mirror of
https://github.com/XTLS/REALITY.git
synced 2025-08-22 22:48:36 +00:00
3833e8e2cb
In the process, replace out-of-module imports with their FIPS versions. For #69536 Change-Id: I83e900b7c38ecf760382e5dca7fd0b1eaa5a5589 Reviewed-on: https://go-review.googlesource.com/c/go/+/626879 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Russ Cox <rsc@golang.org> Auto-Submit: Filippo Valsorda <filippo@golang.org> Reviewed-by: Daniel McCarney <daniel@binaryparadox.net> Reviewed-by: Michael Knyszek <mknyszek@google.com>
151 lines
4.6 KiB
Go
151 lines
4.6 KiB
Go
// Copyright 2014 The Go Authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style
|
|
// license that can be found in the LICENSE file.
|
|
|
|
package sha3
|
|
|
|
import (
|
|
"bytes"
|
|
//"crypto/internal/fips140"
|
|
"github.com/xtls/reality/byteorder"
|
|
"errors"
|
|
"math/bits"
|
|
)
|
|
|
|
type SHAKE struct {
|
|
d Digest // SHA-3 state context and Read/Write operations
|
|
|
|
// initBlock is the cSHAKE specific initialization set of bytes. It is initialized
|
|
// by newCShake function and stores concatenation of N followed by S, encoded
|
|
// by the method specified in 3.3 of [1].
|
|
// It is stored here in order for Reset() to be able to put context into
|
|
// initial state.
|
|
initBlock []byte
|
|
}
|
|
|
|
func bytepad(data []byte, rate int) []byte {
|
|
out := make([]byte, 0, 9+len(data)+rate-1)
|
|
out = append(out, leftEncode(uint64(rate))...)
|
|
out = append(out, data...)
|
|
if padlen := rate - len(out)%rate; padlen < rate {
|
|
out = append(out, make([]byte, padlen)...)
|
|
}
|
|
return out
|
|
}
|
|
|
|
func leftEncode(x uint64) []byte {
|
|
// Let n be the smallest positive integer for which 2^(8n) > x.
|
|
n := (bits.Len64(x) + 7) / 8
|
|
if n == 0 {
|
|
n = 1
|
|
}
|
|
// Return n || x with n as a byte and x an n bytes in big-endian order.
|
|
b := make([]byte, 9)
|
|
byteorder.BEPutUint64(b[1:], x)
|
|
b = b[9-n-1:]
|
|
b[0] = byte(n)
|
|
return b
|
|
}
|
|
|
|
func newCShake(N, S []byte, rate, outputLen int, dsbyte byte) *SHAKE {
|
|
c := &SHAKE{d: Digest{rate: rate, outputLen: outputLen, dsbyte: dsbyte}}
|
|
c.initBlock = make([]byte, 0, 9+len(N)+9+len(S)) // leftEncode returns max 9 bytes
|
|
c.initBlock = append(c.initBlock, leftEncode(uint64(len(N))*8)...)
|
|
c.initBlock = append(c.initBlock, N...)
|
|
c.initBlock = append(c.initBlock, leftEncode(uint64(len(S))*8)...)
|
|
c.initBlock = append(c.initBlock, S...)
|
|
c.Write(bytepad(c.initBlock, c.d.rate))
|
|
return c
|
|
}
|
|
|
|
func (s *SHAKE) BlockSize() int { return s.d.BlockSize() }
|
|
func (s *SHAKE) Size() int { return s.d.Size() }
|
|
|
|
// Sum appends a portion of output to b and returns the resulting slice. The
|
|
// output length is selected to provide full-strength generic security: 32 bytes
|
|
// for SHAKE128 and 64 bytes for SHAKE256. It does not change the underlying
|
|
// state. It panics if any output has already been read.
|
|
func (s *SHAKE) Sum(in []byte) []byte { return s.d.Sum(in) }
|
|
|
|
// Write absorbs more data into the hash's state.
|
|
// It panics if any output has already been read.
|
|
func (s *SHAKE) Write(p []byte) (n int, err error) { return s.d.Write(p) }
|
|
|
|
func (s *SHAKE) Read(out []byte) (n int, err error) {
|
|
//fips140.RecordApproved()
|
|
// Note that read is not exposed on Digest since SHA-3 does not offer
|
|
// variable output length. It is only used internally by Sum.
|
|
return s.d.read(out)
|
|
}
|
|
|
|
// Reset resets the hash to initial state.
|
|
func (s *SHAKE) Reset() {
|
|
s.d.Reset()
|
|
if len(s.initBlock) != 0 {
|
|
s.Write(bytepad(s.initBlock, s.d.rate))
|
|
}
|
|
}
|
|
|
|
// Clone returns a copy of the SHAKE context in its current state.
|
|
func (s *SHAKE) Clone() *SHAKE {
|
|
ret := *s
|
|
return &ret
|
|
}
|
|
|
|
func (s *SHAKE) MarshalBinary() ([]byte, error) {
|
|
return s.AppendBinary(make([]byte, 0, marshaledSize+len(s.initBlock)))
|
|
}
|
|
|
|
func (s *SHAKE) AppendBinary(b []byte) ([]byte, error) {
|
|
b, err := s.d.AppendBinary(b)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
b = append(b, s.initBlock...)
|
|
return b, nil
|
|
}
|
|
|
|
func (s *SHAKE) UnmarshalBinary(b []byte) error {
|
|
if len(b) < marshaledSize {
|
|
return errors.New("sha3: invalid hash state")
|
|
}
|
|
if err := s.d.UnmarshalBinary(b[:marshaledSize]); err != nil {
|
|
return err
|
|
}
|
|
s.initBlock = bytes.Clone(b[marshaledSize:])
|
|
return nil
|
|
}
|
|
|
|
// NewShake128 creates a new SHAKE128 XOF.
|
|
func NewShake128() *SHAKE {
|
|
return &SHAKE{d: Digest{rate: rateK256, outputLen: 32, dsbyte: dsbyteShake}}
|
|
}
|
|
|
|
// NewShake256 creates a new SHAKE256 XOF.
|
|
func NewShake256() *SHAKE {
|
|
return &SHAKE{d: Digest{rate: rateK512, outputLen: 64, dsbyte: dsbyteShake}}
|
|
}
|
|
|
|
// NewCShake128 creates a new cSHAKE128 XOF.
|
|
//
|
|
// N is used to define functions based on cSHAKE, it can be empty when plain
|
|
// cSHAKE is desired. S is a customization byte string used for domain
|
|
// separation. When N and S are both empty, this is equivalent to NewShake128.
|
|
func NewCShake128(N, S []byte) *SHAKE {
|
|
if len(N) == 0 && len(S) == 0 {
|
|
return NewShake128()
|
|
}
|
|
return newCShake(N, S, rateK256, 32, dsbyteCShake)
|
|
}
|
|
|
|
// NewCShake256 creates a new cSHAKE256 XOF.
|
|
//
|
|
// N is used to define functions based on cSHAKE, it can be empty when plain
|
|
// cSHAKE is desired. S is a customization byte string used for domain
|
|
// separation. When N and S are both empty, this is equivalent to NewShake256.
|
|
func NewCShake256(N, S []byte) *SHAKE {
|
|
if len(N) == 0 && len(S) == 0 {
|
|
return NewShake256()
|
|
}
|
|
return newCShake(N, S, rateK512, 64, dsbyteCShake)
|
|
} |