From 65a6a63e08d3eed8069cf1cda5664a6c98ab7c8f Mon Sep 17 00:00:00 2001 From: Thom Wiggers Date: Tue, 11 Feb 2020 11:15:14 +0100 Subject: [PATCH] Put all common primitives on the heap (#266) * Put AES ctx on the heap This forces people to use the ``ctx_release`` functions, because otherwise there will be leaks * Put fips202 on the heap * Add much more docs for fips202.h * fixup! Put fips202 on the heap * Put SHA2 on the heap-supporting API * Fix clang-tidy warnings * Fix unreachable free() in falcon * Fix McEliece8192128f-sse GNU Makefile --- CONTRIBUTING.md | 7 +- common/aes.c | 22 +++- common/aes.h | 15 ++- common/fips202.c | 124 ++++++++++++++++++ common/fips202.h | 93 +++++++++++-- common/sha2.c | 97 +++++++++----- common/sha2.h | 37 +++--- common/sp800-185.c | 18 +++ common/sp800-185.h | 4 + crypto_kem/babybear-ephem/clean/threebears.c | 13 +- crypto_kem/babybear/clean/threebears.c | 11 +- crypto_kem/kyber1024-90s/avx2/aes256ctr.c | 1 - crypto_kem/kyber1024-90s/avx2/symmetric.h | 1 + crypto_kem/kyber1024-90s/clean/aes256ctr.c | 5 + crypto_kem/kyber1024-90s/clean/aes256ctr.h | 1 + crypto_kem/kyber1024-90s/clean/indcpa.c | 1 + crypto_kem/kyber1024-90s/clean/symmetric.h | 1 + crypto_kem/kyber1024/avx2/symmetric.h | 1 + crypto_kem/kyber1024/clean/indcpa.c | 1 + crypto_kem/kyber1024/clean/symmetric.h | 1 + crypto_kem/kyber512-90s/avx2/aes256ctr.c | 1 - crypto_kem/kyber512-90s/avx2/symmetric.h | 1 + crypto_kem/kyber512-90s/clean/aes256ctr.c | 5 + crypto_kem/kyber512-90s/clean/aes256ctr.h | 1 + crypto_kem/kyber512-90s/clean/indcpa.c | 1 + crypto_kem/kyber512-90s/clean/symmetric.h | 1 + crypto_kem/kyber512/avx2/symmetric.h | 1 + crypto_kem/kyber512/clean/indcpa.c | 1 + crypto_kem/kyber512/clean/symmetric.h | 1 + crypto_kem/kyber768-90s/avx2/aes256ctr.c | 1 - crypto_kem/kyber768-90s/avx2/symmetric.h | 1 + crypto_kem/kyber768-90s/clean/aes256ctr.c | 5 + crypto_kem/kyber768-90s/clean/aes256ctr.h | 1 + crypto_kem/kyber768-90s/clean/indcpa.c | 1 + crypto_kem/kyber768-90s/clean/symmetric.h | 1 + crypto_kem/kyber768/avx2/symmetric.h | 1 + crypto_kem/kyber768/clean/indcpa.c | 1 + crypto_kem/kyber768/clean/symmetric.h | 1 + crypto_kem/mamabear-ephem/clean/threebears.c | 13 +- crypto_kem/mamabear/clean/threebears.c | 11 +- crypto_kem/papabear-ephem/clean/threebears.c | 13 +- crypto_kem/papabear/clean/threebears.c | 11 +- crypto_sign/dilithium2/avx2/poly.c | 3 + crypto_sign/dilithium2/avx2/symmetric.h | 2 + crypto_sign/dilithium2/clean/poly.c | 3 + crypto_sign/dilithium2/clean/symmetric.h | 2 + crypto_sign/dilithium3/avx2/poly.c | 3 + crypto_sign/dilithium3/avx2/symmetric.h | 2 + crypto_sign/dilithium3/clean/poly.c | 3 + crypto_sign/dilithium3/clean/symmetric.h | 2 + crypto_sign/dilithium4/avx2/poly.c | 3 + crypto_sign/dilithium4/avx2/symmetric.h | 2 + crypto_sign/dilithium4/clean/poly.c | 3 + crypto_sign/dilithium4/clean/symmetric.h | 2 + crypto_sign/falcon-1024/clean/inner.h | 1 + crypto_sign/falcon-1024/clean/pqclean.c | 4 + crypto_sign/falcon-512/clean/inner.h | 1 + crypto_sign/falcon-512/clean/pqclean.c | 4 + crypto_sign/mqdss-48/clean/gf31.c | 2 + crypto_sign/mqdss-48/clean/sign.c | 6 + crypto_sign/mqdss-64/clean/gf31.c | 2 + crypto_sign/mqdss-64/clean/sign.c | 6 + .../rainbowIIIc-classic/clean/utils_prng.c | 2 + .../clean/utils_prng.c | 2 + .../rainbowIIIc-cyclic/clean/utils_prng.c | 2 + .../rainbowIa-classic/clean/utils_prng.c | 2 + .../clean/utils_prng.c | 2 + .../rainbowIa-cyclic/clean/utils_prng.c | 2 + .../rainbowVc-classic/clean/utils_prng.c | 2 + .../clean/utils_prng.c | 2 + .../rainbowVc-cyclic/clean/utils_prng.c | 2 + .../avx2/hash_sha256.c | 6 +- .../avx2/thash_sha256_robust.c | 2 +- .../clean/hash_sha256.c | 2 +- .../clean/thash_sha256_robust.c | 2 +- .../avx2/hash_sha256.c | 6 +- .../avx2/thash_sha256_simple.c | 2 +- .../clean/hash_sha256.c | 2 +- .../clean/thash_sha256_simple.c | 2 +- .../avx2/hash_sha256.c | 6 +- .../avx2/thash_sha256_robust.c | 2 +- .../clean/hash_sha256.c | 2 +- .../clean/thash_sha256_robust.c | 2 +- .../avx2/hash_sha256.c | 6 +- .../avx2/thash_sha256_simple.c | 2 +- .../clean/hash_sha256.c | 2 +- .../clean/thash_sha256_simple.c | 2 +- .../avx2/hash_sha256.c | 6 +- .../avx2/thash_sha256_robust.c | 2 +- .../clean/hash_sha256.c | 2 +- .../clean/thash_sha256_robust.c | 2 +- .../avx2/hash_sha256.c | 6 +- .../avx2/thash_sha256_simple.c | 2 +- .../clean/hash_sha256.c | 2 +- .../clean/thash_sha256_simple.c | 2 +- .../avx2/hash_sha256.c | 6 +- .../avx2/thash_sha256_robust.c | 2 +- .../clean/hash_sha256.c | 2 +- .../clean/thash_sha256_robust.c | 2 +- .../avx2/hash_sha256.c | 6 +- .../avx2/thash_sha256_simple.c | 2 +- .../clean/hash_sha256.c | 2 +- .../clean/thash_sha256_simple.c | 2 +- .../avx2/hash_sha256.c | 6 +- .../avx2/thash_sha256_robust.c | 2 +- .../clean/hash_sha256.c | 2 +- .../clean/thash_sha256_robust.c | 2 +- .../avx2/hash_sha256.c | 6 +- .../avx2/thash_sha256_simple.c | 2 +- .../clean/hash_sha256.c | 2 +- .../clean/thash_sha256_simple.c | 2 +- .../avx2/hash_sha256.c | 6 +- .../avx2/thash_sha256_robust.c | 2 +- .../clean/hash_sha256.c | 2 +- .../clean/thash_sha256_robust.c | 2 +- .../avx2/hash_sha256.c | 6 +- .../avx2/thash_sha256_simple.c | 2 +- .../clean/hash_sha256.c | 2 +- .../clean/thash_sha256_simple.c | 2 +- .../avx2/hash_shake256.c | 2 + .../clean/hash_shake256.c | 2 + .../avx2/hash_shake256.c | 2 + .../clean/hash_shake256.c | 2 + .../avx2/hash_shake256.c | 2 + .../clean/hash_shake256.c | 2 + .../avx2/hash_shake256.c | 2 + .../clean/hash_shake256.c | 2 + .../avx2/hash_shake256.c | 2 + .../clean/hash_shake256.c | 2 + .../avx2/hash_shake256.c | 2 + .../clean/hash_shake256.c | 2 + .../avx2/hash_shake256.c | 2 + .../clean/hash_shake256.c | 2 + .../avx2/hash_shake256.c | 2 + .../clean/hash_shake256.c | 2 + .../avx2/hash_shake256.c | 2 + .../clean/hash_shake256.c | 2 + .../avx2/hash_shake256.c | 2 + .../clean/hash_shake256.c | 2 + .../avx2/hash_shake256.c | 2 + .../clean/hash_shake256.c | 2 + .../avx2/hash_shake256.c | 2 + .../clean/hash_shake256.c | 2 + test/common/nistkatrng.c | 1 + test/test_common/fips202.c | 20 ++- test/test_valgrind.py | 1 + 146 files changed, 632 insertions(+), 184 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 382cbe6f..4261c11a 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -57,7 +57,12 @@ See the section [API](#API) below. astyle --project crypto_kem/yourschemename/clean/*.[ch] ``` 4. You may run the tests in the `tests/` folder. See the `README` for how to run the test suite. - 5. Migrate your use of AES, SHA-2, and SHA-3 to the API in the `common` directory. Note that if you use the AES API, you must use the `aes128_keyexp` routine (or 192 or 256) to expand the key into a key schedule object, then use `aes128_ctx_release` to release the key schedule object once you're finished with it. + 5. Migrate your use of AES, SHA-2, and SHA-3 to the API in the `common` directory. + Note that if you use the AES API, you must use the `aes128_keyexp` routine (or 192 or 256) to expand the key into a key schedule object, + then use `aes128_ctx_release` to release the key schedule object once you're finished with it. + For the SHAKE API, use the appropriate `_ctx_release` functions. + For fixed-output functions SHA-2 and SHA-3, the `_finalize` function will free the state. + If you need to make copies of any of the states of these primitives, use the appropriate functions. 5. Create `Makefile` and `Makefile.Microsoft_nmake` files to compile your scheme as static library. * We suggest you copy these from `crypto_kem/kyber768/clean` and modify them to suit your scheme. diff --git a/common/aes.c b/common/aes.c index 4d365fd5..ff2ec125 100644 --- a/common/aes.c +++ b/common/aes.c @@ -577,6 +577,11 @@ static void aes_ctr(unsigned char *out, size_t outlen, const unsigned char *iv, void aes128_keyexp(aes128ctx *r, const unsigned char *key) { uint64_t skey[22]; + r->sk_exp = malloc(sizeof(uint64_t) * PQC_AES128_STATESIZE); + if (r->sk_exp == NULL) { + exit(111); + } + br_aes_ct64_keysched(skey, key, 16); br_aes_ct64_skey_expand(r->sk_exp, skey, 10); } @@ -584,6 +589,10 @@ void aes128_keyexp(aes128ctx *r, const unsigned char *key) { void aes192_keyexp(aes192ctx *r, const unsigned char *key) { uint64_t skey[26]; + r->sk_exp = malloc(sizeof(uint64_t) * PQC_AES192_STATESIZE); + if (r->sk_exp == NULL) { + exit(111); + } br_aes_ct64_keysched(skey, key, 24); br_aes_ct64_skey_expand(r->sk_exp, skey, 12); @@ -592,6 +601,10 @@ void aes192_keyexp(aes192ctx *r, const unsigned char *key) { void aes256_keyexp(aes256ctx *r, const unsigned char *key) { uint64_t skey[30]; + r->sk_exp = malloc(sizeof(uint64_t) * PQC_AES256_STATESIZE); + if (r->sk_exp == NULL) { + exit(111); + } br_aes_ct64_keysched(skey, key, 32); br_aes_ct64_skey_expand(r->sk_exp, skey, 14); @@ -623,17 +636,14 @@ void aes256_ctr(unsigned char *out, size_t outlen, const unsigned char *iv, cons } void aes128_ctx_release(aes128ctx *r) { - // no-op for PQClean's basic AES operation - (void) r; + free(r->sk_exp); } void aes192_ctx_release(aes192ctx *r) { - // no-op for PQClean's basic AES operation - (void) r; + free(r->sk_exp); } void aes256_ctx_release(aes256ctx *r) { - // no-op for PQClean's basic AES operation - (void) r; + free(r->sk_exp); } diff --git a/common/aes.h b/common/aes.h index 22da4b08..a590c8c4 100644 --- a/common/aes.h +++ b/common/aes.h @@ -10,29 +10,36 @@ #define AESCTR_NONCEBYTES 12 #define AES_BLOCKBYTES 16 +// We've put these states on the heap to make sure ctx_release is used. +#define PQC_AES128_STATESIZE 88 typedef struct { - uint64_t sk_exp[88]; + uint64_t* sk_exp; } aes128ctx; +#define PQC_AES192_STATESIZE 104 typedef struct { - uint64_t sk_exp[104]; + uint64_t* sk_exp; } aes192ctx; +#define PQC_AES256_STATESIZE 120 typedef struct { - uint64_t sk_exp[120]; + uint64_t* sk_exp; } aes256ctx; +/** Initializes the context **/ void aes128_keyexp(aes128ctx *r, const unsigned char *key); void aes128_ecb(unsigned char *out, const unsigned char *in, size_t nblocks, const aes128ctx *ctx); void aes128_ctr(unsigned char *out, size_t outlen, const unsigned char *iv, const aes128ctx *ctx); +/** Frees the context **/ void aes128_ctx_release(aes128ctx *r); +/** Initializes the context **/ void aes192_keyexp(aes192ctx *r, const unsigned char *key); void aes192_ecb(unsigned char *out, const unsigned char *in, size_t nblocks, const aes192ctx *ctx); @@ -42,12 +49,14 @@ void aes192_ctr(unsigned char *out, size_t outlen, const unsigned char *iv, cons void aes192_ctx_release(aes192ctx *r); +/** Initializes the context **/ void aes256_keyexp(aes256ctx *r, const unsigned char *key); void aes256_ecb(unsigned char *out, const unsigned char *in, size_t nblocks, const aes256ctx *ctx); void aes256_ctr(unsigned char *out, size_t outlen, const unsigned char *iv, const aes256ctx *ctx); +/** Frees the context **/ void aes256_ctx_release(aes256ctx *r); diff --git a/common/fips202.c b/common/fips202.c index 76b0cb71..6a13446b 100644 --- a/common/fips202.c +++ b/common/fips202.c @@ -7,6 +7,8 @@ #include #include +#include +#include #include "fips202.h" @@ -521,6 +523,10 @@ static void keccak_inc_squeeze(uint8_t *h, size_t outlen, } void shake128_inc_init(shake128incctx *state) { + state->ctx = malloc(PQC_SHAKEINCCTX_BYTES); + if (state->ctx == NULL) { + exit(111); + } keccak_inc_init(state->ctx); } @@ -536,7 +542,23 @@ void shake128_inc_squeeze(uint8_t *output, size_t outlen, shake128incctx *state) keccak_inc_squeeze(output, outlen, state->ctx, SHAKE128_RATE); } +void shake128_inc_ctx_clone(shake128incctx *dest, const shake128incctx *src) { + dest->ctx = malloc(PQC_SHAKEINCCTX_BYTES); + if (dest->ctx == NULL) { + exit(111); + } + memcpy(dest->ctx, src->ctx, PQC_SHAKEINCCTX_BYTES); +} + +void shake128_inc_ctx_release(shake128incctx *state) { + free(state->ctx); +} + void shake256_inc_init(shake256incctx *state) { + state->ctx = malloc(PQC_SHAKEINCCTX_BYTES); + if (state->ctx == NULL) { + exit(111); + } keccak_inc_init(state->ctx); } @@ -552,6 +574,18 @@ void shake256_inc_squeeze(uint8_t *output, size_t outlen, shake256incctx *state) keccak_inc_squeeze(output, outlen, state->ctx, SHAKE256_RATE); } +void shake256_inc_ctx_clone(shake256incctx *dest, const shake256incctx *src) { + dest->ctx = malloc(PQC_SHAKEINCCTX_BYTES); + if (dest->ctx == NULL) { + exit(111); + } + memcpy(dest->ctx, src->ctx, PQC_SHAKEINCCTX_BYTES); +} + +void shake256_inc_ctx_release(shake256incctx *state) { + free(state->ctx); +} + /************************************************* * Name: shake128_absorb @@ -565,6 +599,10 @@ void shake256_inc_squeeze(uint8_t *output, size_t outlen, shake256incctx *state) * - size_t inlen: length of input in bytes **************************************************/ void shake128_absorb(shake128ctx *state, const uint8_t *input, size_t inlen) { + state->ctx = malloc(PQC_SHAKECTX_BYTES); + if (state->ctx == NULL) { + exit(111); + } keccak_absorb(state->ctx, SHAKE128_RATE, input, inlen, 0x1F); } @@ -584,6 +622,19 @@ void shake128_squeezeblocks(uint8_t *output, size_t nblocks, shake128ctx *state) keccak_squeezeblocks(output, nblocks, state->ctx, SHAKE128_RATE); } +void shake128_ctx_clone(shake128ctx *dest, const shake128ctx *src) { + dest->ctx = malloc(PQC_SHAKECTX_BYTES); + if (dest->ctx == NULL) { + exit(111); + } + memcpy(dest->ctx, src->ctx, PQC_SHAKECTX_BYTES); +} + +/** Release the allocated state. Call only once. */ +void shake128_ctx_release(shake128ctx *state) { + free(state->ctx); +} + /************************************************* * Name: shake256_absorb * @@ -596,6 +647,10 @@ void shake128_squeezeblocks(uint8_t *output, size_t nblocks, shake128ctx *state) * - size_t inlen: length of input in bytes **************************************************/ void shake256_absorb(shake256ctx *state, const uint8_t *input, size_t inlen) { + state->ctx = malloc(PQC_SHAKECTX_BYTES); + if (state->ctx == NULL) { + exit(111); + } keccak_absorb(state->ctx, SHAKE256_RATE, input, inlen, 0x1F); } @@ -615,6 +670,19 @@ void shake256_squeezeblocks(uint8_t *output, size_t nblocks, shake256ctx *state) keccak_squeezeblocks(output, nblocks, state->ctx, SHAKE256_RATE); } +void shake256_ctx_clone(shake256ctx *dest, const shake256ctx *src) { + dest->ctx = malloc(PQC_SHAKECTX_BYTES); + if (dest->ctx == NULL) { + exit(111); + } + memcpy(dest->ctx, src->ctx, PQC_SHAKECTX_BYTES); +} + +/** Release the allocated state. Call only once. */ +void shake256_ctx_release(shake256ctx *state) { + free(state->ctx); +} + /************************************************* * Name: shake128 * @@ -643,6 +711,7 @@ void shake128(uint8_t *output, size_t outlen, output[i] = t[i]; } } + shake128_ctx_release(&s); } /************************************************* @@ -673,12 +742,29 @@ void shake256(uint8_t *output, size_t outlen, output[i] = t[i]; } } + shake256_ctx_release(&s); } void sha3_256_inc_init(sha3_256incctx *state) { + state->ctx = malloc(PQC_SHAKEINCCTX_BYTES); + if (state->ctx == NULL) { + exit(111); + } keccak_inc_init(state->ctx); } +void sha3_256_inc_ctx_clone(sha3_256incctx *dest, const sha3_256incctx *src) { + dest->ctx = malloc(PQC_SHAKEINCCTX_BYTES); + if (dest->ctx == NULL) { + exit(111); + } + memcpy(dest->ctx, src->ctx, PQC_SHAKEINCCTX_BYTES); +} + +void sha3_256_inc_ctx_release(sha3_256incctx *state) { + free(state->ctx); +} + void sha3_256_inc_absorb(sha3_256incctx *state, const uint8_t *input, size_t inlen) { keccak_inc_absorb(state->ctx, SHA3_256_RATE, input, inlen); } @@ -689,6 +775,8 @@ void sha3_256_inc_finalize(uint8_t *output, sha3_256incctx *state) { keccak_squeezeblocks(t, 1, state->ctx, SHA3_256_RATE); + sha3_256_inc_ctx_release(state); + for (size_t i = 0; i < 32; i++) { output[i] = t[i]; } @@ -719,19 +807,37 @@ void sha3_256(uint8_t *output, const uint8_t *input, size_t inlen) { } void sha3_384_inc_init(sha3_384incctx *state) { + state->ctx = malloc(PQC_SHAKEINCCTX_BYTES); + if (state->ctx == NULL) { + exit(111); + } keccak_inc_init(state->ctx); } +void sha3_384_inc_ctx_clone(sha3_384incctx *dest, const sha3_384incctx *src) { + dest->ctx = malloc(PQC_SHAKEINCCTX_BYTES); + if (dest->ctx == NULL) { + exit(111); + } + memcpy(dest->ctx, src->ctx, PQC_SHAKEINCCTX_BYTES); +} + void sha3_384_inc_absorb(sha3_384incctx *state, const uint8_t *input, size_t inlen) { keccak_inc_absorb(state->ctx, SHA3_384_RATE, input, inlen); } +void sha3_384_inc_ctx_release(sha3_384incctx *state) { + free(state->ctx); +} + void sha3_384_inc_finalize(uint8_t *output, sha3_384incctx *state) { uint8_t t[SHA3_384_RATE]; keccak_inc_finalize(state->ctx, SHA3_384_RATE, 0x06); keccak_squeezeblocks(t, 1, state->ctx, SHA3_384_RATE); + sha3_384_inc_ctx_release(state); + for (size_t i = 0; i < 48; i++) { output[i] = t[i]; } @@ -762,19 +868,37 @@ void sha3_384(uint8_t *output, const uint8_t *input, size_t inlen) { } void sha3_512_inc_init(sha3_512incctx *state) { + state->ctx = malloc(PQC_SHAKEINCCTX_BYTES); + if (state->ctx == NULL) { + exit(111); + } keccak_inc_init(state->ctx); } +void sha3_512_inc_ctx_clone(sha3_512incctx *dest, const sha3_512incctx *src) { + dest->ctx = malloc(PQC_SHAKEINCCTX_BYTES); + if (dest->ctx == NULL) { + exit(111); + } + memcpy(dest->ctx, src->ctx, PQC_SHAKEINCCTX_BYTES); +} + void sha3_512_inc_absorb(sha3_512incctx *state, const uint8_t *input, size_t inlen) { keccak_inc_absorb(state->ctx, SHA3_512_RATE, input, inlen); } +void sha3_512_inc_ctx_release(sha3_512incctx *state) { + free(state->ctx); +} + void sha3_512_inc_finalize(uint8_t *output, sha3_512incctx *state) { uint8_t t[SHA3_512_RATE]; keccak_inc_finalize(state->ctx, SHA3_512_RATE, 0x06); keccak_squeezeblocks(t, 1, state->ctx, SHA3_512_RATE); + sha3_512_inc_ctx_release(state); + for (size_t i = 0; i < 64; i++) { output[i] = t[i]; } diff --git a/common/fips202.h b/common/fips202.h index 5d62b284..d3fda811 100644 --- a/common/fips202.h +++ b/common/fips202.h @@ -11,80 +11,157 @@ #define SHA3_512_RATE 72 +#define PQC_SHAKEINCCTX_BYTES (sizeof(uint64_t)*26) +#define PQC_SHAKECTX_BYTES (sizeof(uint64_t)*25) + // Context for incremental API typedef struct { - uint64_t ctx[26]; + uint64_t* ctx; } shake128incctx; // Context for non-incremental API typedef struct { - uint64_t ctx[25]; + uint64_t* ctx; } shake128ctx; // Context for incremental API typedef struct { - uint64_t ctx[26]; + uint64_t* ctx; } shake256incctx; // Context for non-incremental API typedef struct { - uint64_t ctx[25]; + uint64_t* ctx; } shake256ctx; // Context for incremental API typedef struct { - uint64_t ctx[26]; + uint64_t* ctx; } sha3_256incctx; // Context for incremental API typedef struct { - uint64_t ctx[26]; + uint64_t* ctx; } sha3_384incctx; // Context for incremental API typedef struct { - uint64_t ctx[26]; + uint64_t* ctx; } sha3_512incctx; +/* Initialize the state and absorb the provided input. + * + * This function does not support being called multiple times + * with the same state. + */ void shake128_absorb(shake128ctx *state, const uint8_t *input, size_t inlen); - +/* Squeeze output out of the sponge. + * + * Supports being called multiple times + */ void shake128_squeezeblocks(uint8_t *output, size_t nblocks, shake128ctx *state); +/* Free the state */ +void shake128_ctx_release(shake128ctx *state); +/* Copy the state. */ +void shake128_ctx_clone(shake128ctx *dest, const shake128ctx *src); +/* Initialize incremental hashing API */ void shake128_inc_init(shake128incctx *state); +/* Absorb more information into the XOF. + * + * Can be called multiple times. + */ void shake128_inc_absorb(shake128incctx *state, const uint8_t *input, size_t inlen); +/* Finalize the XOF for squeezing */ void shake128_inc_finalize(shake128incctx *state); +/* Squeeze output out of the sponge. + * + * Supports being called multiple times + */ void shake128_inc_squeeze(uint8_t *output, size_t outlen, shake128incctx *state); +/* Copy the context of the SHAKE128 XOF */ +void shake128_inc_ctx_clone(shake128incctx* dest, const shake128incctx *src); +/* Free the context of the SHAKE128 XOF */ +void shake128_inc_ctx_release(shake128incctx *state); +/* Initialize the state and absorb the provided input. + * + * This function does not support being called multiple times + * with the same state. + */ void shake256_absorb(shake256ctx *state, const uint8_t *input, size_t inlen); +/* Squeeze output out of the sponge. + * + * Supports being called multiple times + */ void shake256_squeezeblocks(uint8_t *output, size_t nblocks, shake256ctx *state); +/* Free the context held by this XOF */ +void shake256_ctx_release(shake256ctx *state); +/* Copy the context held by this XOF */ +void shake256_ctx_clone(shake256ctx *dest, const shake256ctx *src); +/* Initialize incremental hashing API */ void shake256_inc_init(shake256incctx *state); void shake256_inc_absorb(shake256incctx *state, const uint8_t *input, size_t inlen); +/* Prepares for squeeze phase */ void shake256_inc_finalize(shake256incctx *state); +/* Squeeze output out of the sponge. + * + * Supports being called multiple times + */ void shake256_inc_squeeze(uint8_t *output, size_t outlen, shake256incctx *state); +/* Copy the state */ +void shake256_inc_ctx_clone(shake256incctx* dest, const shake256incctx *src); +/* Free the state */ +void shake256_inc_ctx_release(shake256incctx *state); +/* One-stop SHAKE128 call */ void shake128(uint8_t *output, size_t outlen, const uint8_t *input, size_t inlen); +/* One-stop SHAKE256 call */ void shake256(uint8_t *output, size_t outlen, const uint8_t *input, size_t inlen); +/* Initialize the incremental hashing state */ void sha3_256_inc_init(sha3_256incctx *state); +/* Absorb blocks into SHA3 */ void sha3_256_inc_absorb(sha3_256incctx *state, const uint8_t *input, size_t inlen); +/* Obtain the output of the function and free `state` */ void sha3_256_inc_finalize(uint8_t *output, sha3_256incctx *state); +/* Copy the context */ +void sha3_256_inc_ctx_clone(sha3_256incctx *dest, const sha3_256incctx *src); +/* Release the state, don't use if `_finalize` has been used */ +void sha3_256_inc_ctx_release(sha3_256incctx *state); void sha3_256(uint8_t *output, const uint8_t *input, size_t inlen); +/* Initialize the incremental hashing state */ void sha3_384_inc_init(sha3_384incctx *state); +/* Absorb blocks into SHA3 */ void sha3_384_inc_absorb(sha3_384incctx *state, const uint8_t *input, size_t inlen); +/* Obtain the output of the function and free `state` */ void sha3_384_inc_finalize(uint8_t *output, sha3_384incctx *state); +/* Copy the context */ +void sha3_384_inc_ctx_clone(sha3_384incctx *dest, const sha3_384incctx *src); +/* Release the state, don't use if `_finalize` has been used */ +void sha3_384_inc_ctx_release(sha3_384incctx *state); +/* One-stop SHA3-384 shop */ void sha3_384(uint8_t *output, const uint8_t *input, size_t inlen); +/* Initialize the incremental hashing state */ void sha3_512_inc_init(sha3_512incctx *state); +/* Absorb blocks into SHA3 */ void sha3_512_inc_absorb(sha3_512incctx *state, const uint8_t *input, size_t inlen); +/* Obtain the output of the function and free `state` */ void sha3_512_inc_finalize(uint8_t *output, sha3_512incctx *state); +/* Copy the context */ +void sha3_512_inc_ctx_clone(sha3_512incctx *dest, const sha3_512incctx *src); +/* Release the state, don't use if `_finalize` has been used */ +void sha3_512_inc_ctx_release(sha3_512incctx *state); +/* One-stop SHA3-512 shop */ void sha3_512(uint8_t *output, const uint8_t *input, size_t inlen); #endif diff --git a/common/sha2.c b/common/sha2.c index bb89ff2e..ad0c4165 100644 --- a/common/sha2.c +++ b/common/sha2.c @@ -4,6 +4,7 @@ #include #include +#include #include #include "sha2.h" @@ -494,6 +495,10 @@ static const uint8_t iv_512[64] = { }; void sha224_inc_init(sha224ctx *state) { + state->ctx = malloc(PQC_SHA256CTX_BYTES); + if (state->ctx == NULL) { + exit(111); + } for (size_t i = 0; i < 32; ++i) { state->ctx[i] = iv_224[i]; } @@ -503,6 +508,10 @@ void sha224_inc_init(sha224ctx *state) { } void sha256_inc_init(sha256ctx *state) { + state->ctx = malloc(PQC_SHA256CTX_BYTES); + if (state->ctx == NULL) { + exit(111); + } for (size_t i = 0; i < 32; ++i) { state->ctx[i] = iv_256[i]; } @@ -512,6 +521,10 @@ void sha256_inc_init(sha256ctx *state) { } void sha384_inc_init(sha384ctx *state) { + state->ctx = malloc(PQC_SHA512CTX_BYTES); + if (state->ctx == NULL) { + exit(111); + } for (size_t i = 0; i < 64; ++i) { state->ctx[i] = iv_384[i]; } @@ -521,6 +534,10 @@ void sha384_inc_init(sha384ctx *state) { } void sha512_inc_init(sha512ctx *state) { + state->ctx = malloc(PQC_SHA512CTX_BYTES); + if (state->ctx == NULL) { + exit(111); + } for (size_t i = 0; i < 64; ++i) { state->ctx[i] = iv_512[i]; } @@ -529,52 +546,56 @@ void sha512_inc_init(sha512ctx *state) { } } -void sha224_inc_clone_state(sha224ctx *stateout, const sha224ctx *statein) { - memcpy(stateout, statein, sizeof(sha224ctx)); +void sha224_inc_ctx_clone(sha224ctx *stateout, const sha224ctx *statein) { + stateout->ctx = malloc(PQC_SHA256CTX_BYTES); + if (stateout->ctx == NULL) { + exit(111); + } + memcpy(stateout->ctx, statein->ctx, PQC_SHA256CTX_BYTES); } -void sha256_inc_clone_state(sha256ctx *stateout, const sha256ctx *statein) { - memcpy(stateout, statein, sizeof(sha256ctx)); +void sha256_inc_ctx_clone(sha256ctx *stateout, const sha256ctx *statein) { + stateout->ctx = malloc(PQC_SHA256CTX_BYTES); + if (stateout->ctx == NULL) { + exit(111); + } + memcpy(stateout->ctx, statein->ctx, PQC_SHA256CTX_BYTES); } -void sha384_inc_clone_state(sha384ctx *stateout, const sha384ctx *statein) { - memcpy(stateout, statein, sizeof(sha384ctx)); +void sha384_inc_ctx_clone(sha384ctx *stateout, const sha384ctx *statein) { + stateout->ctx = malloc(PQC_SHA512CTX_BYTES); + if (stateout->ctx == NULL) { + exit(111); + } + memcpy(stateout->ctx, statein->ctx, PQC_SHA512CTX_BYTES); } -void sha512_inc_clone_state(sha512ctx *stateout, const sha512ctx *statein) { - memcpy(stateout, statein, sizeof(sha512ctx)); +void sha512_inc_ctx_clone(sha512ctx *stateout, const sha512ctx *statein) { + stateout->ctx = malloc(PQC_SHA512CTX_BYTES); + if (stateout->ctx == NULL) { + exit(111); + } + memcpy(stateout->ctx, statein->ctx, PQC_SHA512CTX_BYTES); } -/* Destroy the hash state. - * - * Because this implementation is stack-based, this is a no-op - */ -void sha224_inc_destroy(sha224ctx *state) { - (void)state; +/* Destroy the hash state. */ +void sha224_inc_ctx_release(sha224ctx *state) { + free(state->ctx); } -/* Destroy the hash state. - * - * Because this implementation is stack-based, this is a no-op - */ -void sha256_inc_destroy(sha256ctx *state) { - (void)state; +/* Destroy the hash state. */ +void sha256_inc_ctx_release(sha256ctx *state) { + free(state->ctx); } -/* Destroy the hash state. - * - * Because this implementation is stack-based, this is a no-op - */ -void sha384_inc_destroy(sha384ctx *state) { - (void)state; +/* Destroy the hash state. */ +void sha384_inc_ctx_release(sha384ctx *state) { + free(state->ctx); } -/* Destroy the hash state. - * - * Because this implementation is stack-based, this is a no-op - */ -void sha512_inc_destroy(sha512ctx *state) { - (void)state; +/* Destroy the hash state. */ +void sha512_inc_ctx_release(sha512ctx *state) { + free(state->ctx); } void sha256_inc_blocks(sha256ctx *state, const uint8_t *in, size_t inblocks) { @@ -648,13 +669,15 @@ void sha256_inc_finalize(uint8_t *out, sha256ctx *state, const uint8_t *in, size for (size_t i = 0; i < 32; ++i) { out[i] = state->ctx[i]; } + sha256_inc_ctx_release(state); } void sha224_inc_finalize(uint8_t *out, sha224ctx *state, const uint8_t *in, size_t inlen) { - sha256_inc_finalize(state->ctx, (sha256ctx*)state, in, inlen); + uint8_t tmp[32]; + sha256_inc_finalize(tmp, (sha256ctx*)state, in, inlen); for (size_t i = 0; i < 28; ++i) { - out[i] = state->ctx[i]; + out[i] = tmp[i]; } } @@ -705,13 +728,15 @@ void sha512_inc_finalize(uint8_t *out, sha512ctx *state, const uint8_t *in, size for (size_t i = 0; i < 64; ++i) { out[i] = state->ctx[i]; } + sha512_inc_ctx_release(state); } void sha384_inc_finalize(uint8_t *out, sha384ctx *state, const uint8_t *in, size_t inlen) { - sha512_inc_finalize(state->ctx, (sha512ctx*)state, in, inlen); + uint8_t tmp[64]; + sha512_inc_finalize(tmp, (sha512ctx*)state, in, inlen); for (size_t i = 0; i < 48; ++i) { - out[i] = state->ctx[i]; + out[i] = tmp[i]; } } diff --git a/common/sha2.h b/common/sha2.h index dc5874d6..02d17d88 100644 --- a/common/sha2.h +++ b/common/sha2.h @@ -8,36 +8,41 @@ must be exactly 64 bytes each. Use the 'finalize' functions for any remaining bytes (possibly over 64). */ +#define PQC_SHA256CTX_BYTES 40 /* Structure for the incremental API */ typedef struct { - uint8_t ctx[40]; + uint8_t *ctx; } sha224ctx; /* Structure for the incremental API */ typedef struct { - uint8_t ctx[40]; + uint8_t *ctx; } sha256ctx; +#define PQC_SHA512CTX_BYTES 72 /* Structure for the incremental API */ typedef struct { - uint8_t ctx[72]; + uint8_t *ctx; } sha384ctx; /* Structure for the incremental API */ typedef struct { - uint8_t ctx[72]; + uint8_t *ctx; } sha512ctx; /* ====== SHA224 API ==== */ + /** - * Initialize the incremental hashing API + * Initialize the incremental hashing API. + * + * Can't be called multiple times. */ void sha224_inc_init(sha224ctx *state); /** * Copy the hashing state */ -void sha224_inc_clone_state(sha224ctx *stateout, const sha224ctx *statein); +void sha224_inc_ctx_clone(sha224ctx *stateout, const sha224ctx *statein); /** * Absorb blocks @@ -48,13 +53,15 @@ void sha224_inc_blocks(sha224ctx *state, const uint8_t *in, size_t inblocks); * Finalize and obtain the digest * * If applicable, this function will free the memory associated with the sha224ctx. + * + * If not calling this function, call `sha224_inc_ctx_release` */ void sha224_inc_finalize(uint8_t *out, sha224ctx *state, const uint8_t *in, size_t inlen); /** * Destroy the state. Make sure to use this, as this API may not always be stack-based. */ -void sha224_inc_destroy(sha224ctx *state); +void sha224_inc_ctx_release(sha224ctx *state); /** * All-in-one sha224 function @@ -71,7 +78,7 @@ void sha256_inc_init(sha256ctx *state); /** * Copy the hashing state */ -void sha256_inc_clone_state(sha256ctx *stateout, const sha256ctx *statein); +void sha256_inc_ctx_clone(sha256ctx *stateout, const sha256ctx *statein); /** * Absorb blocks @@ -88,7 +95,7 @@ void sha256_inc_finalize(uint8_t *out, sha256ctx *state, const uint8_t *in, size /** * Destroy the state. Make sure to use this, as this API may not always be stack-based. */ -void sha256_inc_destroy(sha256ctx *state); +void sha256_inc_ctx_release(sha256ctx *state); /** * All-in-one sha256 function @@ -105,7 +112,7 @@ void sha384_inc_init(sha384ctx *state); /** * Copy the hashing state */ -void sha384_inc_clone_state(sha384ctx *stateout, const sha384ctx *statein); +void sha384_inc_ctx_clone(sha384ctx *stateout, const sha384ctx *statein); /** * Absorb blocks @@ -120,9 +127,9 @@ void sha384_inc_blocks(sha384ctx *state, const uint8_t *in, size_t inblocks); void sha384_inc_finalize(uint8_t *out, sha384ctx *state, const uint8_t *in, size_t inlen); /** - * Destroy the state. Make sure to use this, as this API may not always be stack-based. + * Destroy the state. Make sure to use this if not calling finalize, as this API may not always be stack-based. */ -void sha384_inc_destroy(sha384ctx *state); +void sha384_inc_ctx_release(sha384ctx *state); /** * All-in-one sha384 function @@ -140,7 +147,7 @@ void sha512_inc_init(sha512ctx *state); /** * Copy the hashing state */ -void sha512_inc_clone_state(sha512ctx *stateout, const sha512ctx *statein); +void sha512_inc_ctx_clone(sha512ctx *stateout, const sha512ctx *statein); /** * Absorb blocks @@ -155,9 +162,9 @@ void sha512_inc_blocks(sha512ctx *state, const uint8_t *in, size_t inblocks); void sha512_inc_finalize(uint8_t *out, sha512ctx *state, const uint8_t *in, size_t inlen); /** - * Destroy the state. Make sure to use this, as this API may not always be stack-based. + * Destroy the state. Make sure to use this if not calling finalize, as this API may not always be stack-based. */ -void sha512_inc_destroy(sha512ctx *state); +void sha512_inc_ctx_release(sha512ctx *state); /** * All-in-one sha512 function diff --git a/common/sp800-185.c b/common/sp800-185.c index b21e81fc..5eac7e62 100644 --- a/common/sp800-185.c +++ b/common/sp800-185.c @@ -53,6 +53,14 @@ void cshake128_inc_squeeze(uint8_t *output, size_t outlen, shake128incctx *state shake128_inc_squeeze(output, outlen, state); } +void cshake128_inc_ctx_release(shake128incctx *state) { + shake128_inc_ctx_release(state); +} + +void cshake128_inc_ctx_clone(shake128incctx *dest, const shake128incctx *src) { + shake128_inc_ctx_clone(dest, src); +} + void cshake256_inc_init(shake256incctx *state, const uint8_t *name, size_t namelen, const uint8_t *cstm, size_t cstmlen) { uint8_t encbuf[sizeof(size_t)+1]; @@ -87,6 +95,14 @@ void cshake256_inc_squeeze(uint8_t *output, size_t outlen, shake256incctx *state shake256_inc_squeeze(output, outlen, state); } +void cshake256_inc_ctx_release(shake256incctx *state) { + shake256_inc_ctx_release(state); +} + +void cshake256_inc_ctx_clone(shake256incctx *dest, const shake256incctx *src) { + shake256_inc_ctx_clone(dest, src); +} + /************************************************* * Name: cshake128 * @@ -110,6 +126,7 @@ void cshake128(uint8_t *output, size_t outlen, cshake128_inc_absorb(&state, input, inlen); cshake128_inc_finalize(&state); cshake128_inc_squeeze(output, outlen, &state); + cshake128_inc_ctx_release(&state); } /************************************************* @@ -135,4 +152,5 @@ void cshake256(uint8_t *output, size_t outlen, cshake256_inc_absorb(&state, input, inlen); cshake256_inc_finalize(&state); cshake256_inc_squeeze(output, outlen, &state); + cshake256_inc_ctx_release(&state); } diff --git a/common/sp800-185.h b/common/sp800-185.h index 06781523..117d142b 100644 --- a/common/sp800-185.h +++ b/common/sp800-185.h @@ -10,6 +10,8 @@ void cshake128_inc_init(shake128incctx *state, const uint8_t *name, size_t namel void cshake128_inc_absorb(shake128incctx *state, const uint8_t *input, size_t inlen); void cshake128_inc_finalize(shake128incctx *state); void cshake128_inc_squeeze(uint8_t *output, size_t outlen, shake128incctx *state); +void cshake128_inc_ctx_release(shake128incctx *state); +void cshake128_inc_ctx_clone(shake128incctx *dest, const shake128incctx *src); void cshake128(uint8_t *output, size_t outlen, const uint8_t *name, size_t namelen, const uint8_t *cstm, size_t cstmlen, const uint8_t *input, size_t inlen); @@ -17,6 +19,8 @@ void cshake256_inc_init(shake256incctx *state, const uint8_t *name, size_t namel void cshake256_inc_absorb(shake256incctx *state, const uint8_t *input, size_t inlen); void cshake256_inc_finalize(shake256incctx *state); void cshake256_inc_squeeze(uint8_t *output, size_t outlen, shake256incctx *state); +void cshake256_inc_ctx_release(shake256incctx *state); +void cshake256_inc_ctx_clone(shake256incctx *dest, const shake256incctx *src); void cshake256(uint8_t *output, size_t outlen, const uint8_t *name, size_t namelen, const uint8_t* cstm, size_t cstmlen, const uint8_t *input, size_t inlen); diff --git a/crypto_kem/babybear-ephem/clean/threebears.c b/crypto_kem/babybear-ephem/clean/threebears.c index 9ba84b8b..2c2b3796 100644 --- a/crypto_kem/babybear-ephem/clean/threebears.c +++ b/crypto_kem/babybear-ephem/clean/threebears.c @@ -38,6 +38,7 @@ static void uniform(gf_t matrix, const uint8_t *seed, uint8_t iv) { cshake256_inc_absorb(&ctx, &iv, 1); cshake256_inc_finalize(&ctx); cshake256_inc_squeeze(c, sizeof(c), &ctx); + cshake256_inc_ctx_release(&ctx); PQCLEAN_BABYBEAREPHEM_CLEAN_expand(matrix, c); } @@ -56,13 +57,14 @@ static void noise(gf_t x, const shake256incctx *ctx, uint8_t iv) { uint8_t c[DIGITS]; shake256incctx ctx2; - memcpy(&ctx2, ctx, sizeof(ctx2)); + cshake256_inc_ctx_clone(&ctx2, ctx); cshake256_inc_absorb(&ctx2, &iv, 1); cshake256_inc_finalize(&ctx2); cshake256_inc_squeeze(c, DIGITS, &ctx2); for (size_t i = 0; i < DIGITS; i++) { x[i] = (limb_t)(psi(c[i]) + PQCLEAN_BABYBEAREPHEM_CLEAN_modulus(i)); } + cshake256_inc_ctx_release(&ctx2); } /* Expand public key from private key */ @@ -74,9 +76,10 @@ void PQCLEAN_BABYBEAREPHEM_CLEAN_get_pubkey(uint8_t *pk, const uint8_t *sk) { threebears_hash_init(&ctx, HASH_PURPOSE_KEYGEN); cshake256_inc_absorb(&ctx, sk, PRIVATE_KEY_BYTES); - memcpy(&ctx2, &ctx, sizeof(ctx2)); + cshake256_inc_ctx_clone(&ctx2, &ctx); cshake256_inc_finalize(&ctx2); cshake256_inc_squeeze(pk, MATRIX_SEED_BYTES, &ctx2); + cshake256_inc_ctx_release(&ctx2); for (uint8_t i = 0; i < DIM; i++) { noise(sk_expanded[i], &ctx, i); @@ -89,6 +92,7 @@ void PQCLEAN_BABYBEAREPHEM_CLEAN_get_pubkey(uint8_t *pk, const uint8_t *sk) { } PQCLEAN_BABYBEAREPHEM_CLEAN_contract(&pk[MATRIX_SEED_BYTES + i * GF_BYTES], c); } + cshake256_inc_ctx_release(&ctx); } /* Encapsulate a shared secret and return it */ @@ -135,6 +139,8 @@ void PQCLEAN_BABYBEAREPHEM_CLEAN_encapsulate( cshake256_inc_finalize(&ctx); cshake256_inc_squeeze(tbi, ENC_SEED_BYTES, &ctx); + cshake256_inc_ctx_release(&ctx); + threebears_hash_init(&ctx, HASH_PURPOSE_ENCAPS); cshake256_inc_absorb(&ctx, pk, MATRIX_SEED_BYTES); cshake256_inc_absorb(&ctx, tbi, ENC_SEED_BYTES); @@ -152,6 +158,7 @@ void PQCLEAN_BABYBEAREPHEM_CLEAN_encapsulate( cshake256_inc_finalize(&ctx); cshake256_inc_squeeze(shared_secret, SHARED_SECRET_BYTES, &ctx); + cshake256_inc_ctx_release(&ctx); } /* Decapsulate a shared secret and return it */ @@ -199,6 +206,7 @@ void PQCLEAN_BABYBEAREPHEM_CLEAN_decapsulate( /* Recalculate matrix seed */ cshake256_inc_finalize(&ctx); cshake256_inc_squeeze(matrix_seed, MATRIX_SEED_BYTES, &ctx); + cshake256_inc_ctx_release(&ctx); /* Re-run the key derivation from encaps */ threebears_hash_init(&ctx, HASH_PURPOSE_ENCAPS); @@ -207,4 +215,5 @@ void PQCLEAN_BABYBEAREPHEM_CLEAN_decapsulate( cshake256_inc_absorb(&ctx, &lpr_data[(ENC_BITS * LPR_BITS + 7) / 8], IV_BYTES); cshake256_inc_finalize(&ctx); cshake256_inc_squeeze(shared_secret, SHARED_SECRET_BYTES, &ctx); + cshake256_inc_ctx_release(&ctx); } diff --git a/crypto_kem/babybear/clean/threebears.c b/crypto_kem/babybear/clean/threebears.c index b6d886b7..70fa05e0 100644 --- a/crypto_kem/babybear/clean/threebears.c +++ b/crypto_kem/babybear/clean/threebears.c @@ -38,6 +38,7 @@ static void uniform(gf_t matrix, const uint8_t *seed, uint8_t iv) { cshake256_inc_absorb(&ctx, &iv, 1); cshake256_inc_finalize(&ctx); cshake256_inc_squeeze(c, sizeof(c), &ctx); + cshake256_inc_ctx_release(&ctx); PQCLEAN_BABYBEAR_CLEAN_expand(matrix, c); } @@ -56,13 +57,14 @@ static void noise(gf_t x, const shake256incctx *ctx, uint8_t iv) { uint8_t c[DIGITS]; shake256incctx ctx2; - memcpy(&ctx2, ctx, sizeof(ctx2)); + cshake256_inc_ctx_clone(&ctx2, ctx); cshake256_inc_absorb(&ctx2, &iv, 1); cshake256_inc_finalize(&ctx2); cshake256_inc_squeeze(c, DIGITS, &ctx2); for (size_t i = 0; i < DIGITS; i++) { x[i] = (limb_t)(psi(c[i]) + PQCLEAN_BABYBEAR_CLEAN_modulus(i)); } + cshake256_inc_ctx_release(&ctx2); } /* Expand public key from private key */ @@ -74,9 +76,10 @@ void PQCLEAN_BABYBEAR_CLEAN_get_pubkey(uint8_t *pk, const uint8_t *sk) { threebears_hash_init(&ctx, HASH_PURPOSE_KEYGEN); cshake256_inc_absorb(&ctx, sk, PRIVATE_KEY_BYTES); - memcpy(&ctx2, &ctx, sizeof(ctx2)); + cshake256_inc_ctx_clone(&ctx2, &ctx); cshake256_inc_finalize(&ctx2); cshake256_inc_squeeze(pk, MATRIX_SEED_BYTES, &ctx2); + cshake256_inc_ctx_release(&ctx2); for (uint8_t i = 0; i < DIM; i++) { noise(sk_expanded[i], &ctx, i); @@ -89,6 +92,7 @@ void PQCLEAN_BABYBEAR_CLEAN_get_pubkey(uint8_t *pk, const uint8_t *sk) { } PQCLEAN_BABYBEAR_CLEAN_contract(&pk[MATRIX_SEED_BYTES + i * GF_BYTES], c); } + cshake256_inc_ctx_release(&ctx); } /* Encapsulate a shared secret and return it */ @@ -147,6 +151,7 @@ void PQCLEAN_BABYBEAR_CLEAN_encapsulate( cshake256_inc_finalize(&ctx); cshake256_inc_squeeze(shared_secret, SHARED_SECRET_BYTES, &ctx); + cshake256_inc_ctx_release(&ctx); } /* Decapsulate a shared secret and return it */ @@ -210,6 +215,7 @@ void PQCLEAN_BABYBEAR_CLEAN_decapsulate( cshake256_inc_absorb(&ctx, &sep, 1); cshake256_inc_finalize(&ctx); cshake256_inc_squeeze(prfk, PRF_KEY_BYTES, &ctx); + cshake256_inc_ctx_release(&ctx); /* Calculate PRF */ threebears_hash_init(&ctx, HASH_PURPOSE_PRF); @@ -217,6 +223,7 @@ void PQCLEAN_BABYBEAR_CLEAN_decapsulate( cshake256_inc_absorb(&ctx, capsule, CAPSULE_BYTES); cshake256_inc_finalize(&ctx); cshake256_inc_squeeze(prfout, SHARED_SECRET_BYTES, &ctx); + cshake256_inc_ctx_release(&ctx); for (size_t i = 0; i < SHARED_SECRET_BYTES; i++) { shared_secret[i] = (uint8_t)((shared_secret[i] & ok) | (prfout[i] & ~ok)); diff --git a/crypto_kem/kyber1024-90s/avx2/aes256ctr.c b/crypto_kem/kyber1024-90s/avx2/aes256ctr.c index 5f69a4bc..b7dbd90d 100644 --- a/crypto_kem/kyber1024-90s/avx2/aes256ctr.c +++ b/crypto_kem/kyber1024-90s/avx2/aes256ctr.c @@ -174,4 +174,3 @@ void PQCLEAN_KYBER102490S_AVX2_aes256ctr_prf(uint8_t *out, } } } - diff --git a/crypto_kem/kyber1024-90s/avx2/symmetric.h b/crypto_kem/kyber1024-90s/avx2/symmetric.h index b2a47537..4ee7b202 100644 --- a/crypto_kem/kyber1024-90s/avx2/symmetric.h +++ b/crypto_kem/kyber1024-90s/avx2/symmetric.h @@ -11,6 +11,7 @@ #define hash_g(OUT, IN, INBYTES) sha512((OUT), (IN), (INBYTES)) #define xof_absorb(STATE, IN, X, Y) PQCLEAN_KYBER102490S_AVX2_aes256ctr_init((STATE), (IN), (Y) + ((uint16_t)(X) << 8)) #define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) PQCLEAN_KYBER102490S_AVX2_aes256ctr_squeezeblocks((OUT), (OUTBLOCKS), (STATE)) +#define xof_ctx_release(STATE) #define prf(OUT, OUTBYTES, KEY, NONCE) PQCLEAN_KYBER102490S_AVX2_aes256ctr_prf((OUT), (OUTBYTES), (KEY), (NONCE)) #define kdf(OUT, IN, INBYTES) sha256((OUT), (IN), (INBYTES)) diff --git a/crypto_kem/kyber1024-90s/clean/aes256ctr.c b/crypto_kem/kyber1024-90s/clean/aes256ctr.c index 2af282ae..1e81589d 100644 --- a/crypto_kem/kyber1024-90s/clean/aes256ctr.c +++ b/crypto_kem/kyber1024-90s/clean/aes256ctr.c @@ -93,3 +93,8 @@ void PQCLEAN_KYBER102490S_CLEAN_aes256xof_squeezeblocks(uint8_t *out, size_t nbl aes256_ctr_xof(out, nblocks * 64, s->iv, s->ctr, &s->sk_exp); s->ctr += (uint32_t) (4 * nblocks); } + +/** Free the AES ctx **/ +void PQCLEAN_KYBER102490S_CLEAN_aes256xof_ctx_release(aes256xof_ctx *s) { + aes256_ctx_release(&s->sk_exp); +} diff --git a/crypto_kem/kyber1024-90s/clean/aes256ctr.h b/crypto_kem/kyber1024-90s/clean/aes256ctr.h index efc9675c..bc2d7483 100644 --- a/crypto_kem/kyber1024-90s/clean/aes256ctr.h +++ b/crypto_kem/kyber1024-90s/clean/aes256ctr.h @@ -15,5 +15,6 @@ typedef struct { void PQCLEAN_KYBER102490S_CLEAN_aes256_prf(uint8_t *output, size_t outlen, const uint8_t *key, uint8_t nonce); void PQCLEAN_KYBER102490S_CLEAN_aes256xof_absorb(aes256xof_ctx *s, const uint8_t *key, uint8_t x, uint8_t y); void PQCLEAN_KYBER102490S_CLEAN_aes256xof_squeezeblocks(uint8_t *out, size_t nblocks, aes256xof_ctx *s); +void PQCLEAN_KYBER102490S_CLEAN_aes256xof_ctx_release(aes256xof_ctx *s); #endif diff --git a/crypto_kem/kyber1024-90s/clean/indcpa.c b/crypto_kem/kyber1024-90s/clean/indcpa.c index 1cb5a326..3092c6a5 100644 --- a/crypto_kem/kyber1024-90s/clean/indcpa.c +++ b/crypto_kem/kyber1024-90s/clean/indcpa.c @@ -169,6 +169,7 @@ static void gen_matrix(polyvec *a, const uint8_t *seed, int transposed) { } } } + xof_ctx_release(&state); } /************************************************* diff --git a/crypto_kem/kyber1024-90s/clean/symmetric.h b/crypto_kem/kyber1024-90s/clean/symmetric.h index 57eb91dd..df1faa56 100644 --- a/crypto_kem/kyber1024-90s/clean/symmetric.h +++ b/crypto_kem/kyber1024-90s/clean/symmetric.h @@ -11,6 +11,7 @@ #define hash_g(OUT, IN, INBYTES) sha512(OUT, IN, INBYTES) #define xof_absorb(STATE, IN, X, Y) PQCLEAN_KYBER102490S_CLEAN_aes256xof_absorb(STATE, IN, X, Y) #define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) PQCLEAN_KYBER102490S_CLEAN_aes256xof_squeezeblocks(OUT, OUTBLOCKS, STATE) +#define xof_ctx_release(STATE) PQCLEAN_KYBER102490S_CLEAN_aes256xof_ctx_release(STATE) #define prf(OUT, OUTBYTES, KEY, NONCE) PQCLEAN_KYBER102490S_CLEAN_aes256_prf(OUT, OUTBYTES, KEY, NONCE) #define kdf(OUT, IN, INBYTES) sha256(OUT, IN, INBYTES) diff --git a/crypto_kem/kyber1024/avx2/symmetric.h b/crypto_kem/kyber1024/avx2/symmetric.h index a89d9b26..efc88d7c 100644 --- a/crypto_kem/kyber1024/avx2/symmetric.h +++ b/crypto_kem/kyber1024/avx2/symmetric.h @@ -17,6 +17,7 @@ void PQCLEAN_KYBER1024_AVX2_shake256_prf(uint8_t *output, size_t outlen, const u #define hash_g(OUT, IN, INBYTES) sha3_512(OUT, IN, INBYTES) #define xof_absorb(STATE, IN, X, Y) PQCLEAN_KYBER1024_AVX2_kyber_shake128_absorb(STATE, IN, X, Y) #define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) shake128_squeezeblocks(OUT, OUTBLOCKS, STATE) +#define xof_ctx_release(STATE) #define prf(OUT, OUTBYTES, KEY, NONCE) PQCLEAN_KYBER1024_AVX2_shake256_prf(OUT, OUTBYTES, KEY, NONCE) #define kdf(OUT, IN, INBYTES) shake256(OUT, KYBER_SSBYTES, IN, INBYTES) diff --git a/crypto_kem/kyber1024/clean/indcpa.c b/crypto_kem/kyber1024/clean/indcpa.c index 755463bd..e8bfa1c0 100644 --- a/crypto_kem/kyber1024/clean/indcpa.c +++ b/crypto_kem/kyber1024/clean/indcpa.c @@ -169,6 +169,7 @@ static void gen_matrix(polyvec *a, const uint8_t *seed, int transposed) { } } } + xof_ctx_release(&state); } /************************************************* diff --git a/crypto_kem/kyber1024/clean/symmetric.h b/crypto_kem/kyber1024/clean/symmetric.h index f4031824..ae5c7c99 100644 --- a/crypto_kem/kyber1024/clean/symmetric.h +++ b/crypto_kem/kyber1024/clean/symmetric.h @@ -18,6 +18,7 @@ void PQCLEAN_KYBER1024_CLEAN_shake256_prf(uint8_t *output, size_t outlen, const #define hash_g(OUT, IN, INBYTES) sha3_512(OUT, IN, INBYTES) #define xof_absorb(STATE, IN, X, Y) PQCLEAN_KYBER1024_CLEAN_kyber_shake128_absorb(STATE, IN, X, Y) #define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) PQCLEAN_KYBER1024_CLEAN_kyber_shake128_squeezeblocks(OUT, OUTBLOCKS, STATE) +#define xof_ctx_release(STATE) #define prf(OUT, OUTBYTES, KEY, NONCE) PQCLEAN_KYBER1024_CLEAN_shake256_prf(OUT, OUTBYTES, KEY, NONCE) #define kdf(OUT, IN, INBYTES) shake256(OUT, KYBER_SSBYTES, IN, INBYTES) diff --git a/crypto_kem/kyber512-90s/avx2/aes256ctr.c b/crypto_kem/kyber512-90s/avx2/aes256ctr.c index 768c6ec1..1a8128e4 100644 --- a/crypto_kem/kyber512-90s/avx2/aes256ctr.c +++ b/crypto_kem/kyber512-90s/avx2/aes256ctr.c @@ -174,4 +174,3 @@ void PQCLEAN_KYBER51290S_AVX2_aes256ctr_prf(uint8_t *out, } } } - diff --git a/crypto_kem/kyber512-90s/avx2/symmetric.h b/crypto_kem/kyber512-90s/avx2/symmetric.h index f6ac29a8..144c3c00 100644 --- a/crypto_kem/kyber512-90s/avx2/symmetric.h +++ b/crypto_kem/kyber512-90s/avx2/symmetric.h @@ -11,6 +11,7 @@ #define hash_g(OUT, IN, INBYTES) sha512((OUT), (IN), (INBYTES)) #define xof_absorb(STATE, IN, X, Y) PQCLEAN_KYBER51290S_AVX2_aes256ctr_init((STATE), (IN), (Y) + ((uint16_t)(X) << 8)) #define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) PQCLEAN_KYBER51290S_AVX2_aes256ctr_squeezeblocks((OUT), (OUTBLOCKS), (STATE)) +#define xof_ctx_release(STATE) #define prf(OUT, OUTBYTES, KEY, NONCE) PQCLEAN_KYBER51290S_AVX2_aes256ctr_prf((OUT), (OUTBYTES), (KEY), (NONCE)) #define kdf(OUT, IN, INBYTES) sha256((OUT), (IN), (INBYTES)) diff --git a/crypto_kem/kyber512-90s/clean/aes256ctr.c b/crypto_kem/kyber512-90s/clean/aes256ctr.c index fcf2af5c..7d536f30 100644 --- a/crypto_kem/kyber512-90s/clean/aes256ctr.c +++ b/crypto_kem/kyber512-90s/clean/aes256ctr.c @@ -93,3 +93,8 @@ void PQCLEAN_KYBER51290S_CLEAN_aes256xof_squeezeblocks(uint8_t *out, size_t nblo aes256_ctr_xof(out, nblocks * 64, s->iv, s->ctr, &s->sk_exp); s->ctr += (uint32_t) (4 * nblocks); } + +/** Free the AES ctx **/ +void PQCLEAN_KYBER51290S_CLEAN_aes256xof_ctx_release(aes256xof_ctx *s) { + aes256_ctx_release(&s->sk_exp); +} diff --git a/crypto_kem/kyber512-90s/clean/aes256ctr.h b/crypto_kem/kyber512-90s/clean/aes256ctr.h index 98279b0b..3efa2567 100644 --- a/crypto_kem/kyber512-90s/clean/aes256ctr.h +++ b/crypto_kem/kyber512-90s/clean/aes256ctr.h @@ -15,5 +15,6 @@ typedef struct { void PQCLEAN_KYBER51290S_CLEAN_aes256_prf(uint8_t *output, size_t outlen, const uint8_t *key, uint8_t nonce); void PQCLEAN_KYBER51290S_CLEAN_aes256xof_absorb(aes256xof_ctx *s, const uint8_t *key, uint8_t x, uint8_t y); void PQCLEAN_KYBER51290S_CLEAN_aes256xof_squeezeblocks(uint8_t *out, size_t nblocks, aes256xof_ctx *s); +void PQCLEAN_KYBER51290S_CLEAN_aes256xof_ctx_release(aes256xof_ctx *s); #endif diff --git a/crypto_kem/kyber512-90s/clean/indcpa.c b/crypto_kem/kyber512-90s/clean/indcpa.c index 6e031f04..72cd842b 100644 --- a/crypto_kem/kyber512-90s/clean/indcpa.c +++ b/crypto_kem/kyber512-90s/clean/indcpa.c @@ -169,6 +169,7 @@ static void gen_matrix(polyvec *a, const uint8_t *seed, int transposed) { } } } + xof_ctx_release(&state); } /************************************************* diff --git a/crypto_kem/kyber512-90s/clean/symmetric.h b/crypto_kem/kyber512-90s/clean/symmetric.h index 537da9be..e1bc2743 100644 --- a/crypto_kem/kyber512-90s/clean/symmetric.h +++ b/crypto_kem/kyber512-90s/clean/symmetric.h @@ -11,6 +11,7 @@ #define hash_g(OUT, IN, INBYTES) sha512(OUT, IN, INBYTES) #define xof_absorb(STATE, IN, X, Y) PQCLEAN_KYBER51290S_CLEAN_aes256xof_absorb(STATE, IN, X, Y) #define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) PQCLEAN_KYBER51290S_CLEAN_aes256xof_squeezeblocks(OUT, OUTBLOCKS, STATE) +#define xof_ctx_release(STATE) PQCLEAN_KYBER51290S_CLEAN_aes256xof_ctx_release(STATE) #define prf(OUT, OUTBYTES, KEY, NONCE) PQCLEAN_KYBER51290S_CLEAN_aes256_prf(OUT, OUTBYTES, KEY, NONCE) #define kdf(OUT, IN, INBYTES) sha256(OUT, IN, INBYTES) diff --git a/crypto_kem/kyber512/avx2/symmetric.h b/crypto_kem/kyber512/avx2/symmetric.h index 9d350cc8..d7f636f3 100644 --- a/crypto_kem/kyber512/avx2/symmetric.h +++ b/crypto_kem/kyber512/avx2/symmetric.h @@ -17,6 +17,7 @@ void PQCLEAN_KYBER512_AVX2_shake256_prf(uint8_t *output, size_t outlen, const ui #define hash_g(OUT, IN, INBYTES) sha3_512(OUT, IN, INBYTES) #define xof_absorb(STATE, IN, X, Y) PQCLEAN_KYBER512_AVX2_kyber_shake128_absorb(STATE, IN, X, Y) #define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) shake128_squeezeblocks(OUT, OUTBLOCKS, STATE) +#define xof_ctx_release(STATE) #define prf(OUT, OUTBYTES, KEY, NONCE) PQCLEAN_KYBER512_AVX2_shake256_prf(OUT, OUTBYTES, KEY, NONCE) #define kdf(OUT, IN, INBYTES) shake256(OUT, KYBER_SSBYTES, IN, INBYTES) diff --git a/crypto_kem/kyber512/clean/indcpa.c b/crypto_kem/kyber512/clean/indcpa.c index 7b6d40bc..41db35be 100644 --- a/crypto_kem/kyber512/clean/indcpa.c +++ b/crypto_kem/kyber512/clean/indcpa.c @@ -169,6 +169,7 @@ static void gen_matrix(polyvec *a, const uint8_t *seed, int transposed) { } } } + xof_ctx_release(&state); } /************************************************* diff --git a/crypto_kem/kyber512/clean/symmetric.h b/crypto_kem/kyber512/clean/symmetric.h index a49b5c02..8b58c0c3 100644 --- a/crypto_kem/kyber512/clean/symmetric.h +++ b/crypto_kem/kyber512/clean/symmetric.h @@ -18,6 +18,7 @@ void PQCLEAN_KYBER512_CLEAN_shake256_prf(uint8_t *output, size_t outlen, const u #define hash_g(OUT, IN, INBYTES) sha3_512(OUT, IN, INBYTES) #define xof_absorb(STATE, IN, X, Y) PQCLEAN_KYBER512_CLEAN_kyber_shake128_absorb(STATE, IN, X, Y) #define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) PQCLEAN_KYBER512_CLEAN_kyber_shake128_squeezeblocks(OUT, OUTBLOCKS, STATE) +#define xof_ctx_release(STATE) #define prf(OUT, OUTBYTES, KEY, NONCE) PQCLEAN_KYBER512_CLEAN_shake256_prf(OUT, OUTBYTES, KEY, NONCE) #define kdf(OUT, IN, INBYTES) shake256(OUT, KYBER_SSBYTES, IN, INBYTES) diff --git a/crypto_kem/kyber768-90s/avx2/aes256ctr.c b/crypto_kem/kyber768-90s/avx2/aes256ctr.c index d44e5b76..7a2d3a15 100644 --- a/crypto_kem/kyber768-90s/avx2/aes256ctr.c +++ b/crypto_kem/kyber768-90s/avx2/aes256ctr.c @@ -174,4 +174,3 @@ void PQCLEAN_KYBER76890S_AVX2_aes256ctr_prf(uint8_t *out, } } } - diff --git a/crypto_kem/kyber768-90s/avx2/symmetric.h b/crypto_kem/kyber768-90s/avx2/symmetric.h index 0483e559..f1247c36 100644 --- a/crypto_kem/kyber768-90s/avx2/symmetric.h +++ b/crypto_kem/kyber768-90s/avx2/symmetric.h @@ -11,6 +11,7 @@ #define hash_g(OUT, IN, INBYTES) sha512((OUT), (IN), (INBYTES)) #define xof_absorb(STATE, IN, X, Y) PQCLEAN_KYBER76890S_AVX2_aes256ctr_init((STATE), (IN), (Y) + ((uint16_t)(X) << 8)) #define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) PQCLEAN_KYBER76890S_AVX2_aes256ctr_squeezeblocks((OUT), (OUTBLOCKS), (STATE)) +#define xof_ctx_release(STATE) #define prf(OUT, OUTBYTES, KEY, NONCE) PQCLEAN_KYBER76890S_AVX2_aes256ctr_prf((OUT), (OUTBYTES), (KEY), (NONCE)) #define kdf(OUT, IN, INBYTES) sha256((OUT), (IN), (INBYTES)) diff --git a/crypto_kem/kyber768-90s/clean/aes256ctr.c b/crypto_kem/kyber768-90s/clean/aes256ctr.c index 555da919..950ab45b 100644 --- a/crypto_kem/kyber768-90s/clean/aes256ctr.c +++ b/crypto_kem/kyber768-90s/clean/aes256ctr.c @@ -93,3 +93,8 @@ void PQCLEAN_KYBER76890S_CLEAN_aes256xof_squeezeblocks(uint8_t *out, size_t nblo aes256_ctr_xof(out, nblocks * 64, s->iv, s->ctr, &s->sk_exp); s->ctr += (uint32_t) (4 * nblocks); } + +/** Free the AES ctx **/ +void PQCLEAN_KYBER76890S_CLEAN_aes256xof_ctx_release(aes256xof_ctx *s) { + aes256_ctx_release(&s->sk_exp); +} diff --git a/crypto_kem/kyber768-90s/clean/aes256ctr.h b/crypto_kem/kyber768-90s/clean/aes256ctr.h index feb50ea1..35facbeb 100644 --- a/crypto_kem/kyber768-90s/clean/aes256ctr.h +++ b/crypto_kem/kyber768-90s/clean/aes256ctr.h @@ -15,5 +15,6 @@ typedef struct { void PQCLEAN_KYBER76890S_CLEAN_aes256_prf(uint8_t *output, size_t outlen, const uint8_t *key, uint8_t nonce); void PQCLEAN_KYBER76890S_CLEAN_aes256xof_absorb(aes256xof_ctx *s, const uint8_t *key, uint8_t x, uint8_t y); void PQCLEAN_KYBER76890S_CLEAN_aes256xof_squeezeblocks(uint8_t *out, size_t nblocks, aes256xof_ctx *s); +void PQCLEAN_KYBER76890S_CLEAN_aes256xof_ctx_release(aes256xof_ctx *s); #endif diff --git a/crypto_kem/kyber768-90s/clean/indcpa.c b/crypto_kem/kyber768-90s/clean/indcpa.c index 517a1265..babde479 100644 --- a/crypto_kem/kyber768-90s/clean/indcpa.c +++ b/crypto_kem/kyber768-90s/clean/indcpa.c @@ -169,6 +169,7 @@ static void gen_matrix(polyvec *a, const uint8_t *seed, int transposed) { } } } + xof_ctx_release(&state); } /************************************************* diff --git a/crypto_kem/kyber768-90s/clean/symmetric.h b/crypto_kem/kyber768-90s/clean/symmetric.h index 29c68a9f..681ea3d7 100644 --- a/crypto_kem/kyber768-90s/clean/symmetric.h +++ b/crypto_kem/kyber768-90s/clean/symmetric.h @@ -11,6 +11,7 @@ #define hash_g(OUT, IN, INBYTES) sha512(OUT, IN, INBYTES) #define xof_absorb(STATE, IN, X, Y) PQCLEAN_KYBER76890S_CLEAN_aes256xof_absorb(STATE, IN, X, Y) #define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) PQCLEAN_KYBER76890S_CLEAN_aes256xof_squeezeblocks(OUT, OUTBLOCKS, STATE) +#define xof_ctx_release(STATE) PQCLEAN_KYBER76890S_CLEAN_aes256xof_ctx_release(STATE) #define prf(OUT, OUTBYTES, KEY, NONCE) PQCLEAN_KYBER76890S_CLEAN_aes256_prf(OUT, OUTBYTES, KEY, NONCE) #define kdf(OUT, IN, INBYTES) sha256(OUT, IN, INBYTES) diff --git a/crypto_kem/kyber768/avx2/symmetric.h b/crypto_kem/kyber768/avx2/symmetric.h index c98886aa..694457e2 100644 --- a/crypto_kem/kyber768/avx2/symmetric.h +++ b/crypto_kem/kyber768/avx2/symmetric.h @@ -17,6 +17,7 @@ void PQCLEAN_KYBER768_AVX2_shake256_prf(uint8_t *output, size_t outlen, const ui #define hash_g(OUT, IN, INBYTES) sha3_512(OUT, IN, INBYTES) #define xof_absorb(STATE, IN, X, Y) PQCLEAN_KYBER768_AVX2_kyber_shake128_absorb(STATE, IN, X, Y) #define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) shake128_squeezeblocks(OUT, OUTBLOCKS, STATE) +#define xof_ctx_release(STATE) #define prf(OUT, OUTBYTES, KEY, NONCE) PQCLEAN_KYBER768_AVX2_shake256_prf(OUT, OUTBYTES, KEY, NONCE) #define kdf(OUT, IN, INBYTES) shake256(OUT, KYBER_SSBYTES, IN, INBYTES) diff --git a/crypto_kem/kyber768/clean/indcpa.c b/crypto_kem/kyber768/clean/indcpa.c index 723fafd9..776f233b 100644 --- a/crypto_kem/kyber768/clean/indcpa.c +++ b/crypto_kem/kyber768/clean/indcpa.c @@ -169,6 +169,7 @@ static void gen_matrix(polyvec *a, const uint8_t *seed, int transposed) { } } } + xof_ctx_release(&state); } /************************************************* diff --git a/crypto_kem/kyber768/clean/symmetric.h b/crypto_kem/kyber768/clean/symmetric.h index a31f00b0..cd688df9 100644 --- a/crypto_kem/kyber768/clean/symmetric.h +++ b/crypto_kem/kyber768/clean/symmetric.h @@ -18,6 +18,7 @@ void PQCLEAN_KYBER768_CLEAN_shake256_prf(uint8_t *output, size_t outlen, const u #define hash_g(OUT, IN, INBYTES) sha3_512(OUT, IN, INBYTES) #define xof_absorb(STATE, IN, X, Y) PQCLEAN_KYBER768_CLEAN_kyber_shake128_absorb(STATE, IN, X, Y) #define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) PQCLEAN_KYBER768_CLEAN_kyber_shake128_squeezeblocks(OUT, OUTBLOCKS, STATE) +#define xof_ctx_release(STATE) #define prf(OUT, OUTBYTES, KEY, NONCE) PQCLEAN_KYBER768_CLEAN_shake256_prf(OUT, OUTBYTES, KEY, NONCE) #define kdf(OUT, IN, INBYTES) shake256(OUT, KYBER_SSBYTES, IN, INBYTES) diff --git a/crypto_kem/mamabear-ephem/clean/threebears.c b/crypto_kem/mamabear-ephem/clean/threebears.c index 12580fbe..c343ebe7 100644 --- a/crypto_kem/mamabear-ephem/clean/threebears.c +++ b/crypto_kem/mamabear-ephem/clean/threebears.c @@ -38,6 +38,7 @@ static void uniform(gf_t matrix, const uint8_t *seed, uint8_t iv) { cshake256_inc_absorb(&ctx, &iv, 1); cshake256_inc_finalize(&ctx); cshake256_inc_squeeze(c, sizeof(c), &ctx); + cshake256_inc_ctx_release(&ctx); PQCLEAN_MAMABEAREPHEM_CLEAN_expand(matrix, c); } @@ -56,13 +57,14 @@ static void noise(gf_t x, const shake256incctx *ctx, uint8_t iv) { uint8_t c[DIGITS]; shake256incctx ctx2; - memcpy(&ctx2, ctx, sizeof(ctx2)); + cshake256_inc_ctx_clone(&ctx2, ctx); cshake256_inc_absorb(&ctx2, &iv, 1); cshake256_inc_finalize(&ctx2); cshake256_inc_squeeze(c, DIGITS, &ctx2); for (size_t i = 0; i < DIGITS; i++) { x[i] = (limb_t)(psi(c[i]) + PQCLEAN_MAMABEAREPHEM_CLEAN_modulus(i)); } + cshake256_inc_ctx_release(&ctx2); } /* Expand public key from private key */ @@ -74,9 +76,10 @@ void PQCLEAN_MAMABEAREPHEM_CLEAN_get_pubkey(uint8_t *pk, const uint8_t *sk) { threebears_hash_init(&ctx, HASH_PURPOSE_KEYGEN); cshake256_inc_absorb(&ctx, sk, PRIVATE_KEY_BYTES); - memcpy(&ctx2, &ctx, sizeof(ctx2)); + cshake256_inc_ctx_clone(&ctx2, &ctx); cshake256_inc_finalize(&ctx2); cshake256_inc_squeeze(pk, MATRIX_SEED_BYTES, &ctx2); + cshake256_inc_ctx_release(&ctx2); for (uint8_t i = 0; i < DIM; i++) { noise(sk_expanded[i], &ctx, i); @@ -89,6 +92,7 @@ void PQCLEAN_MAMABEAREPHEM_CLEAN_get_pubkey(uint8_t *pk, const uint8_t *sk) { } PQCLEAN_MAMABEAREPHEM_CLEAN_contract(&pk[MATRIX_SEED_BYTES + i * GF_BYTES], c); } + cshake256_inc_ctx_release(&ctx); } /* Encapsulate a shared secret and return it */ @@ -135,6 +139,8 @@ void PQCLEAN_MAMABEAREPHEM_CLEAN_encapsulate( cshake256_inc_finalize(&ctx); cshake256_inc_squeeze(tbi, ENC_SEED_BYTES, &ctx); + cshake256_inc_ctx_release(&ctx); + threebears_hash_init(&ctx, HASH_PURPOSE_ENCAPS); cshake256_inc_absorb(&ctx, pk, MATRIX_SEED_BYTES); cshake256_inc_absorb(&ctx, tbi, ENC_SEED_BYTES); @@ -152,6 +158,7 @@ void PQCLEAN_MAMABEAREPHEM_CLEAN_encapsulate( cshake256_inc_finalize(&ctx); cshake256_inc_squeeze(shared_secret, SHARED_SECRET_BYTES, &ctx); + cshake256_inc_ctx_release(&ctx); } /* Decapsulate a shared secret and return it */ @@ -199,6 +206,7 @@ void PQCLEAN_MAMABEAREPHEM_CLEAN_decapsulate( /* Recalculate matrix seed */ cshake256_inc_finalize(&ctx); cshake256_inc_squeeze(matrix_seed, MATRIX_SEED_BYTES, &ctx); + cshake256_inc_ctx_release(&ctx); /* Re-run the key derivation from encaps */ threebears_hash_init(&ctx, HASH_PURPOSE_ENCAPS); @@ -207,4 +215,5 @@ void PQCLEAN_MAMABEAREPHEM_CLEAN_decapsulate( cshake256_inc_absorb(&ctx, &lpr_data[(ENC_BITS * LPR_BITS + 7) / 8], IV_BYTES); cshake256_inc_finalize(&ctx); cshake256_inc_squeeze(shared_secret, SHARED_SECRET_BYTES, &ctx); + cshake256_inc_ctx_release(&ctx); } diff --git a/crypto_kem/mamabear/clean/threebears.c b/crypto_kem/mamabear/clean/threebears.c index f3864de8..5636d79d 100644 --- a/crypto_kem/mamabear/clean/threebears.c +++ b/crypto_kem/mamabear/clean/threebears.c @@ -38,6 +38,7 @@ static void uniform(gf_t matrix, const uint8_t *seed, uint8_t iv) { cshake256_inc_absorb(&ctx, &iv, 1); cshake256_inc_finalize(&ctx); cshake256_inc_squeeze(c, sizeof(c), &ctx); + cshake256_inc_ctx_release(&ctx); PQCLEAN_MAMABEAR_CLEAN_expand(matrix, c); } @@ -56,13 +57,14 @@ static void noise(gf_t x, const shake256incctx *ctx, uint8_t iv) { uint8_t c[DIGITS]; shake256incctx ctx2; - memcpy(&ctx2, ctx, sizeof(ctx2)); + cshake256_inc_ctx_clone(&ctx2, ctx); cshake256_inc_absorb(&ctx2, &iv, 1); cshake256_inc_finalize(&ctx2); cshake256_inc_squeeze(c, DIGITS, &ctx2); for (size_t i = 0; i < DIGITS; i++) { x[i] = (limb_t)(psi(c[i]) + PQCLEAN_MAMABEAR_CLEAN_modulus(i)); } + cshake256_inc_ctx_release(&ctx2); } /* Expand public key from private key */ @@ -74,9 +76,10 @@ void PQCLEAN_MAMABEAR_CLEAN_get_pubkey(uint8_t *pk, const uint8_t *sk) { threebears_hash_init(&ctx, HASH_PURPOSE_KEYGEN); cshake256_inc_absorb(&ctx, sk, PRIVATE_KEY_BYTES); - memcpy(&ctx2, &ctx, sizeof(ctx2)); + cshake256_inc_ctx_clone(&ctx2, &ctx); cshake256_inc_finalize(&ctx2); cshake256_inc_squeeze(pk, MATRIX_SEED_BYTES, &ctx2); + cshake256_inc_ctx_release(&ctx2); for (uint8_t i = 0; i < DIM; i++) { noise(sk_expanded[i], &ctx, i); @@ -89,6 +92,7 @@ void PQCLEAN_MAMABEAR_CLEAN_get_pubkey(uint8_t *pk, const uint8_t *sk) { } PQCLEAN_MAMABEAR_CLEAN_contract(&pk[MATRIX_SEED_BYTES + i * GF_BYTES], c); } + cshake256_inc_ctx_release(&ctx); } /* Encapsulate a shared secret and return it */ @@ -147,6 +151,7 @@ void PQCLEAN_MAMABEAR_CLEAN_encapsulate( cshake256_inc_finalize(&ctx); cshake256_inc_squeeze(shared_secret, SHARED_SECRET_BYTES, &ctx); + cshake256_inc_ctx_release(&ctx); } /* Decapsulate a shared secret and return it */ @@ -210,6 +215,7 @@ void PQCLEAN_MAMABEAR_CLEAN_decapsulate( cshake256_inc_absorb(&ctx, &sep, 1); cshake256_inc_finalize(&ctx); cshake256_inc_squeeze(prfk, PRF_KEY_BYTES, &ctx); + cshake256_inc_ctx_release(&ctx); /* Calculate PRF */ threebears_hash_init(&ctx, HASH_PURPOSE_PRF); @@ -217,6 +223,7 @@ void PQCLEAN_MAMABEAR_CLEAN_decapsulate( cshake256_inc_absorb(&ctx, capsule, CAPSULE_BYTES); cshake256_inc_finalize(&ctx); cshake256_inc_squeeze(prfout, SHARED_SECRET_BYTES, &ctx); + cshake256_inc_ctx_release(&ctx); for (size_t i = 0; i < SHARED_SECRET_BYTES; i++) { shared_secret[i] = (uint8_t)((shared_secret[i] & ok) | (prfout[i] & ~ok)); diff --git a/crypto_kem/papabear-ephem/clean/threebears.c b/crypto_kem/papabear-ephem/clean/threebears.c index fe1cd38b..b278e1b5 100644 --- a/crypto_kem/papabear-ephem/clean/threebears.c +++ b/crypto_kem/papabear-ephem/clean/threebears.c @@ -38,6 +38,7 @@ static void uniform(gf_t matrix, const uint8_t *seed, uint8_t iv) { cshake256_inc_absorb(&ctx, &iv, 1); cshake256_inc_finalize(&ctx); cshake256_inc_squeeze(c, sizeof(c), &ctx); + cshake256_inc_ctx_release(&ctx); PQCLEAN_PAPABEAREPHEM_CLEAN_expand(matrix, c); } @@ -56,13 +57,14 @@ static void noise(gf_t x, const shake256incctx *ctx, uint8_t iv) { uint8_t c[DIGITS]; shake256incctx ctx2; - memcpy(&ctx2, ctx, sizeof(ctx2)); + cshake256_inc_ctx_clone(&ctx2, ctx); cshake256_inc_absorb(&ctx2, &iv, 1); cshake256_inc_finalize(&ctx2); cshake256_inc_squeeze(c, DIGITS, &ctx2); for (size_t i = 0; i < DIGITS; i++) { x[i] = (limb_t)(psi(c[i]) + PQCLEAN_PAPABEAREPHEM_CLEAN_modulus(i)); } + cshake256_inc_ctx_release(&ctx2); } /* Expand public key from private key */ @@ -74,9 +76,10 @@ void PQCLEAN_PAPABEAREPHEM_CLEAN_get_pubkey(uint8_t *pk, const uint8_t *sk) { threebears_hash_init(&ctx, HASH_PURPOSE_KEYGEN); cshake256_inc_absorb(&ctx, sk, PRIVATE_KEY_BYTES); - memcpy(&ctx2, &ctx, sizeof(ctx2)); + cshake256_inc_ctx_clone(&ctx2, &ctx); cshake256_inc_finalize(&ctx2); cshake256_inc_squeeze(pk, MATRIX_SEED_BYTES, &ctx2); + cshake256_inc_ctx_release(&ctx2); for (uint8_t i = 0; i < DIM; i++) { noise(sk_expanded[i], &ctx, i); @@ -89,6 +92,7 @@ void PQCLEAN_PAPABEAREPHEM_CLEAN_get_pubkey(uint8_t *pk, const uint8_t *sk) { } PQCLEAN_PAPABEAREPHEM_CLEAN_contract(&pk[MATRIX_SEED_BYTES + i * GF_BYTES], c); } + cshake256_inc_ctx_release(&ctx); } /* Encapsulate a shared secret and return it */ @@ -135,6 +139,8 @@ void PQCLEAN_PAPABEAREPHEM_CLEAN_encapsulate( cshake256_inc_finalize(&ctx); cshake256_inc_squeeze(tbi, ENC_SEED_BYTES, &ctx); + cshake256_inc_ctx_release(&ctx); + threebears_hash_init(&ctx, HASH_PURPOSE_ENCAPS); cshake256_inc_absorb(&ctx, pk, MATRIX_SEED_BYTES); cshake256_inc_absorb(&ctx, tbi, ENC_SEED_BYTES); @@ -152,6 +158,7 @@ void PQCLEAN_PAPABEAREPHEM_CLEAN_encapsulate( cshake256_inc_finalize(&ctx); cshake256_inc_squeeze(shared_secret, SHARED_SECRET_BYTES, &ctx); + cshake256_inc_ctx_release(&ctx); } /* Decapsulate a shared secret and return it */ @@ -199,6 +206,7 @@ void PQCLEAN_PAPABEAREPHEM_CLEAN_decapsulate( /* Recalculate matrix seed */ cshake256_inc_finalize(&ctx); cshake256_inc_squeeze(matrix_seed, MATRIX_SEED_BYTES, &ctx); + cshake256_inc_ctx_release(&ctx); /* Re-run the key derivation from encaps */ threebears_hash_init(&ctx, HASH_PURPOSE_ENCAPS); @@ -207,4 +215,5 @@ void PQCLEAN_PAPABEAREPHEM_CLEAN_decapsulate( cshake256_inc_absorb(&ctx, &lpr_data[(ENC_BITS * LPR_BITS + 7) / 8], IV_BYTES); cshake256_inc_finalize(&ctx); cshake256_inc_squeeze(shared_secret, SHARED_SECRET_BYTES, &ctx); + cshake256_inc_ctx_release(&ctx); } diff --git a/crypto_kem/papabear/clean/threebears.c b/crypto_kem/papabear/clean/threebears.c index a14d59b4..e99b902b 100644 --- a/crypto_kem/papabear/clean/threebears.c +++ b/crypto_kem/papabear/clean/threebears.c @@ -38,6 +38,7 @@ static void uniform(gf_t matrix, const uint8_t *seed, uint8_t iv) { cshake256_inc_absorb(&ctx, &iv, 1); cshake256_inc_finalize(&ctx); cshake256_inc_squeeze(c, sizeof(c), &ctx); + cshake256_inc_ctx_release(&ctx); PQCLEAN_PAPABEAR_CLEAN_expand(matrix, c); } @@ -56,13 +57,14 @@ static void noise(gf_t x, const shake256incctx *ctx, uint8_t iv) { uint8_t c[DIGITS]; shake256incctx ctx2; - memcpy(&ctx2, ctx, sizeof(ctx2)); + cshake256_inc_ctx_clone(&ctx2, ctx); cshake256_inc_absorb(&ctx2, &iv, 1); cshake256_inc_finalize(&ctx2); cshake256_inc_squeeze(c, DIGITS, &ctx2); for (size_t i = 0; i < DIGITS; i++) { x[i] = (limb_t)(psi(c[i]) + PQCLEAN_PAPABEAR_CLEAN_modulus(i)); } + cshake256_inc_ctx_release(&ctx2); } /* Expand public key from private key */ @@ -74,9 +76,10 @@ void PQCLEAN_PAPABEAR_CLEAN_get_pubkey(uint8_t *pk, const uint8_t *sk) { threebears_hash_init(&ctx, HASH_PURPOSE_KEYGEN); cshake256_inc_absorb(&ctx, sk, PRIVATE_KEY_BYTES); - memcpy(&ctx2, &ctx, sizeof(ctx2)); + cshake256_inc_ctx_clone(&ctx2, &ctx); cshake256_inc_finalize(&ctx2); cshake256_inc_squeeze(pk, MATRIX_SEED_BYTES, &ctx2); + cshake256_inc_ctx_release(&ctx2); for (uint8_t i = 0; i < DIM; i++) { noise(sk_expanded[i], &ctx, i); @@ -89,6 +92,7 @@ void PQCLEAN_PAPABEAR_CLEAN_get_pubkey(uint8_t *pk, const uint8_t *sk) { } PQCLEAN_PAPABEAR_CLEAN_contract(&pk[MATRIX_SEED_BYTES + i * GF_BYTES], c); } + cshake256_inc_ctx_release(&ctx); } /* Encapsulate a shared secret and return it */ @@ -147,6 +151,7 @@ void PQCLEAN_PAPABEAR_CLEAN_encapsulate( cshake256_inc_finalize(&ctx); cshake256_inc_squeeze(shared_secret, SHARED_SECRET_BYTES, &ctx); + cshake256_inc_ctx_release(&ctx); } /* Decapsulate a shared secret and return it */ @@ -210,6 +215,7 @@ void PQCLEAN_PAPABEAR_CLEAN_decapsulate( cshake256_inc_absorb(&ctx, &sep, 1); cshake256_inc_finalize(&ctx); cshake256_inc_squeeze(prfk, PRF_KEY_BYTES, &ctx); + cshake256_inc_ctx_release(&ctx); /* Calculate PRF */ threebears_hash_init(&ctx, HASH_PURPOSE_PRF); @@ -217,6 +223,7 @@ void PQCLEAN_PAPABEAR_CLEAN_decapsulate( cshake256_inc_absorb(&ctx, capsule, CAPSULE_BYTES); cshake256_inc_finalize(&ctx); cshake256_inc_squeeze(prfout, SHARED_SECRET_BYTES, &ctx); + cshake256_inc_ctx_release(&ctx); for (size_t i = 0; i < SHARED_SECRET_BYTES; i++) { shared_secret[i] = (uint8_t)((shared_secret[i] & ok) | (prfout[i] & ~ok)); diff --git a/crypto_sign/dilithium2/avx2/poly.c b/crypto_sign/dilithium2/avx2/poly.c index e9e1ad2c..24a6ea06 100644 --- a/crypto_sign/dilithium2/avx2/poly.c +++ b/crypto_sign/dilithium2/avx2/poly.c @@ -356,6 +356,7 @@ void PQCLEAN_DILITHIUM2_AVX2_poly_uniform(poly *a, stream128_squeezeblocks(buf + off, 1, &state); ctr += rej_uniform_ref(a->coeffs + ctr, N - ctr, buf, buflen); } + stream128_ctx_release(&state); } void PQCLEAN_DILITHIUM2_AVX2_poly_uniform_4x(poly *a0, @@ -481,6 +482,7 @@ void PQCLEAN_DILITHIUM2_AVX2_poly_uniform_eta( stream128_squeezeblocks(buf, 1, &state); ctr += rej_eta_ref(a->coeffs + ctr, N - ctr, buf, STREAM128_BLOCKBYTES); } + stream128_ctx_release(&state); } void PQCLEAN_DILITHIUM2_AVX2_poly_uniform_eta_4x( @@ -618,6 +620,7 @@ void PQCLEAN_DILITHIUM2_AVX2_poly_uniform_gamma1m1( stream256_squeezeblocks(buf + off, 1, &state); ctr += rej_gamma1m1_ref(a->coeffs + ctr, N - ctr, buf, buflen); } + stream256_ctx_release(&state); } void PQCLEAN_DILITHIUM2_AVX2_poly_uniform_gamma1m1_4x(poly *a0, diff --git a/crypto_sign/dilithium2/avx2/symmetric.h b/crypto_sign/dilithium2/avx2/symmetric.h index 92c36244..33d32654 100644 --- a/crypto_sign/dilithium2/avx2/symmetric.h +++ b/crypto_sign/dilithium2/avx2/symmetric.h @@ -10,8 +10,10 @@ #define crh(OUT, IN, INBYTES) shake256(OUT, CRHBYTES, IN, INBYTES) #define stream128_init(STATE, SEED, NONCE) PQCLEAN_DILITHIUM2_AVX2_shake128_stream_init(STATE, SEED, NONCE) #define stream128_squeezeblocks(OUT, OUTBLOCKS, STATE) shake128_squeezeblocks(OUT, OUTBLOCKS, STATE) +#define stream128_ctx_release(STATE) shake128_ctx_release(STATE) #define stream256_init(STATE, SEED, NONCE) PQCLEAN_DILITHIUM2_AVX2_shake256_stream_init(STATE, SEED, NONCE) #define stream256_squeezeblocks(OUT, OUTBLOCKS, STATE) shake256_squeezeblocks(OUT, OUTBLOCKS, STATE) +#define stream256_ctx_release(STATE) shake256_ctx_release(STATE) #define STREAM128_BLOCKBYTES SHAKE128_RATE #define STREAM256_BLOCKBYTES SHAKE256_RATE diff --git a/crypto_sign/dilithium2/clean/poly.c b/crypto_sign/dilithium2/clean/poly.c index e44ecae8..733efb17 100644 --- a/crypto_sign/dilithium2/clean/poly.c +++ b/crypto_sign/dilithium2/clean/poly.c @@ -315,6 +315,7 @@ void PQCLEAN_DILITHIUM2_CLEAN_poly_uniform(poly *a, stream128_squeezeblocks(buf + off, 1, &state); ctr += rej_uniform(a->coeffs + ctr, N - ctr, buf, buflen); } + stream128_ctx_release(&state); } /************************************************* @@ -385,6 +386,7 @@ void PQCLEAN_DILITHIUM2_CLEAN_poly_uniform_eta(poly *a, stream128_squeezeblocks(buf, 1, &state); ctr += rej_eta(a->coeffs + ctr, N - ctr, buf, STREAM128_BLOCKBYTES); } + stream128_ctx_release(&state); } /************************************************* @@ -472,6 +474,7 @@ void PQCLEAN_DILITHIUM2_CLEAN_poly_uniform_gamma1m1(poly *a, stream256_squeezeblocks(buf + off, 1, &state); ctr += rej_gamma1m1(a->coeffs + ctr, N - ctr, buf, buflen); } + stream256_ctx_release(&state); } /************************************************* diff --git a/crypto_sign/dilithium2/clean/symmetric.h b/crypto_sign/dilithium2/clean/symmetric.h index b36694cc..ee2b8103 100644 --- a/crypto_sign/dilithium2/clean/symmetric.h +++ b/crypto_sign/dilithium2/clean/symmetric.h @@ -10,8 +10,10 @@ #define crh(OUT, IN, INBYTES) shake256(OUT, CRHBYTES, IN, INBYTES) #define stream128_init(STATE, SEED, NONCE) PQCLEAN_DILITHIUM2_CLEAN_shake128_stream_init(STATE, SEED, NONCE) #define stream128_squeezeblocks(OUT, OUTBLOCKS, STATE) shake128_squeezeblocks(OUT, OUTBLOCKS, STATE) +#define stream128_ctx_release(STATE) shake128_ctx_release(STATE) #define stream256_init(STATE, SEED, NONCE) PQCLEAN_DILITHIUM2_CLEAN_shake256_stream_init(STATE, SEED, NONCE) #define stream256_squeezeblocks(OUT, OUTBLOCKS, STATE) shake256_squeezeblocks(OUT, OUTBLOCKS, STATE) +#define stream256_ctx_release(STATE) shake256_ctx_release(STATE) #define STREAM128_BLOCKBYTES SHAKE128_RATE #define STREAM256_BLOCKBYTES SHAKE256_RATE diff --git a/crypto_sign/dilithium3/avx2/poly.c b/crypto_sign/dilithium3/avx2/poly.c index 217971ef..3f4223c3 100644 --- a/crypto_sign/dilithium3/avx2/poly.c +++ b/crypto_sign/dilithium3/avx2/poly.c @@ -356,6 +356,7 @@ void PQCLEAN_DILITHIUM3_AVX2_poly_uniform(poly *a, stream128_squeezeblocks(buf + off, 1, &state); ctr += rej_uniform_ref(a->coeffs + ctr, N - ctr, buf, buflen); } + stream128_ctx_release(&state); } void PQCLEAN_DILITHIUM3_AVX2_poly_uniform_4x(poly *a0, @@ -481,6 +482,7 @@ void PQCLEAN_DILITHIUM3_AVX2_poly_uniform_eta( stream128_squeezeblocks(buf, 1, &state); ctr += rej_eta_ref(a->coeffs + ctr, N - ctr, buf, STREAM128_BLOCKBYTES); } + stream128_ctx_release(&state); } void PQCLEAN_DILITHIUM3_AVX2_poly_uniform_eta_4x( @@ -618,6 +620,7 @@ void PQCLEAN_DILITHIUM3_AVX2_poly_uniform_gamma1m1( stream256_squeezeblocks(buf + off, 1, &state); ctr += rej_gamma1m1_ref(a->coeffs + ctr, N - ctr, buf, buflen); } + stream256_ctx_release(&state); } void PQCLEAN_DILITHIUM3_AVX2_poly_uniform_gamma1m1_4x(poly *a0, diff --git a/crypto_sign/dilithium3/avx2/symmetric.h b/crypto_sign/dilithium3/avx2/symmetric.h index 9a29e8e5..a54a9ab4 100644 --- a/crypto_sign/dilithium3/avx2/symmetric.h +++ b/crypto_sign/dilithium3/avx2/symmetric.h @@ -10,8 +10,10 @@ #define crh(OUT, IN, INBYTES) shake256(OUT, CRHBYTES, IN, INBYTES) #define stream128_init(STATE, SEED, NONCE) PQCLEAN_DILITHIUM3_AVX2_shake128_stream_init(STATE, SEED, NONCE) #define stream128_squeezeblocks(OUT, OUTBLOCKS, STATE) shake128_squeezeblocks(OUT, OUTBLOCKS, STATE) +#define stream128_ctx_release(STATE) shake128_ctx_release(STATE) #define stream256_init(STATE, SEED, NONCE) PQCLEAN_DILITHIUM3_AVX2_shake256_stream_init(STATE, SEED, NONCE) #define stream256_squeezeblocks(OUT, OUTBLOCKS, STATE) shake256_squeezeblocks(OUT, OUTBLOCKS, STATE) +#define stream256_ctx_release(STATE) shake256_ctx_release(STATE) #define STREAM128_BLOCKBYTES SHAKE128_RATE #define STREAM256_BLOCKBYTES SHAKE256_RATE diff --git a/crypto_sign/dilithium3/clean/poly.c b/crypto_sign/dilithium3/clean/poly.c index 5eed6058..84273cab 100644 --- a/crypto_sign/dilithium3/clean/poly.c +++ b/crypto_sign/dilithium3/clean/poly.c @@ -315,6 +315,7 @@ void PQCLEAN_DILITHIUM3_CLEAN_poly_uniform(poly *a, stream128_squeezeblocks(buf + off, 1, &state); ctr += rej_uniform(a->coeffs + ctr, N - ctr, buf, buflen); } + stream128_ctx_release(&state); } /************************************************* @@ -385,6 +386,7 @@ void PQCLEAN_DILITHIUM3_CLEAN_poly_uniform_eta(poly *a, stream128_squeezeblocks(buf, 1, &state); ctr += rej_eta(a->coeffs + ctr, N - ctr, buf, STREAM128_BLOCKBYTES); } + stream128_ctx_release(&state); } /************************************************* @@ -472,6 +474,7 @@ void PQCLEAN_DILITHIUM3_CLEAN_poly_uniform_gamma1m1(poly *a, stream256_squeezeblocks(buf + off, 1, &state); ctr += rej_gamma1m1(a->coeffs + ctr, N - ctr, buf, buflen); } + stream256_ctx_release(&state); } /************************************************* diff --git a/crypto_sign/dilithium3/clean/symmetric.h b/crypto_sign/dilithium3/clean/symmetric.h index d90623d6..736f1744 100644 --- a/crypto_sign/dilithium3/clean/symmetric.h +++ b/crypto_sign/dilithium3/clean/symmetric.h @@ -10,8 +10,10 @@ #define crh(OUT, IN, INBYTES) shake256(OUT, CRHBYTES, IN, INBYTES) #define stream128_init(STATE, SEED, NONCE) PQCLEAN_DILITHIUM3_CLEAN_shake128_stream_init(STATE, SEED, NONCE) #define stream128_squeezeblocks(OUT, OUTBLOCKS, STATE) shake128_squeezeblocks(OUT, OUTBLOCKS, STATE) +#define stream128_ctx_release(STATE) shake128_ctx_release(STATE) #define stream256_init(STATE, SEED, NONCE) PQCLEAN_DILITHIUM3_CLEAN_shake256_stream_init(STATE, SEED, NONCE) #define stream256_squeezeblocks(OUT, OUTBLOCKS, STATE) shake256_squeezeblocks(OUT, OUTBLOCKS, STATE) +#define stream256_ctx_release(STATE) shake256_ctx_release(STATE) #define STREAM128_BLOCKBYTES SHAKE128_RATE #define STREAM256_BLOCKBYTES SHAKE256_RATE diff --git a/crypto_sign/dilithium4/avx2/poly.c b/crypto_sign/dilithium4/avx2/poly.c index c1bd2fc8..6fde3258 100644 --- a/crypto_sign/dilithium4/avx2/poly.c +++ b/crypto_sign/dilithium4/avx2/poly.c @@ -356,6 +356,7 @@ void PQCLEAN_DILITHIUM4_AVX2_poly_uniform(poly *a, stream128_squeezeblocks(buf + off, 1, &state); ctr += rej_uniform_ref(a->coeffs + ctr, N - ctr, buf, buflen); } + stream128_ctx_release(&state); } void PQCLEAN_DILITHIUM4_AVX2_poly_uniform_4x(poly *a0, @@ -481,6 +482,7 @@ void PQCLEAN_DILITHIUM4_AVX2_poly_uniform_eta( stream128_squeezeblocks(buf, 1, &state); ctr += rej_eta_ref(a->coeffs + ctr, N - ctr, buf, STREAM128_BLOCKBYTES); } + stream128_ctx_release(&state); } void PQCLEAN_DILITHIUM4_AVX2_poly_uniform_eta_4x( @@ -618,6 +620,7 @@ void PQCLEAN_DILITHIUM4_AVX2_poly_uniform_gamma1m1( stream256_squeezeblocks(buf + off, 1, &state); ctr += rej_gamma1m1_ref(a->coeffs + ctr, N - ctr, buf, buflen); } + stream256_ctx_release(&state); } void PQCLEAN_DILITHIUM4_AVX2_poly_uniform_gamma1m1_4x(poly *a0, diff --git a/crypto_sign/dilithium4/avx2/symmetric.h b/crypto_sign/dilithium4/avx2/symmetric.h index 8ad8243b..3309c1de 100644 --- a/crypto_sign/dilithium4/avx2/symmetric.h +++ b/crypto_sign/dilithium4/avx2/symmetric.h @@ -10,8 +10,10 @@ #define crh(OUT, IN, INBYTES) shake256(OUT, CRHBYTES, IN, INBYTES) #define stream128_init(STATE, SEED, NONCE) PQCLEAN_DILITHIUM4_AVX2_shake128_stream_init(STATE, SEED, NONCE) #define stream128_squeezeblocks(OUT, OUTBLOCKS, STATE) shake128_squeezeblocks(OUT, OUTBLOCKS, STATE) +#define stream128_ctx_release(STATE) shake128_ctx_release(STATE) #define stream256_init(STATE, SEED, NONCE) PQCLEAN_DILITHIUM4_AVX2_shake256_stream_init(STATE, SEED, NONCE) #define stream256_squeezeblocks(OUT, OUTBLOCKS, STATE) shake256_squeezeblocks(OUT, OUTBLOCKS, STATE) +#define stream256_ctx_release(STATE) shake256_ctx_release(STATE) #define STREAM128_BLOCKBYTES SHAKE128_RATE #define STREAM256_BLOCKBYTES SHAKE256_RATE diff --git a/crypto_sign/dilithium4/clean/poly.c b/crypto_sign/dilithium4/clean/poly.c index d44ecaac..993fe3ec 100644 --- a/crypto_sign/dilithium4/clean/poly.c +++ b/crypto_sign/dilithium4/clean/poly.c @@ -315,6 +315,7 @@ void PQCLEAN_DILITHIUM4_CLEAN_poly_uniform(poly *a, stream128_squeezeblocks(buf + off, 1, &state); ctr += rej_uniform(a->coeffs + ctr, N - ctr, buf, buflen); } + stream128_ctx_release(&state); } /************************************************* @@ -385,6 +386,7 @@ void PQCLEAN_DILITHIUM4_CLEAN_poly_uniform_eta(poly *a, stream128_squeezeblocks(buf, 1, &state); ctr += rej_eta(a->coeffs + ctr, N - ctr, buf, STREAM128_BLOCKBYTES); } + stream128_ctx_release(&state); } /************************************************* @@ -472,6 +474,7 @@ void PQCLEAN_DILITHIUM4_CLEAN_poly_uniform_gamma1m1(poly *a, stream256_squeezeblocks(buf + off, 1, &state); ctr += rej_gamma1m1(a->coeffs + ctr, N - ctr, buf, buflen); } + stream256_ctx_release(&state); } /************************************************* diff --git a/crypto_sign/dilithium4/clean/symmetric.h b/crypto_sign/dilithium4/clean/symmetric.h index 4102ddce..117f5640 100644 --- a/crypto_sign/dilithium4/clean/symmetric.h +++ b/crypto_sign/dilithium4/clean/symmetric.h @@ -10,8 +10,10 @@ #define crh(OUT, IN, INBYTES) shake256(OUT, CRHBYTES, IN, INBYTES) #define stream128_init(STATE, SEED, NONCE) PQCLEAN_DILITHIUM4_CLEAN_shake128_stream_init(STATE, SEED, NONCE) #define stream128_squeezeblocks(OUT, OUTBLOCKS, STATE) shake128_squeezeblocks(OUT, OUTBLOCKS, STATE) +#define stream128_ctx_release(STATE) shake128_ctx_release(STATE) #define stream256_init(STATE, SEED, NONCE) PQCLEAN_DILITHIUM4_CLEAN_shake256_stream_init(STATE, SEED, NONCE) #define stream256_squeezeblocks(OUT, OUTBLOCKS, STATE) shake256_squeezeblocks(OUT, OUTBLOCKS, STATE) +#define stream256_ctx_release(STATE) shake256_ctx_release(STATE) #define STREAM128_BLOCKBYTES SHAKE128_RATE #define STREAM256_BLOCKBYTES SHAKE256_RATE diff --git a/crypto_sign/falcon-1024/clean/inner.h b/crypto_sign/falcon-1024/clean/inner.h index 98855160..a10ecd3d 100644 --- a/crypto_sign/falcon-1024/clean/inner.h +++ b/crypto_sign/falcon-1024/clean/inner.h @@ -122,6 +122,7 @@ set_fpu_cw(unsigned x) { #define inner_shake256_inject(sc, in, len) shake256_inc_absorb(sc, in, len) #define inner_shake256_flip(sc) shake256_inc_finalize(sc) #define inner_shake256_extract(sc, out, len) shake256_inc_squeeze(out, len, sc) +#define inner_shake256_ctx_release(sc) shake256_inc_ctx_release(sc) /* ==================================================================== */ diff --git a/crypto_sign/falcon-1024/clean/pqclean.c b/crypto_sign/falcon-1024/clean/pqclean.c index bbab1921..b6f48a0a 100644 --- a/crypto_sign/falcon-1024/clean/pqclean.c +++ b/crypto_sign/falcon-1024/clean/pqclean.c @@ -62,6 +62,7 @@ PQCLEAN_FALCON1024_CLEAN_crypto_sign_keypair( inner_shake256_inject(&rng, seed, sizeof seed); inner_shake256_flip(&rng); PQCLEAN_FALCON1024_CLEAN_keygen(&rng, f, g, F, NULL, h, 10, tmp.b); + inner_shake256_ctx_release(&rng); /* * Encode private key. @@ -186,6 +187,7 @@ do_sign(uint8_t *nonce, uint8_t *sigbuf, size_t *sigbuflen, inner_shake256_inject(&sc, m, mlen); inner_shake256_flip(&sc); PQCLEAN_FALCON1024_CLEAN_hash_to_point_ct(&sc, r.hm, 10, tmp.b); + inner_shake256_ctx_release(&sc); /* * Initialize a RNG. @@ -203,6 +205,7 @@ do_sign(uint8_t *nonce, uint8_t *sigbuf, size_t *sigbuflen, PQCLEAN_FALCON1024_CLEAN_sign_dyn(r.sig, &sc, f, g, F, G, r.hm, 10, tmp.b); v = PQCLEAN_FALCON1024_CLEAN_comp_encode(sigbuf, *sigbuflen, r.sig, 10); if (v != 0) { + inner_shake256_ctx_release(&sc); *sigbuflen = v; return 0; } @@ -258,6 +261,7 @@ do_verify( inner_shake256_inject(&sc, m, mlen); inner_shake256_flip(&sc); PQCLEAN_FALCON1024_CLEAN_hash_to_point_ct(&sc, hm, 10, tmp.b); + inner_shake256_ctx_release(&sc); /* * Verify signature. diff --git a/crypto_sign/falcon-512/clean/inner.h b/crypto_sign/falcon-512/clean/inner.h index 78c74bb8..f4fefe15 100644 --- a/crypto_sign/falcon-512/clean/inner.h +++ b/crypto_sign/falcon-512/clean/inner.h @@ -122,6 +122,7 @@ set_fpu_cw(unsigned x) { #define inner_shake256_inject(sc, in, len) shake256_inc_absorb(sc, in, len) #define inner_shake256_flip(sc) shake256_inc_finalize(sc) #define inner_shake256_extract(sc, out, len) shake256_inc_squeeze(out, len, sc) +#define inner_shake256_ctx_release(sc) shake256_inc_ctx_release(sc) /* ==================================================================== */ diff --git a/crypto_sign/falcon-512/clean/pqclean.c b/crypto_sign/falcon-512/clean/pqclean.c index c31599b5..6589999c 100644 --- a/crypto_sign/falcon-512/clean/pqclean.c +++ b/crypto_sign/falcon-512/clean/pqclean.c @@ -62,6 +62,7 @@ PQCLEAN_FALCON512_CLEAN_crypto_sign_keypair( inner_shake256_inject(&rng, seed, sizeof seed); inner_shake256_flip(&rng); PQCLEAN_FALCON512_CLEAN_keygen(&rng, f, g, F, NULL, h, 9, tmp.b); + inner_shake256_ctx_release(&rng); /* * Encode private key. @@ -186,6 +187,7 @@ do_sign(uint8_t *nonce, uint8_t *sigbuf, size_t *sigbuflen, inner_shake256_inject(&sc, m, mlen); inner_shake256_flip(&sc); PQCLEAN_FALCON512_CLEAN_hash_to_point_ct(&sc, r.hm, 9, tmp.b); + inner_shake256_ctx_release(&sc); /* * Initialize a RNG. @@ -203,6 +205,7 @@ do_sign(uint8_t *nonce, uint8_t *sigbuf, size_t *sigbuflen, PQCLEAN_FALCON512_CLEAN_sign_dyn(r.sig, &sc, f, g, F, G, r.hm, 9, tmp.b); v = PQCLEAN_FALCON512_CLEAN_comp_encode(sigbuf, *sigbuflen, r.sig, 9); if (v != 0) { + inner_shake256_ctx_release(&sc); *sigbuflen = v; return 0; } @@ -258,6 +261,7 @@ do_verify( inner_shake256_inject(&sc, m, mlen); inner_shake256_flip(&sc); PQCLEAN_FALCON512_CLEAN_hash_to_point_ct(&sc, hm, 9, tmp.b); + inner_shake256_ctx_release(&sc); /* * Verify signature. diff --git a/crypto_sign/mqdss-48/clean/gf31.c b/crypto_sign/mqdss-48/clean/gf31.c index 9a5f2df0..a3838e30 100644 --- a/crypto_sign/mqdss-48/clean/gf31.c +++ b/crypto_sign/mqdss-48/clean/gf31.c @@ -63,6 +63,7 @@ void PQCLEAN_MQDSS48_CLEAN_gf31_nrand(gf31 *out, int len, const unsigned char *s } } } + shake256_ctx_release(&shakestate); } /* Given a seed, samples len gf31 elements, transposed into unsigned range, @@ -84,6 +85,7 @@ void PQCLEAN_MQDSS48_CLEAN_gf31_nrand_schar(signed char *out, int len, const uns } } } + shake256_ctx_release(&shakestate); } /* Unpacks an array of packed GF31 elements to one element per gf31. diff --git a/crypto_sign/mqdss-48/clean/sign.c b/crypto_sign/mqdss-48/clean/sign.c index 01d67ef9..fe4f2b75 100644 --- a/crypto_sign/mqdss-48/clean/sign.c +++ b/crypto_sign/mqdss-48/clean/sign.c @@ -120,6 +120,7 @@ int PQCLEAN_MQDSS48_CLEAN_crypto_sign_signature( shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(sig, HASH_BYTES, &state); // Compute R. + shake256_inc_ctx_release(&state); memcpy(pk, skbuf, SEED_BYTES); PQCLEAN_MQDSS48_CLEAN_gf31_nrand(sk_gf31, N, skbuf + SEED_BYTES, SEED_BYTES); @@ -133,6 +134,7 @@ int PQCLEAN_MQDSS48_CLEAN_crypto_sign_signature( shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(D, HASH_BYTES, &state); + shake256_inc_ctx_release(&state); sig += HASH_BYTES; // Compensate for prefixed R. @@ -193,6 +195,8 @@ int PQCLEAN_MQDSS48_CLEAN_crypto_sign_signature( PQCLEAN_MQDSS48_CLEAN_vgf31_shorten_unique(t1 + i * N, t1 + i * N); PQCLEAN_MQDSS48_CLEAN_vgf31_shorten_unique(e1 + i * N, e1 + i * N); } + shake256_ctx_release(&shakestate); + PQCLEAN_MQDSS48_CLEAN_gf31_npack(t1packed, t1, N * ROUNDS); PQCLEAN_MQDSS48_CLEAN_gf31_npack(e1packed, e1, M * ROUNDS); @@ -264,6 +268,7 @@ int PQCLEAN_MQDSS48_CLEAN_crypto_sign_verify( shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(D, HASH_BYTES, &state); + shake256_inc_ctx_release(&state); sig += HASH_BYTES; @@ -328,6 +333,7 @@ int PQCLEAN_MQDSS48_CLEAN_crypto_sign_verify( memcpy(c + HASH_BYTES * (2 * i + (1 - b)), sig + NPACKED_BYTES, HASH_BYTES); sig += NPACKED_BYTES + 2 * HASH_BYTES; } + shake256_ctx_release(&shakestate); H(c, c, HASH_BYTES * ROUNDS * 2); if (memcmp(c, sigma0, HASH_BYTES) != 0) { diff --git a/crypto_sign/mqdss-64/clean/gf31.c b/crypto_sign/mqdss-64/clean/gf31.c index 54bb7da5..dac416b0 100644 --- a/crypto_sign/mqdss-64/clean/gf31.c +++ b/crypto_sign/mqdss-64/clean/gf31.c @@ -63,6 +63,7 @@ void PQCLEAN_MQDSS64_CLEAN_gf31_nrand(gf31 *out, int len, const unsigned char *s } } } + shake256_ctx_release(&shakestate); } /* Given a seed, samples len gf31 elements, transposed into unsigned range, @@ -84,6 +85,7 @@ void PQCLEAN_MQDSS64_CLEAN_gf31_nrand_schar(signed char *out, int len, const uns } } } + shake256_ctx_release(&shakestate); } /* Unpacks an array of packed GF31 elements to one element per gf31. diff --git a/crypto_sign/mqdss-64/clean/sign.c b/crypto_sign/mqdss-64/clean/sign.c index 189b70f8..702cbdf8 100644 --- a/crypto_sign/mqdss-64/clean/sign.c +++ b/crypto_sign/mqdss-64/clean/sign.c @@ -120,6 +120,7 @@ int PQCLEAN_MQDSS64_CLEAN_crypto_sign_signature( shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(sig, HASH_BYTES, &state); // Compute R. + shake256_inc_ctx_release(&state); memcpy(pk, skbuf, SEED_BYTES); PQCLEAN_MQDSS64_CLEAN_gf31_nrand(sk_gf31, N, skbuf + SEED_BYTES, SEED_BYTES); @@ -133,6 +134,7 @@ int PQCLEAN_MQDSS64_CLEAN_crypto_sign_signature( shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(D, HASH_BYTES, &state); + shake256_inc_ctx_release(&state); sig += HASH_BYTES; // Compensate for prefixed R. @@ -193,6 +195,8 @@ int PQCLEAN_MQDSS64_CLEAN_crypto_sign_signature( PQCLEAN_MQDSS64_CLEAN_vgf31_shorten_unique(t1 + i * N, t1 + i * N); PQCLEAN_MQDSS64_CLEAN_vgf31_shorten_unique(e1 + i * N, e1 + i * N); } + shake256_ctx_release(&shakestate); + PQCLEAN_MQDSS64_CLEAN_gf31_npack(t1packed, t1, N * ROUNDS); PQCLEAN_MQDSS64_CLEAN_gf31_npack(e1packed, e1, M * ROUNDS); @@ -264,6 +268,7 @@ int PQCLEAN_MQDSS64_CLEAN_crypto_sign_verify( shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(D, HASH_BYTES, &state); + shake256_inc_ctx_release(&state); sig += HASH_BYTES; @@ -328,6 +333,7 @@ int PQCLEAN_MQDSS64_CLEAN_crypto_sign_verify( memcpy(c + HASH_BYTES * (2 * i + (1 - b)), sig + NPACKED_BYTES, HASH_BYTES); sig += NPACKED_BYTES + 2 * HASH_BYTES; } + shake256_ctx_release(&shakestate); H(c, c, HASH_BYTES * ROUNDS * 2); if (memcmp(c, sigma0, HASH_BYTES) != 0) { diff --git a/crypto_sign/rainbowIIIc-classic/clean/utils_prng.c b/crypto_sign/rainbowIIIc-classic/clean/utils_prng.c index 5f627f37..61b65cfd 100644 --- a/crypto_sign/rainbowIIIc-classic/clean/utils_prng.c +++ b/crypto_sign/rainbowIIIc-classic/clean/utils_prng.c @@ -32,6 +32,7 @@ static void prng_update(const unsigned char *provided_data, temp[i] ^= provided_data[i]; } } + aes256_ctx_release(&ctx); memcpy(Key, temp, 32); memcpy(V, temp + 32, 16); } @@ -72,6 +73,7 @@ static int randombytes_with_state(prng_t *state, xlen = 0; } } + aes256_ctx_release(&ctx); prng_update(NULL, state->Key, state->V); return 0; } diff --git a/crypto_sign/rainbowIIIc-cyclic-compressed/clean/utils_prng.c b/crypto_sign/rainbowIIIc-cyclic-compressed/clean/utils_prng.c index 40b489f0..89722fc5 100644 --- a/crypto_sign/rainbowIIIc-cyclic-compressed/clean/utils_prng.c +++ b/crypto_sign/rainbowIIIc-cyclic-compressed/clean/utils_prng.c @@ -32,6 +32,7 @@ static void prng_update(const unsigned char *provided_data, temp[i] ^= provided_data[i]; } } + aes256_ctx_release(&ctx); memcpy(Key, temp, 32); memcpy(V, temp + 32, 16); } @@ -72,6 +73,7 @@ static int randombytes_with_state(prng_t *state, xlen = 0; } } + aes256_ctx_release(&ctx); prng_update(NULL, state->Key, state->V); return 0; } diff --git a/crypto_sign/rainbowIIIc-cyclic/clean/utils_prng.c b/crypto_sign/rainbowIIIc-cyclic/clean/utils_prng.c index 142e653e..9367e037 100644 --- a/crypto_sign/rainbowIIIc-cyclic/clean/utils_prng.c +++ b/crypto_sign/rainbowIIIc-cyclic/clean/utils_prng.c @@ -32,6 +32,7 @@ static void prng_update(const unsigned char *provided_data, temp[i] ^= provided_data[i]; } } + aes256_ctx_release(&ctx); memcpy(Key, temp, 32); memcpy(V, temp + 32, 16); } @@ -72,6 +73,7 @@ static int randombytes_with_state(prng_t *state, xlen = 0; } } + aes256_ctx_release(&ctx); prng_update(NULL, state->Key, state->V); return 0; } diff --git a/crypto_sign/rainbowIa-classic/clean/utils_prng.c b/crypto_sign/rainbowIa-classic/clean/utils_prng.c index 36eae4b7..fdfbe10b 100644 --- a/crypto_sign/rainbowIa-classic/clean/utils_prng.c +++ b/crypto_sign/rainbowIa-classic/clean/utils_prng.c @@ -32,6 +32,7 @@ static void prng_update(const unsigned char *provided_data, temp[i] ^= provided_data[i]; } } + aes256_ctx_release(&ctx); memcpy(Key, temp, 32); memcpy(V, temp + 32, 16); } @@ -72,6 +73,7 @@ static int randombytes_with_state(prng_t *state, xlen = 0; } } + aes256_ctx_release(&ctx); prng_update(NULL, state->Key, state->V); return 0; } diff --git a/crypto_sign/rainbowIa-cyclic-compressed/clean/utils_prng.c b/crypto_sign/rainbowIa-cyclic-compressed/clean/utils_prng.c index 7937f31d..54132ee0 100644 --- a/crypto_sign/rainbowIa-cyclic-compressed/clean/utils_prng.c +++ b/crypto_sign/rainbowIa-cyclic-compressed/clean/utils_prng.c @@ -32,6 +32,7 @@ static void prng_update(const unsigned char *provided_data, temp[i] ^= provided_data[i]; } } + aes256_ctx_release(&ctx); memcpy(Key, temp, 32); memcpy(V, temp + 32, 16); } @@ -72,6 +73,7 @@ static int randombytes_with_state(prng_t *state, xlen = 0; } } + aes256_ctx_release(&ctx); prng_update(NULL, state->Key, state->V); return 0; } diff --git a/crypto_sign/rainbowIa-cyclic/clean/utils_prng.c b/crypto_sign/rainbowIa-cyclic/clean/utils_prng.c index 849994cb..8f3b3fcd 100644 --- a/crypto_sign/rainbowIa-cyclic/clean/utils_prng.c +++ b/crypto_sign/rainbowIa-cyclic/clean/utils_prng.c @@ -32,6 +32,7 @@ static void prng_update(const unsigned char *provided_data, temp[i] ^= provided_data[i]; } } + aes256_ctx_release(&ctx); memcpy(Key, temp, 32); memcpy(V, temp + 32, 16); } @@ -72,6 +73,7 @@ static int randombytes_with_state(prng_t *state, xlen = 0; } } + aes256_ctx_release(&ctx); prng_update(NULL, state->Key, state->V); return 0; } diff --git a/crypto_sign/rainbowVc-classic/clean/utils_prng.c b/crypto_sign/rainbowVc-classic/clean/utils_prng.c index dd081dfb..0c758c30 100644 --- a/crypto_sign/rainbowVc-classic/clean/utils_prng.c +++ b/crypto_sign/rainbowVc-classic/clean/utils_prng.c @@ -32,6 +32,7 @@ static void prng_update(const unsigned char *provided_data, temp[i] ^= provided_data[i]; } } + aes256_ctx_release(&ctx); memcpy(Key, temp, 32); memcpy(V, temp + 32, 16); } @@ -72,6 +73,7 @@ static int randombytes_with_state(prng_t *state, xlen = 0; } } + aes256_ctx_release(&ctx); prng_update(NULL, state->Key, state->V); return 0; } diff --git a/crypto_sign/rainbowVc-cyclic-compressed/clean/utils_prng.c b/crypto_sign/rainbowVc-cyclic-compressed/clean/utils_prng.c index 53f4111c..b8fb2638 100644 --- a/crypto_sign/rainbowVc-cyclic-compressed/clean/utils_prng.c +++ b/crypto_sign/rainbowVc-cyclic-compressed/clean/utils_prng.c @@ -32,6 +32,7 @@ static void prng_update(const unsigned char *provided_data, temp[i] ^= provided_data[i]; } } + aes256_ctx_release(&ctx); memcpy(Key, temp, 32); memcpy(V, temp + 32, 16); } @@ -72,6 +73,7 @@ static int randombytes_with_state(prng_t *state, xlen = 0; } } + aes256_ctx_release(&ctx); prng_update(NULL, state->Key, state->V); return 0; } diff --git a/crypto_sign/rainbowVc-cyclic/clean/utils_prng.c b/crypto_sign/rainbowVc-cyclic/clean/utils_prng.c index 81fa0412..d390fa98 100644 --- a/crypto_sign/rainbowVc-cyclic/clean/utils_prng.c +++ b/crypto_sign/rainbowVc-cyclic/clean/utils_prng.c @@ -32,6 +32,7 @@ static void prng_update(const unsigned char *provided_data, temp[i] ^= provided_data[i]; } } + aes256_ctx_release(&ctx); memcpy(Key, temp, 32); memcpy(V, temp + 32, 16); } @@ -72,6 +73,7 @@ static int randombytes_with_state(prng_t *state, xlen = 0; } } + aes256_ctx_release(&ctx); prng_update(NULL, state->Key, state->V); return 0; } diff --git a/crypto_sign/sphincs-sha256-128f-robust/avx2/hash_sha256.c b/crypto_sign/sphincs-sha256-128f-robust/avx2/hash_sha256.c index b812f06b..8b0aa087 100644 --- a/crypto_sign/sphincs-sha256-128f-robust/avx2/hash_sha256.c +++ b/crypto_sign/sphincs-sha256-128f-robust/avx2/hash_sha256.c @@ -25,7 +25,7 @@ void PQCLEAN_SPHINCSSHA256128FROBUST_AVX2_initialize_hash_function( * Cleans up the hash function states */ void PQCLEAN_SPHINCSSHA256128FROBUST_AVX2_destroy_hash_function(hash_state *hash_state_seeded) { - sha256_inc_destroy(&hash_state_seeded->x1); + sha256_inc_ctx_release(&hash_state_seeded->x1); } /* @@ -87,8 +87,6 @@ void PQCLEAN_SPHINCSSHA256128FROBUST_AVX2_gen_message_random( mlen -= PQCLEAN_SPHINCSSHA256128FROBUST_AVX2_SHA256_BLOCK_BYTES - PQCLEAN_SPHINCSSHA256128FROBUST_AVX2_N; sha256_inc_finalize(buf + PQCLEAN_SPHINCSSHA256128FROBUST_AVX2_SHA256_BLOCK_BYTES, &state, m, mlen); } - // Clean up SHA2 state. - sha256_inc_destroy(&state); for (i = 0; i < PQCLEAN_SPHINCSSHA256128FROBUST_AVX2_N; i++) { buf[i] = 0x5c ^ sk_prf[i]; @@ -148,8 +146,6 @@ void PQCLEAN_SPHINCSSHA256128FROBUST_AVX2_hash_message( mlen -= PQCLEAN_SPHINCSSHA256128FROBUST_AVX2_INBLOCKS * PQCLEAN_SPHINCSSHA256128FROBUST_AVX2_SHA256_BLOCK_BYTES - PQCLEAN_SPHINCSSHA256128FROBUST_AVX2_N - PQCLEAN_SPHINCSSHA256128FROBUST_AVX2_PK_BYTES; sha256_inc_finalize(seed, &state, m, mlen); } - // Clean up SHA2 state - sha256_inc_destroy(&state); /* By doing this in two steps, we prevent hashing the message twice; otherwise each iteration in MGF1 would hash the message again. */ diff --git a/crypto_sign/sphincs-sha256-128f-robust/avx2/thash_sha256_robust.c b/crypto_sign/sphincs-sha256-128f-robust/avx2/thash_sha256_robust.c index d21c982e..f2c72de0 100644 --- a/crypto_sign/sphincs-sha256-128f-robust/avx2/thash_sha256_robust.c +++ b/crypto_sign/sphincs-sha256-128f-robust/avx2/thash_sha256_robust.c @@ -28,7 +28,7 @@ static void thash( PQCLEAN_SPHINCSSHA256128FROBUST_AVX2_mgf1(bitmask, inblocks * PQCLEAN_SPHINCSSHA256128FROBUST_AVX2_N, buf, PQCLEAN_SPHINCSSHA256128FROBUST_AVX2_N + PQCLEAN_SPHINCSSHA256128FROBUST_AVX2_SHA256_ADDR_BYTES); /* Retrieve precomputed state containing pub_seed */ - sha256_inc_clone_state(&sha2_state, &hash_state_seeded->x1); + sha256_inc_ctx_clone(&sha2_state, &hash_state_seeded->x1); for (i = 0; i < inblocks * PQCLEAN_SPHINCSSHA256128FROBUST_AVX2_N; i++) { buf[PQCLEAN_SPHINCSSHA256128FROBUST_AVX2_N + PQCLEAN_SPHINCSSHA256128FROBUST_AVX2_SHA256_ADDR_BYTES + i] = in[i] ^ bitmask[i]; diff --git a/crypto_sign/sphincs-sha256-128f-robust/clean/hash_sha256.c b/crypto_sign/sphincs-sha256-128f-robust/clean/hash_sha256.c index 35789109..65e79907 100644 --- a/crypto_sign/sphincs-sha256-128f-robust/clean/hash_sha256.c +++ b/crypto_sign/sphincs-sha256-128f-robust/clean/hash_sha256.c @@ -20,7 +20,7 @@ void PQCLEAN_SPHINCSSHA256128FROBUST_CLEAN_initialize_hash_function( /* Clean up hash state */ void PQCLEAN_SPHINCSSHA256128FROBUST_CLEAN_destroy_hash_function(hash_state *hash_state_seeded) { - sha256_inc_destroy(hash_state_seeded); + sha256_inc_ctx_release(hash_state_seeded); } /* diff --git a/crypto_sign/sphincs-sha256-128f-robust/clean/thash_sha256_robust.c b/crypto_sign/sphincs-sha256-128f-robust/clean/thash_sha256_robust.c index 65040d18..27d59115 100644 --- a/crypto_sign/sphincs-sha256-128f-robust/clean/thash_sha256_robust.c +++ b/crypto_sign/sphincs-sha256-128f-robust/clean/thash_sha256_robust.c @@ -28,7 +28,7 @@ static void PQCLEAN_SPHINCSSHA256128FROBUST_CLEAN_thash( PQCLEAN_SPHINCSSHA256128FROBUST_CLEAN_mgf1(bitmask, inblocks * PQCLEAN_SPHINCSSHA256128FROBUST_CLEAN_N, buf, PQCLEAN_SPHINCSSHA256128FROBUST_CLEAN_N + PQCLEAN_SPHINCSSHA256128FROBUST_CLEAN_SHA256_ADDR_BYTES); /* Retrieve precomputed state containing pub_seed */ - sha256_inc_clone_state(&sha2_state, hash_state_seeded); + sha256_inc_ctx_clone(&sha2_state, hash_state_seeded); for (i = 0; i < inblocks * PQCLEAN_SPHINCSSHA256128FROBUST_CLEAN_N; i++) { buf[PQCLEAN_SPHINCSSHA256128FROBUST_CLEAN_N + PQCLEAN_SPHINCSSHA256128FROBUST_CLEAN_SHA256_ADDR_BYTES + i] = in[i] ^ bitmask[i]; diff --git a/crypto_sign/sphincs-sha256-128f-simple/avx2/hash_sha256.c b/crypto_sign/sphincs-sha256-128f-simple/avx2/hash_sha256.c index 06501644..27ad6331 100644 --- a/crypto_sign/sphincs-sha256-128f-simple/avx2/hash_sha256.c +++ b/crypto_sign/sphincs-sha256-128f-simple/avx2/hash_sha256.c @@ -25,7 +25,7 @@ void PQCLEAN_SPHINCSSHA256128FSIMPLE_AVX2_initialize_hash_function( * Cleans up the hash function states */ void PQCLEAN_SPHINCSSHA256128FSIMPLE_AVX2_destroy_hash_function(hash_state *hash_state_seeded) { - sha256_inc_destroy(&hash_state_seeded->x1); + sha256_inc_ctx_release(&hash_state_seeded->x1); } /* @@ -87,8 +87,6 @@ void PQCLEAN_SPHINCSSHA256128FSIMPLE_AVX2_gen_message_random( mlen -= PQCLEAN_SPHINCSSHA256128FSIMPLE_AVX2_SHA256_BLOCK_BYTES - PQCLEAN_SPHINCSSHA256128FSIMPLE_AVX2_N; sha256_inc_finalize(buf + PQCLEAN_SPHINCSSHA256128FSIMPLE_AVX2_SHA256_BLOCK_BYTES, &state, m, mlen); } - // Clean up SHA2 state. - sha256_inc_destroy(&state); for (i = 0; i < PQCLEAN_SPHINCSSHA256128FSIMPLE_AVX2_N; i++) { buf[i] = 0x5c ^ sk_prf[i]; @@ -148,8 +146,6 @@ void PQCLEAN_SPHINCSSHA256128FSIMPLE_AVX2_hash_message( mlen -= PQCLEAN_SPHINCSSHA256128FSIMPLE_AVX2_INBLOCKS * PQCLEAN_SPHINCSSHA256128FSIMPLE_AVX2_SHA256_BLOCK_BYTES - PQCLEAN_SPHINCSSHA256128FSIMPLE_AVX2_N - PQCLEAN_SPHINCSSHA256128FSIMPLE_AVX2_PK_BYTES; sha256_inc_finalize(seed, &state, m, mlen); } - // Clean up SHA2 state - sha256_inc_destroy(&state); /* By doing this in two steps, we prevent hashing the message twice; otherwise each iteration in MGF1 would hash the message again. */ diff --git a/crypto_sign/sphincs-sha256-128f-simple/avx2/thash_sha256_simple.c b/crypto_sign/sphincs-sha256-128f-simple/avx2/thash_sha256_simple.c index af841881..2f900c56 100644 --- a/crypto_sign/sphincs-sha256-128f-simple/avx2/thash_sha256_simple.c +++ b/crypto_sign/sphincs-sha256-128f-simple/avx2/thash_sha256_simple.c @@ -23,7 +23,7 @@ static void PQCLEAN_SPHINCSSHA256128FSIMPLE_AVX2_thash( (void)pub_seed; /* Suppress an 'unused parameter' warning. */ /* Retrieve precomputed state containing pub_seed */ - sha256_inc_clone_state(&sha2_state, &hash_state_seeded->x1); + sha256_inc_ctx_clone(&sha2_state, &hash_state_seeded->x1); PQCLEAN_SPHINCSSHA256128FSIMPLE_AVX2_compress_address(buf, addr); memcpy(buf + PQCLEAN_SPHINCSSHA256128FSIMPLE_AVX2_SHA256_ADDR_BYTES, in, inblocks * PQCLEAN_SPHINCSSHA256128FSIMPLE_AVX2_N); diff --git a/crypto_sign/sphincs-sha256-128f-simple/clean/hash_sha256.c b/crypto_sign/sphincs-sha256-128f-simple/clean/hash_sha256.c index b65f6622..0420a41c 100644 --- a/crypto_sign/sphincs-sha256-128f-simple/clean/hash_sha256.c +++ b/crypto_sign/sphincs-sha256-128f-simple/clean/hash_sha256.c @@ -20,7 +20,7 @@ void PQCLEAN_SPHINCSSHA256128FSIMPLE_CLEAN_initialize_hash_function( /* Clean up hash state */ void PQCLEAN_SPHINCSSHA256128FSIMPLE_CLEAN_destroy_hash_function(hash_state *hash_state_seeded) { - sha256_inc_destroy(hash_state_seeded); + sha256_inc_ctx_release(hash_state_seeded); } /* diff --git a/crypto_sign/sphincs-sha256-128f-simple/clean/thash_sha256_simple.c b/crypto_sign/sphincs-sha256-128f-simple/clean/thash_sha256_simple.c index 0e8178f5..ef0d3a93 100644 --- a/crypto_sign/sphincs-sha256-128f-simple/clean/thash_sha256_simple.c +++ b/crypto_sign/sphincs-sha256-128f-simple/clean/thash_sha256_simple.c @@ -23,7 +23,7 @@ static void PQCLEAN_SPHINCSSHA256128FSIMPLE_CLEAN_thash( (void)pub_seed; /* Suppress an 'unused parameter' warning. */ /* Retrieve precomputed state containing pub_seed */ - sha256_inc_clone_state(&sha2_state, hash_state_seeded); + sha256_inc_ctx_clone(&sha2_state, hash_state_seeded); PQCLEAN_SPHINCSSHA256128FSIMPLE_CLEAN_compress_address(buf, addr); memcpy(buf + PQCLEAN_SPHINCSSHA256128FSIMPLE_CLEAN_SHA256_ADDR_BYTES, in, inblocks * PQCLEAN_SPHINCSSHA256128FSIMPLE_CLEAN_N); diff --git a/crypto_sign/sphincs-sha256-128s-robust/avx2/hash_sha256.c b/crypto_sign/sphincs-sha256-128s-robust/avx2/hash_sha256.c index 2b6b4c5f..3bb03320 100644 --- a/crypto_sign/sphincs-sha256-128s-robust/avx2/hash_sha256.c +++ b/crypto_sign/sphincs-sha256-128s-robust/avx2/hash_sha256.c @@ -25,7 +25,7 @@ void PQCLEAN_SPHINCSSHA256128SROBUST_AVX2_initialize_hash_function( * Cleans up the hash function states */ void PQCLEAN_SPHINCSSHA256128SROBUST_AVX2_destroy_hash_function(hash_state *hash_state_seeded) { - sha256_inc_destroy(&hash_state_seeded->x1); + sha256_inc_ctx_release(&hash_state_seeded->x1); } /* @@ -87,8 +87,6 @@ void PQCLEAN_SPHINCSSHA256128SROBUST_AVX2_gen_message_random( mlen -= PQCLEAN_SPHINCSSHA256128SROBUST_AVX2_SHA256_BLOCK_BYTES - PQCLEAN_SPHINCSSHA256128SROBUST_AVX2_N; sha256_inc_finalize(buf + PQCLEAN_SPHINCSSHA256128SROBUST_AVX2_SHA256_BLOCK_BYTES, &state, m, mlen); } - // Clean up SHA2 state. - sha256_inc_destroy(&state); for (i = 0; i < PQCLEAN_SPHINCSSHA256128SROBUST_AVX2_N; i++) { buf[i] = 0x5c ^ sk_prf[i]; @@ -148,8 +146,6 @@ void PQCLEAN_SPHINCSSHA256128SROBUST_AVX2_hash_message( mlen -= PQCLEAN_SPHINCSSHA256128SROBUST_AVX2_INBLOCKS * PQCLEAN_SPHINCSSHA256128SROBUST_AVX2_SHA256_BLOCK_BYTES - PQCLEAN_SPHINCSSHA256128SROBUST_AVX2_N - PQCLEAN_SPHINCSSHA256128SROBUST_AVX2_PK_BYTES; sha256_inc_finalize(seed, &state, m, mlen); } - // Clean up SHA2 state - sha256_inc_destroy(&state); /* By doing this in two steps, we prevent hashing the message twice; otherwise each iteration in MGF1 would hash the message again. */ diff --git a/crypto_sign/sphincs-sha256-128s-robust/avx2/thash_sha256_robust.c b/crypto_sign/sphincs-sha256-128s-robust/avx2/thash_sha256_robust.c index fec0fe3b..b9af100e 100644 --- a/crypto_sign/sphincs-sha256-128s-robust/avx2/thash_sha256_robust.c +++ b/crypto_sign/sphincs-sha256-128s-robust/avx2/thash_sha256_robust.c @@ -28,7 +28,7 @@ static void thash( PQCLEAN_SPHINCSSHA256128SROBUST_AVX2_mgf1(bitmask, inblocks * PQCLEAN_SPHINCSSHA256128SROBUST_AVX2_N, buf, PQCLEAN_SPHINCSSHA256128SROBUST_AVX2_N + PQCLEAN_SPHINCSSHA256128SROBUST_AVX2_SHA256_ADDR_BYTES); /* Retrieve precomputed state containing pub_seed */ - sha256_inc_clone_state(&sha2_state, &hash_state_seeded->x1); + sha256_inc_ctx_clone(&sha2_state, &hash_state_seeded->x1); for (i = 0; i < inblocks * PQCLEAN_SPHINCSSHA256128SROBUST_AVX2_N; i++) { buf[PQCLEAN_SPHINCSSHA256128SROBUST_AVX2_N + PQCLEAN_SPHINCSSHA256128SROBUST_AVX2_SHA256_ADDR_BYTES + i] = in[i] ^ bitmask[i]; diff --git a/crypto_sign/sphincs-sha256-128s-robust/clean/hash_sha256.c b/crypto_sign/sphincs-sha256-128s-robust/clean/hash_sha256.c index 92a34172..744670a8 100644 --- a/crypto_sign/sphincs-sha256-128s-robust/clean/hash_sha256.c +++ b/crypto_sign/sphincs-sha256-128s-robust/clean/hash_sha256.c @@ -20,7 +20,7 @@ void PQCLEAN_SPHINCSSHA256128SROBUST_CLEAN_initialize_hash_function( /* Clean up hash state */ void PQCLEAN_SPHINCSSHA256128SROBUST_CLEAN_destroy_hash_function(hash_state *hash_state_seeded) { - sha256_inc_destroy(hash_state_seeded); + sha256_inc_ctx_release(hash_state_seeded); } /* diff --git a/crypto_sign/sphincs-sha256-128s-robust/clean/thash_sha256_robust.c b/crypto_sign/sphincs-sha256-128s-robust/clean/thash_sha256_robust.c index 1f4ef3b9..a10b1a82 100644 --- a/crypto_sign/sphincs-sha256-128s-robust/clean/thash_sha256_robust.c +++ b/crypto_sign/sphincs-sha256-128s-robust/clean/thash_sha256_robust.c @@ -28,7 +28,7 @@ static void PQCLEAN_SPHINCSSHA256128SROBUST_CLEAN_thash( PQCLEAN_SPHINCSSHA256128SROBUST_CLEAN_mgf1(bitmask, inblocks * PQCLEAN_SPHINCSSHA256128SROBUST_CLEAN_N, buf, PQCLEAN_SPHINCSSHA256128SROBUST_CLEAN_N + PQCLEAN_SPHINCSSHA256128SROBUST_CLEAN_SHA256_ADDR_BYTES); /* Retrieve precomputed state containing pub_seed */ - sha256_inc_clone_state(&sha2_state, hash_state_seeded); + sha256_inc_ctx_clone(&sha2_state, hash_state_seeded); for (i = 0; i < inblocks * PQCLEAN_SPHINCSSHA256128SROBUST_CLEAN_N; i++) { buf[PQCLEAN_SPHINCSSHA256128SROBUST_CLEAN_N + PQCLEAN_SPHINCSSHA256128SROBUST_CLEAN_SHA256_ADDR_BYTES + i] = in[i] ^ bitmask[i]; diff --git a/crypto_sign/sphincs-sha256-128s-simple/avx2/hash_sha256.c b/crypto_sign/sphincs-sha256-128s-simple/avx2/hash_sha256.c index 23e13a49..62625cd2 100644 --- a/crypto_sign/sphincs-sha256-128s-simple/avx2/hash_sha256.c +++ b/crypto_sign/sphincs-sha256-128s-simple/avx2/hash_sha256.c @@ -25,7 +25,7 @@ void PQCLEAN_SPHINCSSHA256128SSIMPLE_AVX2_initialize_hash_function( * Cleans up the hash function states */ void PQCLEAN_SPHINCSSHA256128SSIMPLE_AVX2_destroy_hash_function(hash_state *hash_state_seeded) { - sha256_inc_destroy(&hash_state_seeded->x1); + sha256_inc_ctx_release(&hash_state_seeded->x1); } /* @@ -87,8 +87,6 @@ void PQCLEAN_SPHINCSSHA256128SSIMPLE_AVX2_gen_message_random( mlen -= PQCLEAN_SPHINCSSHA256128SSIMPLE_AVX2_SHA256_BLOCK_BYTES - PQCLEAN_SPHINCSSHA256128SSIMPLE_AVX2_N; sha256_inc_finalize(buf + PQCLEAN_SPHINCSSHA256128SSIMPLE_AVX2_SHA256_BLOCK_BYTES, &state, m, mlen); } - // Clean up SHA2 state. - sha256_inc_destroy(&state); for (i = 0; i < PQCLEAN_SPHINCSSHA256128SSIMPLE_AVX2_N; i++) { buf[i] = 0x5c ^ sk_prf[i]; @@ -148,8 +146,6 @@ void PQCLEAN_SPHINCSSHA256128SSIMPLE_AVX2_hash_message( mlen -= PQCLEAN_SPHINCSSHA256128SSIMPLE_AVX2_INBLOCKS * PQCLEAN_SPHINCSSHA256128SSIMPLE_AVX2_SHA256_BLOCK_BYTES - PQCLEAN_SPHINCSSHA256128SSIMPLE_AVX2_N - PQCLEAN_SPHINCSSHA256128SSIMPLE_AVX2_PK_BYTES; sha256_inc_finalize(seed, &state, m, mlen); } - // Clean up SHA2 state - sha256_inc_destroy(&state); /* By doing this in two steps, we prevent hashing the message twice; otherwise each iteration in MGF1 would hash the message again. */ diff --git a/crypto_sign/sphincs-sha256-128s-simple/avx2/thash_sha256_simple.c b/crypto_sign/sphincs-sha256-128s-simple/avx2/thash_sha256_simple.c index e877b70d..df280608 100644 --- a/crypto_sign/sphincs-sha256-128s-simple/avx2/thash_sha256_simple.c +++ b/crypto_sign/sphincs-sha256-128s-simple/avx2/thash_sha256_simple.c @@ -23,7 +23,7 @@ static void PQCLEAN_SPHINCSSHA256128SSIMPLE_AVX2_thash( (void)pub_seed; /* Suppress an 'unused parameter' warning. */ /* Retrieve precomputed state containing pub_seed */ - sha256_inc_clone_state(&sha2_state, &hash_state_seeded->x1); + sha256_inc_ctx_clone(&sha2_state, &hash_state_seeded->x1); PQCLEAN_SPHINCSSHA256128SSIMPLE_AVX2_compress_address(buf, addr); memcpy(buf + PQCLEAN_SPHINCSSHA256128SSIMPLE_AVX2_SHA256_ADDR_BYTES, in, inblocks * PQCLEAN_SPHINCSSHA256128SSIMPLE_AVX2_N); diff --git a/crypto_sign/sphincs-sha256-128s-simple/clean/hash_sha256.c b/crypto_sign/sphincs-sha256-128s-simple/clean/hash_sha256.c index 132e9ced..b2334d19 100644 --- a/crypto_sign/sphincs-sha256-128s-simple/clean/hash_sha256.c +++ b/crypto_sign/sphincs-sha256-128s-simple/clean/hash_sha256.c @@ -20,7 +20,7 @@ void PQCLEAN_SPHINCSSHA256128SSIMPLE_CLEAN_initialize_hash_function( /* Clean up hash state */ void PQCLEAN_SPHINCSSHA256128SSIMPLE_CLEAN_destroy_hash_function(hash_state *hash_state_seeded) { - sha256_inc_destroy(hash_state_seeded); + sha256_inc_ctx_release(hash_state_seeded); } /* diff --git a/crypto_sign/sphincs-sha256-128s-simple/clean/thash_sha256_simple.c b/crypto_sign/sphincs-sha256-128s-simple/clean/thash_sha256_simple.c index 2dae21a7..4695df98 100644 --- a/crypto_sign/sphincs-sha256-128s-simple/clean/thash_sha256_simple.c +++ b/crypto_sign/sphincs-sha256-128s-simple/clean/thash_sha256_simple.c @@ -23,7 +23,7 @@ static void PQCLEAN_SPHINCSSHA256128SSIMPLE_CLEAN_thash( (void)pub_seed; /* Suppress an 'unused parameter' warning. */ /* Retrieve precomputed state containing pub_seed */ - sha256_inc_clone_state(&sha2_state, hash_state_seeded); + sha256_inc_ctx_clone(&sha2_state, hash_state_seeded); PQCLEAN_SPHINCSSHA256128SSIMPLE_CLEAN_compress_address(buf, addr); memcpy(buf + PQCLEAN_SPHINCSSHA256128SSIMPLE_CLEAN_SHA256_ADDR_BYTES, in, inblocks * PQCLEAN_SPHINCSSHA256128SSIMPLE_CLEAN_N); diff --git a/crypto_sign/sphincs-sha256-192f-robust/avx2/hash_sha256.c b/crypto_sign/sphincs-sha256-192f-robust/avx2/hash_sha256.c index a6f74a2a..fad52a5f 100644 --- a/crypto_sign/sphincs-sha256-192f-robust/avx2/hash_sha256.c +++ b/crypto_sign/sphincs-sha256-192f-robust/avx2/hash_sha256.c @@ -25,7 +25,7 @@ void PQCLEAN_SPHINCSSHA256192FROBUST_AVX2_initialize_hash_function( * Cleans up the hash function states */ void PQCLEAN_SPHINCSSHA256192FROBUST_AVX2_destroy_hash_function(hash_state *hash_state_seeded) { - sha256_inc_destroy(&hash_state_seeded->x1); + sha256_inc_ctx_release(&hash_state_seeded->x1); } /* @@ -87,8 +87,6 @@ void PQCLEAN_SPHINCSSHA256192FROBUST_AVX2_gen_message_random( mlen -= PQCLEAN_SPHINCSSHA256192FROBUST_AVX2_SHA256_BLOCK_BYTES - PQCLEAN_SPHINCSSHA256192FROBUST_AVX2_N; sha256_inc_finalize(buf + PQCLEAN_SPHINCSSHA256192FROBUST_AVX2_SHA256_BLOCK_BYTES, &state, m, mlen); } - // Clean up SHA2 state. - sha256_inc_destroy(&state); for (i = 0; i < PQCLEAN_SPHINCSSHA256192FROBUST_AVX2_N; i++) { buf[i] = 0x5c ^ sk_prf[i]; @@ -148,8 +146,6 @@ void PQCLEAN_SPHINCSSHA256192FROBUST_AVX2_hash_message( mlen -= PQCLEAN_SPHINCSSHA256192FROBUST_AVX2_INBLOCKS * PQCLEAN_SPHINCSSHA256192FROBUST_AVX2_SHA256_BLOCK_BYTES - PQCLEAN_SPHINCSSHA256192FROBUST_AVX2_N - PQCLEAN_SPHINCSSHA256192FROBUST_AVX2_PK_BYTES; sha256_inc_finalize(seed, &state, m, mlen); } - // Clean up SHA2 state - sha256_inc_destroy(&state); /* By doing this in two steps, we prevent hashing the message twice; otherwise each iteration in MGF1 would hash the message again. */ diff --git a/crypto_sign/sphincs-sha256-192f-robust/avx2/thash_sha256_robust.c b/crypto_sign/sphincs-sha256-192f-robust/avx2/thash_sha256_robust.c index 3a554235..157e8ff5 100644 --- a/crypto_sign/sphincs-sha256-192f-robust/avx2/thash_sha256_robust.c +++ b/crypto_sign/sphincs-sha256-192f-robust/avx2/thash_sha256_robust.c @@ -28,7 +28,7 @@ static void thash( PQCLEAN_SPHINCSSHA256192FROBUST_AVX2_mgf1(bitmask, inblocks * PQCLEAN_SPHINCSSHA256192FROBUST_AVX2_N, buf, PQCLEAN_SPHINCSSHA256192FROBUST_AVX2_N + PQCLEAN_SPHINCSSHA256192FROBUST_AVX2_SHA256_ADDR_BYTES); /* Retrieve precomputed state containing pub_seed */ - sha256_inc_clone_state(&sha2_state, &hash_state_seeded->x1); + sha256_inc_ctx_clone(&sha2_state, &hash_state_seeded->x1); for (i = 0; i < inblocks * PQCLEAN_SPHINCSSHA256192FROBUST_AVX2_N; i++) { buf[PQCLEAN_SPHINCSSHA256192FROBUST_AVX2_N + PQCLEAN_SPHINCSSHA256192FROBUST_AVX2_SHA256_ADDR_BYTES + i] = in[i] ^ bitmask[i]; diff --git a/crypto_sign/sphincs-sha256-192f-robust/clean/hash_sha256.c b/crypto_sign/sphincs-sha256-192f-robust/clean/hash_sha256.c index 9a1bfa04..490b60b9 100644 --- a/crypto_sign/sphincs-sha256-192f-robust/clean/hash_sha256.c +++ b/crypto_sign/sphincs-sha256-192f-robust/clean/hash_sha256.c @@ -20,7 +20,7 @@ void PQCLEAN_SPHINCSSHA256192FROBUST_CLEAN_initialize_hash_function( /* Clean up hash state */ void PQCLEAN_SPHINCSSHA256192FROBUST_CLEAN_destroy_hash_function(hash_state *hash_state_seeded) { - sha256_inc_destroy(hash_state_seeded); + sha256_inc_ctx_release(hash_state_seeded); } /* diff --git a/crypto_sign/sphincs-sha256-192f-robust/clean/thash_sha256_robust.c b/crypto_sign/sphincs-sha256-192f-robust/clean/thash_sha256_robust.c index b38f3e15..8a289d07 100644 --- a/crypto_sign/sphincs-sha256-192f-robust/clean/thash_sha256_robust.c +++ b/crypto_sign/sphincs-sha256-192f-robust/clean/thash_sha256_robust.c @@ -28,7 +28,7 @@ static void PQCLEAN_SPHINCSSHA256192FROBUST_CLEAN_thash( PQCLEAN_SPHINCSSHA256192FROBUST_CLEAN_mgf1(bitmask, inblocks * PQCLEAN_SPHINCSSHA256192FROBUST_CLEAN_N, buf, PQCLEAN_SPHINCSSHA256192FROBUST_CLEAN_N + PQCLEAN_SPHINCSSHA256192FROBUST_CLEAN_SHA256_ADDR_BYTES); /* Retrieve precomputed state containing pub_seed */ - sha256_inc_clone_state(&sha2_state, hash_state_seeded); + sha256_inc_ctx_clone(&sha2_state, hash_state_seeded); for (i = 0; i < inblocks * PQCLEAN_SPHINCSSHA256192FROBUST_CLEAN_N; i++) { buf[PQCLEAN_SPHINCSSHA256192FROBUST_CLEAN_N + PQCLEAN_SPHINCSSHA256192FROBUST_CLEAN_SHA256_ADDR_BYTES + i] = in[i] ^ bitmask[i]; diff --git a/crypto_sign/sphincs-sha256-192f-simple/avx2/hash_sha256.c b/crypto_sign/sphincs-sha256-192f-simple/avx2/hash_sha256.c index 54c45a6d..88e9f529 100644 --- a/crypto_sign/sphincs-sha256-192f-simple/avx2/hash_sha256.c +++ b/crypto_sign/sphincs-sha256-192f-simple/avx2/hash_sha256.c @@ -25,7 +25,7 @@ void PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_initialize_hash_function( * Cleans up the hash function states */ void PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_destroy_hash_function(hash_state *hash_state_seeded) { - sha256_inc_destroy(&hash_state_seeded->x1); + sha256_inc_ctx_release(&hash_state_seeded->x1); } /* @@ -87,8 +87,6 @@ void PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_gen_message_random( mlen -= PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_SHA256_BLOCK_BYTES - PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_N; sha256_inc_finalize(buf + PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_SHA256_BLOCK_BYTES, &state, m, mlen); } - // Clean up SHA2 state. - sha256_inc_destroy(&state); for (i = 0; i < PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_N; i++) { buf[i] = 0x5c ^ sk_prf[i]; @@ -148,8 +146,6 @@ void PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_hash_message( mlen -= PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_INBLOCKS * PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_SHA256_BLOCK_BYTES - PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_N - PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_PK_BYTES; sha256_inc_finalize(seed, &state, m, mlen); } - // Clean up SHA2 state - sha256_inc_destroy(&state); /* By doing this in two steps, we prevent hashing the message twice; otherwise each iteration in MGF1 would hash the message again. */ diff --git a/crypto_sign/sphincs-sha256-192f-simple/avx2/thash_sha256_simple.c b/crypto_sign/sphincs-sha256-192f-simple/avx2/thash_sha256_simple.c index 0a5f13ab..57f57ead 100644 --- a/crypto_sign/sphincs-sha256-192f-simple/avx2/thash_sha256_simple.c +++ b/crypto_sign/sphincs-sha256-192f-simple/avx2/thash_sha256_simple.c @@ -23,7 +23,7 @@ static void PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_thash( (void)pub_seed; /* Suppress an 'unused parameter' warning. */ /* Retrieve precomputed state containing pub_seed */ - sha256_inc_clone_state(&sha2_state, &hash_state_seeded->x1); + sha256_inc_ctx_clone(&sha2_state, &hash_state_seeded->x1); PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_compress_address(buf, addr); memcpy(buf + PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_SHA256_ADDR_BYTES, in, inblocks * PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_N); diff --git a/crypto_sign/sphincs-sha256-192f-simple/clean/hash_sha256.c b/crypto_sign/sphincs-sha256-192f-simple/clean/hash_sha256.c index f5e71ffb..5a5e5c3a 100644 --- a/crypto_sign/sphincs-sha256-192f-simple/clean/hash_sha256.c +++ b/crypto_sign/sphincs-sha256-192f-simple/clean/hash_sha256.c @@ -20,7 +20,7 @@ void PQCLEAN_SPHINCSSHA256192FSIMPLE_CLEAN_initialize_hash_function( /* Clean up hash state */ void PQCLEAN_SPHINCSSHA256192FSIMPLE_CLEAN_destroy_hash_function(hash_state *hash_state_seeded) { - sha256_inc_destroy(hash_state_seeded); + sha256_inc_ctx_release(hash_state_seeded); } /* diff --git a/crypto_sign/sphincs-sha256-192f-simple/clean/thash_sha256_simple.c b/crypto_sign/sphincs-sha256-192f-simple/clean/thash_sha256_simple.c index 00021971..445aab66 100644 --- a/crypto_sign/sphincs-sha256-192f-simple/clean/thash_sha256_simple.c +++ b/crypto_sign/sphincs-sha256-192f-simple/clean/thash_sha256_simple.c @@ -23,7 +23,7 @@ static void PQCLEAN_SPHINCSSHA256192FSIMPLE_CLEAN_thash( (void)pub_seed; /* Suppress an 'unused parameter' warning. */ /* Retrieve precomputed state containing pub_seed */ - sha256_inc_clone_state(&sha2_state, hash_state_seeded); + sha256_inc_ctx_clone(&sha2_state, hash_state_seeded); PQCLEAN_SPHINCSSHA256192FSIMPLE_CLEAN_compress_address(buf, addr); memcpy(buf + PQCLEAN_SPHINCSSHA256192FSIMPLE_CLEAN_SHA256_ADDR_BYTES, in, inblocks * PQCLEAN_SPHINCSSHA256192FSIMPLE_CLEAN_N); diff --git a/crypto_sign/sphincs-sha256-192s-robust/avx2/hash_sha256.c b/crypto_sign/sphincs-sha256-192s-robust/avx2/hash_sha256.c index 52bcc426..aef4714c 100644 --- a/crypto_sign/sphincs-sha256-192s-robust/avx2/hash_sha256.c +++ b/crypto_sign/sphincs-sha256-192s-robust/avx2/hash_sha256.c @@ -25,7 +25,7 @@ void PQCLEAN_SPHINCSSHA256192SROBUST_AVX2_initialize_hash_function( * Cleans up the hash function states */ void PQCLEAN_SPHINCSSHA256192SROBUST_AVX2_destroy_hash_function(hash_state *hash_state_seeded) { - sha256_inc_destroy(&hash_state_seeded->x1); + sha256_inc_ctx_release(&hash_state_seeded->x1); } /* @@ -87,8 +87,6 @@ void PQCLEAN_SPHINCSSHA256192SROBUST_AVX2_gen_message_random( mlen -= PQCLEAN_SPHINCSSHA256192SROBUST_AVX2_SHA256_BLOCK_BYTES - PQCLEAN_SPHINCSSHA256192SROBUST_AVX2_N; sha256_inc_finalize(buf + PQCLEAN_SPHINCSSHA256192SROBUST_AVX2_SHA256_BLOCK_BYTES, &state, m, mlen); } - // Clean up SHA2 state. - sha256_inc_destroy(&state); for (i = 0; i < PQCLEAN_SPHINCSSHA256192SROBUST_AVX2_N; i++) { buf[i] = 0x5c ^ sk_prf[i]; @@ -148,8 +146,6 @@ void PQCLEAN_SPHINCSSHA256192SROBUST_AVX2_hash_message( mlen -= PQCLEAN_SPHINCSSHA256192SROBUST_AVX2_INBLOCKS * PQCLEAN_SPHINCSSHA256192SROBUST_AVX2_SHA256_BLOCK_BYTES - PQCLEAN_SPHINCSSHA256192SROBUST_AVX2_N - PQCLEAN_SPHINCSSHA256192SROBUST_AVX2_PK_BYTES; sha256_inc_finalize(seed, &state, m, mlen); } - // Clean up SHA2 state - sha256_inc_destroy(&state); /* By doing this in two steps, we prevent hashing the message twice; otherwise each iteration in MGF1 would hash the message again. */ diff --git a/crypto_sign/sphincs-sha256-192s-robust/avx2/thash_sha256_robust.c b/crypto_sign/sphincs-sha256-192s-robust/avx2/thash_sha256_robust.c index eabc7cea..5c56e524 100644 --- a/crypto_sign/sphincs-sha256-192s-robust/avx2/thash_sha256_robust.c +++ b/crypto_sign/sphincs-sha256-192s-robust/avx2/thash_sha256_robust.c @@ -28,7 +28,7 @@ static void thash( PQCLEAN_SPHINCSSHA256192SROBUST_AVX2_mgf1(bitmask, inblocks * PQCLEAN_SPHINCSSHA256192SROBUST_AVX2_N, buf, PQCLEAN_SPHINCSSHA256192SROBUST_AVX2_N + PQCLEAN_SPHINCSSHA256192SROBUST_AVX2_SHA256_ADDR_BYTES); /* Retrieve precomputed state containing pub_seed */ - sha256_inc_clone_state(&sha2_state, &hash_state_seeded->x1); + sha256_inc_ctx_clone(&sha2_state, &hash_state_seeded->x1); for (i = 0; i < inblocks * PQCLEAN_SPHINCSSHA256192SROBUST_AVX2_N; i++) { buf[PQCLEAN_SPHINCSSHA256192SROBUST_AVX2_N + PQCLEAN_SPHINCSSHA256192SROBUST_AVX2_SHA256_ADDR_BYTES + i] = in[i] ^ bitmask[i]; diff --git a/crypto_sign/sphincs-sha256-192s-robust/clean/hash_sha256.c b/crypto_sign/sphincs-sha256-192s-robust/clean/hash_sha256.c index 1747e4da..88f7c47e 100644 --- a/crypto_sign/sphincs-sha256-192s-robust/clean/hash_sha256.c +++ b/crypto_sign/sphincs-sha256-192s-robust/clean/hash_sha256.c @@ -20,7 +20,7 @@ void PQCLEAN_SPHINCSSHA256192SROBUST_CLEAN_initialize_hash_function( /* Clean up hash state */ void PQCLEAN_SPHINCSSHA256192SROBUST_CLEAN_destroy_hash_function(hash_state *hash_state_seeded) { - sha256_inc_destroy(hash_state_seeded); + sha256_inc_ctx_release(hash_state_seeded); } /* diff --git a/crypto_sign/sphincs-sha256-192s-robust/clean/thash_sha256_robust.c b/crypto_sign/sphincs-sha256-192s-robust/clean/thash_sha256_robust.c index 9b94cb20..996c7b32 100644 --- a/crypto_sign/sphincs-sha256-192s-robust/clean/thash_sha256_robust.c +++ b/crypto_sign/sphincs-sha256-192s-robust/clean/thash_sha256_robust.c @@ -28,7 +28,7 @@ static void PQCLEAN_SPHINCSSHA256192SROBUST_CLEAN_thash( PQCLEAN_SPHINCSSHA256192SROBUST_CLEAN_mgf1(bitmask, inblocks * PQCLEAN_SPHINCSSHA256192SROBUST_CLEAN_N, buf, PQCLEAN_SPHINCSSHA256192SROBUST_CLEAN_N + PQCLEAN_SPHINCSSHA256192SROBUST_CLEAN_SHA256_ADDR_BYTES); /* Retrieve precomputed state containing pub_seed */ - sha256_inc_clone_state(&sha2_state, hash_state_seeded); + sha256_inc_ctx_clone(&sha2_state, hash_state_seeded); for (i = 0; i < inblocks * PQCLEAN_SPHINCSSHA256192SROBUST_CLEAN_N; i++) { buf[PQCLEAN_SPHINCSSHA256192SROBUST_CLEAN_N + PQCLEAN_SPHINCSSHA256192SROBUST_CLEAN_SHA256_ADDR_BYTES + i] = in[i] ^ bitmask[i]; diff --git a/crypto_sign/sphincs-sha256-192s-simple/avx2/hash_sha256.c b/crypto_sign/sphincs-sha256-192s-simple/avx2/hash_sha256.c index fd8c55e9..40301ba1 100644 --- a/crypto_sign/sphincs-sha256-192s-simple/avx2/hash_sha256.c +++ b/crypto_sign/sphincs-sha256-192s-simple/avx2/hash_sha256.c @@ -25,7 +25,7 @@ void PQCLEAN_SPHINCSSHA256192SSIMPLE_AVX2_initialize_hash_function( * Cleans up the hash function states */ void PQCLEAN_SPHINCSSHA256192SSIMPLE_AVX2_destroy_hash_function(hash_state *hash_state_seeded) { - sha256_inc_destroy(&hash_state_seeded->x1); + sha256_inc_ctx_release(&hash_state_seeded->x1); } /* @@ -87,8 +87,6 @@ void PQCLEAN_SPHINCSSHA256192SSIMPLE_AVX2_gen_message_random( mlen -= PQCLEAN_SPHINCSSHA256192SSIMPLE_AVX2_SHA256_BLOCK_BYTES - PQCLEAN_SPHINCSSHA256192SSIMPLE_AVX2_N; sha256_inc_finalize(buf + PQCLEAN_SPHINCSSHA256192SSIMPLE_AVX2_SHA256_BLOCK_BYTES, &state, m, mlen); } - // Clean up SHA2 state. - sha256_inc_destroy(&state); for (i = 0; i < PQCLEAN_SPHINCSSHA256192SSIMPLE_AVX2_N; i++) { buf[i] = 0x5c ^ sk_prf[i]; @@ -148,8 +146,6 @@ void PQCLEAN_SPHINCSSHA256192SSIMPLE_AVX2_hash_message( mlen -= PQCLEAN_SPHINCSSHA256192SSIMPLE_AVX2_INBLOCKS * PQCLEAN_SPHINCSSHA256192SSIMPLE_AVX2_SHA256_BLOCK_BYTES - PQCLEAN_SPHINCSSHA256192SSIMPLE_AVX2_N - PQCLEAN_SPHINCSSHA256192SSIMPLE_AVX2_PK_BYTES; sha256_inc_finalize(seed, &state, m, mlen); } - // Clean up SHA2 state - sha256_inc_destroy(&state); /* By doing this in two steps, we prevent hashing the message twice; otherwise each iteration in MGF1 would hash the message again. */ diff --git a/crypto_sign/sphincs-sha256-192s-simple/avx2/thash_sha256_simple.c b/crypto_sign/sphincs-sha256-192s-simple/avx2/thash_sha256_simple.c index e5c13c8e..4f6c8c01 100644 --- a/crypto_sign/sphincs-sha256-192s-simple/avx2/thash_sha256_simple.c +++ b/crypto_sign/sphincs-sha256-192s-simple/avx2/thash_sha256_simple.c @@ -23,7 +23,7 @@ static void PQCLEAN_SPHINCSSHA256192SSIMPLE_AVX2_thash( (void)pub_seed; /* Suppress an 'unused parameter' warning. */ /* Retrieve precomputed state containing pub_seed */ - sha256_inc_clone_state(&sha2_state, &hash_state_seeded->x1); + sha256_inc_ctx_clone(&sha2_state, &hash_state_seeded->x1); PQCLEAN_SPHINCSSHA256192SSIMPLE_AVX2_compress_address(buf, addr); memcpy(buf + PQCLEAN_SPHINCSSHA256192SSIMPLE_AVX2_SHA256_ADDR_BYTES, in, inblocks * PQCLEAN_SPHINCSSHA256192SSIMPLE_AVX2_N); diff --git a/crypto_sign/sphincs-sha256-192s-simple/clean/hash_sha256.c b/crypto_sign/sphincs-sha256-192s-simple/clean/hash_sha256.c index c5b39a3d..8b7aeee2 100644 --- a/crypto_sign/sphincs-sha256-192s-simple/clean/hash_sha256.c +++ b/crypto_sign/sphincs-sha256-192s-simple/clean/hash_sha256.c @@ -20,7 +20,7 @@ void PQCLEAN_SPHINCSSHA256192SSIMPLE_CLEAN_initialize_hash_function( /* Clean up hash state */ void PQCLEAN_SPHINCSSHA256192SSIMPLE_CLEAN_destroy_hash_function(hash_state *hash_state_seeded) { - sha256_inc_destroy(hash_state_seeded); + sha256_inc_ctx_release(hash_state_seeded); } /* diff --git a/crypto_sign/sphincs-sha256-192s-simple/clean/thash_sha256_simple.c b/crypto_sign/sphincs-sha256-192s-simple/clean/thash_sha256_simple.c index 80f7a37e..7a59f4e8 100644 --- a/crypto_sign/sphincs-sha256-192s-simple/clean/thash_sha256_simple.c +++ b/crypto_sign/sphincs-sha256-192s-simple/clean/thash_sha256_simple.c @@ -23,7 +23,7 @@ static void PQCLEAN_SPHINCSSHA256192SSIMPLE_CLEAN_thash( (void)pub_seed; /* Suppress an 'unused parameter' warning. */ /* Retrieve precomputed state containing pub_seed */ - sha256_inc_clone_state(&sha2_state, hash_state_seeded); + sha256_inc_ctx_clone(&sha2_state, hash_state_seeded); PQCLEAN_SPHINCSSHA256192SSIMPLE_CLEAN_compress_address(buf, addr); memcpy(buf + PQCLEAN_SPHINCSSHA256192SSIMPLE_CLEAN_SHA256_ADDR_BYTES, in, inblocks * PQCLEAN_SPHINCSSHA256192SSIMPLE_CLEAN_N); diff --git a/crypto_sign/sphincs-sha256-256f-robust/avx2/hash_sha256.c b/crypto_sign/sphincs-sha256-256f-robust/avx2/hash_sha256.c index feb94b10..1e609a52 100644 --- a/crypto_sign/sphincs-sha256-256f-robust/avx2/hash_sha256.c +++ b/crypto_sign/sphincs-sha256-256f-robust/avx2/hash_sha256.c @@ -25,7 +25,7 @@ void PQCLEAN_SPHINCSSHA256256FROBUST_AVX2_initialize_hash_function( * Cleans up the hash function states */ void PQCLEAN_SPHINCSSHA256256FROBUST_AVX2_destroy_hash_function(hash_state *hash_state_seeded) { - sha256_inc_destroy(&hash_state_seeded->x1); + sha256_inc_ctx_release(&hash_state_seeded->x1); } /* @@ -87,8 +87,6 @@ void PQCLEAN_SPHINCSSHA256256FROBUST_AVX2_gen_message_random( mlen -= PQCLEAN_SPHINCSSHA256256FROBUST_AVX2_SHA256_BLOCK_BYTES - PQCLEAN_SPHINCSSHA256256FROBUST_AVX2_N; sha256_inc_finalize(buf + PQCLEAN_SPHINCSSHA256256FROBUST_AVX2_SHA256_BLOCK_BYTES, &state, m, mlen); } - // Clean up SHA2 state. - sha256_inc_destroy(&state); for (i = 0; i < PQCLEAN_SPHINCSSHA256256FROBUST_AVX2_N; i++) { buf[i] = 0x5c ^ sk_prf[i]; @@ -148,8 +146,6 @@ void PQCLEAN_SPHINCSSHA256256FROBUST_AVX2_hash_message( mlen -= PQCLEAN_SPHINCSSHA256256FROBUST_AVX2_INBLOCKS * PQCLEAN_SPHINCSSHA256256FROBUST_AVX2_SHA256_BLOCK_BYTES - PQCLEAN_SPHINCSSHA256256FROBUST_AVX2_N - PQCLEAN_SPHINCSSHA256256FROBUST_AVX2_PK_BYTES; sha256_inc_finalize(seed, &state, m, mlen); } - // Clean up SHA2 state - sha256_inc_destroy(&state); /* By doing this in two steps, we prevent hashing the message twice; otherwise each iteration in MGF1 would hash the message again. */ diff --git a/crypto_sign/sphincs-sha256-256f-robust/avx2/thash_sha256_robust.c b/crypto_sign/sphincs-sha256-256f-robust/avx2/thash_sha256_robust.c index 1b34ffed..09014cc9 100644 --- a/crypto_sign/sphincs-sha256-256f-robust/avx2/thash_sha256_robust.c +++ b/crypto_sign/sphincs-sha256-256f-robust/avx2/thash_sha256_robust.c @@ -28,7 +28,7 @@ static void thash( PQCLEAN_SPHINCSSHA256256FROBUST_AVX2_mgf1(bitmask, inblocks * PQCLEAN_SPHINCSSHA256256FROBUST_AVX2_N, buf, PQCLEAN_SPHINCSSHA256256FROBUST_AVX2_N + PQCLEAN_SPHINCSSHA256256FROBUST_AVX2_SHA256_ADDR_BYTES); /* Retrieve precomputed state containing pub_seed */ - sha256_inc_clone_state(&sha2_state, &hash_state_seeded->x1); + sha256_inc_ctx_clone(&sha2_state, &hash_state_seeded->x1); for (i = 0; i < inblocks * PQCLEAN_SPHINCSSHA256256FROBUST_AVX2_N; i++) { buf[PQCLEAN_SPHINCSSHA256256FROBUST_AVX2_N + PQCLEAN_SPHINCSSHA256256FROBUST_AVX2_SHA256_ADDR_BYTES + i] = in[i] ^ bitmask[i]; diff --git a/crypto_sign/sphincs-sha256-256f-robust/clean/hash_sha256.c b/crypto_sign/sphincs-sha256-256f-robust/clean/hash_sha256.c index b119a190..ccd81976 100644 --- a/crypto_sign/sphincs-sha256-256f-robust/clean/hash_sha256.c +++ b/crypto_sign/sphincs-sha256-256f-robust/clean/hash_sha256.c @@ -20,7 +20,7 @@ void PQCLEAN_SPHINCSSHA256256FROBUST_CLEAN_initialize_hash_function( /* Clean up hash state */ void PQCLEAN_SPHINCSSHA256256FROBUST_CLEAN_destroy_hash_function(hash_state *hash_state_seeded) { - sha256_inc_destroy(hash_state_seeded); + sha256_inc_ctx_release(hash_state_seeded); } /* diff --git a/crypto_sign/sphincs-sha256-256f-robust/clean/thash_sha256_robust.c b/crypto_sign/sphincs-sha256-256f-robust/clean/thash_sha256_robust.c index 8a414fcd..3e33b1ff 100644 --- a/crypto_sign/sphincs-sha256-256f-robust/clean/thash_sha256_robust.c +++ b/crypto_sign/sphincs-sha256-256f-robust/clean/thash_sha256_robust.c @@ -28,7 +28,7 @@ static void PQCLEAN_SPHINCSSHA256256FROBUST_CLEAN_thash( PQCLEAN_SPHINCSSHA256256FROBUST_CLEAN_mgf1(bitmask, inblocks * PQCLEAN_SPHINCSSHA256256FROBUST_CLEAN_N, buf, PQCLEAN_SPHINCSSHA256256FROBUST_CLEAN_N + PQCLEAN_SPHINCSSHA256256FROBUST_CLEAN_SHA256_ADDR_BYTES); /* Retrieve precomputed state containing pub_seed */ - sha256_inc_clone_state(&sha2_state, hash_state_seeded); + sha256_inc_ctx_clone(&sha2_state, hash_state_seeded); for (i = 0; i < inblocks * PQCLEAN_SPHINCSSHA256256FROBUST_CLEAN_N; i++) { buf[PQCLEAN_SPHINCSSHA256256FROBUST_CLEAN_N + PQCLEAN_SPHINCSSHA256256FROBUST_CLEAN_SHA256_ADDR_BYTES + i] = in[i] ^ bitmask[i]; diff --git a/crypto_sign/sphincs-sha256-256f-simple/avx2/hash_sha256.c b/crypto_sign/sphincs-sha256-256f-simple/avx2/hash_sha256.c index e984af90..230f8fc7 100644 --- a/crypto_sign/sphincs-sha256-256f-simple/avx2/hash_sha256.c +++ b/crypto_sign/sphincs-sha256-256f-simple/avx2/hash_sha256.c @@ -25,7 +25,7 @@ void PQCLEAN_SPHINCSSHA256256FSIMPLE_AVX2_initialize_hash_function( * Cleans up the hash function states */ void PQCLEAN_SPHINCSSHA256256FSIMPLE_AVX2_destroy_hash_function(hash_state *hash_state_seeded) { - sha256_inc_destroy(&hash_state_seeded->x1); + sha256_inc_ctx_release(&hash_state_seeded->x1); } /* @@ -87,8 +87,6 @@ void PQCLEAN_SPHINCSSHA256256FSIMPLE_AVX2_gen_message_random( mlen -= PQCLEAN_SPHINCSSHA256256FSIMPLE_AVX2_SHA256_BLOCK_BYTES - PQCLEAN_SPHINCSSHA256256FSIMPLE_AVX2_N; sha256_inc_finalize(buf + PQCLEAN_SPHINCSSHA256256FSIMPLE_AVX2_SHA256_BLOCK_BYTES, &state, m, mlen); } - // Clean up SHA2 state. - sha256_inc_destroy(&state); for (i = 0; i < PQCLEAN_SPHINCSSHA256256FSIMPLE_AVX2_N; i++) { buf[i] = 0x5c ^ sk_prf[i]; @@ -148,8 +146,6 @@ void PQCLEAN_SPHINCSSHA256256FSIMPLE_AVX2_hash_message( mlen -= PQCLEAN_SPHINCSSHA256256FSIMPLE_AVX2_INBLOCKS * PQCLEAN_SPHINCSSHA256256FSIMPLE_AVX2_SHA256_BLOCK_BYTES - PQCLEAN_SPHINCSSHA256256FSIMPLE_AVX2_N - PQCLEAN_SPHINCSSHA256256FSIMPLE_AVX2_PK_BYTES; sha256_inc_finalize(seed, &state, m, mlen); } - // Clean up SHA2 state - sha256_inc_destroy(&state); /* By doing this in two steps, we prevent hashing the message twice; otherwise each iteration in MGF1 would hash the message again. */ diff --git a/crypto_sign/sphincs-sha256-256f-simple/avx2/thash_sha256_simple.c b/crypto_sign/sphincs-sha256-256f-simple/avx2/thash_sha256_simple.c index d9c769c5..7f56f862 100644 --- a/crypto_sign/sphincs-sha256-256f-simple/avx2/thash_sha256_simple.c +++ b/crypto_sign/sphincs-sha256-256f-simple/avx2/thash_sha256_simple.c @@ -23,7 +23,7 @@ static void PQCLEAN_SPHINCSSHA256256FSIMPLE_AVX2_thash( (void)pub_seed; /* Suppress an 'unused parameter' warning. */ /* Retrieve precomputed state containing pub_seed */ - sha256_inc_clone_state(&sha2_state, &hash_state_seeded->x1); + sha256_inc_ctx_clone(&sha2_state, &hash_state_seeded->x1); PQCLEAN_SPHINCSSHA256256FSIMPLE_AVX2_compress_address(buf, addr); memcpy(buf + PQCLEAN_SPHINCSSHA256256FSIMPLE_AVX2_SHA256_ADDR_BYTES, in, inblocks * PQCLEAN_SPHINCSSHA256256FSIMPLE_AVX2_N); diff --git a/crypto_sign/sphincs-sha256-256f-simple/clean/hash_sha256.c b/crypto_sign/sphincs-sha256-256f-simple/clean/hash_sha256.c index 32d9f243..a35f2ac0 100644 --- a/crypto_sign/sphincs-sha256-256f-simple/clean/hash_sha256.c +++ b/crypto_sign/sphincs-sha256-256f-simple/clean/hash_sha256.c @@ -20,7 +20,7 @@ void PQCLEAN_SPHINCSSHA256256FSIMPLE_CLEAN_initialize_hash_function( /* Clean up hash state */ void PQCLEAN_SPHINCSSHA256256FSIMPLE_CLEAN_destroy_hash_function(hash_state *hash_state_seeded) { - sha256_inc_destroy(hash_state_seeded); + sha256_inc_ctx_release(hash_state_seeded); } /* diff --git a/crypto_sign/sphincs-sha256-256f-simple/clean/thash_sha256_simple.c b/crypto_sign/sphincs-sha256-256f-simple/clean/thash_sha256_simple.c index 4b66e0f4..333a9712 100644 --- a/crypto_sign/sphincs-sha256-256f-simple/clean/thash_sha256_simple.c +++ b/crypto_sign/sphincs-sha256-256f-simple/clean/thash_sha256_simple.c @@ -23,7 +23,7 @@ static void PQCLEAN_SPHINCSSHA256256FSIMPLE_CLEAN_thash( (void)pub_seed; /* Suppress an 'unused parameter' warning. */ /* Retrieve precomputed state containing pub_seed */ - sha256_inc_clone_state(&sha2_state, hash_state_seeded); + sha256_inc_ctx_clone(&sha2_state, hash_state_seeded); PQCLEAN_SPHINCSSHA256256FSIMPLE_CLEAN_compress_address(buf, addr); memcpy(buf + PQCLEAN_SPHINCSSHA256256FSIMPLE_CLEAN_SHA256_ADDR_BYTES, in, inblocks * PQCLEAN_SPHINCSSHA256256FSIMPLE_CLEAN_N); diff --git a/crypto_sign/sphincs-sha256-256s-robust/avx2/hash_sha256.c b/crypto_sign/sphincs-sha256-256s-robust/avx2/hash_sha256.c index ac4787bf..fffb80d3 100644 --- a/crypto_sign/sphincs-sha256-256s-robust/avx2/hash_sha256.c +++ b/crypto_sign/sphincs-sha256-256s-robust/avx2/hash_sha256.c @@ -25,7 +25,7 @@ void PQCLEAN_SPHINCSSHA256256SROBUST_AVX2_initialize_hash_function( * Cleans up the hash function states */ void PQCLEAN_SPHINCSSHA256256SROBUST_AVX2_destroy_hash_function(hash_state *hash_state_seeded) { - sha256_inc_destroy(&hash_state_seeded->x1); + sha256_inc_ctx_release(&hash_state_seeded->x1); } /* @@ -87,8 +87,6 @@ void PQCLEAN_SPHINCSSHA256256SROBUST_AVX2_gen_message_random( mlen -= PQCLEAN_SPHINCSSHA256256SROBUST_AVX2_SHA256_BLOCK_BYTES - PQCLEAN_SPHINCSSHA256256SROBUST_AVX2_N; sha256_inc_finalize(buf + PQCLEAN_SPHINCSSHA256256SROBUST_AVX2_SHA256_BLOCK_BYTES, &state, m, mlen); } - // Clean up SHA2 state. - sha256_inc_destroy(&state); for (i = 0; i < PQCLEAN_SPHINCSSHA256256SROBUST_AVX2_N; i++) { buf[i] = 0x5c ^ sk_prf[i]; @@ -148,8 +146,6 @@ void PQCLEAN_SPHINCSSHA256256SROBUST_AVX2_hash_message( mlen -= PQCLEAN_SPHINCSSHA256256SROBUST_AVX2_INBLOCKS * PQCLEAN_SPHINCSSHA256256SROBUST_AVX2_SHA256_BLOCK_BYTES - PQCLEAN_SPHINCSSHA256256SROBUST_AVX2_N - PQCLEAN_SPHINCSSHA256256SROBUST_AVX2_PK_BYTES; sha256_inc_finalize(seed, &state, m, mlen); } - // Clean up SHA2 state - sha256_inc_destroy(&state); /* By doing this in two steps, we prevent hashing the message twice; otherwise each iteration in MGF1 would hash the message again. */ diff --git a/crypto_sign/sphincs-sha256-256s-robust/avx2/thash_sha256_robust.c b/crypto_sign/sphincs-sha256-256s-robust/avx2/thash_sha256_robust.c index 6f6c4199..b8b0bdc6 100644 --- a/crypto_sign/sphincs-sha256-256s-robust/avx2/thash_sha256_robust.c +++ b/crypto_sign/sphincs-sha256-256s-robust/avx2/thash_sha256_robust.c @@ -28,7 +28,7 @@ static void thash( PQCLEAN_SPHINCSSHA256256SROBUST_AVX2_mgf1(bitmask, inblocks * PQCLEAN_SPHINCSSHA256256SROBUST_AVX2_N, buf, PQCLEAN_SPHINCSSHA256256SROBUST_AVX2_N + PQCLEAN_SPHINCSSHA256256SROBUST_AVX2_SHA256_ADDR_BYTES); /* Retrieve precomputed state containing pub_seed */ - sha256_inc_clone_state(&sha2_state, &hash_state_seeded->x1); + sha256_inc_ctx_clone(&sha2_state, &hash_state_seeded->x1); for (i = 0; i < inblocks * PQCLEAN_SPHINCSSHA256256SROBUST_AVX2_N; i++) { buf[PQCLEAN_SPHINCSSHA256256SROBUST_AVX2_N + PQCLEAN_SPHINCSSHA256256SROBUST_AVX2_SHA256_ADDR_BYTES + i] = in[i] ^ bitmask[i]; diff --git a/crypto_sign/sphincs-sha256-256s-robust/clean/hash_sha256.c b/crypto_sign/sphincs-sha256-256s-robust/clean/hash_sha256.c index 4c430861..a8264f8a 100644 --- a/crypto_sign/sphincs-sha256-256s-robust/clean/hash_sha256.c +++ b/crypto_sign/sphincs-sha256-256s-robust/clean/hash_sha256.c @@ -20,7 +20,7 @@ void PQCLEAN_SPHINCSSHA256256SROBUST_CLEAN_initialize_hash_function( /* Clean up hash state */ void PQCLEAN_SPHINCSSHA256256SROBUST_CLEAN_destroy_hash_function(hash_state *hash_state_seeded) { - sha256_inc_destroy(hash_state_seeded); + sha256_inc_ctx_release(hash_state_seeded); } /* diff --git a/crypto_sign/sphincs-sha256-256s-robust/clean/thash_sha256_robust.c b/crypto_sign/sphincs-sha256-256s-robust/clean/thash_sha256_robust.c index 1982e760..88c9e088 100644 --- a/crypto_sign/sphincs-sha256-256s-robust/clean/thash_sha256_robust.c +++ b/crypto_sign/sphincs-sha256-256s-robust/clean/thash_sha256_robust.c @@ -28,7 +28,7 @@ static void PQCLEAN_SPHINCSSHA256256SROBUST_CLEAN_thash( PQCLEAN_SPHINCSSHA256256SROBUST_CLEAN_mgf1(bitmask, inblocks * PQCLEAN_SPHINCSSHA256256SROBUST_CLEAN_N, buf, PQCLEAN_SPHINCSSHA256256SROBUST_CLEAN_N + PQCLEAN_SPHINCSSHA256256SROBUST_CLEAN_SHA256_ADDR_BYTES); /* Retrieve precomputed state containing pub_seed */ - sha256_inc_clone_state(&sha2_state, hash_state_seeded); + sha256_inc_ctx_clone(&sha2_state, hash_state_seeded); for (i = 0; i < inblocks * PQCLEAN_SPHINCSSHA256256SROBUST_CLEAN_N; i++) { buf[PQCLEAN_SPHINCSSHA256256SROBUST_CLEAN_N + PQCLEAN_SPHINCSSHA256256SROBUST_CLEAN_SHA256_ADDR_BYTES + i] = in[i] ^ bitmask[i]; diff --git a/crypto_sign/sphincs-sha256-256s-simple/avx2/hash_sha256.c b/crypto_sign/sphincs-sha256-256s-simple/avx2/hash_sha256.c index ceb87ddd..4a48a99e 100644 --- a/crypto_sign/sphincs-sha256-256s-simple/avx2/hash_sha256.c +++ b/crypto_sign/sphincs-sha256-256s-simple/avx2/hash_sha256.c @@ -25,7 +25,7 @@ void PQCLEAN_SPHINCSSHA256256SSIMPLE_AVX2_initialize_hash_function( * Cleans up the hash function states */ void PQCLEAN_SPHINCSSHA256256SSIMPLE_AVX2_destroy_hash_function(hash_state *hash_state_seeded) { - sha256_inc_destroy(&hash_state_seeded->x1); + sha256_inc_ctx_release(&hash_state_seeded->x1); } /* @@ -87,8 +87,6 @@ void PQCLEAN_SPHINCSSHA256256SSIMPLE_AVX2_gen_message_random( mlen -= PQCLEAN_SPHINCSSHA256256SSIMPLE_AVX2_SHA256_BLOCK_BYTES - PQCLEAN_SPHINCSSHA256256SSIMPLE_AVX2_N; sha256_inc_finalize(buf + PQCLEAN_SPHINCSSHA256256SSIMPLE_AVX2_SHA256_BLOCK_BYTES, &state, m, mlen); } - // Clean up SHA2 state. - sha256_inc_destroy(&state); for (i = 0; i < PQCLEAN_SPHINCSSHA256256SSIMPLE_AVX2_N; i++) { buf[i] = 0x5c ^ sk_prf[i]; @@ -148,8 +146,6 @@ void PQCLEAN_SPHINCSSHA256256SSIMPLE_AVX2_hash_message( mlen -= PQCLEAN_SPHINCSSHA256256SSIMPLE_AVX2_INBLOCKS * PQCLEAN_SPHINCSSHA256256SSIMPLE_AVX2_SHA256_BLOCK_BYTES - PQCLEAN_SPHINCSSHA256256SSIMPLE_AVX2_N - PQCLEAN_SPHINCSSHA256256SSIMPLE_AVX2_PK_BYTES; sha256_inc_finalize(seed, &state, m, mlen); } - // Clean up SHA2 state - sha256_inc_destroy(&state); /* By doing this in two steps, we prevent hashing the message twice; otherwise each iteration in MGF1 would hash the message again. */ diff --git a/crypto_sign/sphincs-sha256-256s-simple/avx2/thash_sha256_simple.c b/crypto_sign/sphincs-sha256-256s-simple/avx2/thash_sha256_simple.c index d2822187..2b84447f 100644 --- a/crypto_sign/sphincs-sha256-256s-simple/avx2/thash_sha256_simple.c +++ b/crypto_sign/sphincs-sha256-256s-simple/avx2/thash_sha256_simple.c @@ -23,7 +23,7 @@ static void PQCLEAN_SPHINCSSHA256256SSIMPLE_AVX2_thash( (void)pub_seed; /* Suppress an 'unused parameter' warning. */ /* Retrieve precomputed state containing pub_seed */ - sha256_inc_clone_state(&sha2_state, &hash_state_seeded->x1); + sha256_inc_ctx_clone(&sha2_state, &hash_state_seeded->x1); PQCLEAN_SPHINCSSHA256256SSIMPLE_AVX2_compress_address(buf, addr); memcpy(buf + PQCLEAN_SPHINCSSHA256256SSIMPLE_AVX2_SHA256_ADDR_BYTES, in, inblocks * PQCLEAN_SPHINCSSHA256256SSIMPLE_AVX2_N); diff --git a/crypto_sign/sphincs-sha256-256s-simple/clean/hash_sha256.c b/crypto_sign/sphincs-sha256-256s-simple/clean/hash_sha256.c index b5535d10..2948d690 100644 --- a/crypto_sign/sphincs-sha256-256s-simple/clean/hash_sha256.c +++ b/crypto_sign/sphincs-sha256-256s-simple/clean/hash_sha256.c @@ -20,7 +20,7 @@ void PQCLEAN_SPHINCSSHA256256SSIMPLE_CLEAN_initialize_hash_function( /* Clean up hash state */ void PQCLEAN_SPHINCSSHA256256SSIMPLE_CLEAN_destroy_hash_function(hash_state *hash_state_seeded) { - sha256_inc_destroy(hash_state_seeded); + sha256_inc_ctx_release(hash_state_seeded); } /* diff --git a/crypto_sign/sphincs-sha256-256s-simple/clean/thash_sha256_simple.c b/crypto_sign/sphincs-sha256-256s-simple/clean/thash_sha256_simple.c index 9748b01c..44023c41 100644 --- a/crypto_sign/sphincs-sha256-256s-simple/clean/thash_sha256_simple.c +++ b/crypto_sign/sphincs-sha256-256s-simple/clean/thash_sha256_simple.c @@ -23,7 +23,7 @@ static void PQCLEAN_SPHINCSSHA256256SSIMPLE_CLEAN_thash( (void)pub_seed; /* Suppress an 'unused parameter' warning. */ /* Retrieve precomputed state containing pub_seed */ - sha256_inc_clone_state(&sha2_state, hash_state_seeded); + sha256_inc_ctx_clone(&sha2_state, hash_state_seeded); PQCLEAN_SPHINCSSHA256256SSIMPLE_CLEAN_compress_address(buf, addr); memcpy(buf + PQCLEAN_SPHINCSSHA256256SSIMPLE_CLEAN_SHA256_ADDR_BYTES, in, inblocks * PQCLEAN_SPHINCSSHA256256SSIMPLE_CLEAN_N); diff --git a/crypto_sign/sphincs-shake256-128f-robust/avx2/hash_shake256.c b/crypto_sign/sphincs-shake256-128f-robust/avx2/hash_shake256.c index 682b2420..fe3aa3bd 100644 --- a/crypto_sign/sphincs-shake256-128f-robust/avx2/hash_shake256.c +++ b/crypto_sign/sphincs-shake256-128f-robust/avx2/hash_shake256.c @@ -57,6 +57,7 @@ void PQCLEAN_SPHINCSSHAKE256128FROBUST_AVX2_gen_message_random( shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(R, PQCLEAN_SPHINCSSHAKE256128FROBUST_AVX2_N, &state); + shake256_inc_ctx_release(&state); (void)hash_state_seeded; /* Prevent unused parameter warning. */ } @@ -87,6 +88,7 @@ void PQCLEAN_SPHINCSSHAKE256128FROBUST_AVX2_hash_message( shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(buf, PQCLEAN_SPHINCSSHAKE256128FROBUST_AVX2_DGST_BYTES, &state); + shake256_inc_ctx_release(&state); memcpy(digest, bufp, PQCLEAN_SPHINCSSHAKE256128FROBUST_AVX2_FORS_MSG_BYTES); bufp += PQCLEAN_SPHINCSSHAKE256128FROBUST_AVX2_FORS_MSG_BYTES; diff --git a/crypto_sign/sphincs-shake256-128f-robust/clean/hash_shake256.c b/crypto_sign/sphincs-shake256-128f-robust/clean/hash_shake256.c index 16fb398d..f350f0b9 100644 --- a/crypto_sign/sphincs-shake256-128f-robust/clean/hash_shake256.c +++ b/crypto_sign/sphincs-shake256-128f-robust/clean/hash_shake256.c @@ -57,6 +57,7 @@ void PQCLEAN_SPHINCSSHAKE256128FROBUST_CLEAN_gen_message_random( shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(R, PQCLEAN_SPHINCSSHAKE256128FROBUST_CLEAN_N, &state); + shake256_inc_ctx_release(&state); (void)hash_state_seeded; /* Prevent unused parameter warning. */ } @@ -87,6 +88,7 @@ void PQCLEAN_SPHINCSSHAKE256128FROBUST_CLEAN_hash_message( shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(buf, PQCLEAN_SPHINCSSHAKE256128FROBUST_CLEAN_DGST_BYTES, &state); + shake256_inc_ctx_release(&state); memcpy(digest, bufp, PQCLEAN_SPHINCSSHAKE256128FROBUST_CLEAN_FORS_MSG_BYTES); bufp += PQCLEAN_SPHINCSSHAKE256128FROBUST_CLEAN_FORS_MSG_BYTES; diff --git a/crypto_sign/sphincs-shake256-128f-simple/avx2/hash_shake256.c b/crypto_sign/sphincs-shake256-128f-simple/avx2/hash_shake256.c index aa1cff46..496aac8f 100644 --- a/crypto_sign/sphincs-shake256-128f-simple/avx2/hash_shake256.c +++ b/crypto_sign/sphincs-shake256-128f-simple/avx2/hash_shake256.c @@ -57,6 +57,7 @@ void PQCLEAN_SPHINCSSHAKE256128FSIMPLE_AVX2_gen_message_random( shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(R, PQCLEAN_SPHINCSSHAKE256128FSIMPLE_AVX2_N, &state); + shake256_inc_ctx_release(&state); (void)hash_state_seeded; /* Prevent unused parameter warning. */ } @@ -87,6 +88,7 @@ void PQCLEAN_SPHINCSSHAKE256128FSIMPLE_AVX2_hash_message( shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(buf, PQCLEAN_SPHINCSSHAKE256128FSIMPLE_AVX2_DGST_BYTES, &state); + shake256_inc_ctx_release(&state); memcpy(digest, bufp, PQCLEAN_SPHINCSSHAKE256128FSIMPLE_AVX2_FORS_MSG_BYTES); bufp += PQCLEAN_SPHINCSSHAKE256128FSIMPLE_AVX2_FORS_MSG_BYTES; diff --git a/crypto_sign/sphincs-shake256-128f-simple/clean/hash_shake256.c b/crypto_sign/sphincs-shake256-128f-simple/clean/hash_shake256.c index 7eae1bbb..1719f18a 100644 --- a/crypto_sign/sphincs-shake256-128f-simple/clean/hash_shake256.c +++ b/crypto_sign/sphincs-shake256-128f-simple/clean/hash_shake256.c @@ -57,6 +57,7 @@ void PQCLEAN_SPHINCSSHAKE256128FSIMPLE_CLEAN_gen_message_random( shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(R, PQCLEAN_SPHINCSSHAKE256128FSIMPLE_CLEAN_N, &state); + shake256_inc_ctx_release(&state); (void)hash_state_seeded; /* Prevent unused parameter warning. */ } @@ -87,6 +88,7 @@ void PQCLEAN_SPHINCSSHAKE256128FSIMPLE_CLEAN_hash_message( shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(buf, PQCLEAN_SPHINCSSHAKE256128FSIMPLE_CLEAN_DGST_BYTES, &state); + shake256_inc_ctx_release(&state); memcpy(digest, bufp, PQCLEAN_SPHINCSSHAKE256128FSIMPLE_CLEAN_FORS_MSG_BYTES); bufp += PQCLEAN_SPHINCSSHAKE256128FSIMPLE_CLEAN_FORS_MSG_BYTES; diff --git a/crypto_sign/sphincs-shake256-128s-robust/avx2/hash_shake256.c b/crypto_sign/sphincs-shake256-128s-robust/avx2/hash_shake256.c index 2ffb5f78..c24b61e6 100644 --- a/crypto_sign/sphincs-shake256-128s-robust/avx2/hash_shake256.c +++ b/crypto_sign/sphincs-shake256-128s-robust/avx2/hash_shake256.c @@ -57,6 +57,7 @@ void PQCLEAN_SPHINCSSHAKE256128SROBUST_AVX2_gen_message_random( shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(R, PQCLEAN_SPHINCSSHAKE256128SROBUST_AVX2_N, &state); + shake256_inc_ctx_release(&state); (void)hash_state_seeded; /* Prevent unused parameter warning. */ } @@ -87,6 +88,7 @@ void PQCLEAN_SPHINCSSHAKE256128SROBUST_AVX2_hash_message( shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(buf, PQCLEAN_SPHINCSSHAKE256128SROBUST_AVX2_DGST_BYTES, &state); + shake256_inc_ctx_release(&state); memcpy(digest, bufp, PQCLEAN_SPHINCSSHAKE256128SROBUST_AVX2_FORS_MSG_BYTES); bufp += PQCLEAN_SPHINCSSHAKE256128SROBUST_AVX2_FORS_MSG_BYTES; diff --git a/crypto_sign/sphincs-shake256-128s-robust/clean/hash_shake256.c b/crypto_sign/sphincs-shake256-128s-robust/clean/hash_shake256.c index 672eb4ae..53a99814 100644 --- a/crypto_sign/sphincs-shake256-128s-robust/clean/hash_shake256.c +++ b/crypto_sign/sphincs-shake256-128s-robust/clean/hash_shake256.c @@ -57,6 +57,7 @@ void PQCLEAN_SPHINCSSHAKE256128SROBUST_CLEAN_gen_message_random( shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(R, PQCLEAN_SPHINCSSHAKE256128SROBUST_CLEAN_N, &state); + shake256_inc_ctx_release(&state); (void)hash_state_seeded; /* Prevent unused parameter warning. */ } @@ -87,6 +88,7 @@ void PQCLEAN_SPHINCSSHAKE256128SROBUST_CLEAN_hash_message( shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(buf, PQCLEAN_SPHINCSSHAKE256128SROBUST_CLEAN_DGST_BYTES, &state); + shake256_inc_ctx_release(&state); memcpy(digest, bufp, PQCLEAN_SPHINCSSHAKE256128SROBUST_CLEAN_FORS_MSG_BYTES); bufp += PQCLEAN_SPHINCSSHAKE256128SROBUST_CLEAN_FORS_MSG_BYTES; diff --git a/crypto_sign/sphincs-shake256-128s-simple/avx2/hash_shake256.c b/crypto_sign/sphincs-shake256-128s-simple/avx2/hash_shake256.c index 114c45a0..15ed03b3 100644 --- a/crypto_sign/sphincs-shake256-128s-simple/avx2/hash_shake256.c +++ b/crypto_sign/sphincs-shake256-128s-simple/avx2/hash_shake256.c @@ -57,6 +57,7 @@ void PQCLEAN_SPHINCSSHAKE256128SSIMPLE_AVX2_gen_message_random( shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(R, PQCLEAN_SPHINCSSHAKE256128SSIMPLE_AVX2_N, &state); + shake256_inc_ctx_release(&state); (void)hash_state_seeded; /* Prevent unused parameter warning. */ } @@ -87,6 +88,7 @@ void PQCLEAN_SPHINCSSHAKE256128SSIMPLE_AVX2_hash_message( shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(buf, PQCLEAN_SPHINCSSHAKE256128SSIMPLE_AVX2_DGST_BYTES, &state); + shake256_inc_ctx_release(&state); memcpy(digest, bufp, PQCLEAN_SPHINCSSHAKE256128SSIMPLE_AVX2_FORS_MSG_BYTES); bufp += PQCLEAN_SPHINCSSHAKE256128SSIMPLE_AVX2_FORS_MSG_BYTES; diff --git a/crypto_sign/sphincs-shake256-128s-simple/clean/hash_shake256.c b/crypto_sign/sphincs-shake256-128s-simple/clean/hash_shake256.c index b1ea7f76..7fca240c 100644 --- a/crypto_sign/sphincs-shake256-128s-simple/clean/hash_shake256.c +++ b/crypto_sign/sphincs-shake256-128s-simple/clean/hash_shake256.c @@ -57,6 +57,7 @@ void PQCLEAN_SPHINCSSHAKE256128SSIMPLE_CLEAN_gen_message_random( shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(R, PQCLEAN_SPHINCSSHAKE256128SSIMPLE_CLEAN_N, &state); + shake256_inc_ctx_release(&state); (void)hash_state_seeded; /* Prevent unused parameter warning. */ } @@ -87,6 +88,7 @@ void PQCLEAN_SPHINCSSHAKE256128SSIMPLE_CLEAN_hash_message( shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(buf, PQCLEAN_SPHINCSSHAKE256128SSIMPLE_CLEAN_DGST_BYTES, &state); + shake256_inc_ctx_release(&state); memcpy(digest, bufp, PQCLEAN_SPHINCSSHAKE256128SSIMPLE_CLEAN_FORS_MSG_BYTES); bufp += PQCLEAN_SPHINCSSHAKE256128SSIMPLE_CLEAN_FORS_MSG_BYTES; diff --git a/crypto_sign/sphincs-shake256-192f-robust/avx2/hash_shake256.c b/crypto_sign/sphincs-shake256-192f-robust/avx2/hash_shake256.c index 7a04ed82..08cc063e 100644 --- a/crypto_sign/sphincs-shake256-192f-robust/avx2/hash_shake256.c +++ b/crypto_sign/sphincs-shake256-192f-robust/avx2/hash_shake256.c @@ -57,6 +57,7 @@ void PQCLEAN_SPHINCSSHAKE256192FROBUST_AVX2_gen_message_random( shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(R, PQCLEAN_SPHINCSSHAKE256192FROBUST_AVX2_N, &state); + shake256_inc_ctx_release(&state); (void)hash_state_seeded; /* Prevent unused parameter warning. */ } @@ -87,6 +88,7 @@ void PQCLEAN_SPHINCSSHAKE256192FROBUST_AVX2_hash_message( shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(buf, PQCLEAN_SPHINCSSHAKE256192FROBUST_AVX2_DGST_BYTES, &state); + shake256_inc_ctx_release(&state); memcpy(digest, bufp, PQCLEAN_SPHINCSSHAKE256192FROBUST_AVX2_FORS_MSG_BYTES); bufp += PQCLEAN_SPHINCSSHAKE256192FROBUST_AVX2_FORS_MSG_BYTES; diff --git a/crypto_sign/sphincs-shake256-192f-robust/clean/hash_shake256.c b/crypto_sign/sphincs-shake256-192f-robust/clean/hash_shake256.c index 7f6155ef..08e93bf6 100644 --- a/crypto_sign/sphincs-shake256-192f-robust/clean/hash_shake256.c +++ b/crypto_sign/sphincs-shake256-192f-robust/clean/hash_shake256.c @@ -57,6 +57,7 @@ void PQCLEAN_SPHINCSSHAKE256192FROBUST_CLEAN_gen_message_random( shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(R, PQCLEAN_SPHINCSSHAKE256192FROBUST_CLEAN_N, &state); + shake256_inc_ctx_release(&state); (void)hash_state_seeded; /* Prevent unused parameter warning. */ } @@ -87,6 +88,7 @@ void PQCLEAN_SPHINCSSHAKE256192FROBUST_CLEAN_hash_message( shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(buf, PQCLEAN_SPHINCSSHAKE256192FROBUST_CLEAN_DGST_BYTES, &state); + shake256_inc_ctx_release(&state); memcpy(digest, bufp, PQCLEAN_SPHINCSSHAKE256192FROBUST_CLEAN_FORS_MSG_BYTES); bufp += PQCLEAN_SPHINCSSHAKE256192FROBUST_CLEAN_FORS_MSG_BYTES; diff --git a/crypto_sign/sphincs-shake256-192f-simple/avx2/hash_shake256.c b/crypto_sign/sphincs-shake256-192f-simple/avx2/hash_shake256.c index 775edb2f..9b19a6d9 100644 --- a/crypto_sign/sphincs-shake256-192f-simple/avx2/hash_shake256.c +++ b/crypto_sign/sphincs-shake256-192f-simple/avx2/hash_shake256.c @@ -57,6 +57,7 @@ void PQCLEAN_SPHINCSSHAKE256192FSIMPLE_AVX2_gen_message_random( shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(R, PQCLEAN_SPHINCSSHAKE256192FSIMPLE_AVX2_N, &state); + shake256_inc_ctx_release(&state); (void)hash_state_seeded; /* Prevent unused parameter warning. */ } @@ -87,6 +88,7 @@ void PQCLEAN_SPHINCSSHAKE256192FSIMPLE_AVX2_hash_message( shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(buf, PQCLEAN_SPHINCSSHAKE256192FSIMPLE_AVX2_DGST_BYTES, &state); + shake256_inc_ctx_release(&state); memcpy(digest, bufp, PQCLEAN_SPHINCSSHAKE256192FSIMPLE_AVX2_FORS_MSG_BYTES); bufp += PQCLEAN_SPHINCSSHAKE256192FSIMPLE_AVX2_FORS_MSG_BYTES; diff --git a/crypto_sign/sphincs-shake256-192f-simple/clean/hash_shake256.c b/crypto_sign/sphincs-shake256-192f-simple/clean/hash_shake256.c index 83f1350c..81d055a5 100644 --- a/crypto_sign/sphincs-shake256-192f-simple/clean/hash_shake256.c +++ b/crypto_sign/sphincs-shake256-192f-simple/clean/hash_shake256.c @@ -57,6 +57,7 @@ void PQCLEAN_SPHINCSSHAKE256192FSIMPLE_CLEAN_gen_message_random( shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(R, PQCLEAN_SPHINCSSHAKE256192FSIMPLE_CLEAN_N, &state); + shake256_inc_ctx_release(&state); (void)hash_state_seeded; /* Prevent unused parameter warning. */ } @@ -87,6 +88,7 @@ void PQCLEAN_SPHINCSSHAKE256192FSIMPLE_CLEAN_hash_message( shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(buf, PQCLEAN_SPHINCSSHAKE256192FSIMPLE_CLEAN_DGST_BYTES, &state); + shake256_inc_ctx_release(&state); memcpy(digest, bufp, PQCLEAN_SPHINCSSHAKE256192FSIMPLE_CLEAN_FORS_MSG_BYTES); bufp += PQCLEAN_SPHINCSSHAKE256192FSIMPLE_CLEAN_FORS_MSG_BYTES; diff --git a/crypto_sign/sphincs-shake256-192s-robust/avx2/hash_shake256.c b/crypto_sign/sphincs-shake256-192s-robust/avx2/hash_shake256.c index ea057644..b7390a6e 100644 --- a/crypto_sign/sphincs-shake256-192s-robust/avx2/hash_shake256.c +++ b/crypto_sign/sphincs-shake256-192s-robust/avx2/hash_shake256.c @@ -57,6 +57,7 @@ void PQCLEAN_SPHINCSSHAKE256192SROBUST_AVX2_gen_message_random( shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(R, PQCLEAN_SPHINCSSHAKE256192SROBUST_AVX2_N, &state); + shake256_inc_ctx_release(&state); (void)hash_state_seeded; /* Prevent unused parameter warning. */ } @@ -87,6 +88,7 @@ void PQCLEAN_SPHINCSSHAKE256192SROBUST_AVX2_hash_message( shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(buf, PQCLEAN_SPHINCSSHAKE256192SROBUST_AVX2_DGST_BYTES, &state); + shake256_inc_ctx_release(&state); memcpy(digest, bufp, PQCLEAN_SPHINCSSHAKE256192SROBUST_AVX2_FORS_MSG_BYTES); bufp += PQCLEAN_SPHINCSSHAKE256192SROBUST_AVX2_FORS_MSG_BYTES; diff --git a/crypto_sign/sphincs-shake256-192s-robust/clean/hash_shake256.c b/crypto_sign/sphincs-shake256-192s-robust/clean/hash_shake256.c index e2a85598..facef0b4 100644 --- a/crypto_sign/sphincs-shake256-192s-robust/clean/hash_shake256.c +++ b/crypto_sign/sphincs-shake256-192s-robust/clean/hash_shake256.c @@ -57,6 +57,7 @@ void PQCLEAN_SPHINCSSHAKE256192SROBUST_CLEAN_gen_message_random( shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(R, PQCLEAN_SPHINCSSHAKE256192SROBUST_CLEAN_N, &state); + shake256_inc_ctx_release(&state); (void)hash_state_seeded; /* Prevent unused parameter warning. */ } @@ -87,6 +88,7 @@ void PQCLEAN_SPHINCSSHAKE256192SROBUST_CLEAN_hash_message( shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(buf, PQCLEAN_SPHINCSSHAKE256192SROBUST_CLEAN_DGST_BYTES, &state); + shake256_inc_ctx_release(&state); memcpy(digest, bufp, PQCLEAN_SPHINCSSHAKE256192SROBUST_CLEAN_FORS_MSG_BYTES); bufp += PQCLEAN_SPHINCSSHAKE256192SROBUST_CLEAN_FORS_MSG_BYTES; diff --git a/crypto_sign/sphincs-shake256-192s-simple/avx2/hash_shake256.c b/crypto_sign/sphincs-shake256-192s-simple/avx2/hash_shake256.c index c88c5edd..2ff61c06 100644 --- a/crypto_sign/sphincs-shake256-192s-simple/avx2/hash_shake256.c +++ b/crypto_sign/sphincs-shake256-192s-simple/avx2/hash_shake256.c @@ -57,6 +57,7 @@ void PQCLEAN_SPHINCSSHAKE256192SSIMPLE_AVX2_gen_message_random( shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(R, PQCLEAN_SPHINCSSHAKE256192SSIMPLE_AVX2_N, &state); + shake256_inc_ctx_release(&state); (void)hash_state_seeded; /* Prevent unused parameter warning. */ } @@ -87,6 +88,7 @@ void PQCLEAN_SPHINCSSHAKE256192SSIMPLE_AVX2_hash_message( shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(buf, PQCLEAN_SPHINCSSHAKE256192SSIMPLE_AVX2_DGST_BYTES, &state); + shake256_inc_ctx_release(&state); memcpy(digest, bufp, PQCLEAN_SPHINCSSHAKE256192SSIMPLE_AVX2_FORS_MSG_BYTES); bufp += PQCLEAN_SPHINCSSHAKE256192SSIMPLE_AVX2_FORS_MSG_BYTES; diff --git a/crypto_sign/sphincs-shake256-192s-simple/clean/hash_shake256.c b/crypto_sign/sphincs-shake256-192s-simple/clean/hash_shake256.c index 828e4d4e..26c5d912 100644 --- a/crypto_sign/sphincs-shake256-192s-simple/clean/hash_shake256.c +++ b/crypto_sign/sphincs-shake256-192s-simple/clean/hash_shake256.c @@ -57,6 +57,7 @@ void PQCLEAN_SPHINCSSHAKE256192SSIMPLE_CLEAN_gen_message_random( shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(R, PQCLEAN_SPHINCSSHAKE256192SSIMPLE_CLEAN_N, &state); + shake256_inc_ctx_release(&state); (void)hash_state_seeded; /* Prevent unused parameter warning. */ } @@ -87,6 +88,7 @@ void PQCLEAN_SPHINCSSHAKE256192SSIMPLE_CLEAN_hash_message( shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(buf, PQCLEAN_SPHINCSSHAKE256192SSIMPLE_CLEAN_DGST_BYTES, &state); + shake256_inc_ctx_release(&state); memcpy(digest, bufp, PQCLEAN_SPHINCSSHAKE256192SSIMPLE_CLEAN_FORS_MSG_BYTES); bufp += PQCLEAN_SPHINCSSHAKE256192SSIMPLE_CLEAN_FORS_MSG_BYTES; diff --git a/crypto_sign/sphincs-shake256-256f-robust/avx2/hash_shake256.c b/crypto_sign/sphincs-shake256-256f-robust/avx2/hash_shake256.c index c53b616d..4e1c7491 100644 --- a/crypto_sign/sphincs-shake256-256f-robust/avx2/hash_shake256.c +++ b/crypto_sign/sphincs-shake256-256f-robust/avx2/hash_shake256.c @@ -57,6 +57,7 @@ void PQCLEAN_SPHINCSSHAKE256256FROBUST_AVX2_gen_message_random( shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(R, PQCLEAN_SPHINCSSHAKE256256FROBUST_AVX2_N, &state); + shake256_inc_ctx_release(&state); (void)hash_state_seeded; /* Prevent unused parameter warning. */ } @@ -87,6 +88,7 @@ void PQCLEAN_SPHINCSSHAKE256256FROBUST_AVX2_hash_message( shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(buf, PQCLEAN_SPHINCSSHAKE256256FROBUST_AVX2_DGST_BYTES, &state); + shake256_inc_ctx_release(&state); memcpy(digest, bufp, PQCLEAN_SPHINCSSHAKE256256FROBUST_AVX2_FORS_MSG_BYTES); bufp += PQCLEAN_SPHINCSSHAKE256256FROBUST_AVX2_FORS_MSG_BYTES; diff --git a/crypto_sign/sphincs-shake256-256f-robust/clean/hash_shake256.c b/crypto_sign/sphincs-shake256-256f-robust/clean/hash_shake256.c index 38dc0a1e..750baedc 100644 --- a/crypto_sign/sphincs-shake256-256f-robust/clean/hash_shake256.c +++ b/crypto_sign/sphincs-shake256-256f-robust/clean/hash_shake256.c @@ -57,6 +57,7 @@ void PQCLEAN_SPHINCSSHAKE256256FROBUST_CLEAN_gen_message_random( shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(R, PQCLEAN_SPHINCSSHAKE256256FROBUST_CLEAN_N, &state); + shake256_inc_ctx_release(&state); (void)hash_state_seeded; /* Prevent unused parameter warning. */ } @@ -87,6 +88,7 @@ void PQCLEAN_SPHINCSSHAKE256256FROBUST_CLEAN_hash_message( shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(buf, PQCLEAN_SPHINCSSHAKE256256FROBUST_CLEAN_DGST_BYTES, &state); + shake256_inc_ctx_release(&state); memcpy(digest, bufp, PQCLEAN_SPHINCSSHAKE256256FROBUST_CLEAN_FORS_MSG_BYTES); bufp += PQCLEAN_SPHINCSSHAKE256256FROBUST_CLEAN_FORS_MSG_BYTES; diff --git a/crypto_sign/sphincs-shake256-256f-simple/avx2/hash_shake256.c b/crypto_sign/sphincs-shake256-256f-simple/avx2/hash_shake256.c index 7cd02e92..58e27a87 100644 --- a/crypto_sign/sphincs-shake256-256f-simple/avx2/hash_shake256.c +++ b/crypto_sign/sphincs-shake256-256f-simple/avx2/hash_shake256.c @@ -57,6 +57,7 @@ void PQCLEAN_SPHINCSSHAKE256256FSIMPLE_AVX2_gen_message_random( shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(R, PQCLEAN_SPHINCSSHAKE256256FSIMPLE_AVX2_N, &state); + shake256_inc_ctx_release(&state); (void)hash_state_seeded; /* Prevent unused parameter warning. */ } @@ -87,6 +88,7 @@ void PQCLEAN_SPHINCSSHAKE256256FSIMPLE_AVX2_hash_message( shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(buf, PQCLEAN_SPHINCSSHAKE256256FSIMPLE_AVX2_DGST_BYTES, &state); + shake256_inc_ctx_release(&state); memcpy(digest, bufp, PQCLEAN_SPHINCSSHAKE256256FSIMPLE_AVX2_FORS_MSG_BYTES); bufp += PQCLEAN_SPHINCSSHAKE256256FSIMPLE_AVX2_FORS_MSG_BYTES; diff --git a/crypto_sign/sphincs-shake256-256f-simple/clean/hash_shake256.c b/crypto_sign/sphincs-shake256-256f-simple/clean/hash_shake256.c index 204d6096..dfc285bf 100644 --- a/crypto_sign/sphincs-shake256-256f-simple/clean/hash_shake256.c +++ b/crypto_sign/sphincs-shake256-256f-simple/clean/hash_shake256.c @@ -57,6 +57,7 @@ void PQCLEAN_SPHINCSSHAKE256256FSIMPLE_CLEAN_gen_message_random( shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(R, PQCLEAN_SPHINCSSHAKE256256FSIMPLE_CLEAN_N, &state); + shake256_inc_ctx_release(&state); (void)hash_state_seeded; /* Prevent unused parameter warning. */ } @@ -87,6 +88,7 @@ void PQCLEAN_SPHINCSSHAKE256256FSIMPLE_CLEAN_hash_message( shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(buf, PQCLEAN_SPHINCSSHAKE256256FSIMPLE_CLEAN_DGST_BYTES, &state); + shake256_inc_ctx_release(&state); memcpy(digest, bufp, PQCLEAN_SPHINCSSHAKE256256FSIMPLE_CLEAN_FORS_MSG_BYTES); bufp += PQCLEAN_SPHINCSSHAKE256256FSIMPLE_CLEAN_FORS_MSG_BYTES; diff --git a/crypto_sign/sphincs-shake256-256s-robust/avx2/hash_shake256.c b/crypto_sign/sphincs-shake256-256s-robust/avx2/hash_shake256.c index 545e9400..9fbd642d 100644 --- a/crypto_sign/sphincs-shake256-256s-robust/avx2/hash_shake256.c +++ b/crypto_sign/sphincs-shake256-256s-robust/avx2/hash_shake256.c @@ -57,6 +57,7 @@ void PQCLEAN_SPHINCSSHAKE256256SROBUST_AVX2_gen_message_random( shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(R, PQCLEAN_SPHINCSSHAKE256256SROBUST_AVX2_N, &state); + shake256_inc_ctx_release(&state); (void)hash_state_seeded; /* Prevent unused parameter warning. */ } @@ -87,6 +88,7 @@ void PQCLEAN_SPHINCSSHAKE256256SROBUST_AVX2_hash_message( shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(buf, PQCLEAN_SPHINCSSHAKE256256SROBUST_AVX2_DGST_BYTES, &state); + shake256_inc_ctx_release(&state); memcpy(digest, bufp, PQCLEAN_SPHINCSSHAKE256256SROBUST_AVX2_FORS_MSG_BYTES); bufp += PQCLEAN_SPHINCSSHAKE256256SROBUST_AVX2_FORS_MSG_BYTES; diff --git a/crypto_sign/sphincs-shake256-256s-robust/clean/hash_shake256.c b/crypto_sign/sphincs-shake256-256s-robust/clean/hash_shake256.c index d76b6a06..ebf85a81 100644 --- a/crypto_sign/sphincs-shake256-256s-robust/clean/hash_shake256.c +++ b/crypto_sign/sphincs-shake256-256s-robust/clean/hash_shake256.c @@ -57,6 +57,7 @@ void PQCLEAN_SPHINCSSHAKE256256SROBUST_CLEAN_gen_message_random( shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(R, PQCLEAN_SPHINCSSHAKE256256SROBUST_CLEAN_N, &state); + shake256_inc_ctx_release(&state); (void)hash_state_seeded; /* Prevent unused parameter warning. */ } @@ -87,6 +88,7 @@ void PQCLEAN_SPHINCSSHAKE256256SROBUST_CLEAN_hash_message( shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(buf, PQCLEAN_SPHINCSSHAKE256256SROBUST_CLEAN_DGST_BYTES, &state); + shake256_inc_ctx_release(&state); memcpy(digest, bufp, PQCLEAN_SPHINCSSHAKE256256SROBUST_CLEAN_FORS_MSG_BYTES); bufp += PQCLEAN_SPHINCSSHAKE256256SROBUST_CLEAN_FORS_MSG_BYTES; diff --git a/crypto_sign/sphincs-shake256-256s-simple/avx2/hash_shake256.c b/crypto_sign/sphincs-shake256-256s-simple/avx2/hash_shake256.c index 9baad042..23f34d94 100644 --- a/crypto_sign/sphincs-shake256-256s-simple/avx2/hash_shake256.c +++ b/crypto_sign/sphincs-shake256-256s-simple/avx2/hash_shake256.c @@ -57,6 +57,7 @@ void PQCLEAN_SPHINCSSHAKE256256SSIMPLE_AVX2_gen_message_random( shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(R, PQCLEAN_SPHINCSSHAKE256256SSIMPLE_AVX2_N, &state); + shake256_inc_ctx_release(&state); (void)hash_state_seeded; /* Prevent unused parameter warning. */ } @@ -87,6 +88,7 @@ void PQCLEAN_SPHINCSSHAKE256256SSIMPLE_AVX2_hash_message( shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(buf, PQCLEAN_SPHINCSSHAKE256256SSIMPLE_AVX2_DGST_BYTES, &state); + shake256_inc_ctx_release(&state); memcpy(digest, bufp, PQCLEAN_SPHINCSSHAKE256256SSIMPLE_AVX2_FORS_MSG_BYTES); bufp += PQCLEAN_SPHINCSSHAKE256256SSIMPLE_AVX2_FORS_MSG_BYTES; diff --git a/crypto_sign/sphincs-shake256-256s-simple/clean/hash_shake256.c b/crypto_sign/sphincs-shake256-256s-simple/clean/hash_shake256.c index a5b56495..2ef61e2a 100644 --- a/crypto_sign/sphincs-shake256-256s-simple/clean/hash_shake256.c +++ b/crypto_sign/sphincs-shake256-256s-simple/clean/hash_shake256.c @@ -57,6 +57,7 @@ void PQCLEAN_SPHINCSSHAKE256256SSIMPLE_CLEAN_gen_message_random( shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(R, PQCLEAN_SPHINCSSHAKE256256SSIMPLE_CLEAN_N, &state); + shake256_inc_ctx_release(&state); (void)hash_state_seeded; /* Prevent unused parameter warning. */ } @@ -87,6 +88,7 @@ void PQCLEAN_SPHINCSSHAKE256256SSIMPLE_CLEAN_hash_message( shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(buf, PQCLEAN_SPHINCSSHAKE256256SSIMPLE_CLEAN_DGST_BYTES, &state); + shake256_inc_ctx_release(&state); memcpy(digest, bufp, PQCLEAN_SPHINCSSHAKE256256SSIMPLE_CLEAN_FORS_MSG_BYTES); bufp += PQCLEAN_SPHINCSSHAKE256256SSIMPLE_CLEAN_FORS_MSG_BYTES; diff --git a/test/common/nistkatrng.c b/test/common/nistkatrng.c index 368d0db3..96a3c032 100644 --- a/test/common/nistkatrng.c +++ b/test/common/nistkatrng.c @@ -29,6 +29,7 @@ static void AES256_ECB(uint8_t *key, uint8_t *ctr, uint8_t *buffer) { aes256ctx ctx; aes256_keyexp(&ctx, key); aes256_ecb(buffer, ctr, 1, &ctx); + aes256_ctx_release(&ctx); } void nist_kat_init(uint8_t *entropy_input, const uint8_t *personalization_string, int security_strength); diff --git a/test/test_common/fips202.c b/test/test_common/fips202.c index 9cd09f85..cba93bf0 100644 --- a/test/test_common/fips202.c +++ b/test/test_common/fips202.c @@ -1,9 +1,10 @@ -#include "fips202.h" +#include "../../common/fips202.h" #include #include #include #include +#include const unsigned char plaintext[44] = "The quick brown fox jumps over the lazy dog"; const unsigned char expected[512] = { @@ -129,12 +130,12 @@ static int test_shake128_incremental(void) { shake128_absorb(&state_combined, input, 512); - if (memcmp(&state_absorb, &state_combined, sizeof(shake128ctx)) != 0) { + if (memcmp(state_absorb.ctx, state_combined.ctx, PQC_SHAKECTX_BYTES) != 0) { printf("ERROR shake128 state after incremental absorb did not match all-at-once absorb.\n"); returncode = 1; } - memcpy(&state_both, &state_absorb, sizeof(shake128incctx)); + shake128_inc_ctx_clone(&state_both, &state_absorb); shake128_squeezeblocks(output, 3, (shake128ctx*)&state_absorb); @@ -154,9 +155,13 @@ static int test_shake128_incremental(void) { } shake128_absorb((shake128ctx*)&state_squeeze, input, 512); + state_squeeze.ctx = realloc(state_squeeze.ctx, PQC_SHAKEINCCTX_BYTES); + if (state_squeeze.ctx == NULL) { + exit(111); + } state_squeeze.ctx[25] = 0; - memcpy(&state_squeeze_all, &state_squeeze, sizeof(shake128incctx)); + shake128_inc_ctx_clone(&state_squeeze_all, &state_squeeze); shake128_inc_squeeze(output, 512, &state_squeeze_all); @@ -221,6 +226,13 @@ static int test_shake128_incremental(void) { returncode = 1; } + + shake128_inc_ctx_release(&state_absorb); + shake128_inc_ctx_release(&state_squeeze); + shake128_inc_ctx_release(&state_squeeze_all); + shake128_inc_ctx_release(&state_both); + shake128_ctx_release(&state_combined); + return returncode; } diff --git a/test/test_valgrind.py b/test/test_valgrind.py index df3606e8..b4b5ed7b 100644 --- a/test/test_valgrind.py +++ b/test/test_valgrind.py @@ -46,6 +46,7 @@ def test_valgrind(implementation: pqclean.Implementation, impl_path, test_dir, SCHEME_DIR=os.path.abspath(impl_path), IMPLEMENTATION=implementation.name, DEST_DIR=dest_dir, + EXTRAFLAGS="-g3", NTESTS=1, working_dir=os.path.join(test_dir, 'test')) functest_name = './functest_{}_{}'.format(implementation.scheme.name,