mirror of
https://github.com/Atmosphere-NX/Atmosphere
synced 2024-11-14 00:56:35 +00:00
240 lines
8.5 KiB
C++
240 lines
8.5 KiB
C++
/*
|
|
* Copyright (c) Atmosphère-NX
|
|
*
|
|
* This program is free software; you can redistribute it and/or modify it
|
|
* under the terms and conditions of the GNU General Public License,
|
|
* version 2, as published by the Free Software Foundation.
|
|
*
|
|
* This program is distributed in the hope it will be useful, but WITHOUT
|
|
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
|
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
|
|
* more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License
|
|
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
*/
|
|
#include <vapours.hpp>
|
|
|
|
namespace ams::crypto::impl {
|
|
|
|
namespace {
|
|
|
|
constexpr auto NumRounds = 24;
|
|
|
|
constexpr const u64 IotaRoundConstant[NumRounds] = {
|
|
UINT64_C(0x0000000000000001), UINT64_C(0x0000000000008082),
|
|
UINT64_C(0x800000000000808A), UINT64_C(0x8000000080008000),
|
|
UINT64_C(0x000000000000808B), UINT64_C(0x0000000080000001),
|
|
UINT64_C(0x8000000080008081), UINT64_C(0x8000000000008009),
|
|
UINT64_C(0x000000000000008A), UINT64_C(0x0000000000000088),
|
|
UINT64_C(0x0000000080008009), UINT64_C(0x000000008000000A),
|
|
UINT64_C(0x000000008000808B), UINT64_C(0x800000000000008B),
|
|
UINT64_C(0x8000000000008089), UINT64_C(0x8000000000008003),
|
|
UINT64_C(0x8000000000008002), UINT64_C(0x8000000000000080),
|
|
UINT64_C(0x000000000000800A), UINT64_C(0x800000008000000A),
|
|
UINT64_C(0x8000000080008081), UINT64_C(0x8000000000008080),
|
|
UINT64_C(0x0000000080000001), UINT64_C(0x8000000080008008)
|
|
};
|
|
|
|
constexpr const int RhoShiftBit[NumRounds] = {
|
|
1, 3, 6, 10, 15, 21, 28, 36,
|
|
45, 55, 2, 14, 27, 41, 56, 8,
|
|
25, 43, 62, 18, 39, 61, 20, 44
|
|
};
|
|
|
|
constexpr const int RhoNextIndex[NumRounds] = {
|
|
10, 7, 11, 17, 18, 3, 5, 16,
|
|
8, 21, 24, 4, 15, 23, 19, 13,
|
|
12, 2, 20, 14, 22, 9, 6, 1
|
|
};
|
|
|
|
}
|
|
|
|
template<size_t HashSize>
|
|
void Sha3Impl<HashSize>::Initialize() {
|
|
/* Clear internal state. */
|
|
std::memset(m_internal_state, 0, sizeof(m_internal_state));
|
|
|
|
/* Reset buffered bytes. */
|
|
m_buffered_bytes = 0;
|
|
|
|
/* Set state. */
|
|
m_state = State_Initialized;
|
|
}
|
|
|
|
template<size_t HashSize>
|
|
void Sha3Impl<HashSize>::Update(const void *data, size_t size) {
|
|
/* Verify we're in a state to update. */
|
|
AMS_ASSERT(m_state == State_Initialized);
|
|
|
|
/* Process we have anything buffered. */
|
|
const u8 *data8 = static_cast<const u8 *>(data);
|
|
size_t remaining = size;
|
|
if (m_buffered_bytes > 0) {
|
|
/* Determine how much we can copy. */
|
|
const size_t copy_size = std::min(BlockSize - m_buffered_bytes, remaining);
|
|
|
|
/* Mix the bytes into our state. */
|
|
u8 *dst8 = reinterpret_cast<u8 *>(m_internal_state) + m_buffered_bytes;
|
|
for (size_t i = 0; i < copy_size; ++i) {
|
|
dst8[i] ^= data8[i];
|
|
}
|
|
|
|
/* Advance. */
|
|
data8 += copy_size;
|
|
remaining -= copy_size;
|
|
m_buffered_bytes += copy_size;
|
|
|
|
/* Process a block, if we filled one. */
|
|
if (m_buffered_bytes == BlockSize) {
|
|
this->ProcessBlock();
|
|
m_buffered_bytes = 0;
|
|
}
|
|
}
|
|
|
|
/* Process blocks, if we have any. */
|
|
while (remaining >= BlockSize) {
|
|
/* Mix the bytes into our state. */
|
|
u8 *dst8 = reinterpret_cast<u8 *>(m_internal_state);
|
|
for (size_t i = 0; i < BlockSize; ++i) {
|
|
dst8[i] ^= data8[i];
|
|
}
|
|
|
|
this->ProcessBlock();
|
|
|
|
data8 += BlockSize;
|
|
remaining -= BlockSize;
|
|
}
|
|
|
|
/* Copy any leftover data to our buffer. */
|
|
if (remaining > 0) {
|
|
u8 *dst8 = reinterpret_cast<u8 *>(m_internal_state);
|
|
for (size_t i = 0; i < remaining; ++i) {
|
|
dst8[i] ^= data8[i];
|
|
}
|
|
|
|
m_buffered_bytes = remaining;
|
|
}
|
|
}
|
|
|
|
template<size_t HashSize>
|
|
void Sha3Impl<HashSize>::GetHash(void *dst, size_t size) {
|
|
/* Verify we're in a state to get hash. */
|
|
AMS_ASSERT(m_state == State_Initialized || m_state == State_Done);
|
|
AMS_ASSERT(size >= HashSize);
|
|
AMS_UNUSED(size);
|
|
|
|
/* If we need to, process the last block. */
|
|
if (m_state == State_Initialized) {
|
|
this->ProcessLastBlock();
|
|
m_state = State_Done;
|
|
}
|
|
|
|
/* Copy the output hash. */
|
|
std::memcpy(dst, m_internal_state, HashSize);
|
|
}
|
|
|
|
template<size_t HashSize>
|
|
void Sha3Impl<HashSize>::InitializeWithContext(const Sha3Context *context) {
|
|
/* Check the context is for the right hash size. */
|
|
AMS_ASSERT(context->hash_size == HashSize);
|
|
|
|
/* Set buffered bytes. */
|
|
m_buffered_bytes = context->buffered_bytes;
|
|
|
|
/* Copy state in from the context. */
|
|
std::memcpy(m_internal_state, context->internal_state, sizeof(m_internal_state));
|
|
|
|
/* Reset other fields. */
|
|
m_state = State_Initialized;
|
|
}
|
|
|
|
template<size_t HashSize>
|
|
void Sha3Impl<HashSize>::GetContext(Sha3Context *context) const {
|
|
/* Check our state. */
|
|
AMS_ASSERT(m_state == State_Initialized);
|
|
|
|
/* Set the output hash size. */
|
|
context->hash_size = HashSize;
|
|
|
|
/* Set buffered bytes. */
|
|
context->buffered_bytes = m_buffered_bytes;
|
|
|
|
/* Copy out the context. */
|
|
std::memcpy(context->internal_state, m_internal_state, sizeof(context->internal_state));
|
|
}
|
|
|
|
template<size_t HashSize>
|
|
void Sha3Impl<HashSize>::ProcessBlock() {
|
|
/* Ensure correct endianness. */
|
|
if constexpr (util::IsBigEndian()) {
|
|
for (size_t i = 0; i < util::size(m_internal_state); ++i) {
|
|
m_internal_state[i] = util::LoadLittleEndian<u64>(m_internal_state + i);
|
|
}
|
|
}
|
|
|
|
/* Perform all rounds. */
|
|
uint64_t tmp, C[5];
|
|
for (auto round = 0; round < NumRounds; ++round) {
|
|
/* Handle theta. */
|
|
for (size_t i = 0; i < 5; ++i) {
|
|
C[i] = m_internal_state[i] ^ m_internal_state[i + 5] ^ m_internal_state[i + 10] ^ m_internal_state[i + 15] ^ m_internal_state[i + 20];
|
|
}
|
|
|
|
for (size_t i = 0; i < 5; ++i) {
|
|
tmp = C[(i + 4) % 5] ^ util::RotateLeft<u64>(C[(i + 1) % 5], 1);
|
|
for (size_t j = 0; j < 5; ++j) {
|
|
m_internal_state[5 * j + i] ^= tmp;
|
|
}
|
|
}
|
|
|
|
/* Handle rho/pi. */
|
|
tmp = m_internal_state[1];
|
|
for (size_t i = 0; i < NumRounds; ++i) {
|
|
const auto rho_next_idx = RhoNextIndex[i];
|
|
C[0] = m_internal_state[rho_next_idx];
|
|
m_internal_state[rho_next_idx] = util::RotateLeft<u64>(tmp, RhoShiftBit[i]);
|
|
tmp = C[0];
|
|
}
|
|
|
|
/* Handle chi. */
|
|
for (size_t i = 0; i < 5; ++i) {
|
|
for (size_t j = 0; j < 5; ++j) {
|
|
C[j] = m_internal_state[5 * i + j];
|
|
}
|
|
for (size_t j = 0; j < 5; ++j) {
|
|
m_internal_state[5 * i + j] ^= (~C[(j + 1) % 5]) & C[(j + 2) % 5];
|
|
}
|
|
}
|
|
|
|
/* Handle iota. */
|
|
m_internal_state[0] ^= IotaRoundConstant[round];
|
|
}
|
|
/* Ensure correct endianness. */
|
|
if constexpr (util::IsBigEndian()) {
|
|
for (size_t i = 0; i < util::size(m_internal_state); ++i) {
|
|
util::StoreLittleEndian<u64>(m_internal_state + i, m_internal_state[i]);
|
|
}
|
|
}
|
|
}
|
|
|
|
template<size_t HashSize>
|
|
void Sha3Impl<HashSize>::ProcessLastBlock() {
|
|
/* Mix final bits (011) into our state. */
|
|
reinterpret_cast<u8 *>(m_internal_state)[m_buffered_bytes] ^= 0b110;
|
|
|
|
/* Mix in the high bit of the last word in our block. */
|
|
constexpr u64 FinalMask = UINT64_C(0x8000000000000000);
|
|
m_internal_state[(BlockSize / sizeof(u64)) - 1] ^= FinalMask;
|
|
|
|
/* Process the last block. */
|
|
this->ProcessBlock();
|
|
}
|
|
|
|
/* Explicitly instantiate the supported hash sizes. */
|
|
template class Sha3Impl<224 / BITSIZEOF(u8)>;
|
|
template class Sha3Impl<256 / BITSIZEOF(u8)>;
|
|
template class Sha3Impl<384 / BITSIZEOF(u8)>;
|
|
template class Sha3Impl<512 / BITSIZEOF(u8)>;
|
|
|
|
}
|