4);
384 s64(5);
385 s64(6);
386 s64(7);
387 #undef s64
388 #endif
389 LS2_512(defix, d(0), d(1), d(2), d(3), d(4), d(5), d(6), d(7));
390 quasi_exform512(p0, p1, p2, p3, p4, p5, p6, p7);
391
392 LS1_512(defix, p0, p1, p2, p3, p4, p5, p6, p7);
393 LS2_512(defix, d(8), d(9), d(10), d(11), d(12), d(13), d(14),
394 d(15));
395 quasi_exform512(q0, q1, q2, q3, q4, q5, q6, q7);
396
397 /* Second row of quasigroup e-transformations */
398 LS1_512(defix, p[8], p[9], p[10], p[11], p[12], p[13], p[14],
399 p[15]);
400 LS2_512(defix, p0, p1, p2, p3, p4, p5, p6, p7);
401 quasi_exform512(p0, p1, p2, p3, p4, p5, p6, p7);
402
403 LS1_512(defix, p0, p1, p2, p3, p4, p5, p6, p7);
404 LS2_512(defix, q0, q1, q2, q3, q4, q5, q6, q7);
405 quasi_exform512(q0, q1, q2, q3, q4, q5, q6, q7);
406
407 /* Third row of quasigroup e-transformations */
408 LS1_512(defix, p0, p1, p2, p3, p4, p5, p6, p7);
409 LS2_512(defix, p[0], p[1], p[2], p[3], p[4], p[5], p[6], p[7]);
410 quasi_exform512(p0, p1, p2, p3, p4, p5, p6, p7);
411
412 LS1_512(defix, q0, q1, q2, q3, q4, q5, q6, q7);
413 LS2_512(defix, p0, p1, p2, p3, p4, p5, p6, p7);
414 quasi_exform512(q0, q1, q2, q3, q4, q5, q6, q7);
415
416 /* Fourth row of quasigroup e-transformations */
417 LS1_512(defix, d(7), d(6), d(5), d(4), d(3), d(2), d(1), d(0));
418 LS2_512(defix, p0, p1, p2, p3, p4, p5, p6, p7);
419 quasi_exform512(p0, p1, p2, p3, p4, p5, p6, p7);
420
421 LS1_512(defix, p0, p1, p2, p3, p4, p5, p6, p7);
422 LS2_512(defix, q0, q1, q2, q3, q4, q5, q6, q7);
423 quasi_exform512(q0, q1, q2, q3, q4, q5, q6, q7);
424
425 /* Edon-R tweak on the original SHA-3 Edon-R submission. */
426 p[0] ^= d(8) ^ p0;
427 p[1] ^= d(9) ^ p1;
428 p[2] ^= d(10) ^ p2;
429 p[3] ^= d(11) ^ p3;
430 p[4] ^= d(12) ^ p4;
431 p[5] ^= d(13) ^ p5;
432 p[6] ^= d(14) ^ p6;
433 p[7] ^= d(15) ^ p7;
434 p[8] ^= d(0) ^ q0;
435 p[9] ^= d(1) ^ q1;
436 p[10] ^= d(2) ^ q2;
437 p[11] ^= d(3) ^ q3;
438 p[12] ^= d(4) ^ q4;
439 p[13] ^= d(5) ^ q5;
440 p[14] ^= d(6) ^ q6;
441 p[15] ^= d(7) ^ q7;
442 }
443
444 #undef d
445 return (bitlen - bl);
446 }
447
448 void
449 EdonRInit(EdonRState *state, size_t hashbitlen)
450 {
451 switch (hashbitlen) {
452 case 224:
453 state->hashbitlen = 224;
454 state->bits_processed = 0;
455 state->unprocessed_bits = 0;
456 (void) memcpy(hashState224(state)->DoublePipe, i224p2,
457 16 * sizeof (uint32_t));
458 break;
459
460 case 256:
461 state->hashbitlen = 256;
462 state->bits_processed = 0;
463 state->unprocessed_bits = 0;
464 (void) memcpy(hashState256(state)->DoublePipe, i256p2,
465 16 * sizeof (uint32_t));
466 break;
467
468 case 384:
469 state->hashbitlen = 384;
470 state->bits_processed = 0;
471 state->unprocessed_bits = 0;
472 (void) memcpy(hashState384(state)->DoublePipe, i384p2,
473 16 * sizeof (uint64_t));
474 break;
475
476 case 512:
477 state->hashbitlen = 512;
478 state->bits_processed = 0;
479 state->unprocessed_bits = 0;
480 (void) memcpy(hashState224(state)->DoublePipe, i512p2,
481 16 * sizeof (uint64_t));
482 break;
483
484 default:
485 ASSERT(0);
486 }
487 }
488
489
490 void
491 EdonRUpdate(EdonRState *state, const uint8_t *data, size_t databitlen)
492 {
493 uint32_t *data32;
494 uint64_t *data64;
495
496 size_t bits_processed;
497
498 switch (state->hashbitlen) {
499 case 224:
500 case 256:
501 if (state->unprocessed_bits > 0) {
502 ASSERT(state->unprocessed_bits + databitlen <=
503 EdonR256_BLOCK_SIZE * 8);
504
505 /* LastBytes = databitlen / 8 */
506 int LastBytes = (int) databitlen >> 3;
507
508 (void) memcpy(hashState256(state)->LastPart
509 + (state->unprocessed_bits >> 3), data,
510 LastBytes);
511 state->unprocessed_bits += (int) databitlen;
512 databitlen = state->unprocessed_bits;
513 /* LINTED E_BAD_PTR_CAST_ALIGN */
514 data32 = (uint32_t *) hashState256(state)->LastPart;
515 } else
516 /* LINTED E_BAD_PTR_CAST_ALIGN */
517 data32 = (uint32_t *) data;
518
519 bits_processed = Q256(databitlen, data32,
520 hashState256(state)->DoublePipe);
521 state->bits_processed += bits_processed;
522 databitlen -= bits_processed;
523 state->unprocessed_bits = (int) databitlen;
524 if (databitlen > 0) {
525 /* LastBytes = Ceil(databitlen / 8) */
526 int LastBytes =
527 ((~(((-(int) databitlen) >> 3) & 0x01ff)) +
528 1) & 0x01ff;
529
530 data32 += bits_processed >> 5; /* byte size update */
531 (void) memcpy(hashState256(state)->LastPart, data32,
532 LastBytes);
533 }
534 break;
535
536 case 384:
537 case 512:
538 if (state->unprocessed_bits > 0) {
539 ASSERT(state->unprocessed_bits + databitlen <=
540 EdonR512_BLOCK_SIZE * 8);
541 /* LastBytes = databitlen / 8 */
542 int LastBytes = (int) databitlen >> 3;
543
544 (void) memcpy(hashState512(state)->LastPart
545 + (state->unprocessed_bits >> 3), data,
546 LastBytes);
547 state->unprocessed_bits += (int) databitlen;
548 databitlen = state->unprocessed_bits;
549 /* LINTED E_BAD_PTR_CAST_ALIGN */
550 data64 = (uint64_t *) hashState512(state)->LastPart;
551 } else
552 /* LINTED E_BAD_PTR_CAST_ALIGN */
553 data64 = (uint64_t *) data;
554
555
556 bits_processed = Q512(databitlen, data64,
557 hashState512(state)->DoublePipe);
558 state->bits_processed += bits_processed;
559 databitlen -= bits_processed;
560 state->unprocessed_bits = (int) databitlen;
561 if (databitlen > 0) {
562 /* LastBytes = Ceil(databitlen / 8) */
563 int LastBytes =
564 ((~(((-(int) databitlen) >> 3) & 0x03ff)) +
565 1) & 0x03ff;
566
567 data64 += bits_processed >> 6; /* byte size update */
568 (void) memcpy(hashState512(state)->LastPart, data64,
569 LastBytes);
570 }
571 break;
572
573 default:
574 ASSERT(0);
575 }
576 }
577
578 void
579 EdonRFinal(EdonRState *state, uint8_t *hashval)
580 {
581 uint32_t *data32;
582 uint64_t *data64, num_bits;
583
584 size_t databitlen;
585 int LastByte, PadOnePosition;
586
587 num_bits = state->bits_processed + state->unprocessed_bits;
588
589 switch (state->hashbitlen) {
590 case 224:
591 case 256:
592 LastByte = (int) state->unprocessed_bits >> 3;
593 PadOnePosition = 7 - (state->unprocessed_bits & 0x07);
594 hashState256(state)->LastPart[LastByte] =
595 (hashState256(state)->LastPart[LastByte]
596 & (0xff << (PadOnePosition +
597 1))) ^ (0x01 << PadOnePosition);
598 /* LINTED E_BAD_PTR_CAST_ALIGN */
599 data64 = (uint64_t *) hashState256(state)->LastPart;
600
601 if (state->unprocessed_bits < 448) {
602 (void) memset((hashState256(state)->LastPart) +
603 LastByte + 1, 0x00,
604 EdonR256_BLOCK_SIZE - LastByte - 9);
605 databitlen = EdonR256_BLOCK_SIZE * 8;
606 #if defined(MACHINE_IS_BIG_ENDIAN)
607 st_swap64(num_bits, data64 + 7);
608 #else
609 data64[7] = num_bits;
610 #endif
611 } else {
612 (void) memset((hashState256(state)->LastPart) +
613 LastByte + 1, 0x00,
614 EdonR256_BLOCK_SIZE * 2 - LastByte - 9);
615 databitlen = EdonR256_BLOCK_SIZE * 16;
616 #if defined(MACHINE_IS_BIG_ENDIAN)
617 st_swap64(num_bits, data64 + 15);
618 #else
619 data64[15] = num_bits;
620 #endif
621 }
622
623 /* LINTED E_BAD_PTR_CAST_ALIGN */
624 data32 = (uint32_t *) hashState256(state)->LastPart;
625 state->bits_processed += Q256(databitlen, data32,
626 hashState256(state)->DoublePipe);
627 break;
628
629 case 384:
630 case 512:
631 LastByte = (int) state->unprocessed_bits >> 3;
632 PadOnePosition = 7 - (state->unprocessed_bits & 0x07);
633 hashState512(state)->LastPart[LastByte] =
634 (hashState512(state)->LastPart[LastByte]
635 & (0xff << (PadOnePosition +
636 1))) ^ (0x01 << PadOnePosition);
637 /* LINTED E_BAD_PTR_CAST_ALIGN */
638 data64 = (uint64_t *) hashState512(state)->LastPart;
639
640 if (state->unprocessed_bits < 960) {
641 (void) memset((hashState512(state)->LastPart) +
642 LastByte + 1, 0x00,
643 EdonR512_BLOCK_SIZE - LastByte - 9);
644 databitlen = EdonR512_BLOCK_SIZE * 8;
645 #if defined(MACHINE_IS_BIG_ENDIAN)
646 st_swap64(num_bits, data64 + 15);
647 #else
648 data64[15] = num_bits;
649 #endif
650 } else {
651 (void) memset((hashState512(state)->LastPart) +
652 LastByte + 1, 0x00,
653 EdonR512_BLOCK_SIZE * 2 - LastByte - 9);
654 databitlen = EdonR512_BLOCK_SIZE * 16;
655 #if defined(MACHINE_IS_BIG_ENDIAN)
656 st_swap64(num_bits, data64 + 31);
657 #else
658 data64[31] = num_bits;
659 #endif
660 }
661
662 state->bits_processed += Q512(databitlen, data64,
663 hashState512(state)->DoublePipe);
664 break;
665
666 default:
667 ASSERT(0); /* This should never happen */
668 }
669
670
671 switch (state->hashbitlen) {
672 case 224: {
673 #if defined(MACHINE_IS_BIG_ENDIAN)
674 uint32_t *d32 = (uint32_t *) hashval;
675 uint32_t *s32 = hashState224(state)->DoublePipe + 9;
676 int j;
677
678 for (j = 0; j < EdonR224_DIGEST_SIZE >> 2; j++)
679 st_swap32(s32[j], d32 + j);
680 #else
681 (void) memcpy(hashval, hashState256(state)->DoublePipe + 9,
682 EdonR224_DIGEST_SIZE);
683 #endif
684 break;
685 }
686 case 256: {
687 #if defined(MACHINE_IS_BIG_ENDIAN)
688 uint32_t *d32 = (uint32_t *) hashval;
689 uint32_t *s32 = hashState224(state)->DoublePipe + 8;
690 int j;
691
692 for (j = 0; j < EdonR256_DIGEST_SIZE >> 2; j++)
693 st_swap32(s32[j], d32 + j);
694 #else
695 (void) memcpy(hashval, hashState256(state)->DoublePipe + 8,
696 EdonR256_DIGEST_SIZE);
697 #endif
698 break;
699 }
700 case 384: {
701 #if defined(MACHINE_IS_BIG_ENDIAN)
702 uint64_t *d64 = (uint64_t *) hashval;
703 uint64_t *s64 = hashState384(state)->DoublePipe + 10;
704 int j;
705
706 for (j = 0; j < EdonR384_DIGEST_SIZE >> 3; j++)
707 st_swap64(s64[j], d64 + j);
708 #else
709 (void) memcpy(hashval, hashState384(state)->DoublePipe + 10,
710 EdonR384_DIGEST_SIZE);
711 #endif
712 break;
713 }
714 case 512: {
715 #if defined(MACHINE_IS_BIG_ENDIAN)
716 uint64_t *d64 = (uint64_t *) hashval;
717 uint64_t *s64 = hashState512(state)->DoublePipe + 8;
718 int j;
719
720 for (j = 0; j < EdonR512_DIGEST_SIZE >> 3; j++)
721 st_swap64(s64[j], d64 + j);
722 #else
723 (void) memcpy(hashval, hashState512(state)->DoublePipe + 8,
724 EdonR512_DIGEST_SIZE);
725 #endif
726 break;
727 }
728
729 default:
730 ASSERT(0); /* This should never happen */
731 }
732 }
733
734
735 void
736 EdonRHash(size_t hashbitlen, const uint8_t *data, size_t databitlen,
737 uint8_t *hashval)
738 {
739 EdonRState state;
740
741 EdonRInit(&state, hashbitlen);
742 EdonRUpdate(&state, data, databitlen);
743 EdonRFinal(&state, hashval);
744 }