RubyGems - sleeping_kangaroo12 - Versions diffs - 0.0.3 → 0.0.4 - Mend

sleeping_kangaroo12 0.0.3 → 0.0.4

Files changed (291) hide show

data/ext/xkcp/lib/high/Xoofff/Xoofff.h DELETED Viewed

@@ -1,147 +0,0 @@
-/*
-The eXtended Keccak Code Package (XKCP)
-https://github.com/XKCP/XKCP
-Xoofff, designed by Joan Daemen, Seth Hoffert, Gilles Van Assche and Ronny Van Keer.
-Implementation by Ronny Van Keer, hereby denoted as "the implementer".
-For more information, feedback or questions, please refer to the Keccak Team website:
-https://keccak.team/
-To the extent possible under law, the implementer has waived all copyright
-and related or neighboring rights to the source code in this file.
-http://creativecommons.org/publicdomain/zero/1.0/
-*/
-#ifndef _Xoofff_h_
-#define _Xoofff_h_
-#include "config.h"
-#ifdef XKCP_has_Xoodoo
-#include <stddef.h>
-#include <stdint.h>
-#include "align.h"
-#include "Xoodoo-SnP.h"
-#define SnP_widthInBytes        (3*4*4)
-#define Xoofff_RollSizeInBytes  SnP_widthInBytes
-#define Xoofff_RollOffset       0
-#define Xoofff_FlagNone         0
-#define Xoofff_FlagInit         1 /* If set, initialize a new Xoofff_Compress session */
-#define Xoofff_FlagLastPart     2 /* If set, indicates the last part of input/output */
-#define Xoofff_FlagXoofffie     4 /* If set, indicates Xoofffie will be performed */
-#ifndef _Keccak_BitTypes_
-#define _Keccak_BitTypes_
-typedef uint8_t BitSequence;
-typedef size_t  BitLength;
-#endif
-typedef enum
-{
-    NOT_INITIALIZED_YET,
-    COMPRESSING,
-    EXPANDING,
-    EXPANDED,
-} Xoofff_Phases;
-#ifdef XKCP_has_Xoodootimes16
-#include "Xoodoo-times16-SnP.h"
-#endif
-#ifdef XKCP_has_Xoodootimes8
-#include "Xoodoo-times8-SnP.h"
-#endif
-#ifdef XKCP_has_Xoodootimes4
-#include "Xoodoo-times4-SnP.h"
-#endif
-#include "Xoodoo-SnP.h"
-#if defined(XKCP_has_Xoodootimes16) && !defined(Xoodootimes16_isFallback)
-    #define XoodooMaxParallellism   16
-    #define Xoofff_Alignment        Xoodootimes16_statesAlignment
-    #if defined(Xoodootimes16_FastXoofff_supported)
-        #define    Xoofff_AddIs    Xooffftimes16_AddIs
-    #endif
-#elif defined(XKCP_has_Xoodootimes8) && !defined(Xoodootimes8_isFallback)
-    #define XoodooMaxParallellism   8
-    #define Xoofff_Alignment        Xoodootimes8_statesAlignment
-    #if defined(Xoodootimes8_FastXoofff_supported)
-        #define    Xoofff_AddIs    Xooffftimes8_AddIs
-    #endif
-#elif defined(XKCP_has_Xoodootimes4) && !defined(Xoodootimes4_isFallback)
-    #define XoodooMaxParallellism   4
-    #define Xoofff_Alignment        Xoodootimes4_statesAlignment
-    #if defined(Xoodootimes4_FastXoofff_supported)
-        #define    Xoofff_AddIs    Xooffftimes4_AddIs
-    #endif
-#else
-    #define XoodooMaxParallellism   1
-    #define Xoofff_Alignment        Xoodoo_stateAlignment
-#endif
-ALIGN(Xoofff_Alignment) typedef struct
-{
-    unsigned char a[SnP_widthInBytes];
-} Xoofff_AlignedArray;
-typedef struct {
-    Xoofff_AlignedArray k;
-    Xoofff_AlignedArray kRoll;
-    Xoofff_AlignedArray xAccu;
-    Xoofff_AlignedArray yAccu;
-    Xoofff_AlignedArray queue;      /* input/output queue buffer */
-    BitLength queueOffset;          /* current offset in queue */
-    Xoofff_Phases phase;
-} Xoofff_Instance;
-/**
-  * Function to initialize a Xoofff instance with given key.
-  * @param  xpInstance      Pointer to the instance to be initialized.
-  * @param  Key             Pointer to the key (K).
-  * @param  KeyBitLen       The length of the key in bits.
-  * @return 0 if successful, 1 otherwise.
-  */
-int Xoofff_MaskDerivation(Xoofff_Instance *xpInstance, const BitSequence *Key, BitLength KeyBitLen);
-/**
-  * Function to handle input data to be compressed.
-  * @param  xpInstance      Pointer to the instance initialized by Xoofff_MaskDerivation().
-  * @param  input           Pointer to the input message data (M).
-  * @param  inputBitLen     The number of bits provided in the input message data.
-  *                         This must be a multiple of 8 if Xoofff_FlagLastPart flag not set.
-  * @param  flags           Bitwise or combination of Xoofff_FlagNone, Xoofff_FlagInit, Xoofff_FlagLastPart.
-  * @return 0 if successful, 1 otherwise.
-  */
-int Xoofff_Compress(Xoofff_Instance *xpInstance, const BitSequence *input, BitLength inputBitLen, int flags);
-/**
-  * Function to expand output data.
-  * @param  xpInstance      Pointer to the hash instance initialized by Xoofff_MaskDerivation().
-  * @param  output          Pointer to the buffer where to store the output data.
-  * @param  outputBitLen    The number of output bits desired.
-  *                         This must be a multiple of 8 if Xoofff_FlagLastPart flag not set.
-  * @param  flags           Bitwise or combination of Xoofff_FlagNone, Xoofff_FlagXoofffie, Xoofff_FlagLastPart.
-  * @return 0 if successful, 1 otherwise.
-  */
-int Xoofff_Expand(Xoofff_Instance *xpInstance, BitSequence *output, BitLength outputBitLen, int flags);
-/** Function to compress input data and expand output data.
-  * @param  xpInstance      Pointer to the instance initialized by Xoofff_MaskDerivation().
-  * @param  input           Pointer to the input message (M).
-  * @param  inputBitLen     The number of bits provided in the input message data.
-  * @param  output          Pointer to the output buffer.
-  * @param  outputBitLen    The number of output bits desired.
-  * @param  flags           Bitwise or combination of Xoofff_FlagNone, Xoofff_FlagInit, Xoofff_FlagXoofffie, Xoofff_FlagLastPart.
-  *                         Xoofff_FlagLastPart is internally forced to true for input and output.
-  * @return 0 if successful, 1 otherwise.
-  */
-int Xoofff(Xoofff_Instance *xpInstance, const BitSequence *input, BitLength inputBitLen, BitSequence *output, BitLength outputBitLen, int flags);
-#else
-#error This requires an implementation of Xoodoo
-#endif
-#endif

data/ext/xkcp/lib/high/Xoofff/XoofffModes.c DELETED Viewed

@@ -1,483 +0,0 @@
-/*
-The eXtended Keccak Code Package (XKCP)
-https://github.com/XKCP/XKCP
-Xoofff, designed by Joan Daemen, Seth Hoffert, Gilles Van Assche and Ronny Van Keer.
-Implementation by Ronny Van Keer, hereby denoted as "the implementer".
-For more information, feedback or questions, please refer to the Keccak Team website:
-https://keccak.team/
-To the extent possible under law, the implementer has waived all copyright
-and related or neighboring rights to the source code in this file.
-http://creativecommons.org/publicdomain/zero/1.0/
-*/
-#include <string.h>
-#include "brg_endian.h"
-#include "Xoofff.h"
-#include "XoofffModes.h"
-/* #define    DEBUG_DUMP */
-#define laneSize        4
-#define width           (3*4*32)
-#define widthInBytes    (width/8)
-#define widthInLanes    (widthInBytes/laneSize)
-#define MyMin(a, b)     (((a) < (b)) ? (a) : (b))
-#if !defined(Xoodoo_FastXoofff_supported)
-void Xoofff_AddIs(unsigned char *output, const unsigned char *input, size_t bitLen);
-#else
-#endif
-#if defined(DEBUG_DUMP)
-static void DUMP( const unsigned char * pText, const unsigned char * pData, unsigned int size )
-{
-    unsigned int i;
-    printf("%s (%u bytes):", pText, size);
-    for(i=0; i<size; i++)
-        printf(" %02x", (int)pData[i]);
-    printf("\n");
-}
-#else
-#define DUMP(pText, pData, size )
-#endif
-/* ------------------------------------------------------------------------- */
-static BitLength XoofffWBC_Split(BitLength n)
-{
-    BitLength   nL;
-    BitLength   q, x;
-    if (n <= (2 * XoofffWBC_b - (XoofffWBC_l + 2)))
-        nL = XoofffWBC_l * ((n + XoofffWBC_l) / (2*XoofffWBC_l));
-    else {
-        q = (n + XoofffWBC_l + 2 + (XoofffWBC_b - 1)) / XoofffWBC_b;
-        for (x = 1; (BitLength)(1 << x) < q; ++x)
-            ; /* empty */
-        --x;
-        nL = (q - (BitLength)(1 << x)) * XoofffWBC_b - XoofffWBC_l;
-    }
-    return nL;
-}
-#define Lp  plaintext
-#define Rp  (plaintext + nL / 8)
-#define Lc  ciphertext
-#define Rc  (ciphertext + nL / 8)
-int XoofffWBC_Encipher(Xoofff_Instance *xp, const BitSequence *plaintext, BitSequence *ciphertext, BitLength dataBitLen,
-                        const BitSequence *W, BitLength WBitLen)
-{
-    size_t nL = XoofffWBC_Split(dataBitLen);
-    size_t nR = dataBitLen - nL;
-    size_t nL0 = MyMin(width, nL);
-    size_t nR0 = MyMin(width, nR);
-    unsigned char R0[SnP_widthInBytes];
-    unsigned char HkW[SnP_widthInBytes];
-    unsigned char kRollAfterHkW[Xoofff_RollSizeInBytes];
-    unsigned int numberOfBitsInLastByte;
-    BitSequence lastByte[1];
-    /* R0 = R0 + Hk(L || 0) */
-    if (Xoofff_Compress(xp, Lp, nL, Xoofff_FlagInit) != 0) /* Do complete L, is always a multiple of 8 bits */
-        return 1;
-    lastByte[0] = 0;
-    if (Xoofff(xp, lastByte, 1, R0, nR0, Xoofff_FlagXoofffie) != 0)
-        return 1;
-    Xoofff_AddIs(R0, Rp, nR0);
-    /* L = L + Fk(R || 1 . W) */
-    if (Xoofff_Compress(xp, W, WBitLen, Xoofff_FlagInit | Xoofff_FlagLastPart) != 0)
-        return 1;
-    memcpy(HkW, xp->xAccu.a, SnP_widthInBytes);
-    memcpy(kRollAfterHkW, xp->kRoll.a+Xoofff_RollOffset, Xoofff_RollSizeInBytes);
-    numberOfBitsInLastByte = nR & 7;
-    lastByte[0] = (numberOfBitsInLastByte != 0) ? Rp[nR/8] : 0;
-    if (nR0 == nR) {
-        if (Xoofff_Compress(xp, R0, nR0 - numberOfBitsInLastByte, Xoofff_FlagNone) != 0)  /* Compress R0 except last byte if incomplete */
-            return 1;
-        lastByte[0] = (numberOfBitsInLastByte != 0) ? R0[nR/8] : 0;
-    }
-    else {
-        if (Xoofff_Compress(xp, R0, nR0, Xoofff_FlagNone) != 0) /* compress R0 */
-            return 1;
-        if (Xoofff_Compress(xp, Rp + nR0 / 8, nR - nR0 - numberOfBitsInLastByte, Xoofff_FlagNone) != 0)  /* rest of R except last byte if incomplete */
-            return 1;
-        lastByte[0] = (numberOfBitsInLastByte != 0) ? Rp[nR/8] : 0;
-    }
-    lastByte[0] &= (1 << numberOfBitsInLastByte) - 1;
-    lastByte[0] |= 1 << numberOfBitsInLastByte;
-    if (Xoofff(xp, lastByte, numberOfBitsInLastByte + 1, Lc, nL, Xoofff_FlagNone) != 0)
-        return 1;
-    Xoofff_AddIs(Lc, Lp, nL);
-    /* R = R + Fk(L || 0 . W) */
-    memcpy(xp->kRoll.a+Xoofff_RollOffset, kRollAfterHkW, Xoofff_RollSizeInBytes);
-    memcpy(xp->xAccu.a, HkW, SnP_widthInBytes);
-    if (Xoofff_Compress(xp, Lc, nL, Xoofff_FlagNone) != 0)
-        return 1;
-    lastByte[0] = 0;
-    if (Xoofff(xp, lastByte, 1, Rc, nR, Xoofff_FlagNone) != 0)
-        return 1;
-    Xoofff_AddIs(Rc, R0, nR0);
-    Xoofff_AddIs(Rc + nR0 / 8, Rp + nR0 / 8, nR - nR0);
-    /* L0 = L0 + Hk(R || 1) */
-    if (Xoofff_Compress(xp, Rc, nR - numberOfBitsInLastByte, Xoofff_FlagInit) != 0) /* Do all except last byte if incomplete */
-        return 1;
-    lastByte[0] = (numberOfBitsInLastByte != 0) ? Rc[nR/8] : 0;
-    lastByte[0] &= (1 << numberOfBitsInLastByte) - 1;
-    lastByte[0] |= 1 << numberOfBitsInLastByte;
-    if (Xoofff(xp, lastByte, numberOfBitsInLastByte + 1, R0, nL0, Xoofff_FlagXoofffie) != 0)
-        return 1;
-    Xoofff_AddIs(Lc, R0, nL0);
-    return 0;
-}
-int XoofffWBC_Decipher(Xoofff_Instance *xp, const BitSequence *ciphertext, BitSequence *plaintext, BitLength dataBitLen,
-                        const BitSequence *W, BitLength WBitLen)
-{
-    size_t nL = XoofffWBC_Split(dataBitLen);
-    size_t nR = dataBitLen - nL;
-    size_t nL0 = MyMin(width, nL);
-    size_t nR0 = MyMin(width, nR);
-    unsigned char L0[SnP_widthInBytes];
-    unsigned char HkW[SnP_widthInBytes];
-    unsigned char kRollAfterHkW[Xoofff_RollSizeInBytes];
-    unsigned int numberOfBitsInLastByte;
-    BitSequence lastByte[1];
-    /* L0 = L0 + Hk(R || 1) */
-    numberOfBitsInLastByte = nR & 7;
-    if (Xoofff_Compress(xp, Rc, nR - numberOfBitsInLastByte, Xoofff_FlagInit) != 0) /* Do all except last byte if incomplete */
-        return 1;
-    lastByte[0] = (numberOfBitsInLastByte != 0) ? Rc[nR/8] : 0;
-    lastByte[0] &= (1 << numberOfBitsInLastByte) - 1;
-    lastByte[0] |= 1 << numberOfBitsInLastByte;
-    if (Xoofff(xp, lastByte, numberOfBitsInLastByte + 1, L0, nL0, Xoofff_FlagXoofffie) != 0)
-        return 1;
-    Xoofff_AddIs( L0, Lc, nL0);
-    /* R = R + Fk(L || 0 . W) */
-    if (Xoofff_Compress(xp, W, WBitLen, Xoofff_FlagInit | Xoofff_FlagLastPart) != 0)
-        return 1;
-    memcpy(HkW, xp->xAccu.a, SnP_widthInBytes);
-    memcpy(kRollAfterHkW, xp->kRoll.a+Xoofff_RollOffset, Xoofff_RollSizeInBytes);
-    if (Xoofff_Compress(xp, L0, nL0, Xoofff_FlagNone) != 0) /* compress L0 */
-        return 1;
-    if (Xoofff_Compress(xp, Lc + nL0 / 8, nL - nL0, Xoofff_FlagNone) != 0)  /* compress rest of L */
-        return 1;
-    lastByte[0] = 0;
-    if (Xoofff(xp, lastByte, 1, Rp, nR, Xoofff_FlagNone) != 0)  /* last zero bit */
-        return 1;
-    Xoofff_AddIs(Rp, Rc, nR);
-    /* L = L + Fk(R || 1 . W) */
-    memcpy(xp->kRoll.a+Xoofff_RollOffset, kRollAfterHkW, Xoofff_RollSizeInBytes);
-    memcpy(xp->xAccu.a, HkW, SnP_widthInBytes);
-    if (Xoofff_Compress(xp, Rp, nR - numberOfBitsInLastByte, Xoofff_FlagNone) != 0)
-        return 1;
-    lastByte[0] = (numberOfBitsInLastByte != 0) ? Rp[nR/8] : 0;
-    lastByte[0] &= (1 << numberOfBitsInLastByte) - 1;
-    lastByte[0] |= 1 << numberOfBitsInLastByte;
-    if (Xoofff(xp, lastByte, numberOfBitsInLastByte + 1, Lp, nL, Xoofff_FlagNone) != 0)
-        return 1;
-    Xoofff_AddIs(Lp, L0, nL0);
-    Xoofff_AddIs(Lp + nL0 / 8, Lc + nL0 / 8, nL - nL0);
-    /* R0 = R0 + Hk(L || 0) */
-    if (Xoofff_Compress(xp, Lp, nL, Xoofff_FlagInit) != 0) /* Do all, L is always a multiple of 8 bits */
-        return 1;
-    lastByte[0] = 0;
-    if (Xoofff(xp, lastByte, 1, L0, nR0, Xoofff_FlagXoofffie) != 0)
-        return 1;
-    Xoofff_AddIs(Rp, L0, nR0);
-    return 0;
-}
-int XoofffWBCAE_Encipher(Xoofff_Instance *xp, BitSequence *plaintext, BitSequence *ciphertext, BitLength dataBitLen,
-                        const BitSequence *AD, BitLength ADBitLen)
-{
-    size_t          databytelen = dataBitLen / 8;
-    unsigned int    nbitsInLastByte = dataBitLen & 7;
-    int             result;
-    if (nbitsInLastByte != 0) {
-        plaintext[databytelen] &= ((1 << nbitsInLastByte) - 1);
-        ++databytelen;
-    }
-    memset(plaintext + databytelen, 0, XoofffWBCAE_t/8);
-    result = XoofffWBC_Encipher(xp, plaintext, ciphertext, dataBitLen + XoofffWBCAE_t, AD, ADBitLen);
-    return(result);
-}
-const BitSequence XoofffWBCAE_Zero[XoofffWBCAE_t/8] = { 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0 };
-int XoofffWBCAE_Decipher(Xoofff_Instance *xp, const BitSequence *ciphertext, BitSequence *plaintext, BitLength dataBitLen,
-                        const BitSequence *AD, BitLength ADBitLen)
-{
-    unsigned int nbitsInLastByte = dataBitLen & 7;
-    if ( XoofffWBC_Decipher(xp, ciphertext, plaintext, dataBitLen + XoofffWBCAE_t, AD, ADBitLen) != 0)
-        return 1;
-    if (nbitsInLastByte != 0) { /* check first bits of checkValue sitting in last byte of plaintext */
-        if ((plaintext[dataBitLen/8] & ~((1 << nbitsInLastByte) - 1)) != 0) {
-            memset( plaintext, 0, (dataBitLen + XoofffWBCAE_t + 7) / 8 );
-            return 1;
-        }
-    }
-    if (memcmp(plaintext + (dataBitLen+7)/8, XoofffWBCAE_Zero, XoofffWBCAE_t/8) != 0) {
-        memset( plaintext, 0, (dataBitLen + XoofffWBCAE_t + 7) / 8 );
-        return 1;
-    }
-    return 0;
-}
-#undef  Lp
-#undef  Rp
-#undef  Lc
-#undef  Rc
-/* ------------------------------------------------------------------------- */
-int XoofffSANE_Initialize(XoofffSANE_Instance *xp, const BitSequence *Key, BitLength KeyBitLen,
-                            const BitSequence *Nonce, BitLength NonceBitLen, unsigned char *tag)
-{
-    xp->e = 0;
-    if (Xoofff_MaskDerivation(&xp->xoofff, Key, KeyBitLen) != 0)
-        return 1;
-    if (Xoofff_Compress(&xp->xoofff, Nonce, NonceBitLen, Xoofff_FlagInit | Xoofff_FlagLastPart) != 0)
-        return 1;
-    return Xoofff_Expand(&xp->xoofff, tag, XoofffSANE_TagLength * 8, Xoofff_FlagNone);
-}
-static int XoofffSANE_AddToHistory(XoofffSANE_Instance *xp, const BitSequence *data, BitLength dataBitLen, unsigned char appendix)
-{
-    BitSequence lastByte[1];
-    if (Xoofff_Compress(&xp->xoofff, data, dataBitLen & ~7, Xoofff_FlagNone) != 0) /* Do all except last byte if incomplete */
-        return 1;
-    data += dataBitLen >> 3; /* move pointer to last incomplete byte (if no incomplete last byte, it will point beyond the buffer, but pointer won't be dereferenced) */
-    dataBitLen &= 7; /* dataBitLen is now number of bits in last possible incomplete byte */
-    if (dataBitLen == 0) {
-        lastByte[0] = (BitSequence)(appendix | (xp->e << 1));
-        dataBitLen = 2;
-    }
-    else if (dataBitLen <= 6) {
-        lastByte[0] = (BitSequence)(*data | (appendix << dataBitLen) | (xp->e << (dataBitLen + 1)));
-        dataBitLen += 2;
-    }
-    else { /* dataBitLen == 7 */
-        lastByte[0] = (BitSequence)(*data | (appendix << 7));
-        if ( Xoofff_Compress(&xp->xoofff, lastByte, 8, Xoofff_FlagNone) != 0) {
-            return 1;
-        }
-        lastByte[0] = (BitSequence)xp->e;
-        dataBitLen = 1;
-    }
-       return Xoofff_Compress(&xp->xoofff, lastByte, dataBitLen, Xoofff_FlagLastPart);
-}
-int XoofffSANE_Wrap(XoofffSANE_Instance *xp, const BitSequence *plaintext, BitSequence *ciphertext, BitLength dataBitLen,
-                        const BitSequence *AD, BitLength ADBitLen, unsigned char *tag)
-{
-    if (dataBitLen != 0) {
-        /* C = P ^ Fk(history) << offset */
-        if (Xoofff_Expand(&xp->xoofff, ciphertext, dataBitLen, Xoofff_FlagLastPart) != 0)
-            return 1;
-        Xoofff_AddIs(ciphertext, plaintext, dataBitLen);
-    }
-    if ((ADBitLen != 0) || (dataBitLen == 0)) {
-        /* history <- A || 0 || e ° history */
-        if (XoofffSANE_AddToHistory(xp, AD, ADBitLen, 0 ) != 0)
-            return 1;
-    }
-    if (dataBitLen != 0) {
-        /* history <- C || 1 || e ° history */
-        if (XoofffSANE_AddToHistory(xp, ciphertext, dataBitLen, 1 ) != 0)
-            return 1;
-    }
-    xp->e ^= 1;
-    /* T = Fk(history) */
-    return Xoofff_Expand(&xp->xoofff, tag, XoofffSANE_TagLength * 8, Xoofff_FlagNone);
-}
-int XoofffSANE_Unwrap(XoofffSANE_Instance *xp, const BitSequence *ciphertext, BitSequence *plaintext, BitLength dataBitLen,
-                            const BitSequence *AD, BitLength ADBitLen, const unsigned char *tag)
-{
-    unsigned char tagPrime[XoofffSANE_TagLength];
-    if (dataBitLen != 0) {
-        /*    P = C ^ Fk(history) << offset */
-        if (Xoofff_Expand(&xp->xoofff, plaintext, dataBitLen, Xoofff_FlagLastPart) != 0)
-            return 1;
-        Xoofff_AddIs(plaintext, ciphertext, dataBitLen);
-    }
-    if ((ADBitLen != 0) || (dataBitLen == 0)) {
-        /* history <- A || 0 || e ° history */
-        if (XoofffSANE_AddToHistory(xp, AD, ADBitLen, 0 ) != 0)
-            return 1;
-    }
-    if (dataBitLen != 0) {
-        /* history <- C || 1 || e  ° history */
-        if (XoofffSANE_AddToHistory(xp, ciphertext, dataBitLen, 1 ) != 0)
-            return 1;
-    }
-    /* Tprime = Fk(history) */
-    if (Xoofff_Expand(&xp->xoofff, tagPrime, XoofffSANE_TagLength * 8, Xoofff_FlagNone) != 0)
-        return 1;
-    xp->e ^= 1;
-     /* Wipe plaintext on tag difference */
-    if ( memcmp( tagPrime, tag, XoofffSANE_TagLength) != 0) {
-        memset(plaintext, 0, (dataBitLen + 7) / 8);
-        return 1;
-    }
-    return 0;
-}
-/* ------------------------------------------------------------------------- */
-static int XoofffSANSE_AddToHistory(XoofffSANSE_Instance *xp, const BitSequence *data, BitLength dataBitLen, unsigned char appendix, unsigned int appendixLen)
-{
-    BitSequence lastByte[1];
-    if (Xoofff_Compress(&xp->xoofff, data, dataBitLen & ~7, Xoofff_FlagNone) != 0) /* Do all except last byte if incomplete */
-        return 1;
-    data += dataBitLen >> 3; /* move pointer to last incomplete byte (if no incomplete last byte, it will point beyond the buffer, but pointer won't be dereferenced) */
-    dataBitLen &= 7; /* dataBitLen is now number of bits in last possible incomplete byte */
-    if (dataBitLen == 0) {
-        lastByte[0] = (BitSequence)(appendix | (xp->e << appendixLen));
-        dataBitLen = appendixLen + 1;
-    }
-    else if (dataBitLen <= (8 - (appendixLen + 1))) {
-        lastByte[0] = (BitSequence)((*data & ((1 << dataBitLen) - 1)) | (appendix << dataBitLen) | (xp->e << (dataBitLen + appendixLen)));
-        dataBitLen += appendixLen + 1;
-    }
-    else { /* dataBitLen too big to hold everything in last byte */
-        unsigned int bitsLeft;
-        bitsLeft = 8 - (unsigned int)dataBitLen;
-        lastByte[0] = (BitSequence)((*data & ((1 << dataBitLen) - 1)) | ((appendix & ((1 << bitsLeft) - 1)) << dataBitLen));
-        appendixLen -= bitsLeft;
-        appendix >>= bitsLeft;
-        if ( Xoofff_Compress(&xp->xoofff, lastByte, 8, Xoofff_FlagNone) != 0) {
-            return 1;
-        }
-        lastByte[0] = (BitSequence)(appendix | (xp->e << appendixLen));
-        dataBitLen = appendixLen + 1;
-    }
-    return Xoofff_Compress(&xp->xoofff, lastByte, dataBitLen, Xoofff_FlagLastPart);
-}
-int XoofffSANSE_Initialize(XoofffSANSE_Instance *xp, const BitSequence *Key, BitLength KeyBitLen)
-{
-    xp->e = 0;
-    return Xoofff_MaskDerivation(&xp->xoofff, Key, KeyBitLen);
-}
-int XoofffSANSE_Wrap(XoofffSANSE_Instance *xp, const BitSequence *plaintext, BitSequence *ciphertext, BitLength dataBitLen,
-                        const BitSequence *AD, BitLength ADBitLen, unsigned char *tag)
-{
-    /* if |A| > 0 OR |P| = 0 then */
-    if ((ADBitLen != 0) || (dataBitLen == 0)) {
-        /* history <- A || 0 || e . history */
-        if (XoofffSANSE_AddToHistory(xp, AD, ADBitLen, 0, 1 ) != 0)
-            return 1;
-    }
-    /* if |P| > 0 then */
-    if (dataBitLen != 0) {
-        Xoofff_Instance initialHistory = xp->xoofff;
-        Xoofff_Instance newHistory;
-        /* T = 0t + FK (P || 01 || e . history) */
-        if (XoofffSANSE_AddToHistory(xp, plaintext, dataBitLen, 2, 2 ) != 0)
-            return 1;
-        newHistory = xp->xoofff;
-        if ( Xoofff_Expand(&xp->xoofff, tag, XoofffSANSE_TagLength * 8, Xoofff_FlagNone) != 0)
-            return 1;
-        /* C = P + FK (T || 11 || e . history) */
-        xp->xoofff = initialHistory;
-        if (XoofffSANSE_AddToHistory(xp, tag, XoofffSANSE_TagLength * 8, 3, 2 ) != 0)
-            return 1;
-        if (Xoofff_Expand(&xp->xoofff, ciphertext, dataBitLen, Xoofff_FlagLastPart) != 0)
-            return 1;
-        Xoofff_AddIs(ciphertext, plaintext, dataBitLen);
-        /* history = P || 01 || e . history */
-        xp->xoofff = newHistory;
-    }
-    else {
-        /* T = 0t + FK (history)  */
-        if ( Xoofff_Expand(&xp->xoofff, tag, XoofffSANSE_TagLength * 8, Xoofff_FlagNone) != 0)
-            return 1;
-    }
-    /* e = e + 1 */
-    xp->e ^= 1;
-    return 0;
-}
-int XoofffSANSE_Unwrap(XoofffSANSE_Instance *xp, const BitSequence *ciphertext, BitSequence *plaintext, BitLength dataBitLen,
-                            const BitSequence *AD, BitLength ADBitLen, const unsigned char *tag)
-{
-    unsigned char tagPrime[XoofffSANSE_TagLength];
-    /* if |A| > 0 OR |C| = 0 then */
-    if ((ADBitLen != 0) || (dataBitLen == 0)) {
-        /* history = A || 0 || e . history */
-        if (XoofffSANSE_AddToHistory(xp, AD, ADBitLen, 0, 1 ) != 0)
-            return 1;
-    }
-    /* if |C| > 0 then */
-    if (dataBitLen != 0) {
-        Xoofff_Instance initialHistory = xp->xoofff;
-        /* P = C + FK (T || 11 || e . history) */
-        if (XoofffSANSE_AddToHistory(xp, tag, XoofffSANSE_TagLength * 8, 3, 2 ) != 0)
-            return 1;
-        if (Xoofff_Expand(&xp->xoofff, plaintext, dataBitLen, Xoofff_FlagLastPart) != 0)
-            return 1;
-        Xoofff_AddIs(plaintext, ciphertext, dataBitLen);
-        /* history = P || 01 || e . history */
-        xp->xoofff = initialHistory;
-        if (XoofffSANSE_AddToHistory(xp, plaintext, dataBitLen, 2, 2 ) != 0)
-            return 1;
-    }
-    /* T' = 0t + FK (history) */
-    if ( Xoofff_Expand(&xp->xoofff, tagPrime, sizeof(tagPrime) * 8, Xoofff_FlagNone) != 0)
-        return 1;
-    /* e = e + 1 */
-    xp->e ^= 1;
-    /* if T' != T then */
-    if ( memcmp( tagPrime, tag, sizeof(tagPrime)) != 0) {
-        /* wipe P, return error! */
-        memset(plaintext, 0, (dataBitLen + 7) / 8);
-        return 1;
-    }
-    /* else return P */
-    return 0;
-}