/src/wolfssl-fastmath/wolfcrypt/src/sha3.c
Line | Count | Source |
1 | | /* sha3.c |
2 | | * |
3 | | * Copyright (C) 2006-2025 wolfSSL Inc. |
4 | | * |
5 | | * This file is part of wolfSSL. |
6 | | * |
7 | | * wolfSSL is free software; you can redistribute it and/or modify |
8 | | * it under the terms of the GNU General Public License as published by |
9 | | * the Free Software Foundation; either version 3 of the License, or |
10 | | * (at your option) any later version. |
11 | | * |
12 | | * wolfSSL is distributed in the hope that it will be useful, |
13 | | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
14 | | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
15 | | * GNU General Public License for more details. |
16 | | * |
17 | | * You should have received a copy of the GNU General Public License |
18 | | * along with this program; if not, write to the Free Software |
19 | | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA |
20 | | */ |
21 | | |
22 | | #include <wolfssl/wolfcrypt/libwolfssl_sources.h> |
23 | | |
24 | | #ifdef WC_SHA3_NO_ASM |
25 | | #undef USE_INTEL_SPEEDUP |
26 | | #undef WOLFSSL_ARMASM |
27 | | #undef WOLFSSL_RISCV_ASM |
28 | | #endif |
29 | | |
30 | | #if defined(WOLFSSL_PSOC6_CRYPTO) |
31 | | #include <wolfssl/wolfcrypt/port/cypress/psoc6_crypto.h> |
32 | | #endif |
33 | | |
34 | | #if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_XILINX_CRYPT) && \ |
35 | | !defined(WOLFSSL_AFALG_XILINX_SHA3) |
36 | | |
37 | | #if FIPS_VERSION3_GE(2,0,0) |
38 | | /* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */ |
39 | | #define FIPS_NO_WRAPPERS |
40 | | |
41 | | #ifdef USE_WINDOWS_API |
42 | | #pragma code_seg(".fipsA$n") |
43 | | #pragma const_seg(".fipsB$n") |
44 | | #endif |
45 | | #endif |
46 | | |
47 | | #include <wolfssl/wolfcrypt/sha3.h> |
48 | | #include <wolfssl/wolfcrypt/hash.h> |
49 | | |
50 | | #ifdef WOLF_CRYPTO_CB |
51 | | #include <wolfssl/wolfcrypt/cryptocb.h> |
52 | | #endif |
53 | | #ifdef NO_INLINE |
54 | | #include <wolfssl/wolfcrypt/misc.h> |
55 | | #else |
56 | | #define WOLFSSL_MISC_INCLUDED |
57 | | #include <wolfcrypt/src/misc.c> |
58 | | #endif |
59 | | |
60 | | #if FIPS_VERSION3_GE(6,0,0) |
61 | | const unsigned int wolfCrypt_FIPS_sha3_ro_sanity[2] = |
62 | | { 0x1a2b3c4d, 0x00000016 }; |
63 | | int wolfCrypt_FIPS_SHA3_sanity(void) |
64 | | { |
65 | | return 0; |
66 | | } |
67 | | #endif |
68 | | |
69 | | |
70 | | #if defined(USE_INTEL_SPEEDUP) || (defined(__aarch64__) && \ |
71 | | defined(WOLFSSL_ARMASM)) |
72 | | #include <wolfssl/wolfcrypt/cpuid.h> |
73 | | |
74 | | static cpuid_flags_t cpuid_flags = WC_CPUID_INITIALIZER; |
75 | | #ifdef WC_C_DYNAMIC_FALLBACK |
76 | | #define SHA3_BLOCK (sha3->sha3_block) |
77 | | #define SHA3_BLOCK_N (sha3->sha3_block_n) |
78 | | #else |
79 | | void (*sha3_block)(word64 *s) = NULL; |
80 | | void (*sha3_block_n)(word64 *s, const byte* data, word32 n, |
81 | | word64 c) = NULL; |
82 | | #define SHA3_BLOCK sha3_block |
83 | | #define SHA3_BLOCK_N sha3_block_n |
84 | | #endif |
85 | | #endif |
86 | | |
87 | | #if !defined(WOLFSSL_ARMASM) && !defined(WOLFSSL_RISCV_ASM) |
88 | | |
89 | | #ifdef WOLFSSL_SHA3_SMALL |
90 | | /* Rotate a 64-bit value left. |
91 | | * |
92 | | * a Number to rotate left. |
93 | | * r Number od bits to rotate left. |
94 | | * returns the rotated number. |
95 | | */ |
96 | | #define ROTL64(a, n) (((a)<<(n))|((a)>>(64-(n)))) |
97 | | |
98 | | /* An array of values to XOR for block operation. */ |
99 | | static const word64 hash_keccak_r[24] = |
100 | | { |
101 | | 0x0000000000000001UL, 0x0000000000008082UL, |
102 | | 0x800000000000808aUL, 0x8000000080008000UL, |
103 | | 0x000000000000808bUL, 0x0000000080000001UL, |
104 | | 0x8000000080008081UL, 0x8000000000008009UL, |
105 | | 0x000000000000008aUL, 0x0000000000000088UL, |
106 | | 0x0000000080008009UL, 0x000000008000000aUL, |
107 | | 0x000000008000808bUL, 0x800000000000008bUL, |
108 | | 0x8000000000008089UL, 0x8000000000008003UL, |
109 | | 0x8000000000008002UL, 0x8000000000000080UL, |
110 | | 0x000000000000800aUL, 0x800000008000000aUL, |
111 | | 0x8000000080008081UL, 0x8000000000008080UL, |
112 | | 0x0000000080000001UL, 0x8000000080008008UL |
113 | | }; |
114 | | |
115 | | /* Indices used in swap and rotate operation. */ |
116 | | #define K_I_0 10 |
117 | | #define K_I_1 7 |
118 | | #define K_I_2 11 |
119 | | #define K_I_3 17 |
120 | | #define K_I_4 18 |
121 | | #define K_I_5 3 |
122 | | #define K_I_6 5 |
123 | | #define K_I_7 16 |
124 | | #define K_I_8 8 |
125 | | #define K_I_9 21 |
126 | | #define K_I_10 24 |
127 | | #define K_I_11 4 |
128 | | #define K_I_12 15 |
129 | | #define K_I_13 23 |
130 | | #define K_I_14 19 |
131 | | #define K_I_15 13 |
132 | | #define K_I_16 12 |
133 | | #define K_I_17 2 |
134 | | #define K_I_18 20 |
135 | | #define K_I_19 14 |
136 | | #define K_I_20 22 |
137 | | #define K_I_21 9 |
138 | | #define K_I_22 6 |
139 | | #define K_I_23 1 |
140 | | |
141 | | /* Number of bits to rotate in swap and rotate operation. */ |
142 | | #define K_R_0 1 |
143 | | #define K_R_1 3 |
144 | | #define K_R_2 6 |
145 | | #define K_R_3 10 |
146 | | #define K_R_4 15 |
147 | | #define K_R_5 21 |
148 | | #define K_R_6 28 |
149 | | #define K_R_7 36 |
150 | | #define K_R_8 45 |
151 | | #define K_R_9 55 |
152 | | #define K_R_10 2 |
153 | | #define K_R_11 14 |
154 | | #define K_R_12 27 |
155 | | #define K_R_13 41 |
156 | | #define K_R_14 56 |
157 | | #define K_R_15 8 |
158 | | #define K_R_16 25 |
159 | | #define K_R_17 43 |
160 | | #define K_R_18 62 |
161 | | #define K_R_19 18 |
162 | | #define K_R_20 39 |
163 | | #define K_R_21 61 |
164 | | #define K_R_22 20 |
165 | | #define K_R_23 44 |
166 | | |
167 | | /* Swap and rotate left operation. |
168 | | * |
169 | | * s The state. |
170 | | * t1 Temporary value. |
171 | | * t2 Second temporary value. |
172 | | * i The index of the loop. |
173 | | */ |
174 | | #define SWAP_ROTL(s, t1, t2, i) \ |
175 | | do { \ |
176 | | t2 = s[K_I_##i]; s[K_I_##i] = ROTL64(t1, K_R_##i); \ |
177 | | } \ |
178 | | while (0) |
179 | | |
180 | | /* Mix the XOR of the column's values into each number by column. |
181 | | * |
182 | | * s The state. |
183 | | * b Temporary array of XORed column values. |
184 | | * x The index of the column. |
185 | | * t Temporary variable. |
186 | | */ |
187 | | #define COL_MIX(s, b, x, t) \ |
188 | | do { \ |
189 | | for (x = 0; x < 5; x++) \ |
190 | | b[x] = s[x + 0] ^ s[x + 5] ^ s[x + 10] ^ s[x + 15] ^ s[x + 20]; \ |
191 | | for (x = 0; x < 5; x++) { \ |
192 | | t = b[(x + 4) % 5] ^ ROTL64(b[(x + 1) % 5], 1); \ |
193 | | s[x + 0] ^= t; \ |
194 | | s[x + 5] ^= t; \ |
195 | | s[x + 10] ^= t; \ |
196 | | s[x + 15] ^= t; \ |
197 | | s[x + 20] ^= t; \ |
198 | | } \ |
199 | | } \ |
200 | | while (0) |
201 | | |
202 | | #ifdef SHA3_BY_SPEC |
203 | | /* Mix the row values. |
204 | | * BMI1 has ANDN instruction ((~a) & b) - Haswell and above. |
205 | | * |
206 | | * s The state. |
207 | | * b Temporary array of XORed row values. |
208 | | * y The index of the row to work on. |
209 | | * x The index of the column. |
210 | | * t0 Temporary variable. |
211 | | * t1 Temporary variable. |
212 | | */ |
213 | | #define ROW_MIX(s, b, y, x, t0, t1) \ |
214 | | do { \ |
215 | | for (y = 0; y < 5; y++) { \ |
216 | | for (x = 0; x < 5; x++) \ |
217 | | b[x] = s[y * 5 + x]; \ |
218 | | for (x = 0; x < 5; x++) \ |
219 | | s[y * 5 + x] = b[x] ^ (~b[(x + 1) % 5] & b[(x + 2) % 5]); \ |
220 | | } \ |
221 | | } \ |
222 | | while (0) |
223 | | #else |
224 | | /* Mix the row values. |
225 | | * a ^ (~b & c) == a ^ (c & (b ^ c)) == (a ^ b) ^ (b | c) |
226 | | * |
227 | | * s The state. |
228 | | * b Temporary array of XORed row values. |
229 | | * y The index of the row to work on. |
230 | | * x The index of the column. |
231 | | * t0 Temporary variable. |
232 | | * t1 Temporary variable. |
233 | | */ |
234 | | #define ROW_MIX(s, b, y, x, t12, t34) \ |
235 | | do { \ |
236 | | for (y = 0; y < 5; y++) { \ |
237 | | for (x = 0; x < 5; x++) \ |
238 | | b[x] = s[y * 5 + x]; \ |
239 | | t12 = (b[1] ^ b[2]); t34 = (b[3] ^ b[4]); \ |
240 | | s[y * 5 + 0] = b[0] ^ (b[2] & t12); \ |
241 | | s[y * 5 + 1] = t12 ^ (b[2] | b[3]); \ |
242 | | s[y * 5 + 2] = b[2] ^ (b[4] & t34); \ |
243 | | s[y * 5 + 3] = t34 ^ (b[4] | b[0]); \ |
244 | | s[y * 5 + 4] = b[4] ^ (b[1] & (b[0] ^ b[1])); \ |
245 | | } \ |
246 | | } \ |
247 | | while (0) |
248 | | #endif /* SHA3_BY_SPEC */ |
249 | | |
250 | | /* The block operation performed on the state. |
251 | | * |
252 | | * s The state. |
253 | | */ |
254 | | void BlockSha3(word64* s) |
255 | | { |
256 | | byte i, x, y; |
257 | | word64 t0, t1; |
258 | | word64 b[5]; |
259 | | |
260 | | for (i = 0; i < 24; i++) |
261 | | { |
262 | | COL_MIX(s, b, x, t0); |
263 | | |
264 | | t0 = s[1]; |
265 | | SWAP_ROTL(s, t0, t1, 0); |
266 | | SWAP_ROTL(s, t1, t0, 1); |
267 | | SWAP_ROTL(s, t0, t1, 2); |
268 | | SWAP_ROTL(s, t1, t0, 3); |
269 | | SWAP_ROTL(s, t0, t1, 4); |
270 | | SWAP_ROTL(s, t1, t0, 5); |
271 | | SWAP_ROTL(s, t0, t1, 6); |
272 | | SWAP_ROTL(s, t1, t0, 7); |
273 | | SWAP_ROTL(s, t0, t1, 8); |
274 | | SWAP_ROTL(s, t1, t0, 9); |
275 | | SWAP_ROTL(s, t0, t1, 10); |
276 | | SWAP_ROTL(s, t1, t0, 11); |
277 | | SWAP_ROTL(s, t0, t1, 12); |
278 | | SWAP_ROTL(s, t1, t0, 13); |
279 | | SWAP_ROTL(s, t0, t1, 14); |
280 | | SWAP_ROTL(s, t1, t0, 15); |
281 | | SWAP_ROTL(s, t0, t1, 16); |
282 | | SWAP_ROTL(s, t1, t0, 17); |
283 | | SWAP_ROTL(s, t0, t1, 18); |
284 | | SWAP_ROTL(s, t1, t0, 19); |
285 | | SWAP_ROTL(s, t0, t1, 20); |
286 | | SWAP_ROTL(s, t1, t0, 21); |
287 | | SWAP_ROTL(s, t0, t1, 22); |
288 | | SWAP_ROTL(s, t1, t0, 23); |
289 | | |
290 | | ROW_MIX(s, b, y, x, t0, t1); |
291 | | |
292 | | s[0] ^= hash_keccak_r[i]; |
293 | | } |
294 | | } |
295 | | #else |
296 | | /* Rotate a 64-bit value left. |
297 | | * |
298 | | * a Number to rotate left. |
299 | | * r Number od bits to rotate left. |
300 | | * returns the rotated number. |
301 | | */ |
302 | 25.6M | #define ROTL64(a, n) (((a)<<(n))|((a)>>(64-(n)))) |
303 | | |
304 | | #if !defined(STM32_HASH_SHA3) && !defined(PSOC6_HASH_SHA3) |
305 | | /* An array of values to XOR for block operation. */ |
306 | | static const word64 hash_keccak_r[24] = |
307 | | { |
308 | | W64LIT(0x0000000000000001), W64LIT(0x0000000000008082), |
309 | | W64LIT(0x800000000000808a), W64LIT(0x8000000080008000), |
310 | | W64LIT(0x000000000000808b), W64LIT(0x0000000080000001), |
311 | | W64LIT(0x8000000080008081), W64LIT(0x8000000000008009), |
312 | | W64LIT(0x000000000000008a), W64LIT(0x0000000000000088), |
313 | | W64LIT(0x0000000080008009), W64LIT(0x000000008000000a), |
314 | | W64LIT(0x000000008000808b), W64LIT(0x800000000000008b), |
315 | | W64LIT(0x8000000000008089), W64LIT(0x8000000000008003), |
316 | | W64LIT(0x8000000000008002), W64LIT(0x8000000000000080), |
317 | | W64LIT(0x000000000000800a), W64LIT(0x800000008000000a), |
318 | | W64LIT(0x8000000080008081), W64LIT(0x8000000000008080), |
319 | | W64LIT(0x0000000080000001), W64LIT(0x8000000080008008) |
320 | | }; |
321 | | #endif |
322 | | |
323 | | /* Indices used in swap and rotate operation. */ |
324 | | #define KI_0 6 |
325 | | #define KI_1 12 |
326 | | #define KI_2 18 |
327 | | #define KI_3 24 |
328 | | #define KI_4 3 |
329 | | #define KI_5 9 |
330 | | #define KI_6 10 |
331 | | #define KI_7 16 |
332 | | #define KI_8 22 |
333 | | #define KI_9 1 |
334 | | #define KI_10 7 |
335 | | #define KI_11 13 |
336 | | #define KI_12 19 |
337 | | #define KI_13 20 |
338 | | #define KI_14 4 |
339 | | #define KI_15 5 |
340 | | #define KI_16 11 |
341 | | #define KI_17 17 |
342 | | #define KI_18 23 |
343 | | #define KI_19 2 |
344 | | #define KI_20 8 |
345 | | #define KI_21 14 |
346 | | #define KI_22 15 |
347 | | #define KI_23 21 |
348 | | |
349 | | /* Number of bits to rotate in swap and rotate operation. */ |
350 | | #define KR_0 44 |
351 | | #define KR_1 43 |
352 | | #define KR_2 21 |
353 | | #define KR_3 14 |
354 | | #define KR_4 28 |
355 | | #define KR_5 20 |
356 | | #define KR_6 3 |
357 | | #define KR_7 45 |
358 | | #define KR_8 61 |
359 | | #define KR_9 1 |
360 | | #define KR_10 6 |
361 | | #define KR_11 25 |
362 | | #define KR_12 8 |
363 | | #define KR_13 18 |
364 | | #define KR_14 27 |
365 | | #define KR_15 36 |
366 | | #define KR_16 10 |
367 | | #define KR_17 15 |
368 | | #define KR_18 56 |
369 | | #define KR_19 62 |
370 | | #define KR_20 55 |
371 | | #define KR_21 39 |
372 | | #define KR_22 41 |
373 | | #define KR_23 2 |
374 | | |
375 | | /* Mix the XOR of the column's values into each number by column. |
376 | | * |
377 | | * s The state. |
378 | | * b Temporary array of XORed column values. |
379 | | * x The index of the column. |
380 | | * t Temporary variable. |
381 | | */ |
382 | 884k | #define COL_MIX(s, b, x, t) \ |
383 | 884k | do { \ |
384 | 884k | (b)[0] = (s)[0] ^ (s)[5] ^ (s)[10] ^ (s)[15] ^ (s)[20]; \ |
385 | 884k | (b)[1] = (s)[1] ^ (s)[6] ^ (s)[11] ^ (s)[16] ^ (s)[21]; \ |
386 | 884k | (b)[2] = (s)[2] ^ (s)[7] ^ (s)[12] ^ (s)[17] ^ (s)[22]; \ |
387 | 884k | (b)[3] = (s)[3] ^ (s)[8] ^ (s)[13] ^ (s)[18] ^ (s)[23]; \ |
388 | 884k | (b)[4] = (s)[4] ^ (s)[9] ^ (s)[14] ^ (s)[19] ^ (s)[24]; \ |
389 | 884k | (t) = (b)[(0 + 4) % 5] ^ ROTL64((b)[(0 + 1) % 5], 1); \ |
390 | 884k | (s)[ 0] ^= (t); (s)[ 5] ^= (t); (s)[10] ^= (t); (s)[15] ^= (t); (s)[20] ^= (t); \ |
391 | 884k | (t) = (b)[(1 + 4) % 5] ^ ROTL64((b)[(1 + 1) % 5], 1); \ |
392 | 884k | (s)[ 1] ^= (t); (s)[ 6] ^= (t); (s)[11] ^= (t); (s)[16] ^= (t); (s)[21] ^= (t); \ |
393 | 884k | (t) = (b)[(2 + 4) % 5] ^ ROTL64((b)[(2 + 1) % 5], 1); \ |
394 | 884k | (s)[ 2] ^= (t); (s)[ 7] ^= (t); (s)[12] ^= (t); (s)[17] ^= (t); (s)[22] ^= (t); \ |
395 | 884k | (t) = (b)[(3 + 4) % 5] ^ ROTL64((b)[(3 + 1) % 5], 1); \ |
396 | 884k | (s)[ 3] ^= (t); (s)[ 8] ^= (t); (s)[13] ^= (t); (s)[18] ^= (t); (s)[23] ^= (t); \ |
397 | 884k | (t) = (b)[(4 + 4) % 5] ^ ROTL64((b)[(4 + 1) % 5], 1); \ |
398 | 884k | (s)[ 4] ^= (t); (s)[ 9] ^= (t); (s)[14] ^= (t); (s)[19] ^= (t); (s)[24] ^= (t); \ |
399 | 884k | } \ |
400 | 884k | while (0) |
401 | | |
402 | 21.2M | #define S(s1, i) ROTL64((s1)[KI_##i], KR_##i) |
403 | | |
404 | | #ifdef SHA3_BY_SPEC |
405 | | /* Mix the row values. |
406 | | * BMI1 has ANDN instruction ((~a) & b) - Haswell and above. |
407 | | * |
408 | | * s2 The new state. |
409 | | * s1 The current state. |
410 | | * b Temporary array of XORed row values. |
411 | | * t0 Temporary variable. (Unused) |
412 | | * t1 Temporary variable. (Unused) |
413 | | */ |
414 | | #define ROW_MIX(s2, s1, b, t0, t1) \ |
415 | | do { \ |
416 | | (b)[0] = (s1)[0]; \ |
417 | | (b)[1] = S((s1), 0); \ |
418 | | (b)[2] = S((s1), 1); \ |
419 | | (b)[3] = S((s1), 2); \ |
420 | | (b)[4] = S((s1), 3); \ |
421 | | (s2)[0] = (b)[0] ^ (~(b)[1] & (b)[2]); \ |
422 | | (s2)[1] = (b)[1] ^ (~(b)[2] & (b)[3]); \ |
423 | | (s2)[2] = (b)[2] ^ (~(b)[3] & (b)[4]); \ |
424 | | (s2)[3] = (b)[3] ^ (~(b)[4] & (b)[0]); \ |
425 | | (s2)[4] = (b)[4] ^ (~(b)[0] & (b)[1]); \ |
426 | | (b)[0] = S((s1), 4); \ |
427 | | (b)[1] = S((s1), 5); \ |
428 | | (b)[2] = S((s1), 6); \ |
429 | | (b)[3] = S((s1), 7); \ |
430 | | (b)[4] = S((s1), 8); \ |
431 | | (s2)[5] = (b)[0] ^ (~(b)[1] & (b)[2]); \ |
432 | | (s2)[6] = (b)[1] ^ (~(b)[2] & (b)[3]); \ |
433 | | (s2)[7] = (b)[2] ^ (~(b)[3] & (b)[4]); \ |
434 | | (s2)[8] = (b)[3] ^ (~(b)[4] & (b)[0]); \ |
435 | | (s2)[9] = (b)[4] ^ (~(b)[0] & (b)[1]); \ |
436 | | (b)[0] = S((s1), 9); \ |
437 | | (b)[1] = S((s1), 10); \ |
438 | | (b)[2] = S((s1), 11); \ |
439 | | (b)[3] = S((s1), 12); \ |
440 | | (b)[4] = S((s1), 13); \ |
441 | | (s2)[10] = (b)[0] ^ (~(b)[1] & (b)[2]); \ |
442 | | (s2)[11] = (b)[1] ^ (~(b)[2] & (b)[3]); \ |
443 | | (s2)[12] = (b)[2] ^ (~(b)[3] & (b)[4]); \ |
444 | | (s2)[13] = (b)[3] ^ (~(b)[4] & (b)[0]); \ |
445 | | (s2)[14] = (b)[4] ^ (~(b)[0] & (b)[1]); \ |
446 | | (b)[0] = S((s1), 14); \ |
447 | | (b)[1] = S((s1), 15); \ |
448 | | (b)[2] = S((s1), 16); \ |
449 | | (b)[3] = S((s1), 17); \ |
450 | | (b)[4] = S((s1), 18); \ |
451 | | (s2)[15] = (b)[0] ^ (~(b)[1] & (b)[2]); \ |
452 | | (s2)[16] = (b)[1] ^ (~(b)[2] & (b)[3]); \ |
453 | | (s2)[17] = (b)[2] ^ (~(b)[3] & (b)[4]); \ |
454 | | (s2)[18] = (b)[3] ^ (~(b)[4] & (b)[0]); \ |
455 | | (s2)[19] = (b)[4] ^ (~(b)[0] & (b)[1]); \ |
456 | | (b)[0] = S((s1), 19); \ |
457 | | (b)[1] = S((s1), 20); \ |
458 | | (b)[2] = S((s1), 21); \ |
459 | | (b)[3] = S((s1), 22); \ |
460 | | (b)[4] = S((s1), 23); \ |
461 | | (s2)[20] = (b)[0] ^ (~(b)[1] & (b)[2]); \ |
462 | | (s2)[21] = (b)[1] ^ (~(b)[2] & (b)[3]); \ |
463 | | (s2)[22] = (b)[2] ^ (~(b)[3] & (b)[4]); \ |
464 | | (s2)[23] = (b)[3] ^ (~(b)[4] & (b)[0]); \ |
465 | | (s2)[24] = (b)[4] ^ (~(b)[0] & (b)[1]); \ |
466 | | } \ |
467 | | while (0) |
468 | | #else |
469 | | /* Mix the row values. |
470 | | * a ^ (~b & c) == a ^ (c & (b ^ c)) == (a ^ b) ^ (b | c) |
471 | | * |
472 | | * s2 The new state. |
473 | | * s1 The current state. |
474 | | * b Temporary array of XORed row values. |
475 | | * t12 Temporary variable. |
476 | | * t34 Temporary variable. |
477 | | */ |
478 | 884k | #define ROW_MIX(s2, s1, b, t12, t34) \ |
479 | 884k | do { \ |
480 | 884k | (b)[0] = (s1)[0]; \ |
481 | 884k | (b)[1] = S((s1), 0); \ |
482 | 884k | (b)[2] = S((s1), 1); \ |
483 | 884k | (b)[3] = S((s1), 2); \ |
484 | 884k | (b)[4] = S((s1), 3); \ |
485 | 884k | (t12) = ((b)[1] ^ (b)[2]); (t34) = ((b)[3] ^ (b)[4]); \ |
486 | 884k | (s2)[0] = (b)[0] ^ ((b)[2] & (t12)); \ |
487 | 884k | (s2)[1] = (t12) ^ ((b)[2] | (b)[3]); \ |
488 | 884k | (s2)[2] = (b)[2] ^ ((b)[4] & (t34)); \ |
489 | 884k | (s2)[3] = (t34) ^ ((b)[4] | (b)[0]); \ |
490 | 884k | (s2)[4] = (b)[4] ^ ((b)[1] & ((b)[0] ^ (b)[1])); \ |
491 | 884k | (b)[0] = S((s1), 4); \ |
492 | 884k | (b)[1] = S((s1), 5); \ |
493 | 884k | (b)[2] = S((s1), 6); \ |
494 | 884k | (b)[3] = S((s1), 7); \ |
495 | 884k | (b)[4] = S((s1), 8); \ |
496 | 884k | (t12) = ((b)[1] ^ (b)[2]); (t34) = ((b)[3] ^ (b)[4]); \ |
497 | 884k | (s2)[5] = (b)[0] ^ ((b)[2] & (t12)); \ |
498 | 884k | (s2)[6] = (t12) ^ ((b)[2] | (b)[3]); \ |
499 | 884k | (s2)[7] = (b)[2] ^ ((b)[4] & (t34)); \ |
500 | 884k | (s2)[8] = (t34) ^ ((b)[4] | (b)[0]); \ |
501 | 884k | (s2)[9] = (b)[4] ^ ((b)[1] & ((b)[0] ^ (b)[1])); \ |
502 | 884k | (b)[0] = S((s1), 9); \ |
503 | 884k | (b)[1] = S((s1), 10); \ |
504 | 884k | (b)[2] = S((s1), 11); \ |
505 | 884k | (b)[3] = S((s1), 12); \ |
506 | 884k | (b)[4] = S((s1), 13); \ |
507 | 884k | (t12) = ((b)[1] ^ (b)[2]); (t34) = ((b)[3] ^ (b)[4]); \ |
508 | 884k | (s2)[10] = (b)[0] ^ ((b)[2] & (t12)); \ |
509 | 884k | (s2)[11] = (t12) ^ ((b)[2] | (b)[3]); \ |
510 | 884k | (s2)[12] = (b)[2] ^ ((b)[4] & (t34)); \ |
511 | 884k | (s2)[13] = (t34) ^ ((b)[4] | (b)[0]); \ |
512 | 884k | (s2)[14] = (b)[4] ^ ((b)[1] & ((b)[0] ^ (b)[1])); \ |
513 | 884k | (b)[0] = S((s1), 14); \ |
514 | 884k | (b)[1] = S((s1), 15); \ |
515 | 884k | (b)[2] = S((s1), 16); \ |
516 | 884k | (b)[3] = S((s1), 17); \ |
517 | 884k | (b)[4] = S((s1), 18); \ |
518 | 884k | (t12) = ((b)[1] ^ (b)[2]); (t34) = ((b)[3] ^ (b)[4]); \ |
519 | 884k | (s2)[15] = (b)[0] ^ ((b)[2] & (t12)); \ |
520 | 884k | (s2)[16] = (t12) ^ ((b)[2] | (b)[3]); \ |
521 | 884k | (s2)[17] = (b)[2] ^ ((b)[4] & (t34)); \ |
522 | 884k | (s2)[18] = (t34) ^ ((b)[4] | (b)[0]); \ |
523 | 884k | (s2)[19] = (b)[4] ^ ((b)[1] & ((b)[0] ^ (b)[1])); \ |
524 | 884k | (b)[0] = S((s1), 19); \ |
525 | 884k | (b)[1] = S((s1), 20); \ |
526 | 884k | (b)[2] = S((s1), 21); \ |
527 | 884k | (b)[3] = S((s1), 22); \ |
528 | 884k | (b)[4] = S((s1), 23); \ |
529 | 884k | (t12) = ((b)[1] ^ (b)[2]); (t34) = ((b)[3] ^ (b)[4]); \ |
530 | 884k | (s2)[20] = (b)[0] ^ ((b)[2] & (t12)); \ |
531 | 884k | (s2)[21] = (t12) ^ ((b)[2] | (b)[3]); \ |
532 | 884k | (s2)[22] = (b)[2] ^ ((b)[4] & (t34)); \ |
533 | 884k | (s2)[23] = (t34) ^ ((b)[4] | (b)[0]); \ |
534 | 884k | (s2)[24] = (b)[4] ^ ((b)[1] & ((b)[0] ^ (b)[1])); \ |
535 | 884k | } \ |
536 | 884k | while (0) |
537 | | #endif /* SHA3_BY_SPEC */ |
538 | | |
539 | | #if !defined(STM32_HASH_SHA3) && !defined(PSOC6_HASH_SHA3) |
540 | | /* The block operation performed on the state. |
541 | | * |
542 | | * s The state. |
543 | | */ |
544 | | void BlockSha3(word64* s) |
545 | 36.8k | { |
546 | 36.8k | word64 n[25]; |
547 | 36.8k | word64 b[5]; |
548 | 36.8k | word64 t0; |
549 | 36.8k | #ifndef SHA3_BY_SPEC |
550 | 36.8k | word64 t1; |
551 | 36.8k | #endif |
552 | 36.8k | word32 i; |
553 | | |
554 | 479k | for (i = 0; i < 24; i += 2) |
555 | 442k | { |
556 | 442k | COL_MIX(s, b, x, t0); |
557 | 442k | ROW_MIX(n, s, b, t0, t1); |
558 | 442k | n[0] ^= hash_keccak_r[i]; |
559 | | |
560 | 442k | COL_MIX(n, b, x, t0); |
561 | 442k | ROW_MIX(s, n, b, t0, t1); |
562 | 442k | s[0] ^= hash_keccak_r[i+1]; |
563 | 442k | } |
564 | 36.8k | } |
565 | | #endif /* WOLFSSL_SHA3_SMALL */ |
566 | | #endif /* STM32_HASH_SHA3 */ |
567 | | #endif /* !WOLFSSL_ARMASM && !WOLFSSL_RISCV_ASM */ |
568 | | |
569 | | #if !defined(STM32_HASH_SHA3) && !defined(PSOC6_HASH_SHA3) |
570 | | #if defined(BIG_ENDIAN_ORDER) |
571 | | static WC_INLINE word64 Load64Unaligned(const unsigned char *a) |
572 | | { |
573 | | return ((word64)a[0] << 0) | |
574 | | ((word64)a[1] << 8) | |
575 | | ((word64)a[2] << 16) | |
576 | | ((word64)a[3] << 24) | |
577 | | ((word64)a[4] << 32) | |
578 | | ((word64)a[5] << 40) | |
579 | | ((word64)a[6] << 48) | |
580 | | ((word64)a[7] << 56); |
581 | | } |
582 | | |
583 | | /* Convert the array of bytes, in little-endian order, to a 64-bit integer. |
584 | | * |
585 | | * a Array of bytes. |
586 | | * returns a 64-bit integer. |
587 | | */ |
588 | | static word64 Load64BitBigEndian(const byte* a) |
589 | | { |
590 | | word64 n = 0; |
591 | | int i; |
592 | | |
593 | | for (i = 0; i < 8; i++) |
594 | | n |= (word64)a[i] << (8 * i); |
595 | | |
596 | | return n; |
597 | | } |
598 | | #endif |
599 | | |
600 | | /* Initialize the state for a SHA3-224 hash operation. |
601 | | * |
602 | | * sha3 wc_Sha3 object holding state. |
603 | | * returns 0 on success. |
604 | | */ |
605 | | |
606 | | static int InitSha3(wc_Sha3* sha3) |
607 | 18.8k | { |
608 | 18.8k | int i; |
609 | | |
610 | 489k | for (i = 0; i < 25; i++) |
611 | 470k | sha3->s[i] = 0; |
612 | 18.8k | sha3->i = 0; |
613 | 18.8k | #ifdef WOLFSSL_HASH_FLAGS |
614 | 18.8k | sha3->flags = 0; |
615 | 18.8k | #endif |
616 | | |
617 | | #ifdef USE_INTEL_SPEEDUP |
618 | | { |
619 | | int cpuid_flags_were_updated = cpuid_get_flags_ex(&cpuid_flags); |
620 | | #ifdef WC_C_DYNAMIC_FALLBACK |
621 | | (void)cpuid_flags_were_updated; |
622 | | if (! CAN_SAVE_VECTOR_REGISTERS()) { |
623 | | SHA3_BLOCK = BlockSha3; |
624 | | SHA3_BLOCK_N = NULL; |
625 | | } |
626 | | else |
627 | | #else |
628 | | if ((! cpuid_flags_were_updated) && (SHA3_BLOCK != NULL)) { |
629 | | } |
630 | | else |
631 | | #endif |
632 | | if (IS_INTEL_AVX2(cpuid_flags)) { |
633 | | SHA3_BLOCK = sha3_block_avx2; |
634 | | SHA3_BLOCK_N = sha3_block_n_avx2; |
635 | | } |
636 | | else if (IS_INTEL_BMI1(cpuid_flags) && IS_INTEL_BMI2(cpuid_flags)) { |
637 | | SHA3_BLOCK = sha3_block_bmi2; |
638 | | SHA3_BLOCK_N = sha3_block_n_bmi2; |
639 | | } |
640 | | else { |
641 | | SHA3_BLOCK = BlockSha3; |
642 | | SHA3_BLOCK_N = NULL; |
643 | | } |
644 | | } |
645 | | #define SHA3_FUNC_PTR |
646 | | #endif /* USE_INTEL_SPEEDUP */ |
647 | | #if defined(__aarch64__) && defined(WOLFSSL_ARMASM) |
648 | | { |
649 | | int cpuid_flags_were_updated = cpuid_get_flags_ex(&cpuid_flags); |
650 | | if ((! cpuid_flags_were_updated) && (SHA3_BLOCK != NULL)) { |
651 | | } |
652 | | else |
653 | | #ifdef WOLFSSL_ARMASM_CRYPTO_SHA3 |
654 | | if (IS_AARCH64_SHA3(cpuid_flags)) { |
655 | | SHA3_BLOCK = BlockSha3_crypto; |
656 | | SHA3_BLOCK_N = NULL; |
657 | | } |
658 | | else |
659 | | #endif |
660 | | { |
661 | | SHA3_BLOCK = BlockSha3_base; |
662 | | SHA3_BLOCK_N = NULL; |
663 | | } |
664 | | } |
665 | | #define SHA3_FUNC_PTR |
666 | | #endif |
667 | | |
668 | 18.8k | return 0; |
669 | 18.8k | } |
670 | | |
671 | | #if defined(__aarch64__) && defined(WOLFSSL_ARMASM) |
672 | | void BlockSha3(word64* s) |
673 | | { |
674 | | (*SHA3_BLOCK)(s); |
675 | | } |
676 | | #endif |
677 | | |
678 | | /* Update the SHA-3 hash state with message data. |
679 | | * |
680 | | * sha3 wc_Sha3 object holding state. |
681 | | * data Message data to be hashed. |
682 | | * len Length of the message data. |
683 | | * p Number of 64-bit numbers in a block of data to process. |
684 | | * returns 0 on success. |
685 | | */ |
686 | | static int Sha3Update(wc_Sha3* sha3, const byte* data, word32 len, byte p) |
687 | 282k | { |
688 | 282k | word32 i; |
689 | 282k | word32 blocks; |
690 | | |
691 | | #if defined(WOLFSSL_USE_SAVE_VECTOR_REGISTERS) && defined(USE_INTEL_SPEEDUP) |
692 | | if (SHA3_BLOCK == sha3_block_avx2) { |
693 | | SAVE_VECTOR_REGISTERS(return _svr_ret;); |
694 | | } |
695 | | #endif |
696 | 282k | if (sha3->i > 0) { |
697 | 224k | byte *t; |
698 | 224k | byte l = (byte)(p * 8 - sha3->i); |
699 | 224k | if (l > len) { |
700 | 222k | l = (byte)len; |
701 | 222k | } |
702 | | |
703 | 224k | t = &sha3->t[sha3->i]; |
704 | 927k | for (i = 0; i < l; i++) { |
705 | 703k | t[i] = data[i]; |
706 | 703k | } |
707 | 224k | data += i; |
708 | 224k | len -= i; |
709 | 224k | sha3->i = (byte)(sha3->i + i); |
710 | | |
711 | 224k | if (sha3->i == p * 8) { |
712 | 2.13k | #if !defined(BIG_ENDIAN_ORDER) |
713 | 2.13k | xorbuf(sha3->s, sha3->t, (word32)(p * 8)); |
714 | | #else |
715 | | for (i = 0; i < p; i++) { |
716 | | sha3->s[i] ^= Load64BitBigEndian(sha3->t + 8 * i); |
717 | | } |
718 | | #endif |
719 | | #ifdef SHA3_FUNC_PTR |
720 | | (*SHA3_BLOCK)(sha3->s); |
721 | | #else |
722 | 2.13k | BlockSha3(sha3->s); |
723 | 2.13k | #endif |
724 | 2.13k | sha3->i = 0; |
725 | 2.13k | } |
726 | 224k | } |
727 | 282k | blocks = len / (p * 8U); |
728 | | #ifdef SHA3_FUNC_PTR |
729 | | if ((SHA3_BLOCK_N != NULL) && (blocks > 0)) { |
730 | | (*SHA3_BLOCK_N)(sha3->s, data, blocks, p * 8U); |
731 | | len -= blocks * (p * 8U); |
732 | | data += blocks * (p * 8U); |
733 | | blocks = 0; |
734 | | } |
735 | | #endif |
736 | 304k | for (; blocks > 0; blocks--) { |
737 | 22.0k | #if !defined(BIG_ENDIAN_ORDER) |
738 | 22.0k | xorbuf(sha3->s, data, (word32)(p * 8)); |
739 | | #else |
740 | | for (i = 0; i < p; i++) { |
741 | | sha3->s[i] ^= Load64Unaligned(data + 8 * i); |
742 | | } |
743 | | #endif |
744 | | #ifdef SHA3_FUNC_PTR |
745 | | (*SHA3_BLOCK)(sha3->s); |
746 | | #else |
747 | 22.0k | BlockSha3(sha3->s); |
748 | 22.0k | #endif |
749 | 22.0k | len -= p * 8U; |
750 | 22.0k | data += p * 8U; |
751 | 22.0k | } |
752 | | #if defined(WOLFSSL_USE_SAVE_VECTOR_REGISTERS) && defined(USE_INTEL_SPEEDUP) |
753 | | if (SHA3_BLOCK == sha3_block_avx2) { |
754 | | RESTORE_VECTOR_REGISTERS(); |
755 | | } |
756 | | #endif |
757 | 282k | if (len > 0) { |
758 | 14.9k | XMEMCPY(sha3->t, data, len); |
759 | 14.9k | } |
760 | 282k | sha3->i = (byte)(sha3->i + len); |
761 | | |
762 | 282k | return 0; |
763 | 282k | } |
764 | | |
765 | | /* Calculate the SHA-3 hash based on all the message data seen. |
766 | | * |
767 | | * sha3 wc_Sha3 object holding state. |
768 | | * hash Buffer to hold the hash result. |
769 | | * p Number of 64-bit numbers in a block of data to process. |
770 | | * len Number of bytes in output. |
771 | | * returns 0 on success. |
772 | | */ |
773 | | static int Sha3Final(wc_Sha3* sha3, byte padChar, byte* hash, byte p, word32 l) |
774 | 12.7k | { |
775 | 12.7k | word32 rate = p * 8U; |
776 | 12.7k | word32 j; |
777 | | #if defined(BIG_ENDIAN_ORDER) |
778 | | word32 i; |
779 | | #endif |
780 | | |
781 | 12.7k | #if !defined(BIG_ENDIAN_ORDER) |
782 | 12.7k | xorbuf(sha3->s, sha3->t, sha3->i); |
783 | 12.7k | #ifdef WOLFSSL_HASH_FLAGS |
784 | 12.7k | if ((p == WC_SHA3_256_COUNT) && (sha3->flags & WC_HASH_SHA3_KECCAK256)) { |
785 | 0 | padChar = 0x01; |
786 | 0 | } |
787 | 12.7k | #endif |
788 | 12.7k | ((byte*)sha3->s)[sha3->i ] ^= padChar; |
789 | 12.7k | ((byte*)sha3->s)[rate - 1] ^= 0x80; |
790 | | #else |
791 | | sha3->t[rate - 1] = 0x00; |
792 | | #ifdef WOLFSSL_HASH_FLAGS |
793 | | if ((p == WC_SHA3_256_COUNT) && (sha3->flags & WC_HASH_SHA3_KECCAK256)) { |
794 | | padChar = 0x01; |
795 | | } |
796 | | #endif |
797 | | sha3->t[sha3->i ] = padChar; |
798 | | sha3->t[rate - 1] |= 0x80; |
799 | | if (rate - 1 > (word32)sha3->i + 1) { |
800 | | XMEMSET(sha3->t + sha3->i + 1, 0, rate - 1U - (sha3->i + 1U)); |
801 | | } |
802 | | for (i = 0; i < p; i++) { |
803 | | sha3->s[i] ^= Load64BitBigEndian(sha3->t + 8 * i); |
804 | | } |
805 | | #endif |
806 | | |
807 | | #if defined(WOLFSSL_USE_SAVE_VECTOR_REGISTERS) && defined(USE_INTEL_SPEEDUP) |
808 | | if (SHA3_BLOCK == sha3_block_avx2) |
809 | | SAVE_VECTOR_REGISTERS(return _svr_ret;); |
810 | | #endif |
811 | | |
812 | 12.7k | for (j = 0; l - j >= rate; j += rate) { |
813 | | #ifdef SHA3_FUNC_PTR |
814 | | (*SHA3_BLOCK)(sha3->s); |
815 | | #else |
816 | 0 | BlockSha3(sha3->s); |
817 | 0 | #endif |
818 | | #if defined(BIG_ENDIAN_ORDER) |
819 | | ByteReverseWords64((word64*)(hash + j), sha3->s, rate); |
820 | | #else |
821 | 0 | XMEMCPY(hash + j, sha3->s, rate); |
822 | 0 | #endif |
823 | 0 | } |
824 | 12.7k | if (j != l) { |
825 | | #ifdef SHA3_FUNC_PTR |
826 | | (*SHA3_BLOCK)(sha3->s); |
827 | | #else |
828 | 12.7k | BlockSha3(sha3->s); |
829 | 12.7k | #endif |
830 | | #if defined(BIG_ENDIAN_ORDER) |
831 | | ByteReverseWords64(sha3->s, sha3->s, rate); |
832 | | #endif |
833 | 12.7k | XMEMCPY(hash + j, sha3->s, l - j); |
834 | 12.7k | } |
835 | | #if defined(WOLFSSL_USE_SAVE_VECTOR_REGISTERS) && defined(USE_INTEL_SPEEDUP) |
836 | | if (SHA3_BLOCK == sha3_block_avx2) { |
837 | | RESTORE_VECTOR_REGISTERS(); |
838 | | } |
839 | | #endif |
840 | | |
841 | 12.7k | return 0; |
842 | 12.7k | } |
843 | | #endif |
844 | | #if defined(STM32_HASH_SHA3) |
845 | | |
846 | | /* Supports CubeMX HAL or Standard Peripheral Library */ |
847 | | |
848 | | static int wc_InitSha3(wc_Sha3* sha3, void* heap, int devId) |
849 | | { |
850 | | if (sha3 == NULL) |
851 | | return BAD_FUNC_ARG; |
852 | | |
853 | | (void)devId; |
854 | | (void)heap; |
855 | | |
856 | | XMEMSET(sha3, 0, sizeof(wc_Sha3)); |
857 | | wc_Stm32_Hash_Init(&sha3->stmCtx); |
858 | | return 0; |
859 | | } |
860 | | |
861 | | static int Stm32GetAlgo(byte p) |
862 | | { |
863 | | switch(p) { |
864 | | case WC_SHA3_224_COUNT: |
865 | | return HASH_ALGOSELECTION_SHA3_224; |
866 | | case WC_SHA3_256_COUNT: |
867 | | return HASH_ALGOSELECTION_SHA3_256; |
868 | | case WC_SHA3_384_COUNT: |
869 | | return HASH_ALGOSELECTION_SHA3_384; |
870 | | case WC_SHA3_512_COUNT: |
871 | | return HASH_ALGOSELECTION_SHA3_512; |
872 | | } |
873 | | /* Should never get here */ |
874 | | return WC_SHA3_224_COUNT; |
875 | | } |
876 | | |
877 | | static int wc_Sha3Update(wc_Sha3* sha3, const byte* data, word32 len, byte p) |
878 | | { |
879 | | int ret = 0; |
880 | | |
881 | | if (sha3 == NULL) { |
882 | | return BAD_FUNC_ARG; |
883 | | } |
884 | | if (data == NULL && len == 0) { |
885 | | /* valid, but do nothing */ |
886 | | return 0; |
887 | | } |
888 | | if (data == NULL) { |
889 | | return BAD_FUNC_ARG; |
890 | | } |
891 | | |
892 | | ret = wolfSSL_CryptHwMutexLock(); |
893 | | if (ret == 0) { |
894 | | ret = wc_Stm32_Hash_Update(&sha3->stmCtx, |
895 | | Stm32GetAlgo(p), data, len, p * 8); |
896 | | wolfSSL_CryptHwMutexUnLock(); |
897 | | } |
898 | | return ret; |
899 | | } |
900 | | |
901 | | static int wc_Sha3Final(wc_Sha3* sha3, byte* hash, byte p, byte len) |
902 | | { |
903 | | int ret = 0; |
904 | | |
905 | | if (sha3 == NULL || hash == NULL) { |
906 | | return BAD_FUNC_ARG; |
907 | | } |
908 | | |
909 | | ret = wolfSSL_CryptHwMutexLock(); |
910 | | if (ret == 0) { |
911 | | ret = wc_Stm32_Hash_Final(&sha3->stmCtx, |
912 | | Stm32GetAlgo(p), hash, len); |
913 | | wolfSSL_CryptHwMutexUnLock(); |
914 | | } |
915 | | |
916 | | (void)wc_InitSha3(sha3, NULL, 0); /* reset state */ |
917 | | |
918 | | return ret; |
919 | | } |
920 | | #elif defined(PSOC6_HASH_SHA3) |
921 | | |
922 | | static int wc_InitSha3(wc_Sha3* sha3, void* heap, int devId) |
923 | | { |
924 | | int ret; |
925 | | if (sha3 == NULL) { |
926 | | return BAD_FUNC_ARG; |
927 | | } |
928 | | (void)devId; |
929 | | (void)heap; |
930 | | |
931 | | /* Lock the mutex to perform crypto operations */ |
932 | | ret = wolfSSL_CryptHwMutexLock(); |
933 | | if (ret == 0) { |
934 | | /* Initialize hash state for SHA-3 operation */ |
935 | | ret = wc_Psoc6_Sha3_Init(sha3); |
936 | | /* Release the lock */ |
937 | | wolfSSL_CryptHwMutexUnLock(); |
938 | | } |
939 | | |
940 | | return ret; |
941 | | } |
942 | | |
943 | | static int wc_Sha3Update(wc_Sha3* sha3, const byte* data, word32 len, byte p) |
944 | | { |
945 | | int ret; |
946 | | |
947 | | if (sha3 == NULL || (data == NULL && len > 0)) { |
948 | | return BAD_FUNC_ARG; |
949 | | } |
950 | | |
951 | | if (data == NULL && len == 0) { |
952 | | /* valid, but do nothing */ |
953 | | return 0; |
954 | | } |
955 | | |
956 | | /* Lock the mutex to perform crypto operations */ |
957 | | ret = wolfSSL_CryptHwMutexLock(); |
958 | | if (ret == 0) { |
959 | | /* Perform SHA3 on the input data and update the hash state */ |
960 | | ret = wc_Psoc6_Sha3_Update(sha3, data, len, p); |
961 | | /* Release the lock */ |
962 | | wolfSSL_CryptHwMutexUnLock(); |
963 | | } |
964 | | |
965 | | return ret; |
966 | | } |
967 | | |
968 | | static int wc_Sha3Final(wc_Sha3* sha3, byte* hash, byte p, byte len) |
969 | | { |
970 | | int ret; |
971 | | |
972 | | if (sha3 == NULL || hash == NULL) { |
973 | | return BAD_FUNC_ARG; |
974 | | } |
975 | | |
976 | | /* Lock the mutex to perform crypto operations */ |
977 | | ret = wolfSSL_CryptHwMutexLock(); |
978 | | if (ret == 0) { |
979 | | /* Finalize SHA3 operations and produce digest */ |
980 | | ret = wc_Psoc6_Sha3_Final(sha3, 0x06, hash, p, len); |
981 | | if (ret == 0) { |
982 | | /* Initialize hash state for SHA-3 operation */ |
983 | | ret = wc_Psoc6_Sha3_Init(sha3); |
984 | | } |
985 | | /* Release the lock */ |
986 | | wolfSSL_CryptHwMutexUnLock(); |
987 | | } |
988 | | |
989 | | return ret; |
990 | | } |
991 | | |
992 | | #else |
993 | | |
994 | | /* Initialize the state for a SHA-3 hash operation. |
995 | | * |
996 | | * sha3 wc_Sha3 object holding state. |
997 | | * heap Heap reference for dynamic memory allocation. (Used in async ops.) |
998 | | * devId Device identifier for asynchronous operation. |
999 | | * returns 0 on success. |
1000 | | */ |
1001 | | static int wc_InitSha3(wc_Sha3* sha3, void* heap, int devId) |
1002 | 6.11k | { |
1003 | 6.11k | int ret = 0; |
1004 | | |
1005 | 6.11k | if (sha3 == NULL) |
1006 | 0 | return BAD_FUNC_ARG; |
1007 | | |
1008 | 6.11k | sha3->heap = heap; |
1009 | 6.11k | ret = InitSha3(sha3); |
1010 | 6.11k | if (ret != 0) |
1011 | 0 | return ret; |
1012 | | |
1013 | | #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_SHA3) |
1014 | | ret = wolfAsync_DevCtxInit(&sha3->asyncDev, |
1015 | | WOLFSSL_ASYNC_MARKER_SHA3, sha3->heap, devId); |
1016 | | #endif |
1017 | 6.11k | #if defined(WOLF_CRYPTO_CB) |
1018 | 6.11k | sha3->devId = devId; |
1019 | | /* Set to none to determine the hash type later */ |
1020 | | /* in the update/final functions based on the p value */ |
1021 | 6.11k | sha3->hashType = WC_HASH_TYPE_NONE; |
1022 | 6.11k | #endif |
1023 | 6.11k | (void)devId; |
1024 | | |
1025 | 6.11k | return ret; |
1026 | 6.11k | } |
1027 | | |
1028 | | /* Update the SHA-3 hash state with message data. |
1029 | | * |
1030 | | * sha3 wc_Sha3 object holding state. |
1031 | | * data Message data to be hashed. |
1032 | | * len Length of the message data. |
1033 | | * p Number of 64-bit numbers in a block of data to process. |
1034 | | * returns 0 on success. |
1035 | | */ |
1036 | | static int wc_Sha3Update(wc_Sha3* sha3, const byte* data, word32 len, byte p) |
1037 | 118 | { |
1038 | 118 | int ret; |
1039 | | |
1040 | 118 | if (sha3 == NULL || (data == NULL && len > 0)) { |
1041 | 0 | return BAD_FUNC_ARG; |
1042 | 0 | } |
1043 | | |
1044 | 118 | if (data == NULL && len == 0) { |
1045 | | /* valid, but do nothing */ |
1046 | 36 | return 0; |
1047 | 36 | } |
1048 | | |
1049 | 82 | #ifdef WOLF_CRYPTO_CB |
1050 | 82 | #ifndef WOLF_CRYPTO_CB_FIND |
1051 | 82 | if (sha3->devId != INVALID_DEVID) |
1052 | 0 | #endif |
1053 | 0 | { |
1054 | | /* If the hash type is not set, determine it based on the p value */ |
1055 | | /* We can skip the switch statement if the hash type set already */ |
1056 | 0 | if (sha3->hashType == WC_HASH_TYPE_NONE) { |
1057 | 0 | switch (p) { |
1058 | 0 | case WC_SHA3_224_COUNT: |
1059 | 0 | sha3->hashType = WC_HASH_TYPE_SHA3_224; break; |
1060 | 0 | case WC_SHA3_256_COUNT: |
1061 | 0 | sha3->hashType = WC_HASH_TYPE_SHA3_256; break; |
1062 | 0 | case WC_SHA3_384_COUNT: |
1063 | 0 | sha3->hashType = WC_HASH_TYPE_SHA3_384; break; |
1064 | 0 | case WC_SHA3_512_COUNT: |
1065 | 0 | sha3->hashType = WC_HASH_TYPE_SHA3_512; break; |
1066 | 0 | default: return BAD_FUNC_ARG; |
1067 | 0 | } |
1068 | 0 | } |
1069 | 0 | ret = wc_CryptoCb_Sha3Hash(sha3, sha3->hashType, data, len, NULL); |
1070 | 0 | if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE)) |
1071 | 0 | return ret; |
1072 | | /* fall-through when unavailable */ |
1073 | 0 | } |
1074 | 82 | #endif |
1075 | | #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_SHA3) |
1076 | | if (sha3->asyncDev.marker == WOLFSSL_ASYNC_MARKER_SHA3) { |
1077 | | #if defined(HAVE_INTEL_QA) && defined(QAT_V2) |
1078 | | /* QAT only supports SHA3_256 */ |
1079 | | if (p == WC_SHA3_256_COUNT) { |
1080 | | ret = IntelQaSymSha3(&sha3->asyncDev, NULL, data, len); |
1081 | | if (ret != WC_NO_ERR_TRACE(NOT_COMPILED_IN)) |
1082 | | return ret; |
1083 | | /* fall-through when unavailable */ |
1084 | | } |
1085 | | #endif |
1086 | | } |
1087 | | #endif /* WOLFSSL_ASYNC_CRYPT */ |
1088 | | |
1089 | 82 | ret = Sha3Update(sha3, data, len, p); |
1090 | | |
1091 | 82 | return ret; |
1092 | 82 | } |
1093 | | |
1094 | | /* Calculate the SHA-3 hash based on all the message data seen. |
1095 | | * |
1096 | | * sha3 wc_Sha3 object holding state. |
1097 | | * hash Buffer to hold the hash result. |
1098 | | * p Number of 64-bit numbers in a block of data to process. |
1099 | | * len Number of bytes in output. |
1100 | | * returns 0 on success. |
1101 | | */ |
1102 | | static int wc_Sha3Final(wc_Sha3* sha3, byte* hash, byte p, byte len) |
1103 | 118 | { |
1104 | 118 | int ret; |
1105 | | |
1106 | 118 | if (sha3 == NULL || hash == NULL) { |
1107 | 0 | return BAD_FUNC_ARG; |
1108 | 0 | } |
1109 | | |
1110 | 118 | #ifdef WOLF_CRYPTO_CB |
1111 | 118 | #ifndef WOLF_CRYPTO_CB_FIND |
1112 | 118 | if (sha3->devId != INVALID_DEVID) |
1113 | 0 | #endif |
1114 | 0 | { |
1115 | | /* If the hash type is not set, determine it based on the p value */ |
1116 | | /* We can skip the switch statement if the hash type is set already */ |
1117 | 0 | if (sha3->hashType == WC_HASH_TYPE_NONE) { |
1118 | 0 | switch (p) { |
1119 | 0 | case WC_SHA3_224_COUNT: |
1120 | 0 | sha3->hashType = WC_HASH_TYPE_SHA3_224; break; |
1121 | 0 | case WC_SHA3_256_COUNT: |
1122 | 0 | sha3->hashType = WC_HASH_TYPE_SHA3_256; break; |
1123 | 0 | case WC_SHA3_384_COUNT: |
1124 | 0 | sha3->hashType = WC_HASH_TYPE_SHA3_384; break; |
1125 | 0 | case WC_SHA3_512_COUNT: |
1126 | 0 | sha3->hashType = WC_HASH_TYPE_SHA3_512; break; |
1127 | 0 | default: return BAD_FUNC_ARG; |
1128 | 0 | } |
1129 | 0 | } |
1130 | 0 | ret = wc_CryptoCb_Sha3Hash(sha3, sha3->hashType, NULL, 0, hash); |
1131 | 0 | if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE)) |
1132 | 0 | return ret; |
1133 | | /* fall-through when unavailable */ |
1134 | 0 | } |
1135 | 118 | #endif |
1136 | | #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_SHA3) |
1137 | | if (sha3->asyncDev.marker == WOLFSSL_ASYNC_MARKER_SHA3) { |
1138 | | #if defined(HAVE_INTEL_QA) && defined(QAT_V2) |
1139 | | /* QAT only supports SHA3_256 */ |
1140 | | /* QAT SHA-3 only supported on v2 (8970 or later cards) */ |
1141 | | if (len == WC_SHA3_256_DIGEST_SIZE) { |
1142 | | ret = IntelQaSymSha3(&sha3->asyncDev, hash, NULL, len); |
1143 | | if (ret != WC_NO_ERR_TRACE(NOT_COMPILED_IN)) |
1144 | | return ret; |
1145 | | /* fall-through when unavailable */ |
1146 | | } |
1147 | | #endif |
1148 | | } |
1149 | | #endif /* WOLFSSL_ASYNC_CRYPT */ |
1150 | | |
1151 | 118 | ret = Sha3Final(sha3, 0x06, hash, p, (word32)len); |
1152 | 118 | if (ret != 0) |
1153 | 0 | return ret; |
1154 | | |
1155 | 118 | return InitSha3(sha3); /* reset state */ |
1156 | 118 | } |
1157 | | #endif |
1158 | | |
1159 | | /* Dispose of any dynamically allocated data from the SHA3-384 operation. |
1160 | | * (Required for async ops.) |
1161 | | * |
1162 | | * sha3 wc_Sha3 object holding state. |
1163 | | * returns 0 on success. |
1164 | | */ |
1165 | | static void wc_Sha3Free(wc_Sha3* sha3) |
1166 | 6.11k | { |
1167 | | #if defined(WOLF_CRYPTO_CB) && defined(WOLF_CRYPTO_CB_FREE) |
1168 | | int ret = 0; |
1169 | | #endif |
1170 | | |
1171 | 6.11k | (void)sha3; |
1172 | | |
1173 | | #if defined(WOLF_CRYPTO_CB) && defined(WOLF_CRYPTO_CB_FREE) |
1174 | | if (sha3 == NULL) |
1175 | | return; |
1176 | | |
1177 | | #ifndef WOLF_CRYPTO_CB_FIND |
1178 | | if (sha3->devId != INVALID_DEVID) |
1179 | | #endif |
1180 | | { |
1181 | | ret = wc_CryptoCb_Free(sha3->devId, WC_ALGO_TYPE_HASH, |
1182 | | sha3->hashType, (void*)sha3); |
1183 | | /* If they want the standard free, they can call it themselves */ |
1184 | | /* via their callback setting devId to INVALID_DEVID */ |
1185 | | /* otherwise assume the callback handled it */ |
1186 | | if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE)) |
1187 | | return; |
1188 | | /* fall-through when unavailable */ |
1189 | | } |
1190 | | |
1191 | | /* silence compiler warning */ |
1192 | | (void)ret; |
1193 | | |
1194 | | #endif /* WOLF_CRYPTO_CB && WOLF_CRYPTO_CB_FREE */ |
1195 | | |
1196 | | #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_SHA3) |
1197 | | if (sha3 == NULL) |
1198 | | return; |
1199 | | |
1200 | | wolfAsync_DevCtxFree(&sha3->asyncDev, WOLFSSL_ASYNC_MARKER_SHA3); |
1201 | | #endif /* WOLFSSL_ASYNC_CRYPT */ |
1202 | | |
1203 | | #if defined(PSOC6_HASH_SHA3) |
1204 | | wc_Psoc6_Sha_Free(); |
1205 | | #endif |
1206 | 6.11k | } |
1207 | | |
1208 | | /* Copy the state of the SHA3 operation. |
1209 | | * |
1210 | | * src wc_Sha3 object holding state top copy. |
1211 | | * dst wc_Sha3 object to copy into. |
1212 | | * returns 0 on success. |
1213 | | */ |
1214 | | static int wc_Sha3Copy(wc_Sha3* src, wc_Sha3* dst) |
1215 | 0 | { |
1216 | 0 | int ret = 0; |
1217 | |
|
1218 | 0 | if (src == NULL || dst == NULL) |
1219 | 0 | return BAD_FUNC_ARG; |
1220 | | |
1221 | | #if defined(WOLF_CRYPTO_CB) && defined(WOLF_CRYPTO_CB_COPY) |
1222 | | #ifndef WOLF_CRYPTO_CB_FIND |
1223 | | if (src->devId != INVALID_DEVID) |
1224 | | #endif |
1225 | | { |
1226 | | /* Cast the source and destination to be void to keep the abstraction */ |
1227 | | ret = wc_CryptoCb_Copy(src->devId, WC_ALGO_TYPE_HASH, |
1228 | | src->hashType, (void*)src, (void*)dst); |
1229 | | if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE)) |
1230 | | return ret; |
1231 | | /* fall-through when unavailable */ |
1232 | | } |
1233 | | ret = 0; /* Reset ret to 0 to avoid returning the callback error code */ |
1234 | | #endif /* WOLF_CRYPTO_CB && WOLF_CRYPTO_CB_COPY */ |
1235 | | |
1236 | 0 | XMEMCPY(dst, src, sizeof(wc_Sha3)); |
1237 | |
|
1238 | | #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_SHA3) |
1239 | | ret = wolfAsync_DevCopy(&src->asyncDev, &dst->asyncDev); |
1240 | | #endif |
1241 | |
|
1242 | | #if defined(PSOC6_HASH_SHA3) |
1243 | | /* Re-initialize internal pointers in hash_state that point inside sha_buffers */ |
1244 | | dst->hash_state.hash = (uint8_t*)((cy_stc_crypto_v2_sha3_buffers_t *)&dst->sha_buffers)->hash; |
1245 | | #endif |
1246 | |
|
1247 | 0 | #ifdef WOLFSSL_HASH_FLAGS |
1248 | 0 | dst->flags |= WC_HASH_FLAG_ISCOPY; |
1249 | 0 | #endif |
1250 | |
|
1251 | 0 | return ret; |
1252 | 0 | } |
1253 | | |
1254 | | /* Calculate the SHA3-224 hash based on all the message data so far. |
1255 | | * More message data can be added, after this operation, using the current |
1256 | | * state. |
1257 | | * |
1258 | | * sha3 wc_Sha3 object holding state. |
1259 | | * hash Buffer to hold the hash result. Must be at least 28 bytes. |
1260 | | * p Number of 64-bit numbers in a block of data to process. |
1261 | | * len Number of bytes in output. |
1262 | | * returns 0 on success. |
1263 | | */ |
1264 | | static int wc_Sha3GetHash(wc_Sha3* sha3, byte* hash, byte p, byte len) |
1265 | 0 | { |
1266 | 0 | int ret; |
1267 | 0 | wc_Sha3 tmpSha3; |
1268 | |
|
1269 | 0 | if (sha3 == NULL || hash == NULL) |
1270 | 0 | return BAD_FUNC_ARG; |
1271 | | |
1272 | 0 | ret = wc_Sha3Copy(sha3, &tmpSha3); |
1273 | 0 | if (ret == 0) { |
1274 | 0 | ret = wc_Sha3Final(&tmpSha3, hash, p, len); |
1275 | 0 | } |
1276 | 0 | return ret; |
1277 | 0 | } |
1278 | | |
1279 | | /* Initialize the state for a SHA3-224 hash operation. |
1280 | | * |
1281 | | * sha3 wc_Sha3 object holding state. |
1282 | | * heap Heap reference for dynamic memory allocation. (Used in async ops.) |
1283 | | * devId Device identifier for asynchronous operation. |
1284 | | * returns 0 on success. |
1285 | | */ |
1286 | | int wc_InitSha3_224(wc_Sha3* sha3, void* heap, int devId) |
1287 | 21 | { |
1288 | 21 | return wc_InitSha3(sha3, heap, devId); |
1289 | 21 | } |
1290 | | |
1291 | | /* Update the SHA3-224 hash state with message data. |
1292 | | * |
1293 | | * sha3 wc_Sha3 object holding state. |
1294 | | * data Message data to be hashed. |
1295 | | * len Length of the message data. |
1296 | | * returns 0 on success. |
1297 | | */ |
1298 | | int wc_Sha3_224_Update(wc_Sha3* sha3, const byte* data, word32 len) |
1299 | 21 | { |
1300 | 21 | return wc_Sha3Update(sha3, data, len, WC_SHA3_224_COUNT); |
1301 | 21 | } |
1302 | | |
1303 | | /* Calculate the SHA3-224 hash based on all the message data seen. |
1304 | | * The state is initialized ready for a new message to hash. |
1305 | | * |
1306 | | * sha3 wc_Sha3 object holding state. |
1307 | | * hash Buffer to hold the hash result. Must be at least 28 bytes. |
1308 | | * returns 0 on success. |
1309 | | */ |
1310 | | int wc_Sha3_224_Final(wc_Sha3* sha3, byte* hash) |
1311 | 21 | { |
1312 | 21 | return wc_Sha3Final(sha3, hash, WC_SHA3_224_COUNT, WC_SHA3_224_DIGEST_SIZE); |
1313 | 21 | } |
1314 | | |
1315 | | /* Dispose of any dynamically allocated data from the SHA3-224 operation. |
1316 | | * (Required for async ops.) |
1317 | | * |
1318 | | * sha3 wc_Sha3 object holding state. |
1319 | | * returns 0 on success. |
1320 | | */ |
1321 | | void wc_Sha3_224_Free(wc_Sha3* sha3) |
1322 | 21 | { |
1323 | 21 | wc_Sha3Free(sha3); |
1324 | 21 | } |
1325 | | |
1326 | | /* Calculate the SHA3-224 hash based on all the message data so far. |
1327 | | * More message data can be added, after this operation, using the current |
1328 | | * state. |
1329 | | * |
1330 | | * sha3 wc_Sha3 object holding state. |
1331 | | * hash Buffer to hold the hash result. Must be at least 28 bytes. |
1332 | | * returns 0 on success. |
1333 | | */ |
1334 | | int wc_Sha3_224_GetHash(wc_Sha3* sha3, byte* hash) |
1335 | 0 | { |
1336 | 0 | return wc_Sha3GetHash(sha3, hash, WC_SHA3_224_COUNT, WC_SHA3_224_DIGEST_SIZE); |
1337 | 0 | } |
1338 | | |
1339 | | /* Copy the state of the SHA3-224 operation. |
1340 | | * |
1341 | | * src wc_Sha3 object holding state top copy. |
1342 | | * dst wc_Sha3 object to copy into. |
1343 | | * returns 0 on success. |
1344 | | */ |
1345 | | int wc_Sha3_224_Copy(wc_Sha3* src, wc_Sha3* dst) |
1346 | 0 | { |
1347 | 0 | return wc_Sha3Copy(src, dst); |
1348 | 0 | } |
1349 | | |
1350 | | |
1351 | | /* Initialize the state for a SHA3-256 hash operation. |
1352 | | * |
1353 | | * sha3 wc_Sha3 object holding state. |
1354 | | * heap Heap reference for dynamic memory allocation. (Used in async ops.) |
1355 | | * devId Device identifier for asynchronous operation. |
1356 | | * returns 0 on success. |
1357 | | */ |
1358 | | int wc_InitSha3_256(wc_Sha3* sha3, void* heap, int devId) |
1359 | 21 | { |
1360 | 21 | return wc_InitSha3(sha3, heap, devId); |
1361 | 21 | } |
1362 | | |
1363 | | /* Update the SHA3-256 hash state with message data. |
1364 | | * |
1365 | | * sha3 wc_Sha3 object holding state. |
1366 | | * data Message data to be hashed. |
1367 | | * len Length of the message data. |
1368 | | * returns 0 on success. |
1369 | | */ |
1370 | | int wc_Sha3_256_Update(wc_Sha3* sha3, const byte* data, word32 len) |
1371 | 21 | { |
1372 | 21 | return wc_Sha3Update(sha3, data, len, WC_SHA3_256_COUNT); |
1373 | 21 | } |
1374 | | |
1375 | | /* Calculate the SHA3-256 hash based on all the message data seen. |
1376 | | * The state is initialized ready for a new message to hash. |
1377 | | * |
1378 | | * sha3 wc_Sha3 object holding state. |
1379 | | * hash Buffer to hold the hash result. Must be at least 32 bytes. |
1380 | | * returns 0 on success. |
1381 | | */ |
1382 | | int wc_Sha3_256_Final(wc_Sha3* sha3, byte* hash) |
1383 | 21 | { |
1384 | 21 | return wc_Sha3Final(sha3, hash, WC_SHA3_256_COUNT, WC_SHA3_256_DIGEST_SIZE); |
1385 | 21 | } |
1386 | | |
1387 | | /* Dispose of any dynamically allocated data from the SHA3-256 operation. |
1388 | | * (Required for async ops.) |
1389 | | * |
1390 | | * sha3 wc_Sha3 object holding state. |
1391 | | * returns 0 on success. |
1392 | | */ |
1393 | | void wc_Sha3_256_Free(wc_Sha3* sha3) |
1394 | 21 | { |
1395 | 21 | wc_Sha3Free(sha3); |
1396 | 21 | } |
1397 | | |
1398 | | /* Calculate the SHA3-256 hash based on all the message data so far. |
1399 | | * More message data can be added, after this operation, using the current |
1400 | | * state. |
1401 | | * |
1402 | | * sha3 wc_Sha3 object holding state. |
1403 | | * hash Buffer to hold the hash result. Must be at least 32 bytes. |
1404 | | * returns 0 on success. |
1405 | | */ |
1406 | | int wc_Sha3_256_GetHash(wc_Sha3* sha3, byte* hash) |
1407 | 0 | { |
1408 | 0 | return wc_Sha3GetHash(sha3, hash, WC_SHA3_256_COUNT, WC_SHA3_256_DIGEST_SIZE); |
1409 | 0 | } |
1410 | | |
1411 | | /* Copy the state of the SHA3-256 operation. |
1412 | | * |
1413 | | * src wc_Sha3 object holding state top copy. |
1414 | | * dst wc_Sha3 object to copy into. |
1415 | | * returns 0 on success. |
1416 | | */ |
1417 | | int wc_Sha3_256_Copy(wc_Sha3* src, wc_Sha3* dst) |
1418 | 0 | { |
1419 | 0 | return wc_Sha3Copy(src, dst); |
1420 | 0 | } |
1421 | | |
1422 | | |
1423 | | /* Initialize the state for a SHA3-384 hash operation. |
1424 | | * |
1425 | | * sha3 wc_Sha3 object holding state. |
1426 | | * heap Heap reference for dynamic memory allocation. (Used in async ops.) |
1427 | | * devId Device identifier for asynchronous operation. |
1428 | | * returns 0 on success. |
1429 | | */ |
1430 | | int wc_InitSha3_384(wc_Sha3* sha3, void* heap, int devId) |
1431 | 17 | { |
1432 | 17 | return wc_InitSha3(sha3, heap, devId); |
1433 | 17 | } |
1434 | | |
1435 | | /* Update the SHA3-384 hash state with message data. |
1436 | | * |
1437 | | * sha3 wc_Sha3 object holding state. |
1438 | | * data Message data to be hashed. |
1439 | | * len Length of the message data. |
1440 | | * returns 0 on success. |
1441 | | */ |
1442 | | int wc_Sha3_384_Update(wc_Sha3* sha3, const byte* data, word32 len) |
1443 | 17 | { |
1444 | 17 | return wc_Sha3Update(sha3, data, len, WC_SHA3_384_COUNT); |
1445 | 17 | } |
1446 | | |
1447 | | /* Calculate the SHA3-384 hash based on all the message data seen. |
1448 | | * The state is initialized ready for a new message to hash. |
1449 | | * |
1450 | | * sha3 wc_Sha3 object holding state. |
1451 | | * hash Buffer to hold the hash result. Must be at least 48 bytes. |
1452 | | * returns 0 on success. |
1453 | | */ |
1454 | | int wc_Sha3_384_Final(wc_Sha3* sha3, byte* hash) |
1455 | 17 | { |
1456 | 17 | return wc_Sha3Final(sha3, hash, WC_SHA3_384_COUNT, WC_SHA3_384_DIGEST_SIZE); |
1457 | 17 | } |
1458 | | |
1459 | | /* Dispose of any dynamically allocated data from the SHA3-384 operation. |
1460 | | * (Required for async ops.) |
1461 | | * |
1462 | | * sha3 wc_Sha3 object holding state. |
1463 | | * returns 0 on success. |
1464 | | */ |
1465 | | void wc_Sha3_384_Free(wc_Sha3* sha3) |
1466 | 17 | { |
1467 | 17 | wc_Sha3Free(sha3); |
1468 | 17 | } |
1469 | | |
1470 | | /* Calculate the SHA3-384 hash based on all the message data so far. |
1471 | | * More message data can be added, after this operation, using the current |
1472 | | * state. |
1473 | | * |
1474 | | * sha3 wc_Sha3 object holding state. |
1475 | | * hash Buffer to hold the hash result. Must be at least 48 bytes. |
1476 | | * returns 0 on success. |
1477 | | */ |
1478 | | int wc_Sha3_384_GetHash(wc_Sha3* sha3, byte* hash) |
1479 | 0 | { |
1480 | 0 | return wc_Sha3GetHash(sha3, hash, WC_SHA3_384_COUNT, WC_SHA3_384_DIGEST_SIZE); |
1481 | 0 | } |
1482 | | |
1483 | | /* Copy the state of the SHA3-384 operation. |
1484 | | * |
1485 | | * src wc_Sha3 object holding state top copy. |
1486 | | * dst wc_Sha3 object to copy into. |
1487 | | * returns 0 on success. |
1488 | | */ |
1489 | | int wc_Sha3_384_Copy(wc_Sha3* src, wc_Sha3* dst) |
1490 | 0 | { |
1491 | 0 | return wc_Sha3Copy(src, dst); |
1492 | 0 | } |
1493 | | |
1494 | | |
1495 | | /* Initialize the state for a SHA3-512 hash operation. |
1496 | | * |
1497 | | * sha3 wc_Sha3 object holding state. |
1498 | | * heap Heap reference for dynamic memory allocation. (Used in async ops.) |
1499 | | * devId Device identifier for asynchronous operation. |
1500 | | * returns 0 on success. |
1501 | | */ |
1502 | | int wc_InitSha3_512(wc_Sha3* sha3, void* heap, int devId) |
1503 | 59 | { |
1504 | 59 | return wc_InitSha3(sha3, heap, devId); |
1505 | 59 | } |
1506 | | |
1507 | | /* Update the SHA3-512 hash state with message data. |
1508 | | * |
1509 | | * sha3 wc_Sha3 object holding state. |
1510 | | * data Message data to be hashed. |
1511 | | * len Length of the message data. |
1512 | | * returns 0 on success. |
1513 | | */ |
1514 | | int wc_Sha3_512_Update(wc_Sha3* sha3, const byte* data, word32 len) |
1515 | 59 | { |
1516 | 59 | return wc_Sha3Update(sha3, data, len, WC_SHA3_512_COUNT); |
1517 | 59 | } |
1518 | | |
1519 | | /* Calculate the SHA3-512 hash based on all the message data seen. |
1520 | | * The state is initialized ready for a new message to hash. |
1521 | | * |
1522 | | * sha3 wc_Sha3 object holding state. |
1523 | | * hash Buffer to hold the hash result. Must be at least 64 bytes. |
1524 | | * returns 0 on success. |
1525 | | */ |
1526 | | int wc_Sha3_512_Final(wc_Sha3* sha3, byte* hash) |
1527 | 59 | { |
1528 | 59 | return wc_Sha3Final(sha3, hash, WC_SHA3_512_COUNT, WC_SHA3_512_DIGEST_SIZE); |
1529 | 59 | } |
1530 | | |
1531 | | /* Dispose of any dynamically allocated data from the SHA3-512 operation. |
1532 | | * (Required for async ops.) |
1533 | | * |
1534 | | * sha3 wc_Sha3 object holding state. |
1535 | | * returns 0 on success. |
1536 | | */ |
1537 | | void wc_Sha3_512_Free(wc_Sha3* sha3) |
1538 | 59 | { |
1539 | 59 | wc_Sha3Free(sha3); |
1540 | 59 | } |
1541 | | |
1542 | | /* Calculate the SHA3-512 hash based on all the message data so far. |
1543 | | * More message data can be added, after this operation, using the current |
1544 | | * state. |
1545 | | * |
1546 | | * sha3 wc_Sha3 object holding state. |
1547 | | * hash Buffer to hold the hash result. Must be at least 64 bytes. |
1548 | | * returns 0 on success. |
1549 | | */ |
1550 | | int wc_Sha3_512_GetHash(wc_Sha3* sha3, byte* hash) |
1551 | 0 | { |
1552 | 0 | return wc_Sha3GetHash(sha3, hash, WC_SHA3_512_COUNT, WC_SHA3_512_DIGEST_SIZE); |
1553 | 0 | } |
1554 | | |
1555 | | /* Copy the state of the SHA3-512 operation. |
1556 | | * |
1557 | | * src wc_Sha3 object holding state top copy. |
1558 | | * dst wc_Sha3 object to copy into. |
1559 | | * returns 0 on success. |
1560 | | */ |
1561 | | int wc_Sha3_512_Copy(wc_Sha3* src, wc_Sha3* dst) |
1562 | 0 | { |
1563 | 0 | return wc_Sha3Copy(src, dst); |
1564 | 0 | } |
1565 | | |
1566 | | #ifdef WOLFSSL_HASH_FLAGS |
1567 | | int wc_Sha3_SetFlags(wc_Sha3* sha3, word32 flags) |
1568 | 0 | { |
1569 | 0 | if (sha3) { |
1570 | 0 | sha3->flags = flags; |
1571 | 0 | } |
1572 | 0 | return 0; |
1573 | 0 | } |
1574 | | int wc_Sha3_GetFlags(wc_Sha3* sha3, word32* flags) |
1575 | 0 | { |
1576 | 0 | if (sha3 && flags) { |
1577 | 0 | *flags = sha3->flags; |
1578 | 0 | } |
1579 | 0 | return 0; |
1580 | 0 | } |
1581 | | #endif |
1582 | | |
1583 | | #ifdef WOLFSSL_SHAKE128 |
1584 | | /* Initialize the state for a Shake128 hash operation. |
1585 | | * |
1586 | | * shake wc_Shake object holding state. |
1587 | | * heap Heap reference for dynamic memory allocation. (Used in async ops.) |
1588 | | * devId Device identifier for asynchronous operation. |
1589 | | * returns 0 on success. |
1590 | | */ |
1591 | | int wc_InitShake128(wc_Shake* shake, void* heap, int devId) |
1592 | 0 | { |
1593 | 0 | return wc_InitSha3(shake, heap, devId); |
1594 | 0 | } |
1595 | | |
1596 | | #if defined(PSOC6_HASH_SHA3) |
1597 | | |
1598 | | int wc_Shake128_Update(wc_Shake* shake, const byte* data, word32 len) |
1599 | | { |
1600 | | int ret; |
1601 | | if (shake == NULL || (data == NULL && len > 0)) { |
1602 | | return BAD_FUNC_ARG; |
1603 | | } |
1604 | | |
1605 | | if (data == NULL && len == 0) { |
1606 | | /* valid, but do nothing */ |
1607 | | return 0; |
1608 | | } |
1609 | | |
1610 | | /* Lock the mutex to perform crypto operations */ |
1611 | | ret = wolfSSL_CryptHwMutexLock(); |
1612 | | if (ret == 0) { |
1613 | | /* Perform SHA3 on the input data and update the hash state */ |
1614 | | ret = wc_Psoc6_Sha3_Update(shake, data, len, WC_SHA3_128_COUNT); |
1615 | | /* Release the lock */ |
1616 | | wolfSSL_CryptHwMutexUnLock(); |
1617 | | } |
1618 | | |
1619 | | return ret; |
1620 | | } |
1621 | | |
1622 | | int wc_Shake128_Final(wc_Shake* shake, byte* hash, word32 hashLen) |
1623 | | { |
1624 | | int ret; |
1625 | | |
1626 | | if (shake == NULL || hash == NULL) { |
1627 | | return BAD_FUNC_ARG; |
1628 | | } |
1629 | | |
1630 | | /* Lock the mutex to perform crypto operations */ |
1631 | | ret = wolfSSL_CryptHwMutexLock(); |
1632 | | if (ret == 0) { |
1633 | | /* Finalize SHA3 operations and produce digest */ |
1634 | | ret = wc_Psoc6_Sha3_Final(shake, 0x1f, hash, WC_SHA3_128_COUNT, hashLen); |
1635 | | if (ret == 0) { |
1636 | | /* Initialize hash state for SHA-3 operation */ |
1637 | | ret = wc_Psoc6_Sha3_Init(shake); |
1638 | | } |
1639 | | /* Release the lock */ |
1640 | | wolfSSL_CryptHwMutexUnLock(); |
1641 | | } |
1642 | | |
1643 | | return ret; |
1644 | | |
1645 | | } |
1646 | | |
1647 | | int wc_Shake128_Absorb(wc_Shake* shake, const byte* data, word32 len) |
1648 | | { |
1649 | | int ret; |
1650 | | |
1651 | | if ((shake == NULL) || (data == NULL && len != 0)) { |
1652 | | return BAD_FUNC_ARG; |
1653 | | } |
1654 | | |
1655 | | /* Lock the mutex to perform crypto operations */ |
1656 | | ret = wolfSSL_CryptHwMutexLock(); |
1657 | | if (ret == 0) { |
1658 | | /* Perform SHA3 on the input data and update the hash state */ |
1659 | | ret = wc_Psoc6_Sha3_Update(shake, data, len, WC_SHA3_128_COUNT); |
1660 | | if (ret == 0) { |
1661 | | /* Finalize SHA3 operations and produce digest */ |
1662 | | ret = wc_Psoc6_Sha3_Final(shake, 0x1f, NULL, WC_SHA3_128_COUNT, 0); |
1663 | | } |
1664 | | /* Release the lock */ |
1665 | | wolfSSL_CryptHwMutexUnLock(); |
1666 | | } |
1667 | | |
1668 | | return ret; |
1669 | | } |
1670 | | |
1671 | | |
1672 | | int wc_Shake128_SqueezeBlocks(wc_Shake* shake, byte* out, word32 blockCnt) |
1673 | | { |
1674 | | int ret; |
1675 | | if ((shake == NULL) || (out == NULL && blockCnt != 0)) { |
1676 | | return BAD_FUNC_ARG; |
1677 | | } |
1678 | | |
1679 | | /* Lock the mutex to perform crypto operations */ |
1680 | | ret = wolfSSL_CryptHwMutexLock(); |
1681 | | if (ret == 0) { |
1682 | | /* Squeeze output blocks from current hash state */ |
1683 | | ret = wc_Psoc6_Shake_SqueezeBlocks(shake, out, blockCnt); |
1684 | | /* Release the lock */ |
1685 | | wolfSSL_CryptHwMutexUnLock(); |
1686 | | } |
1687 | | |
1688 | | return ret; |
1689 | | } |
1690 | | #else |
1691 | | /* Update the SHAKE128 hash state with message data. |
1692 | | * |
1693 | | * shake wc_Shake object holding state. |
1694 | | * data Message data to be hashed. |
1695 | | * len Length of the message data. |
1696 | | * returns 0 on success. |
1697 | | */ |
1698 | | int wc_Shake128_Update(wc_Shake* shake, const byte* data, word32 len) |
1699 | 0 | { |
1700 | 0 | if (shake == NULL || (data == NULL && len > 0)) { |
1701 | 0 | return BAD_FUNC_ARG; |
1702 | 0 | } |
1703 | | |
1704 | 0 | if (data == NULL && len == 0) { |
1705 | | /* valid, but do nothing */ |
1706 | 0 | return 0; |
1707 | 0 | } |
1708 | | |
1709 | 0 | return Sha3Update(shake, data, len, WC_SHA3_128_COUNT); |
1710 | 0 | } |
1711 | | |
1712 | | /* Calculate the SHAKE128 hash based on all the message data seen. |
1713 | | * The state is initialized ready for a new message to hash. |
1714 | | * |
1715 | | * shake wc_Shake object holding state. |
1716 | | * hash Buffer to hold the hash result. Must be at least 64 bytes. |
1717 | | * returns 0 on success. |
1718 | | */ |
1719 | | int wc_Shake128_Final(wc_Shake* shake, byte* hash, word32 hashLen) |
1720 | 0 | { |
1721 | 0 | int ret; |
1722 | |
|
1723 | 0 | if (shake == NULL || hash == NULL) { |
1724 | 0 | return BAD_FUNC_ARG; |
1725 | 0 | } |
1726 | | |
1727 | 0 | ret = Sha3Final(shake, 0x1f, hash, WC_SHA3_128_COUNT, hashLen); |
1728 | 0 | if (ret != 0) |
1729 | 0 | return ret; |
1730 | | |
1731 | 0 | return InitSha3(shake); /* reset state */ |
1732 | 0 | } |
1733 | | |
1734 | | /* Absorb the data for squeezing. |
1735 | | * |
1736 | | * Update and final with data but no output and no reset |
1737 | | * |
1738 | | * shake wc_Shake object holding state. |
1739 | | * data Data to absorb. |
1740 | | * len Length of d to absorb in bytes. |
1741 | | * returns 0 on success. |
1742 | | */ |
1743 | | int wc_Shake128_Absorb(wc_Shake* shake, const byte* data, word32 len) |
1744 | 0 | { |
1745 | 0 | int ret; |
1746 | |
|
1747 | 0 | if ((shake == NULL) || (data == NULL && len != 0)) { |
1748 | 0 | return BAD_FUNC_ARG; |
1749 | 0 | } |
1750 | | |
1751 | 0 | ret = Sha3Update(shake, data, len, WC_SHA3_128_COUNT); |
1752 | 0 | if (ret == 0) { |
1753 | 0 | byte hash[1]; |
1754 | 0 | ret = Sha3Final(shake, 0x1f, hash, WC_SHA3_128_COUNT, 0); |
1755 | 0 | } |
1756 | | /* No partial data. */ |
1757 | 0 | shake->i = 0; |
1758 | |
|
1759 | 0 | return ret; |
1760 | 0 | } |
1761 | | |
1762 | | #ifdef WC_C_DYNAMIC_FALLBACK |
1763 | | #undef SHA3_BLOCK |
1764 | | #undef SHA3_BLOCK_N |
1765 | | #define SHA3_BLOCK (shake->sha3_block) |
1766 | | #define SHA3_BLOCK_N (shake->sha3_block_n) |
1767 | | #endif |
1768 | | |
1769 | | /* Squeeze the state to produce pseudo-random output. |
1770 | | * |
1771 | | * shake wc_Shake object holding state. |
1772 | | * out Output buffer. |
1773 | | * blockCnt Number of blocks to write. |
1774 | | * returns 0 on success. |
1775 | | */ |
1776 | | int wc_Shake128_SqueezeBlocks(wc_Shake* shake, byte* out, word32 blockCnt) |
1777 | 0 | { |
1778 | 0 | if ((shake == NULL) || (out == NULL && blockCnt != 0)) { |
1779 | 0 | return BAD_FUNC_ARG; |
1780 | 0 | } |
1781 | | #if defined(WOLFSSL_USE_SAVE_VECTOR_REGISTERS) && defined(USE_INTEL_SPEEDUP) |
1782 | | if (SHA3_BLOCK == sha3_block_avx2) |
1783 | | SAVE_VECTOR_REGISTERS(return _svr_ret;); |
1784 | | #endif |
1785 | 0 | for (; (blockCnt > 0); blockCnt--) { |
1786 | | #ifdef SHA3_FUNC_PTR |
1787 | | (*SHA3_BLOCK)(shake->s); |
1788 | | #else |
1789 | 0 | BlockSha3(shake->s); |
1790 | 0 | #endif |
1791 | | #if defined(BIG_ENDIAN_ORDER) |
1792 | | ByteReverseWords64((word64*)out, shake->s, WC_SHA3_128_COUNT * 8); |
1793 | | #else |
1794 | 0 | XMEMCPY(out, shake->s, WC_SHA3_128_COUNT * 8); |
1795 | 0 | #endif |
1796 | 0 | out += WC_SHA3_128_COUNT * 8; |
1797 | 0 | } |
1798 | | #if defined(WOLFSSL_USE_SAVE_VECTOR_REGISTERS) && defined(USE_INTEL_SPEEDUP) |
1799 | | if (SHA3_BLOCK == sha3_block_avx2) |
1800 | | RESTORE_VECTOR_REGISTERS(); |
1801 | | #endif |
1802 | |
|
1803 | 0 | return 0; |
1804 | 0 | } |
1805 | | #endif |
1806 | | |
1807 | | |
1808 | | /* Dispose of any dynamically allocated data from the SHAKE128 operation. |
1809 | | * (Required for async ops.) |
1810 | | * |
1811 | | * shake wc_Shake object holding state. |
1812 | | * returns 0 on success. |
1813 | | */ |
1814 | | void wc_Shake128_Free(wc_Shake* shake) |
1815 | 0 | { |
1816 | 0 | wc_Sha3Free(shake); |
1817 | 0 | } |
1818 | | |
1819 | | /* Copy the state of the SHA3-512 operation. |
1820 | | * |
1821 | | * src wc_Shake object holding state top copy. |
1822 | | * dst wc_Shake object to copy into. |
1823 | | * returns 0 on success. |
1824 | | */ |
1825 | | int wc_Shake128_Copy(wc_Shake* src, wc_Shake* dst) |
1826 | 0 | { |
1827 | 0 | return wc_Sha3Copy(src, dst); |
1828 | 0 | } |
1829 | | #endif |
1830 | | |
1831 | | #ifdef WOLFSSL_SHAKE256 |
1832 | | /* Initialize the state for a Shake256 hash operation. |
1833 | | * |
1834 | | * shake wc_Shake object holding state. |
1835 | | * heap Heap reference for dynamic memory allocation. (Used in async ops.) |
1836 | | * devId Device identifier for asynchronous operation. |
1837 | | * returns 0 on success. |
1838 | | */ |
1839 | | int wc_InitShake256(wc_Shake* shake, void* heap, int devId) |
1840 | 5.99k | { |
1841 | 5.99k | return wc_InitSha3(shake, heap, devId); |
1842 | 5.99k | } |
1843 | | |
1844 | | |
1845 | | #ifdef PSOC6_HASH_SHA3 |
1846 | | |
1847 | | int wc_Shake256_Update(wc_Shake* shake, const byte* data, word32 len) |
1848 | | { |
1849 | | int ret; |
1850 | | if (shake == NULL || (data == NULL && len > 0)) { |
1851 | | return BAD_FUNC_ARG; |
1852 | | } |
1853 | | |
1854 | | if (data == NULL && len == 0) { |
1855 | | /* valid, but do nothing */ |
1856 | | return 0; |
1857 | | } |
1858 | | |
1859 | | /* Lock the mutex to perform crypto operations */ |
1860 | | ret = wolfSSL_CryptHwMutexLock(); |
1861 | | if (ret == 0) { |
1862 | | /* Perform SHA3 on the input data and update the hash state */ |
1863 | | ret = wc_Psoc6_Sha3_Update(shake, data, len, WC_SHA3_256_COUNT); |
1864 | | /* Release the lock */ |
1865 | | wolfSSL_CryptHwMutexUnLock(); |
1866 | | } |
1867 | | |
1868 | | return ret; |
1869 | | } |
1870 | | |
1871 | | int wc_Shake256_Final(wc_Shake* shake, byte* hash, word32 hashLen) |
1872 | | { |
1873 | | int ret; |
1874 | | if (shake == NULL || hash == NULL) { |
1875 | | return BAD_FUNC_ARG; |
1876 | | } |
1877 | | |
1878 | | /* Lock the mutex to perform crypto operations */ |
1879 | | ret = wolfSSL_CryptHwMutexLock(); |
1880 | | if (ret == 0) { |
1881 | | /* Finalize SHA3 operations and produce digest */ |
1882 | | ret = wc_Psoc6_Sha3_Final(shake, 0x1f, hash, WC_SHA3_256_COUNT, hashLen); |
1883 | | if (ret == 0) { |
1884 | | /* Initialize hash state for SHA-3 operation */ |
1885 | | ret = wc_Psoc6_Sha3_Init(shake); |
1886 | | } |
1887 | | /* Release the lock */ |
1888 | | wolfSSL_CryptHwMutexUnLock(); |
1889 | | } |
1890 | | |
1891 | | return ret; |
1892 | | } |
1893 | | |
1894 | | int wc_Shake256_Absorb(wc_Shake* shake, const byte* data, word32 len) |
1895 | | { |
1896 | | int ret; |
1897 | | |
1898 | | if ((shake == NULL) || (data == NULL && len != 0)) { |
1899 | | return BAD_FUNC_ARG; |
1900 | | } |
1901 | | |
1902 | | /* Lock the mutex to perform crypto operations */ |
1903 | | ret = wolfSSL_CryptHwMutexLock(); |
1904 | | if (ret == 0) { |
1905 | | /* Perform SHA3 on the input data and update the hash state */ |
1906 | | ret = wc_Psoc6_Sha3_Update(shake, data, len, WC_SHA3_256_COUNT); |
1907 | | if (ret == 0) { |
1908 | | /* Finalize SHA3 operations and produce digest */ |
1909 | | ret = wc_Psoc6_Sha3_Final(shake, 0x1f, NULL, WC_SHA3_256_COUNT, 0); |
1910 | | } |
1911 | | /* Release the lock */ |
1912 | | wolfSSL_CryptHwMutexUnLock(); |
1913 | | } |
1914 | | |
1915 | | return ret; |
1916 | | } |
1917 | | |
1918 | | int wc_Shake256_SqueezeBlocks(wc_Shake* shake, byte* out, word32 blockCnt) |
1919 | | { |
1920 | | int ret; |
1921 | | if ((shake == NULL) || (out == NULL && blockCnt != 0)) { |
1922 | | return BAD_FUNC_ARG; |
1923 | | } |
1924 | | |
1925 | | /* Lock the mutex to perform crypto operations */ |
1926 | | ret = wolfSSL_CryptHwMutexLock(); |
1927 | | if (ret == 0) { |
1928 | | /* Squeeze output blocks from current hash state */ |
1929 | | ret = wc_Psoc6_Shake_SqueezeBlocks(shake, out, blockCnt); |
1930 | | /* Release the lock */ |
1931 | | wolfSSL_CryptHwMutexUnLock(); |
1932 | | } |
1933 | | |
1934 | | return ret; |
1935 | | } |
1936 | | |
1937 | | #else |
1938 | | /* Update the SHAKE256 hash state with message data. |
1939 | | * |
1940 | | * shake wc_Shake object holding state. |
1941 | | * data Message data to be hashed. |
1942 | | * len Length of the message data. |
1943 | | * returns 0 on success. |
1944 | | */ |
1945 | | int wc_Shake256_Update(wc_Shake* shake, const byte* data, word32 len) |
1946 | 281k | { |
1947 | 281k | if (shake == NULL || (data == NULL && len > 0)) { |
1948 | 0 | return BAD_FUNC_ARG; |
1949 | 0 | } |
1950 | | |
1951 | 281k | if (data == NULL && len == 0) { |
1952 | | /* valid, but do nothing */ |
1953 | 0 | return 0; |
1954 | 0 | } |
1955 | | |
1956 | 281k | return Sha3Update(shake, data, len, WC_SHA3_256_COUNT); |
1957 | 281k | } |
1958 | | |
1959 | | /* Calculate the SHAKE256 hash based on all the message data seen. |
1960 | | * The state is initialized ready for a new message to hash. |
1961 | | * |
1962 | | * shake wc_Shake object holding state. |
1963 | | * hash Buffer to hold the hash result. Must be at least 64 bytes. |
1964 | | * hashLen Size of hash in bytes. |
1965 | | * returns 0 on success. |
1966 | | */ |
1967 | | int wc_Shake256_Final(wc_Shake* shake, byte* hash, word32 hashLen) |
1968 | 12.5k | { |
1969 | 12.5k | int ret; |
1970 | | |
1971 | 12.5k | if (shake == NULL || hash == NULL) { |
1972 | 0 | return BAD_FUNC_ARG; |
1973 | 0 | } |
1974 | | |
1975 | 12.5k | ret = Sha3Final(shake, 0x1f, hash, WC_SHA3_256_COUNT, hashLen); |
1976 | 12.5k | if (ret != 0) |
1977 | 0 | return ret; |
1978 | | |
1979 | 12.5k | return InitSha3(shake); /* reset state */ |
1980 | 12.5k | } |
1981 | | |
1982 | | /* Absorb the data for squeezing. |
1983 | | * |
1984 | | * Update and final with data but no output and no reset |
1985 | | * |
1986 | | * shake wc_Shake object holding state. |
1987 | | * data Data to absorb. |
1988 | | * len Length of d to absorb in bytes. |
1989 | | * returns 0 on success. |
1990 | | */ |
1991 | | int wc_Shake256_Absorb(wc_Shake* shake, const byte* data, word32 len) |
1992 | 0 | { |
1993 | 0 | int ret; |
1994 | |
|
1995 | 0 | if ((shake == NULL) || (data == NULL && len != 0)) { |
1996 | 0 | return BAD_FUNC_ARG; |
1997 | 0 | } |
1998 | | |
1999 | 0 | ret = Sha3Update(shake, data, len, WC_SHA3_256_COUNT); |
2000 | 0 | if (ret == 0) { |
2001 | 0 | byte hash[1]; |
2002 | 0 | ret = Sha3Final(shake, 0x1f, hash, WC_SHA3_256_COUNT, 0); |
2003 | 0 | } |
2004 | | /* No partial data. */ |
2005 | 0 | shake->i = 0; |
2006 | |
|
2007 | 0 | return ret; |
2008 | 0 | } |
2009 | | |
2010 | | /* Squeeze the state to produce pseudo-random output. |
2011 | | * |
2012 | | * shake wc_Shake object holding state. |
2013 | | * out Output buffer. |
2014 | | * blockCnt Number of blocks to write. |
2015 | | * returns 0 on success. |
2016 | | */ |
2017 | | int wc_Shake256_SqueezeBlocks(wc_Shake* shake, byte* out, word32 blockCnt) |
2018 | 0 | { |
2019 | 0 | if ((shake == NULL) || (out == NULL && blockCnt != 0)) { |
2020 | 0 | return BAD_FUNC_ARG; |
2021 | 0 | } |
2022 | | #if defined(WOLFSSL_USE_SAVE_VECTOR_REGISTERS) && defined(USE_INTEL_SPEEDUP) |
2023 | | if (SHA3_BLOCK == sha3_block_avx2) |
2024 | | SAVE_VECTOR_REGISTERS(return _svr_ret;); |
2025 | | #endif |
2026 | 0 | for (; (blockCnt > 0); blockCnt--) { |
2027 | | #ifdef SHA3_FUNC_PTR |
2028 | | (*SHA3_BLOCK)(shake->s); |
2029 | | #else |
2030 | 0 | BlockSha3(shake->s); |
2031 | 0 | #endif |
2032 | | #if defined(BIG_ENDIAN_ORDER) |
2033 | | ByteReverseWords64((word64*)out, shake->s, WC_SHA3_256_COUNT * 8); |
2034 | | #else |
2035 | 0 | XMEMCPY(out, shake->s, WC_SHA3_256_COUNT * 8); |
2036 | 0 | #endif |
2037 | 0 | out += WC_SHA3_256_COUNT * 8; |
2038 | 0 | } |
2039 | | #if defined(WOLFSSL_USE_SAVE_VECTOR_REGISTERS) && defined(USE_INTEL_SPEEDUP) |
2040 | | if (SHA3_BLOCK == sha3_block_avx2) |
2041 | | RESTORE_VECTOR_REGISTERS(); |
2042 | | #endif |
2043 | |
|
2044 | 0 | return 0; |
2045 | 0 | } |
2046 | | #endif |
2047 | | |
2048 | | /* Dispose of any dynamically allocated data from the SHAKE256 operation. |
2049 | | * (Required for async ops.) |
2050 | | * |
2051 | | * shake wc_Shake object holding state. |
2052 | | * returns 0 on success. |
2053 | | */ |
2054 | | void wc_Shake256_Free(wc_Shake* shake) |
2055 | 5.99k | { |
2056 | 5.99k | wc_Sha3Free(shake); |
2057 | 5.99k | } |
2058 | | |
2059 | | /* Copy the state of the SHA3-512 operation. |
2060 | | * |
2061 | | * src wc_Shake object holding state top copy. |
2062 | | * dst wc_Shake object to copy into. |
2063 | | * returns 0 on success. |
2064 | | */ |
2065 | | int wc_Shake256_Copy(wc_Shake* src, wc_Shake* dst) |
2066 | 0 | { |
2067 | 0 | return wc_Sha3Copy(src, dst); |
2068 | 0 | } |
2069 | | #endif |
2070 | | |
2071 | | #endif /* WOLFSSL_SHA3 */ |