1 files changed, 49 insertions, 123 deletions
diff --git a/sha3/shake.go b/sha3/shake.go
index a6b3a42..6f3f70c 100644
--- a/sha3/shake.go
+++ b/sha3/shake.go
@@ -4,24 +4,10 @@
 
 package sha3
 
-// This file defines the ShakeHash interface, and provides
-// functions for creating SHAKE and cSHAKE instances, as well as utility
-// functions for hashing bytes to arbitrary-length output.
-//
-//
-// SHAKE implementation is based on FIPS PUB 202 [1]
-// cSHAKE implementations is based on NIST SP 800-185 [2]
-//
-// [1] https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf
-// [2] https://doi.org/10.6028/NIST.SP.800-185
-
 import (
-	"bytes"
-	"encoding/binary"
-	"errors"
+	"crypto/sha3"
 	"hash"
 	"io"
-	"math/bits"
 )
 
 // ShakeHash defines the interface to hash functions that support
@@ -32,7 +18,7 @@ type ShakeHash interface {
 	hash.Hash
 
 	// Read reads more output from the hash; reading affects the hash's
-	// state. (ShakeHash.Read is thus very different from Hash.Sum)
+	// state. (ShakeHash.Read is thus very different from Hash.Sum.)
 	// It never returns an error, but subsequent calls to Write or Sum
 	// will panic.
 	io.Reader
@@ -41,115 +27,18 @@ type ShakeHash interface {
 	Clone() ShakeHash
 }
 
-// cSHAKE specific context
-type cshakeState struct {
-	*state // SHA-3 state context and Read/Write operations
-
-	// initBlock is the cSHAKE specific initialization set of bytes. It is initialized
-	// by newCShake function and stores concatenation of N followed by S, encoded
-	// by the method specified in 3.3 of [1].
-	// It is stored here in order for Reset() to be able to put context into
-	// initial state.
-	initBlock []byte
-}
-
-func bytepad(data []byte, rate int) []byte {
-	out := make([]byte, 0, 9+len(data)+rate-1)
-	out = append(out, leftEncode(uint64(rate))...)
-	out = append(out, data...)
-	if padlen := rate - len(out)%rate; padlen < rate {
-		out = append(out, make([]byte, padlen)...)
-	}
-	return out
-}
-
-func leftEncode(x uint64) []byte {
-	// Let n be the smallest positive integer for which 2^(8n) > x.
-	n := (bits.Len64(x) + 7) / 8
-	if n == 0 {
-		n = 1
-	}
-	// Return n || x with n as a byte and x an n bytes in big-endian order.
-	b := make([]byte, 9)
-	binary.BigEndian.PutUint64(b[1:], x)
-	b = b[9-n-1:]
-	b[0] = byte(n)
-	return b
-}
-
-func newCShake(N, S []byte, rate, outputLen int, dsbyte byte) ShakeHash {
-	c := cshakeState{state: &state{rate: rate, outputLen: outputLen, dsbyte: dsbyte}}
-	c.initBlock = make([]byte, 0, 9+len(N)+9+len(S)) // leftEncode returns max 9 bytes
-	c.initBlock = append(c.initBlock, leftEncode(uint64(len(N))*8)...)
-	c.initBlock = append(c.initBlock, N...)
-	c.initBlock = append(c.initBlock, leftEncode(uint64(len(S))*8)...)
-	c.initBlock = append(c.initBlock, S...)
-	c.Write(bytepad(c.initBlock, c.rate))
-	return &c
-}
-
-// Reset resets the hash to initial state.
-func (c *cshakeState) Reset() {
-	c.state.Reset()
-	c.Write(bytepad(c.initBlock, c.rate))
-}
-
-// Clone returns copy of a cSHAKE context within its current state.
-func (c *cshakeState) Clone() ShakeHash {
-	b := make([]byte, len(c.initBlock))
-	copy(b, c.initBlock)
-	return &cshakeState{state: c.clone(), initBlock: b}
-}
-
-// Clone returns copy of SHAKE context within its current state.
-func (c *state) Clone() ShakeHash {
-	return c.clone()
-}
-
-func (c *cshakeState) MarshalBinary() ([]byte, error) {
-	return c.AppendBinary(make([]byte, 0, marshaledSize+len(c.initBlock)))
-}
-
-func (c *cshakeState) AppendBinary(b []byte) ([]byte, error) {
-	b, err := c.state.AppendBinary(b)
-	if err != nil {
-		return nil, err
-	}
-	b = append(b, c.initBlock...)
-	return b, nil
-}
-
-func (c *cshakeState) UnmarshalBinary(b []byte) error {
-	if len(b) <= marshaledSize {
-		return errors.New("sha3: invalid hash state")
-	}
-	if err := c.state.UnmarshalBinary(b[:marshaledSize]); err != nil {
-		return err
-	}
-	c.initBlock = bytes.Clone(b[marshaledSize:])
-	return nil
-}
-
 // NewShake128 creates a new SHAKE128 variable-output-length ShakeHash.
 // Its generic security strength is 128 bits against all attacks if at
 // least 32 bytes of its output are used.
 func NewShake128() ShakeHash {
-	return newShake128()
+	return &shakeWrapper{sha3.NewSHAKE128(), 32, false, sha3.NewSHAKE128}
 }
 
 // NewShake256 creates a new SHAKE256 variable-output-length ShakeHash.
 // Its generic security strength is 256 bits against all attacks if
 // at least 64 bytes of its output are used.
 func NewShake256() ShakeHash {
-	return newShake256()
-}
-
-func newShake128Generic() *state {
-	return &state{rate: rateK256, outputLen: 32, dsbyte: dsbyteShake}
-}
-
-func newShake256Generic() *state {
-	return &state{rate: rateK512, outputLen: 64, dsbyte: dsbyteShake}
+	return &shakeWrapper{sha3.NewSHAKE256(), 64, false, sha3.NewSHAKE256}
 }
 
 // NewCShake128 creates a new instance of cSHAKE128 variable-output-length ShakeHash,
@@ -159,10 +48,9 @@ func newShake256Generic() *state {
 // computations on same input with different S yield unrelated outputs.
 // When N and S are both empty, this is equivalent to NewShake128.
 func NewCShake128(N, S []byte) ShakeHash {
-	if len(N) == 0 && len(S) == 0 {
-		return NewShake128()
-	}
-	return newCShake(N, S, rateK256, 32, dsbyteCShake)
+	return &shakeWrapper{sha3.NewCSHAKE128(N, S), 32, false, func() *sha3.SHAKE {
+		return sha3.NewCSHAKE128(N, S)
+	}}
 }
 
 // NewCShake256 creates a new instance of cSHAKE256 variable-output-length ShakeHash,
@@ -172,10 +60,9 @@ func NewCShake128(N, S []byte) ShakeHash {
 // computations on same input with different S yield unrelated outputs.
 // When N and S are both empty, this is equivalent to NewShake256.
 func NewCShake256(N, S []byte) ShakeHash {
-	if len(N) == 0 && len(S) == 0 {
-		return NewShake256()
-	}
-	return newCShake(N, S, rateK512, 64, dsbyteCShake)
+	return &shakeWrapper{sha3.NewCSHAKE256(N, S), 64, false, func() *sha3.SHAKE {
+		return sha3.NewCSHAKE256(N, S)
+	}}
 }
 
 // ShakeSum128 writes an arbitrary-length digest of data into hash.
@@ -191,3 +78,42 @@ func ShakeSum256(hash, data []byte) {
 	h.Write(data)
 	h.Read(hash)
 }
+
+// shakeWrapper adds the Size, Sum, and Clone methods to a sha3.SHAKE
+// to implement the ShakeHash interface.
+type shakeWrapper struct {
+	*sha3.SHAKE
+	outputLen int
+	squeezing bool
+	newSHAKE  func() *sha3.SHAKE
+}
+
+func (w *shakeWrapper) Read(p []byte) (n int, err error) {
+	w.squeezing = true
+	return w.SHAKE.Read(p)
+}
+
+func (w *shakeWrapper) Clone() ShakeHash {
+	s := w.newSHAKE()
+	b, err := w.MarshalBinary()
+	if err != nil {
+		panic(err) // unreachable
+	}
+	if err := s.UnmarshalBinary(b); err != nil {
+		panic(err) // unreachable
+	}
+	return &shakeWrapper{s, w.outputLen, w.squeezing, w.newSHAKE}
+}
+
+func (w *shakeWrapper) Size() int { return w.outputLen }
+
+func (w *shakeWrapper) Sum(b []byte) []byte {
+	if w.squeezing {
+		panic("sha3: Sum after Read")
+	}
+	out := make([]byte, w.outputLen)
+	// Clone the state so that we don't affect future Write calls.
+	s := w.Clone()
+	s.Read(out)
+	return append(b, out...)
+}