2019-12-25 Niels Möller <nisse@lysator.liu.se>
Support for SHAKE256, based on patch by Daiki Ueno.
* shake256.c (sha3_256_shake): New file and function.
* Makefile.in (nettle_SOURCES): Add shake256.c.
* testsuite/testutils.c (test_hash): Allow arbitrary digest size,
if hash->digest_size == 0.
* testsuite/shake.awk: New script to extract test vectors.
* testsuite/Makefile.in (TS_NETTLE_SOURCES): Add shake256-test.c.
(DISTFILES): Add shake.awk.
* nettle.texinfo (Recommended hash functions): Document SHAKE-256.
* sha3.c (_sha3_pad): Generalized with an argument for the magic
suffix defining the sha3 instance.
* sha3-internal.h (_sha3_pad_hash): New macro, for SHA3 hashes.
Updated all callers of _sha3_pad.
(_sha3_pad_shake): New macro, using the SHAKE magic byte 0x1f.
2019-12-19 Niels Möller <nisse@lysator.liu.se> 2019-12-19 Niels Möller <nisse@lysator.liu.se>
* ecc-mul-a-eh.c (ecc_mul_a_eh) [ECC_MUL_A_EH_WBITS == 0]: Use * ecc-mul-a-eh.c (ecc_mul_a_eh) [ECC_MUL_A_EH_WBITS == 0]: Use
......
...@@ -129,7 +129,8 @@ nettle_SOURCES = aes-decrypt-internal.c aes-decrypt.c \ ...@@ -129,7 +129,8 @@ nettle_SOURCES = aes-decrypt-internal.c aes-decrypt.c \
sha512-224-meta.c sha512-256-meta.c \ sha512-224-meta.c sha512-256-meta.c \
sha3.c sha3-permute.c \ sha3.c sha3-permute.c \
sha3-224.c sha3-224-meta.c sha3-256.c sha3-256-meta.c \ sha3-224.c sha3-224-meta.c sha3-256.c sha3-256-meta.c \
sha3-384.c sha3-384-meta.c sha3-512.c sha3-512-meta.c\ sha3-384.c sha3-384-meta.c sha3-512.c sha3-512-meta.c \
shake256.c \
serpent-set-key.c serpent-encrypt.c serpent-decrypt.c \ serpent-set-key.c serpent-encrypt.c serpent-decrypt.c \
serpent-meta.c \ serpent-meta.c \
twofish.c twofish-meta.c \ twofish.c twofish-meta.c \
......
...@@ -834,6 +834,28 @@ octets of the digest are written. ...@@ -834,6 +834,28 @@ octets of the digest are written.
This function also resets the context. This function also resets the context.
@end deftypefun @end deftypefun
@subsubsection @acronym{SHAKE-256}
@cindex SHAKE
In addition to those SHA-3 hash functions, Nettle also provides a SHA-3
extendable-output function (XOF), SHAKE-256. Unlike SHA-3 hash functions,
SHAKE can produce an output digest of any desired length.
To use SHAKE256, the context struct, init and update functions are the
same as for SHA3-256. To get a SHAKE256 digest, the following function
is used instead of @code{sha3_256_digest}. For an output size of
@code{SHA3_256_DIGEST_SIZE}, security is equivalent to SHA3-256 (but the
digest is different). Increasing output size further does not increase
security in terms of collision or preimage resistance. It can be seen as
a built in pseudorandomness generator.
@deftypefun void sha3_256_shake (struct shake256_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest})
Performs final processing and produces a SHAKE256 digest, writing it
to @var{digest}. @var{length} can be of arbitrary size.
This function also resets the context.
@end deftypefun
@node Legacy hash functions, nettle_hash abstraction, Recommended hash functions, Hash functions @node Legacy hash functions, nettle_hash abstraction, Recommended hash functions, Hash functions
@comment node-name, next, previous, up @comment node-name, next, previous, up
@subsection Legacy hash functions @subsection Legacy hash functions
......
...@@ -63,7 +63,7 @@ sha3_224_digest(struct sha3_224_ctx *ctx, ...@@ -63,7 +63,7 @@ sha3_224_digest(struct sha3_224_ctx *ctx,
size_t length, size_t length,
uint8_t *digest) uint8_t *digest)
{ {
_sha3_pad (&ctx->state, SHA3_224_BLOCK_SIZE, ctx->block, ctx->index); _sha3_pad_hash (&ctx->state, SHA3_224_BLOCK_SIZE, ctx->block, ctx->index);
_nettle_write_le64 (length, digest, ctx->state.a); _nettle_write_le64 (length, digest, ctx->state.a);
sha3_224_init (ctx); sha3_224_init (ctx);
} }
...@@ -63,7 +63,7 @@ sha3_256_digest(struct sha3_256_ctx *ctx, ...@@ -63,7 +63,7 @@ sha3_256_digest(struct sha3_256_ctx *ctx,
size_t length, size_t length,
uint8_t *digest) uint8_t *digest)
{ {
_sha3_pad (&ctx->state, SHA3_256_BLOCK_SIZE, ctx->block, ctx->index); _sha3_pad_hash (&ctx->state, SHA3_256_BLOCK_SIZE, ctx->block, ctx->index);
_nettle_write_le64 (length, digest, ctx->state.a); _nettle_write_le64 (length, digest, ctx->state.a);
sha3_256_init (ctx); sha3_256_init (ctx);
} }
...@@ -63,7 +63,7 @@ sha3_384_digest(struct sha3_384_ctx *ctx, ...@@ -63,7 +63,7 @@ sha3_384_digest(struct sha3_384_ctx *ctx,
size_t length, size_t length,
uint8_t *digest) uint8_t *digest)
{ {
_sha3_pad (&ctx->state, SHA3_384_BLOCK_SIZE, ctx->block, ctx->index); _sha3_pad_hash (&ctx->state, SHA3_384_BLOCK_SIZE, ctx->block, ctx->index);
_nettle_write_le64 (length, digest, ctx->state.a); _nettle_write_le64 (length, digest, ctx->state.a);
sha3_384_init (ctx); sha3_384_init (ctx);
} }
...@@ -63,7 +63,7 @@ sha3_512_digest(struct sha3_512_ctx *ctx, ...@@ -63,7 +63,7 @@ sha3_512_digest(struct sha3_512_ctx *ctx,
size_t length, size_t length,
uint8_t *digest) uint8_t *digest)
{ {
_sha3_pad (&ctx->state, SHA3_512_BLOCK_SIZE, ctx->block, ctx->index); _sha3_pad_hash (&ctx->state, SHA3_512_BLOCK_SIZE, ctx->block, ctx->index);
_nettle_write_le64 (length, digest, ctx->state.a); _nettle_write_le64 (length, digest, ctx->state.a);
sha3_512_init (ctx); sha3_512_init (ctx);
} }
...@@ -39,14 +39,25 @@ ...@@ -39,14 +39,25 @@
#define _sha3_update _nettle_sha3_update #define _sha3_update _nettle_sha3_update
#define _sha3_pad _nettle_sha3_pad #define _sha3_pad _nettle_sha3_pad
#define SHA3_HASH_MAGIC 6
#define SHA3_SHAKE_MAGIC 0x1f
unsigned unsigned
_sha3_update (struct sha3_state *state, _sha3_update (struct sha3_state *state,
unsigned block_size, uint8_t *block, unsigned block_size, uint8_t *block,
unsigned pos, unsigned pos,
size_t length, const uint8_t *data); size_t length, const uint8_t *data);
void void
_sha3_pad (struct sha3_state *state, _sha3_pad (struct sha3_state *state,
unsigned block_size, uint8_t *block, unsigned pos); unsigned block_size, uint8_t *block, unsigned pos, uint8_t magic);
#define _sha3_pad_hash(state, block_size, block, pos) \
_sha3_pad (state, block_size, block, pos, SHA3_HASH_MAGIC)
#define _sha3_pad_shake(state, block_size, block, pos) \
_sha3_pad (state, block_size, block, pos, SHA3_SHAKE_MAGIC)
#endif #endif
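Review bot: `SHA3_HASH_MAGIC` and `SHA3_SHAKE_MAGIC` are added without a comment saying what the values encode, and the new `magic` parameter of `_sha3_pad` is undocumented as well. These bytes are the FIPS 202 domain-separation suffix (01 for the SHA-3 hashes, 1111 for SHAKE) merged with the first bit of the pad10*1 padding, and they are what keeps SHA3-256 and SHAKE256 outputs unrelated for the same message. I would add above the defines `/* FIPS 202 domain-separation suffix plus first padding bit, as the byte appended after the message: 0x06 for SHA3-*, 0x1f for SHAKE. */`, and say in the prototype comment that callers should go through `_sha3_pad_hash` or `_sha3_pad_shake` rather than pass a literal.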
...@@ -92,10 +92,10 @@ _sha3_update (struct sha3_state *state, ...@@ -92,10 +92,10 @@ _sha3_update (struct sha3_state *state,
void void
_sha3_pad (struct sha3_state *state, _sha3_pad (struct sha3_state *state,
unsigned block_size, uint8_t *block, unsigned pos) unsigned block_size, uint8_t *block, unsigned pos, uint8_t magic)
{ {
assert (pos < block_size); assert (pos < block_size);
block[pos++] = 6; block[pos++] = magic;
memset (block + pos, 0, block_size - pos); memset (block + pos, 0, block_size - pos);
block[block_size - 1] |= 0x80; block[block_size - 1] |= 0x80;
......
...@@ -48,6 +48,7 @@ extern "C" { ...@@ -48,6 +48,7 @@ extern "C" {
#define sha3_256_init nettle_sha3_256_init #define sha3_256_init nettle_sha3_256_init
#define sha3_256_update nettle_sha3_256_update #define sha3_256_update nettle_sha3_256_update
#define sha3_256_digest nettle_sha3_256_digest #define sha3_256_digest nettle_sha3_256_digest
#define sha3_256_shake nettle_sha3_256_shake
#define sha3_384_init nettle_sha3_384_init #define sha3_384_init nettle_sha3_384_init
#define sha3_384_update nettle_sha3_384_update #define sha3_384_update nettle_sha3_384_update
#define sha3_384_digest nettle_sha3_384_digest #define sha3_384_digest nettle_sha3_384_digest
...@@ -135,6 +136,13 @@ sha3_256_digest(struct sha3_256_ctx *ctx, ...@@ -135,6 +136,13 @@ sha3_256_digest(struct sha3_256_ctx *ctx,
size_t length, size_t length,
uint8_t *digest); uint8_t *digest);
/* Alternative digest function implementing shake256, with arbitrary
digest size */
void
sha3_256_shake(struct sha3_256_ctx *ctx,
size_t length,
uint8_t *digest);
struct sha3_384_ctx struct sha3_384_ctx
{ {
struct sha3_state state; struct sha3_state state;
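Review bot: The declaration added after `sha3_256_digest` takes `struct sha3_256_ctx *ctx`, but the `@deftypefun` line this commit adds to nettle.texinfo documents the first argument as `struct shake256_ctx *`, a type that none of the visible changes define. One of the two should change; going by the code, the manual line would read `@deftypefun void sha3_256_shake (struct sha3_256_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest})`. The header comment could also state that `length` is in octets and that the call resets the context, as the manual text does.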
......
/* shake256.c
The SHAKE256 hash function, arbitrary length output.
Copyright (C) 2017 Daiki Ueno
Copyright (C) 2017 Red Hat, Inc.
This file is part of GNU Nettle.
GNU Nettle is free software: you can redistribute it and/or
modify it under the terms of either:
* the GNU Lesser General Public License as published by the Free
Software Foundation; either version 3 of the License, or (at your
option) any later version.
or
* the GNU General Public License as published by the Free
Software Foundation; either version 2 of the License, or (at your
option) any later version.
or both in parallel, as here.
GNU Nettle is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.
You should have received copies of the GNU General Public License and
the GNU Lesser General Public License along with this program. If
not, see http://www.gnu.org/licenses/.
*/
#if HAVE_CONFIG_H
# include "config.h"
#endif
#include <stddef.h>
#include <string.h>
#include "sha3.h"
#include "sha3-internal.h"
#include "nettle-write.h"
void
sha3_256_shake (struct sha3_256_ctx *ctx,
size_t length,
uint8_t *dst)
{
_sha3_pad_shake (&ctx->state, SHA3_256_BLOCK_SIZE, ctx->block, ctx->index);
while (length > SHA3_256_BLOCK_SIZE)
{
_nettle_write_le64 (SHA3_256_BLOCK_SIZE, dst, ctx->state.a);
length -= SHA3_256_BLOCK_SIZE;
dst += SHA3_256_BLOCK_SIZE;
sha3_permute (&ctx->state);
}
_nettle_write_le64 (length, dst, ctx->state.a);
sha3_256_init (ctx);
}
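Review bot: `sha3_256_shake` has no comment, and its one-shot behaviour is easy to misuse: the trailing `sha3_256_init (ctx)` resets the context, so a second call does not continue the output stream but produces output for whatever is absorbed after the reset. It also follows from the loop that the output for a shorter `length` is a prefix of the output for a longer one over the same input, so callers must not treat two lengths as independent values (for example as separate keys). I would put above the function `/* Pads with the SHAKE suffix, writes LENGTH octets to DST, then resets CTX. Not incremental: request all output in one call; shorter outputs are prefixes of longer ones. */`. The parameter is named `dst` here and `digest` in sha3.h; one name in both places would read better.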
...@@ -100,6 +100,9 @@ sha3-384-test$(EXEEXT): sha3-384-test.$(OBJEXT) ...@@ -100,6 +100,9 @@ sha3-384-test$(EXEEXT): sha3-384-test.$(OBJEXT)
sha3-512-test$(EXEEXT): sha3-512-test.$(OBJEXT) sha3-512-test$(EXEEXT): sha3-512-test.$(OBJEXT)
$(LINK) sha3-512-test.$(OBJEXT) $(TEST_OBJS) -o sha3-512-test$(EXEEXT) $(LINK) sha3-512-test.$(OBJEXT) $(TEST_OBJS) -o sha3-512-test$(EXEEXT)
shake256-test$(EXEEXT): shake256-test.$(OBJEXT)
$(LINK) shake256-test.$(OBJEXT) $(TEST_OBJS) -o shake256-test$(EXEEXT)
serpent-test$(EXEEXT): serpent-test.$(OBJEXT) serpent-test$(EXEEXT): serpent-test.$(OBJEXT)
$(LINK) serpent-test.$(OBJEXT) $(TEST_OBJS) -o serpent-test$(EXEEXT) $(LINK) serpent-test.$(OBJEXT) $(TEST_OBJS) -o serpent-test$(EXEEXT)
......
...@@ -24,6 +24,7 @@ TS_NETTLE_SOURCES = aes-test.c arcfour-test.c arctwo-test.c \ ...@@ -24,6 +24,7 @@ TS_NETTLE_SOURCES = aes-test.c arcfour-test.c arctwo-test.c \
sha384-test.c sha512-test.c sha512-224-test.c sha512-256-test.c \ sha384-test.c sha512-test.c sha512-224-test.c sha512-256-test.c \
sha3-permute-test.c sha3-224-test.c sha3-256-test.c \ sha3-permute-test.c sha3-224-test.c sha3-256-test.c \
sha3-384-test.c sha3-512-test.c \ sha3-384-test.c sha3-512-test.c \
shake256-test.c \
serpent-test.c twofish-test.c version-test.c \ serpent-test.c twofish-test.c version-test.c \
knuth-lfib-test.c \ knuth-lfib-test.c \
cbc-test.c cfb-test.c ctr-test.c gcm-test.c eax-test.c ccm-test.c \ cbc-test.c cfb-test.c ctr-test.c gcm-test.c eax-test.c ccm-test.c \
......
#! /usr/bin/awk -f
# This script is used to process the Keccak testvectors, originally
# we used http://keccak.noekeon.org/KeccakKAT-3.zip.
# For the updated NIST version, test vectors can be found at
# https://github.com/gvanas/KeccakCodePackage/tree/master/TestVectors
/^Len/ { len = $3 }
/^Msg/ { msg = $3 }
/^Squeezed/ { md = $3;
if (len % 8 == 0)
printf("test_hash_extendable(&nettle_shakexxx, /* %d octets */\nSHEX(\"%s\"),\nSHEX(\"%s\"));\n",
len / 8, len ? msg : "", md);
}
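Review bot: The script emits calls to `test_hash_extendable`, which none of the visible changes define; the testutils.c change in this commit extends `test_hash` for `digest_size == 0` instead, so the generated lines may not compile as they stand (the shake256-test.c diff is collapsed, so this cannot be confirmed from the page). The header comment should also say that records whose `Len` is not a multiple of 8 are dropped silently by the `len % 8 == 0` test and that `nettle_shakexxx` appears to be a placeholder to replace by hand, e.g. `# Bit-length vectors (Len % 8 != 0) are skipped; replace nettle_shakexxx in the output.`. Since these vectors are the reference the implementation is checked against, the comment could prefer the https source over the older `http://` one.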
...@@ -866,33 +866,36 @@ test_hash(const struct nettle_hash *hash, ...@@ -866,33 +866,36 @@ test_hash(const struct nettle_hash *hash,
const struct tstring *digest) const struct tstring *digest)
{ {
void *ctx = xalloc(hash->context_size); void *ctx = xalloc(hash->context_size);
uint8_t *buffer = xalloc(hash->digest_size); uint8_t *buffer = xalloc(digest->length);
uint8_t *input; uint8_t *input;
unsigned offset; unsigned offset;
ASSERT (digest->length == hash->digest_size); /* Here, hash->digest_size zero means arbitrary size. */
if (hash->digest_size)
ASSERT (digest->length == hash->digest_size);
hash->init(ctx); hash->init(ctx);
hash->update(ctx, msg->length, msg->data); hash->update(ctx, msg->length, msg->data);
hash->digest(ctx, hash->digest_size, buffer); hash->digest(ctx, digest->length, buffer);
if (MEMEQ(hash->digest_size, digest->data, buffer) == 0) if (MEMEQ(digest->length, digest->data, buffer) == 0)
{ {
fprintf(stdout, "\nGot:\n"); fprintf(stdout, "\nGot:\n");
print_hex(hash->digest_size, buffer); print_hex(digest->length, buffer);
fprintf(stdout, "\nExpected:\n"); fprintf(stdout, "\nExpected:\n");
print_hex(hash->digest_size, digest->data); print_hex(digest->length, digest->data);
abort(); abort();
} }
memset(buffer, 0, hash->digest_size); memset(buffer, 0, digest->length);
hash->update(ctx, msg->length, msg->data); hash->update(ctx, msg->length, msg->data);
hash->digest(ctx, hash->digest_size - 1, buffer); ASSERT(digest->length > 0);
hash->digest(ctx, digest->length - 1, buffer);
ASSERT(MEMEQ(hash->digest_size - 1, digest->data, buffer)); ASSERT(MEMEQ(digest->length - 1, digest->data, buffer));
ASSERT(buffer[hash->digest_size - 1] == 0); ASSERT(buffer[digest->length - 1] == 0);
input = xalloc (msg->length + 16); input = xalloc (msg->length + 16);
for (offset = 0; offset < 16; offset++) for (offset = 0; offset < 16; offset++)
...@@ -900,13 +903,13 @@ test_hash(const struct nettle_hash *hash, ...@@ -900,13 +903,13 @@ test_hash(const struct nettle_hash *hash,
memset (input, 0, msg->length + 16); memset (input, 0, msg->length + 16);
memcpy (input + offset, msg->data, msg->length); memcpy (input + offset, msg->data, msg->length);
hash->update (ctx, msg->length, input + offset); hash->update (ctx, msg->length, input + offset);
hash->digest (ctx, hash->digest_size, buffer); hash->digest (ctx, digest->length, buffer);
if (MEMEQ(hash->digest_size, digest->data, buffer) == 0) if (MEMEQ(digest->length, digest->data, buffer) == 0)
{ {
fprintf(stdout, "hash input address: %p\nGot:\n", input + offset); fprintf(stdout, "hash input address: %p\nGot:\n", input + offset);
print_hex(hash->digest_size, buffer); print_hex(digest->length, buffer);
fprintf(stdout, "\nExpected:\n"); fprintf(stdout, "\nExpected:\n");
print_hex(hash->digest_size, digest->data); print_hex(digest->length, digest->data);
abort(); abort();
} }
} }
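Review bot: In the first hunk `ASSERT(digest->length > 0)` is reached only after `xalloc(digest->length)` and the first `hash->digest` call, so a zero-length expected digest for an arbitrary-size hash passes the full-length `MEMEQ` comparison vacuously before it is rejected. Moving `ASSERT (digest->length > 0);` to the top, next to the `hash->digest_size` check, states the precondition before any allocation or comparison. The unbraced `if (hash->digest_size)` in front of the `ASSERT` macro depends on how that macro expands, which is not visible here; braces around the statement would remove the doubt. test_hash continues past the end of the second hunk.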
......