/src/wolfssl-sp-math-all-8bit/wolfcrypt/src/sha3.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* sha3.c |
2 | | * |
3 | | * Copyright (C) 2006-2022 wolfSSL Inc. |
4 | | * |
5 | | * This file is part of wolfSSL. |
6 | | * |
7 | | * wolfSSL is free software; you can redistribute it and/or modify |
8 | | * it under the terms of the GNU General Public License as published by |
9 | | * the Free Software Foundation; either version 2 of the License, or |
10 | | * (at your option) any later version. |
11 | | * |
12 | | * wolfSSL is distributed in the hope that it will be useful, |
13 | | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
14 | | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
15 | | * GNU General Public License for more details. |
16 | | * |
17 | | * You should have received a copy of the GNU General Public License |
18 | | * along with this program; if not, write to the Free Software |
19 | | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA |
20 | | */ |
21 | | |
22 | | |
23 | | #ifdef HAVE_CONFIG_H |
24 | | #include <config.h> |
25 | | #endif |
26 | | |
27 | | #include <wolfssl/wolfcrypt/settings.h> |
28 | | |
29 | | #if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_XILINX_CRYPT) && \ |
30 | | !defined(WOLFSSL_AFALG_XILINX_SHA3) |
31 | | |
32 | | #if defined(HAVE_FIPS) && defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2) |
33 | | /* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */ |
34 | | #define FIPS_NO_WRAPPERS |
35 | | |
36 | | #ifdef USE_WINDOWS_API |
37 | | #pragma code_seg(".fipsA$l") |
38 | | #pragma const_seg(".fipsB$l") |
39 | | #endif |
40 | | #endif |
41 | | |
42 | | #include <wolfssl/wolfcrypt/sha3.h> |
43 | | #include <wolfssl/wolfcrypt/error-crypt.h> |
44 | | #include <wolfssl/wolfcrypt/hash.h> |
45 | | |
46 | | #ifdef NO_INLINE |
47 | | #include <wolfssl/wolfcrypt/misc.h> |
48 | | #else |
49 | | #define WOLFSSL_MISC_INCLUDED |
50 | | #include <wolfcrypt/src/misc.c> |
51 | | #endif |
52 | | |
53 | | |
54 | | #if !defined(WOLFSSL_ARMASM) || !defined(WOLFSSL_ARMASM_CRYPTO_SHA3) |
55 | | #ifdef WOLFSSL_SHA3_SMALL |
56 | | /* Rotate a 64-bit value left. |
57 | | * |
58 | | * a Number to rotate left. |
59 | | * r Number od bits to rotate left. |
60 | | * returns the rotated number. |
61 | | */ |
62 | | #define ROTL64(a, n) (((a)<<(n))|((a)>>(64-(n)))) |
63 | | |
64 | | /* An array of values to XOR for block operation. */ |
65 | | static const word64 hash_keccak_r[24] = |
66 | | { |
67 | | 0x0000000000000001UL, 0x0000000000008082UL, |
68 | | 0x800000000000808aUL, 0x8000000080008000UL, |
69 | | 0x000000000000808bUL, 0x0000000080000001UL, |
70 | | 0x8000000080008081UL, 0x8000000000008009UL, |
71 | | 0x000000000000008aUL, 0x0000000000000088UL, |
72 | | 0x0000000080008009UL, 0x000000008000000aUL, |
73 | | 0x000000008000808bUL, 0x800000000000008bUL, |
74 | | 0x8000000000008089UL, 0x8000000000008003UL, |
75 | | 0x8000000000008002UL, 0x8000000000000080UL, |
76 | | 0x000000000000800aUL, 0x800000008000000aUL, |
77 | | 0x8000000080008081UL, 0x8000000000008080UL, |
78 | | 0x0000000080000001UL, 0x8000000080008008UL |
79 | | }; |
80 | | |
81 | | /* Indices used in swap and rotate operation. */ |
82 | | #define K_I_0 10 |
83 | | #define K_I_1 7 |
84 | | #define K_I_2 11 |
85 | | #define K_I_3 17 |
86 | | #define K_I_4 18 |
87 | | #define K_I_5 3 |
88 | | #define K_I_6 5 |
89 | | #define K_I_7 16 |
90 | | #define K_I_8 8 |
91 | | #define K_I_9 21 |
92 | | #define K_I_10 24 |
93 | | #define K_I_11 4 |
94 | | #define K_I_12 15 |
95 | | #define K_I_13 23 |
96 | | #define K_I_14 19 |
97 | | #define K_I_15 13 |
98 | | #define K_I_16 12 |
99 | | #define K_I_17 2 |
100 | | #define K_I_18 20 |
101 | | #define K_I_19 14 |
102 | | #define K_I_20 22 |
103 | | #define K_I_21 9 |
104 | | #define K_I_22 6 |
105 | | #define K_I_23 1 |
106 | | |
107 | | /* Number of bits to rotate in swap and rotate operation. */ |
108 | | #define K_R_0 1 |
109 | | #define K_R_1 3 |
110 | | #define K_R_2 6 |
111 | | #define K_R_3 10 |
112 | | #define K_R_4 15 |
113 | | #define K_R_5 21 |
114 | | #define K_R_6 28 |
115 | | #define K_R_7 36 |
116 | | #define K_R_8 45 |
117 | | #define K_R_9 55 |
118 | | #define K_R_10 2 |
119 | | #define K_R_11 14 |
120 | | #define K_R_12 27 |
121 | | #define K_R_13 41 |
122 | | #define K_R_14 56 |
123 | | #define K_R_15 8 |
124 | | #define K_R_16 25 |
125 | | #define K_R_17 43 |
126 | | #define K_R_18 62 |
127 | | #define K_R_19 18 |
128 | | #define K_R_20 39 |
129 | | #define K_R_21 61 |
130 | | #define K_R_22 20 |
131 | | #define K_R_23 44 |
132 | | |
133 | | /* Swap and rotate left operation. |
134 | | * |
135 | | * s The state. |
136 | | * t1 Temporary value. |
137 | | * t2 Second temporary value. |
138 | | * i The index of the loop. |
139 | | */ |
140 | | #define SWAP_ROTL(s, t1, t2, i) \ |
141 | | do { \ |
142 | | t2 = s[K_I_##i]; s[K_I_##i] = ROTL64(t1, K_R_##i); \ |
143 | | } \ |
144 | | while (0) |
145 | | |
146 | | /* Mix the XOR of the column's values into each number by column. |
147 | | * |
148 | | * s The state. |
149 | | * b Temporary array of XORed column values. |
150 | | * x The index of the column. |
151 | | * t Temporary variable. |
152 | | */ |
153 | | #define COL_MIX(s, b, x, t) \ |
154 | | do { \ |
155 | | for (x = 0; x < 5; x++) \ |
156 | | b[x] = s[x + 0] ^ s[x + 5] ^ s[x + 10] ^ s[x + 15] ^ s[x + 20]; \ |
157 | | for (x = 0; x < 5; x++) { \ |
158 | | t = b[(x + 4) % 5] ^ ROTL64(b[(x + 1) % 5], 1); \ |
159 | | s[x + 0] ^= t; \ |
160 | | s[x + 5] ^= t; \ |
161 | | s[x + 10] ^= t; \ |
162 | | s[x + 15] ^= t; \ |
163 | | s[x + 20] ^= t; \ |
164 | | } \ |
165 | | } \ |
166 | | while (0) |
167 | | |
168 | | #ifdef SHA3_BY_SPEC |
169 | | /* Mix the row values. |
170 | | * BMI1 has ANDN instruction ((~a) & b) - Haswell and above. |
171 | | * |
172 | | * s The state. |
173 | | * b Temporary array of XORed row values. |
174 | | * y The index of the row to work on. |
175 | | * x The index of the column. |
176 | | * t0 Temporary variable. |
177 | | * t1 Temporary variable. |
178 | | */ |
179 | | #define ROW_MIX(s, b, y, x, t0, t1) \ |
180 | | do { \ |
181 | | for (y = 0; y < 5; y++) { \ |
182 | | for (x = 0; x < 5; x++) \ |
183 | | b[x] = s[y * 5 + x]; \ |
184 | | for (x = 0; x < 5; x++) \ |
185 | | s[y * 5 + x] = b[x] ^ (~b[(x + 1) % 5] & b[(x + 2) % 5]); \ |
186 | | } \ |
187 | | } \ |
188 | | while (0) |
189 | | #else |
190 | | /* Mix the row values. |
191 | | * a ^ (~b & c) == a ^ (c & (b ^ c)) == (a ^ b) ^ (b | c) |
192 | | * |
193 | | * s The state. |
194 | | * b Temporary array of XORed row values. |
195 | | * y The index of the row to work on. |
196 | | * x The index of the column. |
197 | | * t0 Temporary variable. |
198 | | * t1 Temporary variable. |
199 | | */ |
200 | | #define ROW_MIX(s, b, y, x, t12, t34) \ |
201 | | do { \ |
202 | | for (y = 0; y < 5; y++) { \ |
203 | | for (x = 0; x < 5; x++) \ |
204 | | b[x] = s[y * 5 + x]; \ |
205 | | t12 = (b[1] ^ b[2]); t34 = (b[3] ^ b[4]); \ |
206 | | s[y * 5 + 0] = b[0] ^ (b[2] & t12); \ |
207 | | s[y * 5 + 1] = t12 ^ (b[2] | b[3]); \ |
208 | | s[y * 5 + 2] = b[2] ^ (b[4] & t34); \ |
209 | | s[y * 5 + 3] = t34 ^ (b[4] | b[0]); \ |
210 | | s[y * 5 + 4] = b[4] ^ (b[1] & (b[0] ^ b[1])); \ |
211 | | } \ |
212 | | } \ |
213 | | while (0) |
214 | | #endif /* SHA3_BY_SPEC */ |
215 | | |
216 | | /* The block operation performed on the state. |
217 | | * |
218 | | * s The state. |
219 | | */ |
220 | | static void BlockSha3(word64 *s) |
221 | | { |
222 | | byte i, x, y; |
223 | | word64 t0, t1; |
224 | | word64 b[5]; |
225 | | |
226 | | for (i = 0; i < 24; i++) |
227 | | { |
228 | | COL_MIX(s, b, x, t0); |
229 | | |
230 | | t0 = s[1]; |
231 | | SWAP_ROTL(s, t0, t1, 0); |
232 | | SWAP_ROTL(s, t1, t0, 1); |
233 | | SWAP_ROTL(s, t0, t1, 2); |
234 | | SWAP_ROTL(s, t1, t0, 3); |
235 | | SWAP_ROTL(s, t0, t1, 4); |
236 | | SWAP_ROTL(s, t1, t0, 5); |
237 | | SWAP_ROTL(s, t0, t1, 6); |
238 | | SWAP_ROTL(s, t1, t0, 7); |
239 | | SWAP_ROTL(s, t0, t1, 8); |
240 | | SWAP_ROTL(s, t1, t0, 9); |
241 | | SWAP_ROTL(s, t0, t1, 10); |
242 | | SWAP_ROTL(s, t1, t0, 11); |
243 | | SWAP_ROTL(s, t0, t1, 12); |
244 | | SWAP_ROTL(s, t1, t0, 13); |
245 | | SWAP_ROTL(s, t0, t1, 14); |
246 | | SWAP_ROTL(s, t1, t0, 15); |
247 | | SWAP_ROTL(s, t0, t1, 16); |
248 | | SWAP_ROTL(s, t1, t0, 17); |
249 | | SWAP_ROTL(s, t0, t1, 18); |
250 | | SWAP_ROTL(s, t1, t0, 19); |
251 | | SWAP_ROTL(s, t0, t1, 20); |
252 | | SWAP_ROTL(s, t1, t0, 21); |
253 | | SWAP_ROTL(s, t0, t1, 22); |
254 | | SWAP_ROTL(s, t1, t0, 23); |
255 | | |
256 | | ROW_MIX(s, b, y, x, t0, t1); |
257 | | |
258 | | s[0] ^= hash_keccak_r[i]; |
259 | | } |
260 | | } |
261 | | #else |
262 | | /* Rotate a 64-bit value left. |
263 | | * |
264 | | * a Number to rotate left. |
265 | | * r Number od bits to rotate left. |
266 | | * returns the rotated number. |
267 | | */ |
268 | 27.6M | #define ROTL64(a, n) (((a)<<(n))|((a)>>(64-(n)))) |
269 | | |
270 | | |
271 | | /* An array of values to XOR for block operation. */ |
272 | | static const word64 hash_keccak_r[24] = |
273 | | { |
274 | | W64LIT(0x0000000000000001), W64LIT(0x0000000000008082), |
275 | | W64LIT(0x800000000000808a), W64LIT(0x8000000080008000), |
276 | | W64LIT(0x000000000000808b), W64LIT(0x0000000080000001), |
277 | | W64LIT(0x8000000080008081), W64LIT(0x8000000000008009), |
278 | | W64LIT(0x000000000000008a), W64LIT(0x0000000000000088), |
279 | | W64LIT(0x0000000080008009), W64LIT(0x000000008000000a), |
280 | | W64LIT(0x000000008000808b), W64LIT(0x800000000000008b), |
281 | | W64LIT(0x8000000000008089), W64LIT(0x8000000000008003), |
282 | | W64LIT(0x8000000000008002), W64LIT(0x8000000000000080), |
283 | | W64LIT(0x000000000000800a), W64LIT(0x800000008000000a), |
284 | | W64LIT(0x8000000080008081), W64LIT(0x8000000000008080), |
285 | | W64LIT(0x0000000080000001), W64LIT(0x8000000080008008) |
286 | | }; |
287 | | |
288 | | /* Indices used in swap and rotate operation. */ |
289 | | #define KI_0 6 |
290 | | #define KI_1 12 |
291 | | #define KI_2 18 |
292 | | #define KI_3 24 |
293 | | #define KI_4 3 |
294 | | #define KI_5 9 |
295 | | #define KI_6 10 |
296 | | #define KI_7 16 |
297 | | #define KI_8 22 |
298 | | #define KI_9 1 |
299 | | #define KI_10 7 |
300 | | #define KI_11 13 |
301 | | #define KI_12 19 |
302 | | #define KI_13 20 |
303 | | #define KI_14 4 |
304 | | #define KI_15 5 |
305 | | #define KI_16 11 |
306 | | #define KI_17 17 |
307 | | #define KI_18 23 |
308 | | #define KI_19 2 |
309 | | #define KI_20 8 |
310 | | #define KI_21 14 |
311 | | #define KI_22 15 |
312 | | #define KI_23 21 |
313 | | |
314 | | /* Number of bits to rotate in swap and rotate operation. */ |
315 | | #define KR_0 44 |
316 | | #define KR_1 43 |
317 | | #define KR_2 21 |
318 | | #define KR_3 14 |
319 | | #define KR_4 28 |
320 | | #define KR_5 20 |
321 | | #define KR_6 3 |
322 | | #define KR_7 45 |
323 | | #define KR_8 61 |
324 | | #define KR_9 1 |
325 | | #define KR_10 6 |
326 | | #define KR_11 25 |
327 | | #define KR_12 8 |
328 | | #define KR_13 18 |
329 | | #define KR_14 27 |
330 | | #define KR_15 36 |
331 | | #define KR_16 10 |
332 | | #define KR_17 15 |
333 | | #define KR_18 56 |
334 | | #define KR_19 62 |
335 | | #define KR_20 55 |
336 | | #define KR_21 39 |
337 | | #define KR_22 41 |
338 | | #define KR_23 2 |
339 | | |
340 | | /* Mix the XOR of the column's values into each number by column. |
341 | | * |
342 | | * s The state. |
343 | | * b Temporary array of XORed column values. |
344 | | * x The index of the column. |
345 | | * t Temporary variable. |
346 | | */ |
347 | 954k | #define COL_MIX(s, b, x, t) \ |
348 | 954k | do { \ |
349 | 954k | (b)[0] = (s)[0] ^ (s)[5] ^ (s)[10] ^ (s)[15] ^ (s)[20]; \ |
350 | 954k | (b)[1] = (s)[1] ^ (s)[6] ^ (s)[11] ^ (s)[16] ^ (s)[21]; \ |
351 | 954k | (b)[2] = (s)[2] ^ (s)[7] ^ (s)[12] ^ (s)[17] ^ (s)[22]; \ |
352 | 954k | (b)[3] = (s)[3] ^ (s)[8] ^ (s)[13] ^ (s)[18] ^ (s)[23]; \ |
353 | 954k | (b)[4] = (s)[4] ^ (s)[9] ^ (s)[14] ^ (s)[19] ^ (s)[24]; \ |
354 | 954k | (t) = (b)[(0 + 4) % 5] ^ ROTL64((b)[(0 + 1) % 5], 1); \ |
355 | 954k | (s)[ 0] ^= (t); (s)[ 5] ^= (t); (s)[10] ^= (t); (s)[15] ^= (t); (s)[20] ^= (t); \ |
356 | 954k | (t) = (b)[(1 + 4) % 5] ^ ROTL64((b)[(1 + 1) % 5], 1); \ |
357 | 954k | (s)[ 1] ^= (t); (s)[ 6] ^= (t); (s)[11] ^= (t); (s)[16] ^= (t); (s)[21] ^= (t); \ |
358 | 954k | (t) = (b)[(2 + 4) % 5] ^ ROTL64((b)[(2 + 1) % 5], 1); \ |
359 | 954k | (s)[ 2] ^= (t); (s)[ 7] ^= (t); (s)[12] ^= (t); (s)[17] ^= (t); (s)[22] ^= (t); \ |
360 | 954k | (t) = (b)[(3 + 4) % 5] ^ ROTL64((b)[(3 + 1) % 5], 1); \ |
361 | 954k | (s)[ 3] ^= (t); (s)[ 8] ^= (t); (s)[13] ^= (t); (s)[18] ^= (t); (s)[23] ^= (t); \ |
362 | 954k | (t) = (b)[(4 + 4) % 5] ^ ROTL64((b)[(4 + 1) % 5], 1); \ |
363 | 954k | (s)[ 4] ^= (t); (s)[ 9] ^= (t); (s)[14] ^= (t); (s)[19] ^= (t); (s)[24] ^= (t); \ |
364 | 954k | } \ |
365 | 954k | while (0) |
366 | | |
367 | 22.9M | #define S(s1, i) ROTL64((s1)[KI_##i], KR_##i) |
368 | | |
369 | | #ifdef SHA3_BY_SPEC |
370 | | /* Mix the row values. |
371 | | * BMI1 has ANDN instruction ((~a) & b) - Haswell and above. |
372 | | * |
373 | | * s2 The new state. |
374 | | * s1 The current state. |
375 | | * b Temporary array of XORed row values. |
376 | | * t0 Temporary variable. (Unused) |
377 | | * t1 Temporary variable. (Unused) |
378 | | */ |
379 | | #define ROW_MIX(s2, s1, b, t0, t1) \ |
380 | | do { \ |
381 | | (b)[0] = (s1)[0]; \ |
382 | | (b)[1] = S((s1), 0); \ |
383 | | (b)[2] = S((s1), 1); \ |
384 | | (b)[3] = S((s1), 2); \ |
385 | | (b)[4] = S((s1), 3); \ |
386 | | (s2)[0] = (b)[0] ^ (~(b)[1] & (b)[2]); \ |
387 | | (s2)[1] = (b)[1] ^ (~(b)[2] & (b)[3]); \ |
388 | | (s2)[2] = (b)[2] ^ (~(b)[3] & (b)[4]); \ |
389 | | (s2)[3] = (b)[3] ^ (~(b)[4] & (b)[0]); \ |
390 | | (s2)[4] = (b)[4] ^ (~(b)[0] & (b)[1]); \ |
391 | | (b)[0] = S((s1), 4); \ |
392 | | (b)[1] = S((s1), 5); \ |
393 | | (b)[2] = S((s1), 6); \ |
394 | | (b)[3] = S((s1), 7); \ |
395 | | (b)[4] = S((s1), 8); \ |
396 | | (s2)[5] = (b)[0] ^ (~(b)[1] & (b)[2]); \ |
397 | | (s2)[6] = (b)[1] ^ (~(b)[2] & (b)[3]); \ |
398 | | (s2)[7] = (b)[2] ^ (~(b)[3] & (b)[4]); \ |
399 | | (s2)[8] = (b)[3] ^ (~(b)[4] & (b)[0]); \ |
400 | | (s2)[9] = (b)[4] ^ (~(b)[0] & (b)[1]); \ |
401 | | (b)[0] = S((s1), 9); \ |
402 | | (b)[1] = S((s1), 10); \ |
403 | | (b)[2] = S((s1), 11); \ |
404 | | (b)[3] = S((s1), 12); \ |
405 | | (b)[4] = S((s1), 13); \ |
406 | | (s2)[10] = (b)[0] ^ (~(b)[1] & (b)[2]); \ |
407 | | (s2)[11] = (b)[1] ^ (~(b)[2] & (b)[3]); \ |
408 | | (s2)[12] = (b)[2] ^ (~(b)[3] & (b)[4]); \ |
409 | | (s2)[13] = (b)[3] ^ (~(b)[4] & (b)[0]); \ |
410 | | (s2)[14] = (b)[4] ^ (~(b)[0] & (b)[1]); \ |
411 | | (b)[0] = S((s1), 14); \ |
412 | | (b)[1] = S((s1), 15); \ |
413 | | (b)[2] = S((s1), 16); \ |
414 | | (b)[3] = S((s1), 17); \ |
415 | | (b)[4] = S((s1), 18); \ |
416 | | (s2)[15] = (b)[0] ^ (~(b)[1] & (b)[2]); \ |
417 | | (s2)[16] = (b)[1] ^ (~(b)[2] & (b)[3]); \ |
418 | | (s2)[17] = (b)[2] ^ (~(b)[3] & (b)[4]); \ |
419 | | (s2)[18] = (b)[3] ^ (~(b)[4] & (b)[0]); \ |
420 | | (s2)[19] = (b)[4] ^ (~(b)[0] & (b)[1]); \ |
421 | | (b)[0] = S((s1), 19); \ |
422 | | (b)[1] = S((s1), 20); \ |
423 | | (b)[2] = S((s1), 21); \ |
424 | | (b)[3] = S((s1), 22); \ |
425 | | (b)[4] = S((s1), 23); \ |
426 | | (s2)[20] = (b)[0] ^ (~(b)[1] & (b)[2]); \ |
427 | | (s2)[21] = (b)[1] ^ (~(b)[2] & (b)[3]); \ |
428 | | (s2)[22] = (b)[2] ^ (~(b)[3] & (b)[4]); \ |
429 | | (s2)[23] = (b)[3] ^ (~(b)[4] & (b)[0]); \ |
430 | | (s2)[24] = (b)[4] ^ (~(b)[0] & (b)[1]); \ |
431 | | } \ |
432 | | while (0) |
433 | | #else |
434 | | /* Mix the row values. |
435 | | * a ^ (~b & c) == a ^ (c & (b ^ c)) == (a ^ b) ^ (b | c) |
436 | | * |
437 | | * s2 The new state. |
438 | | * s1 The current state. |
439 | | * b Temporary array of XORed row values. |
440 | | * t12 Temporary variable. |
441 | | * t34 Temporary variable. |
442 | | */ |
443 | 954k | #define ROW_MIX(s2, s1, b, t12, t34) \ |
444 | 954k | do { \ |
445 | 954k | (b)[0] = (s1)[0]; \ |
446 | 954k | (b)[1] = S((s1), 0); \ |
447 | 954k | (b)[2] = S((s1), 1); \ |
448 | 954k | (b)[3] = S((s1), 2); \ |
449 | 954k | (b)[4] = S((s1), 3); \ |
450 | 954k | (t12) = ((b)[1] ^ (b)[2]); (t34) = ((b)[3] ^ (b)[4]); \ |
451 | 954k | (s2)[0] = (b)[0] ^ ((b)[2] & (t12)); \ |
452 | 954k | (s2)[1] = (t12) ^ ((b)[2] | (b)[3]); \ |
453 | 954k | (s2)[2] = (b)[2] ^ ((b)[4] & (t34)); \ |
454 | 954k | (s2)[3] = (t34) ^ ((b)[4] | (b)[0]); \ |
455 | 954k | (s2)[4] = (b)[4] ^ ((b)[1] & ((b)[0] ^ (b)[1])); \ |
456 | 954k | (b)[0] = S((s1), 4); \ |
457 | 954k | (b)[1] = S((s1), 5); \ |
458 | 954k | (b)[2] = S((s1), 6); \ |
459 | 954k | (b)[3] = S((s1), 7); \ |
460 | 954k | (b)[4] = S((s1), 8); \ |
461 | 954k | (t12) = ((b)[1] ^ (b)[2]); (t34) = ((b)[3] ^ (b)[4]); \ |
462 | 954k | (s2)[5] = (b)[0] ^ ((b)[2] & (t12)); \ |
463 | 954k | (s2)[6] = (t12) ^ ((b)[2] | (b)[3]); \ |
464 | 954k | (s2)[7] = (b)[2] ^ ((b)[4] & (t34)); \ |
465 | 954k | (s2)[8] = (t34) ^ ((b)[4] | (b)[0]); \ |
466 | 954k | (s2)[9] = (b)[4] ^ ((b)[1] & ((b)[0] ^ (b)[1])); \ |
467 | 954k | (b)[0] = S((s1), 9); \ |
468 | 954k | (b)[1] = S((s1), 10); \ |
469 | 954k | (b)[2] = S((s1), 11); \ |
470 | 954k | (b)[3] = S((s1), 12); \ |
471 | 954k | (b)[4] = S((s1), 13); \ |
472 | 954k | (t12) = ((b)[1] ^ (b)[2]); (t34) = ((b)[3] ^ (b)[4]); \ |
473 | 954k | (s2)[10] = (b)[0] ^ ((b)[2] & (t12)); \ |
474 | 954k | (s2)[11] = (t12) ^ ((b)[2] | (b)[3]); \ |
475 | 954k | (s2)[12] = (b)[2] ^ ((b)[4] & (t34)); \ |
476 | 954k | (s2)[13] = (t34) ^ ((b)[4] | (b)[0]); \ |
477 | 954k | (s2)[14] = (b)[4] ^ ((b)[1] & ((b)[0] ^ (b)[1])); \ |
478 | 954k | (b)[0] = S((s1), 14); \ |
479 | 954k | (b)[1] = S((s1), 15); \ |
480 | 954k | (b)[2] = S((s1), 16); \ |
481 | 954k | (b)[3] = S((s1), 17); \ |
482 | 954k | (b)[4] = S((s1), 18); \ |
483 | 954k | (t12) = ((b)[1] ^ (b)[2]); (t34) = ((b)[3] ^ (b)[4]); \ |
484 | 954k | (s2)[15] = (b)[0] ^ ((b)[2] & (t12)); \ |
485 | 954k | (s2)[16] = (t12) ^ ((b)[2] | (b)[3]); \ |
486 | 954k | (s2)[17] = (b)[2] ^ ((b)[4] & (t34)); \ |
487 | 954k | (s2)[18] = (t34) ^ ((b)[4] | (b)[0]); \ |
488 | 954k | (s2)[19] = (b)[4] ^ ((b)[1] & ((b)[0] ^ (b)[1])); \ |
489 | 954k | (b)[0] = S((s1), 19); \ |
490 | 954k | (b)[1] = S((s1), 20); \ |
491 | 954k | (b)[2] = S((s1), 21); \ |
492 | 954k | (b)[3] = S((s1), 22); \ |
493 | 954k | (b)[4] = S((s1), 23); \ |
494 | 954k | (t12) = ((b)[1] ^ (b)[2]); (t34) = ((b)[3] ^ (b)[4]); \ |
495 | 954k | (s2)[20] = (b)[0] ^ ((b)[2] & (t12)); \ |
496 | 954k | (s2)[21] = (t12) ^ ((b)[2] | (b)[3]); \ |
497 | 954k | (s2)[22] = (b)[2] ^ ((b)[4] & (t34)); \ |
498 | 954k | (s2)[23] = (t34) ^ ((b)[4] | (b)[0]); \ |
499 | 954k | (s2)[24] = (b)[4] ^ ((b)[1] & ((b)[0] ^ (b)[1])); \ |
500 | 954k | } \ |
501 | 954k | while (0) |
502 | | #endif /* SHA3_BY_SPEC */ |
503 | | |
504 | | /* The block operation performed on the state. |
505 | | * |
506 | | * s The state. |
507 | | */ |
508 | | static void BlockSha3(word64 *s) |
509 | 39.7k | { |
510 | 39.7k | word64 n[25]; |
511 | 39.7k | word64 b[5]; |
512 | 39.7k | word64 t0; |
513 | 39.7k | #ifndef SHA3_BY_SPEC |
514 | 39.7k | word64 t1; |
515 | 39.7k | #endif |
516 | 39.7k | byte i; |
517 | | |
518 | 516k | for (i = 0; i < 24; i += 2) |
519 | 477k | { |
520 | 477k | COL_MIX(s, b, x, t0); |
521 | 477k | ROW_MIX(n, s, b, t0, t1); |
522 | 477k | n[0] ^= hash_keccak_r[i]; |
523 | | |
524 | 477k | COL_MIX(n, b, x, t0); |
525 | 477k | ROW_MIX(s, n, b, t0, t1); |
526 | 477k | s[0] ^= hash_keccak_r[i+1]; |
527 | 477k | } |
528 | 39.7k | } |
529 | | #endif /* WOLFSSL_SHA3_SMALL */ |
530 | | #endif /* !WOLFSSL_ARMASM */ |
531 | | |
532 | | static WC_INLINE word64 Load64Unaligned(const unsigned char *a) |
533 | 319k | { |
534 | 319k | return ((word64)a[0] << 0) | |
535 | 319k | ((word64)a[1] << 8) | |
536 | 319k | ((word64)a[2] << 16) | |
537 | 319k | ((word64)a[3] << 24) | |
538 | 319k | ((word64)a[4] << 32) | |
539 | 319k | ((word64)a[5] << 40) | |
540 | 319k | ((word64)a[6] << 48) | |
541 | 319k | ((word64)a[7] << 56); |
542 | 319k | } |
543 | | |
544 | | /* Convert the array of bytes, in little-endian order, to a 64-bit integer. |
545 | | * |
546 | | * a Array of bytes. |
547 | | * returns a 64-bit integer. |
548 | | */ |
549 | | static word64 Load64BitBigEndian(const byte* a) |
550 | 260k | { |
551 | | #if defined(BIG_ENDIAN_ORDER) || (WOLFSSL_GENERAL_ALIGNMENT == 1) |
552 | | word64 n = 0; |
553 | | int i; |
554 | | |
555 | | for (i = 0; i < 8; i++) |
556 | | n |= (word64)a[i] << (8 * i); |
557 | | |
558 | | return n; |
559 | | #elif ((WOLFSSL_GENERAL_ALIGNMENT > 0) && (WOLFSSL_GENERAL_ALIGNMENT == 4)) |
560 | | word64 n; |
561 | | |
562 | | n = *(word32*) a; |
563 | | n |= ((word64)*(word32*)(a + 4)) << 32; |
564 | | |
565 | | return n; |
566 | | #elif ((WOLFSSL_GENERAL_ALIGNMENT > 0) && (WOLFSSL_GENERAL_ALIGNMENT == 2)) |
567 | | word64 n; |
568 | | |
569 | | n = *(word16*) a; |
570 | | n |= ((word64)*(word16*)(a + 2)) << 16; |
571 | | n |= ((word64)*(word16*)(a + 4)) << 32; |
572 | | n |= ((word64)*(word16*)(a + 6)) << 48; |
573 | | |
574 | | return n; |
575 | | #else |
576 | 260k | return *(const word64*)a; |
577 | 260k | #endif |
578 | 260k | } |
579 | | |
580 | | /* Initialize the state for a SHA3-224 hash operation. |
581 | | * |
582 | | * sha3 wc_Sha3 object holding state. |
583 | | * returns 0 on success. |
584 | | */ |
585 | | static int InitSha3(wc_Sha3* sha3) |
586 | 20.4k | { |
587 | 20.4k | int i; |
588 | | |
589 | 531k | for (i = 0; i < 25; i++) |
590 | 510k | sha3->s[i] = 0; |
591 | 20.4k | sha3->i = 0; |
592 | 20.4k | #ifdef WOLFSSL_HASH_FLAGS |
593 | 20.4k | sha3->flags = 0; |
594 | 20.4k | #endif |
595 | | |
596 | 20.4k | return 0; |
597 | 20.4k | } |
598 | | |
599 | | /* Update the SHA-3 hash state with message data. |
600 | | * |
601 | | * sha3 wc_Sha3 object holding state. |
602 | | * data Message data to be hashed. |
603 | | * len Length of the message data. |
604 | | * p Number of 64-bit numbers in a block of data to process. |
605 | | * returns 0 on success. |
606 | | */ |
607 | | static int Sha3Update(wc_Sha3* sha3, const byte* data, word32 len, byte p) |
608 | 46.5k | { |
609 | 46.5k | word32 i; |
610 | 46.5k | byte l; |
611 | 46.5k | byte *t; |
612 | | |
613 | 46.5k | if (sha3->i > 0) { |
614 | 32.0k | l = p * 8 - sha3->i; |
615 | 32.0k | if (l > len) { |
616 | 30.6k | l = (byte)len; |
617 | 30.6k | } |
618 | | |
619 | 32.0k | t = &sha3->t[sha3->i]; |
620 | 774k | for (i = 0; i < l; i++) |
621 | 742k | t[i] = data[i]; |
622 | 32.0k | data += i; |
623 | 32.0k | len -= i; |
624 | 32.0k | sha3->i += (byte) i; |
625 | | |
626 | 32.0k | if (sha3->i == p * 8) { |
627 | 25.1k | for (i = 0; i < p; i++) |
628 | 23.7k | sha3->s[i] ^= Load64BitBigEndian(sha3->t + 8 * i); |
629 | 1.39k | BlockSha3(sha3->s); |
630 | 1.39k | sha3->i = 0; |
631 | 1.39k | } |
632 | 32.0k | } |
633 | 71.0k | while (len >= ((word32)(p * 8))) { |
634 | 343k | for (i = 0; i < p; i++) |
635 | 319k | sha3->s[i] ^= Load64Unaligned(data + 8 * i); |
636 | 24.4k | BlockSha3(sha3->s); |
637 | 24.4k | len -= p * 8; |
638 | 24.4k | data += p * 8; |
639 | 24.4k | } |
640 | 584k | for (i = 0; i < len; i++) |
641 | 537k | sha3->t[i] = data[i]; |
642 | 46.5k | sha3->i += (byte) i; |
643 | | |
644 | 46.5k | return 0; |
645 | 46.5k | } |
646 | | |
647 | | /* Calculate the SHA-3 hash based on all the message data seen. |
648 | | * |
649 | | * sha3 wc_Sha3 object holding state. |
650 | | * hash Buffer to hold the hash result. |
651 | | * p Number of 64-bit numbers in a block of data to process. |
652 | | * len Number of bytes in output. |
653 | | * returns 0 on success. |
654 | | */ |
655 | | static int Sha3Final(wc_Sha3* sha3, byte padChar, byte* hash, byte p, word32 l) |
656 | 13.7k | { |
657 | 13.7k | word32 rate = p * 8; |
658 | 13.7k | word32 j; |
659 | 13.7k | word32 i; |
660 | | |
661 | 13.7k | sha3->t[rate - 1] = 0x00; |
662 | 13.7k | #ifdef WOLFSSL_HASH_FLAGS |
663 | 13.7k | if (p == WC_SHA3_256_COUNT && sha3->flags & WC_HASH_SHA3_KECCAK256) |
664 | 0 | padChar = 0x01; |
665 | 13.7k | #endif |
666 | 13.7k | sha3->t[sha3->i ] = padChar; |
667 | 13.7k | sha3->t[rate - 1] |= 0x80; |
668 | 831k | for (i=sha3->i + 1; i < rate - 1; i++) |
669 | 817k | sha3->t[i] = 0; |
670 | 247k | for (i = 0; i < p; i++) |
671 | 233k | sha3->s[i] ^= Load64BitBigEndian(sha3->t + 8 * i); |
672 | 13.7k | for (j = 0; l - j >= rate; j += rate) { |
673 | 0 | BlockSha3(sha3->s); |
674 | | #if defined(BIG_ENDIAN_ORDER) |
675 | | ByteReverseWords64((word64*)(hash + j), sha3->s, rate); |
676 | | #else |
677 | 0 | XMEMCPY(hash + j, sha3->s, rate); |
678 | 0 | #endif |
679 | 0 | } |
680 | 13.7k | if (j != l) { |
681 | 13.7k | BlockSha3(sha3->s); |
682 | | #if defined(BIG_ENDIAN_ORDER) |
683 | | ByteReverseWords64(sha3->s, sha3->s, rate); |
684 | | #endif |
685 | 13.7k | XMEMCPY(hash + j, sha3->s, l - j); |
686 | 13.7k | } |
687 | 13.7k | return 0; |
688 | 13.7k | } |
689 | | |
690 | | /* Initialize the state for a SHA-3 hash operation. |
691 | | * |
692 | | * sha3 wc_Sha3 object holding state. |
693 | | * heap Heap reference for dynamic memory allocation. (Used in async ops.) |
694 | | * devId Device identifier for asynchronous operation. |
695 | | * returns 0 on success. |
696 | | */ |
697 | | static int wc_InitSha3(wc_Sha3* sha3, void* heap, int devId) |
698 | 6.49k | { |
699 | 6.49k | int ret = 0; |
700 | | |
701 | 6.49k | if (sha3 == NULL) |
702 | 0 | return BAD_FUNC_ARG; |
703 | | |
704 | 6.49k | sha3->heap = heap; |
705 | 6.49k | ret = InitSha3(sha3); |
706 | 6.49k | if (ret != 0) |
707 | 0 | return ret; |
708 | | |
709 | | #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_SHA3) |
710 | | ret = wolfAsync_DevCtxInit(&sha3->asyncDev, |
711 | | WOLFSSL_ASYNC_MARKER_SHA3, sha3->heap, devId); |
712 | | #else |
713 | 6.49k | (void)devId; |
714 | 6.49k | #endif /* WOLFSSL_ASYNC_CRYPT */ |
715 | | |
716 | 6.49k | return ret; |
717 | 6.49k | } |
718 | | |
719 | | /* Update the SHA-3 hash state with message data. |
720 | | * |
721 | | * sha3 wc_Sha3 object holding state. |
722 | | * data Message data to be hashed. |
723 | | * len Length of the message data. |
724 | | * p Number of 64-bit numbers in a block of data to process. |
725 | | * returns 0 on success. |
726 | | */ |
727 | | static int wc_Sha3Update(wc_Sha3* sha3, const byte* data, word32 len, byte p) |
728 | 182 | { |
729 | 182 | int ret; |
730 | | |
731 | 182 | if (sha3 == NULL || (data == NULL && len > 0)) { |
732 | 0 | return BAD_FUNC_ARG; |
733 | 0 | } |
734 | | |
735 | 182 | if (data == NULL && len == 0) { |
736 | | /* valid, but do nothing */ |
737 | 47 | return 0; |
738 | 47 | } |
739 | | |
740 | | #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_SHA3) |
741 | | if (sha3->asyncDev.marker == WOLFSSL_ASYNC_MARKER_SHA3) { |
742 | | #if defined(HAVE_INTEL_QA) && defined(QAT_V2) |
743 | | /* QAT only supports SHA3_256 */ |
744 | | if (p == WC_SHA3_256_COUNT) { |
745 | | ret = IntelQaSymSha3(&sha3->asyncDev, NULL, data, len); |
746 | | if (ret != NOT_COMPILED_IN) |
747 | | return ret; |
748 | | /* fall-through when unavailable */ |
749 | | } |
750 | | #endif |
751 | | } |
752 | | #endif /* WOLFSSL_ASYNC_CRYPT */ |
753 | | |
754 | 135 | ret = Sha3Update(sha3, data, len, p); |
755 | | |
756 | 135 | return ret; |
757 | 182 | } |
758 | | |
759 | | /* Calculate the SHA-3 hash based on all the message data seen. |
760 | | * |
761 | | * sha3 wc_Sha3 object holding state. |
762 | | * hash Buffer to hold the hash result. |
763 | | * p Number of 64-bit numbers in a block of data to process. |
764 | | * len Number of bytes in output. |
765 | | * returns 0 on success. |
766 | | */ |
767 | | static int wc_Sha3Final(wc_Sha3* sha3, byte* hash, byte p, byte len) |
768 | 182 | { |
769 | 182 | int ret; |
770 | | |
771 | 182 | if (sha3 == NULL || hash == NULL) { |
772 | 0 | return BAD_FUNC_ARG; |
773 | 0 | } |
774 | | |
775 | | #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_SHA3) |
776 | | if (sha3->asyncDev.marker == WOLFSSL_ASYNC_MARKER_SHA3) { |
777 | | #if defined(HAVE_INTEL_QA) && defined(QAT_V2) |
778 | | /* QAT only supports SHA3_256 */ |
779 | | /* QAT SHA-3 only supported on v2 (8970 or later cards) */ |
780 | | if (len == WC_SHA3_256_DIGEST_SIZE) { |
781 | | ret = IntelQaSymSha3(&sha3->asyncDev, hash, NULL, len); |
782 | | if (ret != NOT_COMPILED_IN) |
783 | | return ret; |
784 | | /* fall-through when unavailable */ |
785 | | } |
786 | | #endif |
787 | | } |
788 | | #endif /* WOLFSSL_ASYNC_CRYPT */ |
789 | | |
790 | 182 | ret = Sha3Final(sha3, 0x06, hash, p, (word32)len); |
791 | 182 | if (ret != 0) |
792 | 0 | return ret; |
793 | | |
794 | 182 | return InitSha3(sha3); /* reset state */ |
795 | 182 | } |
796 | | |
797 | | /* Dispose of any dynamically allocated data from the SHA3-384 operation. |
798 | | * (Required for async ops.) |
799 | | * |
800 | | * sha3 wc_Sha3 object holding state. |
801 | | * returns 0 on success. |
802 | | */ |
803 | | static void wc_Sha3Free(wc_Sha3* sha3) |
804 | 6.49k | { |
805 | 6.49k | (void)sha3; |
806 | | |
807 | | #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_SHA3) |
808 | | if (sha3 == NULL) |
809 | | return; |
810 | | |
811 | | wolfAsync_DevCtxFree(&sha3->asyncDev, WOLFSSL_ASYNC_MARKER_SHA3); |
812 | | #endif /* WOLFSSL_ASYNC_CRYPT */ |
813 | 6.49k | } |
814 | | |
815 | | |
816 | | /* Copy the state of the SHA3 operation. |
817 | | * |
818 | | * src wc_Sha3 object holding state top copy. |
819 | | * dst wc_Sha3 object to copy into. |
820 | | * returns 0 on success. |
821 | | */ |
822 | | static int wc_Sha3Copy(wc_Sha3* src, wc_Sha3* dst) |
823 | 0 | { |
824 | 0 | int ret = 0; |
825 | |
|
826 | 0 | if (src == NULL || dst == NULL) |
827 | 0 | return BAD_FUNC_ARG; |
828 | | |
829 | 0 | XMEMCPY(dst, src, sizeof(wc_Sha3)); |
830 | |
|
831 | | #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_SHA3) |
832 | | ret = wolfAsync_DevCopy(&src->asyncDev, &dst->asyncDev); |
833 | | #endif |
834 | 0 | #ifdef WOLFSSL_HASH_FLAGS |
835 | 0 | dst->flags |= WC_HASH_FLAG_ISCOPY; |
836 | 0 | #endif |
837 | |
|
838 | 0 | return ret; |
839 | 0 | } |
840 | | |
841 | | /* Calculate the SHA3-224 hash based on all the message data so far. |
842 | | * More message data can be added, after this operation, using the current |
843 | | * state. |
844 | | * |
845 | | * sha3 wc_Sha3 object holding state. |
846 | | * hash Buffer to hold the hash result. Must be at least 28 bytes. |
847 | | * p Number of 64-bit numbers in a block of data to process. |
848 | | * len Number of bytes in output. |
849 | | * returns 0 on success. |
850 | | */ |
851 | | static int wc_Sha3GetHash(wc_Sha3* sha3, byte* hash, byte p, byte len) |
852 | 0 | { |
853 | 0 | int ret; |
854 | 0 | wc_Sha3 tmpSha3; |
855 | |
|
856 | 0 | if (sha3 == NULL || hash == NULL) |
857 | 0 | return BAD_FUNC_ARG; |
858 | | |
859 | 0 | ret = wc_Sha3Copy(sha3, &tmpSha3); |
860 | 0 | if (ret == 0) { |
861 | 0 | ret = wc_Sha3Final(&tmpSha3, hash, p, len); |
862 | 0 | } |
863 | 0 | return ret; |
864 | 0 | } |
865 | | |
866 | | |
867 | | /* Initialize the state for a SHA3-224 hash operation. |
868 | | * |
869 | | * sha3 wc_Sha3 object holding state. |
870 | | * heap Heap reference for dynamic memory allocation. (Used in async ops.) |
871 | | * devId Device identifier for asynchronous operation. |
872 | | * returns 0 on success. |
873 | | */ |
874 | | int wc_InitSha3_224(wc_Sha3* sha3, void* heap, int devId) |
875 | 33 | { |
876 | 33 | return wc_InitSha3(sha3, heap, devId); |
877 | 33 | } |
878 | | |
879 | | /* Update the SHA3-224 hash state with message data. |
880 | | * |
881 | | * sha3 wc_Sha3 object holding state. |
882 | | * data Message data to be hashed. |
883 | | * len Length of the message data. |
884 | | * returns 0 on success. |
885 | | */ |
886 | | int wc_Sha3_224_Update(wc_Sha3* sha3, const byte* data, word32 len) |
887 | 33 | { |
888 | 33 | return wc_Sha3Update(sha3, data, len, WC_SHA3_224_COUNT); |
889 | 33 | } |
890 | | |
891 | | /* Calculate the SHA3-224 hash based on all the message data seen. |
892 | | * The state is initialized ready for a new message to hash. |
893 | | * |
894 | | * sha3 wc_Sha3 object holding state. |
895 | | * hash Buffer to hold the hash result. Must be at least 28 bytes. |
896 | | * returns 0 on success. |
897 | | */ |
898 | | int wc_Sha3_224_Final(wc_Sha3* sha3, byte* hash) |
899 | 33 | { |
900 | 33 | return wc_Sha3Final(sha3, hash, WC_SHA3_224_COUNT, WC_SHA3_224_DIGEST_SIZE); |
901 | 33 | } |
902 | | |
903 | | /* Dispose of any dynamically allocated data from the SHA3-224 operation. |
904 | | * (Required for async ops.) |
905 | | * |
906 | | * sha3 wc_Sha3 object holding state. |
907 | | * returns 0 on success. |
908 | | */ |
909 | | void wc_Sha3_224_Free(wc_Sha3* sha3) |
910 | 33 | { |
911 | 33 | wc_Sha3Free(sha3); |
912 | 33 | } |
913 | | |
914 | | /* Calculate the SHA3-224 hash based on all the message data so far. |
915 | | * More message data can be added, after this operation, using the current |
916 | | * state. |
917 | | * |
918 | | * sha3 wc_Sha3 object holding state. |
919 | | * hash Buffer to hold the hash result. Must be at least 28 bytes. |
920 | | * returns 0 on success. |
921 | | */ |
922 | | int wc_Sha3_224_GetHash(wc_Sha3* sha3, byte* hash) |
923 | 0 | { |
924 | 0 | return wc_Sha3GetHash(sha3, hash, WC_SHA3_224_COUNT, WC_SHA3_224_DIGEST_SIZE); |
925 | 0 | } |
926 | | |
927 | | /* Copy the state of the SHA3-224 operation. |
928 | | * |
929 | | * src wc_Sha3 object holding state top copy. |
930 | | * dst wc_Sha3 object to copy into. |
931 | | * returns 0 on success. |
932 | | */ |
933 | | int wc_Sha3_224_Copy(wc_Sha3* src, wc_Sha3* dst) |
934 | 0 | { |
935 | 0 | return wc_Sha3Copy(src, dst); |
936 | 0 | } |
937 | | |
938 | | |
939 | | /* Initialize the state for a SHA3-256 hash operation. |
940 | | * |
941 | | * sha3 wc_Sha3 object holding state. |
942 | | * heap Heap reference for dynamic memory allocation. (Used in async ops.) |
943 | | * devId Device identifier for asynchronous operation. |
944 | | * returns 0 on success. |
945 | | */ |
946 | | int wc_InitSha3_256(wc_Sha3* sha3, void* heap, int devId) |
947 | 29 | { |
948 | 29 | return wc_InitSha3(sha3, heap, devId); |
949 | 29 | } |
950 | | |
951 | | /* Update the SHA3-256 hash state with message data. |
952 | | * |
953 | | * sha3 wc_Sha3 object holding state. |
954 | | * data Message data to be hashed. |
955 | | * len Length of the message data. |
956 | | * returns 0 on success. |
957 | | */ |
958 | | int wc_Sha3_256_Update(wc_Sha3* sha3, const byte* data, word32 len) |
959 | 29 | { |
960 | 29 | return wc_Sha3Update(sha3, data, len, WC_SHA3_256_COUNT); |
961 | 29 | } |
962 | | |
963 | | /* Calculate the SHA3-256 hash based on all the message data seen. |
964 | | * The state is initialized ready for a new message to hash. |
965 | | * |
966 | | * sha3 wc_Sha3 object holding state. |
967 | | * hash Buffer to hold the hash result. Must be at least 32 bytes. |
968 | | * returns 0 on success. |
969 | | */ |
970 | | int wc_Sha3_256_Final(wc_Sha3* sha3, byte* hash) |
971 | 29 | { |
972 | 29 | return wc_Sha3Final(sha3, hash, WC_SHA3_256_COUNT, WC_SHA3_256_DIGEST_SIZE); |
973 | 29 | } |
974 | | |
975 | | /* Dispose of any dynamically allocated data from the SHA3-256 operation. |
976 | | * (Required for async ops.) |
977 | | * |
978 | | * sha3 wc_Sha3 object holding state. |
979 | | * returns 0 on success. |
980 | | */ |
981 | | void wc_Sha3_256_Free(wc_Sha3* sha3) |
982 | 29 | { |
983 | 29 | wc_Sha3Free(sha3); |
984 | 29 | } |
985 | | |
986 | | /* Calculate the SHA3-256 hash based on all the message data so far. |
987 | | * More message data can be added, after this operation, using the current |
988 | | * state. |
989 | | * |
990 | | * sha3 wc_Sha3 object holding state. |
991 | | * hash Buffer to hold the hash result. Must be at least 32 bytes. |
992 | | * returns 0 on success. |
993 | | */ |
994 | | int wc_Sha3_256_GetHash(wc_Sha3* sha3, byte* hash) |
995 | 0 | { |
996 | 0 | return wc_Sha3GetHash(sha3, hash, WC_SHA3_256_COUNT, WC_SHA3_256_DIGEST_SIZE); |
997 | 0 | } |
998 | | |
999 | | /* Copy the state of the SHA3-256 operation. |
1000 | | * |
1001 | | * src wc_Sha3 object holding state top copy. |
1002 | | * dst wc_Sha3 object to copy into. |
1003 | | * returns 0 on success. |
1004 | | */ |
1005 | | int wc_Sha3_256_Copy(wc_Sha3* src, wc_Sha3* dst) |
1006 | 0 | { |
1007 | 0 | return wc_Sha3Copy(src, dst); |
1008 | 0 | } |
1009 | | |
1010 | | |
1011 | | /* Initialize the state for a SHA3-384 hash operation. |
1012 | | * |
1013 | | * sha3 wc_Sha3 object holding state. |
1014 | | * heap Heap reference for dynamic memory allocation. (Used in async ops.) |
1015 | | * devId Device identifier for asynchronous operation. |
1016 | | * returns 0 on success. |
1017 | | */ |
1018 | | int wc_InitSha3_384(wc_Sha3* sha3, void* heap, int devId) |
1019 | 35 | { |
1020 | 35 | return wc_InitSha3(sha3, heap, devId); |
1021 | 35 | } |
1022 | | |
1023 | | /* Update the SHA3-384 hash state with message data. |
1024 | | * |
1025 | | * sha3 wc_Sha3 object holding state. |
1026 | | * data Message data to be hashed. |
1027 | | * len Length of the message data. |
1028 | | * returns 0 on success. |
1029 | | */ |
1030 | | int wc_Sha3_384_Update(wc_Sha3* sha3, const byte* data, word32 len) |
1031 | 35 | { |
1032 | 35 | return wc_Sha3Update(sha3, data, len, WC_SHA3_384_COUNT); |
1033 | 35 | } |
1034 | | |
1035 | | /* Calculate the SHA3-384 hash based on all the message data seen. |
1036 | | * The state is initialized ready for a new message to hash. |
1037 | | * |
1038 | | * sha3 wc_Sha3 object holding state. |
1039 | | * hash Buffer to hold the hash result. Must be at least 48 bytes. |
1040 | | * returns 0 on success. |
1041 | | */ |
1042 | | int wc_Sha3_384_Final(wc_Sha3* sha3, byte* hash) |
1043 | 35 | { |
1044 | 35 | return wc_Sha3Final(sha3, hash, WC_SHA3_384_COUNT, WC_SHA3_384_DIGEST_SIZE); |
1045 | 35 | } |
1046 | | |
1047 | | /* Dispose of any dynamically allocated data from the SHA3-384 operation. |
1048 | | * (Required for async ops.) |
1049 | | * |
1050 | | * sha3 wc_Sha3 object holding state. |
1051 | | * returns 0 on success. |
1052 | | */ |
1053 | | void wc_Sha3_384_Free(wc_Sha3* sha3) |
1054 | 35 | { |
1055 | 35 | wc_Sha3Free(sha3); |
1056 | 35 | } |
1057 | | |
1058 | | /* Calculate the SHA3-384 hash based on all the message data so far. |
1059 | | * More message data can be added, after this operation, using the current |
1060 | | * state. |
1061 | | * |
1062 | | * sha3 wc_Sha3 object holding state. |
1063 | | * hash Buffer to hold the hash result. Must be at least 48 bytes. |
1064 | | * returns 0 on success. |
1065 | | */ |
1066 | | int wc_Sha3_384_GetHash(wc_Sha3* sha3, byte* hash) |
1067 | 0 | { |
1068 | 0 | return wc_Sha3GetHash(sha3, hash, WC_SHA3_384_COUNT, WC_SHA3_384_DIGEST_SIZE); |
1069 | 0 | } |
1070 | | |
1071 | | /* Copy the state of the SHA3-384 operation. |
1072 | | * |
1073 | | * src wc_Sha3 object holding state top copy. |
1074 | | * dst wc_Sha3 object to copy into. |
1075 | | * returns 0 on success. |
1076 | | */ |
1077 | | int wc_Sha3_384_Copy(wc_Sha3* src, wc_Sha3* dst) |
1078 | 0 | { |
1079 | 0 | return wc_Sha3Copy(src, dst); |
1080 | 0 | } |
1081 | | |
1082 | | |
1083 | | /* Initialize the state for a SHA3-512 hash operation. |
1084 | | * |
1085 | | * sha3 wc_Sha3 object holding state. |
1086 | | * heap Heap reference for dynamic memory allocation. (Used in async ops.) |
1087 | | * devId Device identifier for asynchronous operation. |
1088 | | * returns 0 on success. |
1089 | | */ |
1090 | | int wc_InitSha3_512(wc_Sha3* sha3, void* heap, int devId) |
1091 | 85 | { |
1092 | 85 | return wc_InitSha3(sha3, heap, devId); |
1093 | 85 | } |
1094 | | |
1095 | | /* Update the SHA3-512 hash state with message data. |
1096 | | * |
1097 | | * sha3 wc_Sha3 object holding state. |
1098 | | * data Message data to be hashed. |
1099 | | * len Length of the message data. |
1100 | | * returns 0 on success. |
1101 | | */ |
1102 | | int wc_Sha3_512_Update(wc_Sha3* sha3, const byte* data, word32 len) |
1103 | 85 | { |
1104 | 85 | return wc_Sha3Update(sha3, data, len, WC_SHA3_512_COUNT); |
1105 | 85 | } |
1106 | | |
1107 | | /* Calculate the SHA3-512 hash based on all the message data seen. |
1108 | | * The state is initialized ready for a new message to hash. |
1109 | | * |
1110 | | * sha3 wc_Sha3 object holding state. |
1111 | | * hash Buffer to hold the hash result. Must be at least 64 bytes. |
1112 | | * returns 0 on success. |
1113 | | */ |
1114 | | int wc_Sha3_512_Final(wc_Sha3* sha3, byte* hash) |
1115 | 85 | { |
1116 | 85 | return wc_Sha3Final(sha3, hash, WC_SHA3_512_COUNT, WC_SHA3_512_DIGEST_SIZE); |
1117 | 85 | } |
1118 | | |
1119 | | /* Dispose of any dynamically allocated data from the SHA3-512 operation. |
1120 | | * (Required for async ops.) |
1121 | | * |
1122 | | * sha3 wc_Sha3 object holding state. |
1123 | | * returns 0 on success. |
1124 | | */ |
1125 | | void wc_Sha3_512_Free(wc_Sha3* sha3) |
1126 | 85 | { |
1127 | 85 | wc_Sha3Free(sha3); |
1128 | 85 | } |
1129 | | |
1130 | | /* Calculate the SHA3-512 hash based on all the message data so far. |
1131 | | * More message data can be added, after this operation, using the current |
1132 | | * state. |
1133 | | * |
1134 | | * sha3 wc_Sha3 object holding state. |
1135 | | * hash Buffer to hold the hash result. Must be at least 64 bytes. |
1136 | | * returns 0 on success. |
1137 | | */ |
1138 | | int wc_Sha3_512_GetHash(wc_Sha3* sha3, byte* hash) |
1139 | 0 | { |
1140 | 0 | return wc_Sha3GetHash(sha3, hash, WC_SHA3_512_COUNT, WC_SHA3_512_DIGEST_SIZE); |
1141 | 0 | } |
1142 | | |
1143 | | /* Copy the state of the SHA3-512 operation. |
1144 | | * |
1145 | | * src wc_Sha3 object holding state top copy. |
1146 | | * dst wc_Sha3 object to copy into. |
1147 | | * returns 0 on success. |
1148 | | */ |
1149 | | int wc_Sha3_512_Copy(wc_Sha3* src, wc_Sha3* dst) |
1150 | 0 | { |
1151 | 0 | return wc_Sha3Copy(src, dst); |
1152 | 0 | } |
1153 | | |
1154 | | #ifdef WOLFSSL_HASH_FLAGS |
1155 | | int wc_Sha3_SetFlags(wc_Sha3* sha3, word32 flags) |
1156 | 0 | { |
1157 | 0 | if (sha3) { |
1158 | 0 | sha3->flags = flags; |
1159 | 0 | } |
1160 | 0 | return 0; |
1161 | 0 | } |
1162 | | int wc_Sha3_GetFlags(wc_Sha3* sha3, word32* flags) |
1163 | 0 | { |
1164 | 0 | if (sha3 && flags) { |
1165 | 0 | *flags = sha3->flags; |
1166 | 0 | } |
1167 | 0 | return 0; |
1168 | 0 | } |
1169 | | #endif |
1170 | | |
1171 | | #ifdef WOLFSSL_SHAKE256 |
1172 | | /* Initialize the state for a Shake256 hash operation. |
1173 | | * |
1174 | | * shake wc_Shake object holding state. |
1175 | | * heap Heap reference for dynamic memory allocation. (Used in async ops.) |
1176 | | * devId Device identifier for asynchronous operation. |
1177 | | * returns 0 on success. |
1178 | | */ |
1179 | | int wc_InitShake256(wc_Shake* shake, void* heap, int devId) |
1180 | 6.30k | { |
1181 | 6.30k | return wc_InitSha3(shake, heap, devId); |
1182 | 6.30k | } |
1183 | | |
1184 | | /* Update the SHAKE256 hash state with message data. |
1185 | | * |
1186 | | * shake wc_Shake object holding state. |
1187 | | * data Message data to be hashed. |
1188 | | * len Length of the message data. |
1189 | | * returns 0 on success. |
1190 | | */ |
1191 | | int wc_Shake256_Update(wc_Shake* shake, const byte* data, word32 len) |
1192 | 46.4k | { |
1193 | 46.4k | if (shake == NULL || (data == NULL && len > 0)) { |
1194 | 0 | return BAD_FUNC_ARG; |
1195 | 0 | } |
1196 | | |
1197 | 46.4k | if (data == NULL && len == 0) { |
1198 | | /* valid, but do nothing */ |
1199 | 0 | return 0; |
1200 | 0 | } |
1201 | | |
1202 | 46.4k | return Sha3Update(shake, data, len, WC_SHA3_256_COUNT); |
1203 | 46.4k | } |
1204 | | |
1205 | | /* Calculate the SHAKE256 hash based on all the message data seen. |
1206 | | * The state is initialized ready for a new message to hash. |
1207 | | * |
1208 | | * shake wc_Shake object holding state. |
1209 | | * hash Buffer to hold the hash result. Must be at least 64 bytes. |
1210 | | * returns 0 on success. |
1211 | | */ |
1212 | | int wc_Shake256_Final(wc_Shake* shake, byte* hash, word32 hashLen) |
1213 | 13.7k | { |
1214 | 13.7k | int ret; |
1215 | | |
1216 | 13.7k | if (shake == NULL || hash == NULL) { |
1217 | 0 | return BAD_FUNC_ARG; |
1218 | 0 | } |
1219 | | |
1220 | 13.7k | ret = Sha3Final(shake, 0x1f, hash, WC_SHA3_256_COUNT, hashLen); |
1221 | 13.7k | if (ret != 0) |
1222 | 0 | return ret; |
1223 | | |
1224 | 13.7k | return InitSha3(shake); /* reset state */ |
1225 | 13.7k | } |
1226 | | |
1227 | | /* Dispose of any dynamically allocated data from the SHAKE256 operation. |
1228 | | * (Required for async ops.) |
1229 | | * |
1230 | | * shake wc_Shake object holding state. |
1231 | | * returns 0 on success. |
1232 | | */ |
1233 | | void wc_Shake256_Free(wc_Shake* shake) |
1234 | 6.30k | { |
1235 | 6.30k | wc_Sha3Free(shake); |
1236 | 6.30k | } |
1237 | | |
1238 | | /* Copy the state of the SHA3-512 operation. |
1239 | | * |
1240 | | * src wc_Shake object holding state top copy. |
1241 | | * dst wc_Shake object to copy into. |
1242 | | * returns 0 on success. |
1243 | | */ |
1244 | | int wc_Shake256_Copy(wc_Shake* src, wc_Shake* dst) |
1245 | 0 | { |
1246 | 0 | return wc_Sha3Copy(src, dst); |
1247 | 0 | } |
1248 | | #endif |
1249 | | |
1250 | | #endif /* WOLFSSL_SHA3 */ |