sha3.c revision 1.1
1 1.1 riastrad /* $NetBSD: sha3.c,v 1.1 2017/11/30 05:47:24 riastradh Exp $ */ 2 1.1 riastrad 3 1.1 riastrad /*- 4 1.1 riastrad * Copyright (c) 2015 Taylor R. Campbell 5 1.1 riastrad * All rights reserved. 6 1.1 riastrad * 7 1.1 riastrad * Redistribution and use in source and binary forms, with or without 8 1.1 riastrad * modification, are permitted provided that the following conditions 9 1.1 riastrad * are met: 10 1.1 riastrad * 1. Redistributions of source code must retain the above copyright 11 1.1 riastrad * notice, this list of conditions and the following disclaimer. 12 1.1 riastrad * 2. Redistributions in binary form must reproduce the above copyright 13 1.1 riastrad * notice, this list of conditions and the following disclaimer in the 14 1.1 riastrad * documentation and/or other materials provided with the distribution. 15 1.1 riastrad * 16 1.1 riastrad * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 17 1.1 riastrad * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18 1.1 riastrad * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19 1.1 riastrad * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 20 1.1 riastrad * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21 1.1 riastrad * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22 1.1 riastrad * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23 1.1 riastrad * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24 1.1 riastrad * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25 1.1 riastrad * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26 1.1 riastrad * SUCH DAMAGE. 27 1.1 riastrad */ 28 1.1 riastrad 29 1.1 riastrad /* 30 1.1 riastrad * SHA-3: FIPS-202, Permutation-Based Hash and Extendable-Ouptut Functions 31 1.1 riastrad */ 32 1.1 riastrad 33 1.1 riastrad #if HAVE_NBTOOL_CONFIG_H 34 1.1 riastrad #include "nbtool_config.h" 35 1.1 riastrad #endif 36 1.1 riastrad 37 1.1 riastrad #include <sys/cdefs.h> 38 1.1 riastrad 39 1.1 riastrad #if defined(_KERNEL) || defined(_STANDALONE) 40 1.1 riastrad 41 1.1 riastrad __KERNEL_RCSID(0, "$NetBSD: sha3.c,v 1.1 2017/11/30 05:47:24 riastradh Exp $"); 42 1.1 riastrad #include <lib/libkern/libkern.h> 43 1.1 riastrad 44 1.1 riastrad #define SHA3_ASSERT KASSERT 45 1.1 riastrad 46 1.1 riastrad #else 47 1.1 riastrad 48 1.1 riastrad __RCSID("$NetBSD: sha3.c,v 1.1 2017/11/30 05:47:24 riastradh Exp $"); 49 1.1 riastrad 50 1.1 riastrad #include "namespace.h" 51 1.1 riastrad 52 1.1 riastrad #include <assert.h> 53 1.1 riastrad #include <string.h> 54 1.1 riastrad 55 1.1 riastrad #define SHA3_ASSERT _DIAGASSERT 56 1.1 riastrad 57 1.1 riastrad #endif 58 1.1 riastrad 59 1.1 riastrad #include <sys/endian.h> 60 1.1 riastrad #include <sys/sha3.h> 61 1.1 riastrad 62 1.1 riastrad #include "keccak.h" 63 1.1 riastrad 64 1.1 riastrad /* XXX Disabled for now -- these will be libc-private. */ 65 1.1 riastrad #if 0 && !defined(_KERNEL) && !defined(_STANDALONE) 66 1.1 riastrad #ifdef __weak_alias 67 1.1 riastrad __weak_alias(SHA3_224_Init,_SHA3_224_Init) 68 1.1 riastrad __weak_alias(SHA3_224_Update,_SHA3_224_Update) 69 1.1 riastrad __weak_alias(SHA3_224_Final,_SHA3_224_Final) 70 1.1 riastrad __weak_alias(SHA3_256_Init,_SHA3_256_Init) 71 1.1 riastrad __weak_alias(SHA3_256_Update,_SHA3_256_Update) 72 1.1 riastrad __weak_alias(SHA3_256_Final,_SHA3_256_Final) 73 1.1 riastrad __weak_alias(SHA3_384_Init,_SHA3_384_Init) 74 1.1 riastrad __weak_alias(SHA3_384_Update,_SHA3_384_Update) 75 1.1 riastrad __weak_alias(SHA3_384_Final,_SHA3_384_Final) 76 1.1 riastrad __weak_alias(SHA3_512_Init,_SHA3_512_Init) 77 1.1 riastrad __weak_alias(SHA3_512_Update,_SHA3_512_Update) 78 1.1 riastrad __weak_alias(SHA3_512_Final,_SHA3_512_Final) 79 1.1 riastrad __weak_alias(SHA3_Selftest,_SHA3_Selftest) 80 1.1 riastrad __weak_alias(SHAKE128_Init,_SHAKE128_Init) 81 1.1 riastrad __weak_alias(SHAKE128_Update,_SHAKE128_Update) 82 1.1 riastrad __weak_alias(SHAKE128_Final,_SHAKE128_Final) 83 1.1 riastrad __weak_alias(SHAKE256_Init,_SHAKE256_Init) 84 1.1 riastrad __weak_alias(SHAKE256_Update,_SHAKE256_Update) 85 1.1 riastrad __weak_alias(SHAKE256_Final,_SHAKE256_Final) 86 1.1 riastrad #endif /* __weak_alias */ 87 1.1 riastrad #endif /* kernel/standalone */ 88 1.1 riastrad 89 1.1 riastrad #define MIN(a,b) ((a) < (b) ? (a) : (b)) 90 1.1 riastrad 91 1.1 riastrad /* 92 1.1 riastrad * Common body. All the SHA-3 functions share code structure. They 93 1.1 riastrad * differ only in the size of the chunks they split the message into: 94 1.1 riastrad * for digest size d, they are split into chunks of 200 - d bytes. 95 1.1 riastrad */ 96 1.1 riastrad 97 1.1 riastrad static inline unsigned 98 1.1 riastrad sha3_rate(unsigned d) 99 1.1 riastrad { 100 1.1 riastrad const unsigned cw = 2*d/8; /* capacity in words */ 101 1.1 riastrad 102 1.1 riastrad return 25 - cw; 103 1.1 riastrad } 104 1.1 riastrad 105 1.1 riastrad static void 106 1.1 riastrad sha3_init(struct sha3 *C, unsigned rw) 107 1.1 riastrad { 108 1.1 riastrad unsigned iw; 109 1.1 riastrad 110 1.1 riastrad C->nb = 8*rw; 111 1.1 riastrad for (iw = 0; iw < 25; iw++) 112 1.1 riastrad C->A[iw] = 0; 113 1.1 riastrad } 114 1.1 riastrad 115 1.1 riastrad static void 116 1.1 riastrad sha3_update(struct sha3 *C, const uint8_t *data, size_t len, unsigned rw) 117 1.1 riastrad { 118 1.1 riastrad uint64_t T; 119 1.1 riastrad unsigned ib, iw; /* index of byte/word */ 120 1.1 riastrad 121 1.1 riastrad assert(0 < C->nb); 122 1.1 riastrad 123 1.1 riastrad /* If there's a partial word, try to fill it. */ 124 1.1 riastrad if ((C->nb % 8) != 0) { 125 1.1 riastrad T = 0; 126 1.1 riastrad for (ib = 0; ib < MIN(len, C->nb % 8); ib++) 127 1.1 riastrad T |= (uint64_t)data[ib] << (8*ib); 128 1.1 riastrad C->A[rw - (C->nb + 7)/8] ^= T << (8*(8 - (C->nb % 8))); 129 1.1 riastrad C->nb -= ib; 130 1.1 riastrad data += ib; 131 1.1 riastrad len -= ib; 132 1.1 riastrad 133 1.1 riastrad /* If we filled the buffer, permute now. */ 134 1.1 riastrad if (C->nb == 0) { 135 1.1 riastrad keccakf1600(C->A); 136 1.1 riastrad C->nb = 8*rw; 137 1.1 riastrad } 138 1.1 riastrad 139 1.1 riastrad /* If that exhausted the input, we're done. */ 140 1.1 riastrad if (len == 0) 141 1.1 riastrad return; 142 1.1 riastrad } 143 1.1 riastrad 144 1.1 riastrad /* At a word boundary. Fill any partial buffer. */ 145 1.1 riastrad assert((C->nb % 8) == 0); 146 1.1 riastrad if (C->nb < 8*rw) { 147 1.1 riastrad for (iw = 0; iw < MIN(len, C->nb)/8; iw++) 148 1.1 riastrad C->A[rw - C->nb/8 + iw] ^= le64dec(data + 8*iw); 149 1.1 riastrad C->nb -= 8*iw; 150 1.1 riastrad data += 8*iw; 151 1.1 riastrad len -= 8*iw; 152 1.1 riastrad 153 1.1 riastrad /* If we filled the buffer, permute now. */ 154 1.1 riastrad if (C->nb == 0) { 155 1.1 riastrad keccakf1600(C->A); 156 1.1 riastrad C->nb = 8*rw; 157 1.1 riastrad } else { 158 1.1 riastrad /* Otherwise, less than a word left. */ 159 1.1 riastrad assert(len < 8); 160 1.1 riastrad goto partial; 161 1.1 riastrad } 162 1.1 riastrad } 163 1.1 riastrad 164 1.1 riastrad /* At a buffer boundary. Absorb input one buffer at a time. */ 165 1.1 riastrad assert(C->nb == 8*rw); 166 1.1 riastrad while (8*rw <= len) { 167 1.1 riastrad for (iw = 0; iw < rw; iw++) 168 1.1 riastrad C->A[iw] ^= le64dec(data + 8*iw); 169 1.1 riastrad keccakf1600(C->A); 170 1.1 riastrad data += 8*rw; 171 1.1 riastrad len -= 8*rw; 172 1.1 riastrad } 173 1.1 riastrad 174 1.1 riastrad /* Partially fill the buffer with as many words as we can. */ 175 1.1 riastrad for (iw = 0; iw < len/8; iw++) 176 1.1 riastrad C->A[rw - C->nb/8 + iw] ^= le64dec(data + 8*iw); 177 1.1 riastrad C->nb -= 8*iw; 178 1.1 riastrad data += 8*iw; 179 1.1 riastrad len -= 8*iw; 180 1.1 riastrad 181 1.1 riastrad partial: 182 1.1 riastrad /* Partially fill the last word with as many bytes as we can. */ 183 1.1 riastrad assert(len < 8); 184 1.1 riastrad assert(0 < C->nb); 185 1.1 riastrad assert((C->nb % 8) == 0); 186 1.1 riastrad T = 0; 187 1.1 riastrad for (ib = 0; ib < len; ib++) 188 1.1 riastrad T |= (uint64_t)data[ib] << (8*ib); 189 1.1 riastrad C->A[rw - C->nb/8] ^= T; 190 1.1 riastrad C->nb -= ib; 191 1.1 riastrad assert(0 < C->nb); 192 1.1 riastrad } 193 1.1 riastrad 194 1.1 riastrad static void 195 1.1 riastrad sha3_final(uint8_t *h, unsigned d, struct sha3 *C, unsigned rw) 196 1.1 riastrad { 197 1.1 riastrad unsigned nw, iw; 198 1.1 riastrad 199 1.1 riastrad assert(d <= 8*25); 200 1.1 riastrad assert(0 < C->nb); 201 1.1 riastrad 202 1.1 riastrad /* Append 01, pad with 10*1 up to buffer boundary, LSB first. */ 203 1.1 riastrad nw = (C->nb + 7)/8; 204 1.1 riastrad assert(0 < nw); 205 1.1 riastrad assert(nw <= rw); 206 1.1 riastrad C->A[rw - nw] ^= (uint64_t)0x06 << (8*(8*nw - C->nb)); 207 1.1 riastrad C->A[rw - 1] ^= 0x8000000000000000ULL; 208 1.1 riastrad 209 1.1 riastrad /* Permute one last time. */ 210 1.1 riastrad keccakf1600(C->A); 211 1.1 riastrad 212 1.1 riastrad /* Reveal the first 8d bits of state, forget 1600-8d of them. */ 213 1.1 riastrad for (iw = 0; iw < d/8; iw++) 214 1.1 riastrad le64enc(h + 8*iw, C->A[iw]); 215 1.1 riastrad h += 8*iw; 216 1.1 riastrad d -= 8*iw; 217 1.1 riastrad if (0 < d) { 218 1.1 riastrad /* For SHA3-224, we need to expose a partial word. */ 219 1.1 riastrad uint64_t T = C->A[iw]; 220 1.1 riastrad do { 221 1.1 riastrad *h++ = T & 0xff; 222 1.1 riastrad T >>= 8; 223 1.1 riastrad } while (--d); 224 1.1 riastrad } 225 1.1 riastrad (void)explicit_memset(C->A, 0, sizeof C->A); 226 1.1 riastrad C->nb = 0; 227 1.1 riastrad } 228 1.1 riastrad 229 1.1 riastrad static void 230 1.1 riastrad shake_final(uint8_t *h, unsigned d, struct sha3 *C, unsigned rw) 231 1.1 riastrad { 232 1.1 riastrad unsigned nw, iw; 233 1.1 riastrad 234 1.1 riastrad assert(0 < C->nb); 235 1.1 riastrad 236 1.1 riastrad /* Append 1111, pad with 10*1 up to buffer boundary, LSB first. */ 237 1.1 riastrad nw = (C->nb + 7)/8; 238 1.1 riastrad assert(0 < nw); 239 1.1 riastrad assert(nw <= rw); 240 1.1 riastrad C->A[rw - nw] ^= (uint64_t)0x1f << (8*(8*nw - C->nb)); 241 1.1 riastrad C->A[rw - 1] ^= 0x8000000000000000ULL; 242 1.1 riastrad 243 1.1 riastrad /* Permute, reveal first rw words of state, repeat. */ 244 1.1 riastrad while (8*rw <= d) { 245 1.1 riastrad keccakf1600(C->A); 246 1.1 riastrad for (iw = 0; iw < rw; iw++) 247 1.1 riastrad le64enc(h + 8*iw, C->A[iw]); 248 1.1 riastrad h += 8*iw; 249 1.1 riastrad d -= 8*iw; 250 1.1 riastrad } 251 1.1 riastrad 252 1.1 riastrad /* 253 1.1 riastrad * If 8*rw (the output rate in bytes) does not divide d, more 254 1.1 riastrad * words are wanted: permute again and reveal a little more. 255 1.1 riastrad */ 256 1.1 riastrad if (0 < d) { 257 1.1 riastrad keccakf1600(C->A); 258 1.1 riastrad for (iw = 0; iw < d/8; iw++) 259 1.1 riastrad le64enc(h + 8*iw, C->A[iw]); 260 1.1 riastrad h += 8*iw; 261 1.1 riastrad d -= 8*iw; 262 1.1 riastrad 263 1.1 riastrad /* 264 1.1 riastrad * If 8 does not divide d, more bytes are wanted: 265 1.1 riastrad * reveal them. 266 1.1 riastrad */ 267 1.1 riastrad if (0 < d) { 268 1.1 riastrad uint64_t T = C->A[iw]; 269 1.1 riastrad do { 270 1.1 riastrad *h++ = T & 0xff; 271 1.1 riastrad T >>= 8; 272 1.1 riastrad } while (--d); 273 1.1 riastrad } 274 1.1 riastrad } 275 1.1 riastrad 276 1.1 riastrad (void)explicit_memset(C->A, 0, sizeof C->A); 277 1.1 riastrad C->nb = 0; 278 1.1 riastrad } 279 1.1 riastrad 280 1.1 riastrad void 281 1.1 riastrad SHA3_224_Init(SHA3_224_CTX *C) 282 1.1 riastrad { 283 1.1 riastrad 284 1.1 riastrad sha3_init(&C->C224, sha3_rate(SHA3_224_DIGEST_LENGTH)); 285 1.1 riastrad } 286 1.1 riastrad 287 1.1 riastrad void 288 1.1 riastrad SHA3_224_Update(SHA3_224_CTX *C, const uint8_t *data, size_t len) 289 1.1 riastrad { 290 1.1 riastrad 291 1.1 riastrad sha3_update(&C->C224, data, len, sha3_rate(SHA3_224_DIGEST_LENGTH)); 292 1.1 riastrad } 293 1.1 riastrad 294 1.1 riastrad void 295 1.1 riastrad SHA3_224_Final(uint8_t h[SHA3_224_DIGEST_LENGTH], SHA3_224_CTX *C) 296 1.1 riastrad { 297 1.1 riastrad 298 1.1 riastrad sha3_final(h, SHA3_224_DIGEST_LENGTH, &C->C224, 299 1.1 riastrad sha3_rate(SHA3_224_DIGEST_LENGTH)); 300 1.1 riastrad } 301 1.1 riastrad 302 1.1 riastrad void 303 1.1 riastrad SHA3_256_Init(SHA3_256_CTX *C) 304 1.1 riastrad { 305 1.1 riastrad 306 1.1 riastrad sha3_init(&C->C256, sha3_rate(SHA3_256_DIGEST_LENGTH)); 307 1.1 riastrad } 308 1.1 riastrad 309 1.1 riastrad void 310 1.1 riastrad SHA3_256_Update(SHA3_256_CTX *C, const uint8_t *data, size_t len) 311 1.1 riastrad { 312 1.1 riastrad 313 1.1 riastrad sha3_update(&C->C256, data, len, sha3_rate(SHA3_256_DIGEST_LENGTH)); 314 1.1 riastrad } 315 1.1 riastrad 316 1.1 riastrad void 317 1.1 riastrad SHA3_256_Final(uint8_t h[SHA3_256_DIGEST_LENGTH], SHA3_256_CTX *C) 318 1.1 riastrad { 319 1.1 riastrad 320 1.1 riastrad sha3_final(h, SHA3_256_DIGEST_LENGTH, &C->C256, 321 1.1 riastrad sha3_rate(SHA3_256_DIGEST_LENGTH)); 322 1.1 riastrad } 323 1.1 riastrad 324 1.1 riastrad void 325 1.1 riastrad SHA3_384_Init(SHA3_384_CTX *C) 326 1.1 riastrad { 327 1.1 riastrad 328 1.1 riastrad sha3_init(&C->C384, sha3_rate(SHA3_384_DIGEST_LENGTH)); 329 1.1 riastrad } 330 1.1 riastrad 331 1.1 riastrad void 332 1.1 riastrad SHA3_384_Update(SHA3_384_CTX *C, const uint8_t *data, size_t len) 333 1.1 riastrad { 334 1.1 riastrad 335 1.1 riastrad sha3_update(&C->C384, data, len, sha3_rate(SHA3_384_DIGEST_LENGTH)); 336 1.1 riastrad } 337 1.1 riastrad 338 1.1 riastrad void 339 1.1 riastrad SHA3_384_Final(uint8_t h[SHA3_384_DIGEST_LENGTH], SHA3_384_CTX *C) 340 1.1 riastrad { 341 1.1 riastrad 342 1.1 riastrad sha3_final(h, SHA3_384_DIGEST_LENGTH, &C->C384, 343 1.1 riastrad sha3_rate(SHA3_384_DIGEST_LENGTH)); 344 1.1 riastrad } 345 1.1 riastrad 346 1.1 riastrad void 347 1.1 riastrad SHA3_512_Init(SHA3_512_CTX *C) 348 1.1 riastrad { 349 1.1 riastrad 350 1.1 riastrad sha3_init(&C->C512, sha3_rate(SHA3_512_DIGEST_LENGTH)); 351 1.1 riastrad } 352 1.1 riastrad 353 1.1 riastrad void 354 1.1 riastrad SHA3_512_Update(SHA3_512_CTX *C, const uint8_t *data, size_t len) 355 1.1 riastrad { 356 1.1 riastrad 357 1.1 riastrad sha3_update(&C->C512, data, len, sha3_rate(SHA3_512_DIGEST_LENGTH)); 358 1.1 riastrad } 359 1.1 riastrad 360 1.1 riastrad void 361 1.1 riastrad SHA3_512_Final(uint8_t h[SHA3_512_DIGEST_LENGTH], SHA3_512_CTX *C) 362 1.1 riastrad { 363 1.1 riastrad 364 1.1 riastrad sha3_final(h, SHA3_512_DIGEST_LENGTH, &C->C512, 365 1.1 riastrad sha3_rate(SHA3_512_DIGEST_LENGTH)); 366 1.1 riastrad } 367 1.1 riastrad 368 1.1 riastrad void 369 1.1 riastrad SHAKE128_Init(SHAKE128_CTX *C) 370 1.1 riastrad { 371 1.1 riastrad 372 1.1 riastrad sha3_init(&C->C128, sha3_rate(128/8)); 373 1.1 riastrad } 374 1.1 riastrad 375 1.1 riastrad void 376 1.1 riastrad SHAKE128_Update(SHAKE128_CTX *C, const uint8_t *data, size_t len) 377 1.1 riastrad { 378 1.1 riastrad 379 1.1 riastrad sha3_update(&C->C128, data, len, sha3_rate(128/8)); 380 1.1 riastrad } 381 1.1 riastrad 382 1.1 riastrad void 383 1.1 riastrad SHAKE128_Final(uint8_t *h, size_t d, SHAKE128_CTX *C) 384 1.1 riastrad { 385 1.1 riastrad 386 1.1 riastrad shake_final(h, d, &C->C128, sha3_rate(128/8)); 387 1.1 riastrad } 388 1.1 riastrad 389 1.1 riastrad void 390 1.1 riastrad SHAKE256_Init(SHAKE256_CTX *C) 391 1.1 riastrad { 392 1.1 riastrad 393 1.1 riastrad sha3_init(&C->C256, sha3_rate(256/8)); 394 1.1 riastrad } 395 1.1 riastrad 396 1.1 riastrad void 397 1.1 riastrad SHAKE256_Update(SHAKE256_CTX *C, const uint8_t *data, size_t len) 398 1.1 riastrad { 399 1.1 riastrad 400 1.1 riastrad sha3_update(&C->C256, data, len, sha3_rate(256/8)); 401 1.1 riastrad } 402 1.1 riastrad 403 1.1 riastrad void 404 1.1 riastrad SHAKE256_Final(uint8_t *h, size_t d, SHAKE256_CTX *C) 405 1.1 riastrad { 406 1.1 riastrad 407 1.1 riastrad shake_final(h, d, &C->C256, sha3_rate(256/8)); 408 1.1 riastrad } 409 1.1 riastrad 410 1.1 riastrad static void 411 1.1 riastrad sha3_selftest_prng(void *buf, size_t len, uint32_t seed) 412 1.1 riastrad { 413 1.1 riastrad uint8_t *p = buf; 414 1.1 riastrad size_t n = len; 415 1.1 riastrad uint32_t t, a, b; 416 1.1 riastrad 417 1.1 riastrad a = 0xdead4bad * seed; 418 1.1 riastrad b = 1; 419 1.1 riastrad 420 1.1 riastrad while (n--) { 421 1.1 riastrad t = a + b; 422 1.1 riastrad *p++ = t >> 24; 423 1.1 riastrad a = b; 424 1.1 riastrad b = t; 425 1.1 riastrad } 426 1.1 riastrad } 427 1.1 riastrad 428 1.1 riastrad int 429 1.1 riastrad SHA3_Selftest(void) 430 1.1 riastrad { 431 1.1 riastrad const uint8_t d224_0[] = { /* SHA3-224(0-bit) */ 432 1.1 riastrad 0x6b,0x4e,0x03,0x42,0x36,0x67,0xdb,0xb7, 433 1.1 riastrad 0x3b,0x6e,0x15,0x45,0x4f,0x0e,0xb1,0xab, 434 1.1 riastrad 0xd4,0x59,0x7f,0x9a,0x1b,0x07,0x8e,0x3f, 435 1.1 riastrad 0x5b,0x5a,0x6b,0xc7, 436 1.1 riastrad }; 437 1.1 riastrad const uint8_t d256_0[] = { /* SHA3-256(0-bit) */ 438 1.1 riastrad 0xa7,0xff,0xc6,0xf8,0xbf,0x1e,0xd7,0x66, 439 1.1 riastrad 0x51,0xc1,0x47,0x56,0xa0,0x61,0xd6,0x62, 440 1.1 riastrad 0xf5,0x80,0xff,0x4d,0xe4,0x3b,0x49,0xfa, 441 1.1 riastrad 0x82,0xd8,0x0a,0x4b,0x80,0xf8,0x43,0x4a, 442 1.1 riastrad }; 443 1.1 riastrad const uint8_t d384_0[] = { /* SHA3-384(0-bit) */ 444 1.1 riastrad 0x0c,0x63,0xa7,0x5b,0x84,0x5e,0x4f,0x7d, 445 1.1 riastrad 0x01,0x10,0x7d,0x85,0x2e,0x4c,0x24,0x85, 446 1.1 riastrad 0xc5,0x1a,0x50,0xaa,0xaa,0x94,0xfc,0x61, 447 1.1 riastrad 0x99,0x5e,0x71,0xbb,0xee,0x98,0x3a,0x2a, 448 1.1 riastrad 0xc3,0x71,0x38,0x31,0x26,0x4a,0xdb,0x47, 449 1.1 riastrad 0xfb,0x6b,0xd1,0xe0,0x58,0xd5,0xf0,0x04, 450 1.1 riastrad }; 451 1.1 riastrad const uint8_t d512_0[] = { /* SHA3-512(0-bit) */ 452 1.1 riastrad 0xa6,0x9f,0x73,0xcc,0xa2,0x3a,0x9a,0xc5, 453 1.1 riastrad 0xc8,0xb5,0x67,0xdc,0x18,0x5a,0x75,0x6e, 454 1.1 riastrad 0x97,0xc9,0x82,0x16,0x4f,0xe2,0x58,0x59, 455 1.1 riastrad 0xe0,0xd1,0xdc,0xc1,0x47,0x5c,0x80,0xa6, 456 1.1 riastrad 0x15,0xb2,0x12,0x3a,0xf1,0xf5,0xf9,0x4c, 457 1.1 riastrad 0x11,0xe3,0xe9,0x40,0x2c,0x3a,0xc5,0x58, 458 1.1 riastrad 0xf5,0x00,0x19,0x9d,0x95,0xb6,0xd3,0xe3, 459 1.1 riastrad 0x01,0x75,0x85,0x86,0x28,0x1d,0xcd,0x26, 460 1.1 riastrad }; 461 1.1 riastrad const uint8_t shake128_0_41[] = { /* SHAKE128(0-bit, 41) */ 462 1.1 riastrad 0x7f,0x9c,0x2b,0xa4,0xe8,0x8f,0x82,0x7d, 463 1.1 riastrad 0x61,0x60,0x45,0x50,0x76,0x05,0x85,0x3e, 464 1.1 riastrad 0xd7,0x3b,0x80,0x93,0xf6,0xef,0xbc,0x88, 465 1.1 riastrad 0xeb,0x1a,0x6e,0xac,0xfa,0x66,0xef,0x26, 466 1.1 riastrad 0x3c,0xb1,0xee,0xa9,0x88,0x00,0x4b,0x93,0x10, 467 1.1 riastrad }; 468 1.1 riastrad const uint8_t shake256_0_73[] = { /* SHAKE256(0-bit, 73) */ 469 1.1 riastrad 0x46,0xb9,0xdd,0x2b,0x0b,0xa8,0x8d,0x13, 470 1.1 riastrad 0x23,0x3b,0x3f,0xeb,0x74,0x3e,0xeb,0x24, 471 1.1 riastrad 0x3f,0xcd,0x52,0xea,0x62,0xb8,0x1b,0x82, 472 1.1 riastrad 0xb5,0x0c,0x27,0x64,0x6e,0xd5,0x76,0x2f, 473 1.1 riastrad 0xd7,0x5d,0xc4,0xdd,0xd8,0xc0,0xf2,0x00, 474 1.1 riastrad 0xcb,0x05,0x01,0x9d,0x67,0xb5,0x92,0xf6, 475 1.1 riastrad 0xfc,0x82,0x1c,0x49,0x47,0x9a,0xb4,0x86, 476 1.1 riastrad 0x40,0x29,0x2e,0xac,0xb3,0xb7,0xc4,0xbe, 477 1.1 riastrad 0x14,0x1e,0x96,0x61,0x6f,0xb1,0x39,0x57,0x69, 478 1.1 riastrad }; 479 1.1 riastrad const uint8_t d224_1600[] = { /* SHA3-224(200 * 0xa3) */ 480 1.1 riastrad 0x93,0x76,0x81,0x6a,0xba,0x50,0x3f,0x72, 481 1.1 riastrad 0xf9,0x6c,0xe7,0xeb,0x65,0xac,0x09,0x5d, 482 1.1 riastrad 0xee,0xe3,0xbe,0x4b,0xf9,0xbb,0xc2,0xa1, 483 1.1 riastrad 0xcb,0x7e,0x11,0xe0, 484 1.1 riastrad }; 485 1.1 riastrad const uint8_t d256_1600[] = { /* SHA3-256(200 * 0xa3) */ 486 1.1 riastrad 0x79,0xf3,0x8a,0xde,0xc5,0xc2,0x03,0x07, 487 1.1 riastrad 0xa9,0x8e,0xf7,0x6e,0x83,0x24,0xaf,0xbf, 488 1.1 riastrad 0xd4,0x6c,0xfd,0x81,0xb2,0x2e,0x39,0x73, 489 1.1 riastrad 0xc6,0x5f,0xa1,0xbd,0x9d,0xe3,0x17,0x87, 490 1.1 riastrad }; 491 1.1 riastrad const uint8_t d384_1600[] = { /* SHA3-384(200 * 0xa3) */ 492 1.1 riastrad 0x18,0x81,0xde,0x2c,0xa7,0xe4,0x1e,0xf9, 493 1.1 riastrad 0x5d,0xc4,0x73,0x2b,0x8f,0x5f,0x00,0x2b, 494 1.1 riastrad 0x18,0x9c,0xc1,0xe4,0x2b,0x74,0x16,0x8e, 495 1.1 riastrad 0xd1,0x73,0x26,0x49,0xce,0x1d,0xbc,0xdd, 496 1.1 riastrad 0x76,0x19,0x7a,0x31,0xfd,0x55,0xee,0x98, 497 1.1 riastrad 0x9f,0x2d,0x70,0x50,0xdd,0x47,0x3e,0x8f, 498 1.1 riastrad }; 499 1.1 riastrad const uint8_t d512_1600[] = { /* SHA3-512(200 * 0xa3) */ 500 1.1 riastrad 0xe7,0x6d,0xfa,0xd2,0x20,0x84,0xa8,0xb1, 501 1.1 riastrad 0x46,0x7f,0xcf,0x2f,0xfa,0x58,0x36,0x1b, 502 1.1 riastrad 0xec,0x76,0x28,0xed,0xf5,0xf3,0xfd,0xc0, 503 1.1 riastrad 0xe4,0x80,0x5d,0xc4,0x8c,0xae,0xec,0xa8, 504 1.1 riastrad 0x1b,0x7c,0x13,0xc3,0x0a,0xdf,0x52,0xa3, 505 1.1 riastrad 0x65,0x95,0x84,0x73,0x9a,0x2d,0xf4,0x6b, 506 1.1 riastrad 0xe5,0x89,0xc5,0x1c,0xa1,0xa4,0xa8,0x41, 507 1.1 riastrad 0x6d,0xf6,0x54,0x5a,0x1c,0xe8,0xba,0x00, 508 1.1 riastrad }; 509 1.1 riastrad const uint8_t shake128_1600_41[] = { /* SHAKE128(200 * 0xa3, 41) */ 510 1.1 riastrad 0x13,0x1a,0xb8,0xd2,0xb5,0x94,0x94,0x6b, 511 1.1 riastrad 0x9c,0x81,0x33,0x3f,0x9b,0xb6,0xe0,0xce, 512 1.1 riastrad 0x75,0xc3,0xb9,0x31,0x04,0xfa,0x34,0x69, 513 1.1 riastrad 0xd3,0x91,0x74,0x57,0x38,0x5d,0xa0,0x37, 514 1.1 riastrad 0xcf,0x23,0x2e,0xf7,0x16,0x4a,0x6d,0x1e,0xb4, 515 1.1 riastrad }; 516 1.1 riastrad const uint8_t shake256_1600_73[] = { /* SHAKE256(200 * 0xa3, 73) */ 517 1.1 riastrad 0xcd,0x8a,0x92,0x0e,0xd1,0x41,0xaa,0x04, 518 1.1 riastrad 0x07,0xa2,0x2d,0x59,0x28,0x86,0x52,0xe9, 519 1.1 riastrad 0xd9,0xf1,0xa7,0xee,0x0c,0x1e,0x7c,0x1c, 520 1.1 riastrad 0xa6,0x99,0x42,0x4d,0xa8,0x4a,0x90,0x4d, 521 1.1 riastrad 0x2d,0x70,0x0c,0xaa,0xe7,0x39,0x6e,0xce, 522 1.1 riastrad 0x96,0x60,0x44,0x40,0x57,0x7d,0xa4,0xf3, 523 1.1 riastrad 0xaa,0x22,0xae,0xb8,0x85,0x7f,0x96,0x1c, 524 1.1 riastrad 0x4c,0xd8,0xe0,0x6f,0x0a,0xe6,0x61,0x0b, 525 1.1 riastrad 0x10,0x48,0xa7,0xf6,0x4e,0x10,0x74,0xcd,0x62, 526 1.1 riastrad }; 527 1.1 riastrad const uint8_t d0[] = { 528 1.1 riastrad 0x6c,0x02,0x1a,0xc6,0x65,0xaf,0x80,0xfb, 529 1.1 riastrad 0x52,0xe6,0x2d,0x27,0xe5,0x02,0x88,0x84, 530 1.1 riastrad 0xec,0x1c,0x0c,0xe7,0x0b,0x94,0x55,0x83, 531 1.1 riastrad 0x19,0xf2,0xbf,0x09,0x86,0xeb,0x1a,0xbb, 532 1.1 riastrad 0xc3,0x0d,0x1c,0xef,0x22,0xfe,0xc5,0x4c, 533 1.1 riastrad 0x45,0x90,0x66,0x14,0x00,0x6e,0xc8,0x79, 534 1.1 riastrad 0xdf,0x1e,0x02,0xbd,0x75,0xe9,0x60,0xd8, 535 1.1 riastrad 0x60,0x39,0x85,0xc9,0xc4,0xee,0x33,0xab, 536 1.1 riastrad }; 537 1.1 riastrad const unsigned mlen[6] = { 0, 3, 128, 129, 255, 1024 }; 538 1.1 riastrad uint8_t m[1024], d[73]; 539 1.1 riastrad SHA3_224_CTX sha3224; 540 1.1 riastrad SHA3_256_CTX sha3256; 541 1.1 riastrad SHA3_384_CTX sha3384; 542 1.1 riastrad SHA3_512_CTX sha3512; 543 1.1 riastrad SHAKE128_CTX shake128; 544 1.1 riastrad SHAKE256_CTX shake256; 545 1.1 riastrad SHA3_512_CTX ctx; 546 1.1 riastrad unsigned mi; 547 1.1 riastrad 548 1.1 riastrad /* 549 1.1 riastrad * NIST test vectors from 550 1.1 riastrad * <http://csrc.nist.gov/groups/ST/toolkit/examples.html#aHashing>: 551 1.1 riastrad * 0-bit, 1600-bit repeated 0xa3 (= 0b10100011). 552 1.1 riastrad */ 553 1.1 riastrad SHA3_224_Init(&sha3224); 554 1.1 riastrad SHA3_224_Final(d, &sha3224); 555 1.1 riastrad if (memcmp(d, d224_0, 28) != 0) 556 1.1 riastrad return -1; 557 1.1 riastrad SHA3_256_Init(&sha3256); 558 1.1 riastrad SHA3_256_Final(d, &sha3256); 559 1.1 riastrad if (memcmp(d, d256_0, 32) != 0) 560 1.1 riastrad return -1; 561 1.1 riastrad SHA3_384_Init(&sha3384); 562 1.1 riastrad SHA3_384_Final(d, &sha3384); 563 1.1 riastrad if (memcmp(d, d384_0, 48) != 0) 564 1.1 riastrad return -1; 565 1.1 riastrad SHA3_512_Init(&sha3512); 566 1.1 riastrad SHA3_512_Final(d, &sha3512); 567 1.1 riastrad if (memcmp(d, d512_0, 64) != 0) 568 1.1 riastrad return -1; 569 1.1 riastrad SHAKE128_Init(&shake128); 570 1.1 riastrad SHAKE128_Final(d, 41, &shake128); 571 1.1 riastrad if (memcmp(d, shake128_0_41, 41) != 0) 572 1.1 riastrad return -1; 573 1.1 riastrad SHAKE256_Init(&shake256); 574 1.1 riastrad SHAKE256_Final(d, 73, &shake256); 575 1.1 riastrad if (memcmp(d, shake256_0_73, 73) != 0) 576 1.1 riastrad return -1; 577 1.1 riastrad 578 1.1 riastrad (void)memset(m, 0xa3, 200); 579 1.1 riastrad SHA3_224_Init(&sha3224); 580 1.1 riastrad SHA3_224_Update(&sha3224, m, 200); 581 1.1 riastrad SHA3_224_Final(d, &sha3224); 582 1.1 riastrad if (memcmp(d, d224_1600, 28) != 0) 583 1.1 riastrad return -1; 584 1.1 riastrad SHA3_256_Init(&sha3256); 585 1.1 riastrad SHA3_256_Update(&sha3256, m, 200); 586 1.1 riastrad SHA3_256_Final(d, &sha3256); 587 1.1 riastrad if (memcmp(d, d256_1600, 32) != 0) 588 1.1 riastrad return -1; 589 1.1 riastrad SHA3_384_Init(&sha3384); 590 1.1 riastrad SHA3_384_Update(&sha3384, m, 200); 591 1.1 riastrad SHA3_384_Final(d, &sha3384); 592 1.1 riastrad if (memcmp(d, d384_1600, 48) != 0) 593 1.1 riastrad return -1; 594 1.1 riastrad SHA3_512_Init(&sha3512); 595 1.1 riastrad SHA3_512_Update(&sha3512, m, 200); 596 1.1 riastrad SHA3_512_Final(d, &sha3512); 597 1.1 riastrad if (memcmp(d, d512_1600, 64) != 0) 598 1.1 riastrad return -1; 599 1.1 riastrad SHAKE128_Init(&shake128); 600 1.1 riastrad SHAKE128_Update(&shake128, m, 200); 601 1.1 riastrad SHAKE128_Final(d, 41, &shake128); 602 1.1 riastrad if (memcmp(d, shake128_1600_41, 41) != 0) 603 1.1 riastrad return -1; 604 1.1 riastrad SHAKE256_Init(&shake256); 605 1.1 riastrad SHAKE256_Update(&shake256, m, 200); 606 1.1 riastrad SHAKE256_Final(d, 73, &shake256); 607 1.1 riastrad if (memcmp(d, shake256_1600_73, 73) != 0) 608 1.1 riastrad return -1; 609 1.1 riastrad 610 1.1 riastrad /* 611 1.1 riastrad * Hand-crufted test vectors with unaligned message lengths. 612 1.1 riastrad */ 613 1.1 riastrad SHA3_512_Init(&ctx); 614 1.1 riastrad for (mi = 0; mi < 6; mi++) { 615 1.1 riastrad sha3_selftest_prng(m, mlen[mi], (224/8)*mlen[mi]); 616 1.1 riastrad SHA3_224_Init(&sha3224); 617 1.1 riastrad SHA3_224_Update(&sha3224, m, mlen[mi]); 618 1.1 riastrad SHA3_224_Final(d, &sha3224); 619 1.1 riastrad SHA3_512_Update(&ctx, d, 224/8); 620 1.1 riastrad } 621 1.1 riastrad for (mi = 0; mi < 6; mi++) { 622 1.1 riastrad sha3_selftest_prng(m, mlen[mi], (256/8)*mlen[mi]); 623 1.1 riastrad SHA3_256_Init(&sha3256); 624 1.1 riastrad SHA3_256_Update(&sha3256, m, mlen[mi]); 625 1.1 riastrad SHA3_256_Final(d, &sha3256); 626 1.1 riastrad SHA3_512_Update(&ctx, d, 256/8); 627 1.1 riastrad } 628 1.1 riastrad for (mi = 0; mi < 6; mi++) { 629 1.1 riastrad sha3_selftest_prng(m, mlen[mi], (384/8)*mlen[mi]); 630 1.1 riastrad SHA3_384_Init(&sha3384); 631 1.1 riastrad SHA3_384_Update(&sha3384, m, mlen[mi]); 632 1.1 riastrad SHA3_384_Final(d, &sha3384); 633 1.1 riastrad SHA3_512_Update(&ctx, d, 384/8); 634 1.1 riastrad } 635 1.1 riastrad for (mi = 0; mi < 6; mi++) { 636 1.1 riastrad sha3_selftest_prng(m, mlen[mi], (512/8)*mlen[mi]); 637 1.1 riastrad SHA3_512_Init(&sha3512); 638 1.1 riastrad SHA3_512_Update(&sha3512, m, mlen[mi]); 639 1.1 riastrad SHA3_512_Final(d, &sha3512); 640 1.1 riastrad SHA3_512_Update(&ctx, d, 512/8); 641 1.1 riastrad } 642 1.1 riastrad SHA3_512_Final(d, &ctx); 643 1.1 riastrad if (memcmp(d, d0, 64) != 0) 644 1.1 riastrad return -1; 645 1.1 riastrad 646 1.1 riastrad return 0; 647 1.1 riastrad } 648
Indexes created Tue Sep 30 20:09:53 GMT 2025