aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorPaul Duncan <pabs@pablotron.org>2023-09-02 12:39:56 -0400
committerPaul Duncan <pabs@pablotron.org>2023-09-02 12:39:56 -0400
commita36e72d0825e2390575ea228e670074089a2b5b1 (patch)
treed6f30e2b18016ea76975ac98d262ed907e1a67de
parentbe371d5f35f783bdd73ec5714c6cbbd7153ed6f7 (diff)
downloadsha3-a36e72d0825e2390575ea228e670074089a2b5b1.tar.bz2
sha3-a36e72d0825e2390575ea228e670074089a2b5b1.zip
sha3.c: add xof_once(), refactor shake{128,256}_xof_once()
-rw-r--r--sha3.c330
1 files changed, 312 insertions, 18 deletions
diff --git a/sha3.c b/sha3.c
index d6c43d3..ec03185 100644
--- a/sha3.c
+++ b/sha3.c
@@ -294,6 +294,18 @@ static inline void xof_squeeze(sha3_xof_t * const xof, const size_t rate, uint8_
}
}
+static inline void xof_once(const size_t rate, const uint8_t * const src, const size_t src_len, uint8_t * const dst, const size_t dst_len) {
+ // init
+ sha3_xof_t xof;
+ xof_init(&xof);
+
+ // absorb (ignore error)
+ (void) xof_absorb(&xof, rate, src, src_len);
+
+ // squeeze
+ xof_squeeze(&xof, rate, dst, dst_len);
+}
+
#define SHAKE128_XOF_RATE (200 - 2 * 16)
void shake128_xof_init(sha3_xof_t * const xof) {
@@ -309,15 +321,7 @@ void shake128_xof_squeeze(sha3_xof_t * const xof, uint8_t * const dst, const siz
}
void shake128_xof_once(const uint8_t * const src, const size_t src_len, uint8_t * const dst, const size_t dst_len) {
- // init
- sha3_xof_t xof;
- shake128_xof_init(&xof);
-
- // absorb (ignore error)
- (void) shake128_xof_absorb(&xof, src, src_len);
-
- // squeeze
- shake128_xof_squeeze(&xof, dst, dst_len);
+ xof_once(SHAKE128_XOF_RATE, src, src_len, dst, dst_len);
}
#define SHAKE256_XOF_RATE (200 - 2 * 32)
@@ -335,15 +339,7 @@ void shake256_xof_squeeze(sha3_xof_t * const xof, uint8_t * const dst, const siz
}
void shake256_xof_once(const uint8_t * const src, const size_t src_len, uint8_t * const dst, const size_t dst_len) {
- // init
- sha3_xof_t xof;
- shake256_xof_init(&xof);
-
- // absorb (ignore error)
- (void) shake256_xof_absorb(&xof, src, src_len);
-
- // squeeze
- shake256_xof_squeeze(&xof, dst, dst_len);
+ xof_once(SHAKE256_XOF_RATE, src, src_len, dst, dst_len);
}
#ifdef SHA3_TEST
@@ -1708,6 +1704,301 @@ static void test_shake256_xof_once(void) {
}
}
+// NIST SP 800-105 utility function.
+static inline size_t left_encode(uint8_t buf[static 9], const uint64_t n) {
+ if (n > 0x00ffffffffffffffULL) {
+ buf[0] = 8;
+ buf[1] = (n >> 56) & 0xff;
+ buf[2] = (n >> 40) & 0xff;
+ buf[3] = (n >> 32) & 0xff;
+ buf[4] = (n >> 24) & 0xff;
+ buf[5] = (n >> 16) & 0xff;
+ buf[6] = (n >> 8) & 0xff;
+ buf[7] = n & 0xff;
+ return 9;
+ } else if (n > 0x0000ffffffffffffULL) {
+ buf[0] = 7;
+ buf[1] = (n >> 56) & 0xff;
+ buf[2] = (n >> 40) & 0xff;
+ buf[3] = (n >> 32) & 0xff;
+ buf[4] = (n >> 24) & 0xff;
+ buf[5] = (n >> 16) & 0xff;
+ buf[6] = (n >> 8) & 0xff;
+ buf[7] = n & 0xff;
+ return 8;
+ } else if (n > 0x000000ffffffffffULL) {
+ buf[0] = 6;
+ buf[1] = (n >> 40) & 0xff;
+ buf[2] = (n >> 32) & 0xff;
+ buf[3] = (n >> 24) & 0xff;
+ buf[4] = (n >> 16) & 0xff;
+ buf[5] = (n >> 8) & 0xff;
+ buf[6] = n & 0xff;
+ return 7;
+ } else if (n > 0x00000000ffffffffULL) {
+ buf[0] = 5;
+ buf[1] = (n >> 32) & 0xff;
+ buf[2] = (n >> 24) & 0xff;
+ buf[3] = (n >> 16) & 0xff;
+ buf[4] = (n >> 8) & 0xff;
+ buf[5] = n & 0xff;
+ return 6;
+ } else if (n > 0x0000000000ffffffULL) {
+ buf[0] = 4;
+ buf[1] = (n >> 24) & 0xff;
+ buf[2] = (n >> 16) & 0xff;
+ buf[3] = (n >> 8) & 0xff;
+ buf[4] = n & 0xff;
+ return 5;
+ } else if (n > 0x000000000000ffffULL) {
+ buf[0] = 3;
+ buf[1] = (n >> 16) & 0xff;
+ buf[2] = (n >> 8) & 0xff;
+ buf[3] = n & 0xff;
+ return 4;
+ } else if (n > 0x00000000000000ffULL) {
+ buf[0] = 2;
+ buf[1] = (n >> 8) & 0xff;
+ buf[2] = n & 0xff;
+ return 3;
+ } else {
+ buf[0] = 1;
+ buf[1] = n & 0xff;
+ return 2;
+ }
+}
+
+static void test_left_encode(void) {
+ static const struct {
+ const char *name;
+ uint64_t val;
+ uint8_t exp[9];
+ size_t exp_len;
+ } tests[] = {{
+ .name = "zero",
+ .val = 0,
+ .exp = { 0x01, 0x00 },
+ .exp_len = 2,
+ }, {
+ .name = "120",
+ .val = 120,
+ .exp = { 0x01, 0x78 },
+ .exp_len = 2,
+ }, {
+ .name = "256",
+ .val = 256,
+ .exp = { 0x02, 0x01, 0x00 },
+ .exp_len = 3,
+ }, {
+ .name = "65535",
+ .val = 65535,
+ .exp = { 0x02, 0xff, 0xff },
+ .exp_len = 3,
+ }, {
+ .name = "65536",
+ .val = 65536,
+ .exp = { 0x03, 0x01, 0x00, 0x00 },
+ .exp_len = 4,
+ }, {
+ .name = "0xff00ff",
+ .val = 0xff00ff,
+ .exp = { 0x03, 0xff, 0x00, 0xff },
+ .exp_len = 4,
+ }, {
+ .name = "0x01000000",
+ .val = 0x01000000,
+ .exp = { 0x04, 0x01, 0x00, 0x00, 0x00 },
+ .exp_len = 5,
+ }, {
+ .name = "0xffffffff",
+ .val = 0xffffffff,
+ .exp = { 0x04, 0xff, 0xff, 0xff, 0xff },
+ .exp_len = 5,
+ }, {
+ .name = "0x0100000000",
+ .val = 0x0100000000,
+ .exp = { 0x05, 0x01, 0x00, 0x00, 0x00, 0x00 },
+ .exp_len = 6,
+ }};
+
+ for (size_t i = 0; i < sizeof(tests) / sizeof(tests[0]); i++) {
+ uint8_t got[9];
+ const size_t got_len = left_encode(got, tests[i].val);
+
+ // check length and data
+ if (got_len != tests[i].exp_len) {
+ fprintf(stderr, "test_left_encode(\"%s\") length check failed: got %zu, exp %zu:\n", tests[i].name, got_len, tests[i].exp_len);
+ } else if (memcmp(got, tests[i].exp, got_len)) {
+ fprintf(stderr, "test_left_encode(\"%s\") failed, got:\n", tests[i].name);
+ dump_hex(stderr, got, got_len);
+
+ fprintf(stderr, "exp:\n");
+ dump_hex(stderr, tests[i].exp, got_len);
+ }
+ }
+}
+
+// Write prefix for encode_string() to the given buffer. Accepts the
+// length of the string, in bytes.
+//
+// Returns the length of the prefix, in bytes.
+static inline size_t encode_string_prefix(uint8_t buf[static 9], const size_t num_bytes) {
+ return left_encode(buf, (uint64_t) num_bytes << 3);
+}
+
+static void test_encode_string_prefix(void) {
+ static const struct {
+ const char *name;
+ uint8_t val[256];
+ size_t val_len;
+ uint8_t exp[9];
+ size_t exp_len;
+ } tests[] = {{
+ .name = "empty",
+ .val = "",
+ .val_len = 0,
+ .exp = { 0x01, 0x00 },
+ .exp_len = 2,
+ }, {
+ .name = "4",
+ .val = "asdf",
+ .val_len = 4,
+ .exp = { 0x01, 0x20 },
+ .exp_len = 2,
+ }, {
+ .name = "31",
+ .val = "asdfasdfasdfasdfasdfasdfasdfasd",
+ .val_len = 31,
+ .exp = { 0x01, 0xf8 },
+ .exp_len = 2,
+ }, {
+ .name = "32",
+ .val = "asdfasdfasdfasdfasdfasdfasdfasdf",
+ .val_len = 32,
+ .exp = { 0x02, 0x01, 0x00 },
+ .exp_len = 3,
+ }, {
+ .name = "33",
+ .val = "asdfasdfasdfasdfasdfasdfasdfasdfa",
+ .val_len = 33,
+ .exp = { 0x02, 0x01, 0x08 },
+ .exp_len = 3,
+ }};
+
+ for (size_t i = 0; i < sizeof(tests) / sizeof(tests[0]); i++) {
+ uint8_t got[9];
+ const size_t got_len = encode_string_prefix(got, tests[i].val_len);
+
+ // check length and data
+ if (got_len != tests[i].exp_len) {
+ fprintf(stderr, "test_encode_string_prefix(\"%s\") length check failed: got %zu, exp %zu:\n", tests[i].name, got_len, tests[i].exp_len);
+ } else if (memcmp(got, tests[i].exp, got_len)) {
+ fprintf(stderr, "test_encode_string_prefix(\"%s\") failed, got:\n", tests[i].name);
+ dump_hex(stderr, got, got_len);
+
+ fprintf(stderr, "exp:\n");
+ dump_hex(stderr, tests[i].exp, got_len);
+ }
+ }
+}
+
+typedef struct {
+ size_t prefix_len; // length of bytepad prefix, in bytes
+ size_t pad_len; // number of padding bytes after prefix and data
+} bytepad_lens_t;
+
+// write bytepad() prefix to buffer, then return structure containing
+// the length of the prefix, in bytes, and the total number of
+static inline bytepad_lens_t bytepad_prefix(uint8_t buf[static 9], const size_t data_len, const size_t width) {
+ const size_t prefix_len = left_encode(buf, width);
+ const size_t total_len = prefix_len + data_len;
+ const size_t padded_len = (total_len / width + ((total_len % width) ? 1 : 0)) * width;
+
+ return (bytepad_lens_t) {
+ .prefix_len = prefix_len,
+ .pad_len = padded_len - total_len,
+ };
+}
+
+static void test_bytepad_prefix(void) {
+ static const struct {
+ const char *name;
+ size_t data_len, width;
+ uint8_t exp_buf[9];
+ bytepad_lens_t exp_lens;
+ } tests[] = {{
+ .name = "0-10",
+ .data_len = 0,
+ .width = 10,
+ .exp_buf = { 0x01, 0x0a },
+ .exp_lens = { 2, 8 },
+ }, {
+ .name = "8-10",
+ .data_len = 8,
+ .width = 10,
+ .exp_buf = { 0x01, 0x0a },
+ .exp_lens = { 2, 0 },
+ }, {
+ .name = "9-10",
+ .data_len = 9,
+ .width = 10,
+ .exp_buf = { 0x01, 0x0a },
+ .exp_lens = { 2, 9 },
+ }, {
+ .name = "10-10",
+ .data_len = 10,
+ .width = 10,
+ .exp_buf = { 0x01, 0x0a },
+ .exp_lens = { 2, 8 },
+ }, {
+ .name = "11-10",
+ .data_len = 11,
+ .width = 10,
+ .exp_buf = { 0x01, 0x0a },
+ .exp_lens = { 2, 7 },
+ }};
+
+ for (size_t i = 0; i < sizeof(tests) / sizeof(tests[0]); i++) {
+ uint8_t got_buf[9];
+ const bytepad_lens_t got_lens = bytepad_prefix(got_buf, tests[i].data_len, tests[i].width);
+
+ // check prefix length and data
+ if (got_lens.prefix_len != tests[i].exp_lens.prefix_len || got_lens.pad_len != tests[i].exp_lens.pad_len) {
+ fprintf(stderr, "test_bytepad_prefix(\"%s\") length check failed:\n got: { %zu, %zu }\n exp: { %zu, %zu }\n", tests[i].name, got_lens.prefix_len, got_lens.pad_len, tests[i].exp_lens.prefix_len, tests[i].exp_lens.pad_len);
+ } else if (memcmp(got_buf, tests[i].exp_buf, got_lens.prefix_len)) {
+ fprintf(stderr, "test_bytepad_prefix(\"%s\") failed, got:\n", tests[i].name);
+ dump_hex(stderr, got_buf, got_lens.prefix_len);
+
+ fprintf(stderr, "exp:\n");
+ dump_hex(stderr, tests[i].exp_buf, got_lens.prefix_len);
+ }
+ }
+}
+
+void cshake128(
+ const uint8_t * const nist_name, const size_t nist_name_len,
+ const uint8_t * const domain, const size_t domain_len,
+ const uint8_t *msg, const size_t msg_len,
+ uint8_t * const dst, const size_t dst_len
+) {
+ if (nist_name_len || domain_len) {
+ // TODO
+ } else {
+ // without nist prefix and domain, cshake128 is equivalent to
+ // shake128()
+
+ // init
+ sha3_xof_t xof;
+ shake128_xof_init(&xof);
+
+ // absorb (note: ignoring error message here)
+ (void) shake128_xof_absorb(&xof, msg, msg_len);
+
+ // squeeze
+ shake128_xof_squeeze(&xof, dst, dst_len);
+ }
+}
+
int main(void) {
test_theta();
test_rho();
@@ -1725,6 +2016,9 @@ int main(void) {
test_shake128_xof_once();
test_shake256_xof();
test_shake256_xof_once();
+ test_left_encode();
+ test_encode_string_prefix();
+ test_bytepad_prefix();
printf("ok\n");
}