diff --git a/docs/algorithms/kem_kyber.md b/docs/algorithms/kem_kyber.md index 4eebd265e..0f438105e 100644 --- a/docs/algorithms/kem_kyber.md +++ b/docs/algorithms/kem_kyber.md @@ -29,7 +29,7 @@ Implementation -------------- - **Source of implementation:** https://github.com/PQClean/PQClean -- **Implementation version:** https://github.com/PQClean/PQClean/commit/7729c76b3e41c1bbecafdf9c05efdcfe5e9b2f52 +- **Implementation version:** https://github.com/PQClean/PQClean/commit/6de728361e33ad3a5a6997e0896ff9fe8e44a999 - **License:** Public domain - **Language:** C - **Constant-time:** Yes diff --git a/docs/algorithms/kem_ledacrypt.md b/docs/algorithms/kem_ledacrypt.md index fd8be6f5a..b755b0ed1 100644 --- a/docs/algorithms/kem_ledacrypt.md +++ b/docs/algorithms/kem_ledacrypt.md @@ -25,7 +25,7 @@ Implementation -------------- - **Source of implementation:** https://github.com/PQClean/PQClean/ based on https://github.com/LEDAcrypt/LEDAcrypt -- **Implementation version:** https://github.com/PQClean/PQClean/commit/dcad0bd878eb32d60e3296628c5267ecc401064c +- **Implementation version:** https://github.com/PQClean/PQClean/commit/6de728361e33ad3a5a6997e0896ff9fe8e44a999 - **License:** Public domain - **Language:** C - **Constant-time:** No diff --git a/docs/algorithms/kem_newhope.md b/docs/algorithms/kem_newhope.md index f7214df90..13834982c 100644 --- a/docs/algorithms/kem_newhope.md +++ b/docs/algorithms/kem_newhope.md @@ -23,7 +23,7 @@ Implementation -------------- - **Source of implementation:** https://github.com/PQClean/PQClean -- **Implementation version:** https://github.com/PQClean/PQClean/commit/7729c76b3e41c1bbecafdf9c05efdcfe5e9b2f52 +- **Implementation version:** https://github.com/PQClean/PQClean/commit/6de728361e33ad3a5a6997e0896ff9fe8e44a999 - **License:** Public domain - **Language:** C - **Constant-time:** Yes diff --git a/docs/algorithms/kem_ntru.md b/docs/algorithms/kem_ntru.md index fa0e80512..774772838 100644 --- a/docs/algorithms/kem_ntru.md +++ b/docs/algorithms/kem_ntru.md @@ -24,7 +24,7 @@ Implementation -------------- - **Source of implementation:** NIST Round 2 submission, via https://github.com/PQClean/PQClean -- **Implementation version:** https://github.com/PQClean/PQClean/commit/7729c76b3e41c1bbecafdf9c05efdcfe5e9b2f52 +- **Implementation version:** https://github.com/PQClean/PQClean/commit/6de728361e33ad3a5a6997e0896ff9fe8e44a999 - **License:** Public domain - **Language:** C - **Architectures supported in liboqs master branch**: x86, x64 diff --git a/docs/algorithms/kem_saber.md b/docs/algorithms/kem_saber.md index e2b05b9c8..aa3376ef3 100644 --- a/docs/algorithms/kem_saber.md +++ b/docs/algorithms/kem_saber.md @@ -25,7 +25,7 @@ Implementation -------------- - **Source of implementation:** https://github.com/PQClean/PQClean/ based on https://github.com/KULeuven-COSIC/SABER/commit/14ede83f1ff3bcc41f0464543542366c68b55871 -- **Implementation version:** https://github.com/PQClean/PQClean/commit/7729c76b3e41c1bbecafdf9c05efdcfe5e9b2f52 +- **Implementation version:** https://github.com/PQClean/PQClean/commit/6de728361e33ad3a5a6997e0896ff9fe8e44a999 - **License:** Public domain - **Language:** C - **Constant-time:** Yes diff --git a/docs/algorithms/kem_threebears.md b/docs/algorithms/kem_threebears.md index a9ad3aa68..7b7497e16 100644 --- a/docs/algorithms/kem_threebears.md +++ b/docs/algorithms/kem_threebears.md @@ -27,8 +27,8 @@ Parameter sets Implementation -------------- -- **Source of implementation:** https://github.com/PQClean/PQClean/commit/dcad0bd878eb32d60e3296628c5267ecc401064c -- **Implementation version:** https://sourceforge.net/p/threebears/code/ci/f4ce0ebfc84a5e01a75bfc8297b6d175e993cfa4/ +- **Source of implementation:** https://sourceforge.net/p/threebears/code/ci/f4ce0ebfc84a5e01a75bfc8297b6d175e993cfa4/ +- **Implementation version:** https://github.com/PQClean/PQClean/commit/6de728361e33ad3a5a6997e0896ff9fe8e44a999 - **License:** MIT License - **Language:** C - **Constant-time:** Yes diff --git a/docs/algorithms/sig_dilithium.md b/docs/algorithms/sig_dilithium.md index a41a7948c..95a43996b 100644 --- a/docs/algorithms/sig_dilithium.md +++ b/docs/algorithms/sig_dilithium.md @@ -26,7 +26,7 @@ Implementation -------------- - **Source of implementation:** https://github.com/PQClean/PQClean -- **Implementation version:** https://github.com/PQClean/PQClean/commit/7729c76b3e41c1bbecafdf9c05efdcfe5e9b2f52 +- **Implementation version:** https://github.com/PQClean/PQClean/commit/6de728361e33ad3a5a6997e0896ff9fe8e44a999 - **License:** public domain - **Language:** C - **Constant-time:** Yes diff --git a/docs/algorithms/sig_mqdss.md b/docs/algorithms/sig_mqdss.md index c68d65841..4632f37cb 100644 --- a/docs/algorithms/sig_mqdss.md +++ b/docs/algorithms/sig_mqdss.md @@ -24,7 +24,7 @@ Implementation -------------- - **Source of implementation:** https://github.com/PQClean/PQClean, originally from https://github.com/joostrijneveld/MQDSS/commit/0c64d4d67a37051c1299a3049a5bb8984ca27ecc -- **Implementation version:** https://github.com/PQClean/PQClean/commit/7729c76b3e41c1bbecafdf9c05efdcfe5e9b2f52 +- **Implementation version:** https://github.com/PQClean/PQClean/commit/6de728361e33ad3a5a6997e0896ff9fe8e44a999 - **License:** CC0 1.0 Universal - **Language:** C - **Constant-time:** Yes diff --git a/docs/algorithms/sig_sphincs.md b/docs/algorithms/sig_sphincs.md index 65c5794fb..994c0a1d0 100644 --- a/docs/algorithms/sig_sphincs.md +++ b/docs/algorithms/sig_sphincs.md @@ -58,7 +58,7 @@ Implementation -------------- - **Source of implementation:** https://github.com/PQClean/PQClean -- **Implementation version:** https://github.com/PQClean/PQClean/commit/7729c76b3e41c1bbecafdf9c05efdcfe5e9b2f52 +- **Implementation version:** https://github.com/PQClean/PQClean/commit/6de728361e33ad3a5a6997e0896ff9fe8e44a999 - **License:** CC0 1.0 Universal - **Language:** C - **Constant-time:** Yes diff --git a/src/common/pqclean_shims/fips202.h b/src/common/pqclean_shims/fips202.h index cfd5a3b8d..a7c237072 100644 --- a/src/common/pqclean_shims/fips202.h +++ b/src/common/pqclean_shims/fips202.h @@ -8,32 +8,55 @@ #define shake128ctx OQS_SHA3_shake128_ctx #define shake128_absorb OQS_SHA3_shake128_absorb #define shake128_squeezeblocks OQS_SHA3_shake128_squeezeblocks +#define shake128_ctx_release OQS_SHA3_shake128_ctx_release +#define shake128_ctx_clone OQS_SHA3_shake128_ctx_clone #define SHAKE256_RATE OQS_SHA3_SHAKE256_RATE #define shake256 OQS_SHA3_shake256 #define shake256ctx OQS_SHA3_shake256_ctx #define shake256_absorb OQS_SHA3_shake256_absorb #define shake256_squeezeblocks OQS_SHA3_shake256_squeezeblocks +#define shake256_ctx_release OQS_SHA3_shake256_ctx_release +#define shake256_ctx_clone OQS_SHA3_shake256_ctx_clone #define SHA3_256_RATE OQS_SHA3_SHA3_256_RATE #define sha3_256 OQS_SHA3_sha3_256 +#define sha3_256_inc_init OQS_SHA3_sha3_256_inc_init +#define sha3_256_inc_absorb OQS_SHA3_sha3_256_inc_absorb +#define sha3_256_inc_finalize OQS_SHA3_sha3_256_inc_finalize +#define sha3_256_inc_ctx_clone OQS_SHA3_sha3_256_inc_ctx_clone +#define sha3_256_inc_ctx_release OQS_SHA3_sha3_256_inc_ctx_release #define SHA3_384_RATE OQS_SHA3_SHA3_384_RATE #define sha3_384 OQS_SHA3_sha3_384 +#define sha3_384_inc_init OQS_SHA3_sha3_384_inc_init +#define sha3_384_inc_absorb OQS_SHA3_sha3_384_inc_absorb +#define sha3_384_inc_finalize OQS_SHA3_sha3_384_inc_finalize +#define sha3_384_inc_ctx_clone OQS_SHA3_sha3_384_inc_ctx_clone +#define sha3_384_inc_ctx_release OQS_SHA3_sha3_384_inc_ctx_release #define SHA3_512_RATE OQS_SHA3_SHA3_512_RATE #define sha3_512 OQS_SHA3_sha3_512 +#define sha3_512_inc_init OQS_SHA3_sha3_512_inc_init +#define sha3_512_inc_absorb OQS_SHA3_sha3_512_inc_absorb +#define sha3_512_inc_finalize OQS_SHA3_sha3_512_inc_finalize +#define sha3_512_inc_ctx_clone OQS_SHA3_sha3_512_inc_ctx_clone +#define sha3_512_inc_ctx_release OQS_SHA3_sha3_512_inc_ctx_release #define shake128incctx OQS_SHA3_shake128_inc_ctx #define shake128_inc_init OQS_SHA3_shake128_inc_init #define shake128_inc_absorb OQS_SHA3_shake128_inc_absorb #define shake128_inc_finalize OQS_SHA3_shake128_inc_finalize #define shake128_inc_squeeze OQS_SHA3_shake128_inc_squeeze +#define shake128_inc_ctx_release OQS_SHA3_shake128_inc_ctx_release +#define shake128_inc_ctx_clone OQS_SHA3_shake128_inc_ctx_clone #define shake256incctx OQS_SHA3_shake256_inc_ctx #define shake256_inc_init OQS_SHA3_shake256_inc_init #define shake256_inc_absorb OQS_SHA3_shake256_inc_absorb #define shake256_inc_finalize OQS_SHA3_shake256_inc_finalize #define shake256_inc_squeeze OQS_SHA3_shake256_inc_squeeze +#define shake256_inc_ctx_release OQS_SHA3_shake256_inc_ctx_release +#define shake256_inc_ctx_clone OQS_SHA3_shake256_inc_ctx_clone #endif diff --git a/src/common/pqclean_shims/sha2.h b/src/common/pqclean_shims/sha2.h index 215ca372e..8a41941f7 100644 --- a/src/common/pqclean_shims/sha2.h +++ b/src/common/pqclean_shims/sha2.h @@ -7,12 +7,25 @@ #define sha384 OQS_SHA2_sha384 #define sha512 OQS_SHA2_sha512 -typedef void *sha256ctx; - +#define sha256ctx OQS_SHA2_sha256_ctx #define sha256_inc_init OQS_SHA2_sha256_inc_init -#define sha256_inc_blocks(state, in, inblocks) OQS_SHA2_sha256_inc_blocks(*(state), in, inblocks) -#define sha256_inc_finalize(out, state, in, inlen) OQS_SHA2_sha256_inc_finalize(out, *(state), in, inlen) -#define sha256_inc_destroy(state) OQS_SHA2_sha256_inc_destroy(*(state)) -#define sha256_inc_clone_state(stateout, statein) OQS_SHA2_sha256_inc_clone_state(stateout, *(statein)) +#define sha256_inc_ctx_clone OQS_SHA2_sha256_inc_ctx_clone +#define sha256_inc_ctx_release OQS_SHA2_sha256_inc_ctx_release +#define sha256_inc_blocks OQS_SHA2_sha256_inc_blocks +#define sha256_inc_finalize OQS_SHA2_sha256_inc_finalize + +#define sha384ctx OQS_SHA2_sha384_ctx +#define sha384_inc_init OQS_SHA2_sha384_inc_init +#define sha384_inc_ctx_clone OQS_SHA2_sha384_inc_ctx_clone +#define sha384_inc_ctx_release OQS_SHA2_sha384_inc_ctx_release +#define sha384_inc_blocks OQS_SHA2_sha384_inc_blocks +#define sha384_inc_finalize OQS_SHA2_sha384_inc_finalize + +#define sha512ctx OQS_SHA2_sha512_ctx +#define sha512_inc_init OQS_SHA2_sha512_inc_init +#define sha512_inc_ctx_clone OQS_SHA2_sha512_inc_ctx_clone +#define sha512_inc_ctx_release OQS_SHA2_sha512_inc_ctx_release +#define sha512_inc_blocks OQS_SHA2_sha512_inc_blocks +#define sha512_inc_finalize OQS_SHA2_sha512_inc_finalize #endif diff --git a/src/common/pqclean_shims/sp800-185.h b/src/common/pqclean_shims/sp800-185.h index e9d2071ae..2374e9924 100644 --- a/src/common/pqclean_shims/sp800-185.h +++ b/src/common/pqclean_shims/sp800-185.h @@ -10,12 +10,16 @@ #define cshake128_inc_absorb OQS_SHA3_cshake128_inc_absorb #define cshake128_inc_finalize OQS_SHA3_cshake128_inc_finalize #define cshake128_inc_squeeze OQS_SHA3_cshake128_inc_squeeze +#define cshake128_inc_ctx_release OQS_SHA3_cshake128_inc_ctx_release +#define cshake128_inc_ctx_clone OQS_SHA3_cshake128_inc_ctx_clone #define cshake128 OQS_SHA3_cshake128 #define cshake256_inc_init OQS_SHA3_cshake256_inc_init #define cshake256_inc_absorb OQS_SHA3_cshake256_inc_absorb #define cshake256_inc_finalize OQS_SHA3_cshake256_inc_finalize #define cshake256_inc_squeeze OQS_SHA3_cshake256_inc_squeeze +#define cshake256_inc_ctx_release OQS_SHA3_cshake256_inc_ctx_release +#define cshake256_inc_ctx_clone OQS_SHA3_cshake256_inc_ctx_clone #define cshake256 OQS_SHA3_cshake256 #endif diff --git a/src/crypto/aes/aes_ossl.c b/src/crypto/aes/aes_ossl.c index b3e4f2c6f..7ffee1bb7 100644 --- a/src/crypto/aes/aes_ossl.c +++ b/src/crypto/aes/aes_ossl.c @@ -92,7 +92,7 @@ void OQS_AES256_load_schedule(const uint8_t *key, void **schedule, int for_encry void OQS_AES256_free_schedule(void *schedule) { // actually same code as AES 128 - return OQS_AES128_free_schedule(schedule); + OQS_AES128_free_schedule(schedule); } void OQS_AES256_ECB_enc(const uint8_t *plaintext, const size_t plaintext_len, const uint8_t *key, uint8_t *ciphertext) { @@ -111,12 +111,12 @@ void OQS_AES256_ECB_dec(const uint8_t *ciphertext, const size_t ciphertext_len, void OQS_AES256_ECB_enc_sch(const uint8_t *plaintext, const size_t plaintext_len, const void *schedule, uint8_t *ciphertext) { // actually same code as AES 128 - return OQS_AES128_ECB_enc_sch(plaintext, plaintext_len, schedule, ciphertext); + OQS_AES128_ECB_enc_sch(plaintext, plaintext_len, schedule, ciphertext); } void OQS_AES256_ECB_dec_sch(const uint8_t *ciphertext, const size_t ciphertext_len, const void *schedule, uint8_t *plaintext) { // actually same code as AES 128 - return OQS_AES128_ECB_dec_sch(ciphertext, ciphertext_len, schedule, plaintext); + OQS_AES128_ECB_dec_sch(ciphertext, ciphertext_len, schedule, plaintext); } void OQS_AES256_CTR_sch(const uint8_t *iv, size_t iv_len, const void *schedule, uint8_t *out, size_t out_len) { diff --git a/src/crypto/sha2/sha2.h b/src/crypto/sha2/sha2.h index ef01a60a6..486a03085 100644 --- a/src/crypto/sha2/sha2.h +++ b/src/crypto/sha2/sha2.h @@ -31,58 +31,44 @@ extern "C" { */ void OQS_SHA2_sha256(uint8_t *output, const uint8_t *input, size_t inplen); -/** - * \brief Process a message with SHA-384 and return the hash code in the output byte array. - * - * \warning The output array must be at least 48 bytes in length. - * - * \param output The output byte array - * \param input The message input byte array - * \param inplen The number of message bytes to process - */ -void OQS_SHA2_sha384(uint8_t *output, const uint8_t *input, size_t inplen); - -/** - * \brief Process a message with SHA-512 and return the hash code in the output byte array. - * - * \warning The output array must be at least 64 bytes in length. - * - * \param output The output byte array - * \param input The message input byte array - * \param inplen The number of message bytes to process - */ -void OQS_SHA2_sha512(uint8_t *output, const uint8_t *input, size_t inplen); +/** Data structure for the state of the SHA-256 incremental hashing API. */ +typedef struct { + /** Internal state */ + void *ctx; +} OQS_SHA2_sha256_ctx; /** * \brief Allocate and initialize the state for the SHA-256 incremental hashing API. * - * \warning The state must be released by the OQS_SHA2_sha256_inc_finalize function. + * \warning The state must be released by OQS_SHA2_sha256_inc_finalize + * or OQS_SHA2_sha256_inc_ctx_release. * * \param state Pointer to the state */ -void OQS_SHA2_sha256_inc_init(void **state); +void OQS_SHA2_sha256_inc_init(OQS_SHA2_sha256_ctx *state); /** * \brief Duplicate state for the SHA-256 incremental hashing API. * - * \warning The new stateout must be released by the OQS_SHA2_sha256_inc_destroy - * function or the OQS_SHA2_sha256_inc_finalize function.. + * \warning dest must be allocated by the caller. Caller is responsible + * for releasing dest by calling either OQS_SHA3_sha3_256_inc_finalize or + * OQS_SHA3_sha3_256_inc_ctx_release. * - * \param stateout Pointer to the duplicated state - * \param statein The state to duplicate + * \param dest The function state to copy into; must be initialized + * \param src The function state to copy; must be initialized */ -void OQS_SHA2_sha256_inc_clone_state(void **stateout, const void *statein); +void OQS_SHA2_sha256_inc_ctx_clone(OQS_SHA2_sha256_ctx *dest, const OQS_SHA2_sha256_ctx *src); /** * \brief Process blocks with SHA-256 and update the state. * - * \warning The state must be initialized by OQS_SHA2_sha256_inc_init or OQS_SHA2_sha256_inc_clone_state. + * \warning The state must be initialized by OQS_SHA2_sha256_inc_init or OQS_SHA2_sha256_inc_ctx_clone. * * \param state The state to update * \param in Message input byte array * \param inblocks The number of blocks of message bytes to process */ -void OQS_SHA2_sha256_inc_blocks(void *state, const uint8_t *in, size_t inblocks); +void OQS_SHA2_sha256_inc_blocks(OQS_SHA2_sha256_ctx *state, const uint8_t *in, size_t inblocks); /** * \brief Process more message bytes with SHA-256 and return the hash code in the output byte array. @@ -96,7 +82,7 @@ void OQS_SHA2_sha256_inc_blocks(void *state, const uint8_t *in, size_t inblocks) * \param in Additional message input byte array * \param inlen The number of additional message bytes to process */ -void OQS_SHA2_sha256_inc_finalize(uint8_t *out, void *state, const uint8_t *in, size_t inlen); +void OQS_SHA2_sha256_inc_finalize(uint8_t *out, OQS_SHA2_sha256_ctx *state, const uint8_t *in, size_t inlen); /** * \brief Destroy state. @@ -106,7 +92,155 @@ void OQS_SHA2_sha256_inc_finalize(uint8_t *out, void *state, const uint8_t *in, * * \param state The state */ -void OQS_SHA2_sha256_inc_destroy(void *state); +void OQS_SHA2_sha256_inc_ctx_release(OQS_SHA2_sha256_ctx *state); + +/** + * \brief Process a message with SHA-384 and return the hash code in the output byte array. + * + * \warning The output array must be at least 48 bytes in length. + * + * \param output The output byte array + * \param input The message input byte array + * \param inplen The number of message bytes to process + */ +void OQS_SHA2_sha384(uint8_t *output, const uint8_t *input, size_t inplen); + +/** Data structure for the state of the SHA-384 incremental hashing API. */ +typedef struct { + /** Internal state. */ + void *ctx; +} OQS_SHA2_sha384_ctx; + +/** + * \brief Allocate and initialize the state for the SHA-384 incremental hashing API. + * + * \warning The state must be released by OQS_SHA2_sha384_inc_finalize + * or OQS_SHA2_sha384_inc_ctx_release. + * + * \param state Pointer to the state + */ +void OQS_SHA2_sha384_inc_init(OQS_SHA2_sha384_ctx *state); + +/** + * \brief Duplicate state for the SHA-384 incremental hashing API. + * + * \warning dest must be allocated by the caller. Caller is responsible + * for releasing dest by calling either OQS_SHA3_sha3_384_inc_finalize or + * OQS_SHA3_sha3_384_inc_ctx_release. + * + * \param dest The function state to copy into; must be initialized + * \param src The function state to copy; must be initialized + */ +void OQS_SHA2_sha384_inc_ctx_clone(OQS_SHA2_sha384_ctx *dest, const OQS_SHA2_sha384_ctx *src); + +/** + * \brief Process blocks with SHA-384 and update the state. + * + * \warning The state must be initialized by OQS_SHA2_sha384_inc_init or OQS_SHA2_sha384_inc_ctx_clone. + * + * \param state The state to update + * \param in Message input byte array + * \param inblocks The number of blocks of message bytes to process + */ +void OQS_SHA2_sha384_inc_blocks(OQS_SHA2_sha384_ctx *state, const uint8_t *in, size_t inblocks); + +/** + * \brief Process more message bytes with SHA-384 and return the hash code in the output byte array. + * + * \warning The output array must be at least 48 bytes in length. The state is + * deallocated by this function and can not be used again after calling + * this function without calling OQS_SHA2_sha384_inc_init again. + * + * \param out The output byte array + * \param state The state + * \param in Additional message input byte array + * \param inlen The number of additional message bytes to process + */ +void OQS_SHA2_sha384_inc_finalize(uint8_t *out, OQS_SHA2_sha384_ctx *state, const uint8_t *in, size_t inlen); + +/** + * \brief Destroy state. + * + * \warning The state is deallocated by this function and can not be used again after calling + * this function without calling OQS_SHA2_sha384_inc_init again. + * + * \param state The state + */ +void OQS_SHA2_sha384_inc_ctx_release(OQS_SHA2_sha384_ctx *state); + +/** + * \brief Process a message with SHA-512 and return the hash code in the output byte array. + * + * \warning The output array must be at least 64 bytes in length. + * + * \param output The output byte array + * \param input The message input byte array + * \param inplen The number of message bytes to process + */ +void OQS_SHA2_sha512(uint8_t *output, const uint8_t *input, size_t inplen); + +/** Data structure for the state of the SHA-512 incremental hashing API. */ +typedef struct { + /** Internal state. */ + void *ctx; +} OQS_SHA2_sha512_ctx; + +/** + * \brief Allocate and initialize the state for the SHA-512 incremental hashing API. + * + * \warning The state must be released by OQS_SHA2_sha512_inc_finalize + * or OQS_SHA2_sha512_inc_ctx_release. + * + * \param state Pointer to the state + */ +void OQS_SHA2_sha512_inc_init(OQS_SHA2_sha512_ctx *state); + +/** + * \brief Duplicate state for the SHA-512 incremental hashing API. + * + * \warning dest must be allocated by the caller. Caller is responsible + * for releasing dest by calling either OQS_SHA3_sha3_512_inc_finalize or + * OQS_SHA3_sha3_512_inc_ctx_release. + * + * \param dest The function state to copy into; must be initialized + * \param src The function state to copy; must be initialized + */ +void OQS_SHA2_sha512_inc_ctx_clone(OQS_SHA2_sha512_ctx *dest, const OQS_SHA2_sha512_ctx *src); + +/** + * \brief Process blocks with SHA-512 and update the state. + * + * \warning The state must be initialized by OQS_SHA2_sha512_inc_init or OQS_SHA2_sha512_inc_ctx_clone. + * + * \param state The state to update + * \param in Message input byte array + * \param inblocks The number of blocks of message bytes to process + */ +void OQS_SHA2_sha512_inc_blocks(OQS_SHA2_sha512_ctx *state, const uint8_t *in, size_t inblocks); + +/** + * \brief Process more message bytes with SHA-512 and return the hash code in the output byte array. + * + * \warning The output array must be at least 64 bytes in length. The state is + * deallocated by this function and can not be used again after calling + * this function without calling OQS_SHA2_sha512_inc_init again. + * + * \param out The output byte array + * \param state The state + * \param in Additional message input byte array + * \param inlen The number of additional message bytes to process + */ +void OQS_SHA2_sha512_inc_finalize(uint8_t *out, OQS_SHA2_sha512_ctx *state, const uint8_t *in, size_t inlen); + +/** + * \brief Destroy state. + * + * \warning The state is deallocated by this function and can not be used again after calling + * this function without calling OQS_SHA2_sha512_inc_init again. + * + * \param state The state + */ +void OQS_SHA2_sha512_inc_ctx_release(OQS_SHA2_sha512_ctx *state); #if defined(__cplusplus) } // extern "C" diff --git a/src/crypto/sha2/sha2_c.c b/src/crypto/sha2/sha2_c.c index 19c3c63a8..82b271038 100644 --- a/src/crypto/sha2/sha2_c.c +++ b/src/crypto/sha2/sha2_c.c @@ -2,12 +2,56 @@ #include "sha2.h" +#define PQC_SHA256CTX_BYTES 40 +#define PQC_SHA512CTX_BYTES 72 + +typedef struct { + uint8_t *ctx; +} sha224ctx; +#define sha224_inc_init oqs_sha2_sha224_inc_init +#define sha224_inc_ctx_clone oqs_sha2_sha224_inc_ctx_clone +#define sha224_inc_ctx_release oqs_sha2_sha224_inc_ctx_release +#define sha224_inc_blocks oqs_sha2_sha224_inc_blocks +#define sha224_inc_finalize oqs_sha2_sha224_inc_finalize +#define sha224 oqs_sha2_sha224 + +typedef struct { + uint8_t *ctx; +} sha256ctx; +#define sha256_inc_init oqs_sha2_sha256_inc_init +#define sha256_inc_ctx_clone oqs_sha2_sha256_inc_ctx_clone +#define sha256_inc_ctx_release oqs_sha2_sha256_inc_ctx_release +#define sha256_inc_blocks oqs_sha2_sha256_inc_blocks +#define sha256_inc_finalize oqs_sha2_sha256_inc_finalize +#define sha256 OQS_SHA2_sha256 + +typedef struct { + uint8_t *ctx; +} sha384ctx; +#define sha384_inc_init oqs_sha2_sha384_inc_init +#define sha384_inc_ctx_clone oqs_sha2_sha384_inc_ctx_clone +#define sha384_inc_ctx_release oqs_sha2_sha384_inc_ctx_release +#define sha384_inc_blocks oqs_sha2_sha384_inc_blocks +#define sha384_inc_finalize oqs_sha2_sha384_inc_finalize +#define sha384 OQS_SHA2_sha384 + +typedef struct { + uint8_t *ctx; +} sha512ctx; +#define sha512_inc_init oqs_sha2_sha512_inc_init +#define sha512_inc_ctx_clone oqs_sha2_sha512_inc_ctx_clone +#define sha512_inc_ctx_release oqs_sha2_sha512_inc_ctx_release +#define sha512_inc_blocks oqs_sha2_sha512_inc_blocks +#define sha512_inc_finalize oqs_sha2_sha512_inc_finalize +#define sha512 OQS_SHA2_sha512 + /* Based on the public domain implementation in * crypto_hash/sha512/ref/ from http://bench.cr.yp.to/supercop.html * by D. J. Bernstein */ #include #include +#include #include static uint32_t load_bigendian_32(const uint8_t *x) { @@ -57,10 +101,10 @@ static void store_bigendian_64(uint8_t *x, uint64_t u) { #define Ch(x, y, z) (((x) & (y)) ^ (~(x) & (z))) #define Maj(x, y, z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z))) -#define Sigma0_32(x) (ROTR_32(x, 2) ^ ROTR_32(x, 13) ^ ROTR_32(x, 22)) -#define Sigma1_32(x) (ROTR_32(x, 6) ^ ROTR_32(x, 11) ^ ROTR_32(x, 25)) -#define sigma0_32(x) (ROTR_32(x, 7) ^ ROTR_32(x, 18) ^ SHR(x, 3)) -#define sigma1_32(x) (ROTR_32(x, 17) ^ ROTR_32(x, 19) ^ SHR(x, 10)) +#define Sigma0_32(x) (ROTR_32(x, 2) ^ ROTR_32(x,13) ^ ROTR_32(x,22)) +#define Sigma1_32(x) (ROTR_32(x, 6) ^ ROTR_32(x,11) ^ ROTR_32(x,25)) +#define sigma0_32(x) (ROTR_32(x, 7) ^ ROTR_32(x,18) ^ SHR(x, 3)) +#define sigma1_32(x) (ROTR_32(x,17) ^ ROTR_32(x,19) ^ SHR(x,10)) #define Sigma0_64(x) (ROTR_64(x, 28) ^ ROTR_64(x, 34) ^ ROTR_64(x, 39)) #define Sigma1_64(x) (ROTR_64(x, 14) ^ ROTR_64(x, 18) ^ ROTR_64(x, 41)) @@ -162,16 +206,16 @@ static size_t crypto_hashblocks_sha256(uint8_t *statebytes, state[7] = h; while (inlen >= 64) { - uint32_t w0 = load_bigendian_32(in + 0); - uint32_t w1 = load_bigendian_32(in + 4); - uint32_t w2 = load_bigendian_32(in + 8); - uint32_t w3 = load_bigendian_32(in + 12); - uint32_t w4 = load_bigendian_32(in + 16); - uint32_t w5 = load_bigendian_32(in + 20); - uint32_t w6 = load_bigendian_32(in + 24); - uint32_t w7 = load_bigendian_32(in + 28); - uint32_t w8 = load_bigendian_32(in + 32); - uint32_t w9 = load_bigendian_32(in + 36); + uint32_t w0 = load_bigendian_32(in + 0); + uint32_t w1 = load_bigendian_32(in + 4); + uint32_t w2 = load_bigendian_32(in + 8); + uint32_t w3 = load_bigendian_32(in + 12); + uint32_t w4 = load_bigendian_32(in + 16); + uint32_t w5 = load_bigendian_32(in + 20); + uint32_t w6 = load_bigendian_32(in + 24); + uint32_t w7 = load_bigendian_32(in + 28); + uint32_t w8 = load_bigendian_32(in + 32); + uint32_t w9 = load_bigendian_32(in + 36); uint32_t w10 = load_bigendian_32(in + 40); uint32_t w11 = load_bigendian_32(in + 44); uint32_t w12 = load_bigendian_32(in + 48); @@ -463,6 +507,13 @@ static size_t crypto_hashblocks_sha512(uint8_t *statebytes, return inlen; } +static const uint8_t iv_224[32] = { + 0xc1, 0x05, 0x9e, 0xd8, 0x36, 0x7c, 0xd5, 0x07, + 0x30, 0x70, 0xdd, 0x17, 0xf7, 0x0e, 0x59, 0x39, + 0xff, 0xc0, 0x0b, 0x31, 0x68, 0x58, 0x15, 0x11, + 0x64, 0xf9, 0x8f, 0xa7, 0xbe, 0xfa, 0x4f, 0xa4 +}; + static const uint8_t iv_256[32] = { 0x6a, 0x09, 0xe6, 0x67, 0xbb, 0x67, 0xae, 0x85, 0x3c, 0x6e, 0xf3, 0x72, 0xa5, 0x4f, 0xf5, 0x3a, @@ -488,21 +539,24 @@ static const uint8_t iv_512[64] = { 0x6b, 0x5b, 0xe0, 0xcd, 0x19, 0x13, 0x7e, 0x21, 0x79 }; -typedef struct { - uint8_t ctx[40]; -} sha256ctx; +void sha224_inc_init(sha224ctx *state) { + state->ctx = malloc(PQC_SHA256CTX_BYTES); + if (state->ctx == NULL) { + exit(111); + } + for (size_t i = 0; i < 32; ++i) { + state->ctx[i] = iv_224[i]; + } + for (size_t i = 32; i < 40; ++i) { + state->ctx[i] = 0; + } +} -typedef struct { - uint8_t ctx[72]; -} sha384ctx; - -typedef struct { - uint8_t ctx[72]; -} sha512ctx; - -void OQS_SHA2_sha256_inc_init(void **_state) { - *_state = malloc(sizeof(sha256ctx)); - sha256ctx *state = (sha256ctx *) (*_state); +void sha256_inc_init(sha256ctx *state) { + state->ctx = malloc(PQC_SHA256CTX_BYTES); + if (state->ctx == NULL) { + exit(111); + } for (size_t i = 0; i < 32; ++i) { state->ctx[i] = iv_256[i]; } @@ -511,7 +565,11 @@ void OQS_SHA2_sha256_inc_init(void **_state) { } } -static void sha384_inc_init(sha384ctx *state) { +void sha384_inc_init(sha384ctx *state) { + state->ctx = malloc(PQC_SHA512CTX_BYTES); + if (state->ctx == NULL) { + exit(111); + } for (size_t i = 0; i < 64; ++i) { state->ctx[i] = iv_384[i]; } @@ -520,7 +578,11 @@ static void sha384_inc_init(sha384ctx *state) { } } -static void sha512_inc_init(sha512ctx *state) { +void sha512_inc_init(sha512ctx *state) { + state->ctx = malloc(PQC_SHA512CTX_BYTES); + if (state->ctx == NULL) { + exit(111); + } for (size_t i = 0; i < 64; ++i) { state->ctx[i] = iv_512[i]; } @@ -529,15 +591,59 @@ static void sha512_inc_init(sha512ctx *state) { } } -void OQS_SHA2_sha256_inc_clone_state(void **_stateout, const void *_statein) { - *_stateout = malloc(sizeof(sha256ctx)); - sha256ctx *stateout = (sha256ctx *) (*_stateout); - sha256ctx *statein = (sha256ctx *) _statein; - memcpy(stateout->ctx, statein->ctx, 40); +void sha224_inc_ctx_clone(sha224ctx *stateout, const sha224ctx *statein) { + stateout->ctx = malloc(PQC_SHA256CTX_BYTES); + if (stateout->ctx == NULL) { + exit(111); + } + memcpy(stateout->ctx, statein->ctx, PQC_SHA256CTX_BYTES); } -void OQS_SHA2_sha256_inc_blocks(void *_state, const uint8_t *in, size_t inblocks) { - sha256ctx *state = (sha256ctx *) _state; +void sha256_inc_ctx_clone(sha256ctx *stateout, const sha256ctx *statein) { + stateout->ctx = malloc(PQC_SHA256CTX_BYTES); + if (stateout->ctx == NULL) { + exit(111); + } + memcpy(stateout->ctx, statein->ctx, PQC_SHA256CTX_BYTES); +} + +void sha384_inc_ctx_clone(sha384ctx *stateout, const sha384ctx *statein) { + stateout->ctx = malloc(PQC_SHA512CTX_BYTES); + if (stateout->ctx == NULL) { + exit(111); + } + memcpy(stateout->ctx, statein->ctx, PQC_SHA512CTX_BYTES); +} + +void sha512_inc_ctx_clone(sha512ctx *stateout, const sha512ctx *statein) { + stateout->ctx = malloc(PQC_SHA512CTX_BYTES); + if (stateout->ctx == NULL) { + exit(111); + } + memcpy(stateout->ctx, statein->ctx, PQC_SHA512CTX_BYTES); +} + +/* Destroy the hash state. */ +void sha224_inc_ctx_release(sha224ctx *state) { + free(state->ctx); // IGNORE free-check +} + +/* Destroy the hash state. */ +void sha256_inc_ctx_release(sha256ctx *state) { + free(state->ctx); // IGNORE free-check +} + +/* Destroy the hash state. */ +void sha384_inc_ctx_release(sha384ctx *state) { + free(state->ctx); // IGNORE free-check +} + +/* Destroy the hash state. */ +void sha512_inc_ctx_release(sha512ctx *state) { + free(state->ctx); // IGNORE free-check +} + +void sha256_inc_blocks(sha256ctx *state, const uint8_t *in, size_t inblocks) { uint64_t bytes = load_bigendian_64(state->ctx + 32); crypto_hashblocks_sha256(state->ctx, in, 64 * inblocks); @@ -546,8 +652,24 @@ void OQS_SHA2_sha256_inc_blocks(void *_state, const uint8_t *in, size_t inblocks store_bigendian_64(state->ctx + 32, bytes); } -void OQS_SHA2_sha256_inc_finalize(uint8_t *out, void *_state, const uint8_t *in, size_t inlen) { - sha256ctx *state = (sha256ctx *) _state; +void sha224_inc_blocks(sha224ctx *state, const uint8_t *in, size_t inblocks) { + sha256_inc_blocks((sha256ctx *) state, in, inblocks); +} + +void sha512_inc_blocks(sha512ctx *state, const uint8_t *in, size_t inblocks) { + uint64_t bytes = load_bigendian_64(state->ctx + 64); + + crypto_hashblocks_sha512(state->ctx, in, 128 * inblocks); + bytes += 128 * inblocks; + + store_bigendian_64(state->ctx + 64, bytes); +} + +void sha384_inc_blocks(sha384ctx *state, const uint8_t *in, size_t inblocks) { + sha512_inc_blocks((sha512ctx *) state, in, inblocks); +} + +void sha256_inc_finalize(uint8_t *out, sha256ctx *state, const uint8_t *in, size_t inlen) { uint8_t padded[128]; uint64_t bytes = load_bigendian_64(state->ctx + 32) + inlen; @@ -565,41 +687,46 @@ void OQS_SHA2_sha256_inc_finalize(uint8_t *out, void *_state, const uint8_t *in, for (size_t i = inlen + 1; i < 56; ++i) { padded[i] = 0; } - padded[56] = (uint8_t)(bytes >> 53); - padded[57] = (uint8_t)(bytes >> 45); - padded[58] = (uint8_t)(bytes >> 37); - padded[59] = (uint8_t)(bytes >> 29); - padded[60] = (uint8_t)(bytes >> 21); - padded[61] = (uint8_t)(bytes >> 13); - padded[62] = (uint8_t)(bytes >> 5); - padded[63] = (uint8_t)(bytes << 3); + padded[56] = (uint8_t) (bytes >> 53); + padded[57] = (uint8_t) (bytes >> 45); + padded[58] = (uint8_t) (bytes >> 37); + padded[59] = (uint8_t) (bytes >> 29); + padded[60] = (uint8_t) (bytes >> 21); + padded[61] = (uint8_t) (bytes >> 13); + padded[62] = (uint8_t) (bytes >> 5); + padded[63] = (uint8_t) (bytes << 3); crypto_hashblocks_sha256(state->ctx, padded, 64); } else { for (size_t i = inlen + 1; i < 120; ++i) { padded[i] = 0; } - padded[120] = (uint8_t)(bytes >> 53); - padded[121] = (uint8_t)(bytes >> 45); - padded[122] = (uint8_t)(bytes >> 37); - padded[123] = (uint8_t)(bytes >> 29); - padded[124] = (uint8_t)(bytes >> 21); - padded[125] = (uint8_t)(bytes >> 13); - padded[126] = (uint8_t)(bytes >> 5); - padded[127] = (uint8_t)(bytes << 3); + padded[120] = (uint8_t) (bytes >> 53); + padded[121] = (uint8_t) (bytes >> 45); + padded[122] = (uint8_t) (bytes >> 37); + padded[123] = (uint8_t) (bytes >> 29); + padded[124] = (uint8_t) (bytes >> 21); + padded[125] = (uint8_t) (bytes >> 13); + padded[126] = (uint8_t) (bytes >> 5); + padded[127] = (uint8_t) (bytes << 3); crypto_hashblocks_sha256(state->ctx, padded, 128); } for (size_t i = 0; i < 32; ++i) { out[i] = state->ctx[i]; } - OQS_SHA2_sha256_inc_destroy(state); + sha256_inc_ctx_release(state); } -void OQS_SHA2_sha256_inc_destroy(void *state) { - OQS_MEM_secure_free(state, sizeof(sha256ctx)); +void sha224_inc_finalize(uint8_t *out, sha224ctx *state, const uint8_t *in, size_t inlen) { + uint8_t tmp[32]; + sha256_inc_finalize(tmp, (sha256ctx *)state, in, inlen); + + for (size_t i = 0; i < 28; ++i) { + out[i] = tmp[i]; + } } -static void sha512_inc_finalize(uint8_t *out, sha512ctx *state, const uint8_t *in, size_t inlen) { +void sha512_inc_finalize(uint8_t *out, sha512ctx *state, const uint8_t *in, size_t inlen) { uint8_t padded[256]; uint64_t bytes = load_bigendian_64(state->ctx + 64) + inlen; @@ -617,62 +744,131 @@ static void sha512_inc_finalize(uint8_t *out, sha512ctx *state, const uint8_t *i for (size_t i = inlen + 1; i < 119; ++i) { padded[i] = 0; } - padded[119] = (uint8_t)(bytes >> 61); - padded[120] = (uint8_t)(bytes >> 53); - padded[121] = (uint8_t)(bytes >> 45); - padded[122] = (uint8_t)(bytes >> 37); - padded[123] = (uint8_t)(bytes >> 29); - padded[124] = (uint8_t)(bytes >> 21); - padded[125] = (uint8_t)(bytes >> 13); - padded[126] = (uint8_t)(bytes >> 5); - padded[127] = (uint8_t)(bytes << 3); + padded[119] = (uint8_t) (bytes >> 61); + padded[120] = (uint8_t) (bytes >> 53); + padded[121] = (uint8_t) (bytes >> 45); + padded[122] = (uint8_t) (bytes >> 37); + padded[123] = (uint8_t) (bytes >> 29); + padded[124] = (uint8_t) (bytes >> 21); + padded[125] = (uint8_t) (bytes >> 13); + padded[126] = (uint8_t) (bytes >> 5); + padded[127] = (uint8_t) (bytes << 3); crypto_hashblocks_sha512(state->ctx, padded, 128); } else { for (size_t i = inlen + 1; i < 247; ++i) { padded[i] = 0; } - padded[247] = (uint8_t)(bytes >> 61); - padded[248] = (uint8_t)(bytes >> 53); - padded[249] = (uint8_t)(bytes >> 45); - padded[250] = (uint8_t)(bytes >> 37); - padded[251] = (uint8_t)(bytes >> 29); - padded[252] = (uint8_t)(bytes >> 21); - padded[253] = (uint8_t)(bytes >> 13); - padded[254] = (uint8_t)(bytes >> 5); - padded[255] = (uint8_t)(bytes << 3); + padded[247] = (uint8_t) (bytes >> 61); + padded[248] = (uint8_t) (bytes >> 53); + padded[249] = (uint8_t) (bytes >> 45); + padded[250] = (uint8_t) (bytes >> 37); + padded[251] = (uint8_t) (bytes >> 29); + padded[252] = (uint8_t) (bytes >> 21); + padded[253] = (uint8_t) (bytes >> 13); + padded[254] = (uint8_t) (bytes >> 5); + padded[255] = (uint8_t) (bytes << 3); crypto_hashblocks_sha512(state->ctx, padded, 256); } for (size_t i = 0; i < 64; ++i) { out[i] = state->ctx[i]; } + sha512_inc_ctx_release(state); } -static void sha384_inc_finalize(uint8_t *out, sha384ctx *state, const uint8_t *in, size_t inlen) { - sha512_inc_finalize(state->ctx, (sha512ctx *) state, in, inlen); +void sha384_inc_finalize(uint8_t *out, sha384ctx *state, const uint8_t *in, size_t inlen) { + uint8_t tmp[64]; + sha512_inc_finalize(tmp, (sha512ctx *)state, in, inlen); for (size_t i = 0; i < 48; ++i) { - out[i] = state->ctx[i]; + out[i] = tmp[i]; } } -void OQS_SHA2_sha256(uint8_t *out, const uint8_t *in, size_t inlen) { - sha256ctx *state = NULL; +void sha224(uint8_t *out, const uint8_t *in, size_t inlen) { + sha224ctx state; - OQS_SHA2_sha256_inc_init((void **) &state); - OQS_SHA2_sha256_inc_finalize(out, state, in, inlen); + sha224_inc_init(&state); + sha224_inc_finalize(out, &state, in, inlen); } -void OQS_SHA2_sha384(uint8_t *out, const uint8_t *in, size_t inlen) { +void sha256(uint8_t *out, const uint8_t *in, size_t inlen) { + sha256ctx state; + + sha256_inc_init(&state); + sha256_inc_finalize(out, &state, in, inlen); +} + +void sha384(uint8_t *out, const uint8_t *in, size_t inlen) { sha384ctx state; sha384_inc_init(&state); sha384_inc_finalize(out, &state, in, inlen); } -void OQS_SHA2_sha512(uint8_t *out, const uint8_t *in, size_t inlen) { +void sha512(uint8_t *out, const uint8_t *in, size_t inlen) { sha512ctx state; sha512_inc_init(&state); sha512_inc_finalize(out, &state, in, inlen); } + +void OQS_SHA2_sha256_inc_init(OQS_SHA2_sha256_ctx *state) { + oqs_sha2_sha256_inc_init((sha256ctx *) state); +} + +void OQS_SHA2_sha256_inc_ctx_clone(OQS_SHA2_sha256_ctx *dest, const OQS_SHA2_sha256_ctx *src) { + oqs_sha2_sha256_inc_ctx_clone((sha256ctx *) dest, (sha256ctx *) src); +} + +void OQS_SHA2_sha256_inc_ctx_release(OQS_SHA2_sha256_ctx *state) { + oqs_sha2_sha256_inc_ctx_release((sha256ctx *) state); +} + +void OQS_SHA2_sha256_inc_blocks(OQS_SHA2_sha256_ctx *state, const uint8_t *in, size_t inblocks) { + oqs_sha2_sha256_inc_blocks((sha256ctx *) state, in, inblocks); +} + +void OQS_SHA2_sha256_inc_finalize(uint8_t *out, OQS_SHA2_sha256_ctx *state, const uint8_t *in, size_t inlen) { + oqs_sha2_sha256_inc_finalize(out, (sha256ctx *) state, in, inlen); +} + +void OQS_SHA2_sha384_inc_init(OQS_SHA2_sha384_ctx *state) { + oqs_sha2_sha384_inc_init((sha384ctx *) state); +} + +void OQS_SHA2_sha384_inc_ctx_clone(OQS_SHA2_sha384_ctx *dest, const OQS_SHA2_sha384_ctx *src) { + oqs_sha2_sha384_inc_ctx_clone((sha384ctx *) dest, (sha384ctx *) src); +} + +void OQS_SHA2_sha384_inc_ctx_release(OQS_SHA2_sha384_ctx *state) { + oqs_sha2_sha384_inc_ctx_release((sha384ctx *) state); +} + +void OQS_SHA2_sha384_inc_blocks(OQS_SHA2_sha384_ctx *state, const uint8_t *in, size_t inblocks) { + oqs_sha2_sha384_inc_blocks((sha384ctx *) state, in, inblocks); +} + +void OQS_SHA2_sha384_inc_finalize(uint8_t *out, OQS_SHA2_sha384_ctx *state, const uint8_t *in, size_t inlen) { + oqs_sha2_sha384_inc_finalize(out, (sha384ctx *) state, in, inlen); +} + +void OQS_SHA2_sha512_inc_init(OQS_SHA2_sha512_ctx *state) { + oqs_sha2_sha512_inc_init((sha512ctx *) state); +} + +void OQS_SHA2_sha512_inc_ctx_clone(OQS_SHA2_sha512_ctx *dest, const OQS_SHA2_sha512_ctx *src) { + oqs_sha2_sha512_inc_ctx_clone((sha512ctx *) dest, (sha512ctx *) src); +} + +void OQS_SHA2_sha512_inc_ctx_release(OQS_SHA2_sha512_ctx *state) { + oqs_sha2_sha512_inc_ctx_release((sha512ctx *) state); +} + +void OQS_SHA2_sha512_inc_blocks(OQS_SHA2_sha512_ctx *state, const uint8_t *in, size_t inblocks) { + oqs_sha2_sha512_inc_blocks((sha512ctx *) state, in, inblocks); +} + +void OQS_SHA2_sha512_inc_finalize(uint8_t *out, OQS_SHA2_sha512_ctx *state, const uint8_t *in, size_t inlen) { + oqs_sha2_sha512_inc_finalize(out, (sha512ctx *) state, in, inlen); +} diff --git a/src/crypto/sha2/sha2_ossl.c b/src/crypto/sha2/sha2_ossl.c index 7fe12ca33..3564e6e5d 100644 --- a/src/crypto/sha2/sha2_ossl.c +++ b/src/crypto/sha2/sha2_ossl.c @@ -41,38 +41,102 @@ void OQS_SHA2_sha512(uint8_t *output, const uint8_t *input, size_t inplen) { do_hash(output, input, inplen, md); } -void OQS_SHA2_sha256_inc_init(void **state) { +#define SHA2_BLOCK_SIZE 64 + +void OQS_SHA2_sha256_inc_init(OQS_SHA2_sha256_ctx *state) { EVP_MD_CTX *mdctx; const EVP_MD *md = NULL; md = EVP_sha256(); assert(md != NULL); mdctx = EVP_MD_CTX_new(); EVP_DigestInit_ex(mdctx, md, NULL); - *state = mdctx; + state->ctx = mdctx; } -#define SHA2_BLOCK_SIZE 64 - -void OQS_SHA2_sha256_inc_blocks(void *state, const uint8_t *in, size_t inblocks) { - EVP_DigestUpdate((EVP_MD_CTX *) state, in, inblocks * SHA2_BLOCK_SIZE); +void OQS_SHA2_sha256_inc_blocks(OQS_SHA2_sha256_ctx *state, const uint8_t *in, size_t inblocks) { + EVP_DigestUpdate((EVP_MD_CTX *) state->ctx, in, inblocks * SHA2_BLOCK_SIZE); } -void OQS_SHA2_sha256_inc_finalize(uint8_t *out, void *state, const uint8_t *in, size_t inlen) { +void OQS_SHA2_sha256_inc_finalize(uint8_t *out, OQS_SHA2_sha256_ctx *state, const uint8_t *in, size_t inlen) { unsigned int md_len; if (inlen > 0) { - EVP_DigestUpdate((EVP_MD_CTX *) state, in, inlen); + EVP_DigestUpdate((EVP_MD_CTX *) state->ctx, in, inlen); } - EVP_DigestFinal_ex((EVP_MD_CTX *) state, out, &md_len); - EVP_MD_CTX_free((EVP_MD_CTX *) state); + EVP_DigestFinal_ex((EVP_MD_CTX *) state->ctx, out, &md_len); + EVP_MD_CTX_free((EVP_MD_CTX *) state->ctx); } -void OQS_SHA2_sha256_inc_destroy(void *state) { - EVP_MD_CTX_destroy((EVP_MD_CTX *) state); +void OQS_SHA2_sha256_inc_ctx_release(OQS_SHA2_sha256_ctx *state) { + EVP_MD_CTX_destroy((EVP_MD_CTX *) state->ctx); } -void OQS_SHA2_sha256_inc_clone_state(void **stateout, const void *statein) { - OQS_SHA2_sha256_inc_init(stateout); - EVP_MD_CTX_copy_ex(*stateout, statein); +void OQS_SHA2_sha256_inc_ctx_clone(OQS_SHA2_sha256_ctx *dest, const OQS_SHA2_sha256_ctx *src) { + OQS_SHA2_sha256_inc_init(dest); + EVP_MD_CTX_copy_ex((EVP_MD_CTX *) dest->ctx, (EVP_MD_CTX *) src->ctx); +} + +void OQS_SHA2_sha384_inc_init(OQS_SHA2_sha384_ctx *state) { + EVP_MD_CTX *mdctx; + const EVP_MD *md = NULL; + md = EVP_sha384(); + assert(md != NULL); + mdctx = EVP_MD_CTX_new(); + EVP_DigestInit_ex(mdctx, md, NULL); + state->ctx = mdctx; +} + +void OQS_SHA2_sha384_inc_blocks(OQS_SHA2_sha384_ctx *state, const uint8_t *in, size_t inblocks) { + EVP_DigestUpdate((EVP_MD_CTX *) state->ctx, in, inblocks * SHA2_BLOCK_SIZE); +} + +void OQS_SHA2_sha384_inc_finalize(uint8_t *out, OQS_SHA2_sha384_ctx *state, const uint8_t *in, size_t inlen) { + unsigned int md_len; + if (inlen > 0) { + EVP_DigestUpdate((EVP_MD_CTX *) state->ctx, in, inlen); + } + EVP_DigestFinal_ex((EVP_MD_CTX *) state->ctx, out, &md_len); + EVP_MD_CTX_free((EVP_MD_CTX *) state->ctx); +} + +void OQS_SHA2_sha384_inc_ctx_release(OQS_SHA2_sha384_ctx *state) { + EVP_MD_CTX_destroy((EVP_MD_CTX *) state->ctx); +} + +void OQS_SHA2_sha384_inc_ctx_clone(OQS_SHA2_sha384_ctx *dest, const OQS_SHA2_sha384_ctx *src) { + OQS_SHA2_sha384_inc_init(dest); + EVP_MD_CTX_copy_ex((EVP_MD_CTX *) dest->ctx, (EVP_MD_CTX *) src->ctx); +} + +void OQS_SHA2_sha512_inc_init(OQS_SHA2_sha512_ctx *state) { + EVP_MD_CTX *mdctx; + const EVP_MD *md = NULL; + md = EVP_sha512(); + assert(md != NULL); + mdctx = EVP_MD_CTX_new(); + EVP_DigestInit_ex(mdctx, md, NULL); + state->ctx = mdctx; +} + +void OQS_SHA2_sha512_inc_blocks(OQS_SHA2_sha512_ctx *state, const uint8_t *in, size_t inblocks) { + EVP_DigestUpdate((EVP_MD_CTX *) state->ctx, in, inblocks * SHA2_BLOCK_SIZE); +} + +void OQS_SHA2_sha512_inc_finalize(uint8_t *out, OQS_SHA2_sha512_ctx *state, const uint8_t *in, size_t inlen) { + unsigned int md_len; + if (inlen > 0) { + EVP_DigestUpdate((EVP_MD_CTX *) state->ctx, in, inlen); + } + EVP_DigestFinal_ex((EVP_MD_CTX *) state->ctx, out, &md_len); + EVP_MD_CTX_free((EVP_MD_CTX *) state->ctx); +} + +void OQS_SHA2_sha512_inc_ctx_release(OQS_SHA2_sha512_ctx *state) { + EVP_MD_CTX_destroy((EVP_MD_CTX *) state->ctx); +} + +void OQS_SHA2_sha512_inc_ctx_clone(OQS_SHA2_sha512_ctx *dest, const OQS_SHA2_sha512_ctx *src) { + OQS_SHA2_sha512_inc_init(dest); + EVP_MD_CTX_copy_ex((EVP_MD_CTX *) dest->ctx, (EVP_MD_CTX *) src->ctx); } #endif diff --git a/src/crypto/sha3/fips202.c b/src/crypto/sha3/fips202.c index dc745d271..30437e3f1 100644 --- a/src/crypto/sha3/fips202.c +++ b/src/crypto/sha3/fips202.c @@ -7,6 +7,11 @@ #include #include +#include +#include + +#define PQC_SHAKEINCCTX_BYTES (sizeof(uint64_t)*26) +#define PQC_SHAKECTX_BYTES (sizeof(uint64_t)*25) #define NROUNDS 24 #define ROL(a, offset) (((a) << (offset)) ^ ((a) >> (64 - (offset)))) @@ -23,7 +28,7 @@ static uint64_t load64(const uint8_t *x) { uint64_t r = 0; for (size_t i = 0; i < 8; ++i) { - r |= (uint64_t) x[i] << 8 * i; + r |= (uint64_t)x[i] << 8 * i; } return r; @@ -39,7 +44,7 @@ static uint64_t load64(const uint8_t *x) { **************************************************/ static void store64(uint8_t *x, uint64_t u) { for (size_t i = 0; i < 8; ++i) { - x[i] = (uint8_t)(u >> 8 * i); + x[i] = (uint8_t) (u >> 8 * i); } } @@ -439,10 +444,10 @@ static void keccak_inc_absorb(uint64_t *s_inc, uint32_t r, const uint8_t *m, /* Recall that s_inc[25] is the non-absorbed bytes xored into the state */ while (mlen + s_inc[25] >= r) { - for (i = 0; i < r - s_inc[25]; i++) { + for (i = 0; i < r - (uint32_t)s_inc[25]; i++) { /* Take the i'th byte from message xor with the s_inc[25] + i'th byte of the state; little-endian */ - s_inc[(s_inc[25] + i) >> 3] ^= (uint64_t) m[i] << (8 * ((s_inc[25] + i) & 0x07)); + s_inc[(s_inc[25] + i) >> 3] ^= (uint64_t)m[i] << (8 * ((s_inc[25] + i) & 0x07)); } mlen -= (size_t)(r - s_inc[25]); m += r - s_inc[25]; @@ -452,7 +457,7 @@ static void keccak_inc_absorb(uint64_t *s_inc, uint32_t r, const uint8_t *m, } for (i = 0; i < mlen; i++) { - s_inc[(s_inc[25] + i) >> 3] ^= (uint64_t) m[i] << (8 * ((s_inc[25] + i) & 0x07)); + s_inc[(s_inc[25] + i) >> 3] ^= (uint64_t)m[i] << (8 * ((s_inc[25] + i) & 0x07)); } s_inc[25] += mlen; } @@ -473,8 +478,8 @@ static void keccak_inc_absorb(uint64_t *s_inc, uint32_t r, const uint8_t *m, static void keccak_inc_finalize(uint64_t *s_inc, uint32_t r, uint8_t p) { /* After keccak_inc_absorb, we are guaranteed that s_inc[25] < r, so we can always use one more byte for p in the current state. */ - s_inc[s_inc[25] >> 3] ^= (uint64_t) p << (8 * (s_inc[25] & 0x07)); - s_inc[(r - 1) >> 3] ^= (uint64_t) 128 << (8 * ((r - 1) & 0x07)); + s_inc[s_inc[25] >> 3] ^= (uint64_t)p << (8 * (s_inc[25] & 0x07)); + s_inc[(r - 1) >> 3] ^= (uint64_t)128 << (8 * ((r - 1) & 0x07)); s_inc[25] = 0; } @@ -519,6 +524,10 @@ static void keccak_inc_squeeze(uint8_t *h, size_t outlen, } void shake128_inc_init(shake128incctx *state) { + state->ctx = malloc(PQC_SHAKEINCCTX_BYTES); + if (state->ctx == NULL) { + exit(111); + } keccak_inc_init(state->ctx); } @@ -534,7 +543,23 @@ void shake128_inc_squeeze(uint8_t *output, size_t outlen, shake128incctx *state) keccak_inc_squeeze(output, outlen, state->ctx, SHAKE128_RATE); } +void shake128_inc_ctx_clone(shake128incctx *dest, const shake128incctx *src) { + dest->ctx = malloc(PQC_SHAKEINCCTX_BYTES); + if (dest->ctx == NULL) { + exit(111); + } + memcpy(dest->ctx, src->ctx, PQC_SHAKEINCCTX_BYTES); +} + +void shake128_inc_ctx_release(shake128incctx *state) { + free(state->ctx); // IGNORE free-check +} + void shake256_inc_init(shake256incctx *state) { + state->ctx = malloc(PQC_SHAKEINCCTX_BYTES); + if (state->ctx == NULL) { + exit(111); + } keccak_inc_init(state->ctx); } @@ -550,6 +575,19 @@ void shake256_inc_squeeze(uint8_t *output, size_t outlen, shake256incctx *state) keccak_inc_squeeze(output, outlen, state->ctx, SHAKE256_RATE); } +void shake256_inc_ctx_clone(shake256incctx *dest, const shake256incctx *src) { + dest->ctx = malloc(PQC_SHAKEINCCTX_BYTES); + if (dest->ctx == NULL) { + exit(111); + } + memcpy(dest->ctx, src->ctx, PQC_SHAKEINCCTX_BYTES); +} + +void shake256_inc_ctx_release(shake256incctx *state) { + free(state->ctx); // IGNORE free-check +} + + /************************************************* * Name: shake128_absorb * @@ -562,6 +600,10 @@ void shake256_inc_squeeze(uint8_t *output, size_t outlen, shake256incctx *state) * - size_t inlen: length of input in bytes **************************************************/ void shake128_absorb(shake128ctx *state, const uint8_t *input, size_t inlen) { + state->ctx = malloc(PQC_SHAKECTX_BYTES); + if (state->ctx == NULL) { + exit(111); + } keccak_absorb(state->ctx, SHAKE128_RATE, input, inlen, 0x1F); } @@ -581,6 +623,19 @@ void shake128_squeezeblocks(uint8_t *output, size_t nblocks, shake128ctx *state) keccak_squeezeblocks(output, nblocks, state->ctx, SHAKE128_RATE); } +void shake128_ctx_clone(shake128ctx *dest, const shake128ctx *src) { + dest->ctx = malloc(PQC_SHAKECTX_BYTES); + if (dest->ctx == NULL) { + exit(111); + } + memcpy(dest->ctx, src->ctx, PQC_SHAKECTX_BYTES); +} + +/** Release the allocated state. Call only once. */ +void shake128_ctx_release(shake128ctx *state) { + free(state->ctx); // IGNORE free-check +} + /************************************************* * Name: shake256_absorb * @@ -593,6 +648,10 @@ void shake128_squeezeblocks(uint8_t *output, size_t nblocks, shake128ctx *state) * - size_t inlen: length of input in bytes **************************************************/ void shake256_absorb(shake256ctx *state, const uint8_t *input, size_t inlen) { + state->ctx = malloc(PQC_SHAKECTX_BYTES); + if (state->ctx == NULL) { + exit(111); + } keccak_absorb(state->ctx, SHAKE256_RATE, input, inlen, 0x1F); } @@ -612,6 +671,19 @@ void shake256_squeezeblocks(uint8_t *output, size_t nblocks, shake256ctx *state) keccak_squeezeblocks(output, nblocks, state->ctx, SHAKE256_RATE); } +void shake256_ctx_clone(shake256ctx *dest, const shake256ctx *src) { + dest->ctx = malloc(PQC_SHAKECTX_BYTES); + if (dest->ctx == NULL) { + exit(111); + } + memcpy(dest->ctx, src->ctx, PQC_SHAKECTX_BYTES); +} + +/** Release the allocated state. Call only once. */ +void shake256_ctx_release(shake256ctx *state) { + free(state->ctx); // IGNORE free-check +} + /************************************************* * Name: shake128 * @@ -640,6 +712,7 @@ void shake128(uint8_t *output, size_t outlen, output[i] = t[i]; } } + shake128_ctx_release(&s); } /************************************************* @@ -670,12 +743,29 @@ void shake256(uint8_t *output, size_t outlen, output[i] = t[i]; } } + shake256_ctx_release(&s); } void sha3_256_inc_init(sha3_256incctx *state) { + state->ctx = malloc(PQC_SHAKEINCCTX_BYTES); + if (state->ctx == NULL) { + exit(111); + } keccak_inc_init(state->ctx); } +void sha3_256_inc_ctx_clone(sha3_256incctx *dest, const sha3_256incctx *src) { + dest->ctx = malloc(PQC_SHAKEINCCTX_BYTES); + if (dest->ctx == NULL) { + exit(111); + } + memcpy(dest->ctx, src->ctx, PQC_SHAKEINCCTX_BYTES); +} + +void sha3_256_inc_ctx_release(sha3_256incctx *state) { + free(state->ctx); // IGNORE free-check +} + void sha3_256_inc_absorb(sha3_256incctx *state, const uint8_t *input, size_t inlen) { keccak_inc_absorb(state->ctx, SHA3_256_RATE, input, inlen); } @@ -686,6 +776,8 @@ void sha3_256_inc_finalize(uint8_t *output, sha3_256incctx *state) { keccak_squeezeblocks(t, 1, state->ctx, SHA3_256_RATE); + sha3_256_inc_ctx_release(state); + for (size_t i = 0; i < 32; i++) { output[i] = t[i]; } @@ -716,19 +808,37 @@ void sha3_256(uint8_t *output, const uint8_t *input, size_t inlen) { } void sha3_384_inc_init(sha3_384incctx *state) { + state->ctx = malloc(PQC_SHAKEINCCTX_BYTES); + if (state->ctx == NULL) { + exit(111); + } keccak_inc_init(state->ctx); } +void sha3_384_inc_ctx_clone(sha3_384incctx *dest, const sha3_384incctx *src) { + dest->ctx = malloc(PQC_SHAKEINCCTX_BYTES); + if (dest->ctx == NULL) { + exit(111); + } + memcpy(dest->ctx, src->ctx, PQC_SHAKEINCCTX_BYTES); +} + void sha3_384_inc_absorb(sha3_384incctx *state, const uint8_t *input, size_t inlen) { keccak_inc_absorb(state->ctx, SHA3_384_RATE, input, inlen); } +void sha3_384_inc_ctx_release(sha3_384incctx *state) { + free(state->ctx); // IGNORE free-check +} + void sha3_384_inc_finalize(uint8_t *output, sha3_384incctx *state) { uint8_t t[SHA3_384_RATE]; keccak_inc_finalize(state->ctx, SHA3_384_RATE, 0x06); keccak_squeezeblocks(t, 1, state->ctx, SHA3_384_RATE); + sha3_384_inc_ctx_release(state); + for (size_t i = 0; i < 48; i++) { output[i] = t[i]; } @@ -759,19 +869,37 @@ void sha3_384(uint8_t *output, const uint8_t *input, size_t inlen) { } void sha3_512_inc_init(sha3_512incctx *state) { + state->ctx = malloc(PQC_SHAKEINCCTX_BYTES); + if (state->ctx == NULL) { + exit(111); + } keccak_inc_init(state->ctx); } +void sha3_512_inc_ctx_clone(sha3_512incctx *dest, const sha3_512incctx *src) { + dest->ctx = malloc(PQC_SHAKEINCCTX_BYTES); + if (dest->ctx == NULL) { + exit(111); + } + memcpy(dest->ctx, src->ctx, PQC_SHAKEINCCTX_BYTES); +} + void sha3_512_inc_absorb(sha3_512incctx *state, const uint8_t *input, size_t inlen) { keccak_inc_absorb(state->ctx, SHA3_512_RATE, input, inlen); } +void sha3_512_inc_ctx_release(sha3_512incctx *state) { + free(state->ctx); // IGNORE free-check +} + void sha3_512_inc_finalize(uint8_t *output, sha3_512incctx *state) { uint8_t t[SHA3_512_RATE]; keccak_inc_finalize(state->ctx, SHA3_512_RATE, 0x06); keccak_squeezeblocks(t, 1, state->ctx, SHA3_512_RATE); + sha3_512_inc_ctx_release(state); + for (size_t i = 0; i < 64; i++) { output[i] = t[i]; } diff --git a/src/crypto/sha3/sha3.h b/src/crypto/sha3/sha3.h index d6d67c256..19faa160b 100644 --- a/src/crypto/sha3/sha3.h +++ b/src/crypto/sha3/sha3.h @@ -39,13 +39,17 @@ void OQS_SHA3_sha3_256(uint8_t *output, const uint8_t *input, size_t inplen); /** Data structure for the state of the SHA3-256 incremental hashing API. */ typedef struct { /** Internal state. */ - uint64_t ctx[26]; + void *ctx; } OQS_SHA3_sha3_256_inc_ctx; /** * \brief Initialize the state for the SHA3-256 incremental hashing API. * - * \param state The function state to be initialized; must be allocated + * \warning State must be allovated by the caller. Caller is responsible + * for releasing state by calling either OQS_SHA3_sha3_256_inc_finalize or + * OQS_SHA3_sha3_256_inc_ctx_release. + * + * \param state The function state to be initialized; must be allocated. */ void OQS_SHA3_sha3_256_inc_init(OQS_SHA3_sha3_256_inc_ctx *state); @@ -64,21 +68,44 @@ void OQS_SHA3_sha3_256_inc_absorb(OQS_SHA3_sha3_256_inc_ctx *state, const uint8_ /** * \brief The SHA3-256 squeeze/finalize function. * Permutes and extracts the state to an output byte array. + * Releases state. * * \warning Output array must be allocated. - * + * State cannot be used after this without re-calling OQS_SHA3_sha3_256_inc_init. + * \param output The output byte array * \param state The function state; must be initialized */ void OQS_SHA3_sha3_256_inc_finalize(uint8_t *output, OQS_SHA3_sha3_256_inc_ctx *state); +/** + * \brief Release the state for the SHA3-256 incremental API. + * + * \warning State cannot be used after this without re-calling OQS_SHA3_sha3_256_inc_init. + * + * \param state The function state; must be initialized + */ +void OQS_SHA3_sha3_256_inc_ctx_release(OQS_SHA3_sha3_256_inc_ctx *state); + +/** + * \brief Clone the state for the SHA3-256 incremental API. + * + * \warning dest must be allocated by the caller. Caller is responsible + * for releasing dest by calling either OQS_SHA3_sha3_256_inc_finalize or + * OQS_SHA3_sha3_256_inc_ctx_release. + * + * \param dest The function state to copy into; must be initialized + * \param src The function state to copy; must be initialized + */ +void OQS_SHA3_sha3_256_inc_ctx_clone(OQS_SHA3_sha3_256_inc_ctx *dest, const OQS_SHA3_sha3_256_inc_ctx *src); + /** The SHA-384 byte absorption rate */ #define OQS_SHA3_SHA3_384_RATE 104 /** * \brief Process a message with SHA3-384 and return the hash code in the output byte array. * - * \warning The output array must be at least 32 bytes in length. + * \warning The output array must be at least 48 bytes in length. * * \param output The output byte array * \param input The message input byte array @@ -89,13 +116,17 @@ void OQS_SHA3_sha3_384(uint8_t *output, const uint8_t *input, size_t inplen); /** Data structure for the state of the SHA3-384 incremental hashing API. */ typedef struct { /** Internal state. */ - uint64_t ctx[26]; + void *ctx; } OQS_SHA3_sha3_384_inc_ctx; /** * \brief Initialize the state for the SHA3-384 incremental hashing API. * - * \param state The function state to be initialized; must be allocated + * \warning State must be allovated by the caller. Caller is responsible + * for releasing state by calling either OQS_SHA3_sha3_384_inc_finalize or + * OQS_SHA3_sha3_384_inc_ctx_release. + * + * \param state The function state to be initialized; must be allocated. */ void OQS_SHA3_sha3_384_inc_init(OQS_SHA3_sha3_384_inc_ctx *state); @@ -114,14 +145,37 @@ void OQS_SHA3_sha3_384_inc_absorb(OQS_SHA3_sha3_384_inc_ctx *state, const uint8_ /** * \brief The SHA3-384 squeeze/finalize function. * Permutes and extracts the state to an output byte array. + * Releases state. * * \warning Output array must be allocated. - * + * State cannot be used after this without re-calling OQS_SHA3_sha3_384_inc_init. + * \param output The output byte array * \param state The function state; must be initialized */ void OQS_SHA3_sha3_384_inc_finalize(uint8_t *output, OQS_SHA3_sha3_384_inc_ctx *state); +/** + * \brief Release the state for the SHA3-384 incremental API. + * + * \warning State cannot be used after this without re-calling OQS_SHA3_sha3_384_inc_init. + * + * \param state The function state; must be initialized + */ +void OQS_SHA3_sha3_384_inc_ctx_release(OQS_SHA3_sha3_384_inc_ctx *state); + +/** + * \brief Clone the state for the SHA3-384 incremental API. + * + * \warning dest must be allovated by the caller. Caller is responsible + * for releasing dest by calling either OQS_SHA3_sha3_384_inc_finalize or + * OQS_SHA3_sha3_384_inc_ctx_release. + * + * \param dest The function state to copy into; must be initialized + * \param src The function state to copy; must be initialized + */ +void OQS_SHA3_sha3_384_inc_ctx_clone(OQS_SHA3_sha3_384_inc_ctx *dest, const OQS_SHA3_sha3_384_inc_ctx *src); + /** The SHA-512 byte absorption rate */ #define OQS_SHA3_SHA3_512_RATE 72 @@ -139,13 +193,17 @@ void OQS_SHA3_sha3_512(uint8_t *output, const uint8_t *input, size_t inplen); /** Data structure for the state of the SHA3-512 incremental hashing API. */ typedef struct { /** Internal state. */ - uint64_t ctx[26]; + void *ctx; } OQS_SHA3_sha3_512_inc_ctx; /** * \brief Initialize the state for the SHA3-512 incremental hashing API. * - * \param state The function state to be initialized; must be allocated + * \warning State must be allovated by the caller. Caller is responsible + * for releasing state by calling either OQS_SHA3_sha3_512_inc_finalize or + * OQS_SHA3_sha3_512_inc_ctx_release. + * + * \param state The function state to be initialized; must be allocated. */ void OQS_SHA3_sha3_512_inc_init(OQS_SHA3_sha3_512_inc_ctx *state); @@ -162,16 +220,39 @@ void OQS_SHA3_sha3_512_inc_init(OQS_SHA3_sha3_512_inc_ctx *state); void OQS_SHA3_sha3_512_inc_absorb(OQS_SHA3_sha3_512_inc_ctx *state, const uint8_t *input, size_t inlen); /** - * \brief The SHA3-512 finalize/squeeze function. + * \brief The SHA3-512 squeeze/finalize function. * Permutes and extracts the state to an output byte array. + * Releases state. * * \warning Output array must be allocated. - * + * State cannot be used after this without re-calling OQS_SHA3_sha3_512_inc_init. + * \param output The output byte array * \param state The function state; must be initialized */ void OQS_SHA3_sha3_512_inc_finalize(uint8_t *output, OQS_SHA3_sha3_512_inc_ctx *state); +/** + * \brief Release the state for the SHA3-512 incremental API. + * + * \warning State cannot be used after this without re-calling OQS_SHA3_sha3_512_inc_init. + * + * \param state The function state; must be initialized + */ +void OQS_SHA3_sha3_512_inc_ctx_release(OQS_SHA3_sha3_512_inc_ctx *state); + +/** + * \brief Clone the state for the SHA3-512 incremental API. + * + * \warning dest must be allovated by the caller. Caller is responsible + * for releasing dest by calling either OQS_SHA3_sha3_512_inc_finalize or + * OQS_SHA3_sha3_512_inc_ctx_release. + * + * \param dest The function state to copy into; must be initialized + * \param src The function state to copy; must be initialized + */ +void OQS_SHA3_sha3_512_inc_ctx_clone(OQS_SHA3_sha3_512_inc_ctx *dest, const OQS_SHA3_sha3_512_inc_ctx *src); + /* SHAKE */ /** The SHAKE-128 byte absorption rate */ @@ -192,7 +273,7 @@ void OQS_SHA3_shake128(uint8_t *output, size_t outlen, const uint8_t *input, siz /** Data structure for the state of the SHAKE128 non-incremental hashing API. */ typedef struct { /** Internal state. */ - uint64_t ctx[25]; + void *ctx; } OQS_SHA3_shake128_ctx; /** @@ -201,7 +282,8 @@ typedef struct { * Should be used in conjunction with the shake128_squeezeblocks function. * * \warning Finalizes the seed state, should not be used in consecutive calls. - * State must be allocated by the caller. + * State must be allocated by the caller. State msut be freed by calling + * OQS_SHA3_shake128_ctx_release. * * \param state The function state; must be allocated * \param input The input seed byte array @@ -222,18 +304,36 @@ void OQS_SHA3_shake128_absorb(OQS_SHA3_shake128_ctx *state, const uint8_t *input */ void OQS_SHA3_shake128_squeezeblocks(uint8_t *output, size_t nblocks, OQS_SHA3_shake128_ctx *state); +/** + * \brief Frees the state for SHAKE-128. + * + * \param state The state to free + */ +void OQS_SHA3_shake128_ctx_release(OQS_SHA3_shake128_ctx *state); + +/** + * \brief Copies the state for SHAKE-128. + * + * \warning dest must be allocated. dest must be freed by calling + * OQS_SHA3_shake128_ctx_release. + * + * \param dest The state to copy into + * \param src The state to copy from + */ +void OQS_SHA3_shake128_ctx_clone(OQS_SHA3_shake128_ctx *dest, const OQS_SHA3_shake128_ctx *src); + /** Data structure for the state of the SHAKE-128 incremental hashing API. */ typedef struct { /** Internal state. */ - uint64_t ctx[26]; + void *ctx; } OQS_SHA3_shake128_inc_ctx; /** * \brief Initialize the state for the SHAKE-128 incremental hashing API. * - * \param s_inc The function state to be initialized; must be allocated + * \param state The function state to be initialized; must be allocated */ -void OQS_SHA3_shake128_inc_init(OQS_SHA3_shake128_inc_ctx *s_inc); +void OQS_SHA3_shake128_inc_init(OQS_SHA3_shake128_inc_ctx *state); /** * \brief The SHAKE-128 absorb function. @@ -241,18 +341,18 @@ void OQS_SHA3_shake128_inc_init(OQS_SHA3_shake128_inc_ctx *s_inc); * * \warning State must be initialized by the caller. * - * \param s_inc state + * \param state The function state; must be initialized * \param input input buffer * \param inlen length of input buffer */ -void OQS_SHA3_shake128_inc_absorb(OQS_SHA3_shake128_inc_ctx *s_inc, const uint8_t *input, size_t inlen); +void OQS_SHA3_shake128_inc_absorb(OQS_SHA3_shake128_inc_ctx *state, const uint8_t *input, size_t inlen); /** * \brief The SHAKE-128 finalize function. * - * \param s_inc The function state; must be initialized + * \param state The function state; must be initialized */ -void OQS_SHA3_shake128_inc_finalize(OQS_SHA3_shake128_inc_ctx *s_inc); +void OQS_SHA3_shake128_inc_finalize(OQS_SHA3_shake128_inc_ctx *state); /** * \brief The SHAKE-128 squeeze function. @@ -260,9 +360,27 @@ void OQS_SHA3_shake128_inc_finalize(OQS_SHA3_shake128_inc_ctx *s_inc); * * \param output output buffer * \param outlen bytes of outbut buffer - * \param s_inc The function state; must be initialized + * \param state The function state; must be initialized */ -void OQS_SHA3_shake128_inc_squeeze(uint8_t *output, size_t outlen, OQS_SHA3_shake128_inc_ctx *s_inc); +void OQS_SHA3_shake128_inc_squeeze(uint8_t *output, size_t outlen, OQS_SHA3_shake128_inc_ctx *state); + +/** + * \brief Frees the state for the SHAKE-128 incremental hashing API. + * + * \param state The state to free + */ +void OQS_SHA3_shake128_inc_ctx_release(OQS_SHA3_shake128_inc_ctx *state); + +/** + * \brief Copies the state for the SHAKE-128 incremental hashing API. + * + * \warning dest must be allocated. dest must be freed by calling + * OQS_SHA3_shake128_inc_ctx_release. + * + * \param dest The state to copy into + * \param src The state to copy from + */ +void OQS_SHA3_shake128_inc_ctx_clone(OQS_SHA3_shake128_inc_ctx *dest, const OQS_SHA3_shake128_inc_ctx *src); /** The SHAKE-256 byte absorption rate */ #define OQS_SHA3_SHAKE256_RATE 136 @@ -279,10 +397,10 @@ void OQS_SHA3_shake128_inc_squeeze(uint8_t *output, size_t outlen, OQS_SHA3_shak */ void OQS_SHA3_shake256(uint8_t *output, size_t outlen, const uint8_t *input, size_t inplen); -/** Data structure for the state of the SHAKE-256 non-incremental hashing API. */ +/** Data structure for the state of the SHAKE256 non-incremental hashing API. */ typedef struct { /** Internal state. */ - uint64_t ctx[25]; + void *ctx; } OQS_SHA3_shake256_ctx; /** @@ -291,9 +409,10 @@ typedef struct { * Should be used in conjunction with the shake256_squeezeblocks function. * * \warning Finalizes the seed state, should not be used in consecutive calls. - * State must be initialized (and zeroed) by the caller. + * State must be allocated by the caller. State msut be freed by calling + * OQS_SHA3_shake256_ctx_release. * - * \param state The function state; must be pre-initialized + * \param state The function state; must be allocated * \param input The input seed byte array * \param inplen The number of seed bytes to process */ @@ -302,27 +421,46 @@ void OQS_SHA3_shake256_absorb(OQS_SHA3_shake256_ctx *state, const uint8_t *input /** * \brief The SHAKE-256 squeeze function. * Permutes and extracts the state to an output byte array. + * Should be used in conjunction with the shake256_absorb function. * * \warning Output array must be initialized to a multiple of the byte rate. * * \param output The output byte array * \param nblocks The number of blocks to extract - * \param state The function state; must be pre-initialized + * \param state The function state; must be allocated */ void OQS_SHA3_shake256_squeezeblocks(uint8_t *output, size_t nblocks, OQS_SHA3_shake256_ctx *state); +/** + * \brief Frees the state for SHAKE-256. + * + * \param state The state to free + */ +void OQS_SHA3_shake256_ctx_release(OQS_SHA3_shake256_ctx *state); + +/** + * \brief Copies the state for SHAKE-256. + * + * \warning dest must be allocated. dest must be freed by calling + * OQS_SHA3_shake256_ctx_release. + * + * \param dest The state to copy into + * \param src The state to copy from + */ +void OQS_SHA3_shake256_ctx_clone(OQS_SHA3_shake256_ctx *dest, const OQS_SHA3_shake256_ctx *src); + /** Data structure for the state of the SHAKE-256 incremental hashing API. */ typedef struct { /** Internal state. */ - uint64_t ctx[26]; + void *ctx; } OQS_SHA3_shake256_inc_ctx; /** * \brief Initialize the state for the SHAKE-256 incremental hashing API. * - * \param s_inc The function state to be initialized; must be allocated + * \param state The function state to be initialized; must be allocated */ -void OQS_SHA3_shake256_inc_init(OQS_SHA3_shake256_inc_ctx *s_inc); +void OQS_SHA3_shake256_inc_init(OQS_SHA3_shake256_inc_ctx *state); /** * \brief The SHAKE-256 absorb function. @@ -330,18 +468,18 @@ void OQS_SHA3_shake256_inc_init(OQS_SHA3_shake256_inc_ctx *s_inc); * * \warning State must be initialized by the caller. * - * \param s_inc state + * \param state The function state; must be initialized * \param input input buffer * \param inlen length of input buffer */ -void OQS_SHA3_shake256_inc_absorb(OQS_SHA3_shake256_inc_ctx *s_inc, const uint8_t *input, size_t inlen); +void OQS_SHA3_shake256_inc_absorb(OQS_SHA3_shake256_inc_ctx *state, const uint8_t *input, size_t inlen); /** * \brief The SHAKE-256 finalize function. * - * \param s_inc The function state; must be initialized + * \param state The function state; must be initialized */ -void OQS_SHA3_shake256_inc_finalize(OQS_SHA3_shake256_inc_ctx *s_inc); +void OQS_SHA3_shake256_inc_finalize(OQS_SHA3_shake256_inc_ctx *state); /** * \brief The SHAKE-256 squeeze function. @@ -349,9 +487,27 @@ void OQS_SHA3_shake256_inc_finalize(OQS_SHA3_shake256_inc_ctx *s_inc); * * \param output output buffer * \param outlen bytes of outbut buffer - * \param s_inc state + * \param state The function state; must be initialized */ -void OQS_SHA3_shake256_inc_squeeze(uint8_t *output, size_t outlen, OQS_SHA3_shake256_inc_ctx *s_inc); +void OQS_SHA3_shake256_inc_squeeze(uint8_t *output, size_t outlen, OQS_SHA3_shake256_inc_ctx *state); + +/** + * \brief Frees the state for the SHAKE-256 incremental hashing API. + * + * \param state The state to free + */ +void OQS_SHA3_shake256_inc_ctx_release(OQS_SHA3_shake256_inc_ctx *state); + +/** + * \brief Copies the state for the SHAKE-256 incremental hashing API. + * + * \warning dest must be allocated. dest must be freed by calling + * OQS_SHA3_shake256_inc_ctx_release. + * + * \param dest The state to copy into + * \param src The state to copy from + */ +void OQS_SHA3_shake256_inc_ctx_clone(OQS_SHA3_shake256_inc_ctx *dest, const OQS_SHA3_shake256_inc_ctx *src); /* cSHAKE */ @@ -412,6 +568,24 @@ void OQS_SHA3_cshake128_inc_finalize(OQS_SHA3_shake128_inc_ctx *state); */ void OQS_SHA3_cshake128_inc_squeeze(uint8_t *output, size_t outlen, OQS_SHA3_shake128_inc_ctx *state); +/** + * \brief Free the cSHAKE-128 incremental context. + * + * \param state The function state; must be initialized + */ +void OQS_SHA3_cshake128_inc_ctx_release(OQS_SHA3_shake128_inc_ctx *state); + +/** + * \brief Copies the state for the cSHAKE-128 incremental hashing API. + * + * \warning dest must be allocated. dest must be freed by calling + * OQS_SHA3_cshake128_inc_ctx_release. + * + * \param dest The state to copy into + * \param src The state to copy from + */ +void OQS_SHA3_cshake128_inc_ctx_clone(OQS_SHA3_shake128_inc_ctx *dest, const OQS_SHA3_shake128_inc_ctx *src); + /** * \brief Seed a cSHAKE-256 instance and generate pseudo-random output. * Permutes and extracts the state to an output byte array. @@ -465,10 +639,28 @@ void OQS_SHA3_cshake256_inc_finalize(OQS_SHA3_shake256_inc_ctx *state); * * \param output output buffer * \param outlen bytes of outbut buffer - * \param state The function state, must be initialized + * \param state The function state; must be initialized */ void OQS_SHA3_cshake256_inc_squeeze(uint8_t *output, size_t outlen, OQS_SHA3_shake256_inc_ctx *state); +/** + * \brief Free the cSHAKE-256 incremental context. + * + * \param state The function state; must be initialized + */ +void OQS_SHA3_cshake256_inc_ctx_release(OQS_SHA3_shake256_inc_ctx *state); + +/** + * \brief Copies the state for the cSHAKE-256 incremental hashing API. + * + * \warning dest must be allocated. dest must be freed by calling + * OQS_SHA3_cshake256_inc_ctx_release. + * + * \param dest The state to copy into + * \param src The state to copy from + */ +void OQS_SHA3_cshake256_inc_ctx_clone(OQS_SHA3_shake256_inc_ctx *dest, const OQS_SHA3_shake256_inc_ctx *src); + /** * \brief Seed a cSHAKE-128 instance and generate pseudo-random output, using a "simplified" customization string. * Permutes and extracts the state to an output byte array. diff --git a/src/crypto/sha3/sha3_c.c b/src/crypto/sha3/sha3_c.c index 756ec13bd..3eccc2215 100644 --- a/src/crypto/sha3/sha3_c.c +++ b/src/crypto/sha3/sha3_c.c @@ -1,6 +1,6 @@ /** * \file sha3_c.c -* \brief Implementation of the OQS SHA3 API via the files fips202.c and sp800-185.c +* \brief Implementation of the OQS SHA3 API via the files fips202.c * from PQClean (https://github.com/PQClean/PQClean/tree/master/common) */ @@ -15,10 +15,14 @@ #define sha3_256 oqs_unused_SHA3_sha3_256 #endif -#define sha3_256incctx OQS_SHA3_sha3_256_inc_ctx -#define sha3_256_inc_init OQS_SHA3_sha3_256_inc_init -#define sha3_256_inc_absorb OQS_SHA3_sha3_256_inc_absorb -#define sha3_256_inc_finalize OQS_SHA3_sha3_256_inc_finalize +typedef struct { + uint64_t *ctx; +} sha3_256incctx; +#define sha3_256_inc_init oqs_sha3_sha3_256_inc_init +#define sha3_256_inc_absorb oqs_sha3_sha3_256_inc_absorb +#define sha3_256_inc_finalize oqs_sha3_sha3_256_inc_finalize +#define sha3_256_inc_ctx_release oqs_sha3_sha3_256_inc_ctx_release +#define sha3_256_inc_ctx_clone oqs_sha3_sha3_256_inc_ctx_clone #define SHA3_384_RATE OQS_SHA3_SHA3_384_RATE #ifndef USE_SHA3_OPENSSL @@ -27,10 +31,14 @@ #define sha3_384 oqs_unused_SHA3_sha3_384 #endif -#define sha3_384incctx OQS_SHA3_sha3_384_inc_ctx -#define sha3_384_inc_init OQS_SHA3_sha3_384_inc_init -#define sha3_384_inc_absorb OQS_SHA3_sha3_384_inc_absorb -#define sha3_384_inc_finalize OQS_SHA3_sha3_384_inc_finalize +typedef struct { + uint64_t *ctx; +} sha3_384incctx; +#define sha3_384_inc_init oqs_sha3_sha3_384_inc_init +#define sha3_384_inc_absorb oqs_sha3_sha3_384_inc_absorb +#define sha3_384_inc_finalize oqs_sha3_sha3_384_inc_finalize +#define sha3_384_inc_ctx_release oqs_sha3_sha3_384_inc_ctx_release +#define sha3_384_inc_ctx_clone oqs_sha3_sha3_384_inc_ctx_clone #define SHA3_512_RATE OQS_SHA3_SHA3_512_RATE #ifndef USE_SHA3_OPENSSL @@ -39,10 +47,14 @@ #define sha3_512 oqs_unused_SHA3_sha3_512 #endif -#define sha3_512incctx OQS_SHA3_sha3_512_inc_ctx -#define sha3_512_inc_init OQS_SHA3_sha3_512_inc_init -#define sha3_512_inc_absorb OQS_SHA3_sha3_512_inc_absorb -#define sha3_512_inc_finalize OQS_SHA3_sha3_512_inc_finalize +typedef struct { + uint64_t *ctx; +} sha3_512incctx; +#define sha3_512_inc_init oqs_sha3_sha3_512_inc_init +#define sha3_512_inc_absorb oqs_sha3_sha3_512_inc_absorb +#define sha3_512_inc_finalize oqs_sha3_sha3_512_inc_finalize +#define sha3_512_inc_ctx_release oqs_sha3_sha3_512_inc_ctx_release +#define sha3_512_inc_ctx_clone oqs_sha3_sha3_512_inc_ctx_clone #define SHAKE128_RATE OQS_SHA3_SHAKE128_RATE #ifndef USE_SHA3_OPENSSL @@ -51,15 +63,23 @@ #define shake128 oqs_unused_SHA3_shake128 #endif -#define shake128ctx OQS_SHA3_shake128_ctx -#define shake128_absorb OQS_SHA3_shake128_absorb -#define shake128_squeezeblocks OQS_SHA3_shake128_squeezeblocks +typedef struct { + uint64_t *ctx; +} shake128ctx; +#define shake128_absorb oqs_sha3_shake128_absorb +#define shake128_squeezeblocks oqs_sha3_shake128_squeezeblocks +#define shake128_ctx_release oqs_sha3_shake128_ctx_release +#define shake128_ctx_clone oqs_sha3_shake128_ctx_clone -#define shake128incctx OQS_SHA3_shake128_inc_ctx -#define shake128_inc_init OQS_SHA3_shake128_inc_init -#define shake128_inc_absorb OQS_SHA3_shake128_inc_absorb -#define shake128_inc_finalize OQS_SHA3_shake128_inc_finalize -#define shake128_inc_squeeze OQS_SHA3_shake128_inc_squeeze +typedef struct { + uint64_t *ctx; +} shake128incctx; +#define shake128_inc_init oqs_sha3_shake128_inc_init +#define shake128_inc_absorb oqs_sha3_shake128_inc_absorb +#define shake128_inc_finalize oqs_sha3_shake128_inc_finalize +#define shake128_inc_squeeze oqs_sha3_shake128_inc_squeeze +#define shake128_inc_ctx_release oqs_sha3_shake128_inc_ctx_release +#define shake128_inc_ctx_clone oqs_sha3_shake128_inc_ctx_clone #define SHAKE256_RATE OQS_SHA3_SHAKE256_RATE #ifndef USE_SHA3_OPENSSL @@ -68,41 +88,201 @@ #define shake256 oqs_unused_SHA3_shake256 #endif -#define shake256ctx OQS_SHA3_shake256_ctx -#define shake256_absorb OQS_SHA3_shake256_absorb -#define shake256_squeezeblocks OQS_SHA3_shake256_squeezeblocks +typedef struct { + uint64_t *ctx; +} shake256ctx; +#define shake256_absorb oqs_sha3_shake256_absorb +#define shake256_squeezeblocks oqs_sha3_shake256_squeezeblocks +#define shake256_ctx_release oqs_sha3_shake256_ctx_release +#define shake256_ctx_clone oqs_sha3_shake256_ctx_clone -#define shake256incctx OQS_SHA3_shake256_inc_ctx -#define shake256_inc_init OQS_SHA3_shake256_inc_init -#define shake256_inc_absorb OQS_SHA3_shake256_inc_absorb -#define shake256_inc_finalize OQS_SHA3_shake256_inc_finalize -#define shake256_inc_squeeze OQS_SHA3_shake256_inc_squeeze +typedef struct { + uint64_t *ctx; +} shake256incctx; +#define shake256_inc_init oqs_sha3_shake256_inc_init +#define shake256_inc_absorb oqs_sha3_shake256_inc_absorb +#define shake256_inc_finalize oqs_sha3_shake256_inc_finalize +#define shake256_inc_squeeze oqs_sha3_shake256_inc_squeeze +#define shake256_inc_ctx_release oqs_sha3_shake256_inc_ctx_release +#define shake256_inc_ctx_clone oqs_sha3_shake256_inc_ctx_clone #include "fips202.c" +void OQS_SHA3_sha3_256_inc_init(OQS_SHA3_sha3_256_inc_ctx *state) { + oqs_sha3_sha3_256_inc_init((sha3_256incctx *) state); +} +void OQS_SHA3_sha3_256_inc_absorb(OQS_SHA3_sha3_256_inc_ctx *state, const uint8_t *input, size_t inlen) { + oqs_sha3_sha3_256_inc_absorb((sha3_256incctx *) state, input, inlen); +} +void OQS_SHA3_sha3_256_inc_finalize(uint8_t *output, OQS_SHA3_sha3_256_inc_ctx *state) { + oqs_sha3_sha3_256_inc_finalize(output, (sha3_256incctx *) state); +} +void OQS_SHA3_sha3_256_inc_ctx_release(OQS_SHA3_sha3_256_inc_ctx *state) { + oqs_sha3_sha3_256_inc_ctx_release((sha3_256incctx *) state); +} +void OQS_SHA3_sha3_256_inc_ctx_clone(OQS_SHA3_sha3_256_inc_ctx *dest, const OQS_SHA3_sha3_256_inc_ctx *src) { + oqs_sha3_sha3_256_inc_ctx_clone((sha3_256incctx *) dest, (const sha3_256incctx *) src); +} + +void OQS_SHA3_sha3_384_inc_init(OQS_SHA3_sha3_384_inc_ctx *state) { + oqs_sha3_sha3_384_inc_init((sha3_384incctx *) state); +} +void OQS_SHA3_sha3_384_inc_absorb(OQS_SHA3_sha3_384_inc_ctx *state, const uint8_t *input, size_t inlen) { + oqs_sha3_sha3_384_inc_absorb((sha3_384incctx *) state, input, inlen); +} +void OQS_SHA3_sha3_384_inc_finalize(uint8_t *output, OQS_SHA3_sha3_384_inc_ctx *state) { + oqs_sha3_sha3_384_inc_finalize(output, (sha3_384incctx *) state); +} +void OQS_SHA3_sha3_384_inc_ctx_release(OQS_SHA3_sha3_384_inc_ctx *state) { + oqs_sha3_sha3_384_inc_ctx_release((sha3_384incctx *) state); +} +void OQS_SHA3_sha3_384_inc_ctx_clone(OQS_SHA3_sha3_384_inc_ctx *dest, const OQS_SHA3_sha3_384_inc_ctx *src) { + oqs_sha3_sha3_384_inc_ctx_clone((sha3_384incctx *) dest, (const sha3_384incctx *) src); +} + +void OQS_SHA3_sha3_512_inc_init(OQS_SHA3_sha3_512_inc_ctx *state) { + oqs_sha3_sha3_512_inc_init((sha3_512incctx *) state); +} +void OQS_SHA3_sha3_512_inc_absorb(OQS_SHA3_sha3_512_inc_ctx *state, const uint8_t *input, size_t inlen) { + oqs_sha3_sha3_512_inc_absorb((sha3_512incctx *) state, input, inlen); +} +void OQS_SHA3_sha3_512_inc_finalize(uint8_t *output, OQS_SHA3_sha3_512_inc_ctx *state) { + oqs_sha3_sha3_512_inc_finalize(output, (sha3_512incctx *) state); +} +void OQS_SHA3_sha3_512_inc_ctx_release(OQS_SHA3_sha3_512_inc_ctx *state) { + oqs_sha3_sha3_512_inc_ctx_release((sha3_512incctx *) state); +} +void OQS_SHA3_sha3_512_inc_ctx_clone(OQS_SHA3_sha3_512_inc_ctx *dest, const OQS_SHA3_sha3_512_inc_ctx *src) { + oqs_sha3_sha3_512_inc_ctx_clone((sha3_512incctx *) dest, (const sha3_512incctx *) src); +} + +void OQS_SHA3_shake128_absorb(OQS_SHA3_shake128_ctx *state, const uint8_t *input, size_t inplen) { + oqs_sha3_shake128_absorb((shake128ctx *) state, input, inplen); +} +void OQS_SHA3_shake128_squeezeblocks(uint8_t *output, size_t nblocks, OQS_SHA3_shake128_ctx *state) { + oqs_sha3_shake128_squeezeblocks(output, nblocks, (shake128ctx *) state); +} +void OQS_SHA3_shake128_ctx_release(OQS_SHA3_shake128_ctx *state) { + oqs_sha3_shake128_ctx_release((shake128ctx *) state); +} +void OQS_SHA3_shake128_ctx_clone(OQS_SHA3_shake128_ctx *dest, const OQS_SHA3_shake128_ctx *src) { + oqs_sha3_shake128_ctx_clone((shake128ctx *) dest, (const shake128ctx *) src); +} + +void OQS_SHA3_shake128_inc_init(OQS_SHA3_shake128_inc_ctx *state) { + oqs_sha3_shake128_inc_init((shake128incctx *) state); +} +void OQS_SHA3_shake128_inc_absorb(OQS_SHA3_shake128_inc_ctx *state, const uint8_t *input, size_t inlen) { + oqs_sha3_shake128_inc_absorb((shake128incctx *) state, input, inlen); +} +void OQS_SHA3_shake128_inc_finalize(OQS_SHA3_shake128_inc_ctx *state) { + oqs_sha3_shake128_inc_finalize((shake128incctx *) state); +} +void OQS_SHA3_shake128_inc_squeeze(uint8_t *output, size_t outlen, OQS_SHA3_shake128_inc_ctx *state) { + oqs_sha3_shake128_inc_squeeze(output, outlen, (shake128incctx *) state); +} +void OQS_SHA3_shake128_inc_ctx_release(OQS_SHA3_shake128_inc_ctx *state) { + oqs_sha3_shake128_inc_ctx_release((shake128incctx *) state); +} +void OQS_SHA3_shake128_inc_ctx_clone(OQS_SHA3_shake128_inc_ctx *dest, const OQS_SHA3_shake128_inc_ctx *src) { + oqs_sha3_shake128_inc_ctx_clone((shake128incctx *) dest, (const shake128incctx *) src); +} + +void OQS_SHA3_shake256_absorb(OQS_SHA3_shake256_ctx *state, const uint8_t *input, size_t inplen) { + oqs_sha3_shake256_absorb((shake256ctx *) state, input, inplen); +} +void OQS_SHA3_shake256_squeezeblocks(uint8_t *output, size_t nblocks, OQS_SHA3_shake256_ctx *state) { + oqs_sha3_shake256_squeezeblocks(output, nblocks, (shake256ctx *) state); +} +void OQS_SHA3_shake256_ctx_release(OQS_SHA3_shake256_ctx *state) { + oqs_sha3_shake256_ctx_release((shake256ctx *) state); +} +void OQS_SHA3_shake256_ctx_clone(OQS_SHA3_shake256_ctx *dest, const OQS_SHA3_shake256_ctx *src) { + oqs_sha3_shake256_ctx_clone((shake256ctx *) dest, (const shake256ctx *) src); +} + +void OQS_SHA3_shake256_inc_init(OQS_SHA3_shake256_inc_ctx *state) { + oqs_sha3_shake256_inc_init((shake256incctx *) state); +} +void OQS_SHA3_shake256_inc_absorb(OQS_SHA3_shake256_inc_ctx *state, const uint8_t *input, size_t inlen) { + oqs_sha3_shake256_inc_absorb((shake256incctx *) state, input, inlen); +} +void OQS_SHA3_shake256_inc_finalize(OQS_SHA3_shake256_inc_ctx *state) { + oqs_sha3_shake256_inc_finalize((shake256incctx *) state); +} +void OQS_SHA3_shake256_inc_squeeze(uint8_t *output, size_t outlen, OQS_SHA3_shake256_inc_ctx *state) { + oqs_sha3_shake256_inc_squeeze(output, outlen, (shake256incctx *) state); +} +void OQS_SHA3_shake256_inc_ctx_release(OQS_SHA3_shake256_inc_ctx *state) { + oqs_sha3_shake256_inc_ctx_release((shake256incctx *) state); +} +void OQS_SHA3_shake256_inc_ctx_clone(OQS_SHA3_shake256_inc_ctx *dest, const OQS_SHA3_shake256_inc_ctx *src) { + oqs_sha3_shake256_inc_ctx_clone((shake256incctx *) dest, (const shake256incctx *) src); +} + #define cshake128 OQS_SHA3_cshake128 -#define cshake128_inc_init OQS_SHA3_cshake128_inc_init -#define cshake128_inc_absorb OQS_SHA3_cshake128_inc_absorb -#define cshake128_inc_finalize OQS_SHA3_cshake128_inc_finalize -#define cshake128_inc_squeeze OQS_SHA3_cshake128_inc_squeeze +#define cshake128_inc_init oqs_sha3_cshake128_inc_init +#define cshake128_inc_absorb oqs_sha3_cshake128_inc_absorb +#define cshake128_inc_finalize oqs_sha3_cshake128_inc_finalize +#define cshake128_inc_squeeze oqs_sha3_cshake128_inc_squeeze +#define cshake128_inc_ctx_release oqs_sha3_cshake128_inc_ctx_release +#define cshake128_inc_ctx_clone oqs_sha3_cshake128_inc_ctx_clone #define cshake256 OQS_SHA3_cshake256 -#define cshake256_inc_init OQS_SHA3_cshake256_inc_init -#define cshake256_inc_absorb OQS_SHA3_cshake256_inc_absorb -#define cshake256_inc_finalize OQS_SHA3_cshake256_inc_finalize -#define cshake256_inc_squeeze OQS_SHA3_cshake256_inc_squeeze +#define cshake256_inc_init oqs_sha3_cshake256_inc_init +#define cshake256_inc_absorb oqs_sha3_cshake256_inc_absorb +#define cshake256_inc_finalize oqs_sha3_cshake256_inc_finalize +#define cshake256_inc_squeeze oqs_sha3_cshake256_inc_squeeze +#define cshake256_inc_ctx_release oqs_sha3_cshake256_inc_ctx_release +#define cshake256_inc_ctx_clone oqs_sha3_cshake256_inc_ctx_clone #include "sp800-185.c" +void OQS_SHA3_cshake128_inc_init(OQS_SHA3_shake128_inc_ctx *state, const uint8_t *name, size_t namelen, const uint8_t *cstm, size_t cstmlen) { + oqs_sha3_cshake128_inc_init((shake128incctx *) state, name, namelen, cstm, cstmlen); +} +void OQS_SHA3_cshake128_inc_absorb(OQS_SHA3_shake128_inc_ctx *state, const uint8_t *input, size_t inlen) { + oqs_sha3_cshake128_inc_absorb((shake128incctx *) state, input, inlen); +} +void OQS_SHA3_cshake128_inc_finalize(OQS_SHA3_shake128_inc_ctx *state) { + oqs_sha3_cshake128_inc_finalize((shake128incctx *) state); +} +void OQS_SHA3_cshake128_inc_squeeze(uint8_t *output, size_t outlen, OQS_SHA3_shake128_inc_ctx *state) { + oqs_sha3_cshake128_inc_squeeze(output, outlen, (shake128incctx *) state); +} +void OQS_SHA3_cshake128_inc_ctx_release(OQS_SHA3_shake128_inc_ctx *state) { + oqs_sha3_cshake128_inc_ctx_release((shake128incctx *) state); +} +void OQS_SHA3_cshake128_inc_ctx_clone(OQS_SHA3_shake128_inc_ctx *dest, const OQS_SHA3_shake128_inc_ctx *src) { + oqs_sha3_cshake128_inc_ctx_clone((shake128incctx *) dest, (const shake128incctx *) src); +} + +void OQS_SHA3_cshake256_inc_init(OQS_SHA3_shake256_inc_ctx *state, const uint8_t *name, size_t namelen, const uint8_t *cstm, size_t cstmlen) { + oqs_sha3_cshake256_inc_init((shake256incctx *) state, name, namelen, cstm, cstmlen); +} +void OQS_SHA3_cshake256_inc_absorb(OQS_SHA3_shake256_inc_ctx *state, const uint8_t *input, size_t inlen) { + oqs_sha3_cshake256_inc_absorb((shake256incctx *) state, input, inlen); +} +void OQS_SHA3_cshake256_inc_finalize(OQS_SHA3_shake256_inc_ctx *state) { + oqs_sha3_cshake256_inc_finalize((shake256incctx *) state); +} +void OQS_SHA3_cshake256_inc_squeeze(uint8_t *output, size_t outlen, OQS_SHA3_shake256_inc_ctx *state) { + oqs_sha3_cshake256_inc_squeeze(output, outlen, (shake256incctx *) state); +} +void OQS_SHA3_cshake256_inc_ctx_release(OQS_SHA3_shake256_inc_ctx *state) { + oqs_sha3_cshake256_inc_ctx_release((shake256incctx *) state); +} +void OQS_SHA3_cshake256_inc_ctx_clone(OQS_SHA3_shake256_inc_ctx *dest, const OQS_SHA3_shake256_inc_ctx *src) { + oqs_sha3_cshake256_inc_ctx_clone((shake256incctx *) dest, (const shake256incctx *) src); +} + void OQS_SHA3_cshake128_simple(uint8_t *output, size_t outlen, uint16_t cstm, const uint8_t *input, size_t inplen) { OQS_SHA3_shake128_inc_ctx state; - for (size_t i = 0; i < 26; ++i) { - state.ctx[i] = 0; - } + OQS_SHA3_shake128_inc_init(&state); /* Note: This function doesn't align exactly to cSHAKE (SP800-185 3.2), which should produce SHAKE output if S and N = zero (sort of a customized custom-SHAKE function). @@ -120,7 +300,7 @@ void OQS_SHA3_cshake128_simple(uint8_t *output, size_t outlen, uint16_t cstm, co sep[6] = cstm & 0xFF; sep[7] = cstm >> 8; - state.ctx[0] = load64(sep); + ((shake128incctx *) &state)->ctx[0] = load64(sep); /* transform the domain string */ KeccakF1600_StatePermute(state.ctx); @@ -131,15 +311,14 @@ void OQS_SHA3_cshake128_simple(uint8_t *output, size_t outlen, uint16_t cstm, co /* generate output */ OQS_SHA3_cshake128_inc_finalize(&state); OQS_SHA3_cshake128_inc_squeeze(output, outlen, &state); + OQS_SHA3_shake128_inc_ctx_release(&state); } void OQS_SHA3_cshake256_simple(uint8_t *output, size_t outlen, uint16_t cstm, const uint8_t *input, size_t inplen) { OQS_SHA3_shake256_inc_ctx state; - for (size_t i = 0; i < 26; ++i) { - state.ctx[i] = 0; - } + OQS_SHA3_shake256_inc_init(&state); /* Note: This function doesn't align exactly to cSHAKE (SP800-185 3.2), which should produce SHAKE output if S and N = zero (sort of a customized custom-SHAKE function). @@ -157,7 +336,7 @@ void OQS_SHA3_cshake256_simple(uint8_t *output, size_t outlen, uint16_t cstm, co sep[6] = cstm & 0xFF; sep[7] = cstm >> 8; - state.ctx[0] = load64(sep); + ((shake256incctx *) &state)->ctx[0] = load64(sep); /* transform the domain string */ KeccakF1600_StatePermute(state.ctx); @@ -168,4 +347,5 @@ void OQS_SHA3_cshake256_simple(uint8_t *output, size_t outlen, uint16_t cstm, co /* generate output */ OQS_SHA3_cshake256_inc_finalize(&state); OQS_SHA3_cshake256_inc_squeeze(output, outlen, &state); + OQS_SHA3_shake256_inc_ctx_release(&state); } diff --git a/src/crypto/sha3/sp800-185.c b/src/crypto/sha3/sp800-185.c index 90b62959e..6d837aef3 100644 --- a/src/crypto/sha3/sp800-185.c +++ b/src/crypto/sha3/sp800-185.c @@ -13,12 +13,12 @@ static size_t left_encode(uint8_t *encbuf, size_t value) { for (i = 1; i <= n; i++) { encbuf[i] = (uint8_t)(value >> (8 * (n - i))); } - encbuf[0] = (uint8_t) n; + encbuf[0] = (uint8_t)n; return n + 1; } void cshake128_inc_init(shake128incctx *state, const uint8_t *name, size_t namelen, const uint8_t *cstm, size_t cstmlen) { - uint8_t encbuf[sizeof(size_t) + 1]; + uint8_t encbuf[sizeof(size_t) +1]; shake128_inc_init(state); @@ -42,8 +42,8 @@ void cshake128_inc_absorb(shake128incctx *state, const uint8_t *input, size_t in } void cshake128_inc_finalize(shake128incctx *state) { - state->ctx[state->ctx[25] >> 3] ^= (uint64_t) 0x04 << (8 * (state->ctx[25] & 0x07)); - state->ctx[(SHAKE128_RATE - 1) >> 3] ^= (uint64_t) 128 << (8 * ((SHAKE128_RATE - 1) & 0x07)); + state->ctx[state->ctx[25] >> 3] ^= (uint64_t)0x04 << (8 * (state->ctx[25] & 0x07)); + state->ctx[(SHAKE128_RATE - 1) >> 3] ^= (uint64_t)128 << (8 * ((SHAKE128_RATE - 1) & 0x07)); state->ctx[25] = 0; } @@ -51,8 +51,16 @@ void cshake128_inc_squeeze(uint8_t *output, size_t outlen, shake128incctx *state shake128_inc_squeeze(output, outlen, state); } +void cshake128_inc_ctx_release(shake128incctx *state) { + shake128_inc_ctx_release(state); +} + +void cshake128_inc_ctx_clone(shake128incctx *dest, const shake128incctx *src) { + shake128_inc_ctx_clone(dest, src); +} + void cshake256_inc_init(shake256incctx *state, const uint8_t *name, size_t namelen, const uint8_t *cstm, size_t cstmlen) { - uint8_t encbuf[sizeof(size_t) + 1]; + uint8_t encbuf[sizeof(size_t) +1]; shake256_inc_init(state); @@ -76,8 +84,8 @@ void cshake256_inc_absorb(shake256incctx *state, const uint8_t *input, size_t in } void cshake256_inc_finalize(shake256incctx *state) { - state->ctx[state->ctx[25] >> 3] ^= (uint64_t) 0x04 << (8 * (state->ctx[25] & 0x07)); - state->ctx[(SHAKE256_RATE - 1) >> 3] ^= (uint64_t) 128 << (8 * ((SHAKE256_RATE - 1) & 0x07)); + state->ctx[state->ctx[25] >> 3] ^= (uint64_t)0x04 << (8 * (state->ctx[25] & 0x07)); + state->ctx[(SHAKE256_RATE - 1) >> 3] ^= (uint64_t)128 << (8 * ((SHAKE256_RATE - 1) & 0x07)); state->ctx[25] = 0; } @@ -85,6 +93,14 @@ void cshake256_inc_squeeze(uint8_t *output, size_t outlen, shake256incctx *state shake256_inc_squeeze(output, outlen, state); } +void cshake256_inc_ctx_release(shake256incctx *state) { + shake256_inc_ctx_release(state); +} + +void cshake256_inc_ctx_clone(shake256incctx *dest, const shake256incctx *src) { + shake256_inc_ctx_clone(dest, src); +} + /************************************************* * Name: cshake128 * @@ -108,6 +124,7 @@ void cshake128(uint8_t *output, size_t outlen, cshake128_inc_absorb(&state, input, inlen); cshake128_inc_finalize(&state); cshake128_inc_squeeze(output, outlen, &state); + cshake128_inc_ctx_release(&state); } /************************************************* @@ -133,4 +150,5 @@ void cshake256(uint8_t *output, size_t outlen, cshake256_inc_absorb(&state, input, inlen); cshake256_inc_finalize(&state); cshake256_inc_squeeze(output, outlen, &state); + cshake256_inc_ctx_release(&state); } diff --git a/src/kem/kyber/pqclean_kyber1024-90s_clean/aes256ctr.c b/src/kem/kyber/pqclean_kyber1024-90s_clean/aes256ctr.c index 2af282aea..1e81589d5 100644 --- a/src/kem/kyber/pqclean_kyber1024-90s_clean/aes256ctr.c +++ b/src/kem/kyber/pqclean_kyber1024-90s_clean/aes256ctr.c @@ -93,3 +93,8 @@ void PQCLEAN_KYBER102490S_CLEAN_aes256xof_squeezeblocks(uint8_t *out, size_t nbl aes256_ctr_xof(out, nblocks * 64, s->iv, s->ctr, &s->sk_exp); s->ctr += (uint32_t) (4 * nblocks); } + +/** Free the AES ctx **/ +void PQCLEAN_KYBER102490S_CLEAN_aes256xof_ctx_release(aes256xof_ctx *s) { + aes256_ctx_release(&s->sk_exp); +} diff --git a/src/kem/kyber/pqclean_kyber1024-90s_clean/aes256ctr.h b/src/kem/kyber/pqclean_kyber1024-90s_clean/aes256ctr.h index efc9675ce..bc2d7483a 100644 --- a/src/kem/kyber/pqclean_kyber1024-90s_clean/aes256ctr.h +++ b/src/kem/kyber/pqclean_kyber1024-90s_clean/aes256ctr.h @@ -15,5 +15,6 @@ typedef struct { void PQCLEAN_KYBER102490S_CLEAN_aes256_prf(uint8_t *output, size_t outlen, const uint8_t *key, uint8_t nonce); void PQCLEAN_KYBER102490S_CLEAN_aes256xof_absorb(aes256xof_ctx *s, const uint8_t *key, uint8_t x, uint8_t y); void PQCLEAN_KYBER102490S_CLEAN_aes256xof_squeezeblocks(uint8_t *out, size_t nblocks, aes256xof_ctx *s); +void PQCLEAN_KYBER102490S_CLEAN_aes256xof_ctx_release(aes256xof_ctx *s); #endif diff --git a/src/kem/kyber/pqclean_kyber1024-90s_clean/indcpa.c b/src/kem/kyber/pqclean_kyber1024-90s_clean/indcpa.c index 1cb5a326c..3092c6a5e 100644 --- a/src/kem/kyber/pqclean_kyber1024-90s_clean/indcpa.c +++ b/src/kem/kyber/pqclean_kyber1024-90s_clean/indcpa.c @@ -169,6 +169,7 @@ static void gen_matrix(polyvec *a, const uint8_t *seed, int transposed) { } } } + xof_ctx_release(&state); } /************************************************* diff --git a/src/kem/kyber/pqclean_kyber1024-90s_clean/symmetric.h b/src/kem/kyber/pqclean_kyber1024-90s_clean/symmetric.h index 57eb91dde..df1faa565 100644 --- a/src/kem/kyber/pqclean_kyber1024-90s_clean/symmetric.h +++ b/src/kem/kyber/pqclean_kyber1024-90s_clean/symmetric.h @@ -11,6 +11,7 @@ #define hash_g(OUT, IN, INBYTES) sha512(OUT, IN, INBYTES) #define xof_absorb(STATE, IN, X, Y) PQCLEAN_KYBER102490S_CLEAN_aes256xof_absorb(STATE, IN, X, Y) #define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) PQCLEAN_KYBER102490S_CLEAN_aes256xof_squeezeblocks(OUT, OUTBLOCKS, STATE) +#define xof_ctx_release(STATE) PQCLEAN_KYBER102490S_CLEAN_aes256xof_ctx_release(STATE) #define prf(OUT, OUTBYTES, KEY, NONCE) PQCLEAN_KYBER102490S_CLEAN_aes256_prf(OUT, OUTBYTES, KEY, NONCE) #define kdf(OUT, IN, INBYTES) sha256(OUT, IN, INBYTES) diff --git a/src/kem/kyber/pqclean_kyber1024_clean/indcpa.c b/src/kem/kyber/pqclean_kyber1024_clean/indcpa.c index 755463bdf..e8bfa1c05 100644 --- a/src/kem/kyber/pqclean_kyber1024_clean/indcpa.c +++ b/src/kem/kyber/pqclean_kyber1024_clean/indcpa.c @@ -169,6 +169,7 @@ static void gen_matrix(polyvec *a, const uint8_t *seed, int transposed) { } } } + xof_ctx_release(&state); } /************************************************* diff --git a/src/kem/kyber/pqclean_kyber1024_clean/symmetric.h b/src/kem/kyber/pqclean_kyber1024_clean/symmetric.h index f40318241..ae5c7c997 100644 --- a/src/kem/kyber/pqclean_kyber1024_clean/symmetric.h +++ b/src/kem/kyber/pqclean_kyber1024_clean/symmetric.h @@ -18,6 +18,7 @@ void PQCLEAN_KYBER1024_CLEAN_shake256_prf(uint8_t *output, size_t outlen, const #define hash_g(OUT, IN, INBYTES) sha3_512(OUT, IN, INBYTES) #define xof_absorb(STATE, IN, X, Y) PQCLEAN_KYBER1024_CLEAN_kyber_shake128_absorb(STATE, IN, X, Y) #define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) PQCLEAN_KYBER1024_CLEAN_kyber_shake128_squeezeblocks(OUT, OUTBLOCKS, STATE) +#define xof_ctx_release(STATE) #define prf(OUT, OUTBYTES, KEY, NONCE) PQCLEAN_KYBER1024_CLEAN_shake256_prf(OUT, OUTBYTES, KEY, NONCE) #define kdf(OUT, IN, INBYTES) shake256(OUT, KYBER_SSBYTES, IN, INBYTES) diff --git a/src/kem/kyber/pqclean_kyber512-90s_clean/aes256ctr.c b/src/kem/kyber/pqclean_kyber512-90s_clean/aes256ctr.c index fcf2af5c2..7d536f302 100644 --- a/src/kem/kyber/pqclean_kyber512-90s_clean/aes256ctr.c +++ b/src/kem/kyber/pqclean_kyber512-90s_clean/aes256ctr.c @@ -93,3 +93,8 @@ void PQCLEAN_KYBER51290S_CLEAN_aes256xof_squeezeblocks(uint8_t *out, size_t nblo aes256_ctr_xof(out, nblocks * 64, s->iv, s->ctr, &s->sk_exp); s->ctr += (uint32_t) (4 * nblocks); } + +/** Free the AES ctx **/ +void PQCLEAN_KYBER51290S_CLEAN_aes256xof_ctx_release(aes256xof_ctx *s) { + aes256_ctx_release(&s->sk_exp); +} diff --git a/src/kem/kyber/pqclean_kyber512-90s_clean/aes256ctr.h b/src/kem/kyber/pqclean_kyber512-90s_clean/aes256ctr.h index 98279b0b5..3efa25673 100644 --- a/src/kem/kyber/pqclean_kyber512-90s_clean/aes256ctr.h +++ b/src/kem/kyber/pqclean_kyber512-90s_clean/aes256ctr.h @@ -15,5 +15,6 @@ typedef struct { void PQCLEAN_KYBER51290S_CLEAN_aes256_prf(uint8_t *output, size_t outlen, const uint8_t *key, uint8_t nonce); void PQCLEAN_KYBER51290S_CLEAN_aes256xof_absorb(aes256xof_ctx *s, const uint8_t *key, uint8_t x, uint8_t y); void PQCLEAN_KYBER51290S_CLEAN_aes256xof_squeezeblocks(uint8_t *out, size_t nblocks, aes256xof_ctx *s); +void PQCLEAN_KYBER51290S_CLEAN_aes256xof_ctx_release(aes256xof_ctx *s); #endif diff --git a/src/kem/kyber/pqclean_kyber512-90s_clean/indcpa.c b/src/kem/kyber/pqclean_kyber512-90s_clean/indcpa.c index 6e031f041..72cd842bf 100644 --- a/src/kem/kyber/pqclean_kyber512-90s_clean/indcpa.c +++ b/src/kem/kyber/pqclean_kyber512-90s_clean/indcpa.c @@ -169,6 +169,7 @@ static void gen_matrix(polyvec *a, const uint8_t *seed, int transposed) { } } } + xof_ctx_release(&state); } /************************************************* diff --git a/src/kem/kyber/pqclean_kyber512-90s_clean/symmetric.h b/src/kem/kyber/pqclean_kyber512-90s_clean/symmetric.h index 537da9bef..e1bc27433 100644 --- a/src/kem/kyber/pqclean_kyber512-90s_clean/symmetric.h +++ b/src/kem/kyber/pqclean_kyber512-90s_clean/symmetric.h @@ -11,6 +11,7 @@ #define hash_g(OUT, IN, INBYTES) sha512(OUT, IN, INBYTES) #define xof_absorb(STATE, IN, X, Y) PQCLEAN_KYBER51290S_CLEAN_aes256xof_absorb(STATE, IN, X, Y) #define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) PQCLEAN_KYBER51290S_CLEAN_aes256xof_squeezeblocks(OUT, OUTBLOCKS, STATE) +#define xof_ctx_release(STATE) PQCLEAN_KYBER51290S_CLEAN_aes256xof_ctx_release(STATE) #define prf(OUT, OUTBYTES, KEY, NONCE) PQCLEAN_KYBER51290S_CLEAN_aes256_prf(OUT, OUTBYTES, KEY, NONCE) #define kdf(OUT, IN, INBYTES) sha256(OUT, IN, INBYTES) diff --git a/src/kem/kyber/pqclean_kyber512_clean/indcpa.c b/src/kem/kyber/pqclean_kyber512_clean/indcpa.c index 7b6d40bc7..41db35be6 100644 --- a/src/kem/kyber/pqclean_kyber512_clean/indcpa.c +++ b/src/kem/kyber/pqclean_kyber512_clean/indcpa.c @@ -169,6 +169,7 @@ static void gen_matrix(polyvec *a, const uint8_t *seed, int transposed) { } } } + xof_ctx_release(&state); } /************************************************* diff --git a/src/kem/kyber/pqclean_kyber512_clean/symmetric.h b/src/kem/kyber/pqclean_kyber512_clean/symmetric.h index a49b5c026..8b58c0c32 100644 --- a/src/kem/kyber/pqclean_kyber512_clean/symmetric.h +++ b/src/kem/kyber/pqclean_kyber512_clean/symmetric.h @@ -18,6 +18,7 @@ void PQCLEAN_KYBER512_CLEAN_shake256_prf(uint8_t *output, size_t outlen, const u #define hash_g(OUT, IN, INBYTES) sha3_512(OUT, IN, INBYTES) #define xof_absorb(STATE, IN, X, Y) PQCLEAN_KYBER512_CLEAN_kyber_shake128_absorb(STATE, IN, X, Y) #define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) PQCLEAN_KYBER512_CLEAN_kyber_shake128_squeezeblocks(OUT, OUTBLOCKS, STATE) +#define xof_ctx_release(STATE) #define prf(OUT, OUTBYTES, KEY, NONCE) PQCLEAN_KYBER512_CLEAN_shake256_prf(OUT, OUTBYTES, KEY, NONCE) #define kdf(OUT, IN, INBYTES) shake256(OUT, KYBER_SSBYTES, IN, INBYTES) diff --git a/src/kem/kyber/pqclean_kyber768-90s_clean/aes256ctr.c b/src/kem/kyber/pqclean_kyber768-90s_clean/aes256ctr.c index 555da9196..950ab45b7 100644 --- a/src/kem/kyber/pqclean_kyber768-90s_clean/aes256ctr.c +++ b/src/kem/kyber/pqclean_kyber768-90s_clean/aes256ctr.c @@ -93,3 +93,8 @@ void PQCLEAN_KYBER76890S_CLEAN_aes256xof_squeezeblocks(uint8_t *out, size_t nblo aes256_ctr_xof(out, nblocks * 64, s->iv, s->ctr, &s->sk_exp); s->ctr += (uint32_t) (4 * nblocks); } + +/** Free the AES ctx **/ +void PQCLEAN_KYBER76890S_CLEAN_aes256xof_ctx_release(aes256xof_ctx *s) { + aes256_ctx_release(&s->sk_exp); +} diff --git a/src/kem/kyber/pqclean_kyber768-90s_clean/aes256ctr.h b/src/kem/kyber/pqclean_kyber768-90s_clean/aes256ctr.h index feb50ea10..35facbeb6 100644 --- a/src/kem/kyber/pqclean_kyber768-90s_clean/aes256ctr.h +++ b/src/kem/kyber/pqclean_kyber768-90s_clean/aes256ctr.h @@ -15,5 +15,6 @@ typedef struct { void PQCLEAN_KYBER76890S_CLEAN_aes256_prf(uint8_t *output, size_t outlen, const uint8_t *key, uint8_t nonce); void PQCLEAN_KYBER76890S_CLEAN_aes256xof_absorb(aes256xof_ctx *s, const uint8_t *key, uint8_t x, uint8_t y); void PQCLEAN_KYBER76890S_CLEAN_aes256xof_squeezeblocks(uint8_t *out, size_t nblocks, aes256xof_ctx *s); +void PQCLEAN_KYBER76890S_CLEAN_aes256xof_ctx_release(aes256xof_ctx *s); #endif diff --git a/src/kem/kyber/pqclean_kyber768-90s_clean/indcpa.c b/src/kem/kyber/pqclean_kyber768-90s_clean/indcpa.c index 517a12653..babde479f 100644 --- a/src/kem/kyber/pqclean_kyber768-90s_clean/indcpa.c +++ b/src/kem/kyber/pqclean_kyber768-90s_clean/indcpa.c @@ -169,6 +169,7 @@ static void gen_matrix(polyvec *a, const uint8_t *seed, int transposed) { } } } + xof_ctx_release(&state); } /************************************************* diff --git a/src/kem/kyber/pqclean_kyber768-90s_clean/symmetric.h b/src/kem/kyber/pqclean_kyber768-90s_clean/symmetric.h index 29c68a9f4..681ea3d7c 100644 --- a/src/kem/kyber/pqclean_kyber768-90s_clean/symmetric.h +++ b/src/kem/kyber/pqclean_kyber768-90s_clean/symmetric.h @@ -11,6 +11,7 @@ #define hash_g(OUT, IN, INBYTES) sha512(OUT, IN, INBYTES) #define xof_absorb(STATE, IN, X, Y) PQCLEAN_KYBER76890S_CLEAN_aes256xof_absorb(STATE, IN, X, Y) #define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) PQCLEAN_KYBER76890S_CLEAN_aes256xof_squeezeblocks(OUT, OUTBLOCKS, STATE) +#define xof_ctx_release(STATE) PQCLEAN_KYBER76890S_CLEAN_aes256xof_ctx_release(STATE) #define prf(OUT, OUTBYTES, KEY, NONCE) PQCLEAN_KYBER76890S_CLEAN_aes256_prf(OUT, OUTBYTES, KEY, NONCE) #define kdf(OUT, IN, INBYTES) sha256(OUT, IN, INBYTES) diff --git a/src/kem/kyber/pqclean_kyber768_clean/indcpa.c b/src/kem/kyber/pqclean_kyber768_clean/indcpa.c index 723fafd96..776f233b4 100644 --- a/src/kem/kyber/pqclean_kyber768_clean/indcpa.c +++ b/src/kem/kyber/pqclean_kyber768_clean/indcpa.c @@ -169,6 +169,7 @@ static void gen_matrix(polyvec *a, const uint8_t *seed, int transposed) { } } } + xof_ctx_release(&state); } /************************************************* diff --git a/src/kem/kyber/pqclean_kyber768_clean/symmetric.h b/src/kem/kyber/pqclean_kyber768_clean/symmetric.h index a31f00b03..cd688df99 100644 --- a/src/kem/kyber/pqclean_kyber768_clean/symmetric.h +++ b/src/kem/kyber/pqclean_kyber768_clean/symmetric.h @@ -18,6 +18,7 @@ void PQCLEAN_KYBER768_CLEAN_shake256_prf(uint8_t *output, size_t outlen, const u #define hash_g(OUT, IN, INBYTES) sha3_512(OUT, IN, INBYTES) #define xof_absorb(STATE, IN, X, Y) PQCLEAN_KYBER768_CLEAN_kyber_shake128_absorb(STATE, IN, X, Y) #define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) PQCLEAN_KYBER768_CLEAN_kyber_shake128_squeezeblocks(OUT, OUTBLOCKS, STATE) +#define xof_ctx_release(STATE) #define prf(OUT, OUTBYTES, KEY, NONCE) PQCLEAN_KYBER768_CLEAN_shake256_prf(OUT, OUTBYTES, KEY, NONCE) #define kdf(OUT, IN, INBYTES) shake256(OUT, KYBER_SSBYTES, IN, INBYTES) diff --git a/src/kem/threebears/pqclean_babybear-ephem_clean/threebears.c b/src/kem/threebears/pqclean_babybear-ephem_clean/threebears.c index 9ba84b8bd..2c2b37965 100644 --- a/src/kem/threebears/pqclean_babybear-ephem_clean/threebears.c +++ b/src/kem/threebears/pqclean_babybear-ephem_clean/threebears.c @@ -38,6 +38,7 @@ static void uniform(gf_t matrix, const uint8_t *seed, uint8_t iv) { cshake256_inc_absorb(&ctx, &iv, 1); cshake256_inc_finalize(&ctx); cshake256_inc_squeeze(c, sizeof(c), &ctx); + cshake256_inc_ctx_release(&ctx); PQCLEAN_BABYBEAREPHEM_CLEAN_expand(matrix, c); } @@ -56,13 +57,14 @@ static void noise(gf_t x, const shake256incctx *ctx, uint8_t iv) { uint8_t c[DIGITS]; shake256incctx ctx2; - memcpy(&ctx2, ctx, sizeof(ctx2)); + cshake256_inc_ctx_clone(&ctx2, ctx); cshake256_inc_absorb(&ctx2, &iv, 1); cshake256_inc_finalize(&ctx2); cshake256_inc_squeeze(c, DIGITS, &ctx2); for (size_t i = 0; i < DIGITS; i++) { x[i] = (limb_t)(psi(c[i]) + PQCLEAN_BABYBEAREPHEM_CLEAN_modulus(i)); } + cshake256_inc_ctx_release(&ctx2); } /* Expand public key from private key */ @@ -74,9 +76,10 @@ void PQCLEAN_BABYBEAREPHEM_CLEAN_get_pubkey(uint8_t *pk, const uint8_t *sk) { threebears_hash_init(&ctx, HASH_PURPOSE_KEYGEN); cshake256_inc_absorb(&ctx, sk, PRIVATE_KEY_BYTES); - memcpy(&ctx2, &ctx, sizeof(ctx2)); + cshake256_inc_ctx_clone(&ctx2, &ctx); cshake256_inc_finalize(&ctx2); cshake256_inc_squeeze(pk, MATRIX_SEED_BYTES, &ctx2); + cshake256_inc_ctx_release(&ctx2); for (uint8_t i = 0; i < DIM; i++) { noise(sk_expanded[i], &ctx, i); @@ -89,6 +92,7 @@ void PQCLEAN_BABYBEAREPHEM_CLEAN_get_pubkey(uint8_t *pk, const uint8_t *sk) { } PQCLEAN_BABYBEAREPHEM_CLEAN_contract(&pk[MATRIX_SEED_BYTES + i * GF_BYTES], c); } + cshake256_inc_ctx_release(&ctx); } /* Encapsulate a shared secret and return it */ @@ -135,6 +139,8 @@ void PQCLEAN_BABYBEAREPHEM_CLEAN_encapsulate( cshake256_inc_finalize(&ctx); cshake256_inc_squeeze(tbi, ENC_SEED_BYTES, &ctx); + cshake256_inc_ctx_release(&ctx); + threebears_hash_init(&ctx, HASH_PURPOSE_ENCAPS); cshake256_inc_absorb(&ctx, pk, MATRIX_SEED_BYTES); cshake256_inc_absorb(&ctx, tbi, ENC_SEED_BYTES); @@ -152,6 +158,7 @@ void PQCLEAN_BABYBEAREPHEM_CLEAN_encapsulate( cshake256_inc_finalize(&ctx); cshake256_inc_squeeze(shared_secret, SHARED_SECRET_BYTES, &ctx); + cshake256_inc_ctx_release(&ctx); } /* Decapsulate a shared secret and return it */ @@ -199,6 +206,7 @@ void PQCLEAN_BABYBEAREPHEM_CLEAN_decapsulate( /* Recalculate matrix seed */ cshake256_inc_finalize(&ctx); cshake256_inc_squeeze(matrix_seed, MATRIX_SEED_BYTES, &ctx); + cshake256_inc_ctx_release(&ctx); /* Re-run the key derivation from encaps */ threebears_hash_init(&ctx, HASH_PURPOSE_ENCAPS); @@ -207,4 +215,5 @@ void PQCLEAN_BABYBEAREPHEM_CLEAN_decapsulate( cshake256_inc_absorb(&ctx, &lpr_data[(ENC_BITS * LPR_BITS + 7) / 8], IV_BYTES); cshake256_inc_finalize(&ctx); cshake256_inc_squeeze(shared_secret, SHARED_SECRET_BYTES, &ctx); + cshake256_inc_ctx_release(&ctx); } diff --git a/src/kem/threebears/pqclean_babybear_clean/threebears.c b/src/kem/threebears/pqclean_babybear_clean/threebears.c index b6d886b7f..70fa05e0b 100644 --- a/src/kem/threebears/pqclean_babybear_clean/threebears.c +++ b/src/kem/threebears/pqclean_babybear_clean/threebears.c @@ -38,6 +38,7 @@ static void uniform(gf_t matrix, const uint8_t *seed, uint8_t iv) { cshake256_inc_absorb(&ctx, &iv, 1); cshake256_inc_finalize(&ctx); cshake256_inc_squeeze(c, sizeof(c), &ctx); + cshake256_inc_ctx_release(&ctx); PQCLEAN_BABYBEAR_CLEAN_expand(matrix, c); } @@ -56,13 +57,14 @@ static void noise(gf_t x, const shake256incctx *ctx, uint8_t iv) { uint8_t c[DIGITS]; shake256incctx ctx2; - memcpy(&ctx2, ctx, sizeof(ctx2)); + cshake256_inc_ctx_clone(&ctx2, ctx); cshake256_inc_absorb(&ctx2, &iv, 1); cshake256_inc_finalize(&ctx2); cshake256_inc_squeeze(c, DIGITS, &ctx2); for (size_t i = 0; i < DIGITS; i++) { x[i] = (limb_t)(psi(c[i]) + PQCLEAN_BABYBEAR_CLEAN_modulus(i)); } + cshake256_inc_ctx_release(&ctx2); } /* Expand public key from private key */ @@ -74,9 +76,10 @@ void PQCLEAN_BABYBEAR_CLEAN_get_pubkey(uint8_t *pk, const uint8_t *sk) { threebears_hash_init(&ctx, HASH_PURPOSE_KEYGEN); cshake256_inc_absorb(&ctx, sk, PRIVATE_KEY_BYTES); - memcpy(&ctx2, &ctx, sizeof(ctx2)); + cshake256_inc_ctx_clone(&ctx2, &ctx); cshake256_inc_finalize(&ctx2); cshake256_inc_squeeze(pk, MATRIX_SEED_BYTES, &ctx2); + cshake256_inc_ctx_release(&ctx2); for (uint8_t i = 0; i < DIM; i++) { noise(sk_expanded[i], &ctx, i); @@ -89,6 +92,7 @@ void PQCLEAN_BABYBEAR_CLEAN_get_pubkey(uint8_t *pk, const uint8_t *sk) { } PQCLEAN_BABYBEAR_CLEAN_contract(&pk[MATRIX_SEED_BYTES + i * GF_BYTES], c); } + cshake256_inc_ctx_release(&ctx); } /* Encapsulate a shared secret and return it */ @@ -147,6 +151,7 @@ void PQCLEAN_BABYBEAR_CLEAN_encapsulate( cshake256_inc_finalize(&ctx); cshake256_inc_squeeze(shared_secret, SHARED_SECRET_BYTES, &ctx); + cshake256_inc_ctx_release(&ctx); } /* Decapsulate a shared secret and return it */ @@ -210,6 +215,7 @@ void PQCLEAN_BABYBEAR_CLEAN_decapsulate( cshake256_inc_absorb(&ctx, &sep, 1); cshake256_inc_finalize(&ctx); cshake256_inc_squeeze(prfk, PRF_KEY_BYTES, &ctx); + cshake256_inc_ctx_release(&ctx); /* Calculate PRF */ threebears_hash_init(&ctx, HASH_PURPOSE_PRF); @@ -217,6 +223,7 @@ void PQCLEAN_BABYBEAR_CLEAN_decapsulate( cshake256_inc_absorb(&ctx, capsule, CAPSULE_BYTES); cshake256_inc_finalize(&ctx); cshake256_inc_squeeze(prfout, SHARED_SECRET_BYTES, &ctx); + cshake256_inc_ctx_release(&ctx); for (size_t i = 0; i < SHARED_SECRET_BYTES; i++) { shared_secret[i] = (uint8_t)((shared_secret[i] & ok) | (prfout[i] & ~ok)); diff --git a/src/kem/threebears/pqclean_mamabear-ephem_clean/threebears.c b/src/kem/threebears/pqclean_mamabear-ephem_clean/threebears.c index 12580fbeb..c343ebe78 100644 --- a/src/kem/threebears/pqclean_mamabear-ephem_clean/threebears.c +++ b/src/kem/threebears/pqclean_mamabear-ephem_clean/threebears.c @@ -38,6 +38,7 @@ static void uniform(gf_t matrix, const uint8_t *seed, uint8_t iv) { cshake256_inc_absorb(&ctx, &iv, 1); cshake256_inc_finalize(&ctx); cshake256_inc_squeeze(c, sizeof(c), &ctx); + cshake256_inc_ctx_release(&ctx); PQCLEAN_MAMABEAREPHEM_CLEAN_expand(matrix, c); } @@ -56,13 +57,14 @@ static void noise(gf_t x, const shake256incctx *ctx, uint8_t iv) { uint8_t c[DIGITS]; shake256incctx ctx2; - memcpy(&ctx2, ctx, sizeof(ctx2)); + cshake256_inc_ctx_clone(&ctx2, ctx); cshake256_inc_absorb(&ctx2, &iv, 1); cshake256_inc_finalize(&ctx2); cshake256_inc_squeeze(c, DIGITS, &ctx2); for (size_t i = 0; i < DIGITS; i++) { x[i] = (limb_t)(psi(c[i]) + PQCLEAN_MAMABEAREPHEM_CLEAN_modulus(i)); } + cshake256_inc_ctx_release(&ctx2); } /* Expand public key from private key */ @@ -74,9 +76,10 @@ void PQCLEAN_MAMABEAREPHEM_CLEAN_get_pubkey(uint8_t *pk, const uint8_t *sk) { threebears_hash_init(&ctx, HASH_PURPOSE_KEYGEN); cshake256_inc_absorb(&ctx, sk, PRIVATE_KEY_BYTES); - memcpy(&ctx2, &ctx, sizeof(ctx2)); + cshake256_inc_ctx_clone(&ctx2, &ctx); cshake256_inc_finalize(&ctx2); cshake256_inc_squeeze(pk, MATRIX_SEED_BYTES, &ctx2); + cshake256_inc_ctx_release(&ctx2); for (uint8_t i = 0; i < DIM; i++) { noise(sk_expanded[i], &ctx, i); @@ -89,6 +92,7 @@ void PQCLEAN_MAMABEAREPHEM_CLEAN_get_pubkey(uint8_t *pk, const uint8_t *sk) { } PQCLEAN_MAMABEAREPHEM_CLEAN_contract(&pk[MATRIX_SEED_BYTES + i * GF_BYTES], c); } + cshake256_inc_ctx_release(&ctx); } /* Encapsulate a shared secret and return it */ @@ -135,6 +139,8 @@ void PQCLEAN_MAMABEAREPHEM_CLEAN_encapsulate( cshake256_inc_finalize(&ctx); cshake256_inc_squeeze(tbi, ENC_SEED_BYTES, &ctx); + cshake256_inc_ctx_release(&ctx); + threebears_hash_init(&ctx, HASH_PURPOSE_ENCAPS); cshake256_inc_absorb(&ctx, pk, MATRIX_SEED_BYTES); cshake256_inc_absorb(&ctx, tbi, ENC_SEED_BYTES); @@ -152,6 +158,7 @@ void PQCLEAN_MAMABEAREPHEM_CLEAN_encapsulate( cshake256_inc_finalize(&ctx); cshake256_inc_squeeze(shared_secret, SHARED_SECRET_BYTES, &ctx); + cshake256_inc_ctx_release(&ctx); } /* Decapsulate a shared secret and return it */ @@ -199,6 +206,7 @@ void PQCLEAN_MAMABEAREPHEM_CLEAN_decapsulate( /* Recalculate matrix seed */ cshake256_inc_finalize(&ctx); cshake256_inc_squeeze(matrix_seed, MATRIX_SEED_BYTES, &ctx); + cshake256_inc_ctx_release(&ctx); /* Re-run the key derivation from encaps */ threebears_hash_init(&ctx, HASH_PURPOSE_ENCAPS); @@ -207,4 +215,5 @@ void PQCLEAN_MAMABEAREPHEM_CLEAN_decapsulate( cshake256_inc_absorb(&ctx, &lpr_data[(ENC_BITS * LPR_BITS + 7) / 8], IV_BYTES); cshake256_inc_finalize(&ctx); cshake256_inc_squeeze(shared_secret, SHARED_SECRET_BYTES, &ctx); + cshake256_inc_ctx_release(&ctx); } diff --git a/src/kem/threebears/pqclean_mamabear_clean/threebears.c b/src/kem/threebears/pqclean_mamabear_clean/threebears.c index f3864de85..5636d79d7 100644 --- a/src/kem/threebears/pqclean_mamabear_clean/threebears.c +++ b/src/kem/threebears/pqclean_mamabear_clean/threebears.c @@ -38,6 +38,7 @@ static void uniform(gf_t matrix, const uint8_t *seed, uint8_t iv) { cshake256_inc_absorb(&ctx, &iv, 1); cshake256_inc_finalize(&ctx); cshake256_inc_squeeze(c, sizeof(c), &ctx); + cshake256_inc_ctx_release(&ctx); PQCLEAN_MAMABEAR_CLEAN_expand(matrix, c); } @@ -56,13 +57,14 @@ static void noise(gf_t x, const shake256incctx *ctx, uint8_t iv) { uint8_t c[DIGITS]; shake256incctx ctx2; - memcpy(&ctx2, ctx, sizeof(ctx2)); + cshake256_inc_ctx_clone(&ctx2, ctx); cshake256_inc_absorb(&ctx2, &iv, 1); cshake256_inc_finalize(&ctx2); cshake256_inc_squeeze(c, DIGITS, &ctx2); for (size_t i = 0; i < DIGITS; i++) { x[i] = (limb_t)(psi(c[i]) + PQCLEAN_MAMABEAR_CLEAN_modulus(i)); } + cshake256_inc_ctx_release(&ctx2); } /* Expand public key from private key */ @@ -74,9 +76,10 @@ void PQCLEAN_MAMABEAR_CLEAN_get_pubkey(uint8_t *pk, const uint8_t *sk) { threebears_hash_init(&ctx, HASH_PURPOSE_KEYGEN); cshake256_inc_absorb(&ctx, sk, PRIVATE_KEY_BYTES); - memcpy(&ctx2, &ctx, sizeof(ctx2)); + cshake256_inc_ctx_clone(&ctx2, &ctx); cshake256_inc_finalize(&ctx2); cshake256_inc_squeeze(pk, MATRIX_SEED_BYTES, &ctx2); + cshake256_inc_ctx_release(&ctx2); for (uint8_t i = 0; i < DIM; i++) { noise(sk_expanded[i], &ctx, i); @@ -89,6 +92,7 @@ void PQCLEAN_MAMABEAR_CLEAN_get_pubkey(uint8_t *pk, const uint8_t *sk) { } PQCLEAN_MAMABEAR_CLEAN_contract(&pk[MATRIX_SEED_BYTES + i * GF_BYTES], c); } + cshake256_inc_ctx_release(&ctx); } /* Encapsulate a shared secret and return it */ @@ -147,6 +151,7 @@ void PQCLEAN_MAMABEAR_CLEAN_encapsulate( cshake256_inc_finalize(&ctx); cshake256_inc_squeeze(shared_secret, SHARED_SECRET_BYTES, &ctx); + cshake256_inc_ctx_release(&ctx); } /* Decapsulate a shared secret and return it */ @@ -210,6 +215,7 @@ void PQCLEAN_MAMABEAR_CLEAN_decapsulate( cshake256_inc_absorb(&ctx, &sep, 1); cshake256_inc_finalize(&ctx); cshake256_inc_squeeze(prfk, PRF_KEY_BYTES, &ctx); + cshake256_inc_ctx_release(&ctx); /* Calculate PRF */ threebears_hash_init(&ctx, HASH_PURPOSE_PRF); @@ -217,6 +223,7 @@ void PQCLEAN_MAMABEAR_CLEAN_decapsulate( cshake256_inc_absorb(&ctx, capsule, CAPSULE_BYTES); cshake256_inc_finalize(&ctx); cshake256_inc_squeeze(prfout, SHARED_SECRET_BYTES, &ctx); + cshake256_inc_ctx_release(&ctx); for (size_t i = 0; i < SHARED_SECRET_BYTES; i++) { shared_secret[i] = (uint8_t)((shared_secret[i] & ok) | (prfout[i] & ~ok)); diff --git a/src/kem/threebears/pqclean_papabear-ephem_clean/threebears.c b/src/kem/threebears/pqclean_papabear-ephem_clean/threebears.c index fe1cd38bf..b278e1b5a 100644 --- a/src/kem/threebears/pqclean_papabear-ephem_clean/threebears.c +++ b/src/kem/threebears/pqclean_papabear-ephem_clean/threebears.c @@ -38,6 +38,7 @@ static void uniform(gf_t matrix, const uint8_t *seed, uint8_t iv) { cshake256_inc_absorb(&ctx, &iv, 1); cshake256_inc_finalize(&ctx); cshake256_inc_squeeze(c, sizeof(c), &ctx); + cshake256_inc_ctx_release(&ctx); PQCLEAN_PAPABEAREPHEM_CLEAN_expand(matrix, c); } @@ -56,13 +57,14 @@ static void noise(gf_t x, const shake256incctx *ctx, uint8_t iv) { uint8_t c[DIGITS]; shake256incctx ctx2; - memcpy(&ctx2, ctx, sizeof(ctx2)); + cshake256_inc_ctx_clone(&ctx2, ctx); cshake256_inc_absorb(&ctx2, &iv, 1); cshake256_inc_finalize(&ctx2); cshake256_inc_squeeze(c, DIGITS, &ctx2); for (size_t i = 0; i < DIGITS; i++) { x[i] = (limb_t)(psi(c[i]) + PQCLEAN_PAPABEAREPHEM_CLEAN_modulus(i)); } + cshake256_inc_ctx_release(&ctx2); } /* Expand public key from private key */ @@ -74,9 +76,10 @@ void PQCLEAN_PAPABEAREPHEM_CLEAN_get_pubkey(uint8_t *pk, const uint8_t *sk) { threebears_hash_init(&ctx, HASH_PURPOSE_KEYGEN); cshake256_inc_absorb(&ctx, sk, PRIVATE_KEY_BYTES); - memcpy(&ctx2, &ctx, sizeof(ctx2)); + cshake256_inc_ctx_clone(&ctx2, &ctx); cshake256_inc_finalize(&ctx2); cshake256_inc_squeeze(pk, MATRIX_SEED_BYTES, &ctx2); + cshake256_inc_ctx_release(&ctx2); for (uint8_t i = 0; i < DIM; i++) { noise(sk_expanded[i], &ctx, i); @@ -89,6 +92,7 @@ void PQCLEAN_PAPABEAREPHEM_CLEAN_get_pubkey(uint8_t *pk, const uint8_t *sk) { } PQCLEAN_PAPABEAREPHEM_CLEAN_contract(&pk[MATRIX_SEED_BYTES + i * GF_BYTES], c); } + cshake256_inc_ctx_release(&ctx); } /* Encapsulate a shared secret and return it */ @@ -135,6 +139,8 @@ void PQCLEAN_PAPABEAREPHEM_CLEAN_encapsulate( cshake256_inc_finalize(&ctx); cshake256_inc_squeeze(tbi, ENC_SEED_BYTES, &ctx); + cshake256_inc_ctx_release(&ctx); + threebears_hash_init(&ctx, HASH_PURPOSE_ENCAPS); cshake256_inc_absorb(&ctx, pk, MATRIX_SEED_BYTES); cshake256_inc_absorb(&ctx, tbi, ENC_SEED_BYTES); @@ -152,6 +158,7 @@ void PQCLEAN_PAPABEAREPHEM_CLEAN_encapsulate( cshake256_inc_finalize(&ctx); cshake256_inc_squeeze(shared_secret, SHARED_SECRET_BYTES, &ctx); + cshake256_inc_ctx_release(&ctx); } /* Decapsulate a shared secret and return it */ @@ -199,6 +206,7 @@ void PQCLEAN_PAPABEAREPHEM_CLEAN_decapsulate( /* Recalculate matrix seed */ cshake256_inc_finalize(&ctx); cshake256_inc_squeeze(matrix_seed, MATRIX_SEED_BYTES, &ctx); + cshake256_inc_ctx_release(&ctx); /* Re-run the key derivation from encaps */ threebears_hash_init(&ctx, HASH_PURPOSE_ENCAPS); @@ -207,4 +215,5 @@ void PQCLEAN_PAPABEAREPHEM_CLEAN_decapsulate( cshake256_inc_absorb(&ctx, &lpr_data[(ENC_BITS * LPR_BITS + 7) / 8], IV_BYTES); cshake256_inc_finalize(&ctx); cshake256_inc_squeeze(shared_secret, SHARED_SECRET_BYTES, &ctx); + cshake256_inc_ctx_release(&ctx); } diff --git a/src/kem/threebears/pqclean_papabear_clean/threebears.c b/src/kem/threebears/pqclean_papabear_clean/threebears.c index a14d59b47..e99b902b6 100644 --- a/src/kem/threebears/pqclean_papabear_clean/threebears.c +++ b/src/kem/threebears/pqclean_papabear_clean/threebears.c @@ -38,6 +38,7 @@ static void uniform(gf_t matrix, const uint8_t *seed, uint8_t iv) { cshake256_inc_absorb(&ctx, &iv, 1); cshake256_inc_finalize(&ctx); cshake256_inc_squeeze(c, sizeof(c), &ctx); + cshake256_inc_ctx_release(&ctx); PQCLEAN_PAPABEAR_CLEAN_expand(matrix, c); } @@ -56,13 +57,14 @@ static void noise(gf_t x, const shake256incctx *ctx, uint8_t iv) { uint8_t c[DIGITS]; shake256incctx ctx2; - memcpy(&ctx2, ctx, sizeof(ctx2)); + cshake256_inc_ctx_clone(&ctx2, ctx); cshake256_inc_absorb(&ctx2, &iv, 1); cshake256_inc_finalize(&ctx2); cshake256_inc_squeeze(c, DIGITS, &ctx2); for (size_t i = 0; i < DIGITS; i++) { x[i] = (limb_t)(psi(c[i]) + PQCLEAN_PAPABEAR_CLEAN_modulus(i)); } + cshake256_inc_ctx_release(&ctx2); } /* Expand public key from private key */ @@ -74,9 +76,10 @@ void PQCLEAN_PAPABEAR_CLEAN_get_pubkey(uint8_t *pk, const uint8_t *sk) { threebears_hash_init(&ctx, HASH_PURPOSE_KEYGEN); cshake256_inc_absorb(&ctx, sk, PRIVATE_KEY_BYTES); - memcpy(&ctx2, &ctx, sizeof(ctx2)); + cshake256_inc_ctx_clone(&ctx2, &ctx); cshake256_inc_finalize(&ctx2); cshake256_inc_squeeze(pk, MATRIX_SEED_BYTES, &ctx2); + cshake256_inc_ctx_release(&ctx2); for (uint8_t i = 0; i < DIM; i++) { noise(sk_expanded[i], &ctx, i); @@ -89,6 +92,7 @@ void PQCLEAN_PAPABEAR_CLEAN_get_pubkey(uint8_t *pk, const uint8_t *sk) { } PQCLEAN_PAPABEAR_CLEAN_contract(&pk[MATRIX_SEED_BYTES + i * GF_BYTES], c); } + cshake256_inc_ctx_release(&ctx); } /* Encapsulate a shared secret and return it */ @@ -147,6 +151,7 @@ void PQCLEAN_PAPABEAR_CLEAN_encapsulate( cshake256_inc_finalize(&ctx); cshake256_inc_squeeze(shared_secret, SHARED_SECRET_BYTES, &ctx); + cshake256_inc_ctx_release(&ctx); } /* Decapsulate a shared secret and return it */ @@ -210,6 +215,7 @@ void PQCLEAN_PAPABEAR_CLEAN_decapsulate( cshake256_inc_absorb(&ctx, &sep, 1); cshake256_inc_finalize(&ctx); cshake256_inc_squeeze(prfk, PRF_KEY_BYTES, &ctx); + cshake256_inc_ctx_release(&ctx); /* Calculate PRF */ threebears_hash_init(&ctx, HASH_PURPOSE_PRF); @@ -217,6 +223,7 @@ void PQCLEAN_PAPABEAR_CLEAN_decapsulate( cshake256_inc_absorb(&ctx, capsule, CAPSULE_BYTES); cshake256_inc_finalize(&ctx); cshake256_inc_squeeze(prfout, SHARED_SECRET_BYTES, &ctx); + cshake256_inc_ctx_release(&ctx); for (size_t i = 0; i < SHARED_SECRET_BYTES; i++) { shared_secret[i] = (uint8_t)((shared_secret[i] & ok) | (prfout[i] & ~ok)); diff --git a/src/sig/dilithium/pqclean_dilithium2_clean/poly.c b/src/sig/dilithium/pqclean_dilithium2_clean/poly.c index e44ecae8a..733efb171 100644 --- a/src/sig/dilithium/pqclean_dilithium2_clean/poly.c +++ b/src/sig/dilithium/pqclean_dilithium2_clean/poly.c @@ -315,6 +315,7 @@ void PQCLEAN_DILITHIUM2_CLEAN_poly_uniform(poly *a, stream128_squeezeblocks(buf + off, 1, &state); ctr += rej_uniform(a->coeffs + ctr, N - ctr, buf, buflen); } + stream128_ctx_release(&state); } /************************************************* @@ -385,6 +386,7 @@ void PQCLEAN_DILITHIUM2_CLEAN_poly_uniform_eta(poly *a, stream128_squeezeblocks(buf, 1, &state); ctr += rej_eta(a->coeffs + ctr, N - ctr, buf, STREAM128_BLOCKBYTES); } + stream128_ctx_release(&state); } /************************************************* @@ -472,6 +474,7 @@ void PQCLEAN_DILITHIUM2_CLEAN_poly_uniform_gamma1m1(poly *a, stream256_squeezeblocks(buf + off, 1, &state); ctr += rej_gamma1m1(a->coeffs + ctr, N - ctr, buf, buflen); } + stream256_ctx_release(&state); } /************************************************* diff --git a/src/sig/dilithium/pqclean_dilithium2_clean/symmetric.h b/src/sig/dilithium/pqclean_dilithium2_clean/symmetric.h index b36694ccf..ee2b81032 100644 --- a/src/sig/dilithium/pqclean_dilithium2_clean/symmetric.h +++ b/src/sig/dilithium/pqclean_dilithium2_clean/symmetric.h @@ -10,8 +10,10 @@ #define crh(OUT, IN, INBYTES) shake256(OUT, CRHBYTES, IN, INBYTES) #define stream128_init(STATE, SEED, NONCE) PQCLEAN_DILITHIUM2_CLEAN_shake128_stream_init(STATE, SEED, NONCE) #define stream128_squeezeblocks(OUT, OUTBLOCKS, STATE) shake128_squeezeblocks(OUT, OUTBLOCKS, STATE) +#define stream128_ctx_release(STATE) shake128_ctx_release(STATE) #define stream256_init(STATE, SEED, NONCE) PQCLEAN_DILITHIUM2_CLEAN_shake256_stream_init(STATE, SEED, NONCE) #define stream256_squeezeblocks(OUT, OUTBLOCKS, STATE) shake256_squeezeblocks(OUT, OUTBLOCKS, STATE) +#define stream256_ctx_release(STATE) shake256_ctx_release(STATE) #define STREAM128_BLOCKBYTES SHAKE128_RATE #define STREAM256_BLOCKBYTES SHAKE256_RATE diff --git a/src/sig/dilithium/pqclean_dilithium3_clean/poly.c b/src/sig/dilithium/pqclean_dilithium3_clean/poly.c index 5eed60580..84273caba 100644 --- a/src/sig/dilithium/pqclean_dilithium3_clean/poly.c +++ b/src/sig/dilithium/pqclean_dilithium3_clean/poly.c @@ -315,6 +315,7 @@ void PQCLEAN_DILITHIUM3_CLEAN_poly_uniform(poly *a, stream128_squeezeblocks(buf + off, 1, &state); ctr += rej_uniform(a->coeffs + ctr, N - ctr, buf, buflen); } + stream128_ctx_release(&state); } /************************************************* @@ -385,6 +386,7 @@ void PQCLEAN_DILITHIUM3_CLEAN_poly_uniform_eta(poly *a, stream128_squeezeblocks(buf, 1, &state); ctr += rej_eta(a->coeffs + ctr, N - ctr, buf, STREAM128_BLOCKBYTES); } + stream128_ctx_release(&state); } /************************************************* @@ -472,6 +474,7 @@ void PQCLEAN_DILITHIUM3_CLEAN_poly_uniform_gamma1m1(poly *a, stream256_squeezeblocks(buf + off, 1, &state); ctr += rej_gamma1m1(a->coeffs + ctr, N - ctr, buf, buflen); } + stream256_ctx_release(&state); } /************************************************* diff --git a/src/sig/dilithium/pqclean_dilithium3_clean/symmetric.h b/src/sig/dilithium/pqclean_dilithium3_clean/symmetric.h index d90623d66..736f17440 100644 --- a/src/sig/dilithium/pqclean_dilithium3_clean/symmetric.h +++ b/src/sig/dilithium/pqclean_dilithium3_clean/symmetric.h @@ -10,8 +10,10 @@ #define crh(OUT, IN, INBYTES) shake256(OUT, CRHBYTES, IN, INBYTES) #define stream128_init(STATE, SEED, NONCE) PQCLEAN_DILITHIUM3_CLEAN_shake128_stream_init(STATE, SEED, NONCE) #define stream128_squeezeblocks(OUT, OUTBLOCKS, STATE) shake128_squeezeblocks(OUT, OUTBLOCKS, STATE) +#define stream128_ctx_release(STATE) shake128_ctx_release(STATE) #define stream256_init(STATE, SEED, NONCE) PQCLEAN_DILITHIUM3_CLEAN_shake256_stream_init(STATE, SEED, NONCE) #define stream256_squeezeblocks(OUT, OUTBLOCKS, STATE) shake256_squeezeblocks(OUT, OUTBLOCKS, STATE) +#define stream256_ctx_release(STATE) shake256_ctx_release(STATE) #define STREAM128_BLOCKBYTES SHAKE128_RATE #define STREAM256_BLOCKBYTES SHAKE256_RATE diff --git a/src/sig/dilithium/pqclean_dilithium4_clean/poly.c b/src/sig/dilithium/pqclean_dilithium4_clean/poly.c index d44ecaac1..993fe3ecc 100644 --- a/src/sig/dilithium/pqclean_dilithium4_clean/poly.c +++ b/src/sig/dilithium/pqclean_dilithium4_clean/poly.c @@ -315,6 +315,7 @@ void PQCLEAN_DILITHIUM4_CLEAN_poly_uniform(poly *a, stream128_squeezeblocks(buf + off, 1, &state); ctr += rej_uniform(a->coeffs + ctr, N - ctr, buf, buflen); } + stream128_ctx_release(&state); } /************************************************* @@ -385,6 +386,7 @@ void PQCLEAN_DILITHIUM4_CLEAN_poly_uniform_eta(poly *a, stream128_squeezeblocks(buf, 1, &state); ctr += rej_eta(a->coeffs + ctr, N - ctr, buf, STREAM128_BLOCKBYTES); } + stream128_ctx_release(&state); } /************************************************* @@ -472,6 +474,7 @@ void PQCLEAN_DILITHIUM4_CLEAN_poly_uniform_gamma1m1(poly *a, stream256_squeezeblocks(buf + off, 1, &state); ctr += rej_gamma1m1(a->coeffs + ctr, N - ctr, buf, buflen); } + stream256_ctx_release(&state); } /************************************************* diff --git a/src/sig/dilithium/pqclean_dilithium4_clean/symmetric.h b/src/sig/dilithium/pqclean_dilithium4_clean/symmetric.h index 4102ddce6..117f5640f 100644 --- a/src/sig/dilithium/pqclean_dilithium4_clean/symmetric.h +++ b/src/sig/dilithium/pqclean_dilithium4_clean/symmetric.h @@ -10,8 +10,10 @@ #define crh(OUT, IN, INBYTES) shake256(OUT, CRHBYTES, IN, INBYTES) #define stream128_init(STATE, SEED, NONCE) PQCLEAN_DILITHIUM4_CLEAN_shake128_stream_init(STATE, SEED, NONCE) #define stream128_squeezeblocks(OUT, OUTBLOCKS, STATE) shake128_squeezeblocks(OUT, OUTBLOCKS, STATE) +#define stream128_ctx_release(STATE) shake128_ctx_release(STATE) #define stream256_init(STATE, SEED, NONCE) PQCLEAN_DILITHIUM4_CLEAN_shake256_stream_init(STATE, SEED, NONCE) #define stream256_squeezeblocks(OUT, OUTBLOCKS, STATE) shake256_squeezeblocks(OUT, OUTBLOCKS, STATE) +#define stream256_ctx_release(STATE) shake256_ctx_release(STATE) #define STREAM128_BLOCKBYTES SHAKE128_RATE #define STREAM256_BLOCKBYTES SHAKE256_RATE diff --git a/src/sig/mqdss/pqclean_mqdss-48_clean/gf31.c b/src/sig/mqdss/pqclean_mqdss-48_clean/gf31.c index 9a5f2df00..a3838e302 100644 --- a/src/sig/mqdss/pqclean_mqdss-48_clean/gf31.c +++ b/src/sig/mqdss/pqclean_mqdss-48_clean/gf31.c @@ -63,6 +63,7 @@ void PQCLEAN_MQDSS48_CLEAN_gf31_nrand(gf31 *out, int len, const unsigned char *s } } } + shake256_ctx_release(&shakestate); } /* Given a seed, samples len gf31 elements, transposed into unsigned range, @@ -84,6 +85,7 @@ void PQCLEAN_MQDSS48_CLEAN_gf31_nrand_schar(signed char *out, int len, const uns } } } + shake256_ctx_release(&shakestate); } /* Unpacks an array of packed GF31 elements to one element per gf31. diff --git a/src/sig/mqdss/pqclean_mqdss-48_clean/sign.c b/src/sig/mqdss/pqclean_mqdss-48_clean/sign.c index 01d67ef94..fe4f2b75b 100644 --- a/src/sig/mqdss/pqclean_mqdss-48_clean/sign.c +++ b/src/sig/mqdss/pqclean_mqdss-48_clean/sign.c @@ -120,6 +120,7 @@ int PQCLEAN_MQDSS48_CLEAN_crypto_sign_signature( shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(sig, HASH_BYTES, &state); // Compute R. + shake256_inc_ctx_release(&state); memcpy(pk, skbuf, SEED_BYTES); PQCLEAN_MQDSS48_CLEAN_gf31_nrand(sk_gf31, N, skbuf + SEED_BYTES, SEED_BYTES); @@ -133,6 +134,7 @@ int PQCLEAN_MQDSS48_CLEAN_crypto_sign_signature( shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(D, HASH_BYTES, &state); + shake256_inc_ctx_release(&state); sig += HASH_BYTES; // Compensate for prefixed R. @@ -193,6 +195,8 @@ int PQCLEAN_MQDSS48_CLEAN_crypto_sign_signature( PQCLEAN_MQDSS48_CLEAN_vgf31_shorten_unique(t1 + i * N, t1 + i * N); PQCLEAN_MQDSS48_CLEAN_vgf31_shorten_unique(e1 + i * N, e1 + i * N); } + shake256_ctx_release(&shakestate); + PQCLEAN_MQDSS48_CLEAN_gf31_npack(t1packed, t1, N * ROUNDS); PQCLEAN_MQDSS48_CLEAN_gf31_npack(e1packed, e1, M * ROUNDS); @@ -264,6 +268,7 @@ int PQCLEAN_MQDSS48_CLEAN_crypto_sign_verify( shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(D, HASH_BYTES, &state); + shake256_inc_ctx_release(&state); sig += HASH_BYTES; @@ -328,6 +333,7 @@ int PQCLEAN_MQDSS48_CLEAN_crypto_sign_verify( memcpy(c + HASH_BYTES * (2 * i + (1 - b)), sig + NPACKED_BYTES, HASH_BYTES); sig += NPACKED_BYTES + 2 * HASH_BYTES; } + shake256_ctx_release(&shakestate); H(c, c, HASH_BYTES * ROUNDS * 2); if (memcmp(c, sigma0, HASH_BYTES) != 0) { diff --git a/src/sig/mqdss/pqclean_mqdss-64_clean/gf31.c b/src/sig/mqdss/pqclean_mqdss-64_clean/gf31.c index 54bb7da5c..dac416b09 100644 --- a/src/sig/mqdss/pqclean_mqdss-64_clean/gf31.c +++ b/src/sig/mqdss/pqclean_mqdss-64_clean/gf31.c @@ -63,6 +63,7 @@ void PQCLEAN_MQDSS64_CLEAN_gf31_nrand(gf31 *out, int len, const unsigned char *s } } } + shake256_ctx_release(&shakestate); } /* Given a seed, samples len gf31 elements, transposed into unsigned range, @@ -84,6 +85,7 @@ void PQCLEAN_MQDSS64_CLEAN_gf31_nrand_schar(signed char *out, int len, const uns } } } + shake256_ctx_release(&shakestate); } /* Unpacks an array of packed GF31 elements to one element per gf31. diff --git a/src/sig/mqdss/pqclean_mqdss-64_clean/sign.c b/src/sig/mqdss/pqclean_mqdss-64_clean/sign.c index 189b70f87..702cbdf8b 100644 --- a/src/sig/mqdss/pqclean_mqdss-64_clean/sign.c +++ b/src/sig/mqdss/pqclean_mqdss-64_clean/sign.c @@ -120,6 +120,7 @@ int PQCLEAN_MQDSS64_CLEAN_crypto_sign_signature( shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(sig, HASH_BYTES, &state); // Compute R. + shake256_inc_ctx_release(&state); memcpy(pk, skbuf, SEED_BYTES); PQCLEAN_MQDSS64_CLEAN_gf31_nrand(sk_gf31, N, skbuf + SEED_BYTES, SEED_BYTES); @@ -133,6 +134,7 @@ int PQCLEAN_MQDSS64_CLEAN_crypto_sign_signature( shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(D, HASH_BYTES, &state); + shake256_inc_ctx_release(&state); sig += HASH_BYTES; // Compensate for prefixed R. @@ -193,6 +195,8 @@ int PQCLEAN_MQDSS64_CLEAN_crypto_sign_signature( PQCLEAN_MQDSS64_CLEAN_vgf31_shorten_unique(t1 + i * N, t1 + i * N); PQCLEAN_MQDSS64_CLEAN_vgf31_shorten_unique(e1 + i * N, e1 + i * N); } + shake256_ctx_release(&shakestate); + PQCLEAN_MQDSS64_CLEAN_gf31_npack(t1packed, t1, N * ROUNDS); PQCLEAN_MQDSS64_CLEAN_gf31_npack(e1packed, e1, M * ROUNDS); @@ -264,6 +268,7 @@ int PQCLEAN_MQDSS64_CLEAN_crypto_sign_verify( shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(D, HASH_BYTES, &state); + shake256_inc_ctx_release(&state); sig += HASH_BYTES; @@ -328,6 +333,7 @@ int PQCLEAN_MQDSS64_CLEAN_crypto_sign_verify( memcpy(c + HASH_BYTES * (2 * i + (1 - b)), sig + NPACKED_BYTES, HASH_BYTES); sig += NPACKED_BYTES + 2 * HASH_BYTES; } + shake256_ctx_release(&shakestate); H(c, c, HASH_BYTES * ROUNDS * 2); if (memcmp(c, sigma0, HASH_BYTES) != 0) { diff --git a/src/sig/sphincs/pqclean_sphincs-sha256-128f-robust_clean/hash_sha256.c b/src/sig/sphincs/pqclean_sphincs-sha256-128f-robust_clean/hash_sha256.c index 357891095..65e799073 100644 --- a/src/sig/sphincs/pqclean_sphincs-sha256-128f-robust_clean/hash_sha256.c +++ b/src/sig/sphincs/pqclean_sphincs-sha256-128f-robust_clean/hash_sha256.c @@ -20,7 +20,7 @@ void PQCLEAN_SPHINCSSHA256128FROBUST_CLEAN_initialize_hash_function( /* Clean up hash state */ void PQCLEAN_SPHINCSSHA256128FROBUST_CLEAN_destroy_hash_function(hash_state *hash_state_seeded) { - sha256_inc_destroy(hash_state_seeded); + sha256_inc_ctx_release(hash_state_seeded); } /* diff --git a/src/sig/sphincs/pqclean_sphincs-sha256-128f-robust_clean/thash_sha256_robust.c b/src/sig/sphincs/pqclean_sphincs-sha256-128f-robust_clean/thash_sha256_robust.c index 65040d18a..27d59115b 100644 --- a/src/sig/sphincs/pqclean_sphincs-sha256-128f-robust_clean/thash_sha256_robust.c +++ b/src/sig/sphincs/pqclean_sphincs-sha256-128f-robust_clean/thash_sha256_robust.c @@ -28,7 +28,7 @@ static void PQCLEAN_SPHINCSSHA256128FROBUST_CLEAN_thash( PQCLEAN_SPHINCSSHA256128FROBUST_CLEAN_mgf1(bitmask, inblocks * PQCLEAN_SPHINCSSHA256128FROBUST_CLEAN_N, buf, PQCLEAN_SPHINCSSHA256128FROBUST_CLEAN_N + PQCLEAN_SPHINCSSHA256128FROBUST_CLEAN_SHA256_ADDR_BYTES); /* Retrieve precomputed state containing pub_seed */ - sha256_inc_clone_state(&sha2_state, hash_state_seeded); + sha256_inc_ctx_clone(&sha2_state, hash_state_seeded); for (i = 0; i < inblocks * PQCLEAN_SPHINCSSHA256128FROBUST_CLEAN_N; i++) { buf[PQCLEAN_SPHINCSSHA256128FROBUST_CLEAN_N + PQCLEAN_SPHINCSSHA256128FROBUST_CLEAN_SHA256_ADDR_BYTES + i] = in[i] ^ bitmask[i]; diff --git a/src/sig/sphincs/pqclean_sphincs-sha256-128f-simple_clean/hash_sha256.c b/src/sig/sphincs/pqclean_sphincs-sha256-128f-simple_clean/hash_sha256.c index b65f66220..0420a41cb 100644 --- a/src/sig/sphincs/pqclean_sphincs-sha256-128f-simple_clean/hash_sha256.c +++ b/src/sig/sphincs/pqclean_sphincs-sha256-128f-simple_clean/hash_sha256.c @@ -20,7 +20,7 @@ void PQCLEAN_SPHINCSSHA256128FSIMPLE_CLEAN_initialize_hash_function( /* Clean up hash state */ void PQCLEAN_SPHINCSSHA256128FSIMPLE_CLEAN_destroy_hash_function(hash_state *hash_state_seeded) { - sha256_inc_destroy(hash_state_seeded); + sha256_inc_ctx_release(hash_state_seeded); } /* diff --git a/src/sig/sphincs/pqclean_sphincs-sha256-128f-simple_clean/thash_sha256_simple.c b/src/sig/sphincs/pqclean_sphincs-sha256-128f-simple_clean/thash_sha256_simple.c index 0e8178f52..ef0d3a93a 100644 --- a/src/sig/sphincs/pqclean_sphincs-sha256-128f-simple_clean/thash_sha256_simple.c +++ b/src/sig/sphincs/pqclean_sphincs-sha256-128f-simple_clean/thash_sha256_simple.c @@ -23,7 +23,7 @@ static void PQCLEAN_SPHINCSSHA256128FSIMPLE_CLEAN_thash( (void)pub_seed; /* Suppress an 'unused parameter' warning. */ /* Retrieve precomputed state containing pub_seed */ - sha256_inc_clone_state(&sha2_state, hash_state_seeded); + sha256_inc_ctx_clone(&sha2_state, hash_state_seeded); PQCLEAN_SPHINCSSHA256128FSIMPLE_CLEAN_compress_address(buf, addr); memcpy(buf + PQCLEAN_SPHINCSSHA256128FSIMPLE_CLEAN_SHA256_ADDR_BYTES, in, inblocks * PQCLEAN_SPHINCSSHA256128FSIMPLE_CLEAN_N); diff --git a/src/sig/sphincs/pqclean_sphincs-sha256-128s-robust_clean/hash_sha256.c b/src/sig/sphincs/pqclean_sphincs-sha256-128s-robust_clean/hash_sha256.c index 92a341727..744670a87 100644 --- a/src/sig/sphincs/pqclean_sphincs-sha256-128s-robust_clean/hash_sha256.c +++ b/src/sig/sphincs/pqclean_sphincs-sha256-128s-robust_clean/hash_sha256.c @@ -20,7 +20,7 @@ void PQCLEAN_SPHINCSSHA256128SROBUST_CLEAN_initialize_hash_function( /* Clean up hash state */ void PQCLEAN_SPHINCSSHA256128SROBUST_CLEAN_destroy_hash_function(hash_state *hash_state_seeded) { - sha256_inc_destroy(hash_state_seeded); + sha256_inc_ctx_release(hash_state_seeded); } /* diff --git a/src/sig/sphincs/pqclean_sphincs-sha256-128s-robust_clean/thash_sha256_robust.c b/src/sig/sphincs/pqclean_sphincs-sha256-128s-robust_clean/thash_sha256_robust.c index 1f4ef3b9f..a10b1a82e 100644 --- a/src/sig/sphincs/pqclean_sphincs-sha256-128s-robust_clean/thash_sha256_robust.c +++ b/src/sig/sphincs/pqclean_sphincs-sha256-128s-robust_clean/thash_sha256_robust.c @@ -28,7 +28,7 @@ static void PQCLEAN_SPHINCSSHA256128SROBUST_CLEAN_thash( PQCLEAN_SPHINCSSHA256128SROBUST_CLEAN_mgf1(bitmask, inblocks * PQCLEAN_SPHINCSSHA256128SROBUST_CLEAN_N, buf, PQCLEAN_SPHINCSSHA256128SROBUST_CLEAN_N + PQCLEAN_SPHINCSSHA256128SROBUST_CLEAN_SHA256_ADDR_BYTES); /* Retrieve precomputed state containing pub_seed */ - sha256_inc_clone_state(&sha2_state, hash_state_seeded); + sha256_inc_ctx_clone(&sha2_state, hash_state_seeded); for (i = 0; i < inblocks * PQCLEAN_SPHINCSSHA256128SROBUST_CLEAN_N; i++) { buf[PQCLEAN_SPHINCSSHA256128SROBUST_CLEAN_N + PQCLEAN_SPHINCSSHA256128SROBUST_CLEAN_SHA256_ADDR_BYTES + i] = in[i] ^ bitmask[i]; diff --git a/src/sig/sphincs/pqclean_sphincs-sha256-128s-simple_clean/hash_sha256.c b/src/sig/sphincs/pqclean_sphincs-sha256-128s-simple_clean/hash_sha256.c index 132e9ced2..b2334d191 100644 --- a/src/sig/sphincs/pqclean_sphincs-sha256-128s-simple_clean/hash_sha256.c +++ b/src/sig/sphincs/pqclean_sphincs-sha256-128s-simple_clean/hash_sha256.c @@ -20,7 +20,7 @@ void PQCLEAN_SPHINCSSHA256128SSIMPLE_CLEAN_initialize_hash_function( /* Clean up hash state */ void PQCLEAN_SPHINCSSHA256128SSIMPLE_CLEAN_destroy_hash_function(hash_state *hash_state_seeded) { - sha256_inc_destroy(hash_state_seeded); + sha256_inc_ctx_release(hash_state_seeded); } /* diff --git a/src/sig/sphincs/pqclean_sphincs-sha256-128s-simple_clean/thash_sha256_simple.c b/src/sig/sphincs/pqclean_sphincs-sha256-128s-simple_clean/thash_sha256_simple.c index 2dae21a72..4695df981 100644 --- a/src/sig/sphincs/pqclean_sphincs-sha256-128s-simple_clean/thash_sha256_simple.c +++ b/src/sig/sphincs/pqclean_sphincs-sha256-128s-simple_clean/thash_sha256_simple.c @@ -23,7 +23,7 @@ static void PQCLEAN_SPHINCSSHA256128SSIMPLE_CLEAN_thash( (void)pub_seed; /* Suppress an 'unused parameter' warning. */ /* Retrieve precomputed state containing pub_seed */ - sha256_inc_clone_state(&sha2_state, hash_state_seeded); + sha256_inc_ctx_clone(&sha2_state, hash_state_seeded); PQCLEAN_SPHINCSSHA256128SSIMPLE_CLEAN_compress_address(buf, addr); memcpy(buf + PQCLEAN_SPHINCSSHA256128SSIMPLE_CLEAN_SHA256_ADDR_BYTES, in, inblocks * PQCLEAN_SPHINCSSHA256128SSIMPLE_CLEAN_N); diff --git a/src/sig/sphincs/pqclean_sphincs-sha256-192f-robust_clean/hash_sha256.c b/src/sig/sphincs/pqclean_sphincs-sha256-192f-robust_clean/hash_sha256.c index 9a1bfa04a..490b60b90 100644 --- a/src/sig/sphincs/pqclean_sphincs-sha256-192f-robust_clean/hash_sha256.c +++ b/src/sig/sphincs/pqclean_sphincs-sha256-192f-robust_clean/hash_sha256.c @@ -20,7 +20,7 @@ void PQCLEAN_SPHINCSSHA256192FROBUST_CLEAN_initialize_hash_function( /* Clean up hash state */ void PQCLEAN_SPHINCSSHA256192FROBUST_CLEAN_destroy_hash_function(hash_state *hash_state_seeded) { - sha256_inc_destroy(hash_state_seeded); + sha256_inc_ctx_release(hash_state_seeded); } /* diff --git a/src/sig/sphincs/pqclean_sphincs-sha256-192f-robust_clean/thash_sha256_robust.c b/src/sig/sphincs/pqclean_sphincs-sha256-192f-robust_clean/thash_sha256_robust.c index b38f3e15d..8a289d072 100644 --- a/src/sig/sphincs/pqclean_sphincs-sha256-192f-robust_clean/thash_sha256_robust.c +++ b/src/sig/sphincs/pqclean_sphincs-sha256-192f-robust_clean/thash_sha256_robust.c @@ -28,7 +28,7 @@ static void PQCLEAN_SPHINCSSHA256192FROBUST_CLEAN_thash( PQCLEAN_SPHINCSSHA256192FROBUST_CLEAN_mgf1(bitmask, inblocks * PQCLEAN_SPHINCSSHA256192FROBUST_CLEAN_N, buf, PQCLEAN_SPHINCSSHA256192FROBUST_CLEAN_N + PQCLEAN_SPHINCSSHA256192FROBUST_CLEAN_SHA256_ADDR_BYTES); /* Retrieve precomputed state containing pub_seed */ - sha256_inc_clone_state(&sha2_state, hash_state_seeded); + sha256_inc_ctx_clone(&sha2_state, hash_state_seeded); for (i = 0; i < inblocks * PQCLEAN_SPHINCSSHA256192FROBUST_CLEAN_N; i++) { buf[PQCLEAN_SPHINCSSHA256192FROBUST_CLEAN_N + PQCLEAN_SPHINCSSHA256192FROBUST_CLEAN_SHA256_ADDR_BYTES + i] = in[i] ^ bitmask[i]; diff --git a/src/sig/sphincs/pqclean_sphincs-sha256-192f-simple_clean/hash_sha256.c b/src/sig/sphincs/pqclean_sphincs-sha256-192f-simple_clean/hash_sha256.c index f5e71ffb0..5a5e5c3a9 100644 --- a/src/sig/sphincs/pqclean_sphincs-sha256-192f-simple_clean/hash_sha256.c +++ b/src/sig/sphincs/pqclean_sphincs-sha256-192f-simple_clean/hash_sha256.c @@ -20,7 +20,7 @@ void PQCLEAN_SPHINCSSHA256192FSIMPLE_CLEAN_initialize_hash_function( /* Clean up hash state */ void PQCLEAN_SPHINCSSHA256192FSIMPLE_CLEAN_destroy_hash_function(hash_state *hash_state_seeded) { - sha256_inc_destroy(hash_state_seeded); + sha256_inc_ctx_release(hash_state_seeded); } /* diff --git a/src/sig/sphincs/pqclean_sphincs-sha256-192f-simple_clean/thash_sha256_simple.c b/src/sig/sphincs/pqclean_sphincs-sha256-192f-simple_clean/thash_sha256_simple.c index 00021971e..445aab667 100644 --- a/src/sig/sphincs/pqclean_sphincs-sha256-192f-simple_clean/thash_sha256_simple.c +++ b/src/sig/sphincs/pqclean_sphincs-sha256-192f-simple_clean/thash_sha256_simple.c @@ -23,7 +23,7 @@ static void PQCLEAN_SPHINCSSHA256192FSIMPLE_CLEAN_thash( (void)pub_seed; /* Suppress an 'unused parameter' warning. */ /* Retrieve precomputed state containing pub_seed */ - sha256_inc_clone_state(&sha2_state, hash_state_seeded); + sha256_inc_ctx_clone(&sha2_state, hash_state_seeded); PQCLEAN_SPHINCSSHA256192FSIMPLE_CLEAN_compress_address(buf, addr); memcpy(buf + PQCLEAN_SPHINCSSHA256192FSIMPLE_CLEAN_SHA256_ADDR_BYTES, in, inblocks * PQCLEAN_SPHINCSSHA256192FSIMPLE_CLEAN_N); diff --git a/src/sig/sphincs/pqclean_sphincs-sha256-192s-robust_clean/hash_sha256.c b/src/sig/sphincs/pqclean_sphincs-sha256-192s-robust_clean/hash_sha256.c index 1747e4daf..88f7c47eb 100644 --- a/src/sig/sphincs/pqclean_sphincs-sha256-192s-robust_clean/hash_sha256.c +++ b/src/sig/sphincs/pqclean_sphincs-sha256-192s-robust_clean/hash_sha256.c @@ -20,7 +20,7 @@ void PQCLEAN_SPHINCSSHA256192SROBUST_CLEAN_initialize_hash_function( /* Clean up hash state */ void PQCLEAN_SPHINCSSHA256192SROBUST_CLEAN_destroy_hash_function(hash_state *hash_state_seeded) { - sha256_inc_destroy(hash_state_seeded); + sha256_inc_ctx_release(hash_state_seeded); } /* diff --git a/src/sig/sphincs/pqclean_sphincs-sha256-192s-robust_clean/thash_sha256_robust.c b/src/sig/sphincs/pqclean_sphincs-sha256-192s-robust_clean/thash_sha256_robust.c index 9b94cb206..996c7b322 100644 --- a/src/sig/sphincs/pqclean_sphincs-sha256-192s-robust_clean/thash_sha256_robust.c +++ b/src/sig/sphincs/pqclean_sphincs-sha256-192s-robust_clean/thash_sha256_robust.c @@ -28,7 +28,7 @@ static void PQCLEAN_SPHINCSSHA256192SROBUST_CLEAN_thash( PQCLEAN_SPHINCSSHA256192SROBUST_CLEAN_mgf1(bitmask, inblocks * PQCLEAN_SPHINCSSHA256192SROBUST_CLEAN_N, buf, PQCLEAN_SPHINCSSHA256192SROBUST_CLEAN_N + PQCLEAN_SPHINCSSHA256192SROBUST_CLEAN_SHA256_ADDR_BYTES); /* Retrieve precomputed state containing pub_seed */ - sha256_inc_clone_state(&sha2_state, hash_state_seeded); + sha256_inc_ctx_clone(&sha2_state, hash_state_seeded); for (i = 0; i < inblocks * PQCLEAN_SPHINCSSHA256192SROBUST_CLEAN_N; i++) { buf[PQCLEAN_SPHINCSSHA256192SROBUST_CLEAN_N + PQCLEAN_SPHINCSSHA256192SROBUST_CLEAN_SHA256_ADDR_BYTES + i] = in[i] ^ bitmask[i]; diff --git a/src/sig/sphincs/pqclean_sphincs-sha256-192s-simple_clean/hash_sha256.c b/src/sig/sphincs/pqclean_sphincs-sha256-192s-simple_clean/hash_sha256.c index c5b39a3db..8b7aeee2f 100644 --- a/src/sig/sphincs/pqclean_sphincs-sha256-192s-simple_clean/hash_sha256.c +++ b/src/sig/sphincs/pqclean_sphincs-sha256-192s-simple_clean/hash_sha256.c @@ -20,7 +20,7 @@ void PQCLEAN_SPHINCSSHA256192SSIMPLE_CLEAN_initialize_hash_function( /* Clean up hash state */ void PQCLEAN_SPHINCSSHA256192SSIMPLE_CLEAN_destroy_hash_function(hash_state *hash_state_seeded) { - sha256_inc_destroy(hash_state_seeded); + sha256_inc_ctx_release(hash_state_seeded); } /* diff --git a/src/sig/sphincs/pqclean_sphincs-sha256-192s-simple_clean/thash_sha256_simple.c b/src/sig/sphincs/pqclean_sphincs-sha256-192s-simple_clean/thash_sha256_simple.c index 80f7a37ee..7a59f4e8b 100644 --- a/src/sig/sphincs/pqclean_sphincs-sha256-192s-simple_clean/thash_sha256_simple.c +++ b/src/sig/sphincs/pqclean_sphincs-sha256-192s-simple_clean/thash_sha256_simple.c @@ -23,7 +23,7 @@ static void PQCLEAN_SPHINCSSHA256192SSIMPLE_CLEAN_thash( (void)pub_seed; /* Suppress an 'unused parameter' warning. */ /* Retrieve precomputed state containing pub_seed */ - sha256_inc_clone_state(&sha2_state, hash_state_seeded); + sha256_inc_ctx_clone(&sha2_state, hash_state_seeded); PQCLEAN_SPHINCSSHA256192SSIMPLE_CLEAN_compress_address(buf, addr); memcpy(buf + PQCLEAN_SPHINCSSHA256192SSIMPLE_CLEAN_SHA256_ADDR_BYTES, in, inblocks * PQCLEAN_SPHINCSSHA256192SSIMPLE_CLEAN_N); diff --git a/src/sig/sphincs/pqclean_sphincs-sha256-256f-robust_clean/hash_sha256.c b/src/sig/sphincs/pqclean_sphincs-sha256-256f-robust_clean/hash_sha256.c index b119a1903..ccd819765 100644 --- a/src/sig/sphincs/pqclean_sphincs-sha256-256f-robust_clean/hash_sha256.c +++ b/src/sig/sphincs/pqclean_sphincs-sha256-256f-robust_clean/hash_sha256.c @@ -20,7 +20,7 @@ void PQCLEAN_SPHINCSSHA256256FROBUST_CLEAN_initialize_hash_function( /* Clean up hash state */ void PQCLEAN_SPHINCSSHA256256FROBUST_CLEAN_destroy_hash_function(hash_state *hash_state_seeded) { - sha256_inc_destroy(hash_state_seeded); + sha256_inc_ctx_release(hash_state_seeded); } /* diff --git a/src/sig/sphincs/pqclean_sphincs-sha256-256f-robust_clean/thash_sha256_robust.c b/src/sig/sphincs/pqclean_sphincs-sha256-256f-robust_clean/thash_sha256_robust.c index 8a414fcd4..3e33b1ff1 100644 --- a/src/sig/sphincs/pqclean_sphincs-sha256-256f-robust_clean/thash_sha256_robust.c +++ b/src/sig/sphincs/pqclean_sphincs-sha256-256f-robust_clean/thash_sha256_robust.c @@ -28,7 +28,7 @@ static void PQCLEAN_SPHINCSSHA256256FROBUST_CLEAN_thash( PQCLEAN_SPHINCSSHA256256FROBUST_CLEAN_mgf1(bitmask, inblocks * PQCLEAN_SPHINCSSHA256256FROBUST_CLEAN_N, buf, PQCLEAN_SPHINCSSHA256256FROBUST_CLEAN_N + PQCLEAN_SPHINCSSHA256256FROBUST_CLEAN_SHA256_ADDR_BYTES); /* Retrieve precomputed state containing pub_seed */ - sha256_inc_clone_state(&sha2_state, hash_state_seeded); + sha256_inc_ctx_clone(&sha2_state, hash_state_seeded); for (i = 0; i < inblocks * PQCLEAN_SPHINCSSHA256256FROBUST_CLEAN_N; i++) { buf[PQCLEAN_SPHINCSSHA256256FROBUST_CLEAN_N + PQCLEAN_SPHINCSSHA256256FROBUST_CLEAN_SHA256_ADDR_BYTES + i] = in[i] ^ bitmask[i]; diff --git a/src/sig/sphincs/pqclean_sphincs-sha256-256f-simple_clean/hash_sha256.c b/src/sig/sphincs/pqclean_sphincs-sha256-256f-simple_clean/hash_sha256.c index 32d9f2437..a35f2ac06 100644 --- a/src/sig/sphincs/pqclean_sphincs-sha256-256f-simple_clean/hash_sha256.c +++ b/src/sig/sphincs/pqclean_sphincs-sha256-256f-simple_clean/hash_sha256.c @@ -20,7 +20,7 @@ void PQCLEAN_SPHINCSSHA256256FSIMPLE_CLEAN_initialize_hash_function( /* Clean up hash state */ void PQCLEAN_SPHINCSSHA256256FSIMPLE_CLEAN_destroy_hash_function(hash_state *hash_state_seeded) { - sha256_inc_destroy(hash_state_seeded); + sha256_inc_ctx_release(hash_state_seeded); } /* diff --git a/src/sig/sphincs/pqclean_sphincs-sha256-256f-simple_clean/thash_sha256_simple.c b/src/sig/sphincs/pqclean_sphincs-sha256-256f-simple_clean/thash_sha256_simple.c index 4b66e0f41..333a97122 100644 --- a/src/sig/sphincs/pqclean_sphincs-sha256-256f-simple_clean/thash_sha256_simple.c +++ b/src/sig/sphincs/pqclean_sphincs-sha256-256f-simple_clean/thash_sha256_simple.c @@ -23,7 +23,7 @@ static void PQCLEAN_SPHINCSSHA256256FSIMPLE_CLEAN_thash( (void)pub_seed; /* Suppress an 'unused parameter' warning. */ /* Retrieve precomputed state containing pub_seed */ - sha256_inc_clone_state(&sha2_state, hash_state_seeded); + sha256_inc_ctx_clone(&sha2_state, hash_state_seeded); PQCLEAN_SPHINCSSHA256256FSIMPLE_CLEAN_compress_address(buf, addr); memcpy(buf + PQCLEAN_SPHINCSSHA256256FSIMPLE_CLEAN_SHA256_ADDR_BYTES, in, inblocks * PQCLEAN_SPHINCSSHA256256FSIMPLE_CLEAN_N); diff --git a/src/sig/sphincs/pqclean_sphincs-sha256-256s-robust_clean/hash_sha256.c b/src/sig/sphincs/pqclean_sphincs-sha256-256s-robust_clean/hash_sha256.c index 4c4308615..a8264f8ae 100644 --- a/src/sig/sphincs/pqclean_sphincs-sha256-256s-robust_clean/hash_sha256.c +++ b/src/sig/sphincs/pqclean_sphincs-sha256-256s-robust_clean/hash_sha256.c @@ -20,7 +20,7 @@ void PQCLEAN_SPHINCSSHA256256SROBUST_CLEAN_initialize_hash_function( /* Clean up hash state */ void PQCLEAN_SPHINCSSHA256256SROBUST_CLEAN_destroy_hash_function(hash_state *hash_state_seeded) { - sha256_inc_destroy(hash_state_seeded); + sha256_inc_ctx_release(hash_state_seeded); } /* diff --git a/src/sig/sphincs/pqclean_sphincs-sha256-256s-robust_clean/thash_sha256_robust.c b/src/sig/sphincs/pqclean_sphincs-sha256-256s-robust_clean/thash_sha256_robust.c index 1982e7601..88c9e0884 100644 --- a/src/sig/sphincs/pqclean_sphincs-sha256-256s-robust_clean/thash_sha256_robust.c +++ b/src/sig/sphincs/pqclean_sphincs-sha256-256s-robust_clean/thash_sha256_robust.c @@ -28,7 +28,7 @@ static void PQCLEAN_SPHINCSSHA256256SROBUST_CLEAN_thash( PQCLEAN_SPHINCSSHA256256SROBUST_CLEAN_mgf1(bitmask, inblocks * PQCLEAN_SPHINCSSHA256256SROBUST_CLEAN_N, buf, PQCLEAN_SPHINCSSHA256256SROBUST_CLEAN_N + PQCLEAN_SPHINCSSHA256256SROBUST_CLEAN_SHA256_ADDR_BYTES); /* Retrieve precomputed state containing pub_seed */ - sha256_inc_clone_state(&sha2_state, hash_state_seeded); + sha256_inc_ctx_clone(&sha2_state, hash_state_seeded); for (i = 0; i < inblocks * PQCLEAN_SPHINCSSHA256256SROBUST_CLEAN_N; i++) { buf[PQCLEAN_SPHINCSSHA256256SROBUST_CLEAN_N + PQCLEAN_SPHINCSSHA256256SROBUST_CLEAN_SHA256_ADDR_BYTES + i] = in[i] ^ bitmask[i]; diff --git a/src/sig/sphincs/pqclean_sphincs-sha256-256s-simple_clean/hash_sha256.c b/src/sig/sphincs/pqclean_sphincs-sha256-256s-simple_clean/hash_sha256.c index b5535d109..2948d690c 100644 --- a/src/sig/sphincs/pqclean_sphincs-sha256-256s-simple_clean/hash_sha256.c +++ b/src/sig/sphincs/pqclean_sphincs-sha256-256s-simple_clean/hash_sha256.c @@ -20,7 +20,7 @@ void PQCLEAN_SPHINCSSHA256256SSIMPLE_CLEAN_initialize_hash_function( /* Clean up hash state */ void PQCLEAN_SPHINCSSHA256256SSIMPLE_CLEAN_destroy_hash_function(hash_state *hash_state_seeded) { - sha256_inc_destroy(hash_state_seeded); + sha256_inc_ctx_release(hash_state_seeded); } /* diff --git a/src/sig/sphincs/pqclean_sphincs-sha256-256s-simple_clean/thash_sha256_simple.c b/src/sig/sphincs/pqclean_sphincs-sha256-256s-simple_clean/thash_sha256_simple.c index 9748b01c5..44023c41e 100644 --- a/src/sig/sphincs/pqclean_sphincs-sha256-256s-simple_clean/thash_sha256_simple.c +++ b/src/sig/sphincs/pqclean_sphincs-sha256-256s-simple_clean/thash_sha256_simple.c @@ -23,7 +23,7 @@ static void PQCLEAN_SPHINCSSHA256256SSIMPLE_CLEAN_thash( (void)pub_seed; /* Suppress an 'unused parameter' warning. */ /* Retrieve precomputed state containing pub_seed */ - sha256_inc_clone_state(&sha2_state, hash_state_seeded); + sha256_inc_ctx_clone(&sha2_state, hash_state_seeded); PQCLEAN_SPHINCSSHA256256SSIMPLE_CLEAN_compress_address(buf, addr); memcpy(buf + PQCLEAN_SPHINCSSHA256256SSIMPLE_CLEAN_SHA256_ADDR_BYTES, in, inblocks * PQCLEAN_SPHINCSSHA256256SSIMPLE_CLEAN_N); diff --git a/src/sig/sphincs/pqclean_sphincs-shake256-128f-robust_clean/hash_shake256.c b/src/sig/sphincs/pqclean_sphincs-shake256-128f-robust_clean/hash_shake256.c index 16fb398d8..f350f0b9b 100644 --- a/src/sig/sphincs/pqclean_sphincs-shake256-128f-robust_clean/hash_shake256.c +++ b/src/sig/sphincs/pqclean_sphincs-shake256-128f-robust_clean/hash_shake256.c @@ -57,6 +57,7 @@ void PQCLEAN_SPHINCSSHAKE256128FROBUST_CLEAN_gen_message_random( shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(R, PQCLEAN_SPHINCSSHAKE256128FROBUST_CLEAN_N, &state); + shake256_inc_ctx_release(&state); (void)hash_state_seeded; /* Prevent unused parameter warning. */ } @@ -87,6 +88,7 @@ void PQCLEAN_SPHINCSSHAKE256128FROBUST_CLEAN_hash_message( shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(buf, PQCLEAN_SPHINCSSHAKE256128FROBUST_CLEAN_DGST_BYTES, &state); + shake256_inc_ctx_release(&state); memcpy(digest, bufp, PQCLEAN_SPHINCSSHAKE256128FROBUST_CLEAN_FORS_MSG_BYTES); bufp += PQCLEAN_SPHINCSSHAKE256128FROBUST_CLEAN_FORS_MSG_BYTES; diff --git a/src/sig/sphincs/pqclean_sphincs-shake256-128f-simple_clean/hash_shake256.c b/src/sig/sphincs/pqclean_sphincs-shake256-128f-simple_clean/hash_shake256.c index 7eae1bbb2..1719f18a5 100644 --- a/src/sig/sphincs/pqclean_sphincs-shake256-128f-simple_clean/hash_shake256.c +++ b/src/sig/sphincs/pqclean_sphincs-shake256-128f-simple_clean/hash_shake256.c @@ -57,6 +57,7 @@ void PQCLEAN_SPHINCSSHAKE256128FSIMPLE_CLEAN_gen_message_random( shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(R, PQCLEAN_SPHINCSSHAKE256128FSIMPLE_CLEAN_N, &state); + shake256_inc_ctx_release(&state); (void)hash_state_seeded; /* Prevent unused parameter warning. */ } @@ -87,6 +88,7 @@ void PQCLEAN_SPHINCSSHAKE256128FSIMPLE_CLEAN_hash_message( shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(buf, PQCLEAN_SPHINCSSHAKE256128FSIMPLE_CLEAN_DGST_BYTES, &state); + shake256_inc_ctx_release(&state); memcpy(digest, bufp, PQCLEAN_SPHINCSSHAKE256128FSIMPLE_CLEAN_FORS_MSG_BYTES); bufp += PQCLEAN_SPHINCSSHAKE256128FSIMPLE_CLEAN_FORS_MSG_BYTES; diff --git a/src/sig/sphincs/pqclean_sphincs-shake256-128s-robust_clean/hash_shake256.c b/src/sig/sphincs/pqclean_sphincs-shake256-128s-robust_clean/hash_shake256.c index 672eb4ae6..53a998143 100644 --- a/src/sig/sphincs/pqclean_sphincs-shake256-128s-robust_clean/hash_shake256.c +++ b/src/sig/sphincs/pqclean_sphincs-shake256-128s-robust_clean/hash_shake256.c @@ -57,6 +57,7 @@ void PQCLEAN_SPHINCSSHAKE256128SROBUST_CLEAN_gen_message_random( shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(R, PQCLEAN_SPHINCSSHAKE256128SROBUST_CLEAN_N, &state); + shake256_inc_ctx_release(&state); (void)hash_state_seeded; /* Prevent unused parameter warning. */ } @@ -87,6 +88,7 @@ void PQCLEAN_SPHINCSSHAKE256128SROBUST_CLEAN_hash_message( shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(buf, PQCLEAN_SPHINCSSHAKE256128SROBUST_CLEAN_DGST_BYTES, &state); + shake256_inc_ctx_release(&state); memcpy(digest, bufp, PQCLEAN_SPHINCSSHAKE256128SROBUST_CLEAN_FORS_MSG_BYTES); bufp += PQCLEAN_SPHINCSSHAKE256128SROBUST_CLEAN_FORS_MSG_BYTES; diff --git a/src/sig/sphincs/pqclean_sphincs-shake256-128s-simple_clean/hash_shake256.c b/src/sig/sphincs/pqclean_sphincs-shake256-128s-simple_clean/hash_shake256.c index b1ea7f765..7fca240cc 100644 --- a/src/sig/sphincs/pqclean_sphincs-shake256-128s-simple_clean/hash_shake256.c +++ b/src/sig/sphincs/pqclean_sphincs-shake256-128s-simple_clean/hash_shake256.c @@ -57,6 +57,7 @@ void PQCLEAN_SPHINCSSHAKE256128SSIMPLE_CLEAN_gen_message_random( shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(R, PQCLEAN_SPHINCSSHAKE256128SSIMPLE_CLEAN_N, &state); + shake256_inc_ctx_release(&state); (void)hash_state_seeded; /* Prevent unused parameter warning. */ } @@ -87,6 +88,7 @@ void PQCLEAN_SPHINCSSHAKE256128SSIMPLE_CLEAN_hash_message( shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(buf, PQCLEAN_SPHINCSSHAKE256128SSIMPLE_CLEAN_DGST_BYTES, &state); + shake256_inc_ctx_release(&state); memcpy(digest, bufp, PQCLEAN_SPHINCSSHAKE256128SSIMPLE_CLEAN_FORS_MSG_BYTES); bufp += PQCLEAN_SPHINCSSHAKE256128SSIMPLE_CLEAN_FORS_MSG_BYTES; diff --git a/src/sig/sphincs/pqclean_sphincs-shake256-192f-robust_clean/hash_shake256.c b/src/sig/sphincs/pqclean_sphincs-shake256-192f-robust_clean/hash_shake256.c index 7f6155eff..08e93bf66 100644 --- a/src/sig/sphincs/pqclean_sphincs-shake256-192f-robust_clean/hash_shake256.c +++ b/src/sig/sphincs/pqclean_sphincs-shake256-192f-robust_clean/hash_shake256.c @@ -57,6 +57,7 @@ void PQCLEAN_SPHINCSSHAKE256192FROBUST_CLEAN_gen_message_random( shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(R, PQCLEAN_SPHINCSSHAKE256192FROBUST_CLEAN_N, &state); + shake256_inc_ctx_release(&state); (void)hash_state_seeded; /* Prevent unused parameter warning. */ } @@ -87,6 +88,7 @@ void PQCLEAN_SPHINCSSHAKE256192FROBUST_CLEAN_hash_message( shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(buf, PQCLEAN_SPHINCSSHAKE256192FROBUST_CLEAN_DGST_BYTES, &state); + shake256_inc_ctx_release(&state); memcpy(digest, bufp, PQCLEAN_SPHINCSSHAKE256192FROBUST_CLEAN_FORS_MSG_BYTES); bufp += PQCLEAN_SPHINCSSHAKE256192FROBUST_CLEAN_FORS_MSG_BYTES; diff --git a/src/sig/sphincs/pqclean_sphincs-shake256-192f-simple_clean/hash_shake256.c b/src/sig/sphincs/pqclean_sphincs-shake256-192f-simple_clean/hash_shake256.c index 83f1350cd..81d055a56 100644 --- a/src/sig/sphincs/pqclean_sphincs-shake256-192f-simple_clean/hash_shake256.c +++ b/src/sig/sphincs/pqclean_sphincs-shake256-192f-simple_clean/hash_shake256.c @@ -57,6 +57,7 @@ void PQCLEAN_SPHINCSSHAKE256192FSIMPLE_CLEAN_gen_message_random( shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(R, PQCLEAN_SPHINCSSHAKE256192FSIMPLE_CLEAN_N, &state); + shake256_inc_ctx_release(&state); (void)hash_state_seeded; /* Prevent unused parameter warning. */ } @@ -87,6 +88,7 @@ void PQCLEAN_SPHINCSSHAKE256192FSIMPLE_CLEAN_hash_message( shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(buf, PQCLEAN_SPHINCSSHAKE256192FSIMPLE_CLEAN_DGST_BYTES, &state); + shake256_inc_ctx_release(&state); memcpy(digest, bufp, PQCLEAN_SPHINCSSHAKE256192FSIMPLE_CLEAN_FORS_MSG_BYTES); bufp += PQCLEAN_SPHINCSSHAKE256192FSIMPLE_CLEAN_FORS_MSG_BYTES; diff --git a/src/sig/sphincs/pqclean_sphincs-shake256-192s-robust_clean/hash_shake256.c b/src/sig/sphincs/pqclean_sphincs-shake256-192s-robust_clean/hash_shake256.c index e2a85598e..facef0b49 100644 --- a/src/sig/sphincs/pqclean_sphincs-shake256-192s-robust_clean/hash_shake256.c +++ b/src/sig/sphincs/pqclean_sphincs-shake256-192s-robust_clean/hash_shake256.c @@ -57,6 +57,7 @@ void PQCLEAN_SPHINCSSHAKE256192SROBUST_CLEAN_gen_message_random( shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(R, PQCLEAN_SPHINCSSHAKE256192SROBUST_CLEAN_N, &state); + shake256_inc_ctx_release(&state); (void)hash_state_seeded; /* Prevent unused parameter warning. */ } @@ -87,6 +88,7 @@ void PQCLEAN_SPHINCSSHAKE256192SROBUST_CLEAN_hash_message( shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(buf, PQCLEAN_SPHINCSSHAKE256192SROBUST_CLEAN_DGST_BYTES, &state); + shake256_inc_ctx_release(&state); memcpy(digest, bufp, PQCLEAN_SPHINCSSHAKE256192SROBUST_CLEAN_FORS_MSG_BYTES); bufp += PQCLEAN_SPHINCSSHAKE256192SROBUST_CLEAN_FORS_MSG_BYTES; diff --git a/src/sig/sphincs/pqclean_sphincs-shake256-192s-simple_clean/hash_shake256.c b/src/sig/sphincs/pqclean_sphincs-shake256-192s-simple_clean/hash_shake256.c index 828e4d4ed..26c5d9123 100644 --- a/src/sig/sphincs/pqclean_sphincs-shake256-192s-simple_clean/hash_shake256.c +++ b/src/sig/sphincs/pqclean_sphincs-shake256-192s-simple_clean/hash_shake256.c @@ -57,6 +57,7 @@ void PQCLEAN_SPHINCSSHAKE256192SSIMPLE_CLEAN_gen_message_random( shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(R, PQCLEAN_SPHINCSSHAKE256192SSIMPLE_CLEAN_N, &state); + shake256_inc_ctx_release(&state); (void)hash_state_seeded; /* Prevent unused parameter warning. */ } @@ -87,6 +88,7 @@ void PQCLEAN_SPHINCSSHAKE256192SSIMPLE_CLEAN_hash_message( shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(buf, PQCLEAN_SPHINCSSHAKE256192SSIMPLE_CLEAN_DGST_BYTES, &state); + shake256_inc_ctx_release(&state); memcpy(digest, bufp, PQCLEAN_SPHINCSSHAKE256192SSIMPLE_CLEAN_FORS_MSG_BYTES); bufp += PQCLEAN_SPHINCSSHAKE256192SSIMPLE_CLEAN_FORS_MSG_BYTES; diff --git a/src/sig/sphincs/pqclean_sphincs-shake256-256f-robust_clean/hash_shake256.c b/src/sig/sphincs/pqclean_sphincs-shake256-256f-robust_clean/hash_shake256.c index 38dc0a1eb..750baedc1 100644 --- a/src/sig/sphincs/pqclean_sphincs-shake256-256f-robust_clean/hash_shake256.c +++ b/src/sig/sphincs/pqclean_sphincs-shake256-256f-robust_clean/hash_shake256.c @@ -57,6 +57,7 @@ void PQCLEAN_SPHINCSSHAKE256256FROBUST_CLEAN_gen_message_random( shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(R, PQCLEAN_SPHINCSSHAKE256256FROBUST_CLEAN_N, &state); + shake256_inc_ctx_release(&state); (void)hash_state_seeded; /* Prevent unused parameter warning. */ } @@ -87,6 +88,7 @@ void PQCLEAN_SPHINCSSHAKE256256FROBUST_CLEAN_hash_message( shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(buf, PQCLEAN_SPHINCSSHAKE256256FROBUST_CLEAN_DGST_BYTES, &state); + shake256_inc_ctx_release(&state); memcpy(digest, bufp, PQCLEAN_SPHINCSSHAKE256256FROBUST_CLEAN_FORS_MSG_BYTES); bufp += PQCLEAN_SPHINCSSHAKE256256FROBUST_CLEAN_FORS_MSG_BYTES; diff --git a/src/sig/sphincs/pqclean_sphincs-shake256-256f-simple_clean/hash_shake256.c b/src/sig/sphincs/pqclean_sphincs-shake256-256f-simple_clean/hash_shake256.c index 204d60962..dfc285bfa 100644 --- a/src/sig/sphincs/pqclean_sphincs-shake256-256f-simple_clean/hash_shake256.c +++ b/src/sig/sphincs/pqclean_sphincs-shake256-256f-simple_clean/hash_shake256.c @@ -57,6 +57,7 @@ void PQCLEAN_SPHINCSSHAKE256256FSIMPLE_CLEAN_gen_message_random( shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(R, PQCLEAN_SPHINCSSHAKE256256FSIMPLE_CLEAN_N, &state); + shake256_inc_ctx_release(&state); (void)hash_state_seeded; /* Prevent unused parameter warning. */ } @@ -87,6 +88,7 @@ void PQCLEAN_SPHINCSSHAKE256256FSIMPLE_CLEAN_hash_message( shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(buf, PQCLEAN_SPHINCSSHAKE256256FSIMPLE_CLEAN_DGST_BYTES, &state); + shake256_inc_ctx_release(&state); memcpy(digest, bufp, PQCLEAN_SPHINCSSHAKE256256FSIMPLE_CLEAN_FORS_MSG_BYTES); bufp += PQCLEAN_SPHINCSSHAKE256256FSIMPLE_CLEAN_FORS_MSG_BYTES; diff --git a/src/sig/sphincs/pqclean_sphincs-shake256-256s-robust_clean/hash_shake256.c b/src/sig/sphincs/pqclean_sphincs-shake256-256s-robust_clean/hash_shake256.c index d76b6a06f..ebf85a81a 100644 --- a/src/sig/sphincs/pqclean_sphincs-shake256-256s-robust_clean/hash_shake256.c +++ b/src/sig/sphincs/pqclean_sphincs-shake256-256s-robust_clean/hash_shake256.c @@ -57,6 +57,7 @@ void PQCLEAN_SPHINCSSHAKE256256SROBUST_CLEAN_gen_message_random( shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(R, PQCLEAN_SPHINCSSHAKE256256SROBUST_CLEAN_N, &state); + shake256_inc_ctx_release(&state); (void)hash_state_seeded; /* Prevent unused parameter warning. */ } @@ -87,6 +88,7 @@ void PQCLEAN_SPHINCSSHAKE256256SROBUST_CLEAN_hash_message( shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(buf, PQCLEAN_SPHINCSSHAKE256256SROBUST_CLEAN_DGST_BYTES, &state); + shake256_inc_ctx_release(&state); memcpy(digest, bufp, PQCLEAN_SPHINCSSHAKE256256SROBUST_CLEAN_FORS_MSG_BYTES); bufp += PQCLEAN_SPHINCSSHAKE256256SROBUST_CLEAN_FORS_MSG_BYTES; diff --git a/src/sig/sphincs/pqclean_sphincs-shake256-256s-simple_clean/hash_shake256.c b/src/sig/sphincs/pqclean_sphincs-shake256-256s-simple_clean/hash_shake256.c index a5b564957..2ef61e2a0 100644 --- a/src/sig/sphincs/pqclean_sphincs-shake256-256s-simple_clean/hash_shake256.c +++ b/src/sig/sphincs/pqclean_sphincs-shake256-256s-simple_clean/hash_shake256.c @@ -57,6 +57,7 @@ void PQCLEAN_SPHINCSSHAKE256256SSIMPLE_CLEAN_gen_message_random( shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(R, PQCLEAN_SPHINCSSHAKE256256SSIMPLE_CLEAN_N, &state); + shake256_inc_ctx_release(&state); (void)hash_state_seeded; /* Prevent unused parameter warning. */ } @@ -87,6 +88,7 @@ void PQCLEAN_SPHINCSSHAKE256256SSIMPLE_CLEAN_hash_message( shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(buf, PQCLEAN_SPHINCSSHAKE256256SSIMPLE_CLEAN_DGST_BYTES, &state); + shake256_inc_ctx_release(&state); memcpy(digest, bufp, PQCLEAN_SPHINCSSHAKE256256SSIMPLE_CLEAN_FORS_MSG_BYTES); bufp += PQCLEAN_SPHINCSSHAKE256256SSIMPLE_CLEAN_FORS_MSG_BYTES; diff --git a/tests/test_hash.c b/tests/test_hash.c index f4ee4c60e..88846f38a 100644 --- a/tests/test_hash.c +++ b/tests/test_hash.c @@ -59,36 +59,131 @@ int do_sha256(void) { OQS_SHA2_sha256(output, msg, msg_len); // run incremental SHA-256 API uint8_t output_inc[32]; - void *state; + OQS_SHA2_sha256_ctx state; OQS_SHA2_sha256_inc_init(&state); // clone state - void *state2; - OQS_SHA2_sha256_inc_clone_state(&state2, state); + OQS_SHA2_sha256_ctx state2; + OQS_SHA2_sha256_inc_ctx_clone(&state2, &state); // hash with first state if (msg_len > 64) { - OQS_SHA2_sha256_inc_blocks(state, msg, 1); - OQS_SHA2_sha256_inc_finalize(output_inc, state, &msg[64], msg_len - 64); + OQS_SHA2_sha256_inc_blocks(&state, msg, 1); + OQS_SHA2_sha256_inc_finalize(output_inc, &state, &msg[64], msg_len - 64); } else { - OQS_SHA2_sha256_inc_finalize(output_inc, state, msg, msg_len); + OQS_SHA2_sha256_inc_finalize(output_inc, &state, msg, msg_len); } if (memcmp(output, output_inc, 32) != 0) { - free(msg); fprintf(stderr, "ERROR: Incremental API does not match main API\n"); + free(msg); return -2; } // hash with second state if (msg_len > 64) { - OQS_SHA2_sha256_inc_blocks(state2, msg, 1); - OQS_SHA2_sha256_inc_finalize(output_inc, state2, &msg[64], msg_len - 64); + OQS_SHA2_sha256_inc_blocks(&state2, msg, 1); + OQS_SHA2_sha256_inc_finalize(output_inc, &state2, &msg[64], msg_len - 64); } else { - OQS_SHA2_sha256_inc_finalize(output_inc, state2, msg, msg_len); + OQS_SHA2_sha256_inc_finalize(output_inc, &state2, msg, msg_len); } - free(msg); if (memcmp(output, output_inc, 32) != 0) { fprintf(stderr, "ERROR: Incremental API with cloned state does not match main API\n"); + free(msg); return -3; } print_hex(output, 32); + free(msg); + return 0; +} + +int do_sha384(void) { + // read message from stdin + uint8_t *msg; + size_t msg_len; + if (read_stdin(&msg, &msg_len) != 0) { + fprintf(stderr, "ERROR: malloc failure\n"); + return -1; + } + // run main SHA-384 API + uint8_t output[48]; + OQS_SHA2_sha384(output, msg, msg_len); + // run incremental SHA-384 API + uint8_t output_inc[48]; + OQS_SHA2_sha384_ctx state; + OQS_SHA2_sha384_inc_init(&state); + // clone state + OQS_SHA2_sha384_ctx state2; + OQS_SHA2_sha384_inc_ctx_clone(&state2, &state); + // hash with first state + if (msg_len > 64) { + OQS_SHA2_sha384_inc_blocks(&state, msg, 1); + OQS_SHA2_sha384_inc_finalize(output_inc, &state, &msg[64], msg_len - 64); + } else { + OQS_SHA2_sha384_inc_finalize(output_inc, &state, msg, msg_len); + } + if (memcmp(output, output_inc, 48) != 0) { + fprintf(stderr, "ERROR: Incremental API does not match main API\n"); + free(msg); + return -2; + } + // hash with second state + if (msg_len > 64) { + OQS_SHA2_sha384_inc_blocks(&state2, msg, 1); + OQS_SHA2_sha384_inc_finalize(output_inc, &state2, &msg[64], msg_len - 64); + } else { + OQS_SHA2_sha384_inc_finalize(output_inc, &state2, msg, msg_len); + } + if (memcmp(output, output_inc, 48) != 0) { + fprintf(stderr, "ERROR: Incremental API with cloned state does not match main API\n"); + free(msg); + return -3; + } + print_hex(output, 48); + free(msg); + return 0; +} + +int do_sha512(void) { + // read message from stdin + uint8_t *msg; + size_t msg_len; + if (read_stdin(&msg, &msg_len) != 0) { + fprintf(stderr, "ERROR: malloc failure\n"); + return -1; + } + // run main SHA-512 API + uint8_t output[64]; + OQS_SHA2_sha512(output, msg, msg_len); + // run incremental SHA-512 API + uint8_t output_inc[64]; + OQS_SHA2_sha512_ctx state; + OQS_SHA2_sha512_inc_init(&state); + // clone state + OQS_SHA2_sha512_ctx state2; + OQS_SHA2_sha512_inc_ctx_clone(&state2, &state); + // hash with first state + if (msg_len > 64) { + OQS_SHA2_sha512_inc_blocks(&state, msg, 1); + OQS_SHA2_sha512_inc_finalize(output_inc, &state, &msg[64], msg_len - 64); + } else { + OQS_SHA2_sha512_inc_finalize(output_inc, &state, msg, msg_len); + } + if (memcmp(output, output_inc, 64) != 0) { + fprintf(stderr, "ERROR: Incremental API does not match main API\n"); + free(msg); + return -2; + } + // hash with second state + if (msg_len > 64) { + OQS_SHA2_sha512_inc_blocks(&state2, msg, 1); + OQS_SHA2_sha512_inc_finalize(output_inc, &state2, &msg[64], msg_len - 64); + } else { + OQS_SHA2_sha512_inc_finalize(output_inc, &state2, msg, msg_len); + } + if (memcmp(output, output_inc, 64) != 0) { + fprintf(stderr, "ERROR: Incremental API with cloned state does not match main API\n"); + free(msg); + return -3; + } + print_hex(output, 64); + free(msg); return 0; } @@ -105,13 +200,14 @@ int do_arbitrary_hash(void (*hash)(uint8_t *, const uint8_t *, size_t), size_t h hash(output, msg, msg_len); print_hex(output, hash_len); free(output); + free(msg); return 0; } int main(int argc, char **argv) { if (argc != 2) { fprintf(stderr, "Usage: test_hash algname\n"); - fprintf(stderr, " algname: sha256, sha384, sha512\n"); + fprintf(stderr, " algname: sha256, sha384, sha512, sha256inc, sha384inc, sha512inc\n"); fprintf(stderr, " test_hash reads input from stdin and outputs hash value as hex string to stdout"); printf("\n"); print_system_info(); @@ -120,8 +216,14 @@ int main(int argc, char **argv) { char *hash_alg = argv[1]; - if (strcmp(hash_alg, "sha256") == 0) { + if (strcmp(hash_alg, "sha256inc") == 0) { return do_sha256(); + } else if (strcmp(hash_alg, "sha384inc") == 0) { + return do_sha384(); + } else if (strcmp(hash_alg, "sha512inc") == 0) { + return do_sha512(); + } else if (strcmp(hash_alg, "sha256") == 0) { + return do_arbitrary_hash(&OQS_SHA2_sha256, 32); } else if (strcmp(hash_alg, "sha384") == 0) { return do_arbitrary_hash(&OQS_SHA2_sha384, 48); } else if (strcmp(hash_alg, "sha512") == 0) { diff --git a/tests/test_hash.py b/tests/test_hash.py index 31945cb30..d7c04670c 100644 --- a/tests/test_hash.py +++ b/tests/test_hash.py @@ -26,6 +26,11 @@ def test_sha256(msg): input = msg.encode(), ) assert(output.rstrip() == hashlib.sha256(msg.encode()).hexdigest()) + output = helpers.run_subprocess( + [helpers.path_to_executable('test_hash'), 'sha256inc'], + input = msg.encode(), + ) + assert(output.rstrip() == hashlib.sha256(msg.encode()).hexdigest()) @helpers.filtered_test @pytest.mark.parametrize('msg', ['', 'a', 'abc', '1234567890123456789012345678901678901567890']) @@ -36,6 +41,11 @@ def test_sha384(msg): input = msg.encode(), ) assert(output.rstrip() == hashlib.sha384(msg.encode()).hexdigest()) + output = helpers.run_subprocess( + [helpers.path_to_executable('test_hash'), 'sha384inc'], + input = msg.encode(), + ) + assert(output.rstrip() == hashlib.sha384(msg.encode()).hexdigest()) @helpers.filtered_test @pytest.mark.parametrize('msg', ['', 'a', 'abc', '1234567890123456789012345678901678901567890']) @@ -46,6 +56,11 @@ def test_sha512(msg): input = msg.encode(), ) assert(output.rstrip() == hashlib.sha512(msg.encode()).hexdigest()) + output = helpers.run_subprocess( + [helpers.path_to_executable('test_hash'), 'sha512inc'], + input = msg.encode(), + ) + assert(output.rstrip() == hashlib.sha512(msg.encode()).hexdigest()) if __name__ == "__main__": import sys diff --git a/tests/test_sha3.c b/tests/test_sha3.c index 829603c48..885065d91 100644 --- a/tests/test_sha3.c +++ b/tests/test_sha3.c @@ -455,6 +455,7 @@ int shake_128_kat_test(void) { clear8(hash, OQS_SHA3_SHAKE128_RATE * 4); OQS_SHA3_shake128_absorb(&state, msg1600, 200); OQS_SHA3_shake128_squeezeblocks(hash, 4, &state); + OQS_SHA3_shake128_ctx_release(&state); if (are_equal8(hash, exp1600, 512) == EXIT_FAILURE) { status = EXIT_FAILURE; @@ -589,6 +590,7 @@ int shake_256_kat_test(void) { clear8(hash, OQS_SHA3_SHAKE256_RATE * 4); OQS_SHA3_shake256_absorb(&state, msg1600, 200); OQS_SHA3_shake256_squeezeblocks(hash, 4, &state); + OQS_SHA3_shake256_ctx_release(&state); if (are_equal8(hash, exp1600, 512) == EXIT_FAILURE) { status = EXIT_FAILURE;