1 /*	$NetBSD: sha3.c,v 1.1 2017/11/30 05:47:24 riastradh Exp $	*/
2 
3 /*-
4  * Copyright (c) 2015 Taylor R. Campbell
5  * All rights reserved.
6  *
7  * Redistribution and use in source and binary forms, with or without
8  * modification, are permitted provided that the following conditions
9  * are met:
10  * 1. Redistributions of source code must retain the above copyright
11  *    notice, this list of conditions and the following disclaimer.
12  * 2. Redistributions in binary form must reproduce the above copyright
13  *    notice, this list of conditions and the following disclaimer in the
14  *    documentation and/or other materials provided with the distribution.
15  *
16  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
17  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
20  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26  * SUCH DAMAGE.
27  */
28 
29 /*
 * SHA-3: FIPS-202, Permutation-Based Hash and Extendable-Output Functions
31  */
32 
33 #if HAVE_NBTOOL_CONFIG_H
34 #include "nbtool_config.h"
35 #endif
36 
37 #include <sys/cdefs.h>
38 
39 #if defined(_KERNEL) || defined(_STANDALONE)
40 
41 __KERNEL_RCSID(0, "$NetBSD: sha3.c,v 1.1 2017/11/30 05:47:24 riastradh Exp $");
42 #include <lib/libkern/libkern.h>
43 
44 #define	SHA3_ASSERT	KASSERT
45 
46 #else
47 
48 __RCSID("$NetBSD: sha3.c,v 1.1 2017/11/30 05:47:24 riastradh Exp $");
49 
50 #include "namespace.h"
51 
52 #include <assert.h>
53 #include <string.h>
54 
55 #define	SHA3_ASSERT	_DIAGASSERT
56 
57 #endif
58 
59 #include <sys/endian.h>
60 #include <sys/sha3.h>
61 
62 #include "keccak.h"
63 
64 /* XXX Disabled for now -- these will be libc-private.  */
65 #if 0 && !defined(_KERNEL) && !defined(_STANDALONE)
66 #ifdef __weak_alias
67 __weak_alias(SHA3_224_Init,_SHA3_224_Init)
68 __weak_alias(SHA3_224_Update,_SHA3_224_Update)
69 __weak_alias(SHA3_224_Final,_SHA3_224_Final)
70 __weak_alias(SHA3_256_Init,_SHA3_256_Init)
71 __weak_alias(SHA3_256_Update,_SHA3_256_Update)
72 __weak_alias(SHA3_256_Final,_SHA3_256_Final)
73 __weak_alias(SHA3_384_Init,_SHA3_384_Init)
74 __weak_alias(SHA3_384_Update,_SHA3_384_Update)
75 __weak_alias(SHA3_384_Final,_SHA3_384_Final)
76 __weak_alias(SHA3_512_Init,_SHA3_512_Init)
77 __weak_alias(SHA3_512_Update,_SHA3_512_Update)
78 __weak_alias(SHA3_512_Final,_SHA3_512_Final)
79 __weak_alias(SHA3_Selftest,_SHA3_Selftest)
80 __weak_alias(SHAKE128_Init,_SHAKE128_Init)
81 __weak_alias(SHAKE128_Update,_SHAKE128_Update)
82 __weak_alias(SHAKE128_Final,_SHAKE128_Final)
83 __weak_alias(SHAKE256_Init,_SHAKE256_Init)
84 __weak_alias(SHAKE256_Update,_SHAKE256_Update)
85 __weak_alias(SHAKE256_Final,_SHAKE256_Final)
86 #endif	/* __weak_alias */
87 #endif	/* kernel/standalone */
88 
89 #define	MIN(a,b)	((a) < (b) ? (a) : (b))
90 
91 /*
92  * Common body.  All the SHA-3 functions share code structure.  They
93  * differ only in the size of the chunks they split the message into:
94  * for digest size d, they are split into chunks of 200 - d bytes.
95  */
96 
/*
 * sha3_rate(d)
 *
 *	Rate, in 64-bit words, of the Keccak sponge used for a d-byte
 *	digest.  The 1600-bit state holds 25 words; 2*d bytes (2*d/8
 *	words) of it are reserved as capacity and never exposed, and
 *	the remaining words are the ones absorbed into and squeezed
 *	from.
 */
static inline unsigned
sha3_rate(unsigned d)
{
	const unsigned state_words = 25;
	const unsigned capacity_words = (2*d)/8;

	return state_words - capacity_words;
}
104 
/*
 * sha3_init(C, rw)
 *
 *	Start a fresh sponge with a rate of rw 64-bit words: clear all
 *	25 words of the state and set C->nb, the number of bytes that
 *	can still be absorbed before the next permutation, to the full
 *	rate in bytes.
 */
static void
sha3_init(struct sha3 *C, unsigned rw)
{
	unsigned remaining;

	C->nb = 8*rw;
	for (remaining = 25; remaining > 0; remaining--)
		C->A[remaining - 1] = 0;
}
114 
/*
 * sha3_update(C, data, len, rw)
 *
 *	Absorb len bytes of data into the sponge state C->A, using a
 *	rate of rw 64-bit words (8*rw bytes per permutation).  C->nb is
 *	the number of bytes still to be absorbed before the next
 *	keccakf1600; it need not be a multiple of 8, because the last
 *	byte absorbed may leave the current word partially filled.
 *	Bytes are XORed into the state little-endian: byte i of a word
 *	lands in bits 8*i..8*i+7.
 *
 *	The caller must have called sha3_init and must not yet have
 *	called sha3_final, which sets C->nb to 0; the first assertion
 *	below catches that misuse.
 *
 *	NOTE(review): SHA3_ASSERT is defined at the top of this file
 *	for the kernel/userland split, but the checks here use plain
 *	assert -- confirm that is intentional.
 */
static void
sha3_update(struct sha3 *C, const uint8_t *data, size_t len, unsigned rw)
{
	uint64_t T;
	unsigned ib, iw;		/* index of byte/word */

	assert(0 < C->nb);

	/*
	 * If there's a partial word, try to fill it.  The word being
	 * filled is A[rw - ceil(nb/8)]; 8 - nb%8 of its bytes are
	 * already in use, so the new bytes are shifted past them.
	 */
	if ((C->nb % 8) != 0) {
		T = 0;
		for (ib = 0; ib < MIN(len, C->nb % 8); ib++)
			T |= (uint64_t)data[ib] << (8*ib);
		C->A[rw - (C->nb + 7)/8] ^= T << (8*(8 - (C->nb % 8)));
		C->nb -= ib;
		data += ib;
		len -= ib;

		/* If we filled the buffer, permute now.  */
		if (C->nb == 0) {
			keccakf1600(C->A);
			C->nb = 8*rw;
		}

		/* If that exhausted the input, we're done.  */
		if (len == 0)
			return;
	}

	/* At a word boundary.  Fill any partial buffer.  */
	assert((C->nb % 8) == 0);
	if (C->nb < 8*rw) {
		for (iw = 0; iw < MIN(len, C->nb)/8; iw++)
			C->A[rw - C->nb/8 + iw] ^= le64dec(data + 8*iw);
		C->nb -= 8*iw;
		data += 8*iw;
		len -= 8*iw;

		/* If we filled the buffer, permute now.  */
		if (C->nb == 0) {
			keccakf1600(C->A);
			C->nb = 8*rw;
		} else {
			/*
			 * Otherwise, less than a word left: the loop
			 * above stopped because len ran out, not nb.
			 */
			assert(len < 8);
			goto partial;
		}
	}

	/* At a buffer boundary.  Absorb input one buffer at a time.  */
	assert(C->nb == 8*rw);
	while (8*rw <= len) {
		for (iw = 0; iw < rw; iw++)
			C->A[iw] ^= le64dec(data + 8*iw);
		keccakf1600(C->A);
		data += 8*rw;
		len -= 8*rw;
	}

	/* Partially fill the buffer with as many words as we can.  */
	for (iw = 0; iw < len/8; iw++)
		C->A[rw - C->nb/8 + iw] ^= le64dec(data + 8*iw);
	C->nb -= 8*iw;
	data += 8*iw;
	len -= 8*iw;

partial:
	/*
	 * Partially fill the last word with as many bytes as we can.
	 * len < 8 here and nb is a positive multiple of 8, so this can
	 * never complete the word: nb stays positive and the final
	 * permutation is left to sha3_final/shake_final.
	 */
	assert(len < 8);
	assert(0 < C->nb);
	assert((C->nb % 8) == 0);
	T = 0;
	for (ib = 0; ib < len; ib++)
		T |= (uint64_t)data[ib] << (8*ib);
	C->A[rw - C->nb/8] ^= T;
	C->nb -= ib;
	assert(0 < C->nb);
}
193 
/*
 * sha3_final(h, d, C, rw)
 *
 *	Finish a SHA-3 computation over the sponge C with rate rw words
 *	and write the d-byte digest to h.  d may be anything up to the
 *	200-byte state; for SHA3-224 it is not a multiple of 8, so the
 *	tail of the digest comes from part of a word.
 *
 *	On return the state has been wiped with explicit_memset and
 *	C->nb is 0, so C must go through sha3_init again before reuse.
 */
static void
sha3_final(uint8_t *h, unsigned d, struct sha3 *C, unsigned rw)
{
	unsigned nw, iw, ib;

	assert(d <= 8*25);
	assert(0 < C->nb);

	/*
	 * Domain-separation suffix 01 followed by pad10*1, LSB first:
	 * 0x06 lands right after the last absorbed byte, in the first
	 * word that still has room, and the closing 1 bit sits at the
	 * top of the last rate word.
	 */
	nw = (C->nb + 7)/8;
	assert(0 < nw);
	assert(nw <= rw);
	C->A[rw - nw] ^= (uint64_t)0x06 << (8*(8*nw - C->nb));
	C->A[rw - 1] ^= 0x8000000000000000ULL;

	/* Permute one last time.  */
	keccakf1600(C->A);

	/* Squeeze the whole words of the digest.  */
	for (iw = 0; iw < d/8; iw++)
		le64enc(h + 8*iw, C->A[iw]);
	h += 8*iw;
	d -= 8*iw;

	/* Then the remaining d < 8 bytes, if any, from the next word.  */
	if (0 < d) {
		const uint64_t T = C->A[iw];

		for (ib = 0; ib < d; ib++)
			h[ib] = (uint8_t)(T >> (8*ib));
	}

	/* Forget the rest of the state.  */
	(void)explicit_memset(C->A, 0, sizeof C->A);
	C->nb = 0;
}
228 
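/*
 * shake_final(h, d, C, rw)
 *
 *	Finish a SHAKE computation over the sponge C with rate rw words
 *	and squeeze d bytes of output into h.  d is a size_t so that
 *	the value the public SHAKE*_Final wrappers receive reaches here
 *	unchanged; the previous unsigned parameter silently truncated
 *	requests that did not fit in an unsigned.
 *
 *	Output longer than the rate (8*rw bytes) is produced by
 *	permuting again after each full rate block has been revealed.
 *
 *	On return the state has been wiped with explicit_memset and
 *	C->nb is 0, so C must be reinitialized before further use.
 */
static void
shake_final(uint8_t *h, size_t d, struct sha3 *C, unsigned rw)
{
	unsigned nw, iw;

	assert(0 < C->nb);

	/* Append 1111, pad with 10*1 up to buffer boundary, LSB first.  */
	nw = (C->nb + 7)/8;
	assert(0 < nw);
	assert(nw <= rw);
	C->A[rw - nw] ^= (uint64_t)0x1f << (8*(8*nw - C->nb));
	C->A[rw - 1] ^= 0x8000000000000000ULL;

	/* Permute, reveal first rw words of state, repeat.  */
	while (8*rw <= d) {
		keccakf1600(C->A);
		for (iw = 0; iw < rw; iw++)
			le64enc(h + 8*iw, C->A[iw]);
		h += 8*iw;
		d -= 8*iw;
	}

	/*
	 * If 8*rw (the output rate in bytes) does not divide d, more
	 * words are wanted: permute again and reveal a little more.
	 * d < 8*rw here, so d/8 fits the unsigned loop index.
	 */
	if (0 < d) {
		keccakf1600(C->A);
		for (iw = 0; iw < d/8; iw++)
			le64enc(h + 8*iw, C->A[iw]);
		h += 8*iw;
		d -= 8*iw;

		/*
		 * If 8 does not divide d, more bytes are wanted:
		 * reveal them, least significant byte first.
		 */
		if (0 < d) {
			uint64_t T = C->A[iw];
			do {
				*h++ = T & 0xff;
				T >>= 8;
			} while (--d);
		}
	}

	/* Forget the state; the capacity part must never leak.  */
	(void)explicit_memset(C->A, 0, sizeof C->A);
	C->nb = 0;
}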
279 
/*
 * SHA3_224_Init(C)
 *
 *	Prepare C for a new SHA3-224 computation.
 */
void
SHA3_224_Init(SHA3_224_CTX *C)
{
	const unsigned rw = sha3_rate(SHA3_224_DIGEST_LENGTH);

	sha3_init(&C->C224, rw);
}
286 
/*
 * SHA3_224_Update(C, data, len)
 *
 *	Feed len bytes of data into the SHA3-224 computation in C.
 */
void
SHA3_224_Update(SHA3_224_CTX *C, const uint8_t *data, size_t len)
{
	const unsigned rw = sha3_rate(SHA3_224_DIGEST_LENGTH);

	sha3_update(&C->C224, data, len, rw);
}
293 
/*
 * SHA3_224_Final(h, C)
 *
 *	Write the 28-byte SHA3-224 digest to h and wipe C.
 */
void
SHA3_224_Final(uint8_t h[SHA3_224_DIGEST_LENGTH], SHA3_224_CTX *C)
{
	const unsigned rw = sha3_rate(SHA3_224_DIGEST_LENGTH);

	sha3_final(h, SHA3_224_DIGEST_LENGTH, &C->C224, rw);
}
301 
/*
 * SHA3_256_Init(C)
 *
 *	Prepare C for a new SHA3-256 computation.
 */
void
SHA3_256_Init(SHA3_256_CTX *C)
{
	const unsigned rw = sha3_rate(SHA3_256_DIGEST_LENGTH);

	sha3_init(&C->C256, rw);
}
308 
/*
 * SHA3_256_Update(C, data, len)
 *
 *	Feed len bytes of data into the SHA3-256 computation in C.
 */
void
SHA3_256_Update(SHA3_256_CTX *C, const uint8_t *data, size_t len)
{
	const unsigned rw = sha3_rate(SHA3_256_DIGEST_LENGTH);

	sha3_update(&C->C256, data, len, rw);
}
315 
/*
 * SHA3_256_Final(h, C)
 *
 *	Write the 32-byte SHA3-256 digest to h and wipe C.
 */
void
SHA3_256_Final(uint8_t h[SHA3_256_DIGEST_LENGTH], SHA3_256_CTX *C)
{
	const unsigned rw = sha3_rate(SHA3_256_DIGEST_LENGTH);

	sha3_final(h, SHA3_256_DIGEST_LENGTH, &C->C256, rw);
}
323 
/*
 * SHA3_384_Init(C)
 *
 *	Prepare C for a new SHA3-384 computation.
 */
void
SHA3_384_Init(SHA3_384_CTX *C)
{
	const unsigned rw = sha3_rate(SHA3_384_DIGEST_LENGTH);

	sha3_init(&C->C384, rw);
}
330 
/*
 * SHA3_384_Update(C, data, len)
 *
 *	Feed len bytes of data into the SHA3-384 computation in C.
 */
void
SHA3_384_Update(SHA3_384_CTX *C, const uint8_t *data, size_t len)
{
	const unsigned rw = sha3_rate(SHA3_384_DIGEST_LENGTH);

	sha3_update(&C->C384, data, len, rw);
}
337 
/*
 * SHA3_384_Final(h, C)
 *
 *	Write the 48-byte SHA3-384 digest to h and wipe C.
 */
void
SHA3_384_Final(uint8_t h[SHA3_384_DIGEST_LENGTH], SHA3_384_CTX *C)
{
	const unsigned rw = sha3_rate(SHA3_384_DIGEST_LENGTH);

	sha3_final(h, SHA3_384_DIGEST_LENGTH, &C->C384, rw);
}
345 
/*
 * SHA3_512_Init(C)
 *
 *	Prepare C for a new SHA3-512 computation.
 */
void
SHA3_512_Init(SHA3_512_CTX *C)
{
	const unsigned rw = sha3_rate(SHA3_512_DIGEST_LENGTH);

	sha3_init(&C->C512, rw);
}
352 
/*
 * SHA3_512_Update(C, data, len)
 *
 *	Feed len bytes of data into the SHA3-512 computation in C.
 */
void
SHA3_512_Update(SHA3_512_CTX *C, const uint8_t *data, size_t len)
{
	const unsigned rw = sha3_rate(SHA3_512_DIGEST_LENGTH);

	sha3_update(&C->C512, data, len, rw);
}
359 
/*
 * SHA3_512_Final(h, C)
 *
 *	Write the 64-byte SHA3-512 digest to h and wipe C.
 */
void
SHA3_512_Final(uint8_t h[SHA3_512_DIGEST_LENGTH], SHA3_512_CTX *C)
{
	const unsigned rw = sha3_rate(SHA3_512_DIGEST_LENGTH);

	sha3_final(h, SHA3_512_DIGEST_LENGTH, &C->C512, rw);
}
367 
/*
 * SHAKE128_Init(C)
 *
 *	Prepare C for a new SHAKE128 computation.  The rate is derived
 *	from a 16-byte "digest", i.e. a 256-bit capacity.
 */
void
SHAKE128_Init(SHAKE128_CTX *C)
{
	const unsigned rw = sha3_rate(128/8);

	sha3_init(&C->C128, rw);
}
374 
/*
 * SHAKE128_Update(C, data, len)
 *
 *	Feed len bytes of data into the SHAKE128 computation in C.
 */
void
SHAKE128_Update(SHAKE128_CTX *C, const uint8_t *data, size_t len)
{
	const unsigned rw = sha3_rate(128/8);

	sha3_update(&C->C128, data, len, rw);
}
381 
/*
 * SHAKE128_Final(h, d, C)
 *
 *	Squeeze d bytes of SHAKE128 output into h and wipe C.
 */
void
SHAKE128_Final(uint8_t *h, size_t d, SHAKE128_CTX *C)
{
	const unsigned rw = sha3_rate(128/8);

	shake_final(h, d, &C->C128, rw);
}
388 
/*
 * SHAKE256_Init(C)
 *
 *	Prepare C for a new SHAKE256 computation.  The rate is derived
 *	from a 32-byte "digest", i.e. a 512-bit capacity.
 */
void
SHAKE256_Init(SHAKE256_CTX *C)
{
	const unsigned rw = sha3_rate(256/8);

	sha3_init(&C->C256, rw);
}
395 
/*
 * SHAKE256_Update(C, data, len)
 *
 *	Feed len bytes of data into the SHAKE256 computation in C.
 */
void
SHAKE256_Update(SHAKE256_CTX *C, const uint8_t *data, size_t len)
{
	const unsigned rw = sha3_rate(256/8);

	sha3_update(&C->C256, data, len, rw);
}
402 
/*
 * SHAKE256_Final(h, d, C)
 *
 *	Squeeze d bytes of SHAKE256 output into h and wipe C.
 */
void
SHAKE256_Final(uint8_t *h, size_t d, SHAKE256_CTX *C)
{
	const unsigned rw = sha3_rate(256/8);

	shake_final(h, d, &C->C256, rw);
}
409 
/*
 * sha3_selftest_prng(buf, len, seed)
 *
 *	Fill buf with len bytes of a deterministic, seed-dependent
 *	sequence: a 32-bit Fibonacci-style recurrence whose top byte is
 *	emitted at each step.  This is not a cryptographic generator;
 *	it only exists so SHA3_Selftest can build reproducible test
 *	messages.
 */
static void
sha3_selftest_prng(void *buf, size_t len, uint32_t seed)
{
	uint8_t *out = buf;
	uint32_t prev = 0xdead4bad * seed;
	uint32_t cur = 1;
	size_t i;

	for (i = 0; i < len; i++) {
		const uint32_t next = prev + cur;

		out[i] = next >> 24;
		prev = cur;
		cur = next;
	}
}
427 
/*
 * SHA3_Selftest()
 *
 *	Run the known-answer tests: the NIST vectors for the empty
 *	message and for 200 bytes of 0xa3, for all four SHA-3 digest
 *	sizes and for SHAKE128/SHAKE256 at 41 and 73 output bytes, and
 *	then a chained test over messages of unaligned lengths.
 *
 *	Returns 0 if every output matches, -1 at the first mismatch.
 */
int
SHA3_Selftest(void)
{
	const uint8_t d224_0[] = { /* SHA3-224(0-bit) */
		0x6b,0x4e,0x03,0x42,0x36,0x67,0xdb,0xb7,
		0x3b,0x6e,0x15,0x45,0x4f,0x0e,0xb1,0xab,
		0xd4,0x59,0x7f,0x9a,0x1b,0x07,0x8e,0x3f,
		0x5b,0x5a,0x6b,0xc7,
	};
	const uint8_t d256_0[] = { /* SHA3-256(0-bit) */
		0xa7,0xff,0xc6,0xf8,0xbf,0x1e,0xd7,0x66,
		0x51,0xc1,0x47,0x56,0xa0,0x61,0xd6,0x62,
		0xf5,0x80,0xff,0x4d,0xe4,0x3b,0x49,0xfa,
		0x82,0xd8,0x0a,0x4b,0x80,0xf8,0x43,0x4a,
	};
	const uint8_t d384_0[] = { /* SHA3-384(0-bit) */
		0x0c,0x63,0xa7,0x5b,0x84,0x5e,0x4f,0x7d,
		0x01,0x10,0x7d,0x85,0x2e,0x4c,0x24,0x85,
		0xc5,0x1a,0x50,0xaa,0xaa,0x94,0xfc,0x61,
		0x99,0x5e,0x71,0xbb,0xee,0x98,0x3a,0x2a,
		0xc3,0x71,0x38,0x31,0x26,0x4a,0xdb,0x47,
		0xfb,0x6b,0xd1,0xe0,0x58,0xd5,0xf0,0x04,
	};
	const uint8_t d512_0[] = { /* SHA3-512(0-bit) */
		0xa6,0x9f,0x73,0xcc,0xa2,0x3a,0x9a,0xc5,
		0xc8,0xb5,0x67,0xdc,0x18,0x5a,0x75,0x6e,
		0x97,0xc9,0x82,0x16,0x4f,0xe2,0x58,0x59,
		0xe0,0xd1,0xdc,0xc1,0x47,0x5c,0x80,0xa6,
		0x15,0xb2,0x12,0x3a,0xf1,0xf5,0xf9,0x4c,
		0x11,0xe3,0xe9,0x40,0x2c,0x3a,0xc5,0x58,
		0xf5,0x00,0x19,0x9d,0x95,0xb6,0xd3,0xe3,
		0x01,0x75,0x85,0x86,0x28,0x1d,0xcd,0x26,
	};
	const uint8_t shake128_0_41[] = { /* SHAKE128(0-bit, 41) */
		0x7f,0x9c,0x2b,0xa4,0xe8,0x8f,0x82,0x7d,
		0x61,0x60,0x45,0x50,0x76,0x05,0x85,0x3e,
		0xd7,0x3b,0x80,0x93,0xf6,0xef,0xbc,0x88,
		0xeb,0x1a,0x6e,0xac,0xfa,0x66,0xef,0x26,
		0x3c,0xb1,0xee,0xa9,0x88,0x00,0x4b,0x93,0x10,
	};
	const uint8_t shake256_0_73[] = { /* SHAKE256(0-bit, 73) */
		0x46,0xb9,0xdd,0x2b,0x0b,0xa8,0x8d,0x13,
		0x23,0x3b,0x3f,0xeb,0x74,0x3e,0xeb,0x24,
		0x3f,0xcd,0x52,0xea,0x62,0xb8,0x1b,0x82,
		0xb5,0x0c,0x27,0x64,0x6e,0xd5,0x76,0x2f,
		0xd7,0x5d,0xc4,0xdd,0xd8,0xc0,0xf2,0x00,
		0xcb,0x05,0x01,0x9d,0x67,0xb5,0x92,0xf6,
		0xfc,0x82,0x1c,0x49,0x47,0x9a,0xb4,0x86,
		0x40,0x29,0x2e,0xac,0xb3,0xb7,0xc4,0xbe,
		0x14,0x1e,0x96,0x61,0x6f,0xb1,0x39,0x57,0x69,
	};
	const uint8_t d224_1600[] = { /* SHA3-224(200 * 0xa3) */
		0x93,0x76,0x81,0x6a,0xba,0x50,0x3f,0x72,
		0xf9,0x6c,0xe7,0xeb,0x65,0xac,0x09,0x5d,
		0xee,0xe3,0xbe,0x4b,0xf9,0xbb,0xc2,0xa1,
		0xcb,0x7e,0x11,0xe0,
	};
	const uint8_t d256_1600[] = { /* SHA3-256(200 * 0xa3) */
		0x79,0xf3,0x8a,0xde,0xc5,0xc2,0x03,0x07,
		0xa9,0x8e,0xf7,0x6e,0x83,0x24,0xaf,0xbf,
		0xd4,0x6c,0xfd,0x81,0xb2,0x2e,0x39,0x73,
		0xc6,0x5f,0xa1,0xbd,0x9d,0xe3,0x17,0x87,
	};
	const uint8_t d384_1600[] = { /* SHA3-384(200 * 0xa3) */
		0x18,0x81,0xde,0x2c,0xa7,0xe4,0x1e,0xf9,
		0x5d,0xc4,0x73,0x2b,0x8f,0x5f,0x00,0x2b,
		0x18,0x9c,0xc1,0xe4,0x2b,0x74,0x16,0x8e,
		0xd1,0x73,0x26,0x49,0xce,0x1d,0xbc,0xdd,
		0x76,0x19,0x7a,0x31,0xfd,0x55,0xee,0x98,
		0x9f,0x2d,0x70,0x50,0xdd,0x47,0x3e,0x8f,
	};
	const uint8_t d512_1600[] = { /* SHA3-512(200 * 0xa3) */
		0xe7,0x6d,0xfa,0xd2,0x20,0x84,0xa8,0xb1,
		0x46,0x7f,0xcf,0x2f,0xfa,0x58,0x36,0x1b,
		0xec,0x76,0x28,0xed,0xf5,0xf3,0xfd,0xc0,
		0xe4,0x80,0x5d,0xc4,0x8c,0xae,0xec,0xa8,
		0x1b,0x7c,0x13,0xc3,0x0a,0xdf,0x52,0xa3,
		0x65,0x95,0x84,0x73,0x9a,0x2d,0xf4,0x6b,
		0xe5,0x89,0xc5,0x1c,0xa1,0xa4,0xa8,0x41,
		0x6d,0xf6,0x54,0x5a,0x1c,0xe8,0xba,0x00,
	};
	const uint8_t shake128_1600_41[] = { /* SHAKE128(200 * 0xa3, 41) */
		0x13,0x1a,0xb8,0xd2,0xb5,0x94,0x94,0x6b,
		0x9c,0x81,0x33,0x3f,0x9b,0xb6,0xe0,0xce,
		0x75,0xc3,0xb9,0x31,0x04,0xfa,0x34,0x69,
		0xd3,0x91,0x74,0x57,0x38,0x5d,0xa0,0x37,
		0xcf,0x23,0x2e,0xf7,0x16,0x4a,0x6d,0x1e,0xb4,
	};
	const uint8_t shake256_1600_73[] = { /* SHAKE256(200 * 0xa3, 73) */
		0xcd,0x8a,0x92,0x0e,0xd1,0x41,0xaa,0x04,
		0x07,0xa2,0x2d,0x59,0x28,0x86,0x52,0xe9,
		0xd9,0xf1,0xa7,0xee,0x0c,0x1e,0x7c,0x1c,
		0xa6,0x99,0x42,0x4d,0xa8,0x4a,0x90,0x4d,
		0x2d,0x70,0x0c,0xaa,0xe7,0x39,0x6e,0xce,
		0x96,0x60,0x44,0x40,0x57,0x7d,0xa4,0xf3,
		0xaa,0x22,0xae,0xb8,0x85,0x7f,0x96,0x1c,
		0x4c,0xd8,0xe0,0x6f,0x0a,0xe6,0x61,0x0b,
		0x10,0x48,0xa7,0xf6,0x4e,0x10,0x74,0xcd,0x62,
	};
	/*
	 * Expected SHA3-512 over the concatenated digests of the
	 * chained unaligned-length test below.  NOTE(review): this
	 * value is a regression value, presumably produced with this
	 * implementation rather than taken from an external reference
	 * -- confirm before relying on it as an independent check.
	 */
	const uint8_t d0[] = {
		0x6c,0x02,0x1a,0xc6,0x65,0xaf,0x80,0xfb,
		0x52,0xe6,0x2d,0x27,0xe5,0x02,0x88,0x84,
		0xec,0x1c,0x0c,0xe7,0x0b,0x94,0x55,0x83,
		0x19,0xf2,0xbf,0x09,0x86,0xeb,0x1a,0xbb,
		0xc3,0x0d,0x1c,0xef,0x22,0xfe,0xc5,0x4c,
		0x45,0x90,0x66,0x14,0x00,0x6e,0xc8,0x79,
		0xdf,0x1e,0x02,0xbd,0x75,0xe9,0x60,0xd8,
		0x60,0x39,0x85,0xc9,0xc4,0xee,0x33,0xab,
	};
	/* Message lengths that exercise the partial-word and partial-buffer paths. */
	const unsigned mlen[6] = { 0, 3, 128, 129, 255, 1024 };
	/* m: longest test message (1024 bytes); d: longest output (73 bytes). */
	uint8_t m[1024], d[73];
	SHA3_224_CTX sha3224;
	SHA3_256_CTX sha3256;
	SHA3_384_CTX sha3384;
	SHA3_512_CTX sha3512;
	SHAKE128_CTX shake128;
	SHAKE256_CTX shake256;
	SHA3_512_CTX ctx;		/* accumulates the chained test */
	unsigned mi;

	/*
	 * NIST test vectors from
	 * <http://csrc.nist.gov/groups/ST/toolkit/examples.html#aHashing>:
	 * 0-bit, 1600-bit repeated 0xa3 (= 0b10100011).
	 */
	SHA3_224_Init(&sha3224);
	SHA3_224_Final(d, &sha3224);
	if (memcmp(d, d224_0, 28) != 0)
		return -1;
	SHA3_256_Init(&sha3256);
	SHA3_256_Final(d, &sha3256);
	if (memcmp(d, d256_0, 32) != 0)
		return -1;
	SHA3_384_Init(&sha3384);
	SHA3_384_Final(d, &sha3384);
	if (memcmp(d, d384_0, 48) != 0)
		return -1;
	SHA3_512_Init(&sha3512);
	SHA3_512_Final(d, &sha3512);
	if (memcmp(d, d512_0, 64) != 0)
		return -1;
	SHAKE128_Init(&shake128);
	SHAKE128_Final(d, 41, &shake128);
	if (memcmp(d, shake128_0_41, 41) != 0)
		return -1;
	SHAKE256_Init(&shake256);
	SHAKE256_Final(d, 73, &shake256);
	if (memcmp(d, shake256_0_73, 73) != 0)
		return -1;

	/* 200 bytes of 0xa3: longer than any rate, so at least one full block. */
	(void)memset(m, 0xa3, 200);
	SHA3_224_Init(&sha3224);
	SHA3_224_Update(&sha3224, m, 200);
	SHA3_224_Final(d, &sha3224);
	if (memcmp(d, d224_1600, 28) != 0)
		return -1;
	SHA3_256_Init(&sha3256);
	SHA3_256_Update(&sha3256, m, 200);
	SHA3_256_Final(d, &sha3256);
	if (memcmp(d, d256_1600, 32) != 0)
		return -1;
	SHA3_384_Init(&sha3384);
	SHA3_384_Update(&sha3384, m, 200);
	SHA3_384_Final(d, &sha3384);
	if (memcmp(d, d384_1600, 48) != 0)
		return -1;
	SHA3_512_Init(&sha3512);
	SHA3_512_Update(&sha3512, m, 200);
	SHA3_512_Final(d, &sha3512);
	if (memcmp(d, d512_1600, 64) != 0)
		return -1;
	SHAKE128_Init(&shake128);
	SHAKE128_Update(&shake128, m, 200);
	SHAKE128_Final(d, 41, &shake128);
	if (memcmp(d, shake128_1600_41, 41) != 0)
		return -1;
	SHAKE256_Init(&shake256);
	SHAKE256_Update(&shake256, m, 200);
	SHAKE256_Final(d, 73, &shake256);
	if (memcmp(d, shake256_1600_73, 73) != 0)
		return -1;

	/*
	 * Hand-crafted test vectors with unaligned message lengths.
	 * For each digest size, hash six PRNG-generated messages of
	 * the lengths in mlen[], seeding the PRNG from both the digest
	 * size and the length, and feed every digest into one running
	 * SHA3-512 (ctx).  A single wrong byte anywhere in the
	 * partial-word or partial-buffer paths of sha3_update changes
	 * the final value compared against d0.
	 */
	SHA3_512_Init(&ctx);
	for (mi = 0; mi < 6; mi++) {
		sha3_selftest_prng(m, mlen[mi], (224/8)*mlen[mi]);
		SHA3_224_Init(&sha3224);
		SHA3_224_Update(&sha3224, m, mlen[mi]);
		SHA3_224_Final(d, &sha3224);
		SHA3_512_Update(&ctx, d, 224/8);
	}
	for (mi = 0; mi < 6; mi++) {
		sha3_selftest_prng(m, mlen[mi], (256/8)*mlen[mi]);
		SHA3_256_Init(&sha3256);
		SHA3_256_Update(&sha3256, m, mlen[mi]);
		SHA3_256_Final(d, &sha3256);
		SHA3_512_Update(&ctx, d, 256/8);
	}
	for (mi = 0; mi < 6; mi++) {
		sha3_selftest_prng(m, mlen[mi], (384/8)*mlen[mi]);
		SHA3_384_Init(&sha3384);
		SHA3_384_Update(&sha3384, m, mlen[mi]);
		SHA3_384_Final(d, &sha3384);
		SHA3_512_Update(&ctx, d, 384/8);
	}
	for (mi = 0; mi < 6; mi++) {
		sha3_selftest_prng(m, mlen[mi], (512/8)*mlen[mi]);
		SHA3_512_Init(&sha3512);
		SHA3_512_Update(&sha3512, m, mlen[mi]);
		SHA3_512_Final(d, &sha3512);
		SHA3_512_Update(&ctx, d, 512/8);
	}
	SHA3_512_Final(d, &ctx);
	if (memcmp(d, d0, 64) != 0)
		return -1;

	return 0;
}
648