jmg
/
ed448goldilocks
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
271 Commits
2 Branches
1.6 MiB
 
 
 
 
 
Tree: b5a2757f21
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'b5a2757f21'
${ noResults }
ed448goldilocks/src/public_include/decaf/shake.h

588 lines
19 KiB
Raw Blame History 

  1. /**

  2.  * @file decaf/shake.h

  3.  * @copyright

  4.  *   Based on CC0 code by David Leon Gil, 2015 \n

  5.  *   Copyright (c) 2015 Cryptography Research, Inc.  \n

  6.  *   Released under the MIT License.  See LICENSE.txt for license information.

  7.  * @author Mike Hamburg

  8.  * @brief SHA-3-n and SHAKE-n instances.

  9.  * @warning EXPERIMENTAL!  The names, parameter orders etc are likely to change.

  10.  */

  11. 

  12. #ifndef __SHAKE_H__

  13. #define __SHAKE_H__

  14. 

  15. #include <stdint.h>

  16. #include <sys/types.h>

  17. #include <stdlib.h> /* for NULL */

  18. 

  19. #include <decaf/common.h>

  20. 

  21. /** @cond internal */

  22. #define API_VIS __attribute__((visibility("default")))

  23. #define WARN_UNUSED __attribute__((warn_unused_result))

  24. #define NONNULL1 __attribute__((nonnull(1)))

  25. #define NONNULL2 __attribute__((nonnull(1,2)))

  26. #define NONNULL13 __attribute__((nonnull(1,3)))

  27. #define NONNULL3 __attribute__((nonnull(1,2,3)))

  28. #define INLINE __inline__ __attribute__((always_inline))

  29. #define UNUSED __attribute__((unused))

  30. /** @endcond */

  31. 

  32. #ifndef INTERNAL_SPONGE_STRUCT

  33.     /** Sponge container object for the various primitives. */

  34.     typedef struct keccak_sponge_s {

  35.         /** @cond internal */

  36.         uint64_t opaque[26];

  37.         /** @endcond */

  38.     } keccak_sponge_t[1];

  39.     struct kparams_s;

  40. #endif

  41. typedef struct keccak_sponge_s keccak_strobe_t[1], keccak_prng_t[1];

  42. 

  43. #ifdef __cplusplus

  44. extern "C" {

  45. #endif

  46. 

  47. /**

  48.  * @brief Initialize a sponge context object.

  49.  * @param [out] sponge The object to initialize.

  50.  * @param [in] params The sponge's parameter description.

  51.  */

  52. void sponge_init (

  53.     keccak_sponge_t sponge,

  54.     const struct kparams_s *params

  55. ) API_VIS;

  56. 

  57. /**

  58.  * @brief Absorb data into a SHA3 or SHAKE hash context.

  59.  * @param [inout] sponge The context.

  60.  * @param [in] in The input data.

  61.  * @param [in] len The input data's length in bytes.

  62.  */

  63. void sha3_update (

  64.     struct keccak_sponge_s * __restrict__ sponge,

  65.     const uint8_t *in,

  66.     size_t len

  67. ) API_VIS;

  68. 

  69. /**

  70.  * @brief Squeeze output data from a SHA3 or SHAKE hash context.

  71.  * This does not destroy or re-initialize the hash context, and

  72.  * sha3 output can be called more times.

  73.  *

  74.  * @param [inout] sponge The context.

  75.  * @param [out] out The output data.

  76.  * @param [in] len The requested output data length in bytes.

  77.  */  

  78. void sha3_output (

  79.     keccak_sponge_t sponge,

  80.     uint8_t * __restrict__ out,

  81.     size_t len

  82. ) API_VIS;

  83. 

  84. /**

  85.  * @brief Return the default output length of the sponge construction,

  86.  * for the purpose of C++ default operators.

  87.  *

  88.  * Returns n/8 for SHA3-n and 2n/8 for SHAKE-n.

  89.  *

  90.  * @param [inout] sponge The context.

  91.  */  

  92. size_t sponge_default_output_bytes (

  93.     const keccak_sponge_t sponge

  94. ) API_VIS;

  95. 

  96. /**

  97.  * @brief Destroy a SHA3 or SHAKE sponge context by overwriting it with 0.

  98.  * @param [out] sponge The context.

  99.  */  

  100. void sponge_destroy (

  101.     keccak_sponge_t sponge

  102. ) API_VIS;

  103. 

  104. /**

  105.  * @brief Hash (in) to (out)

  106.  * @param [in] in The input data.

  107.  * @param [in] inlen The length of the input data.

  108.  * @param [out] out A buffer for the output data.

  109.  * @param [in] outlen The length of the output data.

  110.  * @param [in] params The parameters of the sponge hash.

  111.  */  

  112. void sponge_hash (

  113.     const uint8_t *in,

  114.     size_t inlen,

  115.     uint8_t *out,

  116.     size_t outlen,

  117.     const struct kparams_s *params

  118. ) API_VIS;

  119. 

  120. /* FUTURE: expand/doxygenate individual SHAKE/SHA3 instances? */

  121. 

  122. /** @cond internal */

  123. #define DECSHAKE(n) \

  124.     extern const struct kparams_s SHAKE##n##_params_s API_VIS; \

  125.     typedef struct shake##n##_ctx_s { keccak_sponge_t s; } shake##n##_ctx_t[1]; \

  126.     static inline void NONNULL1 shake##n##_init(shake##n##_ctx_t sponge) { \

  127.         sponge_init(sponge->s, &SHAKE##n##_params_s); \

  128.     } \

  129.     static inline void NONNULL1 shake##n##_gen_init(keccak_sponge_t sponge) { \

  130.         sponge_init(sponge, &SHAKE##n##_params_s); \

  131.     } \

  132.     static inline void NONNULL2 shake##n##_update(shake##n##_ctx_t sponge, const uint8_t *in, size_t inlen ) { \

  133.         sha3_update(sponge->s, in, inlen); \

  134.     } \

  135.     static inline void  NONNULL2 shake##n##_final(shake##n##_ctx_t sponge, uint8_t *out, size_t outlen ) { \

  136.         sha3_output(sponge->s, out, outlen); \

  137.         sponge_init(sponge->s, &SHAKE##n##_params_s); \

  138.     } \

  139.     static inline void  NONNULL13 shake##n##_hash(uint8_t *out, size_t outlen, const uint8_t *in, size_t inlen) { \

  140.         sponge_hash(in,inlen,out,outlen,&SHAKE##n##_params_s); \

  141.     } \

  142.     static inline void  NONNULL1 shake##n##_destroy( shake##n##_ctx_t sponge ) { \

  143.         sponge_destroy(sponge->s); \

  144.     }

  145.     

  146. #define DECSHA3(n) \

  147.     extern const struct kparams_s SHA3_##n##_params_s API_VIS; \

  148.     typedef struct sha3_##n##_ctx_s { keccak_sponge_t s; } sha3_##n##_ctx_t[1]; \

  149.     static inline void NONNULL1 sha3_##n##_init(sha3_##n##_ctx_t sponge) { \

  150.         sponge_init(sponge->s, &SHA3_##n##_params_s); \

  151.     } \

  152.     static inline void NONNULL1 sha3_##n##_gen_init(keccak_sponge_t sponge) { \

  153.         sponge_init(sponge, &SHA3_##n##_params_s); \

  154.     } \

  155.     static inline void NONNULL2 sha3_##n##_update(sha3_##n##_ctx_t sponge, const uint8_t *in, size_t inlen ) { \

  156.         sha3_update(sponge->s, in, inlen); \

  157.     } \

  158.     static inline void NONNULL2 sha3_##n##_final(sha3_##n##_ctx_t sponge, uint8_t *out, size_t outlen ) { \

  159.         sha3_output(sponge->s, out, outlen); \

  160.         sponge_init(sponge->s, &SHA3_##n##_params_s); \

  161.     } \

  162.     static inline void NONNULL13 sha3_##n##_hash(uint8_t *out, size_t outlen, const uint8_t *in, size_t inlen) { \

  163.         sponge_hash(in,inlen,out,outlen,&SHA3_##n##_params_s); \

  164.     } \

  165.     static inline void NONNULL1 sha3_##n##_destroy(sha3_##n##_ctx_t sponge) { \

  166.         sponge_destroy(sponge->s); \

  167.     }

  168. /** @endcond */

  169. 

  170. DECSHAKE(128)

  171. DECSHAKE(256)

  172. DECSHA3(224)

  173. DECSHA3(256)

  174. DECSHA3(384)

  175. DECSHA3(512)

  176. 

  177. /**

  178.  * @brief Initialize a sponge-based CSPRNG from a buffer.

  179.  *

  180.  * @param [out] prng The prng object.

  181.  * @param [in] in The initial data.

  182.  * @param [in] len The length of the initial data.

  183.  * @param [in] deterministic If zero, allow RNG to stir in nondeterministic

  184.  * data from RDRAND or RDTSC.

  185.  */

  186. void spongerng_init_from_buffer (

  187.     keccak_prng_t prng,

  188.     const uint8_t * __restrict__ in,

  189.     size_t len,

  190.     int deterministic

  191. ) NONNULL2 API_VIS;

  192. /**

  193.  * @brief Initialize a sponge-based CSPRNG from a file.

  194.  *

  195.  * @param [out] prng The prng object.

  196.  * @param [in] file A name of a file containing initial data.

  197.  * @param [in] len The length of the initial data.  Must be positive.

  198.  * @param [in] deterministic If zero, allow RNG to stir in nondeterministic

  199.  * data from RDRAND or RDTSC.

  200.  *

  201.  * @retval DECAF_SUCCESS success.

  202.  * @retval DECAF_FAILURE failure.

  203.  * @note On failure, errno can be used to determine the cause.

  204.  */

  205. decaf_error_t spongerng_init_from_file (

  206.     keccak_prng_t prng,

  207.     const char *file,

  208.     size_t len,

  209.     int deterministic

  210. ) NONNULL2 API_VIS WARN_UNUSED;

  211. 

  212. /**

  213.  * @brief Initialize a nondeterministic sponge-based CSPRNG from /dev/urandom.

  214.  *

  215.  * @param [out] sponge The sponge object.

  216.  *

  217.  * @retval DECAF_SUCCESS success.

  218.  * @retval DECAF_FAILURE failure.

  219.  * @note On failure, errno can be used to determine the cause.

  220.  */

  221. decaf_error_t spongerng_init_from_dev_urandom (

  222.     keccak_prng_t prng

  223. ) API_VIS WARN_UNUSED;

  224. 

  225. /**

  226.  * @brief Output bytes from a sponge-based CSPRNG.

  227.  *

  228.  * @param [inout] sponge The sponge object.

  229.  * @param [out] out The output buffer.

  230.  * @param [in] len The output buffer's length.

  231.  */

  232. void spongerng_next (

  233.     keccak_prng_t prng,

  234.     uint8_t * __restrict__ out,

  235.     size_t len

  236. ) API_VIS;

  237. 

  238. /**

  239.  * @brief Stir entropy data into a sponge-based CSPRNG from a buffer.

  240.  *

  241.  * @param [out] sponge The sponge object.

  242.  * @param [in] in The entropy data.

  243.  * @param [in] len The length of the initial data.

  244.  */

  245. void spongerng_stir (

  246.     keccak_prng_t prng,

  247.     const uint8_t * __restrict__ in,

  248.     size_t len

  249. ) NONNULL2 API_VIS;

  250. 

  251. extern const struct kparams_s STROBE_128 API_VIS;

  252. extern const struct kparams_s STROBE_256 API_VIS;

  253. extern const struct kparams_s STROBE_KEYED_128 API_VIS;

  254. extern const struct kparams_s STROBE_KEYED_256 API_VIS;

  255. 

  256. typedef enum {

  257.     STROBE_MODE_ABSORB    = 0,

  258.     STROBE_MODE_DUPLEX    = 1,

  259.     STROBE_MODE_ABSORB_R  = 2,

  260.     STROBE_MODE_DUPLEX_R  = 3,

  261.     /* FIXME: no bits allocated in .py version */

  262.     STROBE_MODE_PLAINTEXT = 4,

  263.     STROBE_MODE_SQUEEZE   = 5, 

  264.     STROBE_MODE_FORGET    = 6,

  265.     STROBE_MODE_SQUEEZE_R = 7

  266. } strobe_mode_t;

  267. 

  268. #define STROBE_FLAG_CLIENT_SENT (1<<8)

  269. #define STROBE_FLAG_IMPLICIT    (1<<9)

  270. #define STROBE_FLAG_FORGET      (1<<12)

  271. #define STROBE_FLAG_NO_LENGTH   (1<<15)

  272. 

  273. /* After 1<<16, flags don't go to the sponge anymore, they just affect the handling */

  274. #define STROBE_FLAG_RECV        (1<<16)

  275. #define STROBE_FLAG_RUN_F       (1<<17)

  276. #define STROBE_FLAG_MORE        (1<<18)

  277. #define STROBE_FLAG_LENGTH_64   (1<<19)

  278. #define STROBE_FLAG_NONDIR      (STROBE_FLAG_IMPLICIT)

  279. 

  280. /** Automatic flags implied by the mode */

  281. /* HACK: SQUEEZE_R is treated as directional because its' MAC */

  282. #define STROBE_AUTO_FLAGS(_mode)                           \

  283.     (     (((_mode)&1) ? STROBE_FLAG_RUN_F : 0)            \

  284.         | (( ((_mode) & ~2) == STROBE_MODE_ABSORB          \

  285.           ||  (_mode)       == STROBE_MODE_SQUEEZE         \

  286.           ||  (_mode)       == STROBE_MODE_FORGET          \

  287.           ) ? STROBE_FLAG_IMPLICIT|STROBE_FLAG_NONDIR : 0) \

  288.     )

  289. 

  290. #define STROBE_CONTROL_WORD(_name,_id,_mode,_flags) \

  291.     static const uint32_t _name = _id | (_mode<<10) | (_mode<<29) | _flags | STROBE_AUTO_FLAGS(_mode)

  292. 

  293. STROBE_CONTROL_WORD(STROBE_CW_INIT,              0x00, STROBE_MODE_ABSORB,    0);

  294.                                                  

  295. /* Ciphers */                                    

  296. STROBE_CONTROL_WORD(STROBE_CW_FIXED_KEY,          0x10, STROBE_MODE_ABSORB,    0);

  297. STROBE_CONTROL_WORD(STROBE_CW_STATIC_PUB,         0x11, STROBE_MODE_PLAINTEXT, 0);

  298. STROBE_CONTROL_WORD(STROBE_CW_DH_EPH,             0x12, STROBE_MODE_PLAINTEXT, 0);

  299. STROBE_CONTROL_WORD(STROBE_CW_DH_KEY,             0x13, STROBE_MODE_ABSORB,    0);

  300. STROBE_CONTROL_WORD(STROBE_CW_PRNG,               0x18, STROBE_MODE_SQUEEZE,   STROBE_FLAG_FORGET);

  301. STROBE_CONTROL_WORD(STROBE_CW_SESSION_HASH,       0x19, STROBE_MODE_SQUEEZE,   0);

  302. 

  303. /* Reuse for PRNG */

  304. STROBE_CONTROL_WORD(STROBE_CW_PRNG_INITIAL_SEED,  0x10, STROBE_MODE_ABSORB,    STROBE_FLAG_NO_LENGTH);

  305. STROBE_CONTROL_WORD(STROBE_CW_PRNG_RESEED,        0x11, STROBE_MODE_ABSORB,    STROBE_FLAG_NO_LENGTH);

  306. STROBE_CONTROL_WORD(STROBE_CW_PRNG_CPU_SEED,      0x12, STROBE_MODE_ABSORB,    0);

  307. STROBE_CONTROL_WORD(STROBE_CW_PRNG_USER_SEED,     0x13, STROBE_MODE_ABSORB,    STROBE_FLAG_LENGTH_64);

  308. STROBE_CONTROL_WORD(STROBE_CW_PRNG_PRNG,          0x14, STROBE_MODE_SQUEEZE,   STROBE_FLAG_LENGTH_64 | STROBE_FLAG_FORGET);

  309. 

  310. /* Signatures */                                 

  311. STROBE_CONTROL_WORD(STROBE_CW_SIG_SCHEME,         0x20, STROBE_MODE_ABSORB,    0);

  312. STROBE_CONTROL_WORD(STROBE_CW_SIG_PK,             0x21, STROBE_MODE_ABSORB,    0);

  313. STROBE_CONTROL_WORD(STROBE_CW_SIG_EPH,            0x22, STROBE_MODE_PLAINTEXT, 0);

  314. STROBE_CONTROL_WORD(STROBE_CW_SIG_CHAL,           0x23, STROBE_MODE_SQUEEZE,   0);

  315. STROBE_CONTROL_WORD(STROBE_CW_SIG_RESP,           0x24, STROBE_MODE_DUPLEX,    0);

  316. 

  317. 

  318. /* Payloads and encrypted data */

  319. 

  320. STROBE_CONTROL_WORD(STROBE_CW_PAYLOAD_PLAINTEXT,  0x30, STROBE_MODE_PLAINTEXT, 0);

  321. STROBE_CONTROL_WORD(STROBE_CW_PAYLOAD_CIPHERTEXT, 0x31, STROBE_MODE_DUPLEX,    0);

  322. STROBE_CONTROL_WORD(STROBE_CW_MAC,                0x32, STROBE_MODE_SQUEEZE_R, STROBE_FLAG_FORGET);

  323. STROBE_CONTROL_WORD(STROBE_CW_AD_EXPLICIT,        0x34, STROBE_MODE_PLAINTEXT, 0);

  324. STROBE_CONTROL_WORD(STROBE_CW_AD_IMPLICIT,        0x35, STROBE_MODE_ABSORB,    0);

  325. STROBE_CONTROL_WORD(STROBE_CW_NONCE_EXPLICIT,     0x36, STROBE_MODE_PLAINTEXT, 0);

  326. STROBE_CONTROL_WORD(STROBE_CW_NONCE_IMPLICIT,     0x37, STROBE_MODE_ABSORB,    0);

  327. 

  328. STROBE_CONTROL_WORD(STROBE_CW_STREAMING_PLAINTEXT,0x30, STROBE_MODE_PLAINTEXT, STROBE_FLAG_NO_LENGTH); /* TODO: orly? */

  329. 

  330. /* Change spec, control flow, etc */

  331. STROBE_CONTROL_WORD(STROBE_CW_COMPRESS,           0x40, STROBE_MODE_ABSORB_R,  0);

  332. /* FIXME: adjust this respec logic */

  333. STROBE_CONTROL_WORD(STROBE_CW_RESPEC_INFO,        0x41, STROBE_MODE_ABSORB,    STROBE_FLAG_RUN_F | STROBE_FLAG_FORGET);

  334. STROBE_CONTROL_WORD(STROBE_CW_RESPEC,             0x42, STROBE_MODE_ABSORB_R,  STROBE_FLAG_RUN_F);

  335. STROBE_CONTROL_WORD(STROBE_CW_FORK,               0x43, STROBE_MODE_ABSORB_R,  STROBE_FLAG_RUN_F | STROBE_FLAG_FORGET);

  336. /* FIXME: instance can be rolled back to recover other INSTANCEs */

  337. STROBE_CONTROL_WORD(STROBE_CW_INSTANCE,           0x44, STROBE_MODE_ABSORB_R,  STROBE_FLAG_FORGET);

  338. STROBE_CONTROL_WORD(STROBE_CW_ACKNOWLEDGE,        0x45, STROBE_MODE_PLAINTEXT, 0);

  339. 

  340. static INLINE UNUSED WARN_UNUSED uint32_t

  341. strobe_cw_recv(uint32_t cw) {

  342.     uint32_t recv_toggle = (cw & STROBE_FLAG_NONDIR) ? 0 : STROBE_FLAG_RECV;

  343.     if (cw & STROBE_FLAG_IMPLICIT) {

  344.         return cw ^ recv_toggle;

  345.     } else {   

  346.         uint32_t modes_2[8] = {

  347.             /* Note: most of these really shouldn't happen... */

  348.             STROBE_MODE_ABSORB,

  349.             STROBE_MODE_DUPLEX_R,

  350.             STROBE_MODE_ABSORB_R,

  351.             STROBE_MODE_DUPLEX,

  352.             STROBE_MODE_PLAINTEXT,

  353.             STROBE_MODE_SQUEEZE,

  354.             STROBE_MODE_FORGET,

  355.             STROBE_MODE_ABSORB

  356.         };

  357.     

  358.         return ((cw & ((1<<29)-1)) | (modes_2[cw>>29]<<29)) ^ recv_toggle;

  359.     }

  360. }

  361. 

  362. #define STROBE_MAX_AUTH_BYTES 32

  363. 

  364. 

  365. /**

  366.  * @brief Initialize Strobe protocol context.

  367.  * @param [out] strobe The uninitialized strobe object.

  368.  * @param [in] Strobe parameter descriptor

  369.  * @param [in] am_client Nonzero if this party

  370.  * is the client.

  371.  */

  372. void strobe_init (

  373.     keccak_strobe_t strobe,

  374.     const struct kparams_s *params,

  375.     const char *proto,

  376.     uint8_t am_client

  377. ) NONNULL2 API_VIS;

  378. 

  379. /**

  380.  * @brief Run a transaction against a STROBE state.

  381.  * @param [inout] strobe The initialized STROBE object.

  382.  * @param [out] out The output.

  383.  * @param [in] in The input.

  384.  * @param [in] len The length of the input/output.

  385.  * @param [in] cw_flags The control word with flags.

  386.  */

  387. void strobe_transact (

  388.     keccak_strobe_t strobe,

  389.     unsigned char *out,

  390.     const unsigned char *in,

  391.     size_t len,

  392.     uint32_t cw_flags

  393. ) NONNULL1 API_VIS;

  394. 

  395. /**

  396.  * @brief Send plaintext in strobe context.

  397.  * @param [inout] The initialized strobe object.

  398.  * @param [in] in The plaintext.

  399.  * @param [in] len The length of the plaintext.

  400.  * @param [in] iSent Nonzero if this side of exchange sent the plaintext.

  401.  */

  402. static INLINE UNUSED void strobe_plaintext (

  403.     keccak_strobe_t strobe,

  404.     const unsigned char *in,

  405.     uint16_t len,

  406.     uint8_t iSent

  407. ) {

  408.     strobe_transact(

  409.         strobe, NULL, in, len,

  410.         iSent ? STROBE_CW_PAYLOAD_PLAINTEXT

  411.               : strobe_cw_recv(STROBE_CW_PAYLOAD_PLAINTEXT)

  412.     );

  413. }

  414.    

  415. /**

  416.  * @brief Report authenticated data in strobe context.

  417.  * @param [inout] The initialized strobe object.

  418.  * @param [in] in The plaintext.

  419.  * @param [in] len The length of the ad.

  420.  */

  421. static INLINE UNUSED void strobe_ad (

  422.     keccak_strobe_t strobe,

  423.     const unsigned char *in,

  424.     size_t len

  425. ) {

  426.     strobe_transact( strobe, NULL, in, len, STROBE_CW_AD_EXPLICIT );

  427. }

  428.   

  429. /**

  430.  * @brief Set nonce in strobe context.

  431.  * @param [inout] The initialized strobe object.

  432.  * @param [in] in The nonce.

  433.  * @param [in] len The length of the nonce.

  434.  */

  435. static INLINE UNUSED void strobe_nonce (

  436.     keccak_strobe_t strobe,

  437.     const unsigned char *in,

  438.     uint16_t len

  439. ) {

  440.     strobe_transact( strobe, NULL, in, len, STROBE_CW_NONCE_EXPLICIT );

  441. }

  442.    

  443. /**

  444.  * @brief Set fixed key in strobe context.

  445.  * @param [inout] The initialized strobe object.

  446.  * @param [in] in The key.

  447.  * @param [in] len The length of the key.

  448.  */

  449. static INLINE UNUSED void

  450. strobe_fixed_key (

  451.     keccak_strobe_t strobe,

  452.     const unsigned char *in,

  453.     uint16_t len

  454. ) {

  455.     strobe_transact( strobe, NULL, in, len, STROBE_CW_FIXED_KEY );

  456. }

  457.    

  458. /**

  459.  * @brief Set Diffie-Hellman key in strobe context.

  460.  * @param [inout] The initialized strobe object.

  461.  * @param [in] in The key.

  462.  * @param [in] len The length of the key.

  463.  */

  464. static INLINE UNUSED void

  465. strobe_dh_key (

  466.     keccak_strobe_t strobe,

  467.     const unsigned char *in,

  468.     uint16_t len

  469. ) {

  470.     strobe_transact( strobe, NULL, in, len, STROBE_CW_DH_KEY );

  471. }

  472. 

  473.     

  474. /**

  475.  * @brief Produce an authenticator.

  476.  * @param [inout] strobe The Strobe protocol context.

  477.  * @param [out] out The authenticator

  478.  * @param len The length.

  479.  */

  480. static INLINE UNUSED void

  481. strobe_produce_auth (

  482.     keccak_strobe_t strobe,

  483.     unsigned char *out,

  484.     uint16_t len

  485. ) {

  486.     strobe_transact( strobe, out, NULL, len, STROBE_CW_MAC );

  487. }

  488.    

  489. /**

  490.  * @brief Encrypt bytes from in to out.

  491.  * @warning Doesn't produce an auth tag.

  492.  * @param [inout] strobe The Strobe protocol context.

  493.  * @param [in] in The plaintext.

  494.  * @param [out] out The ciphertext.

  495.  * @param [in] len The length of plaintext and ciphertext.

  496.  */

  497. static INLINE UNUSED void

  498. strobe_encrypt (

  499.    keccak_strobe_t strobe,

  500.    unsigned char *out,

  501.    const unsigned char *in,

  502.    uint16_t len

  503. ) {

  504.    strobe_transact(strobe, out, in, len, STROBE_CW_PAYLOAD_CIPHERTEXT);

  505. }

  506.    

  507. /**

  508.  * @brief Decrypt bytes from in to out.

  509.  * @warning Doesn't check an auth tag.

  510.  * @param [inout] strobe The Strobe protocol context.

  511.  * @param [in] in The ciphertext.

  512.  * @param [out] out The plaintext.

  513.  * @param [in] len The length of plaintext and ciphertext.

  514.  */

  515. static INLINE UNUSED void

  516. strobe_decrypt (

  517.    keccak_strobe_t strobe,

  518.    unsigned char *out,

  519.    const unsigned char *in,

  520.    uint16_t len

  521. ) {

  522.    strobe_transact(strobe, out, in, len, strobe_cw_recv(STROBE_CW_PAYLOAD_CIPHERTEXT));

  523. }

  524. 

  525. /**

  526.  * @brief Produce a session-bound pseudorandom value.

  527.  *

  528.  * @warning This "prng" value is NOT suitable for

  529.  * refreshing forward secrecy!  It's to replace things

  530.  * like TCP session hash.

  531.  *

  532.  * @param [inout] strobe The Strobe protocol context

  533.  * @param [out] out The output random data.

  534.  * @param len The length.

  535.  */

  536. static inline void strobe_prng (

  537.     keccak_strobe_t strobe,

  538.     unsigned char *out,

  539.     uint16_t len

  540. ) {

  541.     strobe_transact( strobe, out, NULL, len, STROBE_CW_PRNG );

  542. }

  543. 

  544. /**

  545.  * @brief Verify an authenticator.

  546.  * @param [inout] strobe The Strobe protocol context

  547.  * @param [in] in The authenticator

  548.  * @param len The length, which must be no more than

  549.  * @todo 32?

  550.  * @retval DECAF_SUCCESS The operation applied successfully.

  551.  * @retval DECAF_FAILURE The operation failed because of a

  552.  * bad validator (or because you aren't keyed)

  553.  */

  554. decaf_error_t strobe_verify_auth (

  555.     keccak_strobe_t strobe,

  556.     const unsigned char *in,

  557.     uint16_t len

  558. ) WARN_UNUSED NONNULL2 API_VIS;

  559. 

  560. /**

  561.  * @brief Respecify Strobe protocol object's crypto.

  562.  * @param [inout] The initialized strobe context.

  563.  * @param [in] Strobe parameter descriptor

  564.  * @param [in] am_client Nonzero if this party

  565.  * is the client.

  566.  */

  567. void strobe_respec (

  568.     keccak_strobe_t strobe,

  569.     const struct kparams_s *params

  570. ) NONNULL2 API_VIS;

  571.     

  572. #define strobe_destroy sponge_destroy

  573. 

  574. #ifdef __cplusplus

  575. } /* extern "C" */

  576. #endif

  577. 

  578. #undef API_VIS

  579. #undef WARN_UNUSED

  580. #undef NONNULL1

  581. #undef NONNULL13

  582. #undef NONNULL2

  583. #undef NONNULL3

  584. #undef INLINE

  585. #undef UNUSED

  586.     

  587. #endif /* __SHAKE_H__ */