/***********************************************************************
 * Copyright (c) 2014 Pieter Wuille                                    *
 * Distributed under the MIT software license, see the accompanying    *
 * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
 ***********************************************************************/

#ifndef SECP256K1_HASH_IMPL_H
#define SECP256K1_HASH_IMPL_H

#include "hash.h"
#include "util.h"

#include <stdlib.h>
#include <stdint.h>
#include <string.h>

/* SHA-256 bitwise functions and the four sigma functions, written for
 * uint32_t operands. Each "(x) >> r | (x) << (32 - r)" pair is a 32-bit
 * right rotate; the shift counts only stay in range because every caller
 * below applies these to uint32_t values. The macros are #undef'd at the
 * end of this header so they do not leak into including files. */
#define Ch(x,y,z) ((z) ^ ((x) & ((y) ^ (z))))
#define Maj(x,y,z) (((x) & (y)) | ((z) & ((x) | (y))))
#define Sigma0(x) (((x) >> 2 | (x) << 30) ^ ((x) >> 13 | (x) << 19) ^ ((x) >> 22 | (x) << 10))
#define Sigma1(x) (((x) >> 6 | (x) << 26) ^ ((x) >> 11 | (x) << 21) ^ ((x) >> 25 | (x) << 7))
#define sigma0(x) (((x) >> 7 | (x) << 25) ^ ((x) >> 18 | (x) << 14) ^ ((x) >> 3))
#define sigma1(x) (((x) >> 17 | (x) << 15) ^ ((x) >> 19 | (x) << 13) ^ ((x) >> 10))

/* One SHA-256 round: t1 = h + Sigma1(e) + Ch(e,f,g) + K + W,
 * t2 = Sigma0(a) + Maj(a,b,c); then d += t1 and h = t1 + t2.
 * Callers rotate the argument order from round to round instead of
 * shuffling the eight working variables. Note that (w) is expanded
 * exactly once, which is what makes the "wN = ..." / "wN += ..."
 * side-effecting arguments in sha256_transform safe. */
#define Round(a,b,c,d,e,f,g,h,k,w) do { \
    uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \
    uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \
    (d) += t1; \
    (h) = t1 + t2; \
} while(0)

/** Reset `hash` to the SHA-256 initial hash value and zero its byte counter.
 *  Must be called before the first sha256_write and again after a
 *  sha256_finalize, which wipes the state words. */
static void haskellsecp256k1_v0_1_0_sha256_initialize(haskellsecp256k1_v0_1_0_sha256 *hash) {
    hash->s[0] = 0x6a09e667ul;
    hash->s[1] = 0xbb67ae85ul;
    hash->s[2] = 0x3c6ef372ul;
    hash->s[3] = 0xa54ff53aul;
    hash->s[4] = 0x510e527ful;
    hash->s[5] = 0x9b05688cul;
    hash->s[6] = 0x1f83d9abul;
    hash->s[7] = 0x5be0cd19ul;
    hash->bytes = 0;
}

/** Perform one SHA-256 transformation, processing 16 big endian 32-bit words.
 *
 *  @param s    the 8-word chaining state, updated in place (feed-forward at the end)
 *  @param buf  one 64-byte message block, read as 16 big-endian words
 *
 *  The 64 rounds are fully unrolled. The message schedule is kept in the
 *  16 variables w0..w15 and expanded in place: from round 17 on, each
 *  round's word is rebuilt as W[t] = sigma1(W[t-2]) + W[t-7] + sigma0(W[t-15]) + W[t-16]
 *  before it is consumed. */
static void haskellsecp256k1_v0_1_0_sha256_transform(uint32_t* s, const unsigned char* buf) {
    uint32_t a = s[0], b = s[1], c = s[2], d = s[3], e = s[4], f = s[5], g = s[6], h = s[7];
    uint32_t w0, w1, w2, w3, w4, w5, w6, w7, w8, w9, w10, w11, w12, w13, w14, w15;

    /* Rounds 1-16: load the block big-endian into the schedule as it is used. */
    Round(a, b, c, d, e, f, g, h, 0x428a2f98, w0 = haskellsecp256k1_v0_1_0_read_be32(&buf[0]));
    Round(h, a, b, c, d, e, f, g, 0x71374491, w1 = haskellsecp256k1_v0_1_0_read_be32(&buf[4]));
    Round(g, h, a, b, c, d, e, f, 0xb5c0fbcf, w2 = haskellsecp256k1_v0_1_0_read_be32(&buf[8]));
    Round(f, g, h, a, b, c, d, e, 0xe9b5dba5, w3 = haskellsecp256k1_v0_1_0_read_be32(&buf[12]));
    Round(e, f, g, h, a, b, c, d, 0x3956c25b, w4 = haskellsecp256k1_v0_1_0_read_be32(&buf[16]));
    Round(d, e, f, g, h, a, b, c, 0x59f111f1, w5 = haskellsecp256k1_v0_1_0_read_be32(&buf[20]));
    Round(c, d, e, f, g, h, a, b, 0x923f82a4, w6 = haskellsecp256k1_v0_1_0_read_be32(&buf[24]));
    Round(b, c, d, e, f, g, h, a, 0xab1c5ed5, w7 = haskellsecp256k1_v0_1_0_read_be32(&buf[28]));
    Round(a, b, c, d, e, f, g, h, 0xd807aa98, w8 = haskellsecp256k1_v0_1_0_read_be32(&buf[32]));
    Round(h, a, b, c, d, e, f, g, 0x12835b01, w9 = haskellsecp256k1_v0_1_0_read_be32(&buf[36]));
    Round(g, h, a, b, c, d, e, f, 0x243185be, w10 = haskellsecp256k1_v0_1_0_read_be32(&buf[40]));
    Round(f, g, h, a, b, c, d, e, 0x550c7dc3, w11 = haskellsecp256k1_v0_1_0_read_be32(&buf[44]));
    Round(e, f, g, h, a, b, c, d, 0x72be5d74, w12 = haskellsecp256k1_v0_1_0_read_be32(&buf[48]));
    Round(d, e, f, g, h, a, b, c, 0x80deb1fe, w13 = haskellsecp256k1_v0_1_0_read_be32(&buf[52]));
    Round(c, d, e, f, g, h, a, b, 0x9bdc06a7, w14 = haskellsecp256k1_v0_1_0_read_be32(&buf[56]));
    Round(b, c, d, e, f, g, h, a, 0xc19bf174, w15 = haskellsecp256k1_v0_1_0_read_be32(&buf[60]));

    /* Rounds 17-32: schedule expansion in place. */
    Round(a, b, c, d, e, f, g, h, 0xe49b69c1, w0 += sigma1(w14) + w9 + sigma0(w1));
    Round(h, a, b, c, d, e, f, g, 0xefbe4786, w1 += sigma1(w15) + w10 + sigma0(w2));
    Round(g, h, a, b, c, d, e, f, 0x0fc19dc6, w2 += sigma1(w0) + w11 + sigma0(w3));
    Round(f, g, h, a, b, c, d, e, 0x240ca1cc, w3 += sigma1(w1) + w12 + sigma0(w4));
    Round(e, f, g, h, a, b, c, d, 0x2de92c6f, w4 += sigma1(w2) + w13 + sigma0(w5));
    Round(d, e, f, g, h, a, b, c, 0x4a7484aa, w5 += sigma1(w3) + w14 + sigma0(w6));
    Round(c, d, e, f, g, h, a, b, 0x5cb0a9dc, w6 += sigma1(w4) + w15 + sigma0(w7));
    Round(b, c, d, e, f, g, h, a, 0x76f988da, w7 += sigma1(w5) + w0 + sigma0(w8));
    Round(a, b, c, d, e, f, g, h, 0x983e5152, w8 += sigma1(w6) + w1 + sigma0(w9));
    Round(h, a, b, c, d, e, f, g, 0xa831c66d, w9 += sigma1(w7) + w2 + sigma0(w10));
    Round(g, h, a, b, c, d, e, f, 0xb00327c8, w10 += sigma1(w8) + w3 + sigma0(w11));
    Round(f, g, h, a, b, c, d, e, 0xbf597fc7, w11 += sigma1(w9) + w4 + sigma0(w12));
    Round(e, f, g, h, a, b, c, d, 0xc6e00bf3, w12 += sigma1(w10) + w5 + sigma0(w13));
    Round(d, e, f, g, h, a, b, c, 0xd5a79147, w13 += sigma1(w11) + w6 + sigma0(w14));
    Round(c, d, e, f, g, h, a, b, 0x06ca6351, w14 += sigma1(w12) + w7 + sigma0(w15));
    Round(b, c, d, e, f, g, h, a, 0x14292967, w15 += sigma1(w13) + w8 + sigma0(w0));

    /* Rounds 33-48. */
    Round(a, b, c, d, e, f, g, h, 0x27b70a85, w0 += sigma1(w14) + w9 + sigma0(w1));
    Round(h, a, b, c, d, e, f, g, 0x2e1b2138, w1 += sigma1(w15) + w10 + sigma0(w2));
    Round(g, h, a, b, c, d, e, f, 0x4d2c6dfc, w2 += sigma1(w0) + w11 + sigma0(w3));
    Round(f, g, h, a, b, c, d, e, 0x53380d13, w3 += sigma1(w1) + w12 + sigma0(w4));
    Round(e, f, g, h, a, b, c, d, 0x650a7354, w4 += sigma1(w2) + w13 + sigma0(w5));
    Round(d, e, f, g, h, a, b, c, 0x766a0abb, w5 += sigma1(w3) + w14 + sigma0(w6));
    Round(c, d, e, f, g, h, a, b, 0x81c2c92e, w6 += sigma1(w4) + w15 + sigma0(w7));
    Round(b, c, d, e, f, g, h, a, 0x92722c85, w7 += sigma1(w5) + w0 + sigma0(w8));
    Round(a, b, c, d, e, f, g, h, 0xa2bfe8a1, w8 += sigma1(w6) + w1 + sigma0(w9));
    Round(h, a, b, c, d, e, f, g, 0xa81a664b, w9 += sigma1(w7) + w2 + sigma0(w10));
    Round(g, h, a, b, c, d, e, f, 0xc24b8b70, w10 += sigma1(w8) + w3 + sigma0(w11));
    Round(f, g, h, a, b, c, d, e, 0xc76c51a3, w11 += sigma1(w9) + w4 + sigma0(w12));
    Round(e, f, g, h, a, b, c, d, 0xd192e819, w12 += sigma1(w10) + w5 + sigma0(w13));
    Round(d, e, f, g, h, a, b, c, 0xd6990624, w13 += sigma1(w11) + w6 + sigma0(w14));
    Round(c, d, e, f, g, h, a, b, 0xf40e3585, w14 += sigma1(w12) + w7 + sigma0(w15));
    Round(b, c, d, e, f, g, h, a, 0x106aa070, w15 += sigma1(w13) + w8 + sigma0(w0));

    /* Rounds 49-64. */
    Round(a, b, c, d, e, f, g, h, 0x19a4c116, w0 += sigma1(w14) + w9 + sigma0(w1));
    Round(h, a, b, c, d, e, f, g, 0x1e376c08, w1 += sigma1(w15) + w10 + sigma0(w2));
    Round(g, h, a, b, c, d, e, f, 0x2748774c, w2 += sigma1(w0) + w11 + sigma0(w3));
    Round(f, g, h, a, b, c, d, e, 0x34b0bcb5, w3 += sigma1(w1) + w12 + sigma0(w4));
    Round(e, f, g, h, a, b, c, d, 0x391c0cb3, w4 += sigma1(w2) + w13 + sigma0(w5));
    Round(d, e, f, g, h, a, b, c, 0x4ed8aa4a, w5 += sigma1(w3) + w14 + sigma0(w6));
    Round(c, d, e, f, g, h, a, b, 0x5b9cca4f, w6 += sigma1(w4) + w15 + sigma0(w7));
    Round(b, c, d, e, f, g, h, a, 0x682e6ff3, w7 += sigma1(w5) + w0 + sigma0(w8));
    Round(a, b, c, d, e, f, g, h, 0x748f82ee, w8 += sigma1(w6) + w1 + sigma0(w9));
    Round(h, a, b, c, d, e, f, g, 0x78a5636f, w9 += sigma1(w7) + w2 + sigma0(w10));
    Round(g, h, a, b, c, d, e, f, 0x84c87814, w10 += sigma1(w8) + w3 + sigma0(w11));
    Round(f, g, h, a, b, c, d, e, 0x8cc70208, w11 += sigma1(w9) + w4 + sigma0(w12));
    Round(e, f, g, h, a, b, c, d, 0x90befffa, w12 += sigma1(w10) + w5 + sigma0(w13));
    Round(d, e, f, g, h, a, b, c, 0xa4506ceb, w13 += sigma1(w11) + w6 + sigma0(w14));
    /* The last two rounds deliberately use "+" rather than "+=": w14 and
     * w15 are never read again after this point, so there is no need to
     * store the final schedule words. Not a typo. */
    Round(c, d, e, f, g, h, a, b, 0xbef9a3f7, w14 + sigma1(w12) + w7 + sigma0(w15));
    Round(b, c, d, e, f, g, h, a, 0xc67178f2, w15 + sigma1(w13) + w8 + sigma0(w0));

    /* Feed-forward: fold the working variables back into the chaining state. */
    s[0] += a;
    s[1] += b;
    s[2] += c;
    s[3] += d;
    s[4] += e;
    s[5] += f;
    s[6] += g;
    s[7] += h;
}

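/** Absorb `len` bytes of `data` into the running SHA-256 state.
 *
 *  Partial blocks wait in hash->buf; every completed 64-byte block is
 *  compressed immediately. hash->bytes counts all bytes written so far and
 *  its low 6 bits double as the fill level of hash->buf. */
static void haskellsecp256k1_v0_1_0_sha256_write(haskellsecp256k1_v0_1_0_sha256 *hash, const unsigned char *data, size_t len) {
    size_t bufsize = hash->bytes & 0x3F; /* bytes already waiting in hash->buf */
    hash->bytes += len;
    /* Guard against the byte counter wrapping (it is compared against 2^61
     * in finalize, so it is assumed to be a 64-bit field in hash.h). */
    VERIFY_CHECK(hash->bytes >= len);
    while (len >= 64 - bufsize) {
        /* Fill the buffer, and process it. */
        size_t chunk_len = 64 - bufsize;
        memcpy(hash->buf + bufsize, data, chunk_len);
        data += chunk_len;
        len -= chunk_len;
        haskellsecp256k1_v0_1_0_sha256_transform(hash->s, hash->buf);
        bufsize = 0;
    }
    if (len) {
        /* Fill the buffer with what remains. */
        memcpy(hash->buf + bufsize, data, len);
    }
}

/** Apply SHA-256 padding, write the 32-byte digest to out32 and zero the
 *  eight state words.
 *
 *  Only hash->s is wiped here; hash->buf still holds the last (padded)
 *  block afterwards. The object must be re-initialized before reuse. */
static void haskellsecp256k1_v0_1_0_sha256_finalize(haskellsecp256k1_v0_1_0_sha256 *hash, unsigned char *out32) {
    static const unsigned char pad[64] = {0x80};
    unsigned char sizedesc[8];
    int i;
    /* The maximum message size of SHA256 is 2^64-1 bits. */
    VERIFY_CHECK(hash->bytes < ((uint64_t)1 << 61));
    /* Length field: the bit count as a big-endian 64-bit value, in two halves. */
    haskellsecp256k1_v0_1_0_write_be32(&sizedesc[0], hash->bytes >> 29);
    haskellsecp256k1_v0_1_0_write_be32(&sizedesc[4], hash->bytes << 3);
    /* One 0x80 byte followed by enough zeros to leave exactly 8 bytes free
     * at the end of the final block for the length field. */
    haskellsecp256k1_v0_1_0_sha256_write(hash, pad, 1 + ((119 - (hash->bytes % 64)) % 64));
    haskellsecp256k1_v0_1_0_sha256_write(hash, sizedesc, 8);
    for (i = 0; i < 8; i++) {
        haskellsecp256k1_v0_1_0_write_be32(&out32[4*i], hash->s[i]);
        hash->s[i] = 0;
    }
}

/* Initializes a sha256 struct and writes the 64 byte string
 * SHA256(tag)||SHA256(tag) into it.
 *
 * 64 bytes is exactly one SHA-256 block, so the tag prefix costs a single
 * compression, and the resulting midstate can be cached by callers that
 * hash many messages under the same tag. */
static void haskellsecp256k1_v0_1_0_sha256_initialize_tagged(haskellsecp256k1_v0_1_0_sha256 *hash, const unsigned char *tag, size_t taglen) {
    unsigned char buf[32];
    haskellsecp256k1_v0_1_0_sha256_initialize(hash);
    haskellsecp256k1_v0_1_0_sha256_write(hash, tag, taglen);
    haskellsecp256k1_v0_1_0_sha256_finalize(hash, buf);

    haskellsecp256k1_v0_1_0_sha256_initialize(hash);
    haskellsecp256k1_v0_1_0_sha256_write(hash, buf, 32);
    haskellsecp256k1_v0_1_0_sha256_write(hash, buf, 32);
}

/** Key an HMAC-SHA256 context with `key`.
 *
 *  Keys of up to 64 bytes are zero-padded to the block size; longer keys are
 *  first reduced to SHA256(key) and then padded, as HMAC requires. The outer
 *  context is seeded with key ^ opad (0x5c) and the inner one with
 *  key ^ ipad (0x36); the second loop turns the opad copy into the ipad copy
 *  by xoring with 0x5c ^ 0x36. */
static void haskellsecp256k1_v0_1_0_hmac_sha256_initialize(haskellsecp256k1_v0_1_0_hmac_sha256 *hash, const unsigned char *key, size_t keylen) {
    size_t n;
    unsigned char rkey[64];
    if (keylen <= sizeof(rkey)) {
        memcpy(rkey, key, keylen);
        memset(rkey + keylen, 0, sizeof(rkey) - keylen);
    } else {
        haskellsecp256k1_v0_1_0_sha256 sha256;
        haskellsecp256k1_v0_1_0_sha256_initialize(&sha256);
        haskellsecp256k1_v0_1_0_sha256_write(&sha256, key, keylen);
        haskellsecp256k1_v0_1_0_sha256_finalize(&sha256, rkey);
        memset(rkey + 32, 0, 32);
    }

    haskellsecp256k1_v0_1_0_sha256_initialize(&hash->outer);
    for (n = 0; n < sizeof(rkey); n++) {
        rkey[n] ^= 0x5c;
    }
    haskellsecp256k1_v0_1_0_sha256_write(&hash->outer, rkey, sizeof(rkey));

    haskellsecp256k1_v0_1_0_sha256_initialize(&hash->inner);
    for (n = 0; n < sizeof(rkey); n++) {
        rkey[n] ^= 0x5c ^ 0x36;
    }
    haskellsecp256k1_v0_1_0_sha256_write(&hash->inner, rkey, sizeof(rkey));
    /* NOTE(review): rkey holds key material, and a plain memset of a local
     * that is dead afterwards may be removed by dead-store elimination. A
     * compiler-proof wipe (memset_s, explicit_bzero, or a project helper
     * from util.h if one exists) would be preferable here and at the other
     * memset-based wipes in this file. The sha256 temporary in the long-key
     * branch is not cleared at all. */
    memset(rkey, 0, sizeof(rkey));
}

/** Feed `size` bytes of message data into the inner hash. */
static void haskellsecp256k1_v0_1_0_hmac_sha256_write(haskellsecp256k1_v0_1_0_hmac_sha256 *hash, const unsigned char *data, size_t size) {
    haskellsecp256k1_v0_1_0_sha256_write(&hash->inner, data, size);
}

/** Produce the 32-byte MAC: outer = SHA256(key^opad || SHA256(key^ipad || msg)).
 *  Both inner and outer contexts are consumed; re-initialize before reuse. */
static void haskellsecp256k1_v0_1_0_hmac_sha256_finalize(haskellsecp256k1_v0_1_0_hmac_sha256 *hash, unsigned char *out32) {
    unsigned char temp[32];
    haskellsecp256k1_v0_1_0_sha256_finalize(&hash->inner, temp);
    haskellsecp256k1_v0_1_0_sha256_write(&hash->outer, temp, 32);
    /* Same caveat as in hmac_sha256_initialize: a plain memset of a dying
     * local may be optimized away. */
    memset(temp, 0, 32);
    haskellsecp256k1_v0_1_0_sha256_finalize(&hash->outer, out32);
}


/** Seed the RFC 6979 HMAC-DRBG (section 3.2, steps b-g) from `key`.
 *
 *  `key` is whatever the caller passes; in RFC 6979 it is presumably
 *  int2octets(x) || bits2octets(h1), but that is the caller's responsibility.
 *  After this call rng->k and rng->v hold the DRBG state and rng->retry is 0,
 *  so the first generate() call skips the "retry" update step. */
static void haskellsecp256k1_v0_1_0_rfc6979_hmac_sha256_initialize(haskellsecp256k1_v0_1_0_rfc6979_hmac_sha256 *rng, const unsigned char *key, size_t keylen) {
    haskellsecp256k1_v0_1_0_hmac_sha256 hmac;
    static const unsigned char zero[1] = {0x00};
    static const unsigned char one[1] = {0x01};

    memset(rng->v, 0x01, 32); /* RFC6979 3.2.b. */
    memset(rng->k, 0x00, 32); /* RFC6979 3.2.c. */

    /* RFC6979 3.2.d. (K = HMAC_K(V || 0x00 || key)) followed by 3.2.e. (V = HMAC_K(V)) */
    haskellsecp256k1_v0_1_0_hmac_sha256_initialize(&hmac, rng->k, 32);
    haskellsecp256k1_v0_1_0_hmac_sha256_write(&hmac, rng->v, 32);
    haskellsecp256k1_v0_1_0_hmac_sha256_write(&hmac, zero, 1);
    haskellsecp256k1_v0_1_0_hmac_sha256_write(&hmac, key, keylen);
    haskellsecp256k1_v0_1_0_hmac_sha256_finalize(&hmac, rng->k);
    haskellsecp256k1_v0_1_0_hmac_sha256_initialize(&hmac, rng->k, 32);
    haskellsecp256k1_v0_1_0_hmac_sha256_write(&hmac, rng->v, 32);
    haskellsecp256k1_v0_1_0_hmac_sha256_finalize(&hmac, rng->v);

    /* RFC6979 3.2.f. (K = HMAC_K(V || 0x01 || key)) followed by 3.2.g. (V = HMAC_K(V)) */
    haskellsecp256k1_v0_1_0_hmac_sha256_initialize(&hmac, rng->k, 32);
    haskellsecp256k1_v0_1_0_hmac_sha256_write(&hmac, rng->v, 32);
    haskellsecp256k1_v0_1_0_hmac_sha256_write(&hmac, one, 1);
    haskellsecp256k1_v0_1_0_hmac_sha256_write(&hmac, key, keylen);
    haskellsecp256k1_v0_1_0_hmac_sha256_finalize(&hmac, rng->k);
    haskellsecp256k1_v0_1_0_hmac_sha256_initialize(&hmac, rng->k, 32);
    haskellsecp256k1_v0_1_0_hmac_sha256_write(&hmac, rng->v, 32);
    haskellsecp256k1_v0_1_0_hmac_sha256_finalize(&hmac, rng->v);
    /* NOTE(review): the local hmac context (keyed with K) goes out of scope
     * here without being cleared. */
    rng->retry = 0;
}

/** Generate `outlen` bytes of DRBG output into `out` (RFC 6979 3.2.h).
 *
 *  On every call after the first (rng->retry set), K and V are first
 *  refreshed with the 0x00-terminated update of step h.3, which is what
 *  makes repeated calls yield the candidate sequence k1, k2, ... of the RFC.
 *  Output is produced 32 bytes (one V) at a time; a partial final chunk is
 *  truncated, not padded. */
static void haskellsecp256k1_v0_1_0_rfc6979_hmac_sha256_generate(haskellsecp256k1_v0_1_0_rfc6979_hmac_sha256 *rng, unsigned char *out, size_t outlen) {
    /* RFC6979 3.2.h. */
    static const unsigned char zero[1] = {0x00};
    if (rng->retry) {
        haskellsecp256k1_v0_1_0_hmac_sha256 hmac;
        haskellsecp256k1_v0_1_0_hmac_sha256_initialize(&hmac, rng->k, 32);
        haskellsecp256k1_v0_1_0_hmac_sha256_write(&hmac, rng->v, 32);
        haskellsecp256k1_v0_1_0_hmac_sha256_write(&hmac, zero, 1);
        haskellsecp256k1_v0_1_0_hmac_sha256_finalize(&hmac, rng->k);
        haskellsecp256k1_v0_1_0_hmac_sha256_initialize(&hmac, rng->k, 32);
        haskellsecp256k1_v0_1_0_hmac_sha256_write(&hmac, rng->v, 32);
        haskellsecp256k1_v0_1_0_hmac_sha256_finalize(&hmac, rng->v);
    }

    while (outlen > 0) {
        haskellsecp256k1_v0_1_0_hmac_sha256 hmac;
        /* Emit at most one 32-byte V per iteration. Kept as size_t (the
         * previous int conversion would turn a request above INT_MAX into a
         * negative count and a huge memcpy). */
        size_t now = outlen > 32 ? 32 : outlen;
        haskellsecp256k1_v0_1_0_hmac_sha256_initialize(&hmac, rng->k, 32);
        haskellsecp256k1_v0_1_0_hmac_sha256_write(&hmac, rng->v, 32);
        haskellsecp256k1_v0_1_0_hmac_sha256_finalize(&hmac, rng->v);
        memcpy(out, rng->v, now);
        out += now;
        outlen -= now;
    }

    rng->retry = 1;
}

/** Wipe the DRBG state (K and V) and reset the retry flag.
 *  rng is caller-owned and outlives this call, so the memsets are less
 *  likely to be elided than the local-buffer wipes above, but a guaranteed
 *  clear would still be the safer choice. */
static void haskellsecp256k1_v0_1_0_rfc6979_hmac_sha256_finalize(haskellsecp256k1_v0_1_0_rfc6979_hmac_sha256 *rng) {
    memset(rng->k, 0, 32);
    memset(rng->v, 0, 32);
    rng->retry = 0;
}

#undef Round
#undef sigma1
#undef sigma0
#undef Sigma1
#undef Sigma0
#undef Maj
#undef Ch

#endif /* SECP256K1_HASH_IMPL_H */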