1 1.4 christos /* $NetBSD: sha3.c,v 1.4 2024/01/19 19:32:42 christos Exp $ */ 2 1.1 riastrad 3 1.1 riastrad /*- 4 1.1 riastrad * Copyright (c) 2015 Taylor R. Campbell 5 1.1 riastrad * All rights reserved. 6 1.1 riastrad * 7 1.1 riastrad * Redistribution and use in source and binary forms, with or without 8 1.1 riastrad * modification, are permitted provided that the following conditions 9 1.1 riastrad * are met: 10 1.1 riastrad * 1. Redistributions of source code must retain the above copyright 11 1.1 riastrad * notice, this list of conditions and the following disclaimer. 12 1.1 riastrad * 2. Redistributions in binary form must reproduce the above copyright 13 1.1 riastrad * notice, this list of conditions and the following disclaimer in the 14 1.1 riastrad * documentation and/or other materials provided with the distribution. 15 1.1 riastrad * 16 1.1 riastrad * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 17 1.1 riastrad * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18 1.1 riastrad * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19 1.1 riastrad * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 20 1.1 riastrad * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21 1.1 riastrad * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22 1.1 riastrad * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23 1.1 riastrad * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24 1.1 riastrad * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25 1.1 riastrad * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26 1.1 riastrad * SUCH DAMAGE. 27 1.1 riastrad */ 28 1.1 riastrad 29 1.1 riastrad /* 30 1.3 andvar * SHA-3: FIPS-202, Permutation-Based Hash and Extendable-Output Functions 31 1.1 riastrad */ 32 1.1 riastrad 33 1.1 riastrad #if HAVE_NBTOOL_CONFIG_H 34 1.1 riastrad #include "nbtool_config.h" 35 1.1 riastrad #endif 36 1.1 riastrad 37 1.1 riastrad #include <sys/cdefs.h> 38 1.1 riastrad 39 1.1 riastrad #if defined(_KERNEL) || defined(_STANDALONE) 40 1.1 riastrad 41 1.4 christos __KERNEL_RCSID(0, "$NetBSD: sha3.c,v 1.4 2024/01/19 19:32:42 christos Exp $"); 42 1.1 riastrad #include <lib/libkern/libkern.h> 43 1.1 riastrad 44 1.1 riastrad #define SHA3_ASSERT KASSERT 45 1.1 riastrad 46 1.1 riastrad #else 47 1.1 riastrad 48 1.4 christos __RCSID("$NetBSD: sha3.c,v 1.4 2024/01/19 19:32:42 christos Exp $"); 49 1.1 riastrad 50 1.1 riastrad #include "namespace.h" 51 1.1 riastrad 52 1.1 riastrad #include <assert.h> 53 1.1 riastrad #include <string.h> 54 1.1 riastrad 55 1.1 riastrad #define SHA3_ASSERT _DIAGASSERT 56 1.1 riastrad 57 1.1 riastrad #endif 58 1.1 riastrad 59 1.1 riastrad #include <sys/endian.h> 60 1.1 riastrad #include <sys/sha3.h> 61 1.1 riastrad 62 1.1 riastrad #include "keccak.h" 63 1.1 riastrad 64 1.1 riastrad /* XXX Disabled for now -- these will be libc-private. */ 65 1.1 riastrad #if 0 && !defined(_KERNEL) && !defined(_STANDALONE) 66 1.1 riastrad #ifdef __weak_alias 67 1.1 riastrad __weak_alias(SHA3_224_Init,_SHA3_224_Init) 68 1.1 riastrad __weak_alias(SHA3_224_Update,_SHA3_224_Update) 69 1.1 riastrad __weak_alias(SHA3_224_Final,_SHA3_224_Final) 70 1.1 riastrad __weak_alias(SHA3_256_Init,_SHA3_256_Init) 71 1.1 riastrad __weak_alias(SHA3_256_Update,_SHA3_256_Update) 72 1.1 riastrad __weak_alias(SHA3_256_Final,_SHA3_256_Final) 73 1.1 riastrad __weak_alias(SHA3_384_Init,_SHA3_384_Init) 74 1.1 riastrad __weak_alias(SHA3_384_Update,_SHA3_384_Update) 75 1.1 riastrad __weak_alias(SHA3_384_Final,_SHA3_384_Final) 76 1.1 riastrad __weak_alias(SHA3_512_Init,_SHA3_512_Init) 77 1.1 riastrad __weak_alias(SHA3_512_Update,_SHA3_512_Update) 78 1.1 riastrad __weak_alias(SHA3_512_Final,_SHA3_512_Final) 79 1.1 riastrad __weak_alias(SHA3_Selftest,_SHA3_Selftest) 80 1.1 riastrad __weak_alias(SHAKE128_Init,_SHAKE128_Init) 81 1.1 riastrad __weak_alias(SHAKE128_Update,_SHAKE128_Update) 82 1.1 riastrad __weak_alias(SHAKE128_Final,_SHAKE128_Final) 83 1.1 riastrad __weak_alias(SHAKE256_Init,_SHAKE256_Init) 84 1.1 riastrad __weak_alias(SHAKE256_Update,_SHAKE256_Update) 85 1.1 riastrad __weak_alias(SHAKE256_Final,_SHAKE256_Final) 86 1.1 riastrad #endif /* __weak_alias */ 87 1.1 riastrad #endif /* kernel/standalone */ 88 1.1 riastrad 89 1.1 riastrad #define MIN(a,b) ((a) < (b) ? (a) : (b)) 90 1.2 riastrad #define arraycount(a) (sizeof(a)/sizeof((a)[0])) 91 1.1 riastrad 92 1.1 riastrad /* 93 1.1 riastrad * Common body. All the SHA-3 functions share code structure. They 94 1.1 riastrad * differ only in the size of the chunks they split the message into: 95 1.1 riastrad * for digest size d, they are split into chunks of 200 - d bytes. 96 1.1 riastrad */ 97 1.1 riastrad 98 1.1 riastrad static inline unsigned 99 1.1 riastrad sha3_rate(unsigned d) 100 1.1 riastrad { 101 1.1 riastrad const unsigned cw = 2*d/8; /* capacity in words */ 102 1.1 riastrad 103 1.1 riastrad return 25 - cw; 104 1.1 riastrad } 105 1.1 riastrad 106 1.1 riastrad static void 107 1.1 riastrad sha3_init(struct sha3 *C, unsigned rw) 108 1.1 riastrad { 109 1.1 riastrad unsigned iw; 110 1.1 riastrad 111 1.1 riastrad C->nb = 8*rw; 112 1.1 riastrad for (iw = 0; iw < 25; iw++) 113 1.1 riastrad C->A[iw] = 0; 114 1.1 riastrad } 115 1.1 riastrad 116 1.1 riastrad static void 117 1.1 riastrad sha3_update(struct sha3 *C, const uint8_t *data, size_t len, unsigned rw) 118 1.1 riastrad { 119 1.1 riastrad uint64_t T; 120 1.1 riastrad unsigned ib, iw; /* index of byte/word */ 121 1.1 riastrad 122 1.1 riastrad assert(0 < C->nb); 123 1.1 riastrad 124 1.1 riastrad /* If there's a partial word, try to fill it. */ 125 1.1 riastrad if ((C->nb % 8) != 0) { 126 1.1 riastrad T = 0; 127 1.1 riastrad for (ib = 0; ib < MIN(len, C->nb % 8); ib++) 128 1.1 riastrad T |= (uint64_t)data[ib] << (8*ib); 129 1.1 riastrad C->A[rw - (C->nb + 7)/8] ^= T << (8*(8 - (C->nb % 8))); 130 1.1 riastrad C->nb -= ib; 131 1.1 riastrad data += ib; 132 1.1 riastrad len -= ib; 133 1.1 riastrad 134 1.1 riastrad /* If we filled the buffer, permute now. */ 135 1.1 riastrad if (C->nb == 0) { 136 1.1 riastrad keccakf1600(C->A); 137 1.1 riastrad C->nb = 8*rw; 138 1.1 riastrad } 139 1.1 riastrad 140 1.1 riastrad /* If that exhausted the input, we're done. */ 141 1.1 riastrad if (len == 0) 142 1.1 riastrad return; 143 1.1 riastrad } 144 1.1 riastrad 145 1.1 riastrad /* At a word boundary. Fill any partial buffer. */ 146 1.1 riastrad assert((C->nb % 8) == 0); 147 1.1 riastrad if (C->nb < 8*rw) { 148 1.1 riastrad for (iw = 0; iw < MIN(len, C->nb)/8; iw++) 149 1.1 riastrad C->A[rw - C->nb/8 + iw] ^= le64dec(data + 8*iw); 150 1.1 riastrad C->nb -= 8*iw; 151 1.1 riastrad data += 8*iw; 152 1.1 riastrad len -= 8*iw; 153 1.1 riastrad 154 1.1 riastrad /* If we filled the buffer, permute now. */ 155 1.1 riastrad if (C->nb == 0) { 156 1.1 riastrad keccakf1600(C->A); 157 1.1 riastrad C->nb = 8*rw; 158 1.1 riastrad } else { 159 1.1 riastrad /* Otherwise, less than a word left. */ 160 1.1 riastrad assert(len < 8); 161 1.1 riastrad goto partial; 162 1.1 riastrad } 163 1.1 riastrad } 164 1.1 riastrad 165 1.1 riastrad /* At a buffer boundary. Absorb input one buffer at a time. */ 166 1.1 riastrad assert(C->nb == 8*rw); 167 1.1 riastrad while (8*rw <= len) { 168 1.1 riastrad for (iw = 0; iw < rw; iw++) 169 1.1 riastrad C->A[iw] ^= le64dec(data + 8*iw); 170 1.1 riastrad keccakf1600(C->A); 171 1.1 riastrad data += 8*rw; 172 1.1 riastrad len -= 8*rw; 173 1.1 riastrad } 174 1.1 riastrad 175 1.1 riastrad /* Partially fill the buffer with as many words as we can. */ 176 1.1 riastrad for (iw = 0; iw < len/8; iw++) 177 1.1 riastrad C->A[rw - C->nb/8 + iw] ^= le64dec(data + 8*iw); 178 1.1 riastrad C->nb -= 8*iw; 179 1.1 riastrad data += 8*iw; 180 1.1 riastrad len -= 8*iw; 181 1.1 riastrad 182 1.1 riastrad partial: 183 1.1 riastrad /* Partially fill the last word with as many bytes as we can. */ 184 1.1 riastrad assert(len < 8); 185 1.1 riastrad assert(0 < C->nb); 186 1.1 riastrad assert((C->nb % 8) == 0); 187 1.1 riastrad T = 0; 188 1.1 riastrad for (ib = 0; ib < len; ib++) 189 1.1 riastrad T |= (uint64_t)data[ib] << (8*ib); 190 1.1 riastrad C->A[rw - C->nb/8] ^= T; 191 1.1 riastrad C->nb -= ib; 192 1.1 riastrad assert(0 < C->nb); 193 1.1 riastrad } 194 1.1 riastrad 195 1.1 riastrad static void 196 1.1 riastrad sha3_final(uint8_t *h, unsigned d, struct sha3 *C, unsigned rw) 197 1.1 riastrad { 198 1.1 riastrad unsigned nw, iw; 199 1.1 riastrad 200 1.1 riastrad assert(d <= 8*25); 201 1.1 riastrad assert(0 < C->nb); 202 1.1 riastrad 203 1.1 riastrad /* Append 01, pad with 10*1 up to buffer boundary, LSB first. */ 204 1.1 riastrad nw = (C->nb + 7)/8; 205 1.1 riastrad assert(0 < nw); 206 1.1 riastrad assert(nw <= rw); 207 1.1 riastrad C->A[rw - nw] ^= (uint64_t)0x06 << (8*(8*nw - C->nb)); 208 1.1 riastrad C->A[rw - 1] ^= 0x8000000000000000ULL; 209 1.1 riastrad 210 1.1 riastrad /* Permute one last time. */ 211 1.1 riastrad keccakf1600(C->A); 212 1.1 riastrad 213 1.1 riastrad /* Reveal the first 8d bits of state, forget 1600-8d of them. */ 214 1.1 riastrad for (iw = 0; iw < d/8; iw++) 215 1.1 riastrad le64enc(h + 8*iw, C->A[iw]); 216 1.1 riastrad h += 8*iw; 217 1.1 riastrad d -= 8*iw; 218 1.1 riastrad if (0 < d) { 219 1.1 riastrad /* For SHA3-224, we need to expose a partial word. */ 220 1.1 riastrad uint64_t T = C->A[iw]; 221 1.1 riastrad do { 222 1.1 riastrad *h++ = T & 0xff; 223 1.1 riastrad T >>= 8; 224 1.1 riastrad } while (--d); 225 1.1 riastrad } 226 1.1 riastrad (void)explicit_memset(C->A, 0, sizeof C->A); 227 1.1 riastrad C->nb = 0; 228 1.1 riastrad } 229 1.1 riastrad 230 1.1 riastrad static void 231 1.4 christos shake_final(uint8_t *h, size_t d, struct sha3 *C, unsigned rw) 232 1.1 riastrad { 233 1.1 riastrad unsigned nw, iw; 234 1.1 riastrad 235 1.1 riastrad assert(0 < C->nb); 236 1.1 riastrad 237 1.1 riastrad /* Append 1111, pad with 10*1 up to buffer boundary, LSB first. */ 238 1.1 riastrad nw = (C->nb + 7)/8; 239 1.1 riastrad assert(0 < nw); 240 1.1 riastrad assert(nw <= rw); 241 1.1 riastrad C->A[rw - nw] ^= (uint64_t)0x1f << (8*(8*nw - C->nb)); 242 1.1 riastrad C->A[rw - 1] ^= 0x8000000000000000ULL; 243 1.1 riastrad 244 1.1 riastrad /* Permute, reveal first rw words of state, repeat. */ 245 1.1 riastrad while (8*rw <= d) { 246 1.1 riastrad keccakf1600(C->A); 247 1.1 riastrad for (iw = 0; iw < rw; iw++) 248 1.1 riastrad le64enc(h + 8*iw, C->A[iw]); 249 1.1 riastrad h += 8*iw; 250 1.1 riastrad d -= 8*iw; 251 1.1 riastrad } 252 1.1 riastrad 253 1.1 riastrad /* 254 1.1 riastrad * If 8*rw (the output rate in bytes) does not divide d, more 255 1.1 riastrad * words are wanted: permute again and reveal a little more. 256 1.1 riastrad */ 257 1.1 riastrad if (0 < d) { 258 1.1 riastrad keccakf1600(C->A); 259 1.1 riastrad for (iw = 0; iw < d/8; iw++) 260 1.1 riastrad le64enc(h + 8*iw, C->A[iw]); 261 1.1 riastrad h += 8*iw; 262 1.1 riastrad d -= 8*iw; 263 1.1 riastrad 264 1.1 riastrad /* 265 1.1 riastrad * If 8 does not divide d, more bytes are wanted: 266 1.1 riastrad * reveal them. 267 1.1 riastrad */ 268 1.1 riastrad if (0 < d) { 269 1.1 riastrad uint64_t T = C->A[iw]; 270 1.1 riastrad do { 271 1.1 riastrad *h++ = T & 0xff; 272 1.1 riastrad T >>= 8; 273 1.1 riastrad } while (--d); 274 1.1 riastrad } 275 1.1 riastrad } 276 1.1 riastrad 277 1.1 riastrad (void)explicit_memset(C->A, 0, sizeof C->A); 278 1.1 riastrad C->nb = 0; 279 1.1 riastrad } 280 1.1 riastrad 281 1.1 riastrad void 282 1.1 riastrad SHA3_224_Init(SHA3_224_CTX *C) 283 1.1 riastrad { 284 1.1 riastrad 285 1.1 riastrad sha3_init(&C->C224, sha3_rate(SHA3_224_DIGEST_LENGTH)); 286 1.1 riastrad } 287 1.1 riastrad 288 1.1 riastrad void 289 1.1 riastrad SHA3_224_Update(SHA3_224_CTX *C, const uint8_t *data, size_t len) 290 1.1 riastrad { 291 1.1 riastrad 292 1.1 riastrad sha3_update(&C->C224, data, len, sha3_rate(SHA3_224_DIGEST_LENGTH)); 293 1.1 riastrad } 294 1.1 riastrad 295 1.1 riastrad void 296 1.1 riastrad SHA3_224_Final(uint8_t h[SHA3_224_DIGEST_LENGTH], SHA3_224_CTX *C) 297 1.1 riastrad { 298 1.1 riastrad 299 1.1 riastrad sha3_final(h, SHA3_224_DIGEST_LENGTH, &C->C224, 300 1.1 riastrad sha3_rate(SHA3_224_DIGEST_LENGTH)); 301 1.1 riastrad } 302 1.1 riastrad 303 1.1 riastrad void 304 1.1 riastrad SHA3_256_Init(SHA3_256_CTX *C) 305 1.1 riastrad { 306 1.1 riastrad 307 1.1 riastrad sha3_init(&C->C256, sha3_rate(SHA3_256_DIGEST_LENGTH)); 308 1.1 riastrad } 309 1.1 riastrad 310 1.1 riastrad void 311 1.1 riastrad SHA3_256_Update(SHA3_256_CTX *C, const uint8_t *data, size_t len) 312 1.1 riastrad { 313 1.1 riastrad 314 1.1 riastrad sha3_update(&C->C256, data, len, sha3_rate(SHA3_256_DIGEST_LENGTH)); 315 1.1 riastrad } 316 1.1 riastrad 317 1.1 riastrad void 318 1.1 riastrad SHA3_256_Final(uint8_t h[SHA3_256_DIGEST_LENGTH], SHA3_256_CTX *C) 319 1.1 riastrad { 320 1.1 riastrad 321 1.1 riastrad sha3_final(h, SHA3_256_DIGEST_LENGTH, &C->C256, 322 1.1 riastrad sha3_rate(SHA3_256_DIGEST_LENGTH)); 323 1.1 riastrad } 324 1.1 riastrad 325 1.1 riastrad void 326 1.1 riastrad SHA3_384_Init(SHA3_384_CTX *C) 327 1.1 riastrad { 328 1.1 riastrad 329 1.1 riastrad sha3_init(&C->C384, sha3_rate(SHA3_384_DIGEST_LENGTH)); 330 1.1 riastrad } 331 1.1 riastrad 332 1.1 riastrad void 333 1.1 riastrad SHA3_384_Update(SHA3_384_CTX *C, const uint8_t *data, size_t len) 334 1.1 riastrad { 335 1.1 riastrad 336 1.1 riastrad sha3_update(&C->C384, data, len, sha3_rate(SHA3_384_DIGEST_LENGTH)); 337 1.1 riastrad } 338 1.1 riastrad 339 1.1 riastrad void 340 1.1 riastrad SHA3_384_Final(uint8_t h[SHA3_384_DIGEST_LENGTH], SHA3_384_CTX *C) 341 1.1 riastrad { 342 1.1 riastrad 343 1.1 riastrad sha3_final(h, SHA3_384_DIGEST_LENGTH, &C->C384, 344 1.1 riastrad sha3_rate(SHA3_384_DIGEST_LENGTH)); 345 1.1 riastrad } 346 1.1 riastrad 347 1.1 riastrad void 348 1.1 riastrad SHA3_512_Init(SHA3_512_CTX *C) 349 1.1 riastrad { 350 1.1 riastrad 351 1.1 riastrad sha3_init(&C->C512, sha3_rate(SHA3_512_DIGEST_LENGTH)); 352 1.1 riastrad } 353 1.1 riastrad 354 1.1 riastrad void 355 1.1 riastrad SHA3_512_Update(SHA3_512_CTX *C, const uint8_t *data, size_t len) 356 1.1 riastrad { 357 1.1 riastrad 358 1.1 riastrad sha3_update(&C->C512, data, len, sha3_rate(SHA3_512_DIGEST_LENGTH)); 359 1.1 riastrad } 360 1.1 riastrad 361 1.1 riastrad void 362 1.1 riastrad SHA3_512_Final(uint8_t h[SHA3_512_DIGEST_LENGTH], SHA3_512_CTX *C) 363 1.1 riastrad { 364 1.1 riastrad 365 1.1 riastrad sha3_final(h, SHA3_512_DIGEST_LENGTH, &C->C512, 366 1.1 riastrad sha3_rate(SHA3_512_DIGEST_LENGTH)); 367 1.1 riastrad } 368 1.1 riastrad 369 1.1 riastrad void 370 1.1 riastrad SHAKE128_Init(SHAKE128_CTX *C) 371 1.1 riastrad { 372 1.1 riastrad 373 1.1 riastrad sha3_init(&C->C128, sha3_rate(128/8)); 374 1.1 riastrad } 375 1.1 riastrad 376 1.1 riastrad void 377 1.1 riastrad SHAKE128_Update(SHAKE128_CTX *C, const uint8_t *data, size_t len) 378 1.1 riastrad { 379 1.1 riastrad 380 1.1 riastrad sha3_update(&C->C128, data, len, sha3_rate(128/8)); 381 1.1 riastrad } 382 1.1 riastrad 383 1.1 riastrad void 384 1.1 riastrad SHAKE128_Final(uint8_t *h, size_t d, SHAKE128_CTX *C) 385 1.1 riastrad { 386 1.1 riastrad 387 1.1 riastrad shake_final(h, d, &C->C128, sha3_rate(128/8)); 388 1.1 riastrad } 389 1.1 riastrad 390 1.1 riastrad void 391 1.1 riastrad SHAKE256_Init(SHAKE256_CTX *C) 392 1.1 riastrad { 393 1.1 riastrad 394 1.1 riastrad sha3_init(&C->C256, sha3_rate(256/8)); 395 1.1 riastrad } 396 1.1 riastrad 397 1.1 riastrad void 398 1.1 riastrad SHAKE256_Update(SHAKE256_CTX *C, const uint8_t *data, size_t len) 399 1.1 riastrad { 400 1.1 riastrad 401 1.1 riastrad sha3_update(&C->C256, data, len, sha3_rate(256/8)); 402 1.1 riastrad } 403 1.1 riastrad 404 1.1 riastrad void 405 1.1 riastrad SHAKE256_Final(uint8_t *h, size_t d, SHAKE256_CTX *C) 406 1.1 riastrad { 407 1.1 riastrad 408 1.1 riastrad shake_final(h, d, &C->C256, sha3_rate(256/8)); 409 1.1 riastrad } 410 1.1 riastrad 411 1.1 riastrad static void 412 1.1 riastrad sha3_selftest_prng(void *buf, size_t len, uint32_t seed) 413 1.1 riastrad { 414 1.1 riastrad uint8_t *p = buf; 415 1.1 riastrad size_t n = len; 416 1.1 riastrad uint32_t t, a, b; 417 1.1 riastrad 418 1.1 riastrad a = 0xdead4bad * seed; 419 1.1 riastrad b = 1; 420 1.1 riastrad 421 1.1 riastrad while (n--) { 422 1.1 riastrad t = a + b; 423 1.1 riastrad *p++ = t >> 24; 424 1.1 riastrad a = b; 425 1.1 riastrad b = t; 426 1.1 riastrad } 427 1.1 riastrad } 428 1.1 riastrad 429 1.1 riastrad int 430 1.1 riastrad SHA3_Selftest(void) 431 1.1 riastrad { 432 1.2 riastrad static const uint8_t d224_0[] = { /* SHA3-224(0-bit) */ 433 1.1 riastrad 0x6b,0x4e,0x03,0x42,0x36,0x67,0xdb,0xb7, 434 1.1 riastrad 0x3b,0x6e,0x15,0x45,0x4f,0x0e,0xb1,0xab, 435 1.1 riastrad 0xd4,0x59,0x7f,0x9a,0x1b,0x07,0x8e,0x3f, 436 1.1 riastrad 0x5b,0x5a,0x6b,0xc7, 437 1.1 riastrad }; 438 1.2 riastrad static const uint8_t d256_0[] = { /* SHA3-256(0-bit) */ 439 1.1 riastrad 0xa7,0xff,0xc6,0xf8,0xbf,0x1e,0xd7,0x66, 440 1.1 riastrad 0x51,0xc1,0x47,0x56,0xa0,0x61,0xd6,0x62, 441 1.1 riastrad 0xf5,0x80,0xff,0x4d,0xe4,0x3b,0x49,0xfa, 442 1.1 riastrad 0x82,0xd8,0x0a,0x4b,0x80,0xf8,0x43,0x4a, 443 1.1 riastrad }; 444 1.2 riastrad static const uint8_t d384_0[] = { /* SHA3-384(0-bit) */ 445 1.1 riastrad 0x0c,0x63,0xa7,0x5b,0x84,0x5e,0x4f,0x7d, 446 1.1 riastrad 0x01,0x10,0x7d,0x85,0x2e,0x4c,0x24,0x85, 447 1.1 riastrad 0xc5,0x1a,0x50,0xaa,0xaa,0x94,0xfc,0x61, 448 1.1 riastrad 0x99,0x5e,0x71,0xbb,0xee,0x98,0x3a,0x2a, 449 1.1 riastrad 0xc3,0x71,0x38,0x31,0x26,0x4a,0xdb,0x47, 450 1.1 riastrad 0xfb,0x6b,0xd1,0xe0,0x58,0xd5,0xf0,0x04, 451 1.1 riastrad }; 452 1.2 riastrad static const uint8_t d512_0[] = { /* SHA3-512(0-bit) */ 453 1.1 riastrad 0xa6,0x9f,0x73,0xcc,0xa2,0x3a,0x9a,0xc5, 454 1.1 riastrad 0xc8,0xb5,0x67,0xdc,0x18,0x5a,0x75,0x6e, 455 1.1 riastrad 0x97,0xc9,0x82,0x16,0x4f,0xe2,0x58,0x59, 456 1.1 riastrad 0xe0,0xd1,0xdc,0xc1,0x47,0x5c,0x80,0xa6, 457 1.1 riastrad 0x15,0xb2,0x12,0x3a,0xf1,0xf5,0xf9,0x4c, 458 1.1 riastrad 0x11,0xe3,0xe9,0x40,0x2c,0x3a,0xc5,0x58, 459 1.1 riastrad 0xf5,0x00,0x19,0x9d,0x95,0xb6,0xd3,0xe3, 460 1.1 riastrad 0x01,0x75,0x85,0x86,0x28,0x1d,0xcd,0x26, 461 1.1 riastrad }; 462 1.2 riastrad static const uint8_t shake128_0_41[] = { /* SHAKE128(0-bit, 41) */ 463 1.1 riastrad 0x7f,0x9c,0x2b,0xa4,0xe8,0x8f,0x82,0x7d, 464 1.1 riastrad 0x61,0x60,0x45,0x50,0x76,0x05,0x85,0x3e, 465 1.1 riastrad 0xd7,0x3b,0x80,0x93,0xf6,0xef,0xbc,0x88, 466 1.1 riastrad 0xeb,0x1a,0x6e,0xac,0xfa,0x66,0xef,0x26, 467 1.1 riastrad 0x3c,0xb1,0xee,0xa9,0x88,0x00,0x4b,0x93,0x10, 468 1.1 riastrad }; 469 1.2 riastrad static const uint8_t shake256_0_73[] = { /* SHAKE256(0-bit, 73) */ 470 1.1 riastrad 0x46,0xb9,0xdd,0x2b,0x0b,0xa8,0x8d,0x13, 471 1.1 riastrad 0x23,0x3b,0x3f,0xeb,0x74,0x3e,0xeb,0x24, 472 1.1 riastrad 0x3f,0xcd,0x52,0xea,0x62,0xb8,0x1b,0x82, 473 1.1 riastrad 0xb5,0x0c,0x27,0x64,0x6e,0xd5,0x76,0x2f, 474 1.1 riastrad 0xd7,0x5d,0xc4,0xdd,0xd8,0xc0,0xf2,0x00, 475 1.1 riastrad 0xcb,0x05,0x01,0x9d,0x67,0xb5,0x92,0xf6, 476 1.1 riastrad 0xfc,0x82,0x1c,0x49,0x47,0x9a,0xb4,0x86, 477 1.1 riastrad 0x40,0x29,0x2e,0xac,0xb3,0xb7,0xc4,0xbe, 478 1.1 riastrad 0x14,0x1e,0x96,0x61,0x6f,0xb1,0x39,0x57,0x69, 479 1.1 riastrad }; 480 1.2 riastrad static const uint8_t d224_1600[] = { /* SHA3-224(200 * 0xa3) */ 481 1.1 riastrad 0x93,0x76,0x81,0x6a,0xba,0x50,0x3f,0x72, 482 1.1 riastrad 0xf9,0x6c,0xe7,0xeb,0x65,0xac,0x09,0x5d, 483 1.1 riastrad 0xee,0xe3,0xbe,0x4b,0xf9,0xbb,0xc2,0xa1, 484 1.1 riastrad 0xcb,0x7e,0x11,0xe0, 485 1.1 riastrad }; 486 1.2 riastrad static const uint8_t d256_1600[] = { /* SHA3-256(200 * 0xa3) */ 487 1.1 riastrad 0x79,0xf3,0x8a,0xde,0xc5,0xc2,0x03,0x07, 488 1.1 riastrad 0xa9,0x8e,0xf7,0x6e,0x83,0x24,0xaf,0xbf, 489 1.1 riastrad 0xd4,0x6c,0xfd,0x81,0xb2,0x2e,0x39,0x73, 490 1.1 riastrad 0xc6,0x5f,0xa1,0xbd,0x9d,0xe3,0x17,0x87, 491 1.1 riastrad }; 492 1.2 riastrad static const uint8_t d384_1600[] = { /* SHA3-384(200 * 0xa3) */ 493 1.1 riastrad 0x18,0x81,0xde,0x2c,0xa7,0xe4,0x1e,0xf9, 494 1.1 riastrad 0x5d,0xc4,0x73,0x2b,0x8f,0x5f,0x00,0x2b, 495 1.1 riastrad 0x18,0x9c,0xc1,0xe4,0x2b,0x74,0x16,0x8e, 496 1.1 riastrad 0xd1,0x73,0x26,0x49,0xce,0x1d,0xbc,0xdd, 497 1.1 riastrad 0x76,0x19,0x7a,0x31,0xfd,0x55,0xee,0x98, 498 1.1 riastrad 0x9f,0x2d,0x70,0x50,0xdd,0x47,0x3e,0x8f, 499 1.1 riastrad }; 500 1.2 riastrad static const uint8_t d512_1600[] = { /* SHA3-512(200 * 0xa3) */ 501 1.1 riastrad 0xe7,0x6d,0xfa,0xd2,0x20,0x84,0xa8,0xb1, 502 1.1 riastrad 0x46,0x7f,0xcf,0x2f,0xfa,0x58,0x36,0x1b, 503 1.1 riastrad 0xec,0x76,0x28,0xed,0xf5,0xf3,0xfd,0xc0, 504 1.1 riastrad 0xe4,0x80,0x5d,0xc4,0x8c,0xae,0xec,0xa8, 505 1.1 riastrad 0x1b,0x7c,0x13,0xc3,0x0a,0xdf,0x52,0xa3, 506 1.1 riastrad 0x65,0x95,0x84,0x73,0x9a,0x2d,0xf4,0x6b, 507 1.1 riastrad 0xe5,0x89,0xc5,0x1c,0xa1,0xa4,0xa8,0x41, 508 1.1 riastrad 0x6d,0xf6,0x54,0x5a,0x1c,0xe8,0xba,0x00, 509 1.1 riastrad }; 510 1.2 riastrad static const uint8_t shake128_1600_41[] = { 511 1.2 riastrad /* SHAKE128(200 * 0xa3, 41) */ 512 1.1 riastrad 0x13,0x1a,0xb8,0xd2,0xb5,0x94,0x94,0x6b, 513 1.1 riastrad 0x9c,0x81,0x33,0x3f,0x9b,0xb6,0xe0,0xce, 514 1.1 riastrad 0x75,0xc3,0xb9,0x31,0x04,0xfa,0x34,0x69, 515 1.1 riastrad 0xd3,0x91,0x74,0x57,0x38,0x5d,0xa0,0x37, 516 1.1 riastrad 0xcf,0x23,0x2e,0xf7,0x16,0x4a,0x6d,0x1e,0xb4, 517 1.1 riastrad }; 518 1.2 riastrad static const uint8_t shake256_1600_73[] = { 519 1.2 riastrad /* SHAKE256(200 * 0xa3, 73) */ 520 1.1 riastrad 0xcd,0x8a,0x92,0x0e,0xd1,0x41,0xaa,0x04, 521 1.1 riastrad 0x07,0xa2,0x2d,0x59,0x28,0x86,0x52,0xe9, 522 1.1 riastrad 0xd9,0xf1,0xa7,0xee,0x0c,0x1e,0x7c,0x1c, 523 1.1 riastrad 0xa6,0x99,0x42,0x4d,0xa8,0x4a,0x90,0x4d, 524 1.1 riastrad 0x2d,0x70,0x0c,0xaa,0xe7,0x39,0x6e,0xce, 525 1.1 riastrad 0x96,0x60,0x44,0x40,0x57,0x7d,0xa4,0xf3, 526 1.1 riastrad 0xaa,0x22,0xae,0xb8,0x85,0x7f,0x96,0x1c, 527 1.1 riastrad 0x4c,0xd8,0xe0,0x6f,0x0a,0xe6,0x61,0x0b, 528 1.1 riastrad 0x10,0x48,0xa7,0xf6,0x4e,0x10,0x74,0xcd,0x62, 529 1.1 riastrad }; 530 1.2 riastrad static const uint8_t d0[] = { 531 1.2 riastrad 0x5d,0x3e,0x45,0xdd,0x9b,0x6b,0xda,0xf8, 532 1.2 riastrad 0xe6,0xe6,0xb8,0x72,0xfb,0xc5,0x0d,0x0a, 533 1.2 riastrad 0x4f,0x52,0x65,0xb4,0x11,0xf1,0xa1,0x0c, 534 1.2 riastrad 0x00,0xa4,0x74,0x6c,0x0f,0xc0,0xdc,0xe0, 535 1.2 riastrad 0x97,0x73,0xd6,0x70,0xaf,0xd4,0x64,0x0b, 536 1.2 riastrad 0x8c,0x52,0x32,0x4c,0x87,0x8c,0xfa,0x4a, 537 1.2 riastrad 0xdc,0x11,0x66,0x91,0x66,0x5a,0x1e,0xa4, 538 1.2 riastrad 0xd6,0x69,0x97,0xc7,0xcb,0xe2,0x73,0xca, 539 1.2 riastrad }; 540 1.2 riastrad static const unsigned mlen[] = { 0, 3, 128, 129, 255 }; 541 1.2 riastrad uint8_t m[255], d[73]; 542 1.2 riastrad struct sha3 sha3; 543 1.2 riastrad SHA3_224_CTX *sha3224 = (SHA3_224_CTX *)&sha3; 544 1.2 riastrad SHA3_256_CTX *sha3256 = (SHA3_256_CTX *)&sha3; 545 1.2 riastrad SHA3_384_CTX *sha3384 = (SHA3_384_CTX *)&sha3; 546 1.2 riastrad SHA3_512_CTX *sha3512 = (SHA3_512_CTX *)&sha3; 547 1.2 riastrad SHAKE128_CTX *shake128 = (SHAKE128_CTX *)&sha3; 548 1.2 riastrad SHAKE256_CTX *shake256 = (SHAKE256_CTX *)&sha3; 549 1.1 riastrad SHA3_512_CTX ctx; 550 1.1 riastrad unsigned mi; 551 1.1 riastrad 552 1.1 riastrad /* 553 1.1 riastrad * NIST test vectors from 554 1.1 riastrad * <http://csrc.nist.gov/groups/ST/toolkit/examples.html#aHashing>: 555 1.1 riastrad * 0-bit, 1600-bit repeated 0xa3 (= 0b10100011). 556 1.1 riastrad */ 557 1.2 riastrad SHA3_224_Init(sha3224); 558 1.2 riastrad SHA3_224_Final(d, sha3224); 559 1.1 riastrad if (memcmp(d, d224_0, 28) != 0) 560 1.1 riastrad return -1; 561 1.2 riastrad SHA3_256_Init(sha3256); 562 1.2 riastrad SHA3_256_Final(d, sha3256); 563 1.1 riastrad if (memcmp(d, d256_0, 32) != 0) 564 1.1 riastrad return -1; 565 1.2 riastrad SHA3_384_Init(sha3384); 566 1.2 riastrad SHA3_384_Final(d, sha3384); 567 1.1 riastrad if (memcmp(d, d384_0, 48) != 0) 568 1.1 riastrad return -1; 569 1.2 riastrad SHA3_512_Init(sha3512); 570 1.2 riastrad SHA3_512_Final(d, sha3512); 571 1.1 riastrad if (memcmp(d, d512_0, 64) != 0) 572 1.1 riastrad return -1; 573 1.2 riastrad SHAKE128_Init(shake128); 574 1.2 riastrad SHAKE128_Final(d, 41, shake128); 575 1.1 riastrad if (memcmp(d, shake128_0_41, 41) != 0) 576 1.1 riastrad return -1; 577 1.2 riastrad SHAKE256_Init(shake256); 578 1.2 riastrad SHAKE256_Final(d, 73, shake256); 579 1.1 riastrad if (memcmp(d, shake256_0_73, 73) != 0) 580 1.1 riastrad return -1; 581 1.1 riastrad 582 1.1 riastrad (void)memset(m, 0xa3, 200); 583 1.2 riastrad SHA3_224_Init(sha3224); 584 1.2 riastrad SHA3_224_Update(sha3224, m, 200); 585 1.2 riastrad SHA3_224_Final(d, sha3224); 586 1.1 riastrad if (memcmp(d, d224_1600, 28) != 0) 587 1.1 riastrad return -1; 588 1.2 riastrad SHA3_256_Init(sha3256); 589 1.2 riastrad SHA3_256_Update(sha3256, m, 200); 590 1.2 riastrad SHA3_256_Final(d, sha3256); 591 1.1 riastrad if (memcmp(d, d256_1600, 32) != 0) 592 1.1 riastrad return -1; 593 1.2 riastrad SHA3_384_Init(sha3384); 594 1.2 riastrad SHA3_384_Update(sha3384, m, 200); 595 1.2 riastrad SHA3_384_Final(d, sha3384); 596 1.1 riastrad if (memcmp(d, d384_1600, 48) != 0) 597 1.1 riastrad return -1; 598 1.2 riastrad SHA3_512_Init(sha3512); 599 1.2 riastrad SHA3_512_Update(sha3512, m, 200); 600 1.2 riastrad SHA3_512_Final(d, sha3512); 601 1.1 riastrad if (memcmp(d, d512_1600, 64) != 0) 602 1.1 riastrad return -1; 603 1.2 riastrad SHAKE128_Init(shake128); 604 1.2 riastrad SHAKE128_Update(shake128, m, 200); 605 1.2 riastrad SHAKE128_Final(d, 41, shake128); 606 1.1 riastrad if (memcmp(d, shake128_1600_41, 41) != 0) 607 1.1 riastrad return -1; 608 1.2 riastrad SHAKE256_Init(shake256); 609 1.2 riastrad SHAKE256_Update(shake256, m, 200); 610 1.2 riastrad SHAKE256_Final(d, 73, shake256); 611 1.1 riastrad if (memcmp(d, shake256_1600_73, 73) != 0) 612 1.1 riastrad return -1; 613 1.1 riastrad 614 1.1 riastrad /* 615 1.1 riastrad * Hand-crufted test vectors with unaligned message lengths. 616 1.1 riastrad */ 617 1.1 riastrad SHA3_512_Init(&ctx); 618 1.2 riastrad for (mi = 0; mi < arraycount(mlen); mi++) { 619 1.1 riastrad sha3_selftest_prng(m, mlen[mi], (224/8)*mlen[mi]); 620 1.2 riastrad SHA3_224_Init(sha3224); 621 1.2 riastrad SHA3_224_Update(sha3224, m, mlen[mi]); 622 1.2 riastrad SHA3_224_Final(d, sha3224); 623 1.1 riastrad SHA3_512_Update(&ctx, d, 224/8); 624 1.1 riastrad } 625 1.2 riastrad for (mi = 0; mi < arraycount(mlen); mi++) { 626 1.1 riastrad sha3_selftest_prng(m, mlen[mi], (256/8)*mlen[mi]); 627 1.2 riastrad SHA3_256_Init(sha3256); 628 1.2 riastrad SHA3_256_Update(sha3256, m, mlen[mi]); 629 1.2 riastrad SHA3_256_Final(d, sha3256); 630 1.1 riastrad SHA3_512_Update(&ctx, d, 256/8); 631 1.1 riastrad } 632 1.2 riastrad for (mi = 0; mi < arraycount(mlen); mi++) { 633 1.1 riastrad sha3_selftest_prng(m, mlen[mi], (384/8)*mlen[mi]); 634 1.2 riastrad SHA3_384_Init(sha3384); 635 1.2 riastrad SHA3_384_Update(sha3384, m, mlen[mi]); 636 1.2 riastrad SHA3_384_Final(d, sha3384); 637 1.1 riastrad SHA3_512_Update(&ctx, d, 384/8); 638 1.1 riastrad } 639 1.2 riastrad for (mi = 0; mi < arraycount(mlen); mi++) { 640 1.1 riastrad sha3_selftest_prng(m, mlen[mi], (512/8)*mlen[mi]); 641 1.2 riastrad SHA3_512_Init(sha3512); 642 1.2 riastrad SHA3_512_Update(sha3512, m, mlen[mi]); 643 1.2 riastrad SHA3_512_Final(d, sha3512); 644 1.1 riastrad SHA3_512_Update(&ctx, d, 512/8); 645 1.1 riastrad } 646 1.1 riastrad SHA3_512_Final(d, &ctx); 647 1.1 riastrad if (memcmp(d, d0, 64) != 0) 648 1.1 riastrad return -1; 649 1.1 riastrad 650 1.1 riastrad return 0; 651 1.1 riastrad } 652