sharpetronics/liboqs
1
0
Fork 0
mirror of https://github.com/open-quantum-safe/liboqs.git synced 2025-11-22 00:09:23 -05:00
Code Issues Projects Releases Wiki Activity

Sync with PQClean and update hashing API (#616)

Browse Source 
* Sync with PQClean commit 6de728361e33ad3a5a6997e0896ff9fe8e44a999

* Revise SHA-2 API to match PQClean

* Revise SHA-3 API to match PQClean

* Fix compiler warning

* Fix typo

[skip ci]

* Fix typo

[skip ci]
This commit is contained in:
Douglas Stebila 2020-02-16 15:47:49 -05:00 committed by GitHub
parent c868c6ceef
commit a6f426044b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
93 changed files with 1501 additions and 297 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
docs/algorithms/kem_kyber.md
View File

@ -29,7 +29,7 @@ Implementation
--------------
- **Source of implementation:** https://github.com/PQClean/PQClean
- **Implementation version:** https://github.com/PQClean/PQClean/commit/7729c76b3e41c1bbecafdf9c05efdcfe5e9b2f52
- **Implementation version:** https://github.com/PQClean/PQClean/commit/6de728361e33ad3a5a6997e0896ff9fe8e44a999
- **License:** Public domain
- **Language:** C
- **Constant-time:** Yes

2
docs/algorithms/kem_ledacrypt.md
View File

@ -25,7 +25,7 @@ Implementation
--------------
- **Source of implementation:** https://github.com/PQClean/PQClean/ based on https://github.com/LEDAcrypt/LEDAcrypt
- **Implementation version:** https://github.com/PQClean/PQClean/commit/dcad0bd878eb32d60e3296628c5267ecc401064c
- **Implementation version:** https://github.com/PQClean/PQClean/commit/6de728361e33ad3a5a6997e0896ff9fe8e44a999
- **License:** Public domain
- **Language:** C
- **Constant-time:** No

2
docs/algorithms/kem_newhope.md
View File

@ -23,7 +23,7 @@ Implementation
--------------
- **Source of implementation:** https://github.com/PQClean/PQClean
- **Implementation version:** https://github.com/PQClean/PQClean/commit/7729c76b3e41c1bbecafdf9c05efdcfe5e9b2f52
- **Implementation version:** https://github.com/PQClean/PQClean/commit/6de728361e33ad3a5a6997e0896ff9fe8e44a999
- **License:** Public domain
- **Language:** C
- **Constant-time:** Yes

2
docs/algorithms/kem_ntru.md
View File

@ -24,7 +24,7 @@ Implementation
--------------
- **Source of implementation:** NIST Round 2 submission, via https://github.com/PQClean/PQClean
- **Implementation version:** https://github.com/PQClean/PQClean/commit/7729c76b3e41c1bbecafdf9c05efdcfe5e9b2f52
- **Implementation version:** https://github.com/PQClean/PQClean/commit/6de728361e33ad3a5a6997e0896ff9fe8e44a999
- **License:** Public domain
- **Language:** C
- **Architectures supported in liboqs master branch**: x86, x64

2
docs/algorithms/kem_saber.md
View File

@ -25,7 +25,7 @@ Implementation
--------------
- **Source of implementation:** https://github.com/PQClean/PQClean/ based on https://github.com/KULeuven-COSIC/SABER/commit/14ede83f1ff3bcc41f0464543542366c68b55871
- **Implementation version:** https://github.com/PQClean/PQClean/commit/7729c76b3e41c1bbecafdf9c05efdcfe5e9b2f52
- **Implementation version:** https://github.com/PQClean/PQClean/commit/6de728361e33ad3a5a6997e0896ff9fe8e44a999
- **License:** Public domain
- **Language:** C
- **Constant-time:** Yes

4
docs/algorithms/kem_threebears.md
View File

@ -27,8 +27,8 @@ Parameter sets
Implementation
--------------
- **Source of implementation:** https://github.com/PQClean/PQClean/commit/dcad0bd878eb32d60e3296628c5267ecc401064c
- **Implementation version:** https://sourceforge.net/p/threebears/code/ci/f4ce0ebfc84a5e01a75bfc8297b6d175e993cfa4/
- **Source of implementation:** https://sourceforge.net/p/threebears/code/ci/f4ce0ebfc84a5e01a75bfc8297b6d175e993cfa4/
- **Implementation version:** https://github.com/PQClean/PQClean/commit/6de728361e33ad3a5a6997e0896ff9fe8e44a999
- **License:** MIT License
- **Language:** C
- **Constant-time:** Yes

2
docs/algorithms/sig_dilithium.md
View File

@ -26,7 +26,7 @@ Implementation
--------------
- **Source of implementation:** https://github.com/PQClean/PQClean
- **Implementation version:** https://github.com/PQClean/PQClean/commit/7729c76b3e41c1bbecafdf9c05efdcfe5e9b2f52
- **Implementation version:** https://github.com/PQClean/PQClean/commit/6de728361e33ad3a5a6997e0896ff9fe8e44a999
- **License:** public domain
- **Language:** C
- **Constant-time:** Yes

2
docs/algorithms/sig_mqdss.md
View File

@ -24,7 +24,7 @@ Implementation
--------------
- **Source of implementation:** https://github.com/PQClean/PQClean, originally from https://github.com/joostrijneveld/MQDSS/commit/0c64d4d67a37051c1299a3049a5bb8984ca27ecc
- **Implementation version:** https://github.com/PQClean/PQClean/commit/7729c76b3e41c1bbecafdf9c05efdcfe5e9b2f52
- **Implementation version:** https://github.com/PQClean/PQClean/commit/6de728361e33ad3a5a6997e0896ff9fe8e44a999
- **License:** CC0 1.0 Universal
- **Language:** C
- **Constant-time:** Yes

2
docs/algorithms/sig_sphincs.md
View File

@ -58,7 +58,7 @@ Implementation
--------------
- **Source of implementation:** https://github.com/PQClean/PQClean
- **Implementation version:** https://github.com/PQClean/PQClean/commit/7729c76b3e41c1bbecafdf9c05efdcfe5e9b2f52
- **Implementation version:** https://github.com/PQClean/PQClean/commit/6de728361e33ad3a5a6997e0896ff9fe8e44a999
- **License:** CC0 1.0 Universal
- **Language:** C
- **Constant-time:** Yes

23
src/common/pqclean_shims/fips202.h
View File

@ -8,32 +8,55 @@
#define shake128ctx OQS_SHA3_shake128_ctx
#define shake128_absorb OQS_SHA3_shake128_absorb
#define shake128_squeezeblocks OQS_SHA3_shake128_squeezeblocks
#define shake128_ctx_release OQS_SHA3_shake128_ctx_release
#define shake128_ctx_clone OQS_SHA3_shake128_ctx_clone
#define SHAKE256_RATE OQS_SHA3_SHAKE256_RATE
#define shake256 OQS_SHA3_shake256
#define shake256ctx OQS_SHA3_shake256_ctx
#define shake256_absorb OQS_SHA3_shake256_absorb
#define shake256_squeezeblocks OQS_SHA3_shake256_squeezeblocks
#define shake256_ctx_release OQS_SHA3_shake256_ctx_release
#define shake256_ctx_clone OQS_SHA3_shake256_ctx_clone
#define SHA3_256_RATE OQS_SHA3_SHA3_256_RATE
#define sha3_256 OQS_SHA3_sha3_256
#define sha3_256_inc_init OQS_SHA3_sha3_256_inc_init
#define sha3_256_inc_absorb OQS_SHA3_sha3_256_inc_absorb
#define sha3_256_inc_finalize OQS_SHA3_sha3_256_inc_finalize
#define sha3_256_inc_ctx_clone OQS_SHA3_sha3_256_inc_ctx_clone
#define sha3_256_inc_ctx_release OQS_SHA3_sha3_256_inc_ctx_release
#define SHA3_384_RATE OQS_SHA3_SHA3_384_RATE
#define sha3_384 OQS_SHA3_sha3_384
#define sha3_384_inc_init OQS_SHA3_sha3_384_inc_init
#define sha3_384_inc_absorb OQS_SHA3_sha3_384_inc_absorb
#define sha3_384_inc_finalize OQS_SHA3_sha3_384_inc_finalize
#define sha3_384_inc_ctx_clone OQS_SHA3_sha3_384_inc_ctx_clone
#define sha3_384_inc_ctx_release OQS_SHA3_sha3_384_inc_ctx_release
#define SHA3_512_RATE OQS_SHA3_SHA3_512_RATE
#define sha3_512 OQS_SHA3_sha3_512
#define sha3_512_inc_init OQS_SHA3_sha3_512_inc_init
#define sha3_512_inc_absorb OQS_SHA3_sha3_512_inc_absorb
#define sha3_512_inc_finalize OQS_SHA3_sha3_512_inc_finalize
#define sha3_512_inc_ctx_clone OQS_SHA3_sha3_512_inc_ctx_clone
#define sha3_512_inc_ctx_release OQS_SHA3_sha3_512_inc_ctx_release
#define shake128incctx OQS_SHA3_shake128_inc_ctx
#define shake128_inc_init OQS_SHA3_shake128_inc_init
#define shake128_inc_absorb OQS_SHA3_shake128_inc_absorb
#define shake128_inc_finalize OQS_SHA3_shake128_inc_finalize
#define shake128_inc_squeeze OQS_SHA3_shake128_inc_squeeze
#define shake128_inc_ctx_release OQS_SHA3_shake128_inc_ctx_release
#define shake128_inc_ctx_clone OQS_SHA3_shake128_inc_ctx_clone
#define shake256incctx OQS_SHA3_shake256_inc_ctx
#define shake256_inc_init OQS_SHA3_shake256_inc_init
#define shake256_inc_absorb OQS_SHA3_shake256_inc_absorb
#define shake256_inc_finalize OQS_SHA3_shake256_inc_finalize
#define shake256_inc_squeeze OQS_SHA3_shake256_inc_squeeze
#define shake256_inc_ctx_release OQS_SHA3_shake256_inc_ctx_release
#define shake256_inc_ctx_clone OQS_SHA3_shake256_inc_ctx_clone
#endif

25
src/common/pqclean_shims/sha2.h
View File

@ -7,12 +7,25 @@
#define sha384 OQS_SHA2_sha384
#define sha512 OQS_SHA2_sha512
typedef void *sha256ctx;
#define sha256ctx OQS_SHA2_sha256_ctx
#define sha256_inc_init OQS_SHA2_sha256_inc_init
#define sha256_inc_blocks(state, in, inblocks) OQS_SHA2_sha256_inc_blocks(*(state), in, inblocks)
#define sha256_inc_finalize(out, state, in, inlen) OQS_SHA2_sha256_inc_finalize(out, *(state), in, inlen)
#define sha256_inc_destroy(state) OQS_SHA2_sha256_inc_destroy(*(state))
#define sha256_inc_clone_state(stateout, statein) OQS_SHA2_sha256_inc_clone_state(stateout, *(statein))
#define sha256_inc_ctx_clone OQS_SHA2_sha256_inc_ctx_clone
#define sha256_inc_ctx_release OQS_SHA2_sha256_inc_ctx_release
#define sha256_inc_blocks OQS_SHA2_sha256_inc_blocks
#define sha256_inc_finalize OQS_SHA2_sha256_inc_finalize
#define sha384ctx OQS_SHA2_sha384_ctx
#define sha384_inc_init OQS_SHA2_sha384_inc_init
#define sha384_inc_ctx_clone OQS_SHA2_sha384_inc_ctx_clone
#define sha384_inc_ctx_release OQS_SHA2_sha384_inc_ctx_release
#define sha384_inc_blocks OQS_SHA2_sha384_inc_blocks
#define sha384_inc_finalize OQS_SHA2_sha384_inc_finalize
#define sha512ctx OQS_SHA2_sha512_ctx
#define sha512_inc_init OQS_SHA2_sha512_inc_init
#define sha512_inc_ctx_clone OQS_SHA2_sha512_inc_ctx_clone
#define sha512_inc_ctx_release OQS_SHA2_sha512_inc_ctx_release
#define sha512_inc_blocks OQS_SHA2_sha512_inc_blocks
#define sha512_inc_finalize OQS_SHA2_sha512_inc_finalize
#endif

4
src/common/pqclean_shims/sp800-185.h
View File

@ -10,12 +10,16 @@
#define cshake128_inc_absorb OQS_SHA3_cshake128_inc_absorb
#define cshake128_inc_finalize OQS_SHA3_cshake128_inc_finalize
#define cshake128_inc_squeeze OQS_SHA3_cshake128_inc_squeeze
#define cshake128_inc_ctx_release OQS_SHA3_cshake128_inc_ctx_release
#define cshake128_inc_ctx_clone OQS_SHA3_cshake128_inc_ctx_clone
#define cshake128 OQS_SHA3_cshake128
#define cshake256_inc_init OQS_SHA3_cshake256_inc_init
#define cshake256_inc_absorb OQS_SHA3_cshake256_inc_absorb
#define cshake256_inc_finalize OQS_SHA3_cshake256_inc_finalize
#define cshake256_inc_squeeze OQS_SHA3_cshake256_inc_squeeze
#define cshake256_inc_ctx_release OQS_SHA3_cshake256_inc_ctx_release
#define cshake256_inc_ctx_clone OQS_SHA3_cshake256_inc_ctx_clone
#define cshake256 OQS_SHA3_cshake256
#endif

6
src/crypto/aes/aes_ossl.c
View File

@ -92,7 +92,7 @@ void OQS_AES256_load_schedule(const uint8_t *key, void **schedule, int for_encry
void OQS_AES256_free_schedule(void *schedule) {
// actually same code as AES 128
return OQS_AES128_free_schedule(schedule);
OQS_AES128_free_schedule(schedule);
}
void OQS_AES256_ECB_enc(const uint8_t *plaintext, const size_t plaintext_len, const uint8_t *key, uint8_t *ciphertext) {
@ -111,12 +111,12 @@ void OQS_AES256_ECB_dec(const uint8_t *ciphertext, const size_t ciphertext_len,
void OQS_AES256_ECB_enc_sch(const uint8_t *plaintext, const size_t plaintext_len, const void *schedule, uint8_t *ciphertext) {
// actually same code as AES 128
return OQS_AES128_ECB_enc_sch(plaintext, plaintext_len, schedule, ciphertext);
OQS_AES128_ECB_enc_sch(plaintext, plaintext_len, schedule, ciphertext);
}
void OQS_AES256_ECB_dec_sch(const uint8_t *ciphertext, const size_t ciphertext_len, const void *schedule, uint8_t *plaintext) {
// actually same code as AES 128
return OQS_AES128_ECB_dec_sch(ciphertext, ciphertext_len, schedule, plaintext);
OQS_AES128_ECB_dec_sch(ciphertext, ciphertext_len, schedule, plaintext);
}
void OQS_AES256_CTR_sch(const uint8_t *iv, size_t iv_len, const void *schedule, uint8_t *out, size_t out_len) {

198
src/crypto/sha2/sha2.h
View File

@ -31,58 +31,44 @@ extern "C" {
*/
void OQS_SHA2_sha256(uint8_t *output, const uint8_t *input, size_t inplen);
/**
* \brief Process a message with SHA-384 and return the hash code in the output byte array.
*
* \warning The output array must be at least 48 bytes in length.
*
* \param output The output byte array
* \param input The message input byte array
* \param inplen The number of message bytes to process
*/
void OQS_SHA2_sha384(uint8_t *output, const uint8_t *input, size_t inplen);
/**
* \brief Process a message with SHA-512 and return the hash code in the output byte array.
*
* \warning The output array must be at least 64 bytes in length.
*
* \param output The output byte array
* \param input The message input byte array
* \param inplen The number of message bytes to process
*/
void OQS_SHA2_sha512(uint8_t *output, const uint8_t *input, size_t inplen);
/** Data structure for the state of the SHA-256 incremental hashing API. */
typedef struct {
/** Internal state */
void *ctx;
} OQS_SHA2_sha256_ctx;
/**
* \brief Allocate and initialize the state for the SHA-256 incremental hashing API.
*
* \warning The state must be released by the OQS_SHA2_sha256_inc_finalize function.
* \warning The state must be released by OQS_SHA2_sha256_inc_finalize
* or OQS_SHA2_sha256_inc_ctx_release.
*
* \param state Pointer to the state
*/
void OQS_SHA2_sha256_inc_init(void **state);
void OQS_SHA2_sha256_inc_init(OQS_SHA2_sha256_ctx *state);
/**
* \brief Duplicate state for the SHA-256 incremental hashing API.
*
* \warning The new stateout must be released by the OQS_SHA2_sha256_inc_destroy
* function or the OQS_SHA2_sha256_inc_finalize function..
* \warning dest must be allocated by the caller. Caller is responsible
* for releasing dest by calling either OQS_SHA3_sha3_256_inc_finalize or
* OQS_SHA3_sha3_256_inc_ctx_release.
*
* \param stateout Pointer to the duplicated state
* \param statein The state to duplicate
* \param dest The function state to copy into; must be initialized
* \param src The function state to copy; must be initialized
*/
void OQS_SHA2_sha256_inc_clone_state(void **stateout, const void *statein);
void OQS_SHA2_sha256_inc_ctx_clone(OQS_SHA2_sha256_ctx *dest, const OQS_SHA2_sha256_ctx *src);
/**
* \brief Process blocks with SHA-256 and update the state.
*
* \warning The state must be initialized by OQS_SHA2_sha256_inc_init or OQS_SHA2_sha256_inc_clone_state.
* \warning The state must be initialized by OQS_SHA2_sha256_inc_init or OQS_SHA2_sha256_inc_ctx_clone.
*
* \param state The state to update
* \param in Message input byte array
* \param inblocks The number of blocks of message bytes to process
*/
void OQS_SHA2_sha256_inc_blocks(void *state, const uint8_t *in, size_t inblocks);
void OQS_SHA2_sha256_inc_blocks(OQS_SHA2_sha256_ctx *state, const uint8_t *in, size_t inblocks);
/**
* \brief Process more message bytes with SHA-256 and return the hash code in the output byte array.
@ -96,7 +82,7 @@ void OQS_SHA2_sha256_inc_blocks(void *state, const uint8_t *in, size_t inblocks)
* \param in Additional message input byte array
* \param inlen The number of additional message bytes to process
*/
void OQS_SHA2_sha256_inc_finalize(uint8_t *out, void *state, const uint8_t *in, size_t inlen);
void OQS_SHA2_sha256_inc_finalize(uint8_t *out, OQS_SHA2_sha256_ctx *state, const uint8_t *in, size_t inlen);
/**
* \brief Destroy state.
@ -106,7 +92,155 @@ void OQS_SHA2_sha256_inc_finalize(uint8_t *out, void *state, const uint8_t *in,
*
* \param state The state
*/
void OQS_SHA2_sha256_inc_destroy(void *state);
void OQS_SHA2_sha256_inc_ctx_release(OQS_SHA2_sha256_ctx *state);
/**
* \brief Process a message with SHA-384 and return the hash code in the output byte array.
*
* \warning The output array must be at least 48 bytes in length.
*
* \param output The output byte array
* \param input The message input byte array
* \param inplen The number of message bytes to process
*/
void OQS_SHA2_sha384(uint8_t *output, const uint8_t *input, size_t inplen);
/** Data structure for the state of the SHA-384 incremental hashing API. */
typedef struct {
/** Internal state. */
void *ctx;
} OQS_SHA2_sha384_ctx;
/**
* \brief Allocate and initialize the state for the SHA-384 incremental hashing API.
*
* \warning The state must be released by OQS_SHA2_sha384_inc_finalize
* or OQS_SHA2_sha384_inc_ctx_release.
*
* \param state Pointer to the state
*/
void OQS_SHA2_sha384_inc_init(OQS_SHA2_sha384_ctx *state);
/**
* \brief Duplicate state for the SHA-384 incremental hashing API.
*
* \warning dest must be allocated by the caller. Caller is responsible
* for releasing dest by calling either OQS_SHA3_sha3_384_inc_finalize or
* OQS_SHA3_sha3_384_inc_ctx_release.
*
* \param dest The function state to copy into; must be initialized
* \param src The function state to copy; must be initialized
*/
void OQS_SHA2_sha384_inc_ctx_clone(OQS_SHA2_sha384_ctx *dest, const OQS_SHA2_sha384_ctx *src);
/**
* \brief Process blocks with SHA-384 and update the state.
*
* \warning The state must be initialized by OQS_SHA2_sha384_inc_init or OQS_SHA2_sha384_inc_ctx_clone.
*
* \param state The state to update
* \param in Message input byte array
* \param inblocks The number of blocks of message bytes to process
*/
void OQS_SHA2_sha384_inc_blocks(OQS_SHA2_sha384_ctx *state, const uint8_t *in, size_t inblocks);
/**
* \brief Process more message bytes with SHA-384 and return the hash code in the output byte array.
*
* \warning The output array must be at least 48 bytes in length. The state is
* deallocated by this function and can not be used again after calling
* this function without calling OQS_SHA2_sha384_inc_init again.
*
* \param out The output byte array
* \param state The state
* \param in Additional message input byte array
* \param inlen The number of additional message bytes to process
*/
void OQS_SHA2_sha384_inc_finalize(uint8_t *out, OQS_SHA2_sha384_ctx *state, const uint8_t *in, size_t inlen);
/**
* \brief Destroy state.
*
* \warning The state is deallocated by this function and can not be used again after calling
* this function without calling OQS_SHA2_sha384_inc_init again.
*
* \param state The state
*/
void OQS_SHA2_sha384_inc_ctx_release(OQS_SHA2_sha384_ctx *state);
/**
* \brief Process a message with SHA-512 and return the hash code in the output byte array.
*
* \warning The output array must be at least 64 bytes in length.
*
* \param output The output byte array
* \param input The message input byte array
* \param inplen The number of message bytes to process
*/
void OQS_SHA2_sha512(uint8_t *output, const uint8_t *input, size_t inplen);
/** Data structure for the state of the SHA-512 incremental hashing API. */
typedef struct {
/** Internal state. */
void *ctx;
} OQS_SHA2_sha512_ctx;
/**
* \brief Allocate and initialize the state for the SHA-512 incremental hashing API.
*
* \warning The state must be released by OQS_SHA2_sha512_inc_finalize
* or OQS_SHA2_sha512_inc_ctx_release.
*
* \param state Pointer to the state
*/
void OQS_SHA2_sha512_inc_init(OQS_SHA2_sha512_ctx *state);
/**
* \brief Duplicate state for the SHA-512 incremental hashing API.
*
* \warning dest must be allocated by the caller. Caller is responsible
* for releasing dest by calling either OQS_SHA3_sha3_512_inc_finalize or
* OQS_SHA3_sha3_512_inc_ctx_release.
*
* \param dest The function state to copy into; must be initialized
* \param src The function state to copy; must be initialized
*/
void OQS_SHA2_sha512_inc_ctx_clone(OQS_SHA2_sha512_ctx *dest, const OQS_SHA2_sha512_ctx *src);
/**
* \brief Process blocks with SHA-512 and update the state.
*
* \warning The state must be initialized by OQS_SHA2_sha512_inc_init or OQS_SHA2_sha512_inc_ctx_clone.
*
* \param state The state to update
* \param in Message input byte array
* \param inblocks The number of blocks of message bytes to process
*/
void OQS_SHA2_sha512_inc_blocks(OQS_SHA2_sha512_ctx *state, const uint8_t *in, size_t inblocks);
/**
* \brief Process more message bytes with SHA-512 and return the hash code in the output byte array.
*
* \warning The output array must be at least 64 bytes in length. The state is
* deallocated by this function and can not be used again after calling
* this function without calling OQS_SHA2_sha512_inc_init again.
*
* \param out The output byte array
* \param state The state
* \param in Additional message input byte array
* \param inlen The number of additional message bytes to process
*/
void OQS_SHA2_sha512_inc_finalize(uint8_t *out, OQS_SHA2_sha512_ctx *state, const uint8_t *in, size_t inlen);
/**
* \brief Destroy state.
*
* \warning The state is deallocated by this function and can not be used again after calling
* this function without calling OQS_SHA2_sha512_inc_init again.
*
* \param state The state
*/
void OQS_SHA2_sha512_inc_ctx_release(OQS_SHA2_sha512_ctx *state);
#if defined(__cplusplus)
} // extern "C"

368
src/crypto/sha2/sha2_c.c
View File

@ -2,12 +2,56 @@
#include "sha2.h"
#define PQC_SHA256CTX_BYTES 40
#define PQC_SHA512CTX_BYTES 72
typedef struct {
uint8_t *ctx;
} sha224ctx;
#define sha224_inc_init oqs_sha2_sha224_inc_init
#define sha224_inc_ctx_clone oqs_sha2_sha224_inc_ctx_clone
#define sha224_inc_ctx_release oqs_sha2_sha224_inc_ctx_release
#define sha224_inc_blocks oqs_sha2_sha224_inc_blocks
#define sha224_inc_finalize oqs_sha2_sha224_inc_finalize
#define sha224 oqs_sha2_sha224
typedef struct {
uint8_t *ctx;
} sha256ctx;
#define sha256_inc_init oqs_sha2_sha256_inc_init
#define sha256_inc_ctx_clone oqs_sha2_sha256_inc_ctx_clone
#define sha256_inc_ctx_release oqs_sha2_sha256_inc_ctx_release
#define sha256_inc_blocks oqs_sha2_sha256_inc_blocks
#define sha256_inc_finalize oqs_sha2_sha256_inc_finalize
#define sha256 OQS_SHA2_sha256
typedef struct {
uint8_t *ctx;
} sha384ctx;
#define sha384_inc_init oqs_sha2_sha384_inc_init
#define sha384_inc_ctx_clone oqs_sha2_sha384_inc_ctx_clone
#define sha384_inc_ctx_release oqs_sha2_sha384_inc_ctx_release
#define sha384_inc_blocks oqs_sha2_sha384_inc_blocks
#define sha384_inc_finalize oqs_sha2_sha384_inc_finalize
#define sha384 OQS_SHA2_sha384
typedef struct {
uint8_t *ctx;
} sha512ctx;
#define sha512_inc_init oqs_sha2_sha512_inc_init
#define sha512_inc_ctx_clone oqs_sha2_sha512_inc_ctx_clone
#define sha512_inc_ctx_release oqs_sha2_sha512_inc_ctx_release
#define sha512_inc_blocks oqs_sha2_sha512_inc_blocks
#define sha512_inc_finalize oqs_sha2_sha512_inc_finalize
#define sha512 OQS_SHA2_sha512
/* Based on the public domain implementation in
* crypto_hash/sha512/ref/ from http://bench.cr.yp.to/supercop.html
* by D. J. Bernstein */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
static uint32_t load_bigendian_32(const uint8_t *x) {
@ -57,10 +101,10 @@ static void store_bigendian_64(uint8_t *x, uint64_t u) {
#define Ch(x, y, z) (((x) & (y)) ^ (~(x) & (z)))
#define Maj(x, y, z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
#define Sigma0_32(x) (ROTR_32(x, 2) ^ ROTR_32(x, 13) ^ ROTR_32(x, 22))
#define Sigma1_32(x) (ROTR_32(x, 6) ^ ROTR_32(x, 11) ^ ROTR_32(x, 25))
#define sigma0_32(x) (ROTR_32(x, 7) ^ ROTR_32(x, 18) ^ SHR(x, 3))
#define sigma1_32(x) (ROTR_32(x, 17) ^ ROTR_32(x, 19) ^ SHR(x, 10))
#define Sigma0_32(x) (ROTR_32(x, 2) ^ ROTR_32(x,13) ^ ROTR_32(x,22))
#define Sigma1_32(x) (ROTR_32(x, 6) ^ ROTR_32(x,11) ^ ROTR_32(x,25))
#define sigma0_32(x) (ROTR_32(x, 7) ^ ROTR_32(x,18) ^ SHR(x, 3))
#define sigma1_32(x) (ROTR_32(x,17) ^ ROTR_32(x,19) ^ SHR(x,10))
#define Sigma0_64(x) (ROTR_64(x, 28) ^ ROTR_64(x, 34) ^ ROTR_64(x, 39))
#define Sigma1_64(x) (ROTR_64(x, 14) ^ ROTR_64(x, 18) ^ ROTR_64(x, 41))
@ -162,16 +206,16 @@ static size_t crypto_hashblocks_sha256(uint8_t *statebytes,
state[7] = h;
while (inlen >= 64) {
uint32_t w0 = load_bigendian_32(in + 0);
uint32_t w1 = load_bigendian_32(in + 4);
uint32_t w2 = load_bigendian_32(in + 8);
uint32_t w3 = load_bigendian_32(in + 12);
uint32_t w4 = load_bigendian_32(in + 16);
uint32_t w5 = load_bigendian_32(in + 20);
uint32_t w6 = load_bigendian_32(in + 24);
uint32_t w7 = load_bigendian_32(in + 28);
uint32_t w8 = load_bigendian_32(in + 32);
uint32_t w9 = load_bigendian_32(in + 36);
uint32_t w0 = load_bigendian_32(in + 0);
uint32_t w1 = load_bigendian_32(in + 4);
uint32_t w2 = load_bigendian_32(in + 8);
uint32_t w3 = load_bigendian_32(in + 12);
uint32_t w4 = load_bigendian_32(in + 16);
uint32_t w5 = load_bigendian_32(in + 20);
uint32_t w6 = load_bigendian_32(in + 24);
uint32_t w7 = load_bigendian_32(in + 28);
uint32_t w8 = load_bigendian_32(in + 32);
uint32_t w9 = load_bigendian_32(in + 36);
uint32_t w10 = load_bigendian_32(in + 40);
uint32_t w11 = load_bigendian_32(in + 44);
uint32_t w12 = load_bigendian_32(in + 48);
@ -463,6 +507,13 @@ static size_t crypto_hashblocks_sha512(uint8_t *statebytes,
return inlen;
}
static const uint8_t iv_224[32] = {
0xc1, 0x05, 0x9e, 0xd8, 0x36, 0x7c, 0xd5, 0x07,
0x30, 0x70, 0xdd, 0x17, 0xf7, 0x0e, 0x59, 0x39,
0xff, 0xc0, 0x0b, 0x31, 0x68, 0x58, 0x15, 0x11,
0x64, 0xf9, 0x8f, 0xa7, 0xbe, 0xfa, 0x4f, 0xa4
};
static const uint8_t iv_256[32] = {
0x6a, 0x09, 0xe6, 0x67, 0xbb, 0x67, 0xae, 0x85,
0x3c, 0x6e, 0xf3, 0x72, 0xa5, 0x4f, 0xf5, 0x3a,
@ -488,21 +539,24 @@ static const uint8_t iv_512[64] = {
0x6b, 0x5b, 0xe0, 0xcd, 0x19, 0x13, 0x7e, 0x21, 0x79
};
typedef struct {
uint8_t ctx[40];
} sha256ctx;
void sha224_inc_init(sha224ctx *state) {
state->ctx = malloc(PQC_SHA256CTX_BYTES);
if (state->ctx == NULL) {
exit(111);
}
for (size_t i = 0; i < 32; ++i) {
state->ctx[i] = iv_224[i];
}
for (size_t i = 32; i < 40; ++i) {
state->ctx[i] = 0;
}
}
typedef struct {
uint8_t ctx[72];
} sha384ctx;
typedef struct {
uint8_t ctx[72];
} sha512ctx;
void OQS_SHA2_sha256_inc_init(void **_state) {
*_state = malloc(sizeof(sha256ctx));
sha256ctx *state = (sha256ctx *) (*_state);
void sha256_inc_init(sha256ctx *state) {
state->ctx = malloc(PQC_SHA256CTX_BYTES);
if (state->ctx == NULL) {
exit(111);
}
for (size_t i = 0; i < 32; ++i) {
state->ctx[i] = iv_256[i];
}
@ -511,7 +565,11 @@ void OQS_SHA2_sha256_inc_init(void **_state) {
}
}
static void sha384_inc_init(sha384ctx *state) {
void sha384_inc_init(sha384ctx *state) {
state->ctx = malloc(PQC_SHA512CTX_BYTES);
if (state->ctx == NULL) {
exit(111);
}
for (size_t i = 0; i < 64; ++i) {
state->ctx[i] = iv_384[i];
}
@ -520,7 +578,11 @@ static void sha384_inc_init(sha384ctx *state) {
}
}
static void sha512_inc_init(sha512ctx *state) {
void sha512_inc_init(sha512ctx *state) {
state->ctx = malloc(PQC_SHA512CTX_BYTES);
if (state->ctx == NULL) {
exit(111);
}
for (size_t i = 0; i < 64; ++i) {
state->ctx[i] = iv_512[i];
}
@ -529,15 +591,59 @@ static void sha512_inc_init(sha512ctx *state) {
}
}
void OQS_SHA2_sha256_inc_clone_state(void **_stateout, const void *_statein) {
*_stateout = malloc(sizeof(sha256ctx));
sha256ctx *stateout = (sha256ctx *) (*_stateout);
sha256ctx *statein = (sha256ctx *) _statein;
memcpy(stateout->ctx, statein->ctx, 40);
void sha224_inc_ctx_clone(sha224ctx *stateout, const sha224ctx *statein) {
stateout->ctx = malloc(PQC_SHA256CTX_BYTES);
if (stateout->ctx == NULL) {
exit(111);
}
memcpy(stateout->ctx, statein->ctx, PQC_SHA256CTX_BYTES);
}
void OQS_SHA2_sha256_inc_blocks(void *_state, const uint8_t *in, size_t inblocks) {
sha256ctx *state = (sha256ctx *) _state;
void sha256_inc_ctx_clone(sha256ctx *stateout, const sha256ctx *statein) {
stateout->ctx = malloc(PQC_SHA256CTX_BYTES);
if (stateout->ctx == NULL) {
exit(111);
}
memcpy(stateout->ctx, statein->ctx, PQC_SHA256CTX_BYTES);
}
void sha384_inc_ctx_clone(sha384ctx *stateout, const sha384ctx *statein) {
stateout->ctx = malloc(PQC_SHA512CTX_BYTES);
if (stateout->ctx == NULL) {
exit(111);
}
memcpy(stateout->ctx, statein->ctx, PQC_SHA512CTX_BYTES);
}
void sha512_inc_ctx_clone(sha512ctx *stateout, const sha512ctx *statein) {
stateout->ctx = malloc(PQC_SHA512CTX_BYTES);
if (stateout->ctx == NULL) {
exit(111);
}
memcpy(stateout->ctx, statein->ctx, PQC_SHA512CTX_BYTES);
}
/* Destroy the hash state. */
void sha224_inc_ctx_release(sha224ctx *state) {
free(state->ctx); // IGNORE free-check
}
/* Destroy the hash state. */
void sha256_inc_ctx_release(sha256ctx *state) {
free(state->ctx); // IGNORE free-check
}
/* Destroy the hash state. */
void sha384_inc_ctx_release(sha384ctx *state) {
free(state->ctx); // IGNORE free-check
}
/* Destroy the hash state. */
void sha512_inc_ctx_release(sha512ctx *state) {
free(state->ctx); // IGNORE free-check
}
void sha256_inc_blocks(sha256ctx *state, const uint8_t *in, size_t inblocks) {
uint64_t bytes = load_bigendian_64(state->ctx + 32);
crypto_hashblocks_sha256(state->ctx, in, 64 * inblocks);
@ -546,8 +652,24 @@ void OQS_SHA2_sha256_inc_blocks(void *_state, const uint8_t *in, size_t inblocks
store_bigendian_64(state->ctx + 32, bytes);
}
void OQS_SHA2_sha256_inc_finalize(uint8_t *out, void *_state, const uint8_t *in, size_t inlen) {
sha256ctx *state = (sha256ctx *) _state;
void sha224_inc_blocks(sha224ctx *state, const uint8_t *in, size_t inblocks) {
sha256_inc_blocks((sha256ctx *) state, in, inblocks);
}
void sha512_inc_blocks(sha512ctx *state, const uint8_t *in, size_t inblocks) {
uint64_t bytes = load_bigendian_64(state->ctx + 64);
crypto_hashblocks_sha512(state->ctx, in, 128 * inblocks);
bytes += 128 * inblocks;
store_bigendian_64(state->ctx + 64, bytes);
}
void sha384_inc_blocks(sha384ctx *state, const uint8_t *in, size_t inblocks) {
sha512_inc_blocks((sha512ctx *) state, in, inblocks);
}
void sha256_inc_finalize(uint8_t *out, sha256ctx *state, const uint8_t *in, size_t inlen) {
uint8_t padded[128];
uint64_t bytes = load_bigendian_64(state->ctx + 32) + inlen;
@ -565,41 +687,46 @@ void OQS_SHA2_sha256_inc_finalize(uint8_t *out, void *_state, const uint8_t *in,
for (size_t i = inlen + 1; i < 56; ++i) {
padded[i] = 0;
}
padded[56] = (uint8_t)(bytes >> 53);
padded[57] = (uint8_t)(bytes >> 45);
padded[58] = (uint8_t)(bytes >> 37);
padded[59] = (uint8_t)(bytes >> 29);
padded[60] = (uint8_t)(bytes >> 21);
padded[61] = (uint8_t)(bytes >> 13);
padded[62] = (uint8_t)(bytes >> 5);
padded[63] = (uint8_t)(bytes << 3);
padded[56] = (uint8_t) (bytes >> 53);
padded[57] = (uint8_t) (bytes >> 45);
padded[58] = (uint8_t) (bytes >> 37);
padded[59] = (uint8_t) (bytes >> 29);
padded[60] = (uint8_t) (bytes >> 21);
padded[61] = (uint8_t) (bytes >> 13);
padded[62] = (uint8_t) (bytes >> 5);
padded[63] = (uint8_t) (bytes << 3);
crypto_hashblocks_sha256(state->ctx, padded, 64);
} else {
for (size_t i = inlen + 1; i < 120; ++i) {
padded[i] = 0;
}
padded[120] = (uint8_t)(bytes >> 53);
padded[121] = (uint8_t)(bytes >> 45);
padded[122] = (uint8_t)(bytes >> 37);
padded[123] = (uint8_t)(bytes >> 29);
padded[124] = (uint8_t)(bytes >> 21);
padded[125] = (uint8_t)(bytes >> 13);
padded[126] = (uint8_t)(bytes >> 5);
padded[127] = (uint8_t)(bytes << 3);
padded[120] = (uint8_t) (bytes >> 53);
padded[121] = (uint8_t) (bytes >> 45);
padded[122] = (uint8_t) (bytes >> 37);
padded[123] = (uint8_t) (bytes >> 29);
padded[124] = (uint8_t) (bytes >> 21);
padded[125] = (uint8_t) (bytes >> 13);
padded[126] = (uint8_t) (bytes >> 5);
padded[127] = (uint8_t) (bytes << 3);
crypto_hashblocks_sha256(state->ctx, padded, 128);
}
for (size_t i = 0; i < 32; ++i) {
out[i] = state->ctx[i];
}
OQS_SHA2_sha256_inc_destroy(state);
sha256_inc_ctx_release(state);
}
void OQS_SHA2_sha256_inc_destroy(void *state) {
OQS_MEM_secure_free(state, sizeof(sha256ctx));
void sha224_inc_finalize(uint8_t *out, sha224ctx *state, const uint8_t *in, size_t inlen) {
uint8_t tmp[32];
sha256_inc_finalize(tmp, (sha256ctx *)state, in, inlen);
for (size_t i = 0; i < 28; ++i) {
out[i] = tmp[i];
}
}
static void sha512_inc_finalize(uint8_t *out, sha512ctx *state, const uint8_t *in, size_t inlen) {
void sha512_inc_finalize(uint8_t *out, sha512ctx *state, const uint8_t *in, size_t inlen) {
uint8_t padded[256];
uint64_t bytes = load_bigendian_64(state->ctx + 64) + inlen;
@ -617,62 +744,131 @@ static void sha512_inc_finalize(uint8_t *out, sha512ctx *state, const uint8_t *i
for (size_t i = inlen + 1; i < 119; ++i) {
padded[i] = 0;
}
padded[119] = (uint8_t)(bytes >> 61);
padded[120] = (uint8_t)(bytes >> 53);
padded[121] = (uint8_t)(bytes >> 45);
padded[122] = (uint8_t)(bytes >> 37);
padded[123] = (uint8_t)(bytes >> 29);
padded[124] = (uint8_t)(bytes >> 21);
padded[125] = (uint8_t)(bytes >> 13);
padded[126] = (uint8_t)(bytes >> 5);
padded[127] = (uint8_t)(bytes << 3);
padded[119] = (uint8_t) (bytes >> 61);
padded[120] = (uint8_t) (bytes >> 53);
padded[121] = (uint8_t) (bytes >> 45);
padded[122] = (uint8_t) (bytes >> 37);
padded[123] = (uint8_t) (bytes >> 29);
padded[124] = (uint8_t) (bytes >> 21);
padded[125] = (uint8_t) (bytes >> 13);
padded[126] = (uint8_t) (bytes >> 5);
padded[127] = (uint8_t) (bytes << 3);
crypto_hashblocks_sha512(state->ctx, padded, 128);
} else {
for (size_t i = inlen + 1; i < 247; ++i) {
padded[i] = 0;
}
padded[247] = (uint8_t)(bytes >> 61);
padded[248] = (uint8_t)(bytes >> 53);
padded[249] = (uint8_t)(bytes >> 45);
padded[250] = (uint8_t)(bytes >> 37);
padded[251] = (uint8_t)(bytes >> 29);
padded[252] = (uint8_t)(bytes >> 21);
padded[253] = (uint8_t)(bytes >> 13);
padded[254] = (uint8_t)(bytes >> 5);
padded[255] = (uint8_t)(bytes << 3);
padded[247] = (uint8_t) (bytes >> 61);
padded[248] = (uint8_t) (bytes >> 53);
padded[249] = (uint8_t) (bytes >> 45);
padded[250] = (uint8_t) (bytes >> 37);
padded[251] = (uint8_t) (bytes >> 29);
padded[252] = (uint8_t) (bytes >> 21);
padded[253] = (uint8_t) (bytes >> 13);
padded[254] = (uint8_t) (bytes >> 5);
padded[255] = (uint8_t) (bytes << 3);
crypto_hashblocks_sha512(state->ctx, padded, 256);
}
for (size_t i = 0; i < 64; ++i) {
out[i] = state->ctx[i];
}
sha512_inc_ctx_release(state);
}
static void sha384_inc_finalize(uint8_t *out, sha384ctx *state, const uint8_t *in, size_t inlen) {
sha512_inc_finalize(state->ctx, (sha512ctx *) state, in, inlen);
void sha384_inc_finalize(uint8_t *out, sha384ctx *state, const uint8_t *in, size_t inlen) {
uint8_t tmp[64];
sha512_inc_finalize(tmp, (sha512ctx *)state, in, inlen);
for (size_t i = 0; i < 48; ++i) {
out[i] = state->ctx[i];
out[i] = tmp[i];
}
}
void OQS_SHA2_sha256(uint8_t *out, const uint8_t *in, size_t inlen) {
sha256ctx *state = NULL;
void sha224(uint8_t *out, const uint8_t *in, size_t inlen) {
sha224ctx state;
OQS_SHA2_sha256_inc_init((void **) &state);
OQS_SHA2_sha256_inc_finalize(out, state, in, inlen);
sha224_inc_init(&state);
sha224_inc_finalize(out, &state, in, inlen);
}
void OQS_SHA2_sha384(uint8_t *out, const uint8_t *in, size_t inlen) {
void sha256(uint8_t *out, const uint8_t *in, size_t inlen) {
sha256ctx state;
sha256_inc_init(&state);
sha256_inc_finalize(out, &state, in, inlen);
}
void sha384(uint8_t *out, const uint8_t *in, size_t inlen) {
sha384ctx state;
sha384_inc_init(&state);
sha384_inc_finalize(out, &state, in, inlen);
}
void OQS_SHA2_sha512(uint8_t *out, const uint8_t *in, size_t inlen) {
void sha512(uint8_t *out, const uint8_t *in, size_t inlen) {
sha512ctx state;
sha512_inc_init(&state);
sha512_inc_finalize(out, &state, in, inlen);
}
void OQS_SHA2_sha256_inc_init(OQS_SHA2_sha256_ctx *state) {
oqs_sha2_sha256_inc_init((sha256ctx *) state);
}
void OQS_SHA2_sha256_inc_ctx_clone(OQS_SHA2_sha256_ctx *dest, const OQS_SHA2_sha256_ctx *src) {
oqs_sha2_sha256_inc_ctx_clone((sha256ctx *) dest, (sha256ctx *) src);
}
void OQS_SHA2_sha256_inc_ctx_release(OQS_SHA2_sha256_ctx *state) {
oqs_sha2_sha256_inc_ctx_release((sha256ctx *) state);
}
void OQS_SHA2_sha256_inc_blocks(OQS_SHA2_sha256_ctx *state, const uint8_t *in, size_t inblocks) {
oqs_sha2_sha256_inc_blocks((sha256ctx *) state, in, inblocks);
}
void OQS_SHA2_sha256_inc_finalize(uint8_t *out, OQS_SHA2_sha256_ctx *state, const uint8_t *in, size_t inlen) {
oqs_sha2_sha256_inc_finalize(out, (sha256ctx *) state, in, inlen);
}
void OQS_SHA2_sha384_inc_init(OQS_SHA2_sha384_ctx *state) {
oqs_sha2_sha384_inc_init((sha384ctx *) state);
}
void OQS_SHA2_sha384_inc_ctx_clone(OQS_SHA2_sha384_ctx *dest, const OQS_SHA2_sha384_ctx *src) {
oqs_sha2_sha384_inc_ctx_clone((sha384ctx *) dest, (sha384ctx *) src);
}
void OQS_SHA2_sha384_inc_ctx_release(OQS_SHA2_sha384_ctx *state) {
oqs_sha2_sha384_inc_ctx_release((sha384ctx *) state);
}
void OQS_SHA2_sha384_inc_blocks(OQS_SHA2_sha384_ctx *state, const uint8_t *in, size_t inblocks) {
oqs_sha2_sha384_inc_blocks((sha384ctx *) state, in, inblocks);
}
void OQS_SHA2_sha384_inc_finalize(uint8_t *out, OQS_SHA2_sha384_ctx *state, const uint8_t *in, size_t inlen) {
oqs_sha2_sha384_inc_finalize(out, (sha384ctx *) state, in, inlen);
}
void OQS_SHA2_sha512_inc_init(OQS_SHA2_sha512_ctx *state) {
oqs_sha2_sha512_inc_init((sha512ctx *) state);
}
void OQS_SHA2_sha512_inc_ctx_clone(OQS_SHA2_sha512_ctx *dest, const OQS_SHA2_sha512_ctx *src) {
oqs_sha2_sha512_inc_ctx_clone((sha512ctx *) dest, (sha512ctx *) src);
}
void OQS_SHA2_sha512_inc_ctx_release(OQS_SHA2_sha512_ctx *state) {
oqs_sha2_sha512_inc_ctx_release((sha512ctx *) state);
}
void OQS_SHA2_sha512_inc_blocks(OQS_SHA2_sha512_ctx *state, const uint8_t *in, size_t inblocks) {
oqs_sha2_sha512_inc_blocks((sha512ctx *) state, in, inblocks);
}
void OQS_SHA2_sha512_inc_finalize(uint8_t *out, OQS_SHA2_sha512_ctx *state, const uint8_t *in, size_t inlen) {
oqs_sha2_sha512_inc_finalize(out, (sha512ctx *) state, in, inlen);
}

94
src/crypto/sha2/sha2_ossl.c
View File

@ -41,38 +41,102 @@ void OQS_SHA2_sha512(uint8_t *output, const uint8_t *input, size_t inplen) {
do_hash(output, input, inplen, md);
}
void OQS_SHA2_sha256_inc_init(void **state) {
#define SHA2_BLOCK_SIZE 64
void OQS_SHA2_sha256_inc_init(OQS_SHA2_sha256_ctx *state) {
EVP_MD_CTX *mdctx;
const EVP_MD *md = NULL;
md = EVP_sha256();
assert(md != NULL);
mdctx = EVP_MD_CTX_new();
EVP_DigestInit_ex(mdctx, md, NULL);
*state = mdctx;
state->ctx = mdctx;
}
#define SHA2_BLOCK_SIZE 64
void OQS_SHA2_sha256_inc_blocks(void *state, const uint8_t *in, size_t inblocks) {
EVP_DigestUpdate((EVP_MD_CTX *) state, in, inblocks * SHA2_BLOCK_SIZE);
void OQS_SHA2_sha256_inc_blocks(OQS_SHA2_sha256_ctx *state, const uint8_t *in, size_t inblocks) {
EVP_DigestUpdate((EVP_MD_CTX *) state->ctx, in, inblocks * SHA2_BLOCK_SIZE);
}
void OQS_SHA2_sha256_inc_finalize(uint8_t *out, void *state, const uint8_t *in, size_t inlen) {
void OQS_SHA2_sha256_inc_finalize(uint8_t *out, OQS_SHA2_sha256_ctx *state, const uint8_t *in, size_t inlen) {
unsigned int md_len;
if (inlen > 0) {
EVP_DigestUpdate((EVP_MD_CTX *) state, in, inlen);
EVP_DigestUpdate((EVP_MD_CTX *) state->ctx, in, inlen);
}
EVP_DigestFinal_ex((EVP_MD_CTX *) state, out, &md_len);
EVP_MD_CTX_free((EVP_MD_CTX *) state);
EVP_DigestFinal_ex((EVP_MD_CTX *) state->ctx, out, &md_len);
EVP_MD_CTX_free((EVP_MD_CTX *) state->ctx);
}
void OQS_SHA2_sha256_inc_destroy(void *state) {
EVP_MD_CTX_destroy((EVP_MD_CTX *) state);
void OQS_SHA2_sha256_inc_ctx_release(OQS_SHA2_sha256_ctx *state) {
EVP_MD_CTX_destroy((EVP_MD_CTX *) state->ctx);
}
void OQS_SHA2_sha256_inc_clone_state(void **stateout, const void *statein) {
OQS_SHA2_sha256_inc_init(stateout);
EVP_MD_CTX_copy_ex(*stateout, statein);
void OQS_SHA2_sha256_inc_ctx_clone(OQS_SHA2_sha256_ctx *dest, const OQS_SHA2_sha256_ctx *src) {
OQS_SHA2_sha256_inc_init(dest);
EVP_MD_CTX_copy_ex((EVP_MD_CTX *) dest->ctx, (EVP_MD_CTX *) src->ctx);
}
void OQS_SHA2_sha384_inc_init(OQS_SHA2_sha384_ctx *state) {
EVP_MD_CTX *mdctx;
const EVP_MD *md = NULL;
md = EVP_sha384();
assert(md != NULL);
mdctx = EVP_MD_CTX_new();
EVP_DigestInit_ex(mdctx, md, NULL);
state->ctx = mdctx;
}
void OQS_SHA2_sha384_inc_blocks(OQS_SHA2_sha384_ctx *state, const uint8_t *in, size_t inblocks) {
EVP_DigestUpdate((EVP_MD_CTX *) state->ctx, in, inblocks * SHA2_BLOCK_SIZE);
}
void OQS_SHA2_sha384_inc_finalize(uint8_t *out, OQS_SHA2_sha384_ctx *state, const uint8_t *in, size_t inlen) {
unsigned int md_len;
if (inlen > 0) {
EVP_DigestUpdate((EVP_MD_CTX *) state->ctx, in, inlen);
}
EVP_DigestFinal_ex((EVP_MD_CTX *) state->ctx, out, &md_len);
EVP_MD_CTX_free((EVP_MD_CTX *) state->ctx);
}
void OQS_SHA2_sha384_inc_ctx_release(OQS_SHA2_sha384_ctx *state) {
EVP_MD_CTX_destroy((EVP_MD_CTX *) state->ctx);
}
void OQS_SHA2_sha384_inc_ctx_clone(OQS_SHA2_sha384_ctx *dest, const OQS_SHA2_sha384_ctx *src) {
OQS_SHA2_sha384_inc_init(dest);
EVP_MD_CTX_copy_ex((EVP_MD_CTX *) dest->ctx, (EVP_MD_CTX *) src->ctx);
}
void OQS_SHA2_sha512_inc_init(OQS_SHA2_sha512_ctx *state) {
EVP_MD_CTX *mdctx;
const EVP_MD *md = NULL;
md = EVP_sha512();
assert(md != NULL);
mdctx = EVP_MD_CTX_new();
EVP_DigestInit_ex(mdctx, md, NULL);
state->ctx = mdctx;
}
void OQS_SHA2_sha512_inc_blocks(OQS_SHA2_sha512_ctx *state, const uint8_t *in, size_t inblocks) {
EVP_DigestUpdate((EVP_MD_CTX *) state->ctx, in, inblocks * SHA2_BLOCK_SIZE);
}
void OQS_SHA2_sha512_inc_finalize(uint8_t *out, OQS_SHA2_sha512_ctx *state, const uint8_t *in, size_t inlen) {
unsigned int md_len;
if (inlen > 0) {
EVP_DigestUpdate((EVP_MD_CTX *) state->ctx, in, inlen);
}
EVP_DigestFinal_ex((EVP_MD_CTX *) state->ctx, out, &md_len);
EVP_MD_CTX_free((EVP_MD_CTX *) state->ctx);
}
void OQS_SHA2_sha512_inc_ctx_release(OQS_SHA2_sha512_ctx *state) {
EVP_MD_CTX_destroy((EVP_MD_CTX *) state->ctx);
}
void OQS_SHA2_sha512_inc_ctx_clone(OQS_SHA2_sha512_ctx *dest, const OQS_SHA2_sha512_ctx *src) {
OQS_SHA2_sha512_inc_init(dest);
EVP_MD_CTX_copy_ex((EVP_MD_CTX *) dest->ctx, (EVP_MD_CTX *) src->ctx);
}
#endif

142
src/crypto/sha3/fips202.c
View File

@ -7,6 +7,11 @@
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define PQC_SHAKEINCCTX_BYTES (sizeof(uint64_t)*26)
#define PQC_SHAKECTX_BYTES (sizeof(uint64_t)*25)
#define NROUNDS 24
#define ROL(a, offset) (((a) << (offset)) ^ ((a) >> (64 - (offset))))
@ -23,7 +28,7 @@
static uint64_t load64(const uint8_t *x) {
uint64_t r = 0;
for (size_t i = 0; i < 8; ++i) {
r |= (uint64_t) x[i] << 8 * i;
r |= (uint64_t)x[i] << 8 * i;
}
return r;
@ -39,7 +44,7 @@ static uint64_t load64(const uint8_t *x) {
**************************************************/
static void store64(uint8_t *x, uint64_t u) {
for (size_t i = 0; i < 8; ++i) {
x[i] = (uint8_t)(u >> 8 * i);
x[i] = (uint8_t) (u >> 8 * i);
}
}
@ -439,10 +444,10 @@ static void keccak_inc_absorb(uint64_t *s_inc, uint32_t r, const uint8_t *m,
/* Recall that s_inc[25] is the non-absorbed bytes xored into the state */
while (mlen + s_inc[25] >= r) {
for (i = 0; i < r - s_inc[25]; i++) {
for (i = 0; i < r - (uint32_t)s_inc[25]; i++) {
/* Take the i'th byte from message
xor with the s_inc[25] + i'th byte of the state; little-endian */
s_inc[(s_inc[25] + i) >> 3] ^= (uint64_t) m[i] << (8 * ((s_inc[25] + i) & 0x07));
s_inc[(s_inc[25] + i) >> 3] ^= (uint64_t)m[i] << (8 * ((s_inc[25] + i) & 0x07));
}
mlen -= (size_t)(r - s_inc[25]);
m += r - s_inc[25];
@ -452,7 +457,7 @@ static void keccak_inc_absorb(uint64_t *s_inc, uint32_t r, const uint8_t *m,
}
for (i = 0; i < mlen; i++) {
s_inc[(s_inc[25] + i) >> 3] ^= (uint64_t) m[i] << (8 * ((s_inc[25] + i) & 0x07));
s_inc[(s_inc[25] + i) >> 3] ^= (uint64_t)m[i] << (8 * ((s_inc[25] + i) & 0x07));
}
s_inc[25] += mlen;
}
@ -473,8 +478,8 @@ static void keccak_inc_absorb(uint64_t *s_inc, uint32_t r, const uint8_t *m,
static void keccak_inc_finalize(uint64_t *s_inc, uint32_t r, uint8_t p) {
/* After keccak_inc_absorb, we are guaranteed that s_inc[25] < r,
so we can always use one more byte for p in the current state. */
s_inc[s_inc[25] >> 3] ^= (uint64_t) p << (8 * (s_inc[25] & 0x07));
s_inc[(r - 1) >> 3] ^= (uint64_t) 128 << (8 * ((r - 1) & 0x07));
s_inc[s_inc[25] >> 3] ^= (uint64_t)p << (8 * (s_inc[25] & 0x07));
s_inc[(r - 1) >> 3] ^= (uint64_t)128 << (8 * ((r - 1) & 0x07));
s_inc[25] = 0;
}
@ -519,6 +524,10 @@ static void keccak_inc_squeeze(uint8_t *h, size_t outlen,
}
void shake128_inc_init(shake128incctx *state) {
state->ctx = malloc(PQC_SHAKEINCCTX_BYTES);
if (state->ctx == NULL) {
exit(111);
}
keccak_inc_init(state->ctx);
}
@ -534,7 +543,23 @@ void shake128_inc_squeeze(uint8_t *output, size_t outlen, shake128incctx *state)
keccak_inc_squeeze(output, outlen, state->ctx, SHAKE128_RATE);
}
void shake128_inc_ctx_clone(shake128incctx *dest, const shake128incctx *src) {
dest->ctx = malloc(PQC_SHAKEINCCTX_BYTES);
if (dest->ctx == NULL) {
exit(111);
}
memcpy(dest->ctx, src->ctx, PQC_SHAKEINCCTX_BYTES);
}
void shake128_inc_ctx_release(shake128incctx *state) {
free(state->ctx); // IGNORE free-check
}
void shake256_inc_init(shake256incctx *state) {
state->ctx = malloc(PQC_SHAKEINCCTX_BYTES);
if (state->ctx == NULL) {
exit(111);
}
keccak_inc_init(state->ctx);
}
@ -550,6 +575,19 @@ void shake256_inc_squeeze(uint8_t *output, size_t outlen, shake256incctx *state)
keccak_inc_squeeze(output, outlen, state->ctx, SHAKE256_RATE);
}
void shake256_inc_ctx_clone(shake256incctx *dest, const shake256incctx *src) {
dest->ctx = malloc(PQC_SHAKEINCCTX_BYTES);
if (dest->ctx == NULL) {
exit(111);
}
memcpy(dest->ctx, src->ctx, PQC_SHAKEINCCTX_BYTES);
}
void shake256_inc_ctx_release(shake256incctx *state) {
free(state->ctx); // IGNORE free-check
}
/*************************************************
* Name: shake128_absorb
*
@ -562,6 +600,10 @@ void shake256_inc_squeeze(uint8_t *output, size_t outlen, shake256incctx *state)
* - size_t inlen: length of input in bytes
**************************************************/
void shake128_absorb(shake128ctx *state, const uint8_t *input, size_t inlen) {
state->ctx = malloc(PQC_SHAKECTX_BYTES);
if (state->ctx == NULL) {
exit(111);
}
keccak_absorb(state->ctx, SHAKE128_RATE, input, inlen, 0x1F);
}
@ -581,6 +623,19 @@ void shake128_squeezeblocks(uint8_t *output, size_t nblocks, shake128ctx *state)
keccak_squeezeblocks(output, nblocks, state->ctx, SHAKE128_RATE);
}
void shake128_ctx_clone(shake128ctx *dest, const shake128ctx *src) {
dest->ctx = malloc(PQC_SHAKECTX_BYTES);
if (dest->ctx == NULL) {
exit(111);
}
memcpy(dest->ctx, src->ctx, PQC_SHAKECTX_BYTES);
}
/** Release the allocated state. Call only once. */
void shake128_ctx_release(shake128ctx *state) {
free(state->ctx); // IGNORE free-check
}
/*************************************************
* Name: shake256_absorb
*
@ -593,6 +648,10 @@ void shake128_squeezeblocks(uint8_t *output, size_t nblocks, shake128ctx *state)
* - size_t inlen: length of input in bytes
**************************************************/
void shake256_absorb(shake256ctx *state, const uint8_t *input, size_t inlen) {
state->ctx = malloc(PQC_SHAKECTX_BYTES);
if (state->ctx == NULL) {
exit(111);
}
keccak_absorb(state->ctx, SHAKE256_RATE, input, inlen, 0x1F);
}
@ -612,6 +671,19 @@ void shake256_squeezeblocks(uint8_t *output, size_t nblocks, shake256ctx *state)
keccak_squeezeblocks(output, nblocks, state->ctx, SHAKE256_RATE);
}
void shake256_ctx_clone(shake256ctx *dest, const shake256ctx *src) {
dest->ctx = malloc(PQC_SHAKECTX_BYTES);
if (dest->ctx == NULL) {
exit(111);
}
memcpy(dest->ctx, src->ctx, PQC_SHAKECTX_BYTES);
}
/** Release the allocated state. Call only once. */
void shake256_ctx_release(shake256ctx *state) {
free(state->ctx); // IGNORE free-check
}
/*************************************************
* Name: shake128
*
@ -640,6 +712,7 @@ void shake128(uint8_t *output, size_t outlen,
output[i] = t[i];
}
}
shake128_ctx_release(&s);
}
/*************************************************
@ -670,12 +743,29 @@ void shake256(uint8_t *output, size_t outlen,
output[i] = t[i];
}
}
shake256_ctx_release(&s);
}
void sha3_256_inc_init(sha3_256incctx *state) {
state->ctx = malloc(PQC_SHAKEINCCTX_BYTES);
if (state->ctx == NULL) {
exit(111);
}
keccak_inc_init(state->ctx);
}
void sha3_256_inc_ctx_clone(sha3_256incctx *dest, const sha3_256incctx *src) {
dest->ctx = malloc(PQC_SHAKEINCCTX_BYTES);
if (dest->ctx == NULL) {
exit(111);
}
memcpy(dest->ctx, src->ctx, PQC_SHAKEINCCTX_BYTES);
}
void sha3_256_inc_ctx_release(sha3_256incctx *state) {
free(state->ctx); // IGNORE free-check
}
void sha3_256_inc_absorb(sha3_256incctx *state, const uint8_t *input, size_t inlen) {
keccak_inc_absorb(state->ctx, SHA3_256_RATE, input, inlen);
}
@ -686,6 +776,8 @@ void sha3_256_inc_finalize(uint8_t *output, sha3_256incctx *state) {
keccak_squeezeblocks(t, 1, state->ctx, SHA3_256_RATE);
sha3_256_inc_ctx_release(state);
for (size_t i = 0; i < 32; i++) {
output[i] = t[i];
}
@ -716,19 +808,37 @@ void sha3_256(uint8_t *output, const uint8_t *input, size_t inlen) {
}
void sha3_384_inc_init(sha3_384incctx *state) {
state->ctx = malloc(PQC_SHAKEINCCTX_BYTES);
if (state->ctx == NULL) {
exit(111);
}
keccak_inc_init(state->ctx);
}
void sha3_384_inc_ctx_clone(sha3_384incctx *dest, const sha3_384incctx *src) {
dest->ctx = malloc(PQC_SHAKEINCCTX_BYTES);
if (dest->ctx == NULL) {
exit(111);
}
memcpy(dest->ctx, src->ctx, PQC_SHAKEINCCTX_BYTES);
}
void sha3_384_inc_absorb(sha3_384incctx *state, const uint8_t *input, size_t inlen) {
keccak_inc_absorb(state->ctx, SHA3_384_RATE, input, inlen);
}
void sha3_384_inc_ctx_release(sha3_384incctx *state) {
free(state->ctx); // IGNORE free-check
}
void sha3_384_inc_finalize(uint8_t *output, sha3_384incctx *state) {
uint8_t t[SHA3_384_RATE];
keccak_inc_finalize(state->ctx, SHA3_384_RATE, 0x06);
keccak_squeezeblocks(t, 1, state->ctx, SHA3_384_RATE);
sha3_384_inc_ctx_release(state);
for (size_t i = 0; i < 48; i++) {
output[i] = t[i];
}
@ -759,19 +869,37 @@ void sha3_384(uint8_t *output, const uint8_t *input, size_t inlen) {
}
void sha3_512_inc_init(sha3_512incctx *state) {
state->ctx = malloc(PQC_SHAKEINCCTX_BYTES);
if (state->ctx == NULL) {
exit(111);
}
keccak_inc_init(state->ctx);
}
void sha3_512_inc_ctx_clone(sha3_512incctx *dest, const sha3_512incctx *src) {
dest->ctx = malloc(PQC_SHAKEINCCTX_BYTES);
if (dest->ctx == NULL) {
exit(111);
}
memcpy(dest->ctx, src->ctx, PQC_SHAKEINCCTX_BYTES);
}
void sha3_512_inc_absorb(sha3_512incctx *state, const uint8_t *input, size_t inlen) {
keccak_inc_absorb(state->ctx, SHA3_512_RATE, input, inlen);
}
void sha3_512_inc_ctx_release(sha3_512incctx *state) {
free(state->ctx); // IGNORE free-check
}
void sha3_512_inc_finalize(uint8_t *output, sha3_512incctx *state) {
uint8_t t[SHA3_512_RATE];
keccak_inc_finalize(state->ctx, SHA3_512_RATE, 0x06);
keccak_squeezeblocks(t, 1, state->ctx, SHA3_512_RATE);
sha3_512_inc_ctx_release(state);
for (size_t i = 0; i < 64; i++) {
output[i] = t[i];
}

266
src/crypto/sha3/sha3.h
View File

@ -39,13 +39,17 @@ void OQS_SHA3_sha3_256(uint8_t *output, const uint8_t *input, size_t inplen);
/** Data structure for the state of the SHA3-256 incremental hashing API. */
typedef struct {
/** Internal state. */
uint64_t ctx[26];
void *ctx;
} OQS_SHA3_sha3_256_inc_ctx;
/**
* \brief Initialize the state for the SHA3-256 incremental hashing API.
*
* \param state The function state to be initialized; must be allocated
* \warning State must be allovated by the caller. Caller is responsible
* for releasing state by calling either OQS_SHA3_sha3_256_inc_finalize or
* OQS_SHA3_sha3_256_inc_ctx_release.
*
* \param state The function state to be initialized; must be allocated.
*/
void OQS_SHA3_sha3_256_inc_init(OQS_SHA3_sha3_256_inc_ctx *state);
@ -64,21 +68,44 @@ void OQS_SHA3_sha3_256_inc_absorb(OQS_SHA3_sha3_256_inc_ctx *state, const uint8_
/**
* \brief The SHA3-256 squeeze/finalize function.
* Permutes and extracts the state to an output byte array.
* Releases state.
*
* \warning Output array must be allocated.
*
* State cannot be used after this without re-calling OQS_SHA3_sha3_256_inc_init.
* \param output The output byte array
* \param state The function state; must be initialized
*/
void OQS_SHA3_sha3_256_inc_finalize(uint8_t *output, OQS_SHA3_sha3_256_inc_ctx *state);
/**
* \brief Release the state for the SHA3-256 incremental API.
*
* \warning State cannot be used after this without re-calling OQS_SHA3_sha3_256_inc_init.
*
* \param state The function state; must be initialized
*/
void OQS_SHA3_sha3_256_inc_ctx_release(OQS_SHA3_sha3_256_inc_ctx *state);
/**
* \brief Clone the state for the SHA3-256 incremental API.
*
* \warning dest must be allocated by the caller. Caller is responsible
* for releasing dest by calling either OQS_SHA3_sha3_256_inc_finalize or
* OQS_SHA3_sha3_256_inc_ctx_release.
*
* \param dest The function state to copy into; must be initialized
* \param src The function state to copy; must be initialized
*/
void OQS_SHA3_sha3_256_inc_ctx_clone(OQS_SHA3_sha3_256_inc_ctx *dest, const OQS_SHA3_sha3_256_inc_ctx *src);
/** The SHA-384 byte absorption rate */
#define OQS_SHA3_SHA3_384_RATE 104
/**
* \brief Process a message with SHA3-384 and return the hash code in the output byte array.
*
* \warning The output array must be at least 32 bytes in length.
* \warning The output array must be at least 48 bytes in length.
*
* \param output The output byte array
* \param input The message input byte array
@ -89,13 +116,17 @@ void OQS_SHA3_sha3_384(uint8_t *output, const uint8_t *input, size_t inplen);
/** Data structure for the state of the SHA3-384 incremental hashing API. */
typedef struct {
/** Internal state. */
uint64_t ctx[26];
void *ctx;
} OQS_SHA3_sha3_384_inc_ctx;
/**
* \brief Initialize the state for the SHA3-384 incremental hashing API.
*
* \param state The function state to be initialized; must be allocated
* \warning State must be allovated by the caller. Caller is responsible
* for releasing state by calling either OQS_SHA3_sha3_384_inc_finalize or
* OQS_SHA3_sha3_384_inc_ctx_release.
*
* \param state The function state to be initialized; must be allocated.
*/
void OQS_SHA3_sha3_384_inc_init(OQS_SHA3_sha3_384_inc_ctx *state);
@ -114,14 +145,37 @@ void OQS_SHA3_sha3_384_inc_absorb(OQS_SHA3_sha3_384_inc_ctx *state, const uint8_
/**
* \brief The SHA3-384 squeeze/finalize function.
* Permutes and extracts the state to an output byte array.
* Releases state.
*
* \warning Output array must be allocated.
*
* State cannot be used after this without re-calling OQS_SHA3_sha3_384_inc_init.
* \param output The output byte array
* \param state The function state; must be initialized
*/
void OQS_SHA3_sha3_384_inc_finalize(uint8_t *output, OQS_SHA3_sha3_384_inc_ctx *state);
/**
* \brief Release the state for the SHA3-384 incremental API.
*
* \warning State cannot be used after this without re-calling OQS_SHA3_sha3_384_inc_init.
*
* \param state The function state; must be initialized
*/
void OQS_SHA3_sha3_384_inc_ctx_release(OQS_SHA3_sha3_384_inc_ctx *state);
/**
* \brief Clone the state for the SHA3-384 incremental API.
*
* \warning dest must be allovated by the caller. Caller is responsible
* for releasing dest by calling either OQS_SHA3_sha3_384_inc_finalize or
* OQS_SHA3_sha3_384_inc_ctx_release.
*
* \param dest The function state to copy into; must be initialized
* \param src The function state to copy; must be initialized
*/
void OQS_SHA3_sha3_384_inc_ctx_clone(OQS_SHA3_sha3_384_inc_ctx *dest, const OQS_SHA3_sha3_384_inc_ctx *src);
/** The SHA-512 byte absorption rate */
#define OQS_SHA3_SHA3_512_RATE 72
@ -139,13 +193,17 @@ void OQS_SHA3_sha3_512(uint8_t *output, const uint8_t *input, size_t inplen);
/** Data structure for the state of the SHA3-512 incremental hashing API. */
typedef struct {
/** Internal state. */
uint64_t ctx[26];
void *ctx;
} OQS_SHA3_sha3_512_inc_ctx;
/**
* \brief Initialize the state for the SHA3-512 incremental hashing API.
*
* \param state The function state to be initialized; must be allocated
* \warning State must be allovated by the caller. Caller is responsible
* for releasing state by calling either OQS_SHA3_sha3_512_inc_finalize or
* OQS_SHA3_sha3_512_inc_ctx_release.
*
* \param state The function state to be initialized; must be allocated.
*/
void OQS_SHA3_sha3_512_inc_init(OQS_SHA3_sha3_512_inc_ctx *state);
@ -162,16 +220,39 @@ void OQS_SHA3_sha3_512_inc_init(OQS_SHA3_sha3_512_inc_ctx *state);
void OQS_SHA3_sha3_512_inc_absorb(OQS_SHA3_sha3_512_inc_ctx *state, const uint8_t *input, size_t inlen);
/**
* \brief The SHA3-512 finalize/squeeze function.
* \brief The SHA3-512 squeeze/finalize function.
* Permutes and extracts the state to an output byte array.
* Releases state.
*
* \warning Output array must be allocated.
*
* State cannot be used after this without re-calling OQS_SHA3_sha3_512_inc_init.
* \param output The output byte array
* \param state The function state; must be initialized
*/
void OQS_SHA3_sha3_512_inc_finalize(uint8_t *output, OQS_SHA3_sha3_512_inc_ctx *state);
/**
* \brief Release the state for the SHA3-512 incremental API.
*
* \warning State cannot be used after this without re-calling OQS_SHA3_sha3_512_inc_init.
*
* \param state The function state; must be initialized
*/
void OQS_SHA3_sha3_512_inc_ctx_release(OQS_SHA3_sha3_512_inc_ctx *state);
/**
* \brief Clone the state for the SHA3-512 incremental API.
*
* \warning dest must be allovated by the caller. Caller is responsible
* for releasing dest by calling either OQS_SHA3_sha3_512_inc_finalize or
* OQS_SHA3_sha3_512_inc_ctx_release.
*
* \param dest The function state to copy into; must be initialized
* \param src The function state to copy; must be initialized
*/
void OQS_SHA3_sha3_512_inc_ctx_clone(OQS_SHA3_sha3_512_inc_ctx *dest, const OQS_SHA3_sha3_512_inc_ctx *src);
/* SHAKE */
/** The SHAKE-128 byte absorption rate */
@ -192,7 +273,7 @@ void OQS_SHA3_shake128(uint8_t *output, size_t outlen, const uint8_t *input, siz
/** Data structure for the state of the SHAKE128 non-incremental hashing API. */
typedef struct {
/** Internal state. */
uint64_t ctx[25];
void *ctx;
} OQS_SHA3_shake128_ctx;
/**
@ -201,7 +282,8 @@ typedef struct {
* Should be used in conjunction with the shake128_squeezeblocks function.
*
* \warning Finalizes the seed state, should not be used in consecutive calls.
* State must be allocated by the caller.
* State must be allocated by the caller. State msut be freed by calling
* OQS_SHA3_shake128_ctx_release.
*
* \param state The function state; must be allocated
* \param input The input seed byte array
@ -222,18 +304,36 @@ void OQS_SHA3_shake128_absorb(OQS_SHA3_shake128_ctx *state, const uint8_t *input
*/
void OQS_SHA3_shake128_squeezeblocks(uint8_t *output, size_t nblocks, OQS_SHA3_shake128_ctx *state);
/**
* \brief Frees the state for SHAKE-128.
*
* \param state The state to free
*/
void OQS_SHA3_shake128_ctx_release(OQS_SHA3_shake128_ctx *state);
/**
* \brief Copies the state for SHAKE-128.
*
* \warning dest must be allocated. dest must be freed by calling
* OQS_SHA3_shake128_ctx_release.
*
* \param dest The state to copy into
* \param src The state to copy from
*/
void OQS_SHA3_shake128_ctx_clone(OQS_SHA3_shake128_ctx *dest, const OQS_SHA3_shake128_ctx *src);
/** Data structure for the state of the SHAKE-128 incremental hashing API. */
typedef struct {
/** Internal state. */
uint64_t ctx[26];
void *ctx;
} OQS_SHA3_shake128_inc_ctx;
/**
* \brief Initialize the state for the SHAKE-128 incremental hashing API.
*
* \param s_inc The function state to be initialized; must be allocated
* \param state The function state to be initialized; must be allocated
*/
void OQS_SHA3_shake128_inc_init(OQS_SHA3_shake128_inc_ctx *s_inc);
void OQS_SHA3_shake128_inc_init(OQS_SHA3_shake128_inc_ctx *state);
/**
* \brief The SHAKE-128 absorb function.
@ -241,18 +341,18 @@ void OQS_SHA3_shake128_inc_init(OQS_SHA3_shake128_inc_ctx *s_inc);
*
* \warning State must be initialized by the caller.
*
* \param s_inc state
* \param state The function state; must be initialized
* \param input input buffer
* \param inlen length of input buffer
*/
void OQS_SHA3_shake128_inc_absorb(OQS_SHA3_shake128_inc_ctx *s_inc, const uint8_t *input, size_t inlen);
void OQS_SHA3_shake128_inc_absorb(OQS_SHA3_shake128_inc_ctx *state, const uint8_t *input, size_t inlen);
/**
* \brief The SHAKE-128 finalize function.
*
* \param s_inc The function state; must be initialized
* \param state The function state; must be initialized
*/
void OQS_SHA3_shake128_inc_finalize(OQS_SHA3_shake128_inc_ctx *s_inc);
void OQS_SHA3_shake128_inc_finalize(OQS_SHA3_shake128_inc_ctx *state);
/**
* \brief The SHAKE-128 squeeze function.
@ -260,9 +360,27 @@ void OQS_SHA3_shake128_inc_finalize(OQS_SHA3_shake128_inc_ctx *s_inc);
*
* \param output output buffer
* \param outlen bytes of outbut buffer
* \param s_inc The function state; must be initialized
* \param state The function state; must be initialized
*/
void OQS_SHA3_shake128_inc_squeeze(uint8_t *output, size_t outlen, OQS_SHA3_shake128_inc_ctx *s_inc);
void OQS_SHA3_shake128_inc_squeeze(uint8_t *output, size_t outlen, OQS_SHA3_shake128_inc_ctx *state);
/**
* \brief Frees the state for the SHAKE-128 incremental hashing API.
*
* \param state The state to free
*/
void OQS_SHA3_shake128_inc_ctx_release(OQS_SHA3_shake128_inc_ctx *state);
/**
* \brief Copies the state for the SHAKE-128 incremental hashing API.
*
* \warning dest must be allocated. dest must be freed by calling
* OQS_SHA3_shake128_inc_ctx_release.
*
* \param dest The state to copy into
* \param src The state to copy from
*/
void OQS_SHA3_shake128_inc_ctx_clone(OQS_SHA3_shake128_inc_ctx *dest, const OQS_SHA3_shake128_inc_ctx *src);
/** The SHAKE-256 byte absorption rate */
#define OQS_SHA3_SHAKE256_RATE 136
@ -279,10 +397,10 @@ void OQS_SHA3_shake128_inc_squeeze(uint8_t *output, size_t outlen, OQS_SHA3_shak
*/
void OQS_SHA3_shake256(uint8_t *output, size_t outlen, const uint8_t *input, size_t inplen);
/** Data structure for the state of the SHAKE-256 non-incremental hashing API. */
/** Data structure for the state of the SHAKE256 non-incremental hashing API. */
typedef struct {
/** Internal state. */
uint64_t ctx[25];
void *ctx;
} OQS_SHA3_shake256_ctx;
/**
@ -291,9 +409,10 @@ typedef struct {
* Should be used in conjunction with the shake256_squeezeblocks function.
*
* \warning Finalizes the seed state, should not be used in consecutive calls.
* State must be initialized (and zeroed) by the caller.
* State must be allocated by the caller. State msut be freed by calling
* OQS_SHA3_shake256_ctx_release.
*
* \param state The function state; must be pre-initialized
* \param state The function state; must be allocated
* \param input The input seed byte array
* \param inplen The number of seed bytes to process
*/
@ -302,27 +421,46 @@ void OQS_SHA3_shake256_absorb(OQS_SHA3_shake256_ctx *state, const uint8_t *input
/**
* \brief The SHAKE-256 squeeze function.
* Permutes and extracts the state to an output byte array.
* Should be used in conjunction with the shake256_absorb function.
*
* \warning Output array must be initialized to a multiple of the byte rate.
*
* \param output The output byte array
* \param nblocks The number of blocks to extract
* \param state The function state; must be pre-initialized
* \param state The function state; must be allocated
*/
void OQS_SHA3_shake256_squeezeblocks(uint8_t *output, size_t nblocks, OQS_SHA3_shake256_ctx *state);
/**
* \brief Frees the state for SHAKE-256.
*
* \param state The state to free
*/
void OQS_SHA3_shake256_ctx_release(OQS_SHA3_shake256_ctx *state);
/**
* \brief Copies the state for SHAKE-256.
*
* \warning dest must be allocated. dest must be freed by calling
* OQS_SHA3_shake256_ctx_release.
*
* \param dest The state to copy into
* \param src The state to copy from
*/
void OQS_SHA3_shake256_ctx_clone(OQS_SHA3_shake256_ctx *dest, const OQS_SHA3_shake256_ctx *src);
/** Data structure for the state of the SHAKE-256 incremental hashing API. */
typedef struct {
/** Internal state. */
uint64_t ctx[26];
void *ctx;
} OQS_SHA3_shake256_inc_ctx;
/**
* \brief Initialize the state for the SHAKE-256 incremental hashing API.
*
* \param s_inc The function state to be initialized; must be allocated
* \param state The function state to be initialized; must be allocated
*/
void OQS_SHA3_shake256_inc_init(OQS_SHA3_shake256_inc_ctx *s_inc);
void OQS_SHA3_shake256_inc_init(OQS_SHA3_shake256_inc_ctx *state);
/**
* \brief The SHAKE-256 absorb function.
@ -330,18 +468,18 @@ void OQS_SHA3_shake256_inc_init(OQS_SHA3_shake256_inc_ctx *s_inc);
*
* \warning State must be initialized by the caller.
*
* \param s_inc state
* \param state The function state; must be initialized
* \param input input buffer
* \param inlen length of input buffer
*/
void OQS_SHA3_shake256_inc_absorb(OQS_SHA3_shake256_inc_ctx *s_inc, const uint8_t *input, size_t inlen);
void OQS_SHA3_shake256_inc_absorb(OQS_SHA3_shake256_inc_ctx *state, const uint8_t *input, size_t inlen);
/**
* \brief The SHAKE-256 finalize function.
*
* \param s_inc The function state; must be initialized
* \param state The function state; must be initialized
*/
void OQS_SHA3_shake256_inc_finalize(OQS_SHA3_shake256_inc_ctx *s_inc);
void OQS_SHA3_shake256_inc_finalize(OQS_SHA3_shake256_inc_ctx *state);
/**
* \brief The SHAKE-256 squeeze function.
@ -349,9 +487,27 @@ void OQS_SHA3_shake256_inc_finalize(OQS_SHA3_shake256_inc_ctx *s_inc);
*
* \param output output buffer
* \param outlen bytes of outbut buffer
* \param s_inc state
* \param state The function state; must be initialized
*/
void OQS_SHA3_shake256_inc_squeeze(uint8_t *output, size_t outlen, OQS_SHA3_shake256_inc_ctx *s_inc);
void OQS_SHA3_shake256_inc_squeeze(uint8_t *output, size_t outlen, OQS_SHA3_shake256_inc_ctx *state);
/**
* \brief Frees the state for the SHAKE-256 incremental hashing API.
*
* \param state The state to free
*/
void OQS_SHA3_shake256_inc_ctx_release(OQS_SHA3_shake256_inc_ctx *state);
/**
* \brief Copies the state for the SHAKE-256 incremental hashing API.
*
* \warning dest must be allocated. dest must be freed by calling
* OQS_SHA3_shake256_inc_ctx_release.
*
* \param dest The state to copy into
* \param src The state to copy from
*/
void OQS_SHA3_shake256_inc_ctx_clone(OQS_SHA3_shake256_inc_ctx *dest, const OQS_SHA3_shake256_inc_ctx *src);
/* cSHAKE */
@ -412,6 +568,24 @@ void OQS_SHA3_cshake128_inc_finalize(OQS_SHA3_shake128_inc_ctx *state);
*/
void OQS_SHA3_cshake128_inc_squeeze(uint8_t *output, size_t outlen, OQS_SHA3_shake128_inc_ctx *state);
/**
* \brief Free the cSHAKE-128 incremental context.
*
* \param state The function state; must be initialized
*/
void OQS_SHA3_cshake128_inc_ctx_release(OQS_SHA3_shake128_inc_ctx *state);
/**
* \brief Copies the state for the cSHAKE-128 incremental hashing API.
*
* \warning dest must be allocated. dest must be freed by calling
* OQS_SHA3_cshake128_inc_ctx_release.
*
* \param dest The state to copy into
* \param src The state to copy from
*/
void OQS_SHA3_cshake128_inc_ctx_clone(OQS_SHA3_shake128_inc_ctx *dest, const OQS_SHA3_shake128_inc_ctx *src);
/**
* \brief Seed a cSHAKE-256 instance and generate pseudo-random output.
* Permutes and extracts the state to an output byte array.
@ -465,10 +639,28 @@ void OQS_SHA3_cshake256_inc_finalize(OQS_SHA3_shake256_inc_ctx *state);
*
* \param output output buffer
* \param outlen bytes of outbut buffer
* \param state The function state, must be initialized
* \param state The function state; must be initialized
*/
void OQS_SHA3_cshake256_inc_squeeze(uint8_t *output, size_t outlen, OQS_SHA3_shake256_inc_ctx *state);
/**
* \brief Free the cSHAKE-256 incremental context.
*
* \param state The function state; must be initialized
*/
void OQS_SHA3_cshake256_inc_ctx_release(OQS_SHA3_shake256_inc_ctx *state);
/**
* \brief Copies the state for the cSHAKE-256 incremental hashing API.
*
* \warning dest must be allocated. dest must be freed by calling
* OQS_SHA3_cshake256_inc_ctx_release.
*
* \param dest The state to copy into
* \param src The state to copy from
*/
void OQS_SHA3_cshake256_inc_ctx_clone(OQS_SHA3_shake256_inc_ctx *dest, const OQS_SHA3_shake256_inc_ctx *src);
/**
* \brief Seed a cSHAKE-128 instance and generate pseudo-random output, using a "simplified" customization string.
* Permutes and extracts the state to an output byte array.

270
src/crypto/sha3/sha3_c.c
View File

@ -1,6 +1,6 @@
/**
* \file sha3_c.c
* \brief Implementation of the OQS SHA3 API via the files fips202.c and sp800-185.c
* \brief Implementation of the OQS SHA3 API via the files fips202.c
* from PQClean (https://github.com/PQClean/PQClean/tree/master/common)
*/
@ -15,10 +15,14 @@
#define sha3_256 oqs_unused_SHA3_sha3_256
#endif
#define sha3_256incctx OQS_SHA3_sha3_256_inc_ctx
#define sha3_256_inc_init OQS_SHA3_sha3_256_inc_init
#define sha3_256_inc_absorb OQS_SHA3_sha3_256_inc_absorb
#define sha3_256_inc_finalize OQS_SHA3_sha3_256_inc_finalize
typedef struct {
uint64_t *ctx;
} sha3_256incctx;
#define sha3_256_inc_init oqs_sha3_sha3_256_inc_init
#define sha3_256_inc_absorb oqs_sha3_sha3_256_inc_absorb
#define sha3_256_inc_finalize oqs_sha3_sha3_256_inc_finalize
#define sha3_256_inc_ctx_release oqs_sha3_sha3_256_inc_ctx_release
#define sha3_256_inc_ctx_clone oqs_sha3_sha3_256_inc_ctx_clone
#define SHA3_384_RATE OQS_SHA3_SHA3_384_RATE
#ifndef USE_SHA3_OPENSSL
@ -27,10 +31,14 @@
#define sha3_384 oqs_unused_SHA3_sha3_384
#endif
#define sha3_384incctx OQS_SHA3_sha3_384_inc_ctx
#define sha3_384_inc_init OQS_SHA3_sha3_384_inc_init
#define sha3_384_inc_absorb OQS_SHA3_sha3_384_inc_absorb
#define sha3_384_inc_finalize OQS_SHA3_sha3_384_inc_finalize
typedef struct {
uint64_t *ctx;
} sha3_384incctx;
#define sha3_384_inc_init oqs_sha3_sha3_384_inc_init
#define sha3_384_inc_absorb oqs_sha3_sha3_384_inc_absorb
#define sha3_384_inc_finalize oqs_sha3_sha3_384_inc_finalize
#define sha3_384_inc_ctx_release oqs_sha3_sha3_384_inc_ctx_release
#define sha3_384_inc_ctx_clone oqs_sha3_sha3_384_inc_ctx_clone
#define SHA3_512_RATE OQS_SHA3_SHA3_512_RATE
#ifndef USE_SHA3_OPENSSL
@ -39,10 +47,14 @@
#define sha3_512 oqs_unused_SHA3_sha3_512
#endif
#define sha3_512incctx OQS_SHA3_sha3_512_inc_ctx
#define sha3_512_inc_init OQS_SHA3_sha3_512_inc_init
#define sha3_512_inc_absorb OQS_SHA3_sha3_512_inc_absorb
#define sha3_512_inc_finalize OQS_SHA3_sha3_512_inc_finalize
typedef struct {
uint64_t *ctx;
} sha3_512incctx;
#define sha3_512_inc_init oqs_sha3_sha3_512_inc_init
#define sha3_512_inc_absorb oqs_sha3_sha3_512_inc_absorb
#define sha3_512_inc_finalize oqs_sha3_sha3_512_inc_finalize
#define sha3_512_inc_ctx_release oqs_sha3_sha3_512_inc_ctx_release
#define sha3_512_inc_ctx_clone oqs_sha3_sha3_512_inc_ctx_clone
#define SHAKE128_RATE OQS_SHA3_SHAKE128_RATE
#ifndef USE_SHA3_OPENSSL
@ -51,15 +63,23 @@
#define shake128 oqs_unused_SHA3_shake128
#endif
#define shake128ctx OQS_SHA3_shake128_ctx
#define shake128_absorb OQS_SHA3_shake128_absorb
#define shake128_squeezeblocks OQS_SHA3_shake128_squeezeblocks
typedef struct {
uint64_t *ctx;
} shake128ctx;
#define shake128_absorb oqs_sha3_shake128_absorb
#define shake128_squeezeblocks oqs_sha3_shake128_squeezeblocks
#define shake128_ctx_release oqs_sha3_shake128_ctx_release
#define shake128_ctx_clone oqs_sha3_shake128_ctx_clone
#define shake128incctx OQS_SHA3_shake128_inc_ctx
#define shake128_inc_init OQS_SHA3_shake128_inc_init
#define shake128_inc_absorb OQS_SHA3_shake128_inc_absorb
#define shake128_inc_finalize OQS_SHA3_shake128_inc_finalize
#define shake128_inc_squeeze OQS_SHA3_shake128_inc_squeeze
typedef struct {
uint64_t *ctx;
} shake128incctx;
#define shake128_inc_init oqs_sha3_shake128_inc_init
#define shake128_inc_absorb oqs_sha3_shake128_inc_absorb
#define shake128_inc_finalize oqs_sha3_shake128_inc_finalize
#define shake128_inc_squeeze oqs_sha3_shake128_inc_squeeze
#define shake128_inc_ctx_release oqs_sha3_shake128_inc_ctx_release
#define shake128_inc_ctx_clone oqs_sha3_shake128_inc_ctx_clone
#define SHAKE256_RATE OQS_SHA3_SHAKE256_RATE
#ifndef USE_SHA3_OPENSSL
@ -68,41 +88,201 @@
#define shake256 oqs_unused_SHA3_shake256
#endif
#define shake256ctx OQS_SHA3_shake256_ctx
#define shake256_absorb OQS_SHA3_shake256_absorb
#define shake256_squeezeblocks OQS_SHA3_shake256_squeezeblocks
typedef struct {
uint64_t *ctx;
} shake256ctx;
#define shake256_absorb oqs_sha3_shake256_absorb
#define shake256_squeezeblocks oqs_sha3_shake256_squeezeblocks
#define shake256_ctx_release oqs_sha3_shake256_ctx_release
#define shake256_ctx_clone oqs_sha3_shake256_ctx_clone
#define shake256incctx OQS_SHA3_shake256_inc_ctx
#define shake256_inc_init OQS_SHA3_shake256_inc_init
#define shake256_inc_absorb OQS_SHA3_shake256_inc_absorb
#define shake256_inc_finalize OQS_SHA3_shake256_inc_finalize
#define shake256_inc_squeeze OQS_SHA3_shake256_inc_squeeze
typedef struct {
uint64_t *ctx;
} shake256incctx;
#define shake256_inc_init oqs_sha3_shake256_inc_init
#define shake256_inc_absorb oqs_sha3_shake256_inc_absorb
#define shake256_inc_finalize oqs_sha3_shake256_inc_finalize
#define shake256_inc_squeeze oqs_sha3_shake256_inc_squeeze
#define shake256_inc_ctx_release oqs_sha3_shake256_inc_ctx_release
#define shake256_inc_ctx_clone oqs_sha3_shake256_inc_ctx_clone
#include "fips202.c"
void OQS_SHA3_sha3_256_inc_init(OQS_SHA3_sha3_256_inc_ctx *state) {
oqs_sha3_sha3_256_inc_init((sha3_256incctx *) state);
}
void OQS_SHA3_sha3_256_inc_absorb(OQS_SHA3_sha3_256_inc_ctx *state, const uint8_t *input, size_t inlen) {
oqs_sha3_sha3_256_inc_absorb((sha3_256incctx *) state, input, inlen);
}
void OQS_SHA3_sha3_256_inc_finalize(uint8_t *output, OQS_SHA3_sha3_256_inc_ctx *state) {
oqs_sha3_sha3_256_inc_finalize(output, (sha3_256incctx *) state);
}
void OQS_SHA3_sha3_256_inc_ctx_release(OQS_SHA3_sha3_256_inc_ctx *state) {
oqs_sha3_sha3_256_inc_ctx_release((sha3_256incctx *) state);
}
void OQS_SHA3_sha3_256_inc_ctx_clone(OQS_SHA3_sha3_256_inc_ctx *dest, const OQS_SHA3_sha3_256_inc_ctx *src) {
oqs_sha3_sha3_256_inc_ctx_clone((sha3_256incctx *) dest, (const sha3_256incctx *) src);
}
void OQS_SHA3_sha3_384_inc_init(OQS_SHA3_sha3_384_inc_ctx *state) {
oqs_sha3_sha3_384_inc_init((sha3_384incctx *) state);
}
void OQS_SHA3_sha3_384_inc_absorb(OQS_SHA3_sha3_384_inc_ctx *state, const uint8_t *input, size_t inlen) {
oqs_sha3_sha3_384_inc_absorb((sha3_384incctx *) state, input, inlen);
}
void OQS_SHA3_sha3_384_inc_finalize(uint8_t *output, OQS_SHA3_sha3_384_inc_ctx *state) {
oqs_sha3_sha3_384_inc_finalize(output, (sha3_384incctx *) state);
}
void OQS_SHA3_sha3_384_inc_ctx_release(OQS_SHA3_sha3_384_inc_ctx *state) {
oqs_sha3_sha3_384_inc_ctx_release((sha3_384incctx *) state);
}
void OQS_SHA3_sha3_384_inc_ctx_clone(OQS_SHA3_sha3_384_inc_ctx *dest, const OQS_SHA3_sha3_384_inc_ctx *src) {
oqs_sha3_sha3_384_inc_ctx_clone((sha3_384incctx *) dest, (const sha3_384incctx *) src);
}
void OQS_SHA3_sha3_512_inc_init(OQS_SHA3_sha3_512_inc_ctx *state) {
oqs_sha3_sha3_512_inc_init((sha3_512incctx *) state);
}
void OQS_SHA3_sha3_512_inc_absorb(OQS_SHA3_sha3_512_inc_ctx *state, const uint8_t *input, size_t inlen) {
oqs_sha3_sha3_512_inc_absorb((sha3_512incctx *) state, input, inlen);
}
void OQS_SHA3_sha3_512_inc_finalize(uint8_t *output, OQS_SHA3_sha3_512_inc_ctx *state) {
oqs_sha3_sha3_512_inc_finalize(output, (sha3_512incctx *) state);
}
void OQS_SHA3_sha3_512_inc_ctx_release(OQS_SHA3_sha3_512_inc_ctx *state) {
oqs_sha3_sha3_512_inc_ctx_release((sha3_512incctx *) state);
}
void OQS_SHA3_sha3_512_inc_ctx_clone(OQS_SHA3_sha3_512_inc_ctx *dest, const OQS_SHA3_sha3_512_inc_ctx *src) {
oqs_sha3_sha3_512_inc_ctx_clone((sha3_512incctx *) dest, (const sha3_512incctx *) src);
}
void OQS_SHA3_shake128_absorb(OQS_SHA3_shake128_ctx *state, const uint8_t *input, size_t inplen) {
oqs_sha3_shake128_absorb((shake128ctx *) state, input, inplen);
}
void OQS_SHA3_shake128_squeezeblocks(uint8_t *output, size_t nblocks, OQS_SHA3_shake128_ctx *state) {
oqs_sha3_shake128_squeezeblocks(output, nblocks, (shake128ctx *) state);
}
void OQS_SHA3_shake128_ctx_release(OQS_SHA3_shake128_ctx *state) {
oqs_sha3_shake128_ctx_release((shake128ctx *) state);
}
void OQS_SHA3_shake128_ctx_clone(OQS_SHA3_shake128_ctx *dest, const OQS_SHA3_shake128_ctx *src) {
oqs_sha3_shake128_ctx_clone((shake128ctx *) dest, (const shake128ctx *) src);
}
void OQS_SHA3_shake128_inc_init(OQS_SHA3_shake128_inc_ctx *state) {
oqs_sha3_shake128_inc_init((shake128incctx *) state);
}
void OQS_SHA3_shake128_inc_absorb(OQS_SHA3_shake128_inc_ctx *state, const uint8_t *input, size_t inlen) {
oqs_sha3_shake128_inc_absorb((shake128incctx *) state, input, inlen);
}
void OQS_SHA3_shake128_inc_finalize(OQS_SHA3_shake128_inc_ctx *state) {
oqs_sha3_shake128_inc_finalize((shake128incctx *) state);
}
void OQS_SHA3_shake128_inc_squeeze(uint8_t *output, size_t outlen, OQS_SHA3_shake128_inc_ctx *state) {
oqs_sha3_shake128_inc_squeeze(output, outlen, (shake128incctx *) state);
}
void OQS_SHA3_shake128_inc_ctx_release(OQS_SHA3_shake128_inc_ctx *state) {
oqs_sha3_shake128_inc_ctx_release((shake128incctx *) state);
}
void OQS_SHA3_shake128_inc_ctx_clone(OQS_SHA3_shake128_inc_ctx *dest, const OQS_SHA3_shake128_inc_ctx *src) {
oqs_sha3_shake128_inc_ctx_clone((shake128incctx *) dest, (const shake128incctx *) src);
}
void OQS_SHA3_shake256_absorb(OQS_SHA3_shake256_ctx *state, const uint8_t *input, size_t inplen) {
oqs_sha3_shake256_absorb((shake256ctx *) state, input, inplen);
}
void OQS_SHA3_shake256_squeezeblocks(uint8_t *output, size_t nblocks, OQS_SHA3_shake256_ctx *state) {
oqs_sha3_shake256_squeezeblocks(output, nblocks, (shake256ctx *) state);
}
void OQS_SHA3_shake256_ctx_release(OQS_SHA3_shake256_ctx *state) {
oqs_sha3_shake256_ctx_release((shake256ctx *) state);
}
void OQS_SHA3_shake256_ctx_clone(OQS_SHA3_shake256_ctx *dest, const OQS_SHA3_shake256_ctx *src) {
oqs_sha3_shake256_ctx_clone((shake256ctx *) dest, (const shake256ctx *) src);
}
void OQS_SHA3_shake256_inc_init(OQS_SHA3_shake256_inc_ctx *state) {
oqs_sha3_shake256_inc_init((shake256incctx *) state);
}
void OQS_SHA3_shake256_inc_absorb(OQS_SHA3_shake256_inc_ctx *state, const uint8_t *input, size_t inlen) {
oqs_sha3_shake256_inc_absorb((shake256incctx *) state, input, inlen);
}
void OQS_SHA3_shake256_inc_finalize(OQS_SHA3_shake256_inc_ctx *state) {
oqs_sha3_shake256_inc_finalize((shake256incctx *) state);
}
void OQS_SHA3_shake256_inc_squeeze(uint8_t *output, size_t outlen, OQS_SHA3_shake256_inc_ctx *state) {
oqs_sha3_shake256_inc_squeeze(output, outlen, (shake256incctx *) state);
}
void OQS_SHA3_shake256_inc_ctx_release(OQS_SHA3_shake256_inc_ctx *state) {
oqs_sha3_shake256_inc_ctx_release((shake256incctx *) state);
}
void OQS_SHA3_shake256_inc_ctx_clone(OQS_SHA3_shake256_inc_ctx *dest, const OQS_SHA3_shake256_inc_ctx *src) {
oqs_sha3_shake256_inc_ctx_clone((shake256incctx *) dest, (const shake256incctx *) src);
}
#define cshake128 OQS_SHA3_cshake128
#define cshake128_inc_init OQS_SHA3_cshake128_inc_init
#define cshake128_inc_absorb OQS_SHA3_cshake128_inc_absorb
#define cshake128_inc_finalize OQS_SHA3_cshake128_inc_finalize
#define cshake128_inc_squeeze OQS_SHA3_cshake128_inc_squeeze
#define cshake128_inc_init oqs_sha3_cshake128_inc_init
#define cshake128_inc_absorb oqs_sha3_cshake128_inc_absorb
#define cshake128_inc_finalize oqs_sha3_cshake128_inc_finalize
#define cshake128_inc_squeeze oqs_sha3_cshake128_inc_squeeze
#define cshake128_inc_ctx_release oqs_sha3_cshake128_inc_ctx_release
#define cshake128_inc_ctx_clone oqs_sha3_cshake128_inc_ctx_clone
#define cshake256 OQS_SHA3_cshake256
#define cshake256_inc_init OQS_SHA3_cshake256_inc_init
#define cshake256_inc_absorb OQS_SHA3_cshake256_inc_absorb
#define cshake256_inc_finalize OQS_SHA3_cshake256_inc_finalize
#define cshake256_inc_squeeze OQS_SHA3_cshake256_inc_squeeze
#define cshake256_inc_init oqs_sha3_cshake256_inc_init
#define cshake256_inc_absorb oqs_sha3_cshake256_inc_absorb
#define cshake256_inc_finalize oqs_sha3_cshake256_inc_finalize
#define cshake256_inc_squeeze oqs_sha3_cshake256_inc_squeeze
#define cshake256_inc_ctx_release oqs_sha3_cshake256_inc_ctx_release
#define cshake256_inc_ctx_clone oqs_sha3_cshake256_inc_ctx_clone
#include "sp800-185.c"
void OQS_SHA3_cshake128_inc_init(OQS_SHA3_shake128_inc_ctx *state, const uint8_t *name, size_t namelen, const uint8_t *cstm, size_t cstmlen) {
oqs_sha3_cshake128_inc_init((shake128incctx *) state, name, namelen, cstm, cstmlen);
}
void OQS_SHA3_cshake128_inc_absorb(OQS_SHA3_shake128_inc_ctx *state, const uint8_t *input, size_t inlen) {
oqs_sha3_cshake128_inc_absorb((shake128incctx *) state, input, inlen);
}
void OQS_SHA3_cshake128_inc_finalize(OQS_SHA3_shake128_inc_ctx *state) {
oqs_sha3_cshake128_inc_finalize((shake128incctx *) state);
}
void OQS_SHA3_cshake128_inc_squeeze(uint8_t *output, size_t outlen, OQS_SHA3_shake128_inc_ctx *state) {
oqs_sha3_cshake128_inc_squeeze(output, outlen, (shake128incctx *) state);
}
void OQS_SHA3_cshake128_inc_ctx_release(OQS_SHA3_shake128_inc_ctx *state) {
oqs_sha3_cshake128_inc_ctx_release((shake128incctx *) state);
}
void OQS_SHA3_cshake128_inc_ctx_clone(OQS_SHA3_shake128_inc_ctx *dest, const OQS_SHA3_shake128_inc_ctx *src) {
oqs_sha3_cshake128_inc_ctx_clone((shake128incctx *) dest, (const shake128incctx *) src);
}
void OQS_SHA3_cshake256_inc_init(OQS_SHA3_shake256_inc_ctx *state, const uint8_t *name, size_t namelen, const uint8_t *cstm, size_t cstmlen) {
oqs_sha3_cshake256_inc_init((shake256incctx *) state, name, namelen, cstm, cstmlen);
}
void OQS_SHA3_cshake256_inc_absorb(OQS_SHA3_shake256_inc_ctx *state, const uint8_t *input, size_t inlen) {
oqs_sha3_cshake256_inc_absorb((shake256incctx *) state, input, inlen);
}
void OQS_SHA3_cshake256_inc_finalize(OQS_SHA3_shake256_inc_ctx *state) {
oqs_sha3_cshake256_inc_finalize((shake256incctx *) state);
}
void OQS_SHA3_cshake256_inc_squeeze(uint8_t *output, size_t outlen, OQS_SHA3_shake256_inc_ctx *state) {
oqs_sha3_cshake256_inc_squeeze(output, outlen, (shake256incctx *) state);
}
void OQS_SHA3_cshake256_inc_ctx_release(OQS_SHA3_shake256_inc_ctx *state) {
oqs_sha3_cshake256_inc_ctx_release((shake256incctx *) state);
}
void OQS_SHA3_cshake256_inc_ctx_clone(OQS_SHA3_shake256_inc_ctx *dest, const OQS_SHA3_shake256_inc_ctx *src) {
oqs_sha3_cshake256_inc_ctx_clone((shake256incctx *) dest, (const shake256incctx *) src);
}
void OQS_SHA3_cshake128_simple(uint8_t *output, size_t outlen, uint16_t cstm, const uint8_t *input, size_t inplen) {
OQS_SHA3_shake128_inc_ctx state;
for (size_t i = 0; i < 26; ++i) {
state.ctx[i] = 0;
}
OQS_SHA3_shake128_inc_init(&state);
/* Note: This function doesn't align exactly to cSHAKE (SP800-185 3.2), which should produce
SHAKE output if S and N = zero (sort of a customized custom-SHAKE function).
@ -120,7 +300,7 @@ void OQS_SHA3_cshake128_simple(uint8_t *output, size_t outlen, uint16_t cstm, co
sep[6] = cstm & 0xFF;
sep[7] = cstm >> 8;
state.ctx[0] = load64(sep);
((shake128incctx *) &state)->ctx[0] = load64(sep);
/* transform the domain string */
KeccakF1600_StatePermute(state.ctx);
@ -131,15 +311,14 @@ void OQS_SHA3_cshake128_simple(uint8_t *output, size_t outlen, uint16_t cstm, co
/* generate output */
OQS_SHA3_cshake128_inc_finalize(&state);
OQS_SHA3_cshake128_inc_squeeze(output, outlen, &state);
OQS_SHA3_shake128_inc_ctx_release(&state);
}
void OQS_SHA3_cshake256_simple(uint8_t *output, size_t outlen, uint16_t cstm, const uint8_t *input, size_t inplen) {
OQS_SHA3_shake256_inc_ctx state;
for (size_t i = 0; i < 26; ++i) {
state.ctx[i] = 0;
}
OQS_SHA3_shake256_inc_init(&state);
/* Note: This function doesn't align exactly to cSHAKE (SP800-185 3.2), which should produce
SHAKE output if S and N = zero (sort of a customized custom-SHAKE function).
@ -157,7 +336,7 @@ void OQS_SHA3_cshake256_simple(uint8_t *output, size_t outlen, uint16_t cstm, co
sep[6] = cstm & 0xFF;
sep[7] = cstm >> 8;
state.ctx[0] = load64(sep);
((shake256incctx *) &state)->ctx[0] = load64(sep);
/* transform the domain string */
KeccakF1600_StatePermute(state.ctx);
@ -168,4 +347,5 @@ void OQS_SHA3_cshake256_simple(uint8_t *output, size_t outlen, uint16_t cstm, co
/* generate output */
OQS_SHA3_cshake256_inc_finalize(&state);
OQS_SHA3_cshake256_inc_squeeze(output, outlen, &state);
OQS_SHA3_shake256_inc_ctx_release(&state);
}

32
src/crypto/sha3/sp800-185.c
View File

@ -13,12 +13,12 @@ static size_t left_encode(uint8_t *encbuf, size_t value) {
for (i = 1; i <= n; i++) {
encbuf[i] = (uint8_t)(value >> (8 * (n - i)));
}
encbuf[0] = (uint8_t) n;
encbuf[0] = (uint8_t)n;
return n + 1;
}
void cshake128_inc_init(shake128incctx *state, const uint8_t *name, size_t namelen, const uint8_t *cstm, size_t cstmlen) {
uint8_t encbuf[sizeof(size_t) + 1];
uint8_t encbuf[sizeof(size_t) +1];
shake128_inc_init(state);
@ -42,8 +42,8 @@ void cshake128_inc_absorb(shake128incctx *state, const uint8_t *input, size_t in
}
void cshake128_inc_finalize(shake128incctx *state) {
state->ctx[state->ctx[25] >> 3] ^= (uint64_t) 0x04 << (8 * (state->ctx[25] & 0x07));
state->ctx[(SHAKE128_RATE - 1) >> 3] ^= (uint64_t) 128 << (8 * ((SHAKE128_RATE - 1) & 0x07));
state->ctx[state->ctx[25] >> 3] ^= (uint64_t)0x04 << (8 * (state->ctx[25] & 0x07));
state->ctx[(SHAKE128_RATE - 1) >> 3] ^= (uint64_t)128 << (8 * ((SHAKE128_RATE - 1) & 0x07));
state->ctx[25] = 0;
}
@ -51,8 +51,16 @@ void cshake128_inc_squeeze(uint8_t *output, size_t outlen, shake128incctx *state
shake128_inc_squeeze(output, outlen, state);
}
void cshake128_inc_ctx_release(shake128incctx *state) {
shake128_inc_ctx_release(state);
}
void cshake128_inc_ctx_clone(shake128incctx *dest, const shake128incctx *src) {
shake128_inc_ctx_clone(dest, src);
}
void cshake256_inc_init(shake256incctx *state, const uint8_t *name, size_t namelen, const uint8_t *cstm, size_t cstmlen) {
uint8_t encbuf[sizeof(size_t) + 1];
uint8_t encbuf[sizeof(size_t) +1];
shake256_inc_init(state);
@ -76,8 +84,8 @@ void cshake256_inc_absorb(shake256incctx *state, const uint8_t *input, size_t in
}
void cshake256_inc_finalize(shake256incctx *state) {
state->ctx[state->ctx[25] >> 3] ^= (uint64_t) 0x04 << (8 * (state->ctx[25] & 0x07));
state->ctx[(SHAKE256_RATE - 1) >> 3] ^= (uint64_t) 128 << (8 * ((SHAKE256_RATE - 1) & 0x07));
state->ctx[state->ctx[25] >> 3] ^= (uint64_t)0x04 << (8 * (state->ctx[25] & 0x07));
state->ctx[(SHAKE256_RATE - 1) >> 3] ^= (uint64_t)128 << (8 * ((SHAKE256_RATE - 1) & 0x07));
state->ctx[25] = 0;
}
@ -85,6 +93,14 @@ void cshake256_inc_squeeze(uint8_t *output, size_t outlen, shake256incctx *state
shake256_inc_squeeze(output, outlen, state);
}
void cshake256_inc_ctx_release(shake256incctx *state) {
shake256_inc_ctx_release(state);
}
void cshake256_inc_ctx_clone(shake256incctx *dest, const shake256incctx *src) {
shake256_inc_ctx_clone(dest, src);
}
/*************************************************
* Name: cshake128
*
@ -108,6 +124,7 @@ void cshake128(uint8_t *output, size_t outlen,
cshake128_inc_absorb(&state, input, inlen);
cshake128_inc_finalize(&state);
cshake128_inc_squeeze(output, outlen, &state);
cshake128_inc_ctx_release(&state);
}
/*************************************************
@ -133,4 +150,5 @@ void cshake256(uint8_t *output, size_t outlen,
cshake256_inc_absorb(&state, input, inlen);
cshake256_inc_finalize(&state);
cshake256_inc_squeeze(output, outlen, &state);
cshake256_inc_ctx_release(&state);
}

5
src/kem/kyber/pqclean_kyber1024-90s_clean/aes256ctr.c
View File

@ -93,3 +93,8 @@ void PQCLEAN_KYBER102490S_CLEAN_aes256xof_squeezeblocks(uint8_t *out, size_t nbl
aes256_ctr_xof(out, nblocks * 64, s->iv, s->ctr, &s->sk_exp);
s->ctr += (uint32_t) (4 * nblocks);
}
/** Free the AES ctx **/
void PQCLEAN_KYBER102490S_CLEAN_aes256xof_ctx_release(aes256xof_ctx *s) {
aes256_ctx_release(&s->sk_exp);
}

1
src/kem/kyber/pqclean_kyber1024-90s_clean/aes256ctr.h
View File

@ -15,5 +15,6 @@ typedef struct {
void PQCLEAN_KYBER102490S_CLEAN_aes256_prf(uint8_t *output, size_t outlen, const uint8_t *key, uint8_t nonce);
void PQCLEAN_KYBER102490S_CLEAN_aes256xof_absorb(aes256xof_ctx *s, const uint8_t *key, uint8_t x, uint8_t y);
void PQCLEAN_KYBER102490S_CLEAN_aes256xof_squeezeblocks(uint8_t *out, size_t nblocks, aes256xof_ctx *s);
void PQCLEAN_KYBER102490S_CLEAN_aes256xof_ctx_release(aes256xof_ctx *s);
#endif

1
src/kem/kyber/pqclean_kyber1024-90s_clean/indcpa.c
View File

@ -169,6 +169,7 @@ static void gen_matrix(polyvec *a, const uint8_t *seed, int transposed) {
}
}
}
xof_ctx_release(&state);
}
/*************************************************

1
src/kem/kyber/pqclean_kyber1024-90s_clean/symmetric.h
View File

@ -11,6 +11,7 @@
#define hash_g(OUT, IN, INBYTES) sha512(OUT, IN, INBYTES)
#define xof_absorb(STATE, IN, X, Y) PQCLEAN_KYBER102490S_CLEAN_aes256xof_absorb(STATE, IN, X, Y)
#define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) PQCLEAN_KYBER102490S_CLEAN_aes256xof_squeezeblocks(OUT, OUTBLOCKS, STATE)
#define xof_ctx_release(STATE) PQCLEAN_KYBER102490S_CLEAN_aes256xof_ctx_release(STATE)
#define prf(OUT, OUTBYTES, KEY, NONCE) PQCLEAN_KYBER102490S_CLEAN_aes256_prf(OUT, OUTBYTES, KEY, NONCE)
#define kdf(OUT, IN, INBYTES) sha256(OUT, IN, INBYTES)

1
src/kem/kyber/pqclean_kyber1024_clean/indcpa.c
View File

@ -169,6 +169,7 @@ static void gen_matrix(polyvec *a, const uint8_t *seed, int transposed) {
}
}
}
xof_ctx_release(&state);
}
/*************************************************

1
src/kem/kyber/pqclean_kyber1024_clean/symmetric.h
View File

@ -18,6 +18,7 @@ void PQCLEAN_KYBER1024_CLEAN_shake256_prf(uint8_t *output, size_t outlen, const
#define hash_g(OUT, IN, INBYTES) sha3_512(OUT, IN, INBYTES)
#define xof_absorb(STATE, IN, X, Y) PQCLEAN_KYBER1024_CLEAN_kyber_shake128_absorb(STATE, IN, X, Y)
#define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) PQCLEAN_KYBER1024_CLEAN_kyber_shake128_squeezeblocks(OUT, OUTBLOCKS, STATE)
#define xof_ctx_release(STATE)
#define prf(OUT, OUTBYTES, KEY, NONCE) PQCLEAN_KYBER1024_CLEAN_shake256_prf(OUT, OUTBYTES, KEY, NONCE)
#define kdf(OUT, IN, INBYTES) shake256(OUT, KYBER_SSBYTES, IN, INBYTES)

5
src/kem/kyber/pqclean_kyber512-90s_clean/aes256ctr.c
View File

@ -93,3 +93,8 @@ void PQCLEAN_KYBER51290S_CLEAN_aes256xof_squeezeblocks(uint8_t *out, size_t nblo
aes256_ctr_xof(out, nblocks * 64, s->iv, s->ctr, &s->sk_exp);
s->ctr += (uint32_t) (4 * nblocks);
}
/** Free the AES ctx **/
void PQCLEAN_KYBER51290S_CLEAN_aes256xof_ctx_release(aes256xof_ctx *s) {
aes256_ctx_release(&s->sk_exp);
}

1
src/kem/kyber/pqclean_kyber512-90s_clean/aes256ctr.h
View File

@ -15,5 +15,6 @@ typedef struct {
void PQCLEAN_KYBER51290S_CLEAN_aes256_prf(uint8_t *output, size_t outlen, const uint8_t *key, uint8_t nonce);
void PQCLEAN_KYBER51290S_CLEAN_aes256xof_absorb(aes256xof_ctx *s, const uint8_t *key, uint8_t x, uint8_t y);
void PQCLEAN_KYBER51290S_CLEAN_aes256xof_squeezeblocks(uint8_t *out, size_t nblocks, aes256xof_ctx *s);
void PQCLEAN_KYBER51290S_CLEAN_aes256xof_ctx_release(aes256xof_ctx *s);
#endif

1
src/kem/kyber/pqclean_kyber512-90s_clean/indcpa.c
View File

@ -169,6 +169,7 @@ static void gen_matrix(polyvec *a, const uint8_t *seed, int transposed) {
}
}
}
xof_ctx_release(&state);
}
/*************************************************

1
src/kem/kyber/pqclean_kyber512-90s_clean/symmetric.h
View File

@ -11,6 +11,7 @@
#define hash_g(OUT, IN, INBYTES) sha512(OUT, IN, INBYTES)
#define xof_absorb(STATE, IN, X, Y) PQCLEAN_KYBER51290S_CLEAN_aes256xof_absorb(STATE, IN, X, Y)
#define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) PQCLEAN_KYBER51290S_CLEAN_aes256xof_squeezeblocks(OUT, OUTBLOCKS, STATE)
#define xof_ctx_release(STATE) PQCLEAN_KYBER51290S_CLEAN_aes256xof_ctx_release(STATE)
#define prf(OUT, OUTBYTES, KEY, NONCE) PQCLEAN_KYBER51290S_CLEAN_aes256_prf(OUT, OUTBYTES, KEY, NONCE)
#define kdf(OUT, IN, INBYTES) sha256(OUT, IN, INBYTES)

1
src/kem/kyber/pqclean_kyber512_clean/indcpa.c
View File

@ -169,6 +169,7 @@ static void gen_matrix(polyvec *a, const uint8_t *seed, int transposed) {
}
}
}
xof_ctx_release(&state);
}
/*************************************************

1
src/kem/kyber/pqclean_kyber512_clean/symmetric.h
View File

@ -18,6 +18,7 @@ void PQCLEAN_KYBER512_CLEAN_shake256_prf(uint8_t *output, size_t outlen, const u
#define hash_g(OUT, IN, INBYTES) sha3_512(OUT, IN, INBYTES)
#define xof_absorb(STATE, IN, X, Y) PQCLEAN_KYBER512_CLEAN_kyber_shake128_absorb(STATE, IN, X, Y)
#define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) PQCLEAN_KYBER512_CLEAN_kyber_shake128_squeezeblocks(OUT, OUTBLOCKS, STATE)
#define xof_ctx_release(STATE)
#define prf(OUT, OUTBYTES, KEY, NONCE) PQCLEAN_KYBER512_CLEAN_shake256_prf(OUT, OUTBYTES, KEY, NONCE)
#define kdf(OUT, IN, INBYTES) shake256(OUT, KYBER_SSBYTES, IN, INBYTES)

5
src/kem/kyber/pqclean_kyber768-90s_clean/aes256ctr.c
View File

@ -93,3 +93,8 @@ void PQCLEAN_KYBER76890S_CLEAN_aes256xof_squeezeblocks(uint8_t *out, size_t nblo
aes256_ctr_xof(out, nblocks * 64, s->iv, s->ctr, &s->sk_exp);
s->ctr += (uint32_t) (4 * nblocks);
}
/** Free the AES ctx **/
void PQCLEAN_KYBER76890S_CLEAN_aes256xof_ctx_release(aes256xof_ctx *s) {
aes256_ctx_release(&s->sk_exp);
}

1
src/kem/kyber/pqclean_kyber768-90s_clean/aes256ctr.h
View File

@ -15,5 +15,6 @@ typedef struct {
void PQCLEAN_KYBER76890S_CLEAN_aes256_prf(uint8_t *output, size_t outlen, const uint8_t *key, uint8_t nonce);
void PQCLEAN_KYBER76890S_CLEAN_aes256xof_absorb(aes256xof_ctx *s, const uint8_t *key, uint8_t x, uint8_t y);
void PQCLEAN_KYBER76890S_CLEAN_aes256xof_squeezeblocks(uint8_t *out, size_t nblocks, aes256xof_ctx *s);
void PQCLEAN_KYBER76890S_CLEAN_aes256xof_ctx_release(aes256xof_ctx *s);
#endif

1
src/kem/kyber/pqclean_kyber768-90s_clean/indcpa.c
View File

@ -169,6 +169,7 @@ static void gen_matrix(polyvec *a, const uint8_t *seed, int transposed) {
}
}
}
xof_ctx_release(&state);
}
/*************************************************

1
src/kem/kyber/pqclean_kyber768-90s_clean/symmetric.h
View File

@ -11,6 +11,7 @@
#define hash_g(OUT, IN, INBYTES) sha512(OUT, IN, INBYTES)
#define xof_absorb(STATE, IN, X, Y) PQCLEAN_KYBER76890S_CLEAN_aes256xof_absorb(STATE, IN, X, Y)
#define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) PQCLEAN_KYBER76890S_CLEAN_aes256xof_squeezeblocks(OUT, OUTBLOCKS, STATE)
#define xof_ctx_release(STATE) PQCLEAN_KYBER76890S_CLEAN_aes256xof_ctx_release(STATE)
#define prf(OUT, OUTBYTES, KEY, NONCE) PQCLEAN_KYBER76890S_CLEAN_aes256_prf(OUT, OUTBYTES, KEY, NONCE)
#define kdf(OUT, IN, INBYTES) sha256(OUT, IN, INBYTES)

1
src/kem/kyber/pqclean_kyber768_clean/indcpa.c
View File

@ -169,6 +169,7 @@ static void gen_matrix(polyvec *a, const uint8_t *seed, int transposed) {
}
}
}
xof_ctx_release(&state);
}
/*************************************************

1
src/kem/kyber/pqclean_kyber768_clean/symmetric.h
View File

@ -18,6 +18,7 @@ void PQCLEAN_KYBER768_CLEAN_shake256_prf(uint8_t *output, size_t outlen, const u
#define hash_g(OUT, IN, INBYTES) sha3_512(OUT, IN, INBYTES)
#define xof_absorb(STATE, IN, X, Y) PQCLEAN_KYBER768_CLEAN_kyber_shake128_absorb(STATE, IN, X, Y)
#define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) PQCLEAN_KYBER768_CLEAN_kyber_shake128_squeezeblocks(OUT, OUTBLOCKS, STATE)
#define xof_ctx_release(STATE)
#define prf(OUT, OUTBYTES, KEY, NONCE) PQCLEAN_KYBER768_CLEAN_shake256_prf(OUT, OUTBYTES, KEY, NONCE)
#define kdf(OUT, IN, INBYTES) shake256(OUT, KYBER_SSBYTES, IN, INBYTES)

13
src/kem/threebears/pqclean_babybear-ephem_clean/threebears.c
View File

@ -38,6 +38,7 @@ static void uniform(gf_t matrix, const uint8_t *seed, uint8_t iv) {
cshake256_inc_absorb(&ctx, &iv, 1);
cshake256_inc_finalize(&ctx);
cshake256_inc_squeeze(c, sizeof(c), &ctx);
cshake256_inc_ctx_release(&ctx);
PQCLEAN_BABYBEAREPHEM_CLEAN_expand(matrix, c);
}
@ -56,13 +57,14 @@ static void noise(gf_t x, const shake256incctx *ctx, uint8_t iv) {
uint8_t c[DIGITS];
shake256incctx ctx2;
memcpy(&ctx2, ctx, sizeof(ctx2));
cshake256_inc_ctx_clone(&ctx2, ctx);
cshake256_inc_absorb(&ctx2, &iv, 1);
cshake256_inc_finalize(&ctx2);
cshake256_inc_squeeze(c, DIGITS, &ctx2);
for (size_t i = 0; i < DIGITS; i++) {
x[i] = (limb_t)(psi(c[i]) + PQCLEAN_BABYBEAREPHEM_CLEAN_modulus(i));
}
cshake256_inc_ctx_release(&ctx2);
}
/* Expand public key from private key */
@ -74,9 +76,10 @@ void PQCLEAN_BABYBEAREPHEM_CLEAN_get_pubkey(uint8_t *pk, const uint8_t *sk) {
threebears_hash_init(&ctx, HASH_PURPOSE_KEYGEN);
cshake256_inc_absorb(&ctx, sk, PRIVATE_KEY_BYTES);
memcpy(&ctx2, &ctx, sizeof(ctx2));
cshake256_inc_ctx_clone(&ctx2, &ctx);
cshake256_inc_finalize(&ctx2);
cshake256_inc_squeeze(pk, MATRIX_SEED_BYTES, &ctx2);
cshake256_inc_ctx_release(&ctx2);
for (uint8_t i = 0; i < DIM; i++) {
noise(sk_expanded[i], &ctx, i);
@ -89,6 +92,7 @@ void PQCLEAN_BABYBEAREPHEM_CLEAN_get_pubkey(uint8_t *pk, const uint8_t *sk) {
}
PQCLEAN_BABYBEAREPHEM_CLEAN_contract(&pk[MATRIX_SEED_BYTES + i * GF_BYTES], c);
}
cshake256_inc_ctx_release(&ctx);
}
/* Encapsulate a shared secret and return it */
@ -135,6 +139,8 @@ void PQCLEAN_BABYBEAREPHEM_CLEAN_encapsulate(
cshake256_inc_finalize(&ctx);
cshake256_inc_squeeze(tbi, ENC_SEED_BYTES, &ctx);
cshake256_inc_ctx_release(&ctx);
threebears_hash_init(&ctx, HASH_PURPOSE_ENCAPS);
cshake256_inc_absorb(&ctx, pk, MATRIX_SEED_BYTES);
cshake256_inc_absorb(&ctx, tbi, ENC_SEED_BYTES);
@ -152,6 +158,7 @@ void PQCLEAN_BABYBEAREPHEM_CLEAN_encapsulate(
cshake256_inc_finalize(&ctx);
cshake256_inc_squeeze(shared_secret, SHARED_SECRET_BYTES, &ctx);
cshake256_inc_ctx_release(&ctx);
}
/* Decapsulate a shared secret and return it */
@ -199,6 +206,7 @@ void PQCLEAN_BABYBEAREPHEM_CLEAN_decapsulate(
/* Recalculate matrix seed */
cshake256_inc_finalize(&ctx);
cshake256_inc_squeeze(matrix_seed, MATRIX_SEED_BYTES, &ctx);
cshake256_inc_ctx_release(&ctx);
/* Re-run the key derivation from encaps */
threebears_hash_init(&ctx, HASH_PURPOSE_ENCAPS);
@ -207,4 +215,5 @@ void PQCLEAN_BABYBEAREPHEM_CLEAN_decapsulate(
cshake256_inc_absorb(&ctx, &lpr_data[(ENC_BITS * LPR_BITS + 7) / 8], IV_BYTES);
cshake256_inc_finalize(&ctx);
cshake256_inc_squeeze(shared_secret, SHARED_SECRET_BYTES, &ctx);
cshake256_inc_ctx_release(&ctx);
}

11
src/kem/threebears/pqclean_babybear_clean/threebears.c
View File

@ -38,6 +38,7 @@ static void uniform(gf_t matrix, const uint8_t *seed, uint8_t iv) {
cshake256_inc_absorb(&ctx, &iv, 1);
cshake256_inc_finalize(&ctx);
cshake256_inc_squeeze(c, sizeof(c), &ctx);
cshake256_inc_ctx_release(&ctx);
PQCLEAN_BABYBEAR_CLEAN_expand(matrix, c);
}
@ -56,13 +57,14 @@ static void noise(gf_t x, const shake256incctx *ctx, uint8_t iv) {
uint8_t c[DIGITS];
shake256incctx ctx2;
memcpy(&ctx2, ctx, sizeof(ctx2));
cshake256_inc_ctx_clone(&ctx2, ctx);
cshake256_inc_absorb(&ctx2, &iv, 1);
cshake256_inc_finalize(&ctx2);
cshake256_inc_squeeze(c, DIGITS, &ctx2);
for (size_t i = 0; i < DIGITS; i++) {
x[i] = (limb_t)(psi(c[i]) + PQCLEAN_BABYBEAR_CLEAN_modulus(i));
}
cshake256_inc_ctx_release(&ctx2);
}
/* Expand public key from private key */
@ -74,9 +76,10 @@ void PQCLEAN_BABYBEAR_CLEAN_get_pubkey(uint8_t *pk, const uint8_t *sk) {
threebears_hash_init(&ctx, HASH_PURPOSE_KEYGEN);
cshake256_inc_absorb(&ctx, sk, PRIVATE_KEY_BYTES);
memcpy(&ctx2, &ctx, sizeof(ctx2));
cshake256_inc_ctx_clone(&ctx2, &ctx);
cshake256_inc_finalize(&ctx2);
cshake256_inc_squeeze(pk, MATRIX_SEED_BYTES, &ctx2);
cshake256_inc_ctx_release(&ctx2);
for (uint8_t i = 0; i < DIM; i++) {
noise(sk_expanded[i], &ctx, i);
@ -89,6 +92,7 @@ void PQCLEAN_BABYBEAR_CLEAN_get_pubkey(uint8_t *pk, const uint8_t *sk) {
}
PQCLEAN_BABYBEAR_CLEAN_contract(&pk[MATRIX_SEED_BYTES + i * GF_BYTES], c);
}
cshake256_inc_ctx_release(&ctx);
}
/* Encapsulate a shared secret and return it */
@ -147,6 +151,7 @@ void PQCLEAN_BABYBEAR_CLEAN_encapsulate(
cshake256_inc_finalize(&ctx);
cshake256_inc_squeeze(shared_secret, SHARED_SECRET_BYTES, &ctx);
cshake256_inc_ctx_release(&ctx);
}
/* Decapsulate a shared secret and return it */
@ -210,6 +215,7 @@ void PQCLEAN_BABYBEAR_CLEAN_decapsulate(
cshake256_inc_absorb(&ctx, &sep, 1);
cshake256_inc_finalize(&ctx);
cshake256_inc_squeeze(prfk, PRF_KEY_BYTES, &ctx);
cshake256_inc_ctx_release(&ctx);
/* Calculate PRF */
threebears_hash_init(&ctx, HASH_PURPOSE_PRF);
@ -217,6 +223,7 @@ void PQCLEAN_BABYBEAR_CLEAN_decapsulate(
cshake256_inc_absorb(&ctx, capsule, CAPSULE_BYTES);
cshake256_inc_finalize(&ctx);
cshake256_inc_squeeze(prfout, SHARED_SECRET_BYTES, &ctx);
cshake256_inc_ctx_release(&ctx);
for (size_t i = 0; i < SHARED_SECRET_BYTES; i++) {
shared_secret[i] = (uint8_t)((shared_secret[i] & ok) | (prfout[i] & ~ok));

13
src/kem/threebears/pqclean_mamabear-ephem_clean/threebears.c
View File

@ -38,6 +38,7 @@ static void uniform(gf_t matrix, const uint8_t *seed, uint8_t iv) {
cshake256_inc_absorb(&ctx, &iv, 1);
cshake256_inc_finalize(&ctx);
cshake256_inc_squeeze(c, sizeof(c), &ctx);
cshake256_inc_ctx_release(&ctx);
PQCLEAN_MAMABEAREPHEM_CLEAN_expand(matrix, c);
}
@ -56,13 +57,14 @@ static void noise(gf_t x, const shake256incctx *ctx, uint8_t iv) {
uint8_t c[DIGITS];
shake256incctx ctx2;
memcpy(&ctx2, ctx, sizeof(ctx2));
cshake256_inc_ctx_clone(&ctx2, ctx);
cshake256_inc_absorb(&ctx2, &iv, 1);
cshake256_inc_finalize(&ctx2);
cshake256_inc_squeeze(c, DIGITS, &ctx2);
for (size_t i = 0; i < DIGITS; i++) {
x[i] = (limb_t)(psi(c[i]) + PQCLEAN_MAMABEAREPHEM_CLEAN_modulus(i));
}
cshake256_inc_ctx_release(&ctx2);
}
/* Expand public key from private key */
@ -74,9 +76,10 @@ void PQCLEAN_MAMABEAREPHEM_CLEAN_get_pubkey(uint8_t *pk, const uint8_t *sk) {
threebears_hash_init(&ctx, HASH_PURPOSE_KEYGEN);
cshake256_inc_absorb(&ctx, sk, PRIVATE_KEY_BYTES);
memcpy(&ctx2, &ctx, sizeof(ctx2));
cshake256_inc_ctx_clone(&ctx2, &ctx);
cshake256_inc_finalize(&ctx2);
cshake256_inc_squeeze(pk, MATRIX_SEED_BYTES, &ctx2);
cshake256_inc_ctx_release(&ctx2);
for (uint8_t i = 0; i < DIM; i++) {
noise(sk_expanded[i], &ctx, i);
@ -89,6 +92,7 @@ void PQCLEAN_MAMABEAREPHEM_CLEAN_get_pubkey(uint8_t *pk, const uint8_t *sk) {
}
PQCLEAN_MAMABEAREPHEM_CLEAN_contract(&pk[MATRIX_SEED_BYTES + i * GF_BYTES], c);
}
cshake256_inc_ctx_release(&ctx);
}
/* Encapsulate a shared secret and return it */
@ -135,6 +139,8 @@ void PQCLEAN_MAMABEAREPHEM_CLEAN_encapsulate(
cshake256_inc_finalize(&ctx);
cshake256_inc_squeeze(tbi, ENC_SEED_BYTES, &ctx);
cshake256_inc_ctx_release(&ctx);
threebears_hash_init(&ctx, HASH_PURPOSE_ENCAPS);
cshake256_inc_absorb(&ctx, pk, MATRIX_SEED_BYTES);
cshake256_inc_absorb(&ctx, tbi, ENC_SEED_BYTES);
@ -152,6 +158,7 @@ void PQCLEAN_MAMABEAREPHEM_CLEAN_encapsulate(
cshake256_inc_finalize(&ctx);
cshake256_inc_squeeze(shared_secret, SHARED_SECRET_BYTES, &ctx);
cshake256_inc_ctx_release(&ctx);
}
/* Decapsulate a shared secret and return it */
@ -199,6 +206,7 @@ void PQCLEAN_MAMABEAREPHEM_CLEAN_decapsulate(
/* Recalculate matrix seed */
cshake256_inc_finalize(&ctx);
cshake256_inc_squeeze(matrix_seed, MATRIX_SEED_BYTES, &ctx);
cshake256_inc_ctx_release(&ctx);
/* Re-run the key derivation from encaps */
threebears_hash_init(&ctx, HASH_PURPOSE_ENCAPS);
@ -207,4 +215,5 @@ void PQCLEAN_MAMABEAREPHEM_CLEAN_decapsulate(
cshake256_inc_absorb(&ctx, &lpr_data[(ENC_BITS * LPR_BITS + 7) / 8], IV_BYTES);
cshake256_inc_finalize(&ctx);
cshake256_inc_squeeze(shared_secret, SHARED_SECRET_BYTES, &ctx);
cshake256_inc_ctx_release(&ctx);
}

11
src/kem/threebears/pqclean_mamabear_clean/threebears.c
View File

@ -38,6 +38,7 @@ static void uniform(gf_t matrix, const uint8_t *seed, uint8_t iv) {
cshake256_inc_absorb(&ctx, &iv, 1);
cshake256_inc_finalize(&ctx);
cshake256_inc_squeeze(c, sizeof(c), &ctx);
cshake256_inc_ctx_release(&ctx);
PQCLEAN_MAMABEAR_CLEAN_expand(matrix, c);
}
@ -56,13 +57,14 @@ static void noise(gf_t x, const shake256incctx *ctx, uint8_t iv) {
uint8_t c[DIGITS];
shake256incctx ctx2;
memcpy(&ctx2, ctx, sizeof(ctx2));
cshake256_inc_ctx_clone(&ctx2, ctx);
cshake256_inc_absorb(&ctx2, &iv, 1);
cshake256_inc_finalize(&ctx2);
cshake256_inc_squeeze(c, DIGITS, &ctx2);
for (size_t i = 0; i < DIGITS; i++) {
x[i] = (limb_t)(psi(c[i]) + PQCLEAN_MAMABEAR_CLEAN_modulus(i));
}
cshake256_inc_ctx_release(&ctx2);
}
/* Expand public key from private key */
@ -74,9 +76,10 @@ void PQCLEAN_MAMABEAR_CLEAN_get_pubkey(uint8_t *pk, const uint8_t *sk) {
threebears_hash_init(&ctx, HASH_PURPOSE_KEYGEN);
cshake256_inc_absorb(&ctx, sk, PRIVATE_KEY_BYTES);
memcpy(&ctx2, &ctx, sizeof(ctx2));
cshake256_inc_ctx_clone(&ctx2, &ctx);
cshake256_inc_finalize(&ctx2);
cshake256_inc_squeeze(pk, MATRIX_SEED_BYTES, &ctx2);
cshake256_inc_ctx_release(&ctx2);
for (uint8_t i = 0; i < DIM; i++) {
noise(sk_expanded[i], &ctx, i);
@ -89,6 +92,7 @@ void PQCLEAN_MAMABEAR_CLEAN_get_pubkey(uint8_t *pk, const uint8_t *sk) {
}
PQCLEAN_MAMABEAR_CLEAN_contract(&pk[MATRIX_SEED_BYTES + i * GF_BYTES], c);
}
cshake256_inc_ctx_release(&ctx);
}
/* Encapsulate a shared secret and return it */
@ -147,6 +151,7 @@ void PQCLEAN_MAMABEAR_CLEAN_encapsulate(
cshake256_inc_finalize(&ctx);
cshake256_inc_squeeze(shared_secret, SHARED_SECRET_BYTES, &ctx);
cshake256_inc_ctx_release(&ctx);
}
/* Decapsulate a shared secret and return it */
@ -210,6 +215,7 @@ void PQCLEAN_MAMABEAR_CLEAN_decapsulate(
cshake256_inc_absorb(&ctx, &sep, 1);
cshake256_inc_finalize(&ctx);
cshake256_inc_squeeze(prfk, PRF_KEY_BYTES, &ctx);
cshake256_inc_ctx_release(&ctx);
/* Calculate PRF */
threebears_hash_init(&ctx, HASH_PURPOSE_PRF);
@ -217,6 +223,7 @@ void PQCLEAN_MAMABEAR_CLEAN_decapsulate(
cshake256_inc_absorb(&ctx, capsule, CAPSULE_BYTES);
cshake256_inc_finalize(&ctx);
cshake256_inc_squeeze(prfout, SHARED_SECRET_BYTES, &ctx);
cshake256_inc_ctx_release(&ctx);
for (size_t i = 0; i < SHARED_SECRET_BYTES; i++) {
shared_secret[i] = (uint8_t)((shared_secret[i] & ok) | (prfout[i] & ~ok));

13
src/kem/threebears/pqclean_papabear-ephem_clean/threebears.c
View File

@ -38,6 +38,7 @@ static void uniform(gf_t matrix, const uint8_t *seed, uint8_t iv) {
cshake256_inc_absorb(&ctx, &iv, 1);
cshake256_inc_finalize(&ctx);
cshake256_inc_squeeze(c, sizeof(c), &ctx);
cshake256_inc_ctx_release(&ctx);
PQCLEAN_PAPABEAREPHEM_CLEAN_expand(matrix, c);
}
@ -56,13 +57,14 @@ static void noise(gf_t x, const shake256incctx *ctx, uint8_t iv) {
uint8_t c[DIGITS];
shake256incctx ctx2;
memcpy(&ctx2, ctx, sizeof(ctx2));
cshake256_inc_ctx_clone(&ctx2, ctx);
cshake256_inc_absorb(&ctx2, &iv, 1);
cshake256_inc_finalize(&ctx2);
cshake256_inc_squeeze(c, DIGITS, &ctx2);
for (size_t i = 0; i < DIGITS; i++) {
x[i] = (limb_t)(psi(c[i]) + PQCLEAN_PAPABEAREPHEM_CLEAN_modulus(i));
}
cshake256_inc_ctx_release(&ctx2);
}
/* Expand public key from private key */
@ -74,9 +76,10 @@ void PQCLEAN_PAPABEAREPHEM_CLEAN_get_pubkey(uint8_t *pk, const uint8_t *sk) {
threebears_hash_init(&ctx, HASH_PURPOSE_KEYGEN);
cshake256_inc_absorb(&ctx, sk, PRIVATE_KEY_BYTES);
memcpy(&ctx2, &ctx, sizeof(ctx2));
cshake256_inc_ctx_clone(&ctx2, &ctx);
cshake256_inc_finalize(&ctx2);
cshake256_inc_squeeze(pk, MATRIX_SEED_BYTES, &ctx2);
cshake256_inc_ctx_release(&ctx2);
for (uint8_t i = 0; i < DIM; i++) {
noise(sk_expanded[i], &ctx, i);
@ -89,6 +92,7 @@ void PQCLEAN_PAPABEAREPHEM_CLEAN_get_pubkey(uint8_t *pk, const uint8_t *sk) {
}
PQCLEAN_PAPABEAREPHEM_CLEAN_contract(&pk[MATRIX_SEED_BYTES + i * GF_BYTES], c);
}
cshake256_inc_ctx_release(&ctx);
}
/* Encapsulate a shared secret and return it */
@ -135,6 +139,8 @@ void PQCLEAN_PAPABEAREPHEM_CLEAN_encapsulate(
cshake256_inc_finalize(&ctx);
cshake256_inc_squeeze(tbi, ENC_SEED_BYTES, &ctx);
cshake256_inc_ctx_release(&ctx);
threebears_hash_init(&ctx, HASH_PURPOSE_ENCAPS);
cshake256_inc_absorb(&ctx, pk, MATRIX_SEED_BYTES);
cshake256_inc_absorb(&ctx, tbi, ENC_SEED_BYTES);
@ -152,6 +158,7 @@ void PQCLEAN_PAPABEAREPHEM_CLEAN_encapsulate(
cshake256_inc_finalize(&ctx);
cshake256_inc_squeeze(shared_secret, SHARED_SECRET_BYTES, &ctx);
cshake256_inc_ctx_release(&ctx);
}
/* Decapsulate a shared secret and return it */
@ -199,6 +206,7 @@ void PQCLEAN_PAPABEAREPHEM_CLEAN_decapsulate(
/* Recalculate matrix seed */
cshake256_inc_finalize(&ctx);
cshake256_inc_squeeze(matrix_seed, MATRIX_SEED_BYTES, &ctx);
cshake256_inc_ctx_release(&ctx);
/* Re-run the key derivation from encaps */
threebears_hash_init(&ctx, HASH_PURPOSE_ENCAPS);
@ -207,4 +215,5 @@ void PQCLEAN_PAPABEAREPHEM_CLEAN_decapsulate(
cshake256_inc_absorb(&ctx, &lpr_data[(ENC_BITS * LPR_BITS + 7) / 8], IV_BYTES);
cshake256_inc_finalize(&ctx);
cshake256_inc_squeeze(shared_secret, SHARED_SECRET_BYTES, &ctx);
cshake256_inc_ctx_release(&ctx);
}

11
src/kem/threebears/pqclean_papabear_clean/threebears.c
View File

@ -38,6 +38,7 @@ static void uniform(gf_t matrix, const uint8_t *seed, uint8_t iv) {
cshake256_inc_absorb(&ctx, &iv, 1);
cshake256_inc_finalize(&ctx);
cshake256_inc_squeeze(c, sizeof(c), &ctx);
cshake256_inc_ctx_release(&ctx);
PQCLEAN_PAPABEAR_CLEAN_expand(matrix, c);
}
@ -56,13 +57,14 @@ static void noise(gf_t x, const shake256incctx *ctx, uint8_t iv) {
uint8_t c[DIGITS];
shake256incctx ctx2;
memcpy(&ctx2, ctx, sizeof(ctx2));
cshake256_inc_ctx_clone(&ctx2, ctx);
cshake256_inc_absorb(&ctx2, &iv, 1);
cshake256_inc_finalize(&ctx2);
cshake256_inc_squeeze(c, DIGITS, &ctx2);
for (size_t i = 0; i < DIGITS; i++) {
x[i] = (limb_t)(psi(c[i]) + PQCLEAN_PAPABEAR_CLEAN_modulus(i));
}
cshake256_inc_ctx_release(&ctx2);
}
/* Expand public key from private key */
@ -74,9 +76,10 @@ void PQCLEAN_PAPABEAR_CLEAN_get_pubkey(uint8_t *pk, const uint8_t *sk) {
threebears_hash_init(&ctx, HASH_PURPOSE_KEYGEN);
cshake256_inc_absorb(&ctx, sk, PRIVATE_KEY_BYTES);
memcpy(&ctx2, &ctx, sizeof(ctx2));
cshake256_inc_ctx_clone(&ctx2, &ctx);
cshake256_inc_finalize(&ctx2);
cshake256_inc_squeeze(pk, MATRIX_SEED_BYTES, &ctx2);
cshake256_inc_ctx_release(&ctx2);
for (uint8_t i = 0; i < DIM; i++) {
noise(sk_expanded[i], &ctx, i);
@ -89,6 +92,7 @@ void PQCLEAN_PAPABEAR_CLEAN_get_pubkey(uint8_t *pk, const uint8_t *sk) {
}
PQCLEAN_PAPABEAR_CLEAN_contract(&pk[MATRIX_SEED_BYTES + i * GF_BYTES], c);
}
cshake256_inc_ctx_release(&ctx);
}
/* Encapsulate a shared secret and return it */
@ -147,6 +151,7 @@ void PQCLEAN_PAPABEAR_CLEAN_encapsulate(
cshake256_inc_finalize(&ctx);
cshake256_inc_squeeze(shared_secret, SHARED_SECRET_BYTES, &ctx);
cshake256_inc_ctx_release(&ctx);
}
/* Decapsulate a shared secret and return it */
@ -210,6 +215,7 @@ void PQCLEAN_PAPABEAR_CLEAN_decapsulate(
cshake256_inc_absorb(&ctx, &sep, 1);
cshake256_inc_finalize(&ctx);
cshake256_inc_squeeze(prfk, PRF_KEY_BYTES, &ctx);
cshake256_inc_ctx_release(&ctx);
/* Calculate PRF */
threebears_hash_init(&ctx, HASH_PURPOSE_PRF);
@ -217,6 +223,7 @@ void PQCLEAN_PAPABEAR_CLEAN_decapsulate(
cshake256_inc_absorb(&ctx, capsule, CAPSULE_BYTES);
cshake256_inc_finalize(&ctx);
cshake256_inc_squeeze(prfout, SHARED_SECRET_BYTES, &ctx);
cshake256_inc_ctx_release(&ctx);
for (size_t i = 0; i < SHARED_SECRET_BYTES; i++) {
shared_secret[i] = (uint8_t)((shared_secret[i] & ok) | (prfout[i] & ~ok));

3
src/sig/dilithium/pqclean_dilithium2_clean/poly.c
View File

@ -315,6 +315,7 @@ void PQCLEAN_DILITHIUM2_CLEAN_poly_uniform(poly *a,
stream128_squeezeblocks(buf + off, 1, &state);
ctr += rej_uniform(a->coeffs + ctr, N - ctr, buf, buflen);
}
stream128_ctx_release(&state);
}
/*************************************************
@ -385,6 +386,7 @@ void PQCLEAN_DILITHIUM2_CLEAN_poly_uniform_eta(poly *a,
stream128_squeezeblocks(buf, 1, &state);
ctr += rej_eta(a->coeffs + ctr, N - ctr, buf, STREAM128_BLOCKBYTES);
}
stream128_ctx_release(&state);
}
/*************************************************
@ -472,6 +474,7 @@ void PQCLEAN_DILITHIUM2_CLEAN_poly_uniform_gamma1m1(poly *a,
stream256_squeezeblocks(buf + off, 1, &state);
ctr += rej_gamma1m1(a->coeffs + ctr, N - ctr, buf, buflen);
}
stream256_ctx_release(&state);
}
/*************************************************

2
src/sig/dilithium/pqclean_dilithium2_clean/symmetric.h
View File

@ -10,8 +10,10 @@
#define crh(OUT, IN, INBYTES) shake256(OUT, CRHBYTES, IN, INBYTES)
#define stream128_init(STATE, SEED, NONCE) PQCLEAN_DILITHIUM2_CLEAN_shake128_stream_init(STATE, SEED, NONCE)
#define stream128_squeezeblocks(OUT, OUTBLOCKS, STATE) shake128_squeezeblocks(OUT, OUTBLOCKS, STATE)
#define stream128_ctx_release(STATE) shake128_ctx_release(STATE)
#define stream256_init(STATE, SEED, NONCE) PQCLEAN_DILITHIUM2_CLEAN_shake256_stream_init(STATE, SEED, NONCE)
#define stream256_squeezeblocks(OUT, OUTBLOCKS, STATE) shake256_squeezeblocks(OUT, OUTBLOCKS, STATE)
#define stream256_ctx_release(STATE) shake256_ctx_release(STATE)
#define STREAM128_BLOCKBYTES SHAKE128_RATE
#define STREAM256_BLOCKBYTES SHAKE256_RATE

3
src/sig/dilithium/pqclean_dilithium3_clean/poly.c
View File

@ -315,6 +315,7 @@ void PQCLEAN_DILITHIUM3_CLEAN_poly_uniform(poly *a,
stream128_squeezeblocks(buf + off, 1, &state);
ctr += rej_uniform(a->coeffs + ctr, N - ctr, buf, buflen);
}
stream128_ctx_release(&state);
}
/*************************************************
@ -385,6 +386,7 @@ void PQCLEAN_DILITHIUM3_CLEAN_poly_uniform_eta(poly *a,
stream128_squeezeblocks(buf, 1, &state);
ctr += rej_eta(a->coeffs + ctr, N - ctr, buf, STREAM128_BLOCKBYTES);
}
stream128_ctx_release(&state);
}
/*************************************************
@ -472,6 +474,7 @@ void PQCLEAN_DILITHIUM3_CLEAN_poly_uniform_gamma1m1(poly *a,
stream256_squeezeblocks(buf + off, 1, &state);
ctr += rej_gamma1m1(a->coeffs + ctr, N - ctr, buf, buflen);
}
stream256_ctx_release(&state);
}
/*************************************************

2
src/sig/dilithium/pqclean_dilithium3_clean/symmetric.h
View File

@ -10,8 +10,10 @@
#define crh(OUT, IN, INBYTES) shake256(OUT, CRHBYTES, IN, INBYTES)
#define stream128_init(STATE, SEED, NONCE) PQCLEAN_DILITHIUM3_CLEAN_shake128_stream_init(STATE, SEED, NONCE)
#define stream128_squeezeblocks(OUT, OUTBLOCKS, STATE) shake128_squeezeblocks(OUT, OUTBLOCKS, STATE)
#define stream128_ctx_release(STATE) shake128_ctx_release(STATE)
#define stream256_init(STATE, SEED, NONCE) PQCLEAN_DILITHIUM3_CLEAN_shake256_stream_init(STATE, SEED, NONCE)
#define stream256_squeezeblocks(OUT, OUTBLOCKS, STATE) shake256_squeezeblocks(OUT, OUTBLOCKS, STATE)
#define stream256_ctx_release(STATE) shake256_ctx_release(STATE)
#define STREAM128_BLOCKBYTES SHAKE128_RATE
#define STREAM256_BLOCKBYTES SHAKE256_RATE

3
src/sig/dilithium/pqclean_dilithium4_clean/poly.c
View File

@ -315,6 +315,7 @@ void PQCLEAN_DILITHIUM4_CLEAN_poly_uniform(poly *a,
stream128_squeezeblocks(buf + off, 1, &state);
ctr += rej_uniform(a->coeffs + ctr, N - ctr, buf, buflen);
}
stream128_ctx_release(&state);
}
/*************************************************
@ -385,6 +386,7 @@ void PQCLEAN_DILITHIUM4_CLEAN_poly_uniform_eta(poly *a,
stream128_squeezeblocks(buf, 1, &state);
ctr += rej_eta(a->coeffs + ctr, N - ctr, buf, STREAM128_BLOCKBYTES);
}
stream128_ctx_release(&state);
}
/*************************************************
@ -472,6 +474,7 @@ void PQCLEAN_DILITHIUM4_CLEAN_poly_uniform_gamma1m1(poly *a,
stream256_squeezeblocks(buf + off, 1, &state);
ctr += rej_gamma1m1(a->coeffs + ctr, N - ctr, buf, buflen);
}
stream256_ctx_release(&state);
}
/*************************************************

2
src/sig/dilithium/pqclean_dilithium4_clean/symmetric.h
View File

@ -10,8 +10,10 @@
#define crh(OUT, IN, INBYTES) shake256(OUT, CRHBYTES, IN, INBYTES)
#define stream128_init(STATE, SEED, NONCE) PQCLEAN_DILITHIUM4_CLEAN_shake128_stream_init(STATE, SEED, NONCE)
#define stream128_squeezeblocks(OUT, OUTBLOCKS, STATE) shake128_squeezeblocks(OUT, OUTBLOCKS, STATE)
#define stream128_ctx_release(STATE) shake128_ctx_release(STATE)
#define stream256_init(STATE, SEED, NONCE) PQCLEAN_DILITHIUM4_CLEAN_shake256_stream_init(STATE, SEED, NONCE)
#define stream256_squeezeblocks(OUT, OUTBLOCKS, STATE) shake256_squeezeblocks(OUT, OUTBLOCKS, STATE)
#define stream256_ctx_release(STATE) shake256_ctx_release(STATE)
#define STREAM128_BLOCKBYTES SHAKE128_RATE
#define STREAM256_BLOCKBYTES SHAKE256_RATE

2
src/sig/mqdss/pqclean_mqdss-48_clean/gf31.c
View File

@ -63,6 +63,7 @@ void PQCLEAN_MQDSS48_CLEAN_gf31_nrand(gf31 *out, int len, const unsigned char *s
}
}
}
shake256_ctx_release(&shakestate);
}
/* Given a seed, samples len gf31 elements, transposed into unsigned range,
@ -84,6 +85,7 @@ void PQCLEAN_MQDSS48_CLEAN_gf31_nrand_schar(signed char *out, int len, const uns
}
}
}
shake256_ctx_release(&shakestate);
}
/* Unpacks an array of packed GF31 elements to one element per gf31.

6
src/sig/mqdss/pqclean_mqdss-48_clean/sign.c
View File

@ -120,6 +120,7 @@ int PQCLEAN_MQDSS48_CLEAN_crypto_sign_signature(
shake256_inc_absorb(&state, m, mlen);
shake256_inc_finalize(&state);
shake256_inc_squeeze(sig, HASH_BYTES, &state); // Compute R.
shake256_inc_ctx_release(&state);
memcpy(pk, skbuf, SEED_BYTES);
PQCLEAN_MQDSS48_CLEAN_gf31_nrand(sk_gf31, N, skbuf + SEED_BYTES, SEED_BYTES);
@ -133,6 +134,7 @@ int PQCLEAN_MQDSS48_CLEAN_crypto_sign_signature(
shake256_inc_absorb(&state, m, mlen);
shake256_inc_finalize(&state);
shake256_inc_squeeze(D, HASH_BYTES, &state);
shake256_inc_ctx_release(&state);
sig += HASH_BYTES; // Compensate for prefixed R.
@ -193,6 +195,8 @@ int PQCLEAN_MQDSS48_CLEAN_crypto_sign_signature(
PQCLEAN_MQDSS48_CLEAN_vgf31_shorten_unique(t1 + i * N, t1 + i * N);
PQCLEAN_MQDSS48_CLEAN_vgf31_shorten_unique(e1 + i * N, e1 + i * N);
}
shake256_ctx_release(&shakestate);
PQCLEAN_MQDSS48_CLEAN_gf31_npack(t1packed, t1, N * ROUNDS);
PQCLEAN_MQDSS48_CLEAN_gf31_npack(e1packed, e1, M * ROUNDS);
@ -264,6 +268,7 @@ int PQCLEAN_MQDSS48_CLEAN_crypto_sign_verify(
shake256_inc_absorb(&state, m, mlen);
shake256_inc_finalize(&state);
shake256_inc_squeeze(D, HASH_BYTES, &state);
shake256_inc_ctx_release(&state);
sig += HASH_BYTES;
@ -328,6 +333,7 @@ int PQCLEAN_MQDSS48_CLEAN_crypto_sign_verify(
memcpy(c + HASH_BYTES * (2 * i + (1 - b)), sig + NPACKED_BYTES, HASH_BYTES);
sig += NPACKED_BYTES + 2 * HASH_BYTES;
}
shake256_ctx_release(&shakestate);
H(c, c, HASH_BYTES * ROUNDS * 2);
if (memcmp(c, sigma0, HASH_BYTES) != 0) {

2
src/sig/mqdss/pqclean_mqdss-64_clean/gf31.c
View File

@ -63,6 +63,7 @@ void PQCLEAN_MQDSS64_CLEAN_gf31_nrand(gf31 *out, int len, const unsigned char *s
}
}
}
shake256_ctx_release(&shakestate);
}
/* Given a seed, samples len gf31 elements, transposed into unsigned range,
@ -84,6 +85,7 @@ void PQCLEAN_MQDSS64_CLEAN_gf31_nrand_schar(signed char *out, int len, const uns
}
}
}
shake256_ctx_release(&shakestate);
}
/* Unpacks an array of packed GF31 elements to one element per gf31.

6
src/sig/mqdss/pqclean_mqdss-64_clean/sign.c
View File

@ -120,6 +120,7 @@ int PQCLEAN_MQDSS64_CLEAN_crypto_sign_signature(
shake256_inc_absorb(&state, m, mlen);
shake256_inc_finalize(&state);
shake256_inc_squeeze(sig, HASH_BYTES, &state); // Compute R.
shake256_inc_ctx_release(&state);
memcpy(pk, skbuf, SEED_BYTES);
PQCLEAN_MQDSS64_CLEAN_gf31_nrand(sk_gf31, N, skbuf + SEED_BYTES, SEED_BYTES);
@ -133,6 +134,7 @@ int PQCLEAN_MQDSS64_CLEAN_crypto_sign_signature(
shake256_inc_absorb(&state, m, mlen);
shake256_inc_finalize(&state);
shake256_inc_squeeze(D, HASH_BYTES, &state);
shake256_inc_ctx_release(&state);
sig += HASH_BYTES; // Compensate for prefixed R.
@ -193,6 +195,8 @@ int PQCLEAN_MQDSS64_CLEAN_crypto_sign_signature(
PQCLEAN_MQDSS64_CLEAN_vgf31_shorten_unique(t1 + i * N, t1 + i * N);
PQCLEAN_MQDSS64_CLEAN_vgf31_shorten_unique(e1 + i * N, e1 + i * N);
}
shake256_ctx_release(&shakestate);
PQCLEAN_MQDSS64_CLEAN_gf31_npack(t1packed, t1, N * ROUNDS);
PQCLEAN_MQDSS64_CLEAN_gf31_npack(e1packed, e1, M * ROUNDS);
@ -264,6 +268,7 @@ int PQCLEAN_MQDSS64_CLEAN_crypto_sign_verify(
shake256_inc_absorb(&state, m, mlen);
shake256_inc_finalize(&state);
shake256_inc_squeeze(D, HASH_BYTES, &state);
shake256_inc_ctx_release(&state);
sig += HASH_BYTES;
@ -328,6 +333,7 @@ int PQCLEAN_MQDSS64_CLEAN_crypto_sign_verify(
memcpy(c + HASH_BYTES * (2 * i + (1 - b)), sig + NPACKED_BYTES, HASH_BYTES);
sig += NPACKED_BYTES + 2 * HASH_BYTES;
}
shake256_ctx_release(&shakestate);
H(c, c, HASH_BYTES * ROUNDS * 2);
if (memcmp(c, sigma0, HASH_BYTES) != 0) {

2
src/sig/sphincs/pqclean_sphincs-sha256-128f-robust_clean/hash_sha256.c
View File

@ -20,7 +20,7 @@ void PQCLEAN_SPHINCSSHA256128FROBUST_CLEAN_initialize_hash_function(
/* Clean up hash state */
void PQCLEAN_SPHINCSSHA256128FROBUST_CLEAN_destroy_hash_function(hash_state *hash_state_seeded) {
sha256_inc_destroy(hash_state_seeded);
sha256_inc_ctx_release(hash_state_seeded);
}
/*

2
src/sig/sphincs/pqclean_sphincs-sha256-128f-robust_clean/thash_sha256_robust.c
View File

@ -28,7 +28,7 @@ static void PQCLEAN_SPHINCSSHA256128FROBUST_CLEAN_thash(
PQCLEAN_SPHINCSSHA256128FROBUST_CLEAN_mgf1(bitmask, inblocks * PQCLEAN_SPHINCSSHA256128FROBUST_CLEAN_N, buf, PQCLEAN_SPHINCSSHA256128FROBUST_CLEAN_N + PQCLEAN_SPHINCSSHA256128FROBUST_CLEAN_SHA256_ADDR_BYTES);
/* Retrieve precomputed state containing pub_seed */
sha256_inc_clone_state(&sha2_state, hash_state_seeded);
sha256_inc_ctx_clone(&sha2_state, hash_state_seeded);
for (i = 0; i < inblocks * PQCLEAN_SPHINCSSHA256128FROBUST_CLEAN_N; i++) {
buf[PQCLEAN_SPHINCSSHA256128FROBUST_CLEAN_N + PQCLEAN_SPHINCSSHA256128FROBUST_CLEAN_SHA256_ADDR_BYTES + i] = in[i] ^ bitmask[i];

2
src/sig/sphincs/pqclean_sphincs-sha256-128f-simple_clean/hash_sha256.c
View File

@ -20,7 +20,7 @@ void PQCLEAN_SPHINCSSHA256128FSIMPLE_CLEAN_initialize_hash_function(
/* Clean up hash state */
void PQCLEAN_SPHINCSSHA256128FSIMPLE_CLEAN_destroy_hash_function(hash_state *hash_state_seeded) {
sha256_inc_destroy(hash_state_seeded);
sha256_inc_ctx_release(hash_state_seeded);
}
/*

2
src/sig/sphincs/pqclean_sphincs-sha256-128f-simple_clean/thash_sha256_simple.c
View File

@ -23,7 +23,7 @@ static void PQCLEAN_SPHINCSSHA256128FSIMPLE_CLEAN_thash(
(void)pub_seed; /* Suppress an 'unused parameter' warning. */
/* Retrieve precomputed state containing pub_seed */
sha256_inc_clone_state(&sha2_state, hash_state_seeded);
sha256_inc_ctx_clone(&sha2_state, hash_state_seeded);
PQCLEAN_SPHINCSSHA256128FSIMPLE_CLEAN_compress_address(buf, addr);
memcpy(buf + PQCLEAN_SPHINCSSHA256128FSIMPLE_CLEAN_SHA256_ADDR_BYTES, in, inblocks * PQCLEAN_SPHINCSSHA256128FSIMPLE_CLEAN_N);

2
src/sig/sphincs/pqclean_sphincs-sha256-128s-robust_clean/hash_sha256.c
View File

@ -20,7 +20,7 @@ void PQCLEAN_SPHINCSSHA256128SROBUST_CLEAN_initialize_hash_function(
/* Clean up hash state */
void PQCLEAN_SPHINCSSHA256128SROBUST_CLEAN_destroy_hash_function(hash_state *hash_state_seeded) {
sha256_inc_destroy(hash_state_seeded);
sha256_inc_ctx_release(hash_state_seeded);
}
/*

2
src/sig/sphincs/pqclean_sphincs-sha256-128s-robust_clean/thash_sha256_robust.c
View File

@ -28,7 +28,7 @@ static void PQCLEAN_SPHINCSSHA256128SROBUST_CLEAN_thash(
PQCLEAN_SPHINCSSHA256128SROBUST_CLEAN_mgf1(bitmask, inblocks * PQCLEAN_SPHINCSSHA256128SROBUST_CLEAN_N, buf, PQCLEAN_SPHINCSSHA256128SROBUST_CLEAN_N + PQCLEAN_SPHINCSSHA256128SROBUST_CLEAN_SHA256_ADDR_BYTES);
/* Retrieve precomputed state containing pub_seed */
sha256_inc_clone_state(&sha2_state, hash_state_seeded);
sha256_inc_ctx_clone(&sha2_state, hash_state_seeded);
for (i = 0; i < inblocks * PQCLEAN_SPHINCSSHA256128SROBUST_CLEAN_N; i++) {
buf[PQCLEAN_SPHINCSSHA256128SROBUST_CLEAN_N + PQCLEAN_SPHINCSSHA256128SROBUST_CLEAN_SHA256_ADDR_BYTES + i] = in[i] ^ bitmask[i];

2
src/sig/sphincs/pqclean_sphincs-sha256-128s-simple_clean/hash_sha256.c
View File

@ -20,7 +20,7 @@ void PQCLEAN_SPHINCSSHA256128SSIMPLE_CLEAN_initialize_hash_function(
/* Clean up hash state */
void PQCLEAN_SPHINCSSHA256128SSIMPLE_CLEAN_destroy_hash_function(hash_state *hash_state_seeded) {
sha256_inc_destroy(hash_state_seeded);
sha256_inc_ctx_release(hash_state_seeded);
}
/*

2
src/sig/sphincs/pqclean_sphincs-sha256-128s-simple_clean/thash_sha256_simple.c
View File

@ -23,7 +23,7 @@ static void PQCLEAN_SPHINCSSHA256128SSIMPLE_CLEAN_thash(
(void)pub_seed; /* Suppress an 'unused parameter' warning. */
/* Retrieve precomputed state containing pub_seed */
sha256_inc_clone_state(&sha2_state, hash_state_seeded);
sha256_inc_ctx_clone(&sha2_state, hash_state_seeded);
PQCLEAN_SPHINCSSHA256128SSIMPLE_CLEAN_compress_address(buf, addr);
memcpy(buf + PQCLEAN_SPHINCSSHA256128SSIMPLE_CLEAN_SHA256_ADDR_BYTES, in, inblocks * PQCLEAN_SPHINCSSHA256128SSIMPLE_CLEAN_N);

2
src/sig/sphincs/pqclean_sphincs-sha256-192f-robust_clean/hash_sha256.c
View File

@ -20,7 +20,7 @@ void PQCLEAN_SPHINCSSHA256192FROBUST_CLEAN_initialize_hash_function(
/* Clean up hash state */
void PQCLEAN_SPHINCSSHA256192FROBUST_CLEAN_destroy_hash_function(hash_state *hash_state_seeded) {
sha256_inc_destroy(hash_state_seeded);
sha256_inc_ctx_release(hash_state_seeded);
}
/*

2
src/sig/sphincs/pqclean_sphincs-sha256-192f-robust_clean/thash_sha256_robust.c
View File

@ -28,7 +28,7 @@ static void PQCLEAN_SPHINCSSHA256192FROBUST_CLEAN_thash(
PQCLEAN_SPHINCSSHA256192FROBUST_CLEAN_mgf1(bitmask, inblocks * PQCLEAN_SPHINCSSHA256192FROBUST_CLEAN_N, buf, PQCLEAN_SPHINCSSHA256192FROBUST_CLEAN_N + PQCLEAN_SPHINCSSHA256192FROBUST_CLEAN_SHA256_ADDR_BYTES);
/* Retrieve precomputed state containing pub_seed */
sha256_inc_clone_state(&sha2_state, hash_state_seeded);
sha256_inc_ctx_clone(&sha2_state, hash_state_seeded);
for (i = 0; i < inblocks * PQCLEAN_SPHINCSSHA256192FROBUST_CLEAN_N; i++) {
buf[PQCLEAN_SPHINCSSHA256192FROBUST_CLEAN_N + PQCLEAN_SPHINCSSHA256192FROBUST_CLEAN_SHA256_ADDR_BYTES + i] = in[i] ^ bitmask[i];

2
src/sig/sphincs/pqclean_sphincs-sha256-192f-simple_clean/hash_sha256.c
View File

@ -20,7 +20,7 @@ void PQCLEAN_SPHINCSSHA256192FSIMPLE_CLEAN_initialize_hash_function(
/* Clean up hash state */
void PQCLEAN_SPHINCSSHA256192FSIMPLE_CLEAN_destroy_hash_function(hash_state *hash_state_seeded) {
sha256_inc_destroy(hash_state_seeded);
sha256_inc_ctx_release(hash_state_seeded);
}
/*

2
src/sig/sphincs/pqclean_sphincs-sha256-192f-simple_clean/thash_sha256_simple.c
View File

@ -23,7 +23,7 @@ static void PQCLEAN_SPHINCSSHA256192FSIMPLE_CLEAN_thash(
(void)pub_seed; /* Suppress an 'unused parameter' warning. */
/* Retrieve precomputed state containing pub_seed */
sha256_inc_clone_state(&sha2_state, hash_state_seeded);
sha256_inc_ctx_clone(&sha2_state, hash_state_seeded);
PQCLEAN_SPHINCSSHA256192FSIMPLE_CLEAN_compress_address(buf, addr);
memcpy(buf + PQCLEAN_SPHINCSSHA256192FSIMPLE_CLEAN_SHA256_ADDR_BYTES, in, inblocks * PQCLEAN_SPHINCSSHA256192FSIMPLE_CLEAN_N);

2
src/sig/sphincs/pqclean_sphincs-sha256-192s-robust_clean/hash_sha256.c
View File

@ -20,7 +20,7 @@ void PQCLEAN_SPHINCSSHA256192SROBUST_CLEAN_initialize_hash_function(
/* Clean up hash state */
void PQCLEAN_SPHINCSSHA256192SROBUST_CLEAN_destroy_hash_function(hash_state *hash_state_seeded) {
sha256_inc_destroy(hash_state_seeded);
sha256_inc_ctx_release(hash_state_seeded);
}
/*

2
src/sig/sphincs/pqclean_sphincs-sha256-192s-robust_clean/thash_sha256_robust.c
View File

@ -28,7 +28,7 @@ static void PQCLEAN_SPHINCSSHA256192SROBUST_CLEAN_thash(
PQCLEAN_SPHINCSSHA256192SROBUST_CLEAN_mgf1(bitmask, inblocks * PQCLEAN_SPHINCSSHA256192SROBUST_CLEAN_N, buf, PQCLEAN_SPHINCSSHA256192SROBUST_CLEAN_N + PQCLEAN_SPHINCSSHA256192SROBUST_CLEAN_SHA256_ADDR_BYTES);
/* Retrieve precomputed state containing pub_seed */
sha256_inc_clone_state(&sha2_state, hash_state_seeded);
sha256_inc_ctx_clone(&sha2_state, hash_state_seeded);
for (i = 0; i < inblocks * PQCLEAN_SPHINCSSHA256192SROBUST_CLEAN_N; i++) {
buf[PQCLEAN_SPHINCSSHA256192SROBUST_CLEAN_N + PQCLEAN_SPHINCSSHA256192SROBUST_CLEAN_SHA256_ADDR_BYTES + i] = in[i] ^ bitmask[i];

2
src/sig/sphincs/pqclean_sphincs-sha256-192s-simple_clean/hash_sha256.c
View File

@ -20,7 +20,7 @@ void PQCLEAN_SPHINCSSHA256192SSIMPLE_CLEAN_initialize_hash_function(
/* Clean up hash state */
void PQCLEAN_SPHINCSSHA256192SSIMPLE_CLEAN_destroy_hash_function(hash_state *hash_state_seeded) {
sha256_inc_destroy(hash_state_seeded);
sha256_inc_ctx_release(hash_state_seeded);
}
/*

2
src/sig/sphincs/pqclean_sphincs-sha256-192s-simple_clean/thash_sha256_simple.c
View File

@ -23,7 +23,7 @@ static void PQCLEAN_SPHINCSSHA256192SSIMPLE_CLEAN_thash(
(void)pub_seed; /* Suppress an 'unused parameter' warning. */
/* Retrieve precomputed state containing pub_seed */
sha256_inc_clone_state(&sha2_state, hash_state_seeded);
sha256_inc_ctx_clone(&sha2_state, hash_state_seeded);
PQCLEAN_SPHINCSSHA256192SSIMPLE_CLEAN_compress_address(buf, addr);
memcpy(buf + PQCLEAN_SPHINCSSHA256192SSIMPLE_CLEAN_SHA256_ADDR_BYTES, in, inblocks * PQCLEAN_SPHINCSSHA256192SSIMPLE_CLEAN_N);

2
src/sig/sphincs/pqclean_sphincs-sha256-256f-robust_clean/hash_sha256.c
View File

@ -20,7 +20,7 @@ void PQCLEAN_SPHINCSSHA256256FROBUST_CLEAN_initialize_hash_function(
/* Clean up hash state */
void PQCLEAN_SPHINCSSHA256256FROBUST_CLEAN_destroy_hash_function(hash_state *hash_state_seeded) {
sha256_inc_destroy(hash_state_seeded);
sha256_inc_ctx_release(hash_state_seeded);
}
/*

2
src/sig/sphincs/pqclean_sphincs-sha256-256f-robust_clean/thash_sha256_robust.c
View File

@ -28,7 +28,7 @@ static void PQCLEAN_SPHINCSSHA256256FROBUST_CLEAN_thash(
PQCLEAN_SPHINCSSHA256256FROBUST_CLEAN_mgf1(bitmask, inblocks * PQCLEAN_SPHINCSSHA256256FROBUST_CLEAN_N, buf, PQCLEAN_SPHINCSSHA256256FROBUST_CLEAN_N + PQCLEAN_SPHINCSSHA256256FROBUST_CLEAN_SHA256_ADDR_BYTES);
/* Retrieve precomputed state containing pub_seed */
sha256_inc_clone_state(&sha2_state, hash_state_seeded);
sha256_inc_ctx_clone(&sha2_state, hash_state_seeded);
for (i = 0; i < inblocks * PQCLEAN_SPHINCSSHA256256FROBUST_CLEAN_N; i++) {
buf[PQCLEAN_SPHINCSSHA256256FROBUST_CLEAN_N + PQCLEAN_SPHINCSSHA256256FROBUST_CLEAN_SHA256_ADDR_BYTES + i] = in[i] ^ bitmask[i];

2
src/sig/sphincs/pqclean_sphincs-sha256-256f-simple_clean/hash_sha256.c
View File

@ -20,7 +20,7 @@ void PQCLEAN_SPHINCSSHA256256FSIMPLE_CLEAN_initialize_hash_function(
/* Clean up hash state */
void PQCLEAN_SPHINCSSHA256256FSIMPLE_CLEAN_destroy_hash_function(hash_state *hash_state_seeded) {
sha256_inc_destroy(hash_state_seeded);
sha256_inc_ctx_release(hash_state_seeded);
}
/*

2
src/sig/sphincs/pqclean_sphincs-sha256-256f-simple_clean/thash_sha256_simple.c
View File

@ -23,7 +23,7 @@ static void PQCLEAN_SPHINCSSHA256256FSIMPLE_CLEAN_thash(
(void)pub_seed; /* Suppress an 'unused parameter' warning. */
/* Retrieve precomputed state containing pub_seed */
sha256_inc_clone_state(&sha2_state, hash_state_seeded);
sha256_inc_ctx_clone(&sha2_state, hash_state_seeded);
PQCLEAN_SPHINCSSHA256256FSIMPLE_CLEAN_compress_address(buf, addr);
memcpy(buf + PQCLEAN_SPHINCSSHA256256FSIMPLE_CLEAN_SHA256_ADDR_BYTES, in, inblocks * PQCLEAN_SPHINCSSHA256256FSIMPLE_CLEAN_N);

2
src/sig/sphincs/pqclean_sphincs-sha256-256s-robust_clean/hash_sha256.c
View File

@ -20,7 +20,7 @@ void PQCLEAN_SPHINCSSHA256256SROBUST_CLEAN_initialize_hash_function(
/* Clean up hash state */
void PQCLEAN_SPHINCSSHA256256SROBUST_CLEAN_destroy_hash_function(hash_state *hash_state_seeded) {
sha256_inc_destroy(hash_state_seeded);
sha256_inc_ctx_release(hash_state_seeded);
}
/*

2
src/sig/sphincs/pqclean_sphincs-sha256-256s-robust_clean/thash_sha256_robust.c
View File

@ -28,7 +28,7 @@ static void PQCLEAN_SPHINCSSHA256256SROBUST_CLEAN_thash(
PQCLEAN_SPHINCSSHA256256SROBUST_CLEAN_mgf1(bitmask, inblocks * PQCLEAN_SPHINCSSHA256256SROBUST_CLEAN_N, buf, PQCLEAN_SPHINCSSHA256256SROBUST_CLEAN_N + PQCLEAN_SPHINCSSHA256256SROBUST_CLEAN_SHA256_ADDR_BYTES);
/* Retrieve precomputed state containing pub_seed */
sha256_inc_clone_state(&sha2_state, hash_state_seeded);
sha256_inc_ctx_clone(&sha2_state, hash_state_seeded);
for (i = 0; i < inblocks * PQCLEAN_SPHINCSSHA256256SROBUST_CLEAN_N; i++) {
buf[PQCLEAN_SPHINCSSHA256256SROBUST_CLEAN_N + PQCLEAN_SPHINCSSHA256256SROBUST_CLEAN_SHA256_ADDR_BYTES + i] = in[i] ^ bitmask[i];

2
src/sig/sphincs/pqclean_sphincs-sha256-256s-simple_clean/hash_sha256.c
View File

@ -20,7 +20,7 @@ void PQCLEAN_SPHINCSSHA256256SSIMPLE_CLEAN_initialize_hash_function(
/* Clean up hash state */
void PQCLEAN_SPHINCSSHA256256SSIMPLE_CLEAN_destroy_hash_function(hash_state *hash_state_seeded) {
sha256_inc_destroy(hash_state_seeded);
sha256_inc_ctx_release(hash_state_seeded);
}
/*

2
src/sig/sphincs/pqclean_sphincs-sha256-256s-simple_clean/thash_sha256_simple.c
View File

@ -23,7 +23,7 @@ static void PQCLEAN_SPHINCSSHA256256SSIMPLE_CLEAN_thash(
(void)pub_seed; /* Suppress an 'unused parameter' warning. */
/* Retrieve precomputed state containing pub_seed */
sha256_inc_clone_state(&sha2_state, hash_state_seeded);
sha256_inc_ctx_clone(&sha2_state, hash_state_seeded);
PQCLEAN_SPHINCSSHA256256SSIMPLE_CLEAN_compress_address(buf, addr);
memcpy(buf + PQCLEAN_SPHINCSSHA256256SSIMPLE_CLEAN_SHA256_ADDR_BYTES, in, inblocks * PQCLEAN_SPHINCSSHA256256SSIMPLE_CLEAN_N);

2
src/sig/sphincs/pqclean_sphincs-shake256-128f-robust_clean/hash_shake256.c
View File

@ -57,6 +57,7 @@ void PQCLEAN_SPHINCSSHAKE256128FROBUST_CLEAN_gen_message_random(
shake256_inc_absorb(&state, m, mlen);
shake256_inc_finalize(&state);
shake256_inc_squeeze(R, PQCLEAN_SPHINCSSHAKE256128FROBUST_CLEAN_N, &state);
shake256_inc_ctx_release(&state);
(void)hash_state_seeded; /* Prevent unused parameter warning. */
}
@ -87,6 +88,7 @@ void PQCLEAN_SPHINCSSHAKE256128FROBUST_CLEAN_hash_message(
shake256_inc_absorb(&state, m, mlen);
shake256_inc_finalize(&state);
shake256_inc_squeeze(buf, PQCLEAN_SPHINCSSHAKE256128FROBUST_CLEAN_DGST_BYTES, &state);
shake256_inc_ctx_release(&state);
memcpy(digest, bufp, PQCLEAN_SPHINCSSHAKE256128FROBUST_CLEAN_FORS_MSG_BYTES);
bufp += PQCLEAN_SPHINCSSHAKE256128FROBUST_CLEAN_FORS_MSG_BYTES;

2
src/sig/sphincs/pqclean_sphincs-shake256-128f-simple_clean/hash_shake256.c
View File

@ -57,6 +57,7 @@ void PQCLEAN_SPHINCSSHAKE256128FSIMPLE_CLEAN_gen_message_random(
shake256_inc_absorb(&state, m, mlen);
shake256_inc_finalize(&state);
shake256_inc_squeeze(R, PQCLEAN_SPHINCSSHAKE256128FSIMPLE_CLEAN_N, &state);
shake256_inc_ctx_release(&state);
(void)hash_state_seeded; /* Prevent unused parameter warning. */
}
@ -87,6 +88,7 @@ void PQCLEAN_SPHINCSSHAKE256128FSIMPLE_CLEAN_hash_message(
shake256_inc_absorb(&state, m, mlen);
shake256_inc_finalize(&state);
shake256_inc_squeeze(buf, PQCLEAN_SPHINCSSHAKE256128FSIMPLE_CLEAN_DGST_BYTES, &state);
shake256_inc_ctx_release(&state);
memcpy(digest, bufp, PQCLEAN_SPHINCSSHAKE256128FSIMPLE_CLEAN_FORS_MSG_BYTES);
bufp += PQCLEAN_SPHINCSSHAKE256128FSIMPLE_CLEAN_FORS_MSG_BYTES;

2
src/sig/sphincs/pqclean_sphincs-shake256-128s-robust_clean/hash_shake256.c
View File

@ -57,6 +57,7 @@ void PQCLEAN_SPHINCSSHAKE256128SROBUST_CLEAN_gen_message_random(
shake256_inc_absorb(&state, m, mlen);
shake256_inc_finalize(&state);
shake256_inc_squeeze(R, PQCLEAN_SPHINCSSHAKE256128SROBUST_CLEAN_N, &state);
shake256_inc_ctx_release(&state);
(void)hash_state_seeded; /* Prevent unused parameter warning. */
}
@ -87,6 +88,7 @@ void PQCLEAN_SPHINCSSHAKE256128SROBUST_CLEAN_hash_message(
shake256_inc_absorb(&state, m, mlen);
shake256_inc_finalize(&state);
shake256_inc_squeeze(buf, PQCLEAN_SPHINCSSHAKE256128SROBUST_CLEAN_DGST_BYTES, &state);
shake256_inc_ctx_release(&state);
memcpy(digest, bufp, PQCLEAN_SPHINCSSHAKE256128SROBUST_CLEAN_FORS_MSG_BYTES);
bufp += PQCLEAN_SPHINCSSHAKE256128SROBUST_CLEAN_FORS_MSG_BYTES;

2
src/sig/sphincs/pqclean_sphincs-shake256-128s-simple_clean/hash_shake256.c
View File

@ -57,6 +57,7 @@ void PQCLEAN_SPHINCSSHAKE256128SSIMPLE_CLEAN_gen_message_random(
shake256_inc_absorb(&state, m, mlen);
shake256_inc_finalize(&state);
shake256_inc_squeeze(R, PQCLEAN_SPHINCSSHAKE256128SSIMPLE_CLEAN_N, &state);
shake256_inc_ctx_release(&state);
(void)hash_state_seeded; /* Prevent unused parameter warning. */
}
@ -87,6 +88,7 @@ void PQCLEAN_SPHINCSSHAKE256128SSIMPLE_CLEAN_hash_message(
shake256_inc_absorb(&state, m, mlen);
shake256_inc_finalize(&state);
shake256_inc_squeeze(buf, PQCLEAN_SPHINCSSHAKE256128SSIMPLE_CLEAN_DGST_BYTES, &state);
shake256_inc_ctx_release(&state);
memcpy(digest, bufp, PQCLEAN_SPHINCSSHAKE256128SSIMPLE_CLEAN_FORS_MSG_BYTES);
bufp += PQCLEAN_SPHINCSSHAKE256128SSIMPLE_CLEAN_FORS_MSG_BYTES;

2
src/sig/sphincs/pqclean_sphincs-shake256-192f-robust_clean/hash_shake256.c
View File

@ -57,6 +57,7 @@ void PQCLEAN_SPHINCSSHAKE256192FROBUST_CLEAN_gen_message_random(
shake256_inc_absorb(&state, m, mlen);
shake256_inc_finalize(&state);
shake256_inc_squeeze(R, PQCLEAN_SPHINCSSHAKE256192FROBUST_CLEAN_N, &state);
shake256_inc_ctx_release(&state);
(void)hash_state_seeded; /* Prevent unused parameter warning. */
}
@ -87,6 +88,7 @@ void PQCLEAN_SPHINCSSHAKE256192FROBUST_CLEAN_hash_message(
shake256_inc_absorb(&state, m, mlen);
shake256_inc_finalize(&state);
shake256_inc_squeeze(buf, PQCLEAN_SPHINCSSHAKE256192FROBUST_CLEAN_DGST_BYTES, &state);
shake256_inc_ctx_release(&state);
memcpy(digest, bufp, PQCLEAN_SPHINCSSHAKE256192FROBUST_CLEAN_FORS_MSG_BYTES);
bufp += PQCLEAN_SPHINCSSHAKE256192FROBUST_CLEAN_FORS_MSG_BYTES;

2
src/sig/sphincs/pqclean_sphincs-shake256-192f-simple_clean/hash_shake256.c
View File

@ -57,6 +57,7 @@ void PQCLEAN_SPHINCSSHAKE256192FSIMPLE_CLEAN_gen_message_random(
shake256_inc_absorb(&state, m, mlen);
shake256_inc_finalize(&state);
shake256_inc_squeeze(R, PQCLEAN_SPHINCSSHAKE256192FSIMPLE_CLEAN_N, &state);
shake256_inc_ctx_release(&state);
(void)hash_state_seeded; /* Prevent unused parameter warning. */
}
@ -87,6 +88,7 @@ void PQCLEAN_SPHINCSSHAKE256192FSIMPLE_CLEAN_hash_message(
shake256_inc_absorb(&state, m, mlen);
shake256_inc_finalize(&state);
shake256_inc_squeeze(buf, PQCLEAN_SPHINCSSHAKE256192FSIMPLE_CLEAN_DGST_BYTES, &state);
shake256_inc_ctx_release(&state);
memcpy(digest, bufp, PQCLEAN_SPHINCSSHAKE256192FSIMPLE_CLEAN_FORS_MSG_BYTES);
bufp += PQCLEAN_SPHINCSSHAKE256192FSIMPLE_CLEAN_FORS_MSG_BYTES;

2
src/sig/sphincs/pqclean_sphincs-shake256-192s-robust_clean/hash_shake256.c
View File

@ -57,6 +57,7 @@ void PQCLEAN_SPHINCSSHAKE256192SROBUST_CLEAN_gen_message_random(
shake256_inc_absorb(&state, m, mlen);
shake256_inc_finalize(&state);
shake256_inc_squeeze(R, PQCLEAN_SPHINCSSHAKE256192SROBUST_CLEAN_N, &state);
shake256_inc_ctx_release(&state);
(void)hash_state_seeded; /* Prevent unused parameter warning. */
}
@ -87,6 +88,7 @@ void PQCLEAN_SPHINCSSHAKE256192SROBUST_CLEAN_hash_message(
shake256_inc_absorb(&state, m, mlen);
shake256_inc_finalize(&state);
shake256_inc_squeeze(buf, PQCLEAN_SPHINCSSHAKE256192SROBUST_CLEAN_DGST_BYTES, &state);
shake256_inc_ctx_release(&state);
memcpy(digest, bufp, PQCLEAN_SPHINCSSHAKE256192SROBUST_CLEAN_FORS_MSG_BYTES);
bufp += PQCLEAN_SPHINCSSHAKE256192SROBUST_CLEAN_FORS_MSG_BYTES;

2
src/sig/sphincs/pqclean_sphincs-shake256-192s-simple_clean/hash_shake256.c
View File

@ -57,6 +57,7 @@ void PQCLEAN_SPHINCSSHAKE256192SSIMPLE_CLEAN_gen_message_random(
shake256_inc_absorb(&state, m, mlen);
shake256_inc_finalize(&state);
shake256_inc_squeeze(R, PQCLEAN_SPHINCSSHAKE256192SSIMPLE_CLEAN_N, &state);
shake256_inc_ctx_release(&state);
(void)hash_state_seeded; /* Prevent unused parameter warning. */
}
@ -87,6 +88,7 @@ void PQCLEAN_SPHINCSSHAKE256192SSIMPLE_CLEAN_hash_message(
shake256_inc_absorb(&state, m, mlen);
shake256_inc_finalize(&state);
shake256_inc_squeeze(buf, PQCLEAN_SPHINCSSHAKE256192SSIMPLE_CLEAN_DGST_BYTES, &state);
shake256_inc_ctx_release(&state);
memcpy(digest, bufp, PQCLEAN_SPHINCSSHAKE256192SSIMPLE_CLEAN_FORS_MSG_BYTES);
bufp += PQCLEAN_SPHINCSSHAKE256192SSIMPLE_CLEAN_FORS_MSG_BYTES;

2
src/sig/sphincs/pqclean_sphincs-shake256-256f-robust_clean/hash_shake256.c
View File

@ -57,6 +57,7 @@ void PQCLEAN_SPHINCSSHAKE256256FROBUST_CLEAN_gen_message_random(
shake256_inc_absorb(&state, m, mlen);
shake256_inc_finalize(&state);
shake256_inc_squeeze(R, PQCLEAN_SPHINCSSHAKE256256FROBUST_CLEAN_N, &state);
shake256_inc_ctx_release(&state);
(void)hash_state_seeded; /* Prevent unused parameter warning. */
}
@ -87,6 +88,7 @@ void PQCLEAN_SPHINCSSHAKE256256FROBUST_CLEAN_hash_message(
shake256_inc_absorb(&state, m, mlen);
shake256_inc_finalize(&state);
shake256_inc_squeeze(buf, PQCLEAN_SPHINCSSHAKE256256FROBUST_CLEAN_DGST_BYTES, &state);
shake256_inc_ctx_release(&state);
memcpy(digest, bufp, PQCLEAN_SPHINCSSHAKE256256FROBUST_CLEAN_FORS_MSG_BYTES);
bufp += PQCLEAN_SPHINCSSHAKE256256FROBUST_CLEAN_FORS_MSG_BYTES;

2
src/sig/sphincs/pqclean_sphincs-shake256-256f-simple_clean/hash_shake256.c
View File

@ -57,6 +57,7 @@ void PQCLEAN_SPHINCSSHAKE256256FSIMPLE_CLEAN_gen_message_random(
shake256_inc_absorb(&state, m, mlen);
shake256_inc_finalize(&state);
shake256_inc_squeeze(R, PQCLEAN_SPHINCSSHAKE256256FSIMPLE_CLEAN_N, &state);
shake256_inc_ctx_release(&state);
(void)hash_state_seeded; /* Prevent unused parameter warning. */
}
@ -87,6 +88,7 @@ void PQCLEAN_SPHINCSSHAKE256256FSIMPLE_CLEAN_hash_message(
shake256_inc_absorb(&state, m, mlen);
shake256_inc_finalize(&state);
shake256_inc_squeeze(buf, PQCLEAN_SPHINCSSHAKE256256FSIMPLE_CLEAN_DGST_BYTES, &state);
shake256_inc_ctx_release(&state);
memcpy(digest, bufp, PQCLEAN_SPHINCSSHAKE256256FSIMPLE_CLEAN_FORS_MSG_BYTES);
bufp += PQCLEAN_SPHINCSSHAKE256256FSIMPLE_CLEAN_FORS_MSG_BYTES;

2
src/sig/sphincs/pqclean_sphincs-shake256-256s-robust_clean/hash_shake256.c
View File

@ -57,6 +57,7 @@ void PQCLEAN_SPHINCSSHAKE256256SROBUST_CLEAN_gen_message_random(
shake256_inc_absorb(&state, m, mlen);
shake256_inc_finalize(&state);
shake256_inc_squeeze(R, PQCLEAN_SPHINCSSHAKE256256SROBUST_CLEAN_N, &state);
shake256_inc_ctx_release(&state);
(void)hash_state_seeded; /* Prevent unused parameter warning. */
}
@ -87,6 +88,7 @@ void PQCLEAN_SPHINCSSHAKE256256SROBUST_CLEAN_hash_message(
shake256_inc_absorb(&state, m, mlen);
shake256_inc_finalize(&state);
shake256_inc_squeeze(buf, PQCLEAN_SPHINCSSHAKE256256SROBUST_CLEAN_DGST_BYTES, &state);
shake256_inc_ctx_release(&state);
memcpy(digest, bufp, PQCLEAN_SPHINCSSHAKE256256SROBUST_CLEAN_FORS_MSG_BYTES);
bufp += PQCLEAN_SPHINCSSHAKE256256SROBUST_CLEAN_FORS_MSG_BYTES;

2
src/sig/sphincs/pqclean_sphincs-shake256-256s-simple_clean/hash_shake256.c
View File

@ -57,6 +57,7 @@ void PQCLEAN_SPHINCSSHAKE256256SSIMPLE_CLEAN_gen_message_random(
shake256_inc_absorb(&state, m, mlen);
shake256_inc_finalize(&state);
shake256_inc_squeeze(R, PQCLEAN_SPHINCSSHAKE256256SSIMPLE_CLEAN_N, &state);
shake256_inc_ctx_release(&state);
(void)hash_state_seeded; /* Prevent unused parameter warning. */
}
@ -87,6 +88,7 @@ void PQCLEAN_SPHINCSSHAKE256256SSIMPLE_CLEAN_hash_message(
shake256_inc_absorb(&state, m, mlen);
shake256_inc_finalize(&state);
shake256_inc_squeeze(buf, PQCLEAN_SPHINCSSHAKE256256SSIMPLE_CLEAN_DGST_BYTES, &state);
shake256_inc_ctx_release(&state);
memcpy(digest, bufp, PQCLEAN_SPHINCSSHAKE256256SSIMPLE_CLEAN_FORS_MSG_BYTES);
bufp += PQCLEAN_SPHINCSSHAKE256256SSIMPLE_CLEAN_FORS_MSG_BYTES;

128
tests/test_hash.c
View File

@ -59,36 +59,131 @@ int do_sha256(void) {
OQS_SHA2_sha256(output, msg, msg_len);
// run incremental SHA-256 API
uint8_t output_inc[32];
void *state;
OQS_SHA2_sha256_ctx state;
OQS_SHA2_sha256_inc_init(&state);
// clone state
void *state2;
OQS_SHA2_sha256_inc_clone_state(&state2, state);
OQS_SHA2_sha256_ctx state2;
OQS_SHA2_sha256_inc_ctx_clone(&state2, &state);
// hash with first state
if (msg_len > 64) {
OQS_SHA2_sha256_inc_blocks(state, msg, 1);
OQS_SHA2_sha256_inc_finalize(output_inc, state, &msg[64], msg_len - 64);
OQS_SHA2_sha256_inc_blocks(&state, msg, 1);
OQS_SHA2_sha256_inc_finalize(output_inc, &state, &msg[64], msg_len - 64);
} else {
OQS_SHA2_sha256_inc_finalize(output_inc, state, msg, msg_len);
OQS_SHA2_sha256_inc_finalize(output_inc, &state, msg, msg_len);
}
if (memcmp(output, output_inc, 32) != 0) {
free(msg);
fprintf(stderr, "ERROR: Incremental API does not match main API\n");
free(msg);
return -2;
}
// hash with second state
if (msg_len > 64) {
OQS_SHA2_sha256_inc_blocks(state2, msg, 1);
OQS_SHA2_sha256_inc_finalize(output_inc, state2, &msg[64], msg_len - 64);
OQS_SHA2_sha256_inc_blocks(&state2, msg, 1);
OQS_SHA2_sha256_inc_finalize(output_inc, &state2, &msg[64], msg_len - 64);
} else {
OQS_SHA2_sha256_inc_finalize(output_inc, state2, msg, msg_len);
OQS_SHA2_sha256_inc_finalize(output_inc, &state2, msg, msg_len);
}
free(msg);
if (memcmp(output, output_inc, 32) != 0) {
fprintf(stderr, "ERROR: Incremental API with cloned state does not match main API\n");
free(msg);
return -3;
}
print_hex(output, 32);
free(msg);
return 0;
}
int do_sha384(void) {
// read message from stdin
uint8_t *msg;
size_t msg_len;
if (read_stdin(&msg, &msg_len) != 0) {
fprintf(stderr, "ERROR: malloc failure\n");
return -1;
}
// run main SHA-384 API
uint8_t output[48];
OQS_SHA2_sha384(output, msg, msg_len);
// run incremental SHA-384 API
uint8_t output_inc[48];
OQS_SHA2_sha384_ctx state;
OQS_SHA2_sha384_inc_init(&state);
// clone state
OQS_SHA2_sha384_ctx state2;
OQS_SHA2_sha384_inc_ctx_clone(&state2, &state);
// hash with first state
if (msg_len > 64) {
OQS_SHA2_sha384_inc_blocks(&state, msg, 1);
OQS_SHA2_sha384_inc_finalize(output_inc, &state, &msg[64], msg_len - 64);
} else {
OQS_SHA2_sha384_inc_finalize(output_inc, &state, msg, msg_len);
}
if (memcmp(output, output_inc, 48) != 0) {
fprintf(stderr, "ERROR: Incremental API does not match main API\n");
free(msg);
return -2;
}
// hash with second state
if (msg_len > 64) {
OQS_SHA2_sha384_inc_blocks(&state2, msg, 1);
OQS_SHA2_sha384_inc_finalize(output_inc, &state2, &msg[64], msg_len - 64);
} else {
OQS_SHA2_sha384_inc_finalize(output_inc, &state2, msg, msg_len);
}
if (memcmp(output, output_inc, 48) != 0) {
fprintf(stderr, "ERROR: Incremental API with cloned state does not match main API\n");
free(msg);
return -3;
}
print_hex(output, 48);
free(msg);
return 0;
}
int do_sha512(void) {
// read message from stdin
uint8_t *msg;
size_t msg_len;
if (read_stdin(&msg, &msg_len) != 0) {
fprintf(stderr, "ERROR: malloc failure\n");
return -1;
}
// run main SHA-512 API
uint8_t output[64];
OQS_SHA2_sha512(output, msg, msg_len);
// run incremental SHA-512 API
uint8_t output_inc[64];
OQS_SHA2_sha512_ctx state;
OQS_SHA2_sha512_inc_init(&state);
// clone state
OQS_SHA2_sha512_ctx state2;
OQS_SHA2_sha512_inc_ctx_clone(&state2, &state);
// hash with first state
if (msg_len > 64) {
OQS_SHA2_sha512_inc_blocks(&state, msg, 1);
OQS_SHA2_sha512_inc_finalize(output_inc, &state, &msg[64], msg_len - 64);
} else {
OQS_SHA2_sha512_inc_finalize(output_inc, &state, msg, msg_len);
}
if (memcmp(output, output_inc, 64) != 0) {
fprintf(stderr, "ERROR: Incremental API does not match main API\n");
free(msg);
return -2;
}
// hash with second state
if (msg_len > 64) {
OQS_SHA2_sha512_inc_blocks(&state2, msg, 1);
OQS_SHA2_sha512_inc_finalize(output_inc, &state2, &msg[64], msg_len - 64);
} else {
OQS_SHA2_sha512_inc_finalize(output_inc, &state2, msg, msg_len);
}
if (memcmp(output, output_inc, 64) != 0) {
fprintf(stderr, "ERROR: Incremental API with cloned state does not match main API\n");
free(msg);
return -3;
}
print_hex(output, 64);
free(msg);
return 0;
}
@ -105,13 +200,14 @@ int do_arbitrary_hash(void (*hash)(uint8_t *, const uint8_t *, size_t), size_t h
hash(output, msg, msg_len);
print_hex(output, hash_len);
free(output);
free(msg);
return 0;
}
int main(int argc, char **argv) {
if (argc != 2) {
fprintf(stderr, "Usage: test_hash algname\n");
fprintf(stderr, " algname: sha256, sha384, sha512\n");
fprintf(stderr, " algname: sha256, sha384, sha512, sha256inc, sha384inc, sha512inc\n");
fprintf(stderr, " test_hash reads input from stdin and outputs hash value as hex string to stdout");
printf("\n");
print_system_info();
@ -120,8 +216,14 @@ int main(int argc, char **argv) {
char *hash_alg = argv[1];
if (strcmp(hash_alg, "sha256") == 0) {
if (strcmp(hash_alg, "sha256inc") == 0) {
return do_sha256();
} else if (strcmp(hash_alg, "sha384inc") == 0) {
return do_sha384();
} else if (strcmp(hash_alg, "sha512inc") == 0) {
return do_sha512();
} else if (strcmp(hash_alg, "sha256") == 0) {
return do_arbitrary_hash(&OQS_SHA2_sha256, 32);
} else if (strcmp(hash_alg, "sha384") == 0) {
return do_arbitrary_hash(&OQS_SHA2_sha384, 48);
} else if (strcmp(hash_alg, "sha512") == 0) {

15
tests/test_hash.py
View File

@ -26,6 +26,11 @@ def test_sha256(msg):
input = msg.encode(),
)
assert(output.rstrip() == hashlib.sha256(msg.encode()).hexdigest())
output = helpers.run_subprocess(
[helpers.path_to_executable('test_hash'), 'sha256inc'],
input = msg.encode(),
)
assert(output.rstrip() == hashlib.sha256(msg.encode()).hexdigest())
@helpers.filtered_test
@pytest.mark.parametrize('msg', ['', 'a', 'abc', '1234567890123456789012345678901678901567890'])
@ -36,6 +41,11 @@ def test_sha384(msg):
input = msg.encode(),
)
assert(output.rstrip() == hashlib.sha384(msg.encode()).hexdigest())
output = helpers.run_subprocess(
[helpers.path_to_executable('test_hash'), 'sha384inc'],
input = msg.encode(),
)
assert(output.rstrip() == hashlib.sha384(msg.encode()).hexdigest())
@helpers.filtered_test
@pytest.mark.parametrize('msg', ['', 'a', 'abc', '1234567890123456789012345678901678901567890'])
@ -46,6 +56,11 @@ def test_sha512(msg):
input = msg.encode(),
)
assert(output.rstrip() == hashlib.sha512(msg.encode()).hexdigest())
output = helpers.run_subprocess(
[helpers.path_to_executable('test_hash'), 'sha512inc'],
input = msg.encode(),
)
assert(output.rstrip() == hashlib.sha512(msg.encode()).hexdigest())
if __name__ == "__main__":
import sys

2
tests/test_sha3.c
View File

@ -455,6 +455,7 @@ int shake_128_kat_test(void) {
clear8(hash, OQS_SHA3_SHAKE128_RATE * 4);
OQS_SHA3_shake128_absorb(&state, msg1600, 200);
OQS_SHA3_shake128_squeezeblocks(hash, 4, &state);
OQS_SHA3_shake128_ctx_release(&state);
if (are_equal8(hash, exp1600, 512) == EXIT_FAILURE) {
status = EXIT_FAILURE;
@ -589,6 +590,7 @@ int shake_256_kat_test(void) {
clear8(hash, OQS_SHA3_SHAKE256_RATE * 4);
OQS_SHA3_shake256_absorb(&state, msg1600, 200);
OQS_SHA3_shake256_squeezeblocks(hash, 4, &state);
OQS_SHA3_shake256_ctx_release(&state);
if (are_equal8(hash, exp1600, 512) == EXIT_FAILURE) {
status = EXIT_FAILURE;