From 6ecf69b6e67ff552aaf2ab8062be072aba062e0e Mon Sep 17 00:00:00 2001 From: Matthias Schiffer Date: Thu, 15 Aug 2013 01:18:51 +0200 Subject: Add small SHA256 implementation The NaCl implementation has a code size of more than 10KiB. --- src/CMakeLists.txt | 1 + src/protocol_ec25519_fhmqvc.c | 85 ++++++++++++++------------ src/sha256.c | 139 ++++++++++++++++++++++++++++++++++++++++++ src/sha256.h | 39 ++++++++++++ 4 files changed, 225 insertions(+), 39 deletions(-) create mode 100644 src/sha256.c create mode 100644 src/sha256.h diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index 1fe0873..6c507ae 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -29,6 +29,7 @@ add_executable(fastd receive.c resolve.c send.c + sha256.c shell.c socket.c task.c diff --git a/src/protocol_ec25519_fhmqvc.c b/src/protocol_ec25519_fhmqvc.c index 01d2103..f6c170b 100644 --- a/src/protocol_ec25519_fhmqvc.c +++ b/src/protocol_ec25519_fhmqvc.c @@ -27,19 +27,18 @@ #include "fastd.h" #include "handshake.h" #include "peer.h" +#include "sha256.h" #include "task.h" -#include #include #include -#include #define PUBLICKEYBYTES 32 #define SECRETKEYBYTES 32 #define HMACBYTES crypto_auth_hmacsha256_BYTES -#define HASHBYTES crypto_hash_sha256_BYTES +#define HASHBYTES FASTD_SHA256_HASH_BYTES #if HASHBYTES != crypto_auth_hmacsha256_KEYBYTES @@ -279,16 +278,16 @@ static void respond_handshake(fastd_context_t *ctx, const fastd_socket_t *sock, const handshake_key_t *handshake_key, const ecc_int256_t *peer_handshake_key, const fastd_handshake_t *handshake, const fastd_method_t *method) { pr_debug(ctx, "responding handshake with %P[%I]...", peer, remote_addr); - uint8_t hashinput[5*PUBLICKEYBYTES]; + uint8_t hashinput[2*PUBLICKEYBYTES]; uint8_t hashbuf[HASHBYTES]; uint8_t hmacbuf[HMACBYTES]; - memcpy(hashinput, handshake_key->public_key.p, PUBLICKEYBYTES); - memcpy(hashinput+PUBLICKEYBYTES, peer_handshake_key->p, PUBLICKEYBYTES); - memcpy(hashinput+2*PUBLICKEYBYTES, ctx->conf->protocol_config->public_key.p, PUBLICKEYBYTES); - memcpy(hashinput+3*PUBLICKEYBYTES, peer->protocol_config->public_key.p, PUBLICKEYBYTES); - - crypto_hash_sha256(hashbuf, hashinput, 4*PUBLICKEYBYTES); + fastd_sha256_blocks(hashbuf, + handshake_key->public_key.p, + peer_handshake_key->p, + ctx->conf->protocol_config->public_key.p, + peer->protocol_config->public_key.p, + NULL); ecc_int256_t d = {{0}}, e = {{0}}, eb, s; @@ -323,8 +322,13 @@ static void respond_handshake(fastd_context_t *ctx, const fastd_socket_t *sock, ecc_25519_store_packed(&sigma, &work); uint8_t shared_handshake_key[HASHBYTES]; - memcpy(hashinput+4*PUBLICKEYBYTES, sigma.p, PUBLICKEYBYTES); - crypto_hash_sha256(shared_handshake_key, hashinput, 5*PUBLICKEYBYTES); + fastd_sha256_blocks(shared_handshake_key, + handshake_key->public_key.p, + peer_handshake_key->p, + ctx->conf->protocol_config->public_key.p, + peer->protocol_config->public_key.p, + sigma.p, + NULL); memcpy(hashinput, ctx->conf->protocol_config->public_key.p, PUBLICKEYBYTES); memcpy(hashinput+PUBLICKEYBYTES, handshake_key->public_key.p, PUBLICKEYBYTES); @@ -346,9 +350,6 @@ static bool establish(fastd_context_t *ctx, fastd_peer_t *peer, const fastd_meth const fastd_peer_address_t *local_addr, const fastd_peer_address_t *remote_addr, bool initiator, const ecc_int256_t *A, const ecc_int256_t *B, const ecc_int256_t *X, const ecc_int256_t *Y, const ecc_int256_t *sigma, uint64_t serial) { - uint8_t hashinput[5*PUBLICKEYBYTES]; - uint8_t hash[HASHBYTES]; - if (serial <= peer->protocol_state->last_serial) { pr_debug(ctx, "ignoring handshake from %P[%I] because of handshake key reuse", peer, remote_addr); return false; @@ -372,12 +373,8 @@ static bool establish(fastd_context_t *ctx, fastd_peer_t *peer, const fastd_meth peer->protocol_state->old_session = (protocol_session_t){}; } - memcpy(hashinput, X->p, PUBLICKEYBYTES); - memcpy(hashinput+PUBLICKEYBYTES, Y->p, PUBLICKEYBYTES); - memcpy(hashinput+2*PUBLICKEYBYTES, A->p, PUBLICKEYBYTES); - memcpy(hashinput+3*PUBLICKEYBYTES, B->p, PUBLICKEYBYTES); - memcpy(hashinput+4*PUBLICKEYBYTES, sigma->p, PUBLICKEYBYTES); - crypto_hash_sha256(hash, hashinput, 5*PUBLICKEYBYTES); + uint8_t hash[HASHBYTES]; + fastd_sha256_blocks(hash, X->p, Y->p, A->p, B->p, sigma->p, NULL); peer->protocol_state->session.established = ctx->now; peer->protocol_state->session.handshakes_cleaned = false; @@ -410,16 +407,16 @@ static void finish_handshake(fastd_context_t *ctx, fastd_socket_t *sock, const f const fastd_handshake_t *handshake, const fastd_method_t *method) { pr_debug(ctx, "finishing handshake with %P[%I]...", peer, remote_addr); - uint8_t hashinput[5*PUBLICKEYBYTES]; + uint8_t hashinput[2*PUBLICKEYBYTES]; uint8_t hashbuf[HASHBYTES]; uint8_t hmacbuf[HMACBYTES]; - memcpy(hashinput, peer_handshake_key->p, PUBLICKEYBYTES); - memcpy(hashinput+PUBLICKEYBYTES, handshake_key->public_key.p, PUBLICKEYBYTES); - memcpy(hashinput+2*PUBLICKEYBYTES, peer->protocol_config->public_key.p, PUBLICKEYBYTES); - memcpy(hashinput+3*PUBLICKEYBYTES, ctx->conf->protocol_config->public_key.p, PUBLICKEYBYTES); - - crypto_hash_sha256(hashbuf, hashinput, 4*PUBLICKEYBYTES); + fastd_sha256_blocks(hashbuf, + peer_handshake_key->p, + handshake_key->public_key.p, + peer->protocol_config->public_key.p, + ctx->conf->protocol_config->public_key.p, + NULL); ecc_int256_t d = {{0}}, e = {{0}}, da, s; @@ -454,8 +451,13 @@ static void finish_handshake(fastd_context_t *ctx, fastd_socket_t *sock, const f ecc_25519_store_packed(&sigma, &work); uint8_t shared_handshake_key[HASHBYTES]; - memcpy(hashinput+4*PUBLICKEYBYTES, sigma.p, PUBLICKEYBYTES); - crypto_hash_sha256(shared_handshake_key, hashinput, 5*PUBLICKEYBYTES); + fastd_sha256_blocks(shared_handshake_key, + peer_handshake_key->p, + handshake_key->public_key.p, + peer->protocol_config->public_key.p, + ctx->conf->protocol_config->public_key.p, + sigma.p, + NULL); memcpy(hashinput, peer->protocol_config->public_key.p, PUBLICKEYBYTES); memcpy(hashinput+PUBLICKEYBYTES, peer_handshake_key->p, PUBLICKEYBYTES); @@ -489,15 +491,15 @@ static void handle_finish_handshake(fastd_context_t *ctx, fastd_socket_t *sock, const fastd_handshake_t *handshake, const fastd_method_t *method) { pr_debug(ctx, "handling handshake finish with %P[%I]...", peer, remote_addr); - uint8_t hashinput[5*PUBLICKEYBYTES]; + uint8_t hashinput[2*PUBLICKEYBYTES]; uint8_t hashbuf[HASHBYTES]; - memcpy(hashinput, handshake_key->public_key.p, PUBLICKEYBYTES); - memcpy(hashinput+PUBLICKEYBYTES, peer_handshake_key->p, PUBLICKEYBYTES); - memcpy(hashinput+2*PUBLICKEYBYTES, ctx->conf->protocol_config->public_key.p, PUBLICKEYBYTES); - memcpy(hashinput+3*PUBLICKEYBYTES, peer->protocol_config->public_key.p, PUBLICKEYBYTES); - - crypto_hash_sha256(hashbuf, hashinput, 4*PUBLICKEYBYTES); + fastd_sha256_blocks(hashbuf, + handshake_key->public_key.p, + peer_handshake_key->p, + ctx->conf->protocol_config->public_key.p, + peer->protocol_config->public_key.p, + NULL); ecc_int256_t d = {{0}}, e = {{0}}, eb, s; @@ -532,8 +534,13 @@ static void handle_finish_handshake(fastd_context_t *ctx, fastd_socket_t *sock, ecc_25519_store_packed(&sigma, &work); uint8_t shared_handshake_key[HASHBYTES]; - memcpy(hashinput+4*PUBLICKEYBYTES, sigma.p, PUBLICKEYBYTES); - crypto_hash_sha256(shared_handshake_key, hashinput, 5*PUBLICKEYBYTES); + fastd_sha256_blocks(shared_handshake_key, + handshake_key->public_key.p, + peer_handshake_key->p, + ctx->conf->protocol_config->public_key.p, + peer->protocol_config->public_key.p, + sigma.p, + NULL); memcpy(hashinput, peer->protocol_config->public_key.p, PUBLICKEYBYTES); memcpy(hashinput+PUBLICKEYBYTES, peer_handshake_key->p, PUBLICKEYBYTES); diff --git a/src/sha256.c b/src/sha256.c new file mode 100644 index 0000000..639185c --- /dev/null +++ b/src/sha256.c @@ -0,0 +1,139 @@ +/* + Copyright (c) 2012-2013, Matthias Schiffer + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + 2. Redistributions in binary form must reproduce the above copyright notice, + this list of conditions and the following disclaimer in the documentation + and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" + AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE + FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER + CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE + OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +*/ + + +#include "sha256.h" + +#include +#include +#include + +#include + + +static inline uint32_t rotr(uint32_t x, int r) { + return (x >> r) | (x << (32-r)); +} + +void fastd_sha256_blocks(uint8_t out[FASTD_SHA256_HASH_BYTES], ...) { + static const uint32_t k[64] = { + 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5, + 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174, + 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da, + 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967, + 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85, + 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070, + 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3, + 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2 + }; + + uint32_t h[8] = { + 0x6a09e667, + 0xbb67ae85, + 0x3c6ef372, + 0xa54ff53a, + 0x510e527f, + 0x9b05688c, + 0x1f83d9ab, + 0x5be0cd19 + }; + unsigned count = 0, i; + va_list ap; + const uint32_t *in1, *in2; + + va_start(ap, out); + + do { + uint32_t w[64], v[8]; + + in1 = va_arg(ap, const uint32_t*); + + if (in1) { + count++; + in2 = va_arg(ap, const uint32_t*); + + if (in2) + count++; + } + else { + in2 = NULL; + } + + if (in1) { + for (i = 0; i < 8; i++) + w[i] = ntohl(in1[i]); + } + else { + w[0] = 0x80000000; + memset(w+1, 0, 7*sizeof(uint32_t)); + } + + if (in2) { + for (i = 0; i < 8; i++) + w[i+8] = ntohl(in2[i]); + } + else { + w[8] = in1 ? 0x80000000 : 0; + memset(w+9, 0, 6*sizeof(uint32_t)); + w[15] = count << 8; + } + + for (i = 16; i < 64; i++) { + uint32_t s0 = rotr(w[i-15], 7) ^ rotr(w[i-15], 18) ^ (w[i-15] >> 3); + uint32_t s1 = rotr(w[i-2], 17) ^ rotr(w[i-2], 19) ^ (w[i-2] >> 10); + w[i] = w[i-16] + s0 + w[i-7] + s1; + } + + memcpy(v, h, sizeof(v)); + + for (i = 0; i < 64; i++) { + uint32_t s1 = rotr(v[4], 6) ^ rotr(v[4], 11) ^ rotr(v[4], 25); + uint32_t ch = (v[4] & v[5]) ^ ((~v[4]) & v[6]); + uint32_t temp1 = v[7] + s1 + ch + k[i] + w[i]; + uint32_t s0 = rotr(v[0], 2) ^ rotr(v[0], 13) ^ rotr(v[0], 22); + uint32_t maj = (v[0] & v[1]) ^ (v[0] & v[2]) ^ (v[1] & v[2]); + uint32_t temp2 = s0 + maj; + + v[7] = v[6]; + v[6] = v[5]; + v[5] = v[4]; + v[4] = v[3] + temp1; + v[3] = v[2]; + v[2] = v[1]; + v[1] = v[0]; + v[0] = temp1 + temp2; + } + + for (i = 0; i < 8; i++) + h[i] += v[i]; + + } while (in1 && in2); + + va_end(ap); + + uint32_t *out32 = (uint32_t*)out; + for (i = 0; i < 8; i++) + out32[i] = htonl(h[i]); +} diff --git a/src/sha256.h b/src/sha256.h new file mode 100644 index 0000000..c6acadb --- /dev/null +++ b/src/sha256.h @@ -0,0 +1,39 @@ +/* + Copyright (c) 2012-2013, Matthias Schiffer + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + 2. Redistributions in binary form must reproduce the above copyright notice, + this list of conditions and the following disclaimer in the documentation + and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" + AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE + FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER + CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE + OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +*/ + + +#ifndef _FASTD_SHA256_H_ +#define _FASTD_SHA256_H_ + +#include + + +#define FASTD_SHA256_HASH_BYTES 32 +#define FASTD_SHA256_HASH_BLOCK_BYTES 32 + + +void fastd_sha256_blocks(uint8_t out[FASTD_SHA256_HASH_BYTES], ...); + +#endif /* _FASTD_SHA256_H_ */ -- cgit v1.2.3