/src/libgcrypt/random/jitterentropy-sha3.c

Line	Count	Source (jump to first uncovered line)
1		/* Jitter RNG: SHA-3 Implementation
2		*
3		* Copyright (C) 2021, Stephan Mueller <smueller@chronox.de>
4		*
5		* License: see LICENSE file in root directory
6		*
7		* THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
8		* WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
9		* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF
10		* WHICH ARE HEREBY DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE
11		* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
12		* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
13		* OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
14		* BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
15		* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
16		* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
17		* USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH
18		* DAMAGE.
19		*/
20
21		#include "jitterentropy-sha3.h"
22
23		/***************************************************************************
24		* Message Digest Implementation
25		***************************************************************************/
26
27		/*
28		* Conversion of Little-Endian representations in byte streams - the data
29		* representation in the integer values is the host representation.
30		*/
31		static inline uint32_t ptr_to_le32(const uint8_t *p)
32	0	{
33	0	return (uint32_t)p[0] \| (uint32_t)p[1] << 8 \|
34	0	(uint32_t)p[2] << 16 \| (uint32_t)p[3] << 24;
35	0	}
36
37		static inline uint64_t ptr_to_le64(const uint8_t *p)
38	0	{
39	0	return (uint64_t)ptr_to_le32(p) \| (uint64_t)ptr_to_le32(p + 4) << 32;
40	0	}
41
42		static inline void le32_to_ptr(uint8_t *p, const uint32_t value)
43	0	{
44	0	p[0] = (uint8_t)(value);
45	0	p[1] = (uint8_t)(value >> 8);
46	0	p[2] = (uint8_t)(value >> 16);
47	0	p[3] = (uint8_t)(value >> 24);
48	0	}
49
50		static inline void le64_to_ptr(uint8_t *p, const uint64_t value)
51	0	{
52	0	le32_to_ptr(p + 4, (uint32_t)(value >> 32));
53	0	le32_to_ptr(p, (uint32_t)(value));
54	0	}
55
56		/********************************* Keccak *********************************/
57		/* state[x + y5] /
58	0	#define A(x, y) (x + 5 * y)
59
60		static inline void keccakp_theta(uint64_t s[25])
61	0	{
62	0	uint64_t C[5], D[5];
63
64		/* Step 1 */
65	0	C[0] = s[A(0, 0)] ^ s[A(0, 1)] ^ s[A(0, 2)] ^ s[A(0, 3)] ^ s[A(0, 4)];
66	0	C[1] = s[A(1, 0)] ^ s[A(1, 1)] ^ s[A(1, 2)] ^ s[A(1, 3)] ^ s[A(1, 4)];
67	0	C[2] = s[A(2, 0)] ^ s[A(2, 1)] ^ s[A(2, 2)] ^ s[A(2, 3)] ^ s[A(2, 4)];
68	0	C[3] = s[A(3, 0)] ^ s[A(3, 1)] ^ s[A(3, 2)] ^ s[A(3, 3)] ^ s[A(3, 4)];
69	0	C[4] = s[A(4, 0)] ^ s[A(4, 1)] ^ s[A(4, 2)] ^ s[A(4, 3)] ^ s[A(4, 4)];
70
71		/* Step 2 */
72	0	D[0] = C[4] ^ rol64(C[1], 1);
73	0	D[1] = C[0] ^ rol64(C[2], 1);
74	0	D[2] = C[1] ^ rol64(C[3], 1);
75	0	D[3] = C[2] ^ rol64(C[4], 1);
76	0	D[4] = C[3] ^ rol64(C[0], 1);
77
78		/* Step 3 */
79	0	s[A(0, 0)] ^= D[0];
80	0	s[A(1, 0)] ^= D[1];
81	0	s[A(2, 0)] ^= D[2];
82	0	s[A(3, 0)] ^= D[3];
83	0	s[A(4, 0)] ^= D[4];
84
85	0	s[A(0, 1)] ^= D[0];
86	0	s[A(1, 1)] ^= D[1];
87	0	s[A(2, 1)] ^= D[2];
88	0	s[A(3, 1)] ^= D[3];
89	0	s[A(4, 1)] ^= D[4];
90
91	0	s[A(0, 2)] ^= D[0];
92	0	s[A(1, 2)] ^= D[1];
93	0	s[A(2, 2)] ^= D[2];
94	0	s[A(3, 2)] ^= D[3];
95	0	s[A(4, 2)] ^= D[4];
96
97	0	s[A(0, 3)] ^= D[0];
98	0	s[A(1, 3)] ^= D[1];
99	0	s[A(2, 3)] ^= D[2];
100	0	s[A(3, 3)] ^= D[3];
101	0	s[A(4, 3)] ^= D[4];
102
103	0	s[A(0, 4)] ^= D[0];
104	0	s[A(1, 4)] ^= D[1];
105	0	s[A(2, 4)] ^= D[2];
106	0	s[A(3, 4)] ^= D[3];
107	0	s[A(4, 4)] ^= D[4];
108	0	}
109
110		static inline void keccakp_rho(uint64_t s[25])
111	0	{
112		/* Step 1 */
113		/* s[A(0, 0)] = s[A(0, 0)]; */
114
115	0	#define RHO_ROL(t) (((t + 1) * (t + 2) / 2) % 64)
116		/* Step 3 */
117	0	s[A(1, 0)] = rol64(s[A(1, 0)], RHO_ROL(0));
118	0	s[A(0, 2)] = rol64(s[A(0, 2)], RHO_ROL(1));
119	0	s[A(2, 1)] = rol64(s[A(2, 1)], RHO_ROL(2));
120	0	s[A(1, 2)] = rol64(s[A(1, 2)], RHO_ROL(3));
121	0	s[A(2, 3)] = rol64(s[A(2, 3)], RHO_ROL(4));
122	0	s[A(3, 3)] = rol64(s[A(3, 3)], RHO_ROL(5));
123	0	s[A(3, 0)] = rol64(s[A(3, 0)], RHO_ROL(6));
124	0	s[A(0, 1)] = rol64(s[A(0, 1)], RHO_ROL(7));
125	0	s[A(1, 3)] = rol64(s[A(1, 3)], RHO_ROL(8));
126	0	s[A(3, 1)] = rol64(s[A(3, 1)], RHO_ROL(9));
127	0	s[A(1, 4)] = rol64(s[A(1, 4)], RHO_ROL(10));
128	0	s[A(4, 4)] = rol64(s[A(4, 4)], RHO_ROL(11));
129	0	s[A(4, 0)] = rol64(s[A(4, 0)], RHO_ROL(12));
130	0	s[A(0, 3)] = rol64(s[A(0, 3)], RHO_ROL(13));
131	0	s[A(3, 4)] = rol64(s[A(3, 4)], RHO_ROL(14));
132	0	s[A(4, 3)] = rol64(s[A(4, 3)], RHO_ROL(15));
133	0	s[A(3, 2)] = rol64(s[A(3, 2)], RHO_ROL(16));
134	0	s[A(2, 2)] = rol64(s[A(2, 2)], RHO_ROL(17));
135	0	s[A(2, 0)] = rol64(s[A(2, 0)], RHO_ROL(18));
136	0	s[A(0, 4)] = rol64(s[A(0, 4)], RHO_ROL(19));
137	0	s[A(4, 2)] = rol64(s[A(4, 2)], RHO_ROL(20));
138	0	s[A(2, 4)] = rol64(s[A(2, 4)], RHO_ROL(21));
139	0	s[A(4, 1)] = rol64(s[A(4, 1)], RHO_ROL(22));
140	0	s[A(1, 1)] = rol64(s[A(1, 1)], RHO_ROL(23));
141	0	}
142
143		static inline void keccakp_pi(uint64_t s[25])
144	0	{
145	0	uint64_t t = s[A(4, 4)];
146
147		/* Step 1 */
148		/* s[A(0, 0)] = s[A(0, 0)]; */
149	0	s[A(4, 4)] = s[A(1, 4)];
150	0	s[A(1, 4)] = s[A(3, 1)];
151	0	s[A(3, 1)] = s[A(1, 3)];
152	0	s[A(1, 3)] = s[A(0, 1)];
153	0	s[A(0, 1)] = s[A(3, 0)];
154	0	s[A(3, 0)] = s[A(3, 3)];
155	0	s[A(3, 3)] = s[A(2, 3)];
156	0	s[A(2, 3)] = s[A(1, 2)];
157	0	s[A(1, 2)] = s[A(2, 1)];
158	0	s[A(2, 1)] = s[A(0, 2)];
159	0	s[A(0, 2)] = s[A(1, 0)];
160	0	s[A(1, 0)] = s[A(1, 1)];
161	0	s[A(1, 1)] = s[A(4, 1)];
162	0	s[A(4, 1)] = s[A(2, 4)];
163	0	s[A(2, 4)] = s[A(4, 2)];
164	0	s[A(4, 2)] = s[A(0, 4)];
165	0	s[A(0, 4)] = s[A(2, 0)];
166	0	s[A(2, 0)] = s[A(2, 2)];
167	0	s[A(2, 2)] = s[A(3, 2)];
168	0	s[A(3, 2)] = s[A(4, 3)];
169	0	s[A(4, 3)] = s[A(3, 4)];
170	0	s[A(3, 4)] = s[A(0, 3)];
171	0	s[A(0, 3)] = s[A(4, 0)];
172	0	s[A(4, 0)] = t;
173	0	}
174
175		static inline void keccakp_chi(uint64_t s[25])
176	0	{
177	0	uint64_t t0[5], t1[5];
178
179	0	t0[0] = s[A(0, 0)];
180	0	t0[1] = s[A(0, 1)];
181	0	t0[2] = s[A(0, 2)];
182	0	t0[3] = s[A(0, 3)];
183	0	t0[4] = s[A(0, 4)];
184
185	0	t1[0] = s[A(1, 0)];
186	0	t1[1] = s[A(1, 1)];
187	0	t1[2] = s[A(1, 2)];
188	0	t1[3] = s[A(1, 3)];
189	0	t1[4] = s[A(1, 4)];
190
191	0	s[A(0, 0)] ^= ~s[A(1, 0)] & s[A(2, 0)];
192	0	s[A(0, 1)] ^= ~s[A(1, 1)] & s[A(2, 1)];
193	0	s[A(0, 2)] ^= ~s[A(1, 2)] & s[A(2, 2)];
194	0	s[A(0, 3)] ^= ~s[A(1, 3)] & s[A(2, 3)];
195	0	s[A(0, 4)] ^= ~s[A(1, 4)] & s[A(2, 4)];
196
197	0	s[A(1, 0)] ^= ~s[A(2, 0)] & s[A(3, 0)];
198	0	s[A(1, 1)] ^= ~s[A(2, 1)] & s[A(3, 1)];
199	0	s[A(1, 2)] ^= ~s[A(2, 2)] & s[A(3, 2)];
200	0	s[A(1, 3)] ^= ~s[A(2, 3)] & s[A(3, 3)];
201	0	s[A(1, 4)] ^= ~s[A(2, 4)] & s[A(3, 4)];
202
203	0	s[A(2, 0)] ^= ~s[A(3, 0)] & s[A(4, 0)];
204	0	s[A(2, 1)] ^= ~s[A(3, 1)] & s[A(4, 1)];
205	0	s[A(2, 2)] ^= ~s[A(3, 2)] & s[A(4, 2)];
206	0	s[A(2, 3)] ^= ~s[A(3, 3)] & s[A(4, 3)];
207	0	s[A(2, 4)] ^= ~s[A(3, 4)] & s[A(4, 4)];
208
209	0	s[A(3, 0)] ^= ~s[A(4, 0)] & t0[0];
210	0	s[A(3, 1)] ^= ~s[A(4, 1)] & t0[1];
211	0	s[A(3, 2)] ^= ~s[A(4, 2)] & t0[2];
212	0	s[A(3, 3)] ^= ~s[A(4, 3)] & t0[3];
213	0	s[A(3, 4)] ^= ~s[A(4, 4)] & t0[4];
214
215	0	s[A(4, 0)] ^= ~t0[0] & t1[0];
216	0	s[A(4, 1)] ^= ~t0[1] & t1[1];
217	0	s[A(4, 2)] ^= ~t0[2] & t1[2];
218	0	s[A(4, 3)] ^= ~t0[3] & t1[3];
219	0	s[A(4, 4)] ^= ~t0[4] & t1[4];
220	0	}
221
222		static const uint64_t keccakp_iota_vals[] = {
223		0x0000000000000001ULL, 0x0000000000008082ULL, 0x800000000000808aULL,
224		0x8000000080008000ULL, 0x000000000000808bULL, 0x0000000080000001ULL,
225		0x8000000080008081ULL, 0x8000000000008009ULL, 0x000000000000008aULL,
226		0x0000000000000088ULL, 0x0000000080008009ULL, 0x000000008000000aULL,
227		0x000000008000808bULL, 0x800000000000008bULL, 0x8000000000008089ULL,
228		0x8000000000008003ULL, 0x8000000000008002ULL, 0x8000000000000080ULL,
229		0x000000000000800aULL, 0x800000008000000aULL, 0x8000000080008081ULL,
230		0x8000000000008080ULL, 0x0000000080000001ULL, 0x8000000080008008ULL
231		};
232
233		static inline void keccakp_iota(uint64_t s[25], unsigned int round)
234	0	{
235	0	s[0] ^= keccakp_iota_vals[round];
236	0	}
237
238		static inline void keccakp_1600(uint64_t s[25])
239	0	{
240	0	unsigned int round;
241
242	0	for (round = 0; round < 24; round++) {
243	0	keccakp_theta(s);
244	0	keccakp_rho(s);
245	0	keccakp_pi(s);
246	0	keccakp_chi(s);
247	0	keccakp_iota(s, round);
248	0	}
249	0	}
250
251		/********************************* SHA-3 **********************************/
252
253		static inline void sha3_init(struct sha_ctx *ctx)
254	0	{
255	0	unsigned int i;
256
257	0	for (i = 0; i < 25; i++)
258	0	ctx->state[i] = 0;
259	0	ctx->msg_len = 0;
260	0	}
261
262		void sha3_256_init(struct sha_ctx *ctx)
263	0	{
264	0	sha3_init(ctx);
265	0	ctx->r = SHA3_256_SIZE_BLOCK;
266	0	ctx->rword = SHA3_256_SIZE_BLOCK / sizeof(uint64_t);
267	0	ctx->digestsize = SHA3_256_SIZE_DIGEST;
268	0	}
269
270		static inline void sha3_fill_state(struct sha_ctx ctx, const uint8_t in)
271	0	{
272	0	unsigned int i;
273
274	0	for (i = 0; i < ctx->rword; i++) {
275	0	ctx->state[i] ^= ptr_to_le64(in);
276	0	in += 8;
277	0	}
278	0	}
279
280		void sha3_update(struct sha_ctx ctx, const uint8_t in, size_t inlen)
281	0	{
282	0	size_t partial = ctx->msg_len % ctx->r;
283
284	0	ctx->msg_len += inlen;
285
286		/* Sponge absorbing phase */
287
288		/* Check if we have a partial block stored */
289	0	if (partial) {
290	0	size_t todo = ctx->r - partial;
291
292		/*
293		* If the provided data is small enough to fit in the partial
294		* buffer, copy it and leave it unprocessed.
295		*/
296	0	if (inlen < todo) {
297	0	memcpy(ctx->partial + partial, in, inlen);
298	0	return;
299	0	}
300
301		/*
302		* The input data is large enough to fill the entire partial
303		* block buffer. Thus, we fill it and transform it.
304		*/
305	0	memcpy(ctx->partial + partial, in, todo);
306	0	inlen -= todo;
307	0	in += todo;
308
309	0	sha3_fill_state(ctx, ctx->partial);
310	0	keccakp_1600(ctx->state);
311	0	}
312
313		/* Perform a transformation of full block-size messages */
314	0	for (; inlen >= ctx->r; inlen -= ctx->r, in += ctx->r) {
315	0	sha3_fill_state(ctx, in);
316	0	keccakp_1600(ctx->state);
317	0	}
318
319		/* If we have data left, copy it into the partial block buffer */
320	0	memcpy(ctx->partial, in, inlen);
321	0	}
322
323		void sha3_final(struct sha_ctx ctx, uint8_t digest)
324	0	{
325	0	size_t partial = ctx->msg_len % ctx->r;
326	0	unsigned int i;
327
328		/* Final round in sponge absorbing phase */
329
330		/* Fill the unused part of the partial buffer with zeros */
331	0	memset(ctx->partial + partial, 0, ctx->r - partial);
332
333		/*
334		* Add the leading and trailing bit as well as the 01 bits for the
335		* SHA-3 suffix.
336		*/
337	0	ctx->partial[partial] = 0x06;
338	0	ctx->partial[ctx->r - 1] \|= 0x80;
339
340		/* Final transformation */
341	0	sha3_fill_state(ctx, ctx->partial);
342	0	keccakp_1600(ctx->state);
343
344		/*
345		* Sponge squeeze phase - the digest size is always smaller as the
346		* state size r which implies we only have one squeeze round.
347		*/
348	0	for (i = 0; i < ctx->digestsize / 8; i++, digest += 8)
349	0	le64_to_ptr(digest, ctx->state[i]);
350
351		/* Add remaining 4 bytes if we use SHA3-224 */
352	0	if (ctx->digestsize % 8)
353	0	le32_to_ptr(digest, (uint32_t)(ctx->state[i]));
354
355	0	memset(ctx->partial, 0, ctx->r);
356	0	sha3_init(ctx);
357	0	}
358
359		int sha3_tester(void)
360	0	{
361	0	HASH_CTX_ON_STACK(ctx);
362	0	static const uint8_t msg_256[] = { 0x5E, 0x5E, 0xD6 };
363	0	static const uint8_t exp_256[] = { 0xF1, 0x6E, 0x66, 0xC0, 0x43, 0x72,
364	0	0xB4, 0xA3, 0xE1, 0xE3, 0x2E, 0x07,
365	0	0xC4, 0x1C, 0x03, 0x40, 0x8A, 0xD5,
366	0	0x43, 0x86, 0x8C, 0xC4, 0x0E, 0xC5,
367	0	0x5E, 0x00, 0xBB, 0xBB, 0xBD, 0xF5,
368	0	0x91, 0x1E };
369	0	uint8_t act[SHA3_256_SIZE_DIGEST] = { 0 };
370	0	unsigned int i;
371
372	0	sha3_256_init(&ctx);
373	0	sha3_update(&ctx, msg_256, 3);
374	0	sha3_final(&ctx, act);
375
376	0	for (i = 0; i < SHA3_256_SIZE_DIGEST; i++) {
377	0	if (exp_256[i] != act[i])
378	0	return 1;
379	0	}
380
381	0	return 0;
382	0	}

Coverage Report

Created: 2022-12-08 06:09