diff --git a/common/fips202.c b/common/fips202.c index ceeb6a5c..0fb29fab 100644 --- a/common/fips202.c +++ b/common/fips202.c @@ -520,36 +520,36 @@ static void keccak_inc_squeeze(uint8_t *h, size_t outlen, } } -void shake128_inc_init(uint64_t *s_inc) { - keccak_inc_init(s_inc); +void shake128_inc_init(shake128incctx *state) { + keccak_inc_init(state->ctx); } -void shake128_inc_absorb(uint64_t *s_inc, const uint8_t *input, size_t inlen) { - keccak_inc_absorb(s_inc, SHAKE128_RATE, input, inlen); +void shake128_inc_absorb(shake128incctx *state, const uint8_t *input, size_t inlen) { + keccak_inc_absorb(state->ctx, SHAKE128_RATE, input, inlen); } -void shake128_inc_finalize(uint64_t *s_inc) { - keccak_inc_finalize(s_inc, SHAKE128_RATE, 0x1F); +void shake128_inc_finalize(shake128incctx *state) { + keccak_inc_finalize(state->ctx, SHAKE128_RATE, 0x1F); } -void shake128_inc_squeeze(uint8_t *output, size_t outlen, uint64_t *s_inc) { - keccak_inc_squeeze(output, outlen, s_inc, SHAKE128_RATE); +void shake128_inc_squeeze(uint8_t *output, size_t outlen, shake128incctx *state) { + keccak_inc_squeeze(output, outlen, state->ctx, SHAKE128_RATE); } -void shake256_inc_init(uint64_t *s_inc) { - keccak_inc_init(s_inc); +void shake256_inc_init(shake256incctx *state) { + keccak_inc_init(state->ctx); } -void shake256_inc_absorb(uint64_t *s_inc, const uint8_t *input, size_t inlen) { - keccak_inc_absorb(s_inc, SHAKE256_RATE, input, inlen); +void shake256_inc_absorb(shake256incctx *state, const uint8_t *input, size_t inlen) { + keccak_inc_absorb(state->ctx, SHAKE256_RATE, input, inlen); } -void shake256_inc_finalize(uint64_t *s_inc) { - keccak_inc_finalize(s_inc, SHAKE256_RATE, 0x1F); +void shake256_inc_finalize(shake256incctx *state) { + keccak_inc_finalize(state->ctx, SHAKE256_RATE, 0x1F); } -void shake256_inc_squeeze(uint8_t *output, size_t outlen, uint64_t *s_inc) { - keccak_inc_squeeze(output, outlen, s_inc, SHAKE256_RATE); +void shake256_inc_squeeze(uint8_t *output, size_t outlen, shake256incctx *state) { + keccak_inc_squeeze(output, outlen, state->ctx, SHAKE256_RATE); } @@ -564,8 +564,8 @@ void shake256_inc_squeeze(uint8_t *output, size_t outlen, uint64_t *s_inc) { * into s * - size_t inlen: length of input in bytes **************************************************/ -void shake128_absorb(uint64_t *s, const uint8_t *input, size_t inlen) { - keccak_absorb(s, SHAKE128_RATE, input, inlen, 0x1F); +void shake128_absorb(shake128ctx *state, const uint8_t *input, size_t inlen) { + keccak_absorb(state->ctx, SHAKE128_RATE, input, inlen, 0x1F); } /************************************************* @@ -578,10 +578,10 @@ void shake128_absorb(uint64_t *s, const uint8_t *input, size_t inlen) { * Arguments: - uint8_t *output: pointer to output blocks * - size_t nblocks: number of blocks to be squeezed * (written to output) - * - uint64_t *s: pointer to input/output Keccak state + * - shake128ctx *state: pointer to input/output Keccak state **************************************************/ -void shake128_squeezeblocks(uint8_t *output, size_t nblocks, uint64_t *s) { - keccak_squeezeblocks(output, nblocks, s, SHAKE128_RATE); +void shake128_squeezeblocks(uint8_t *output, size_t nblocks, shake128ctx *state) { + keccak_squeezeblocks(output, nblocks, state->ctx, SHAKE128_RATE); } /************************************************* @@ -590,13 +590,13 @@ void shake128_squeezeblocks(uint8_t *output, size_t nblocks, uint64_t *s) { * Description: Absorb step of the SHAKE256 XOF. * non-incremental, starts by zeroeing the state. * - * Arguments: - uint64_t *s: pointer to (uninitialized) output Keccak state + * Arguments: - shake256ctx *state: pointer to (uninitialized) output Keccak state * - const uint8_t *input: pointer to input to be absorbed * into s * - size_t inlen: length of input in bytes **************************************************/ -void shake256_absorb(uint64_t *s, const uint8_t *input, size_t inlen) { - keccak_absorb(s, SHAKE256_RATE, input, inlen, 0x1F); +void shake256_absorb(shake256ctx *state, const uint8_t *input, size_t inlen) { + keccak_absorb(state->ctx, SHAKE256_RATE, input, inlen, 0x1F); } /************************************************* @@ -609,10 +609,10 @@ void shake256_absorb(uint64_t *s, const uint8_t *input, size_t inlen) { * Arguments: - uint8_t *output: pointer to output blocks * - size_t nblocks: number of blocks to be squeezed * (written to output) - * - uint64_t *s: pointer to input/output Keccak state + * - shake256ctx *state: pointer to input/output Keccak state **************************************************/ -void shake256_squeezeblocks(uint8_t *output, size_t nblocks, uint64_t *s) { - keccak_squeezeblocks(output, nblocks, s, SHAKE256_RATE); +void shake256_squeezeblocks(uint8_t *output, size_t nblocks, shake256ctx *state) { + keccak_squeezeblocks(output, nblocks, state->ctx, SHAKE256_RATE); } /************************************************* @@ -629,16 +629,16 @@ void shake128(uint8_t *output, size_t outlen, const uint8_t *input, size_t inlen) { size_t nblocks = outlen / SHAKE128_RATE; uint8_t t[SHAKE128_RATE]; - uint64_t s[25]; + shake128ctx s; - shake128_absorb(s, input, inlen); - shake128_squeezeblocks(output, nblocks, s); + shake128_absorb(&s, input, inlen); + shake128_squeezeblocks(output, nblocks, &s); output += nblocks * SHAKE128_RATE; outlen -= nblocks * SHAKE128_RATE; if (outlen) { - shake128_squeezeblocks(t, 1, s); + shake128_squeezeblocks(t, 1, &s); for (size_t i = 0; i < outlen; ++i) { output[i] = t[i]; } @@ -659,35 +659,35 @@ void shake256(uint8_t *output, size_t outlen, const uint8_t *input, size_t inlen) { size_t nblocks = outlen / SHAKE256_RATE; uint8_t t[SHAKE256_RATE]; - uint64_t s[25]; + shake256ctx s; - shake256_absorb(s, input, inlen); - shake256_squeezeblocks(output, nblocks, s); + shake256_absorb(&s, input, inlen); + shake256_squeezeblocks(output, nblocks, &s); output += nblocks * SHAKE256_RATE; outlen -= nblocks * SHAKE256_RATE; if (outlen) { - shake256_squeezeblocks(t, 1, s); + shake256_squeezeblocks(t, 1, &s); for (size_t i = 0; i < outlen; ++i) { output[i] = t[i]; } } } -void sha3_256_inc_init(uint64_t *s_inc) { - keccak_inc_init(s_inc); +void sha3_256_inc_init(sha3_256incctx *state) { + keccak_inc_init(state->ctx); } -void sha3_256_inc_absorb(uint64_t *s_inc, const uint8_t *input, size_t inlen) { - keccak_inc_absorb(s_inc, SHA3_256_RATE, input, inlen); +void sha3_256_inc_absorb(sha3_256incctx *state, const uint8_t *input, size_t inlen) { + keccak_inc_absorb(state->ctx, SHA3_256_RATE, input, inlen); } -void sha3_256_inc_finalize(uint8_t *output, uint64_t *s_inc) { +void sha3_256_inc_finalize(uint8_t *output, sha3_256incctx *state) { uint8_t t[SHA3_256_RATE]; - keccak_inc_finalize(s_inc, SHA3_256_RATE, 0x06); + keccak_inc_finalize(state->ctx, SHA3_256_RATE, 0x06); - keccak_squeezeblocks(t, 1, s_inc, SHA3_256_RATE); + keccak_squeezeblocks(t, 1, state->ctx, SHA3_256_RATE); for (size_t i = 0; i < 32; i++) { output[i] = t[i]; @@ -718,19 +718,19 @@ void sha3_256(uint8_t *output, const uint8_t *input, size_t inlen) { } } -void sha3_512_inc_init(uint64_t *s_inc) { - keccak_inc_init(s_inc); +void sha3_512_inc_init(sha3_512incctx *state) { + keccak_inc_init(state->ctx); } -void sha3_512_inc_absorb(uint64_t *s_inc, const uint8_t *input, size_t inlen) { - keccak_inc_absorb(s_inc, SHA3_512_RATE, input, inlen); +void sha3_512_inc_absorb(sha3_512incctx *state, const uint8_t *input, size_t inlen) { + keccak_inc_absorb(state->ctx, SHA3_512_RATE, input, inlen); } -void sha3_512_inc_finalize(uint8_t *output, uint64_t *s_inc) { +void sha3_512_inc_finalize(uint8_t *output, sha3_512incctx *state) { uint8_t t[SHA3_512_RATE]; - keccak_inc_finalize(s_inc, SHA3_512_RATE, 0x06); + keccak_inc_finalize(state->ctx, SHA3_512_RATE, 0x06); - keccak_squeezeblocks(t, 1, s_inc, SHA3_512_RATE); + keccak_squeezeblocks(t, 1, state->ctx, SHA3_512_RATE); for (size_t i = 0; i < 32; i++) { output[i] = t[i]; diff --git a/common/fips202.h b/common/fips202.h index 8971cf5c..622d736a 100644 --- a/common/fips202.h +++ b/common/fips202.h @@ -9,22 +9,53 @@ #define SHA3_256_RATE 136 #define SHA3_512_RATE 72 -void shake128_absorb(uint64_t *s, const uint8_t *input, size_t inlen); -void shake128_squeezeblocks(uint8_t *output, size_t nblocks, uint64_t *s); +// Context for incremental API +typedef struct { + uint64_t ctx[26]; +} shake128incctx; -void shake128_inc_init(uint64_t *s_inc); -void shake128_inc_absorb(uint64_t *s_inc, const uint8_t *input, size_t inlen); -void shake128_inc_finalize(uint64_t *s_inc); -void shake128_inc_squeeze(uint8_t *output, size_t outlen, uint64_t *s_inc); +// Context for non-incremental API +typedef struct { + uint64_t ctx[25]; +} shake128ctx; -void shake256_absorb(uint64_t *s, const uint8_t *input, size_t inlen); -void shake256_squeezeblocks(uint8_t *output, size_t nblocks, uint64_t *s); +// Context for incremental API +typedef struct { + uint64_t ctx[26]; +} shake256incctx; -void shake256_inc_init(uint64_t *s_inc); -void shake256_inc_absorb(uint64_t *s_inc, const uint8_t *input, size_t inlen); -void shake256_inc_finalize(uint64_t *s_inc); -void shake256_inc_squeeze(uint8_t *output, size_t outlen, uint64_t *s_inc); +// Context for non-incremental API +typedef struct { + uint64_t ctx[25]; +} shake256ctx; + +// Context for incremental API +typedef struct { + uint64_t ctx[26]; +} sha3_256incctx; + +// Context for incremental API +typedef struct { + uint64_t ctx[26]; +} sha3_512incctx; + +void shake128_absorb(shake128ctx *state, const uint8_t *input, size_t inlen); + +void shake128_squeezeblocks(uint8_t *output, size_t nblocks, shake128ctx *state); + +void shake128_inc_init(shake128incctx *state); +void shake128_inc_absorb(shake128incctx *state, const uint8_t *input, size_t inlen); +void shake128_inc_finalize(shake128incctx *state); +void shake128_inc_squeeze(uint8_t *output, size_t outlen, shake128incctx *state); + +void shake256_absorb(shake256ctx *state, const uint8_t *input, size_t inlen); +void shake256_squeezeblocks(uint8_t *output, size_t nblocks, shake256ctx *state); + +void shake256_inc_init(shake256incctx *state); +void shake256_inc_absorb(shake256incctx *state, const uint8_t *input, size_t inlen); +void shake256_inc_finalize(shake256incctx *state); +void shake256_inc_squeeze(uint8_t *output, size_t outlen, shake256incctx *state); void shake128(uint8_t *output, size_t outlen, const uint8_t *input, size_t inlen); @@ -32,15 +63,15 @@ void shake128(uint8_t *output, size_t outlen, void shake256(uint8_t *output, size_t outlen, const uint8_t *input, size_t inlen); -void sha3_256_inc_init(uint64_t *s_inc); -void sha3_256_inc_absorb(uint64_t *s_inc, const uint8_t *input, size_t inlen); -void sha3_256_inc_finalize(uint8_t *output, uint64_t *s_inc); +void sha3_256_inc_init(sha3_256incctx *state); +void sha3_256_inc_absorb(sha3_256incctx *state, const uint8_t *input, size_t inlen); +void sha3_256_inc_finalize(uint8_t *output, sha3_256incctx *state); void sha3_256(uint8_t *output, const uint8_t *input, size_t inlen); -void sha3_512_inc_init(uint64_t *s_inc); -void sha3_512_inc_absorb(uint64_t *s_inc, const uint8_t *input, size_t inlen); -void sha3_512_inc_finalize(uint8_t *output, uint64_t *s_inc); +void sha3_512_inc_init(sha3_512incctx *state); +void sha3_512_inc_absorb(sha3_512incctx *state, const uint8_t *input, size_t inlen); +void sha3_512_inc_finalize(uint8_t *output, sha3_512incctx *state); void sha3_512(uint8_t *output, const uint8_t *input, size_t inlen); diff --git a/test/common/fips202.c b/test/common/fips202.c index e7d017d8..9cd09f85 100644 --- a/test/common/fips202.c +++ b/test/common/fips202.c @@ -56,7 +56,7 @@ static int test_sha3_256_incremental(void) { unsigned char input[512]; unsigned char check[32]; unsigned char output[32]; - uint64_t s_inc[26]; + sha3_256incctx state; int i; int absorbed; int returncode = 0; @@ -67,18 +67,18 @@ static int test_sha3_256_incremental(void) { sha3_256(check, input, 512); - sha3_256_inc_init(s_inc); + sha3_256_inc_init(&state); absorbed = 0; for (i = 0; i < 512 && absorbed + i <= 512; i++) { - sha3_256_inc_absorb(s_inc, input + absorbed, i); + sha3_256_inc_absorb(&state, input + absorbed, i); absorbed += i; } - sha3_256_inc_absorb(s_inc, input + absorbed, 512 - absorbed); + sha3_256_inc_absorb(&state, input + absorbed, 512 - absorbed); - sha3_256_inc_finalize(output, s_inc); + sha3_256_inc_finalize(output, &state); - if (memcmp(check, output, 32)) { + if (memcmp(check, output, 32) != 0) { printf("ERROR sha3_256 incremental did not match sha3_256.\n"); printf(" Expected: "); for (i = 0; i < 32; i++) { @@ -100,11 +100,11 @@ static int test_shake128_incremental(void) { unsigned char input[512]; unsigned char check[512]; unsigned char output[512]; - uint64_t s_inc_absorb[26]; - uint64_t s_inc_squeeze[26]; - uint64_t s_inc_squeeze_all[26]; - uint64_t s_inc_both[26]; - uint64_t s_combined[25]; + shake128incctx state_absorb; + shake128incctx state_squeeze; + shake128incctx state_squeeze_all; + shake128incctx state_both; + shake128ctx state_combined; int i; int absorbed; int squeezed; @@ -116,47 +116,27 @@ static int test_shake128_incremental(void) { shake128(check, 512, input, 512); - shake128_inc_init(s_inc_absorb); + shake128_inc_init(&state_absorb); absorbed = 0; for (i = 0; i < 512 && absorbed + i <= 512; i++) { - shake128_inc_absorb(s_inc_absorb, input + absorbed, i); + shake128_inc_absorb(&state_absorb, input + absorbed, i); absorbed += i; } - shake128_inc_absorb(s_inc_absorb, input + absorbed, 512 - absorbed); + shake128_inc_absorb(&state_absorb, input + absorbed, 512 - absorbed); - shake128_inc_finalize(s_inc_absorb); + shake128_inc_finalize(&state_absorb); - shake128_absorb(s_combined, input, 512); + shake128_absorb(&state_combined, input, 512); - if (memcmp(s_inc_absorb, s_combined, 25 * sizeof(uint64_t))) { + if (memcmp(&state_absorb, &state_combined, sizeof(shake128ctx)) != 0) { printf("ERROR shake128 state after incremental absorb did not match all-at-once absorb.\n"); - printf(" Expected: "); - for (i = 0; i < 25; i++) { - printf("%016" PRIx64, s_combined[i]); - } - printf("\n"); - printf(" State: "); - for (i = 0; i < 25; i++) { - printf("%016" PRIx64, s_inc_absorb[i]); - } - printf("\n"); - for (i = 0; i < 8 * 25; i++) { - if (((s_combined[i >> 3] >> (8*(i & 0x7))) & 0xFF) != - ((s_inc_absorb[i >> 3] >> (8*(i & 0x7))) & 0xFF)) { - printf(" First occurred in int %d, byte %d (%02X should be %02X)\n", - i >> 3, i & 0x7, - (uint8_t)((s_inc_absorb[i >> 3] >> (8*(i & 0x7))) & 0xFF), - (uint8_t)((s_combined[i >> 3] >> (8*(i & 0x7))) & 0xFF)); - break; - } - } returncode = 1; } - memcpy(s_inc_both, s_inc_absorb, 26 * sizeof(uint64_t)); + memcpy(&state_both, &state_absorb, sizeof(shake128incctx)); - shake128_squeezeblocks(output, 3, s_inc_absorb); + shake128_squeezeblocks(output, 3, (shake128ctx*)&state_absorb); if (memcmp(check, output, 3*SHAKE128_RATE)) { printf("ERROR shake128 incremental absorb did not match shake128.\n"); @@ -173,14 +153,14 @@ static int test_shake128_incremental(void) { returncode = 1; } - shake128_absorb(s_inc_squeeze, input, 512); - s_inc_squeeze[25] = 0; + shake128_absorb((shake128ctx*)&state_squeeze, input, 512); + state_squeeze.ctx[25] = 0; - memcpy(s_inc_squeeze_all, s_inc_squeeze, 26 * sizeof(uint64_t)); + memcpy(&state_squeeze_all, &state_squeeze, sizeof(shake128incctx)); - shake128_inc_squeeze(output, 512, s_inc_squeeze_all); + shake128_inc_squeeze(output, 512, &state_squeeze_all); - if (memcmp(check, output, 512)) { + if (memcmp(check, output, 512) != 0) { printf("ERROR shake128 incremental squeeze-all did not match shake128.\n"); printf(" Expected: "); for (i = 0; i < 512; i++) { @@ -198,12 +178,12 @@ static int test_shake128_incremental(void) { squeezed = 0; memset(output, 0, 512); for (i = 0; i < 512 && squeezed + i <= 512; i++) { - shake128_inc_squeeze(output + squeezed, i, s_inc_squeeze); + shake128_inc_squeeze(output + squeezed, i, &state_squeeze); squeezed += i; } - shake128_inc_squeeze(output + squeezed, 512 - squeezed, s_inc_squeeze); + shake128_inc_squeeze(output + squeezed, 512 - squeezed, &state_squeeze); - if (memcmp(check, output, 512)) { + if (memcmp(check, output, 512) != 0) { printf("ERROR shake128 incremental squeeze did not match shake128.\n"); printf(" Expected: "); for (i = 0; i < 512; i++) { @@ -221,12 +201,12 @@ static int test_shake128_incremental(void) { squeezed = 0; memset(output, 0, 512); for (i = 0; i < 512 && squeezed + i <= 512; i++) { - shake128_inc_squeeze(output + squeezed, i, s_inc_both); + shake128_inc_squeeze(output + squeezed, i, &state_both); squeezed += i; } - shake128_inc_squeeze(output + squeezed, 512 - squeezed, s_inc_both); + shake128_inc_squeeze(output + squeezed, 512 - squeezed, &state_both); - if (memcmp(check, output, 512)) { + if (memcmp(check, output, 512) != 0) { printf("ERROR shake128 incremental absorb + squeeze did not match shake128.\n"); printf(" Expected: "); for (i = 0; i < 512; i++) { @@ -250,7 +230,7 @@ static int test_shake128(void) { shake128(output, 32, plaintext, 43); - if (memcmp(expected, output, 32)) { + if (memcmp(expected, output, 32) != 0) { printf("ERROR shake128 output did not match test vector.\n"); printf("Expected: "); for (i = 0; i < 32; i++) {