jmg
/
ed448goldilocks
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
337 Commits
2 Branches
1.6 MiB
 
 
 
 
 
Tree: 5311dd5863
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '5311dd5863'
${ noResults }
ed448goldilocks/src/shake.c

627 lines
18 KiB
Raw Blame History 

  1. /**

  2.  * @cond internal

  3.  * @file shake.c

  4.  * @copyright

  5.  *   Uses public domain code by Mathias Panzenböck \n

  6.  *   Uses CC0 code by David Leon Gil, 2015 \n

  7.  *   Copyright (c) 2015 Cryptography Research, Inc.  \n

  8.  *   Released under the MIT License.  See LICENSE.txt for license information.

  9.  * @author Mike Hamburg

  10.  * @brief SHA-3-n and SHAKE-n instances.

  11.  * @warning EXPERIMENTAL!  The names, parameter orders etc are likely to change.

  12.  */

  13. 

  14. #define __STDC_WANT_LIB_EXT1__ 1 /* for memset_s */

  15. #define _BSD_SOURCE 1 /* for endian */

  16. #include <assert.h>

  17. #include <stdint.h>

  18. #include <string.h>

  19. 

  20. /* to open and read from /dev/urandom */

  21. #include <sys/types.h>

  22. #include <sys/stat.h>

  23. #include <fcntl.h>

  24. #include <unistd.h>

  25. 

  26. /* Subset of Mathias Panzenböck's portable endian code, public domain */

  27. #if defined(__linux__) || defined(__CYGWIN__)

  28. #	include <endian.h>

  29. #elif defined(__OpenBSD__)

  30. #	include <sys/endian.h>

  31. #elif defined(__APPLE__)

  32. #	include <libkern/OSByteOrder.h>

  33. #	define htole64(x) OSSwapHostToLittleInt64(x)

  34. #	define le64toh(x) OSSwapLittleToHostInt64(x)

  35. #elif defined(__NetBSD__) || defined(__FreeBSD__) || defined(__DragonFly__)

  36. #	include <sys/endian.h>

  37. #	define le64toh(x) letoh64(x)

  38. #elif defined(_WIN16) || defined(_WIN32) || defined(_WIN64) || defined(__WINDOWS__)

  39. #	include <winsock2.h>

  40. #	include <sys/param.h>

  41. #	if BYTE_ORDER == LITTLE_ENDIAN

  42. #		define htole64(x) (x)

  43. #		define le64toh(x) (x)

  44. #	elif BYTE_ORDER == BIG_ENDIAN

  45. #		define htole64(x) __builtin_bswap64(x)

  46. #		define le64toh(x) __builtin_bswap64(x)

  47. #	else

  48. #		error byte order not supported

  49. #	endif

  50. #else

  51. #	error platform not supported

  52. #endif

  53. 

  54. /* The internal, non-opaque definition of the sponge struct. */

  55. typedef union {

  56.     uint64_t w[25]; uint8_t b[25*8];

  57. } kdomain_t[1];

  58. 

  59. typedef struct kparams_s {

  60.     uint8_t position, flags, rate, startRound, pad, ratePad, maxOut, client;

  61. } kparams_t[1];

  62. 

  63. typedef struct keccak_sponge_s {

  64.     kdomain_t state;

  65.     kparams_t params;

  66. } keccak_sponge_s, keccak_sponge_t[1];

  67. 

  68. #define INTERNAL_SPONGE_STRUCT 1

  69. #include <decaf/shake.h>

  70. #include <decaf/strobe.h>

  71. #include <decaf/spongerng.h>

  72. 

  73. #define FLAG_ABSORBING 'A'

  74. #define FLAG_SQUEEZING 'Z'

  75. 

  76. /** Constants. **/

  77. static const uint8_t pi[24] = {

  78.     10, 7,  11, 17, 18, 3, 5,  16, 8,  21, 24, 4,

  79.     15, 23, 19, 13, 12, 2, 20, 14, 22, 9,  6,  1

  80. };

  81. 

  82. #define RC_B(x,n) ((((x##ull)>>n)&1)<<((1<<n)-1))

  83. #define RC_X(x) (RC_B(x,0)|RC_B(x,1)|RC_B(x,2)|RC_B(x,3)|RC_B(x,4)|RC_B(x,5)|RC_B(x,6))

  84. static const uint64_t RC[24] = {

  85.     RC_X(0x01), RC_X(0x1a), RC_X(0x5e), RC_X(0x70), RC_X(0x1f), RC_X(0x21),

  86.     RC_X(0x79), RC_X(0x55), RC_X(0x0e), RC_X(0x0c), RC_X(0x35), RC_X(0x26),

  87.     RC_X(0x3f), RC_X(0x4f), RC_X(0x5d), RC_X(0x53), RC_X(0x52), RC_X(0x48),

  88.     RC_X(0x16), RC_X(0x66), RC_X(0x79), RC_X(0x58), RC_X(0x21), RC_X(0x74)

  89. };

  90. 

  91. static inline uint64_t rol(uint64_t x, int s) {

  92.     return (x << s) | (x >> (64 - s));

  93. }

  94. 

  95. /* Helper macros to unroll the permutation. */

  96. #define REPEAT5(e) e e e e e

  97. #define FOR51(v, e) v = 0; REPEAT5(e; v += 1;)

  98. #ifndef SHAKE_NO_UNROLL_LOOPS

  99. #    define FOR55(v, e) v = 0; REPEAT5(e; v += 5;)

  100. #    define REPEAT24(e) e e e e e e e e e e e e e e e e e e e e e e e e

  101. #else

  102. #    define FOR55(v, e) for (v=0; v<25; v+= 5) { e; }

  103. #    define REPEAT24(e) {int _j=0; for (_j=0; _j<24; _j++) { e }}

  104. #endif

  105. 

  106. /*** The Keccak-f[1600] permutation ***/

  107. static void

  108. __attribute__((noinline))

  109. keccakf(kdomain_t state, uint8_t startRound) {

  110.     uint64_t* a = state->w;

  111.     uint64_t b[5] = {0}, t, u;

  112.     uint8_t x, y, i;

  113.     

  114.     for (i=0; i<25; i++) a[i] = le64toh(a[i]);

  115. 

  116.     for (i = startRound; i < 24; i++) {

  117.         FOR51(x, b[x] = 0; )

  118.         FOR55(y, FOR51(x, b[x] ^= a[x + y]; ))

  119.         FOR55(y, FOR51(x,

  120.             a[y + x] ^= b[(x + 4) % 5] ^ rol(b[(x + 1) % 5], 1);

  121.         ))

  122.         // Rho and pi

  123.         t = a[1];

  124.         x = y = 0;

  125.         REPEAT24(u = a[pi[x]]; y += x+1; a[pi[x]] = rol(t, y % 64); t = u; x++; )

  126.         // Chi

  127.         FOR55(y,

  128.              FOR51(x, b[x] = a[y + x];)

  129.              FOR51(x, a[y + x] = b[x] ^ ((~b[(x + 1) % 5]) & b[(x + 2) % 5]);)

  130.         )

  131.         // Iota

  132.         a[0] ^= RC[i];

  133.     }

  134. 

  135.     for (i=0; i<25; i++) a[i] = htole64(a[i]);

  136. }

  137. 

  138. static inline void dokeccak (keccak_sponge_t sponge) {

  139.     keccakf(sponge->state, sponge->params->startRound);

  140.     sponge->params->position = 0;

  141. }

  142. 

  143. void sha3_update (

  144.     struct keccak_sponge_s * __restrict__ sponge,

  145.     const uint8_t *in,

  146.     size_t len

  147. ) {

  148.     if (!len) return;

  149.     assert(sponge->params->position < sponge->params->rate);

  150.     assert(sponge->params->rate < sizeof(sponge->state));

  151.     assert(sponge->params->flags == FLAG_ABSORBING);

  152.     while (len) {

  153.         size_t cando = sponge->params->rate - sponge->params->position, i;

  154.         uint8_t* state = &sponge->state->b[sponge->params->position];

  155.         if (cando > len) {

  156.             for (i = 0; i < len; i += 1) state[i] ^= in[i];

  157.             sponge->params->position += len;

  158.             return;

  159.         } else {

  160.             for (i = 0; i < cando; i += 1) state[i] ^= in[i];

  161.             dokeccak(sponge);

  162.             len -= cando;

  163.             in += cando;

  164.         }

  165.     }

  166. }

  167. 

  168. void sha3_output (

  169.     keccak_sponge_t sponge,

  170.     uint8_t * __restrict__ out,

  171.     size_t len

  172. ) {

  173.     assert(sponge->params->position < sponge->params->rate);

  174.     assert(sponge->params->rate < sizeof(sponge->state));

  175.     

  176.     if (sponge->params->maxOut != 0xFF) {

  177.         assert(sponge->params->maxOut >= len);

  178.         sponge->params->maxOut -= len;

  179.     }

  180.     

  181.     switch (sponge->params->flags) {

  182.     case FLAG_SQUEEZING: break;

  183.     case FLAG_ABSORBING:

  184.         {

  185.             uint8_t* state = sponge->state->b;

  186.             state[sponge->params->position] ^= sponge->params->pad;

  187.             state[sponge->params->rate - 1] ^= sponge->params->ratePad;

  188.             dokeccak(sponge);

  189.             break;

  190.         }

  191.     default:

  192.         assert(0);

  193.     }

  194.     

  195.     while (len) {

  196.         size_t cando = sponge->params->rate - sponge->params->position;

  197.         uint8_t* state = &sponge->state->b[sponge->params->position];

  198.         if (cando > len) {

  199.             memcpy(out, state, len);

  200.             sponge->params->position += len;

  201.             return;

  202.         } else {

  203.             memcpy(out, state, cando);

  204.             dokeccak(sponge);

  205.             len -= cando;

  206.             out += cando;

  207.         }

  208.     }

  209. }

  210. 

  211. void sponge_destroy (keccak_sponge_t sponge) { decaf_bzero(sponge, sizeof(keccak_sponge_t)); }

  212. 

  213. void sponge_init (

  214.     keccak_sponge_t sponge,

  215.     const struct kparams_s *params

  216. ) {

  217.     memset(sponge->state, 0, sizeof(sponge->state));

  218.     sponge->params[0] = params[0];

  219. }

  220. 

  221. void sponge_hash (

  222.     const uint8_t *in,

  223.     size_t inlen,

  224.     uint8_t *out,

  225.     size_t outlen,

  226.     const struct kparams_s *params

  227. ) {

  228.     keccak_sponge_t sponge;

  229.     sponge_init(sponge, params);

  230.     sha3_update(sponge, in, inlen);

  231.     sha3_output(sponge, out, outlen);

  232.     sponge_destroy(sponge);

  233. }

  234. 

  235. #define DEFSHAKE(n) \

  236.     const struct kparams_s SHAKE##n##_params_s = \

  237.         { 0, FLAG_ABSORBING, 200-n/4, 0, 0x1f, 0x80, 0xFF, 0 };

  238.     

  239. #define DEFSHA3(n) \

  240.     const struct kparams_s SHA3_##n##_params_s = \

  241.         { 0, FLAG_ABSORBING, 200-n/4, 0, 0x06, 0x80, n/8, 0 };

  242. 

  243. size_t sponge_default_output_bytes (

  244.     const keccak_sponge_t s

  245. ) {

  246.     return (s->params->maxOut == 0xFF)

  247.         ? (200-s->params->rate)

  248.         : ((200-s->params->rate)/2);

  249. }

  250. 

  251. DEFSHAKE(128)

  252. DEFSHAKE(256)

  253. DEFSHA3(224)

  254. DEFSHA3(256)

  255. DEFSHA3(384)

  256. DEFSHA3(512)

  257. 

  258. /** Get entropy from a CPU, preferably in the form of RDRAND, but possibly instead from RDTSC. */

  259. static void get_cpu_entropy(uint8_t *entropy, size_t len) {

  260. # if (defined(__i386__) || defined(__x86_64__))

  261.     static char tested = 0, have_rdrand = 0;

  262.     if (!tested) {

  263.         u_int32_t a,b,c,d;

  264.         a=1; __asm__("cpuid" : "+a"(a), "=b"(b), "=c"(c), "=d"(d));

  265.         have_rdrand = (c>>30)&1;

  266.         tested = 1;

  267.     }

  268. 

  269.     if (have_rdrand) {

  270.         # if defined(__x86_64__)

  271.             uint64_t out, a=0, *eo = (uint64_t *)entropy;

  272.         # elif defined(__i386__)

  273.             uint32_t out, a=0, *eo = (uint64_t *)entropy;

  274.         #endif

  275.         len /= sizeof(out);

  276. 

  277.         uint32_t tries;

  278.         for (tries = 100+len; tries && len; len--, eo++) {

  279.             for (a = 0; tries && !a; tries--) {

  280.                 __asm__ __volatile__ ("rdrand %0\n\tsetc %%al" : "=r"(out), "+a"(a) :: "cc" );

  281.             }

  282.             *eo ^= out;

  283.         }

  284.     } else if (len>=8) {

  285.         uint64_t out;

  286.         __asm__ __volatile__ ("rdtsc" : "=A"(out));

  287.         *(uint64_t*) entropy ^= out;

  288.     }

  289. 

  290. #else

  291.     (void) entropy;

  292.     (void) len;

  293. #endif

  294. }

  295. 

  296. static const char *SPONGERNG_NAME = "strobe::spongerng";  /* TODO: canonicalize name */

  297. 

  298. void spongerng_next (

  299.     keccak_prng_t prng,

  300.     uint8_t * __restrict__ out,

  301.     size_t len

  302. ) {

  303.     keccak_sponge_s *sponge = prng->sponge;

  304.     if (sponge->params->client) {

  305.         /* nondet */

  306.         uint8_t cpu_entropy[32];

  307.         get_cpu_entropy(cpu_entropy, sizeof(cpu_entropy));

  308.         strobe_transact((keccak_strobe_s*)sponge,NULL,cpu_entropy,sizeof(cpu_entropy),STROBE_CW_PRNG_CPU_SEED);

  309.     }

  310.     

  311.     strobe_transact((keccak_strobe_s*)sponge,out,NULL,len,STROBE_CW_PRNG);

  312. }

  313. 

  314. void spongerng_stir (

  315.     keccak_prng_t sponge,

  316.     const uint8_t * __restrict__ in,

  317.     size_t len

  318. ) {

  319.     strobe_transact((keccak_strobe_s*)sponge,NULL,in,len,STROBE_CW_PRNG_USER_SEED);

  320. }

  321. 

  322. static const struct kparams_s spongerng_params = {

  323.     0, 0, 200-256/4, 0, 0x06, 0x80, 0xFF, 0

  324. };

  325. 

  326. void spongerng_init_from_buffer (

  327.     keccak_prng_t prng,

  328.     const uint8_t * __restrict__ in,

  329.     size_t len,

  330.     int deterministic

  331. ) {

  332.     keccak_sponge_s *sponge = prng->sponge;

  333.     strobe_init((keccak_strobe_s*)sponge, &spongerng_params, SPONGERNG_NAME, !deterministic);

  334.     spongerng_stir(prng, in, len);

  335. }

  336. 

  337. decaf_error_t spongerng_init_from_file (

  338.     keccak_prng_t prng,

  339.     const char *file,

  340.     size_t len,

  341.     int deterministic

  342. ) {

  343.     keccak_sponge_s *sponge = prng->sponge;

  344.     strobe_init((keccak_strobe_s*)sponge, &spongerng_params, SPONGERNG_NAME, !deterministic);

  345.     if (!len) return DECAF_FAILURE;

  346. 

  347.     int fd = open(file, O_RDONLY);

  348.     if (fd < 0) return DECAF_FAILURE;

  349.     

  350.     uint8_t buffer[128];

  351.     int first = 1;

  352.     while (len) {

  353.         ssize_t red = read(fd, buffer, (len > sizeof(buffer)) ? sizeof(buffer) : len);

  354.         if (red <= 0) {

  355.             close(fd);

  356.             return DECAF_FAILURE;

  357.         }

  358.         strobe_transact((keccak_strobe_s*)sponge,NULL,buffer,red,

  359.             first ? STROBE_CW_PRNG_USER_SEED : (STROBE_CW_PRNG_USER_SEED | STROBE_FLAG_MORE));

  360.         len -= red;

  361.         first = 0;

  362.     };

  363.     close(fd);

  364.     

  365.     return DECAF_SUCCESS;

  366. }

  367. 

  368. decaf_error_t spongerng_init_from_dev_urandom (

  369.     keccak_prng_t sponge

  370. ) {

  371.     return spongerng_init_from_file(sponge, "/dev/urandom", 64, 0);

  372. }

  373. 

  374. const struct kparams_s STROBE_128 = { 0, 0, 200-128/4, 0, 0, 0, 0, 0 };

  375. const struct kparams_s STROBE_256 = { 0, 0, 200-256/4, 0, 0, 0, 0, 0 };

  376. const struct kparams_s STROBE_KEYED_256 = { 0, 0, 200-256/4, 12, 0, 0, 0, 0 };

  377. const struct kparams_s STROBE_KEYED_128 = { 0, 0, 200-128/4, 12, 0, 0, 0, 0 };

  378. 

  379. /* Strobe is different in that its rate is padded by one byte. */

  380. void strobe_init(

  381.     keccak_strobe_t strobe,

  382.     const struct kparams_s *params,

  383.     const char *proto,

  384.     uint8_t am_client

  385. ) {

  386.     keccak_sponge_s *sponge = strobe->sponge;

  387.     sponge_init(sponge,params);

  388.     

  389.     const char *a_string = "STROBE full v0.2";

  390.     unsigned len = strlen(a_string);

  391.     memcpy (

  392.         &sponge->state->b[sizeof(sponge->state)-len],

  393.         a_string,

  394.         len

  395.     );

  396.         

  397.     strobe_transact(strobe,  NULL, (const unsigned char *)proto, strlen(proto), STROBE_CW_INIT);

  398.         

  399.     sponge->state->b[sponge->params->rate+1] = 1;

  400.     sponge->params->client = !!am_client;

  401. }

  402. 

  403. static const uint8_t EXCEEDED_RATE_PAD = 0x2;

  404. static __inline__ uint8_t CONTROL_WORD_PAD(int cw_size) {

  405.     assert(cw_size >= 0 && cw_size <= 31);

  406.     return 0xC0 | cw_size;

  407. }

  408. 

  409. /* PERF vectorize */

  410. static void strobe_duplex (

  411.     struct keccak_sponge_s *__restrict__ sponge,

  412.     unsigned char *out,

  413.     const unsigned char *in,

  414.     size_t len,

  415.     mode_t mode

  416. ) {

  417.     unsigned int j, r = sponge->params->rate, p = sponge->params->position;

  418.     uint8_t* __restrict__ state = &sponge->state->b[0];

  419.     

  420.     /* sanity */

  421.     assert(r < sizeof(sponge->state) && r >= p);

  422.     switch (mode) {

  423.     case STROBE_MODE_PLAINTEXT:

  424.         assert(in || len==0);

  425.         break;

  426.     case STROBE_MODE_ABSORB:

  427.     case STROBE_MODE_ABSORB_R:

  428.         assert((in||len==0) && !out);

  429.         break;

  430.     case STROBE_MODE_DUPLEX:

  431.     case STROBE_MODE_DUPLEX_R:

  432.         assert((in && out) || len==0);

  433.         break;

  434.     case STROBE_MODE_SQUEEZE:

  435.     case STROBE_MODE_SQUEEZE_R:

  436.         assert((out || len==0) && !in);

  437.         break;

  438.     case STROBE_MODE_FORGET:

  439.         assert(!in && !out);

  440.         break;

  441.     default:

  442.         assert(0);

  443.     }

  444.     

  445.     while(1) {

  446.         unsigned int cando = r - p;

  447.         unsigned int last = (cando >= len);

  448.         if (last) {

  449.             cando = len;

  450.         }

  451.         

  452.         switch (mode) {

  453.         case STROBE_MODE_PLAINTEXT:

  454.             for (j=0; j<cando; j++) state[p+j] ^= in[j];

  455.             if (out) {

  456.                 memcpy(out, in, cando);

  457.                 out += cando;

  458.             }

  459.             in += cando;

  460.             break;

  461.             

  462.         case STROBE_MODE_ABSORB:

  463.             for (j=0; j<cando; j++) state[p+j] ^= in[j];

  464.             in += cando;

  465.             break;

  466.             

  467.         case STROBE_MODE_ABSORB_R:

  468.             memcpy(state+p, in, cando);

  469.             in += cando;

  470.             break;

  471.         

  472.         case STROBE_MODE_SQUEEZE:

  473.             memcpy(out, state+p, cando);

  474.             out += cando;

  475.             break;

  476.         

  477.         case STROBE_MODE_SQUEEZE_R:

  478.             memcpy(out, state+p, cando);

  479.             out += cando;

  480.             memset(state+p, 0, cando);

  481.             break;

  482.             

  483.         case STROBE_MODE_FORGET:

  484.             memset(state+p, 0, cando);

  485.             break;

  486.         

  487.         case STROBE_MODE_DUPLEX:

  488.             for (j=0; j<cando; j++) {

  489.                 state[p+j] ^= in[j];

  490.                 out[j] = state[p+j];

  491.             }

  492.             in += cando;

  493.             out += cando;

  494.             break;

  495.         

  496.         case STROBE_MODE_DUPLEX_R:

  497.             for (j=0; j<cando; j++) {

  498.                 unsigned char c = in[j];

  499.                 out[j] = c ^ state[p+j];

  500.                 state[p+j] = c;

  501.             }

  502.             in += cando;

  503.             out += cando;

  504.             break;

  505. 

  506.         default:

  507.             assert(0);

  508.         };

  509.         

  510.         if (last) {

  511.             sponge->params->position = p+len;

  512.             return;

  513.         } else {

  514.             state[r] ^= EXCEEDED_RATE_PAD;

  515.             keccakf(sponge->state, sponge->params->startRound);

  516.             len -= cando;

  517.             p = 0;

  518.         }

  519.     }

  520. }

  521. 

  522. static inline mode_t get_mode ( uint32_t cw_flags ) {

  523.     return (mode_t)((cw_flags >> 29) & 7);

  524. }

  525. 

  526. static const int STROBE_FORGET_BYTES = 32;

  527. 

  528. static const uint8_t FLAG_NOPARSE = 1;

  529. 

  530. void strobe_transact (

  531.     keccak_strobe_t strobe,

  532.     unsigned char *out,

  533.     const unsigned char *in,

  534.     size_t len,

  535.     uint32_t cw_flags

  536. ) {

  537.     keccak_sponge_s *sponge = strobe->sponge;

  538.     if ( (cw_flags & STROBE_FLAG_NONDIR) == 0

  539.         /* extraneous nots to change ints to bools :-/ */

  540.         && !(cw_flags & STROBE_FLAG_RECV) != !(sponge->params->client) ) {

  541.         cw_flags ^= STROBE_FLAG_CLIENT_SENT;

  542.     }

  543.     

  544.     uint64_t my_len = len, len_cw = (cw_flags & STROBE_FLAG_LENGTH_64) ? 10 : 4;

  545.     if (cw_flags & STROBE_FLAG_NO_LENGTH) {

  546.         my_len = 0;

  547.     } else if ((cw_flags & STROBE_FLAG_LENGTH_64)==0) {

  548.         assert(my_len < 1<<16);

  549.     }

  550.     

  551.     if (cw_flags & STROBE_FLAG_MORE) {

  552.         assert(cw_flags & STROBE_FLAG_NO_LENGTH); /* FUTURE */

  553.     } else {

  554.         uint8_t cwb[10] = {

  555.             cw_flags,

  556.             cw_flags>>8,

  557.             my_len,

  558.             my_len>>8,

  559.             my_len>>16,

  560.             my_len>>24,

  561.             my_len>>32,

  562.             my_len>>40,

  563.             my_len>>48,

  564.             my_len>>56

  565.         };

  566.         strobe_duplex(sponge, NULL, cwb, len_cw, STROBE_MODE_ABSORB_R);

  567.         if ((cw_flags & STROBE_FLAG_RUN_F) || (sponge->params->flags & FLAG_NOPARSE)) {

  568.             sponge->state->b[sponge->params->position] ^= CONTROL_WORD_PAD(len_cw);

  569.             dokeccak(sponge);

  570.         }

  571. 

  572.         sponge->params->flags &= ~FLAG_NOPARSE;

  573.         if (cw_flags & STROBE_FLAG_NO_LENGTH) {

  574.             sponge->params->flags |= FLAG_NOPARSE;

  575.         }

  576.     }

  577.         

  578.     strobe_duplex(sponge, out, in, len, get_mode(cw_flags));

  579.     if (cw_flags & STROBE_FLAG_FORGET) {

  580.         

  581.         uint32_t len = sponge->params->rate - sponge->params->position;

  582.         if (len < STROBE_FORGET_BYTES + len_cw) len += sponge->params->rate;

  583.         len -= len_cw; /* HACK */

  584.         

  585.         if (cw_flags & STROBE_FLAG_NO_LENGTH) len = 2*STROBE_FORGET_BYTES;

  586.         assert(!(cw_flags & STROBE_FLAG_MORE));

  587.         

  588.         strobe_duplex(

  589.             sponge, NULL, NULL, len,

  590.             STROBE_MODE_FORGET

  591.         );

  592.     }

  593. }

  594. 

  595. decaf_error_t strobe_verify_auth (

  596.     keccak_strobe_t strobe,

  597.     const unsigned char *in,

  598.     uint16_t len

  599. ) {

  600.     keccak_sponge_s *sponge = strobe->sponge;

  601.     if (len > sponge->params->rate) return DECAF_FAILURE;

  602.     strobe_transact(strobe, NULL, in, len, strobe_cw_recv(STROBE_CW_MAC));

  603.     

  604.     int32_t residue = 0;

  605.     int i;

  606.     for (i=0; i<len; i++) {

  607.         residue |= sponge->state->b[i];

  608.     }

  609.     

  610.     return decaf_succeed_if((residue-1)>>8);

  611. }

  612. 

  613. void strobe_respec (

  614.     keccak_strobe_t strobe,

  615.     const struct kparams_s *params

  616. ) {

  617.     keccak_sponge_s *sponge = strobe->sponge;

  618.     uint8_t in[] = { params->rate, params->startRound };

  619.     strobe_transact( strobe, NULL, in, sizeof(in), STROBE_CW_RESPEC_INFO );

  620.     strobe_transact( strobe, NULL, NULL, 0, STROBE_CW_RESPEC );

  621.     assert(sponge->params->position == 0);

  622.     sponge->params->rate = params->rate;

  623.     sponge->params->startRound = params->startRound;

  624. }

  625. 

  626. /* FUTURE: Keyak instances, etc */