diff --git a/cbits/decaf/include/decaf/shake.h b/cbits/decaf/include/decaf/shake.h index 52eb1bf..e4cd9e4 100644 --- a/cbits/decaf/include/decaf/shake.h +++ b/cbits/decaf/include/decaf/shake.h @@ -1,219 +1,96 @@ -/** - * @file decaf/shake.h - * @copyright - * Based on CC0 code by David Leon Gil, 2015 \n - * Copyright (c) 2015 Cryptography Research, Inc. \n - * Released under the MIT License. See LICENSE.txt for license information. - * @author Mike Hamburg - * @brief SHA-3-n and CRYPTONITE_DECAF_SHAKE-n instances. +/* + * Copyright (C) 2006-2009 Vincent Hanquez + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ +#ifndef CRYPTONITE_DECAF_SHAKE_H +#define CRYPTONITE_DECAF_SHAKE_H -#ifndef __CRYPTONITE_DECAF_SHAKE_H__ -#define __CRYPTONITE_DECAF_SHAKE_H__ - -#include -#include -#include /* for NULL */ +#include "cryptonite_sha3.h" #include -#ifdef __cplusplus -extern "C" { +#define CHUNK_SIZE_32 0x80000000 + +typedef struct sha3_shake256_ctx +{ + struct sha3_ctx sc[1]; + uint8_t filler[136]; // 200 - 2*(256/8) +} +cryptonite_decaf_shake256_ctx_t[1]; + +static inline void cryptonite_decaf_shake256_init(cryptonite_decaf_shake256_ctx_t ctx) +{ + cryptonite_sha3_init(ctx -> sc, 256); +} + +static inline void cryptonite_decaf_shake256_update(cryptonite_decaf_shake256_ctx_t ctx, const uint8_t *in, size_t inlen) +{ +#if __SIZE_MAX__ > UINT32_MAX + // split data over 4 GB in 2-GB chunks + while (inlen > UINT32_MAX) { + cryptonite_sha3_update(ctx -> sc, in, CHUNK_SIZE_32); + inlen -= CHUNK_SIZE_32; + in += CHUNK_SIZE_32; + } #endif + cryptonite_sha3_update(ctx -> sc, in, (uint32_t) inlen); +} -#ifndef INTERNAL_SPONGE_STRUCT - /** Sponge container object for the various primitives. */ - typedef struct cryptonite_decaf_keccak_sponge_s { - /** @cond internal */ - uint64_t opaque[26]; - /** @endcond */ - } cryptonite_decaf_keccak_sponge_s; - - /** Convenience GMP-style one-element array version */ - typedef struct cryptonite_decaf_keccak_sponge_s cryptonite_decaf_keccak_sponge_t[1]; - - /** Parameters for sponge construction, distinguishing CRYPTONITE_DECAF_SHA3 and - * CRYPTONITE_DECAF_SHAKE instances. - */ - struct cryptonite_decaf_kparams_s; +static inline void cryptonite_decaf_shake256_output(cryptonite_decaf_shake256_ctx_t ctx, uint8_t *out, size_t outlen) { +#if __SIZE_MAX__ > UINT32_MAX + // split data over 4 GB in 2-GB chunks + while (outlen > UINT32_MAX) { + cryptonite_sha3_output(ctx -> sc, out, CHUNK_SIZE_32); + outlen -= CHUNK_SIZE_32; + out += CHUNK_SIZE_32; + } #endif + cryptonite_sha3_output(ctx -> sc, out, (uint32_t) outlen); +} -/** - * @brief Initialize a sponge context object. - * @param [out] sponge The object to initialize. - * @param [in] params The sponge's parameter description. - */ -void cryptonite_decaf_sponge_init ( - cryptonite_decaf_keccak_sponge_t sponge, - const struct cryptonite_decaf_kparams_s *params -) CRYPTONITE_DECAF_API_VIS; +static inline void cryptonite_decaf_shake256_final(cryptonite_decaf_shake256_ctx_t ctx, uint8_t *out, size_t outlen) +{ + cryptonite_sha3_finalize_shake(ctx -> sc); + cryptonite_decaf_shake256_output(ctx, out, outlen); -/** - * @brief Absorb data into a CRYPTONITE_DECAF_SHA3 or CRYPTONITE_DECAF_SHAKE hash context. - * @param [inout] sponge The context. - * @param [in] in The input data. - * @param [in] len The input data's length in bytes. - * @return CRYPTONITE_DECAF_FAILURE if the sponge has already been used for output. - * @return CRYPTONITE_DECAF_SUCCESS otherwise. - */ -cryptonite_decaf_error_t cryptonite_decaf_sha3_update ( - struct cryptonite_decaf_keccak_sponge_s * __restrict__ sponge, - const uint8_t *in, - size_t len -) CRYPTONITE_DECAF_API_VIS; + cryptonite_decaf_shake256_init(ctx); +} -/** - * @brief Squeeze output data from a CRYPTONITE_DECAF_SHA3 or CRYPTONITE_DECAF_SHAKE hash context. - * This does not destroy or re-initialize the hash context, and - * cryptonite_decaf_sha3 output can be called more times. - * - * @param [inout] sponge The context. - * @param [out] out The output data. - * @param [in] len The requested output data length in bytes. - * @return CRYPTONITE_DECAF_FAILURE if the sponge has exhausted its output capacity. - * @return CRYPTONITE_DECAF_SUCCESS otherwise. - */ -cryptonite_decaf_error_t cryptonite_decaf_sha3_output ( - cryptonite_decaf_keccak_sponge_t sponge, - uint8_t * __restrict__ out, - size_t len -) CRYPTONITE_DECAF_API_VIS; +static inline void cryptonite_decaf_shake256_destroy(cryptonite_decaf_shake256_ctx_t ctx) +{ + cryptonite_decaf_bzero(ctx, sizeof(*ctx)); +} -/** - * @brief Squeeze output data from a CRYPTONITE_DECAF_SHA3 or CRYPTONITE_DECAF_SHAKE hash context. - * This re-initializes the context to its starting parameters. - * - * @param [inout] sponge The context. - * @param [out] out The output data. - * @param [in] len The requested output data length in bytes. - */ -cryptonite_decaf_error_t cryptonite_decaf_sha3_final ( - cryptonite_decaf_keccak_sponge_t sponge, - uint8_t * __restrict__ out, - size_t len -) CRYPTONITE_DECAF_API_VIS; +static inline void cryptonite_decaf_shake256_hash(uint8_t *out, size_t outlen, const uint8_t *in, size_t inlen) +{ + cryptonite_decaf_shake256_ctx_t ctx; -/** - * @brief Reset the sponge to the empty string. - * - * @param [inout] sponge The context. - */ -void cryptonite_decaf_sha3_reset ( - cryptonite_decaf_keccak_sponge_t sponge -) CRYPTONITE_DECAF_API_VIS; + cryptonite_decaf_shake256_init(ctx); + cryptonite_decaf_shake256_update(ctx, in, inlen); -/** - * @brief Return the default output length of the sponge construction, - * for the purpose of C++ default operators. - * - * Returns n/8 for CRYPTONITE_DECAF_SHA3-n and 2n/8 for CRYPTONITE_DECAF_SHAKE-n. - */ -size_t cryptonite_decaf_sponge_default_output_bytes ( - const cryptonite_decaf_keccak_sponge_t sponge /**< [inout] The context. */ -) CRYPTONITE_DECAF_API_VIS; + cryptonite_sha3_finalize_shake(ctx -> sc); + cryptonite_decaf_shake256_output(ctx, out, outlen); -/** - * @brief Return the default output length of the sponge construction, - * for the purpose of C++ default operators. - * - * Returns n/8 for CRYPTONITE_DECAF_SHA3-n and SIZE_MAX for CRYPTONITE_DECAF_SHAKE-n. - */ -size_t cryptonite_decaf_sponge_max_output_bytes ( - const cryptonite_decaf_keccak_sponge_t sponge /**< [inout] The context. */ -) CRYPTONITE_DECAF_API_VIS; + cryptonite_decaf_shake256_destroy(ctx); +} -/** - * @brief Destroy a CRYPTONITE_DECAF_SHA3 or CRYPTONITE_DECAF_SHAKE sponge context by overwriting it with 0. - * @param [out] sponge The context. - */ -void cryptonite_decaf_sponge_destroy ( - cryptonite_decaf_keccak_sponge_t sponge -) CRYPTONITE_DECAF_API_VIS; - -/** - * @brief Hash (in) to (out) - * @param [in] in The input data. - * @param [in] inlen The length of the input data. - * @param [out] out A buffer for the output data. - * @param [in] outlen The length of the output data. - * @param [in] params The parameters of the sponge hash. - */ -cryptonite_decaf_error_t cryptonite_decaf_sponge_hash ( - const uint8_t *in, - size_t inlen, - uint8_t *out, - size_t outlen, - const struct cryptonite_decaf_kparams_s *params -) CRYPTONITE_DECAF_API_VIS; - -/* FUTURE: expand/doxygenate individual CRYPTONITE_DECAF_SHAKE/CRYPTONITE_DECAF_SHA3 instances? */ - -/** @cond internal */ -#define CRYPTONITE_DECAF_DEC_SHAKE(n) \ - extern const struct cryptonite_decaf_kparams_s CRYPTONITE_DECAF_SHAKE##n##_params_s CRYPTONITE_DECAF_API_VIS; \ - typedef struct cryptonite_decaf_shake##n##_ctx_s { cryptonite_decaf_keccak_sponge_t s; } cryptonite_decaf_shake##n##_ctx_t[1]; \ - static inline void CRYPTONITE_DECAF_NONNULL cryptonite_decaf_shake##n##_init(cryptonite_decaf_shake##n##_ctx_t sponge) { \ - cryptonite_decaf_sponge_init(sponge->s, &CRYPTONITE_DECAF_SHAKE##n##_params_s); \ - } \ - static inline void CRYPTONITE_DECAF_NONNULL cryptonite_decaf_shake##n##_gen_init(cryptonite_decaf_keccak_sponge_t sponge) { \ - cryptonite_decaf_sponge_init(sponge, &CRYPTONITE_DECAF_SHAKE##n##_params_s); \ - } \ - static inline cryptonite_decaf_error_t CRYPTONITE_DECAF_NONNULL cryptonite_decaf_shake##n##_update(cryptonite_decaf_shake##n##_ctx_t sponge, const uint8_t *in, size_t inlen ) { \ - return cryptonite_decaf_sha3_update(sponge->s, in, inlen); \ - } \ - static inline void CRYPTONITE_DECAF_NONNULL cryptonite_decaf_shake##n##_final(cryptonite_decaf_shake##n##_ctx_t sponge, uint8_t *out, size_t outlen ) { \ - cryptonite_decaf_sha3_output(sponge->s, out, outlen); \ - cryptonite_decaf_sponge_init(sponge->s, &CRYPTONITE_DECAF_SHAKE##n##_params_s); \ - } \ - static inline void CRYPTONITE_DECAF_NONNULL cryptonite_decaf_shake##n##_output(cryptonite_decaf_shake##n##_ctx_t sponge, uint8_t *out, size_t outlen ) { \ - cryptonite_decaf_sha3_output(sponge->s, out, outlen); \ - } \ - static inline void CRYPTONITE_DECAF_NONNULL cryptonite_decaf_shake##n##_hash(uint8_t *out, size_t outlen, const uint8_t *in, size_t inlen) { \ - cryptonite_decaf_sponge_hash(in,inlen,out,outlen,&CRYPTONITE_DECAF_SHAKE##n##_params_s); \ - } \ - static inline void CRYPTONITE_DECAF_NONNULL cryptonite_decaf_shake##n##_destroy( cryptonite_decaf_shake##n##_ctx_t sponge ) { \ - cryptonite_decaf_sponge_destroy(sponge->s); \ - } - -#define CRYPTONITE_DECAF_DEC_SHA3(n) \ - extern const struct cryptonite_decaf_kparams_s CRYPTONITE_DECAF_SHA3_##n##_params_s CRYPTONITE_DECAF_API_VIS; \ - typedef struct cryptonite_decaf_sha3_##n##_ctx_s { cryptonite_decaf_keccak_sponge_t s; } cryptonite_decaf_sha3_##n##_ctx_t[1]; \ - static inline void CRYPTONITE_DECAF_NONNULL cryptonite_decaf_sha3_##n##_init(cryptonite_decaf_sha3_##n##_ctx_t sponge) { \ - cryptonite_decaf_sponge_init(sponge->s, &CRYPTONITE_DECAF_SHA3_##n##_params_s); \ - } \ - static inline void CRYPTONITE_DECAF_NONNULL cryptonite_decaf_sha3_##n##_gen_init(cryptonite_decaf_keccak_sponge_t sponge) { \ - cryptonite_decaf_sponge_init(sponge, &CRYPTONITE_DECAF_SHA3_##n##_params_s); \ - } \ - static inline cryptonite_decaf_error_t CRYPTONITE_DECAF_NONNULL cryptonite_decaf_sha3_##n##_update(cryptonite_decaf_sha3_##n##_ctx_t sponge, const uint8_t *in, size_t inlen ) { \ - return cryptonite_decaf_sha3_update(sponge->s, in, inlen); \ - } \ - static inline cryptonite_decaf_error_t CRYPTONITE_DECAF_NONNULL cryptonite_decaf_sha3_##n##_final(cryptonite_decaf_sha3_##n##_ctx_t sponge, uint8_t *out, size_t outlen ) { \ - cryptonite_decaf_error_t ret = cryptonite_decaf_sha3_output(sponge->s, out, outlen); \ - cryptonite_decaf_sponge_init(sponge->s, &CRYPTONITE_DECAF_SHA3_##n##_params_s); \ - return ret; \ - } \ - static inline cryptonite_decaf_error_t CRYPTONITE_DECAF_NONNULL cryptonite_decaf_sha3_##n##_output(cryptonite_decaf_sha3_##n##_ctx_t sponge, uint8_t *out, size_t outlen ) { \ - return cryptonite_decaf_sha3_output(sponge->s, out, outlen); \ - } \ - static inline cryptonite_decaf_error_t CRYPTONITE_DECAF_NONNULL cryptonite_decaf_sha3_##n##_hash(uint8_t *out, size_t outlen, const uint8_t *in, size_t inlen) { \ - return cryptonite_decaf_sponge_hash(in,inlen,out,outlen,&CRYPTONITE_DECAF_SHA3_##n##_params_s); \ - } \ - static inline void CRYPTONITE_DECAF_NONNULL cryptonite_decaf_sha3_##n##_destroy(cryptonite_decaf_sha3_##n##_ctx_t sponge) { \ - cryptonite_decaf_sponge_destroy(sponge->s); \ - } -/** @endcond */ - -CRYPTONITE_DECAF_DEC_SHAKE(128) -CRYPTONITE_DECAF_DEC_SHAKE(256) -CRYPTONITE_DECAF_DEC_SHA3(224) -CRYPTONITE_DECAF_DEC_SHA3(256) -CRYPTONITE_DECAF_DEC_SHA3(384) -CRYPTONITE_DECAF_DEC_SHA3(512) -#undef CRYPTONITE_DECAF_DEC_SHAKE -#undef CRYPTONITE_DECAF_DEC_SHA3 - -#ifdef __cplusplus -} /* extern "C" */ #endif - -#endif /* __CRYPTONITE_DECAF_SHAKE_H__ */ diff --git a/cbits/decaf/include/keccak_internal.h b/cbits/decaf/include/keccak_internal.h deleted file mode 100644 index e5e7bad..0000000 --- a/cbits/decaf/include/keccak_internal.h +++ /dev/null @@ -1,38 +0,0 @@ -/** - * @cond internal - * @file keccak_internal.h - * @copyright - * Copyright (c) 2016 Cryptography Research, Inc. \n - * Released under the MIT License. See LICENSE.txt for license information. - * @author Mike Hamburg - * @brief Keccak internal interfaces. Will be used by STROBE once reintegrated. - */ -#ifndef __CRYPTONITE_DECAF_KECCAK_INTERNAL_H__ -#define __CRYPTONITE_DECAF_KECCAK_INTERNAL_H__ 1 - -#include - -/* The internal, non-opaque definition of the cryptonite_decaf_sponge struct. */ -typedef union { - uint64_t w[25]; uint8_t b[25*8]; -} kdomain_t[1]; - -typedef struct cryptonite_decaf_kparams_s { - uint8_t position, flags, rate, start_round, pad, rate_pad, max_out, remaining; -} cryptonite_decaf_kparams_s, cryptonite_decaf_kparams_t[1]; - -typedef struct cryptonite_decaf_keccak_sponge_s { - kdomain_t state; - cryptonite_decaf_kparams_t params; -} cryptonite_decaf_keccak_sponge_s, cryptonite_decaf_keccak_sponge_t[1]; - -#define INTERNAL_SPONGE_STRUCT 1 - -void __attribute__((noinline)) cryptonite_keccakf(kdomain_t state, uint8_t start_round); - -static inline void dokeccak (cryptonite_decaf_keccak_sponge_t cryptonite_decaf_sponge) { - cryptonite_keccakf(cryptonite_decaf_sponge->state, cryptonite_decaf_sponge->params->start_round); - cryptonite_decaf_sponge->params->position = 0; -} - -#endif /* __CRYPTONITE_DECAF_KECCAK_INTERNAL_H__ */ diff --git a/cbits/decaf/include/portable_endian.h b/cbits/decaf/include/portable_endian.h index 5cbfca7..5d3668e 100644 --- a/cbits/decaf/include/portable_endian.h +++ b/cbits/decaf/include/portable_endian.h @@ -1,39 +1 @@ -/* Subset of Mathias Panzenböck's portable endian code, public domain */ - -#ifndef __PORTABLE_ENDIAN_H__ -#define __PORTABLE_ENDIAN_H__ - -#if defined(__linux__) || defined(__CYGWIN__) -# include -#elif defined(__OpenBSD__) -# include -#elif defined(__APPLE__) -# include -# define htole64(x) OSSwapHostToLittleInt64(x) -# define le64toh(x) OSSwapLittleToHostInt64(x) -#elif defined(__NetBSD__) || defined(__FreeBSD__) || defined(__DragonFly__) -# include -# ifndef le64toh -# define le64toh(x) letoh64(x) -# endif -#elif defined(__sun) && defined(__SVR4) -# include -# define htole64(x) LE_64(x) -# define le64toh(x) LE_64(x) -#elif defined(_WIN16) || defined(_WIN32) || defined(_WIN64) || defined(__WINDOWS__) -# include -# include -# if BYTE_ORDER == LITTLE_ENDIAN -# define htole64(x) (x) -# define le64toh(x) (x) -# elif BYTE_ORDER == BIG_ENDIAN -# define htole64(x) __builtin_bswap64(x) -# define le64toh(x) __builtin_bswap64(x) -# else -# error byte order not supported -# endif -#else -# error platform not supported -#endif - -#endif // __PORTABLE_ENDIAN_H__ +/* portable_endian.h not used */ diff --git a/cbits/decaf/shake.c b/cbits/decaf/shake.c deleted file mode 100644 index 1e81351..0000000 --- a/cbits/decaf/shake.c +++ /dev/null @@ -1,238 +0,0 @@ -/** - * @cond internal - * @file shake.c - * @copyright - * Uses public domain code by Mathias Panzenböck \n - * Uses CC0 code by David Leon Gil, 2015 \n - * Copyright (c) 2015 Cryptography Research, Inc. \n - * Released under the MIT License. See LICENSE.txt for license information. - * @author Mike Hamburg - * @brief SHA-3-n and SHAKE-n instances. - * @warning EXPERIMENTAL! The names, parameter orders etc are likely to change. - */ - -#define __STDC_WANT_LIB_EXT1__ 1 /* for memset_s */ -#define _BSD_SOURCE 1 /* for endian */ -#define _DEFAULT_SOURCE 1 /* for endian with glibc 2.20 */ -#include -#include -#include - -#include "portable_endian.h" -#include "keccak_internal.h" -#include - -#define FLAG_ABSORBING 'A' -#define FLAG_SQUEEZING 'Z' - -/** Constants. **/ -static const uint8_t pi[24] = { - 10, 7, 11, 17, 18, 3, 5, 16, 8, 21, 24, 4, - 15, 23, 19, 13, 12, 2, 20, 14, 22, 9, 6, 1 -}; - -#define RC_B(x,n) ((((x##ull)>>n)&1)<<((1<> (64 - s)); -} - -/* Helper macros to unroll the permutation. */ -#define REPEAT5(e) e e e e e -#define FOR51(v, e) v = 0; REPEAT5(e; v += 1;) -#ifndef SHAKE_NO_UNROLL_LOOPS -# define FOR55(v, e) v = 0; REPEAT5(e; v += 5;) -# define REPEAT24(e) e e e e e e e e e e e e e e e e e e e e e e e e -#else -# define FOR55(v, e) for (v=0; v<25; v+= 5) { e; } -# define REPEAT24(e) {int _j=0; for (_j=0; _j<24; _j++) { e }} -#endif - -/*** The Keccak-f[1600] permutation ***/ -void cryptonite_keccakf(kdomain_t state, uint8_t start_round) { - uint64_t* a = state->w; - uint64_t b[5] = {0}, t, u; - uint8_t x, y, i; - - for (i=0; i<25; i++) a[i] = le64toh(a[i]); - - for (i = start_round; i < 24; i++) { - FOR51(x, b[x] = 0; ) - FOR55(y, FOR51(x, b[x] ^= a[x + y]; )) - FOR55(y, FOR51(x, - a[y + x] ^= b[(x + 4) % 5] ^ rol(b[(x + 1) % 5], 1); - )) - // Rho and pi - t = a[1]; - x = y = 0; - REPEAT24(u = a[pi[x]]; y += x+1; a[pi[x]] = rol(t, y % 64); t = u; x++; ) - // Chi - FOR55(y, - FOR51(x, b[x] = a[y + x];) - FOR51(x, a[y + x] = b[x] ^ ((~b[(x + 1) % 5]) & b[(x + 2) % 5]);) - ) - // Iota - a[0] ^= RC[i]; - } - - for (i=0; i<25; i++) a[i] = htole64(a[i]); -} - -cryptonite_decaf_error_t cryptonite_decaf_sha3_update ( - struct cryptonite_decaf_keccak_sponge_s * __restrict__ cryptonite_decaf_sponge, - const uint8_t *in, - size_t len -) { - assert(cryptonite_decaf_sponge->params->position < cryptonite_decaf_sponge->params->rate); - assert(cryptonite_decaf_sponge->params->rate < sizeof(cryptonite_decaf_sponge->state)); - assert(cryptonite_decaf_sponge->params->flags == FLAG_ABSORBING); - while (len) { - size_t cando = cryptonite_decaf_sponge->params->rate - cryptonite_decaf_sponge->params->position, i; - uint8_t* state = &cryptonite_decaf_sponge->state->b[cryptonite_decaf_sponge->params->position]; - if (cando > len) { - for (i = 0; i < len; i += 1) state[i] ^= in[i]; - cryptonite_decaf_sponge->params->position += len; - break; - } else { - for (i = 0; i < cando; i += 1) state[i] ^= in[i]; - dokeccak(cryptonite_decaf_sponge); - len -= cando; - in += cando; - } - } - return (cryptonite_decaf_sponge->params->flags == FLAG_ABSORBING) ? CRYPTONITE_DECAF_SUCCESS : CRYPTONITE_DECAF_FAILURE; -} - -cryptonite_decaf_error_t cryptonite_decaf_sha3_output ( - cryptonite_decaf_keccak_sponge_t cryptonite_decaf_sponge, - uint8_t * __restrict__ out, - size_t len -) { - cryptonite_decaf_error_t ret = CRYPTONITE_DECAF_SUCCESS; - assert(cryptonite_decaf_sponge->params->position < cryptonite_decaf_sponge->params->rate); - assert(cryptonite_decaf_sponge->params->rate < sizeof(cryptonite_decaf_sponge->state)); - - if (cryptonite_decaf_sponge->params->max_out != 0xFF) { - if (cryptonite_decaf_sponge->params->remaining >= len) { - cryptonite_decaf_sponge->params->remaining -= len; - } else { - cryptonite_decaf_sponge->params->remaining = 0; - ret = CRYPTONITE_DECAF_FAILURE; - } - } - - switch (cryptonite_decaf_sponge->params->flags) { - case FLAG_SQUEEZING: break; - case FLAG_ABSORBING: - { - uint8_t* state = cryptonite_decaf_sponge->state->b; - state[cryptonite_decaf_sponge->params->position] ^= cryptonite_decaf_sponge->params->pad; - state[cryptonite_decaf_sponge->params->rate - 1] ^= cryptonite_decaf_sponge->params->rate_pad; - dokeccak(cryptonite_decaf_sponge); - cryptonite_decaf_sponge->params->flags = FLAG_SQUEEZING; - break; - } - default: - assert(0); - } - - while (len) { - size_t cando = cryptonite_decaf_sponge->params->rate - cryptonite_decaf_sponge->params->position; - uint8_t* state = &cryptonite_decaf_sponge->state->b[cryptonite_decaf_sponge->params->position]; - if (cando > len) { - memcpy(out, state, len); - cryptonite_decaf_sponge->params->position += len; - return ret; - } else { - memcpy(out, state, cando); - dokeccak(cryptonite_decaf_sponge); - len -= cando; - out += cando; - } - } - return ret; -} - -cryptonite_decaf_error_t cryptonite_decaf_sha3_final ( - cryptonite_decaf_keccak_sponge_t cryptonite_decaf_sponge, - uint8_t * __restrict__ out, - size_t len -) { - cryptonite_decaf_error_t ret = cryptonite_decaf_sha3_output(cryptonite_decaf_sponge,out,len); - cryptonite_decaf_sha3_reset(cryptonite_decaf_sponge); - return ret; -} - -void cryptonite_decaf_sha3_reset ( - cryptonite_decaf_keccak_sponge_t cryptonite_decaf_sponge -) { - cryptonite_decaf_sponge_init(cryptonite_decaf_sponge, cryptonite_decaf_sponge->params); - cryptonite_decaf_sponge->params->flags = FLAG_ABSORBING; - cryptonite_decaf_sponge->params->remaining = cryptonite_decaf_sponge->params->max_out; -} - -void cryptonite_decaf_sponge_destroy (cryptonite_decaf_keccak_sponge_t cryptonite_decaf_sponge) { cryptonite_decaf_bzero(cryptonite_decaf_sponge, sizeof(cryptonite_decaf_keccak_sponge_t)); } - -void cryptonite_decaf_sponge_init ( - cryptonite_decaf_keccak_sponge_t cryptonite_decaf_sponge, - const struct cryptonite_decaf_kparams_s *params -) { - memset(cryptonite_decaf_sponge->state, 0, sizeof(cryptonite_decaf_sponge->state)); - cryptonite_decaf_sponge->params[0] = params[0]; - cryptonite_decaf_sponge->params->position = 0; -} - -cryptonite_decaf_error_t cryptonite_decaf_sponge_hash ( - const uint8_t *in, - size_t inlen, - uint8_t *out, - size_t outlen, - const struct cryptonite_decaf_kparams_s *params -) { - cryptonite_decaf_keccak_sponge_t cryptonite_decaf_sponge; - cryptonite_decaf_sponge_init(cryptonite_decaf_sponge, params); - cryptonite_decaf_sha3_update(cryptonite_decaf_sponge, in, inlen); - cryptonite_decaf_error_t ret = cryptonite_decaf_sha3_output(cryptonite_decaf_sponge, out, outlen); - cryptonite_decaf_sponge_destroy(cryptonite_decaf_sponge); - return ret; -} - -#define DEFSHAKE(n) \ - const struct cryptonite_decaf_kparams_s CRYPTONITE_DECAF_SHAKE##n##_params_s = \ - { 0, FLAG_ABSORBING, 200-n/4, 0, 0x1f, 0x80, 0xFF, 0xFF }; - -#define DEFSHA3(n) \ - const struct cryptonite_decaf_kparams_s CRYPTONITE_DECAF_SHA3_##n##_params_s = \ - { 0, FLAG_ABSORBING, 200-n/4, 0, 0x06, 0x80, n/8, n/8 }; - -size_t cryptonite_decaf_sponge_default_output_bytes ( - const cryptonite_decaf_keccak_sponge_t s -) { - return (s->params->max_out == 0xFF) - ? (200-s->params->rate) - : ((200-s->params->rate)/2); -} - -size_t cryptonite_decaf_sponge_max_output_bytes ( - const cryptonite_decaf_keccak_sponge_t s -) { - return (s->params->max_out == 0xFF) - ? SIZE_MAX - : (size_t)((200-s->params->rate)/2); -} - -DEFSHAKE(128) -DEFSHAKE(256) -DEFSHA3(224) -DEFSHA3(256) -DEFSHA3(384) -DEFSHA3(512) - -/* FUTURE: Keyak instances, etc */ diff --git a/cbits/decaf/tools/clean.sh b/cbits/decaf/tools/clean.sh index 4d35952..20883e4 100755 --- a/cbits/decaf/tools/clean.sh +++ b/cbits/decaf/tools/clean.sh @@ -9,7 +9,6 @@ DEST_DIR="`dirname "$0"`"/.. rm "$DEST_DIR"/*.c rm "$DEST_DIR"/include/constant_time.h rm "$DEST_DIR"/include/field.h -rm "$DEST_DIR"/include/keccak_internal.h rm "$DEST_DIR"/include/portable_endian.h rm "$DEST_DIR"/include/word.h rm "$DEST_DIR"/include/decaf.h @@ -18,7 +17,6 @@ rm "$DEST_DIR"/include/decaf/ed448.h rm "$DEST_DIR"/include/decaf/point_255.h rm "$DEST_DIR"/include/decaf/point_448.h rm "$DEST_DIR"/include/decaf/sha512.h -rm "$DEST_DIR"/include/decaf/shake.h rm -r "$DEST_DIR"/include/arch_* rm -r "$DEST_DIR"/ed448goldilocks rm -r "$DEST_DIR"/p448 diff --git a/cbits/decaf/tools/generate.sh b/cbits/decaf/tools/generate.sh index e3177b0..0a3f441 100755 --- a/cbits/decaf/tools/generate.sh +++ b/cbits/decaf/tools/generate.sh @@ -18,6 +18,9 @@ # # * substitutions are performed in order to add a cryptonite_ prefix # to all external symbols +# +# * code related to SHAKE is replaced by cryptonite code, referenced from +# a custom shake.h. As a consequence, portable_endian.h is not needed. SRC_DIR="$1/src" DEST_DIR="`dirname "$0"`"/.. @@ -39,14 +42,11 @@ convert() { -e 's/P25519_SQRT_MINUS_ONE/CRYPTONITE_P25519_SQRT_MINUS_ONE/g' } -convert "$SRC_DIR"/shake.c "$DEST_DIR" convert "$SRC_DIR"/utils.c "$DEST_DIR" mkdir -p "$DEST_DIR"/include convert "$SRC_DIR"/include/constant_time.h "$DEST_DIR"/include convert "$SRC_DIR"/include/field.h "$DEST_DIR"/include -convert "$SRC_DIR"/include/keccak_internal.h "$DEST_DIR"/include -convert "$SRC_DIR"/include/portable_endian.h "$DEST_DIR"/include convert "$SRC_DIR"/include/word.h "$DEST_DIR"/include for ARCH in $ARCHITECTURES; do @@ -59,7 +59,6 @@ convert "$SRC_DIR"/GENERATED/include/decaf.h "$DEST_DIR"/include convert "$SRC_DIR"/GENERATED/include/decaf/common.h "$DEST_DIR"/include/decaf convert "$SRC_DIR"/GENERATED/include/decaf/ed448.h "$DEST_DIR"/include/decaf convert "$SRC_DIR"/GENERATED/include/decaf/point_448.h "$DEST_DIR"/include/decaf -convert "$SRC_DIR"/GENERATED/include/decaf/shake.h "$DEST_DIR"/include/decaf for CURVE in ed448goldilocks; do mkdir -p "$DEST_DIR"/$CURVE @@ -114,3 +113,7 @@ for FILE in point_255.h sha512.h; do /* Not needed if 448-only */ EOF done + +cat >"$DEST_DIR"/include/portable_endian.h <