noxtls-crypto 0.1.3

Internal implementation crate for noxtls: hash, symmetric cipher, public-key, and DRBG primitives.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249

// Copyright (c) 2019-2026, Argenox Technologies LLC
// All rights reserved.
//
// SPDX-License-Identifier: GPL-2.0-only OR LicenseRef-Argenox-Commercial-License
//
// This file is part of the NoxTLS Library.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by the
// Free Software Foundation; version 2 of the License.
//
// Alternatively, this file may be used under the terms of a commercial
// license from Argenox Technologies LLC.
//
// See `noxtls/LICENSE` and `noxtls/LICENSE.md` in this repository for full details.
// CONTACT: info@argenox.com

//! SHA-3 family digests (FIPS 202) using an in-house Keccak-f[1600] sponge.

use crate::internal_alloc::Vec;

const KECCAK_ROUND_CONSTANTS: [u64; 24] = [
    0x0000_0000_0000_0001,
    0x0000_0000_0000_8082,
    0x8000_0000_0000_808A,
    0x8000_0000_8000_8000,
    0x0000_0000_0000_808B,
    0x0000_0000_8000_0001,
    0x8000_0000_8000_8081,
    0x8000_0000_0000_8009,
    0x0000_0000_0000_008A,
    0x0000_0000_0000_0088,
    0x0000_0000_8000_8009,
    0x0000_0000_8000_000A,
    0x0000_0000_8000_808B,
    0x8000_0000_0000_008B,
    0x8000_0000_0000_8089,
    0x8000_0000_0000_8003,
    0x8000_0000_0000_8002,
    0x8000_0000_0000_0080,
    0x0000_0000_0000_800A,
    0x8000_0000_8000_000A,
    0x8000_0000_8000_8081,
    0x8000_0000_0000_8080,
    0x0000_0000_8000_0001,
    0x8000_0000_8000_8008,
];

const KECCAK_ROTATION_OFFSETS: [u32; 25] = [
    0, 1, 62, 28, 27, 36, 44, 6, 55, 20, 3, 10, 43, 25, 39, 41, 45, 15, 21, 8, 18, 2, 61, 56, 14,
];

/// Applies one full Keccak-f\[1600] permutation in place.
///
/// # Arguments
///
/// * `state` — 25 lanes (5×5) of the sponge state in row-major order; updated by the round function.
///
/// # Returns
///
/// `()`; permutes `state` in place.
///
/// # Panics
///
/// This function does not panic.
fn keccak_f1600(state: &mut [u64; 25]) {
    for &round_constant in &KECCAK_ROUND_CONSTANTS {
        let mut c = [0_u64; 5];
        for x in 0..5 {
            c[x] = state[x] ^ state[x + 5] ^ state[x + 10] ^ state[x + 15] ^ state[x + 20];
        }
        let mut d = [0_u64; 5];
        for x in 0..5 {
            d[x] = c[(x + 4) % 5] ^ c[(x + 1) % 5].rotate_left(1);
        }
        for x in 0..5 {
            for y in 0..5 {
                state[x + 5 * y] ^= d[x];
            }
        }

        let mut b = [0_u64; 25];
        for x in 0..5 {
            for y in 0..5 {
                let index = x + 5 * y;
                let rotated = state[index].rotate_left(KECCAK_ROTATION_OFFSETS[index]);
                let new_x = y;
                let new_y = (2 * x + 3 * y) % 5;
                b[new_x + 5 * new_y] = rotated;
            }
        }

        for x in 0..5 {
            for y in 0..5 {
                state[x + 5 * y] =
                    b[x + 5 * y] ^ ((!b[(x + 1) % 5 + 5 * y]) & b[(x + 2) % 5 + 5 * y]);
            }
        }

        state[0] ^= round_constant;
    }
}

/// XOR-absorbs one full rate-sized block into the sponge state and permutes once.
///
/// # Arguments
///
/// * `state` — Keccak state to update.
/// * `rate_bytes` — Sponge rate in bytes (must be a multiple of 8 and match `block` length).
/// * `block` — Exactly `rate_bytes` input octets interpreted as little-endian 64-bit lanes.
///
/// # Returns
///
/// `()`; updates `state` then calls [`keccak_f1600`].
///
/// # Panics
///
/// This function does not panic when `block.len() == rate_bytes` as produced by this module.
fn absorb_block(state: &mut [u64; 25], rate_bytes: usize, block: &[u8]) {
    for (lane, lane_state) in state.iter_mut().take(rate_bytes / 8).enumerate() {
        let start = lane * 8;
        let mut bytes = [0_u8; 8];
        bytes.copy_from_slice(&block[start..start + 8]);
        *lane_state ^= u64::from_le_bytes(bytes);
    }
    keccak_f1600(state);
}

/// Runs a Keccak sponge with the given rate, domain byte, and squeeze length.
///
/// # Arguments
///
/// * `rate_bytes` — Sponge rate in bytes (SHA3-256/SHAKE256 use 136; SHA3-384 uses 104; SHA3-512 uses 72 in this implementation).
/// * `output_len` — Number of output bytes to squeeze (truncate if the last lane is partial).
/// * `data` — Message bytes absorbed before padding.
/// * `domain` — Domain-separation suffix XORed into the padded tail (`0x06` for SHA3, `0x1F` for SHAKE256 here).
///
/// # Returns
///
/// Allocated digest or XOF bytes of length `output_len`.
///
/// # Panics
///
/// This function does not panic for valid `rate_bytes` values used by the public SHA3/SHAKE entry points.
fn keccak_sponge(rate_bytes: usize, output_len: usize, data: &[u8], domain: u8) -> Vec<u8> {
    let mut state = [0_u64; 25];
    let mut cursor = 0_usize;
    while cursor + rate_bytes <= data.len() {
        absorb_block(&mut state, rate_bytes, &data[cursor..cursor + rate_bytes]);
        cursor += rate_bytes;
    }

    let mut tail = [0_u8; 200];
    let tail_len = data.len() - cursor;
    tail[..tail_len].copy_from_slice(&data[cursor..]);
    tail[tail_len] ^= domain;
    tail[rate_bytes - 1] ^= 0x80;
    absorb_block(&mut state, rate_bytes, &tail[..rate_bytes]);

    let mut out = Vec::with_capacity(output_len);
    while out.len() < output_len {
        let mut lane = 0_usize;
        while lane < (rate_bytes / 8) && out.len() < output_len {
            out.extend_from_slice(&state[lane].to_le_bytes());
            lane += 1;
        }
        if out.len() >= output_len {
            break;
        }
        keccak_f1600(&mut state);
    }
    out.truncate(output_len);
    out
}

/// Computes the SHA3-256 digest of `data`.
///
/// # Arguments
/// * `data`: Input octets.
///
/// # Returns
/// 32-byte digest.
///
/// # Panics
///
/// This function does not panic.
#[must_use]
pub fn sha3_256(data: &[u8]) -> [u8; 32] {
    let digest = keccak_sponge(136, 32, data, 0x06);
    let mut out = [0_u8; 32];
    out.copy_from_slice(&digest);
    out
}

/// Computes the SHA3-384 digest of `data`.
///
/// # Arguments
/// * `data`: Input octets.
///
/// # Returns
/// 48-byte digest.
///
/// # Panics
///
/// This function does not panic.
#[must_use]
pub fn sha3_384(data: &[u8]) -> [u8; 48] {
    let digest = keccak_sponge(104, 48, data, 0x06);
    let mut out = [0_u8; 48];
    out.copy_from_slice(&digest);
    out
}

/// Computes the SHA3-512 digest of `data`.
///
/// # Arguments
/// * `data`: Input octets.
///
/// # Returns
/// 64-byte digest.
///
/// # Panics
///
/// This function does not panic.
#[must_use]
pub fn sha3_512(data: &[u8]) -> [u8; 64] {
    let digest = keccak_sponge(72, 64, data, 0x06);
    let mut out = [0_u8; 64];
    out.copy_from_slice(&digest);
    out
}

/// Computes SHAKE256 extendable-output bytes for `data`.
///
/// # Arguments
/// * `data`: Input octets.
/// * `output_len`: Number of bytes to squeeze from the XOF stream.
///
/// # Returns
/// Variable-length SHAKE256 output.
///
/// # Panics
///
/// This function does not panic.
#[must_use]
pub fn shake256(data: &[u8], output_len: usize) -> Vec<u8> {
    // SHAKE functions use domain-separation suffix 0x1F (FIPS 202).
    keccak_sponge(136, output_len, data, 0x1F)
}