jmg
/
ed448goldilocks
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
200 Commits
2 Branches
1.6 MiB
 
 
 
 
 
Tree: 2b0c51f4b3
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '2b0c51f4b3'
${ noResults }
ed448goldilocks/include/shake.hxx

382 lines
13 KiB
Raw Blame History 

  1. /**

  2.  * @file shake.hxx

  3.  * @copyright

  4.  *   Based on CC0 code by David Leon Gil, 2015 \n

  5.  *   Copyright (c) 2015 Cryptography Research, Inc.  \n

  6.  *   Released under the MIT License.  See LICENSE.txt for license information.

  7.  * @author Mike Hamburg

  8.  * @brief SHA-3-n and SHAKE-n instances, C++ wrapper.

  9.  * @warning EXPERIMENTAL!  The names, parameter orders etc are likely to change.

  10.  */

  11. 

  12. #ifndef __SHAKE_HXX__

  13. #define __SHAKE_HXX__

  14. 

  15. #include "shake.h"

  16. #include <string>

  17. #include <sys/types.h>

  18. 

  19. /** @cond internal */

  20. #if __cplusplus >= 201103L

  21. #define DELETE = delete

  22. #define NOEXCEPT noexcept

  23. #define EXPLICIT_CON explicit

  24. #define GET_DATA(str) ((const unsigned char *)&(str)[0])

  25. #else

  26. #define DELETE

  27. #define NOEXCEPT throw()

  28. #define EXPLICIT_CON

  29. #define GET_DATA(str) ((const unsigned char *)((str).data()))

  30. #endif

  31. /** @endcond */

  32. 

  33. namespace decaf {

  34. 

  35. /** A Keccak sponge internal class */

  36. class KeccakSponge {

  37. protected:

  38.     /** The C-wrapper sponge state */

  39.     keccak_sponge_t sp;

  40. 

  41.     /** Initialize from parameters */

  42.     inline KeccakSponge(const struct kparams_s *params) NOEXCEPT { sponge_init(sp, params); }

  43.     

  44.     /** No initialization */

  45.     inline KeccakSponge(const NOINIT &) NOEXCEPT { }

  46. 

  47. public:

  48.     /** Destructor zeroizes state */

  49.     inline ~KeccakSponge() NOEXCEPT { sponge_destroy(sp); }

  50. };

  51. 

  52. /**

  53.  * Hash function derived from Keccak

  54.  * @todo throw exceptions when hash is misused.

  55.  */

  56. class KeccakHash : public KeccakSponge {

  57. protected:

  58.     /** Initialize from parameters */

  59.     inline KeccakHash(const kparams_s *params) NOEXCEPT : KeccakSponge(params) {}

  60.     

  61. public:

  62.     /** Add more data to running hash */

  63.     inline void update(const uint8_t *__restrict__ in, size_t len) { sha3_update(sp,in,len); }

  64. 

  65.     /** Add more data to running hash, C++ version. */

  66.     inline void update(const Block &s) { sha3_update(sp,s.data(),s.size()); }

  67.     

  68.     /** Add more data, stream version. */

  69.     inline KeccakHash &operator<<(const Block &s) { update(s); return *this; }

  70.     

  71.     /** Same as <<. */

  72.     inline KeccakHash &operator+=(const Block &s) { return *this << s; }

  73.     

  74.     /**

  75.      * @brief Output bytes from the sponge.

  76.      * @todo make this throw exceptions.

  77.      */

  78.     inline void output(TmpBuffer b) { sha3_output(sp,b.data(),b.size()); }

  79.     

  80.     /**

  81.      * @brief Output bytes from the sponge.

  82.      * @todo make this throw exceptions.

  83.      */

  84.     inline void output(Buffer &b) { sha3_output(sp,b.data(),b.size()); }

  85.     

  86.     /** @brief Output bytes from the sponge. */

  87.     inline SecureBuffer output(size_t len) {

  88.         SecureBuffer buffer(len);

  89.         sha3_output(sp,buffer,len);

  90.         return buffer;

  91.     }

  92.     

  93.     /** @brief Return the sponge's default output size. */

  94.     inline size_t default_output_size() const NOEXCEPT {

  95.         return sponge_default_output_bytes(sp);

  96.     }

  97.     

  98.     /** Output the default number of bytes. */

  99.     inline SecureBuffer output() {

  100.         return output(default_output_size());

  101.     }

  102. };

  103. 

  104. /** Fixed-output-length SHA3 */

  105. template<int bits> class SHA3 : public KeccakHash {

  106. private:

  107.     /** Get the parameter template block for this hash */

  108.     static inline const struct kparams_s *get_params();

  109. public:

  110.     /** Initializer */

  111.     inline SHA3() NOEXCEPT : KeccakHash(get_params()) {}

  112. 

  113.     /** Reset the hash to the empty string */

  114.     inline void reset() NOEXCEPT { sponge_init(sp, get_params()); }

  115. };

  116. 

  117. /** Variable-output-length SHAKE */

  118. template<int bits>

  119. class SHAKE : public KeccakHash {

  120. private:

  121.     /** Get the parameter template block for this hash */

  122.     static inline const struct kparams_s *get_params();

  123. public:

  124.     /** Initializer */

  125.     inline SHAKE() NOEXCEPT : KeccakHash(get_params()) {}

  126. 

  127.     /** Reset the hash to the empty string */

  128.     inline void reset() NOEXCEPT { sponge_init(sp, get_params()); }

  129. };

  130. 

  131. /** @cond internal */

  132. template<> inline const struct kparams_s *SHAKE<128>::get_params() { return &SHAKE128_params_s; }

  133. template<> inline const struct kparams_s *SHAKE<256>::get_params() { return &SHAKE256_params_s; }

  134. template<> inline const struct kparams_s *SHA3<224>::get_params() { return &SHA3_224_params_s; }

  135. template<> inline const struct kparams_s *SHA3<256>::get_params() { return &SHA3_256_params_s; }

  136. template<> inline const struct kparams_s *SHA3<384>::get_params() { return &SHA3_384_params_s; }

  137. template<> inline const struct kparams_s *SHA3<512>::get_params() { return &SHA3_512_params_s; }

  138. /** @endcond */

  139. 

  140. /** @brief An exception for misused protocol, eg encrypt with no key. */

  141. class ProtocolException : public std::exception {

  142. public:

  143.     /** @return "ProtocolException" */

  144.     virtual const char * what() const NOEXCEPT { return "ProtocolException"; }

  145. };

  146.     

  147. /** Sponge-based random-number generator */

  148. class SpongeRng : private KeccakSponge {

  149. public:

  150.     class RngException : public std::exception {

  151.     private:

  152.         const char *const what_;

  153.     public:

  154.         const int err_code;

  155.         const char *what() const NOEXCEPT { return what_; }

  156.         RngException(int err_code, const char *what_) NOEXCEPT : what_(what_), err_code(err_code) {}

  157.     };

  158.     

  159.     /** Initialize, deterministically by default, from block */

  160.     inline SpongeRng( const Block &in, bool deterministic = true )

  161.     : KeccakSponge((NOINIT())) {

  162.         spongerng_init_from_buffer(sp,in.data(),in.size(),deterministic);

  163.     }

  164.     

  165.     /** Initialize, non-deterministically by default, from C/C++ filename */

  166.     inline SpongeRng( const std::string &in = "/dev/urandom", size_t len = 32, bool deterministic = false )

  167.         throw(RngException)

  168.     : KeccakSponge((NOINIT())) {

  169.         int ret = spongerng_init_from_file(sp,in.c_str(),len,deterministic);

  170.         if (ret) {

  171.             throw RngException(ret, "Couldn't load from file");

  172.         }

  173.     }

  174.     

  175.     /** Read data to a buffer. */

  176.     inline void read(Buffer &buffer) NOEXCEPT { spongerng_next(sp,buffer.data(),buffer.size()); }

  177.     

  178.     /** Read data to a buffer. */

  179.     inline void read(TmpBuffer buffer) NOEXCEPT { read((Buffer &)buffer); }

  180.     

  181.     /** Read data to a C++ string 

  182.      * @warning TODO Future versions of this function may throw RngException if a

  183.      * nondeterministic RNG fails a reseed.

  184.      */

  185.     inline SecureBuffer read(size_t length) throw(std::bad_alloc) {

  186.         SecureBuffer out(length); read(out); return out;

  187.     }

  188.     

  189. private:

  190.     SpongeRng(const SpongeRng &) DELETE;

  191.     SpongeRng &operator=(const SpongeRng &) DELETE;

  192. };

  193. 

  194. /**@cond internal*/

  195. inline Ed255::Scalar::Scalar(SpongeRng &rng) NOEXCEPT {

  196.     *this = rng.read(SER_BYTES);

  197. }

  198. 

  199. inline Ed255::Point::Point(SpongeRng &rng, bool uniform) NOEXCEPT {

  200.     SecureBuffer buffer((uniform ? 2 : 1) * HASH_BYTES);

  201.     rng.read(buffer);

  202.     set_to_hash(buffer);

  203. }

  204. 

  205. 

  206. inline SecureBuffer Ed255::Point::steg_encode(SpongeRng &rng) const NOEXCEPT {

  207.     SecureBuffer out(STEG_BYTES);

  208.     bool done;

  209.     do {

  210.         rng.read(out.slice(HASH_BYTES-1,STEG_BYTES-HASH_BYTES+1));

  211.         done = invert_elligator(out, out[HASH_BYTES-1] & 7); /* 7 is kind of MAGIC */

  212.     } while (!done);

  213.     return out;

  214. }

  215. /**@endcond*/

  216. 

  217. class Strobe : private KeccakSponge {

  218. public:

  219.     /* TODO: pull out parameters */

  220.     

  221.     /** Am I a server or a client? */

  222.     enum client_or_server { SERVER, CLIENT };

  223.     

  224.     inline Strobe (

  225.         client_or_server whoami,

  226.         const kparams_s &params = STROBE_256

  227.     ) NOEXCEPT : KeccakSponge(NOINIT()) {

  228.         strobe_init(sp, &params, whoami == CLIENT);

  229.     }

  230. 

  231.     inline void key (

  232.         const Block &data, bool more = false

  233.     ) throw(ProtocolException) {

  234.         if (!strobe_key(sp, data, data.size(), more)) throw ProtocolException();

  235.     }

  236. 

  237.     inline void nonce(const Block &data, bool more = false

  238.     ) throw(ProtocolException) {

  239.         if (!strobe_nonce(sp, data, data.size(), more)) throw ProtocolException();

  240.     }

  241. 

  242.     inline void send_plaintext(const Block &data, bool more = false

  243.     ) throw(ProtocolException) {

  244.         if (!strobe_plaintext(sp, data, data.size(), true, more))

  245.             throw(ProtocolException());

  246.     }

  247. 

  248.     inline void recv_plaintext(const Block &data, bool more = false

  249.     ) throw(ProtocolException) {

  250.         if (!strobe_plaintext(sp, data, data.size(), false, more))

  251.             throw(ProtocolException());

  252.     }

  253. 

  254.     inline void ad(const Block &data, bool more = false

  255.     ) throw(ProtocolException) {

  256.         if (!strobe_ad(sp, data, data.size(), more))

  257.             throw(ProtocolException());

  258.     }

  259.     

  260.     inline void encrypt_no_auth(

  261.         Buffer &out, const Block &data, bool more = false

  262.     ) throw(LengthException,ProtocolException) {

  263.         if (out.size() != data.size()) throw LengthException();

  264.         if (!strobe_encrypt(sp, out, data, data.size(), more)) throw(ProtocolException());

  265.     }

  266.     

  267.     inline void encrypt_no_auth(

  268.         TmpBuffer out, const Block &data, bool more = false

  269.     ) throw(LengthException,ProtocolException) {

  270.         encrypt_no_auth((Buffer &)out, data, more);

  271.     }

  272.     

  273.     inline SecureBuffer encrypt_no_auth(const Block &data, bool more = false

  274.     ) throw(ProtocolException) {

  275.         SecureBuffer out(data.size()); encrypt_no_auth(out, data, more); return out;

  276.     }

  277.     

  278.     inline void decrypt_no_auth(

  279.         Buffer &out, const Block &data, bool more = false

  280.     ) throw(LengthException,ProtocolException) {

  281.         if (out.size() != data.size()) throw LengthException();

  282.         if (!strobe_decrypt(sp, out, data, data.size(), more)) throw ProtocolException();

  283.     }

  284.     

  285.     inline void decrypt_no_auth(

  286.         TmpBuffer out, const Block &data, bool more = false

  287.     ) throw(LengthException,ProtocolException) {

  288.         decrypt_no_auth((Buffer &)out, data, more);

  289.     }

  290.     

  291.     inline SecureBuffer decrypt_no_auth(const Block &data, bool more = false

  292.     ) throw(ProtocolException) {

  293.         SecureBuffer out(data.size()); decrypt_no_auth(out, data, more); return out;

  294.     }

  295.     

  296.     inline void produce_auth(Buffer &out) throw(LengthException,ProtocolException) {

  297.         if (out.size() > STROBE_MAX_AUTH_BYTES) throw LengthException();

  298.         if (!strobe_produce_auth(sp, out, out.size())) throw ProtocolException();

  299.     }

  300.     

  301.     inline void produce_auth(TmpBuffer out) throw(LengthException,ProtocolException) {

  302.         produce_auth((Buffer &)out);

  303.     }

  304.     

  305.     inline SecureBuffer produce_auth(

  306.         uint8_t bytes = 8

  307.     ) throw(ProtocolException) {

  308.         SecureBuffer out(bytes); produce_auth(out); return out;

  309.     }

  310.     

  311.     inline void encrypt(

  312.         Buffer &out, const Block &data, uint8_t auth = 8

  313.     ) throw(LengthException,ProtocolException) {

  314.         if (out.size() < data.size() || out.size() != data.size() + auth) throw LengthException();

  315.         encrypt_no_auth(out.slice(0,data.size()), data);

  316.         produce_auth(out.slice(data.size(),auth));

  317.     }

  318.     

  319.     inline void encrypt (

  320.         TmpBuffer out, const Block &data, uint8_t auth = 8

  321.     ) throw(LengthException,ProtocolException) {

  322.         encrypt((Buffer &)out, data, auth);

  323.     }

  324.     

  325.     inline SecureBuffer encrypt (

  326.         const Block &data, uint8_t auth = 8

  327.     ) throw(LengthException,ProtocolException,std::bad_alloc ){

  328.         SecureBuffer out(data.size() + auth); encrypt(out, data, auth); return out;

  329.     }

  330.     

  331.     inline void decrypt (

  332.         Buffer &out, const Block &data, uint8_t bytes = 8

  333.     ) throw(LengthException, CryptoException, ProtocolException) {

  334.         if (out.size() > data.size() || out.size() != data.size() - bytes) throw LengthException();

  335.         decrypt_no_auth(out, data.slice(0,out.size()));

  336.         verify_auth(data.slice(out.size(),bytes));

  337.     }

  338.     

  339.     inline void decrypt (

  340.         TmpBuffer out, const Block &data, uint8_t bytes = 8

  341.     ) throw(LengthException,CryptoException,ProtocolException) {

  342.         decrypt((Buffer &)out, data, bytes);

  343.     }

  344.     

  345.     inline SecureBuffer decrypt (

  346.         const Block &data, uint8_t bytes = 8

  347.     ) throw(LengthException,CryptoException,ProtocolException,std::bad_alloc) {

  348.         if (data.size() < bytes) throw LengthException();

  349.         SecureBuffer out(data.size() - bytes); decrypt(out, data, bytes); return out;

  350.     }

  351.     

  352.     inline void verify_auth(const Block &auth) throw(LengthException,CryptoException) {

  353.         if (auth.size() == 0 || auth.size() > STROBE_MAX_AUTH_BYTES) throw LengthException();

  354.         if (!strobe_verify_auth(sp, auth, auth.size())) throw CryptoException();

  355.     }

  356.     

  357.     inline void prng(Buffer &out, bool more = false) NOEXCEPT {

  358.         (void)strobe_prng(sp, out, out.size(), more);

  359.     }

  360.     

  361.     inline void prng(TmpBuffer out, bool more = false) NOEXCEPT {

  362.         prng((Buffer &)out, more);

  363.     }

  364.     

  365.     inline SecureBuffer prng(size_t bytes, bool more = false) {

  366.         SecureBuffer out(bytes); prng(out, more); return out;

  367.     }

  368.     

  369.     inline void respec(const kparams_s &params) throw(ProtocolException) {

  370.         if (!strobe_respec(sp, &params)) throw(ProtocolException());

  371.     }

  372. };

  373.   

  374. } /* namespace decaf */

  375. 

  376. #undef NOEXCEPT

  377. #undef EXPLICIT_CON

  378. #undef GET_DATA

  379. #undef DELETE

  380. 

  381. #endif /* __SHAKE_HXX__ */