1 /* $NetBSD: sha3.c,v 1.4 2024/01/19 19:32:42 christos Exp $ */
2
3 /*-
4 * Copyright (c) 2015 Taylor R. Campbell
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 *
16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
17 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
20 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26 * SUCH DAMAGE.
27 */
28
29 /*
30 * SHA-3: FIPS-202, Permutation-Based Hash and Extendable-Output Functions
31 */
32
33 #if HAVE_NBTOOL_CONFIG_H
34 #include "nbtool_config.h"
35 #endif
36
37 #include <sys/cdefs.h>
38
39 #if defined(_KERNEL) || defined(_STANDALONE)
40
41 __KERNEL_RCSID(0, "$NetBSD: sha3.c,v 1.4 2024/01/19 19:32:42 christos Exp $");
42 #include <lib/libkern/libkern.h>
43
44 #define SHA3_ASSERT KASSERT
45
46 #else
47
48 __RCSID("$NetBSD: sha3.c,v 1.4 2024/01/19 19:32:42 christos Exp $");
49
50 #include "namespace.h"
51
52 #include <assert.h>
53 #include <string.h>
54
55 #define SHA3_ASSERT _DIAGASSERT
56
57 #endif
58
59 #include <sys/endian.h>
60 #include <sys/sha3.h>
61
62 #include "keccak.h"
63
64 /* XXX Disabled for now -- these will be libc-private. */
65 #if 0 && !defined(_KERNEL) && !defined(_STANDALONE)
66 #ifdef __weak_alias
67 __weak_alias(SHA3_224_Init,_SHA3_224_Init)
68 __weak_alias(SHA3_224_Update,_SHA3_224_Update)
69 __weak_alias(SHA3_224_Final,_SHA3_224_Final)
70 __weak_alias(SHA3_256_Init,_SHA3_256_Init)
71 __weak_alias(SHA3_256_Update,_SHA3_256_Update)
72 __weak_alias(SHA3_256_Final,_SHA3_256_Final)
73 __weak_alias(SHA3_384_Init,_SHA3_384_Init)
74 __weak_alias(SHA3_384_Update,_SHA3_384_Update)
75 __weak_alias(SHA3_384_Final,_SHA3_384_Final)
76 __weak_alias(SHA3_512_Init,_SHA3_512_Init)
77 __weak_alias(SHA3_512_Update,_SHA3_512_Update)
78 __weak_alias(SHA3_512_Final,_SHA3_512_Final)
79 __weak_alias(SHA3_Selftest,_SHA3_Selftest)
80 __weak_alias(SHAKE128_Init,_SHAKE128_Init)
81 __weak_alias(SHAKE128_Update,_SHAKE128_Update)
82 __weak_alias(SHAKE128_Final,_SHAKE128_Final)
83 __weak_alias(SHAKE256_Init,_SHAKE256_Init)
84 __weak_alias(SHAKE256_Update,_SHAKE256_Update)
85 __weak_alias(SHAKE256_Final,_SHAKE256_Final)
86 #endif /* __weak_alias */
87 #endif /* kernel/standalone */
88
89 #define MIN(a,b) ((a) < (b) ? (a) : (b))
90 #define arraycount(a) (sizeof(a)/sizeof((a)[0]))
91
92 /*
93 * Common body. All the SHA-3 functions share code structure. They
94 * differ only in the size of the chunks they split the message into:
95 * for digest size d, they are split into chunks of 200 - d bytes.
96 */
97
/*
 * Sponge rate, in 64-bit words, for a digest (or security-strength)
 * length of d bytes.
 *
 * The Keccak state is 25 words; the capacity is 2*d bytes, i.e. 2*d/8
 * words, and the rate is whatever remains.  In bytes that is 200 - 2*d
 * (the "Common body" comment in this file says 200 - d; the arithmetic
 * here is the authoritative one).
 */
static inline unsigned
sha3_rate(unsigned d)
{

	return 25 - (2*d)/8;
}
105
/*
 * Reset a sponge context for a new message.
 *
 * C	context to reset
 * rw	rate in 64-bit words (see sha3_rate)
 *
 * All 25 state words are cleared and C->nb is set to the full rate in
 * bytes; C->nb then counts the bytes still free in the current block.
 */
static void
sha3_init(struct sha3 *C, unsigned rw)
{
	unsigned word = 0;

	while (word < 25) {
		C->A[word] = 0;
		word++;
	}
	C->nb = 8*rw;
}
115
/*
 * Absorb len bytes of input into the sponge.
 *
 * C	context previously set up by sha3_init with the same rw
 * data	input bytes; exactly len bytes are read, with no NULL or bounds
 *	check, so the caller must guarantee they are readable
 * len	number of input bytes
 * rw	rate in 64-bit words
 *
 * Input is XORed into C->A in little-endian byte order, starting at the
 * first free position of the current block.  C->nb is the number of
 * bytes still free in that block; whenever it reaches zero the state is
 * permuted with keccakf1600 and C->nb is reset to 8*rw.
 *
 * NOTE(review): the only protection against being handed a context that
 * was already finalised (sha3_final/shake_final leave C->nb == 0) is the
 * assert below, which disappears when assertions are compiled out.  The
 * file defines SHA3_ASSERT but this function calls assert directly.
 */
static void
sha3_update(struct sha3 *C, const uint8_t *data, size_t len, unsigned rw)
{
	uint64_t word;
	unsigned nbytes, nwords;	/* bytes/words consumed by a step */

	assert(0 < C->nb);

	/* Step 1: top up a word that an earlier call left partly filled. */
	if ((C->nb % 8) != 0) {
		word = 0;
		for (nbytes = 0; nbytes < MIN(len, C->nb % 8); nbytes++) {
			word |= (uint64_t)data[nbytes] << (8*nbytes);
		}
		/* Shift past the bytes of this word that are already used. */
		C->A[rw - (C->nb + 7)/8] ^= word << (8*(8 - (C->nb % 8)));
		C->nb -= nbytes;
		data += nbytes;
		len -= nbytes;

		/* A full block is permuted immediately. */
		if (C->nb == 0) {
			keccakf1600(C->A);
			C->nb = 8*rw;
		}

		/* Nothing left to absorb. */
		if (len == 0) {
			return;
		}
	}

	/* Step 2: word-aligned; top up a block that is partly filled. */
	assert((C->nb % 8) == 0);
	if (C->nb < 8*rw) {
		for (nwords = 0; nwords < MIN(len, C->nb)/8; nwords++) {
			C->A[rw - C->nb/8 + nwords] ^=
			    le64dec(data + 8*nwords);
		}
		C->nb -= 8*nwords;
		data += 8*nwords;
		len -= 8*nwords;

		if (C->nb != 0) {
			/* Block still open: under one word of input is left. */
			assert(len < 8);
			goto tail_bytes;
		}

		/* Block complete: permute and start a fresh one. */
		keccakf1600(C->A);
		C->nb = 8*rw;
	}

	/* Step 3: block-aligned; absorb whole blocks straight from input. */
	assert(C->nb == 8*rw);
	while (8*rw <= len) {
		for (nwords = 0; nwords < rw; nwords++) {
			C->A[nwords] ^= le64dec(data + 8*nwords);
		}
		keccakf1600(C->A);
		data += 8*rw;
		len -= 8*rw;
	}

	/* Step 4: absorb the remaining whole words into the new block. */
	for (nwords = 0; nwords < len/8; nwords++) {
		C->A[rw - C->nb/8 + nwords] ^= le64dec(data + 8*nwords);
	}
	C->nb -= 8*nwords;
	data += 8*nwords;
	len -= 8*nwords;

tail_bytes:
	/* Step 5: absorb the last 0..7 bytes into the low end of a word. */
	assert(len < 8);
	assert(0 < C->nb);
	assert((C->nb % 8) == 0);
	word = 0;
	for (nbytes = 0; nbytes < len; nbytes++) {
		word |= (uint64_t)data[nbytes] << (8*nbytes);
	}
	C->A[rw - C->nb/8] ^= word;
	C->nb -= nbytes;
	assert(0 < C->nb);
}
194
/*
 * Pad, permute once, and write a fixed-length SHA-3 digest.
 *
 * h	output buffer; exactly d bytes are written, unchecked
 * d	digest length in bytes
 * C	context being finalised
 * rw	rate in 64-bit words, matching the one used for init/update
 *
 * The SHA-3 domain-separation suffix and the first pad bit go in as
 * 0x06 at the first free byte; the final pad bit is the top bit of the
 * last rate word.  After the digest is copied out the whole state is
 * wiped with explicit_memset and C->nb is set to 0, so the context must
 * be re-initialised before it is used again.
 *
 * NOTE(review): the preconditions are checked with assert only; with
 * assertions compiled out a context with C->nb == 0 is not rejected.
 */
static void
sha3_final(uint8_t *h, unsigned d, struct sha3 *C, unsigned rw)
{
	unsigned pad_words, i;

	assert(d <= 8*25);
	assert(0 < C->nb);

	/* Words from the first free byte to the end of the block. */
	pad_words = (C->nb + 7)/8;
	assert(0 < pad_words);
	assert(pad_words <= rw);

	/* Suffix 01 followed by pad10*1, least significant bit first. */
	C->A[rw - pad_words] ^= (uint64_t)0x06 << (8*(8*pad_words - C->nb));
	C->A[rw - 1] ^= 0x8000000000000000ULL;

	/* Final permutation. */
	keccakf1600(C->A);

	/* Emit the whole words of the digest, little-endian. */
	for (i = 0; i < d/8; i++) {
		le64enc(h + 8*i, C->A[i]);
	}
	h += 8*i;
	d -= 8*i;

	/* SHA3-224 ends in the middle of a word: emit its low bytes. */
	if (0 < d) {
		uint64_t tail = C->A[i];

		for (; d > 0; d--) {
			*h++ = tail & 0xff;
			tail >>= 8;
		}
	}

	/* Do not leave message-dependent state behind in memory. */
	(void)explicit_memset(C->A, 0, sizeof C->A);
	C->nb = 0;
}
229
/*
 * Pad and squeeze d bytes of SHAKE output in a single call.
 *
 * h	output buffer; exactly d bytes are written, unchecked
 * d	requested output length in bytes (may exceed one block)
 * C	context being finalised
 * rw	rate in 64-bit words, matching the one used for init/update
 *
 * The SHAKE domain-separation suffix and the first pad bit go in as
 * 0x1f at the first free byte; the final pad bit is the top bit of the
 * last rate word.  The state is permuted before every block of output.
 * Afterwards the state is wiped with explicit_memset and C->nb is set to
 * 0, so output cannot be extended by a second call: the caller has to
 * ask for the full length up front.
 *
 * NOTE(review): the preconditions are checked with assert only; with
 * assertions compiled out a context with C->nb == 0 is not rejected.
 */
static void
shake_final(uint8_t *h, size_t d, struct sha3 *C, unsigned rw)
{
	unsigned pad_words, i;

	assert(0 < C->nb);

	/* Words from the first free byte to the end of the block. */
	pad_words = (C->nb + 7)/8;
	assert(0 < pad_words);
	assert(pad_words <= rw);

	/* Suffix 1111 followed by pad10*1, least significant bit first. */
	C->A[rw - pad_words] ^= (uint64_t)0x1f << (8*(8*pad_words - C->nb));
	C->A[rw - 1] ^= 0x8000000000000000ULL;

	/* Whole blocks: permute, then copy out rw words. */
	while (8*rw <= d) {
		keccakf1600(C->A);
		for (i = 0; i < rw; i++) {
			le64enc(h + 8*i, C->A[i]);
		}
		h += 8*rw;
		d -= 8*rw;
	}

	/* Fewer than 8*rw bytes still wanted: one more permutation. */
	if (0 < d) {
		keccakf1600(C->A);
		for (i = 0; i < d/8; i++) {
			le64enc(h + 8*i, C->A[i]);
		}
		h += 8*i;
		d -= 8*i;

		/* Output ends inside a word: emit its low bytes only. */
		if (0 < d) {
			uint64_t tail = C->A[i];

			for (; d > 0; d--) {
				*h++ = tail & 0xff;
				tail >>= 8;
			}
		}
	}

	/* Do not leave message-dependent state behind in memory. */
	(void)explicit_memset(C->A, 0, sizeof C->A);
	C->nb = 0;
}
280
/*
 * Start a SHA3-224 computation: clears the state in C and sets the rate
 * derived from SHA3_224_DIGEST_LENGTH.
 */
void
SHA3_224_Init(SHA3_224_CTX *C)
{
	const unsigned rw = sha3_rate(SHA3_224_DIGEST_LENGTH);

	sha3_init(&C->C224, rw);
}
287
/*
 * Absorb len bytes from data into a SHA3-224 context.  The caller must
 * ensure data points to at least len readable bytes and that C has been
 * initialised and not yet finalised.
 */
void
SHA3_224_Update(SHA3_224_CTX *C, const uint8_t *data, size_t len)
{
	const unsigned rw = sha3_rate(SHA3_224_DIGEST_LENGTH);

	sha3_update(&C->C224, data, len, rw);
}
294
/*
 * Finish a SHA3-224 computation and write SHA3_224_DIGEST_LENGTH bytes
 * to h.  sha3_final wipes the context, so C must go through
 * SHA3_224_Init again before any further use.
 */
void
SHA3_224_Final(uint8_t h[SHA3_224_DIGEST_LENGTH], SHA3_224_CTX *C)
{
	const unsigned rw = sha3_rate(SHA3_224_DIGEST_LENGTH);

	sha3_final(h, SHA3_224_DIGEST_LENGTH, &C->C224, rw);
}
302
/*
 * Start a SHA3-256 computation: clears the state in C and sets the rate
 * derived from SHA3_256_DIGEST_LENGTH.
 */
void
SHA3_256_Init(SHA3_256_CTX *C)
{
	const unsigned rw = sha3_rate(SHA3_256_DIGEST_LENGTH);

	sha3_init(&C->C256, rw);
}
309
/*
 * Absorb len bytes from data into a SHA3-256 context.  The caller must
 * ensure data points to at least len readable bytes and that C has been
 * initialised and not yet finalised.
 */
void
SHA3_256_Update(SHA3_256_CTX *C, const uint8_t *data, size_t len)
{
	const unsigned rw = sha3_rate(SHA3_256_DIGEST_LENGTH);

	sha3_update(&C->C256, data, len, rw);
}
316
/*
 * Finish a SHA3-256 computation and write SHA3_256_DIGEST_LENGTH bytes
 * to h.  sha3_final wipes the context, so C must go through
 * SHA3_256_Init again before any further use.
 */
void
SHA3_256_Final(uint8_t h[SHA3_256_DIGEST_LENGTH], SHA3_256_CTX *C)
{
	const unsigned rw = sha3_rate(SHA3_256_DIGEST_LENGTH);

	sha3_final(h, SHA3_256_DIGEST_LENGTH, &C->C256, rw);
}
324
/*
 * Start a SHA3-384 computation: clears the state in C and sets the rate
 * derived from SHA3_384_DIGEST_LENGTH.
 */
void
SHA3_384_Init(SHA3_384_CTX *C)
{
	const unsigned rw = sha3_rate(SHA3_384_DIGEST_LENGTH);

	sha3_init(&C->C384, rw);
}
331
/*
 * Absorb len bytes from data into a SHA3-384 context.  The caller must
 * ensure data points to at least len readable bytes and that C has been
 * initialised and not yet finalised.
 */
void
SHA3_384_Update(SHA3_384_CTX *C, const uint8_t *data, size_t len)
{
	const unsigned rw = sha3_rate(SHA3_384_DIGEST_LENGTH);

	sha3_update(&C->C384, data, len, rw);
}
338
/*
 * Finish a SHA3-384 computation and write SHA3_384_DIGEST_LENGTH bytes
 * to h.  sha3_final wipes the context, so C must go through
 * SHA3_384_Init again before any further use.
 */
void
SHA3_384_Final(uint8_t h[SHA3_384_DIGEST_LENGTH], SHA3_384_CTX *C)
{
	const unsigned rw = sha3_rate(SHA3_384_DIGEST_LENGTH);

	sha3_final(h, SHA3_384_DIGEST_LENGTH, &C->C384, rw);
}
346
/*
 * Start a SHA3-512 computation: clears the state in C and sets the rate
 * derived from SHA3_512_DIGEST_LENGTH.
 */
void
SHA3_512_Init(SHA3_512_CTX *C)
{
	const unsigned rw = sha3_rate(SHA3_512_DIGEST_LENGTH);

	sha3_init(&C->C512, rw);
}
353
/*
 * Absorb len bytes from data into a SHA3-512 context.  The caller must
 * ensure data points to at least len readable bytes and that C has been
 * initialised and not yet finalised.
 */
void
SHA3_512_Update(SHA3_512_CTX *C, const uint8_t *data, size_t len)
{
	const unsigned rw = sha3_rate(SHA3_512_DIGEST_LENGTH);

	sha3_update(&C->C512, data, len, rw);
}
360
/*
 * Finish a SHA3-512 computation and write SHA3_512_DIGEST_LENGTH bytes
 * to h.  sha3_final wipes the context, so C must go through
 * SHA3_512_Init again before any further use.
 */
void
SHA3_512_Final(uint8_t h[SHA3_512_DIGEST_LENGTH], SHA3_512_CTX *C)
{
	const unsigned rw = sha3_rate(SHA3_512_DIGEST_LENGTH);

	sha3_final(h, SHA3_512_DIGEST_LENGTH, &C->C512, rw);
}
368
/*
 * Start a SHAKE128 computation: clears the state in C and sets the rate
 * for a 128-bit security strength (sha3_rate(128/8)).
 */
void
SHAKE128_Init(SHAKE128_CTX *C)
{
	const unsigned rw = sha3_rate(128/8);

	sha3_init(&C->C128, rw);
}
375
/*
 * Absorb len bytes from data into a SHAKE128 context.  The caller must
 * ensure data points to at least len readable bytes and that C has been
 * initialised and not yet finalised.
 */
void
SHAKE128_Update(SHAKE128_CTX *C, const uint8_t *data, size_t len)
{
	const unsigned rw = sha3_rate(128/8);

	sha3_update(&C->C128, data, len, rw);
}
382
/*
 * Finish a SHAKE128 computation and write d bytes of output to h, which
 * must have room for d bytes.  shake_final wipes the context, so the
 * full output length has to be requested in this one call.
 */
void
SHAKE128_Final(uint8_t *h, size_t d, SHAKE128_CTX *C)
{
	const unsigned rw = sha3_rate(128/8);

	shake_final(h, d, &C->C128, rw);
}
389
/*
 * Start a SHAKE256 computation: clears the state in C and sets the rate
 * for a 256-bit security strength (sha3_rate(256/8)).
 */
void
SHAKE256_Init(SHAKE256_CTX *C)
{
	const unsigned rw = sha3_rate(256/8);

	sha3_init(&C->C256, rw);
}
396
/*
 * Absorb len bytes from data into a SHAKE256 context.  The caller must
 * ensure data points to at least len readable bytes and that C has been
 * initialised and not yet finalised.
 */
void
SHAKE256_Update(SHAKE256_CTX *C, const uint8_t *data, size_t len)
{
	const unsigned rw = sha3_rate(256/8);

	sha3_update(&C->C256, data, len, rw);
}
403
/*
 * Finish a SHAKE256 computation and write d bytes of output to h, which
 * must have room for d bytes.  shake_final wipes the context, so the
 * full output length has to be requested in this one call.
 */
void
SHAKE256_Final(uint8_t *h, size_t d, SHAKE256_CTX *C)
{
	const unsigned rw = sha3_rate(256/8);

	shake_final(h, d, &C->C256, rw);
}
410
/*
 * Fill buf with len reproducible bytes for the self-test messages.
 *
 * This is an additive (Fibonacci-style) recurrence on 32-bit words,
 * seeded with 0xdead4bad * seed and 1, emitting the top byte of each new
 * term.  It exists only to generate fixed test inputs; it is not a
 * source of randomness for any other purpose.
 */
static void
sha3_selftest_prng(void *buf, size_t len, uint32_t seed)
{
	uint8_t *out = buf;
	uint32_t prev = 0xdead4bad * seed;
	uint32_t cur = 1;
	size_t i;

	for (i = 0; i < len; i++) {
		const uint32_t next = prev + cur;

		out[i] = next >> 24;
		prev = cur;
		cur = next;
	}
}
428
/*
 * Known-answer self-test for every SHA-3 and SHAKE entry point in this
 * file.
 *
 * Returns 0 if every computed output matches its expected value and -1
 * at the first mismatch.  Callers should check the result: a nonzero
 * return means this build of the hash functions produces wrong output.
 *
 * Three groups of checks are run:
 *   1. the empty message,
 *   2. 200 bytes of 0xa3 (1600 bits),
 *   3. messages of 0, 3, 128, 129 and 255 generated bytes, whose
 *      digests are fed into one SHA3-512 context and compared against a
 *      single expected value (d0).
 */
int
SHA3_Selftest(void)
{
	static const uint8_t d224_0[] = { /* SHA3-224(0-bit) */
		0x6b,0x4e,0x03,0x42,0x36,0x67,0xdb,0xb7,
		0x3b,0x6e,0x15,0x45,0x4f,0x0e,0xb1,0xab,
		0xd4,0x59,0x7f,0x9a,0x1b,0x07,0x8e,0x3f,
		0x5b,0x5a,0x6b,0xc7,
	};
	static const uint8_t d256_0[] = { /* SHA3-256(0-bit) */
		0xa7,0xff,0xc6,0xf8,0xbf,0x1e,0xd7,0x66,
		0x51,0xc1,0x47,0x56,0xa0,0x61,0xd6,0x62,
		0xf5,0x80,0xff,0x4d,0xe4,0x3b,0x49,0xfa,
		0x82,0xd8,0x0a,0x4b,0x80,0xf8,0x43,0x4a,
	};
	static const uint8_t d384_0[] = { /* SHA3-384(0-bit) */
		0x0c,0x63,0xa7,0x5b,0x84,0x5e,0x4f,0x7d,
		0x01,0x10,0x7d,0x85,0x2e,0x4c,0x24,0x85,
		0xc5,0x1a,0x50,0xaa,0xaa,0x94,0xfc,0x61,
		0x99,0x5e,0x71,0xbb,0xee,0x98,0x3a,0x2a,
		0xc3,0x71,0x38,0x31,0x26,0x4a,0xdb,0x47,
		0xfb,0x6b,0xd1,0xe0,0x58,0xd5,0xf0,0x04,
	};
	static const uint8_t d512_0[] = { /* SHA3-512(0-bit) */
		0xa6,0x9f,0x73,0xcc,0xa2,0x3a,0x9a,0xc5,
		0xc8,0xb5,0x67,0xdc,0x18,0x5a,0x75,0x6e,
		0x97,0xc9,0x82,0x16,0x4f,0xe2,0x58,0x59,
		0xe0,0xd1,0xdc,0xc1,0x47,0x5c,0x80,0xa6,
		0x15,0xb2,0x12,0x3a,0xf1,0xf5,0xf9,0x4c,
		0x11,0xe3,0xe9,0x40,0x2c,0x3a,0xc5,0x58,
		0xf5,0x00,0x19,0x9d,0x95,0xb6,0xd3,0xe3,
		0x01,0x75,0x85,0x86,0x28,0x1d,0xcd,0x26,
	};
	static const uint8_t shake128_0_41[] = { /* SHAKE128(0-bit, 41) */
		0x7f,0x9c,0x2b,0xa4,0xe8,0x8f,0x82,0x7d,
		0x61,0x60,0x45,0x50,0x76,0x05,0x85,0x3e,
		0xd7,0x3b,0x80,0x93,0xf6,0xef,0xbc,0x88,
		0xeb,0x1a,0x6e,0xac,0xfa,0x66,0xef,0x26,
		0x3c,0xb1,0xee,0xa9,0x88,0x00,0x4b,0x93,0x10,
	};
	static const uint8_t shake256_0_73[] = { /* SHAKE256(0-bit, 73) */
		0x46,0xb9,0xdd,0x2b,0x0b,0xa8,0x8d,0x13,
		0x23,0x3b,0x3f,0xeb,0x74,0x3e,0xeb,0x24,
		0x3f,0xcd,0x52,0xea,0x62,0xb8,0x1b,0x82,
		0xb5,0x0c,0x27,0x64,0x6e,0xd5,0x76,0x2f,
		0xd7,0x5d,0xc4,0xdd,0xd8,0xc0,0xf2,0x00,
		0xcb,0x05,0x01,0x9d,0x67,0xb5,0x92,0xf6,
		0xfc,0x82,0x1c,0x49,0x47,0x9a,0xb4,0x86,
		0x40,0x29,0x2e,0xac,0xb3,0xb7,0xc4,0xbe,
		0x14,0x1e,0x96,0x61,0x6f,0xb1,0x39,0x57,0x69,
	};
	static const uint8_t d224_1600[] = { /* SHA3-224(200 * 0xa3) */
		0x93,0x76,0x81,0x6a,0xba,0x50,0x3f,0x72,
		0xf9,0x6c,0xe7,0xeb,0x65,0xac,0x09,0x5d,
		0xee,0xe3,0xbe,0x4b,0xf9,0xbb,0xc2,0xa1,
		0xcb,0x7e,0x11,0xe0,
	};
	static const uint8_t d256_1600[] = { /* SHA3-256(200 * 0xa3) */
		0x79,0xf3,0x8a,0xde,0xc5,0xc2,0x03,0x07,
		0xa9,0x8e,0xf7,0x6e,0x83,0x24,0xaf,0xbf,
		0xd4,0x6c,0xfd,0x81,0xb2,0x2e,0x39,0x73,
		0xc6,0x5f,0xa1,0xbd,0x9d,0xe3,0x17,0x87,
	};
	static const uint8_t d384_1600[] = { /* SHA3-384(200 * 0xa3) */
		0x18,0x81,0xde,0x2c,0xa7,0xe4,0x1e,0xf9,
		0x5d,0xc4,0x73,0x2b,0x8f,0x5f,0x00,0x2b,
		0x18,0x9c,0xc1,0xe4,0x2b,0x74,0x16,0x8e,
		0xd1,0x73,0x26,0x49,0xce,0x1d,0xbc,0xdd,
		0x76,0x19,0x7a,0x31,0xfd,0x55,0xee,0x98,
		0x9f,0x2d,0x70,0x50,0xdd,0x47,0x3e,0x8f,
	};
	static const uint8_t d512_1600[] = { /* SHA3-512(200 * 0xa3) */
		0xe7,0x6d,0xfa,0xd2,0x20,0x84,0xa8,0xb1,
		0x46,0x7f,0xcf,0x2f,0xfa,0x58,0x36,0x1b,
		0xec,0x76,0x28,0xed,0xf5,0xf3,0xfd,0xc0,
		0xe4,0x80,0x5d,0xc4,0x8c,0xae,0xec,0xa8,
		0x1b,0x7c,0x13,0xc3,0x0a,0xdf,0x52,0xa3,
		0x65,0x95,0x84,0x73,0x9a,0x2d,0xf4,0x6b,
		0xe5,0x89,0xc5,0x1c,0xa1,0xa4,0xa8,0x41,
		0x6d,0xf6,0x54,0x5a,0x1c,0xe8,0xba,0x00,
	};
	static const uint8_t shake128_1600_41[] = {
		/* SHAKE128(200 * 0xa3, 41) */
		0x13,0x1a,0xb8,0xd2,0xb5,0x94,0x94,0x6b,
		0x9c,0x81,0x33,0x3f,0x9b,0xb6,0xe0,0xce,
		0x75,0xc3,0xb9,0x31,0x04,0xfa,0x34,0x69,
		0xd3,0x91,0x74,0x57,0x38,0x5d,0xa0,0x37,
		0xcf,0x23,0x2e,0xf7,0x16,0x4a,0x6d,0x1e,0xb4,
	};
	static const uint8_t shake256_1600_73[] = {
		/* SHAKE256(200 * 0xa3, 73) */
		0xcd,0x8a,0x92,0x0e,0xd1,0x41,0xaa,0x04,
		0x07,0xa2,0x2d,0x59,0x28,0x86,0x52,0xe9,
		0xd9,0xf1,0xa7,0xee,0x0c,0x1e,0x7c,0x1c,
		0xa6,0x99,0x42,0x4d,0xa8,0x4a,0x90,0x4d,
		0x2d,0x70,0x0c,0xaa,0xe7,0x39,0x6e,0xce,
		0x96,0x60,0x44,0x40,0x57,0x7d,0xa4,0xf3,
		0xaa,0x22,0xae,0xb8,0x85,0x7f,0x96,0x1c,
		0x4c,0xd8,0xe0,0x6f,0x0a,0xe6,0x61,0x0b,
		0x10,0x48,0xa7,0xf6,0x4e,0x10,0x74,0xcd,0x62,
	};
	/* Expected SHA3-512 over all digests produced in group 3. */
	static const uint8_t d0[] = {
		0x5d,0x3e,0x45,0xdd,0x9b,0x6b,0xda,0xf8,
		0xe6,0xe6,0xb8,0x72,0xfb,0xc5,0x0d,0x0a,
		0x4f,0x52,0x65,0xb4,0x11,0xf1,0xa1,0x0c,
		0x00,0xa4,0x74,0x6c,0x0f,0xc0,0xdc,0xe0,
		0x97,0x73,0xd6,0x70,0xaf,0xd4,0x64,0x0b,
		0x8c,0x52,0x32,0x4c,0x87,0x8c,0xfa,0x4a,
		0xdc,0x11,0x66,0x91,0x66,0x5a,0x1e,0xa4,
		0xd6,0x69,0x97,0xc7,0xcb,0xe2,0x73,0xca,
	};
	static const unsigned mlen[] = { 0, 3, 128, 129, 255 };
	uint8_t msg[255];	/* largest message used below */
	uint8_t out[73];	/* largest output requested below */
	/*
	 * One scratch struct sha3 is viewed through every context type.
	 * NOTE(review): this relies on each *_CTX type being usable as an
	 * overlay on struct sha3 -- confirm against <sys/sha3.h>.
	 */
	struct sha3 sha3;
	SHA3_224_CTX *sha3224 = (SHA3_224_CTX *)&sha3;
	SHA3_256_CTX *sha3256 = (SHA3_256_CTX *)&sha3;
	SHA3_384_CTX *sha3384 = (SHA3_384_CTX *)&sha3;
	SHA3_512_CTX *sha3512 = (SHA3_512_CTX *)&sha3;
	SHAKE128_CTX *shake128 = (SHAKE128_CTX *)&sha3;
	SHAKE256_CTX *shake256 = (SHAKE256_CTX *)&sha3;
	SHA3_512_CTX ctx;	/* accumulates the group 3 digests */
	unsigned i;

	/*
	 * Groups 1 and 2: NIST example vectors, cited in the original
	 * source as
	 * <http://csrc.nist.gov/groups/ST/toolkit/examples.html#aHashing>:
	 * the 0-bit message and 1600 bits of repeated 0xa3 (= 0b10100011).
	 */

	/* Group 1: empty message. */
	SHA3_224_Init(sha3224);
	SHA3_224_Final(out, sha3224);
	if (memcmp(out, d224_0, sizeof d224_0) != 0) {
		return -1;
	}
	SHA3_256_Init(sha3256);
	SHA3_256_Final(out, sha3256);
	if (memcmp(out, d256_0, sizeof d256_0) != 0) {
		return -1;
	}
	SHA3_384_Init(sha3384);
	SHA3_384_Final(out, sha3384);
	if (memcmp(out, d384_0, sizeof d384_0) != 0) {
		return -1;
	}
	SHA3_512_Init(sha3512);
	SHA3_512_Final(out, sha3512);
	if (memcmp(out, d512_0, sizeof d512_0) != 0) {
		return -1;
	}
	SHAKE128_Init(shake128);
	SHAKE128_Final(out, 41, shake128);
	if (memcmp(out, shake128_0_41, sizeof shake128_0_41) != 0) {
		return -1;
	}
	SHAKE256_Init(shake256);
	SHAKE256_Final(out, 73, shake256);
	if (memcmp(out, shake256_0_73, sizeof shake256_0_73) != 0) {
		return -1;
	}

	/* Group 2: 200 bytes of 0xa3. */
	(void)memset(msg, 0xa3, 200);
	SHA3_224_Init(sha3224);
	SHA3_224_Update(sha3224, msg, 200);
	SHA3_224_Final(out, sha3224);
	if (memcmp(out, d224_1600, sizeof d224_1600) != 0) {
		return -1;
	}
	SHA3_256_Init(sha3256);
	SHA3_256_Update(sha3256, msg, 200);
	SHA3_256_Final(out, sha3256);
	if (memcmp(out, d256_1600, sizeof d256_1600) != 0) {
		return -1;
	}
	SHA3_384_Init(sha3384);
	SHA3_384_Update(sha3384, msg, 200);
	SHA3_384_Final(out, sha3384);
	if (memcmp(out, d384_1600, sizeof d384_1600) != 0) {
		return -1;
	}
	SHA3_512_Init(sha3512);
	SHA3_512_Update(sha3512, msg, 200);
	SHA3_512_Final(out, sha3512);
	if (memcmp(out, d512_1600, sizeof d512_1600) != 0) {
		return -1;
	}
	SHAKE128_Init(shake128);
	SHAKE128_Update(shake128, msg, 200);
	SHAKE128_Final(out, 41, shake128);
	if (memcmp(out, shake128_1600_41, sizeof shake128_1600_41) != 0) {
		return -1;
	}
	SHAKE256_Init(shake256);
	SHAKE256_Update(shake256, msg, 200);
	SHAKE256_Final(out, 73, shake256);
	if (memcmp(out, shake256_1600_73, sizeof shake256_1600_73) != 0) {
		return -1;
	}

	/*
	 * Group 3: locally constructed vectors with message lengths that
	 * are not multiples of the word or block size.  Each digest is
	 * absorbed into ctx, in this exact order, and only the final
	 * SHA3-512 of the lot is compared.
	 */
	SHA3_512_Init(&ctx);
	for (i = 0; i < arraycount(mlen); i++) {
		sha3_selftest_prng(msg, mlen[i], (224/8)*mlen[i]);
		SHA3_224_Init(sha3224);
		SHA3_224_Update(sha3224, msg, mlen[i]);
		SHA3_224_Final(out, sha3224);
		SHA3_512_Update(&ctx, out, 224/8);
	}
	for (i = 0; i < arraycount(mlen); i++) {
		sha3_selftest_prng(msg, mlen[i], (256/8)*mlen[i]);
		SHA3_256_Init(sha3256);
		SHA3_256_Update(sha3256, msg, mlen[i]);
		SHA3_256_Final(out, sha3256);
		SHA3_512_Update(&ctx, out, 256/8);
	}
	for (i = 0; i < arraycount(mlen); i++) {
		sha3_selftest_prng(msg, mlen[i], (384/8)*mlen[i]);
		SHA3_384_Init(sha3384);
		SHA3_384_Update(sha3384, msg, mlen[i]);
		SHA3_384_Final(out, sha3384);
		SHA3_512_Update(&ctx, out, 384/8);
	}
	for (i = 0; i < arraycount(mlen); i++) {
		sha3_selftest_prng(msg, mlen[i], (512/8)*mlen[i]);
		SHA3_512_Init(sha3512);
		SHA3_512_Update(sha3512, msg, mlen[i]);
		SHA3_512_Final(out, sha3512);
		SHA3_512_Update(&ctx, out, 512/8);
	}
	SHA3_512_Final(out, &ctx);
	if (memcmp(out, d0, sizeof d0) != 0) {
		return -1;
	}

	return 0;
}
652