ref: 009439541d2c6e8af2596f8fb1b4df85861fd212
dir: /third_party/boringssl/src/crypto/spx/spx_thash.c/
/* Copyright (c) 2023, Google LLC
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
* SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
* OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
#include <openssl/base.h>
#include <assert.h>
#include <stdio.h>
#include <string.h>
#include <openssl/sha.h>
#include "./spx_params.h"
#include "./spx_util.h"
#include "./spx_thash.h"
static void spx_thash(uint8_t *output, const uint8_t *input,
size_t input_blocks, const uint8_t pk_seed[SPX_N],
uint8_t addr[32]) {
uint8_t hash[32];
SHA256_CTX sha256;
SHA256_Init(&sha256);
// Process pubseed with padding to full block.
// TODO: This could be precomputed instead as it will be the same across all
// hash calls.
uint8_t padded_pk_seed[64] = {0};
memcpy(padded_pk_seed, pk_seed, SPX_N);
SHA256_Update(&sha256, padded_pk_seed, sizeof(padded_pk_seed));
SHA256_Update(&sha256, addr, SPX_SHA256_ADDR_BYTES);
SHA256_Update(&sha256, input, input_blocks * SPX_N);
SHA256_Final(hash, &sha256);
memcpy(output, hash, SPX_N);
}
void spx_thash_f(uint8_t *output, const uint8_t input[SPX_N],
const uint8_t pk_seed[SPX_N], uint8_t addr[32]) {
spx_thash(output, input, 1, pk_seed, addr);
}
void spx_thash_h(uint8_t *output, const uint8_t input[2 * SPX_N],
const uint8_t pk_seed[SPX_N], uint8_t addr[32]) {
spx_thash(output, input, 2, pk_seed, addr);
}
void spx_thash_hmsg(uint8_t *output, const uint8_t r[SPX_N],
const uint8_t pk_seed[SPX_N], const uint8_t pk_root[SPX_N],
const uint8_t *msg, size_t msg_len) {
// MGF1-SHA-256(R || PK.seed || SHA-256(R || PK.seed || PK.root || M), m)
// input_buffer stores R || PK_SEED || SHA256(..) || 4-byte index
uint8_t input_buffer[2 * SPX_N + 32 + 4] = {0};
memcpy(input_buffer, r, SPX_N);
memcpy(input_buffer + SPX_N, pk_seed, SPX_N);
// Inner hash
SHA256_CTX ctx;
SHA256_Init(&ctx);
SHA256_Update(&ctx, r, SPX_N);
SHA256_Update(&ctx, pk_seed, SPX_N);
SHA256_Update(&ctx, pk_root, SPX_N);
SHA256_Update(&ctx, msg, msg_len);
// Write directly into the input buffer
SHA256_Final(input_buffer + 2 * SPX_N, &ctx);
// MGF1-SHA-256
uint8_t output_buffer[3 * 32];
// Need to call SHA256 3 times for message digest.
static_assert(SPX_DIGEST_SIZE <= sizeof(output_buffer),
"not enough room for hashes");
SHA256(input_buffer, sizeof(input_buffer), output_buffer);
input_buffer[2 * SPX_N + 32 + 3] = 1;
SHA256(input_buffer, sizeof(input_buffer), output_buffer + 32);
input_buffer[2 * SPX_N + 32 + 3] = 2;
SHA256(input_buffer, sizeof(input_buffer), output_buffer + 64);
memcpy(output, output_buffer, SPX_DIGEST_SIZE);
}
void spx_thash_prf(uint8_t *output, const uint8_t pk_seed[SPX_N],
const uint8_t sk_seed[SPX_N], uint8_t addr[32]) {
spx_thash(output, sk_seed, 1, pk_seed, addr);
}
void spx_thash_prfmsg(uint8_t *output, const uint8_t sk_prf[SPX_N],
const uint8_t opt_rand[SPX_N], const uint8_t *msg,
size_t msg_len) {
// Compute HMAC-SHA256(sk_prf, opt_rand || msg). We inline HMAC to avoid an
// allocation.
uint8_t hmac_key[SHA256_CBLOCK] = {0};
static_assert(SPX_N <= SHA256_CBLOCK, "HMAC key is larger than block size");
memcpy(hmac_key, sk_prf, SPX_N);
for (size_t i = 0; i < sizeof(hmac_key); i++) {
hmac_key[i] ^= 0x36;
}
uint8_t hash[SHA256_DIGEST_LENGTH];
SHA256_CTX ctx;
SHA256_Init(&ctx);
SHA256_Update(&ctx, hmac_key, sizeof(hmac_key));
SHA256_Update(&ctx, opt_rand, SPX_N);
SHA256_Update(&ctx, msg, msg_len);
SHA256_Final(hash, &ctx);
for (size_t i = 0; i < sizeof(hmac_key); i++) {
hmac_key[i] ^= 0x36 ^ 0x5c;
}
SHA256_Init(&ctx);
SHA256_Update(&ctx, hmac_key, sizeof(hmac_key));
SHA256_Update(&ctx, hash, sizeof(hash));
SHA256_Final(hash, &ctx);
// Truncate to SPX_N bytes
memcpy(output, hash, SPX_N);
}
void spx_thash_tl(uint8_t *output, const uint8_t input[SPX_WOTS_BYTES],
const uint8_t pk_seed[SPX_N], uint8_t addr[32]) {
spx_thash(output, input, SPX_WOTS_LEN, pk_seed, addr);
}
void spx_thash_tk(uint8_t *output, const uint8_t input[SPX_FORS_TREES * SPX_N],
const uint8_t pk_seed[SPX_N], uint8_t addr[32]) {
spx_thash(output, input, SPX_FORS_TREES, pk_seed, addr);
}