From 2799d385406077f6726cd91c9edb18be12d37dc3 Mon Sep 17 00:00:00 2001
From: Matt Caswell
Date: Tue, 28 Nov 2017 12:23:33 +0000
Subject: [PATCH] Remove the old shake256 implementation

We have fully converted curve448 to use the OpenSSL shake256 implementation so we can now remove the old one.

Reviewed-by: Bernd Edlinger
(Merged from https://github.com/openssl/openssl/pull/5105)
---
 crypto/ec/curve448/ed448.h | 16 --
 crypto/ec/curve448/eddsa.c | 14 --
 crypto/ec/curve448/keccak_internal.h | 38 -----
 crypto/ec/curve448/shake.c | 241 ---------------------------
 crypto/ec/curve448/shake.h | 219 ------------------------
 5 files changed, 528 deletions(-)
 delete mode 100644 crypto/ec/curve448/keccak_internal.h
 delete mode 100644 crypto/ec/curve448/shake.c
 delete mode 100644 crypto/ec/curve448/shake.h

diff --git a/crypto/ec/curve448/ed448.h b/crypto/ec/curve448/ed448.h
index 915908270b..73ad77ff27 100644
--- a/crypto/ec/curve448/ed448.h
+++ b/crypto/ec/curve448/ed448.h
@@ -16,7 +16,6 @@
 #define __DECAF_ED448_H__ 1
 #include "point_448.h"
-#include "shake.h"
 #ifdef __cplusplus
 extern "C" {
@@ -34,12 +33,6 @@ extern "C" {
 /** Does EdDSA support non-contextual signatures? */
 #define DECAF_EDDSA_448_SUPPORTS_CONTEXTLESS_SIGS 0
-/** Prehash context renaming macros. */
-#define decaf_ed448_prehash_ctx_s decaf_shake256_ctx_s
-#define decaf_ed448_prehash_ctx_t decaf_shake256_ctx_t
-#define decaf_ed448_prehash_update decaf_shake256_update
-#define decaf_ed448_prehash_destroy decaf_shake256_destroy
-
 /** EdDSA encoding ratio. */
 #define DECAF_448_EDDSA_ENCODE_RATIO 4
@@ -109,15 +102,6 @@ decaf_error_t decaf_ed448_sign_prehash (
 const uint8_t *context,
 size_t context_len
 ) __attribute__((nonnull(1,2,3,4)));
-
-/**
- * @brief Prehash initialization, with contexts if supported.
- *
- * @param [out] hash The hash object to be initialized.
- */
-void decaf_ed448_prehash_init (
- decaf_ed448_prehash_ctx_t hash
-) __attribute__((nonnull(1)));
 /**
 * @brief EdDSA signature verification.
diff --git a/crypto/ec/curve448/eddsa.c b/crypto/ec/curve448/eddsa.c
index b220a6fa2d..241bffd7c7 100644
--- a/crypto/ec/curve448/eddsa.c
+++ b/crypto/ec/curve448/eddsa.c
@@ -18,19 +18,11 @@
 #include "curve448_lcl.h"
 #include "word.h"
 #include "ed448.h"
-#include "shake.h"
 #include
 #include "internal/numbers.h"
 #define API_NAME "decaf_448"
-#define hash_ctx_t decaf_shake256_ctx_t
-#define hash_init decaf_shake256_init
-#define hash_update decaf_shake256_update
-#define hash_final decaf_shake256_final
-#define hash_destroy decaf_shake256_destroy
-#define hash_hash decaf_shake256_hash
-
 #define NO_CONTEXT DECAF_EDDSA_448_SUPPORTS_CONTEXTLESS_SIGS
 #define EDDSA_USE_SIGMA_ISOGENY 0
 #define COFACTOR 4
@@ -117,12 +109,6 @@ static decaf_error_t hash_init_with_dom(
 return DECAF_SUCCESS;
 }
-void decaf_ed448_prehash_init (
- hash_ctx_t hash
-) {
- hash_init(hash);
-}
-
 /* In this file because it uses the hash */
 decaf_error_t decaf_ed448_convert_private_key_to_x448 (
 uint8_t x[DECAF_X448_PRIVATE_BYTES],
diff --git a/crypto/ec/curve448/keccak_internal.h b/crypto/ec/curve448/keccak_internal.h
deleted file mode 100644
index 15d1be4507..0000000000
--- a/crypto/ec/curve448/keccak_internal.h
+++ /dev/null
@@ -1,38 +0,0 @@
-/**
- * @cond internal
- * @file keccak_internal.h
- * @copyright
- * Copyright (c) 2016 Cryptography Research, Inc. \n
- * Released under the MIT License. See LICENSE.txt for license information.
- * @author Mike Hamburg
- * @brief Keccak internal interfaces. Will be used by STROBE once reintegrated.
- */
-#ifndef __DECAF_KECCAK_INTERNAL_H__
-#define __DECAF_KECCAK_INTERNAL_H__ 1
-
-#include
-
-/* The internal, non-opaque definition of the decaf_sponge struct. */
-typedef union {
- uint64_t w[25]; uint8_t b[25*8];
-} kdomain_t[1];
-
-typedef struct decaf_kparams_s {
- uint8_t position, flags, rate, start_round, pad, rate_pad, max_out, remaining;
-} decaf_kparams_s, decaf_kparams_t[1];
-
-typedef struct decaf_keccak_sponge_s {
- kdomain_t state;
- decaf_kparams_t params;
-} decaf_keccak_sponge_s, decaf_keccak_sponge_t[1];
-
-#define INTERNAL_SPONGE_STRUCT 1
-
-void __attribute__((noinline)) keccakf(kdomain_t state, uint8_t start_round);
-
-static inline void dokeccak (decaf_keccak_sponge_t decaf_sponge) {
- keccakf(decaf_sponge->state, decaf_sponge->params->start_round);
- decaf_sponge->params->position = 0;
-}
-
-#endif /* __DECAF_KECCAK_INTERNAL_H__ */
diff --git a/crypto/ec/curve448/shake.c b/crypto/ec/curve448/shake.c
deleted file mode 100644
index fc119f2e8e..0000000000
--- a/crypto/ec/curve448/shake.c
+++ /dev/null
@@ -1,241 +0,0 @@ -/** - * @cond internal - * @file shake.c - * @copyright - * Uses public domain code by Mathias Panzenböck \n - * Uses CC0 code by David Leon Gil, 2015 \n - * Copyright (c) 2015 Cryptography Research, Inc. \n - * Released under the MIT License. See LICENSE.txt for license information. - * @author Mike Hamburg - * @brief SHA-3-n and SHAKE-n instances. - * @warning EXPERIMENTAL! The names, parameter orders etc are likely to change. - */ - -#define __STDC_WANT_LIB_EXT1__ 1 /* for memset_s */ -#define _BSD_SOURCE 1 /* for endian */ -#define _DEFAULT_SOURCE 1 /* for endian with glibc 2.20 */ -#include -#include -#include -#include - -#include "portable_endian.h" -#include "keccak_internal.h" -#include "shake.h" - -#define FLAG_ABSORBING 'A' -#define FLAG_SQUEEZING 'Z' - -/** Constants. **/ -static const uint8_t pi[24] = { - 10, 7, 11, 17, 18, 3, 5, 16, 8, 21, 24, 4, - 15, 23, 19, 13, 12, 2, 20, 14, 22, 9, 6, 1 -}; - -#define RC_B(x,n) ((((x##ull)>>n)&1)<<((1<> (64 - s)); -} - -/* Helper macros to unroll the permutation. 
*/
-#define REPEAT5(e) e e e e e
-#define FOR51(v, e) v = 0; REPEAT5(e; v += 1;)
-#ifndef SHAKE_NO_UNROLL_LOOPS
-# define FOR55(v, e) v = 0; REPEAT5(e; v += 5;)
-# define REPEAT24(e) e e e e e e e e e e e e e e e e e e e e e e e e
-#else
-# define FOR55(v, e) for (v=0; v<25; v+= 5) { e; }
-# define REPEAT24(e) {int _j=0; for (_j=0; _j<24; _j++) { e }}
-#endif
-
-/*** The Keccak-f[1600] permutation ***/
-void keccakf(kdomain_t state, uint8_t start_round) {
- uint64_t* a = state->w;
- uint64_t b[5] = {0}, t, u;
- uint8_t x, y, i;
-
- for (i=0; i<25; i++) a[i] = le64toh(a[i]);
-
- for (i = start_round; i < 24; i++) {
- FOR51(x, b[x] = 0; )
- FOR55(y, FOR51(x, b[x] ^= a[x + y]; ))
- FOR55(y, FOR51(x,
- a[y + x] ^= b[(x + 4) % 5] ^ rol(b[(x + 1) % 5], 1);
- ))
- // Rho and pi
- t = a[1];
- x = y = 0;
- REPEAT24(u = a[pi[x]]; y += x+1; a[pi[x]] = rol(t, y % 64); t = u; x++; )
- // Chi
- FOR55(y,
- FOR51(x, b[x] = a[y + x];)
- FOR51(x, a[y + x] = b[x] ^ ((~b[(x + 1) % 5]) & b[(x + 2) % 5]);)
- )
- // Iota
- a[0] ^= RC[i];
- }
-
- for (i=0; i<25; i++) a[i] = htole64(a[i]);
-}
-
-decaf_error_t decaf_sha3_update (
- struct decaf_keccak_sponge_s * __restrict__ decaf_sponge,
- const uint8_t *in,
- size_t len
-) {
- assert(decaf_sponge->params->position < decaf_sponge->params->rate);
- assert(decaf_sponge->params->rate < sizeof(decaf_sponge->state));
- assert(decaf_sponge->params->flags == FLAG_ABSORBING);
- while (len) {
- size_t cando = decaf_sponge->params->rate - decaf_sponge->params->position, i;
- uint8_t* state = &decaf_sponge->state->b[decaf_sponge->params->position];
- if (cando > len) {
- for (i = 0; i < len; i += 1) state[i] ^= in[i];
- decaf_sponge->params->position += len;
- break;
- } else {
- for (i = 0; i < cando; i += 1) state[i] ^= in[i];
- dokeccak(decaf_sponge);
- len -= cando;
- in += cando;
- }
- }
- return (decaf_sponge->params->flags == FLAG_ABSORBING) ? DECAF_SUCCESS : DECAF_FAILURE;
-}
-
-decaf_error_t decaf_sha3_output (
- decaf_keccak_sponge_t decaf_sponge,
- uint8_t * __restrict__ out,
- size_t len
-) {
- decaf_error_t ret = DECAF_SUCCESS;
- assert(decaf_sponge->params->position < decaf_sponge->params->rate);
- assert(decaf_sponge->params->rate < sizeof(decaf_sponge->state));
-
- if (decaf_sponge->params->max_out != 0xFF) {
- if (decaf_sponge->params->remaining >= len) {
- decaf_sponge->params->remaining -= len;
- } else {
- decaf_sponge->params->remaining = 0;
- ret = DECAF_FAILURE;
- }
- }
-
- switch (decaf_sponge->params->flags) {
- case FLAG_SQUEEZING: break;
- case FLAG_ABSORBING:
- {
- uint8_t* state = decaf_sponge->state->b;
- state[decaf_sponge->params->position] ^= decaf_sponge->params->pad;
- state[decaf_sponge->params->rate - 1] ^= decaf_sponge->params->rate_pad;
- dokeccak(decaf_sponge);
- decaf_sponge->params->flags = FLAG_SQUEEZING;
- break;
- }
- default:
- assert(0);
- }
-
- while (len) {
- size_t cando = decaf_sponge->params->rate - decaf_sponge->params->position;
- uint8_t* state = &decaf_sponge->state->b[decaf_sponge->params->position];
- if (cando > len) {
- memcpy(out, state, len);
- decaf_sponge->params->position += len;
- return ret;
- } else {
- memcpy(out, state, cando);
- dokeccak(decaf_sponge);
- len -= cando;
- out += cando;
- }
- }
- return ret;
-}
-
-decaf_error_t decaf_sha3_final (
- decaf_keccak_sponge_t decaf_sponge,
- uint8_t * __restrict__ out,
- size_t len
-) {
- decaf_error_t ret = decaf_sha3_output(decaf_sponge,out,len);
- decaf_sha3_reset(decaf_sponge);
- return ret;
-}
-
-void decaf_sha3_reset (
- decaf_keccak_sponge_t decaf_sponge
-) {
- decaf_sha3_init(decaf_sponge, decaf_sponge->params);
- decaf_sponge->params->flags = FLAG_ABSORBING;
- decaf_sponge->params->remaining = decaf_sponge->params->max_out;
-}
-
-void decaf_sha3_destroy (decaf_keccak_sponge_t decaf_sponge) {
- OPENSSL_cleanse(decaf_sponge, sizeof(decaf_keccak_sponge_t));
-}
-
-void decaf_sha3_init (
- decaf_keccak_sponge_t decaf_sponge,
- const struct decaf_kparams_s *params
-) {
- memset(decaf_sponge->state, 0, sizeof(decaf_sponge->state));
- decaf_sponge->params[0] = params[0];
- decaf_sponge->params->position = 0;
-}
-
-decaf_error_t decaf_sha3_hash (
- uint8_t *out,
- size_t outlen,
- const uint8_t *in,
- size_t inlen,
- const struct decaf_kparams_s *params
-) {
- decaf_keccak_sponge_t decaf_sponge;
- decaf_sha3_init(decaf_sponge, params);
- decaf_sha3_update(decaf_sponge, in, inlen);
- decaf_error_t ret = decaf_sha3_output(decaf_sponge, out, outlen);
- decaf_sha3_destroy(decaf_sponge);
- return ret;
-}
-
-#define DEFSHAKE(n) \
- const struct decaf_kparams_s DECAF_SHAKE##n##_params_s = \
- { 0, FLAG_ABSORBING, 200-n/4, 0, 0x1f, 0x80, 0xFF, 0xFF };
-
-#define DEFSHA3(n) \
- const struct decaf_kparams_s DECAF_SHA3_##n##_params_s = \
- { 0, FLAG_ABSORBING, 200-n/4, 0, 0x06, 0x80, n/8, n/8 };
-
-size_t decaf_sha3_default_output_bytes (
- const decaf_keccak_sponge_t s
-) {
- return (s->params->max_out == 0xFF)
- ? (200-s->params->rate)
- : ((200-s->params->rate)/2);
-}
-
-size_t decaf_sha3_max_output_bytes (
- const decaf_keccak_sponge_t s
-) {
- return (s->params->max_out == 0xFF)
- ? SIZE_MAX
- : (size_t)((200-s->params->rate)/2);
-}
-
-DEFSHAKE(128)
-DEFSHAKE(256)
-DEFSHA3(224)
-DEFSHA3(256)
-DEFSHA3(384)
-DEFSHA3(512)
-
-/* FUTURE: Keyak instances, etc */
diff --git a/crypto/ec/curve448/shake.h b/crypto/ec/curve448/shake.h
deleted file mode 100644
index 51b44345e1..0000000000
--- a/crypto/ec/curve448/shake.h
+++ /dev/null
@@ -1,219 +0,0 @@
-/**
- * @file decaf/shake.h
- * @copyright
- * Based on CC0 code by David Leon Gil, 2015 \n
- * Copyright (c) 2015 Cryptography Research, Inc. \n
- * Released under the MIT License. See LICENSE.txt for license information.
- * @author Mike Hamburg
- * @brief SHA-3-n and DECAF_SHAKE-n instances.
- */
-
-#ifndef __DECAF_SHAKE_H__
-#define __DECAF_SHAKE_H__
-
-#include
-#include
-#include /* for NULL */
-
-#include "curve448utils.h"
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-#ifndef INTERNAL_SPONGE_STRUCT
- /** Sponge container object for the various primitives. */
- typedef struct decaf_keccak_sponge_s {
- /** @cond internal */
- uint64_t opaque[26];
- /** @endcond */
- } decaf_keccak_sponge_s;
-
- /** Convenience GMP-style one-element array version */
- typedef struct decaf_keccak_sponge_s decaf_keccak_sponge_t[1];
-
- /** Parameters for sponge construction, distinguishing DECAF_SHA3 and
- * DECAF_SHAKE instances.
- */
- struct decaf_kparams_s;
-#endif
-
-/**
- * @brief Initialize a sponge context object.
- * @param [out] sponge The object to initialize.
- * @param [in] params The sponge's parameter description.
- */
-void decaf_sha3_init (
- decaf_keccak_sponge_t sponge,
- const struct decaf_kparams_s *params
-);
-
-/**
- * @brief Absorb data into a DECAF_SHA3 or DECAF_SHAKE hash context.
- * @param [inout] sponge The context.
- * @param [in] in The input data.
- * @param [in] len The input data's length in bytes.
- * @return DECAF_FAILURE if the sponge has already been used for output.
- * @return DECAF_SUCCESS otherwise.
- */
-decaf_error_t decaf_sha3_update (
- struct decaf_keccak_sponge_s * __restrict__ sponge,
- const uint8_t *in,
- size_t len
-);
-
-/**
- * @brief Squeeze output data from a DECAF_SHA3 or DECAF_SHAKE hash context.
- * This does not destroy or re-initialize the hash context, and
- * decaf_sha3 output can be called more times.
- *
- * @param [inout] sponge The context.
- * @param [out] out The output data.
- * @param [in] len The requested output data length in bytes.
- * @return DECAF_FAILURE if the sponge has exhausted its output capacity.
- * @return DECAF_SUCCESS otherwise.
- */
-decaf_error_t decaf_sha3_output (
- decaf_keccak_sponge_t sponge,
- uint8_t * __restrict__ out,
- size_t len
-);
-
-/**
- * @brief Squeeze output data from a DECAF_SHA3 or DECAF_SHAKE hash context.
- * This re-initializes the context to its starting parameters.
- *
- * @param [inout] sponge The context.
- * @param [out] out The output data.
- * @param [in] len The requested output data length in bytes.
- */
-decaf_error_t decaf_sha3_final (
- decaf_keccak_sponge_t sponge,
- uint8_t * __restrict__ out,
- size_t len
-);
-
-/**
- * @brief Reset the sponge to the empty string.
- *
- * @param [inout] sponge The context.
- */
-void decaf_sha3_reset (
- decaf_keccak_sponge_t sponge
-);
-
-/**
- * @brief Return the default output length of the sponge construction,
- * for the purpose of C++ default operators.
- *
- * Returns n/8 for DECAF_SHA3-n and 2n/8 for DECAF_SHAKE-n.
- */
-size_t decaf_sha3_default_output_bytes (
- const decaf_keccak_sponge_t sponge /**< [inout] The context. */
-);
-
-/**
- * @brief Return the default output length of the sponge construction,
- * for the purpose of C++ default operators.
- *
- * Returns n/8 for DECAF_SHA3-n and SIZE_MAX for DECAF_SHAKE-n.
- */
-size_t decaf_sha3_max_output_bytes (
- const decaf_keccak_sponge_t sponge /**< [inout] The context. */
-);
-
-/**
- * @brief Destroy a DECAF_SHA3 or DECAF_SHAKE sponge context by overwriting it with 0.
- * @param [out] sponge The context.
- */
-void decaf_sha3_destroy (
- decaf_keccak_sponge_t sponge
-);
-
-/**
- * @brief Hash (in) to (out)
- * @param [in] in The input data.
- * @param [in] inlen The length of the input data.
- * @param [out] out A buffer for the output data.
- * @param [in] outlen The length of the output data.
- * @param [in] params The parameters of the sponge hash.
- */
-decaf_error_t decaf_sha3_hash (
- uint8_t *out,
- size_t outlen,
- const uint8_t *in,
- size_t inlen,
- const struct decaf_kparams_s *params
-);
-
-/* FUTURE: expand/doxygenate individual DECAF_SHAKE/DECAF_SHA3 instances? */
-
-/** @cond internal */
-#define DECAF_DEC_SHAKE(n) \
- extern const struct decaf_kparams_s DECAF_SHAKE##n##_params_s; \
- typedef struct decaf_shake##n##_ctx_s { decaf_keccak_sponge_t s; } decaf_shake##n##_ctx_t[1]; \
- static inline void decaf_shake##n##_init(decaf_shake##n##_ctx_t sponge) { \
- decaf_sha3_init(sponge->s, &DECAF_SHAKE##n##_params_s); \
- } \
- static inline void decaf_shake##n##_gen_init(decaf_keccak_sponge_t sponge) { \
- decaf_sha3_init(sponge, &DECAF_SHAKE##n##_params_s); \
- } \
- static inline decaf_error_t decaf_shake##n##_update(decaf_shake##n##_ctx_t sponge, const uint8_t *in, size_t inlen ) { \
- return decaf_sha3_update(sponge->s, in, inlen); \
- } \
- static inline void decaf_shake##n##_final(decaf_shake##n##_ctx_t sponge, uint8_t *out, size_t outlen ) { \
- decaf_sha3_output(sponge->s, out, outlen); \
- decaf_sha3_init(sponge->s, &DECAF_SHAKE##n##_params_s); \
- } \
- static inline void decaf_shake##n##_output(decaf_shake##n##_ctx_t sponge, uint8_t *out, size_t outlen ) { \
- decaf_sha3_output(sponge->s, out, outlen); \
- } \
- static inline void decaf_shake##n##_hash(uint8_t *out, size_t outlen, const uint8_t *in, size_t inlen) { \
- decaf_sha3_hash(out,outlen,in,inlen,&DECAF_SHAKE##n##_params_s); \
- } \
- static inline void decaf_shake##n##_destroy( decaf_shake##n##_ctx_t sponge ) { \
- decaf_sha3_destroy(sponge->s); \
- }
-
-#define DECAF_DEC_SHA3(n) \
- extern const struct decaf_kparams_s DECAF_SHA3_##n##_params_s; \
- typedef struct decaf_sha3_##n##_ctx_s { decaf_keccak_sponge_t s; } decaf_sha3_##n##_ctx_t[1]; \
- static inline void decaf_sha3_##n##_init(decaf_sha3_##n##_ctx_t sponge) { \
- decaf_sha3_init(sponge->s, &DECAF_SHA3_##n##_params_s); \
- } \
- static inline void decaf_sha3_##n##_gen_init(decaf_keccak_sponge_t sponge) { \
- decaf_sha3_init(sponge, &DECAF_SHA3_##n##_params_s); \
- } \
- static inline decaf_error_t decaf_sha3_##n##_update(decaf_sha3_##n##_ctx_t sponge, const uint8_t *in, size_t inlen ) { \
- return decaf_sha3_update(sponge->s, in, inlen); \
- } \
- static inline decaf_error_t decaf_sha3_##n##_final(decaf_sha3_##n##_ctx_t sponge, uint8_t *out, size_t outlen ) { \
- decaf_error_t ret = decaf_sha3_output(sponge->s, out, outlen); \
- decaf_sha3_init(sponge->s, &DECAF_SHA3_##n##_params_s); \
- return ret; \
- } \
- static inline decaf_error_t decaf_sha3_##n##_output(decaf_sha3_##n##_ctx_t sponge, uint8_t *out, size_t outlen ) { \
- return decaf_sha3_output(sponge->s, out, outlen); \
- } \
- static inline decaf_error_t decaf_sha3_##n##_hash(uint8_t *out, size_t outlen, const uint8_t *in, size_t inlen) { \
- return decaf_sha3_hash(out,outlen,in,inlen,&DECAF_SHA3_##n##_params_s); \
- } \
- static inline void decaf_sha3_##n##_destroy(decaf_sha3_##n##_ctx_t sponge) { \
- decaf_sha3_destroy(sponge->s); \
- }
-/** @endcond */
-
-DECAF_DEC_SHAKE(128)
-DECAF_DEC_SHAKE(256)
-DECAF_DEC_SHA3(224)
-DECAF_DEC_SHA3(256)
-DECAF_DEC_SHA3(384)
-DECAF_DEC_SHA3(512)
-#undef DECAF_DEC_SHAKE
-#undef DECAF_DEC_SHA3
-
-#ifdef __cplusplus
-} /* extern "C" */
-#endif
-
-#endif /* __DECAF_SHAKE_H__ */
--
2.25.1