jmg
/
ed448goldilocks
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
182 Commits
2 Branches
1.6 MiB
 
 
 
 
 
Tree: a1d33e0b6a
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'a1d33e0b6a'
${ noResults }
ed448goldilocks/include/shake.hxx

371 lines
12 KiB
Raw Blame History 

  1. /**

  2.  * @file shake.hxx

  3.  * @copyright

  4.  *   Based on CC0 code by David Leon Gil, 2015 \n

  5.  *   Copyright (c) 2015 Cryptography Research, Inc.  \n

  6.  *   Released under the MIT License.  See LICENSE.txt for license information.

  7.  * @author Mike Hamburg

  8.  * @brief SHA-3-n and SHAKE-n instances, C++ wrapper.

  9.  * @warning EXPERIMENTAL!  The names, parameter orders etc are likely to change.

  10.  */

  11. 

  12. #ifndef __SHAKE_HXX__

  13. #define __SHAKE_HXX__

  14. 

  15. #include "shake.h"

  16. #include <string>

  17. #include <sys/types.h>

  18. 

  19. /** @cond internal */

  20. #if __cplusplus >= 201103L

  21. #define DELETE = delete

  22. #define NOEXCEPT noexcept

  23. #define EXPLICIT_CON explicit

  24. #define GET_DATA(str) ((const unsigned char *)&(str)[0])

  25. #else

  26. #define DELETE

  27. #define NOEXCEPT throw()

  28. #define EXPLICIT_CON

  29. #define GET_DATA(str) ((const unsigned char *)((str).data()))

  30. #endif

  31. /** @endcond */

  32. 

  33. namespace decaf {

  34. 

  35. /** A Keccak sponge internal class */

  36. class KeccakSponge {

  37. protected:

  38.     /** The C-wrapper sponge state */

  39.     keccak_sponge_t sp;

  40. 

  41.     /** Initialize from parameters */

  42.     inline KeccakSponge(const struct kparams_s *params) NOEXCEPT { sponge_init(sp, params); }

  43.     

  44.     /** No initialization */

  45.     inline KeccakSponge(const NOINIT &) NOEXCEPT { }

  46. 

  47. public:

  48.     /** Destructor zeroizes state */

  49.     inline ~KeccakSponge() NOEXCEPT { sponge_destroy(sp); }

  50. };

  51. 

  52. /**

  53.  * Hash function derived from Keccak

  54.  * @todo throw exceptions when hash is misused.

  55.  */

  56. class KeccakHash : public KeccakSponge {

  57. protected:

  58.     /** Initialize from parameters */

  59.     inline KeccakHash(const kparams_s *params) NOEXCEPT : KeccakSponge(params) {}

  60.     

  61. public:

  62.     /** Add more data to running hash */

  63.     inline void update(const uint8_t *__restrict__ in, size_t len) { sha3_update(sp,in,len); }

  64. 

  65.     /** Add more data to running hash, C++ version. */

  66.     inline void update(const Block &s) { sha3_update(sp,s.data(),s.size()); }

  67.     

  68.     /** Add more data, stream version. */

  69.     inline KeccakHash &operator<<(const Block &s) { update(s); return *this; }

  70.     

  71.     /** Same as <<. */

  72.     inline KeccakHash &operator+=(const Block &s) { return *this << s; }

  73.     

  74.     /**

  75.      * @brief Output bytes from the sponge.

  76.      * @todo make this throw exceptions.

  77.      */

  78.     inline void output(TmpBuffer b) { sha3_output(sp,b.data(),b.size()); }

  79.     

  80.     /**

  81.      * @brief Output bytes from the sponge.

  82.      * @todo make this throw exceptions.

  83.      */

  84.     inline void output(Buffer &b) { sha3_output(sp,b.data(),b.size()); }

  85.     

  86.     /** @brief Output bytes from the sponge. */

  87.     inline SecureBuffer output(size_t len) {

  88.         SecureBuffer buffer(len);

  89.         sha3_output(sp,buffer,len);

  90.         return buffer;

  91.     }

  92.     

  93.     /** @brief Return the sponge's default output size. */

  94.     inline size_t default_output_size() const NOEXCEPT {

  95.         return sponge_default_output_bytes(sp);

  96.     }

  97.     

  98.     /** Output the default number of bytes. */

  99.     inline SecureBuffer output() {

  100.         return output(default_output_size());

  101.     }

  102. };

  103. 

  104. /** Fixed-output-length SHA3 */

  105. template<int bits> class SHA3 : public KeccakHash {

  106. private:

  107.     /** Get the parameter template block for this hash */

  108.     static inline const struct kparams_s *get_params();

  109. public:

  110.     /** Initializer */

  111.     inline SHA3() NOEXCEPT : KeccakHash(get_params()) {}

  112. 

  113.     /** Reset the hash to the empty string */

  114.     inline void reset() NOEXCEPT { sponge_init(sp, get_params()); }

  115. };

  116. 

  117. /** Variable-output-length SHAKE */

  118. template<int bits>

  119. class SHAKE : public KeccakHash {

  120. private:

  121.     /** Get the parameter template block for this hash */

  122.     static inline const struct kparams_s *get_params();

  123. public:

  124.     /** Initializer */

  125.     inline SHAKE() NOEXCEPT : KeccakHash(get_params()) {}

  126. 

  127.     /** Reset the hash to the empty string */

  128.     inline void reset() NOEXCEPT { sponge_init(sp, get_params()); }

  129. };

  130. 

  131. /** @cond internal */

  132. template<> inline const struct kparams_s *SHAKE<128>::get_params() { return &SHAKE128_params_s; }

  133. template<> inline const struct kparams_s *SHAKE<256>::get_params() { return &SHAKE256_params_s; }

  134. template<> inline const struct kparams_s *SHA3<224>::get_params() { return &SHA3_224_params_s; }

  135. template<> inline const struct kparams_s *SHA3<256>::get_params() { return &SHA3_256_params_s; }

  136. template<> inline const struct kparams_s *SHA3<384>::get_params() { return &SHA3_384_params_s; }

  137. template<> inline const struct kparams_s *SHA3<512>::get_params() { return &SHA3_512_params_s; }

  138. /** @endcond */

  139. 

  140. /** @brief An exception for misused protocol, eg encrypt with no key. */

  141. class ProtocolException : public std::exception {

  142. public:

  143.     /** @return "ProtocolException" */

  144.     virtual const char * what() const NOEXCEPT { return "ProtocolException"; }

  145. };

  146.     

  147. /** Sponge-based random-number generator */

  148. class SpongeRng : private KeccakSponge {

  149. public:

  150.     class RngException : public std::exception {

  151.     private:

  152.         const char *const what_;

  153.     public:

  154.         const int err_code;

  155.         const char *what() const NOEXCEPT { return what_; }

  156.         RngException(int err_code, const char *what_) NOEXCEPT : what_(what_), err_code(err_code) {}

  157.     };

  158.     

  159.     /** Initialize, deterministically by default, from block */

  160.     inline SpongeRng( const Block &in, bool deterministic = true )

  161.     : KeccakSponge((NOINIT())) {

  162.         spongerng_init_from_buffer(sp,in.data(),in.size(),deterministic);

  163.     }

  164.     

  165.     /** Initialize, non-deterministically by default, from C/C++ filename */

  166.     inline SpongeRng( const std::string &in = "/dev/urandom", size_t len = 32, bool deterministic = false )

  167.         throw(RngException)

  168.     : KeccakSponge((NOINIT())) {

  169.         int ret = spongerng_init_from_file(sp,in.c_str(),len,deterministic);

  170.         if (ret) {

  171.             throw RngException(ret, "Couldn't load from file");

  172.         }

  173.     }

  174.     

  175.     /** Read data to a buffer. */

  176.     inline void read(Buffer &buffer) NOEXCEPT { spongerng_next(sp,buffer.data(),buffer.size()); }

  177.     

  178.     /** Read data to a buffer. */

  179.     inline void read(TmpBuffer buffer) NOEXCEPT { read((Buffer &)buffer); }

  180.     

  181.     /** Read data to a C++ string 

  182.      * @warning TODO Future versions of this function may throw RngException if a

  183.      * nondeterministic RNG fails a reseed.

  184.      */

  185.     inline SecureBuffer read(size_t length) throw(std::bad_alloc) {

  186.         SecureBuffer out(length); read(out); return out;

  187.     }

  188.     

  189. private:

  190.     SpongeRng(const SpongeRng &) DELETE;

  191.     SpongeRng &operator=(const SpongeRng &) DELETE;

  192. };

  193. 

  194. /**@cond internal*/

  195. inline Ed448::Scalar::Scalar(SpongeRng &rng) NOEXCEPT {

  196.     *this = rng.read(SER_BYTES);

  197. }

  198. 

  199. inline Ed448::Point::Point(SpongeRng &rng, bool uniform) NOEXCEPT {

  200.     SecureBuffer buffer((uniform ? 2 : 1) * HASH_BYTES);

  201.     rng.read(buffer);

  202.     set_to_hash(buffer);

  203. }

  204. /**@endcond*/

  205. 

  206. class Strobe : private KeccakSponge {

  207. public:

  208.     /* TODO: pull out parameters */

  209.     

  210.     /** Am I a server or a client? */

  211.     enum client_or_server { SERVER, CLIENT };

  212.     

  213.     inline Strobe (

  214.         client_or_server whoami,

  215.         const kparams_s &params = STROBE_256

  216.     ) NOEXCEPT : KeccakSponge(NOINIT()) {

  217.         strobe_init(sp, &params, whoami == CLIENT);

  218.     }

  219. 

  220.     inline void key (

  221.         const Block &data, bool more = false

  222.     ) throw(ProtocolException) {

  223.         if (!strobe_key(sp, data, data.size(), more)) throw ProtocolException();

  224.     }

  225. 

  226.     inline void nonce(const Block &data, bool more = false

  227.     ) throw(ProtocolException) {

  228.         if (!strobe_nonce(sp, data, data.size(), more)) throw ProtocolException();

  229.     }

  230. 

  231.     inline void send_plaintext(const Block &data, bool more = false

  232.     ) throw(ProtocolException) {

  233.         if (!strobe_plaintext(sp, data, data.size(), true, more))

  234.             throw(ProtocolException());

  235.     }

  236. 

  237.     inline void recv_plaintext(const Block &data, bool more = false

  238.     ) throw(ProtocolException) {

  239.         if (!strobe_plaintext(sp, data, data.size(), false, more))

  240.             throw(ProtocolException());

  241.     }

  242. 

  243.     inline void ad(const Block &data, bool more = false

  244.     ) throw(ProtocolException) {

  245.         if (!strobe_ad(sp, data, data.size(), more))

  246.             throw(ProtocolException());

  247.     }

  248.     

  249.     inline void encrypt_no_auth(

  250.         Buffer &out, const Block &data, bool more = false

  251.     ) throw(LengthException,ProtocolException) {

  252.         if (out.size() != data.size()) throw LengthException();

  253.         if (!strobe_encrypt(sp, out, data, data.size(), more)) throw(ProtocolException());

  254.     }

  255.     

  256.     inline void encrypt_no_auth(

  257.         TmpBuffer out, const Block &data, bool more = false

  258.     ) throw(LengthException,ProtocolException) {

  259.         encrypt_no_auth((Buffer &)out, data, more);

  260.     }

  261.     

  262.     inline SecureBuffer encrypt_no_auth(const Block &data, bool more = false

  263.     ) throw(ProtocolException) {

  264.         SecureBuffer out(data.size()); encrypt_no_auth(out, data, more); return out;

  265.     }

  266.     

  267.     inline void decrypt_no_auth(

  268.         Buffer &out, const Block &data, bool more = false

  269.     ) throw(LengthException,ProtocolException) {

  270.         if (out.size() != data.size()) throw LengthException();

  271.         if (!strobe_decrypt(sp, out, data, data.size(), more)) throw ProtocolException();

  272.     }

  273.     

  274.     inline void decrypt_no_auth(

  275.         TmpBuffer out, const Block &data, bool more = false

  276.     ) throw(LengthException,ProtocolException) {

  277.         decrypt_no_auth((Buffer &)out, data, more);

  278.     }

  279.     

  280.     inline SecureBuffer decrypt_no_auth(const Block &data, bool more = false

  281.     ) throw(ProtocolException) {

  282.         SecureBuffer out(data.size()); decrypt_no_auth(out, data, more); return out;

  283.     }

  284.     

  285.     inline void produce_auth(Buffer &out) throw(LengthException,ProtocolException) {

  286.         if (out.size() > STROBE_MAX_AUTH_BYTES) throw LengthException();

  287.         if (!strobe_produce_auth(sp, out, out.size())) throw ProtocolException();

  288.     }

  289.     

  290.     inline void produce_auth(TmpBuffer out) throw(LengthException,ProtocolException) {

  291.         produce_auth((Buffer &)out);

  292.     }

  293.     

  294.     inline SecureBuffer produce_auth(

  295.         uint8_t bytes = 8

  296.     ) throw(ProtocolException) {

  297.         SecureBuffer out(bytes); produce_auth(out); return out;

  298.     }

  299.     

  300.     inline void encrypt(

  301.         Buffer &out, const Block &data, uint8_t auth = 8

  302.     ) throw(LengthException,ProtocolException) {

  303.         if (out.size() < data.size() || out.size() != data.size() + auth) throw LengthException();

  304.         encrypt_no_auth(out.slice(0,data.size()), data);

  305.         produce_auth(out.slice(data.size(),auth));

  306.     }

  307.     

  308.     inline void encrypt (

  309.         TmpBuffer out, const Block &data, uint8_t auth = 8

  310.     ) throw(LengthException,ProtocolException) {

  311.         encrypt((Buffer &)out, data, auth);

  312.     }

  313.     

  314.     inline SecureBuffer encrypt (

  315.         const Block &data, uint8_t auth = 8

  316.     ) throw(LengthException,ProtocolException,std::bad_alloc ){

  317.         SecureBuffer out(data.size() + auth); encrypt(out, data, auth); return out;

  318.     }

  319.     

  320.     inline void decrypt (

  321.         Buffer &out, const Block &data, uint8_t bytes = 8

  322.     ) throw(LengthException, CryptoException, ProtocolException) {

  323.         if (out.size() > data.size() || out.size() != data.size() - bytes) throw LengthException();

  324.         decrypt_no_auth(out, data.slice(0,out.size()));

  325.         verify_auth(data.slice(out.size(),bytes));

  326.     }

  327.     

  328.     inline void decrypt (

  329.         TmpBuffer out, const Block &data, uint8_t bytes = 8

  330.     ) throw(LengthException,CryptoException,ProtocolException) {

  331.         decrypt((Buffer &)out, data, bytes);

  332.     }

  333.     

  334.     inline SecureBuffer decrypt (

  335.         const Block &data, uint8_t bytes = 8

  336.     ) throw(LengthException,CryptoException,ProtocolException,std::bad_alloc) {

  337.         if (data.size() < bytes) throw LengthException();

  338.         SecureBuffer out(data.size() - bytes); decrypt(out, data, bytes); return out;

  339.     }

  340.     

  341.     inline void verify_auth(const Block &auth) throw(LengthException,CryptoException) {

  342.         if (auth.size() == 0 || auth.size() > STROBE_MAX_AUTH_BYTES) throw LengthException();

  343.         if (!strobe_verify_auth(sp, auth, auth.size())) throw CryptoException();

  344.     }

  345.     

  346.     inline void prng(Buffer &out, bool more = false) NOEXCEPT {

  347.         (void)strobe_prng(sp, out, out.size(), more);

  348.     }

  349.     

  350.     inline void prng(TmpBuffer out, bool more = false) NOEXCEPT {

  351.         prng((Buffer &)out, more);

  352.     }

  353.     

  354.     inline SecureBuffer prng(size_t bytes, bool more = false) {

  355.         SecureBuffer out(bytes); prng(out, more); return out;

  356.     }

  357.     

  358.     inline void respec(const kparams_s &params) throw(ProtocolException) {

  359.         if (!strobe_respec(sp, &params)) throw(ProtocolException());

  360.     }

  361. };

  362.   

  363. } /* namespace decaf */

  364. 

  365. #undef NOEXCEPT

  366. #undef EXPLICIT_CON

  367. #undef GET_DATA

  368. #undef DELETE

  369. 

  370. #endif /* __SHAKE_HXX__ */