diff options
| author | Mattias Andrée <maandree@operamail.com> | 2014-11-15 07:23:51 +0100 |
|---|---|---|
| committer | Mattias Andrée <maandree@operamail.com> | 2014-11-15 07:23:51 +0100 |
| commit | 1494075ac1eae554b613fed2547c561c2d4d28f9 (patch) | |
| tree | f4433a68ae8ca9427ad195efd0dea64309490e19 /src | |
| parent | fix makefile (diff) | |
| download | autopasswd-1494075ac1eae554b613fed2547c561c2d4d28f9.tar.gz autopasswd-1494075ac1eae554b613fed2547c561c2d4d28f9.tar.bz2 autopasswd-1494075ac1eae554b613fed2547c561c2d4d28f9.tar.xz | |
rewrite to use libkeccak2
Signed-off-by: Mattias Andrée <maandree@operamail.com>
Diffstat (limited to 'src')
| -rw-r--r-- | src/autopasswd.c | 799 | ||||
| -rw-r--r-- | src/sha3.c | 859 | ||||
| -rw-r--r-- | src/sha3.h | 115 |
3 files changed, 359 insertions, 1414 deletions
diff --git a/src/autopasswd.c b/src/autopasswd.c index d954024..c82f475 100644 --- a/src/autopasswd.c +++ b/src/autopasswd.c @@ -23,8 +23,7 @@ #include <passphrase.h> #include <argparser.h> - -#include "sha3.h" +#include <libkeccak.h> @@ -46,44 +45,24 @@ /** * The radix 64 characters (66 characters), the two last ones are for padding */ -#ifndef BASE64 -# define BASE64 "0123456789qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM,.-=" -#endif +#define BASE64 "0123456789qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM,.-=" /** * The number of squeezes to do at bump level zero */ -#ifndef KECCAK_SQUEEZES -# define KECCAK_SQUEEZES 300000 -#endif - -/** - * The default output parameter for the Keccak sponge - */ -#ifndef KECCAK_OUTPUT -# define KECCAK_OUTPUT 512 -#endif - -/** - * The default state size parameter for the Keccak sponge - */ -#ifndef KECCAK_STATE_SIZE -# define KECCAK_STATE_SIZE 1600 -#endif +#define DEFAULT_SQUEEZES 300000 /** * The number of addition squeezes to perform per bump level */ -#ifndef BUMP_LEVEL_MULTIPLIER -# define BUMP_LEVEL_MULTIPLIER 5000 -#endif +#define BUMP_LEVEL_MULTIPLIER 5000 /** - * The bitrate parameter for the Keccak sponge when hashing master passphrase + * The rate parameter for the Keccak sponge when hashing master passphrase */ -#ifndef MASTER_PASSPHRASE_KECCAK_BITRATE -# define MASTER_PASSPHRASE_KECCAK_BITRATE 576 +#ifndef MASTER_PASSPHRASE_KECCAK_RATE +# define MASTER_PASSPHRASE_KECCAK_RATE 576 #endif /** @@ -107,99 +86,123 @@ # define MASTER_PASSPHRASE_KECCAK_SQUEEZES 10000 #endif + + +#define USER_ERROR(string) \ + (fprintf(stderr, "%s: %s.\n", execname, string), 1) + +#define ADD(arg, desc, ...) \ + (arg ? args_add_option(args_new_argumented(NULL, arg, 0, __VA_ARGS__, NULL), desc) \ + : args_add_option(args_new_argumentless(NULL, 0, __VA_ARGS__, NULL), desc)) + +#define LAST(arg) \ + (args_opts_get(arg)[args_opts_get_count(arg) - 1]) + +#define t(expr) if ((r = (expr))) goto fail + +#define xfree(s) (free(s), s = NULL) + + + /** - * The hexadecimal alphabet + * `argv[0]` from `main` */ -#ifndef HEXADECA -# define HEXADECA "0123456789abcdef" -#endif +static char* execname; -static char* last_arg(char* arg) +/** + * Convert `libkeccak_generalised_spec_t` to `libkeccak_spec_t` and check for errors + * + * @param gspec See `libkeccak_degeneralise_spec` + * @param spec See `libkeccak_degeneralise_spec` + * @return Zero on success, an appropriate exit value on error + */ +static int make_spec(libkeccak_generalised_spec_t* gspec, libkeccak_spec_t* spec) { - return *(args_opts_get(arg) + (args_opts_get_count(arg) - 1)); + int r; + +#define TEST(CASE, STR) case LIBKECCAK_GENERALISED_SPEC_ERROR_##CASE: return USER_ERROR(STR) + if (r = libkeccak_degeneralise_spec(gspec, spec), r) + switch (r) + { + TEST (STATE_NONPOSITIVE, "the state size must be positive"); + TEST (STATE_TOO_LARGE, "the state size is too large, may not exceed 1600"); + TEST (STATE_MOD_25, "the state size must be a multiple of 25"); + TEST (WORD_NONPOSITIVE, "the word size must be positive"); + TEST (WORD_TOO_LARGE, "the word size is too large, may not exceed 64"); + TEST (STATE_WORD_INCOHERENCY, "the state size must be exactly 25 times the word size"); + TEST (CAPACITY_NONPOSITIVE, "the capacity must be positive"); + TEST (CAPACITY_MOD_8, "the capacity must be a multiple of 8"); + TEST (BITRATE_NONPOSITIVE, "the rate must be positive"); + TEST (BITRATE_MOD_8, "the rate must be a multiple of 8"); + TEST (OUTPUT_NONPOSITIVE, "the output size must be positive"); + default: + return USER_ERROR("unknown error in algorithm parameters"); + } +#undef TEST + +#define TEST(CASE, STR) case LIBKECCAK_SPEC_ERROR_##CASE: return USER_ERROR(STR) + if (r = libkeccak_spec_check(spec), r) + switch (r) + { + TEST (BITRATE_NONPOSITIVE, "the rate size must be positive"); + TEST (BITRATE_MOD_8, "the rate must be a multiple of 8"); + TEST (CAPACITY_NONPOSITIVE, "the capacity must be positive"); + TEST (CAPACITY_MOD_8, "the capacity must be a multiple of 8"); + TEST (OUTPUT_NONPOSITIVE, "the output size must be positive"); + TEST (STATE_TOO_LARGE, "the state size is too large, may not exceed 1600"); + TEST (STATE_MOD_25, "the state size must be a multiple of 25"); + TEST (WORD_NON_2_POTENT, "the word size must be a power of 2"); + TEST (WORD_MOD_8, "the word size must be a multiple of 8"); + default: + return USER_ERROR("unknown error in algorithm parameters"); + } +#undef TEST + + return 0; } /** - * Here we go! + * Parse the command line arguments + * + * @param argc The number of command line argumnets + * @param argv Command line argumnets + * @param gspec Output parameter for the algorithm parameters, must already be initialised + * @param squeezes Output parameter for the number of squeezes to perform, must already have default value + * @param bump_level Output parameter for the bump level, must already be zero + * @param clear_mode Output parameter for the clear mode setting, must already be zero + * @param verbose Output parameter for the verbosity setting, must already be zero + * @return Zero on success, an appropriate exit value on error, however -1 if + * the program should exit with value zero */ -int main(int argc, char** argv) +static int parse_cmdline(int argc, char* argv[], libkeccak_generalised_spec_t* gspec, + long* squeezes, long* bump_level, int* clear_mode, int* verbose) { - size_t site_size = 64; - long bump_level = 0; - int clear_mode = 0; - int verbose_mode = 0; - long keccak_output_ = KECCAK_OUTPUT; - long keccak_state_size_ = KECCAK_STATE_SIZE; - long keccak_capacity_ = keccak_state_size_ - (keccak_output_ << 1); - long keccak_bitrate_ = keccak_state_size_ - keccak_capacity_; - long keccak_squeezes = KECCAK_SQUEEZES; - int output__ = 0; - int state_size__ = 0; - int capacity__ = 0; - int bitrate__ = 0; - int word_size__ = 0; - int squeezes__ = 0; - long output_, keccak_output; - long state_size_, keccak_state_size; - long capacity_, keccak_capacity; - long bitrate_, keccak_bitrate; - long word_size_, keccak_word_size; - long squeezes_; - byte* site; - char* passphrase; - byte* passphrase_hash; - int_fast8_t* digest; - char* base64; - size_t ptr64; - size_t ptr; - char* master_passphrase_hash; - size_t passphrase_n; - size_t site_n; - - - /* Parse command line arguments. */ args_init("Reproducable password generator", "autopasswd [options...]", - "TODO", 0, 1, 0, args_standard_abbreviations); + NULL, NULL, 1, 0, args_standard_abbreviations); - args_add_option(args_new_argumentless(NULL, 0, "-h", "-?", "--help", NULL), - "Display this help message"); - args_add_option(args_new_argumentless(NULL, 0, "+c", "--copyright", "--copying", NULL), - "Display copyright information"); - args_add_option(args_new_argumentless(NULL, 0, "+w", "--warranty", NULL), - "Display warranty disclaimer"); - args_add_option(args_new_argumentless(NULL, 0, "-v", "--verbose", NULL), - "Display extra information"); - args_add_option(args_new_argumented(NULL, "INT", 0, "-b", "--bump-level", NULL), - "Select bump level, can contain + or - to perform accumulated adjustment"); - args_add_option(args_new_argumentless(NULL, 0, "-c", "--clear-mode", NULL), - "Do not hide the output, but rather make it ease to pass into another program\n" - "Use twice to suppress terminal line break"); - args_add_option(args_new_argumented(NULL, "INT", 0, "-O", "--output", NULL), - "Select output parameter for Keccak sponge"); - args_add_option(args_new_argumented(NULL, "INT", 0, "-S", "--state-size", NULL), - "Select state size parameter for Keccak sponge"); - args_add_option(args_new_argumented(NULL, "INT", 0, "-C", "--capacity", NULL), - "Select capacity parameter for Keccak sponge"); - args_add_option(args_new_argumented(NULL, "INT", 0, "-R", "--rate", "--bitrate", NULL), - "Select bitrate parameter for Keccak sponge"); - args_add_option(args_new_argumented(NULL, "INT", 0, "-W", "--word-size", NULL), - "Select word size parameter for Keccak sponge"); - args_add_option(args_new_argumented(NULL, "INT", 0, "-Z", "--squeezes", NULL), - "Select the number squeezes performe on the Keccak sponge at bump level zero"); + ADD(NULL, "Display option summary", "-h", "-?", "--help"); + ADD(NULL, "Display copyright information", "+c", "--copyright", "--copying"); + ADD(NULL, "Display warranty disclaimer", "+w", "--warranty"); + ADD(NULL, "Display extra information", "-v", "--verbose"); + ADD(NULL, "Do not hide the output, but rather make it ease to pass into another program\n" + "Use twice to suppress terminal line break", "-c", "--clear-mode"); + ADD("LEVEL", "Select bump level, can contain + or - to perform accumulated adjustment", + "-b", "--bump-level"); + ADD("RATE", "Select rate parameter for Keccak sponge", "-R", "--bitrate", "--rate"); + ADD("CAPACITY", "Select capacity parameter for Keccak sponge", "-C", "--capacity"); + ADD("SIZE", "Select output parameter for Keccak sponge", "-N", "-O", "--output-size", "--output"); + ADD("SIZE", "Select state size parameter for Keccak sponge", "-S", "-B", "--state-size", "--state"); + ADD("SIZE", "Select word size parameter for Keccak sponge", "-W", "--word-size", "--word"); + ADD("COUNT", "Select the number squeezes performed on the Keccak sponge at bump level zero", + "-Z", "--squeezes"); args_parse(argc, argv); - args_support_alternatives(); - if (args_opts_used("--help")) - { - args_help(); - args_dispose(); - return 0; - } - if (args_opts_used("--copyright")) + if (args_opts_used("-h")) return args_help(0), args_dispose(), -1; + if (args_opts_used("+c")) { printf("autopasswd – Reproducable password generator\n"); printf("\n"); @@ -218,393 +221,309 @@ int main(int argc, char** argv) printf("You should have received a copy of the GNU Affero General Public License\n"); printf("along with this program. If not, see <http://www.gnu.org/licenses/>.\n"); args_dispose(); - return 0; + return -1; } - if (args_opts_used("--warranty")) + if (args_opts_used("+w")) { printf("This program is distributed in the hope that it will be useful,\n"); printf("but WITHOUT ANY WARRANTY; without even the implied warranty of\n"); printf("MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n"); printf("GNU Affero General Public License for more details.\n"); args_dispose(); - return 0; + return -1; } - if (args_opts_used("--clear-mode")) - { - clear_mode = (int)args_opts_get_count("--clear-mode"); - } - if (args_opts_used("--verbose")) - { - verbose_mode = 1; - } - if (args_opts_used("--bump-level")) + + if (args_opts_used("-R")) gspec->bitrate = atol(LAST("-R")); + if (args_opts_used("-C")) gspec->capacity = atol(LAST("-C")); + if (args_opts_used("-N")) gspec->output = atol(LAST("-N")); + if (args_opts_used("-S")) gspec->state_size = atol(LAST("-S")); + if (args_opts_used("-W")) gspec->word_size = atol(LAST("-W")); + if (args_opts_used("-Z")) *squeezes = atol(LAST("-Z")); + if (args_opts_used("-v")) *verbose = 1; + if (args_opts_used("-c")) *clear_mode = (int)args_opts_get_count("-c"); + if (args_opts_used("-b")) { - size_t n = (size_t)args_opts_get_count("--bump-level"); - char** arr = args_opts_get("--bump-level"); + size_t i, n = (size_t)args_opts_get_count("-b"); + char** arr = args_opts_get("-b"); char* arg; - for (ptr = 0; ptr < n; ptr++) - if ((arg = *(arr + ptr))) + for (i = 0; i < n; i++) + if ((arg = arr[i])) switch (*arg) { - case 0: - break; - case '+': - bump_level += atol(arg + 1); - break; - case '-': - bump_level -= atol(arg + 1); - break; - default: - bump_level = atol(arg); - break; + case 0: break; + case '+': *bump_level += atol(arg + 1); break; + case '-': *bump_level -= atol(arg + 1); break; + default: *bump_level = atol(arg); break; } } - if (args_opts_used("--output")) - { - output__ = 1; - output_ = atol(last_arg("--output")); - } - if (args_opts_used("--state-size")) - { - state_size__ = 1; - state_size_ = atol(last_arg("--state-size")); - } - if (args_opts_used("--capacity")) - { - capacity__ = 1; - capacity_ = atol(last_arg("--capacity")); - } - if (args_opts_used("--bitrate")) - { - bitrate__ = 1; - bitrate_ = atol(last_arg("--bitrate")); - } - if (args_opts_used("--word-size")) - { - word_size__ = 1; - word_size_ = atol(last_arg("--word-size")); - } - if (args_opts_used("--squeezes")) - { - squeezes__ = 1; - squeezes_ = atol(last_arg("--squeezes")); - } args_dispose(); + return 0; +} + + +/** + * Hash, and display, master passphrase so to hint + * the user whether it as typed correctly or not + * (important when creating a passphrase) + * + * @param passphrase The master passphrase + * @return Zero on success, an appropriate exit value on error + */ +static int hash_master_passphrase(const char* passphrase) +{ +#define SQUEEZES MASTER_PASSPHRASE_KECCAK_SQUEEZES + libkeccak_spec_t spec; + libkeccak_state_t state; + char hashsum[MASTER_PASSPHRASE_KECCAK_OUTPUT / 8]; + char hexsum[MASTER_PASSPHRASE_KECCAK_OUTPUT / 4 + 1]; - /* Get Keccak sponge parameters. */ - if (squeezes__) - { - keccak_squeezes = squeezes_; - if (keccak_squeezes == 0) - { - fprintf(stderr, "%s: do you really want your passphrase included in plain text?", *argv); - return 1; - } - else if (keccak_squeezes < 1) - { - fprintf(stderr, "%s: the squeeze count must be positive.", *argv); - return 1; - } - } - if (state_size__) - { - keccak_state_size = state_size_; - if ((keccak_state_size <= 0) || (keccak_state_size > 1600) || (keccak_state_size % 25)) - { - fprintf(stderr, "%s: the state size must be a positive multiple of 25 and is limited to 1600.", *argv); - return 1; - } - } - if (word_size__) - { - keccak_word_size = word_size_; - if ((keccak_word_size <= 0) || (keccak_word_size > 64)) - { - fprintf(stderr, "%s: the word size must be positive and is limited to 64.", *argv); - return 1; - } - if (state_size__ && (keccak_state_size != keccak_word_size * 25)) - { - fprintf(stderr, "%s: the state size must be 25 times of the word size.", *argv); - return 1; - } - else if (state_size__ == 0) - { - state_size__ = 1; - keccak_state_size = keccak_word_size * 25; - } - } - if (capacity__) - { - keccak_capacity = capacity_; - if ((keccak_capacity <= 0) || (keccak_capacity & 7)) - { - fprintf(stderr, "%s: the capacity must be a positive multiple of 8.", *argv); - return 1; - } - } - if (bitrate__) - { - keccak_bitrate = bitrate_; - if ((keccak_bitrate <= 0) || (keccak_bitrate & 7)) - { - fprintf(stderr, "%s: the bitrate must be a positive multiple of 8.", *argv); - return 1; - } - } - if (output__) - { - keccak_output = output_; - if (keccak_output <= 0) - { - fprintf(stderr, "%s: the output size must be positive.", *argv); - return 1; - } - } - if ((bitrate__ | capacity__ | output__) == 0) /* state_size? */ - { - keccak_state_size = state_size__ ? keccak_state_size : keccak_state_size_; - keccak_output = (((keccak_state_size << 5) / 100 + 7) >> 3) << 3; - keccak_bitrate = keccak_output << 1; - keccak_capacity = keccak_state_size - keccak_bitrate; - keccak_output = keccak_output < 8 ? 8 : keccak_output; - } - else if ((bitrate__ | capacity__) == 0) /* !output state_size? */ - { - keccak_bitrate = keccak_bitrate_; - keccak_capacity = keccak_capacity_; - keccak_state_size = state_size__ ? keccak_state_size : (keccak_bitrate + keccak_capacity); - } - else if (bitrate__ == 0) /* !bitrate output? state_size? */ - { - keccak_state_size = state_size__ ? keccak_state_size : keccak_state_size_; - keccak_bitrate = keccak_state_size - keccak_capacity; - keccak_output = output__ ? keccak_output : (keccak_capacity == 8 ? 8 : (keccak_capacity << 1)); - } - else if (capacity__ == 0) /* !bitrate output? state_size? */ - { - keccak_state_size = state_size__ ? keccak_state_size : keccak_state_size_; - keccak_capacity = keccak_state_size - keccak_bitrate; - keccak_output = output__ ? keccak_output : (keccak_capacity == 8 ? 8 : (keccak_capacity << 1)); - } - else /* !bitrate !capacity output? state_size? */ - { - keccak_state_size = state_size__ ? keccak_state_size : (keccak_bitrate + keccak_capacity); - keccak_output = output__ ? keccak_output : (keccak_capacity == 8 ? 8 : (keccak_capacity << 1)); - } - if (keccak_bitrate > keccak_state_size) - { - fprintf(stderr, "%s: the bitrate must not be higher than the state size.", *argv); - return 1; - } - if (keccak_capacity > keccak_state_size) - { - fprintf(stderr, "%s: the capacity must not be higher than the state size.", *argv); - return 1; - } - if (keccak_bitrate + keccak_capacity != keccak_state_size) - { - fprintf(stderr, "%s: the sum of the bitrate and the capacity must equal the state size.", *argv); - return 1; - } - keccak_squeezes += bump_level * BUMP_LEVEL_MULTIPLIER; - if (keccak_squeezes < 1) - { - fprintf(stderr, "%s: bump level is too low.", *argv); - return 1; - } - keccak_word_size = keccak_state_size / 25; + spec.bitrate = MASTER_PASSPHRASE_KECCAK_RATE; + spec.capacity = MASTER_PASSPHRASE_KECCAK_CAPACITY; + spec.output = MASTER_PASSPHRASE_KECCAK_OUTPUT; - /* Display verbose information. */ - if (verbose_mode) - { - fprintf(stderr, "Bump level: %li\n", bump_level); - fprintf(stderr, "Bitrate: %li\n", keccak_bitrate); - fprintf(stderr, "Capacity: %li\n", keccak_capacity); - fprintf(stderr, "Word size: %li\n", keccak_word_size); - fprintf(stderr, "State size: %li\n", keccak_state_size); - fprintf(stderr, "Output size: %li\n", keccak_output); - fprintf(stderr, "Squeezes (excluding bump level): %li\n", - keccak_squeezes - bump_level * BUMP_LEVEL_MULTIPLIER); - fprintf(stderr, "Squeezes (including bump level): %li\n", keccak_squeezes); - } + if (libkeccak_spec_check(&spec) || (SQUEEZES <= 0)) + return USER_ERROR("bad master passhprase hashing parameters, " + "please recompile autopasswd with with proper " + "values on MASTER_PASSPHRASE_KECCAK_RATE, " + "MASTER_PASSPHRASE_KECCAK_CAPACITY, " + "MASTER_PASSPHRASE_KECCAK_OUTPUT and " + "MASTER_PASSPHRASE_KECCAK_SQUEEZES"); + + if (libkeccak_state_initialise(&state, &spec)) + return perror(execname), 2; + + if (libkeccak_digest(&state, passphrase, strlen(passphrase), 0, NULL, SQUEEZES == 1 ? hashsum : NULL)) + return perror(execname), libkeccak_state_destroy(&state), 2; + if (SQUEEZES > 2) libkeccak_fast_squeeze(&state, SQUEEZES - 2); + if (SQUEEZES > 1) libkeccak_squeeze(&state, hashsum); + + libkeccak_state_destroy(&state); + + libkeccak_behex_lower(hexsum, hashsum, sizeof(hashsum) / sizeof(char)); + fprintf(stderr, "%s: master passphrase hash: %s\n", execname, hexsum); + + return 0; +#undef SQUEEZES +} + + +/** + * Ask the user for the site + * + * @param site Output parameter for the site + * @return Zero on success, an appropriate exit value on error + */ +static int get_site(char** site) +{ + size_t size = 64; + size_t ptr = 0; + char* buf = malloc(size * sizeof(char)); + if (buf == NULL) + return perror(execname), 2; - /* Read site. */ - site = malloc(site_size * sizeof(byte)); - if (site == NULL) - { - perror(*argv); - passphrase_disable_echo(); - return 1; - } fprintf(stderr, "%s", SITE_PROMPT_STRING); fflush(stderr); - for (site_n = 0;;) + + for (;;) { int c = getchar(); - if (site_n == site_size) + if (ptr == size) { - site = realloc(site, (site_size <<= 1) * sizeof(byte)); - if (site == NULL) - { - perror(*argv); - passphrase_disable_echo(); - return 1; - } + char* new = realloc(buf, (size <<= 1) * sizeof(char)); + if (new == NULL) + return perror(execname), free(buf), 2; } - if (c == -1) - { - free(site); - passphrase_disable_echo(); - return 0; - } - if (c == '\n') + if ((c < 0) || (c == '\n')) break; - *(site + site_n++) = (byte)c; + buf[ptr++] = (char)c; } - /* Disable echoing. (Should be done as soon as possible after reading site.) */ - passphrase_disable_echo(); - - /* Initialise Keccak sponge. */ - sha3_initialise(MASTER_PASSPHRASE_KECCAK_BITRATE, - MASTER_PASSPHRASE_KECCAK_CAPACITY, - MASTER_PASSPHRASE_KECCAK_OUTPUT); - - /* Read passphrease. */ - fprintf(stderr, "%s", PASSPHRASE_PROMPT_STRING); - fflush(stderr); - passphrase = passphrase_read(); - if (passphrase == NULL) + if (ptr == size) { - perror(*argv); - passphrase_reenable_echo(); - sha3_dispose(); - free(site); - return 1; + char* new = realloc(buf, (size += 1) * sizeof(char)); + if (new == NULL) + return perror(execname), free(buf), 2; } + buf[ptr] = '\0'; - /* Reset terminal settings. */ + *site = buf; + return 0; +} + + +/** + * Ask the user for the master passphrase + * + * @param passphrase Output parameter for the passphrase + * @return Zero on success, an appropriate exit value on error + */ +static int get_master_passphrase(char** passphrase) +{ + passphrase_disable_echo(); + fprintf(stderr, "%s", PASSPHRASE_PROMPT_STRING); + fflush(stderr); + *passphrase = passphrase_read(); + if (*passphrase == NULL) + perror(execname); passphrase_reenable_echo(); + return *passphrase ? 0 : 2; +} + + +/** + * Hash the master password hash and site into a password + * + * @param spec Hashing parameters + * @param squeezes The number of squeezes to perform + * @param passphrase The master passphrase + * @param site The site + * @param hash Output paramter for the raw password + * @return Zero on success, an appropriate exit value on error + */ +static int calculate_raw_password(const libkeccak_spec_t* spec, long squeezes, + const char* passphrase, const char* site, char** hash) +{ + libkeccak_state_t state; + char* hashsum = NULL; - /* Measure passphrase length. */ - passphrase_n = strlen(passphrase); - - /* Translate password to sha3.h friendly format. */ - passphrase_hash = malloc((passphrase_n + 1) * sizeof(byte)); - if (passphrase_hash == NULL) - { - perror(*argv); - memset(passphrase, 0, passphrase_n * sizeof(char)); - free(passphrase); - return 1; - } - else - { - for (ptr = 0; ptr < passphrase_n + 1; ptr++) - *(passphrase_hash + ptr) = (byte)*(passphrase + ptr); - /* Wipe source password, however it is not yet secure to free it. (Should be done as sone as possible.) */ - memset(passphrase, 0, passphrase_n * sizeof(char)); - } - - /* Hash and display master passphrase so hint the user whether it as typed correctly or not. */ - master_passphrase_hash = malloc((MASTER_PASSPHRASE_KECCAK_OUTPUT * 2 + 1) * sizeof(char)); - if (master_passphrase_hash == NULL) - { - perror(*argv); - memset(passphrase_hash, 0, passphrase_n * sizeof(byte)); - free(passphrase_hash); - free(passphrase); - return 1; - } - digest = sha3_digest(passphrase_hash, (long)passphrase_n, MASTER_PASSPHRASE_KECCAK_SQUEEZES == 1); - if (MASTER_PASSPHRASE_KECCAK_SQUEEZES > 2) - sha3_fastSqueeze(MASTER_PASSPHRASE_KECCAK_SQUEEZES - 2); - if (MASTER_PASSPHRASE_KECCAK_SQUEEZES > 1) - digest = sha3_squeeze(); - for (ptr = 0; ptr < (MASTER_PASSPHRASE_KECCAK_OUTPUT + 7) / 8; ptr++) - { - uint8_t v = (uint8_t)*(digest + ptr); - *(master_passphrase_hash + ptr * 2 + 0) = HEXADECA[(v >> 4) & 15]; - *(master_passphrase_hash + ptr * 2 + 1) = HEXADECA[(v >> 0) & 15]; - } - *(master_passphrase_hash + ptr * 2) = 0; - fprintf(stderr, "%s: master passphrase hash: %s\n", *argv, master_passphrase_hash); + if (libkeccak_state_initialise(&state, spec)) + return perror(execname), 2; - /* Reinitialise Keccak sponge. */ - sha3_dispose(); - sha3_initialise(keccak_bitrate, keccak_capacity, keccak_output); + if (hashsum = malloc((size_t)(spec->output / 8) * sizeof(char)), hashsum == NULL) + goto fail; - /* Add passphrase to Keccak sponge input. */ - sha3_update(passphrase_hash, (long)passphrase_n); + if (libkeccak_update(&state, passphrase, strlen(passphrase))) + goto fail; + if (libkeccak_digest(&state, site, strlen(site), 0, NULL, squeezes == 1 ? hashsum : NULL)) + goto fail; + if (squeezes > 2) libkeccak_fast_squeeze(&state, squeezes - 2); + if (squeezes > 1) libkeccak_squeeze(&state, hashsum); - /* Clear passphrase from memory. (Should be done as sone as possible.) */ - memset(passphrase, 0, passphrase_n * sizeof(char)); - free(passphrase_hash); - free(passphrase); + libkeccak_state_destroy(&state); + *hash = hashsum; + return 0; + fail: + perror(execname); + free(hashsum); + libkeccak_state_destroy(&state); + return 2; +} + + +/** + * base64-encode the password + * + * @param raw The password + * @param length The length of the pasword + * @param base64 Output parameter for the base64-encoded password + * @return Zero on success, an appropriate exit value on error + */ +static int encode_base64(const char* raw, size_t length, char** base64) +{ + size_t ptr, ptr64, out_length = ((length + 2) / 3) * 4 + 2; + char* buf = malloc(out_length * sizeof(char)); - /* Add site to Keccak sponge input. */ - free(digest); /* (Should be done after wiping passphrase.) */ - free(master_passphrase_hash); /* (Should be done after wiping passphrase.) */ - digest = sha3_digest(site, (long)site_n, keccak_squeezes == 1); + if (*base64 = buf, buf == NULL) + return perror(execname), 2; - /* Release resources. */ - free(site); + for (ptr = ptr64 = 0; ptr < length; ptr64 += 4) + { + uint8_t a = (uint8_t)(ptr < length ? raw[ptr++] : 0); + uint8_t b = (uint8_t)(ptr < length ? raw[ptr++] : 0); + uint8_t c = (uint8_t)(ptr < length ? raw[ptr++] : 0); + + uint32_t abc = ((uint32_t)a << 16) | ((uint32_t)b << 8) | ((uint32_t)c << 0); + + buf[ptr64 | 0] = BASE64[(abc >> (3 * 6)) & 63]; + buf[ptr64 | 1] = BASE64[(abc >> (2 * 6)) & 63]; + buf[ptr64 | 2] = BASE64[(abc >> (1 * 6)) & 63]; + buf[ptr64 | 3] = BASE64[(abc >> (0 * 6)) & 63]; + } + if (length % 3 == 1) buf[ptr64++] = BASE64[64]; + if (length % 3 == 2) buf[ptr64++] = BASE64[65]; + buf[ptr64++] = '\0'; - /* Squeeze that sponge. */ - if (keccak_squeezes > 2) - sha3_fastSqueeze(keccak_squeezes - 2); - if (keccak_squeezes > 1) - digest = sha3_squeeze(); + return 0; +} + + +/** + * Here we go! + * + * @param argc The number of command line argumnets + * @param argv Command line argumnets + * @return Zero on success, 1 on user error, 2 on system error + */ +int main(int argc, char* argv[]) +{ + int r, verbose = 0, clear_mode = 0; + libkeccak_generalised_spec_t gspec; + libkeccak_spec_t spec; + long squeezes = DEFAULT_SQUEEZES, bump_level = 0; + char* site = NULL; + char* passphrase = NULL; + char* raw_password = NULL; + char* base64 = NULL; - /* Release resources. */ - sha3_dispose(); + libkeccak_generalised_spec_initialise(&gspec); + execname = *argv; - /* Encode with base64 (no invalid character, shorter than hexadecimal.) */ - base64 = malloc((4 * (((((size_t)keccak_output + 7) / 8) + 2) / 3) + 2) * sizeof(char)); - if (base64 == NULL) + t (parse_cmdline(argc, argv, &gspec, &squeezes, &bump_level, &clear_mode, &verbose)); + t (make_spec(&gspec, &spec)); + if (squeezes <= 0) { - perror(*argv); - free(digest); - free(base64); + r = USER_ERROR("the squeeze count most be positive"); + goto fail; } - for (ptr = ptr64 = 0; ptr < (size_t)((keccak_output + 7) / 8); ptr64 += 4) + + squeezes += bump_level * BUMP_LEVEL_MULTIPLIER; + + if (verbose) { - uint8_t a = (uint8_t)(ptr < (size_t)((keccak_output + 7) / 8) ? digest[ptr++] : 0); - uint8_t b = (uint8_t)(ptr < (size_t)((keccak_output + 7) / 8) ? digest[ptr++] : 0); - uint8_t c = (uint8_t)(ptr < (size_t)((keccak_output + 7) / 8) ? digest[ptr++] : 0); - - uint32_t abc = ((uint32_t)a << 16) | ((uint32_t)b << 8) | ((uint32_t)c << 0); - - base64[ptr64 | 0] = BASE64[(abc >> (3 * 6)) & 63]; - base64[ptr64 | 1] = BASE64[(abc >> (2 * 6)) & 63]; - base64[ptr64 | 2] = BASE64[(abc >> (1 * 6)) & 63]; - base64[ptr64 | 3] = BASE64[(abc >> (0 * 6)) & 63]; + fprintf(stderr, "bump level: %li\n", bump_level); + fprintf(stderr, "rate: %li\n", gspec.bitrate); + fprintf(stderr, "capacity: %li\n", gspec.capacity); + fprintf(stderr, "output size: %li\n", gspec.output); + fprintf(stderr, "state size: %li\n", gspec.state_size); + fprintf(stderr, "word size: %li\n", gspec.word_size); + fprintf(stderr, "squeezes after bump level: %li\n", squeezes); + fprintf(stderr, "squeezes before bump level: %li\n", + squeezes - bump_level * BUMP_LEVEL_MULTIPLIER); } - if ((((keccak_output + 7) / 8) % 3) == 1) base64[ptr64++] = BASE64[64]; - if ((((keccak_output + 7) / 8) % 3) == 2) base64[ptr64++] = BASE64[65]; - base64[ptr64++] = 0; - /* Display verbose information. */ - if (verbose_mode) + t (get_site(&site)); + t (get_master_passphrase(&passphrase)); + t (hash_master_passphrase(passphrase)); + + t (calculate_raw_password(&spec, squeezes, passphrase, site, &raw_password)); + passphrase_wipe(passphrase, strlen(passphrase)); + xfree(passphrase); + xfree(site); + + t (encode_base64(raw_password, (size_t)(spec.output / 8), &base64)); + xfree(raw_password); + + if (verbose) { - fprintf(stderr, "Password length (before base64): %li\n", (keccak_output + 7) / 8); - fprintf(stderr, "Password length (after base64): %li\n", strlen(base64)); + fprintf(stderr, "password length before base64: %li\n", spec.output / 8); + fprintf(stderr, "password length after base64: %li\n", strlen(base64)); } - /* Print generated password. */ - if (clear_mode > 1) - printf("%s", base64); - else if (clear_mode) - printf("%s\n", base64); - else - printf("\033[00m>\033[00;30;40m%s\033[00m<\n", base64); + if (clear_mode > 1) printf("%s", base64); + else if (clear_mode) printf("%s\n", base64); + else printf("\033[00m>\033[08;30;40m%s\033[00m<\n", base64); - /* Release resources. */ - free(digest); free(base64); - return 0; + + fail: + if (passphrase) + passphrase_wipe(passphrase, strlen(passphrase)); + free(passphrase); + free(site); + free(raw_password); + free(base64); + return r < 0 ? 0 : r; } diff --git a/src/sha3.c b/src/sha3.c deleted file mode 100644 index ce35f38..0000000 --- a/src/sha3.c +++ /dev/null @@ -1,859 +0,0 @@ -/** - * sha3sum – SHA-3 (Keccak) checksum calculator - * - * Copyright © 2013, 2014 Mattias Andrée (maandree@member.fsf.org) - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - */ -#include "sha3.h" - - -#ifdef WITH_C99 -# define static_inline static inline -#else -# define static_inline inline -#endif - -#ifdef WITH_THREADLOCAL -# define threadlocal __thread - /* This is compiler dependent, if your compiler does - * not support this you need to define __thread yourself. */ -#else -# define threadlocal /* no threading support */ -#endif - -#define null 0 -#define true 1 -#define false 0 - - - -/** - * Round contants - */ -#ifdef WITH_C99 -static const llong RC[] = { - 0x0000000000000001LL, 0x0000000000008082LL, 0x800000000000808ALL, 0x8000000080008000LL, - 0x000000000000808BLL, 0x0000000080000001LL, 0x8000000080008081LL, 0x8000000000008009LL, - 0x000000000000008ALL, 0x0000000000000088LL, 0x0000000080008009LL, 0x000000008000000ALL, - 0x000000008000808BLL, 0x800000000000008BLL, 0x8000000000008089LL, 0x8000000000008003LL, - 0x8000000000008002LL, 0x8000000000000080LL, 0x000000000000800ALL, 0x800000008000000ALL, - 0x8000000080008081LL, 0x8000000000008080LL, 0x0000000080000001LL, 0x8000000080008008LL}; -#else -static const llong RC[] = { - 0x0000000000000001L, 0x0000000000008082L, 0x800000000000808AL, 0x8000000080008000L, - 0x000000000000808BL, 0x0000000080000001L, 0x8000000080008081L, 0x8000000000008009L, - 0x000000000000008AL, 0x0000000000000088L, 0x0000000080008009L, 0x000000008000000AL, - 0x000000008000808BL, 0x800000000000008BL, 0x8000000000008089L, 0x8000000000008003L, - 0x8000000000008002L, 0x8000000000000080L, 0x000000000000800AL, 0x800000008000000AL, - 0x8000000080008081L, 0x8000000000008080L, 0x0000000080000001L, 0x8000000080008008L}; -#endif - -/** - * Keccak-f round temporary - */ -static threadlocal llong B[25]; - -/** - * Keccak-f round temporary - */ -static threadlocal llong C[5]; - - -/** - * The bitrate - */ -static threadlocal long r = 0; - -/** - * The capacity - */ -static threadlocal long c = 0; - -/** - * The output size - */ -static threadlocal long n = 0; - -/** - * The state size - */ -static threadlocal long b = 0; - -/** - * The word size - */ -static threadlocal long w = 0; - -/** - * The word mask - */ -static threadlocal llong wmod = 0; - -/** - * ℓ, the binary logarithm of the word size - */ -static threadlocal long l = 0; - -/** - * 12 + 2ℓ, the number of rounds - */ -static threadlocal long nr = 0; - - -/** - * The current state - */ -static threadlocal llong* S = null; - -/** - * Left over water to fill the sponge with at next update - */ -static threadlocal byte* M = null; - -/** - * Pointer for {@link #M} - */ -static threadlocal long mptr = 0; - -/** - * Size of {@link #M} - */ -static threadlocal long mlen = 0; - - - -/** - * Gets the smallest, in value, of the arguments - * - * @param X The first candidate - * @param Y The second candidate - * @return The lowest candidate - */ -#define min(X, Y) ((X) < (Y) ? (X) : (Y)) - - - -/** - * Copy an array segment into an array in start to end order - * - * @param src The source array - * @param soff The source array offset - * @param dest The destination array - * @param doff The destination array offset - * @param length The number of elements to copy - */ -static_inline void sha3_arraycopy(byte* src, long soff, byte* dest, long doff, long length) -{ - long i; - src += soff; - dest += doff; - - #define __(X) dest[X] = src[X] - #define __0 *dest = *src - #define __1 __(0x01) - #define __2 __(0x02); __(0x03) - #define __3 __(0x04); __(0x05); __(0x06); __(0x07) - #define __4 __(0x08); __(0x09); __(0x0A); __(0x0B); __(0x0C); __(0x0D); __(0x0E); __(0x0F) - #define __5 __(0x10); __(0x11); __(0x12); __(0x13); __(0x14); __(0x15); __(0x16); __(0x17); __(0x18); __(0x19); __(0x1A); __(0x1B); __(0x1C); __(0x1D); __(0x1E); __(0x1F) - #define __6 __(0x20); __(0x21); __(0x22); __(0x23); __(0x24); __(0x25); __(0x26); __(0x27); __(0x28); __(0x29); __(0x2A); __(0x2B); __(0x2C); __(0x2D); __(0x2E); __(0x2F); \ - __(0x30); __(0x31); __(0x32); __(0x33); __(0x34); __(0x35); __(0x36); __(0x37); __(0x38); __(0x39); __(0x3A); __(0x3B); __(0x3C); __(0x3D); __(0x3E); __(0x3F) - #define __7 __(0x40); __(0x41); __(0x42); __(0x43); __(0x44); __(0x45); __(0x46); __(0x47); __(0x48); __(0x49); __(0x4A); __(0x4B); __(0x4C); __(0x4D); __(0x4E); __(0x4F); \ - __(0x50); __(0x51); __(0x52); __(0x53); __(0x54); __(0x55); __(0x56); __(0x57); __(0x58); __(0x59); __(0x5A); __(0x5B); __(0x5C); __(0x5D); __(0x5E); __(0x5F); \ - __(0x60); __(0x61); __(0x62); __(0x63); __(0x64); __(0x65); __(0x66); __(0x67); __(0x68); __(0x69); __(0x6A); __(0x6B); __(0x6C); __(0x6D); __(0x6E); __(0x6F); \ - __(0x70); __(0x71); __(0x72); __(0x73); __(0x74); __(0x75); __(0x76); __(0x77); __(0x78); __(0x79); __(0x7A); __(0x7B); __(0x7C); __(0x7D); __(0x7E); __(0x7F) - #define __8 __(0x80); __(0x81); __(0x82); __(0x83); __(0x84); __(0x85); __(0x86); __(0x87); __(0x88); __(0x89); __(0x8A); __(0x8B); __(0x8C); __(0x8D); __(0x8E); __(0x8F); \ - __(0x90); __(0x91); __(0x92); __(0x93); __(0x94); __(0x95); __(0x96); __(0x97); __(0x98); __(0x99); __(0x9A); __(0x9B); __(0x9C); __(0x9D); __(0x9E); __(0x9F); \ - __(0xA0); __(0xA1); __(0xA2); __(0xA3); __(0xA4); __(0xA5); __(0xA6); __(0xA7); __(0xA8); __(0xA9); __(0xAA); __(0xAB); __(0xAC); __(0xAD); __(0xAE); __(0xAF); \ - __(0xB0); __(0xB1); __(0xB2); __(0xB3); __(0xB4); __(0xB5); __(0xB6); __(0xB7); __(0xB8); __(0xB9); __(0xBA); __(0xBB); __(0xBC); __(0xBD); __(0xBE); __(0xBF); \ - __(0xC0); __(0xC1); __(0xC2); __(0xC3); __(0xC4); __(0xC5); __(0xC6); __(0xC7); __(0xC8); __(0xC9); __(0xCA); __(0xCB); __(0xCC); __(0xCD); __(0xCE); __(0xCF); \ - __(0xD0); __(0xD1); __(0xD2); __(0xD3); __(0xD4); __(0xD5); __(0xD6); __(0xD7); __(0xD8); __(0xD9); __(0xDA); __(0xDB); __(0xDC); __(0xDD); __(0xDE); __(0xDF); \ - __(0xE0); __(0xE1); __(0xE2); __(0xE3); __(0xE4); __(0xE5); __(0xE6); __(0xE7); __(0xE8); __(0xE9); __(0xEA); __(0xEB); __(0xEC); __(0xED); __(0xEE); __(0xEF); \ - __(0xF0); __(0xF1); __(0xF2); __(0xF3); __(0xF4); __(0xF5); __(0xF6); __(0xF7); __(0xF8); __(0xF9); __(0xFA); __(0xFB); __(0xFC); __(0xFD); __(0xFE); __(0xFF) - - if ((length & 15)) - { - if ((length & 1)) { __0; src += 1; dest += 1; } - if ((length & 2)) { __0; __1; src += 2; dest += 2; } - if ((length & 4)) { __0; __1; __2; src += 4; dest += 4; } - if ((length & 8)) { __0; __1; __2; __3; src += 8; dest += 8; } - } - if ((length & 240)) - { - if ((length & 16)) { __0; __1; __2; __3; __4; src += 16; dest += 16; } - if ((length & 32)) { __0; __1; __2; __3; __4; __5; src += 32; dest += 32; } - if ((length & 64)) { __0; __1; __2; __3; __4; __5; __6; src += 64; dest += 64; } - if ((length & 128)) { __0; __1; __2; __3; __4; __5; __6; __7; src += 128; dest += 128; } - } - length &= ~255; - for (i = 0; i < length; i += 256) - { - __0; __1; __2; __3; __4; __5; __6; __7; __8; src += 256; dest += 256; - } - - #undef __8 - #undef __7 - #undef __6 - #undef __5 - #undef __4 - #undef __3 - #undef __2 - #undef __1 - #undef __0 - #undef __ -} - - -/** - * Copy an array segment into an array in end to start order - * - * @param src The source array - * @param soff The source array offset - * @param dest The destination array - * @param doff The destination array offset - * @param length The number of elements to copy - */ -static_inline void sha3_revarraycopy(byte* src, long soff, byte* dest, long doff, long length) -{ - long copyi; - for (copyi = length - 1; copyi >= 0; copyi--) - dest[copyi + doff] = src[copyi + soff]; -} - - -/** - * Rotate a word - * - * @param X:llong The value to rotate - * @param N:long Rotation steps, may not be 0 - * @return :llong The value rotated - */ -#define rotate(X, N) ((((X) >> (w - ((N) % w))) + ((X) << ((N) % w))) & wmod) - - -/** - * Rotate a 64-bit word - * - * @param X:llong The value to rotate - * @param N:long Rotation steps, may not be 0 - * @return :llong The value rotated - */ -#define rotate64(X, N) ((llong)((ullong)(X) >> (64 - (N))) + ((X) << (N))) - - -/** - * Binary logarithm - * - * @param x The value of which to calculate the binary logarithm - * @return The binary logarithm - */ -static_inline long sha3_lb(long x) -{ - long rc = 0; - if ((x & 0xFF00) != 0) { rc += 8; x >>= 8; } - if ((x & 0x00F0) != 0) { rc += 4; x >>= 4; } - if ((x & 0x000C) != 0) { rc += 2; x >>= 2; } - if ((x & 0x0002) != 0) rc += 1; - return rc; -} - - -/** - * Perform one round of computation - * - * @param A The current state - * @param rc Round constant - */ -static void sha3_keccakFRound(llong* restrict_ A, llong rc) -{ - llong da, db, dc, dd, de; - - /* θ step (step 1 and 2 of 3) */ - #define __C(I, J0, J1, J2, J3, J4) C[I] = (A[J0] ^ A[J1]) ^ (A[J2] ^ A[J3]) ^ A[J4] - __C(0, 0, 1, 2, 3, 4); - __C(1, 5, 6, 7, 8, 9); - __C(2, 10, 11, 12, 13, 14); - __C(3, 15, 16, 17, 18, 19); - __C(4, 20, 21, 22, 23, 24); - #undef __C - - da = C[4] ^ rotate64(C[1], 1); - dd = C[2] ^ rotate64(C[4], 1); - db = C[0] ^ rotate64(C[2], 1); - de = C[3] ^ rotate64(C[0], 1); - dc = C[1] ^ rotate64(C[3], 1); - - if (w == 64) - { - /* ρ and π steps, with last two part of θ */ - #define __B(Bi, Ai, Dv, R) B[Bi] = rotate64(A[Ai] ^ Dv, R) - B[0] = A[0] ^ da; __B( 1, 15, dd, 28); __B( 2, 5, db, 1); __B( 3, 20, de, 27); __B( 4, 10, dc, 62); - __B( 5, 6, db, 44); __B( 6, 21, de, 20); __B( 7, 11, dc, 6); __B( 8, 1, da, 36); __B( 9, 16, dd, 55); - __B(10, 12, dc, 43); __B(11, 2, da, 3); __B(12, 17, dd, 25); __B(13, 7, db, 10); __B(14, 22, de, 39); - __B(15, 18, dd, 21); __B(16, 8, db, 45); __B(17, 23, de, 8); __B(18, 13, dc, 15); __B(19, 3, da, 41); - __B(20, 24, de, 14); __B(21, 14, dc, 61); __B(22, 4, da, 18); __B(23, 19, dd, 56); __B(24, 9, db, 2); - #undef __B - } - else - { - /* ρ and π steps, with last two part of θ */ - #define __B(Bi, Ai, Dv, R) B[Bi] = rotate(A[Ai] ^ Dv, R) - B[0] = A[0] ^ da; __B( 1, 15, dd, 28); __B( 2, 5, db, 1); __B( 3, 20, de, 27); __B( 4, 10, dc, 62); - __B( 5, 6, db, 44); __B( 6, 21, de, 20); __B( 7, 11, dc, 6); __B( 8, 1, da, 36); __B( 9, 16, dd, 55); - __B(10, 12, dc, 43); __B(11, 2, da, 3); __B(12, 17, dd, 25); __B(13, 7, db, 10); __B(14, 22, de, 39); - __B(15, 18, dd, 21); __B(16, 8, db, 45); __B(17, 23, de, 8); __B(18, 13, dc, 15); __B(19, 3, da, 41); - __B(20, 24, de, 14); __B(21, 14, dc, 61); __B(22, 4, da, 18); __B(23, 19, dd, 56); __B(24, 9, db, 2); - #undef __B - } - - /* ξ step */ - #define __A(X, X5, X10) A[X] = B[X] ^ ((~(B[X5])) & B[X10]) - __A( 0, 5, 10); __A( 1, 6, 11); __A( 2, 7, 12); __A( 3, 8, 13); __A( 4, 9, 14); - __A( 5, 10, 15); __A( 6, 11, 16); __A( 7, 12, 17); __A( 8, 13, 18); __A( 9, 14, 19); - __A(10, 15, 20); __A(11, 16, 21); __A(12, 17, 22); __A(13, 18, 23); __A(14, 19, 24); - __A(15, 20, 0); __A(16, 21, 1); __A(17, 22, 2); __A(18, 23, 3); __A(19, 24, 4); - __A(20, 0, 5); __A(21, 1, 6); __A(22, 2, 7); __A(23, 3, 8); __A(24, 4, 9); - #undef __A - - /* ι step */ - A[0] ^= rc; -} - - -/** - * Perform Keccak-f function - * - * @param A The current state - */ -static void sha3_keccakF(llong* restrict_ A) -{ - long i; - if (nr == 24) - { - sha3_keccakFRound(A, 0x0000000000000001); - sha3_keccakFRound(A, 0x0000000000008082); - sha3_keccakFRound(A, 0x800000000000808A); - sha3_keccakFRound(A, 0x8000000080008000); - sha3_keccakFRound(A, 0x000000000000808B); - sha3_keccakFRound(A, 0x0000000080000001); - sha3_keccakFRound(A, 0x8000000080008081); - sha3_keccakFRound(A, 0x8000000000008009); - sha3_keccakFRound(A, 0x000000000000008A); - sha3_keccakFRound(A, 0x0000000000000088); - sha3_keccakFRound(A, 0x0000000080008009); - sha3_keccakFRound(A, 0x000000008000000A); - sha3_keccakFRound(A, 0x000000008000808B); - sha3_keccakFRound(A, 0x800000000000008B); - sha3_keccakFRound(A, 0x8000000000008089); - sha3_keccakFRound(A, 0x8000000000008003); - sha3_keccakFRound(A, 0x8000000000008002); - sha3_keccakFRound(A, 0x8000000000000080); - sha3_keccakFRound(A, 0x000000000000800A); - sha3_keccakFRound(A, 0x800000008000000A); - sha3_keccakFRound(A, 0x8000000080008081); - sha3_keccakFRound(A, 0x8000000000008080); - sha3_keccakFRound(A, 0x0000000080000001); - sha3_keccakFRound(A, 0x8000000080008008); - } - else - for (i = 0; i < nr; i++) - sha3_keccakFRound(A, RC[i] & wmod); -} - - -/** - * Convert a chunk of byte:s to a word - * - * @param message The message - * @param msglen The length of the message - * @param rr Bitrate in bytes - * @param ww Word size in bytes - * @param off The offset in the message - * @return Lane - */ -static_inline llong sha3_toLane(byte* restrict_ message, long msglen, long rr, long ww, long off) -{ - llong rc = 0; - long n = min(msglen, rr), i; - for (i = off + ww - 1; i >= off; i--) - rc = (rc << 8) | ((i < n) ? (llong)(message[i] & 255) : 0L); - return rc; -} - - -/** - * Convert a chunk of byte:s to a 64-bit word - * - * @param message The message - * @param msglen The length of the message - * @param rr Bitrate in bytes - * @param off The offset in the message - * @return Lane - */ -static_inline llong sha3_toLane64(byte* restrict_ message, long msglen, long rr, long off) -{ - long n = min(msglen, rr); - return ((off + 7 < n) ? ((llong)(message[off + 7] & 255) << 56) : 0L) | - ((off + 6 < n) ? ((llong)(message[off + 6] & 255) << 48) : 0L) | - ((off + 5 < n) ? ((llong)(message[off + 5] & 255) << 40) : 0L) | - ((off + 4 < n) ? ((llong)(message[off + 4] & 255) << 32) : 0L) | - ((off + 3 < n) ? ((llong)(message[off + 3] & 255) << 24) : 0L) | - ((off + 2 < n) ? ((llong)(message[off + 2] & 255) << 16) : 0L) | - ((off + 1 < n) ? ((llong)(message[off + 1] & 255) << 8) : 0L) | - ((off < n) ? ((llong)(message[off ] & 255) ) : 0L); -} - - -/** - * pad 10*1 - * - * @param msg The message to pad - * @param len The length of the message - * @param r The bitrate - * @param outlen The length of the padded message (out parameter) - * @return The message padded - */ -static_inline byte* sha3_pad10star1(byte* restrict_ msg, long len, long r, long* restrict_ outlen) -{ - byte* message; - - long nrf = (len <<= 3) >> 3; - long nbrf = len & 7; - long ll = len % r; - long i; - - byte b = (byte)(nbrf == 0 ? 1 : ((msg[nrf] >> (8 - nbrf)) | (1 << nbrf))); - - if ((r - 8 <= ll) && (ll <= r - 2)) - { - message = (byte*)malloc((len = nrf + 1) * sizeof(byte)); - message[nrf] = (byte)(b ^ 128); - } - else - { - byte* M; - long N; - len = (nrf + 1) << 3; - len = ((len - (len % r) + (r - 8)) >> 3) + 1; - message = (byte*)malloc(len * sizeof(byte)); - message[nrf] = b; - N = len - nrf - 1; - M = message + nrf + 1; - - #define __(X) M[X] = 0 - #define __0 *M = 0 - #define __1 __(0x01) - #define __2 __(0x02); __(0x03) - #define __3 __(0x04); __(0x05); __(0x06); __(0x07) - #define __4 __(0x08); __(0x09); __(0x0A); __(0x0B); __(0x0C); __(0x0D); __(0x0E); __(0x0F) - #define __5 __(0x10); __(0x11); __(0x12); __(0x13); __(0x14); __(0x15); __(0x16); __(0x17); __(0x18); __(0x19); __(0x1A); __(0x1B); __(0x1C); __(0x1D); __(0x1E); __(0x1F) - #define __6 __(0x20); __(0x21); __(0x22); __(0x23); __(0x24); __(0x25); __(0x26); __(0x27); __(0x28); __(0x29); __(0x2A); __(0x2B); __(0x2C); __(0x2D); __(0x2E); __(0x2F); \ - __(0x30); __(0x31); __(0x32); __(0x33); __(0x34); __(0x35); __(0x36); __(0x37); __(0x38); __(0x39); __(0x3A); __(0x3B); __(0x3C); __(0x3D); __(0x3E); __(0x3F) - #define __7 __(0x40); __(0x41); __(0x42); __(0x43); __(0x44); __(0x45); __(0x46); __(0x47); __(0x48); __(0x49); __(0x4A); __(0x4B); __(0x4C); __(0x4D); __(0x4E); __(0x4F); \ - __(0x50); __(0x51); __(0x52); __(0x53); __(0x54); __(0x55); __(0x56); __(0x57); __(0x58); __(0x59); __(0x5A); __(0x5B); __(0x5C); __(0x5D); __(0x5E); __(0x5F); \ - __(0x60); __(0x61); __(0x62); __(0x63); __(0x64); __(0x65); __(0x66); __(0x67); __(0x68); __(0x69); __(0x6A); __(0x6B); __(0x6C); __(0x6D); __(0x6E); __(0x6F); \ - __(0x70); __(0x71); __(0x72); __(0x73); __(0x74); __(0x75); __(0x76); __(0x77); __(0x78); __(0x79); __(0x7A); __(0x7B); __(0x7C); __(0x7D); __(0x7E); __(0x7F) - #define __8 __(0x80); __(0x81); __(0x82); __(0x83); __(0x84); __(0x85); __(0x86); __(0x87); __(0x88); __(0x89); __(0x8A); __(0x8B); __(0x8C); __(0x8D); __(0x8E); __(0x8F); \ - __(0x90); __(0x91); __(0x92); __(0x93); __(0x94); __(0x95); __(0x96); __(0x97); __(0x98); __(0x99); __(0x9A); __(0x9B); __(0x9C); __(0x9D); __(0x9E); __(0x9F); \ - __(0xA0); __(0xA1); __(0xA2); __(0xA3); __(0xA4); __(0xA5); __(0xA6); __(0xA7); __(0xA8); __(0xA9); __(0xAA); __(0xAB); __(0xAC); __(0xAD); __(0xAE); __(0xAF); \ - __(0xB0); __(0xB1); __(0xB2); __(0xB3); __(0xB4); __(0xB5); __(0xB6); __(0xB7); __(0xB8); __(0xB9); __(0xBA); __(0xBB); __(0xBC); __(0xBD); __(0xBE); __(0xBF); \ - __(0xC0); __(0xC1); __(0xC2); __(0xC3); __(0xC4); __(0xC5); __(0xC6); __(0xC7); __(0xC8); __(0xC9); __(0xCA); __(0xCB); __(0xCC); __(0xCD); __(0xCE); __(0xCF); \ - __(0xD0); __(0xD1); __(0xD2); __(0xD3); __(0xD4); __(0xD5); __(0xD6); __(0xD7); __(0xD8); __(0xD9); __(0xDA); __(0xDB); __(0xDC); __(0xDD); __(0xDE); __(0xDF); \ - __(0xE0); __(0xE1); __(0xE2); __(0xE3); __(0xE4); __(0xE5); __(0xE6); __(0xE7); __(0xE8); __(0xE9); __(0xEA); __(0xEB); __(0xEC); __(0xED); __(0xEE); __(0xEF); \ - __(0xF0); __(0xF1); __(0xF2); __(0xF3); __(0xF4); __(0xF5); __(0xF6); __(0xF7); __(0xF8); __(0xF9); __(0xFA); __(0xFB); __(0xFC); __(0xFD); __(0xFE); __(0xFF) - - if ((N & 15)) - { - if ((N & 1)) { __0; M += 1; } - if ((N & 2)) { __0; __1; M += 2; } - if ((N & 4)) { __0; __1; __2; M += 4; } - if ((N & 8)) { __0; __1; __2; __3; M += 8; } - } - if ((N & 240)) - { - if ((N & 16)) { __0; __1; __2; __3; __4; M += 16; } - if ((N & 32)) { __0; __1; __2; __3; __4; __5; M += 32; } - if ((N & 64)) { __0; __1; __2; __3; __4; __5; __6; M += 64; } - if ((N & 128)) { __0; __1; __2; __3; __4; __5; __6; __7; M += 128; } - } - N &= ~255; - for (i = 0; i < N; i += 256) - { - __0; __1; __2; __3; __4; __5; __6; __7; __8; M += 256; - } - - #undef __8 - #undef __7 - #undef __6 - #undef __5 - #undef __4 - #undef __3 - #undef __2 - #undef __1 - #undef __0 - #undef __ - - message[len - 1] = -128; - } - sha3_arraycopy(msg, 0, message, 0, nrf); - - *outlen = len; - return message; -} - - -/** - * Initialise Keccak sponge - * - * @param bitrate The bitrate - * @param capacity The capacity - * @param output The output size - */ -void sha3_initialise(long bitrate, long capacity, long output) -{ - long i; - - r = bitrate; - n = output; - c = capacity; - b = r + c; - w = b / 25; - l = sha3_lb(w); - nr = 12 + (l << 1); - if (w == 64) - wmod = -1; - else - { - wmod = 1; - wmod <<= w; - wmod--; - } - S = (llong*)malloc(25 * sizeof(llong)); - M = (byte*)malloc((mlen = (r * b) >> 2) * sizeof(byte)); - mptr = 0; - - for (i = 0; i < 25; i++) - *(S + i) = 0; -} - -/** - * Dispose of the Keccak sponge - */ -void sha3_dispose() -{ - #ifdef WITH_WIPE - long i; - #endif - if (S != null) - { - #ifdef WITH_WIPE - for (i = 0; i < 25; i++) - *(S + i) = 0; - #endif - free(S); - S = null; - } - if (M != null) - { - #ifdef WITH_WIPE - for (i = 0; i < mlen; i++) - *(M + i) = 0; - #endif - free(M); - M = null; - } -} - -/** - * Absorb the more of the message to the Keccak sponge - * - * @param msg The partial message - * @param msglen The length of the partial message - */ -void sha3_update(byte* restrict_ msg, long msglen) -{ - long rr = r >> 3; - long ww = w >> 3; - long i, len; - byte* message; - byte* _msg; - long nnn; - - if (mptr + msglen > mlen) - #ifdef WITH_WIPE - M = (byte*)realloc(M, mlen = (mlen + msglen) << 1); - #else - { - long mlen_ = mlen; - char* M_ = (byte*)malloc(mlen = (mlen + msglen) << 1); - sha3_arraycopy(M, 0, M_, 0, mlen_); - for (i = 0; i < mlen_; i++) - *(M + i) = 0; - free(M); - M = M_; - } - #endif - sha3_arraycopy(msg, 0, M, mptr, msglen); - len = mptr += msglen; - len -= len % ((r * b) >> 3); - message = (byte*)malloc(len * sizeof(byte)); - sha3_arraycopy(M, 0, message, 0, len); - mptr -= len; - sha3_revarraycopy(M, nnn = len, M, 0, mptr); - _msg = message; - - /* Absorbing phase */ - if (ww == 8) - for (i = 0; i < nnn; i += rr) - { - #define __S(Si, OFF) S[Si] ^= sha3_toLane64(message, len, rr, OFF) - __S( 0, 0); __S( 5, 8); __S(10, 16); __S(15, 24); __S(20, 32); - __S( 1, 40); __S( 6, 48); __S(11, 56); __S(16, 64); __S(21, 72); - __S( 2, 80); __S( 7, 88); __S(12, 96); __S(17, 104); __S(22, 112); - __S( 3, 120); __S( 8, 128); __S(13, 136); __S(18, 144); __S(23, 152); - __S( 4, 160); __S( 9, 168); __S(14, 176); __S(19, 184); __S(24, 192); - #undef __S - sha3_keccakF(S); - message += rr; - len -= rr; - } - else - for (i = 0; i < nnn; i += rr) - { - #define __S(Si, OFF) S[Si] ^= sha3_toLane(message, len, rr, ww, OFF * w) - __S( 0, 0); __S( 5, 1); __S(10, 2); __S(15, 3); __S(20, 4); - __S( 1, 5); __S( 6, 6); __S(11, 7); __S(16, 8); __S(21, 9); - __S( 2, 10); __S( 7, 11); __S(12, 12); __S(17, 13); __S(22, 14); - __S( 3, 15); __S( 8, 16); __S(13, 17); __S(18, 18); __S(23, 19); - __S( 4, 20); __S( 9, 21); __S(14, 22); __S(19, 23); __S(24, 24); - #undef __S - sha3_keccakF(S); - message += rr; - len -= rr; - } - - #ifdef WITH_WIPE - for (i = 0; i < nnn; i++) - *(_msg + i) = 0; - #endif - free(_msg); -} - - -/** - * Absorb the last part of the message and squeeze the Keccak sponge - * - * @param msg The rest of the message, may be {@code null} - * @param msglen The length of the partial message - * @param withReturn Whether to return the hash instead of just do a quick squeeze phrase and return {@code null} - * @return The hash sum, or {@code null} if <tt>withReturn</tt> is {@code false} - */ -byte* sha3_digest(byte* restrict_ msg, long msglen, boolean withReturn) -{ - byte* message; - byte* _msg; - byte* rc; - long rr = r >> 3, len; - long nn = (n + 7) >> 3, olen; - long ww = w >> 3, ni; - long i, j = 0, ptr = 0, _; - long nnn; - - if ((msg == null) || (msglen == 0)) - message = sha3_pad10star1(M, mptr, r, &len); - else - { - if (mptr + msglen > mlen) - #ifdef WITH_WIPE - M = (byte*)realloc(M, mlen += msglen); - #else - { - long mlen_ = mlen; - char* M_ = (byte*)malloc(mlen += msglen); - sha3_arraycopy(M, 0, M_, 0, mlen_); - for (i = 0; i < mlen_; i++) - *(M + i) = 0; - free(M); - M = M_; - } - #endif - sha3_arraycopy(msg, 0, M, mptr, msglen); - message = sha3_pad10star1(M, mptr + msglen, r, &len); - } - #ifdef WITH_WIPE - for (i = 0; i < mlen; i++) - *(M + i) = 0; - #endif - free(M); - M = null; - rc = withReturn ? (byte*)malloc(((n + 7) >> 3) * sizeof(byte)) : null; - _msg = message; - nnn = len; - - /* Absorbing phase */ - if (ww == 8) - for (i = 0; i < nnn; i += rr) - { - #define __S(Si, OFF) S[Si] ^= sha3_toLane64(message, len, rr, OFF) - __S( 0, 0); __S( 5, 8); __S(10, 16); __S(15, 24); __S(20, 32); - __S( 1, 40); __S( 6, 48); __S(11, 56); __S(16, 64); __S(21, 72); - __S( 2, 80); __S( 7, 88); __S(12, 96); __S(17, 104); __S(22, 112); - __S( 3, 120); __S( 8, 128); __S(13, 136); __S(18, 144); __S(23, 152); - __S( 4, 160); __S( 9, 168); __S(14, 176); __S(19, 184); __S(24, 192); - #undef __S - sha3_keccakF(S); - message += rr; - len -= rr; - } - else - for (i = 0; i < nnn; i += rr) - { - #define __S(Si, OFF) S[Si] ^= sha3_toLane(message, len, rr, ww, OFF * w) - __S( 0, 0); __S( 5, 1); __S(10, 2); __S(15, 3); __S(20, 4); - __S( 1, 5); __S( 6, 6); __S(11, 7); __S(16, 8); __S(21, 9); - __S( 2, 10); __S( 7, 11); __S(12, 12); __S(17, 13); __S(22, 14); - __S( 3, 15); __S( 8, 16); __S(13, 17); __S(18, 18); __S(23, 19); - __S( 4, 20); __S( 9, 21); __S(14, 22); __S(19, 23); __S(24, 24); - #undef __S - sha3_keccakF(S); - message += rr; - len -= rr; - } - - #ifdef WITH_WIPE - for (i = 0; i < nnn; i++) - *(_msg + i) = 0; - #endif - free(_msg); - - /* Squeezing phase */ - olen = n; - if (withReturn) - { - ni = min(25, rr); - while (olen > 0) - { - i = 0; - while ((i < ni) && (j < nn)) - { - llong v = S[(i % 5) * 5 + i / 5]; - for (_ = 0; _ < ww; _++) - { - if (j < nn) - rc[ptr++] = (byte)v; - v >>= 8; - j += 1; - } - i += 1; - } - olen -= r; - if (olen > 0) - sha3_keccakF(S); - } - if ((n & 7)) - rc[n >> 3] &= (1 << (n & 7)) - 1; - - return rc; - } - while ((olen -= r) > 0) - sha3_keccakF(S); - return null; -} - - -/** - * Force some rounds of Keccak-f - * - * @param times The number of rounds - */ -void sha3_simpleSqueeze(long times) -{ - long i; - for (i = 0; i < times; i++) - sha3_keccakF(S); -} - - -/** - * Squeeze as much as is needed to get a digest a number of times - * - * @param times The number of digests - */ -void sha3_fastSqueeze(long times) -{ - long i, olen; - for (i = 0; i < times; i++) - { - sha3_keccakF(S); /* Last squeeze did not do a ending squeeze */ - olen = n; - while ((olen -= r) > 0) - sha3_keccakF(S); - } -} - - -/** - * Squeeze out another digest - * - * @return The hash sum - */ -byte* sha3_squeeze(void) -{ - long nn, ww, olen, i, j, ptr, ni; - byte* rc; - - sha3_keccakF(S); /* Last squeeze did not do a ending squeeze */ - - ww = w >> 3; - rc = (byte*)malloc((nn = (n + 7) >> 3) * sizeof(byte)); - olen = n; - j = ptr = 0; - ni = (25 < r >> 3) ? 25 : (r >> 3); - - while (olen > 0) - { - i = 0; - while ((i < ni) && (j < nn)) - { - long _, v = S[(i % 5) * 5 + i / 5]; - for (_ = 0; _ < ww; _++) - { - if (j < nn) - *(rc + ptr++) = (byte)v; - v >>= 8; - j += 1; - } - i += 1; - } - olen -= r; - if (olen > 0) - sha3_keccakF(S); - } - if (n & 7) - rc[nn - 1] &= (1 << (n & 7)) - 1; - - return rc; -} - - -/** - * Retrieve the state of the Keccak sponge - * - * @return A 25-element array with the state, changes will be applied to the sponge - */ -llong* sha3_state(void) -{ - return S; -} - diff --git a/src/sha3.h b/src/sha3.h deleted file mode 100644 index a6cf321..0000000 --- a/src/sha3.h +++ /dev/null @@ -1,115 +0,0 @@ -/** - * sha3sum – SHA-3 (Keccak) checksum calculator - * - * Copyright © 2013, 2014 Mattias Andrée (maandree@member.fsf.org) - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - */ -#ifndef __SHA3_H__ -#define __SHA3_H__ - -#include <stdlib.h> - - -#ifdef WITH_C99 -# include <inttypes.h> -# define restrict_ restrict -# define byte int_fast8_t -# define boolean int_fast8_t -# define llong int_fast64_t -# define ullong uint_fast64_t -#else -# define restrict_ /* introduced in C99 */ -# define byte char -# define boolean char -# if __x86_64__ || __ppc64__ -# define llong long int -# else -# define llong long long int -# endif -# define ullong unsigned llong -#endif - - - -/** - * Initialise Keccak sponge - * - * @param bitrate The bitrate - * @param capacity The capacity - * @param output The output size - */ -void sha3_initialise(long bitrate, long capacity, long output); - - -/** - * Dispose of the Keccak sponge - */ -void sha3_dispose(void); - - -/** - * Absorb the more of the message to the Keccak sponge - * - * @param msg The partial message - * @param msglen The length of the partial message - */ -void sha3_update(byte* restrict_ msg, long msglen); - - -/** - * Absorb the last part of the message and squeeze the Keccak sponge - * - * @param msg The rest of the message, may be {@code null} - * @param msglen The length of the partial message - * @param withReturn Whether to return the hash instead of just do a quick squeeze phrase and return {@code null} - * @return The hash sum, or {@code null} if <tt>withReturn</tt> is {@code false} - */ -byte* sha3_digest(byte* restrict_ msg, long msglen, boolean withReturn); - - -/** - * Force some rounds of Keccak-f - * - * @param times The number of rounds - */ -void sha3_simpleSqueeze(long times); - - -/** - * Squeeze as much as is needed to get a digest a number of times - * - * @param times The number of digests - */ -void sha3_fastSqueeze(long times); - - -/** - * Squeeze out another digest - * - * @return The hash sum - */ -byte* sha3_squeeze(void); - - -/** - * Retrieve the state of the Keccak sponge - * - * @return A 25-element array with the state, changes will be applied to the sponge - */ -llong* sha3_state(void); - - -#endif - |