mirror of
https://github.com/kazu-yamamoto/crypton.git
synced 2024-10-04 15:57:47 +03:00
Remove decaf code related to SHAKE
Use cryptonite code instead.
This commit is contained in:
parent
4392ef57b8
commit
961dd63eaf
@ -1,219 +1,96 @@
|
||||
/**
|
||||
* @file decaf/shake.h
|
||||
* @copyright
|
||||
* Based on CC0 code by David Leon Gil, 2015 \n
|
||||
* Copyright (c) 2015 Cryptography Research, Inc. \n
|
||||
* Released under the MIT License. See LICENSE.txt for license information.
|
||||
* @author Mike Hamburg
|
||||
* @brief SHA-3-n and CRYPTONITE_DECAF_SHAKE-n instances.
|
||||
/*
|
||||
* Copyright (C) 2006-2009 Vincent Hanquez <vincent@snarc.org>
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
||||
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
||||
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
||||
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
||||
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
||||
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*/
|
||||
#ifndef CRYPTONITE_DECAF_SHAKE_H
|
||||
#define CRYPTONITE_DECAF_SHAKE_H
|
||||
|
||||
#ifndef __CRYPTONITE_DECAF_SHAKE_H__
|
||||
#define __CRYPTONITE_DECAF_SHAKE_H__
|
||||
|
||||
#include <stdint.h>
|
||||
#include <sys/types.h>
|
||||
#include <stdlib.h> /* for NULL */
|
||||
#include "cryptonite_sha3.h"
|
||||
|
||||
#include <decaf/common.h>
|
||||
|
||||
#ifdef __cplusplus
|
||||
extern "C" {
|
||||
#define CHUNK_SIZE_32 0x80000000
|
||||
|
||||
typedef struct sha3_shake256_ctx
|
||||
{
|
||||
struct sha3_ctx sc[1];
|
||||
uint8_t filler[136]; // 200 - 2*(256/8)
|
||||
}
|
||||
cryptonite_decaf_shake256_ctx_t[1];
|
||||
|
||||
static inline void cryptonite_decaf_shake256_init(cryptonite_decaf_shake256_ctx_t ctx)
|
||||
{
|
||||
cryptonite_sha3_init(ctx -> sc, 256);
|
||||
}
|
||||
|
||||
static inline void cryptonite_decaf_shake256_update(cryptonite_decaf_shake256_ctx_t ctx, const uint8_t *in, size_t inlen)
|
||||
{
|
||||
#if __SIZE_MAX__ > UINT32_MAX
|
||||
// split data over 4 GB in 2-GB chunks
|
||||
while (inlen > UINT32_MAX) {
|
||||
cryptonite_sha3_update(ctx -> sc, in, CHUNK_SIZE_32);
|
||||
inlen -= CHUNK_SIZE_32;
|
||||
in += CHUNK_SIZE_32;
|
||||
}
|
||||
#endif
|
||||
cryptonite_sha3_update(ctx -> sc, in, (uint32_t) inlen);
|
||||
}
|
||||
|
||||
#ifndef INTERNAL_SPONGE_STRUCT
|
||||
/** Sponge container object for the various primitives. */
|
||||
typedef struct cryptonite_decaf_keccak_sponge_s {
|
||||
/** @cond internal */
|
||||
uint64_t opaque[26];
|
||||
/** @endcond */
|
||||
} cryptonite_decaf_keccak_sponge_s;
|
||||
|
||||
/** Convenience GMP-style one-element array version */
|
||||
typedef struct cryptonite_decaf_keccak_sponge_s cryptonite_decaf_keccak_sponge_t[1];
|
||||
|
||||
/** Parameters for sponge construction, distinguishing CRYPTONITE_DECAF_SHA3 and
|
||||
* CRYPTONITE_DECAF_SHAKE instances.
|
||||
*/
|
||||
struct cryptonite_decaf_kparams_s;
|
||||
static inline void cryptonite_decaf_shake256_output(cryptonite_decaf_shake256_ctx_t ctx, uint8_t *out, size_t outlen) {
|
||||
#if __SIZE_MAX__ > UINT32_MAX
|
||||
// split data over 4 GB in 2-GB chunks
|
||||
while (outlen > UINT32_MAX) {
|
||||
cryptonite_sha3_output(ctx -> sc, out, CHUNK_SIZE_32);
|
||||
outlen -= CHUNK_SIZE_32;
|
||||
out += CHUNK_SIZE_32;
|
||||
}
|
||||
#endif
|
||||
cryptonite_sha3_output(ctx -> sc, out, (uint32_t) outlen);
|
||||
}
|
||||
|
||||
/**
|
||||
* @brief Initialize a sponge context object.
|
||||
* @param [out] sponge The object to initialize.
|
||||
* @param [in] params The sponge's parameter description.
|
||||
*/
|
||||
void cryptonite_decaf_sponge_init (
|
||||
cryptonite_decaf_keccak_sponge_t sponge,
|
||||
const struct cryptonite_decaf_kparams_s *params
|
||||
) CRYPTONITE_DECAF_API_VIS;
|
||||
static inline void cryptonite_decaf_shake256_final(cryptonite_decaf_shake256_ctx_t ctx, uint8_t *out, size_t outlen)
|
||||
{
|
||||
cryptonite_sha3_finalize_shake(ctx -> sc);
|
||||
cryptonite_decaf_shake256_output(ctx, out, outlen);
|
||||
|
||||
/**
|
||||
* @brief Absorb data into a CRYPTONITE_DECAF_SHA3 or CRYPTONITE_DECAF_SHAKE hash context.
|
||||
* @param [inout] sponge The context.
|
||||
* @param [in] in The input data.
|
||||
* @param [in] len The input data's length in bytes.
|
||||
* @return CRYPTONITE_DECAF_FAILURE if the sponge has already been used for output.
|
||||
* @return CRYPTONITE_DECAF_SUCCESS otherwise.
|
||||
*/
|
||||
cryptonite_decaf_error_t cryptonite_decaf_sha3_update (
|
||||
struct cryptonite_decaf_keccak_sponge_s * __restrict__ sponge,
|
||||
const uint8_t *in,
|
||||
size_t len
|
||||
) CRYPTONITE_DECAF_API_VIS;
|
||||
cryptonite_decaf_shake256_init(ctx);
|
||||
}
|
||||
|
||||
/**
|
||||
* @brief Squeeze output data from a CRYPTONITE_DECAF_SHA3 or CRYPTONITE_DECAF_SHAKE hash context.
|
||||
* This does not destroy or re-initialize the hash context, and
|
||||
* cryptonite_decaf_sha3 output can be called more times.
|
||||
*
|
||||
* @param [inout] sponge The context.
|
||||
* @param [out] out The output data.
|
||||
* @param [in] len The requested output data length in bytes.
|
||||
* @return CRYPTONITE_DECAF_FAILURE if the sponge has exhausted its output capacity.
|
||||
* @return CRYPTONITE_DECAF_SUCCESS otherwise.
|
||||
*/
|
||||
cryptonite_decaf_error_t cryptonite_decaf_sha3_output (
|
||||
cryptonite_decaf_keccak_sponge_t sponge,
|
||||
uint8_t * __restrict__ out,
|
||||
size_t len
|
||||
) CRYPTONITE_DECAF_API_VIS;
|
||||
static inline void cryptonite_decaf_shake256_destroy(cryptonite_decaf_shake256_ctx_t ctx)
|
||||
{
|
||||
cryptonite_decaf_bzero(ctx, sizeof(*ctx));
|
||||
}
|
||||
|
||||
/**
|
||||
* @brief Squeeze output data from a CRYPTONITE_DECAF_SHA3 or CRYPTONITE_DECAF_SHAKE hash context.
|
||||
* This re-initializes the context to its starting parameters.
|
||||
*
|
||||
* @param [inout] sponge The context.
|
||||
* @param [out] out The output data.
|
||||
* @param [in] len The requested output data length in bytes.
|
||||
*/
|
||||
cryptonite_decaf_error_t cryptonite_decaf_sha3_final (
|
||||
cryptonite_decaf_keccak_sponge_t sponge,
|
||||
uint8_t * __restrict__ out,
|
||||
size_t len
|
||||
) CRYPTONITE_DECAF_API_VIS;
|
||||
static inline void cryptonite_decaf_shake256_hash(uint8_t *out, size_t outlen, const uint8_t *in, size_t inlen)
|
||||
{
|
||||
cryptonite_decaf_shake256_ctx_t ctx;
|
||||
|
||||
/**
|
||||
* @brief Reset the sponge to the empty string.
|
||||
*
|
||||
* @param [inout] sponge The context.
|
||||
*/
|
||||
void cryptonite_decaf_sha3_reset (
|
||||
cryptonite_decaf_keccak_sponge_t sponge
|
||||
) CRYPTONITE_DECAF_API_VIS;
|
||||
cryptonite_decaf_shake256_init(ctx);
|
||||
cryptonite_decaf_shake256_update(ctx, in, inlen);
|
||||
|
||||
/**
|
||||
* @brief Return the default output length of the sponge construction,
|
||||
* for the purpose of C++ default operators.
|
||||
*
|
||||
* Returns n/8 for CRYPTONITE_DECAF_SHA3-n and 2n/8 for CRYPTONITE_DECAF_SHAKE-n.
|
||||
*/
|
||||
size_t cryptonite_decaf_sponge_default_output_bytes (
|
||||
const cryptonite_decaf_keccak_sponge_t sponge /**< [inout] The context. */
|
||||
) CRYPTONITE_DECAF_API_VIS;
|
||||
cryptonite_sha3_finalize_shake(ctx -> sc);
|
||||
cryptonite_decaf_shake256_output(ctx, out, outlen);
|
||||
|
||||
/**
|
||||
* @brief Return the default output length of the sponge construction,
|
||||
* for the purpose of C++ default operators.
|
||||
*
|
||||
* Returns n/8 for CRYPTONITE_DECAF_SHA3-n and SIZE_MAX for CRYPTONITE_DECAF_SHAKE-n.
|
||||
*/
|
||||
size_t cryptonite_decaf_sponge_max_output_bytes (
|
||||
const cryptonite_decaf_keccak_sponge_t sponge /**< [inout] The context. */
|
||||
) CRYPTONITE_DECAF_API_VIS;
|
||||
cryptonite_decaf_shake256_destroy(ctx);
|
||||
}
|
||||
|
||||
/**
|
||||
* @brief Destroy a CRYPTONITE_DECAF_SHA3 or CRYPTONITE_DECAF_SHAKE sponge context by overwriting it with 0.
|
||||
* @param [out] sponge The context.
|
||||
*/
|
||||
void cryptonite_decaf_sponge_destroy (
|
||||
cryptonite_decaf_keccak_sponge_t sponge
|
||||
) CRYPTONITE_DECAF_API_VIS;
|
||||
|
||||
/**
|
||||
* @brief Hash (in) to (out)
|
||||
* @param [in] in The input data.
|
||||
* @param [in] inlen The length of the input data.
|
||||
* @param [out] out A buffer for the output data.
|
||||
* @param [in] outlen The length of the output data.
|
||||
* @param [in] params The parameters of the sponge hash.
|
||||
*/
|
||||
cryptonite_decaf_error_t cryptonite_decaf_sponge_hash (
|
||||
const uint8_t *in,
|
||||
size_t inlen,
|
||||
uint8_t *out,
|
||||
size_t outlen,
|
||||
const struct cryptonite_decaf_kparams_s *params
|
||||
) CRYPTONITE_DECAF_API_VIS;
|
||||
|
||||
/* FUTURE: expand/doxygenate individual CRYPTONITE_DECAF_SHAKE/CRYPTONITE_DECAF_SHA3 instances? */
|
||||
|
||||
/** @cond internal */
|
||||
#define CRYPTONITE_DECAF_DEC_SHAKE(n) \
|
||||
extern const struct cryptonite_decaf_kparams_s CRYPTONITE_DECAF_SHAKE##n##_params_s CRYPTONITE_DECAF_API_VIS; \
|
||||
typedef struct cryptonite_decaf_shake##n##_ctx_s { cryptonite_decaf_keccak_sponge_t s; } cryptonite_decaf_shake##n##_ctx_t[1]; \
|
||||
static inline void CRYPTONITE_DECAF_NONNULL cryptonite_decaf_shake##n##_init(cryptonite_decaf_shake##n##_ctx_t sponge) { \
|
||||
cryptonite_decaf_sponge_init(sponge->s, &CRYPTONITE_DECAF_SHAKE##n##_params_s); \
|
||||
} \
|
||||
static inline void CRYPTONITE_DECAF_NONNULL cryptonite_decaf_shake##n##_gen_init(cryptonite_decaf_keccak_sponge_t sponge) { \
|
||||
cryptonite_decaf_sponge_init(sponge, &CRYPTONITE_DECAF_SHAKE##n##_params_s); \
|
||||
} \
|
||||
static inline cryptonite_decaf_error_t CRYPTONITE_DECAF_NONNULL cryptonite_decaf_shake##n##_update(cryptonite_decaf_shake##n##_ctx_t sponge, const uint8_t *in, size_t inlen ) { \
|
||||
return cryptonite_decaf_sha3_update(sponge->s, in, inlen); \
|
||||
} \
|
||||
static inline void CRYPTONITE_DECAF_NONNULL cryptonite_decaf_shake##n##_final(cryptonite_decaf_shake##n##_ctx_t sponge, uint8_t *out, size_t outlen ) { \
|
||||
cryptonite_decaf_sha3_output(sponge->s, out, outlen); \
|
||||
cryptonite_decaf_sponge_init(sponge->s, &CRYPTONITE_DECAF_SHAKE##n##_params_s); \
|
||||
} \
|
||||
static inline void CRYPTONITE_DECAF_NONNULL cryptonite_decaf_shake##n##_output(cryptonite_decaf_shake##n##_ctx_t sponge, uint8_t *out, size_t outlen ) { \
|
||||
cryptonite_decaf_sha3_output(sponge->s, out, outlen); \
|
||||
} \
|
||||
static inline void CRYPTONITE_DECAF_NONNULL cryptonite_decaf_shake##n##_hash(uint8_t *out, size_t outlen, const uint8_t *in, size_t inlen) { \
|
||||
cryptonite_decaf_sponge_hash(in,inlen,out,outlen,&CRYPTONITE_DECAF_SHAKE##n##_params_s); \
|
||||
} \
|
||||
static inline void CRYPTONITE_DECAF_NONNULL cryptonite_decaf_shake##n##_destroy( cryptonite_decaf_shake##n##_ctx_t sponge ) { \
|
||||
cryptonite_decaf_sponge_destroy(sponge->s); \
|
||||
}
|
||||
|
||||
#define CRYPTONITE_DECAF_DEC_SHA3(n) \
|
||||
extern const struct cryptonite_decaf_kparams_s CRYPTONITE_DECAF_SHA3_##n##_params_s CRYPTONITE_DECAF_API_VIS; \
|
||||
typedef struct cryptonite_decaf_sha3_##n##_ctx_s { cryptonite_decaf_keccak_sponge_t s; } cryptonite_decaf_sha3_##n##_ctx_t[1]; \
|
||||
static inline void CRYPTONITE_DECAF_NONNULL cryptonite_decaf_sha3_##n##_init(cryptonite_decaf_sha3_##n##_ctx_t sponge) { \
|
||||
cryptonite_decaf_sponge_init(sponge->s, &CRYPTONITE_DECAF_SHA3_##n##_params_s); \
|
||||
} \
|
||||
static inline void CRYPTONITE_DECAF_NONNULL cryptonite_decaf_sha3_##n##_gen_init(cryptonite_decaf_keccak_sponge_t sponge) { \
|
||||
cryptonite_decaf_sponge_init(sponge, &CRYPTONITE_DECAF_SHA3_##n##_params_s); \
|
||||
} \
|
||||
static inline cryptonite_decaf_error_t CRYPTONITE_DECAF_NONNULL cryptonite_decaf_sha3_##n##_update(cryptonite_decaf_sha3_##n##_ctx_t sponge, const uint8_t *in, size_t inlen ) { \
|
||||
return cryptonite_decaf_sha3_update(sponge->s, in, inlen); \
|
||||
} \
|
||||
static inline cryptonite_decaf_error_t CRYPTONITE_DECAF_NONNULL cryptonite_decaf_sha3_##n##_final(cryptonite_decaf_sha3_##n##_ctx_t sponge, uint8_t *out, size_t outlen ) { \
|
||||
cryptonite_decaf_error_t ret = cryptonite_decaf_sha3_output(sponge->s, out, outlen); \
|
||||
cryptonite_decaf_sponge_init(sponge->s, &CRYPTONITE_DECAF_SHA3_##n##_params_s); \
|
||||
return ret; \
|
||||
} \
|
||||
static inline cryptonite_decaf_error_t CRYPTONITE_DECAF_NONNULL cryptonite_decaf_sha3_##n##_output(cryptonite_decaf_sha3_##n##_ctx_t sponge, uint8_t *out, size_t outlen ) { \
|
||||
return cryptonite_decaf_sha3_output(sponge->s, out, outlen); \
|
||||
} \
|
||||
static inline cryptonite_decaf_error_t CRYPTONITE_DECAF_NONNULL cryptonite_decaf_sha3_##n##_hash(uint8_t *out, size_t outlen, const uint8_t *in, size_t inlen) { \
|
||||
return cryptonite_decaf_sponge_hash(in,inlen,out,outlen,&CRYPTONITE_DECAF_SHA3_##n##_params_s); \
|
||||
} \
|
||||
static inline void CRYPTONITE_DECAF_NONNULL cryptonite_decaf_sha3_##n##_destroy(cryptonite_decaf_sha3_##n##_ctx_t sponge) { \
|
||||
cryptonite_decaf_sponge_destroy(sponge->s); \
|
||||
}
|
||||
/** @endcond */
|
||||
|
||||
CRYPTONITE_DECAF_DEC_SHAKE(128)
|
||||
CRYPTONITE_DECAF_DEC_SHAKE(256)
|
||||
CRYPTONITE_DECAF_DEC_SHA3(224)
|
||||
CRYPTONITE_DECAF_DEC_SHA3(256)
|
||||
CRYPTONITE_DECAF_DEC_SHA3(384)
|
||||
CRYPTONITE_DECAF_DEC_SHA3(512)
|
||||
#undef CRYPTONITE_DECAF_DEC_SHAKE
|
||||
#undef CRYPTONITE_DECAF_DEC_SHA3
|
||||
|
||||
#ifdef __cplusplus
|
||||
} /* extern "C" */
|
||||
#endif
|
||||
|
||||
#endif /* __CRYPTONITE_DECAF_SHAKE_H__ */
|
||||
|
@ -1,38 +0,0 @@
|
||||
/**
|
||||
* @cond internal
|
||||
* @file keccak_internal.h
|
||||
* @copyright
|
||||
* Copyright (c) 2016 Cryptography Research, Inc. \n
|
||||
* Released under the MIT License. See LICENSE.txt for license information.
|
||||
* @author Mike Hamburg
|
||||
* @brief Keccak internal interfaces. Will be used by STROBE once reintegrated.
|
||||
*/
|
||||
#ifndef __CRYPTONITE_DECAF_KECCAK_INTERNAL_H__
|
||||
#define __CRYPTONITE_DECAF_KECCAK_INTERNAL_H__ 1
|
||||
|
||||
#include <stdint.h>
|
||||
|
||||
/* The internal, non-opaque definition of the cryptonite_decaf_sponge struct. */
|
||||
typedef union {
|
||||
uint64_t w[25]; uint8_t b[25*8];
|
||||
} kdomain_t[1];
|
||||
|
||||
typedef struct cryptonite_decaf_kparams_s {
|
||||
uint8_t position, flags, rate, start_round, pad, rate_pad, max_out, remaining;
|
||||
} cryptonite_decaf_kparams_s, cryptonite_decaf_kparams_t[1];
|
||||
|
||||
typedef struct cryptonite_decaf_keccak_sponge_s {
|
||||
kdomain_t state;
|
||||
cryptonite_decaf_kparams_t params;
|
||||
} cryptonite_decaf_keccak_sponge_s, cryptonite_decaf_keccak_sponge_t[1];
|
||||
|
||||
#define INTERNAL_SPONGE_STRUCT 1
|
||||
|
||||
void __attribute__((noinline)) cryptonite_keccakf(kdomain_t state, uint8_t start_round);
|
||||
|
||||
static inline void dokeccak (cryptonite_decaf_keccak_sponge_t cryptonite_decaf_sponge) {
|
||||
cryptonite_keccakf(cryptonite_decaf_sponge->state, cryptonite_decaf_sponge->params->start_round);
|
||||
cryptonite_decaf_sponge->params->position = 0;
|
||||
}
|
||||
|
||||
#endif /* __CRYPTONITE_DECAF_KECCAK_INTERNAL_H__ */
|
@ -1,39 +1 @@
|
||||
/* Subset of Mathias Panzenböck's portable endian code, public domain */
|
||||
|
||||
#ifndef __PORTABLE_ENDIAN_H__
|
||||
#define __PORTABLE_ENDIAN_H__
|
||||
|
||||
#if defined(__linux__) || defined(__CYGWIN__)
|
||||
# include <endian.h>
|
||||
#elif defined(__OpenBSD__)
|
||||
# include <sys/endian.h>
|
||||
#elif defined(__APPLE__)
|
||||
# include <libkern/OSByteOrder.h>
|
||||
# define htole64(x) OSSwapHostToLittleInt64(x)
|
||||
# define le64toh(x) OSSwapLittleToHostInt64(x)
|
||||
#elif defined(__NetBSD__) || defined(__FreeBSD__) || defined(__DragonFly__)
|
||||
# include <sys/endian.h>
|
||||
# ifndef le64toh
|
||||
# define le64toh(x) letoh64(x)
|
||||
# endif
|
||||
#elif defined(__sun) && defined(__SVR4)
|
||||
# include <sys/byteorder.h>
|
||||
# define htole64(x) LE_64(x)
|
||||
# define le64toh(x) LE_64(x)
|
||||
#elif defined(_WIN16) || defined(_WIN32) || defined(_WIN64) || defined(__WINDOWS__)
|
||||
# include <winsock2.h>
|
||||
# include <sys/param.h>
|
||||
# if BYTE_ORDER == LITTLE_ENDIAN
|
||||
# define htole64(x) (x)
|
||||
# define le64toh(x) (x)
|
||||
# elif BYTE_ORDER == BIG_ENDIAN
|
||||
# define htole64(x) __builtin_bswap64(x)
|
||||
# define le64toh(x) __builtin_bswap64(x)
|
||||
# else
|
||||
# error byte order not supported
|
||||
# endif
|
||||
#else
|
||||
# error platform not supported
|
||||
#endif
|
||||
|
||||
#endif // __PORTABLE_ENDIAN_H__
|
||||
/* portable_endian.h not used */
|
||||
|
@ -1,238 +0,0 @@
|
||||
/**
|
||||
* @cond internal
|
||||
* @file shake.c
|
||||
* @copyright
|
||||
* Uses public domain code by Mathias Panzenböck \n
|
||||
* Uses CC0 code by David Leon Gil, 2015 \n
|
||||
* Copyright (c) 2015 Cryptography Research, Inc. \n
|
||||
* Released under the MIT License. See LICENSE.txt for license information.
|
||||
* @author Mike Hamburg
|
||||
* @brief SHA-3-n and SHAKE-n instances.
|
||||
* @warning EXPERIMENTAL! The names, parameter orders etc are likely to change.
|
||||
*/
|
||||
|
||||
#define __STDC_WANT_LIB_EXT1__ 1 /* for memset_s */
|
||||
#define _BSD_SOURCE 1 /* for endian */
|
||||
#define _DEFAULT_SOURCE 1 /* for endian with glibc 2.20 */
|
||||
#include <assert.h>
|
||||
#include <stdint.h>
|
||||
#include <string.h>
|
||||
|
||||
#include "portable_endian.h"
|
||||
#include "keccak_internal.h"
|
||||
#include <decaf/shake.h>
|
||||
|
||||
#define FLAG_ABSORBING 'A'
|
||||
#define FLAG_SQUEEZING 'Z'
|
||||
|
||||
/** Constants. **/
|
||||
static const uint8_t pi[24] = {
|
||||
10, 7, 11, 17, 18, 3, 5, 16, 8, 21, 24, 4,
|
||||
15, 23, 19, 13, 12, 2, 20, 14, 22, 9, 6, 1
|
||||
};
|
||||
|
||||
#define RC_B(x,n) ((((x##ull)>>n)&1)<<((1<<n)-1))
|
||||
#define RC_X(x) (RC_B(x,0)|RC_B(x,1)|RC_B(x,2)|RC_B(x,3)|RC_B(x,4)|RC_B(x,5)|RC_B(x,6))
|
||||
static const uint64_t RC[24] = {
|
||||
RC_X(0x01), RC_X(0x1a), RC_X(0x5e), RC_X(0x70), RC_X(0x1f), RC_X(0x21),
|
||||
RC_X(0x79), RC_X(0x55), RC_X(0x0e), RC_X(0x0c), RC_X(0x35), RC_X(0x26),
|
||||
RC_X(0x3f), RC_X(0x4f), RC_X(0x5d), RC_X(0x53), RC_X(0x52), RC_X(0x48),
|
||||
RC_X(0x16), RC_X(0x66), RC_X(0x79), RC_X(0x58), RC_X(0x21), RC_X(0x74)
|
||||
};
|
||||
|
||||
static inline uint64_t rol(uint64_t x, int s) {
|
||||
return (x << s) | (x >> (64 - s));
|
||||
}
|
||||
|
||||
/* Helper macros to unroll the permutation. */
|
||||
#define REPEAT5(e) e e e e e
|
||||
#define FOR51(v, e) v = 0; REPEAT5(e; v += 1;)
|
||||
#ifndef SHAKE_NO_UNROLL_LOOPS
|
||||
# define FOR55(v, e) v = 0; REPEAT5(e; v += 5;)
|
||||
# define REPEAT24(e) e e e e e e e e e e e e e e e e e e e e e e e e
|
||||
#else
|
||||
# define FOR55(v, e) for (v=0; v<25; v+= 5) { e; }
|
||||
# define REPEAT24(e) {int _j=0; for (_j=0; _j<24; _j++) { e }}
|
||||
#endif
|
||||
|
||||
/*** The Keccak-f[1600] permutation ***/
|
||||
void cryptonite_keccakf(kdomain_t state, uint8_t start_round) {
|
||||
uint64_t* a = state->w;
|
||||
uint64_t b[5] = {0}, t, u;
|
||||
uint8_t x, y, i;
|
||||
|
||||
for (i=0; i<25; i++) a[i] = le64toh(a[i]);
|
||||
|
||||
for (i = start_round; i < 24; i++) {
|
||||
FOR51(x, b[x] = 0; )
|
||||
FOR55(y, FOR51(x, b[x] ^= a[x + y]; ))
|
||||
FOR55(y, FOR51(x,
|
||||
a[y + x] ^= b[(x + 4) % 5] ^ rol(b[(x + 1) % 5], 1);
|
||||
))
|
||||
// Rho and pi
|
||||
t = a[1];
|
||||
x = y = 0;
|
||||
REPEAT24(u = a[pi[x]]; y += x+1; a[pi[x]] = rol(t, y % 64); t = u; x++; )
|
||||
// Chi
|
||||
FOR55(y,
|
||||
FOR51(x, b[x] = a[y + x];)
|
||||
FOR51(x, a[y + x] = b[x] ^ ((~b[(x + 1) % 5]) & b[(x + 2) % 5]);)
|
||||
)
|
||||
// Iota
|
||||
a[0] ^= RC[i];
|
||||
}
|
||||
|
||||
for (i=0; i<25; i++) a[i] = htole64(a[i]);
|
||||
}
|
||||
|
||||
cryptonite_decaf_error_t cryptonite_decaf_sha3_update (
|
||||
struct cryptonite_decaf_keccak_sponge_s * __restrict__ cryptonite_decaf_sponge,
|
||||
const uint8_t *in,
|
||||
size_t len
|
||||
) {
|
||||
assert(cryptonite_decaf_sponge->params->position < cryptonite_decaf_sponge->params->rate);
|
||||
assert(cryptonite_decaf_sponge->params->rate < sizeof(cryptonite_decaf_sponge->state));
|
||||
assert(cryptonite_decaf_sponge->params->flags == FLAG_ABSORBING);
|
||||
while (len) {
|
||||
size_t cando = cryptonite_decaf_sponge->params->rate - cryptonite_decaf_sponge->params->position, i;
|
||||
uint8_t* state = &cryptonite_decaf_sponge->state->b[cryptonite_decaf_sponge->params->position];
|
||||
if (cando > len) {
|
||||
for (i = 0; i < len; i += 1) state[i] ^= in[i];
|
||||
cryptonite_decaf_sponge->params->position += len;
|
||||
break;
|
||||
} else {
|
||||
for (i = 0; i < cando; i += 1) state[i] ^= in[i];
|
||||
dokeccak(cryptonite_decaf_sponge);
|
||||
len -= cando;
|
||||
in += cando;
|
||||
}
|
||||
}
|
||||
return (cryptonite_decaf_sponge->params->flags == FLAG_ABSORBING) ? CRYPTONITE_DECAF_SUCCESS : CRYPTONITE_DECAF_FAILURE;
|
||||
}
|
||||
|
||||
cryptonite_decaf_error_t cryptonite_decaf_sha3_output (
|
||||
cryptonite_decaf_keccak_sponge_t cryptonite_decaf_sponge,
|
||||
uint8_t * __restrict__ out,
|
||||
size_t len
|
||||
) {
|
||||
cryptonite_decaf_error_t ret = CRYPTONITE_DECAF_SUCCESS;
|
||||
assert(cryptonite_decaf_sponge->params->position < cryptonite_decaf_sponge->params->rate);
|
||||
assert(cryptonite_decaf_sponge->params->rate < sizeof(cryptonite_decaf_sponge->state));
|
||||
|
||||
if (cryptonite_decaf_sponge->params->max_out != 0xFF) {
|
||||
if (cryptonite_decaf_sponge->params->remaining >= len) {
|
||||
cryptonite_decaf_sponge->params->remaining -= len;
|
||||
} else {
|
||||
cryptonite_decaf_sponge->params->remaining = 0;
|
||||
ret = CRYPTONITE_DECAF_FAILURE;
|
||||
}
|
||||
}
|
||||
|
||||
switch (cryptonite_decaf_sponge->params->flags) {
|
||||
case FLAG_SQUEEZING: break;
|
||||
case FLAG_ABSORBING:
|
||||
{
|
||||
uint8_t* state = cryptonite_decaf_sponge->state->b;
|
||||
state[cryptonite_decaf_sponge->params->position] ^= cryptonite_decaf_sponge->params->pad;
|
||||
state[cryptonite_decaf_sponge->params->rate - 1] ^= cryptonite_decaf_sponge->params->rate_pad;
|
||||
dokeccak(cryptonite_decaf_sponge);
|
||||
cryptonite_decaf_sponge->params->flags = FLAG_SQUEEZING;
|
||||
break;
|
||||
}
|
||||
default:
|
||||
assert(0);
|
||||
}
|
||||
|
||||
while (len) {
|
||||
size_t cando = cryptonite_decaf_sponge->params->rate - cryptonite_decaf_sponge->params->position;
|
||||
uint8_t* state = &cryptonite_decaf_sponge->state->b[cryptonite_decaf_sponge->params->position];
|
||||
if (cando > len) {
|
||||
memcpy(out, state, len);
|
||||
cryptonite_decaf_sponge->params->position += len;
|
||||
return ret;
|
||||
} else {
|
||||
memcpy(out, state, cando);
|
||||
dokeccak(cryptonite_decaf_sponge);
|
||||
len -= cando;
|
||||
out += cando;
|
||||
}
|
||||
}
|
||||
return ret;
|
||||
}
|
||||
|
||||
cryptonite_decaf_error_t cryptonite_decaf_sha3_final (
|
||||
cryptonite_decaf_keccak_sponge_t cryptonite_decaf_sponge,
|
||||
uint8_t * __restrict__ out,
|
||||
size_t len
|
||||
) {
|
||||
cryptonite_decaf_error_t ret = cryptonite_decaf_sha3_output(cryptonite_decaf_sponge,out,len);
|
||||
cryptonite_decaf_sha3_reset(cryptonite_decaf_sponge);
|
||||
return ret;
|
||||
}
|
||||
|
||||
void cryptonite_decaf_sha3_reset (
|
||||
cryptonite_decaf_keccak_sponge_t cryptonite_decaf_sponge
|
||||
) {
|
||||
cryptonite_decaf_sponge_init(cryptonite_decaf_sponge, cryptonite_decaf_sponge->params);
|
||||
cryptonite_decaf_sponge->params->flags = FLAG_ABSORBING;
|
||||
cryptonite_decaf_sponge->params->remaining = cryptonite_decaf_sponge->params->max_out;
|
||||
}
|
||||
|
||||
void cryptonite_decaf_sponge_destroy (cryptonite_decaf_keccak_sponge_t cryptonite_decaf_sponge) { cryptonite_decaf_bzero(cryptonite_decaf_sponge, sizeof(cryptonite_decaf_keccak_sponge_t)); }
|
||||
|
||||
void cryptonite_decaf_sponge_init (
|
||||
cryptonite_decaf_keccak_sponge_t cryptonite_decaf_sponge,
|
||||
const struct cryptonite_decaf_kparams_s *params
|
||||
) {
|
||||
memset(cryptonite_decaf_sponge->state, 0, sizeof(cryptonite_decaf_sponge->state));
|
||||
cryptonite_decaf_sponge->params[0] = params[0];
|
||||
cryptonite_decaf_sponge->params->position = 0;
|
||||
}
|
||||
|
||||
cryptonite_decaf_error_t cryptonite_decaf_sponge_hash (
|
||||
const uint8_t *in,
|
||||
size_t inlen,
|
||||
uint8_t *out,
|
||||
size_t outlen,
|
||||
const struct cryptonite_decaf_kparams_s *params
|
||||
) {
|
||||
cryptonite_decaf_keccak_sponge_t cryptonite_decaf_sponge;
|
||||
cryptonite_decaf_sponge_init(cryptonite_decaf_sponge, params);
|
||||
cryptonite_decaf_sha3_update(cryptonite_decaf_sponge, in, inlen);
|
||||
cryptonite_decaf_error_t ret = cryptonite_decaf_sha3_output(cryptonite_decaf_sponge, out, outlen);
|
||||
cryptonite_decaf_sponge_destroy(cryptonite_decaf_sponge);
|
||||
return ret;
|
||||
}
|
||||
|
||||
#define DEFSHAKE(n) \
|
||||
const struct cryptonite_decaf_kparams_s CRYPTONITE_DECAF_SHAKE##n##_params_s = \
|
||||
{ 0, FLAG_ABSORBING, 200-n/4, 0, 0x1f, 0x80, 0xFF, 0xFF };
|
||||
|
||||
#define DEFSHA3(n) \
|
||||
const struct cryptonite_decaf_kparams_s CRYPTONITE_DECAF_SHA3_##n##_params_s = \
|
||||
{ 0, FLAG_ABSORBING, 200-n/4, 0, 0x06, 0x80, n/8, n/8 };
|
||||
|
||||
size_t cryptonite_decaf_sponge_default_output_bytes (
|
||||
const cryptonite_decaf_keccak_sponge_t s
|
||||
) {
|
||||
return (s->params->max_out == 0xFF)
|
||||
? (200-s->params->rate)
|
||||
: ((200-s->params->rate)/2);
|
||||
}
|
||||
|
||||
size_t cryptonite_decaf_sponge_max_output_bytes (
|
||||
const cryptonite_decaf_keccak_sponge_t s
|
||||
) {
|
||||
return (s->params->max_out == 0xFF)
|
||||
? SIZE_MAX
|
||||
: (size_t)((200-s->params->rate)/2);
|
||||
}
|
||||
|
||||
DEFSHAKE(128)
|
||||
DEFSHAKE(256)
|
||||
DEFSHA3(224)
|
||||
DEFSHA3(256)
|
||||
DEFSHA3(384)
|
||||
DEFSHA3(512)
|
||||
|
||||
/* FUTURE: Keyak instances, etc */
|
@ -9,7 +9,6 @@ DEST_DIR="`dirname "$0"`"/..
|
||||
rm "$DEST_DIR"/*.c
|
||||
rm "$DEST_DIR"/include/constant_time.h
|
||||
rm "$DEST_DIR"/include/field.h
|
||||
rm "$DEST_DIR"/include/keccak_internal.h
|
||||
rm "$DEST_DIR"/include/portable_endian.h
|
||||
rm "$DEST_DIR"/include/word.h
|
||||
rm "$DEST_DIR"/include/decaf.h
|
||||
@ -18,7 +17,6 @@ rm "$DEST_DIR"/include/decaf/ed448.h
|
||||
rm "$DEST_DIR"/include/decaf/point_255.h
|
||||
rm "$DEST_DIR"/include/decaf/point_448.h
|
||||
rm "$DEST_DIR"/include/decaf/sha512.h
|
||||
rm "$DEST_DIR"/include/decaf/shake.h
|
||||
rm -r "$DEST_DIR"/include/arch_*
|
||||
rm -r "$DEST_DIR"/ed448goldilocks
|
||||
rm -r "$DEST_DIR"/p448
|
||||
|
@ -18,6 +18,9 @@
|
||||
#
|
||||
# * substitutions are performed in order to add a cryptonite_ prefix
|
||||
# to all external symbols
|
||||
#
|
||||
# * code related to SHAKE is replaced by cryptonite code, referenced from
|
||||
# a custom shake.h. As a consequence, portable_endian.h is not needed.
|
||||
|
||||
SRC_DIR="$1/src"
|
||||
DEST_DIR="`dirname "$0"`"/..
|
||||
@ -39,14 +42,11 @@ convert() {
|
||||
-e 's/P25519_SQRT_MINUS_ONE/CRYPTONITE_P25519_SQRT_MINUS_ONE/g'
|
||||
}
|
||||
|
||||
convert "$SRC_DIR"/shake.c "$DEST_DIR"
|
||||
convert "$SRC_DIR"/utils.c "$DEST_DIR"
|
||||
|
||||
mkdir -p "$DEST_DIR"/include
|
||||
convert "$SRC_DIR"/include/constant_time.h "$DEST_DIR"/include
|
||||
convert "$SRC_DIR"/include/field.h "$DEST_DIR"/include
|
||||
convert "$SRC_DIR"/include/keccak_internal.h "$DEST_DIR"/include
|
||||
convert "$SRC_DIR"/include/portable_endian.h "$DEST_DIR"/include
|
||||
convert "$SRC_DIR"/include/word.h "$DEST_DIR"/include
|
||||
|
||||
for ARCH in $ARCHITECTURES; do
|
||||
@ -59,7 +59,6 @@ convert "$SRC_DIR"/GENERATED/include/decaf.h "$DEST_DIR"/include
|
||||
convert "$SRC_DIR"/GENERATED/include/decaf/common.h "$DEST_DIR"/include/decaf
|
||||
convert "$SRC_DIR"/GENERATED/include/decaf/ed448.h "$DEST_DIR"/include/decaf
|
||||
convert "$SRC_DIR"/GENERATED/include/decaf/point_448.h "$DEST_DIR"/include/decaf
|
||||
convert "$SRC_DIR"/GENERATED/include/decaf/shake.h "$DEST_DIR"/include/decaf
|
||||
|
||||
for CURVE in ed448goldilocks; do
|
||||
mkdir -p "$DEST_DIR"/$CURVE
|
||||
@ -114,3 +113,7 @@ for FILE in point_255.h sha512.h; do
|
||||
/* Not needed if 448-only */
|
||||
EOF
|
||||
done
|
||||
|
||||
cat >"$DEST_DIR"/include/portable_endian.h <<EOF
|
||||
/* portable_endian.h not used */
|
||||
EOF
|
||||
|
@ -268,14 +268,12 @@ Library
|
||||
|
||||
if arch(x86_64)
|
||||
C-sources: cbits/decaf/utils.c
|
||||
, cbits/decaf/shake.c
|
||||
, cbits/decaf/cryptonite_p448_arch_ref64.c
|
||||
|
||||
include-dirs: cbits/decaf/include
|
||||
, cbits/decaf/include/arch_ref64
|
||||
else
|
||||
C-sources: cbits/decaf/utils.c
|
||||
, cbits/decaf/shake.c
|
||||
, cbits/decaf/cryptonite_p448_arch_32.c
|
||||
|
||||
include-dirs: cbits/decaf/include
|
||||
|
Loading…
Reference in New Issue
Block a user