|
| 1 | +// SPDX-FileCopyrightText: 2015. Andrey Jivsov <crypto@brainhub.org> |
| 2 | +// SPDX-License-Identifier: MIT |
| 3 | + |
| 4 | +/* ------------------------------------------------------------------------- |
| 5 | + * Works when compiled for either 32-bit or 64-bit targets, optimized for |
| 6 | + * 64 bit. |
| 7 | + * |
| 8 | + * Canonical implementation of Init/Update/Finalize for SHA-3 byte input. |
| 9 | + * |
| 10 | + * SHA3-256, SHA3-384, SHA-512 are implemented. SHA-224 can easily be added. |
| 11 | + * |
| 12 | + * Based on code from http://keccak.noekeon.org/ . |
| 13 | + * |
| 14 | + * I place the code that I wrote into public domain, free to use. |
| 15 | + * |
| 16 | + * I would appreciate if you give credits to this work if you used it to |
| 17 | + * write or test * your code. |
| 18 | + * |
| 19 | + * Aug 2015. Andrey Jivsov. crypto@brainhub.org |
| 20 | + * ---------------------------------------------------------------------- */ |
| 21 | + |
| 22 | +#include <stdio.h> |
| 23 | +#include <stdint.h> |
| 24 | +#include <string.h> |
| 25 | + |
| 26 | +#include "sha3.h" |
| 27 | + |
| 28 | +#define SHA3_ASSERT(x) |
| 29 | +#define SHA3_TRACE(format, ...) |
| 30 | +#define SHA3_TRACE_BUF(format, buf, l) |
| 31 | + |
| 32 | +/* |
| 33 | + * This flag is used to configure "pure" Keccak, as opposed to NIST SHA3. |
| 34 | + */ |
| 35 | +#define SHA3_USE_KECCAK_FLAG 0x80000000 |
| 36 | +#define SHA3_CW(x) ((x) & (~SHA3_USE_KECCAK_FLAG)) |
| 37 | + |
| 38 | +#if defined(_MSC_VER) |
| 39 | +#define SHA3_CONST(x) x |
| 40 | +#else |
| 41 | +#define SHA3_CONST(x) x##L |
| 42 | +#endif |
| 43 | + |
| 44 | +#ifndef SHA3_ROTL64 |
| 45 | +#define SHA3_ROTL64(x, y) \ |
| 46 | + (((x) << (y)) | ((x) >> ((sizeof(uint64_t) * 8) - (y)))) |
| 47 | +#endif |
| 48 | + |
| 49 | +static const uint64_t keccakf_rndc[24] = { |
| 50 | + SHA3_CONST(0x0000000000000001UL), SHA3_CONST(0x0000000000008082UL), |
| 51 | + SHA3_CONST(0x800000000000808aUL), SHA3_CONST(0x8000000080008000UL), |
| 52 | + SHA3_CONST(0x000000000000808bUL), SHA3_CONST(0x0000000080000001UL), |
| 53 | + SHA3_CONST(0x8000000080008081UL), SHA3_CONST(0x8000000000008009UL), |
| 54 | + SHA3_CONST(0x000000000000008aUL), SHA3_CONST(0x0000000000000088UL), |
| 55 | + SHA3_CONST(0x0000000080008009UL), SHA3_CONST(0x000000008000000aUL), |
| 56 | + SHA3_CONST(0x000000008000808bUL), SHA3_CONST(0x800000000000008bUL), |
| 57 | + SHA3_CONST(0x8000000000008089UL), SHA3_CONST(0x8000000000008003UL), |
| 58 | + SHA3_CONST(0x8000000000008002UL), SHA3_CONST(0x8000000000000080UL), |
| 59 | + SHA3_CONST(0x000000000000800aUL), SHA3_CONST(0x800000008000000aUL), |
| 60 | + SHA3_CONST(0x8000000080008081UL), SHA3_CONST(0x8000000000008080UL), |
| 61 | + SHA3_CONST(0x0000000080000001UL), SHA3_CONST(0x8000000080008008UL) |
| 62 | +}; |
| 63 | + |
| 64 | +static const unsigned keccakf_rotc[24] = { |
| 65 | + 1, 3, 6, 10, 15, 21, 28, 36, 45, 55, 2, 14, 27, 41, 56, 8, 25, 43, 62, |
| 66 | + 18, 39, 61, 20, 44 |
| 67 | +}; |
| 68 | + |
| 69 | +static const unsigned keccakf_piln[24] = { |
| 70 | + 10, 7, 11, 17, 18, 3, 5, 16, 8, 21, 24, 4, 15, 23, 19, 13, 12, 2, 20, |
| 71 | + 14, 22, 9, 6, 1 |
| 72 | +}; |
| 73 | + |
| 74 | +/* generally called after SHA3_KECCAK_SPONGE_WORDS-ctx->capacityWords words |
| 75 | + * are XORed into the state s |
| 76 | + */ |
| 77 | +static void keccakf(uint64_t s[25]) { |
| 78 | + int i, j, round; |
| 79 | + uint64_t t, bc[5]; |
| 80 | +#define KECCAK_ROUNDS 24 |
| 81 | + |
| 82 | + for (round = 0; round < KECCAK_ROUNDS; round++) { |
| 83 | + |
| 84 | + /* Theta */ |
| 85 | + for (i = 0; i < 5; i++) |
| 86 | + bc[i] = s[i] ^ s[i + 5] ^ s[i + 10] ^ s[i + 15] ^ s[i + 20]; |
| 87 | + |
| 88 | + for (i = 0; i < 5; i++) { |
| 89 | + t = bc[(i + 4) % 5] ^ SHA3_ROTL64(bc[(i + 1) % 5], 1); |
| 90 | + for (j = 0; j < 25; j += 5) |
| 91 | + s[j + i] ^= t; |
| 92 | + } |
| 93 | + |
| 94 | + /* Rho Pi */ |
| 95 | + t = s[1]; |
| 96 | + for (i = 0; i < 24; i++) { |
| 97 | + j = keccakf_piln[i]; |
| 98 | + bc[0] = s[j]; |
| 99 | + s[j] = SHA3_ROTL64(t, keccakf_rotc[i]); |
| 100 | + t = bc[0]; |
| 101 | + } |
| 102 | + |
| 103 | + /* Chi */ |
| 104 | + for (j = 0; j < 25; j += 5) { |
| 105 | + for (i = 0; i < 5; i++) |
| 106 | + bc[i] = s[j + i]; |
| 107 | + for (i = 0; i < 5; i++) |
| 108 | + s[j + i] ^= (~bc[(i + 1) % 5]) & bc[(i + 2) % 5]; |
| 109 | + } |
| 110 | + |
| 111 | + /* Iota */ |
| 112 | + s[0] ^= keccakf_rndc[round]; |
| 113 | + } |
| 114 | +} |
| 115 | + |
| 116 | +/* *************************** Public Inteface ************************ */ |
| 117 | +/* For Init or Reset call these: */ |
| 118 | +sha3_return_t sha3_Init(void *priv, unsigned bitSize) { |
| 119 | + sha3_context *ctx = (sha3_context *)priv; |
| 120 | + if (bitSize != 224 && bitSize != 256 && bitSize != 384 && bitSize != 512) |
| 121 | + return SHA3_RETURN_BAD_PARAMS; |
| 122 | + memset(ctx, 0, sizeof(*ctx)); |
| 123 | + ctx->capacityWords = 2 * bitSize / (8 * sizeof(uint64_t)); |
| 124 | + return SHA3_RETURN_OK; |
| 125 | +} |
| 126 | + |
| 127 | +void sha3_Init224(void *priv) { |
| 128 | + sha3_Init(priv, 224); |
| 129 | +} |
| 130 | + |
| 131 | +void sha3_Init256(void *priv) { |
| 132 | + sha3_Init(priv, 256); |
| 133 | +} |
| 134 | + |
| 135 | +void sha3_Init384(void *priv) { |
| 136 | + sha3_Init(priv, 384); |
| 137 | +} |
| 138 | + |
| 139 | +void sha3_Init512(void *priv) { |
| 140 | + sha3_Init(priv, 512); |
| 141 | +} |
| 142 | + |
| 143 | +enum SHA3_FLAGS sha3_SetFlags(void *priv, enum SHA3_FLAGS flags) { |
| 144 | + sha3_context *ctx = (sha3_context *)priv; |
| 145 | + flags &= SHA3_FLAGS_KECCAK; |
| 146 | + ctx->capacityWords |= (flags == SHA3_FLAGS_KECCAK ? SHA3_USE_KECCAK_FLAG : 0); |
| 147 | + return flags; |
| 148 | +} |
| 149 | + |
| 150 | +void sha3_Update(void *priv, void const *bufIn, size_t len) { |
| 151 | + sha3_context *ctx = (sha3_context *)priv; |
| 152 | + |
| 153 | + /* 0...7 -- how much is needed to have a word */ |
| 154 | + unsigned old_tail = (8 - ctx->byteIndex) & 7; |
| 155 | + |
| 156 | + size_t words; |
| 157 | + unsigned tail; |
| 158 | + size_t i; |
| 159 | + |
| 160 | + const uint8_t *buf = bufIn; |
| 161 | + |
| 162 | + SHA3_TRACE_BUF("called to update with:", buf, len); |
| 163 | + |
| 164 | + SHA3_ASSERT(ctx->byteIndex < 8); |
| 165 | + SHA3_ASSERT(ctx->wordIndex < sizeof(ctx->u.s) / sizeof(ctx->u.s[0])); |
| 166 | + |
| 167 | + if (len < old_tail) { /* have no complete word or haven't started |
| 168 | + * the word yet */ |
| 169 | + SHA3_TRACE("because %d<%d, store it and return", (unsigned)len, |
| 170 | + (unsigned)old_tail); |
| 171 | + /* endian-independent code follows: */ |
| 172 | + while (len--) |
| 173 | + ctx->saved |= (uint64_t)(*(buf++)) << ((ctx->byteIndex++) * 8); |
| 174 | + SHA3_ASSERT(ctx->byteIndex < 8); |
| 175 | + return; |
| 176 | + } |
| 177 | + |
| 178 | + if (old_tail) { /* will have one word to process */ |
| 179 | + SHA3_TRACE("completing one word with %d bytes", (unsigned)old_tail); |
| 180 | + /* endian-independent code follows: */ |
| 181 | + len -= old_tail; |
| 182 | + while (old_tail--) |
| 183 | + ctx->saved |= (uint64_t)(*(buf++)) << ((ctx->byteIndex++) * 8); |
| 184 | + |
| 185 | + /* now ready to add saved to the sponge */ |
| 186 | + ctx->u.s[ctx->wordIndex] ^= ctx->saved; |
| 187 | + SHA3_ASSERT(ctx->byteIndex == 8); |
| 188 | + ctx->byteIndex = 0; |
| 189 | + ctx->saved = 0; |
| 190 | + if (++ctx->wordIndex == |
| 191 | + (SHA3_KECCAK_SPONGE_WORDS - SHA3_CW(ctx->capacityWords))) { |
| 192 | + keccakf(ctx->u.s); |
| 193 | + ctx->wordIndex = 0; |
| 194 | + } |
| 195 | + } |
| 196 | + |
| 197 | + /* now work in full words directly from input */ |
| 198 | + |
| 199 | + SHA3_ASSERT(ctx->byteIndex == 0); |
| 200 | + |
| 201 | + words = len / sizeof(uint64_t); |
| 202 | + tail = len - words * sizeof(uint64_t); |
| 203 | + |
| 204 | + SHA3_TRACE("have %d full words to process", (unsigned)words); |
| 205 | + |
| 206 | + for (i = 0; i < words; i++, buf += sizeof(uint64_t)) { |
| 207 | + const uint64_t t = (uint64_t)(buf[0]) | |
| 208 | + ((uint64_t)(buf[1]) << 8 * 1) | |
| 209 | + ((uint64_t)(buf[2]) << 8 * 2) | |
| 210 | + ((uint64_t)(buf[3]) << 8 * 3) | |
| 211 | + ((uint64_t)(buf[4]) << 8 * 4) | |
| 212 | + ((uint64_t)(buf[5]) << 8 * 5) | |
| 213 | + ((uint64_t)(buf[6]) << 8 * 6) | |
| 214 | + ((uint64_t)(buf[7]) << 8 * 7); |
| 215 | +#if defined(__x86_64__) || defined(__i386__) |
| 216 | + SHA3_ASSERT(memcmp(&t, buf, 8) == 0); |
| 217 | +#endif |
| 218 | + ctx->u.s[ctx->wordIndex] ^= t; |
| 219 | + if (++ctx->wordIndex == |
| 220 | + (SHA3_KECCAK_SPONGE_WORDS - SHA3_CW(ctx->capacityWords))) { |
| 221 | + keccakf(ctx->u.s); |
| 222 | + ctx->wordIndex = 0; |
| 223 | + } |
| 224 | + } |
| 225 | + |
| 226 | + SHA3_TRACE("have %d bytes left to process, save them", (unsigned)tail); |
| 227 | + |
| 228 | + /* finally, save the partial word */ |
| 229 | + SHA3_ASSERT(ctx->byteIndex == 0 && tail < 8); |
| 230 | + while (tail--) { |
| 231 | + SHA3_TRACE("Store byte %02x '%c'", *buf, *buf); |
| 232 | + ctx->saved |= (uint64_t)(*(buf++)) << ((ctx->byteIndex++) * 8); |
| 233 | + } |
| 234 | + SHA3_ASSERT(ctx->byteIndex < 8); |
| 235 | + SHA3_TRACE("Have saved=0x%016" PRIx64 " at the end", ctx->saved); |
| 236 | +} |
| 237 | + |
| 238 | +/* This is simply the 'update' with the padding block. |
| 239 | + * The padding block is 0x01 || 0x00* || 0x80. First 0x01 and last 0x80 |
| 240 | + * bytes are always present, but they can be the same byte. |
| 241 | + */ |
| 242 | +void const *sha3_Finalize(void *priv) { |
| 243 | + sha3_context *ctx = (sha3_context *)priv; |
| 244 | + |
| 245 | + SHA3_TRACE("called with %d bytes in the buffer", ctx->byteIndex); |
| 246 | + |
| 247 | + /* Append 2-bit suffix 01, per SHA-3 spec. Instead of 1 for padding we |
| 248 | + * use 1<<2 below. The 0x02 below corresponds to the suffix 01. |
| 249 | + * Overall, we feed 0, then 1, and finally 1 to start padding. Without |
| 250 | + * M || 01, we would simply use 1 to start padding. */ |
| 251 | + |
| 252 | + uint64_t t; |
| 253 | + |
| 254 | + if (ctx->capacityWords & SHA3_USE_KECCAK_FLAG) { |
| 255 | + /* Keccak version */ |
| 256 | + t = (uint64_t)(((uint64_t)1) << (ctx->byteIndex * 8)); |
| 257 | + } else { |
| 258 | + /* SHA3 version */ |
| 259 | + t = (uint64_t)(((uint64_t)(0x02 | (1 << 2))) << ((ctx->byteIndex) * 8)); |
| 260 | + } |
| 261 | + |
| 262 | + ctx->u.s[ctx->wordIndex] ^= ctx->saved ^ t; |
| 263 | + |
| 264 | + ctx->u.s[SHA3_KECCAK_SPONGE_WORDS - SHA3_CW(ctx->capacityWords) - 1] ^= |
| 265 | + SHA3_CONST(0x8000000000000000UL); |
| 266 | + keccakf(ctx->u.s); |
| 267 | + |
| 268 | + /* Return first bytes of the ctx->s. This conversion is not needed for |
| 269 | + * little-endian platforms e.g. wrap with #if !defined(__BYTE_ORDER__) |
| 270 | + * || !defined(__ORDER_LITTLE_ENDIAN__) || __BYTE_ORDER__!=__ORDER_LITTLE_ENDIAN__ |
| 271 | + * ... the conversion below ... |
| 272 | + * #endif */ |
| 273 | + { |
| 274 | + unsigned i; |
| 275 | + for (i = 0; i < SHA3_KECCAK_SPONGE_WORDS; i++) { |
| 276 | + const unsigned t1 = (uint32_t)ctx->u.s[i]; |
| 277 | + const unsigned t2 = (uint32_t)((ctx->u.s[i] >> 16) >> 16); |
| 278 | + ctx->u.sb[i * 8 + 0] = (uint8_t)(t1); |
| 279 | + ctx->u.sb[i * 8 + 1] = (uint8_t)(t1 >> 8); |
| 280 | + ctx->u.sb[i * 8 + 2] = (uint8_t)(t1 >> 16); |
| 281 | + ctx->u.sb[i * 8 + 3] = (uint8_t)(t1 >> 24); |
| 282 | + ctx->u.sb[i * 8 + 4] = (uint8_t)(t2); |
| 283 | + ctx->u.sb[i * 8 + 5] = (uint8_t)(t2 >> 8); |
| 284 | + ctx->u.sb[i * 8 + 6] = (uint8_t)(t2 >> 16); |
| 285 | + ctx->u.sb[i * 8 + 7] = (uint8_t)(t2 >> 24); |
| 286 | + } |
| 287 | + } |
| 288 | + |
| 289 | + SHA3_TRACE_BUF("Hash: (first 32 bytes)", ctx->u.sb, 256 / 8); |
| 290 | + |
| 291 | + return (ctx->u.sb); |
| 292 | +} |
0 commit comments