#define __DECAF_ED448_H__ 1
#include "point_448.h"
-#include "shake.h"
#ifdef __cplusplus
extern "C" {
/** Does EdDSA support non-contextual signatures? */
#define DECAF_EDDSA_448_SUPPORTS_CONTEXTLESS_SIGS 0
-/** Prehash context renaming macros. */
-#define decaf_ed448_prehash_ctx_s decaf_shake256_ctx_s
-#define decaf_ed448_prehash_ctx_t decaf_shake256_ctx_t
-#define decaf_ed448_prehash_update decaf_shake256_update
-#define decaf_ed448_prehash_destroy decaf_shake256_destroy
-
/** EdDSA encoding ratio. */
#define DECAF_448_EDDSA_ENCODE_RATIO 4
const uint8_t *context,
size_t context_len
) __attribute__((nonnull(1,2,3,4)));
-
-/**
- * @brief Prehash initialization, with contexts if supported.
- *
- * @param [out] hash The hash object to be initialized.
- */
-void decaf_ed448_prehash_init (
- decaf_ed448_prehash_ctx_t hash
-) __attribute__((nonnull(1)));
/**
* @brief EdDSA signature verification.
#include "curve448_lcl.h"
#include "word.h"
#include "ed448.h"
-#include "shake.h"
#include <string.h>
#include "internal/numbers.h"
#define API_NAME "decaf_448"
-#define hash_ctx_t decaf_shake256_ctx_t
-#define hash_init decaf_shake256_init
-#define hash_update decaf_shake256_update
-#define hash_final decaf_shake256_final
-#define hash_destroy decaf_shake256_destroy
-#define hash_hash decaf_shake256_hash
-
#define NO_CONTEXT DECAF_EDDSA_448_SUPPORTS_CONTEXTLESS_SIGS
#define EDDSA_USE_SIGMA_ISOGENY 0
#define COFACTOR 4
return DECAF_SUCCESS;
}
-void decaf_ed448_prehash_init (
- hash_ctx_t hash
-) {
- hash_init(hash);
-}
-
/* In this file because it uses the hash */
decaf_error_t decaf_ed448_convert_private_key_to_x448 (
uint8_t x[DECAF_X448_PRIVATE_BYTES],
+++ /dev/null
-/**
- * @cond internal
- * @file keccak_internal.h
- * @copyright
- * Copyright (c) 2016 Cryptography Research, Inc. \n
- * Released under the MIT License. See LICENSE.txt for license information.
- * @author Mike Hamburg
- * @brief Keccak internal interfaces. Will be used by STROBE once reintegrated.
- */
-#ifndef __DECAF_KECCAK_INTERNAL_H__
-#define __DECAF_KECCAK_INTERNAL_H__ 1
-
-#include <stdint.h>
-
-/* The internal, non-opaque definition of the decaf_sponge struct. */
-typedef union {
- uint64_t w[25]; uint8_t b[25*8];
-} kdomain_t[1];
-
-typedef struct decaf_kparams_s {
- uint8_t position, flags, rate, start_round, pad, rate_pad, max_out, remaining;
-} decaf_kparams_s, decaf_kparams_t[1];
-
-typedef struct decaf_keccak_sponge_s {
- kdomain_t state;
- decaf_kparams_t params;
-} decaf_keccak_sponge_s, decaf_keccak_sponge_t[1];
-
-#define INTERNAL_SPONGE_STRUCT 1
-
-void __attribute__((noinline)) keccakf(kdomain_t state, uint8_t start_round);
-
-static inline void dokeccak (decaf_keccak_sponge_t decaf_sponge) {
- keccakf(decaf_sponge->state, decaf_sponge->params->start_round);
- decaf_sponge->params->position = 0;
-}
-
-#endif /* __DECAF_KECCAK_INTERNAL_H__ */
+++ /dev/null
-/**
- * @cond internal
- * @file shake.c
- * @copyright
- * Uses public domain code by Mathias Panzenböck \n
- * Uses CC0 code by David Leon Gil, 2015 \n
- * Copyright (c) 2015 Cryptography Research, Inc. \n
- * Released under the MIT License. See LICENSE.txt for license information.
- * @author Mike Hamburg
- * @brief SHA-3-n and SHAKE-n instances.
- * @warning EXPERIMENTAL! The names, parameter orders etc are likely to change.
- */
-
-#define __STDC_WANT_LIB_EXT1__ 1 /* for memset_s */
-#define _BSD_SOURCE 1 /* for endian */
-#define _DEFAULT_SOURCE 1 /* for endian with glibc 2.20 */
-#include <assert.h>
-#include <stdint.h>
-#include <string.h>
-#include <openssl/crypto.h>
-
-#include "portable_endian.h"
-#include "keccak_internal.h"
-#include "shake.h"
-
-#define FLAG_ABSORBING 'A'
-#define FLAG_SQUEEZING 'Z'
-
-/** Constants. **/
-static const uint8_t pi[24] = {
- 10, 7, 11, 17, 18, 3, 5, 16, 8, 21, 24, 4,
- 15, 23, 19, 13, 12, 2, 20, 14, 22, 9, 6, 1
-};
-
-#define RC_B(x,n) ((((x##ull)>>n)&1)<<((1<<n)-1))
-#define RC_X(x) (RC_B(x,0)|RC_B(x,1)|RC_B(x,2)|RC_B(x,3)|RC_B(x,4)|RC_B(x,5)|RC_B(x,6))
-static const uint64_t RC[24] = {
- RC_X(0x01), RC_X(0x1a), RC_X(0x5e), RC_X(0x70), RC_X(0x1f), RC_X(0x21),
- RC_X(0x79), RC_X(0x55), RC_X(0x0e), RC_X(0x0c), RC_X(0x35), RC_X(0x26),
- RC_X(0x3f), RC_X(0x4f), RC_X(0x5d), RC_X(0x53), RC_X(0x52), RC_X(0x48),
- RC_X(0x16), RC_X(0x66), RC_X(0x79), RC_X(0x58), RC_X(0x21), RC_X(0x74)
-};
-
-static inline uint64_t rol(uint64_t x, int s) {
- return (x << s) | (x >> (64 - s));
-}
-
-/* Helper macros to unroll the permutation. */
-#define REPEAT5(e) e e e e e
-#define FOR51(v, e) v = 0; REPEAT5(e; v += 1;)
-#ifndef SHAKE_NO_UNROLL_LOOPS
-# define FOR55(v, e) v = 0; REPEAT5(e; v += 5;)
-# define REPEAT24(e) e e e e e e e e e e e e e e e e e e e e e e e e
-#else
-# define FOR55(v, e) for (v=0; v<25; v+= 5) { e; }
-# define REPEAT24(e) {int _j=0; for (_j=0; _j<24; _j++) { e }}
-#endif
-
-/*** The Keccak-f[1600] permutation ***/
-void keccakf(kdomain_t state, uint8_t start_round) {
- uint64_t* a = state->w;
- uint64_t b[5] = {0}, t, u;
- uint8_t x, y, i;
-
- for (i=0; i<25; i++) a[i] = le64toh(a[i]);
-
- for (i = start_round; i < 24; i++) {
- FOR51(x, b[x] = 0; )
- FOR55(y, FOR51(x, b[x] ^= a[x + y]; ))
- FOR55(y, FOR51(x,
- a[y + x] ^= b[(x + 4) % 5] ^ rol(b[(x + 1) % 5], 1);
- ))
- // Rho and pi
- t = a[1];
- x = y = 0;
- REPEAT24(u = a[pi[x]]; y += x+1; a[pi[x]] = rol(t, y % 64); t = u; x++; )
- // Chi
- FOR55(y,
- FOR51(x, b[x] = a[y + x];)
- FOR51(x, a[y + x] = b[x] ^ ((~b[(x + 1) % 5]) & b[(x + 2) % 5]);)
- )
- // Iota
- a[0] ^= RC[i];
- }
-
- for (i=0; i<25; i++) a[i] = htole64(a[i]);
-}
-
-decaf_error_t decaf_sha3_update (
- struct decaf_keccak_sponge_s * __restrict__ decaf_sponge,
- const uint8_t *in,
- size_t len
-) {
- assert(decaf_sponge->params->position < decaf_sponge->params->rate);
- assert(decaf_sponge->params->rate < sizeof(decaf_sponge->state));
- assert(decaf_sponge->params->flags == FLAG_ABSORBING);
- while (len) {
- size_t cando = decaf_sponge->params->rate - decaf_sponge->params->position, i;
- uint8_t* state = &decaf_sponge->state->b[decaf_sponge->params->position];
- if (cando > len) {
- for (i = 0; i < len; i += 1) state[i] ^= in[i];
- decaf_sponge->params->position += len;
- break;
- } else {
- for (i = 0; i < cando; i += 1) state[i] ^= in[i];
- dokeccak(decaf_sponge);
- len -= cando;
- in += cando;
- }
- }
- return (decaf_sponge->params->flags == FLAG_ABSORBING) ? DECAF_SUCCESS : DECAF_FAILURE;
-}
-
-decaf_error_t decaf_sha3_output (
- decaf_keccak_sponge_t decaf_sponge,
- uint8_t * __restrict__ out,
- size_t len
-) {
- decaf_error_t ret = DECAF_SUCCESS;
- assert(decaf_sponge->params->position < decaf_sponge->params->rate);
- assert(decaf_sponge->params->rate < sizeof(decaf_sponge->state));
-
- if (decaf_sponge->params->max_out != 0xFF) {
- if (decaf_sponge->params->remaining >= len) {
- decaf_sponge->params->remaining -= len;
- } else {
- decaf_sponge->params->remaining = 0;
- ret = DECAF_FAILURE;
- }
- }
-
- switch (decaf_sponge->params->flags) {
- case FLAG_SQUEEZING: break;
- case FLAG_ABSORBING:
- {
- uint8_t* state = decaf_sponge->state->b;
- state[decaf_sponge->params->position] ^= decaf_sponge->params->pad;
- state[decaf_sponge->params->rate - 1] ^= decaf_sponge->params->rate_pad;
- dokeccak(decaf_sponge);
- decaf_sponge->params->flags = FLAG_SQUEEZING;
- break;
- }
- default:
- assert(0);
- }
-
- while (len) {
- size_t cando = decaf_sponge->params->rate - decaf_sponge->params->position;
- uint8_t* state = &decaf_sponge->state->b[decaf_sponge->params->position];
- if (cando > len) {
- memcpy(out, state, len);
- decaf_sponge->params->position += len;
- return ret;
- } else {
- memcpy(out, state, cando);
- dokeccak(decaf_sponge);
- len -= cando;
- out += cando;
- }
- }
- return ret;
-}
-
-decaf_error_t decaf_sha3_final (
- decaf_keccak_sponge_t decaf_sponge,
- uint8_t * __restrict__ out,
- size_t len
-) {
- decaf_error_t ret = decaf_sha3_output(decaf_sponge,out,len);
- decaf_sha3_reset(decaf_sponge);
- return ret;
-}
-
-void decaf_sha3_reset (
- decaf_keccak_sponge_t decaf_sponge
-) {
- decaf_sha3_init(decaf_sponge, decaf_sponge->params);
- decaf_sponge->params->flags = FLAG_ABSORBING;
- decaf_sponge->params->remaining = decaf_sponge->params->max_out;
-}
-
-void decaf_sha3_destroy (decaf_keccak_sponge_t decaf_sponge) {
- OPENSSL_cleanse(decaf_sponge, sizeof(decaf_keccak_sponge_t));
-}
-
-void decaf_sha3_init (
- decaf_keccak_sponge_t decaf_sponge,
- const struct decaf_kparams_s *params
-) {
- memset(decaf_sponge->state, 0, sizeof(decaf_sponge->state));
- decaf_sponge->params[0] = params[0];
- decaf_sponge->params->position = 0;
-}
-
-decaf_error_t decaf_sha3_hash (
- uint8_t *out,
- size_t outlen,
- const uint8_t *in,
- size_t inlen,
- const struct decaf_kparams_s *params
-) {
- decaf_keccak_sponge_t decaf_sponge;
- decaf_sha3_init(decaf_sponge, params);
- decaf_sha3_update(decaf_sponge, in, inlen);
- decaf_error_t ret = decaf_sha3_output(decaf_sponge, out, outlen);
- decaf_sha3_destroy(decaf_sponge);
- return ret;
-}
-
-#define DEFSHAKE(n) \
- const struct decaf_kparams_s DECAF_SHAKE##n##_params_s = \
- { 0, FLAG_ABSORBING, 200-n/4, 0, 0x1f, 0x80, 0xFF, 0xFF };
-
-#define DEFSHA3(n) \
- const struct decaf_kparams_s DECAF_SHA3_##n##_params_s = \
- { 0, FLAG_ABSORBING, 200-n/4, 0, 0x06, 0x80, n/8, n/8 };
-
-size_t decaf_sha3_default_output_bytes (
- const decaf_keccak_sponge_t s
-) {
- return (s->params->max_out == 0xFF)
- ? (200-s->params->rate)
- : ((200-s->params->rate)/2);
-}
-
-size_t decaf_sha3_max_output_bytes (
- const decaf_keccak_sponge_t s
-) {
- return (s->params->max_out == 0xFF)
- ? SIZE_MAX
- : (size_t)((200-s->params->rate)/2);
-}
-
-DEFSHAKE(128)
-DEFSHAKE(256)
-DEFSHA3(224)
-DEFSHA3(256)
-DEFSHA3(384)
-DEFSHA3(512)
-
-/* FUTURE: Keyak instances, etc */
+++ /dev/null
-/**
- * @file decaf/shake.h
- * @copyright
- * Based on CC0 code by David Leon Gil, 2015 \n
- * Copyright (c) 2015 Cryptography Research, Inc. \n
- * Released under the MIT License. See LICENSE.txt for license information.
- * @author Mike Hamburg
- * @brief SHA-3-n and DECAF_SHAKE-n instances.
- */
-
-#ifndef __DECAF_SHAKE_H__
-#define __DECAF_SHAKE_H__
-
-#include <stdint.h>
-#include <sys/types.h>
-#include <stdlib.h> /* for NULL */
-
-#include "curve448utils.h"
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-#ifndef INTERNAL_SPONGE_STRUCT
- /** Sponge container object for the various primitives. */
- typedef struct decaf_keccak_sponge_s {
- /** @cond internal */
- uint64_t opaque[26];
- /** @endcond */
- } decaf_keccak_sponge_s;
-
- /** Convenience GMP-style one-element array version */
- typedef struct decaf_keccak_sponge_s decaf_keccak_sponge_t[1];
-
- /** Parameters for sponge construction, distinguishing DECAF_SHA3 and
- * DECAF_SHAKE instances.
- */
- struct decaf_kparams_s;
-#endif
-
-/**
- * @brief Initialize a sponge context object.
- * @param [out] sponge The object to initialize.
- * @param [in] params The sponge's parameter description.
- */
-void decaf_sha3_init (
- decaf_keccak_sponge_t sponge,
- const struct decaf_kparams_s *params
-);
-
-/**
- * @brief Absorb data into a DECAF_SHA3 or DECAF_SHAKE hash context.
- * @param [inout] sponge The context.
- * @param [in] in The input data.
- * @param [in] len The input data's length in bytes.
- * @return DECAF_FAILURE if the sponge has already been used for output.
- * @return DECAF_SUCCESS otherwise.
- */
-decaf_error_t decaf_sha3_update (
- struct decaf_keccak_sponge_s * __restrict__ sponge,
- const uint8_t *in,
- size_t len
-);
-
-/**
- * @brief Squeeze output data from a DECAF_SHA3 or DECAF_SHAKE hash context.
- * This does not destroy or re-initialize the hash context, and
- * decaf_sha3 output can be called more times.
- *
- * @param [inout] sponge The context.
- * @param [out] out The output data.
- * @param [in] len The requested output data length in bytes.
- * @return DECAF_FAILURE if the sponge has exhausted its output capacity.
- * @return DECAF_SUCCESS otherwise.
- */
-decaf_error_t decaf_sha3_output (
- decaf_keccak_sponge_t sponge,
- uint8_t * __restrict__ out,
- size_t len
-);
-
-/**
- * @brief Squeeze output data from a DECAF_SHA3 or DECAF_SHAKE hash context.
- * This re-initializes the context to its starting parameters.
- *
- * @param [inout] sponge The context.
- * @param [out] out The output data.
- * @param [in] len The requested output data length in bytes.
- */
-decaf_error_t decaf_sha3_final (
- decaf_keccak_sponge_t sponge,
- uint8_t * __restrict__ out,
- size_t len
-);
-
-/**
- * @brief Reset the sponge to the empty string.
- *
- * @param [inout] sponge The context.
- */
-void decaf_sha3_reset (
- decaf_keccak_sponge_t sponge
-);
-
-/**
- * @brief Return the default output length of the sponge construction,
- * for the purpose of C++ default operators.
- *
- * Returns n/8 for DECAF_SHA3-n and 2n/8 for DECAF_SHAKE-n.
- */
-size_t decaf_sha3_default_output_bytes (
- const decaf_keccak_sponge_t sponge /**< [inout] The context. */
-);
-
-/**
- * @brief Return the default output length of the sponge construction,
- * for the purpose of C++ default operators.
- *
- * Returns n/8 for DECAF_SHA3-n and SIZE_MAX for DECAF_SHAKE-n.
- */
-size_t decaf_sha3_max_output_bytes (
- const decaf_keccak_sponge_t sponge /**< [inout] The context. */
-);
-
-/**
- * @brief Destroy a DECAF_SHA3 or DECAF_SHAKE sponge context by overwriting it with 0.
- * @param [out] sponge The context.
- */
-void decaf_sha3_destroy (
- decaf_keccak_sponge_t sponge
-);
-
-/**
- * @brief Hash (in) to (out)
- * @param [in] in The input data.
- * @param [in] inlen The length of the input data.
- * @param [out] out A buffer for the output data.
- * @param [in] outlen The length of the output data.
- * @param [in] params The parameters of the sponge hash.
- */
-decaf_error_t decaf_sha3_hash (
- uint8_t *out,
- size_t outlen,
- const uint8_t *in,
- size_t inlen,
- const struct decaf_kparams_s *params
-);
-
-/* FUTURE: expand/doxygenate individual DECAF_SHAKE/DECAF_SHA3 instances? */
-
-/** @cond internal */
-#define DECAF_DEC_SHAKE(n) \
- extern const struct decaf_kparams_s DECAF_SHAKE##n##_params_s; \
- typedef struct decaf_shake##n##_ctx_s { decaf_keccak_sponge_t s; } decaf_shake##n##_ctx_t[1]; \
- static inline void decaf_shake##n##_init(decaf_shake##n##_ctx_t sponge) { \
- decaf_sha3_init(sponge->s, &DECAF_SHAKE##n##_params_s); \
- } \
- static inline void decaf_shake##n##_gen_init(decaf_keccak_sponge_t sponge) { \
- decaf_sha3_init(sponge, &DECAF_SHAKE##n##_params_s); \
- } \
- static inline decaf_error_t decaf_shake##n##_update(decaf_shake##n##_ctx_t sponge, const uint8_t *in, size_t inlen ) { \
- return decaf_sha3_update(sponge->s, in, inlen); \
- } \
- static inline void decaf_shake##n##_final(decaf_shake##n##_ctx_t sponge, uint8_t *out, size_t outlen ) { \
- decaf_sha3_output(sponge->s, out, outlen); \
- decaf_sha3_init(sponge->s, &DECAF_SHAKE##n##_params_s); \
- } \
- static inline void decaf_shake##n##_output(decaf_shake##n##_ctx_t sponge, uint8_t *out, size_t outlen ) { \
- decaf_sha3_output(sponge->s, out, outlen); \
- } \
- static inline void decaf_shake##n##_hash(uint8_t *out, size_t outlen, const uint8_t *in, size_t inlen) { \
- decaf_sha3_hash(out,outlen,in,inlen,&DECAF_SHAKE##n##_params_s); \
- } \
- static inline void decaf_shake##n##_destroy( decaf_shake##n##_ctx_t sponge ) { \
- decaf_sha3_destroy(sponge->s); \
- }
-
-#define DECAF_DEC_SHA3(n) \
- extern const struct decaf_kparams_s DECAF_SHA3_##n##_params_s; \
- typedef struct decaf_sha3_##n##_ctx_s { decaf_keccak_sponge_t s; } decaf_sha3_##n##_ctx_t[1]; \
- static inline void decaf_sha3_##n##_init(decaf_sha3_##n##_ctx_t sponge) { \
- decaf_sha3_init(sponge->s, &DECAF_SHA3_##n##_params_s); \
- } \
- static inline void decaf_sha3_##n##_gen_init(decaf_keccak_sponge_t sponge) { \
- decaf_sha3_init(sponge, &DECAF_SHA3_##n##_params_s); \
- } \
- static inline decaf_error_t decaf_sha3_##n##_update(decaf_sha3_##n##_ctx_t sponge, const uint8_t *in, size_t inlen ) { \
- return decaf_sha3_update(sponge->s, in, inlen); \
- } \
- static inline decaf_error_t decaf_sha3_##n##_final(decaf_sha3_##n##_ctx_t sponge, uint8_t *out, size_t outlen ) { \
- decaf_error_t ret = decaf_sha3_output(sponge->s, out, outlen); \
- decaf_sha3_init(sponge->s, &DECAF_SHA3_##n##_params_s); \
- return ret; \
- } \
- static inline decaf_error_t decaf_sha3_##n##_output(decaf_sha3_##n##_ctx_t sponge, uint8_t *out, size_t outlen ) { \
- return decaf_sha3_output(sponge->s, out, outlen); \
- } \
- static inline decaf_error_t decaf_sha3_##n##_hash(uint8_t *out, size_t outlen, const uint8_t *in, size_t inlen) { \
- return decaf_sha3_hash(out,outlen,in,inlen,&DECAF_SHA3_##n##_params_s); \
- } \
- static inline void decaf_sha3_##n##_destroy(decaf_sha3_##n##_ctx_t sponge) { \
- decaf_sha3_destroy(sponge->s); \
- }
-/** @endcond */
-
-DECAF_DEC_SHAKE(128)
-DECAF_DEC_SHAKE(256)
-DECAF_DEC_SHA3(224)
-DECAF_DEC_SHA3(256)
-DECAF_DEC_SHA3(384)
-DECAF_DEC_SHA3(512)
-#undef DECAF_DEC_SHAKE
-#undef DECAF_DEC_SHA3
-
-#ifdef __cplusplus
-} /* extern "C" */
-#endif
-
-#endif /* __DECAF_SHAKE_H__ */
projects / oweals / openssl.git / commitdiff