/src/wolfssl/wolfcrypt/src/sha3.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* sha3.c |
2 | | * |
3 | | * Copyright (C) 2006-2025 wolfSSL Inc. |
4 | | * |
5 | | * This file is part of wolfSSL. |
6 | | * |
7 | | * wolfSSL is free software; you can redistribute it and/or modify |
8 | | * it under the terms of the GNU General Public License as published by |
9 | | * the Free Software Foundation; either version 3 of the License, or |
10 | | * (at your option) any later version. |
11 | | * |
12 | | * wolfSSL is distributed in the hope that it will be useful, |
13 | | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
14 | | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
15 | | * GNU General Public License for more details. |
16 | | * |
17 | | * You should have received a copy of the GNU General Public License |
18 | | * along with this program; if not, write to the Free Software |
19 | | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA |
20 | | */ |
21 | | |
22 | | #include <wolfssl/wolfcrypt/libwolfssl_sources.h> |
23 | | |
24 | | #ifdef WC_SHA3_NO_ASM |
25 | | #undef USE_INTEL_SPEEDUP |
26 | | #undef WOLFSSL_ARMASM |
27 | | #undef WOLFSSL_RISCV_ASM |
28 | | #endif |
29 | | |
30 | | #if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_XILINX_CRYPT) && \ |
31 | | !defined(WOLFSSL_AFALG_XILINX_SHA3) |
32 | | |
33 | | #if FIPS_VERSION3_GE(2,0,0) |
34 | | /* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */ |
35 | | #define FIPS_NO_WRAPPERS |
36 | | |
37 | | #ifdef USE_WINDOWS_API |
38 | | #pragma code_seg(".fipsA$n") |
39 | | #pragma const_seg(".fipsB$n") |
40 | | #endif |
41 | | #endif |
42 | | |
43 | | #include <wolfssl/wolfcrypt/sha3.h> |
44 | | #include <wolfssl/wolfcrypt/hash.h> |
45 | | |
46 | | #ifdef WOLF_CRYPTO_CB |
47 | | #include <wolfssl/wolfcrypt/cryptocb.h> |
48 | | #endif |
49 | | #ifdef NO_INLINE |
50 | | #include <wolfssl/wolfcrypt/misc.h> |
51 | | #else |
52 | | #define WOLFSSL_MISC_INCLUDED |
53 | | #include <wolfcrypt/src/misc.c> |
54 | | #endif |
55 | | |
56 | | #if FIPS_VERSION3_GE(6,0,0) |
57 | | const unsigned int wolfCrypt_FIPS_sha3_ro_sanity[2] = |
58 | | { 0x1a2b3c4d, 0x00000016 }; |
59 | | int wolfCrypt_FIPS_SHA3_sanity(void) |
60 | | { |
61 | | return 0; |
62 | | } |
63 | | #endif |
64 | | |
65 | | |
66 | | #if defined(USE_INTEL_SPEEDUP) || (defined(__aarch64__) && \ |
67 | | defined(WOLFSSL_ARMASM)) |
68 | | #include <wolfssl/wolfcrypt/cpuid.h> |
69 | | |
70 | | word32 cpuid_flags; |
71 | | int cpuid_flags_set = 0; |
72 | | #ifdef WC_C_DYNAMIC_FALLBACK |
73 | | #define SHA3_BLOCK (sha3->sha3_block) |
74 | | #define SHA3_BLOCK_N (sha3->sha3_block_n) |
75 | | #else |
76 | | void (*sha3_block)(word64 *s) = NULL; |
77 | | void (*sha3_block_n)(word64 *s, const byte* data, word32 n, |
78 | | word64 c) = NULL; |
79 | | #define SHA3_BLOCK sha3_block |
80 | | #define SHA3_BLOCK_N sha3_block_n |
81 | | #endif |
82 | | #endif |
83 | | |
84 | | #if !defined(WOLFSSL_ARMASM) && !defined(WOLFSSL_RISCV_ASM) |
85 | | |
86 | | #ifdef WOLFSSL_SHA3_SMALL |
87 | | /* Rotate a 64-bit value left. |
88 | | * |
89 | | * a Number to rotate left. |
90 | | * r Number od bits to rotate left. |
91 | | * returns the rotated number. |
92 | | */ |
93 | | #define ROTL64(a, n) (((a)<<(n))|((a)>>(64-(n)))) |
94 | | |
95 | | /* An array of values to XOR for block operation. */ |
96 | | static const word64 hash_keccak_r[24] = |
97 | | { |
98 | | 0x0000000000000001UL, 0x0000000000008082UL, |
99 | | 0x800000000000808aUL, 0x8000000080008000UL, |
100 | | 0x000000000000808bUL, 0x0000000080000001UL, |
101 | | 0x8000000080008081UL, 0x8000000000008009UL, |
102 | | 0x000000000000008aUL, 0x0000000000000088UL, |
103 | | 0x0000000080008009UL, 0x000000008000000aUL, |
104 | | 0x000000008000808bUL, 0x800000000000008bUL, |
105 | | 0x8000000000008089UL, 0x8000000000008003UL, |
106 | | 0x8000000000008002UL, 0x8000000000000080UL, |
107 | | 0x000000000000800aUL, 0x800000008000000aUL, |
108 | | 0x8000000080008081UL, 0x8000000000008080UL, |
109 | | 0x0000000080000001UL, 0x8000000080008008UL |
110 | | }; |
111 | | |
112 | | /* Indices used in swap and rotate operation. */ |
113 | | #define K_I_0 10 |
114 | | #define K_I_1 7 |
115 | | #define K_I_2 11 |
116 | | #define K_I_3 17 |
117 | | #define K_I_4 18 |
118 | | #define K_I_5 3 |
119 | | #define K_I_6 5 |
120 | | #define K_I_7 16 |
121 | | #define K_I_8 8 |
122 | | #define K_I_9 21 |
123 | | #define K_I_10 24 |
124 | | #define K_I_11 4 |
125 | | #define K_I_12 15 |
126 | | #define K_I_13 23 |
127 | | #define K_I_14 19 |
128 | | #define K_I_15 13 |
129 | | #define K_I_16 12 |
130 | | #define K_I_17 2 |
131 | | #define K_I_18 20 |
132 | | #define K_I_19 14 |
133 | | #define K_I_20 22 |
134 | | #define K_I_21 9 |
135 | | #define K_I_22 6 |
136 | | #define K_I_23 1 |
137 | | |
138 | | /* Number of bits to rotate in swap and rotate operation. */ |
139 | | #define K_R_0 1 |
140 | | #define K_R_1 3 |
141 | | #define K_R_2 6 |
142 | | #define K_R_3 10 |
143 | | #define K_R_4 15 |
144 | | #define K_R_5 21 |
145 | | #define K_R_6 28 |
146 | | #define K_R_7 36 |
147 | | #define K_R_8 45 |
148 | | #define K_R_9 55 |
149 | | #define K_R_10 2 |
150 | | #define K_R_11 14 |
151 | | #define K_R_12 27 |
152 | | #define K_R_13 41 |
153 | | #define K_R_14 56 |
154 | | #define K_R_15 8 |
155 | | #define K_R_16 25 |
156 | | #define K_R_17 43 |
157 | | #define K_R_18 62 |
158 | | #define K_R_19 18 |
159 | | #define K_R_20 39 |
160 | | #define K_R_21 61 |
161 | | #define K_R_22 20 |
162 | | #define K_R_23 44 |
163 | | |
164 | | /* Swap and rotate left operation. |
165 | | * |
166 | | * s The state. |
167 | | * t1 Temporary value. |
168 | | * t2 Second temporary value. |
169 | | * i The index of the loop. |
170 | | */ |
171 | | #define SWAP_ROTL(s, t1, t2, i) \ |
172 | | do { \ |
173 | | t2 = s[K_I_##i]; s[K_I_##i] = ROTL64(t1, K_R_##i); \ |
174 | | } \ |
175 | | while (0) |
176 | | |
177 | | /* Mix the XOR of the column's values into each number by column. |
178 | | * |
179 | | * s The state. |
180 | | * b Temporary array of XORed column values. |
181 | | * x The index of the column. |
182 | | * t Temporary variable. |
183 | | */ |
184 | | #define COL_MIX(s, b, x, t) \ |
185 | | do { \ |
186 | | for (x = 0; x < 5; x++) \ |
187 | | b[x] = s[x + 0] ^ s[x + 5] ^ s[x + 10] ^ s[x + 15] ^ s[x + 20]; \ |
188 | | for (x = 0; x < 5; x++) { \ |
189 | | t = b[(x + 4) % 5] ^ ROTL64(b[(x + 1) % 5], 1); \ |
190 | | s[x + 0] ^= t; \ |
191 | | s[x + 5] ^= t; \ |
192 | | s[x + 10] ^= t; \ |
193 | | s[x + 15] ^= t; \ |
194 | | s[x + 20] ^= t; \ |
195 | | } \ |
196 | | } \ |
197 | | while (0) |
198 | | |
199 | | #ifdef SHA3_BY_SPEC |
200 | | /* Mix the row values. |
201 | | * BMI1 has ANDN instruction ((~a) & b) - Haswell and above. |
202 | | * |
203 | | * s The state. |
204 | | * b Temporary array of XORed row values. |
205 | | * y The index of the row to work on. |
206 | | * x The index of the column. |
207 | | * t0 Temporary variable. |
208 | | * t1 Temporary variable. |
209 | | */ |
210 | | #define ROW_MIX(s, b, y, x, t0, t1) \ |
211 | | do { \ |
212 | | for (y = 0; y < 5; y++) { \ |
213 | | for (x = 0; x < 5; x++) \ |
214 | | b[x] = s[y * 5 + x]; \ |
215 | | for (x = 0; x < 5; x++) \ |
216 | | s[y * 5 + x] = b[x] ^ (~b[(x + 1) % 5] & b[(x + 2) % 5]); \ |
217 | | } \ |
218 | | } \ |
219 | | while (0) |
220 | | #else |
221 | | /* Mix the row values. |
222 | | * a ^ (~b & c) == a ^ (c & (b ^ c)) == (a ^ b) ^ (b | c) |
223 | | * |
224 | | * s The state. |
225 | | * b Temporary array of XORed row values. |
226 | | * y The index of the row to work on. |
227 | | * x The index of the column. |
228 | | * t0 Temporary variable. |
229 | | * t1 Temporary variable. |
230 | | */ |
231 | | #define ROW_MIX(s, b, y, x, t12, t34) \ |
232 | | do { \ |
233 | | for (y = 0; y < 5; y++) { \ |
234 | | for (x = 0; x < 5; x++) \ |
235 | | b[x] = s[y * 5 + x]; \ |
236 | | t12 = (b[1] ^ b[2]); t34 = (b[3] ^ b[4]); \ |
237 | | s[y * 5 + 0] = b[0] ^ (b[2] & t12); \ |
238 | | s[y * 5 + 1] = t12 ^ (b[2] | b[3]); \ |
239 | | s[y * 5 + 2] = b[2] ^ (b[4] & t34); \ |
240 | | s[y * 5 + 3] = t34 ^ (b[4] | b[0]); \ |
241 | | s[y * 5 + 4] = b[4] ^ (b[1] & (b[0] ^ b[1])); \ |
242 | | } \ |
243 | | } \ |
244 | | while (0) |
245 | | #endif /* SHA3_BY_SPEC */ |
246 | | |
247 | | /* The block operation performed on the state. |
248 | | * |
249 | | * s The state. |
250 | | */ |
251 | | void BlockSha3(word64* s) |
252 | | { |
253 | | byte i, x, y; |
254 | | word64 t0, t1; |
255 | | word64 b[5]; |
256 | | |
257 | | for (i = 0; i < 24; i++) |
258 | | { |
259 | | COL_MIX(s, b, x, t0); |
260 | | |
261 | | t0 = s[1]; |
262 | | SWAP_ROTL(s, t0, t1, 0); |
263 | | SWAP_ROTL(s, t1, t0, 1); |
264 | | SWAP_ROTL(s, t0, t1, 2); |
265 | | SWAP_ROTL(s, t1, t0, 3); |
266 | | SWAP_ROTL(s, t0, t1, 4); |
267 | | SWAP_ROTL(s, t1, t0, 5); |
268 | | SWAP_ROTL(s, t0, t1, 6); |
269 | | SWAP_ROTL(s, t1, t0, 7); |
270 | | SWAP_ROTL(s, t0, t1, 8); |
271 | | SWAP_ROTL(s, t1, t0, 9); |
272 | | SWAP_ROTL(s, t0, t1, 10); |
273 | | SWAP_ROTL(s, t1, t0, 11); |
274 | | SWAP_ROTL(s, t0, t1, 12); |
275 | | SWAP_ROTL(s, t1, t0, 13); |
276 | | SWAP_ROTL(s, t0, t1, 14); |
277 | | SWAP_ROTL(s, t1, t0, 15); |
278 | | SWAP_ROTL(s, t0, t1, 16); |
279 | | SWAP_ROTL(s, t1, t0, 17); |
280 | | SWAP_ROTL(s, t0, t1, 18); |
281 | | SWAP_ROTL(s, t1, t0, 19); |
282 | | SWAP_ROTL(s, t0, t1, 20); |
283 | | SWAP_ROTL(s, t1, t0, 21); |
284 | | SWAP_ROTL(s, t0, t1, 22); |
285 | | SWAP_ROTL(s, t1, t0, 23); |
286 | | |
287 | | ROW_MIX(s, b, y, x, t0, t1); |
288 | | |
289 | | s[0] ^= hash_keccak_r[i]; |
290 | | } |
291 | | } |
292 | | #else |
293 | | /* Rotate a 64-bit value left. |
294 | | * |
295 | | * a Number to rotate left. |
296 | | * r Number od bits to rotate left. |
297 | | * returns the rotated number. |
298 | | */ |
299 | 0 | #define ROTL64(a, n) (((a)<<(n))|((a)>>(64-(n)))) |
300 | | |
301 | | #if !defined(STM32_HASH_SHA3) |
302 | | /* An array of values to XOR for block operation. */ |
303 | | static const word64 hash_keccak_r[24] = |
304 | | { |
305 | | W64LIT(0x0000000000000001), W64LIT(0x0000000000008082), |
306 | | W64LIT(0x800000000000808a), W64LIT(0x8000000080008000), |
307 | | W64LIT(0x000000000000808b), W64LIT(0x0000000080000001), |
308 | | W64LIT(0x8000000080008081), W64LIT(0x8000000000008009), |
309 | | W64LIT(0x000000000000008a), W64LIT(0x0000000000000088), |
310 | | W64LIT(0x0000000080008009), W64LIT(0x000000008000000a), |
311 | | W64LIT(0x000000008000808b), W64LIT(0x800000000000008b), |
312 | | W64LIT(0x8000000000008089), W64LIT(0x8000000000008003), |
313 | | W64LIT(0x8000000000008002), W64LIT(0x8000000000000080), |
314 | | W64LIT(0x000000000000800a), W64LIT(0x800000008000000a), |
315 | | W64LIT(0x8000000080008081), W64LIT(0x8000000000008080), |
316 | | W64LIT(0x0000000080000001), W64LIT(0x8000000080008008) |
317 | | }; |
318 | | #endif |
319 | | |
320 | | /* Indices used in swap and rotate operation. */ |
321 | | #define KI_0 6 |
322 | | #define KI_1 12 |
323 | | #define KI_2 18 |
324 | | #define KI_3 24 |
325 | | #define KI_4 3 |
326 | | #define KI_5 9 |
327 | | #define KI_6 10 |
328 | | #define KI_7 16 |
329 | | #define KI_8 22 |
330 | | #define KI_9 1 |
331 | | #define KI_10 7 |
332 | | #define KI_11 13 |
333 | | #define KI_12 19 |
334 | | #define KI_13 20 |
335 | | #define KI_14 4 |
336 | | #define KI_15 5 |
337 | | #define KI_16 11 |
338 | | #define KI_17 17 |
339 | | #define KI_18 23 |
340 | | #define KI_19 2 |
341 | | #define KI_20 8 |
342 | | #define KI_21 14 |
343 | | #define KI_22 15 |
344 | | #define KI_23 21 |
345 | | |
346 | | /* Number of bits to rotate in swap and rotate operation. */ |
347 | | #define KR_0 44 |
348 | | #define KR_1 43 |
349 | | #define KR_2 21 |
350 | | #define KR_3 14 |
351 | | #define KR_4 28 |
352 | | #define KR_5 20 |
353 | | #define KR_6 3 |
354 | | #define KR_7 45 |
355 | | #define KR_8 61 |
356 | | #define KR_9 1 |
357 | | #define KR_10 6 |
358 | | #define KR_11 25 |
359 | | #define KR_12 8 |
360 | | #define KR_13 18 |
361 | | #define KR_14 27 |
362 | | #define KR_15 36 |
363 | | #define KR_16 10 |
364 | | #define KR_17 15 |
365 | | #define KR_18 56 |
366 | | #define KR_19 62 |
367 | | #define KR_20 55 |
368 | | #define KR_21 39 |
369 | | #define KR_22 41 |
370 | | #define KR_23 2 |
371 | | |
372 | | /* Mix the XOR of the column's values into each number by column. |
373 | | * |
374 | | * s The state. |
375 | | * b Temporary array of XORed column values. |
376 | | * x The index of the column. |
377 | | * t Temporary variable. |
378 | | */ |
379 | 0 | #define COL_MIX(s, b, x, t) \ |
380 | 0 | do { \ |
381 | 0 | (b)[0] = (s)[0] ^ (s)[5] ^ (s)[10] ^ (s)[15] ^ (s)[20]; \ |
382 | 0 | (b)[1] = (s)[1] ^ (s)[6] ^ (s)[11] ^ (s)[16] ^ (s)[21]; \ |
383 | 0 | (b)[2] = (s)[2] ^ (s)[7] ^ (s)[12] ^ (s)[17] ^ (s)[22]; \ |
384 | 0 | (b)[3] = (s)[3] ^ (s)[8] ^ (s)[13] ^ (s)[18] ^ (s)[23]; \ |
385 | 0 | (b)[4] = (s)[4] ^ (s)[9] ^ (s)[14] ^ (s)[19] ^ (s)[24]; \ |
386 | 0 | (t) = (b)[(0 + 4) % 5] ^ ROTL64((b)[(0 + 1) % 5], 1); \ |
387 | 0 | (s)[ 0] ^= (t); (s)[ 5] ^= (t); (s)[10] ^= (t); (s)[15] ^= (t); (s)[20] ^= (t); \ |
388 | 0 | (t) = (b)[(1 + 4) % 5] ^ ROTL64((b)[(1 + 1) % 5], 1); \ |
389 | 0 | (s)[ 1] ^= (t); (s)[ 6] ^= (t); (s)[11] ^= (t); (s)[16] ^= (t); (s)[21] ^= (t); \ |
390 | 0 | (t) = (b)[(2 + 4) % 5] ^ ROTL64((b)[(2 + 1) % 5], 1); \ |
391 | 0 | (s)[ 2] ^= (t); (s)[ 7] ^= (t); (s)[12] ^= (t); (s)[17] ^= (t); (s)[22] ^= (t); \ |
392 | 0 | (t) = (b)[(3 + 4) % 5] ^ ROTL64((b)[(3 + 1) % 5], 1); \ |
393 | 0 | (s)[ 3] ^= (t); (s)[ 8] ^= (t); (s)[13] ^= (t); (s)[18] ^= (t); (s)[23] ^= (t); \ |
394 | 0 | (t) = (b)[(4 + 4) % 5] ^ ROTL64((b)[(4 + 1) % 5], 1); \ |
395 | 0 | (s)[ 4] ^= (t); (s)[ 9] ^= (t); (s)[14] ^= (t); (s)[19] ^= (t); (s)[24] ^= (t); \ |
396 | 0 | } \ |
397 | 0 | while (0) |
398 | | |
399 | 0 | #define S(s1, i) ROTL64((s1)[KI_##i], KR_##i) |
400 | | |
401 | | #ifdef SHA3_BY_SPEC |
402 | | /* Mix the row values. |
403 | | * BMI1 has ANDN instruction ((~a) & b) - Haswell and above. |
404 | | * |
405 | | * s2 The new state. |
406 | | * s1 The current state. |
407 | | * b Temporary array of XORed row values. |
408 | | * t0 Temporary variable. (Unused) |
409 | | * t1 Temporary variable. (Unused) |
410 | | */ |
411 | | #define ROW_MIX(s2, s1, b, t0, t1) \ |
412 | | do { \ |
413 | | (b)[0] = (s1)[0]; \ |
414 | | (b)[1] = S((s1), 0); \ |
415 | | (b)[2] = S((s1), 1); \ |
416 | | (b)[3] = S((s1), 2); \ |
417 | | (b)[4] = S((s1), 3); \ |
418 | | (s2)[0] = (b)[0] ^ (~(b)[1] & (b)[2]); \ |
419 | | (s2)[1] = (b)[1] ^ (~(b)[2] & (b)[3]); \ |
420 | | (s2)[2] = (b)[2] ^ (~(b)[3] & (b)[4]); \ |
421 | | (s2)[3] = (b)[3] ^ (~(b)[4] & (b)[0]); \ |
422 | | (s2)[4] = (b)[4] ^ (~(b)[0] & (b)[1]); \ |
423 | | (b)[0] = S((s1), 4); \ |
424 | | (b)[1] = S((s1), 5); \ |
425 | | (b)[2] = S((s1), 6); \ |
426 | | (b)[3] = S((s1), 7); \ |
427 | | (b)[4] = S((s1), 8); \ |
428 | | (s2)[5] = (b)[0] ^ (~(b)[1] & (b)[2]); \ |
429 | | (s2)[6] = (b)[1] ^ (~(b)[2] & (b)[3]); \ |
430 | | (s2)[7] = (b)[2] ^ (~(b)[3] & (b)[4]); \ |
431 | | (s2)[8] = (b)[3] ^ (~(b)[4] & (b)[0]); \ |
432 | | (s2)[9] = (b)[4] ^ (~(b)[0] & (b)[1]); \ |
433 | | (b)[0] = S((s1), 9); \ |
434 | | (b)[1] = S((s1), 10); \ |
435 | | (b)[2] = S((s1), 11); \ |
436 | | (b)[3] = S((s1), 12); \ |
437 | | (b)[4] = S((s1), 13); \ |
438 | | (s2)[10] = (b)[0] ^ (~(b)[1] & (b)[2]); \ |
439 | | (s2)[11] = (b)[1] ^ (~(b)[2] & (b)[3]); \ |
440 | | (s2)[12] = (b)[2] ^ (~(b)[3] & (b)[4]); \ |
441 | | (s2)[13] = (b)[3] ^ (~(b)[4] & (b)[0]); \ |
442 | | (s2)[14] = (b)[4] ^ (~(b)[0] & (b)[1]); \ |
443 | | (b)[0] = S((s1), 14); \ |
444 | | (b)[1] = S((s1), 15); \ |
445 | | (b)[2] = S((s1), 16); \ |
446 | | (b)[3] = S((s1), 17); \ |
447 | | (b)[4] = S((s1), 18); \ |
448 | | (s2)[15] = (b)[0] ^ (~(b)[1] & (b)[2]); \ |
449 | | (s2)[16] = (b)[1] ^ (~(b)[2] & (b)[3]); \ |
450 | | (s2)[17] = (b)[2] ^ (~(b)[3] & (b)[4]); \ |
451 | | (s2)[18] = (b)[3] ^ (~(b)[4] & (b)[0]); \ |
452 | | (s2)[19] = (b)[4] ^ (~(b)[0] & (b)[1]); \ |
453 | | (b)[0] = S((s1), 19); \ |
454 | | (b)[1] = S((s1), 20); \ |
455 | | (b)[2] = S((s1), 21); \ |
456 | | (b)[3] = S((s1), 22); \ |
457 | | (b)[4] = S((s1), 23); \ |
458 | | (s2)[20] = (b)[0] ^ (~(b)[1] & (b)[2]); \ |
459 | | (s2)[21] = (b)[1] ^ (~(b)[2] & (b)[3]); \ |
460 | | (s2)[22] = (b)[2] ^ (~(b)[3] & (b)[4]); \ |
461 | | (s2)[23] = (b)[3] ^ (~(b)[4] & (b)[0]); \ |
462 | | (s2)[24] = (b)[4] ^ (~(b)[0] & (b)[1]); \ |
463 | | } \ |
464 | | while (0) |
465 | | #else |
466 | | /* Mix the row values. |
467 | | * a ^ (~b & c) == a ^ (c & (b ^ c)) == (a ^ b) ^ (b | c) |
468 | | * |
469 | | * s2 The new state. |
470 | | * s1 The current state. |
471 | | * b Temporary array of XORed row values. |
472 | | * t12 Temporary variable. |
473 | | * t34 Temporary variable. |
474 | | */ |
475 | 0 | #define ROW_MIX(s2, s1, b, t12, t34) \ |
476 | 0 | do { \ |
477 | 0 | (b)[0] = (s1)[0]; \ |
478 | 0 | (b)[1] = S((s1), 0); \ |
479 | 0 | (b)[2] = S((s1), 1); \ |
480 | 0 | (b)[3] = S((s1), 2); \ |
481 | 0 | (b)[4] = S((s1), 3); \ |
482 | 0 | (t12) = ((b)[1] ^ (b)[2]); (t34) = ((b)[3] ^ (b)[4]); \ |
483 | 0 | (s2)[0] = (b)[0] ^ ((b)[2] & (t12)); \ |
484 | 0 | (s2)[1] = (t12) ^ ((b)[2] | (b)[3]); \ |
485 | 0 | (s2)[2] = (b)[2] ^ ((b)[4] & (t34)); \ |
486 | 0 | (s2)[3] = (t34) ^ ((b)[4] | (b)[0]); \ |
487 | 0 | (s2)[4] = (b)[4] ^ ((b)[1] & ((b)[0] ^ (b)[1])); \ |
488 | 0 | (b)[0] = S((s1), 4); \ |
489 | 0 | (b)[1] = S((s1), 5); \ |
490 | 0 | (b)[2] = S((s1), 6); \ |
491 | 0 | (b)[3] = S((s1), 7); \ |
492 | 0 | (b)[4] = S((s1), 8); \ |
493 | 0 | (t12) = ((b)[1] ^ (b)[2]); (t34) = ((b)[3] ^ (b)[4]); \ |
494 | 0 | (s2)[5] = (b)[0] ^ ((b)[2] & (t12)); \ |
495 | 0 | (s2)[6] = (t12) ^ ((b)[2] | (b)[3]); \ |
496 | 0 | (s2)[7] = (b)[2] ^ ((b)[4] & (t34)); \ |
497 | 0 | (s2)[8] = (t34) ^ ((b)[4] | (b)[0]); \ |
498 | 0 | (s2)[9] = (b)[4] ^ ((b)[1] & ((b)[0] ^ (b)[1])); \ |
499 | 0 | (b)[0] = S((s1), 9); \ |
500 | 0 | (b)[1] = S((s1), 10); \ |
501 | 0 | (b)[2] = S((s1), 11); \ |
502 | 0 | (b)[3] = S((s1), 12); \ |
503 | 0 | (b)[4] = S((s1), 13); \ |
504 | 0 | (t12) = ((b)[1] ^ (b)[2]); (t34) = ((b)[3] ^ (b)[4]); \ |
505 | 0 | (s2)[10] = (b)[0] ^ ((b)[2] & (t12)); \ |
506 | 0 | (s2)[11] = (t12) ^ ((b)[2] | (b)[3]); \ |
507 | 0 | (s2)[12] = (b)[2] ^ ((b)[4] & (t34)); \ |
508 | 0 | (s2)[13] = (t34) ^ ((b)[4] | (b)[0]); \ |
509 | 0 | (s2)[14] = (b)[4] ^ ((b)[1] & ((b)[0] ^ (b)[1])); \ |
510 | 0 | (b)[0] = S((s1), 14); \ |
511 | 0 | (b)[1] = S((s1), 15); \ |
512 | 0 | (b)[2] = S((s1), 16); \ |
513 | 0 | (b)[3] = S((s1), 17); \ |
514 | 0 | (b)[4] = S((s1), 18); \ |
515 | 0 | (t12) = ((b)[1] ^ (b)[2]); (t34) = ((b)[3] ^ (b)[4]); \ |
516 | 0 | (s2)[15] = (b)[0] ^ ((b)[2] & (t12)); \ |
517 | 0 | (s2)[16] = (t12) ^ ((b)[2] | (b)[3]); \ |
518 | 0 | (s2)[17] = (b)[2] ^ ((b)[4] & (t34)); \ |
519 | 0 | (s2)[18] = (t34) ^ ((b)[4] | (b)[0]); \ |
520 | 0 | (s2)[19] = (b)[4] ^ ((b)[1] & ((b)[0] ^ (b)[1])); \ |
521 | 0 | (b)[0] = S((s1), 19); \ |
522 | 0 | (b)[1] = S((s1), 20); \ |
523 | 0 | (b)[2] = S((s1), 21); \ |
524 | 0 | (b)[3] = S((s1), 22); \ |
525 | 0 | (b)[4] = S((s1), 23); \ |
526 | 0 | (t12) = ((b)[1] ^ (b)[2]); (t34) = ((b)[3] ^ (b)[4]); \ |
527 | 0 | (s2)[20] = (b)[0] ^ ((b)[2] & (t12)); \ |
528 | 0 | (s2)[21] = (t12) ^ ((b)[2] | (b)[3]); \ |
529 | 0 | (s2)[22] = (b)[2] ^ ((b)[4] & (t34)); \ |
530 | 0 | (s2)[23] = (t34) ^ ((b)[4] | (b)[0]); \ |
531 | 0 | (s2)[24] = (b)[4] ^ ((b)[1] & ((b)[0] ^ (b)[1])); \ |
532 | 0 | } \ |
533 | 0 | while (0) |
534 | | #endif /* SHA3_BY_SPEC */ |
535 | | |
536 | | #if !defined(STM32_HASH_SHA3) |
537 | | /* The block operation performed on the state. |
538 | | * |
539 | | * s The state. |
540 | | */ |
541 | | void BlockSha3(word64* s) |
542 | 0 | { |
543 | 0 | word64 n[25]; |
544 | 0 | word64 b[5]; |
545 | 0 | word64 t0; |
546 | 0 | #ifndef SHA3_BY_SPEC |
547 | 0 | word64 t1; |
548 | 0 | #endif |
549 | 0 | word32 i; |
550 | |
|
551 | 0 | for (i = 0; i < 24; i += 2) |
552 | 0 | { |
553 | 0 | COL_MIX(s, b, x, t0); |
554 | 0 | ROW_MIX(n, s, b, t0, t1); |
555 | 0 | n[0] ^= hash_keccak_r[i]; |
556 | |
|
557 | 0 | COL_MIX(n, b, x, t0); |
558 | 0 | ROW_MIX(s, n, b, t0, t1); |
559 | 0 | s[0] ^= hash_keccak_r[i+1]; |
560 | 0 | } |
561 | 0 | } |
562 | | #endif /* WOLFSSL_SHA3_SMALL */ |
563 | | #endif /* STM32_HASH_SHA3 */ |
564 | | #endif /* !WOLFSSL_ARMASM && !WOLFSSL_RISCV_ASM */ |
565 | | |
566 | | #if !defined(STM32_HASH_SHA3) |
567 | | static WC_INLINE word64 Load64Unaligned(const unsigned char *a) |
568 | 0 | { |
569 | 0 | return ((word64)a[0] << 0) | |
570 | 0 | ((word64)a[1] << 8) | |
571 | 0 | ((word64)a[2] << 16) | |
572 | 0 | ((word64)a[3] << 24) | |
573 | 0 | ((word64)a[4] << 32) | |
574 | 0 | ((word64)a[5] << 40) | |
575 | 0 | ((word64)a[6] << 48) | |
576 | 0 | ((word64)a[7] << 56); |
577 | 0 | } |
578 | | |
579 | | /* Convert the array of bytes, in little-endian order, to a 64-bit integer. |
580 | | * |
581 | | * a Array of bytes. |
582 | | * returns a 64-bit integer. |
583 | | */ |
584 | | static word64 Load64BitBigEndian(const byte* a) |
585 | 0 | { |
586 | | #if defined(BIG_ENDIAN_ORDER) || (WOLFSSL_GENERAL_ALIGNMENT == 1) |
587 | | word64 n = 0; |
588 | | int i; |
589 | | |
590 | | for (i = 0; i < 8; i++) |
591 | | n |= (word64)a[i] << (8 * i); |
592 | | |
593 | | return n; |
594 | | #elif ((WOLFSSL_GENERAL_ALIGNMENT > 0) && (WOLFSSL_GENERAL_ALIGNMENT == 4)) |
595 | | word64 n; |
596 | | |
597 | | n = *(word32*) a; |
598 | | n |= ((word64)*(word32*)(a + 4)) << 32; |
599 | | |
600 | | return n; |
601 | | #elif ((WOLFSSL_GENERAL_ALIGNMENT > 0) && (WOLFSSL_GENERAL_ALIGNMENT == 2)) |
602 | | word64 n; |
603 | | |
604 | | n = *(word16*) a; |
605 | | n |= ((word64)*(word16*)(a + 2)) << 16; |
606 | | n |= ((word64)*(word16*)(a + 4)) << 32; |
607 | | n |= ((word64)*(word16*)(a + 6)) << 48; |
608 | | |
609 | | return n; |
610 | | #else |
611 | 0 | return *(const word64*)a; |
612 | 0 | #endif |
613 | 0 | } |
614 | | |
615 | | /* Initialize the state for a SHA3-224 hash operation. |
616 | | * |
617 | | * sha3 wc_Sha3 object holding state. |
618 | | * returns 0 on success. |
619 | | */ |
620 | | |
621 | | static int InitSha3(wc_Sha3* sha3) |
622 | 0 | { |
623 | 0 | int i; |
624 | |
|
625 | 0 | for (i = 0; i < 25; i++) |
626 | 0 | sha3->s[i] = 0; |
627 | 0 | sha3->i = 0; |
628 | | #ifdef WOLFSSL_HASH_FLAGS |
629 | | sha3->flags = 0; |
630 | | #endif |
631 | |
|
632 | | #ifdef USE_INTEL_SPEEDUP |
633 | | if (!cpuid_flags_set) { |
634 | | cpuid_flags = cpuid_get_flags(); |
635 | | cpuid_flags_set = 1; |
636 | | #ifdef WC_C_DYNAMIC_FALLBACK |
637 | | } |
638 | | { |
639 | | if (! CAN_SAVE_VECTOR_REGISTERS()) { |
640 | | SHA3_BLOCK = BlockSha3; |
641 | | SHA3_BLOCK_N = NULL; |
642 | | } |
643 | | else |
644 | | #endif |
645 | | if (IS_INTEL_BMI1(cpuid_flags) && IS_INTEL_BMI2(cpuid_flags)) { |
646 | | SHA3_BLOCK = sha3_block_bmi2; |
647 | | SHA3_BLOCK_N = sha3_block_n_bmi2; |
648 | | } |
649 | | else if (IS_INTEL_AVX2(cpuid_flags)) { |
650 | | SHA3_BLOCK = sha3_block_avx2; |
651 | | SHA3_BLOCK_N = NULL; |
652 | | } |
653 | | else { |
654 | | SHA3_BLOCK = BlockSha3; |
655 | | SHA3_BLOCK_N = NULL; |
656 | | } |
657 | | } |
658 | | #define SHA3_FUNC_PTR |
659 | | #endif |
660 | | #if defined(__aarch64__) && defined(WOLFSSL_ARMASM) |
661 | | if (!cpuid_flags_set) { |
662 | | cpuid_flags = cpuid_get_flags(); |
663 | | cpuid_flags_set = 1; |
664 | | #ifdef WOLFSSL_ARMASM_CRYPTO_SHA3 |
665 | | if (IS_AARCH64_SHA3(cpuid_flags)) { |
666 | | SHA3_BLOCK = BlockSha3_crypto; |
667 | | SHA3_BLOCK_N = NULL; |
668 | | } |
669 | | else |
670 | | #endif |
671 | | { |
672 | | SHA3_BLOCK = BlockSha3_base; |
673 | | SHA3_BLOCK_N = NULL; |
674 | | } |
675 | | } |
676 | | #define SHA3_FUNC_PTR |
677 | | #endif |
678 | |
|
679 | 0 | return 0; |
680 | 0 | } |
681 | | |
682 | | #if defined(__aarch64__) && defined(WOLFSSL_ARMASM) |
683 | | void BlockSha3(word64* s) |
684 | | { |
685 | | (*SHA3_BLOCK)(s); |
686 | | } |
687 | | #endif |
688 | | |
689 | | /* Update the SHA-3 hash state with message data. |
690 | | * |
691 | | * sha3 wc_Sha3 object holding state. |
692 | | * data Message data to be hashed. |
693 | | * len Length of the message data. |
694 | | * p Number of 64-bit numbers in a block of data to process. |
695 | | * returns 0 on success. |
696 | | */ |
697 | | static int Sha3Update(wc_Sha3* sha3, const byte* data, word32 len, byte p) |
698 | 0 | { |
699 | 0 | word32 i; |
700 | 0 | word32 blocks; |
701 | |
|
702 | | #if defined(WOLFSSL_LINUXKM) && defined(USE_INTEL_SPEEDUP) |
703 | | if (SHA3_BLOCK == sha3_block_avx2) |
704 | | SAVE_VECTOR_REGISTERS(return _svr_ret;); |
705 | | #endif |
706 | 0 | if (sha3->i > 0) { |
707 | 0 | byte *t; |
708 | 0 | byte l = (byte)(p * 8 - sha3->i); |
709 | 0 | if (l > len) { |
710 | 0 | l = (byte)len; |
711 | 0 | } |
712 | |
|
713 | 0 | t = &sha3->t[sha3->i]; |
714 | 0 | for (i = 0; i < l; i++) { |
715 | 0 | t[i] = data[i]; |
716 | 0 | } |
717 | 0 | data += i; |
718 | 0 | len -= i; |
719 | 0 | sha3->i = (byte)(sha3->i + i); |
720 | |
|
721 | 0 | if (sha3->i == p * 8) { |
722 | 0 | for (i = 0; i < p; i++) { |
723 | 0 | sha3->s[i] ^= Load64BitBigEndian(sha3->t + 8 * i); |
724 | 0 | } |
725 | | #ifdef SHA3_FUNC_PTR |
726 | | (*SHA3_BLOCK)(sha3->s); |
727 | | #else |
728 | 0 | BlockSha3(sha3->s); |
729 | 0 | #endif |
730 | 0 | sha3->i = 0; |
731 | 0 | } |
732 | 0 | } |
733 | 0 | blocks = len / (p * 8U); |
734 | | #ifdef SHA3_FUNC_PTR |
735 | | if ((SHA3_BLOCK_N != NULL) && (blocks > 0)) { |
736 | | (*SHA3_BLOCK_N)(sha3->s, data, blocks, p * 8U); |
737 | | len -= blocks * (p * 8U); |
738 | | data += blocks * (p * 8U); |
739 | | blocks = 0; |
740 | | } |
741 | | #endif |
742 | 0 | for (; blocks > 0; blocks--) { |
743 | 0 | for (i = 0; i < p; i++) { |
744 | 0 | sha3->s[i] ^= Load64Unaligned(data + 8 * i); |
745 | 0 | } |
746 | | #ifdef SHA3_FUNC_PTR |
747 | | (*SHA3_BLOCK)(sha3->s); |
748 | | #else |
749 | 0 | BlockSha3(sha3->s); |
750 | 0 | #endif |
751 | 0 | len -= p * 8U; |
752 | 0 | data += p * 8U; |
753 | 0 | } |
754 | | #if defined(WOLFSSL_LINUXKM) && defined(USE_INTEL_SPEEDUP) |
755 | | if (SHA3_BLOCK == sha3_block_avx2) |
756 | | RESTORE_VECTOR_REGISTERS(); |
757 | | #endif |
758 | 0 | if (len > 0) { |
759 | 0 | XMEMCPY(sha3->t, data, len); |
760 | 0 | } |
761 | 0 | sha3->i = (byte)(sha3->i + len); |
762 | |
|
763 | 0 | return 0; |
764 | 0 | } |
765 | | |
766 | | /* Calculate the SHA-3 hash based on all the message data seen. |
767 | | * |
768 | | * sha3 wc_Sha3 object holding state. |
769 | | * hash Buffer to hold the hash result. |
770 | | * p Number of 64-bit numbers in a block of data to process. |
771 | | * len Number of bytes in output. |
772 | | * returns 0 on success. |
773 | | */ |
774 | | static int Sha3Final(wc_Sha3* sha3, byte padChar, byte* hash, byte p, word32 l) |
775 | 0 | { |
776 | 0 | word32 rate = p * 8U; |
777 | 0 | word32 j; |
778 | 0 | word32 i; |
779 | |
|
780 | 0 | sha3->t[rate - 1] = 0x00; |
781 | | #ifdef WOLFSSL_HASH_FLAGS |
782 | | if ((p == WC_SHA3_256_COUNT) && (sha3->flags & WC_HASH_SHA3_KECCAK256)) |
783 | | padChar = 0x01; |
784 | | #endif |
785 | 0 | sha3->t[sha3->i ] = padChar; |
786 | 0 | sha3->t[rate - 1] |= 0x80; |
787 | 0 | if (rate - 1 > (word32)sha3->i + 1) { |
788 | 0 | XMEMSET(sha3->t + sha3->i + 1, 0, rate - 1U - (sha3->i + 1U)); |
789 | 0 | } |
790 | 0 | for (i = 0; i < p; i++) { |
791 | 0 | sha3->s[i] ^= Load64BitBigEndian(sha3->t + 8 * i); |
792 | 0 | } |
793 | |
|
794 | | #if defined(WOLFSSL_LINUXKM) && defined(USE_INTEL_SPEEDUP) |
795 | | if (SHA3_BLOCK == sha3_block_avx2) |
796 | | SAVE_VECTOR_REGISTERS(return _svr_ret;); |
797 | | #endif |
798 | |
|
799 | 0 | for (j = 0; l - j >= rate; j += rate) { |
800 | | #ifdef SHA3_FUNC_PTR |
801 | | (*SHA3_BLOCK)(sha3->s); |
802 | | #else |
803 | 0 | BlockSha3(sha3->s); |
804 | 0 | #endif |
805 | | #if defined(BIG_ENDIAN_ORDER) |
806 | | ByteReverseWords64((word64*)(hash + j), sha3->s, rate); |
807 | | #else |
808 | 0 | XMEMCPY(hash + j, sha3->s, rate); |
809 | 0 | #endif |
810 | 0 | } |
811 | 0 | if (j != l) { |
812 | | #ifdef SHA3_FUNC_PTR |
813 | | (*SHA3_BLOCK)(sha3->s); |
814 | | #else |
815 | 0 | BlockSha3(sha3->s); |
816 | 0 | #endif |
817 | | #if defined(BIG_ENDIAN_ORDER) |
818 | | ByteReverseWords64(sha3->s, sha3->s, rate); |
819 | | #endif |
820 | 0 | XMEMCPY(hash + j, sha3->s, l - j); |
821 | 0 | } |
822 | | #if defined(WOLFSSL_LINUXKM) && defined(USE_INTEL_SPEEDUP) |
823 | | if (SHA3_BLOCK == sha3_block_avx2) |
824 | | RESTORE_VECTOR_REGISTERS(); |
825 | | #endif |
826 | |
|
827 | 0 | return 0; |
828 | 0 | } |
829 | | #endif |
830 | | #if defined(STM32_HASH_SHA3) |
831 | | |
832 | | /* Supports CubeMX HAL or Standard Peripheral Library */ |
833 | | |
834 | | static int wc_InitSha3(wc_Sha3* sha3, void* heap, int devId) |
835 | | { |
836 | | if (sha3 == NULL) |
837 | | return BAD_FUNC_ARG; |
838 | | |
839 | | (void)devId; |
840 | | (void)heap; |
841 | | |
842 | | XMEMSET(sha3, 0, sizeof(wc_Sha3)); |
843 | | wc_Stm32_Hash_Init(&sha3->stmCtx); |
844 | | return 0; |
845 | | } |
846 | | |
847 | | static int Stm32GetAlgo(byte p) |
848 | | { |
849 | | switch(p) { |
850 | | case WC_SHA3_224_COUNT: |
851 | | return HASH_ALGOSELECTION_SHA3_224; |
852 | | case WC_SHA3_256_COUNT: |
853 | | return HASH_ALGOSELECTION_SHA3_256; |
854 | | case WC_SHA3_384_COUNT: |
855 | | return HASH_ALGOSELECTION_SHA3_384; |
856 | | case WC_SHA3_512_COUNT: |
857 | | return HASH_ALGOSELECTION_SHA3_512; |
858 | | } |
859 | | /* Should never get here */ |
860 | | return WC_SHA3_224_COUNT; |
861 | | } |
862 | | |
863 | | static int wc_Sha3Update(wc_Sha3* sha3, const byte* data, word32 len, byte p) |
864 | | { |
865 | | int ret = 0; |
866 | | |
867 | | if (sha3 == NULL) { |
868 | | return BAD_FUNC_ARG; |
869 | | } |
870 | | if (data == NULL && len == 0) { |
871 | | /* valid, but do nothing */ |
872 | | return 0; |
873 | | } |
874 | | if (data == NULL) { |
875 | | return BAD_FUNC_ARG; |
876 | | } |
877 | | |
878 | | ret = wolfSSL_CryptHwMutexLock(); |
879 | | if (ret == 0) { |
880 | | ret = wc_Stm32_Hash_Update(&sha3->stmCtx, |
881 | | Stm32GetAlgo(p), data, len, p * 8); |
882 | | wolfSSL_CryptHwMutexUnLock(); |
883 | | } |
884 | | return ret; |
885 | | } |
886 | | |
887 | | static int wc_Sha3Final(wc_Sha3* sha3, byte* hash, byte p, byte len) |
888 | | { |
889 | | int ret = 0; |
890 | | |
891 | | if (sha3 == NULL || hash == NULL) { |
892 | | return BAD_FUNC_ARG; |
893 | | } |
894 | | |
895 | | ret = wolfSSL_CryptHwMutexLock(); |
896 | | if (ret == 0) { |
897 | | ret = wc_Stm32_Hash_Final(&sha3->stmCtx, |
898 | | Stm32GetAlgo(p), hash, len); |
899 | | wolfSSL_CryptHwMutexUnLock(); |
900 | | } |
901 | | |
902 | | (void)wc_InitSha3(sha3, NULL, 0); /* reset state */ |
903 | | |
904 | | return ret; |
905 | | } |
906 | | #else |
907 | | |
908 | | /* Initialize the state for a SHA-3 hash operation. |
909 | | * |
910 | | * sha3 wc_Sha3 object holding state. |
911 | | * heap Heap reference for dynamic memory allocation. (Used in async ops.) |
912 | | * devId Device identifier for asynchronous operation. |
913 | | * returns 0 on success. |
914 | | */ |
915 | | static int wc_InitSha3(wc_Sha3* sha3, void* heap, int devId) |
916 | 0 | { |
917 | 0 | int ret = 0; |
918 | |
|
919 | 0 | if (sha3 == NULL) |
920 | 0 | return BAD_FUNC_ARG; |
921 | | |
922 | 0 | sha3->heap = heap; |
923 | 0 | ret = InitSha3(sha3); |
924 | 0 | if (ret != 0) |
925 | 0 | return ret; |
926 | | |
927 | | #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_SHA3) |
928 | | ret = wolfAsync_DevCtxInit(&sha3->asyncDev, |
929 | | WOLFSSL_ASYNC_MARKER_SHA3, sha3->heap, devId); |
930 | | #endif |
931 | | #if defined(WOLF_CRYPTO_CB) |
932 | | sha3->devId = devId; |
933 | | #endif |
934 | 0 | (void)devId; |
935 | |
|
936 | 0 | return ret; |
937 | 0 | } |
938 | | |
939 | | /* Update the SHA-3 hash state with message data. |
940 | | * |
941 | | * sha3 wc_Sha3 object holding state. |
942 | | * data Message data to be hashed. |
943 | | * len Length of the message data. |
944 | | * p Number of 64-bit numbers in a block of data to process. |
945 | | * returns 0 on success. |
946 | | */ |
947 | | static int wc_Sha3Update(wc_Sha3* sha3, const byte* data, word32 len, byte p) |
948 | 0 | { |
949 | 0 | int ret; |
950 | |
|
951 | 0 | if (sha3 == NULL || (data == NULL && len > 0)) { |
952 | 0 | return BAD_FUNC_ARG; |
953 | 0 | } |
954 | | |
955 | 0 | if (data == NULL && len == 0) { |
956 | | /* valid, but do nothing */ |
957 | 0 | return 0; |
958 | 0 | } |
959 | | |
960 | | #ifdef WOLF_CRYPTO_CB |
961 | | #ifndef WOLF_CRYPTO_CB_FIND |
962 | | if (sha3->devId != INVALID_DEVID) |
963 | | #endif |
964 | | { |
965 | | int hash_type = WC_HASH_TYPE_NONE; |
966 | | switch (p) { |
967 | | case WC_SHA3_224_COUNT: hash_type = WC_HASH_TYPE_SHA3_224; break; |
968 | | case WC_SHA3_256_COUNT: hash_type = WC_HASH_TYPE_SHA3_256; break; |
969 | | case WC_SHA3_384_COUNT: hash_type = WC_HASH_TYPE_SHA3_384; break; |
970 | | case WC_SHA3_512_COUNT: hash_type = WC_HASH_TYPE_SHA3_512; break; |
971 | | default: return BAD_FUNC_ARG; |
972 | | } |
973 | | ret = wc_CryptoCb_Sha3Hash(sha3, hash_type, data, len, NULL); |
974 | | if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE)) |
975 | | return ret; |
976 | | /* fall-through when unavailable */ |
977 | | } |
978 | | #endif |
979 | | #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_SHA3) |
980 | | if (sha3->asyncDev.marker == WOLFSSL_ASYNC_MARKER_SHA3) { |
981 | | #if defined(HAVE_INTEL_QA) && defined(QAT_V2) |
982 | | /* QAT only supports SHA3_256 */ |
983 | | if (p == WC_SHA3_256_COUNT) { |
984 | | ret = IntelQaSymSha3(&sha3->asyncDev, NULL, data, len); |
985 | | if (ret != WC_NO_ERR_TRACE(NOT_COMPILED_IN)) |
986 | | return ret; |
987 | | /* fall-through when unavailable */ |
988 | | } |
989 | | #endif |
990 | | } |
991 | | #endif /* WOLFSSL_ASYNC_CRYPT */ |
992 | | |
993 | 0 | ret = Sha3Update(sha3, data, len, p); |
994 | |
|
995 | 0 | return ret; |
996 | 0 | } |
997 | | |
998 | | /* Calculate the SHA-3 hash based on all the message data seen. |
999 | | * |
1000 | | * sha3 wc_Sha3 object holding state. |
1001 | | * hash Buffer to hold the hash result. |
1002 | | * p Number of 64-bit numbers in a block of data to process. |
1003 | | * len Number of bytes in output. |
1004 | | * returns 0 on success. |
1005 | | */ |
1006 | | static int wc_Sha3Final(wc_Sha3* sha3, byte* hash, byte p, byte len) |
1007 | 0 | { |
1008 | 0 | int ret; |
1009 | |
|
1010 | 0 | if (sha3 == NULL || hash == NULL) { |
1011 | 0 | return BAD_FUNC_ARG; |
1012 | 0 | } |
1013 | | |
1014 | | #ifdef WOLF_CRYPTO_CB |
1015 | | #ifndef WOLF_CRYPTO_CB_FIND |
1016 | | if (sha3->devId != INVALID_DEVID) |
1017 | | #endif |
1018 | | { |
1019 | | int hash_type = WC_HASH_TYPE_NONE; |
1020 | | switch (p) { |
1021 | | case WC_SHA3_224_COUNT: hash_type = WC_HASH_TYPE_SHA3_224; break; |
1022 | | case WC_SHA3_256_COUNT: hash_type = WC_HASH_TYPE_SHA3_256; break; |
1023 | | case WC_SHA3_384_COUNT: hash_type = WC_HASH_TYPE_SHA3_384; break; |
1024 | | case WC_SHA3_512_COUNT: hash_type = WC_HASH_TYPE_SHA3_512; break; |
1025 | | default: return BAD_FUNC_ARG; |
1026 | | } |
1027 | | ret = wc_CryptoCb_Sha3Hash(sha3, hash_type, NULL, 0, hash); |
1028 | | if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE)) |
1029 | | return ret; |
1030 | | /* fall-through when unavailable */ |
1031 | | } |
1032 | | #endif |
1033 | | #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_SHA3) |
1034 | | if (sha3->asyncDev.marker == WOLFSSL_ASYNC_MARKER_SHA3) { |
1035 | | #if defined(HAVE_INTEL_QA) && defined(QAT_V2) |
1036 | | /* QAT only supports SHA3_256 */ |
1037 | | /* QAT SHA-3 only supported on v2 (8970 or later cards) */ |
1038 | | if (len == WC_SHA3_256_DIGEST_SIZE) { |
1039 | | ret = IntelQaSymSha3(&sha3->asyncDev, hash, NULL, len); |
1040 | | if (ret != WC_NO_ERR_TRACE(NOT_COMPILED_IN)) |
1041 | | return ret; |
1042 | | /* fall-through when unavailable */ |
1043 | | } |
1044 | | #endif |
1045 | | } |
1046 | | #endif /* WOLFSSL_ASYNC_CRYPT */ |
1047 | | |
1048 | 0 | ret = Sha3Final(sha3, 0x06, hash, p, (word32)len); |
1049 | 0 | if (ret != 0) |
1050 | 0 | return ret; |
1051 | | |
1052 | 0 | return InitSha3(sha3); /* reset state */ |
1053 | 0 | } |
1054 | | #endif |
1055 | | /* Dispose of any dynamically allocated data from the SHA3-384 operation. |
1056 | | * (Required for async ops.) |
1057 | | * |
1058 | | * sha3 wc_Sha3 object holding state. |
1059 | | * returns 0 on success. |
1060 | | */ |
1061 | | static void wc_Sha3Free(wc_Sha3* sha3) |
1062 | 0 | { |
1063 | 0 | (void)sha3; |
1064 | |
|
1065 | | #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_SHA3) |
1066 | | if (sha3 == NULL) |
1067 | | return; |
1068 | | |
1069 | | wolfAsync_DevCtxFree(&sha3->asyncDev, WOLFSSL_ASYNC_MARKER_SHA3); |
1070 | | #endif /* WOLFSSL_ASYNC_CRYPT */ |
1071 | 0 | } |
1072 | | |
1073 | | |
1074 | | /* Copy the state of the SHA3 operation. |
1075 | | * |
1076 | | * src wc_Sha3 object holding state top copy. |
1077 | | * dst wc_Sha3 object to copy into. |
1078 | | * returns 0 on success. |
1079 | | */ |
1080 | | static int wc_Sha3Copy(wc_Sha3* src, wc_Sha3* dst) |
1081 | 0 | { |
1082 | 0 | int ret = 0; |
1083 | |
|
1084 | 0 | if (src == NULL || dst == NULL) |
1085 | 0 | return BAD_FUNC_ARG; |
1086 | | |
1087 | 0 | XMEMCPY(dst, src, sizeof(wc_Sha3)); |
1088 | |
|
1089 | | #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_SHA3) |
1090 | | ret = wolfAsync_DevCopy(&src->asyncDev, &dst->asyncDev); |
1091 | | #endif |
1092 | | #ifdef WOLFSSL_HASH_FLAGS |
1093 | | dst->flags |= WC_HASH_FLAG_ISCOPY; |
1094 | | #endif |
1095 | |
|
1096 | 0 | return ret; |
1097 | 0 | } |
1098 | | |
1099 | | /* Calculate the SHA3-224 hash based on all the message data so far. |
1100 | | * More message data can be added, after this operation, using the current |
1101 | | * state. |
1102 | | * |
1103 | | * sha3 wc_Sha3 object holding state. |
1104 | | * hash Buffer to hold the hash result. Must be at least 28 bytes. |
1105 | | * p Number of 64-bit numbers in a block of data to process. |
1106 | | * len Number of bytes in output. |
1107 | | * returns 0 on success. |
1108 | | */ |
1109 | | static int wc_Sha3GetHash(wc_Sha3* sha3, byte* hash, byte p, byte len) |
1110 | 0 | { |
1111 | 0 | int ret; |
1112 | 0 | wc_Sha3 tmpSha3; |
1113 | |
|
1114 | 0 | if (sha3 == NULL || hash == NULL) |
1115 | 0 | return BAD_FUNC_ARG; |
1116 | | |
1117 | 0 | ret = wc_Sha3Copy(sha3, &tmpSha3); |
1118 | 0 | if (ret == 0) { |
1119 | 0 | ret = wc_Sha3Final(&tmpSha3, hash, p, len); |
1120 | 0 | } |
1121 | 0 | return ret; |
1122 | 0 | } |
1123 | | |
1124 | | |
1125 | | /* Initialize the state for a SHA3-224 hash operation. |
1126 | | * |
1127 | | * sha3 wc_Sha3 object holding state. |
1128 | | * heap Heap reference for dynamic memory allocation. (Used in async ops.) |
1129 | | * devId Device identifier for asynchronous operation. |
1130 | | * returns 0 on success. |
1131 | | */ |
1132 | | int wc_InitSha3_224(wc_Sha3* sha3, void* heap, int devId) |
1133 | 0 | { |
1134 | 0 | return wc_InitSha3(sha3, heap, devId); |
1135 | 0 | } |
1136 | | |
1137 | | /* Update the SHA3-224 hash state with message data. |
1138 | | * |
1139 | | * sha3 wc_Sha3 object holding state. |
1140 | | * data Message data to be hashed. |
1141 | | * len Length of the message data. |
1142 | | * returns 0 on success. |
1143 | | */ |
1144 | | int wc_Sha3_224_Update(wc_Sha3* sha3, const byte* data, word32 len) |
1145 | 0 | { |
1146 | 0 | return wc_Sha3Update(sha3, data, len, WC_SHA3_224_COUNT); |
1147 | 0 | } |
1148 | | |
1149 | | /* Calculate the SHA3-224 hash based on all the message data seen. |
1150 | | * The state is initialized ready for a new message to hash. |
1151 | | * |
1152 | | * sha3 wc_Sha3 object holding state. |
1153 | | * hash Buffer to hold the hash result. Must be at least 28 bytes. |
1154 | | * returns 0 on success. |
1155 | | */ |
1156 | | int wc_Sha3_224_Final(wc_Sha3* sha3, byte* hash) |
1157 | 0 | { |
1158 | 0 | return wc_Sha3Final(sha3, hash, WC_SHA3_224_COUNT, WC_SHA3_224_DIGEST_SIZE); |
1159 | 0 | } |
1160 | | |
1161 | | /* Dispose of any dynamically allocated data from the SHA3-224 operation. |
1162 | | * (Required for async ops.) |
1163 | | * |
1164 | | * sha3 wc_Sha3 object holding state. |
1165 | | * returns 0 on success. |
1166 | | */ |
1167 | | void wc_Sha3_224_Free(wc_Sha3* sha3) |
1168 | 0 | { |
1169 | 0 | wc_Sha3Free(sha3); |
1170 | 0 | } |
1171 | | |
1172 | | /* Calculate the SHA3-224 hash based on all the message data so far. |
1173 | | * More message data can be added, after this operation, using the current |
1174 | | * state. |
1175 | | * |
1176 | | * sha3 wc_Sha3 object holding state. |
1177 | | * hash Buffer to hold the hash result. Must be at least 28 bytes. |
1178 | | * returns 0 on success. |
1179 | | */ |
1180 | | int wc_Sha3_224_GetHash(wc_Sha3* sha3, byte* hash) |
1181 | 0 | { |
1182 | 0 | return wc_Sha3GetHash(sha3, hash, WC_SHA3_224_COUNT, WC_SHA3_224_DIGEST_SIZE); |
1183 | 0 | } |
1184 | | |
1185 | | /* Copy the state of the SHA3-224 operation. |
1186 | | * |
1187 | | * src wc_Sha3 object holding state top copy. |
1188 | | * dst wc_Sha3 object to copy into. |
1189 | | * returns 0 on success. |
1190 | | */ |
1191 | | int wc_Sha3_224_Copy(wc_Sha3* src, wc_Sha3* dst) |
1192 | 0 | { |
1193 | 0 | return wc_Sha3Copy(src, dst); |
1194 | 0 | } |
1195 | | |
1196 | | |
1197 | | /* Initialize the state for a SHA3-256 hash operation. |
1198 | | * |
1199 | | * sha3 wc_Sha3 object holding state. |
1200 | | * heap Heap reference for dynamic memory allocation. (Used in async ops.) |
1201 | | * devId Device identifier for asynchronous operation. |
1202 | | * returns 0 on success. |
1203 | | */ |
1204 | | int wc_InitSha3_256(wc_Sha3* sha3, void* heap, int devId) |
1205 | 0 | { |
1206 | 0 | return wc_InitSha3(sha3, heap, devId); |
1207 | 0 | } |
1208 | | |
1209 | | /* Update the SHA3-256 hash state with message data. |
1210 | | * |
1211 | | * sha3 wc_Sha3 object holding state. |
1212 | | * data Message data to be hashed. |
1213 | | * len Length of the message data. |
1214 | | * returns 0 on success. |
1215 | | */ |
1216 | | int wc_Sha3_256_Update(wc_Sha3* sha3, const byte* data, word32 len) |
1217 | 0 | { |
1218 | 0 | return wc_Sha3Update(sha3, data, len, WC_SHA3_256_COUNT); |
1219 | 0 | } |
1220 | | |
1221 | | /* Calculate the SHA3-256 hash based on all the message data seen. |
1222 | | * The state is initialized ready for a new message to hash. |
1223 | | * |
1224 | | * sha3 wc_Sha3 object holding state. |
1225 | | * hash Buffer to hold the hash result. Must be at least 32 bytes. |
1226 | | * returns 0 on success. |
1227 | | */ |
1228 | | int wc_Sha3_256_Final(wc_Sha3* sha3, byte* hash) |
1229 | 0 | { |
1230 | 0 | return wc_Sha3Final(sha3, hash, WC_SHA3_256_COUNT, WC_SHA3_256_DIGEST_SIZE); |
1231 | 0 | } |
1232 | | |
1233 | | /* Dispose of any dynamically allocated data from the SHA3-256 operation. |
1234 | | * (Required for async ops.) |
1235 | | * |
1236 | | * sha3 wc_Sha3 object holding state. |
1237 | | * returns 0 on success. |
1238 | | */ |
1239 | | void wc_Sha3_256_Free(wc_Sha3* sha3) |
1240 | 0 | { |
1241 | 0 | wc_Sha3Free(sha3); |
1242 | 0 | } |
1243 | | |
1244 | | /* Calculate the SHA3-256 hash based on all the message data so far. |
1245 | | * More message data can be added, after this operation, using the current |
1246 | | * state. |
1247 | | * |
1248 | | * sha3 wc_Sha3 object holding state. |
1249 | | * hash Buffer to hold the hash result. Must be at least 32 bytes. |
1250 | | * returns 0 on success. |
1251 | | */ |
1252 | | int wc_Sha3_256_GetHash(wc_Sha3* sha3, byte* hash) |
1253 | 0 | { |
1254 | 0 | return wc_Sha3GetHash(sha3, hash, WC_SHA3_256_COUNT, WC_SHA3_256_DIGEST_SIZE); |
1255 | 0 | } |
1256 | | |
1257 | | /* Copy the state of the SHA3-256 operation. |
1258 | | * |
1259 | | * src wc_Sha3 object holding state top copy. |
1260 | | * dst wc_Sha3 object to copy into. |
1261 | | * returns 0 on success. |
1262 | | */ |
1263 | | int wc_Sha3_256_Copy(wc_Sha3* src, wc_Sha3* dst) |
1264 | 0 | { |
1265 | 0 | return wc_Sha3Copy(src, dst); |
1266 | 0 | } |
1267 | | |
1268 | | |
1269 | | /* Initialize the state for a SHA3-384 hash operation. |
1270 | | * |
1271 | | * sha3 wc_Sha3 object holding state. |
1272 | | * heap Heap reference for dynamic memory allocation. (Used in async ops.) |
1273 | | * devId Device identifier for asynchronous operation. |
1274 | | * returns 0 on success. |
1275 | | */ |
1276 | | int wc_InitSha3_384(wc_Sha3* sha3, void* heap, int devId) |
1277 | 0 | { |
1278 | 0 | return wc_InitSha3(sha3, heap, devId); |
1279 | 0 | } |
1280 | | |
1281 | | /* Update the SHA3-384 hash state with message data. |
1282 | | * |
1283 | | * sha3 wc_Sha3 object holding state. |
1284 | | * data Message data to be hashed. |
1285 | | * len Length of the message data. |
1286 | | * returns 0 on success. |
1287 | | */ |
1288 | | int wc_Sha3_384_Update(wc_Sha3* sha3, const byte* data, word32 len) |
1289 | 0 | { |
1290 | 0 | return wc_Sha3Update(sha3, data, len, WC_SHA3_384_COUNT); |
1291 | 0 | } |
1292 | | |
1293 | | /* Calculate the SHA3-384 hash based on all the message data seen. |
1294 | | * The state is initialized ready for a new message to hash. |
1295 | | * |
1296 | | * sha3 wc_Sha3 object holding state. |
1297 | | * hash Buffer to hold the hash result. Must be at least 48 bytes. |
1298 | | * returns 0 on success. |
1299 | | */ |
1300 | | int wc_Sha3_384_Final(wc_Sha3* sha3, byte* hash) |
1301 | 0 | { |
1302 | 0 | return wc_Sha3Final(sha3, hash, WC_SHA3_384_COUNT, WC_SHA3_384_DIGEST_SIZE); |
1303 | 0 | } |
1304 | | |
1305 | | /* Dispose of any dynamically allocated data from the SHA3-384 operation. |
1306 | | * (Required for async ops.) |
1307 | | * |
1308 | | * sha3 wc_Sha3 object holding state. |
1309 | | * returns 0 on success. |
1310 | | */ |
1311 | | void wc_Sha3_384_Free(wc_Sha3* sha3) |
1312 | 0 | { |
1313 | 0 | wc_Sha3Free(sha3); |
1314 | 0 | } |
1315 | | |
1316 | | /* Calculate the SHA3-384 hash based on all the message data so far. |
1317 | | * More message data can be added, after this operation, using the current |
1318 | | * state. |
1319 | | * |
1320 | | * sha3 wc_Sha3 object holding state. |
1321 | | * hash Buffer to hold the hash result. Must be at least 48 bytes. |
1322 | | * returns 0 on success. |
1323 | | */ |
1324 | | int wc_Sha3_384_GetHash(wc_Sha3* sha3, byte* hash) |
1325 | 0 | { |
1326 | 0 | return wc_Sha3GetHash(sha3, hash, WC_SHA3_384_COUNT, WC_SHA3_384_DIGEST_SIZE); |
1327 | 0 | } |
1328 | | |
1329 | | /* Copy the state of the SHA3-384 operation. |
1330 | | * |
1331 | | * src wc_Sha3 object holding state top copy. |
1332 | | * dst wc_Sha3 object to copy into. |
1333 | | * returns 0 on success. |
1334 | | */ |
1335 | | int wc_Sha3_384_Copy(wc_Sha3* src, wc_Sha3* dst) |
1336 | 0 | { |
1337 | 0 | return wc_Sha3Copy(src, dst); |
1338 | 0 | } |
1339 | | |
1340 | | |
1341 | | /* Initialize the state for a SHA3-512 hash operation. |
1342 | | * |
1343 | | * sha3 wc_Sha3 object holding state. |
1344 | | * heap Heap reference for dynamic memory allocation. (Used in async ops.) |
1345 | | * devId Device identifier for asynchronous operation. |
1346 | | * returns 0 on success. |
1347 | | */ |
1348 | | int wc_InitSha3_512(wc_Sha3* sha3, void* heap, int devId) |
1349 | 0 | { |
1350 | 0 | return wc_InitSha3(sha3, heap, devId); |
1351 | 0 | } |
1352 | | |
1353 | | /* Update the SHA3-512 hash state with message data. |
1354 | | * |
1355 | | * sha3 wc_Sha3 object holding state. |
1356 | | * data Message data to be hashed. |
1357 | | * len Length of the message data. |
1358 | | * returns 0 on success. |
1359 | | */ |
1360 | | int wc_Sha3_512_Update(wc_Sha3* sha3, const byte* data, word32 len) |
1361 | 0 | { |
1362 | 0 | return wc_Sha3Update(sha3, data, len, WC_SHA3_512_COUNT); |
1363 | 0 | } |
1364 | | |
1365 | | /* Calculate the SHA3-512 hash based on all the message data seen. |
1366 | | * The state is initialized ready for a new message to hash. |
1367 | | * |
1368 | | * sha3 wc_Sha3 object holding state. |
1369 | | * hash Buffer to hold the hash result. Must be at least 64 bytes. |
1370 | | * returns 0 on success. |
1371 | | */ |
1372 | | int wc_Sha3_512_Final(wc_Sha3* sha3, byte* hash) |
1373 | 0 | { |
1374 | 0 | return wc_Sha3Final(sha3, hash, WC_SHA3_512_COUNT, WC_SHA3_512_DIGEST_SIZE); |
1375 | 0 | } |
1376 | | |
1377 | | /* Dispose of any dynamically allocated data from the SHA3-512 operation. |
1378 | | * (Required for async ops.) |
1379 | | * |
1380 | | * sha3 wc_Sha3 object holding state. |
1381 | | * returns 0 on success. |
1382 | | */ |
1383 | | void wc_Sha3_512_Free(wc_Sha3* sha3) |
1384 | 0 | { |
1385 | 0 | wc_Sha3Free(sha3); |
1386 | 0 | } |
1387 | | |
1388 | | /* Calculate the SHA3-512 hash based on all the message data so far. |
1389 | | * More message data can be added, after this operation, using the current |
1390 | | * state. |
1391 | | * |
1392 | | * sha3 wc_Sha3 object holding state. |
1393 | | * hash Buffer to hold the hash result. Must be at least 64 bytes. |
1394 | | * returns 0 on success. |
1395 | | */ |
1396 | | int wc_Sha3_512_GetHash(wc_Sha3* sha3, byte* hash) |
1397 | 0 | { |
1398 | 0 | return wc_Sha3GetHash(sha3, hash, WC_SHA3_512_COUNT, WC_SHA3_512_DIGEST_SIZE); |
1399 | 0 | } |
1400 | | |
1401 | | /* Copy the state of the SHA3-512 operation. |
1402 | | * |
1403 | | * src wc_Sha3 object holding state top copy. |
1404 | | * dst wc_Sha3 object to copy into. |
1405 | | * returns 0 on success. |
1406 | | */ |
1407 | | int wc_Sha3_512_Copy(wc_Sha3* src, wc_Sha3* dst) |
1408 | 0 | { |
1409 | 0 | return wc_Sha3Copy(src, dst); |
1410 | 0 | } |
1411 | | |
1412 | | #ifdef WOLFSSL_HASH_FLAGS |
1413 | | int wc_Sha3_SetFlags(wc_Sha3* sha3, word32 flags) |
1414 | | { |
1415 | | if (sha3) { |
1416 | | sha3->flags = flags; |
1417 | | } |
1418 | | return 0; |
1419 | | } |
1420 | | int wc_Sha3_GetFlags(wc_Sha3* sha3, word32* flags) |
1421 | | { |
1422 | | if (sha3 && flags) { |
1423 | | *flags = sha3->flags; |
1424 | | } |
1425 | | return 0; |
1426 | | } |
1427 | | #endif |
1428 | | |
1429 | | #ifdef WOLFSSL_SHAKE128 |
1430 | | /* Initialize the state for a Shake128 hash operation. |
1431 | | * |
1432 | | * shake wc_Shake object holding state. |
1433 | | * heap Heap reference for dynamic memory allocation. (Used in async ops.) |
1434 | | * devId Device identifier for asynchronous operation. |
1435 | | * returns 0 on success. |
1436 | | */ |
1437 | | int wc_InitShake128(wc_Shake* shake, void* heap, int devId) |
1438 | | { |
1439 | | return wc_InitSha3(shake, heap, devId); |
1440 | | } |
1441 | | |
1442 | | /* Update the SHAKE128 hash state with message data. |
1443 | | * |
1444 | | * shake wc_Shake object holding state. |
1445 | | * data Message data to be hashed. |
1446 | | * len Length of the message data. |
1447 | | * returns 0 on success. |
1448 | | */ |
1449 | | int wc_Shake128_Update(wc_Shake* shake, const byte* data, word32 len) |
1450 | | { |
1451 | | if (shake == NULL || (data == NULL && len > 0)) { |
1452 | | return BAD_FUNC_ARG; |
1453 | | } |
1454 | | |
1455 | | if (data == NULL && len == 0) { |
1456 | | /* valid, but do nothing */ |
1457 | | return 0; |
1458 | | } |
1459 | | |
1460 | | return Sha3Update(shake, data, len, WC_SHA3_128_COUNT); |
1461 | | } |
1462 | | |
1463 | | /* Calculate the SHAKE128 hash based on all the message data seen. |
1464 | | * The state is initialized ready for a new message to hash. |
1465 | | * |
1466 | | * shake wc_Shake object holding state. |
1467 | | * hash Buffer to hold the hash result. Must be at least 64 bytes. |
1468 | | * returns 0 on success. |
1469 | | */ |
1470 | | int wc_Shake128_Final(wc_Shake* shake, byte* hash, word32 hashLen) |
1471 | | { |
1472 | | int ret; |
1473 | | |
1474 | | if (shake == NULL || hash == NULL) { |
1475 | | return BAD_FUNC_ARG; |
1476 | | } |
1477 | | |
1478 | | ret = Sha3Final(shake, 0x1f, hash, WC_SHA3_128_COUNT, hashLen); |
1479 | | if (ret != 0) |
1480 | | return ret; |
1481 | | |
1482 | | return InitSha3(shake); /* reset state */ |
1483 | | } |
1484 | | |
1485 | | /* Absorb the data for squeezing. |
1486 | | * |
1487 | | * Update and final with data but no output and no reset |
1488 | | * |
1489 | | * shake wc_Shake object holding state. |
1490 | | * data Data to absorb. |
1491 | | * len Length of d to absorb in bytes. |
1492 | | * returns 0 on success. |
1493 | | */ |
1494 | | int wc_Shake128_Absorb(wc_Shake* shake, const byte* data, word32 len) |
1495 | | { |
1496 | | int ret; |
1497 | | |
1498 | | if ((shake == NULL) || (data == NULL && len != 0)) { |
1499 | | return BAD_FUNC_ARG; |
1500 | | } |
1501 | | |
1502 | | ret = Sha3Update(shake, data, len, WC_SHA3_128_COUNT); |
1503 | | if (ret == 0) { |
1504 | | byte hash[1]; |
1505 | | ret = Sha3Final(shake, 0x1f, hash, WC_SHA3_128_COUNT, 0); |
1506 | | } |
1507 | | /* No partial data. */ |
1508 | | shake->i = 0; |
1509 | | |
1510 | | return ret; |
1511 | | } |
1512 | | |
1513 | | #ifdef WC_C_DYNAMIC_FALLBACK |
1514 | | #undef SHA3_BLOCK |
1515 | | #undef SHA3_BLOCK_N |
1516 | | #define SHA3_BLOCK (shake->sha3_block) |
1517 | | #define SHA3_BLOCK_N (shake->sha3_block_n) |
1518 | | #endif |
1519 | | |
1520 | | /* Squeeze the state to produce pseudo-random output. |
1521 | | * |
1522 | | * shake wc_Shake object holding state. |
1523 | | * out Output buffer. |
1524 | | * blockCnt Number of blocks to write. |
1525 | | * returns 0 on success. |
1526 | | */ |
1527 | | int wc_Shake128_SqueezeBlocks(wc_Shake* shake, byte* out, word32 blockCnt) |
1528 | | { |
1529 | | if ((shake == NULL) || (out == NULL && blockCnt != 0)) { |
1530 | | return BAD_FUNC_ARG; |
1531 | | } |
1532 | | #if defined(WOLFSSL_LINUXKM) && defined(USE_INTEL_SPEEDUP) |
1533 | | if (SHA3_BLOCK == sha3_block_avx2) |
1534 | | SAVE_VECTOR_REGISTERS(return _svr_ret;); |
1535 | | #endif |
1536 | | for (; (blockCnt > 0); blockCnt--) { |
1537 | | #ifdef SHA3_FUNC_PTR |
1538 | | (*SHA3_BLOCK)(shake->s); |
1539 | | #else |
1540 | | BlockSha3(shake->s); |
1541 | | #endif |
1542 | | #if defined(BIG_ENDIAN_ORDER) |
1543 | | ByteReverseWords64((word64*)out, shake->s, WC_SHA3_128_COUNT * 8); |
1544 | | #else |
1545 | | XMEMCPY(out, shake->s, WC_SHA3_128_COUNT * 8); |
1546 | | #endif |
1547 | | out += WC_SHA3_128_COUNT * 8; |
1548 | | } |
1549 | | #if defined(WOLFSSL_LINUXKM) && defined(USE_INTEL_SPEEDUP) |
1550 | | if (SHA3_BLOCK == sha3_block_avx2) |
1551 | | RESTORE_VECTOR_REGISTERS(); |
1552 | | #endif |
1553 | | |
1554 | | return 0; |
1555 | | } |
1556 | | |
1557 | | /* Dispose of any dynamically allocated data from the SHAKE128 operation. |
1558 | | * (Required for async ops.) |
1559 | | * |
1560 | | * shake wc_Shake object holding state. |
1561 | | * returns 0 on success. |
1562 | | */ |
1563 | | void wc_Shake128_Free(wc_Shake* shake) |
1564 | | { |
1565 | | wc_Sha3Free(shake); |
1566 | | } |
1567 | | |
1568 | | /* Copy the state of the SHA3-512 operation. |
1569 | | * |
1570 | | * src wc_Shake object holding state top copy. |
1571 | | * dst wc_Shake object to copy into. |
1572 | | * returns 0 on success. |
1573 | | */ |
1574 | | int wc_Shake128_Copy(wc_Shake* src, wc_Shake* dst) |
1575 | | { |
1576 | | return wc_Sha3Copy(src, dst); |
1577 | | } |
1578 | | #endif |
1579 | | |
1580 | | #ifdef WOLFSSL_SHAKE256 |
1581 | | /* Initialize the state for a Shake256 hash operation. |
1582 | | * |
1583 | | * shake wc_Shake object holding state. |
1584 | | * heap Heap reference for dynamic memory allocation. (Used in async ops.) |
1585 | | * devId Device identifier for asynchronous operation. |
1586 | | * returns 0 on success. |
1587 | | */ |
1588 | | int wc_InitShake256(wc_Shake* shake, void* heap, int devId) |
1589 | | { |
1590 | | return wc_InitSha3(shake, heap, devId); |
1591 | | } |
1592 | | |
1593 | | /* Update the SHAKE256 hash state with message data. |
1594 | | * |
1595 | | * shake wc_Shake object holding state. |
1596 | | * data Message data to be hashed. |
1597 | | * len Length of the message data. |
1598 | | * returns 0 on success. |
1599 | | */ |
1600 | | int wc_Shake256_Update(wc_Shake* shake, const byte* data, word32 len) |
1601 | | { |
1602 | | if (shake == NULL || (data == NULL && len > 0)) { |
1603 | | return BAD_FUNC_ARG; |
1604 | | } |
1605 | | |
1606 | | if (data == NULL && len == 0) { |
1607 | | /* valid, but do nothing */ |
1608 | | return 0; |
1609 | | } |
1610 | | |
1611 | | return Sha3Update(shake, data, len, WC_SHA3_256_COUNT); |
1612 | | } |
1613 | | |
1614 | | /* Calculate the SHAKE256 hash based on all the message data seen. |
1615 | | * The state is initialized ready for a new message to hash. |
1616 | | * |
1617 | | * shake wc_Shake object holding state. |
1618 | | * hash Buffer to hold the hash result. Must be at least 64 bytes. |
1619 | | * hashLen Size of hash in bytes. |
1620 | | * returns 0 on success. |
1621 | | */ |
1622 | | int wc_Shake256_Final(wc_Shake* shake, byte* hash, word32 hashLen) |
1623 | | { |
1624 | | int ret; |
1625 | | |
1626 | | if (shake == NULL || hash == NULL) { |
1627 | | return BAD_FUNC_ARG; |
1628 | | } |
1629 | | |
1630 | | ret = Sha3Final(shake, 0x1f, hash, WC_SHA3_256_COUNT, hashLen); |
1631 | | if (ret != 0) |
1632 | | return ret; |
1633 | | |
1634 | | return InitSha3(shake); /* reset state */ |
1635 | | } |
1636 | | |
1637 | | /* Absorb the data for squeezing. |
1638 | | * |
1639 | | * Update and final with data but no output and no reset |
1640 | | * |
1641 | | * shake wc_Shake object holding state. |
1642 | | * data Data to absorb. |
1643 | | * len Length of d to absorb in bytes. |
1644 | | * returns 0 on success. |
1645 | | */ |
1646 | | int wc_Shake256_Absorb(wc_Shake* shake, const byte* data, word32 len) |
1647 | | { |
1648 | | int ret; |
1649 | | |
1650 | | if ((shake == NULL) || (data == NULL && len != 0)) { |
1651 | | return BAD_FUNC_ARG; |
1652 | | } |
1653 | | |
1654 | | ret = Sha3Update(shake, data, len, WC_SHA3_256_COUNT); |
1655 | | if (ret == 0) { |
1656 | | byte hash[1]; |
1657 | | ret = Sha3Final(shake, 0x1f, hash, WC_SHA3_256_COUNT, 0); |
1658 | | } |
1659 | | /* No partial data. */ |
1660 | | shake->i = 0; |
1661 | | |
1662 | | return ret; |
1663 | | } |
1664 | | |
1665 | | /* Squeeze the state to produce pseudo-random output. |
1666 | | * |
1667 | | * shake wc_Shake object holding state. |
1668 | | * out Output buffer. |
1669 | | * blockCnt Number of blocks to write. |
1670 | | * returns 0 on success. |
1671 | | */ |
1672 | | int wc_Shake256_SqueezeBlocks(wc_Shake* shake, byte* out, word32 blockCnt) |
1673 | | { |
1674 | | if ((shake == NULL) || (out == NULL && blockCnt != 0)) { |
1675 | | return BAD_FUNC_ARG; |
1676 | | } |
1677 | | #if defined(WOLFSSL_LINUXKM) && defined(USE_INTEL_SPEEDUP) |
1678 | | if (SHA3_BLOCK == sha3_block_avx2) |
1679 | | SAVE_VECTOR_REGISTERS(return _svr_ret;); |
1680 | | #endif |
1681 | | for (; (blockCnt > 0); blockCnt--) { |
1682 | | #ifdef SHA3_FUNC_PTR |
1683 | | (*SHA3_BLOCK)(shake->s); |
1684 | | #else |
1685 | | BlockSha3(shake->s); |
1686 | | #endif |
1687 | | #if defined(BIG_ENDIAN_ORDER) |
1688 | | ByteReverseWords64((word64*)out, shake->s, WC_SHA3_256_COUNT * 8); |
1689 | | #else |
1690 | | XMEMCPY(out, shake->s, WC_SHA3_256_COUNT * 8); |
1691 | | #endif |
1692 | | out += WC_SHA3_256_COUNT * 8; |
1693 | | } |
1694 | | #if defined(WOLFSSL_LINUXKM) && defined(USE_INTEL_SPEEDUP) |
1695 | | if (SHA3_BLOCK == sha3_block_avx2) |
1696 | | RESTORE_VECTOR_REGISTERS(); |
1697 | | #endif |
1698 | | |
1699 | | return 0; |
1700 | | } |
1701 | | |
1702 | | /* Dispose of any dynamically allocated data from the SHAKE256 operation. |
1703 | | * (Required for async ops.) |
1704 | | * |
1705 | | * shake wc_Shake object holding state. |
1706 | | * returns 0 on success. |
1707 | | */ |
1708 | | void wc_Shake256_Free(wc_Shake* shake) |
1709 | | { |
1710 | | wc_Sha3Free(shake); |
1711 | | } |
1712 | | |
1713 | | /* Copy the state of the SHA3-512 operation. |
1714 | | * |
1715 | | * src wc_Shake object holding state top copy. |
1716 | | * dst wc_Shake object to copy into. |
1717 | | * returns 0 on success. |
1718 | | */ |
1719 | | int wc_Shake256_Copy(wc_Shake* src, wc_Shake* dst) |
1720 | | { |
1721 | | return wc_Sha3Copy(src, dst); |
1722 | | } |
1723 | | #endif |
1724 | | |
1725 | | #endif /* WOLFSSL_SHA3 */ |