Home | History | Annotate | Line # | Download | only in sha3
      1  1.4  christos /*	$NetBSD: sha3.c,v 1.4 2024/01/19 19:32:42 christos Exp $	*/
      2  1.1  riastrad 
      3  1.1  riastrad /*-
      4  1.1  riastrad  * Copyright (c) 2015 Taylor R. Campbell
      5  1.1  riastrad  * All rights reserved.
      6  1.1  riastrad  *
      7  1.1  riastrad  * Redistribution and use in source and binary forms, with or without
      8  1.1  riastrad  * modification, are permitted provided that the following conditions
      9  1.1  riastrad  * are met:
     10  1.1  riastrad  * 1. Redistributions of source code must retain the above copyright
     11  1.1  riastrad  *    notice, this list of conditions and the following disclaimer.
     12  1.1  riastrad  * 2. Redistributions in binary form must reproduce the above copyright
     13  1.1  riastrad  *    notice, this list of conditions and the following disclaimer in the
     14  1.1  riastrad  *    documentation and/or other materials provided with the distribution.
     15  1.1  riastrad  *
     16  1.1  riastrad  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
     17  1.1  riastrad  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
     18  1.1  riastrad  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
     19  1.1  riastrad  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
     20  1.1  riastrad  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
     21  1.1  riastrad  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
     22  1.1  riastrad  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
     23  1.1  riastrad  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
     24  1.1  riastrad  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
     25  1.1  riastrad  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
     26  1.1  riastrad  * SUCH DAMAGE.
     27  1.1  riastrad  */
     28  1.1  riastrad 
     29  1.1  riastrad /*
     30  1.3    andvar  * SHA-3: FIPS-202, Permutation-Based Hash and Extendable-Output Functions
     31  1.1  riastrad  */
     32  1.1  riastrad 
     33  1.1  riastrad #if HAVE_NBTOOL_CONFIG_H
     34  1.1  riastrad #include "nbtool_config.h"
     35  1.1  riastrad #endif
     36  1.1  riastrad 
     37  1.1  riastrad #include <sys/cdefs.h>
     38  1.1  riastrad 
     39  1.1  riastrad #if defined(_KERNEL) || defined(_STANDALONE)
     40  1.1  riastrad 
     41  1.4  christos __KERNEL_RCSID(0, "$NetBSD: sha3.c,v 1.4 2024/01/19 19:32:42 christos Exp $");
     42  1.1  riastrad #include <lib/libkern/libkern.h>
     43  1.1  riastrad 
     44  1.1  riastrad #define	SHA3_ASSERT	KASSERT
     45  1.1  riastrad 
     46  1.1  riastrad #else
     47  1.1  riastrad 
     48  1.4  christos __RCSID("$NetBSD: sha3.c,v 1.4 2024/01/19 19:32:42 christos Exp $");
     49  1.1  riastrad 
     50  1.1  riastrad #include "namespace.h"
     51  1.1  riastrad 
     52  1.1  riastrad #include <assert.h>
     53  1.1  riastrad #include <string.h>
     54  1.1  riastrad 
     55  1.1  riastrad #define	SHA3_ASSERT	_DIAGASSERT
     56  1.1  riastrad 
     57  1.1  riastrad #endif
     58  1.1  riastrad 
     59  1.1  riastrad #include <sys/endian.h>
     60  1.1  riastrad #include <sys/sha3.h>
     61  1.1  riastrad 
     62  1.1  riastrad #include "keccak.h"
     63  1.1  riastrad 
     64  1.1  riastrad /* XXX Disabled for now -- these will be libc-private.  */
     65  1.1  riastrad #if 0 && !defined(_KERNEL) && !defined(_STANDALONE)
     66  1.1  riastrad #ifdef __weak_alias
     67  1.1  riastrad __weak_alias(SHA3_224_Init,_SHA3_224_Init)
     68  1.1  riastrad __weak_alias(SHA3_224_Update,_SHA3_224_Update)
     69  1.1  riastrad __weak_alias(SHA3_224_Final,_SHA3_224_Final)
     70  1.1  riastrad __weak_alias(SHA3_256_Init,_SHA3_256_Init)
     71  1.1  riastrad __weak_alias(SHA3_256_Update,_SHA3_256_Update)
     72  1.1  riastrad __weak_alias(SHA3_256_Final,_SHA3_256_Final)
     73  1.1  riastrad __weak_alias(SHA3_384_Init,_SHA3_384_Init)
     74  1.1  riastrad __weak_alias(SHA3_384_Update,_SHA3_384_Update)
     75  1.1  riastrad __weak_alias(SHA3_384_Final,_SHA3_384_Final)
     76  1.1  riastrad __weak_alias(SHA3_512_Init,_SHA3_512_Init)
     77  1.1  riastrad __weak_alias(SHA3_512_Update,_SHA3_512_Update)
     78  1.1  riastrad __weak_alias(SHA3_512_Final,_SHA3_512_Final)
     79  1.1  riastrad __weak_alias(SHA3_Selftest,_SHA3_Selftest)
     80  1.1  riastrad __weak_alias(SHAKE128_Init,_SHAKE128_Init)
     81  1.1  riastrad __weak_alias(SHAKE128_Update,_SHAKE128_Update)
     82  1.1  riastrad __weak_alias(SHAKE128_Final,_SHAKE128_Final)
     83  1.1  riastrad __weak_alias(SHAKE256_Init,_SHAKE256_Init)
     84  1.1  riastrad __weak_alias(SHAKE256_Update,_SHAKE256_Update)
     85  1.1  riastrad __weak_alias(SHAKE256_Final,_SHAKE256_Final)
     86  1.1  riastrad #endif	/* __weak_alias */
     87  1.1  riastrad #endif	/* kernel/standalone */
     88  1.1  riastrad 
     89  1.1  riastrad #define	MIN(a,b)	((a) < (b) ? (a) : (b))
     90  1.2  riastrad #define	arraycount(a)	(sizeof(a)/sizeof((a)[0]))
     91  1.1  riastrad 
     92  1.1  riastrad /*
     93  1.1  riastrad  * Common body.  All the SHA-3 functions share code structure.  They
     94  1.1  riastrad  * differ only in the size of the chunks they split the message into:
     95  1.1  riastrad  * for digest size d, they are split into chunks of 200 - d bytes.
     96  1.1  riastrad  */
     97  1.1  riastrad 
     98  1.1  riastrad static inline unsigned
     99  1.1  riastrad sha3_rate(unsigned d)
    100  1.1  riastrad {
    101  1.1  riastrad 	const unsigned cw = 2*d/8;	/* capacity in words */
    102  1.1  riastrad 
    103  1.1  riastrad 	return 25 - cw;
    104  1.1  riastrad }
    105  1.1  riastrad 
    106  1.1  riastrad static void
    107  1.1  riastrad sha3_init(struct sha3 *C, unsigned rw)
    108  1.1  riastrad {
    109  1.1  riastrad 	unsigned iw;
    110  1.1  riastrad 
    111  1.1  riastrad 	C->nb = 8*rw;
    112  1.1  riastrad 	for (iw = 0; iw < 25; iw++)
    113  1.1  riastrad 		C->A[iw] = 0;
    114  1.1  riastrad }
    115  1.1  riastrad 
    116  1.1  riastrad static void
    117  1.1  riastrad sha3_update(struct sha3 *C, const uint8_t *data, size_t len, unsigned rw)
    118  1.1  riastrad {
    119  1.1  riastrad 	uint64_t T;
    120  1.1  riastrad 	unsigned ib, iw;		/* index of byte/word */
    121  1.1  riastrad 
    122  1.1  riastrad 	assert(0 < C->nb);
    123  1.1  riastrad 
    124  1.1  riastrad 	/* If there's a partial word, try to fill it.  */
    125  1.1  riastrad 	if ((C->nb % 8) != 0) {
    126  1.1  riastrad 		T = 0;
    127  1.1  riastrad 		for (ib = 0; ib < MIN(len, C->nb % 8); ib++)
    128  1.1  riastrad 			T |= (uint64_t)data[ib] << (8*ib);
    129  1.1  riastrad 		C->A[rw - (C->nb + 7)/8] ^= T << (8*(8 - (C->nb % 8)));
    130  1.1  riastrad 		C->nb -= ib;
    131  1.1  riastrad 		data += ib;
    132  1.1  riastrad 		len -= ib;
    133  1.1  riastrad 
    134  1.1  riastrad 		/* If we filled the buffer, permute now.  */
    135  1.1  riastrad 		if (C->nb == 0) {
    136  1.1  riastrad 			keccakf1600(C->A);
    137  1.1  riastrad 			C->nb = 8*rw;
    138  1.1  riastrad 		}
    139  1.1  riastrad 
    140  1.1  riastrad 		/* If that exhausted the input, we're done.  */
    141  1.1  riastrad 		if (len == 0)
    142  1.1  riastrad 			return;
    143  1.1  riastrad 	}
    144  1.1  riastrad 
    145  1.1  riastrad 	/* At a word boundary.  Fill any partial buffer.  */
    146  1.1  riastrad 	assert((C->nb % 8) == 0);
    147  1.1  riastrad 	if (C->nb < 8*rw) {
    148  1.1  riastrad 		for (iw = 0; iw < MIN(len, C->nb)/8; iw++)
    149  1.1  riastrad 			C->A[rw - C->nb/8 + iw] ^= le64dec(data + 8*iw);
    150  1.1  riastrad 		C->nb -= 8*iw;
    151  1.1  riastrad 		data += 8*iw;
    152  1.1  riastrad 		len -= 8*iw;
    153  1.1  riastrad 
    154  1.1  riastrad 		/* If we filled the buffer, permute now.  */
    155  1.1  riastrad 		if (C->nb == 0) {
    156  1.1  riastrad 			keccakf1600(C->A);
    157  1.1  riastrad 			C->nb = 8*rw;
    158  1.1  riastrad 		} else {
    159  1.1  riastrad 			/* Otherwise, less than a word left.  */
    160  1.1  riastrad 			assert(len < 8);
    161  1.1  riastrad 			goto partial;
    162  1.1  riastrad 		}
    163  1.1  riastrad 	}
    164  1.1  riastrad 
    165  1.1  riastrad 	/* At a buffer boundary.  Absorb input one buffer at a time.  */
    166  1.1  riastrad 	assert(C->nb == 8*rw);
    167  1.1  riastrad 	while (8*rw <= len) {
    168  1.1  riastrad 		for (iw = 0; iw < rw; iw++)
    169  1.1  riastrad 			C->A[iw] ^= le64dec(data + 8*iw);
    170  1.1  riastrad 		keccakf1600(C->A);
    171  1.1  riastrad 		data += 8*rw;
    172  1.1  riastrad 		len -= 8*rw;
    173  1.1  riastrad 	}
    174  1.1  riastrad 
    175  1.1  riastrad 	/* Partially fill the buffer with as many words as we can.  */
    176  1.1  riastrad 	for (iw = 0; iw < len/8; iw++)
    177  1.1  riastrad 		C->A[rw - C->nb/8 + iw] ^= le64dec(data + 8*iw);
    178  1.1  riastrad 	C->nb -= 8*iw;
    179  1.1  riastrad 	data += 8*iw;
    180  1.1  riastrad 	len -= 8*iw;
    181  1.1  riastrad 
    182  1.1  riastrad partial:
    183  1.1  riastrad 	/* Partially fill the last word with as many bytes as we can.  */
    184  1.1  riastrad 	assert(len < 8);
    185  1.1  riastrad 	assert(0 < C->nb);
    186  1.1  riastrad 	assert((C->nb % 8) == 0);
    187  1.1  riastrad 	T = 0;
    188  1.1  riastrad 	for (ib = 0; ib < len; ib++)
    189  1.1  riastrad 		T |= (uint64_t)data[ib] << (8*ib);
    190  1.1  riastrad 	C->A[rw - C->nb/8] ^= T;
    191  1.1  riastrad 	C->nb -= ib;
    192  1.1  riastrad 	assert(0 < C->nb);
    193  1.1  riastrad }
    194  1.1  riastrad 
    195  1.1  riastrad static void
    196  1.1  riastrad sha3_final(uint8_t *h, unsigned d, struct sha3 *C, unsigned rw)
    197  1.1  riastrad {
    198  1.1  riastrad 	unsigned nw, iw;
    199  1.1  riastrad 
    200  1.1  riastrad 	assert(d <= 8*25);
    201  1.1  riastrad 	assert(0 < C->nb);
    202  1.1  riastrad 
    203  1.1  riastrad 	/* Append 01, pad with 10*1 up to buffer boundary, LSB first.  */
    204  1.1  riastrad 	nw = (C->nb + 7)/8;
    205  1.1  riastrad 	assert(0 < nw);
    206  1.1  riastrad 	assert(nw <= rw);
    207  1.1  riastrad 	C->A[rw - nw] ^= (uint64_t)0x06 << (8*(8*nw - C->nb));
    208  1.1  riastrad 	C->A[rw - 1] ^= 0x8000000000000000ULL;
    209  1.1  riastrad 
    210  1.1  riastrad 	/* Permute one last time.  */
    211  1.1  riastrad 	keccakf1600(C->A);
    212  1.1  riastrad 
    213  1.1  riastrad 	/* Reveal the first 8d bits of state, forget 1600-8d of them.  */
    214  1.1  riastrad 	for (iw = 0; iw < d/8; iw++)
    215  1.1  riastrad 		le64enc(h + 8*iw, C->A[iw]);
    216  1.1  riastrad 	h += 8*iw;
    217  1.1  riastrad 	d -= 8*iw;
    218  1.1  riastrad 	if (0 < d) {
    219  1.1  riastrad 		/* For SHA3-224, we need to expose a partial word.  */
    220  1.1  riastrad 		uint64_t T = C->A[iw];
    221  1.1  riastrad 		do {
    222  1.1  riastrad 			*h++ = T & 0xff;
    223  1.1  riastrad 			T >>= 8;
    224  1.1  riastrad 		} while (--d);
    225  1.1  riastrad 	}
    226  1.1  riastrad 	(void)explicit_memset(C->A, 0, sizeof C->A);
    227  1.1  riastrad 	C->nb = 0;
    228  1.1  riastrad }
    229  1.1  riastrad 
    230  1.1  riastrad static void
    231  1.4  christos shake_final(uint8_t *h, size_t d, struct sha3 *C, unsigned rw)
    232  1.1  riastrad {
    233  1.1  riastrad 	unsigned nw, iw;
    234  1.1  riastrad 
    235  1.1  riastrad 	assert(0 < C->nb);
    236  1.1  riastrad 
    237  1.1  riastrad 	/* Append 1111, pad with 10*1 up to buffer boundary, LSB first.  */
    238  1.1  riastrad 	nw = (C->nb + 7)/8;
    239  1.1  riastrad 	assert(0 < nw);
    240  1.1  riastrad 	assert(nw <= rw);
    241  1.1  riastrad 	C->A[rw - nw] ^= (uint64_t)0x1f << (8*(8*nw - C->nb));
    242  1.1  riastrad 	C->A[rw - 1] ^= 0x8000000000000000ULL;
    243  1.1  riastrad 
    244  1.1  riastrad 	/* Permute, reveal first rw words of state, repeat.  */
    245  1.1  riastrad 	while (8*rw <= d) {
    246  1.1  riastrad 		keccakf1600(C->A);
    247  1.1  riastrad 		for (iw = 0; iw < rw; iw++)
    248  1.1  riastrad 			le64enc(h + 8*iw, C->A[iw]);
    249  1.1  riastrad 		h += 8*iw;
    250  1.1  riastrad 		d -= 8*iw;
    251  1.1  riastrad 	}
    252  1.1  riastrad 
    253  1.1  riastrad 	/*
    254  1.1  riastrad 	 * If 8*rw (the output rate in bytes) does not divide d, more
    255  1.1  riastrad 	 * words are wanted: permute again and reveal a little more.
    256  1.1  riastrad 	 */
    257  1.1  riastrad 	if (0 < d) {
    258  1.1  riastrad 		keccakf1600(C->A);
    259  1.1  riastrad 		for (iw = 0; iw < d/8; iw++)
    260  1.1  riastrad 			le64enc(h + 8*iw, C->A[iw]);
    261  1.1  riastrad 		h += 8*iw;
    262  1.1  riastrad 		d -= 8*iw;
    263  1.1  riastrad 
    264  1.1  riastrad 		/*
    265  1.1  riastrad 		 * If 8 does not divide d, more bytes are wanted:
    266  1.1  riastrad 		 * reveal them.
    267  1.1  riastrad 		 */
    268  1.1  riastrad 		if (0 < d) {
    269  1.1  riastrad 			uint64_t T = C->A[iw];
    270  1.1  riastrad 			do {
    271  1.1  riastrad 				*h++ = T & 0xff;
    272  1.1  riastrad 				T >>= 8;
    273  1.1  riastrad 			} while (--d);
    274  1.1  riastrad 		}
    275  1.1  riastrad 	}
    276  1.1  riastrad 
    277  1.1  riastrad 	(void)explicit_memset(C->A, 0, sizeof C->A);
    278  1.1  riastrad 	C->nb = 0;
    279  1.1  riastrad }
    280  1.1  riastrad 
    281  1.1  riastrad void
    282  1.1  riastrad SHA3_224_Init(SHA3_224_CTX *C)
    283  1.1  riastrad {
    284  1.1  riastrad 
    285  1.1  riastrad 	sha3_init(&C->C224, sha3_rate(SHA3_224_DIGEST_LENGTH));
    286  1.1  riastrad }
    287  1.1  riastrad 
    288  1.1  riastrad void
    289  1.1  riastrad SHA3_224_Update(SHA3_224_CTX *C, const uint8_t *data, size_t len)
    290  1.1  riastrad {
    291  1.1  riastrad 
    292  1.1  riastrad 	sha3_update(&C->C224, data, len, sha3_rate(SHA3_224_DIGEST_LENGTH));
    293  1.1  riastrad }
    294  1.1  riastrad 
    295  1.1  riastrad void
    296  1.1  riastrad SHA3_224_Final(uint8_t h[SHA3_224_DIGEST_LENGTH], SHA3_224_CTX *C)
    297  1.1  riastrad {
    298  1.1  riastrad 
    299  1.1  riastrad 	sha3_final(h, SHA3_224_DIGEST_LENGTH, &C->C224,
    300  1.1  riastrad 	    sha3_rate(SHA3_224_DIGEST_LENGTH));
    301  1.1  riastrad }
    302  1.1  riastrad 
    303  1.1  riastrad void
    304  1.1  riastrad SHA3_256_Init(SHA3_256_CTX *C)
    305  1.1  riastrad {
    306  1.1  riastrad 
    307  1.1  riastrad 	sha3_init(&C->C256, sha3_rate(SHA3_256_DIGEST_LENGTH));
    308  1.1  riastrad }
    309  1.1  riastrad 
    310  1.1  riastrad void
    311  1.1  riastrad SHA3_256_Update(SHA3_256_CTX *C, const uint8_t *data, size_t len)
    312  1.1  riastrad {
    313  1.1  riastrad 
    314  1.1  riastrad 	sha3_update(&C->C256, data, len, sha3_rate(SHA3_256_DIGEST_LENGTH));
    315  1.1  riastrad }
    316  1.1  riastrad 
    317  1.1  riastrad void
    318  1.1  riastrad SHA3_256_Final(uint8_t h[SHA3_256_DIGEST_LENGTH], SHA3_256_CTX *C)
    319  1.1  riastrad {
    320  1.1  riastrad 
    321  1.1  riastrad 	sha3_final(h, SHA3_256_DIGEST_LENGTH, &C->C256,
    322  1.1  riastrad 	    sha3_rate(SHA3_256_DIGEST_LENGTH));
    323  1.1  riastrad }
    324  1.1  riastrad 
    325  1.1  riastrad void
    326  1.1  riastrad SHA3_384_Init(SHA3_384_CTX *C)
    327  1.1  riastrad {
    328  1.1  riastrad 
    329  1.1  riastrad 	sha3_init(&C->C384, sha3_rate(SHA3_384_DIGEST_LENGTH));
    330  1.1  riastrad }
    331  1.1  riastrad 
    332  1.1  riastrad void
    333  1.1  riastrad SHA3_384_Update(SHA3_384_CTX *C, const uint8_t *data, size_t len)
    334  1.1  riastrad {
    335  1.1  riastrad 
    336  1.1  riastrad 	sha3_update(&C->C384, data, len, sha3_rate(SHA3_384_DIGEST_LENGTH));
    337  1.1  riastrad }
    338  1.1  riastrad 
    339  1.1  riastrad void
    340  1.1  riastrad SHA3_384_Final(uint8_t h[SHA3_384_DIGEST_LENGTH], SHA3_384_CTX *C)
    341  1.1  riastrad {
    342  1.1  riastrad 
    343  1.1  riastrad 	sha3_final(h, SHA3_384_DIGEST_LENGTH, &C->C384,
    344  1.1  riastrad 	    sha3_rate(SHA3_384_DIGEST_LENGTH));
    345  1.1  riastrad }
    346  1.1  riastrad 
    347  1.1  riastrad void
    348  1.1  riastrad SHA3_512_Init(SHA3_512_CTX *C)
    349  1.1  riastrad {
    350  1.1  riastrad 
    351  1.1  riastrad 	sha3_init(&C->C512, sha3_rate(SHA3_512_DIGEST_LENGTH));
    352  1.1  riastrad }
    353  1.1  riastrad 
    354  1.1  riastrad void
    355  1.1  riastrad SHA3_512_Update(SHA3_512_CTX *C, const uint8_t *data, size_t len)
    356  1.1  riastrad {
    357  1.1  riastrad 
    358  1.1  riastrad 	sha3_update(&C->C512, data, len, sha3_rate(SHA3_512_DIGEST_LENGTH));
    359  1.1  riastrad }
    360  1.1  riastrad 
    361  1.1  riastrad void
    362  1.1  riastrad SHA3_512_Final(uint8_t h[SHA3_512_DIGEST_LENGTH], SHA3_512_CTX *C)
    363  1.1  riastrad {
    364  1.1  riastrad 
    365  1.1  riastrad 	sha3_final(h, SHA3_512_DIGEST_LENGTH, &C->C512,
    366  1.1  riastrad 	    sha3_rate(SHA3_512_DIGEST_LENGTH));
    367  1.1  riastrad }
    368  1.1  riastrad 
    369  1.1  riastrad void
    370  1.1  riastrad SHAKE128_Init(SHAKE128_CTX *C)
    371  1.1  riastrad {
    372  1.1  riastrad 
    373  1.1  riastrad 	sha3_init(&C->C128, sha3_rate(128/8));
    374  1.1  riastrad }
    375  1.1  riastrad 
    376  1.1  riastrad void
    377  1.1  riastrad SHAKE128_Update(SHAKE128_CTX *C, const uint8_t *data, size_t len)
    378  1.1  riastrad {
    379  1.1  riastrad 
    380  1.1  riastrad 	sha3_update(&C->C128, data, len, sha3_rate(128/8));
    381  1.1  riastrad }
    382  1.1  riastrad 
    383  1.1  riastrad void
    384  1.1  riastrad SHAKE128_Final(uint8_t *h, size_t d, SHAKE128_CTX *C)
    385  1.1  riastrad {
    386  1.1  riastrad 
    387  1.1  riastrad 	shake_final(h, d, &C->C128, sha3_rate(128/8));
    388  1.1  riastrad }
    389  1.1  riastrad 
    390  1.1  riastrad void
    391  1.1  riastrad SHAKE256_Init(SHAKE256_CTX *C)
    392  1.1  riastrad {
    393  1.1  riastrad 
    394  1.1  riastrad 	sha3_init(&C->C256, sha3_rate(256/8));
    395  1.1  riastrad }
    396  1.1  riastrad 
    397  1.1  riastrad void
    398  1.1  riastrad SHAKE256_Update(SHAKE256_CTX *C, const uint8_t *data, size_t len)
    399  1.1  riastrad {
    400  1.1  riastrad 
    401  1.1  riastrad 	sha3_update(&C->C256, data, len, sha3_rate(256/8));
    402  1.1  riastrad }
    403  1.1  riastrad 
    404  1.1  riastrad void
    405  1.1  riastrad SHAKE256_Final(uint8_t *h, size_t d, SHAKE256_CTX *C)
    406  1.1  riastrad {
    407  1.1  riastrad 
    408  1.1  riastrad 	shake_final(h, d, &C->C256, sha3_rate(256/8));
    409  1.1  riastrad }
    410  1.1  riastrad 
    411  1.1  riastrad static void
    412  1.1  riastrad sha3_selftest_prng(void *buf, size_t len, uint32_t seed)
    413  1.1  riastrad {
    414  1.1  riastrad 	uint8_t *p = buf;
    415  1.1  riastrad 	size_t n = len;
    416  1.1  riastrad 	uint32_t t, a, b;
    417  1.1  riastrad 
    418  1.1  riastrad 	a = 0xdead4bad * seed;
    419  1.1  riastrad 	b = 1;
    420  1.1  riastrad 
    421  1.1  riastrad 	while (n--) {
    422  1.1  riastrad 		t = a + b;
    423  1.1  riastrad 		*p++ = t >> 24;
    424  1.1  riastrad 		a = b;
    425  1.1  riastrad 		b = t;
    426  1.1  riastrad 	}
    427  1.1  riastrad }
    428  1.1  riastrad 
    429  1.1  riastrad int
    430  1.1  riastrad SHA3_Selftest(void)
    431  1.1  riastrad {
    432  1.2  riastrad 	static const uint8_t d224_0[] = { /* SHA3-224(0-bit) */
    433  1.1  riastrad 		0x6b,0x4e,0x03,0x42,0x36,0x67,0xdb,0xb7,
    434  1.1  riastrad 		0x3b,0x6e,0x15,0x45,0x4f,0x0e,0xb1,0xab,
    435  1.1  riastrad 		0xd4,0x59,0x7f,0x9a,0x1b,0x07,0x8e,0x3f,
    436  1.1  riastrad 		0x5b,0x5a,0x6b,0xc7,
    437  1.1  riastrad 	};
    438  1.2  riastrad 	static const uint8_t d256_0[] = { /* SHA3-256(0-bit) */
    439  1.1  riastrad 		0xa7,0xff,0xc6,0xf8,0xbf,0x1e,0xd7,0x66,
    440  1.1  riastrad 		0x51,0xc1,0x47,0x56,0xa0,0x61,0xd6,0x62,
    441  1.1  riastrad 		0xf5,0x80,0xff,0x4d,0xe4,0x3b,0x49,0xfa,
    442  1.1  riastrad 		0x82,0xd8,0x0a,0x4b,0x80,0xf8,0x43,0x4a,
    443  1.1  riastrad 	};
    444  1.2  riastrad 	static const uint8_t d384_0[] = { /* SHA3-384(0-bit) */
    445  1.1  riastrad 		0x0c,0x63,0xa7,0x5b,0x84,0x5e,0x4f,0x7d,
    446  1.1  riastrad 		0x01,0x10,0x7d,0x85,0x2e,0x4c,0x24,0x85,
    447  1.1  riastrad 		0xc5,0x1a,0x50,0xaa,0xaa,0x94,0xfc,0x61,
    448  1.1  riastrad 		0x99,0x5e,0x71,0xbb,0xee,0x98,0x3a,0x2a,
    449  1.1  riastrad 		0xc3,0x71,0x38,0x31,0x26,0x4a,0xdb,0x47,
    450  1.1  riastrad 		0xfb,0x6b,0xd1,0xe0,0x58,0xd5,0xf0,0x04,
    451  1.1  riastrad 	};
    452  1.2  riastrad 	static const uint8_t d512_0[] = { /* SHA3-512(0-bit) */
    453  1.1  riastrad 		0xa6,0x9f,0x73,0xcc,0xa2,0x3a,0x9a,0xc5,
    454  1.1  riastrad 		0xc8,0xb5,0x67,0xdc,0x18,0x5a,0x75,0x6e,
    455  1.1  riastrad 		0x97,0xc9,0x82,0x16,0x4f,0xe2,0x58,0x59,
    456  1.1  riastrad 		0xe0,0xd1,0xdc,0xc1,0x47,0x5c,0x80,0xa6,
    457  1.1  riastrad 		0x15,0xb2,0x12,0x3a,0xf1,0xf5,0xf9,0x4c,
    458  1.1  riastrad 		0x11,0xe3,0xe9,0x40,0x2c,0x3a,0xc5,0x58,
    459  1.1  riastrad 		0xf5,0x00,0x19,0x9d,0x95,0xb6,0xd3,0xe3,
    460  1.1  riastrad 		0x01,0x75,0x85,0x86,0x28,0x1d,0xcd,0x26,
    461  1.1  riastrad 	};
    462  1.2  riastrad 	static const uint8_t shake128_0_41[] = { /* SHAKE128(0-bit, 41) */
    463  1.1  riastrad 		0x7f,0x9c,0x2b,0xa4,0xe8,0x8f,0x82,0x7d,
    464  1.1  riastrad 		0x61,0x60,0x45,0x50,0x76,0x05,0x85,0x3e,
    465  1.1  riastrad 		0xd7,0x3b,0x80,0x93,0xf6,0xef,0xbc,0x88,
    466  1.1  riastrad 		0xeb,0x1a,0x6e,0xac,0xfa,0x66,0xef,0x26,
    467  1.1  riastrad 		0x3c,0xb1,0xee,0xa9,0x88,0x00,0x4b,0x93,0x10,
    468  1.1  riastrad 	};
    469  1.2  riastrad 	static const uint8_t shake256_0_73[] = { /* SHAKE256(0-bit, 73) */
    470  1.1  riastrad 		0x46,0xb9,0xdd,0x2b,0x0b,0xa8,0x8d,0x13,
    471  1.1  riastrad 		0x23,0x3b,0x3f,0xeb,0x74,0x3e,0xeb,0x24,
    472  1.1  riastrad 		0x3f,0xcd,0x52,0xea,0x62,0xb8,0x1b,0x82,
    473  1.1  riastrad 		0xb5,0x0c,0x27,0x64,0x6e,0xd5,0x76,0x2f,
    474  1.1  riastrad 		0xd7,0x5d,0xc4,0xdd,0xd8,0xc0,0xf2,0x00,
    475  1.1  riastrad 		0xcb,0x05,0x01,0x9d,0x67,0xb5,0x92,0xf6,
    476  1.1  riastrad 		0xfc,0x82,0x1c,0x49,0x47,0x9a,0xb4,0x86,
    477  1.1  riastrad 		0x40,0x29,0x2e,0xac,0xb3,0xb7,0xc4,0xbe,
    478  1.1  riastrad 		0x14,0x1e,0x96,0x61,0x6f,0xb1,0x39,0x57,0x69,
    479  1.1  riastrad 	};
    480  1.2  riastrad 	static const uint8_t d224_1600[] = { /* SHA3-224(200 * 0xa3) */
    481  1.1  riastrad 		0x93,0x76,0x81,0x6a,0xba,0x50,0x3f,0x72,
    482  1.1  riastrad 		0xf9,0x6c,0xe7,0xeb,0x65,0xac,0x09,0x5d,
    483  1.1  riastrad 		0xee,0xe3,0xbe,0x4b,0xf9,0xbb,0xc2,0xa1,
    484  1.1  riastrad 		0xcb,0x7e,0x11,0xe0,
    485  1.1  riastrad 	};
    486  1.2  riastrad 	static const uint8_t d256_1600[] = { /* SHA3-256(200 * 0xa3) */
    487  1.1  riastrad 		0x79,0xf3,0x8a,0xde,0xc5,0xc2,0x03,0x07,
    488  1.1  riastrad 		0xa9,0x8e,0xf7,0x6e,0x83,0x24,0xaf,0xbf,
    489  1.1  riastrad 		0xd4,0x6c,0xfd,0x81,0xb2,0x2e,0x39,0x73,
    490  1.1  riastrad 		0xc6,0x5f,0xa1,0xbd,0x9d,0xe3,0x17,0x87,
    491  1.1  riastrad 	};
    492  1.2  riastrad 	static const uint8_t d384_1600[] = { /* SHA3-384(200 * 0xa3) */
    493  1.1  riastrad 		0x18,0x81,0xde,0x2c,0xa7,0xe4,0x1e,0xf9,
    494  1.1  riastrad 		0x5d,0xc4,0x73,0x2b,0x8f,0x5f,0x00,0x2b,
    495  1.1  riastrad 		0x18,0x9c,0xc1,0xe4,0x2b,0x74,0x16,0x8e,
    496  1.1  riastrad 		0xd1,0x73,0x26,0x49,0xce,0x1d,0xbc,0xdd,
    497  1.1  riastrad 		0x76,0x19,0x7a,0x31,0xfd,0x55,0xee,0x98,
    498  1.1  riastrad 		0x9f,0x2d,0x70,0x50,0xdd,0x47,0x3e,0x8f,
    499  1.1  riastrad 	};
    500  1.2  riastrad 	static const uint8_t d512_1600[] = { /* SHA3-512(200 * 0xa3) */
    501  1.1  riastrad 		0xe7,0x6d,0xfa,0xd2,0x20,0x84,0xa8,0xb1,
    502  1.1  riastrad 		0x46,0x7f,0xcf,0x2f,0xfa,0x58,0x36,0x1b,
    503  1.1  riastrad 		0xec,0x76,0x28,0xed,0xf5,0xf3,0xfd,0xc0,
    504  1.1  riastrad 		0xe4,0x80,0x5d,0xc4,0x8c,0xae,0xec,0xa8,
    505  1.1  riastrad 		0x1b,0x7c,0x13,0xc3,0x0a,0xdf,0x52,0xa3,
    506  1.1  riastrad 		0x65,0x95,0x84,0x73,0x9a,0x2d,0xf4,0x6b,
    507  1.1  riastrad 		0xe5,0x89,0xc5,0x1c,0xa1,0xa4,0xa8,0x41,
    508  1.1  riastrad 		0x6d,0xf6,0x54,0x5a,0x1c,0xe8,0xba,0x00,
    509  1.1  riastrad 	};
    510  1.2  riastrad 	static const uint8_t shake128_1600_41[] = {
    511  1.2  riastrad 		/* SHAKE128(200 * 0xa3, 41) */
    512  1.1  riastrad 		0x13,0x1a,0xb8,0xd2,0xb5,0x94,0x94,0x6b,
    513  1.1  riastrad 		0x9c,0x81,0x33,0x3f,0x9b,0xb6,0xe0,0xce,
    514  1.1  riastrad 		0x75,0xc3,0xb9,0x31,0x04,0xfa,0x34,0x69,
    515  1.1  riastrad 		0xd3,0x91,0x74,0x57,0x38,0x5d,0xa0,0x37,
    516  1.1  riastrad 		0xcf,0x23,0x2e,0xf7,0x16,0x4a,0x6d,0x1e,0xb4,
    517  1.1  riastrad 	};
    518  1.2  riastrad 	static const uint8_t shake256_1600_73[] = {
    519  1.2  riastrad 		/* SHAKE256(200 * 0xa3, 73) */
    520  1.1  riastrad 		0xcd,0x8a,0x92,0x0e,0xd1,0x41,0xaa,0x04,
    521  1.1  riastrad 		0x07,0xa2,0x2d,0x59,0x28,0x86,0x52,0xe9,
    522  1.1  riastrad 		0xd9,0xf1,0xa7,0xee,0x0c,0x1e,0x7c,0x1c,
    523  1.1  riastrad 		0xa6,0x99,0x42,0x4d,0xa8,0x4a,0x90,0x4d,
    524  1.1  riastrad 		0x2d,0x70,0x0c,0xaa,0xe7,0x39,0x6e,0xce,
    525  1.1  riastrad 		0x96,0x60,0x44,0x40,0x57,0x7d,0xa4,0xf3,
    526  1.1  riastrad 		0xaa,0x22,0xae,0xb8,0x85,0x7f,0x96,0x1c,
    527  1.1  riastrad 		0x4c,0xd8,0xe0,0x6f,0x0a,0xe6,0x61,0x0b,
    528  1.1  riastrad 		0x10,0x48,0xa7,0xf6,0x4e,0x10,0x74,0xcd,0x62,
    529  1.1  riastrad 	};
    530  1.2  riastrad 	static const uint8_t d0[] = {
    531  1.2  riastrad 		0x5d,0x3e,0x45,0xdd,0x9b,0x6b,0xda,0xf8,
    532  1.2  riastrad 		0xe6,0xe6,0xb8,0x72,0xfb,0xc5,0x0d,0x0a,
    533  1.2  riastrad 		0x4f,0x52,0x65,0xb4,0x11,0xf1,0xa1,0x0c,
    534  1.2  riastrad 		0x00,0xa4,0x74,0x6c,0x0f,0xc0,0xdc,0xe0,
    535  1.2  riastrad 		0x97,0x73,0xd6,0x70,0xaf,0xd4,0x64,0x0b,
    536  1.2  riastrad 		0x8c,0x52,0x32,0x4c,0x87,0x8c,0xfa,0x4a,
    537  1.2  riastrad 		0xdc,0x11,0x66,0x91,0x66,0x5a,0x1e,0xa4,
    538  1.2  riastrad 		0xd6,0x69,0x97,0xc7,0xcb,0xe2,0x73,0xca,
    539  1.2  riastrad 	};
    540  1.2  riastrad 	static const unsigned mlen[] = { 0, 3, 128, 129, 255 };
    541  1.2  riastrad 	uint8_t m[255], d[73];
    542  1.2  riastrad 	struct sha3 sha3;
    543  1.2  riastrad 	SHA3_224_CTX *sha3224 = (SHA3_224_CTX *)&sha3;
    544  1.2  riastrad 	SHA3_256_CTX *sha3256 = (SHA3_256_CTX *)&sha3;
    545  1.2  riastrad 	SHA3_384_CTX *sha3384 = (SHA3_384_CTX *)&sha3;
    546  1.2  riastrad 	SHA3_512_CTX *sha3512 = (SHA3_512_CTX *)&sha3;
    547  1.2  riastrad 	SHAKE128_CTX *shake128 = (SHAKE128_CTX *)&sha3;
    548  1.2  riastrad 	SHAKE256_CTX *shake256 = (SHAKE256_CTX *)&sha3;
    549  1.1  riastrad 	SHA3_512_CTX ctx;
    550  1.1  riastrad 	unsigned mi;
    551  1.1  riastrad 
    552  1.1  riastrad 	/*
    553  1.1  riastrad 	 * NIST test vectors from
    554  1.1  riastrad 	 * <http://csrc.nist.gov/groups/ST/toolkit/examples.html#aHashing>:
    555  1.1  riastrad 	 * 0-bit, 1600-bit repeated 0xa3 (= 0b10100011).
    556  1.1  riastrad 	 */
    557  1.2  riastrad 	SHA3_224_Init(sha3224);
    558  1.2  riastrad 	SHA3_224_Final(d, sha3224);
    559  1.1  riastrad 	if (memcmp(d, d224_0, 28) != 0)
    560  1.1  riastrad 		return -1;
    561  1.2  riastrad 	SHA3_256_Init(sha3256);
    562  1.2  riastrad 	SHA3_256_Final(d, sha3256);
    563  1.1  riastrad 	if (memcmp(d, d256_0, 32) != 0)
    564  1.1  riastrad 		return -1;
    565  1.2  riastrad 	SHA3_384_Init(sha3384);
    566  1.2  riastrad 	SHA3_384_Final(d, sha3384);
    567  1.1  riastrad 	if (memcmp(d, d384_0, 48) != 0)
    568  1.1  riastrad 		return -1;
    569  1.2  riastrad 	SHA3_512_Init(sha3512);
    570  1.2  riastrad 	SHA3_512_Final(d, sha3512);
    571  1.1  riastrad 	if (memcmp(d, d512_0, 64) != 0)
    572  1.1  riastrad 		return -1;
    573  1.2  riastrad 	SHAKE128_Init(shake128);
    574  1.2  riastrad 	SHAKE128_Final(d, 41, shake128);
    575  1.1  riastrad 	if (memcmp(d, shake128_0_41, 41) != 0)
    576  1.1  riastrad 		return -1;
    577  1.2  riastrad 	SHAKE256_Init(shake256);
    578  1.2  riastrad 	SHAKE256_Final(d, 73, shake256);
    579  1.1  riastrad 	if (memcmp(d, shake256_0_73, 73) != 0)
    580  1.1  riastrad 		return -1;
    581  1.1  riastrad 
    582  1.1  riastrad 	(void)memset(m, 0xa3, 200);
    583  1.2  riastrad 	SHA3_224_Init(sha3224);
    584  1.2  riastrad 	SHA3_224_Update(sha3224, m, 200);
    585  1.2  riastrad 	SHA3_224_Final(d, sha3224);
    586  1.1  riastrad 	if (memcmp(d, d224_1600, 28) != 0)
    587  1.1  riastrad 		return -1;
    588  1.2  riastrad 	SHA3_256_Init(sha3256);
    589  1.2  riastrad 	SHA3_256_Update(sha3256, m, 200);
    590  1.2  riastrad 	SHA3_256_Final(d, sha3256);
    591  1.1  riastrad 	if (memcmp(d, d256_1600, 32) != 0)
    592  1.1  riastrad 		return -1;
    593  1.2  riastrad 	SHA3_384_Init(sha3384);
    594  1.2  riastrad 	SHA3_384_Update(sha3384, m, 200);
    595  1.2  riastrad 	SHA3_384_Final(d, sha3384);
    596  1.1  riastrad 	if (memcmp(d, d384_1600, 48) != 0)
    597  1.1  riastrad 		return -1;
    598  1.2  riastrad 	SHA3_512_Init(sha3512);
    599  1.2  riastrad 	SHA3_512_Update(sha3512, m, 200);
    600  1.2  riastrad 	SHA3_512_Final(d, sha3512);
    601  1.1  riastrad 	if (memcmp(d, d512_1600, 64) != 0)
    602  1.1  riastrad 		return -1;
    603  1.2  riastrad 	SHAKE128_Init(shake128);
    604  1.2  riastrad 	SHAKE128_Update(shake128, m, 200);
    605  1.2  riastrad 	SHAKE128_Final(d, 41, shake128);
    606  1.1  riastrad 	if (memcmp(d, shake128_1600_41, 41) != 0)
    607  1.1  riastrad 		return -1;
    608  1.2  riastrad 	SHAKE256_Init(shake256);
    609  1.2  riastrad 	SHAKE256_Update(shake256, m, 200);
    610  1.2  riastrad 	SHAKE256_Final(d, 73, shake256);
    611  1.1  riastrad 	if (memcmp(d, shake256_1600_73, 73) != 0)
    612  1.1  riastrad 		return -1;
    613  1.1  riastrad 
    614  1.1  riastrad 	/*
    615  1.1  riastrad 	 * Hand-crufted test vectors with unaligned message lengths.
    616  1.1  riastrad 	 */
    617  1.1  riastrad 	SHA3_512_Init(&ctx);
    618  1.2  riastrad 	for (mi = 0; mi < arraycount(mlen); mi++) {
    619  1.1  riastrad 		sha3_selftest_prng(m, mlen[mi], (224/8)*mlen[mi]);
    620  1.2  riastrad 		SHA3_224_Init(sha3224);
    621  1.2  riastrad 		SHA3_224_Update(sha3224, m, mlen[mi]);
    622  1.2  riastrad 		SHA3_224_Final(d, sha3224);
    623  1.1  riastrad 		SHA3_512_Update(&ctx, d, 224/8);
    624  1.1  riastrad 	}
    625  1.2  riastrad 	for (mi = 0; mi < arraycount(mlen); mi++) {
    626  1.1  riastrad 		sha3_selftest_prng(m, mlen[mi], (256/8)*mlen[mi]);
    627  1.2  riastrad 		SHA3_256_Init(sha3256);
    628  1.2  riastrad 		SHA3_256_Update(sha3256, m, mlen[mi]);
    629  1.2  riastrad 		SHA3_256_Final(d, sha3256);
    630  1.1  riastrad 		SHA3_512_Update(&ctx, d, 256/8);
    631  1.1  riastrad 	}
    632  1.2  riastrad 	for (mi = 0; mi < arraycount(mlen); mi++) {
    633  1.1  riastrad 		sha3_selftest_prng(m, mlen[mi], (384/8)*mlen[mi]);
    634  1.2  riastrad 		SHA3_384_Init(sha3384);
    635  1.2  riastrad 		SHA3_384_Update(sha3384, m, mlen[mi]);
    636  1.2  riastrad 		SHA3_384_Final(d, sha3384);
    637  1.1  riastrad 		SHA3_512_Update(&ctx, d, 384/8);
    638  1.1  riastrad 	}
    639  1.2  riastrad 	for (mi = 0; mi < arraycount(mlen); mi++) {
    640  1.1  riastrad 		sha3_selftest_prng(m, mlen[mi], (512/8)*mlen[mi]);
    641  1.2  riastrad 		SHA3_512_Init(sha3512);
    642  1.2  riastrad 		SHA3_512_Update(sha3512, m, mlen[mi]);
    643  1.2  riastrad 		SHA3_512_Final(d, sha3512);
    644  1.1  riastrad 		SHA3_512_Update(&ctx, d, 512/8);
    645  1.1  riastrad 	}
    646  1.1  riastrad 	SHA3_512_Final(d, &ctx);
    647  1.1  riastrad 	if (memcmp(d, d0, 64) != 0)
    648  1.1  riastrad 		return -1;
    649  1.1  riastrad 
    650  1.1  riastrad 	return 0;
    651  1.1  riastrad }
    652