1/* $NetBSD: sha3.c,v 1.4 2024/01/19 19:32:42 christos Exp $ */ 2 3/*- 4 * Copyright (c) 2015 Taylor R. Campbell 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 17 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 20 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26 * SUCH DAMAGE. 
27 */ 28 29/* 30 * SHA-3: FIPS-202, Permutation-Based Hash and Extendable-Output Functions 31 */ 32 33#if HAVE_NBTOOL_CONFIG_H 34#include "nbtool_config.h" 35#endif 36 37#include <sys/cdefs.h> 38 39#if defined(_KERNEL) || defined(_STANDALONE) 40 41__KERNEL_RCSID(0, "$NetBSD: sha3.c,v 1.4 2024/01/19 19:32:42 christos Exp $"); 42#include <lib/libkern/libkern.h> 43 44#define SHA3_ASSERT KASSERT 45 46#else 47 48__RCSID("$NetBSD: sha3.c,v 1.4 2024/01/19 19:32:42 christos Exp $"); 49 50#include "namespace.h" 51 52#include <assert.h> 53#include <string.h> 54 55#define SHA3_ASSERT _DIAGASSERT 56 57#endif 58 59#include <sys/endian.h> 60#include <sys/sha3.h> 61 62#include "keccak.h" 63 64/* XXX Disabled for now -- these will be libc-private. */ 65#if 0 && !defined(_KERNEL) && !defined(_STANDALONE) 66#ifdef __weak_alias 67__weak_alias(SHA3_224_Init,_SHA3_224_Init) 68__weak_alias(SHA3_224_Update,_SHA3_224_Update) 69__weak_alias(SHA3_224_Final,_SHA3_224_Final) 70__weak_alias(SHA3_256_Init,_SHA3_256_Init) 71__weak_alias(SHA3_256_Update,_SHA3_256_Update) 72__weak_alias(SHA3_256_Final,_SHA3_256_Final) 73__weak_alias(SHA3_384_Init,_SHA3_384_Init) 74__weak_alias(SHA3_384_Update,_SHA3_384_Update) 75__weak_alias(SHA3_384_Final,_SHA3_384_Final) 76__weak_alias(SHA3_512_Init,_SHA3_512_Init) 77__weak_alias(SHA3_512_Update,_SHA3_512_Update) 78__weak_alias(SHA3_512_Final,_SHA3_512_Final) 79__weak_alias(SHA3_Selftest,_SHA3_Selftest) 80__weak_alias(SHAKE128_Init,_SHAKE128_Init) 81__weak_alias(SHAKE128_Update,_SHAKE128_Update) 82__weak_alias(SHAKE128_Final,_SHAKE128_Final) 83__weak_alias(SHAKE256_Init,_SHAKE256_Init) 84__weak_alias(SHAKE256_Update,_SHAKE256_Update) 85__weak_alias(SHAKE256_Final,_SHAKE256_Final) 86#endif /* __weak_alias */ 87#endif /* kernel/standalone */ 88 89#define MIN(a,b) ((a) < (b) ? (a) : (b)) 90#define arraycount(a) (sizeof(a)/sizeof((a)[0])) 91 92/* 93 * Common body. All the SHA-3 functions share code structure. 
They differ only in the size of the chunks they split the message into:
 * for digest size d, they are split into chunks of 200 - d bytes.
 *
 * State bookkeeping shared by every function below:
 *   C->A[25]  the 1600-bit Keccak state as 25 little-endian 64-bit words
 *   C->nb     bytes of the rate buffer (words A[0..rw-1]) not yet absorbed;
 *             8*rw right after init or a permutation, 0 only after final
 *   rw        rate in 64-bit words, as computed by sha3_rate()
 * The word currently being filled is A[rw - ceil(nb/8)], and bytes are
 * placed LSB first within a word (shift by 8*ib).
 *
 * NOTE(review): SHA3_ASSERT is defined above for the kernel/userland
 * split (KASSERT vs. _DIAGASSERT), but the checks below call assert()
 * directly, so the assertion policy is whatever assert() resolves to in
 * each build.
 */

/*
 * Rate, in 64-bit words, for a digest of d bytes: the capacity is 2*d
 * bytes (2*d/8 words) and the rate is the remaining words of the
 * 25-word state.
 */
static inline unsigned
sha3_rate(unsigned d)
{
	const unsigned cw = 2*d/8;	/* capacity in words */

	return 25 - cw;
}

/*
 * Zero the state and mark the whole rate buffer (8*rw bytes) as free.
 */
static void
sha3_init(struct sha3 *C, unsigned rw)
{
	unsigned iw;

	C->nb = 8*rw;
	for (iw = 0; iw < 25; iw++)
		C->A[iw] = 0;
}

/*
 * Absorb len bytes of data into C at rate rw words.  Input is XORed
 * into the rate buffer and the state is permuted each time the buffer
 * fills; leftover bytes stay in the partially filled word.
 *
 * Caller contract: C must have been initialised and must not have been
 * finalised (final sets nb to 0).  The assert on nb is the only check of
 * that; in a build where assert() compiles out, a zero nb is not
 * otherwise handled.
 */
static void
sha3_update(struct sha3 *C, const uint8_t *data, size_t len, unsigned rw)
{
	uint64_t T;
	unsigned ib, iw;	/* index of byte/word */

	assert(0 < C->nb);

	/* If there's a partial word, try to fill it. */
	if ((C->nb % 8) != 0) {
		/* Gather up to (nb % 8) bytes, LSB first. */
		T = 0;
		for (ib = 0; ib < MIN(len, C->nb % 8); ib++)
			T |= (uint64_t)data[ib] << (8*ib);
		/*
		 * The current word already holds 8 - (nb % 8) bytes, so
		 * shift the new bytes past them.
		 */
		C->A[rw - (C->nb + 7)/8] ^= T << (8*(8 - (C->nb % 8)));
		C->nb -= ib;
		data += ib;
		len -= ib;

		/* If we filled the buffer, permute now. */
		if (C->nb == 0) {
			keccakf1600(C->A);
			C->nb = 8*rw;
		}

		/* If that exhausted the input, we're done. */
		if (len == 0)
			return;
	}

	/* At a word boundary.  Fill any partial buffer. */
	assert((C->nb % 8) == 0);
	if (C->nb < 8*rw) {
		/* Whole words only; never more than the buffer has room for. */
		for (iw = 0; iw < MIN(len, C->nb)/8; iw++)
			C->A[rw - C->nb/8 + iw] ^= le64dec(data + 8*iw);
		C->nb -= 8*iw;
		data += 8*iw;
		len -= 8*iw;

		/* If we filled the buffer, permute now. */
		if (C->nb == 0) {
			keccakf1600(C->A);
			C->nb = 8*rw;
		} else {
			/* Otherwise, less than a word left. */
			assert(len < 8);
			goto partial;
		}
	}

	/* At a buffer boundary.  Absorb input one buffer at a time. */
	assert(C->nb == 8*rw);
	while (8*rw <= len) {
		for (iw = 0; iw < rw; iw++)
			C->A[iw] ^= le64dec(data + 8*iw);
		keccakf1600(C->A);
		data += 8*rw;
		len -= 8*rw;
	}

	/* Partially fill the buffer with as many words as we can. */
	for (iw = 0; iw < len/8; iw++)
		C->A[rw - C->nb/8 + iw] ^= le64dec(data + 8*iw);
	C->nb -= 8*iw;
	data += 8*iw;
	len -= 8*iw;

partial:
	/* Partially fill the last word with as many bytes as we can. */
	assert(len < 8);
	assert(0 < C->nb);
	assert((C->nb % 8) == 0);
	T = 0;
	for (ib = 0; ib < len; ib++)
		T |= (uint64_t)data[ib] << (8*ib);
	C->A[rw - C->nb/8] ^= T;
	C->nb -= ib;
	/* Fewer than 8 bytes were taken from a word-aligned nb, so nb > 0. */
	assert(0 < C->nb);
}

/*
 * Finish a SHA-3 hash: pad, permute once, write the first d bytes of the
 * state to h, then wipe the state.
 *
 *   h   receives d bytes of digest
 *   d   digest length in bytes (at most the 200-byte state)
 *   rw  rate in words, as used for the update calls
 *
 * On return the state is zeroed with explicit_memset() and nb is 0, so a
 * subsequent update or final on C trips the nb assertion rather than
 * reusing state.
 */
static void
sha3_final(uint8_t *h, unsigned d, struct sha3 *C, unsigned rw)
{
	unsigned nw, iw;

	assert(d <= 8*25);
	assert(0 < C->nb);

	/*
	 * Append 01, pad with 10*1 up to buffer boundary, LSB first.
	 * 0x06 is the SHA-3 domain bits (01) followed by the first pad
	 * bit (1); the word A[rw - nw] already holds 8*nw - nb bytes, so
	 * shift past them.
	 */
	nw = (C->nb + 7)/8;
	assert(0 < nw);
	assert(nw <= rw);
	C->A[rw - nw] ^= (uint64_t)0x06 << (8*(8*nw - C->nb));
	/* Closing pad bit: top bit of the last rate word. */
	C->A[rw - 1] ^= 0x8000000000000000ULL;

	/* Permute one last time. */
	keccakf1600(C->A);

	/* Reveal the first 8d bits of state, forget 1600-8d of them. */
	for (iw = 0; iw < d/8; iw++)
		le64enc(h + 8*iw, C->A[iw]);
	h += 8*iw;
	d -= 8*iw;
	if (0 < d) {
		/* For SHA3-224, we need to expose a partial word. */
		uint64_t T = C->A[iw];
		do {
			*h++ = T & 0xff;
			T >>= 8;
		} while (--d);
	}
	/* Wipe the capacity part of the state too; nb = 0 marks "finalised". */
	(void)explicit_memset(C->A, 0, sizeof C->A);
	C->nb = 0;
}

/*
 * Finish a SHAKE XOF: pad, then squeeze d bytes of output into h,
 * permuting before each rate-sized block, and wipe the state.
 *
 *   h   receives d bytes of output
 *   d   requested output length in bytes (any size_t; 0 writes nothing)
 *   rw  rate in words, as used for the update calls
 *
 * As with sha3_final(), the state is zeroed afterwards and nb is 0.
 */
static void
shake_final(uint8_t *h, size_t d, struct sha3 *C, unsigned rw)
{
	unsigned nw, iw;

	assert(0 < C->nb);

	/*
	 * Append 1111, pad with 10*1 up to buffer boundary, LSB first.
	 * 0x1f is the SHAKE domain bits (1111) followed by the first pad
	 * bit (1).
	 */
	nw = (C->nb + 7)/8;
	assert(0 < nw);
	assert(nw <= rw);
	C->A[rw - nw] ^= (uint64_t)0x1f << (8*(8*nw - C->nb));
	C->A[rw - 1] ^= 0x8000000000000000ULL;

	/* Permute, reveal first rw words of state, repeat. */
	while (8*rw <= d) {
		keccakf1600(C->A);
		for (iw = 0; iw < rw; iw++)
			le64enc(h + 8*iw, C->A[iw]);
		h += 8*iw;
		d -= 8*iw;
	}

	/*
	 * If 8*rw (the output rate in bytes) does not divide d, more
	 * words are wanted: permute again and reveal a little more.
	 */
	if (0 < d) {
		keccakf1600(C->A);
		for (iw = 0; iw < d/8; iw++)
			le64enc(h + 8*iw, C->A[iw]);
		h += 8*iw;
		d -= 8*iw;

		/*
		 * If 8 does not divide d, more bytes are wanted:
		 * reveal them.
		 */
		if (0 < d) {
			uint64_t T = C->A[iw];
			do {
				*h++ = T & 0xff;
				T >>= 8;
			} while (--d);
		}
	}

	/* Wipe the state; nb = 0 marks the context as finalised. */
	(void)explicit_memset(C->A, 0, sizeof C->A);
	C->nb = 0;
}

/*
 * Public SHA3-224/256/384/512 entry points: thin wrappers that pass the
 * rate derived from the digest length to the common body.
 */

void
SHA3_224_Init(SHA3_224_CTX *C)
{

	sha3_init(&C->C224, sha3_rate(SHA3_224_DIGEST_LENGTH));
}

void
SHA3_224_Update(SHA3_224_CTX *C, const uint8_t *data, size_t len)
{

	sha3_update(&C->C224, data, len, sha3_rate(SHA3_224_DIGEST_LENGTH));
}

/* Writes SHA3_224_DIGEST_LENGTH bytes to h and wipes C. */
void
SHA3_224_Final(uint8_t h[SHA3_224_DIGEST_LENGTH], SHA3_224_CTX *C)
{

	sha3_final(h, SHA3_224_DIGEST_LENGTH, &C->C224,
	    sha3_rate(SHA3_224_DIGEST_LENGTH));
}

void
SHA3_256_Init(SHA3_256_CTX *C)
{

	sha3_init(&C->C256, sha3_rate(SHA3_256_DIGEST_LENGTH));
}

void
SHA3_256_Update(SHA3_256_CTX *C, const uint8_t *data, size_t len)
{

	sha3_update(&C->C256, data, len, sha3_rate(SHA3_256_DIGEST_LENGTH));
}

/* Writes SHA3_256_DIGEST_LENGTH bytes to h and wipes C. */
void
SHA3_256_Final(uint8_t h[SHA3_256_DIGEST_LENGTH], SHA3_256_CTX *C)
{

	sha3_final(h, SHA3_256_DIGEST_LENGTH, &C->C256,
	    sha3_rate(SHA3_256_DIGEST_LENGTH));
}

void
SHA3_384_Init(SHA3_384_CTX *C)
{

	sha3_init(&C->C384, sha3_rate(SHA3_384_DIGEST_LENGTH));
}

void
SHA3_384_Update(SHA3_384_CTX *C, const uint8_t *data, size_t len)
{

	sha3_update(&C->C384, data, len, sha3_rate(SHA3_384_DIGEST_LENGTH));
}

/* Writes SHA3_384_DIGEST_LENGTH bytes to h and wipes C. */
void
SHA3_384_Final(uint8_t h[SHA3_384_DIGEST_LENGTH], SHA3_384_CTX *C)
{

	sha3_final(h, SHA3_384_DIGEST_LENGTH, &C->C384,
	    sha3_rate(SHA3_384_DIGEST_LENGTH));
}

void
SHA3_512_Init(SHA3_512_CTX *C)
{

	sha3_init(&C->C512, sha3_rate(SHA3_512_DIGEST_LENGTH));
}

void
SHA3_512_Update(SHA3_512_CTX *C, const uint8_t *data, size_t len)
{

	sha3_update(&C->C512, data, len, sha3_rate(SHA3_512_DIGEST_LENGTH));
}

/* Writes SHA3_512_DIGEST_LENGTH bytes to h and wipes C. */
void
SHA3_512_Final(uint8_t h[SHA3_512_DIGEST_LENGTH], SHA3_512_CTX *C)
{

	sha3_final(h, SHA3_512_DIGEST_LENGTH, &C->C512,
	    sha3_rate(SHA3_512_DIGEST_LENGTH));
}

/*
 * SHAKE128/SHAKE256 entry points.  The rate is derived from the
 * security-strength-in-bytes (128/8, 256/8), not from an output length;
 * the output length is chosen per call in the Final function.
 */

void
SHAKE128_Init(SHAKE128_CTX *C)
{

	sha3_init(&C->C128, sha3_rate(128/8));
}

void
SHAKE128_Update(SHAKE128_CTX *C, const uint8_t *data, size_t len)
{

	sha3_update(&C->C128, data, len, sha3_rate(128/8));
}

/* Writes d bytes of output to h and wipes C. */
void
SHAKE128_Final(uint8_t *h, size_t d, SHAKE128_CTX *C)
{

	shake_final(h, d, &C->C128, sha3_rate(128/8));
}

void
SHAKE256_Init(SHAKE256_CTX *C)
{

	sha3_init(&C->C256, sha3_rate(256/8));
}

void
SHAKE256_Update(SHAKE256_CTX *C, const uint8_t *data, size_t len)
{

	sha3_update(&C->C256, data, len, sha3_rate(256/8));
}

/* Writes d bytes of output to h and wipes C. */
void
SHAKE256_Final(uint8_t *h, size_t d, SHAKE256_CTX *C)
{

	shake_final(h, d, &C->C256, sha3_rate(256/8));
}

/*
 * Deterministic byte generator for the self-test inputs only: a
 * Fibonacci-style 32-bit recurrence seeded from seed, emitting the top
 * byte of each term.  Not a CSPRNG and not used outside SHA3_Selftest().
 */
static void
sha3_selftest_prng(void *buf, size_t len, uint32_t seed)
{
	uint8_t *p = buf;
	size_t n = len;
	uint32_t t, a, b;

	a = 0xdead4bad * seed;
	b = 1;

	while (n--) {
		t = a + b;
		*p++ = t >> 24;
		a = b;
		b = t;
	}
}

/*
 * Known-answer self-test for every variant above.
 *
 * Returns 0 if every vector matches, -1 at the first mismatch.  All six
 * CTX pointers alias one struct sha3 on the stack; d is sized for the
 * largest output checked (73 bytes) and m for the largest message (255).
 */
int
SHA3_Selftest(void)
{
	static const uint8_t d224_0[] = { /* SHA3-224(0-bit) */
		0x6b,0x4e,0x03,0x42,0x36,0x67,0xdb,0xb7,
		0x3b,0x6e,0x15,0x45,0x4f,0x0e,0xb1,0xab,
		0xd4,0x59,0x7f,0x9a,0x1b,0x07,0x8e,0x3f,
		0x5b,0x5a,0x6b,0xc7,
	};
	static const uint8_t d256_0[] = { /* SHA3-256(0-bit) */
		0xa7,0xff,0xc6,0xf8,0xbf,0x1e,0xd7,0x66,
		0x51,0xc1,0x47,0x56,0xa0,0x61,0xd6,0x62,
		0xf5,0x80,0xff,0x4d,0xe4,0x3b,0x49,0xfa,
		0x82,0xd8,0x0a,0x4b,0x80,0xf8,0x43,0x4a,
	};
	static const uint8_t d384_0[] = { /* SHA3-384(0-bit) */
		0x0c,0x63,0xa7,0x5b,0x84,0x5e,0x4f,0x7d,
		0x01,0x10,0x7d,0x85,0x2e,0x4c,0x24,0x85,
		0xc5,0x1a,0x50,0xaa,0xaa,0x94,0xfc,0x61,
		0x99,0x5e,0x71,0xbb,0xee,0x98,0x3a,0x2a,
		0xc3,0x71,0x38,0x31,0x26,0x4a,0xdb,0x47,
		0xfb,0x6b,0xd1,0xe0,0x58,0xd5,0xf0,0x04,
	};
	static const uint8_t d512_0[] = { /* SHA3-512(0-bit) */
		0xa6,0x9f,0x73,0xcc,0xa2,0x3a,0x9a,0xc5,
		0xc8,0xb5,0x67,0xdc,0x18,0x5a,0x75,0x6e,
		0x97,0xc9,0x82,0x16,0x4f,0xe2,0x58,0x59,
		0xe0,0xd1,0xdc,0xc1,0x47,0x5c,0x80,0xa6,
		0x15,0xb2,0x12,0x3a,0xf1,0xf5,0xf9,0x4c,
		0x11,0xe3,0xe9,0x40,0x2c,0x3a,0xc5,0x58,
		0xf5,0x00,0x19,0x9d,0x95,0xb6,0xd3,0xe3,
		0x01,0x75,0x85,0x86,0x28,0x1d,0xcd,0x26,
	};
	static const uint8_t shake128_0_41[] = { /* SHAKE128(0-bit, 41) */
		0x7f,0x9c,0x2b,0xa4,0xe8,0x8f,0x82,0x7d,
		0x61,0x60,0x45,0x50,0x76,0x05,0x85,0x3e,
		0xd7,0x3b,0x80,0x93,0xf6,0xef,0xbc,0x88,
		0xeb,0x1a,0x6e,0xac,0xfa,0x66,0xef,0x26,
		0x3c,0xb1,0xee,0xa9,0x88,0x00,0x4b,0x93,0x10,
	};
	static const uint8_t shake256_0_73[] = { /* SHAKE256(0-bit, 73) */
		0x46,0xb9,0xdd,0x2b,0x0b,0xa8,0x8d,0x13,
		0x23,0x3b,0x3f,0xeb,0x74,0x3e,0xeb,0x24,
		0x3f,0xcd,0x52,0xea,0x62,0xb8,0x1b,0x82,
		0xb5,0x0c,0x27,0x64,0x6e,0xd5,0x76,0x2f,
		0xd7,0x5d,0xc4,0xdd,0xd8,0xc0,0xf2,0x00,
		0xcb,0x05,0x01,0x9d,0x67,0xb5,0x92,0xf6,
		0xfc,0x82,0x1c,0x49,0x47,0x9a,0xb4,0x86,
		0x40,0x29,0x2e,0xac,0xb3,0xb7,0xc4,0xbe,
		0x14,0x1e,0x96,0x61,0x6f,0xb1,0x39,0x57,0x69,
	};
	static const uint8_t d224_1600[] = { /* SHA3-224(200 * 0xa3) */
		0x93,0x76,0x81,0x6a,0xba,0x50,0x3f,0x72,
		0xf9,0x6c,0xe7,0xeb,0x65,0xac,0x09,0x5d,
		0xee,0xe3,0xbe,0x4b,0xf9,0xbb,0xc2,0xa1,
		0xcb,0x7e,0x11,0xe0,
	};
	static const uint8_t d256_1600[] = { /* SHA3-256(200 * 0xa3) */
		0x79,0xf3,0x8a,0xde,0xc5,0xc2,0x03,0x07,
		0xa9,0x8e,0xf7,0x6e,0x83,0x24,0xaf,0xbf,
		0xd4,0x6c,0xfd,0x81,0xb2,0x2e,0x39,0x73,
		0xc6,0x5f,0xa1,0xbd,0x9d,0xe3,0x17,0x87,
	};
	static const uint8_t d384_1600[] = { /* SHA3-384(200 * 0xa3) */
		0x18,0x81,0xde,0x2c,0xa7,0xe4,0x1e,0xf9,
		0x5d,0xc4,0x73,0x2b,0x8f,0x5f,0x00,0x2b,
		0x18,0x9c,0xc1,0xe4,0x2b,0x74,0x16,0x8e,
		0xd1,0x73,0x26,0x49,0xce,0x1d,0xbc,0xdd,
		0x76,0x19,0x7a,0x31,0xfd,0x55,0xee,0x98,
		0x9f,0x2d,0x70,0x50,0xdd,0x47,0x3e,0x8f,
	};
	static const uint8_t d512_1600[] = { /* SHA3-512(200 * 0xa3) */
		0xe7,0x6d,0xfa,0xd2,0x20,0x84,0xa8,0xb1,
		0x46,0x7f,0xcf,0x2f,0xfa,0x58,0x36,0x1b,
		0xec,0x76,0x28,0xed,0xf5,0xf3,0xfd,0xc0,
		0xe4,0x80,0x5d,0xc4,0x8c,0xae,0xec,0xa8,
		0x1b,0x7c,0x13,0xc3,0x0a,0xdf,0x52,0xa3,
		0x65,0x95,0x84,0x73,0x9a,0x2d,0xf4,0x6b,
		0xe5,0x89,0xc5,0x1c,0xa1,0xa4,0xa8,0x41,
		0x6d,0xf6,0x54,0x5a,0x1c,0xe8,0xba,0x00,
	};
	static const uint8_t shake128_1600_41[] = {
		/* SHAKE128(200 * 0xa3, 41) */
		0x13,0x1a,0xb8,0xd2,0xb5,0x94,0x94,0x6b,
		0x9c,0x81,0x33,0x3f,0x9b,0xb6,0xe0,0xce,
		0x75,0xc3,0xb9,0x31,0x04,0xfa,0x34,0x69,
		0xd3,0x91,0x74,0x57,0x38,0x5d,0xa0,0x37,
		0xcf,0x23,0x2e,0xf7,0x16,0x4a,0x6d,0x1e,0xb4,
	};
	static const uint8_t shake256_1600_73[] = {
		/* SHAKE256(200 * 0xa3, 73) */
		0xcd,0x8a,0x92,0x0e,0xd1,0x41,0xaa,0x04,
		0x07,0xa2,0x2d,0x59,0x28,0x86,0x52,0xe9,
		0xd9,0xf1,0xa7,0xee,0x0c,0x1e,0x7c,0x1c,
		0xa6,0x99,0x42,0x4d,0xa8,0x4a,0x90,0x4d,
		0x2d,0x70,0x0c,0xaa,0xe7,0x39,0x6e,0xce,
		0x96,0x60,0x44,0x40,0x57,0x7d,0xa4,0xf3,
		0xaa,0x22,0xae,0xb8,0x85,0x7f,0x96,0x1c,
		0x4c,0xd8,0xe0,0x6f,0x0a,0xe6,0x61,0x0b,
		0x10,0x48,0xa7,0xf6,0x4e,0x10,0x74,0xcd,0x62,
	};
	/* SHA3-512 over the concatenated digests of the unaligned-length runs. */
	static const uint8_t d0[] = {
		0x5d,0x3e,0x45,0xdd,0x9b,0x6b,0xda,0xf8,
		0xe6,0xe6,0xb8,0x72,0xfb,0xc5,0x0d,0x0a,
		0x4f,0x52,0x65,0xb4,0x11,0xf1,0xa1,0x0c,
		0x00,0xa4,0x74,0x6c,0x0f,0xc0,0xdc,0xe0,
		0x97,0x73,0xd6,0x70,0xaf,0xd4,0x64,0x0b,
		0x8c,0x52,0x32,0x4c,0x87,0x8c,0xfa,0x4a,
		0xdc,0x11,0x66,0x91,0x66,0x5a,0x1e,0xa4,
		0xd6,0x69,0x97,0xc7,0xcb,0xe2,0x73,0xca,
	};
	/* Message lengths that straddle word and rate-buffer boundaries. */
	static const unsigned mlen[] = { 0, 3, 128, 129, 255 };
	uint8_t m[255], d[73];
	struct sha3 sha3;
	SHA3_224_CTX *sha3224 = (SHA3_224_CTX *)&sha3;
	SHA3_256_CTX *sha3256 = (SHA3_256_CTX *)&sha3;
	SHA3_384_CTX *sha3384 = (SHA3_384_CTX *)&sha3;
	SHA3_512_CTX *sha3512 = (SHA3_512_CTX *)&sha3;
	SHAKE128_CTX *shake128 = (SHAKE128_CTX *)&sha3;
	SHAKE256_CTX *shake256 = (SHAKE256_CTX *)&sha3;
	SHA3_512_CTX ctx;
	unsigned mi;

	/*
	 * NIST test vectors from
	 * <http://csrc.nist.gov/groups/ST/toolkit/examples.html#aHashing>:
	 * 0-bit, 1600-bit repeated 0xa3 (= 0b10100011).
	 */
	SHA3_224_Init(sha3224);
	SHA3_224_Final(d, sha3224);
	if (memcmp(d, d224_0, 28) != 0)
		return -1;
	SHA3_256_Init(sha3256);
	SHA3_256_Final(d, sha3256);
	if (memcmp(d, d256_0, 32) != 0)
		return -1;
	SHA3_384_Init(sha3384);
	SHA3_384_Final(d, sha3384);
	if (memcmp(d, d384_0, 48) != 0)
		return -1;
	SHA3_512_Init(sha3512);
	SHA3_512_Final(d, sha3512);
	if (memcmp(d, d512_0, 64) != 0)
		return -1;
	SHAKE128_Init(shake128);
	SHAKE128_Final(d, 41, shake128);
	if (memcmp(d, shake128_0_41, 41) != 0)
		return -1;
	SHAKE256_Init(shake256);
	SHAKE256_Final(d, 73, shake256);
	if (memcmp(d, shake256_0_73, 73) != 0)
		return -1;

	/* 200 bytes of 0xa3 = the 1600-bit NIST message. */
	(void)memset(m, 0xa3, 200);
	SHA3_224_Init(sha3224);
	SHA3_224_Update(sha3224, m, 200);
	SHA3_224_Final(d, sha3224);
	if (memcmp(d, d224_1600, 28) != 0)
		return -1;
	SHA3_256_Init(sha3256);
	SHA3_256_Update(sha3256, m, 200);
	SHA3_256_Final(d, sha3256);
	if (memcmp(d, d256_1600, 32) != 0)
		return -1;
	SHA3_384_Init(sha3384);
	SHA3_384_Update(sha3384, m, 200);
	SHA3_384_Final(d, sha3384);
	if (memcmp(d, d384_1600, 48) != 0)
		return -1;
	SHA3_512_Init(sha3512);
	SHA3_512_Update(sha3512, m, 200);
	SHA3_512_Final(d, sha3512);
	if (memcmp(d, d512_1600, 64) != 0)
		return -1;
	SHAKE128_Init(shake128);
	SHAKE128_Update(shake128, m, 200);
	SHAKE128_Final(d, 41, shake128);
	if (memcmp(d, shake128_1600_41, 41) != 0)
		return -1;
	SHAKE256_Init(shake256);
	SHAKE256_Update(shake256, m, 200);
	SHAKE256_Final(d, 73, shake256);
	if (memcmp(d, shake256_1600_73, 73) != 0)
		return -1;

	/*
	 * Hand-crufted test vectors with unaligned message lengths.
	 * Each digest is fed into one running SHA3-512 context (ctx) and
	 * only the final SHA3-512 digest is compared against d0, so a
	 * mismatch here does not identify which variant or length failed.
	 */
	SHA3_512_Init(&ctx);
	for (mi = 0; mi < arraycount(mlen); mi++) {
		sha3_selftest_prng(m, mlen[mi], (224/8)*mlen[mi]);
		SHA3_224_Init(sha3224);
		SHA3_224_Update(sha3224, m, mlen[mi]);
		SHA3_224_Final(d, sha3224);
		SHA3_512_Update(&ctx, d, 224/8);
	}
	for (mi = 0; mi < arraycount(mlen); mi++) {
		sha3_selftest_prng(m, mlen[mi], (256/8)*mlen[mi]);
		SHA3_256_Init(sha3256);
		SHA3_256_Update(sha3256, m, mlen[mi]);
		SHA3_256_Final(d, sha3256);
		SHA3_512_Update(&ctx, d, 256/8);
	}
	for (mi = 0; mi < arraycount(mlen); mi++) {
		sha3_selftest_prng(m, mlen[mi], (384/8)*mlen[mi]);
		SHA3_384_Init(sha3384);
		SHA3_384_Update(sha3384, m, mlen[mi]);
		SHA3_384_Final(d, sha3384);
		SHA3_512_Update(&ctx, d, 384/8);
	}
	for (mi = 0; mi < arraycount(mlen); mi++) {
		sha3_selftest_prng(m, mlen[mi], (512/8)*mlen[mi]);
		SHA3_512_Init(sha3512);
		SHA3_512_Update(sha3512, m, mlen[mi]);
		SHA3_512_Final(d, sha3512);
		SHA3_512_Update(&ctx, d, 512/8);
	}
	SHA3_512_Final(d, &ctx);
	if (memcmp(d, d0, 64) != 0)
		return -1;

	return 0;
}