diff --git a/src/GENERATED/c/curve25519/eddsa.c b/src/GENERATED/c/curve25519/eddsa.c index 2efb0d2..9277c7c 100644 --- a/src/GENERATED/c/curve25519/eddsa.c +++ b/src/GENERATED/c/curve25519/eddsa.c @@ -56,6 +56,7 @@ static void clamp ( static void hash_init_with_dom( hash_ctx_t hash, uint8_t prehashed, + uint8_t for_prehash, const uint8_t *context, uint8_t context_len ) { @@ -63,12 +64,13 @@ static void hash_init_with_dom( #if SUPPORTS_CONTEXTS const char *dom_s = ""; - const uint8_t dom[2] = {1+word_is_zero(prehashed), context_len}; + const uint8_t dom[2] = {2+word_is_zero(prehashed)+word_is_zero(for_prehash), context_len}; hash_update(hash,(const unsigned char *)dom_s, strlen(dom_s)); hash_update(hash,dom,2); hash_update(hash,context,context_len); #else (void)prehashed; + (void)for_prehash; (void)context; assert(context==NULL); (void)context_len; @@ -76,6 +78,20 @@ static void hash_init_with_dom( #endif } +void decaf_ed25519_prehash_init ( + hash_ctx_t hash +#if DECAF_EDDSA_25519_SUPPORTS_CONTEXTS + , const uint8_t *context, + uint8_t context_len +#endif +) { +#if DECAF_EDDSA_25519_SUPPORTS_CONTEXTS + hash_init_with_dom(hash,1,1,context,context_len); +#else + hash_init_with_dom(hash,1,1,NULL,0); +#endif +} + void decaf_ed25519_derive_public_key ( uint8_t pubkey[DECAF_EDDSA_25519_PUBLIC_BYTES], const uint8_t privkey[DECAF_EDDSA_25519_PRIVATE_BYTES] @@ -149,7 +165,7 @@ void decaf_ed25519_sign ( API_NS(scalar_decode_long)(secret_scalar, expanded.secret_scalar_ser, sizeof(expanded.secret_scalar_ser)); /* Hash to create the nonce */ - hash_init_with_dom(hash,prehashed,context,context_len); + hash_init_with_dom(hash,prehashed,0,context,context_len); hash_update(hash,expanded.seed,sizeof(expanded.seed)); hash_update(hash,message,message_len); decaf_bzero(&expanded, sizeof(expanded)); @@ -183,7 +199,7 @@ void decaf_ed25519_sign ( API_NS(scalar_t) challenge_scalar; { /* Compute the challenge */ - hash_init_with_dom(hash,prehashed,context,context_len); + hash_init_with_dom(hash,prehashed,0,context,context_len); hash_update(hash,nonce_point,sizeof(nonce_point)); hash_update(hash,pubkey,DECAF_EDDSA_25519_PUBLIC_BYTES); hash_update(hash,message,message_len); @@ -207,6 +223,33 @@ void decaf_ed25519_sign ( } +void decaf_ed25519_sign_prehash ( + uint8_t signature[DECAF_EDDSA_25519_SIGNATURE_BYTES], + const uint8_t privkey[DECAF_EDDSA_25519_PRIVATE_BYTES], + const uint8_t pubkey[DECAF_EDDSA_25519_PUBLIC_BYTES], + const decaf_ed25519_prehash_ctx_t hash +#if DECAF_EDDSA_25519_SUPPORTS_CONTEXTS + , const uint8_t *context, + uint8_t context_len +#endif +) { + uint8_t hash_output[64]; /* MAGIC but true for all existing schemes */ + { + decaf_ed25519_prehash_ctx_t hash_too; + memcpy(hash_too,hash,sizeof(hash_too)); + hash_final(hash_too,hash_output,sizeof(hash_output)); + hash_destroy(hash_too); + } + +#if DECAF_EDDSA_25519_SUPPORTS_CONTEXTS + decaf_ed25519_sign(signature,privkey,pubkey,hash_output,sizeof(hash_output),1,context,context_len); +#else + decaf_ed25519_sign(signature,privkey,pubkey,hash_output,sizeof(hash_output),1); +#endif + + decaf_bzero(hash_output,sizeof(hash_output)); +} + decaf_error_t decaf_ed25519_verify ( const uint8_t signature[DECAF_EDDSA_25519_SIGNATURE_BYTES], const uint8_t pubkey[DECAF_EDDSA_25519_PUBLIC_BYTES], @@ -233,7 +276,7 @@ decaf_error_t decaf_ed25519_verify ( { /* Compute the challenge */ hash_ctx_t hash; - hash_init_with_dom(hash,prehashed,context,context_len); + hash_init_with_dom(hash,prehashed,0,context,context_len); hash_update(hash,signature,DECAF_EDDSA_25519_PUBLIC_BYTES); hash_update(hash,pubkey,DECAF_EDDSA_25519_PUBLIC_BYTES); hash_update(hash,message,message_len); @@ -265,3 +308,32 @@ decaf_error_t decaf_ed25519_verify ( ); return decaf_succeed_if(API_NS(point_eq(pk_point,r_point))); } + + +decaf_error_t decaf_ed25519_verify_prehash ( + const uint8_t signature[DECAF_EDDSA_25519_SIGNATURE_BYTES], + const uint8_t pubkey[DECAF_EDDSA_25519_PUBLIC_BYTES], + const decaf_ed25519_prehash_ctx_t hash +#if DECAF_EDDSA_25519_SUPPORTS_CONTEXTS + , const uint8_t *context, + uint8_t context_len +#endif +) { + decaf_error_t ret; + + uint8_t hash_output[64]; /* MAGIC but true for all existing schemes */ + { + decaf_ed25519_prehash_ctx_t hash_too; + memcpy(hash_too,hash,sizeof(hash_too)); + hash_final(hash_too,hash_output,sizeof(hash_output)); + hash_destroy(hash_too); + } + +#if DECAF_EDDSA_25519_SUPPORTS_CONTEXTS + ret = decaf_ed25519_verify(signature,pubkey,hash_output,sizeof(hash_output),1,context,context_len); +#else + ret = decaf_ed25519_verify(signature,pubkey,hash_output,sizeof(hash_output),1); +#endif + + return ret; +} diff --git a/src/GENERATED/c/ed448goldilocks/eddsa.c b/src/GENERATED/c/ed448goldilocks/eddsa.c index 388036a..dae9a8c 100644 --- a/src/GENERATED/c/ed448goldilocks/eddsa.c +++ b/src/GENERATED/c/ed448goldilocks/eddsa.c @@ -56,6 +56,7 @@ static void clamp ( static void hash_init_with_dom( hash_ctx_t hash, uint8_t prehashed, + uint8_t for_prehash, const uint8_t *context, uint8_t context_len ) { @@ -63,12 +64,13 @@ static void hash_init_with_dom( #if SUPPORTS_CONTEXTS const char *dom_s = "SigEd448"; - const uint8_t dom[2] = {1+word_is_zero(prehashed), context_len}; + const uint8_t dom[2] = {2+word_is_zero(prehashed)+word_is_zero(for_prehash), context_len}; hash_update(hash,(const unsigned char *)dom_s, strlen(dom_s)); hash_update(hash,dom,2); hash_update(hash,context,context_len); #else (void)prehashed; + (void)for_prehash; (void)context; assert(context==NULL); (void)context_len; @@ -76,6 +78,20 @@ static void hash_init_with_dom( #endif } +void decaf_ed448_prehash_init ( + hash_ctx_t hash +#if DECAF_EDDSA_448_SUPPORTS_CONTEXTS + , const uint8_t *context, + uint8_t context_len +#endif +) { +#if DECAF_EDDSA_448_SUPPORTS_CONTEXTS + hash_init_with_dom(hash,1,1,context,context_len); +#else + hash_init_with_dom(hash,1,1,NULL,0); +#endif +} + void decaf_ed448_derive_public_key ( uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES], const uint8_t privkey[DECAF_EDDSA_448_PRIVATE_BYTES] @@ -149,7 +165,7 @@ void decaf_ed448_sign ( API_NS(scalar_decode_long)(secret_scalar, expanded.secret_scalar_ser, sizeof(expanded.secret_scalar_ser)); /* Hash to create the nonce */ - hash_init_with_dom(hash,prehashed,context,context_len); + hash_init_with_dom(hash,prehashed,0,context,context_len); hash_update(hash,expanded.seed,sizeof(expanded.seed)); hash_update(hash,message,message_len); decaf_bzero(&expanded, sizeof(expanded)); @@ -183,7 +199,7 @@ void decaf_ed448_sign ( API_NS(scalar_t) challenge_scalar; { /* Compute the challenge */ - hash_init_with_dom(hash,prehashed,context,context_len); + hash_init_with_dom(hash,prehashed,0,context,context_len); hash_update(hash,nonce_point,sizeof(nonce_point)); hash_update(hash,pubkey,DECAF_EDDSA_448_PUBLIC_BYTES); hash_update(hash,message,message_len); @@ -207,6 +223,33 @@ void decaf_ed448_sign ( } +void decaf_ed448_sign_prehash ( + uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES], + const uint8_t privkey[DECAF_EDDSA_448_PRIVATE_BYTES], + const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES], + const decaf_ed448_prehash_ctx_t hash +#if DECAF_EDDSA_448_SUPPORTS_CONTEXTS + , const uint8_t *context, + uint8_t context_len +#endif +) { + uint8_t hash_output[64]; /* MAGIC but true for all existing schemes */ + { + decaf_ed448_prehash_ctx_t hash_too; + memcpy(hash_too,hash,sizeof(hash_too)); + hash_final(hash_too,hash_output,sizeof(hash_output)); + hash_destroy(hash_too); + } + +#if DECAF_EDDSA_448_SUPPORTS_CONTEXTS + decaf_ed448_sign(signature,privkey,pubkey,hash_output,sizeof(hash_output),1,context,context_len); +#else + decaf_ed448_sign(signature,privkey,pubkey,hash_output,sizeof(hash_output),1); +#endif + + decaf_bzero(hash_output,sizeof(hash_output)); +} + decaf_error_t decaf_ed448_verify ( const uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES], const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES], @@ -233,7 +276,7 @@ decaf_error_t decaf_ed448_verify ( { /* Compute the challenge */ hash_ctx_t hash; - hash_init_with_dom(hash,prehashed,context,context_len); + hash_init_with_dom(hash,prehashed,0,context,context_len); hash_update(hash,signature,DECAF_EDDSA_448_PUBLIC_BYTES); hash_update(hash,pubkey,DECAF_EDDSA_448_PUBLIC_BYTES); hash_update(hash,message,message_len); @@ -265,3 +308,32 @@ decaf_error_t decaf_ed448_verify ( ); return decaf_succeed_if(API_NS(point_eq(pk_point,r_point))); } + + +decaf_error_t decaf_ed448_verify_prehash ( + const uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES], + const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES], + const decaf_ed448_prehash_ctx_t hash +#if DECAF_EDDSA_448_SUPPORTS_CONTEXTS + , const uint8_t *context, + uint8_t context_len +#endif +) { + decaf_error_t ret; + + uint8_t hash_output[64]; /* MAGIC but true for all existing schemes */ + { + decaf_ed448_prehash_ctx_t hash_too; + memcpy(hash_too,hash,sizeof(hash_too)); + hash_final(hash_too,hash_output,sizeof(hash_output)); + hash_destroy(hash_too); + } + +#if DECAF_EDDSA_448_SUPPORTS_CONTEXTS + ret = decaf_ed448_verify(signature,pubkey,hash_output,sizeof(hash_output),1,context,context_len); +#else + ret = decaf_ed448_verify(signature,pubkey,hash_output,sizeof(hash_output),1); +#endif + + return ret; +} diff --git a/src/GENERATED/include/decaf/ed255.h b/src/GENERATED/include/decaf/ed255.h index 020ce1b..97f78c0 100644 --- a/src/GENERATED/include/decaf/ed255.h +++ b/src/GENERATED/include/decaf/ed255.h @@ -16,6 +16,8 @@ #define __DECAF_ED255_H__ 1 #include +#include +#include #ifdef __cplusplus extern "C" { @@ -32,6 +34,12 @@ extern "C" { /** Does EdDSA support contexts? */ #define DECAF_EDDSA_25519_SUPPORTS_CONTEXTS 0 + +/** Prehash context renaming macros. */ +#define decaf_ed25519_prehash_ctx_s decaf_sha512_ctx_s +#define decaf_ed25519_prehash_ctx_t decaf_sha512_ctx_t +#define decaf_ed25519_prehash_update decaf_sha512_update +#define decaf_ed25519_prehash_destroy decaf_sha512_destroy /** * @brief EdDSA key generation. This function uses a different (non-Decaf) @@ -75,6 +83,48 @@ void decaf_ed25519_sign ( #endif ) API_VIS __attribute__((nonnull(1,2,3))) NOINLINE; +/** + * @brief EdDSA signing with prehash. + * + * @param [out] signature The signature. + * @param [in] privkey The private key. + * @param [in] pubkey The public key. + * @param [in] context A "context" for this signature of up to 255 bytes. Must be the same as what was used for the prehash. + * @param [in] context_len Length of the context. + * @param [in] hash The hash of the message. This object will not be modified by the call. + * @param [in] prehashed Nonzero if the message is actually the hash of something you want to sign. + * + * @warning For Ed25519, it is unsafe to use the same key for both prehashed and non-prehashed + * messages, at least without some very careful protocol-level disambiguation. For Ed448 it is + * safe. The C++ wrapper is designed to make it harder to screw this up, but this C code gives + * you no seat belt. + */ +void decaf_ed25519_sign_prehash ( + uint8_t signature[DECAF_EDDSA_25519_SIGNATURE_BYTES], + const uint8_t privkey[DECAF_EDDSA_25519_PRIVATE_BYTES], + const uint8_t pubkey[DECAF_EDDSA_25519_PUBLIC_BYTES], + const decaf_ed25519_prehash_ctx_t hash +#if DECAF_EDDSA_25519_SUPPORTS_CONTEXTS + , const uint8_t *context, + uint8_t context_len +#endif +) API_VIS __attribute__((nonnull(1,2,3,4))) NOINLINE; + +/** + * @brief Prehash initialization, with contexts if supported. + * + * @param [out] hash The hash object to be initialized. + * @param [in] context A "context" for this signature of up to 255 bytes. + * @param [in] context_len Length of the context. + */ +void decaf_ed25519_prehash_init ( + decaf_ed25519_prehash_ctx_t hash +#if DECAF_EDDSA_25519_SUPPORTS_CONTEXTS + , const uint8_t *context, + uint8_t context_len +#endif +) API_VIS __attribute__((nonnull(1))) NOINLINE; + /** * @brief EdDSA signature verification. * @@ -105,7 +155,32 @@ decaf_error_t decaf_ed25519_verify ( #endif ) API_VIS __attribute__((nonnull(1,2))) NOINLINE; - +/** + * @brief EdDSA signature verification. + * + * Uses the standard (i.e. less-strict) verification formula. + * + * @param [in] signature The signature. + * @param [in] pubkey The public key. + * @param [in] context A "context" for this signature of up to 255 bytes. Must be the same as what was used for the prehash. + * @param [in] context_len Length of the context. + * @param [in] hash The hash of the message. This object will not be modified by the call. + * @param [in] prehashed Nonzero if the message is actually the hash of something you want to verify. + * + * @warning For Ed25519, it is unsafe to use the same key for both prehashed and non-prehashed + * messages, at least without some very careful protocol-level disambiguation. For Ed448 it is + * safe. The C++ wrapper is designed to make it harder to screw this up, but this C code gives + * you no seat belt. + */ +decaf_error_t decaf_ed25519_verify_prehash ( + const uint8_t signature[DECAF_EDDSA_25519_SIGNATURE_BYTES], + const uint8_t pubkey[DECAF_EDDSA_25519_PUBLIC_BYTES], + const decaf_ed25519_prehash_ctx_t hash +#if DECAF_EDDSA_25519_SUPPORTS_CONTEXTS + , const uint8_t *context, + uint8_t context_len +#endif +) API_VIS __attribute__((nonnull(1,2))) NOINLINE; /** * @brief EdDSA point encoding. Used internally, exposed externally. diff --git a/src/GENERATED/include/decaf/ed255.hxx b/src/GENERATED/include/decaf/ed255.hxx index 592f5bc..aba868b 100644 --- a/src/GENERATED/include/decaf/ed255.hxx +++ b/src/GENERATED/include/decaf/ed255.hxx @@ -79,14 +79,12 @@ private: ) { throw LengthException(); } - - if (SUPPORTS_CONTEXTS) { - const char pfx[] = ""; - uint8_t dom[2] = {2, (uint8_t)context_.size() }; - update((const unsigned char*)pfx,strlen(pfx)); - update(dom,2); - update(context_); - } + +#if DECAF_EDDSA_25519_SUPPORTS_CONTEXTS + decaf_ed25519_prehash_init((decaf_sha512_ctx_s *)wrapped,context_.data(),context_.size()); +#else + decaf_ed25519_prehash_init(wrapped); +#endif } public: @@ -122,17 +120,13 @@ template class Signing; template class Signing { public: /* Sign a prehash context, and reset the context */ - inline SecureBuffer sign_prehashed ( Prehash &ph ) const /*throw(std::bad_alloc)*/ { + inline SecureBuffer sign_prehashed ( const Prehash &ph ) const /*throw(std::bad_alloc)*/ { SecureBuffer out(CRTP::SIG_BYTES); - FixedArrayBuffer tmp; - ph.final(tmp); - decaf_ed25519_sign ( + decaf_ed25519_sign_prehash ( out.data(), ((const CRTP*)this)->priv_.data(), ((const CRTP*)this)->pub_.data(), - tmp.data(), - tmp.size(), - 1 + (const decaf_ed25519_prehash_ctx_s*)ph.wrapped #if DECAF_EDDSA_25519_SUPPORTS_CONTEXTS , ph.context_.data(), ph.context_.size() @@ -324,19 +318,15 @@ public: template class Verification { public: - /* Verify a prehash context, and reset the context */ + /* Verify a prehash context. */ inline decaf_error_t WARN_UNUSED verify_prehashed_noexcept ( const FixedBlock &sig, - Prehash &ph + const Prehash &ph ) const /*NOEXCEPT*/ { - FixedArrayBuffer m; - ph.final(m); - return decaf_ed25519_verify ( + return decaf_ed25519_verify_prehash ( sig.data(), ((const CRTP*)this)->pub_.data(), - m.data(), - m.size(), - 1 + (const decaf_ed25519_prehash_ctx_s*)ph.wrapped #if DECAF_EDDSA_25519_SUPPORTS_CONTEXTS , ph.context_.data(), ph.context_.size() @@ -344,19 +334,15 @@ public: ); } - /* Verify a prehash context, and reset the context */ + /* Verify a prehash context. */ inline void verify_prehashed ( const FixedBlock &sig, - Prehash &ph + const Prehash &ph ) const /*throw(CryptoException)*/ { - FixedArrayBuffer m; - ph.final(m); - if (DECAF_SUCCESS != decaf_ed25519_verify ( + if (DECAF_SUCCESS != decaf_ed25519_verify_prehash ( sig.data(), ((const CRTP*)this)->pub_.data(), - m.data(), - m.size(), - 1 + (const decaf_ed25519_prehash_ctx_s*)ph.wrapped #if DECAF_EDDSA_25519_SUPPORTS_CONTEXTS , ph.context_.data(), ph.context_.size() diff --git a/src/GENERATED/include/decaf/ed448.h b/src/GENERATED/include/decaf/ed448.h index 379cbef..8c95ec9 100644 --- a/src/GENERATED/include/decaf/ed448.h +++ b/src/GENERATED/include/decaf/ed448.h @@ -16,6 +16,8 @@ #define __DECAF_ED448_H__ 1 #include +#include +#include #ifdef __cplusplus extern "C" { @@ -32,6 +34,12 @@ extern "C" { /** Does EdDSA support contexts? */ #define DECAF_EDDSA_448_SUPPORTS_CONTEXTS 1 + +/** Prehash context renaming macros. */ +#define decaf_ed448_prehash_ctx_s decaf_shake256_ctx_s +#define decaf_ed448_prehash_ctx_t decaf_shake256_ctx_t +#define decaf_ed448_prehash_update decaf_shake256_update +#define decaf_ed448_prehash_destroy decaf_shake256_destroy /** * @brief EdDSA key generation. This function uses a different (non-Decaf) @@ -75,6 +83,48 @@ void decaf_ed448_sign ( #endif ) API_VIS __attribute__((nonnull(1,2,3))) NOINLINE; +/** + * @brief EdDSA signing with prehash. + * + * @param [out] signature The signature. + * @param [in] privkey The private key. + * @param [in] pubkey The public key. + * @param [in] context A "context" for this signature of up to 255 bytes. Must be the same as what was used for the prehash. + * @param [in] context_len Length of the context. + * @param [in] hash The hash of the message. This object will not be modified by the call. + * @param [in] prehashed Nonzero if the message is actually the hash of something you want to sign. + * + * @warning For Ed25519, it is unsafe to use the same key for both prehashed and non-prehashed + * messages, at least without some very careful protocol-level disambiguation. For Ed448 it is + * safe. The C++ wrapper is designed to make it harder to screw this up, but this C code gives + * you no seat belt. + */ +void decaf_ed448_sign_prehash ( + uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES], + const uint8_t privkey[DECAF_EDDSA_448_PRIVATE_BYTES], + const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES], + const decaf_ed448_prehash_ctx_t hash +#if DECAF_EDDSA_448_SUPPORTS_CONTEXTS + , const uint8_t *context, + uint8_t context_len +#endif +) API_VIS __attribute__((nonnull(1,2,3,4))) NOINLINE; + +/** + * @brief Prehash initialization, with contexts if supported. + * + * @param [out] hash The hash object to be initialized. + * @param [in] context A "context" for this signature of up to 255 bytes. + * @param [in] context_len Length of the context. + */ +void decaf_ed448_prehash_init ( + decaf_ed448_prehash_ctx_t hash +#if DECAF_EDDSA_448_SUPPORTS_CONTEXTS + , const uint8_t *context, + uint8_t context_len +#endif +) API_VIS __attribute__((nonnull(1))) NOINLINE; + /** * @brief EdDSA signature verification. * @@ -105,7 +155,32 @@ decaf_error_t decaf_ed448_verify ( #endif ) API_VIS __attribute__((nonnull(1,2))) NOINLINE; - +/** + * @brief EdDSA signature verification. + * + * Uses the standard (i.e. less-strict) verification formula. + * + * @param [in] signature The signature. + * @param [in] pubkey The public key. + * @param [in] context A "context" for this signature of up to 255 bytes. Must be the same as what was used for the prehash. + * @param [in] context_len Length of the context. + * @param [in] hash The hash of the message. This object will not be modified by the call. + * @param [in] prehashed Nonzero if the message is actually the hash of something you want to verify. + * + * @warning For Ed25519, it is unsafe to use the same key for both prehashed and non-prehashed + * messages, at least without some very careful protocol-level disambiguation. For Ed448 it is + * safe. The C++ wrapper is designed to make it harder to screw this up, but this C code gives + * you no seat belt. + */ +decaf_error_t decaf_ed448_verify_prehash ( + const uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES], + const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES], + const decaf_ed448_prehash_ctx_t hash +#if DECAF_EDDSA_448_SUPPORTS_CONTEXTS + , const uint8_t *context, + uint8_t context_len +#endif +) API_VIS __attribute__((nonnull(1,2))) NOINLINE; /** * @brief EdDSA point encoding. Used internally, exposed externally. diff --git a/src/GENERATED/include/decaf/ed448.hxx b/src/GENERATED/include/decaf/ed448.hxx index 9fed302..e978516 100644 --- a/src/GENERATED/include/decaf/ed448.hxx +++ b/src/GENERATED/include/decaf/ed448.hxx @@ -77,14 +77,12 @@ private: ) { throw LengthException(); } - - if (SUPPORTS_CONTEXTS) { - const char pfx[] = "SigEd448"; - uint8_t dom[2] = {2, (uint8_t)context_.size() }; - update((const unsigned char*)pfx,strlen(pfx)); - update(dom,2); - update(context_); - } + +#if DECAF_EDDSA_448_SUPPORTS_CONTEXTS + decaf_ed448_prehash_init((decaf_shake256_ctx_s *)wrapped,context_.data(),context_.size()); +#else + decaf_ed448_prehash_init(wrapped); +#endif } public: @@ -120,17 +118,13 @@ template class Signing; template class Signing { public: /* Sign a prehash context, and reset the context */ - inline SecureBuffer sign_prehashed ( Prehash &ph ) const /*throw(std::bad_alloc)*/ { + inline SecureBuffer sign_prehashed ( const Prehash &ph ) const /*throw(std::bad_alloc)*/ { SecureBuffer out(CRTP::SIG_BYTES); - FixedArrayBuffer tmp; - ph.final(tmp); - decaf_ed448_sign ( + decaf_ed448_sign_prehash ( out.data(), ((const CRTP*)this)->priv_.data(), ((const CRTP*)this)->pub_.data(), - tmp.data(), - tmp.size(), - 1 + (const decaf_ed448_prehash_ctx_s*)ph.wrapped #if DECAF_EDDSA_448_SUPPORTS_CONTEXTS , ph.context_.data(), ph.context_.size() @@ -324,19 +318,15 @@ public: template class Verification { public: - /* Verify a prehash context, and reset the context */ + /* Verify a prehash context. */ inline decaf_error_t WARN_UNUSED verify_prehashed_noexcept ( const FixedBlock &sig, - Prehash &ph + const Prehash &ph ) const /*NOEXCEPT*/ { - FixedArrayBuffer m; - ph.final(m); - return decaf_ed448_verify ( + return decaf_ed448_verify_prehash ( sig.data(), ((const CRTP*)this)->pub_.data(), - m.data(), - m.size(), - 1 + (const decaf_ed448_prehash_ctx_s*)ph.wrapped #if DECAF_EDDSA_448_SUPPORTS_CONTEXTS , ph.context_.data(), ph.context_.size() @@ -344,19 +334,15 @@ public: ); } - /* Verify a prehash context, and reset the context */ + /* Verify a prehash context. */ inline void verify_prehashed ( const FixedBlock &sig, - Prehash &ph + const Prehash &ph ) const /*throw(CryptoException)*/ { - FixedArrayBuffer m; - ph.final(m); - if (DECAF_SUCCESS != decaf_ed448_verify ( + if (DECAF_SUCCESS != decaf_ed448_verify_prehash ( sig.data(), ((const CRTP*)this)->pub_.data(), - m.data(), - m.size(), - 1 + (const decaf_ed448_prehash_ctx_s*)ph.wrapped #if DECAF_EDDSA_448_SUPPORTS_CONTEXTS , ph.context_.data(), ph.context_.size() diff --git a/src/GENERATED/include/decaf/sha512.hxx b/src/GENERATED/include/decaf/sha512.hxx index 3545f3c..031e6bc 100644 --- a/src/GENERATED/include/decaf/sha512.hxx +++ b/src/GENERATED/include/decaf/sha512.hxx @@ -30,7 +30,7 @@ class SHA512 { protected: /** @cond internal */ /** The C-wrapper sponge state */ - decaf_sha512_ctx_t sha; + decaf_sha512_ctx_t wrapped; public: @@ -44,10 +44,10 @@ public: static const size_t DEFAULT_OUTPUT_BYTES = OUTPUT_BYTES; /** Constructor */ - inline SHA512() NOEXCEPT { decaf_sha512_init(sha); } + inline SHA512() NOEXCEPT { decaf_sha512_init(wrapped); } /** Add more data to running hash */ - inline void update(const uint8_t *__restrict__ in, size_t len) NOEXCEPT { decaf_sha512_update(sha,in,len); } + inline void update(const uint8_t *__restrict__ in, size_t len) NOEXCEPT { decaf_sha512_update(wrapped,in,len); } /** Add more data to running hash, C++ version. */ inline void update(const Block &s) NOEXCEPT { update(s.data(),s.size()); } @@ -61,17 +61,17 @@ public: /** @brief Output bytes from the SHA context, and resets it. */ inline void final(Buffer b) throw(LengthException) { if (b.size() > OUTPUT_BYTES) throw LengthException(); - decaf_sha512_final(sha,b.data(),b.size()); + decaf_sha512_final(wrapped,b.data(),b.size()); } /** Resets the SHA context */ - inline void reset() NOEXCEPT { decaf_sha512_init(sha); } + inline void reset() NOEXCEPT { decaf_sha512_init(wrapped); } /** @brief Output bytes from the sponge. */ inline SecureBuffer final(size_t len = OUTPUT_BYTES) throw(LengthException) { if (len > OUTPUT_BYTES) throw LengthException(); SecureBuffer buffer(len); - decaf_sha512_final(sha,buffer.data(),len); + decaf_sha512_final(wrapped,buffer.data(),len); return buffer; } @@ -93,7 +93,7 @@ public: } /** Destructor zeroizes state */ - inline ~SHA512() NOEXCEPT { decaf_sha512_destroy(sha); } + inline ~SHA512() NOEXCEPT { decaf_sha512_destroy(wrapped); } }; } /* namespace decaf */ diff --git a/src/GENERATED/include/decaf/shake.hxx b/src/GENERATED/include/decaf/shake.hxx index 804f841..1ea9c4a 100644 --- a/src/GENERATED/include/decaf/shake.hxx +++ b/src/GENERATED/include/decaf/shake.hxx @@ -35,18 +35,18 @@ class KeccakHash { protected: /** @cond internal */ /** The C-wrapper sponge state */ - decaf_keccak_sponge_t sp; + decaf_keccak_sponge_t wrapped; /** Initialize from parameters */ - inline KeccakHash(const decaf_kparams_s *params) NOEXCEPT { decaf_sponge_init(sp, params); } + inline KeccakHash(const decaf_kparams_s *params) NOEXCEPT { decaf_sponge_init(wrapped, params); } /** @endcond */ public: /** Add more data to running hash */ - inline void update(const uint8_t *__restrict__ in, size_t len) NOEXCEPT { decaf_sha3_update(sp,in,len); } + inline void update(const uint8_t *__restrict__ in, size_t len) NOEXCEPT { decaf_sha3_update(wrapped,in,len); } /** Add more data to running hash, C++ version. */ - inline void update(const Block &s) NOEXCEPT { decaf_sha3_update(sp,s.data(),s.size()); } + inline void update(const Block &s) NOEXCEPT { decaf_sha3_update(wrapped,s.data(),s.size()); } /** Add more data, stream version. */ inline KeccakHash &operator<<(const Block &s) NOEXCEPT { update(s); return *this; } @@ -58,7 +58,7 @@ public: inline SecureBuffer output(size_t len) throw(std::bad_alloc, LengthException) { if (len > max_output_size()) throw LengthException(); SecureBuffer buffer(len); - if (DECAF_SUCCESS != decaf_sha3_output(sp,buffer.data(),len)) { + if (DECAF_SUCCESS != decaf_sha3_output(wrapped,buffer.data(),len)) { throw LengthException(); } return buffer; @@ -68,7 +68,7 @@ public: inline SecureBuffer final(size_t len) throw(std::bad_alloc, LengthException) { if (len > max_output_size()) throw LengthException(); SecureBuffer buffer(len); - if (DECAF_SUCCESS != decaf_sha3_final(sp,buffer.data(),len)) { + if (DECAF_SUCCESS != decaf_sha3_final(wrapped,buffer.data(),len)) { throw LengthException(); } return buffer; @@ -78,7 +78,7 @@ public: * output too many bytes from a SHA-3 instance. */ inline void output(Buffer b) throw(LengthException) { - if (DECAF_SUCCESS != decaf_sha3_output(sp,b.data(),b.size())) { + if (DECAF_SUCCESS != decaf_sha3_output(wrapped,b.data(),b.size())) { throw LengthException(); } } @@ -87,19 +87,19 @@ public: * LengthException if you've output too many bytes from a SHA3 instance. */ inline void final(Buffer b) throw(LengthException) { - if (DECAF_SUCCESS != decaf_sha3_final(sp,b.data(),b.size())) { + if (DECAF_SUCCESS != decaf_sha3_final(wrapped,b.data(),b.size())) { throw LengthException(); } } /** @brief Return the sponge's default output size. */ inline size_t default_output_size() const NOEXCEPT { - return decaf_sponge_default_output_bytes(sp); + return decaf_sponge_default_output_bytes(wrapped); } /** @brief Return the sponge's maximum output size. */ inline size_t max_output_size() const NOEXCEPT { - return decaf_sponge_max_output_bytes(sp); + return decaf_sponge_max_output_bytes(wrapped); } /** Output the default number of bytes. */ @@ -113,10 +113,10 @@ public: } /** Reset the hash to the empty string */ - inline void reset() NOEXCEPT { decaf_sha3_reset(sp); } + inline void reset() NOEXCEPT { decaf_sha3_reset(wrapped); } /** Destructor zeroizes state */ - inline ~KeccakHash() NOEXCEPT { decaf_sponge_destroy(sp); } + inline ~KeccakHash() NOEXCEPT { decaf_sponge_destroy(wrapped); } }; /** Fixed-output-length SHA3 */ diff --git a/src/per_curve/eddsa.tmpl.c b/src/per_curve/eddsa.tmpl.c index 943cfde..cce6fd4 100644 --- a/src/per_curve/eddsa.tmpl.c +++ b/src/per_curve/eddsa.tmpl.c @@ -47,6 +47,7 @@ static void clamp ( static void hash_init_with_dom( hash_ctx_t hash, uint8_t prehashed, + uint8_t for_prehash, const uint8_t *context, uint8_t context_len ) { @@ -54,12 +55,13 @@ static void hash_init_with_dom( #if SUPPORTS_CONTEXTS const char *dom_s = "$(eddsa_dom)"; - const uint8_t dom[2] = {1+word_is_zero(prehashed), context_len}; + const uint8_t dom[2] = {2+word_is_zero(prehashed)+word_is_zero(for_prehash), context_len}; hash_update(hash,(const unsigned char *)dom_s, strlen(dom_s)); hash_update(hash,dom,2); hash_update(hash,context,context_len); #else (void)prehashed; + (void)for_prehash; (void)context; assert(context==NULL); (void)context_len; @@ -67,6 +69,20 @@ static void hash_init_with_dom( #endif } +void decaf_ed$(gf_shortname)_prehash_init ( + hash_ctx_t hash +#if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS + , const uint8_t *context, + uint8_t context_len +#endif +) { +#if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS + hash_init_with_dom(hash,1,1,context,context_len); +#else + hash_init_with_dom(hash,1,1,NULL,0); +#endif +} + void decaf_ed$(gf_shortname)_derive_public_key ( uint8_t pubkey[DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES], const uint8_t privkey[DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES] @@ -140,7 +156,7 @@ void decaf_ed$(gf_shortname)_sign ( API_NS(scalar_decode_long)(secret_scalar, expanded.secret_scalar_ser, sizeof(expanded.secret_scalar_ser)); /* Hash to create the nonce */ - hash_init_with_dom(hash,prehashed,context,context_len); + hash_init_with_dom(hash,prehashed,0,context,context_len); hash_update(hash,expanded.seed,sizeof(expanded.seed)); hash_update(hash,message,message_len); decaf_bzero(&expanded, sizeof(expanded)); @@ -174,7 +190,7 @@ void decaf_ed$(gf_shortname)_sign ( API_NS(scalar_t) challenge_scalar; { /* Compute the challenge */ - hash_init_with_dom(hash,prehashed,context,context_len); + hash_init_with_dom(hash,prehashed,0,context,context_len); hash_update(hash,nonce_point,sizeof(nonce_point)); hash_update(hash,pubkey,DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES); hash_update(hash,message,message_len); @@ -198,6 +214,33 @@ void decaf_ed$(gf_shortname)_sign ( } +void decaf_ed$(gf_shortname)_sign_prehash ( + uint8_t signature[DECAF_EDDSA_$(gf_shortname)_SIGNATURE_BYTES], + const uint8_t privkey[DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES], + const uint8_t pubkey[DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES], + const decaf_ed$(gf_shortname)_prehash_ctx_t hash +#if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS + , const uint8_t *context, + uint8_t context_len +#endif +) { + uint8_t hash_output[64]; /* MAGIC but true for all existing schemes */ + { + decaf_ed$(gf_shortname)_prehash_ctx_t hash_too; + memcpy(hash_too,hash,sizeof(hash_too)); + hash_final(hash_too,hash_output,sizeof(hash_output)); + hash_destroy(hash_too); + } + +#if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS + decaf_ed$(gf_shortname)_sign(signature,privkey,pubkey,hash_output,sizeof(hash_output),1,context,context_len); +#else + decaf_ed$(gf_shortname)_sign(signature,privkey,pubkey,hash_output,sizeof(hash_output),1); +#endif + + decaf_bzero(hash_output,sizeof(hash_output)); +} + decaf_error_t decaf_ed$(gf_shortname)_verify ( const uint8_t signature[DECAF_EDDSA_$(gf_shortname)_SIGNATURE_BYTES], const uint8_t pubkey[DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES], @@ -224,7 +267,7 @@ decaf_error_t decaf_ed$(gf_shortname)_verify ( { /* Compute the challenge */ hash_ctx_t hash; - hash_init_with_dom(hash,prehashed,context,context_len); + hash_init_with_dom(hash,prehashed,0,context,context_len); hash_update(hash,signature,DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES); hash_update(hash,pubkey,DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES); hash_update(hash,message,message_len); @@ -256,3 +299,32 @@ decaf_error_t decaf_ed$(gf_shortname)_verify ( ); return decaf_succeed_if(API_NS(point_eq(pk_point,r_point))); } + + +decaf_error_t decaf_ed$(gf_shortname)_verify_prehash ( + const uint8_t signature[DECAF_EDDSA_$(gf_shortname)_SIGNATURE_BYTES], + const uint8_t pubkey[DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES], + const decaf_ed$(gf_shortname)_prehash_ctx_t hash +#if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS + , const uint8_t *context, + uint8_t context_len +#endif +) { + decaf_error_t ret; + + uint8_t hash_output[64]; /* MAGIC but true for all existing schemes */ + { + decaf_ed$(gf_shortname)_prehash_ctx_t hash_too; + memcpy(hash_too,hash,sizeof(hash_too)); + hash_final(hash_too,hash_output,sizeof(hash_output)); + hash_destroy(hash_too); + } + +#if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS + ret = decaf_ed$(gf_shortname)_verify(signature,pubkey,hash_output,sizeof(hash_output),1,context,context_len); +#else + ret = decaf_ed$(gf_shortname)_verify(signature,pubkey,hash_output,sizeof(hash_output),1); +#endif + + return ret; +} diff --git a/src/per_curve/eddsa.tmpl.h b/src/per_curve/eddsa.tmpl.h index 5d3f94e..556a2a2 100644 --- a/src/per_curve/eddsa.tmpl.h +++ b/src/per_curve/eddsa.tmpl.h @@ -1,6 +1,8 @@ /** @brief A group of prime order p, based on $(iso_to). */ #include +#include +#include #ifdef __cplusplus extern "C" { @@ -17,6 +19,12 @@ extern "C" { /** Does EdDSA support contexts? */ #define DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS $(eddsa_supports_contexts) + +/** Prehash context renaming macros. */ +#define decaf_ed$(gf_shortname)_prehash_ctx_s decaf_$(eddsa_hash)_ctx_s +#define decaf_ed$(gf_shortname)_prehash_ctx_t decaf_$(eddsa_hash)_ctx_t +#define decaf_ed$(gf_shortname)_prehash_update decaf_$(eddsa_hash)_update +#define decaf_ed$(gf_shortname)_prehash_destroy decaf_$(eddsa_hash)_destroy /** * @brief EdDSA key generation. This function uses a different (non-Decaf) @@ -60,6 +68,48 @@ void decaf_ed$(gf_shortname)_sign ( #endif ) API_VIS __attribute__((nonnull(1,2,3))) NOINLINE; +/** + * @brief EdDSA signing with prehash. + * + * @param [out] signature The signature. + * @param [in] privkey The private key. + * @param [in] pubkey The public key. + * @param [in] context A "context" for this signature of up to 255 bytes. Must be the same as what was used for the prehash. + * @param [in] context_len Length of the context. + * @param [in] hash The hash of the message. This object will not be modified by the call. + * @param [in] prehashed Nonzero if the message is actually the hash of something you want to sign. + * + * @warning For Ed25519, it is unsafe to use the same key for both prehashed and non-prehashed + * messages, at least without some very careful protocol-level disambiguation. For Ed448 it is + * safe. The C++ wrapper is designed to make it harder to screw this up, but this C code gives + * you no seat belt. + */ +void decaf_ed$(gf_shortname)_sign_prehash ( + uint8_t signature[DECAF_EDDSA_$(gf_shortname)_SIGNATURE_BYTES], + const uint8_t privkey[DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES], + const uint8_t pubkey[DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES], + const decaf_ed$(gf_shortname)_prehash_ctx_t hash +#if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS + , const uint8_t *context, + uint8_t context_len +#endif +) API_VIS __attribute__((nonnull(1,2,3,4))) NOINLINE; + +/** + * @brief Prehash initialization, with contexts if supported. + * + * @param [out] hash The hash object to be initialized. + * @param [in] context A "context" for this signature of up to 255 bytes. + * @param [in] context_len Length of the context. + */ +void decaf_ed$(gf_shortname)_prehash_init ( + decaf_ed$(gf_shortname)_prehash_ctx_t hash +#if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS + , const uint8_t *context, + uint8_t context_len +#endif +) API_VIS __attribute__((nonnull(1))) NOINLINE; + /** * @brief EdDSA signature verification. * @@ -90,7 +140,32 @@ decaf_error_t decaf_ed$(gf_shortname)_verify ( #endif ) API_VIS __attribute__((nonnull(1,2))) NOINLINE; - +/** + * @brief EdDSA signature verification. + * + * Uses the standard (i.e. less-strict) verification formula. + * + * @param [in] signature The signature. + * @param [in] pubkey The public key. + * @param [in] context A "context" for this signature of up to 255 bytes. Must be the same as what was used for the prehash. + * @param [in] context_len Length of the context. + * @param [in] hash The hash of the message. This object will not be modified by the call. + * @param [in] prehashed Nonzero if the message is actually the hash of something you want to verify. + * + * @warning For Ed25519, it is unsafe to use the same key for both prehashed and non-prehashed + * messages, at least without some very careful protocol-level disambiguation. For Ed448 it is + * safe. The C++ wrapper is designed to make it harder to screw this up, but this C code gives + * you no seat belt. + */ +decaf_error_t decaf_ed$(gf_shortname)_verify_prehash ( + const uint8_t signature[DECAF_EDDSA_$(gf_shortname)_SIGNATURE_BYTES], + const uint8_t pubkey[DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES], + const decaf_ed$(gf_shortname)_prehash_ctx_t hash +#if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS + , const uint8_t *context, + uint8_t context_len +#endif +) API_VIS __attribute__((nonnull(1,2))) NOINLINE; /** * @brief EdDSA point encoding. Used internally, exposed externally. diff --git a/src/per_curve/eddsa.tmpl.hxx b/src/per_curve/eddsa.tmpl.hxx index f5743d6..b5af7bc 100644 --- a/src/per_curve/eddsa.tmpl.hxx +++ b/src/per_curve/eddsa.tmpl.hxx @@ -68,14 +68,12 @@ private: ) { throw LengthException(); } - - if (SUPPORTS_CONTEXTS) { - const char pfx[] = "$(eddsa_dom)"; - uint8_t dom[2] = {2, (uint8_t)context_.size() }; - update((const unsigned char*)pfx,strlen(pfx)); - update(dom,2); - update(context_); - } + +#if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS + decaf_ed$(gf_shortname)_prehash_init((decaf_$(eddsa_hash)_ctx_s *)wrapped,context_.data(),context_.size()); +#else + decaf_ed$(gf_shortname)_prehash_init(wrapped); +#endif } public: @@ -111,17 +109,13 @@ template class Signing; template class Signing { public: /* Sign a prehash context, and reset the context */ - inline SecureBuffer sign_prehashed ( Prehash &ph ) const /*throw(std::bad_alloc)*/ { + inline SecureBuffer sign_prehashed ( const Prehash &ph ) const /*throw(std::bad_alloc)*/ { SecureBuffer out(CRTP::SIG_BYTES); - FixedArrayBuffer tmp; - ph.final(tmp); - decaf_ed$(gf_shortname)_sign ( + decaf_ed$(gf_shortname)_sign_prehash ( out.data(), ((const CRTP*)this)->priv_.data(), ((const CRTP*)this)->pub_.data(), - tmp.data(), - tmp.size(), - 1 + (const decaf_ed$(gf_shortname)_prehash_ctx_s*)ph.wrapped #if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS , ph.context_.data(), ph.context_.size() @@ -326,19 +320,15 @@ public: template class Verification { public: - /* Verify a prehash context, and reset the context */ + /* Verify a prehash context. */ inline decaf_error_t WARN_UNUSED verify_prehashed_noexcept ( const FixedBlock &sig, - Prehash &ph + const Prehash &ph ) const /*NOEXCEPT*/ { - FixedArrayBuffer m; - ph.final(m); - return decaf_ed$(gf_shortname)_verify ( + return decaf_ed$(gf_shortname)_verify_prehash ( sig.data(), ((const CRTP*)this)->pub_.data(), - m.data(), - m.size(), - 1 + (const decaf_ed$(gf_shortname)_prehash_ctx_s*)ph.wrapped #if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS , ph.context_.data(), ph.context_.size() @@ -346,19 +336,15 @@ public: ); } - /* Verify a prehash context, and reset the context */ + /* Verify a prehash context. */ inline void verify_prehashed ( const FixedBlock &sig, - Prehash &ph + const Prehash &ph ) const /*throw(CryptoException)*/ { - FixedArrayBuffer m; - ph.final(m); - if (DECAF_SUCCESS != decaf_ed$(gf_shortname)_verify ( + if (DECAF_SUCCESS != decaf_ed$(gf_shortname)_verify_prehash ( sig.data(), ((const CRTP*)this)->pub_.data(), - m.data(), - m.size(), - 1 + (const decaf_ed$(gf_shortname)_prehash_ctx_s*)ph.wrapped #if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS , ph.context_.data(), ph.context_.size() diff --git a/src/public_include/decaf/sha512.hxx b/src/public_include/decaf/sha512.hxx index 3545f3c..031e6bc 100644 --- a/src/public_include/decaf/sha512.hxx +++ b/src/public_include/decaf/sha512.hxx @@ -30,7 +30,7 @@ class SHA512 { protected: /** @cond internal */ /** The C-wrapper sponge state */ - decaf_sha512_ctx_t sha; + decaf_sha512_ctx_t wrapped; public: @@ -44,10 +44,10 @@ public: static const size_t DEFAULT_OUTPUT_BYTES = OUTPUT_BYTES; /** Constructor */ - inline SHA512() NOEXCEPT { decaf_sha512_init(sha); } + inline SHA512() NOEXCEPT { decaf_sha512_init(wrapped); } /** Add more data to running hash */ - inline void update(const uint8_t *__restrict__ in, size_t len) NOEXCEPT { decaf_sha512_update(sha,in,len); } + inline void update(const uint8_t *__restrict__ in, size_t len) NOEXCEPT { decaf_sha512_update(wrapped,in,len); } /** Add more data to running hash, C++ version. */ inline void update(const Block &s) NOEXCEPT { update(s.data(),s.size()); } @@ -61,17 +61,17 @@ public: /** @brief Output bytes from the SHA context, and resets it. */ inline void final(Buffer b) throw(LengthException) { if (b.size() > OUTPUT_BYTES) throw LengthException(); - decaf_sha512_final(sha,b.data(),b.size()); + decaf_sha512_final(wrapped,b.data(),b.size()); } /** Resets the SHA context */ - inline void reset() NOEXCEPT { decaf_sha512_init(sha); } + inline void reset() NOEXCEPT { decaf_sha512_init(wrapped); } /** @brief Output bytes from the sponge. */ inline SecureBuffer final(size_t len = OUTPUT_BYTES) throw(LengthException) { if (len > OUTPUT_BYTES) throw LengthException(); SecureBuffer buffer(len); - decaf_sha512_final(sha,buffer.data(),len); + decaf_sha512_final(wrapped,buffer.data(),len); return buffer; } @@ -93,7 +93,7 @@ public: } /** Destructor zeroizes state */ - inline ~SHA512() NOEXCEPT { decaf_sha512_destroy(sha); } + inline ~SHA512() NOEXCEPT { decaf_sha512_destroy(wrapped); } }; } /* namespace decaf */ diff --git a/src/public_include/decaf/shake.hxx b/src/public_include/decaf/shake.hxx index 804f841..1ea9c4a 100644 --- a/src/public_include/decaf/shake.hxx +++ b/src/public_include/decaf/shake.hxx @@ -35,18 +35,18 @@ class KeccakHash { protected: /** @cond internal */ /** The C-wrapper sponge state */ - decaf_keccak_sponge_t sp; + decaf_keccak_sponge_t wrapped; /** Initialize from parameters */ - inline KeccakHash(const decaf_kparams_s *params) NOEXCEPT { decaf_sponge_init(sp, params); } + inline KeccakHash(const decaf_kparams_s *params) NOEXCEPT { decaf_sponge_init(wrapped, params); } /** @endcond */ public: /** Add more data to running hash */ - inline void update(const uint8_t *__restrict__ in, size_t len) NOEXCEPT { decaf_sha3_update(sp,in,len); } + inline void update(const uint8_t *__restrict__ in, size_t len) NOEXCEPT { decaf_sha3_update(wrapped,in,len); } /** Add more data to running hash, C++ version. */ - inline void update(const Block &s) NOEXCEPT { decaf_sha3_update(sp,s.data(),s.size()); } + inline void update(const Block &s) NOEXCEPT { decaf_sha3_update(wrapped,s.data(),s.size()); } /** Add more data, stream version. */ inline KeccakHash &operator<<(const Block &s) NOEXCEPT { update(s); return *this; } @@ -58,7 +58,7 @@ public: inline SecureBuffer output(size_t len) throw(std::bad_alloc, LengthException) { if (len > max_output_size()) throw LengthException(); SecureBuffer buffer(len); - if (DECAF_SUCCESS != decaf_sha3_output(sp,buffer.data(),len)) { + if (DECAF_SUCCESS != decaf_sha3_output(wrapped,buffer.data(),len)) { throw LengthException(); } return buffer; @@ -68,7 +68,7 @@ public: inline SecureBuffer final(size_t len) throw(std::bad_alloc, LengthException) { if (len > max_output_size()) throw LengthException(); SecureBuffer buffer(len); - if (DECAF_SUCCESS != decaf_sha3_final(sp,buffer.data(),len)) { + if (DECAF_SUCCESS != decaf_sha3_final(wrapped,buffer.data(),len)) { throw LengthException(); } return buffer; @@ -78,7 +78,7 @@ public: * output too many bytes from a SHA-3 instance. */ inline void output(Buffer b) throw(LengthException) { - if (DECAF_SUCCESS != decaf_sha3_output(sp,b.data(),b.size())) { + if (DECAF_SUCCESS != decaf_sha3_output(wrapped,b.data(),b.size())) { throw LengthException(); } } @@ -87,19 +87,19 @@ public: * LengthException if you've output too many bytes from a SHA3 instance. */ inline void final(Buffer b) throw(LengthException) { - if (DECAF_SUCCESS != decaf_sha3_final(sp,b.data(),b.size())) { + if (DECAF_SUCCESS != decaf_sha3_final(wrapped,b.data(),b.size())) { throw LengthException(); } } /** @brief Return the sponge's default output size. */ inline size_t default_output_size() const NOEXCEPT { - return decaf_sponge_default_output_bytes(sp); + return decaf_sponge_default_output_bytes(wrapped); } /** @brief Return the sponge's maximum output size. */ inline size_t max_output_size() const NOEXCEPT { - return decaf_sponge_max_output_bytes(sp); + return decaf_sponge_max_output_bytes(wrapped); } /** Output the default number of bytes. */ @@ -113,10 +113,10 @@ public: } /** Reset the hash to the empty string */ - inline void reset() NOEXCEPT { decaf_sha3_reset(sp); } + inline void reset() NOEXCEPT { decaf_sha3_reset(wrapped); } /** Destructor zeroizes state */ - inline ~KeccakHash() NOEXCEPT { decaf_sponge_destroy(sp); } + inline ~KeccakHash() NOEXCEPT { decaf_sponge_destroy(wrapped); } }; /** Fixed-output-length SHA3 */