From 6adbabaebd88e44bae8962703d2a5a74bb538c52 Mon Sep 17 00:00:00 2001 From: truthixify Date: Sun, 29 Dec 2024 08:36:16 +0100 Subject: [PATCH] no_std md6 implementation --- Cargo.lock | 9 + Cargo.toml | 1 + md6/.gitignore | 1 - md6/Cargo.toml | 27 ++ md6/README.md | 0 md6/src/compress.rs | 233 ++++++++++++++ md6/src/consts.rs | 21 ++ md6/src/lib.rs | 43 ++- md6/src/md6.rs | 684 ++++++++++++++++++++++++++-------------- md6/src/md6_compress.rs | 331 ------------------- md6/src/md6_consts.rs | 22 -- 11 files changed, 781 insertions(+), 591 deletions(-) delete mode 100644 md6/.gitignore create mode 100644 md6/README.md create mode 100644 md6/src/compress.rs create mode 100644 md6/src/consts.rs delete mode 100644 md6/src/md6_compress.rs delete mode 100644 md6/src/md6_consts.rs diff --git a/Cargo.lock b/Cargo.lock index f53521082..36b63ab9e 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -244,6 +244,15 @@ dependencies = [ "hex-literal", ] +[[package]] +name = "md6" +version = "0.1.0" +dependencies = [ + "base16ct", + "digest", + "hex-literal", +] + [[package]] name = "ppv-lite86" version = "0.2.20" diff --git a/Cargo.toml b/Cargo.toml index e13018a46..3222cccfb 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -12,6 +12,7 @@ members = [ "md2", "md4", "md5", + "md6", "ripemd", "sha1", "sha1-checked", diff --git a/md6/.gitignore b/md6/.gitignore deleted file mode 100644 index ea8c4bf7f..000000000 --- a/md6/.gitignore +++ /dev/null @@ -1 +0,0 @@ -/target diff --git a/md6/Cargo.toml b/md6/Cargo.toml index 1f924e6b2..b338a5a44 100644 --- a/md6/Cargo.toml +++ b/md6/Cargo.toml @@ -1,6 +1,33 @@ [package] name = "md6" version = "0.1.0" +description = "MD6 hash function" +authors = ["RustCrypto Developers"] +license = "MIT OR Apache-2.0" +readme = "README.md" edition = "2021" +repository = "https://github.com/RustCrypto/hashes" +keywords = ["crypto", "md5", "hash", "digest"] +categories = ["cryptography", "no-std"] +rust-version = "1.81" + +[lib] +name = "md6" [dependencies] +digest = "=0.11.0-pre.9" + +[dev-dependencies] +digest = { version = "=0.11.0-pre.9", features = ["dev"] } +hex-literal = "0.4" +base16ct = { version = "0.2", features = ["alloc"] } + +[features] +default = ["oid", "std"] +std = ["digest/std"] +oid = ["digest/oid"] +zeroize = ["digest/zeroize"] + +[package.metadata.docs.rs] +all-features = true +rustdoc-args = ["--cfg", "docsrs"] diff --git a/md6/README.md b/md6/README.md new file mode 100644 index 000000000..e69de29bb diff --git a/md6/src/compress.rs b/md6/src/compress.rs new file mode 100644 index 000000000..10c96e536 --- /dev/null +++ b/md6/src/compress.rs @@ -0,0 +1,233 @@ +use crate::consts::*; + +const W: usize = MD6_W; // number of bits in a word (64) +const C: usize = MD6_C; // size of compression output in words (16) +const N: usize = MD6_N; // size of compression input block in words (89) +const Q: usize = MD6_Q; // Q words in a compression block (>= 0) (15) +const K: usize = MD6_K; // key words per compression block (>= 0) (8) +const U: usize = MD6_U; // words for unique node ID (0 or 64/w) +const V: usize = MD6_V; // words for control word (0 or 64/w) +const B: usize = MD6_B; // data words per compression block (> 0) (64) + +const T0: usize = 17; // index for linear feedback +const T1: usize = 18; // index for first input to first and +const T2: usize = 21; // index for second input to first and +const T3: usize = 31; // index for first input to second and +const T4: usize = 67; // index for second input to second and +const T5: usize = 89; // last tap + +macro_rules! call_loop_bodies { + ($w: ident, $s: expr, $i: expr) => { + if $w == 64 { + loop_body!(10, 11, 0, $s, $i); + loop_body!(5, 24, 1, $s, $i); + loop_body!(13, 9, 2, $s, $i); + loop_body!(10, 16, 3, $s, $i); + loop_body!(11, 15, 4, $s, $i); + loop_body!(12, 9, 5, $s, $i); + loop_body!(2, 27, 6, $s, $i); + loop_body!(7, 15, 7, $s, $i); + loop_body!(14, 6, 8, $s, $i); + loop_body!(15, 2, 9, $s, $i); + loop_body!(7, 29, 10, $s, $i); + loop_body!(13, 8, 11, $s, $i); + loop_body!(11, 15, 12, $s, $i); + loop_body!(7, 5, 13, $s, $i); + loop_body!(6, 31, 14, $s, $i); + loop_body!(12, 9, 15, $s, $i); + } else if $w == 32 { + loop_body!(5, 4, 0, $s, $i); + loop_body!(3, 7, 1, $s, $i); + loop_body!(6, 7, 2, $s, $i); + loop_body!(5, 9, 3, $s, $i); + loop_body!(4, 13, 4, $s, $i); + loop_body!(6, 8, 5, $s, $i); + loop_body!(7, 4, 6, $s, $i); + loop_body!(3, 14, 7, $s, $i); + loop_body!(5, 7, 8, $s, $i); + loop_body!(6, 4, 9, $s, $i); + loop_body!(5, 8, 10, $s, $i); + loop_body!(5, 11, 11, $s, $i); + loop_body!(4, 5, 12, $s, $i); + loop_body!(6, 8, 13, $s, $i); + loop_body!(7, 2, 14, $s, $i); + loop_body!(5, 11, 15, $s, $i); + } else if $w == 16 { + loop_body!(5, 6, 0, $s, $i); + loop_body!(4, 7, 1, $s, $i); + loop_body!(3, 2, 2, $s, $i); + loop_body!(5, 4, 3, $s, $i); + loop_body!(7, 2, 4, $s, $i); + loop_body!(5, 6, 5, $s, $i); + loop_body!(5, 3, 6, $s, $i); + loop_body!(2, 7, 7, $s, $i); + loop_body!(4, 5, 8, $s, $i); + loop_body!(3, 7, 9, $s, $i); + loop_body!(4, 6, 10, $s, $i); + loop_body!(3, 5, 11, $s, $i); + loop_body!(4, 5, 12, $s, $i); + loop_body!(7, 6, 13, $s, $i); + loop_body!(7, 4, 14, $s, $i); + loop_body!(2, 3, 15, $s, $i); + } else if $w == 8 { + loop_body!(3, 2, 0, $s, $i); + loop_body!(3, 4, 1, $s, $i); + loop_body!(3, 2, 2, $s, $i); + loop_body!(4, 3, 3, $s, $i); + loop_body!(3, 2, 4, $s, $i); + loop_body!(3, 2, 5, $s, $i); + loop_body!(3, 2, 6, $s, $i); + loop_body!(3, 4, 7, $s, $i); + loop_body!(2, 3, 8, $s, $i); + loop_body!(2, 3, 9, $s, $i); + loop_body!(3, 2, 10, $s, $i); + loop_body!(2, 3, 11, $s, $i); + loop_body!(2, 3, 12, $s, $i); + loop_body!(3, 4, 13, $s, $i); + loop_body!(2, 3, 14, $s, $i); + loop_body!(3, 4, 15, $s, $i); + } + }; +} + +fn get_s_constants(ws: usize) -> (Md6Word, Md6Word) { + match ws { + 64 => (0x0123456789abcdef, 0x7311c2812425cfa0), + 32 => (0x01234567, 0x7311c281), + 16 => (0x01234, 0x7311), + 8 => (0x01, 0x73), + _ => panic!("bad w"), + } +} + +fn main_compression_loop(a: &mut [Md6Word], r: usize) { + macro_rules! loop_body { + ($rs: expr, $ls: expr, $step: expr, $s: expr, $i: expr) => { + let mut x = $s; // feedback constant + x ^= a[$i + $step - T5]; // end-around feedback + x ^= a[$i + $step - T0]; // linear feedback + x ^= (a[$i + $step - T1] & a[$i + $step - T2]); // first quadratic term + x ^= (a[$i + $step - T3] & a[$i + $step - T4]); // second quadratic term + x ^= x >> $rs; // right shift + a[$i + $step] = x ^ (x << $ls); // left shift + }; + } + + // Get the initial values for `s` and `smask` based on the width `w`. + let (mut s, smask) = get_s_constants(W); + + let mut i = N; + let mut j = 0; + + while j < r * C { + // Call the loop bodies based on the value of `w`. + // This will perform the main computation for each step in the compression loop. + call_loop_bodies!(W, s, i); + + // Advance round constant s to the next round constant. + s = (s << 1) ^ (s >> (W - 1)) ^ (s & smask); + i += 16; + j += C; + } +} + +pub fn compress(c: &mut [Md6Word], n: &mut [Md6Word], r: usize, a: &mut [Md6Word]) { + // check that the input is sensible + assert!(!n.is_empty()); + assert!(!n.is_empty()); + assert!(r <= MD6_MAX_R); + assert!(!a.is_empty()); + + a[..n.len()].copy_from_slice(n); // copy n to front of a + + main_compression_loop(a, r); // do the main computation + + c.copy_from_slice(&a[((r - 1) * C + N)..((r - 1) * C + N + C)]); // output into c +} + +fn make_control_word( + r: usize, + l: usize, + z: usize, + p: usize, + keylen: usize, + d: usize, +) -> Md6ControlWord { + (0 as Md6ControlWord) << 60 // reserved width 4 bits + | (r as Md6ControlWord) << 48 // r width 12 bits + | (l as Md6ControlWord) << 40 // L width 8 bits + | (z as Md6ControlWord) << 36 // z width 4 bits + | (p as Md6ControlWord) << 20 // p width 16 bits + | (keylen as Md6ControlWord) << 12 // keylen width 8 bits + | (d as Md6ControlWord) // d width 12 bits +} + +pub fn make_node_id(ell: usize, i: Md6Word) -> Md6NodeID { + (ell as Md6NodeID) << 56 | i // ell width 8 bits, i width 56 bits +} + +pub fn pack( + n: &mut [Md6Word], + q: &[Md6Word], + k: [Md6Word; K], + ell: usize, + i: Md6Word, + r: usize, + l: usize, + z: usize, + p: usize, + keylen: usize, + d: usize, + b: [Md6Word; 64], +) { + let mut ni = 0; + + n[ni..ni + Q].copy_from_slice(&q[..Q]); // q: q in words 0--14 + ni += Q; + + n[ni..ni + K].copy_from_slice(&k[..K]); // k: key in words 15--22 + ni += K; + + let u = make_node_id(ell, i); // u: unique node ID in 23 + n[ni] = u; + ni += U; + + let v = make_control_word(r, l, z, p, keylen, d); // v: control word in 24 + n[ni] = v; + ni += V; + + n[ni..ni + B].copy_from_slice(&b[..B]); // b: data words 25--88 +} + +pub fn standard_compress( + c: &mut [Md6Word], + q: &[Md6Word], + k: [Md6Word; K], + ell: usize, + i: Md6Word, + r: usize, + l: usize, + z: usize, + p: usize, + keylen: usize, + d: usize, + b: [Md6Word; 64], +) { + let mut n = [0; MD6_N]; + let mut a = [0; 5000]; + + // check that the input values are sensible + assert!(!c.is_empty()); + assert!(!q.is_empty()); + assert!(!b.is_empty()); + assert!(r <= MD6_MAX_R); + assert!(l <= 255); + assert!(ell <= 255); + assert!(p <= B * W); + assert!(d <= C * W / 2); + assert!(!k.is_empty()); + + pack(&mut n, q, k, ell, i, r, l, z, p, keylen, d, b); // pack input data into N + + compress(c, &mut n, r, &mut a); // compress +} diff --git a/md6/src/consts.rs b/md6/src/consts.rs new file mode 100644 index 000000000..307b3d281 --- /dev/null +++ b/md6/src/consts.rs @@ -0,0 +1,21 @@ +/// MD6 constants related to standard mode of operation + +pub(crate) type Md6Word = u64; +pub(crate) type Md6ControlWord = u64; +pub(crate) type Md6NodeID = u64; + +pub(crate) const MD6_MAX_STACK_HEIGHT: usize = 29; // maximum stack height +pub(crate) const MD6_MAX_R: usize = 255; // maximum number of rounds +pub(crate) const MD6_DEFAULT_L: usize = 64; // large so that MD6 is fully hierarchical + +pub(crate) const MD6_W: usize = 64; // number of bits in a word +pub(crate) const MD6_C: usize = 16; // size of compression output in words +pub(crate) const MD6_N: usize = 89; // size of compression input block in words + +/// These five values give lengths of the components of compression +/// input block; they should sum to MD6_N. +pub(crate) const MD6_Q: usize = 15; // Q words in a compression block (>= 0) +pub(crate) const MD6_K: usize = 8; // key words per compression block (>= 0) +pub(crate) const MD6_U: usize = 64 / MD6_W; // words for unique node ID (0 or 64/w) +pub(crate) const MD6_V: usize = 64 / MD6_W; // words for control word (0 or 64/w) +pub(crate) const MD6_B: usize = 64; // data words per compression block (> 0) diff --git a/md6/src/lib.rs b/md6/src/lib.rs index f157d35f0..2c22534fa 100644 --- a/md6/src/lib.rs +++ b/md6/src/lib.rs @@ -1,13 +1,38 @@ -// Adapted from the original C code: https://github.com/brbsh/samp-plugin-md6 +#![no_std] +#![doc = include_str!("../README.md")] +#![doc( + html_logo_url = "https://raw.githubusercontent.com/RustCrypto/media/6ee8e381/logo.svg", + html_favicon_url = "https://raw.githubusercontent.com/RustCrypto/media/6ee8e381/logo.svg" +)] +#![cfg_attr(docsrs, feature(doc_auto_cfg))] +#![warn(missing_docs, rust_2018_idioms)] +mod compress; +pub(crate) mod consts; +mod md6; -#![allow(non_snake_case)] -#![allow(non_upper_case_globals)] -#![allow(non_camel_case_types)] +use digest::{ + consts::{U16, U28, U32, U48, U64, U8}, + core_api::{CoreWrapper, CtVariableCoreWrapper, RtVariableCoreWrapper}, +}; -mod md6; -mod md6_compress; -mod md6_consts; +pub use digest::{Digest, Update, VariableOutput}; + +use crate::md6::Md6VarCore; -pub use md6::*; -pub use md6_compress::*; +/// Md6 which allows variable output size at runtime +pub type Md6Var = RtVariableCoreWrapper; +/// Core hash function for Md6 generic over output size +pub type Md6Core = CtVariableCoreWrapper; +/// Md6 with 64-bit output +pub type Md6_64 = CoreWrapper>; +/// Md6 with 128-bit output +pub type Md6_128 = CoreWrapper>; +/// Md6 with 224-bit output +pub type Md6_224 = CoreWrapper>; +/// Md6 with 256-bit output +pub type Md6_256 = CoreWrapper>; +/// Md6 with 384-bit output +pub type Md6_384 = CoreWrapper>; +/// Md6 with 512-bit output +pub type Md6_512 = CoreWrapper>; diff --git a/md6/src/md6.rs b/md6/src/md6.rs index fc8e1bb92..2a5f12b7f 100644 --- a/md6/src/md6.rs +++ b/md6/src/md6.rs @@ -1,75 +1,340 @@ -use crate::md6_compress::*; -use crate::md6_consts::*; - -const w: usize = md6_w; // number of bits in a word (64) -const c: usize = md6_c; // size of compression output in words (16) -const k: usize = md6_k; // key words per compression block (8) -const b: usize = md6_b; // data words per compression block (64) - -pub struct MD6State { +use crate::compress::*; +use crate::consts::*; + +use core::fmt; +use digest::{ + block_buffer::Eager, + core_api::{ + AlgorithmName, Block, BlockSizeUser, Buffer, BufferKindUser, OutputSizeUser, Reset, + TruncSide, UpdateCore, VariableOutputCore, + }, + crypto_common::hazmat::{DeserializeStateError, SerializableState, SerializedState}, + typenum::{Unsigned, U128, U64}, + HashMarker, Output, +}; + +const W: usize = MD6_W; // number of bits in a word (64) +const C: usize = MD6_C; // size of compression output in words (16) +const K: usize = MD6_K; // key words per compression block (8) +const B: usize = MD6_B; // data words per compression block (64) + +pub struct Md6VarCore { d: usize, hashbitlen: usize, - hashval: [u8; c * (w / 8)], - hexhashval: [char; c * (w / 8) + 1], + hashval: [u8; C * (W / 8)], + hexhashval: [char; C * (W / 8) + 1], initialized: bool, bits_processed: usize, compression_calls: usize, finalized: bool, - K: [md6_word; k], + k: [Md6Word; K], keylen: usize, - L: usize, + l: usize, r: usize, top: usize, - B: [[md6_word; b]; md6_max_stack_height], - bits: [usize; md6_max_stack_height], - i_for_level: [md6_word; md6_max_stack_height], + b: [[Md6Word; B]; MD6_MAX_STACK_HEIGHT], + bits: [usize; MD6_MAX_STACK_HEIGHT], + i_for_level: [u64; MD6_MAX_STACK_HEIGHT], +} + +impl HashMarker for Md6VarCore {} + +impl BlockSizeUser for Md6VarCore { + type BlockSize = U128; +} + +impl BufferKindUser for Md6VarCore { + type BufferKind = Eager; +} + +impl OutputSizeUser for Md6VarCore { + type OutputSize = U64; +} + +impl UpdateCore for Md6VarCore { + #[inline] + fn update_blocks(&mut self, blocks: &[Block]) { + for block in blocks { + self.update(block, block.len() * 8); + } + } +} + +impl VariableOutputCore for Md6VarCore { + const TRUNC_SIDE: TruncSide = TruncSide::Left; + + #[inline] + fn new(output_size: usize) -> Result { + if output_size > Self::OutputSize::USIZE { + return Err(digest::InvalidOutputSize); + } + + Ok(Self::init(output_size * 8)) + } + + #[inline] + fn finalize_variable_core(&mut self, buffer: &mut Buffer, out: &mut Output) { + let databitlen = buffer.get_pos() * 8; + let block = buffer.pad_with_zeros(); + self.update(&block, databitlen); + + // Create a temporary buffer to store the hash value + let mut hashval = [0u8; 128]; + + // Finalize the hash computation + self.finalize(&mut hashval); + + // Copy the resulting hash value into the output slice + for (i, o) in out.iter_mut().enumerate() { + *o = hashval[i]; + } + } +} + +impl AlgorithmName for Md6VarCore { + fn write_alg_name(f: &mut core::fmt::Formatter<'_>) -> core::fmt::Result { + f.write_str("Md6") + } +} + +impl Default for Md6VarCore { + #[inline] + fn default() -> Self { + Self::init(256) + } +} + +impl Reset for Md6VarCore { + #[inline] + fn reset(&mut self) { + *self = Self::init(self.d); + } +} + +impl fmt::Debug for Md6VarCore { + fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { + f.write_str("Md6Core { ... }") + } +} + +impl Drop for Md6VarCore { + fn drop(&mut self) { + #[cfg(feature = "zeroize")] + { + self.hashval.zeroize(); + self.hexhashval.zeroize(); + self.k.zeroize(); + self.b.zeroize(); + self.bits.zeroize(); + self.i_for_level.zeroize(); + self.d.zeroize(); + self.hashbitlen.zeroize(); + self.keylen.zeroize(); + self.l.zeroize(); + self.r.zeroize(); + self.top.zeroize(); + self.compression_calls.zeroize(); + self.bits_processed.zeroize(); + self.initialized.zeroize(); + self.finalized.zeroize(); + } + } +} + +impl SerializableState for Md6VarCore { + type SerializedStateSize = U64; + + fn serialize(&self) -> SerializedState { + let mut serialized_state = SerializedState::::default(); + + // Serialize usize fields + serialized_state.copy_from_slice(&self.d.to_le_bytes()); + serialized_state.copy_from_slice(&self.hashbitlen.to_le_bytes()); + serialized_state.copy_from_slice(&self.bits_processed.to_le_bytes()); + serialized_state.copy_from_slice(&self.compression_calls.to_le_bytes()); + serialized_state.copy_from_slice(&self.keylen.to_le_bytes()); + serialized_state.copy_from_slice(&self.l.to_le_bytes()); + serialized_state.copy_from_slice(&self.r.to_le_bytes()); + serialized_state.copy_from_slice(&self.top.to_le_bytes()); + + // Serialize boolean fields + serialized_state.copy_from_slice(&(self.initialized as u8).to_le_bytes()); + serialized_state.copy_from_slice(&(self.finalized as u8).to_le_bytes()); + + // Serialize arrays + serialized_state.copy_from_slice(&self.hashval); + for &c in &self.hexhashval { + serialized_state.copy_from_slice(&(c as u32).to_le_bytes()); + } + for &word in &self.k { + serialized_state.copy_from_slice(&word.to_le_bytes()); + } + for row in &self.b { + for &word in row { + serialized_state.copy_from_slice(&word.to_le_bytes()); + } + } + for &bit in &self.bits { + serialized_state.copy_from_slice(&bit.to_le_bytes()); + } + for &level in &self.i_for_level { + serialized_state.copy_from_slice(&level.to_le_bytes()); + } + + serialized_state + } + + fn deserialize( + serialized_state: &SerializedState, + ) -> Result { + let mut offset = 0; + + // Helper function to read a usize from the serialized state + fn read_usize(serialized_state: &[u8], offset: &mut usize) -> usize { + let size = core::mem::size_of::(); + let mut buf = [0u8; core::mem::size_of::()]; + buf.copy_from_slice(&serialized_state[*offset..*offset + size]); + *offset += size; + usize::from_le_bytes(buf) + } + + // Helper function to read a u64 from the serialized state + fn read_u64(serialized_state: &[u8], offset: &mut usize) -> u64 { + let size = 8; + let mut buf = [0u8; 8]; + buf.copy_from_slice(&serialized_state[*offset..*offset + size]); + *offset += size; + u64::from_le_bytes(buf) + } + + // Helper function to read a boolean from the serialized state + fn read_bool(serialized: &[u8], offset: &mut usize) -> bool { + let val = serialized[*offset]; + *offset += 1; + val != 0 + } + + // Deserialize usize fields + let d = read_usize(serialized_state, &mut offset); + let hashbitlen = read_usize(serialized_state, &mut offset); + let bits_processed = read_usize(serialized_state, &mut offset); + let compression_calls = read_usize(serialized_state, &mut offset); + let keylen = read_usize(serialized_state, &mut offset); + let l = read_usize(serialized_state, &mut offset); + let r = read_usize(serialized_state, &mut offset); + let top = read_usize(serialized_state, &mut offset); + + // Deserialize boolean fields + let initialized = read_bool(serialized_state, &mut offset); + let finalized = read_bool(serialized_state, &mut offset); + + // Deserialize arrays + let hashval_len = C * (W / 8); + let mut hashval = [0u8; C * (W / 8)]; + hashval.copy_from_slice(&serialized_state[offset..offset + hashval_len]); + offset += hashval_len; + + let mut hexhashval = ['\0'; C * (W / 8) + 1]; + for c in &mut hexhashval { + let size = 4; + let mut buf = [0u8; 4]; + buf.copy_from_slice(&serialized_state[offset..offset + size]); + offset += size; + *c = char::from_u32(u32::from_le_bytes(buf)).expect("invalid char in serialized state"); + } + + let mut k = [0u64; K]; + for word in &mut k { + *word = read_u64(&serialized_state, &mut offset); + } + + let mut b = [[0u64; B]; MD6_MAX_STACK_HEIGHT]; + for row in &mut b { + for word in row.iter_mut() { + *word = read_u64(serialized_state, &mut offset); + } + } + + let mut bits = [0usize; MD6_MAX_STACK_HEIGHT]; + for bit in &mut bits { + *bit = read_usize(serialized_state, &mut offset); + } + + let mut i_for_level = [0u64; MD6_MAX_STACK_HEIGHT]; + for level in &mut i_for_level { + *level = read_u64(serialized_state, &mut offset); + } + + Ok(Self { + d, + hashbitlen, + hashval, + hexhashval, + initialized, + bits_processed, + compression_calls, + finalized, + k, + keylen, + l, + r, + top, + b, + bits, + i_for_level, + }) + } } -impl MD6State { - pub fn init(d: usize) -> Self { +impl Md6VarCore { + #[inline] + fn init(d: usize) -> Self { // - Self::full_init(d, None, 0, md6_default_L, md6_default_r(d, 0)) + Self::full_init(d, None, 0, MD6_DEFAULT_L, default_r(d, 0)) } - pub fn full_init(d: usize, key: Option>, keylen: usize, L: usize, r: usize) -> Self { + #[inline] + fn full_init(d: usize, key: Option<&[u8]>, keylen: usize, l: usize, r: usize) -> Self { if key.is_some() { - assert!(keylen <= k * (w / 8), "bad keylen"); + assert!(keylen <= K * (W / 8), "bad keylen"); } - assert!(!(d < 1 || d > 512 || d > w * c / 2), "bad hashlen"); + assert!(!(d < 1 || d > 512 || d > W * C / 2), "bad hashlen"); - let (K, keylen) = match key { + let (k, keylen) = match key { Some(key) if keylen > 0 => { - let mut key_bytes = vec![0x00; 64]; + let mut key_bytes = [0x00; 64]; key_bytes[..keylen.min(64)].copy_from_slice(&key[..keylen.min(64)]); - let k_words = bytes_to_words(&key_bytes); + let mut k_words = [0; K]; + + bytes_to_words(&key_bytes, &mut k_words); - (k_words.try_into().unwrap(), keylen) + (k_words, keylen) } - _ => ([0u64; k], 0), + _ => ([0u64; K], 0), }; - assert!(L <= 255, "bad L"); + assert!(l <= 255, "bad L"); assert!(r <= 255, "bad r"); let initialized = true; let finalized = false; let compression_calls = 0; let bits_processed = 0; - let hexhashval = ['\n'; c * (w / 8) + 1]; - let hashval = [0; c * (w / 8)]; + let hexhashval = ['\n'; C * (W / 8) + 1]; + let hashval = [0; C * (W / 8)]; let hashbitlen = 0; let top = 1; - let mut bits = [0; md6_max_stack_height]; - if L == 0 { - bits[1] = c * w + let mut bits = [0; MD6_MAX_STACK_HEIGHT]; + if l == 0 { + bits[1] = C * W }; - let B = [[0; b]; md6_max_stack_height]; - let i_for_level = [0; md6_max_stack_height]; + let b = [[0; B]; MD6_MAX_STACK_HEIGHT]; + let i_for_level = [0; MD6_MAX_STACK_HEIGHT]; - MD6State { + Md6VarCore { d, hashbitlen, hashval, @@ -78,48 +343,50 @@ impl MD6State { bits_processed, compression_calls, finalized, - K, + k, keylen, - L, + l, r, top, - B, + b, bits, i_for_level, } } - fn compress_block(&mut self, C: &mut Vec, ell: usize, z: usize) { + #[inline] + fn compress_block(&mut self, c: &mut [u64], ell: usize, z: usize) { // check that input values are sensible assert!(self.initialized, "state not init"); - assert!(ell < md6_max_stack_height + 1, "stackoverflow"); + assert!(ell < MD6_MAX_STACK_HEIGHT + 1, "stackoverflow"); self.compression_calls += 1; - let p = b * w - self.bits[ell]; // number of padding bits - let Q = get_Q(w); // Q constant + let p = B * W - self.bits[ell]; // number of padding bits + let q = get_round_constants(W); // Q constant - md6_standard_compress( - C, - Q, - self.K, + standard_compress( + c, + q, + self.k, ell, self.i_for_level[ell], self.r, - self.L, + self.l, z, p, self.keylen, self.d, - self.B[ell], + self.b[ell], ); self.bits[ell] = 0; // clear bits used count this level self.i_for_level[ell] += 1; // increment i for this level - self.B[ell] = [0; w]; // clear B for this level + self.b[ell] = [0; W]; // clear B for this level } + #[inline] fn process(&mut self, ell: usize, is_final: bool) { // check that input values are sensible assert!(self.initialized, "state not init"); @@ -127,47 +394,43 @@ impl MD6State { // not final -- more input will be coming if !is_final { // if this is a leaf, then we're done - if self.bits[ell] < b * w { + if self.bits[ell] < B * W { return; } - } else { - if ell == self.top { - if ell == self.L + 1 { - /* SEQ node */ - if self.bits[ell] == c * w && self.i_for_level[ell] > 0 { - return; - } - } else { - if ell > 1 && self.bits[ell] == c * w { - return; - } + } else if ell == self.top { + if ell == self.l + 1 { + // SEQ node + if self.bits[ell] == C * W && self.i_for_level[ell] > 0 { + return; } + } else if ell > 1 && self.bits[ell] == C * W { + return; } } - let mut C = vec![0x00; c]; // compression output - let z = if is_final && ell == self.top { 1 } else { 0 }; // is this the last block? + let mut c = [0x00; C]; // compression output + let z = if is_final && ell == self.top { 1 } else { 0 }; // is this the last block - self.compress_block(&mut C, ell, z); // compress block + self.compress_block(&mut c, ell, z); // compress block // if this is the last block, then we're done if z == 1 { - self.hashval = words_to_bytes(&C).try_into().unwrap(); + words_to_bytes(&c, &mut self.hashval); return; } - // where should result go? To "next level" - let next_level = (ell + 1).min(self.L + 1); + // where should result go To "next level" + let next_level = (ell + 1).min(self.l + 1); - if next_level == self.L + 1 + if next_level == self.l + 1 && self.i_for_level[next_level] == 0 && self.bits[next_level] == 0 { - self.bits[next_level] = c * w; + self.bits[next_level] = C * W; } - self.B[next_level] = C.try_into().unwrap(); // copy C onto the next level - self.bits[next_level] += c * w; + self.b[next_level][..C].copy_from_slice(&c); // copy c onto the next level + self.bits[next_level] += C * W; if next_level > self.top { self.top = next_level; @@ -176,14 +439,68 @@ impl MD6State { self.process(next_level, is_final); } - pub fn update(&mut self, data: Vec, databitlen: usize) { + #[inline] + fn append_bits(&mut self, src: &[u8], srclen: usize) { + if srclen == 0 { + return; + } + + let mut accum: u16 = 0; // Accumulates bits waiting to be moved, right-justified + let mut accumlen = 0; // Number of bits in accumulator + let destlen = self.bits[1]; + + // Initialize accum, accumlen, and destination index (di) + if destlen % 8 != 0 { + accumlen = destlen % 8; + accum = self.b[1][destlen / 8] as u16; // Grab partial byte from dest + accum >>= 8 - accumlen; // Right-justify it in accumulator + } + let mut di = destlen / 8; // Index of where next byte will go within dest + + // Ensure dest has enough space + let new_len = (destlen + srclen + 7) / 8; + if self.b[1].len() < new_len { + panic!("destination buffer is too small"); + } + + // Number of bytes (full or partial) in src + let srcbytes = (srclen + 7) / 8; + + for i in 0..srcbytes { + if i != srcbytes - 1 { + // Not the last byte + accum = (accum << 8) ^ src[i] as u16; + accumlen += 8; + } else { + // Last byte + let newbits = if srclen % 8 == 0 { 8 } else { srclen % 8 }; + accum = (accum << newbits) ^ ((src[i] as u16) >> (8 - newbits)); + accumlen += newbits; + } + + // Process as many high-order bits of accum as possible + while (i != srcbytes - 1 && accumlen >= 8) || (i == srcbytes - 1 && accumlen > 0) { + let numbits = 8.min(accumlen); + let mut bits = accum >> (accumlen - numbits); // Right justified + bits <<= 8 - numbits; // Left justified + bits &= 0xff00 >> numbits; // Mask + let bits = bits as u8; + self.b[1][di] = bits as u64; // Save + di += 1; + accumlen -= numbits; + } + } + } + + #[inline] + fn update(&mut self, data: &[u8], databitlen: usize) { // check that input values are sensible assert!(self.initialized, "state not init"); assert!(!data.is_empty(), "null data"); let mut j = 0; while j < databitlen { - let portion_size = (databitlen - j).min(b * w - self.bits[1]); + let portion_size = (databitlen - j).min(B * W - self.bits[1]); if (portion_size % 8 == 0) && (self.bits[1] % 8 == 0) && (j % 8 == 0) { let start = j / 8; let end = start + portion_size / 8; @@ -195,26 +512,27 @@ impl MD6State { let index_u64 = i / 8; let shift_amount = (7 - i % 8) * 8; - self.B[1][(self.bits[1] / 64) + index_u64] |= (byte as u64) << shift_amount; + self.b[1][(self.bits[1] / 64) + index_u64] |= (byte as u64) << shift_amount; i += 1; } } else { - append_bits(&mut self.B[1].to_vec(), self.bits[1], &data[j / 8..], portion_size); + self.append_bits(&data[j / 8..], portion_size); } j += portion_size; self.bits[1] += portion_size; self.bits_processed += portion_size; - if self.bits[1] == b * w && j < databitlen { + if self.bits[1] == B * W && j < databitlen { self.process(1, false); } } } + #[inline] fn compute_hex_hashval(&mut self) { - let hex_digits = vec![ + let hex_digits = [ '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f', ]; @@ -226,17 +544,18 @@ impl MD6State { self.hexhashval[(self.d + 3) / 4] = '\n'; } + #[inline] fn trim_hashval(&mut self) { let full_or_partial_bytes = (self.d + 7) / 8; let bits = self.d % 8; // move relevant bytes to the front for i in 0..full_or_partial_bytes { - self.hashval[i] = self.hashval[c * (w / 8) - full_or_partial_bytes + i]; + self.hashval[i] = self.hashval[C * (W / 8) - full_or_partial_bytes + i]; } // zero out following byte - for i in full_or_partial_bytes..(c * (w / 8)) { + for i in full_or_partial_bytes..(C * (W / 8)) { self.hashval[i] = 0; } @@ -244,14 +563,15 @@ impl MD6State { if bits > 0 { for i in 0..full_or_partial_bytes { self.hashval[i] <<= 8 - bits; - if (i + 1) < c * (w / 8) { + if (i + 1) < C * (W / 8) { self.hashval[i] |= self.hashval[i + 1] >> bits; } } } } - pub fn finalize(&mut self, hashval: &mut Vec) { + #[inline] + fn finalize(&mut self, hashval: &mut [u8]) { // check that input values are sensible if !self.initialized { panic!("state not init"); @@ -282,8 +602,8 @@ impl MD6State { // self.trim_hashval(); - if hashval.is_empty() { - hashval.extend(&self.hashval); + if hashval.iter().all(|&x| x == 0) { + hashval.copy_from_slice(&self.hashval); } self.compute_hex_hashval(); @@ -292,10 +612,9 @@ impl MD6State { } } -fn get_Q(wq: usize) -> Vec { - let mut Q = Vec::new(); - if wq == 64 { - Q = vec![ +const fn get_round_constants(w: usize) -> &'static [Md6Word] { + if w == 64 { + &[ 0x7311c2812425cfa0, 0x6432286434aac8e7, 0xb60450e9ef68b7c1, @@ -311,17 +630,17 @@ fn get_Q(wq: usize) -> Vec { 0xc878c1dd04c4b633, 0x3b72066c7a1552ac, 0x0d6f3522631effcb, - ]; - } else if wq == 32 { - Q = vec![ + ] + } else if w == 32 { + &[ 0x7311c281, 0x2425cfa0, 0x64322864, 0x34aac8e7, 0xb60450e9, 0xef68b7c1, 0xe8fb2390, 0x8d9f06f1, 0xdd2e76cb, 0xa691e5bf, 0x0cd0d63b, 0x2c30bc41, 0x1f8ccf68, 0x23058f8a, 0x54e5ed5b, 0x88e3775d, 0x4ad12aae, 0x0a6d6031, 0x3e7f16bb, 0x88222e0d, 0x8af8671d, 0x3fb50c2c, 0x995ad117, 0x8bd25c31, 0xc878c1dd, 0x04c4b633, 0x3b72066c, 0x7a1552ac, 0x0d6f3522, 0x631effcb, ] - } else if wq == 16 { - Q = vec![ + } else if w == 16 { + &[ 0x7311, 0xc281, 0x2425, 0xcfa0, 0x6432, 0x2864, 0x34aa, 0xc8e7, 0xb604, 0x50e9, 0xef68, 0xb7c1, 0xe8fb, 0x2390, 0x8d9f, 0x06f1, 0xdd2e, 0x76cb, 0xa691, 0xe5bf, 0x0cd0, 0xd63b, 0x2c30, 0xbc41, 0x1f8c, 0xcf68, 0x2305, 0x8f8a, 0x54e5, 0xed5b, 0x88e3, 0x775d, 0x4ad1, @@ -329,8 +648,8 @@ fn get_Q(wq: usize) -> Vec { 0x995a, 0xd117, 0x8bd2, 0x5c31, 0xc878, 0xc1dd, 0x04c4, 0xb633, 0x3b72, 0x066c, 0x7a15, 0x52ac, 0x0d6f, 0x3522, 0x631e, 0xffcb, ] - } else if w == 8 { - Q = vec![ + } else if W == 8 { + &[ 0x73, 0x11, 0xc2, 0x81, 0x24, 0x25, 0xcf, 0xa0, 0x64, 0x32, 0x28, 0x64, 0x34, 0xaa, 0xc8, 0xe7, 0xb6, 0x04, 0x50, 0xe9, 0xef, 0x68, 0xb7, 0xc1, 0xe8, 0xfb, 0x23, 0x90, 0x8d, 0x9f, 0x06, 0xf1, 0xdd, 0x2e, 0x76, 0xcb, 0xa6, 0x91, 0xe5, 0xbf, 0x0c, 0xd0, @@ -341,64 +660,12 @@ fn get_Q(wq: usize) -> Vec { 0xc1, 0xdd, 0x04, 0xc4, 0xb6, 0x33, 0x3b, 0x72, 0x06, 0x6c, 0x7a, 0x15, 0x52, 0xac, 0x0d, 0x6f, 0x35, 0x22, 0x63, 0x1e, 0xff, 0xcb, ] - } - - Q -} - -fn append_bits(dest: &mut Vec, destlen: usize, src: &[u8], srclen: usize) { - if srclen == 0 { - return; - } - - let mut accum: u16 = 0; // Accumulates bits waiting to be moved, right-justified - let mut accumlen = 0; // Number of bits in accumulator - - // Initialize accum, accumlen, and destination index (di) - if destlen % 8 != 0 { - accumlen = destlen % 8; - accum = dest[destlen / 8] as u16; // Grab partial byte from dest - accum >>= 8 - accumlen; // Right-justify it in accumulator - } - let mut di = destlen / 8; // Index of where next byte will go within dest - - // Ensure dest has enough space - let new_len = (destlen + srclen + 7) / 8; - if dest.len() < new_len { - dest.resize(new_len, 0); - } - - // Number of bytes (full or partial) in src - let srcbytes = (srclen + 7) / 8; - - for i in 0..srcbytes { - if i != srcbytes - 1 { - // Not the last byte - accum = (accum << 8) | src[i] as u16; - accumlen += 8; - } else { - // Last byte - let newbits = if srclen % 8 == 0 { 8 } else { srclen % 8 }; - accum = (accum << newbits) | ((src[i] as u16) >> (8 - newbits)); - accumlen += newbits; - } - - // Process as many high-order bits of accum as possible - while (i != srcbytes - 1 && accumlen >= 8) || (i == srcbytes - 1 && accumlen > 0) { - let numbits = std::cmp::min(8, accumlen); - let mut bits = (accum >> (accumlen - numbits)) as u16; // Right justified - bits <<= 8 - numbits; // Left justified - bits &= 0xff00 >> numbits; // Mask - let bits = bits as u8; - dest[di] = bits as u64; // Save - di += 1; - accumlen -= numbits; - } + } else { + panic!("bad w") } } - -fn md6_default_r(d: usize, keylen: usize) -> usize { +fn default_r(d: usize, keylen: usize) -> usize { // Default number of rounds is forty plus floor(d/4) let mut r = 40 + (d / 4); @@ -410,89 +677,50 @@ fn md6_default_r(d: usize, keylen: usize) -> usize { r } -fn bytes_to_words(bytes: &[u8]) -> Vec { - // Convert bytes to words - bytes - .chunks(8) - .map(|chunk| { - chunk - .iter() - .rev() - .fold(0u64, |acc, &byte| (acc << 8) | u64::from(byte)) - }) - .collect() -} - -fn words_to_bytes(words: &[u64]) -> Vec { - // Convert words to bytes - words - .iter() - .flat_map(|&word| (0..8).rev().map(move |shift| (word >> (shift * 8)) as u8)) - .collect() -} +fn bytes_to_words(bytes: &[u8], output: &mut [u64]) -> usize { + let mut bytes_len = bytes.len(); -pub fn md6_full_hash( - d: usize, - data: Vec, - databitlen: usize, - key: Option>, - keylen: usize, - L: usize, - r: usize, - hashval: &mut Vec, -) { - let mut st = MD6State::full_init(d, key, keylen, L, r); - st.update(data, databitlen); - st.finalize(hashval); -} + assert!(bytes_len != 0, "input slice should not be null"); -pub fn md6_hash(d: usize, data: Vec, databitlen: usize, hashval: &mut Vec) { - md6_full_hash( - d, - data, - databitlen, - None, - 0, - md6_default_L, - md6_default_r(d, 0), - hashval, + assert!( + core::mem::size_of_val(output) >= bytes_len, + "output slice is too small." ); -} -#[test] -fn test_md6() { - // Test from https://web.archive.org/web/20170812072847/https://groups.csail.mit.edu/cis/md6/submitted-2008-10-27/Supporting_Documentation/md6_report.pdf - let test_vector: [(&str, usize, Option>, usize, usize, usize, &str); 1] = [ - ( - "abc", - 256, - None, - 0, - md6_default_L, - 5, - "8854c14dc284f840ed71ad7ba542855ce189633e48c797a55121a746be48cec8", - ), - ]; - - for (msg, hashbitlen, key, keylen, L, r, expected_hex) in test_vector { - let mut output = vec![]; - - md6_full_hash( - hashbitlen, - msg.as_bytes().to_vec(), - msg.as_bytes().len() * 8, - key, - keylen, - L, - r, - &mut output, - ); + let words_to_write = if bytes_len % size_of::() != 0 { + bytes_len / size_of::() + 1 + } else { + bytes_len / size_of::() + }; + + for i in 0..words_to_write { + let mut word: u64 = 0; + for j in 0..core::cmp::min(size_of::(), bytes_len) { + word |= u64::from(bytes[i * size_of::() + j]) << (8 * (size_of::() - 1 - j)); + } + output[i] = word; - let digest_hex = output[..hashbitlen / 8] - .into_iter() - .map(|o| format!("{:02x}", o)) - .collect::(); + if i != words_to_write - 1 { + bytes_len -= size_of::(); + } + } + + words_to_write +} - assert_eq!(digest_hex, expected_hex); +fn words_to_bytes(words: &[u64], output: &mut [u8]) { + assert!( + output.len() == words.len() * 8, + "output slice is too small." + ); + + for (i, &word) in words.iter().enumerate() { + for shift in (0..8).rev() { + let byte = (word >> (shift * 8)) as u8; + output[i * 8 + (7 - shift)] = byte; + } } } + +#[cfg(feature = "zeroize")] +impl ZeroizeOnDrop for Md6VarCore {} diff --git a/md6/src/md6_compress.rs b/md6/src/md6_compress.rs deleted file mode 100644 index 42b29be9e..000000000 --- a/md6/src/md6_compress.rs +++ /dev/null @@ -1,331 +0,0 @@ -use crate::md6_consts::*; - -const w: usize = md6_w; // number of bits in a word (64) -const c: usize = md6_c; // size of compression output in words (16) -const n: usize = md6_n; // size of compression input block in words (89) -const q: usize = md6_q; // Q words in a compression block (>= 0) (15) -const k: usize = md6_k; // key words per compression block (>= 0) (8) -const u: usize = md6_u; // words for unique node ID (0 or 64/w) -const v: usize = md6_v; // words for control word (0 or 64/w) -const b: usize = md6_b; // data words per compression block (> 0) (64) - -const t0: usize = 17; // index for linear feedback -const t1: usize = 18; // index for first input to first and -const t2: usize = 21; // index for second input to first and -const t3: usize = 31; // index for first input to second and -const t4: usize = 67; // index for second input to second and -const t5: usize = 89; // last tap - -/// Macro to call loop bodies based on the value of `w`. -/// -/// This macro takes three arguments: -/// - `w`: The md6_word parameter which determines the set of loop bodies to call. -/// - `S`: A round constant passed to the `loop_body` macro. -/// - `i`: An index passed to the `loop_body` macro. -/// -/// Depending on the value of `w`, this macro will call a specific set of `loop_body` invocations -/// with predefined parameters. The possible values for `w` are 64, 32, 16, and 8. Each value -/// corresponds to a different set of `loop_body` calls with specific parameters. -/// -/// # Parameters -/// - `w`: The md6_word parameter (must be one of 64, 32, 16, or 8). -/// - `S`: A round constant to be passed to each `loop_body` call. -/// - `i`: An index to be passed to each `loop_body` call. -macro_rules! call_loop_bodies { - ($w: ident, $S: expr, $i: expr) => { - if $w == 64 { - loop_body!(10, 11, 0, $S, $i); - loop_body!(5, 24, 1, $S, $i); - loop_body!(13, 9, 2, $S, $i); - loop_body!(10, 16, 3, $S, $i); - loop_body!(11, 15, 4, $S, $i); - loop_body!(12, 9, 5, $S, $i); - loop_body!(2, 27, 6, $S, $i); - loop_body!(7, 15, 7, $S, $i); - loop_body!(14, 6, 8, $S, $i); - loop_body!(15, 2, 9, $S, $i); - loop_body!(7, 29, 10, $S, $i); - loop_body!(13, 8, 11, $S, $i); - loop_body!(11, 15, 12, $S, $i); - loop_body!(7, 5, 13, $S, $i); - loop_body!(6, 31, 14, $S, $i); - loop_body!(12, 9, 15, $S, $i); - } else if $w == 32 { - loop_body!(5, 4, 0, $S, $i); - loop_body!(3, 7, 1, $S, $i); - loop_body!(6, 7, 2, $S, $i); - loop_body!(5, 9, 3, $S, $i); - loop_body!(4, 13, 4, $S, $i); - loop_body!(6, 8, 5, $S, $i); - loop_body!(7, 4, 6, $S, $i); - loop_body!(3, 14, 7, $S, $i); - loop_body!(5, 7, 8, $S, $i); - loop_body!(6, 4, 9, $S, $i); - loop_body!(5, 8, 10, $S, $i); - loop_body!(5, 11, 11, $S, $i); - loop_body!(4, 5, 12, $S, $i); - loop_body!(6, 8, 13, $S, $i); - loop_body!(7, 2, 14, $S, $i); - loop_body!(5, 11, 15, $S, $i); - } else if $w == 16 { - loop_body!(5, 6, 0, $S, $i); - loop_body!(4, 7, 1, $S, $i); - loop_body!(3, 2, 2, $S, $i); - loop_body!(5, 4, 3, $S, $i); - loop_body!(7, 2, 4, $S, $i); - loop_body!(5, 6, 5, $S, $i); - loop_body!(5, 3, 6, $S, $i); - loop_body!(2, 7, 7, $S, $i); - loop_body!(4, 5, 8, $S, $i); - loop_body!(3, 7, 9, $S, $i); - loop_body!(4, 6, 10, $S, $i); - loop_body!(3, 5, 11, $S, $i); - loop_body!(4, 5, 12, $S, $i); - loop_body!(7, 6, 13, $S, $i); - loop_body!(7, 4, 14, $S, $i); - loop_body!(2, 3, 15, $S, $i); - } else if $w == 8 { - loop_body!(3, 2, 0, $S, $i); - loop_body!(3, 4, 1, $S, $i); - loop_body!(3, 2, 2, $S, $i); - loop_body!(4, 3, 3, $S, $i); - loop_body!(3, 2, 4, $S, $i); - loop_body!(3, 2, 5, $S, $i); - loop_body!(3, 2, 6, $S, $i); - loop_body!(3, 4, 7, $S, $i); - loop_body!(2, 3, 8, $S, $i); - loop_body!(2, 3, 9, $S, $i); - loop_body!(3, 2, 10, $S, $i); - loop_body!(2, 3, 11, $S, $i); - loop_body!(2, 3, 12, $S, $i); - loop_body!(3, 4, 13, $S, $i); - loop_body!(2, 3, 14, $S, $i); - loop_body!(3, 4, 15, $S, $i); - } - }; -} - -/// Returns the initial values for `S` and `Smask` based on the width `ws`. -/// -/// # Parameters -/// - `ws`: The width parameter (must be one of 64, 32, 16, or 8). -/// -/// # Returns -/// A tuple containing the initial values for `S` and `Smask`. -/// -/// # Panics -/// Panics if `ws` is not one of the expected values. -fn get_S_vals(ws: usize) -> (md6_word, md6_word) { - match ws { - 64 => (0x0123456789abcdef, 0x7311c2812425cfa0), - 32 => (0x01234567, 0x7311c281), - 16 => (0x01234, 0x7311), - 8 => (0x01, 0x73), - _ => panic!("bad w"), - } -} - -/// Main compression loop for MD6. -/// -/// This function performs the main compression loop for the MD6 hash function. -/// -/// # Parameters -/// - `A`: A mutable reference to a vector of `md6_word` values. -/// - `r`: The number of rounds to perform. -fn md6_main_compression_loop(A: &mut Vec, r: usize) { - macro_rules! loop_body { - ($rs: expr, $ls: expr, $step: expr, $S: expr, $i: expr) => { - let mut x = $S; // feedback constant - x ^= A[$i + $step - t5]; // end-around feedback - x ^= A[$i + $step - t0]; // linear feedback - x ^= (A[$i + $step - t1] & A[$i + $step - t2]); // first quadratic term - x ^= (A[$i + $step - t3] & A[$i + $step - t4]); // second quadratic term - x ^= x >> $rs; // right shift - A[$i + $step] = x ^ (x << $ls); // left shift - }; - } - - // Get the initial values for `S` and `Smask` based on the width `w`. - let (mut S, Smask) = get_S_vals(w); - - let mut i = n; - let mut j = 0; - - while j < r * c { - // Call the loop bodies based on the value of `w`. - // This will perform the main computation for each step in the compression loop. - call_loop_bodies!(w, S, i); - - // Advance round constant S to the next round constant. - S = (S << 1) ^ (S >> (w - 1)) ^ (S & Smask); - i += 16; - j += c; - } -} - -/// Compresses the input data using the MD6 compression function. -/// -/// # Parameters -/// - `C`: A mutable reference to a vector of `md6_word` values (output). -/// - `N`: A mutable reference to a vector of `md6_word` values (input). -/// - `r`: The number of rounds to perform. -/// - `A`: A mutable reference to a vector of `md6_word` values (working space). -/// -/// # Panics -/// Panics if any of the input vectors are empty or if `r` exceeds `md6_max_r`. -pub fn md6_compress(C: &mut Vec, N: &mut Vec, r: usize, A: &mut Vec) { - // check that the input is sensible - assert!(!N.is_empty()); - assert!(!C.is_empty()); - assert!(r <= md6_max_r); - assert!(!A.is_empty()); - - A[..N.len()].copy_from_slice(&N); // copy N to front of A - - md6_main_compression_loop(A, r); // do the main computation - - C.copy_from_slice(&A[((r - 1) * c + n)..((r - 1) * c + n + c)]); // output into C -} - -/// Creates a control word for the MD6 hash function. -/// -/// # Parameters -/// - `r`: The number of rounds. -/// - `L`: The level of the node. -/// - `z`: The final node indicator. -/// - `p`: The padding length. -/// - `keylen`: The length of the key. -/// - `d`: The digest length. -/// -/// # Returns -/// The control word as an `md6_control_word`. -fn md6_make_control_word( - r: usize, - L: usize, - z: usize, - p: usize, - keylen: usize, - d: usize, -) -> md6_control_word { - let V = (0 as md6_control_word) << 60 // reserved width 4 bits - | (r as md6_control_word) << 48 // r width 12 bits - | (L as md6_control_word) << 40 // L width 8 bits - | (z as md6_control_word) << 36 // z width 4 bits - | (p as md6_control_word) << 20 // p width 16 bits - | (keylen as md6_control_word) << 12 // keylen width 8 bits - | (d as md6_control_word); // d width 12 bits - V -} - -/// Creates a node ID for the MD6 hash function. -/// -/// # Parameters -/// - `ell`: The level of the node. -/// - `i`: The index of the node. -/// -/// # Returns -/// The node ID as an `md6_nodeID`. -pub fn md6_make_nodeID(ell: usize, i: md6_word) -> md6_nodeID { - let U: md6_nodeID = (ell as md6_nodeID) << 56 | i; // ell width 8 bits, i width 56 bits - - U -} - -/// Packs the input data into the `N` vector for the MD6 compression function. -/// -/// # Parameters -/// - `N`: A mutable reference to a vector of `md6_word` values (output). -/// - `Q`: A vector of `md6_word` values (input). -/// - `K`: An array of `md6_word` values (key). -/// - `ell`: The level of the node. -/// - `i`: The index of the node. -/// - `r`: The number of rounds. -/// - `L`: The level of the node. -/// - `z`: The final node indicator. -/// - `p`: The padding length. -/// - `keylen`: The length of the key. -/// - `d`: The digest length. -/// - `B`: An array of `md6_word` values (input block). -pub fn md6_pack( - N: &mut Vec, - Q: Vec, - K: [md6_word; k], - ell: usize, - i: md6_word, - r: usize, - L: usize, - z: usize, - p: usize, - keylen: usize, - d: usize, - B: [md6_word; 64], -) { - let mut ni = 0; - - N[ni..ni + q].copy_from_slice(&Q[..q]); // Q: Q in words 0--14 - ni += q; - - N[ni..ni + k].copy_from_slice(&K[..k]); // K: key in words 15--22 - ni += k; - - let U = md6_make_nodeID(ell, i); // U: unique node ID in 23 - N[ni] = U; - ni += u; - - let V = md6_make_control_word(r, L, z, p, keylen, d); // V: control word in 24 - N[ni] = V; - ni += v; - - N[ni..ni + b].copy_from_slice(&B[..b]); // B: data words 25--88 -} - -/// Standard compression function for the MD6 hash function. -/// -/// # Parameters -/// - `C`: A mutable reference to a vector of `md6_word` values (output). -/// - `Q`: A vector of `md6_word` values (input). -/// - `K`: An array of `md6_word` values (key). -/// - `ell`: The level of the node. -/// - `i`: The index of the node. -/// - `r`: The number of rounds. -/// - `L`: The level of the node. -/// - `z`: The final node indicator. -/// - `p`: The padding length. -/// - `keylen`: The length of the key. -/// - `d`: The digest length. -/// - `B`: An array of `md6_word` values (input block). -/// -/// # Panics -/// Panics if any of the input vectors are empty or if any of the parameters are out of range. -pub fn md6_standard_compress( - C: &mut Vec, - Q: Vec, - K: [md6_word; k], - ell: usize, - i: md6_word, - r: usize, - L: usize, - z: usize, - p: usize, - keylen: usize, - d: usize, - B: [md6_word; 64], -) { - let mut N = vec![0; md6_n]; - let mut A = vec![0; 5000]; - - // check that the input values are sensible - assert!(!C.is_empty()); - assert!(!Q.is_empty()); - assert!(!B.is_empty()); - assert!(r <= md6_max_r); - assert!(L <= 255); - assert!(ell <= 255); - assert!(p <= b * w); - assert!(d <= c * w / 2); - assert!(!K.is_empty()); - - md6_pack(&mut N, Q, K, ell, i, r, L, z, p, keylen, d, B); // pack input data into N - - md6_compress(C, &mut N, r, &mut A); // compress -} diff --git a/md6/src/md6_consts.rs b/md6/src/md6_consts.rs deleted file mode 100644 index 38727028c..000000000 --- a/md6/src/md6_consts.rs +++ /dev/null @@ -1,22 +0,0 @@ - -/// MD6 constants related to standard mode of operation - -pub type md6_word = u64; -pub type md6_control_word = u64; -pub type md6_nodeID = u64; - -pub const md6_max_stack_height: usize = 29; // maximum stack height -pub const md6_max_r: usize = 255; // maximum number of rounds -pub const md6_default_L: usize = 64; // large so that MD6 is fully hierarchical - -pub const md6_w: usize = 64; // number of bits in a word -pub const md6_c: usize = 16; // size of compression output in words -pub const md6_n: usize = 89; // size of compression input block in words - -/// These five values give lengths of the components of compression -/// input block; they should sum to md6_n. -pub const md6_q: usize = 15; // Q words in a compression block (>= 0) -pub const md6_k: usize = 8; // key words per compression block (>= 0) -pub const md6_u: usize = 64 / md6_w; // words for unique node ID (0 or 64/w) -pub const md6_v: usize = 64 / md6_w; // words for control word (0 or 64/w) -pub const md6_b: usize = 64; // data words per compression block (> 0)