Coverage Report

Created: 2022-08-24 06:37

/src/wolfssl-sp-math-all-8bit/wolfcrypt/src/sha3.c
Line
Count
Source (jump to first uncovered line)
1
/* sha3.c
2
 *
3
 * Copyright (C) 2006-2022 wolfSSL Inc.
4
 *
5
 * This file is part of wolfSSL.
6
 *
7
 * wolfSSL is free software; you can redistribute it and/or modify
8
 * it under the terms of the GNU General Public License as published by
9
 * the Free Software Foundation; either version 2 of the License, or
10
 * (at your option) any later version.
11
 *
12
 * wolfSSL is distributed in the hope that it will be useful,
13
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
15
 * GNU General Public License for more details.
16
 *
17
 * You should have received a copy of the GNU General Public License
18
 * along with this program; if not, write to the Free Software
19
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
20
 */
21
22
23
#ifdef HAVE_CONFIG_H
24
    #include <config.h>
25
#endif
26
27
#include <wolfssl/wolfcrypt/settings.h>
28
29
#if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_XILINX_CRYPT) && \
30
   !defined(WOLFSSL_AFALG_XILINX_SHA3)
31
32
#if defined(HAVE_FIPS) && defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
33
    /* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */
34
    #define FIPS_NO_WRAPPERS
35
36
    #ifdef USE_WINDOWS_API
37
        #pragma code_seg(".fipsA$l")
38
        #pragma const_seg(".fipsB$l")
39
    #endif
40
#endif
41
42
#include <wolfssl/wolfcrypt/sha3.h>
43
#include <wolfssl/wolfcrypt/error-crypt.h>
44
#include <wolfssl/wolfcrypt/hash.h>
45
46
#ifdef NO_INLINE
47
    #include <wolfssl/wolfcrypt/misc.h>
48
#else
49
    #define WOLFSSL_MISC_INCLUDED
50
    #include <wolfcrypt/src/misc.c>
51
#endif
52
53
54
#if !defined(WOLFSSL_ARMASM) || !defined(WOLFSSL_ARMASM_CRYPTO_SHA3)
55
#ifdef WOLFSSL_SHA3_SMALL
56
/* Rotate a 64-bit value left.
57
 *
58
 * a  Number to rotate left.
59
 * r  Number od bits to rotate left.
60
 * returns the rotated number.
61
 */
62
#define ROTL64(a, n)    (((a)<<(n))|((a)>>(64-(n))))
63
64
/* An array of values to XOR for block operation. */
65
static const word64 hash_keccak_r[24] =
66
{
67
    0x0000000000000001UL, 0x0000000000008082UL,
68
    0x800000000000808aUL, 0x8000000080008000UL,
69
    0x000000000000808bUL, 0x0000000080000001UL,
70
    0x8000000080008081UL, 0x8000000000008009UL,
71
    0x000000000000008aUL, 0x0000000000000088UL,
72
    0x0000000080008009UL, 0x000000008000000aUL,
73
    0x000000008000808bUL, 0x800000000000008bUL,
74
    0x8000000000008089UL, 0x8000000000008003UL,
75
    0x8000000000008002UL, 0x8000000000000080UL,
76
    0x000000000000800aUL, 0x800000008000000aUL,
77
    0x8000000080008081UL, 0x8000000000008080UL,
78
    0x0000000080000001UL, 0x8000000080008008UL
79
};
80
81
/* Indices used in swap and rotate operation. */
82
#define K_I_0   10
83
#define K_I_1    7
84
#define K_I_2   11
85
#define K_I_3   17
86
#define K_I_4   18
87
#define K_I_5    3
88
#define K_I_6    5
89
#define K_I_7   16
90
#define K_I_8    8
91
#define K_I_9   21
92
#define K_I_10  24
93
#define K_I_11   4
94
#define K_I_12  15
95
#define K_I_13  23
96
#define K_I_14  19
97
#define K_I_15  13
98
#define K_I_16  12
99
#define K_I_17   2
100
#define K_I_18  20
101
#define K_I_19  14
102
#define K_I_20  22
103
#define K_I_21   9
104
#define K_I_22   6
105
#define K_I_23   1
106
107
/* Number of bits to rotate in swap and rotate operation. */
108
#define K_R_0    1
109
#define K_R_1    3
110
#define K_R_2    6
111
#define K_R_3   10
112
#define K_R_4   15
113
#define K_R_5   21
114
#define K_R_6   28
115
#define K_R_7   36
116
#define K_R_8   45
117
#define K_R_9   55
118
#define K_R_10   2
119
#define K_R_11  14
120
#define K_R_12  27
121
#define K_R_13  41
122
#define K_R_14  56
123
#define K_R_15   8
124
#define K_R_16  25
125
#define K_R_17  43
126
#define K_R_18  62
127
#define K_R_19  18
128
#define K_R_20  39
129
#define K_R_21  61
130
#define K_R_22  20
131
#define K_R_23  44
132
133
/* Swap and rotate left operation.
134
 *
135
 * s   The state.
136
 * t1  Temporary value.
137
 * t2  Second temporary value.
138
 * i   The index of the loop.
139
 */
140
#define SWAP_ROTL(s, t1, t2, i)                                         \
141
do {                                                                    \
142
    t2 = s[K_I_##i]; s[K_I_##i] = ROTL64(t1, K_R_##i);                  \
143
}                                                                       \
144
while (0)
145
146
/* Mix the XOR of the column's values into each number by column.
147
 *
148
 * s  The state.
149
 * b  Temporary array of XORed column values.
150
 * x  The index of the column.
151
 * t  Temporary variable.
152
 */
153
#define COL_MIX(s, b, x, t)                                             \
154
do {                                                                    \
155
    for (x = 0; x < 5; x++)                                             \
156
        b[x] = s[x + 0] ^ s[x + 5] ^ s[x + 10] ^ s[x + 15] ^ s[x + 20]; \
157
    for (x = 0; x < 5; x++) {                                           \
158
        t = b[(x + 4) % 5] ^ ROTL64(b[(x + 1) % 5], 1);                 \
159
        s[x +  0] ^= t;                                                 \
160
        s[x +  5] ^= t;                                                 \
161
        s[x + 10] ^= t;                                                 \
162
        s[x + 15] ^= t;                                                 \
163
        s[x + 20] ^= t;                                                 \
164
    }                                                                   \
165
}                                                                       \
166
while (0)
167
168
#ifdef SHA3_BY_SPEC
169
/* Mix the row values.
170
 * BMI1 has ANDN instruction ((~a) & b) - Haswell and above.
171
 *
172
 * s   The state.
173
 * b   Temporary array of XORed row values.
174
 * y   The index of the row to work on.
175
 * x   The index of the column.
176
 * t0  Temporary variable.
177
 * t1  Temporary variable.
178
 */
179
#define ROW_MIX(s, b, y, x, t0, t1)                                     \
180
do {                                                                    \
181
    for (y = 0; y < 5; y++) {                                           \
182
        for (x = 0; x < 5; x++)                                         \
183
            b[x] = s[y * 5 + x];                                        \
184
        for (x = 0; x < 5; x++)                                         \
185
            s[y * 5 + x] = b[x] ^ (~b[(x + 1) % 5] & b[(x + 2) % 5]);   \
186
    }                                                                   \
187
}                                                                       \
188
while (0)
189
#else
190
/* Mix the row values.
191
 * a ^ (~b & c) == a ^ (c & (b ^ c)) == (a ^ b) ^ (b | c)
192
 *
193
 * s   The state.
194
 * b   Temporary array of XORed row values.
195
 * y   The index of the row to work on.
196
 * x   The index of the column.
197
 * t0  Temporary variable.
198
 * t1  Temporary variable.
199
 */
200
#define ROW_MIX(s, b, y, x, t12, t34)                                   \
201
do {                                                                    \
202
    for (y = 0; y < 5; y++) {                                           \
203
        for (x = 0; x < 5; x++)                                         \
204
            b[x] = s[y * 5 + x];                                        \
205
        t12 = (b[1] ^ b[2]); t34 = (b[3] ^ b[4]);                       \
206
        s[y * 5 + 0] = b[0] ^ (b[2] &  t12);                            \
207
        s[y * 5 + 1] =  t12 ^ (b[2] | b[3]);                            \
208
        s[y * 5 + 2] = b[2] ^ (b[4] &  t34);                            \
209
        s[y * 5 + 3] =  t34 ^ (b[4] | b[0]);                            \
210
        s[y * 5 + 4] = b[4] ^ (b[1] & (b[0] ^ b[1]));                   \
211
    }                                                                   \
212
}                                                                       \
213
while (0)
214
#endif /* SHA3_BY_SPEC */
215
216
/* The block operation performed on the state.
217
 *
218
 * s  The state.
219
 */
220
static void BlockSha3(word64 *s)
221
{
222
    byte i, x, y;
223
    word64 t0, t1;
224
    word64 b[5];
225
226
    for (i = 0; i < 24; i++)
227
    {
228
        COL_MIX(s, b, x, t0);
229
230
        t0 = s[1];
231
        SWAP_ROTL(s, t0, t1,  0);
232
        SWAP_ROTL(s, t1, t0,  1);
233
        SWAP_ROTL(s, t0, t1,  2);
234
        SWAP_ROTL(s, t1, t0,  3);
235
        SWAP_ROTL(s, t0, t1,  4);
236
        SWAP_ROTL(s, t1, t0,  5);
237
        SWAP_ROTL(s, t0, t1,  6);
238
        SWAP_ROTL(s, t1, t0,  7);
239
        SWAP_ROTL(s, t0, t1,  8);
240
        SWAP_ROTL(s, t1, t0,  9);
241
        SWAP_ROTL(s, t0, t1, 10);
242
        SWAP_ROTL(s, t1, t0, 11);
243
        SWAP_ROTL(s, t0, t1, 12);
244
        SWAP_ROTL(s, t1, t0, 13);
245
        SWAP_ROTL(s, t0, t1, 14);
246
        SWAP_ROTL(s, t1, t0, 15);
247
        SWAP_ROTL(s, t0, t1, 16);
248
        SWAP_ROTL(s, t1, t0, 17);
249
        SWAP_ROTL(s, t0, t1, 18);
250
        SWAP_ROTL(s, t1, t0, 19);
251
        SWAP_ROTL(s, t0, t1, 20);
252
        SWAP_ROTL(s, t1, t0, 21);
253
        SWAP_ROTL(s, t0, t1, 22);
254
        SWAP_ROTL(s, t1, t0, 23);
255
256
        ROW_MIX(s, b, y, x, t0, t1);
257
258
        s[0] ^= hash_keccak_r[i];
259
    }
260
}
261
#else
262
/* Rotate a 64-bit value left.
263
 *
264
 * a  Number to rotate left.
265
 * r  Number od bits to rotate left.
266
 * returns the rotated number.
267
 */
268
27.6M
#define ROTL64(a, n)    (((a)<<(n))|((a)>>(64-(n))))
269
270
271
/* An array of values to XOR for block operation. */
272
static const word64 hash_keccak_r[24] =
273
{
274
    W64LIT(0x0000000000000001), W64LIT(0x0000000000008082),
275
    W64LIT(0x800000000000808a), W64LIT(0x8000000080008000),
276
    W64LIT(0x000000000000808b), W64LIT(0x0000000080000001),
277
    W64LIT(0x8000000080008081), W64LIT(0x8000000000008009),
278
    W64LIT(0x000000000000008a), W64LIT(0x0000000000000088),
279
    W64LIT(0x0000000080008009), W64LIT(0x000000008000000a),
280
    W64LIT(0x000000008000808b), W64LIT(0x800000000000008b),
281
    W64LIT(0x8000000000008089), W64LIT(0x8000000000008003),
282
    W64LIT(0x8000000000008002), W64LIT(0x8000000000000080),
283
    W64LIT(0x000000000000800a), W64LIT(0x800000008000000a),
284
    W64LIT(0x8000000080008081), W64LIT(0x8000000000008080),
285
    W64LIT(0x0000000080000001), W64LIT(0x8000000080008008)
286
};
287
288
/* Indices used in swap and rotate operation. */
289
#define KI_0     6
290
#define KI_1    12
291
#define KI_2    18
292
#define KI_3    24
293
#define KI_4     3
294
#define KI_5     9
295
#define KI_6    10
296
#define KI_7    16
297
#define KI_8    22
298
#define KI_9     1
299
#define KI_10    7
300
#define KI_11   13
301
#define KI_12   19
302
#define KI_13   20
303
#define KI_14    4
304
#define KI_15    5
305
#define KI_16   11
306
#define KI_17   17
307
#define KI_18   23
308
#define KI_19    2
309
#define KI_20    8
310
#define KI_21   14
311
#define KI_22   15
312
#define KI_23   21
313
314
/* Number of bits to rotate in swap and rotate operation. */
315
#define KR_0    44
316
#define KR_1    43
317
#define KR_2    21
318
#define KR_3    14
319
#define KR_4    28
320
#define KR_5    20
321
#define KR_6     3
322
#define KR_7    45
323
#define KR_8    61
324
#define KR_9     1
325
#define KR_10    6
326
#define KR_11   25
327
#define KR_12    8
328
#define KR_13   18
329
#define KR_14   27
330
#define KR_15   36
331
#define KR_16   10
332
#define KR_17   15
333
#define KR_18   56
334
#define KR_19   62
335
#define KR_20   55
336
#define KR_21   39
337
#define KR_22   41
338
#define KR_23    2
339
340
/* Mix the XOR of the column's values into each number by column.
341
 *
342
 * s  The state.
343
 * b  Temporary array of XORed column values.
344
 * x  The index of the column.
345
 * t  Temporary variable.
346
 */
347
954k
#define COL_MIX(s, b, x, t)                                                         \
348
954k
do {                                                                                \
349
954k
    (b)[0] = (s)[0] ^ (s)[5] ^ (s)[10] ^ (s)[15] ^ (s)[20];                         \
350
954k
    (b)[1] = (s)[1] ^ (s)[6] ^ (s)[11] ^ (s)[16] ^ (s)[21];                         \
351
954k
    (b)[2] = (s)[2] ^ (s)[7] ^ (s)[12] ^ (s)[17] ^ (s)[22];                         \
352
954k
    (b)[3] = (s)[3] ^ (s)[8] ^ (s)[13] ^ (s)[18] ^ (s)[23];                         \
353
954k
    (b)[4] = (s)[4] ^ (s)[9] ^ (s)[14] ^ (s)[19] ^ (s)[24];                         \
354
954k
    (t) = (b)[(0 + 4) % 5] ^ ROTL64((b)[(0 + 1) % 5], 1);                           \
355
954k
    (s)[ 0] ^= (t); (s)[ 5] ^= (t); (s)[10] ^= (t); (s)[15] ^= (t); (s)[20] ^= (t); \
356
954k
    (t) = (b)[(1 + 4) % 5] ^ ROTL64((b)[(1 + 1) % 5], 1);                           \
357
954k
    (s)[ 1] ^= (t); (s)[ 6] ^= (t); (s)[11] ^= (t); (s)[16] ^= (t); (s)[21] ^= (t); \
358
954k
    (t) = (b)[(2 + 4) % 5] ^ ROTL64((b)[(2 + 1) % 5], 1);                           \
359
954k
    (s)[ 2] ^= (t); (s)[ 7] ^= (t); (s)[12] ^= (t); (s)[17] ^= (t); (s)[22] ^= (t); \
360
954k
    (t) = (b)[(3 + 4) % 5] ^ ROTL64((b)[(3 + 1) % 5], 1);                           \
361
954k
    (s)[ 3] ^= (t); (s)[ 8] ^= (t); (s)[13] ^= (t); (s)[18] ^= (t); (s)[23] ^= (t); \
362
954k
    (t) = (b)[(4 + 4) % 5] ^ ROTL64((b)[(4 + 1) % 5], 1);                           \
363
954k
    (s)[ 4] ^= (t); (s)[ 9] ^= (t); (s)[14] ^= (t); (s)[19] ^= (t); (s)[24] ^= (t); \
364
954k
}                                                                                   \
365
954k
while (0)
366
367
22.9M
#define S(s1, i) ROTL64((s1)[KI_##i], KR_##i)
368
369
#ifdef SHA3_BY_SPEC
370
/* Mix the row values.
371
 * BMI1 has ANDN instruction ((~a) & b) - Haswell and above.
372
 *
373
 * s2  The new state.
374
 * s1  The current state.
375
 * b   Temporary array of XORed row values.
376
 * t0  Temporary variable. (Unused)
377
 * t1  Temporary variable. (Unused)
378
 */
379
#define ROW_MIX(s2, s1, b, t0, t1)                    \
380
do {                                                  \
381
    (b)[0] = (s1)[0];                                 \
382
    (b)[1] = S((s1), 0);                              \
383
    (b)[2] = S((s1), 1);                              \
384
    (b)[3] = S((s1), 2);                              \
385
    (b)[4] = S((s1), 3);                              \
386
    (s2)[0] = (b)[0] ^ (~(b)[1] & (b)[2]);            \
387
    (s2)[1] = (b)[1] ^ (~(b)[2] & (b)[3]);            \
388
    (s2)[2] = (b)[2] ^ (~(b)[3] & (b)[4]);            \
389
    (s2)[3] = (b)[3] ^ (~(b)[4] & (b)[0]);            \
390
    (s2)[4] = (b)[4] ^ (~(b)[0] & (b)[1]);            \
391
    (b)[0] = S((s1), 4);                              \
392
    (b)[1] = S((s1), 5);                              \
393
    (b)[2] = S((s1), 6);                              \
394
    (b)[3] = S((s1), 7);                              \
395
    (b)[4] = S((s1), 8);                              \
396
    (s2)[5] = (b)[0] ^ (~(b)[1] & (b)[2]);            \
397
    (s2)[6] = (b)[1] ^ (~(b)[2] & (b)[3]);            \
398
    (s2)[7] = (b)[2] ^ (~(b)[3] & (b)[4]);            \
399
    (s2)[8] = (b)[3] ^ (~(b)[4] & (b)[0]);            \
400
    (s2)[9] = (b)[4] ^ (~(b)[0] & (b)[1]);            \
401
    (b)[0] = S((s1), 9);                              \
402
    (b)[1] = S((s1), 10);                             \
403
    (b)[2] = S((s1), 11);                             \
404
    (b)[3] = S((s1), 12);                             \
405
    (b)[4] = S((s1), 13);                             \
406
    (s2)[10] = (b)[0] ^ (~(b)[1] & (b)[2]);           \
407
    (s2)[11] = (b)[1] ^ (~(b)[2] & (b)[3]);           \
408
    (s2)[12] = (b)[2] ^ (~(b)[3] & (b)[4]);           \
409
    (s2)[13] = (b)[3] ^ (~(b)[4] & (b)[0]);           \
410
    (s2)[14] = (b)[4] ^ (~(b)[0] & (b)[1]);           \
411
    (b)[0] = S((s1), 14);                             \
412
    (b)[1] = S((s1), 15);                             \
413
    (b)[2] = S((s1), 16);                             \
414
    (b)[3] = S((s1), 17);                             \
415
    (b)[4] = S((s1), 18);                             \
416
    (s2)[15] = (b)[0] ^ (~(b)[1] & (b)[2]);           \
417
    (s2)[16] = (b)[1] ^ (~(b)[2] & (b)[3]);           \
418
    (s2)[17] = (b)[2] ^ (~(b)[3] & (b)[4]);           \
419
    (s2)[18] = (b)[3] ^ (~(b)[4] & (b)[0]);           \
420
    (s2)[19] = (b)[4] ^ (~(b)[0] & (b)[1]);           \
421
    (b)[0] = S((s1), 19);                             \
422
    (b)[1] = S((s1), 20);                             \
423
    (b)[2] = S((s1), 21);                             \
424
    (b)[3] = S((s1), 22);                             \
425
    (b)[4] = S((s1), 23);                             \
426
    (s2)[20] = (b)[0] ^ (~(b)[1] & (b)[2]);           \
427
    (s2)[21] = (b)[1] ^ (~(b)[2] & (b)[3]);           \
428
    (s2)[22] = (b)[2] ^ (~(b)[3] & (b)[4]);           \
429
    (s2)[23] = (b)[3] ^ (~(b)[4] & (b)[0]);           \
430
    (s2)[24] = (b)[4] ^ (~(b)[0] & (b)[1]);           \
431
}                                                     \
432
while (0)
433
#else
434
/* Mix the row values.
435
 * a ^ (~b & c) == a ^ (c & (b ^ c)) == (a ^ b) ^ (b | c)
436
 *
437
 * s2  The new state.
438
 * s1  The current state.
439
 * b   Temporary array of XORed row values.
440
 * t12 Temporary variable.
441
 * t34 Temporary variable.
442
 */
443
954k
#define ROW_MIX(s2, s1, b, t12, t34)                      \
444
954k
do {                                                      \
445
954k
    (b)[0] = (s1)[0];                                     \
446
954k
    (b)[1] = S((s1), 0);                                  \
447
954k
    (b)[2] = S((s1), 1);                                  \
448
954k
    (b)[3] = S((s1), 2);                                  \
449
954k
    (b)[4] = S((s1), 3);                                  \
450
954k
    (t12) = ((b)[1] ^ (b)[2]); (t34) = ((b)[3] ^ (b)[4]); \
451
954k
    (s2)[0] = (b)[0] ^ ((b)[2] &  (t12));                 \
452
954k
    (s2)[1] =  (t12) ^ ((b)[2] | (b)[3]);                 \
453
954k
    (s2)[2] = (b)[2] ^ ((b)[4] &  (t34));                 \
454
954k
    (s2)[3] =  (t34) ^ ((b)[4] | (b)[0]);                 \
455
954k
    (s2)[4] = (b)[4] ^ ((b)[1] & ((b)[0] ^ (b)[1]));      \
456
954k
    (b)[0] = S((s1), 4);                                  \
457
954k
    (b)[1] = S((s1), 5);                                  \
458
954k
    (b)[2] = S((s1), 6);                                  \
459
954k
    (b)[3] = S((s1), 7);                                  \
460
954k
    (b)[4] = S((s1), 8);                                  \
461
954k
    (t12) = ((b)[1] ^ (b)[2]); (t34) = ((b)[3] ^ (b)[4]); \
462
954k
    (s2)[5] = (b)[0] ^ ((b)[2] &  (t12));                 \
463
954k
    (s2)[6] =  (t12) ^ ((b)[2] | (b)[3]);                 \
464
954k
    (s2)[7] = (b)[2] ^ ((b)[4] &  (t34));                 \
465
954k
    (s2)[8] =  (t34) ^ ((b)[4] | (b)[0]);                 \
466
954k
    (s2)[9] = (b)[4] ^ ((b)[1] & ((b)[0] ^ (b)[1]));      \
467
954k
    (b)[0] = S((s1), 9);                                  \
468
954k
    (b)[1] = S((s1), 10);                                 \
469
954k
    (b)[2] = S((s1), 11);                                 \
470
954k
    (b)[3] = S((s1), 12);                                 \
471
954k
    (b)[4] = S((s1), 13);                                 \
472
954k
    (t12) = ((b)[1] ^ (b)[2]); (t34) = ((b)[3] ^ (b)[4]); \
473
954k
    (s2)[10] = (b)[0] ^ ((b)[2] &  (t12));                \
474
954k
    (s2)[11] =  (t12) ^ ((b)[2] | (b)[3]);                \
475
954k
    (s2)[12] = (b)[2] ^ ((b)[4] &  (t34));                \
476
954k
    (s2)[13] =  (t34) ^ ((b)[4] | (b)[0]);                \
477
954k
    (s2)[14] = (b)[4] ^ ((b)[1] & ((b)[0] ^ (b)[1]));     \
478
954k
    (b)[0] = S((s1), 14);                                 \
479
954k
    (b)[1] = S((s1), 15);                                 \
480
954k
    (b)[2] = S((s1), 16);                                 \
481
954k
    (b)[3] = S((s1), 17);                                 \
482
954k
    (b)[4] = S((s1), 18);                                 \
483
954k
    (t12) = ((b)[1] ^ (b)[2]); (t34) = ((b)[3] ^ (b)[4]); \
484
954k
    (s2)[15] = (b)[0] ^ ((b)[2] &  (t12));                \
485
954k
    (s2)[16] =  (t12) ^ ((b)[2] | (b)[3]);                \
486
954k
    (s2)[17] = (b)[2] ^ ((b)[4] &  (t34));                \
487
954k
    (s2)[18] =  (t34) ^ ((b)[4] | (b)[0]);                \
488
954k
    (s2)[19] = (b)[4] ^ ((b)[1] & ((b)[0] ^ (b)[1]));     \
489
954k
    (b)[0] = S((s1), 19);                                 \
490
954k
    (b)[1] = S((s1), 20);                                 \
491
954k
    (b)[2] = S((s1), 21);                                 \
492
954k
    (b)[3] = S((s1), 22);                                 \
493
954k
    (b)[4] = S((s1), 23);                                 \
494
954k
    (t12) = ((b)[1] ^ (b)[2]); (t34) = ((b)[3] ^ (b)[4]); \
495
954k
    (s2)[20] = (b)[0] ^ ((b)[2] &  (t12));                \
496
954k
    (s2)[21] =  (t12) ^ ((b)[2] | (b)[3]);                \
497
954k
    (s2)[22] = (b)[2] ^ ((b)[4] &  (t34));                \
498
954k
    (s2)[23] =  (t34) ^ ((b)[4] | (b)[0]);                \
499
954k
    (s2)[24] = (b)[4] ^ ((b)[1] & ((b)[0] ^ (b)[1]));     \
500
954k
}                                                         \
501
954k
while (0)
502
#endif /* SHA3_BY_SPEC */
503
504
/* The block operation performed on the state.
505
 *
506
 * s  The state.
507
 */
508
static void BlockSha3(word64 *s)
509
39.7k
{
510
39.7k
    word64 n[25];
511
39.7k
    word64 b[5];
512
39.7k
    word64 t0;
513
39.7k
#ifndef SHA3_BY_SPEC
514
39.7k
    word64 t1;
515
39.7k
#endif
516
39.7k
    byte i;
517
518
516k
    for (i = 0; i < 24; i += 2)
519
477k
    {
520
477k
        COL_MIX(s, b, x, t0);
521
477k
        ROW_MIX(n, s, b, t0, t1);
522
477k
        n[0] ^= hash_keccak_r[i];
523
524
477k
        COL_MIX(n, b, x, t0);
525
477k
        ROW_MIX(s, n, b, t0, t1);
526
477k
        s[0] ^= hash_keccak_r[i+1];
527
477k
    }
528
39.7k
}
529
#endif /* WOLFSSL_SHA3_SMALL */
530
#endif /* !WOLFSSL_ARMASM */
531
532
static WC_INLINE word64 Load64Unaligned(const unsigned char *a)
533
319k
{
534
319k
    return ((word64)a[0] <<  0) |
535
319k
           ((word64)a[1] <<  8) |
536
319k
           ((word64)a[2] << 16) |
537
319k
           ((word64)a[3] << 24) |
538
319k
           ((word64)a[4] << 32) |
539
319k
           ((word64)a[5] << 40) |
540
319k
           ((word64)a[6] << 48) |
541
319k
           ((word64)a[7] << 56);
542
319k
}
543
544
/* Convert the array of bytes, in little-endian order, to a 64-bit integer.
545
 *
546
 * a  Array of bytes.
547
 * returns a 64-bit integer.
548
 */
549
static word64 Load64BitBigEndian(const byte* a)
550
260k
{
551
#if defined(BIG_ENDIAN_ORDER) || (WOLFSSL_GENERAL_ALIGNMENT == 1)
552
    word64 n = 0;
553
    int i;
554
555
    for (i = 0; i < 8; i++)
556
        n |= (word64)a[i] << (8 * i);
557
558
    return n;
559
#elif ((WOLFSSL_GENERAL_ALIGNMENT > 0) && (WOLFSSL_GENERAL_ALIGNMENT == 4))
560
    word64 n;
561
562
    n  =          *(word32*) a;
563
    n |= ((word64)*(word32*)(a + 4)) << 32;
564
565
    return n;
566
#elif ((WOLFSSL_GENERAL_ALIGNMENT > 0) && (WOLFSSL_GENERAL_ALIGNMENT == 2))
567
    word64 n;
568
569
    n  =          *(word16*) a;
570
    n |= ((word64)*(word16*)(a + 2)) << 16;
571
    n |= ((word64)*(word16*)(a + 4)) << 32;
572
    n |= ((word64)*(word16*)(a + 6)) << 48;
573
574
    return n;
575
#else
576
260k
    return *(const word64*)a;
577
260k
#endif
578
260k
}
579
580
/* Initialize the state for a SHA3-224 hash operation.
581
 *
582
 * sha3   wc_Sha3 object holding state.
583
 * returns 0 on success.
584
 */
585
static int InitSha3(wc_Sha3* sha3)
586
20.4k
{
587
20.4k
    int i;
588
589
531k
    for (i = 0; i < 25; i++)
590
510k
        sha3->s[i] = 0;
591
20.4k
    sha3->i = 0;
592
20.4k
#ifdef WOLFSSL_HASH_FLAGS
593
20.4k
    sha3->flags = 0;
594
20.4k
#endif
595
596
20.4k
    return 0;
597
20.4k
}
598
599
/* Update the SHA-3 hash state with message data.
600
 *
601
 * sha3  wc_Sha3 object holding state.
602
 * data  Message data to be hashed.
603
 * len   Length of the message data.
604
 * p     Number of 64-bit numbers in a block of data to process.
605
 * returns 0 on success.
606
 */
607
static int Sha3Update(wc_Sha3* sha3, const byte* data, word32 len, byte p)
608
46.5k
{
609
46.5k
    word32 i;
610
46.5k
    byte l;
611
46.5k
    byte *t;
612
613
46.5k
    if (sha3->i > 0) {
614
32.0k
        l = p * 8 - sha3->i;
615
32.0k
        if (l > len) {
616
30.6k
            l = (byte)len;
617
30.6k
        }
618
619
32.0k
        t = &sha3->t[sha3->i];
620
774k
        for (i = 0; i < l; i++)
621
742k
            t[i] = data[i];
622
32.0k
        data += i;
623
32.0k
        len -= i;
624
32.0k
        sha3->i += (byte) i;
625
626
32.0k
        if (sha3->i == p * 8) {
627
25.1k
            for (i = 0; i < p; i++)
628
23.7k
                sha3->s[i] ^= Load64BitBigEndian(sha3->t + 8 * i);
629
1.39k
            BlockSha3(sha3->s);
630
1.39k
            sha3->i = 0;
631
1.39k
        }
632
32.0k
    }
633
71.0k
    while (len >= ((word32)(p * 8))) {
634
343k
        for (i = 0; i < p; i++)
635
319k
            sha3->s[i] ^= Load64Unaligned(data + 8 * i);
636
24.4k
        BlockSha3(sha3->s);
637
24.4k
        len -= p * 8;
638
24.4k
        data += p * 8;
639
24.4k
    }
640
584k
    for (i = 0; i < len; i++)
641
537k
        sha3->t[i] = data[i];
642
46.5k
    sha3->i += (byte) i;
643
644
46.5k
    return 0;
645
46.5k
}
646
647
/* Calculate the SHA-3 hash based on all the message data seen.
648
 *
649
 * sha3  wc_Sha3 object holding state.
650
 * hash  Buffer to hold the hash result.
651
 * p     Number of 64-bit numbers in a block of data to process.
652
 * len   Number of bytes in output.
653
 * returns 0 on success.
654
 */
655
static int Sha3Final(wc_Sha3* sha3, byte padChar, byte* hash, byte p, word32 l)
656
13.7k
{
657
13.7k
    word32 rate = p * 8;
658
13.7k
    word32 j;
659
13.7k
    word32 i;
660
661
13.7k
    sha3->t[rate - 1]  = 0x00;
662
13.7k
#ifdef WOLFSSL_HASH_FLAGS
663
13.7k
    if (p == WC_SHA3_256_COUNT && sha3->flags & WC_HASH_SHA3_KECCAK256)
664
0
        padChar = 0x01;
665
13.7k
#endif
666
13.7k
    sha3->t[sha3->i ]  = padChar;
667
13.7k
    sha3->t[rate - 1] |= 0x80;
668
831k
    for (i=sha3->i + 1; i < rate - 1; i++)
669
817k
        sha3->t[i] = 0;
670
247k
    for (i = 0; i < p; i++)
671
233k
        sha3->s[i] ^= Load64BitBigEndian(sha3->t + 8 * i);
672
13.7k
    for (j = 0; l - j >= rate; j += rate) {
673
0
        BlockSha3(sha3->s);
674
    #if defined(BIG_ENDIAN_ORDER)
675
        ByteReverseWords64((word64*)(hash + j), sha3->s, rate);
676
    #else
677
0
        XMEMCPY(hash + j, sha3->s, rate);
678
0
    #endif
679
0
    }
680
13.7k
    if (j != l) {
681
13.7k
        BlockSha3(sha3->s);
682
    #if defined(BIG_ENDIAN_ORDER)
683
        ByteReverseWords64(sha3->s, sha3->s, rate);
684
    #endif
685
13.7k
        XMEMCPY(hash + j, sha3->s, l - j);
686
13.7k
    }
687
13.7k
    return 0;
688
13.7k
}
689
690
/* Initialize the state for a SHA-3 hash operation.
691
 *
692
 * sha3   wc_Sha3 object holding state.
693
 * heap   Heap reference for dynamic memory allocation. (Used in async ops.)
694
 * devId  Device identifier for asynchronous operation.
695
 * returns 0 on success.
696
 */
697
static int wc_InitSha3(wc_Sha3* sha3, void* heap, int devId)
698
6.49k
{
699
6.49k
    int ret = 0;
700
701
6.49k
    if (sha3 == NULL)
702
0
        return BAD_FUNC_ARG;
703
704
6.49k
    sha3->heap = heap;
705
6.49k
    ret = InitSha3(sha3);
706
6.49k
    if (ret != 0)
707
0
        return ret;
708
709
#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_SHA3)
710
    ret = wolfAsync_DevCtxInit(&sha3->asyncDev,
711
                        WOLFSSL_ASYNC_MARKER_SHA3, sha3->heap, devId);
712
#else
713
6.49k
    (void)devId;
714
6.49k
#endif /* WOLFSSL_ASYNC_CRYPT */
715
716
6.49k
    return ret;
717
6.49k
}
718
719
/* Update the SHA-3 hash state with message data.
720
 *
721
 * sha3  wc_Sha3 object holding state.
722
 * data  Message data to be hashed.
723
 * len   Length of the message data.
724
 * p     Number of 64-bit numbers in a block of data to process.
725
 * returns 0 on success.
726
 */
727
static int wc_Sha3Update(wc_Sha3* sha3, const byte* data, word32 len, byte p)
728
182
{
729
182
    int ret;
730
731
182
    if (sha3 == NULL || (data == NULL && len > 0)) {
732
0
        return BAD_FUNC_ARG;
733
0
    }
734
735
182
    if (data == NULL && len == 0) {
736
        /* valid, but do nothing */
737
47
        return 0;
738
47
    }
739
740
#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_SHA3)
741
    if (sha3->asyncDev.marker == WOLFSSL_ASYNC_MARKER_SHA3) {
742
    #if defined(HAVE_INTEL_QA) && defined(QAT_V2)
743
        /* QAT only supports SHA3_256 */
744
        if (p == WC_SHA3_256_COUNT) {
745
            ret = IntelQaSymSha3(&sha3->asyncDev, NULL, data, len);
746
            if (ret != NOT_COMPILED_IN)
747
                return ret;
748
            /* fall-through when unavailable */
749
        }
750
    #endif
751
    }
752
#endif /* WOLFSSL_ASYNC_CRYPT */
753
754
135
    ret = Sha3Update(sha3, data, len, p);
755
756
135
    return ret;
757
182
}
758
759
/* Calculate the SHA-3 hash based on all the message data seen.
760
 *
761
 * sha3  wc_Sha3 object holding state.
762
 * hash  Buffer to hold the hash result.
763
 * p     Number of 64-bit numbers in a block of data to process.
764
 * len   Number of bytes in output.
765
 * returns 0 on success.
766
 */
767
static int wc_Sha3Final(wc_Sha3* sha3, byte* hash, byte p, byte len)
768
182
{
769
182
    int ret;
770
771
182
    if (sha3 == NULL || hash == NULL) {
772
0
        return BAD_FUNC_ARG;
773
0
    }
774
775
#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_SHA3)
776
    if (sha3->asyncDev.marker == WOLFSSL_ASYNC_MARKER_SHA3) {
777
    #if defined(HAVE_INTEL_QA) && defined(QAT_V2)
778
        /* QAT only supports SHA3_256 */
779
        /* QAT SHA-3 only supported on v2 (8970 or later cards) */
780
        if (len == WC_SHA3_256_DIGEST_SIZE) {
781
            ret = IntelQaSymSha3(&sha3->asyncDev, hash, NULL, len);
782
            if (ret != NOT_COMPILED_IN)
783
                return ret;
784
            /* fall-through when unavailable */
785
        }
786
    #endif
787
    }
788
#endif /* WOLFSSL_ASYNC_CRYPT */
789
790
182
    ret = Sha3Final(sha3, 0x06, hash, p, (word32)len);
791
182
    if (ret != 0)
792
0
        return ret;
793
794
182
    return InitSha3(sha3);  /* reset state */
795
182
}
796
797
/* Dispose of any dynamically allocated data from the SHA3-384 operation.
798
 * (Required for async ops.)
799
 *
800
 * sha3  wc_Sha3 object holding state.
801
 * returns 0 on success.
802
 */
803
static void wc_Sha3Free(wc_Sha3* sha3)
804
6.49k
{
805
6.49k
    (void)sha3;
806
807
#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_SHA3)
808
    if (sha3 == NULL)
809
        return;
810
811
    wolfAsync_DevCtxFree(&sha3->asyncDev, WOLFSSL_ASYNC_MARKER_SHA3);
812
#endif /* WOLFSSL_ASYNC_CRYPT */
813
6.49k
}
814
815
816
/* Copy the state of the SHA3 operation.
817
 *
818
 * src  wc_Sha3 object holding state top copy.
819
 * dst  wc_Sha3 object to copy into.
820
 * returns 0 on success.
821
 */
822
static int wc_Sha3Copy(wc_Sha3* src, wc_Sha3* dst)
823
0
{
824
0
    int ret = 0;
825
826
0
    if (src == NULL || dst == NULL)
827
0
        return BAD_FUNC_ARG;
828
829
0
    XMEMCPY(dst, src, sizeof(wc_Sha3));
830
831
#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_SHA3)
832
    ret = wolfAsync_DevCopy(&src->asyncDev, &dst->asyncDev);
833
#endif
834
0
#ifdef WOLFSSL_HASH_FLAGS
835
0
     dst->flags |= WC_HASH_FLAG_ISCOPY;
836
0
#endif
837
838
0
    return ret;
839
0
}
840
841
/* Calculate the SHA3-224 hash based on all the message data so far.
842
 * More message data can be added, after this operation, using the current
843
 * state.
844
 *
845
 * sha3  wc_Sha3 object holding state.
846
 * hash  Buffer to hold the hash result. Must be at least 28 bytes.
847
 * p     Number of 64-bit numbers in a block of data to process.
848
 * len   Number of bytes in output.
849
 * returns 0 on success.
850
 */
851
static int wc_Sha3GetHash(wc_Sha3* sha3, byte* hash, byte p, byte len)
852
0
{
853
0
    int ret;
854
0
    wc_Sha3 tmpSha3;
855
856
0
    if (sha3 == NULL || hash == NULL)
857
0
        return BAD_FUNC_ARG;
858
859
0
    ret = wc_Sha3Copy(sha3, &tmpSha3);
860
0
    if (ret == 0) {
861
0
        ret = wc_Sha3Final(&tmpSha3, hash, p, len);
862
0
    }
863
0
    return ret;
864
0
}
865
866
867
/* Initialize the state for a SHA3-224 hash operation.
868
 *
869
 * sha3   wc_Sha3 object holding state.
870
 * heap   Heap reference for dynamic memory allocation. (Used in async ops.)
871
 * devId  Device identifier for asynchronous operation.
872
 * returns 0 on success.
873
 */
874
int wc_InitSha3_224(wc_Sha3* sha3, void* heap, int devId)
875
33
{
876
33
    return wc_InitSha3(sha3, heap, devId);
877
33
}
878
879
/* Update the SHA3-224 hash state with message data.
880
 *
881
 * sha3  wc_Sha3 object holding state.
882
 * data  Message data to be hashed.
883
 * len   Length of the message data.
884
 * returns 0 on success.
885
 */
886
int wc_Sha3_224_Update(wc_Sha3* sha3, const byte* data, word32 len)
887
33
{
888
33
    return wc_Sha3Update(sha3, data, len, WC_SHA3_224_COUNT);
889
33
}
890
891
/* Calculate the SHA3-224 hash based on all the message data seen.
892
 * The state is initialized ready for a new message to hash.
893
 *
894
 * sha3  wc_Sha3 object holding state.
895
 * hash  Buffer to hold the hash result. Must be at least 28 bytes.
896
 * returns 0 on success.
897
 */
898
int wc_Sha3_224_Final(wc_Sha3* sha3, byte* hash)
899
33
{
900
33
    return wc_Sha3Final(sha3, hash, WC_SHA3_224_COUNT, WC_SHA3_224_DIGEST_SIZE);
901
33
}
902
903
/* Dispose of any dynamically allocated data from the SHA3-224 operation.
904
 * (Required for async ops.)
905
 *
906
 * sha3  wc_Sha3 object holding state.
907
 * returns 0 on success.
908
 */
909
void wc_Sha3_224_Free(wc_Sha3* sha3)
910
33
{
911
33
    wc_Sha3Free(sha3);
912
33
}
913
914
/* Calculate the SHA3-224 hash based on all the message data so far.
915
 * More message data can be added, after this operation, using the current
916
 * state.
917
 *
918
 * sha3  wc_Sha3 object holding state.
919
 * hash  Buffer to hold the hash result. Must be at least 28 bytes.
920
 * returns 0 on success.
921
 */
922
int wc_Sha3_224_GetHash(wc_Sha3* sha3, byte* hash)
923
0
{
924
0
    return wc_Sha3GetHash(sha3, hash, WC_SHA3_224_COUNT, WC_SHA3_224_DIGEST_SIZE);
925
0
}
926
927
/* Copy the state of the SHA3-224 operation.
928
 *
929
 * src  wc_Sha3 object holding state top copy.
930
 * dst  wc_Sha3 object to copy into.
931
 * returns 0 on success.
932
 */
933
int wc_Sha3_224_Copy(wc_Sha3* src, wc_Sha3* dst)
934
0
{
935
0
    return wc_Sha3Copy(src, dst);
936
0
}
937
938
939
/* Initialize the state for a SHA3-256 hash operation.
940
 *
941
 * sha3   wc_Sha3 object holding state.
942
 * heap   Heap reference for dynamic memory allocation. (Used in async ops.)
943
 * devId  Device identifier for asynchronous operation.
944
 * returns 0 on success.
945
 */
946
int wc_InitSha3_256(wc_Sha3* sha3, void* heap, int devId)
947
29
{
948
29
    return wc_InitSha3(sha3, heap, devId);
949
29
}
950
951
/* Update the SHA3-256 hash state with message data.
952
 *
953
 * sha3  wc_Sha3 object holding state.
954
 * data  Message data to be hashed.
955
 * len   Length of the message data.
956
 * returns 0 on success.
957
 */
958
int wc_Sha3_256_Update(wc_Sha3* sha3, const byte* data, word32 len)
959
29
{
960
29
    return wc_Sha3Update(sha3, data, len, WC_SHA3_256_COUNT);
961
29
}
962
963
/* Calculate the SHA3-256 hash based on all the message data seen.
964
 * The state is initialized ready for a new message to hash.
965
 *
966
 * sha3  wc_Sha3 object holding state.
967
 * hash  Buffer to hold the hash result. Must be at least 32 bytes.
968
 * returns 0 on success.
969
 */
970
int wc_Sha3_256_Final(wc_Sha3* sha3, byte* hash)
971
29
{
972
29
    return wc_Sha3Final(sha3, hash, WC_SHA3_256_COUNT, WC_SHA3_256_DIGEST_SIZE);
973
29
}
974
975
/* Dispose of any dynamically allocated data from the SHA3-256 operation.
976
 * (Required for async ops.)
977
 *
978
 * sha3  wc_Sha3 object holding state.
979
 * returns 0 on success.
980
 */
981
void wc_Sha3_256_Free(wc_Sha3* sha3)
982
29
{
983
29
    wc_Sha3Free(sha3);
984
29
}
985
986
/* Calculate the SHA3-256 hash based on all the message data so far.
987
 * More message data can be added, after this operation, using the current
988
 * state.
989
 *
990
 * sha3  wc_Sha3 object holding state.
991
 * hash  Buffer to hold the hash result. Must be at least 32 bytes.
992
 * returns 0 on success.
993
 */
994
int wc_Sha3_256_GetHash(wc_Sha3* sha3, byte* hash)
995
0
{
996
0
    return wc_Sha3GetHash(sha3, hash, WC_SHA3_256_COUNT, WC_SHA3_256_DIGEST_SIZE);
997
0
}
998
999
/* Copy the state of the SHA3-256 operation.
1000
 *
1001
 * src  wc_Sha3 object holding state top copy.
1002
 * dst  wc_Sha3 object to copy into.
1003
 * returns 0 on success.
1004
 */
1005
int wc_Sha3_256_Copy(wc_Sha3* src, wc_Sha3* dst)
1006
0
{
1007
0
    return wc_Sha3Copy(src, dst);
1008
0
}
1009
1010
1011
/* Initialize the state for a SHA3-384 hash operation.
1012
 *
1013
 * sha3   wc_Sha3 object holding state.
1014
 * heap   Heap reference for dynamic memory allocation. (Used in async ops.)
1015
 * devId  Device identifier for asynchronous operation.
1016
 * returns 0 on success.
1017
 */
1018
int wc_InitSha3_384(wc_Sha3* sha3, void* heap, int devId)
1019
35
{
1020
35
    return wc_InitSha3(sha3, heap, devId);
1021
35
}
1022
1023
/* Update the SHA3-384 hash state with message data.
1024
 *
1025
 * sha3  wc_Sha3 object holding state.
1026
 * data  Message data to be hashed.
1027
 * len   Length of the message data.
1028
 * returns 0 on success.
1029
 */
1030
int wc_Sha3_384_Update(wc_Sha3* sha3, const byte* data, word32 len)
1031
35
{
1032
35
    return wc_Sha3Update(sha3, data, len, WC_SHA3_384_COUNT);
1033
35
}
1034
1035
/* Calculate the SHA3-384 hash based on all the message data seen.
1036
 * The state is initialized ready for a new message to hash.
1037
 *
1038
 * sha3  wc_Sha3 object holding state.
1039
 * hash  Buffer to hold the hash result. Must be at least 48 bytes.
1040
 * returns 0 on success.
1041
 */
1042
int wc_Sha3_384_Final(wc_Sha3* sha3, byte* hash)
1043
35
{
1044
35
    return wc_Sha3Final(sha3, hash, WC_SHA3_384_COUNT, WC_SHA3_384_DIGEST_SIZE);
1045
35
}
1046
1047
/* Dispose of any dynamically allocated data from the SHA3-384 operation.
1048
 * (Required for async ops.)
1049
 *
1050
 * sha3  wc_Sha3 object holding state.
1051
 * returns 0 on success.
1052
 */
1053
void wc_Sha3_384_Free(wc_Sha3* sha3)
1054
35
{
1055
35
    wc_Sha3Free(sha3);
1056
35
}
1057
1058
/* Calculate the SHA3-384 hash based on all the message data so far.
1059
 * More message data can be added, after this operation, using the current
1060
 * state.
1061
 *
1062
 * sha3  wc_Sha3 object holding state.
1063
 * hash  Buffer to hold the hash result. Must be at least 48 bytes.
1064
 * returns 0 on success.
1065
 */
1066
int wc_Sha3_384_GetHash(wc_Sha3* sha3, byte* hash)
1067
0
{
1068
0
    return wc_Sha3GetHash(sha3, hash, WC_SHA3_384_COUNT, WC_SHA3_384_DIGEST_SIZE);
1069
0
}
1070
1071
/* Copy the state of the SHA3-384 operation.
1072
 *
1073
 * src  wc_Sha3 object holding state top copy.
1074
 * dst  wc_Sha3 object to copy into.
1075
 * returns 0 on success.
1076
 */
1077
int wc_Sha3_384_Copy(wc_Sha3* src, wc_Sha3* dst)
1078
0
{
1079
0
    return wc_Sha3Copy(src, dst);
1080
0
}
1081
1082
1083
/* Initialize the state for a SHA3-512 hash operation.
1084
 *
1085
 * sha3   wc_Sha3 object holding state.
1086
 * heap   Heap reference for dynamic memory allocation. (Used in async ops.)
1087
 * devId  Device identifier for asynchronous operation.
1088
 * returns 0 on success.
1089
 */
1090
int wc_InitSha3_512(wc_Sha3* sha3, void* heap, int devId)
1091
85
{
1092
85
    return wc_InitSha3(sha3, heap, devId);
1093
85
}
1094
1095
/* Update the SHA3-512 hash state with message data.
1096
 *
1097
 * sha3  wc_Sha3 object holding state.
1098
 * data  Message data to be hashed.
1099
 * len   Length of the message data.
1100
 * returns 0 on success.
1101
 */
1102
int wc_Sha3_512_Update(wc_Sha3* sha3, const byte* data, word32 len)
1103
85
{
1104
85
    return wc_Sha3Update(sha3, data, len, WC_SHA3_512_COUNT);
1105
85
}
1106
1107
/* Calculate the SHA3-512 hash based on all the message data seen.
1108
 * The state is initialized ready for a new message to hash.
1109
 *
1110
 * sha3  wc_Sha3 object holding state.
1111
 * hash  Buffer to hold the hash result. Must be at least 64 bytes.
1112
 * returns 0 on success.
1113
 */
1114
int wc_Sha3_512_Final(wc_Sha3* sha3, byte* hash)
1115
85
{
1116
85
    return wc_Sha3Final(sha3, hash, WC_SHA3_512_COUNT, WC_SHA3_512_DIGEST_SIZE);
1117
85
}
1118
1119
/* Dispose of any dynamically allocated data from the SHA3-512 operation.
1120
 * (Required for async ops.)
1121
 *
1122
 * sha3  wc_Sha3 object holding state.
1123
 * returns 0 on success.
1124
 */
1125
void wc_Sha3_512_Free(wc_Sha3* sha3)
1126
85
{
1127
85
    wc_Sha3Free(sha3);
1128
85
}
1129
1130
/* Calculate the SHA3-512 hash based on all the message data so far.
1131
 * More message data can be added, after this operation, using the current
1132
 * state.
1133
 *
1134
 * sha3  wc_Sha3 object holding state.
1135
 * hash  Buffer to hold the hash result. Must be at least 64 bytes.
1136
 * returns 0 on success.
1137
 */
1138
int wc_Sha3_512_GetHash(wc_Sha3* sha3, byte* hash)
1139
0
{
1140
0
    return wc_Sha3GetHash(sha3, hash, WC_SHA3_512_COUNT, WC_SHA3_512_DIGEST_SIZE);
1141
0
}
1142
1143
/* Copy the state of the SHA3-512 operation.
1144
 *
1145
 * src  wc_Sha3 object holding state top copy.
1146
 * dst  wc_Sha3 object to copy into.
1147
 * returns 0 on success.
1148
 */
1149
int wc_Sha3_512_Copy(wc_Sha3* src, wc_Sha3* dst)
1150
0
{
1151
0
    return wc_Sha3Copy(src, dst);
1152
0
}
1153
1154
#ifdef WOLFSSL_HASH_FLAGS
1155
int wc_Sha3_SetFlags(wc_Sha3* sha3, word32 flags)
1156
0
{
1157
0
    if (sha3) {
1158
0
        sha3->flags = flags;
1159
0
    }
1160
0
    return 0;
1161
0
}
1162
int wc_Sha3_GetFlags(wc_Sha3* sha3, word32* flags)
1163
0
{
1164
0
    if (sha3 && flags) {
1165
0
        *flags = sha3->flags;
1166
0
    }
1167
0
    return 0;
1168
0
}
1169
#endif
1170
1171
#ifdef WOLFSSL_SHAKE256
1172
/* Initialize the state for a Shake256 hash operation.
1173
 *
1174
 * shake  wc_Shake object holding state.
1175
 * heap   Heap reference for dynamic memory allocation. (Used in async ops.)
1176
 * devId  Device identifier for asynchronous operation.
1177
 * returns 0 on success.
1178
 */
1179
int wc_InitShake256(wc_Shake* shake, void* heap, int devId)
1180
6.30k
{
1181
6.30k
    return wc_InitSha3(shake, heap, devId);
1182
6.30k
}
1183
1184
/* Update the SHAKE256 hash state with message data.
1185
 *
1186
 * shake  wc_Shake object holding state.
1187
 * data  Message data to be hashed.
1188
 * len   Length of the message data.
1189
 * returns 0 on success.
1190
 */
1191
int wc_Shake256_Update(wc_Shake* shake, const byte* data, word32 len)
1192
46.4k
{
1193
46.4k
    if (shake == NULL || (data == NULL && len > 0)) {
1194
0
         return BAD_FUNC_ARG;
1195
0
    }
1196
1197
46.4k
    if (data == NULL && len == 0) {
1198
        /* valid, but do nothing */
1199
0
        return 0;
1200
0
    }
1201
1202
46.4k
    return Sha3Update(shake, data, len, WC_SHA3_256_COUNT);
1203
46.4k
}
1204
1205
/* Calculate the SHAKE256 hash based on all the message data seen.
1206
 * The state is initialized ready for a new message to hash.
1207
 *
1208
 * shake  wc_Shake object holding state.
1209
 * hash  Buffer to hold the hash result. Must be at least 64 bytes.
1210
 * returns 0 on success.
1211
 */
1212
int wc_Shake256_Final(wc_Shake* shake, byte* hash, word32 hashLen)
1213
13.7k
{
1214
13.7k
    int ret;
1215
1216
13.7k
    if (shake == NULL || hash == NULL) {
1217
0
        return BAD_FUNC_ARG;
1218
0
    }
1219
1220
13.7k
    ret = Sha3Final(shake, 0x1f, hash, WC_SHA3_256_COUNT, hashLen);
1221
13.7k
    if (ret != 0)
1222
0
        return ret;
1223
1224
13.7k
    return InitSha3(shake);  /* reset state */
1225
13.7k
}
1226
1227
/* Dispose of any dynamically allocated data from the SHAKE256 operation.
1228
 * (Required for async ops.)
1229
 *
1230
 * shake  wc_Shake object holding state.
1231
 * returns 0 on success.
1232
 */
1233
void wc_Shake256_Free(wc_Shake* shake)
1234
6.30k
{
1235
6.30k
    wc_Sha3Free(shake);
1236
6.30k
}
1237
1238
/* Copy the state of the SHA3-512 operation.
1239
 *
1240
 * src  wc_Shake object holding state top copy.
1241
 * dst  wc_Shake object to copy into.
1242
 * returns 0 on success.
1243
 */
1244
int wc_Shake256_Copy(wc_Shake* src, wc_Shake* dst)
1245
0
{
1246
0
    return wc_Sha3Copy(src, dst);
1247
0
}
1248
#endif
1249
1250
#endif /* WOLFSSL_SHA3 */