diff --git a/src/crypto/sha3/fips202.c b/src/crypto/sha3/fips202.c index 8f95b21a4..18aceec62 100644 --- a/src/crypto/sha3/fips202.c +++ b/src/crypto/sha3/fips202.c @@ -21,12 +21,12 @@ * Returns the loaded 64-bit unsigned integer **************************************************/ static uint64_t load64(const uint8_t *x) { - uint64_t r = 0; - for (size_t i = 0; i < 8; ++i) { - r |= (uint64_t)x[i] << 8 * i; - } + uint64_t r = 0; + for (size_t i = 0; i < 8; ++i) { + r |= (uint64_t) x[i] << 8 * i; + } - return r; + return r; } /************************************************* @@ -38,9 +38,9 @@ static uint64_t load64(const uint8_t *x) { * - uint64_t u: input 64-bit unsigned integer **************************************************/ static void store64(uint8_t *x, uint64_t u) { - for (size_t i = 0; i < 8; ++i) { - x[i] = (uint8_t) (u >> 8 * i); - } + for (size_t i = 0; i < 8; ++i) { + x[i] = (uint8_t)(u >> 8 * i); + } } /* Keccak round constants */ @@ -56,8 +56,7 @@ static const uint64_t KeccakF_RoundConstants[NROUNDS] = { 0x8000000000008002ULL, 0x8000000000000080ULL, 0x000000000000800aULL, 0x800000008000000aULL, 0x8000000080008081ULL, 0x8000000000008080ULL, - 0x0000000080000001ULL, 0x8000000080008008ULL -}; + 0x0000000080000001ULL, 0x8000000080008008ULL}; /************************************************* * Name: KeccakF1600_StatePermute @@ -67,266 +66,266 @@ static const uint64_t KeccakF_RoundConstants[NROUNDS] = { * Arguments: - uint64_t *state: pointer to input/output Keccak state **************************************************/ static void KeccakF1600_StatePermute(uint64_t *state) { - int round; + int round; - uint64_t Aba, Abe, Abi, Abo, Abu; - uint64_t Aga, Age, Agi, Ago, Agu; - uint64_t Aka, Ake, Aki, Ako, Aku; - uint64_t Ama, Ame, Ami, Amo, Amu; - uint64_t Asa, Ase, Asi, Aso, Asu; - uint64_t BCa, BCe, BCi, BCo, BCu; - uint64_t Da, De, Di, Do, Du; - uint64_t Eba, Ebe, Ebi, Ebo, Ebu; - uint64_t Ega, Ege, Egi, Ego, Egu; - uint64_t Eka, Eke, Eki, Eko, Eku; - uint64_t Ema, Eme, Emi, Emo, Emu; - uint64_t Esa, Ese, Esi, Eso, Esu; + uint64_t Aba, Abe, Abi, Abo, Abu; + uint64_t Aga, Age, Agi, Ago, Agu; + uint64_t Aka, Ake, Aki, Ako, Aku; + uint64_t Ama, Ame, Ami, Amo, Amu; + uint64_t Asa, Ase, Asi, Aso, Asu; + uint64_t BCa, BCe, BCi, BCo, BCu; + uint64_t Da, De, Di, Do, Du; + uint64_t Eba, Ebe, Ebi, Ebo, Ebu; + uint64_t Ega, Ege, Egi, Ego, Egu; + uint64_t Eka, Eke, Eki, Eko, Eku; + uint64_t Ema, Eme, Emi, Emo, Emu; + uint64_t Esa, Ese, Esi, Eso, Esu; - // copyFromState(A, state) - Aba = state[0]; - Abe = state[1]; - Abi = state[2]; - Abo = state[3]; - Abu = state[4]; - Aga = state[5]; - Age = state[6]; - Agi = state[7]; - Ago = state[8]; - Agu = state[9]; - Aka = state[10]; - Ake = state[11]; - Aki = state[12]; - Ako = state[13]; - Aku = state[14]; - Ama = state[15]; - Ame = state[16]; - Ami = state[17]; - Amo = state[18]; - Amu = state[19]; - Asa = state[20]; - Ase = state[21]; - Asi = state[22]; - Aso = state[23]; - Asu = state[24]; + // copyFromState(A, state) + Aba = state[0]; + Abe = state[1]; + Abi = state[2]; + Abo = state[3]; + Abu = state[4]; + Aga = state[5]; + Age = state[6]; + Agi = state[7]; + Ago = state[8]; + Agu = state[9]; + Aka = state[10]; + Ake = state[11]; + Aki = state[12]; + Ako = state[13]; + Aku = state[14]; + Ama = state[15]; + Ame = state[16]; + Ami = state[17]; + Amo = state[18]; + Amu = state[19]; + Asa = state[20]; + Ase = state[21]; + Asi = state[22]; + Aso = state[23]; + Asu = state[24]; - for (round = 0; round < NROUNDS; round += 2) { - // prepareTheta - BCa = Aba ^ Aga ^ Aka ^ Ama ^ Asa; - BCe = Abe ^ Age ^ Ake ^ Ame ^ Ase; - BCi = Abi ^ Agi ^ Aki ^ Ami ^ Asi; - BCo = Abo ^ Ago ^ Ako ^ Amo ^ Aso; - BCu = Abu ^ Agu ^ Aku ^ Amu ^ Asu; + for (round = 0; round < NROUNDS; round += 2) { + // prepareTheta + BCa = Aba ^ Aga ^ Aka ^ Ama ^ Asa; + BCe = Abe ^ Age ^ Ake ^ Ame ^ Ase; + BCi = Abi ^ Agi ^ Aki ^ Ami ^ Asi; + BCo = Abo ^ Ago ^ Ako ^ Amo ^ Aso; + BCu = Abu ^ Agu ^ Aku ^ Amu ^ Asu; - // thetaRhoPiChiIotaPrepareTheta(round , A, E) - Da = BCu ^ ROL(BCe, 1); - De = BCa ^ ROL(BCi, 1); - Di = BCe ^ ROL(BCo, 1); - Do = BCi ^ ROL(BCu, 1); - Du = BCo ^ ROL(BCa, 1); + // thetaRhoPiChiIotaPrepareTheta(round , A, E) + Da = BCu ^ ROL(BCe, 1); + De = BCa ^ ROL(BCi, 1); + Di = BCe ^ ROL(BCo, 1); + Do = BCi ^ ROL(BCu, 1); + Du = BCo ^ ROL(BCa, 1); - Aba ^= Da; - BCa = Aba; - Age ^= De; - BCe = ROL(Age, 44); - Aki ^= Di; - BCi = ROL(Aki, 43); - Amo ^= Do; - BCo = ROL(Amo, 21); - Asu ^= Du; - BCu = ROL(Asu, 14); - Eba = BCa ^ ((~BCe) & BCi); - Eba ^= KeccakF_RoundConstants[round]; - Ebe = BCe ^ ((~BCi) & BCo); - Ebi = BCi ^ ((~BCo) & BCu); - Ebo = BCo ^ ((~BCu) & BCa); - Ebu = BCu ^ ((~BCa) & BCe); + Aba ^= Da; + BCa = Aba; + Age ^= De; + BCe = ROL(Age, 44); + Aki ^= Di; + BCi = ROL(Aki, 43); + Amo ^= Do; + BCo = ROL(Amo, 21); + Asu ^= Du; + BCu = ROL(Asu, 14); + Eba = BCa ^ ((~BCe) & BCi); + Eba ^= KeccakF_RoundConstants[round]; + Ebe = BCe ^ ((~BCi) & BCo); + Ebi = BCi ^ ((~BCo) & BCu); + Ebo = BCo ^ ((~BCu) & BCa); + Ebu = BCu ^ ((~BCa) & BCe); - Abo ^= Do; - BCa = ROL(Abo, 28); - Agu ^= Du; - BCe = ROL(Agu, 20); - Aka ^= Da; - BCi = ROL(Aka, 3); - Ame ^= De; - BCo = ROL(Ame, 45); - Asi ^= Di; - BCu = ROL(Asi, 61); - Ega = BCa ^ ((~BCe) & BCi); - Ege = BCe ^ ((~BCi) & BCo); - Egi = BCi ^ ((~BCo) & BCu); - Ego = BCo ^ ((~BCu) & BCa); - Egu = BCu ^ ((~BCa) & BCe); + Abo ^= Do; + BCa = ROL(Abo, 28); + Agu ^= Du; + BCe = ROL(Agu, 20); + Aka ^= Da; + BCi = ROL(Aka, 3); + Ame ^= De; + BCo = ROL(Ame, 45); + Asi ^= Di; + BCu = ROL(Asi, 61); + Ega = BCa ^ ((~BCe) & BCi); + Ege = BCe ^ ((~BCi) & BCo); + Egi = BCi ^ ((~BCo) & BCu); + Ego = BCo ^ ((~BCu) & BCa); + Egu = BCu ^ ((~BCa) & BCe); - Abe ^= De; - BCa = ROL(Abe, 1); - Agi ^= Di; - BCe = ROL(Agi, 6); - Ako ^= Do; - BCi = ROL(Ako, 25); - Amu ^= Du; - BCo = ROL(Amu, 8); - Asa ^= Da; - BCu = ROL(Asa, 18); - Eka = BCa ^ ((~BCe) & BCi); - Eke = BCe ^ ((~BCi) & BCo); - Eki = BCi ^ ((~BCo) & BCu); - Eko = BCo ^ ((~BCu) & BCa); - Eku = BCu ^ ((~BCa) & BCe); + Abe ^= De; + BCa = ROL(Abe, 1); + Agi ^= Di; + BCe = ROL(Agi, 6); + Ako ^= Do; + BCi = ROL(Ako, 25); + Amu ^= Du; + BCo = ROL(Amu, 8); + Asa ^= Da; + BCu = ROL(Asa, 18); + Eka = BCa ^ ((~BCe) & BCi); + Eke = BCe ^ ((~BCi) & BCo); + Eki = BCi ^ ((~BCo) & BCu); + Eko = BCo ^ ((~BCu) & BCa); + Eku = BCu ^ ((~BCa) & BCe); - Abu ^= Du; - BCa = ROL(Abu, 27); - Aga ^= Da; - BCe = ROL(Aga, 36); - Ake ^= De; - BCi = ROL(Ake, 10); - Ami ^= Di; - BCo = ROL(Ami, 15); - Aso ^= Do; - BCu = ROL(Aso, 56); - Ema = BCa ^ ((~BCe) & BCi); - Eme = BCe ^ ((~BCi) & BCo); - Emi = BCi ^ ((~BCo) & BCu); - Emo = BCo ^ ((~BCu) & BCa); - Emu = BCu ^ ((~BCa) & BCe); + Abu ^= Du; + BCa = ROL(Abu, 27); + Aga ^= Da; + BCe = ROL(Aga, 36); + Ake ^= De; + BCi = ROL(Ake, 10); + Ami ^= Di; + BCo = ROL(Ami, 15); + Aso ^= Do; + BCu = ROL(Aso, 56); + Ema = BCa ^ ((~BCe) & BCi); + Eme = BCe ^ ((~BCi) & BCo); + Emi = BCi ^ ((~BCo) & BCu); + Emo = BCo ^ ((~BCu) & BCa); + Emu = BCu ^ ((~BCa) & BCe); - Abi ^= Di; - BCa = ROL(Abi, 62); - Ago ^= Do; - BCe = ROL(Ago, 55); - Aku ^= Du; - BCi = ROL(Aku, 39); - Ama ^= Da; - BCo = ROL(Ama, 41); - Ase ^= De; - BCu = ROL(Ase, 2); - Esa = BCa ^ ((~BCe) & BCi); - Ese = BCe ^ ((~BCi) & BCo); - Esi = BCi ^ ((~BCo) & BCu); - Eso = BCo ^ ((~BCu) & BCa); - Esu = BCu ^ ((~BCa) & BCe); + Abi ^= Di; + BCa = ROL(Abi, 62); + Ago ^= Do; + BCe = ROL(Ago, 55); + Aku ^= Du; + BCi = ROL(Aku, 39); + Ama ^= Da; + BCo = ROL(Ama, 41); + Ase ^= De; + BCu = ROL(Ase, 2); + Esa = BCa ^ ((~BCe) & BCi); + Ese = BCe ^ ((~BCi) & BCo); + Esi = BCi ^ ((~BCo) & BCu); + Eso = BCo ^ ((~BCu) & BCa); + Esu = BCu ^ ((~BCa) & BCe); - // prepareTheta - BCa = Eba ^ Ega ^ Eka ^ Ema ^ Esa; - BCe = Ebe ^ Ege ^ Eke ^ Eme ^ Ese; - BCi = Ebi ^ Egi ^ Eki ^ Emi ^ Esi; - BCo = Ebo ^ Ego ^ Eko ^ Emo ^ Eso; - BCu = Ebu ^ Egu ^ Eku ^ Emu ^ Esu; + // prepareTheta + BCa = Eba ^ Ega ^ Eka ^ Ema ^ Esa; + BCe = Ebe ^ Ege ^ Eke ^ Eme ^ Ese; + BCi = Ebi ^ Egi ^ Eki ^ Emi ^ Esi; + BCo = Ebo ^ Ego ^ Eko ^ Emo ^ Eso; + BCu = Ebu ^ Egu ^ Eku ^ Emu ^ Esu; - // thetaRhoPiChiIotaPrepareTheta(round+1, E, A) - Da = BCu ^ ROL(BCe, 1); - De = BCa ^ ROL(BCi, 1); - Di = BCe ^ ROL(BCo, 1); - Do = BCi ^ ROL(BCu, 1); - Du = BCo ^ ROL(BCa, 1); + // thetaRhoPiChiIotaPrepareTheta(round+1, E, A) + Da = BCu ^ ROL(BCe, 1); + De = BCa ^ ROL(BCi, 1); + Di = BCe ^ ROL(BCo, 1); + Do = BCi ^ ROL(BCu, 1); + Du = BCo ^ ROL(BCa, 1); - Eba ^= Da; - BCa = Eba; - Ege ^= De; - BCe = ROL(Ege, 44); - Eki ^= Di; - BCi = ROL(Eki, 43); - Emo ^= Do; - BCo = ROL(Emo, 21); - Esu ^= Du; - BCu = ROL(Esu, 14); - Aba = BCa ^ ((~BCe) & BCi); - Aba ^= KeccakF_RoundConstants[round + 1]; - Abe = BCe ^ ((~BCi) & BCo); - Abi = BCi ^ ((~BCo) & BCu); - Abo = BCo ^ ((~BCu) & BCa); - Abu = BCu ^ ((~BCa) & BCe); + Eba ^= Da; + BCa = Eba; + Ege ^= De; + BCe = ROL(Ege, 44); + Eki ^= Di; + BCi = ROL(Eki, 43); + Emo ^= Do; + BCo = ROL(Emo, 21); + Esu ^= Du; + BCu = ROL(Esu, 14); + Aba = BCa ^ ((~BCe) & BCi); + Aba ^= KeccakF_RoundConstants[round + 1]; + Abe = BCe ^ ((~BCi) & BCo); + Abi = BCi ^ ((~BCo) & BCu); + Abo = BCo ^ ((~BCu) & BCa); + Abu = BCu ^ ((~BCa) & BCe); - Ebo ^= Do; - BCa = ROL(Ebo, 28); - Egu ^= Du; - BCe = ROL(Egu, 20); - Eka ^= Da; - BCi = ROL(Eka, 3); - Eme ^= De; - BCo = ROL(Eme, 45); - Esi ^= Di; - BCu = ROL(Esi, 61); - Aga = BCa ^ ((~BCe) & BCi); - Age = BCe ^ ((~BCi) & BCo); - Agi = BCi ^ ((~BCo) & BCu); - Ago = BCo ^ ((~BCu) & BCa); - Agu = BCu ^ ((~BCa) & BCe); + Ebo ^= Do; + BCa = ROL(Ebo, 28); + Egu ^= Du; + BCe = ROL(Egu, 20); + Eka ^= Da; + BCi = ROL(Eka, 3); + Eme ^= De; + BCo = ROL(Eme, 45); + Esi ^= Di; + BCu = ROL(Esi, 61); + Aga = BCa ^ ((~BCe) & BCi); + Age = BCe ^ ((~BCi) & BCo); + Agi = BCi ^ ((~BCo) & BCu); + Ago = BCo ^ ((~BCu) & BCa); + Agu = BCu ^ ((~BCa) & BCe); - Ebe ^= De; - BCa = ROL(Ebe, 1); - Egi ^= Di; - BCe = ROL(Egi, 6); - Eko ^= Do; - BCi = ROL(Eko, 25); - Emu ^= Du; - BCo = ROL(Emu, 8); - Esa ^= Da; - BCu = ROL(Esa, 18); - Aka = BCa ^ ((~BCe) & BCi); - Ake = BCe ^ ((~BCi) & BCo); - Aki = BCi ^ ((~BCo) & BCu); - Ako = BCo ^ ((~BCu) & BCa); - Aku = BCu ^ ((~BCa) & BCe); + Ebe ^= De; + BCa = ROL(Ebe, 1); + Egi ^= Di; + BCe = ROL(Egi, 6); + Eko ^= Do; + BCi = ROL(Eko, 25); + Emu ^= Du; + BCo = ROL(Emu, 8); + Esa ^= Da; + BCu = ROL(Esa, 18); + Aka = BCa ^ ((~BCe) & BCi); + Ake = BCe ^ ((~BCi) & BCo); + Aki = BCi ^ ((~BCo) & BCu); + Ako = BCo ^ ((~BCu) & BCa); + Aku = BCu ^ ((~BCa) & BCe); - Ebu ^= Du; - BCa = ROL(Ebu, 27); - Ega ^= Da; - BCe = ROL(Ega, 36); - Eke ^= De; - BCi = ROL(Eke, 10); - Emi ^= Di; - BCo = ROL(Emi, 15); - Eso ^= Do; - BCu = ROL(Eso, 56); - Ama = BCa ^ ((~BCe) & BCi); - Ame = BCe ^ ((~BCi) & BCo); - Ami = BCi ^ ((~BCo) & BCu); - Amo = BCo ^ ((~BCu) & BCa); - Amu = BCu ^ ((~BCa) & BCe); + Ebu ^= Du; + BCa = ROL(Ebu, 27); + Ega ^= Da; + BCe = ROL(Ega, 36); + Eke ^= De; + BCi = ROL(Eke, 10); + Emi ^= Di; + BCo = ROL(Emi, 15); + Eso ^= Do; + BCu = ROL(Eso, 56); + Ama = BCa ^ ((~BCe) & BCi); + Ame = BCe ^ ((~BCi) & BCo); + Ami = BCi ^ ((~BCo) & BCu); + Amo = BCo ^ ((~BCu) & BCa); + Amu = BCu ^ ((~BCa) & BCe); - Ebi ^= Di; - BCa = ROL(Ebi, 62); - Ego ^= Do; - BCe = ROL(Ego, 55); - Eku ^= Du; - BCi = ROL(Eku, 39); - Ema ^= Da; - BCo = ROL(Ema, 41); - Ese ^= De; - BCu = ROL(Ese, 2); - Asa = BCa ^ ((~BCe) & BCi); - Ase = BCe ^ ((~BCi) & BCo); - Asi = BCi ^ ((~BCo) & BCu); - Aso = BCo ^ ((~BCu) & BCa); - Asu = BCu ^ ((~BCa) & BCe); - } + Ebi ^= Di; + BCa = ROL(Ebi, 62); + Ego ^= Do; + BCe = ROL(Ego, 55); + Eku ^= Du; + BCi = ROL(Eku, 39); + Ema ^= Da; + BCo = ROL(Ema, 41); + Ese ^= De; + BCu = ROL(Ese, 2); + Asa = BCa ^ ((~BCe) & BCi); + Ase = BCe ^ ((~BCi) & BCo); + Asi = BCi ^ ((~BCo) & BCu); + Aso = BCo ^ ((~BCu) & BCa); + Asu = BCu ^ ((~BCa) & BCe); + } - // copyToState(state, A) - state[0] = Aba; - state[1] = Abe; - state[2] = Abi; - state[3] = Abo; - state[4] = Abu; - state[5] = Aga; - state[6] = Age; - state[7] = Agi; - state[8] = Ago; - state[9] = Agu; - state[10] = Aka; - state[11] = Ake; - state[12] = Aki; - state[13] = Ako; - state[14] = Aku; - state[15] = Ama; - state[16] = Ame; - state[17] = Ami; - state[18] = Amo; - state[19] = Amu; - state[20] = Asa; - state[21] = Ase; - state[22] = Asi; - state[23] = Aso; - state[24] = Asu; + // copyToState(state, A) + state[0] = Aba; + state[1] = Abe; + state[2] = Abi; + state[3] = Abo; + state[4] = Abu; + state[5] = Aga; + state[6] = Age; + state[7] = Agi; + state[8] = Ago; + state[9] = Agu; + state[10] = Aka; + state[11] = Ake; + state[12] = Aki; + state[13] = Ako; + state[14] = Aku; + state[15] = Ama; + state[16] = Ame; + state[17] = Ami; + state[18] = Amo; + state[19] = Amu; + state[20] = Asa; + state[21] = Ase; + state[22] = Asi; + state[23] = Aso; + state[24] = Asu; } /************************************************* @@ -344,35 +343,35 @@ static void KeccakF1600_StatePermute(uint64_t *state) { **************************************************/ static void keccak_absorb(uint64_t *s, uint32_t r, const uint8_t *m, size_t mlen, uint8_t p) { - size_t i; - uint8_t t[200]; + size_t i; + uint8_t t[200]; - /* Zero state */ - for (i = 0; i < 25; ++i) { - s[i] = 0; - } + /* Zero state */ + for (i = 0; i < 25; ++i) { + s[i] = 0; + } - while (mlen >= r) { - for (i = 0; i < r / 8; ++i) { - s[i] ^= load64(m + 8 * i); - } + while (mlen >= r) { + for (i = 0; i < r / 8; ++i) { + s[i] ^= load64(m + 8 * i); + } - KeccakF1600_StatePermute(s); - mlen -= r; - m += r; - } + KeccakF1600_StatePermute(s); + mlen -= r; + m += r; + } - for (i = 0; i < r; ++i) { - t[i] = 0; - } - for (i = 0; i < mlen; ++i) { - t[i] = m[i]; - } - t[i] = p; - t[r - 1] |= 128; - for (i = 0; i < r / 8; ++i) { - s[i] ^= load64(t + 8 * i); - } + for (i = 0; i < r; ++i) { + t[i] = 0; + } + for (i = 0; i < mlen; ++i) { + t[i] = m[i]; + } + t[i] = p; + t[r - 1] |= 128; + for (i = 0; i < r / 8; ++i) { + s[i] ^= load64(t + 8 * i); + } } /************************************************* @@ -390,14 +389,14 @@ static void keccak_absorb(uint64_t *s, uint32_t r, const uint8_t *m, **************************************************/ static void keccak_squeezeblocks(uint8_t *h, size_t nblocks, uint64_t *s, uint32_t r) { - while (nblocks > 0) { - KeccakF1600_StatePermute(s); - for (size_t i = 0; i < (r >> 3); i++) { - store64(h + 8 * i, s[i]); - } - h += r; - nblocks--; - } + while (nblocks > 0) { + KeccakF1600_StatePermute(s); + for (size_t i = 0; i < (r >> 3); i++) { + store64(h + 8 * i, s[i]); + } + h += r; + nblocks--; + } } /************************************************* @@ -411,12 +410,12 @@ static void keccak_squeezeblocks(uint8_t *h, size_t nblocks, * that have not been permuted, or not-yet-squeezed bytes. **************************************************/ static void keccak_inc_init(uint64_t *s_inc) { - size_t i; + size_t i; - for (i = 0; i < 25; ++i) { - s_inc[i] = 0; - } - s_inc[25] = 0; + for (i = 0; i < 25; ++i) { + s_inc[i] = 0; + } + s_inc[25] = 0; } /************************************************* @@ -435,26 +434,26 @@ static void keccak_inc_init(uint64_t *s_inc) { **************************************************/ static void keccak_inc_absorb(uint64_t *s_inc, uint32_t r, const uint8_t *m, size_t mlen) { - size_t i; + size_t i; - /* Recall that s_inc[25] is the non-absorbed bytes xored into the state */ - while (mlen + s_inc[25] >= r) { - for (i = 0; i < r - s_inc[25]; i++) { - /* Take the i'th byte from message + /* Recall that s_inc[25] is the non-absorbed bytes xored into the state */ + while (mlen + s_inc[25] >= r) { + for (i = 0; i < r - s_inc[25]; i++) { + /* Take the i'th byte from message xor with the s_inc[25] + i'th byte of the state; little-endian */ - s_inc[(s_inc[25] + i) >> 3] ^= (uint64_t)m[i] << (8 * ((s_inc[25] + i) & 0x07)); - } - mlen -= (size_t)(r - s_inc[25]); - m += r - s_inc[25]; - s_inc[25] = 0; + s_inc[(s_inc[25] + i) >> 3] ^= (uint64_t) m[i] << (8 * ((s_inc[25] + i) & 0x07)); + } + mlen -= (size_t)(r - s_inc[25]); + m += r - s_inc[25]; + s_inc[25] = 0; - KeccakF1600_StatePermute(s_inc); - } + KeccakF1600_StatePermute(s_inc); + } - for (i = 0; i < mlen; i++) { - s_inc[(s_inc[25] + i) >> 3] ^= (uint64_t)m[i] << (8 * ((s_inc[25] + i) & 0x07)); - } - s_inc[25] += mlen; + for (i = 0; i < mlen; i++) { + s_inc[(s_inc[25] + i) >> 3] ^= (uint64_t) m[i] << (8 * ((s_inc[25] + i) & 0x07)); + } + s_inc[25] += mlen; } /************************************************* @@ -471,11 +470,11 @@ static void keccak_inc_absorb(uint64_t *s_inc, uint32_t r, const uint8_t *m, * Keccak-derived functions **************************************************/ static void keccak_inc_finalize(uint64_t *s_inc, uint32_t r, uint8_t p) { - /* After keccak_inc_absorb, we are guaranteed that s_inc[25] < r, + /* After keccak_inc_absorb, we are guaranteed that s_inc[25] < r, so we can always use one more byte for p in the current state. */ - s_inc[s_inc[25] >> 3] ^= (uint64_t)p << (8 * (s_inc[25] & 0x07)); - s_inc[(r - 1) >> 3] ^= (uint64_t)128 << (8 * ((r - 1) & 0x07)); - s_inc[25] = 0; + s_inc[s_inc[25] >> 3] ^= (uint64_t) p << (8 * (s_inc[25] & 0x07)); + s_inc[(r - 1) >> 3] ^= (uint64_t) 128 << (8 * ((r - 1) & 0x07)); + s_inc[25] = 0; } /************************************************* @@ -493,64 +492,63 @@ static void keccak_inc_finalize(uint64_t *s_inc, uint32_t r, uint8_t p) { **************************************************/ static void keccak_inc_squeeze(uint8_t *h, size_t outlen, uint64_t *s_inc, uint32_t r) { - size_t i; + size_t i; - /* First consume any bytes we still have sitting around */ - for (i = 0; i < outlen && i < s_inc[25]; i++) { - /* There are s_inc[25] bytes left, so r - s_inc[25] is the first + /* First consume any bytes we still have sitting around */ + for (i = 0; i < outlen && i < s_inc[25]; i++) { + /* There are s_inc[25] bytes left, so r - s_inc[25] is the first available byte. We consume from there, i.e., up to r. */ - h[i] = (uint8_t)(s_inc[(r - s_inc[25] + i) >> 3] >> (8 * ((r - s_inc[25] + i) & 0x07))); - } - h += i; - outlen -= i; - s_inc[25] -= i; + h[i] = (uint8_t)(s_inc[(r - s_inc[25] + i) >> 3] >> (8 * ((r - s_inc[25] + i) & 0x07))); + } + h += i; + outlen -= i; + s_inc[25] -= i; - /* Then squeeze the remaining necessary blocks */ - while (outlen > 0) { - KeccakF1600_StatePermute(s_inc); + /* Then squeeze the remaining necessary blocks */ + while (outlen > 0) { + KeccakF1600_StatePermute(s_inc); - for (i = 0; i < outlen && i < r; i++) { - h[i] = (uint8_t)(s_inc[i >> 3] >> (8 * (i & 0x07))); - } - h += i; - outlen -= i; - s_inc[25] = r - i; - } + for (i = 0; i < outlen && i < r; i++) { + h[i] = (uint8_t)(s_inc[i >> 3] >> (8 * (i & 0x07))); + } + h += i; + outlen -= i; + s_inc[25] = r - i; + } } void shake128_inc_init(shake128incctx *state) { - keccak_inc_init(state->ctx); + keccak_inc_init(state->ctx); } void shake128_inc_absorb(shake128incctx *state, const uint8_t *input, size_t inlen) { - keccak_inc_absorb(state->ctx, SHAKE128_RATE, input, inlen); + keccak_inc_absorb(state->ctx, SHAKE128_RATE, input, inlen); } void shake128_inc_finalize(shake128incctx *state) { - keccak_inc_finalize(state->ctx, SHAKE128_RATE, 0x1F); + keccak_inc_finalize(state->ctx, SHAKE128_RATE, 0x1F); } void shake128_inc_squeeze(uint8_t *output, size_t outlen, shake128incctx *state) { - keccak_inc_squeeze(output, outlen, state->ctx, SHAKE128_RATE); + keccak_inc_squeeze(output, outlen, state->ctx, SHAKE128_RATE); } void shake256_inc_init(shake256incctx *state) { - keccak_inc_init(state->ctx); + keccak_inc_init(state->ctx); } void shake256_inc_absorb(shake256incctx *state, const uint8_t *input, size_t inlen) { - keccak_inc_absorb(state->ctx, SHAKE256_RATE, input, inlen); + keccak_inc_absorb(state->ctx, SHAKE256_RATE, input, inlen); } void shake256_inc_finalize(shake256incctx *state) { - keccak_inc_finalize(state->ctx, SHAKE256_RATE, 0x1F); + keccak_inc_finalize(state->ctx, SHAKE256_RATE, 0x1F); } void shake256_inc_squeeze(uint8_t *output, size_t outlen, shake256incctx *state) { - keccak_inc_squeeze(output, outlen, state->ctx, SHAKE256_RATE); + keccak_inc_squeeze(output, outlen, state->ctx, SHAKE256_RATE); } - /************************************************* * Name: shake128_absorb * @@ -563,7 +561,7 @@ void shake256_inc_squeeze(uint8_t *output, size_t outlen, shake256incctx *state) * - size_t inlen: length of input in bytes **************************************************/ void shake128_absorb(shake128ctx *state, const uint8_t *input, size_t inlen) { - keccak_absorb(state->ctx, SHAKE128_RATE, input, inlen, 0x1F); + keccak_absorb(state->ctx, SHAKE128_RATE, input, inlen, 0x1F); } /************************************************* @@ -579,7 +577,7 @@ void shake128_absorb(shake128ctx *state, const uint8_t *input, size_t inlen) { * - shake128ctx *state: pointer to input/output Keccak state **************************************************/ void shake128_squeezeblocks(uint8_t *output, size_t nblocks, shake128ctx *state) { - keccak_squeezeblocks(output, nblocks, state->ctx, SHAKE128_RATE); + keccak_squeezeblocks(output, nblocks, state->ctx, SHAKE128_RATE); } /************************************************* @@ -594,7 +592,7 @@ void shake128_squeezeblocks(uint8_t *output, size_t nblocks, shake128ctx *state) * - size_t inlen: length of input in bytes **************************************************/ void shake256_absorb(shake256ctx *state, const uint8_t *input, size_t inlen) { - keccak_absorb(state->ctx, SHAKE256_RATE, input, inlen, 0x1F); + keccak_absorb(state->ctx, SHAKE256_RATE, input, inlen, 0x1F); } /************************************************* @@ -610,7 +608,7 @@ void shake256_absorb(shake256ctx *state, const uint8_t *input, size_t inlen) { * - shake256ctx *state: pointer to input/output Keccak state **************************************************/ void shake256_squeezeblocks(uint8_t *output, size_t nblocks, shake256ctx *state) { - keccak_squeezeblocks(output, nblocks, state->ctx, SHAKE256_RATE); + keccak_squeezeblocks(output, nblocks, state->ctx, SHAKE256_RATE); } /************************************************* @@ -625,22 +623,22 @@ void shake256_squeezeblocks(uint8_t *output, size_t nblocks, shake256ctx *state) **************************************************/ void shake128(uint8_t *output, size_t outlen, const uint8_t *input, size_t inlen) { - size_t nblocks = outlen / SHAKE128_RATE; - uint8_t t[SHAKE128_RATE]; - shake128ctx s; + size_t nblocks = outlen / SHAKE128_RATE; + uint8_t t[SHAKE128_RATE]; + shake128ctx s; - shake128_absorb(&s, input, inlen); - shake128_squeezeblocks(output, nblocks, &s); + shake128_absorb(&s, input, inlen); + shake128_squeezeblocks(output, nblocks, &s); - output += nblocks * SHAKE128_RATE; - outlen -= nblocks * SHAKE128_RATE; + output += nblocks * SHAKE128_RATE; + outlen -= nblocks * SHAKE128_RATE; - if (outlen) { - shake128_squeezeblocks(t, 1, &s); - for (size_t i = 0; i < outlen; ++i) { - output[i] = t[i]; - } - } + if (outlen) { + shake128_squeezeblocks(t, 1, &s); + for (size_t i = 0; i < outlen; ++i) { + output[i] = t[i]; + } + } } /************************************************* @@ -655,41 +653,41 @@ void shake128(uint8_t *output, size_t outlen, **************************************************/ void shake256(uint8_t *output, size_t outlen, const uint8_t *input, size_t inlen) { - size_t nblocks = outlen / SHAKE256_RATE; - uint8_t t[SHAKE256_RATE]; - shake256ctx s; + size_t nblocks = outlen / SHAKE256_RATE; + uint8_t t[SHAKE256_RATE]; + shake256ctx s; - shake256_absorb(&s, input, inlen); - shake256_squeezeblocks(output, nblocks, &s); + shake256_absorb(&s, input, inlen); + shake256_squeezeblocks(output, nblocks, &s); - output += nblocks * SHAKE256_RATE; - outlen -= nblocks * SHAKE256_RATE; + output += nblocks * SHAKE256_RATE; + outlen -= nblocks * SHAKE256_RATE; - if (outlen) { - shake256_squeezeblocks(t, 1, &s); - for (size_t i = 0; i < outlen; ++i) { - output[i] = t[i]; - } - } + if (outlen) { + shake256_squeezeblocks(t, 1, &s); + for (size_t i = 0; i < outlen; ++i) { + output[i] = t[i]; + } + } } void sha3_256_inc_init(sha3_256incctx *state) { - keccak_inc_init(state->ctx); + keccak_inc_init(state->ctx); } void sha3_256_inc_absorb(sha3_256incctx *state, const uint8_t *input, size_t inlen) { - keccak_inc_absorb(state->ctx, SHA3_256_RATE, input, inlen); + keccak_inc_absorb(state->ctx, SHA3_256_RATE, input, inlen); } void sha3_256_inc_finalize(uint8_t *output, sha3_256incctx *state) { - uint8_t t[SHA3_256_RATE]; - keccak_inc_finalize(state->ctx, SHA3_256_RATE, 0x06); + uint8_t t[SHA3_256_RATE]; + keccak_inc_finalize(state->ctx, SHA3_256_RATE, 0x06); - keccak_squeezeblocks(t, 1, state->ctx, SHA3_256_RATE); + keccak_squeezeblocks(t, 1, state->ctx, SHA3_256_RATE); - for (size_t i = 0; i < 32; i++) { - output[i] = t[i]; - } + for (size_t i = 0; i < 32; i++) { + output[i] = t[i]; + } } /************************************************* @@ -702,37 +700,37 @@ void sha3_256_inc_finalize(uint8_t *output, sha3_256incctx *state) { * - size_t inlen: length of input in bytes **************************************************/ void sha3_256(uint8_t *output, const uint8_t *input, size_t inlen) { - uint64_t s[25]; - uint8_t t[SHA3_256_RATE]; + uint64_t s[25]; + uint8_t t[SHA3_256_RATE]; - /* Absorb input */ - keccak_absorb(s, SHA3_256_RATE, input, inlen, 0x06); + /* Absorb input */ + keccak_absorb(s, SHA3_256_RATE, input, inlen, 0x06); - /* Squeeze output */ - keccak_squeezeblocks(t, 1, s, SHA3_256_RATE); + /* Squeeze output */ + keccak_squeezeblocks(t, 1, s, SHA3_256_RATE); - for (size_t i = 0; i < 32; i++) { - output[i] = t[i]; - } + for (size_t i = 0; i < 32; i++) { + output[i] = t[i]; + } } void sha3_384_inc_init(sha3_384incctx *state) { - keccak_inc_init(state->ctx); + keccak_inc_init(state->ctx); } void sha3_384_inc_absorb(sha3_384incctx *state, const uint8_t *input, size_t inlen) { - keccak_inc_absorb(state->ctx, SHA3_384_RATE, input, inlen); + keccak_inc_absorb(state->ctx, SHA3_384_RATE, input, inlen); } void sha3_384_inc_finalize(uint8_t *output, sha3_384incctx *state) { - uint8_t t[SHA3_384_RATE]; - keccak_inc_finalize(state->ctx, SHA3_384_RATE, 0x06); + uint8_t t[SHA3_384_RATE]; + keccak_inc_finalize(state->ctx, SHA3_384_RATE, 0x06); - keccak_squeezeblocks(t, 1, state->ctx, SHA3_384_RATE); + keccak_squeezeblocks(t, 1, state->ctx, SHA3_384_RATE); - for (size_t i = 0; i < 48; i++) { - output[i] = t[i]; - } + for (size_t i = 0; i < 48; i++) { + output[i] = t[i]; + } } /************************************************* @@ -745,37 +743,37 @@ void sha3_384_inc_finalize(uint8_t *output, sha3_384incctx *state) { * - size_t inlen: length of input in bytes **************************************************/ void sha3_384(uint8_t *output, const uint8_t *input, size_t inlen) { - uint64_t s[25]; - uint8_t t[SHA3_384_RATE]; + uint64_t s[25]; + uint8_t t[SHA3_384_RATE]; - /* Absorb input */ - keccak_absorb(s, SHA3_384_RATE, input, inlen, 0x06); + /* Absorb input */ + keccak_absorb(s, SHA3_384_RATE, input, inlen, 0x06); - /* Squeeze output */ - keccak_squeezeblocks(t, 1, s, SHA3_384_RATE); + /* Squeeze output */ + keccak_squeezeblocks(t, 1, s, SHA3_384_RATE); - for (size_t i = 0; i < 48; i++) { - output[i] = t[i]; - } + for (size_t i = 0; i < 48; i++) { + output[i] = t[i]; + } } void sha3_512_inc_init(sha3_512incctx *state) { - keccak_inc_init(state->ctx); + keccak_inc_init(state->ctx); } void sha3_512_inc_absorb(sha3_512incctx *state, const uint8_t *input, size_t inlen) { - keccak_inc_absorb(state->ctx, SHA3_512_RATE, input, inlen); + keccak_inc_absorb(state->ctx, SHA3_512_RATE, input, inlen); } void sha3_512_inc_finalize(uint8_t *output, sha3_512incctx *state) { - uint8_t t[SHA3_512_RATE]; - keccak_inc_finalize(state->ctx, SHA3_512_RATE, 0x06); + uint8_t t[SHA3_512_RATE]; + keccak_inc_finalize(state->ctx, SHA3_512_RATE, 0x06); - keccak_squeezeblocks(t, 1, state->ctx, SHA3_512_RATE); + keccak_squeezeblocks(t, 1, state->ctx, SHA3_512_RATE); - for (size_t i = 0; i < 64; i++) { - output[i] = t[i]; - } + for (size_t i = 0; i < 64; i++) { + output[i] = t[i]; + } } /************************************************* @@ -788,16 +786,16 @@ void sha3_512_inc_finalize(uint8_t *output, sha3_512incctx *state) { * - size_t inlen: length of input in bytes **************************************************/ void sha3_512(uint8_t *output, const uint8_t *input, size_t inlen) { - uint64_t s[25]; - uint8_t t[SHA3_512_RATE]; + uint64_t s[25]; + uint8_t t[SHA3_512_RATE]; - /* Absorb input */ - keccak_absorb(s, SHA3_512_RATE, input, inlen, 0x06); + /* Absorb input */ + keccak_absorb(s, SHA3_512_RATE, input, inlen, 0x06); - /* Squeeze output */ - keccak_squeezeblocks(t, 1, s, SHA3_512_RATE); + /* Squeeze output */ + keccak_squeezeblocks(t, 1, s, SHA3_512_RATE); - for (size_t i = 0; i < 64; i++) { - output[i] = t[i]; - } + for (size_t i = 0; i < 64; i++) { + output[i] = t[i]; + } } diff --git a/src/crypto/sha3/sha3.h b/src/crypto/sha3/sha3.h index eb0685016..75d31af75 100644 --- a/src/crypto/sha3/sha3.h +++ b/src/crypto/sha3/sha3.h @@ -34,7 +34,7 @@ extern "C" { void OQS_SHA3_sha3_256(uint8_t *output, const uint8_t *input, size_t inplen); typedef struct { - uint64_t ctx[26]; + uint64_t ctx[26]; } OQS_SHA3_sha3_256_inc_ctx; void OQS_SHA3_sha3_256_inc_init(OQS_SHA3_sha3_256_inc_ctx *state); @@ -55,7 +55,7 @@ void OQS_SHA3_sha3_256_inc_finalize(uint8_t *output, OQS_SHA3_sha3_256_inc_ctx * void OQS_SHA3_sha3_384(uint8_t *output, const uint8_t *input, size_t inplen); typedef struct { - uint64_t ctx[26]; + uint64_t ctx[26]; } OQS_SHA3_sha3_384_inc_ctx; void OQS_SHA3_sha3_384_inc_init(OQS_SHA3_sha3_384_inc_ctx *state); @@ -76,7 +76,7 @@ void OQS_SHA3_sha3_384_inc_finalize(uint8_t *output, OQS_SHA3_sha3_384_inc_ctx * void OQS_SHA3_sha3_512(uint8_t *output, const uint8_t *input, size_t inplen); typedef struct { - uint64_t ctx[26]; + uint64_t ctx[26]; } OQS_SHA3_sha3_512_inc_ctx; void OQS_SHA3_sha3_512_inc_init(OQS_SHA3_sha3_512_inc_ctx *state); @@ -100,7 +100,7 @@ void OQS_SHA3_sha3_512_inc_finalize(uint8_t *output, OQS_SHA3_sha3_512_inc_ctx * void OQS_SHA3_shake128(uint8_t *output, size_t outlen, const uint8_t *input, size_t inplen); typedef struct { - uint64_t ctx[25]; + uint64_t ctx[25]; } OQS_SHA3_shake128_ctx; /** @@ -131,7 +131,7 @@ void OQS_SHA3_shake128_absorb(OQS_SHA3_shake128_ctx *state, const uint8_t *input void OQS_SHA3_shake128_squeezeblocks(uint8_t *output, size_t nblocks, OQS_SHA3_shake128_ctx *state); typedef struct { - uint64_t ctx[26]; + uint64_t ctx[26]; } OQS_SHA3_shake128_inc_ctx; /** @@ -178,7 +178,7 @@ void OQS_SHA3_shake128_inc_squeeze(uint8_t *output, size_t outlen, OQS_SHA3_shak void OQS_SHA3_shake256(uint8_t *output, size_t outlen, const uint8_t *input, size_t inplen); typedef struct { - uint64_t ctx[25]; + uint64_t ctx[25]; } OQS_SHA3_shake256_ctx; /** @@ -208,7 +208,7 @@ void OQS_SHA3_shake256_absorb(OQS_SHA3_shake256_ctx *state, const uint8_t *input void OQS_SHA3_shake256_squeezeblocks(uint8_t *output, size_t nblocks, OQS_SHA3_shake256_ctx *state); typedef struct { - uint64_t ctx[26]; + uint64_t ctx[26]; } OQS_SHA3_shake256_inc_ctx; /** @@ -249,7 +249,7 @@ void OQS_SHA3_cshake128_inc_absorb(OQS_SHA3_shake128_inc_ctx *state, const uint8 void OQS_SHA3_cshake128_inc_finalize(OQS_SHA3_shake128_inc_ctx *state); void OQS_SHA3_cshake128_inc_squeeze(uint8_t *output, size_t outlen, OQS_SHA3_shake128_inc_ctx *state); -void OQS_SHA3_cshake256(uint8_t *output, size_t outlen, const uint8_t *name, size_t namelen, const uint8_t* cstm, size_t cstmlen, const uint8_t *input, size_t inlen); +void OQS_SHA3_cshake256(uint8_t *output, size_t outlen, const uint8_t *name, size_t namelen, const uint8_t *cstm, size_t cstmlen, const uint8_t *input, size_t inlen); void OQS_SHA3_cshake256_inc_init(OQS_SHA3_shake256_inc_ctx *state, const uint8_t *name, size_t namelen, const uint8_t *cstm, size_t cstmlen); void OQS_SHA3_cshake256_inc_absorb(OQS_SHA3_shake256_inc_ctx *state, const uint8_t *input, size_t inlen); diff --git a/src/crypto/sha3/sha3_c.c b/src/crypto/sha3/sha3_c.c index 991e957ce..3896e2d95 100644 --- a/src/crypto/sha3/sha3_c.c +++ b/src/crypto/sha3/sha3_c.c @@ -75,7 +75,7 @@ void OQS_SHA3_cshake128_simple(uint8_t *output, size_t outlen, uint16_t cstm, co for (size_t i = 0; i < 26; ++i) { state.ctx[i] = 0; } - + /* Note: This function doesn't align exactly to cSHAKE (SP800-185 3.2), which should produce SHAKE output if S and N = zero (sort of a customized custom-SHAKE function). Padding is hard-coded as the first 32 bits, plus 16 bits of fixed S, @@ -103,7 +103,6 @@ void OQS_SHA3_cshake128_simple(uint8_t *output, size_t outlen, uint16_t cstm, co /* generate output */ OQS_SHA3_cshake128_inc_finalize(&state); OQS_SHA3_cshake128_inc_squeeze(output, outlen, &state); - } void OQS_SHA3_cshake256_simple(uint8_t *output, size_t outlen, uint16_t cstm, const uint8_t *input, size_t inplen) { @@ -141,5 +140,4 @@ void OQS_SHA3_cshake256_simple(uint8_t *output, size_t outlen, uint16_t cstm, co /* generate output */ OQS_SHA3_cshake256_inc_finalize(&state); OQS_SHA3_cshake256_inc_squeeze(output, outlen, &state); - } diff --git a/src/crypto/sha3/sp800-185.c b/src/crypto/sha3/sp800-185.c index 1dcfe608e..90b62959e 100644 --- a/src/crypto/sha3/sp800-185.c +++ b/src/crypto/sha3/sp800-185.c @@ -2,87 +2,87 @@ #include static size_t left_encode(uint8_t *encbuf, size_t value) { - size_t n, i, v; + size_t n, i, v; - for (v = value, n = 0; v && (n < sizeof(size_t)); n++, v >>= 8) { - ; /* empty */ - } - if (n == 0) { - n = 1; - } - for (i = 1; i <= n; i++) { - encbuf[i] = (uint8_t)(value >> (8 * (n-i))); - } - encbuf[0] = (uint8_t)n; - return n + 1; + for (v = value, n = 0; v && (n < sizeof(size_t)); n++, v >>= 8) { + ; /* empty */ + } + if (n == 0) { + n = 1; + } + for (i = 1; i <= n; i++) { + encbuf[i] = (uint8_t)(value >> (8 * (n - i))); + } + encbuf[0] = (uint8_t) n; + return n + 1; } void cshake128_inc_init(shake128incctx *state, const uint8_t *name, size_t namelen, const uint8_t *cstm, size_t cstmlen) { - uint8_t encbuf[sizeof(size_t)+1]; + uint8_t encbuf[sizeof(size_t) + 1]; - shake128_inc_init(state); + shake128_inc_init(state); - shake128_inc_absorb(state, encbuf, left_encode(encbuf, SHAKE128_RATE)); + shake128_inc_absorb(state, encbuf, left_encode(encbuf, SHAKE128_RATE)); - shake128_inc_absorb(state, encbuf, left_encode(encbuf, namelen * 8)); - shake128_inc_absorb(state, name, namelen); + shake128_inc_absorb(state, encbuf, left_encode(encbuf, namelen * 8)); + shake128_inc_absorb(state, name, namelen); - shake128_inc_absorb(state, encbuf, left_encode(encbuf, cstmlen * 8)); - shake128_inc_absorb(state, cstm, cstmlen); + shake128_inc_absorb(state, encbuf, left_encode(encbuf, cstmlen * 8)); + shake128_inc_absorb(state, cstm, cstmlen); - if (state->ctx[25] != 0) { - state->ctx[25] = SHAKE128_RATE - 1; - encbuf[0] = 0; - shake128_inc_absorb(state, encbuf, 1); - } + if (state->ctx[25] != 0) { + state->ctx[25] = SHAKE128_RATE - 1; + encbuf[0] = 0; + shake128_inc_absorb(state, encbuf, 1); + } } void cshake128_inc_absorb(shake128incctx *state, const uint8_t *input, size_t inlen) { - shake128_inc_absorb(state, input, inlen); + shake128_inc_absorb(state, input, inlen); } void cshake128_inc_finalize(shake128incctx *state) { - state->ctx[state->ctx[25] >> 3] ^= (uint64_t)0x04 << (8 * (state->ctx[25] & 0x07)); - state->ctx[(SHAKE128_RATE - 1) >> 3] ^= (uint64_t)128 << (8 * ((SHAKE128_RATE - 1) & 0x07)); - state->ctx[25] = 0; + state->ctx[state->ctx[25] >> 3] ^= (uint64_t) 0x04 << (8 * (state->ctx[25] & 0x07)); + state->ctx[(SHAKE128_RATE - 1) >> 3] ^= (uint64_t) 128 << (8 * ((SHAKE128_RATE - 1) & 0x07)); + state->ctx[25] = 0; } void cshake128_inc_squeeze(uint8_t *output, size_t outlen, shake128incctx *state) { - shake128_inc_squeeze(output, outlen, state); + shake128_inc_squeeze(output, outlen, state); } void cshake256_inc_init(shake256incctx *state, const uint8_t *name, size_t namelen, const uint8_t *cstm, size_t cstmlen) { - uint8_t encbuf[sizeof(size_t)+1]; + uint8_t encbuf[sizeof(size_t) + 1]; - shake256_inc_init(state); + shake256_inc_init(state); - shake256_inc_absorb(state, encbuf, left_encode(encbuf, SHAKE256_RATE)); + shake256_inc_absorb(state, encbuf, left_encode(encbuf, SHAKE256_RATE)); - shake256_inc_absorb(state, encbuf, left_encode(encbuf, namelen * 8)); - shake256_inc_absorb(state, name, namelen); + shake256_inc_absorb(state, encbuf, left_encode(encbuf, namelen * 8)); + shake256_inc_absorb(state, name, namelen); - shake256_inc_absorb(state, encbuf, left_encode(encbuf, cstmlen * 8)); - shake256_inc_absorb(state, cstm, cstmlen); + shake256_inc_absorb(state, encbuf, left_encode(encbuf, cstmlen * 8)); + shake256_inc_absorb(state, cstm, cstmlen); - if (state->ctx[25] != 0) { - state->ctx[25] = SHAKE256_RATE - 1; - encbuf[0] = 0; - shake256_inc_absorb(state, encbuf, 1); - } + if (state->ctx[25] != 0) { + state->ctx[25] = SHAKE256_RATE - 1; + encbuf[0] = 0; + shake256_inc_absorb(state, encbuf, 1); + } } void cshake256_inc_absorb(shake256incctx *state, const uint8_t *input, size_t inlen) { - shake256_inc_absorb(state, input, inlen); + shake256_inc_absorb(state, input, inlen); } void cshake256_inc_finalize(shake256incctx *state) { - state->ctx[state->ctx[25] >> 3] ^= (uint64_t)0x04 << (8 * (state->ctx[25] & 0x07)); - state->ctx[(SHAKE256_RATE - 1) >> 3] ^= (uint64_t)128 << (8 * ((SHAKE256_RATE - 1) & 0x07)); - state->ctx[25] = 0; + state->ctx[state->ctx[25] >> 3] ^= (uint64_t) 0x04 << (8 * (state->ctx[25] & 0x07)); + state->ctx[(SHAKE256_RATE - 1) >> 3] ^= (uint64_t) 128 << (8 * ((SHAKE256_RATE - 1) & 0x07)); + state->ctx[25] = 0; } void cshake256_inc_squeeze(uint8_t *output, size_t outlen, shake256incctx *state) { - shake256_inc_squeeze(output, outlen, state); + shake256_inc_squeeze(output, outlen, state); } /************************************************* @@ -103,11 +103,11 @@ void cshake128(uint8_t *output, size_t outlen, const uint8_t *name, size_t namelen, const uint8_t *cstm, size_t cstmlen, const uint8_t *input, size_t inlen) { - shake128incctx state; - cshake128_inc_init(&state, name, namelen, cstm, cstmlen); - cshake128_inc_absorb(&state, input, inlen); - cshake128_inc_finalize(&state); - cshake128_inc_squeeze(output, outlen, &state); + shake128incctx state; + cshake128_inc_init(&state, name, namelen, cstm, cstmlen); + cshake128_inc_absorb(&state, input, inlen); + cshake128_inc_finalize(&state); + cshake128_inc_squeeze(output, outlen, &state); } /************************************************* @@ -128,9 +128,9 @@ void cshake256(uint8_t *output, size_t outlen, const uint8_t *name, size_t namelen, const uint8_t *cstm, size_t cstmlen, const uint8_t *input, size_t inlen) { - shake256incctx state; - cshake256_inc_init(&state, name, namelen, cstm, cstmlen); - cshake256_inc_absorb(&state, input, inlen); - cshake256_inc_finalize(&state); - cshake256_inc_squeeze(output, outlen, &state); + shake256incctx state; + cshake256_inc_init(&state, name, namelen, cstm, cstmlen); + cshake256_inc_absorb(&state, input, inlen); + cshake256_inc_finalize(&state); + cshake256_inc_squeeze(output, outlen, &state); }