2 * FIPS-202 compliant SHA3 implementation
5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
8 * The SHA-3 Secure Hash Standard was published by NIST in 2015.
24 * these; the defaults here should give sensible trade-offs for gcc and clang on aarch64 and
25 * x86-64.
28 #define MBEDTLS_SHA3_THETA_UNROLL 0 //no-check-names
32 #define MBEDTLS_SHA3_CHI_UNROLL 0 //no-check-names
34 #define MBEDTLS_SHA3_CHI_UNROLL 1 //no-check-names
38 #define MBEDTLS_SHA3_PI_UNROLL 1 //no-check-names
41 #define MBEDTLS_SHA3_RHO_UNROLL 1 //no-check-names
58 * Each round uses a 64-bit mask value. In each mask value, only
59 * bits whose position is of the form 2^k-1 can be set, thus only
63 * are moved to bits 4-6. This allows us to make each mask value
69 * There's a bit more computation, but less memory bandwidth. A quick
94 #define ROTR64(x, y) (((x) << (64U - (y))) | ((x) >> (y))) // 64-bit rotate right
95 #define ABSORB(ctx, idx, v) do { ctx->state[(idx) >> 3] ^= ((uint64_t) (v)) << (((idx) & 0x7) << 3)…
97 #define SQUEEZE(ctx, idx) ((uint8_t) (ctx->state[(idx) >> 3] >> (((idx) & 0x7) << 3)))
104 uint64_t *s = ctx->state; in keccak_f1600() local
111 #if MBEDTLS_SHA3_THETA_UNROLL == 0 //no-check-names in keccak_f1600()
113 lane[i] = s[i] ^ s[i + 5] ^ s[i + 10] ^ s[i + 15] ^ s[i + 20]; in keccak_f1600()
117 s[i] ^= t; s[i + 5] ^= t; s[i + 10] ^= t; s[i + 15] ^= t; s[i + 20] ^= t; in keccak_f1600()
120 lane[0] = s[0] ^ s[5] ^ s[10] ^ s[15] ^ s[20]; in keccak_f1600()
121 lane[1] = s[1] ^ s[6] ^ s[11] ^ s[16] ^ s[21]; in keccak_f1600()
122 lane[2] = s[2] ^ s[7] ^ s[12] ^ s[17] ^ s[22]; in keccak_f1600()
123 lane[3] = s[3] ^ s[8] ^ s[13] ^ s[18] ^ s[23]; in keccak_f1600()
124 lane[4] = s[4] ^ s[9] ^ s[14] ^ s[19] ^ s[24]; in keccak_f1600()
127 s[0] ^= t; s[5] ^= t; s[10] ^= t; s[15] ^= t; s[20] ^= t; in keccak_f1600()
130 s[1] ^= t; s[6] ^= t; s[11] ^= t; s[16] ^= t; s[21] ^= t; in keccak_f1600()
133 s[2] ^= t; s[7] ^= t; s[12] ^= t; s[17] ^= t; s[22] ^= t; in keccak_f1600()
136 s[3] ^= t; s[8] ^= t; s[13] ^= t; s[18] ^= t; s[23] ^= t; in keccak_f1600()
139 s[4] ^= t; s[9] ^= t; s[14] ^= t; s[19] ^= t; s[24] ^= t; in keccak_f1600()
144 uint32_t r = rho[(i - 1) >> 2]; in keccak_f1600()
149 s[j] = ROTR64(s[j], r8); in keccak_f1600()
152 s[i + 0] = ROTR64(s[i + 0], MBEDTLS_BYTE_3(r)); in keccak_f1600()
153 s[i + 1] = ROTR64(s[i + 1], MBEDTLS_BYTE_2(r)); in keccak_f1600()
154 s[i + 2] = ROTR64(s[i + 2], MBEDTLS_BYTE_1(r)); in keccak_f1600()
155 s[i + 3] = ROTR64(s[i + 3], MBEDTLS_BYTE_0(r)); in keccak_f1600()
160 t = s[1]; in keccak_f1600()
165 SWAP(s[p & 0xff], t); in keccak_f1600()
171 SWAP(s[MBEDTLS_BYTE_0(p)], t); SWAP(s[MBEDTLS_BYTE_1(p)], t); in keccak_f1600()
172 SWAP(s[MBEDTLS_BYTE_2(p)], t); SWAP(s[MBEDTLS_BYTE_3(p)], t); in keccak_f1600()
174 SWAP(s[MBEDTLS_BYTE_0(p)], t); SWAP(s[MBEDTLS_BYTE_1(p)], t); in keccak_f1600()
175 SWAP(s[MBEDTLS_BYTE_2(p)], t); SWAP(s[MBEDTLS_BYTE_3(p)], t); in keccak_f1600()
177 SWAP(s[MBEDTLS_BYTE_0(p)], t); SWAP(s[MBEDTLS_BYTE_1(p)], t); in keccak_f1600()
178 SWAP(s[MBEDTLS_BYTE_2(p)], t); SWAP(s[MBEDTLS_BYTE_3(p)], t); in keccak_f1600()
180 SWAP(s[MBEDTLS_BYTE_0(p)], t); SWAP(s[MBEDTLS_BYTE_1(p)], t); in keccak_f1600()
181 SWAP(s[MBEDTLS_BYTE_2(p)], t); SWAP(s[MBEDTLS_BYTE_3(p)], t); in keccak_f1600()
183 SWAP(s[MBEDTLS_BYTE_0(p)], t); SWAP(s[MBEDTLS_BYTE_1(p)], t); in keccak_f1600()
184 SWAP(s[MBEDTLS_BYTE_2(p)], t); SWAP(s[MBEDTLS_BYTE_3(p)], t); in keccak_f1600()
186 SWAP(s[MBEDTLS_BYTE_0(p)], t); SWAP(s[MBEDTLS_BYTE_1(p)], t); in keccak_f1600()
187 SWAP(s[MBEDTLS_BYTE_2(p)], t); SWAP(s[MBEDTLS_BYTE_3(p)], t); in keccak_f1600()
191 #if MBEDTLS_SHA3_CHI_UNROLL == 0 //no-check-names in keccak_f1600()
193 lane[0] = s[i]; lane[1] = s[i + 1]; lane[2] = s[i + 2]; in keccak_f1600()
194 lane[3] = s[i + 3]; lane[4] = s[i + 4]; in keccak_f1600()
195 s[i + 0] ^= (~lane[1]) & lane[2]; in keccak_f1600()
196 s[i + 1] ^= (~lane[2]) & lane[3]; in keccak_f1600()
197 s[i + 2] ^= (~lane[3]) & lane[4]; in keccak_f1600()
198 s[i + 3] ^= (~lane[4]) & lane[0]; in keccak_f1600()
199 s[i + 4] ^= (~lane[0]) & lane[1]; in keccak_f1600()
202 lane[0] = s[0]; lane[1] = s[1]; lane[2] = s[2]; lane[3] = s[3]; lane[4] = s[4]; in keccak_f1600()
203 s[0] ^= (~lane[1]) & lane[2]; in keccak_f1600()
204 s[1] ^= (~lane[2]) & lane[3]; in keccak_f1600()
205 s[2] ^= (~lane[3]) & lane[4]; in keccak_f1600()
206 s[3] ^= (~lane[4]) & lane[0]; in keccak_f1600()
207 s[4] ^= (~lane[0]) & lane[1]; in keccak_f1600()
209 lane[0] = s[5]; lane[1] = s[6]; lane[2] = s[7]; lane[3] = s[8]; lane[4] = s[9]; in keccak_f1600()
210 s[5] ^= (~lane[1]) & lane[2]; in keccak_f1600()
211 s[6] ^= (~lane[2]) & lane[3]; in keccak_f1600()
212 s[7] ^= (~lane[3]) & lane[4]; in keccak_f1600()
213 s[8] ^= (~lane[4]) & lane[0]; in keccak_f1600()
214 s[9] ^= (~lane[0]) & lane[1]; in keccak_f1600()
216 lane[0] = s[10]; lane[1] = s[11]; lane[2] = s[12]; lane[3] = s[13]; lane[4] = s[14]; in keccak_f1600()
217 s[10] ^= (~lane[1]) & lane[2]; in keccak_f1600()
218 s[11] ^= (~lane[2]) & lane[3]; in keccak_f1600()
219 s[12] ^= (~lane[3]) & lane[4]; in keccak_f1600()
220 s[13] ^= (~lane[4]) & lane[0]; in keccak_f1600()
221 s[14] ^= (~lane[0]) & lane[1]; in keccak_f1600()
223 lane[0] = s[15]; lane[1] = s[16]; lane[2] = s[17]; lane[3] = s[18]; lane[4] = s[19]; in keccak_f1600()
224 s[15] ^= (~lane[1]) & lane[2]; in keccak_f1600()
225 s[16] ^= (~lane[2]) & lane[3]; in keccak_f1600()
226 s[17] ^= (~lane[3]) & lane[4]; in keccak_f1600()
227 s[18] ^= (~lane[4]) & lane[0]; in keccak_f1600()
228 s[19] ^= (~lane[0]) & lane[1]; in keccak_f1600()
230 lane[0] = s[20]; lane[1] = s[21]; lane[2] = s[22]; lane[3] = s[23]; lane[4] = s[24]; in keccak_f1600()
231 s[20] ^= (~lane[1]) & lane[2]; in keccak_f1600()
232 s[21] ^= (~lane[2]) & lane[3]; in keccak_f1600()
233 s[22] ^= (~lane[3]) & lane[4]; in keccak_f1600()
234 s[23] ^= (~lane[4]) & lane[0]; in keccak_f1600()
235 s[24] ^= (~lane[0]) & lane[1]; in keccak_f1600()
240 s[0] ^= ((iota_r_packed[round] & 0x40ull) << 57 | in keccak_f1600()
268 * SHA-3 context setup
274 ctx->olen = 224 / 8; in mbedtls_sha3_starts()
275 ctx->max_block_size = 1152 / 8; in mbedtls_sha3_starts()
278 ctx->olen = 256 / 8; in mbedtls_sha3_starts()
279 ctx->max_block_size = 1088 / 8; in mbedtls_sha3_starts()
282 ctx->olen = 384 / 8; in mbedtls_sha3_starts()
283 ctx->max_block_size = 832 / 8; in mbedtls_sha3_starts()
286 ctx->olen = 512 / 8; in mbedtls_sha3_starts()
287 ctx->max_block_size = 576 / 8; in mbedtls_sha3_starts()
293 memset(ctx->state, 0, sizeof(ctx->state)); in mbedtls_sha3_starts()
294 ctx->index = 0; in mbedtls_sha3_starts()
300 * SHA-3 process buffer
307 // 8-byte align index in mbedtls_sha3_update()
308 int align_bytes = 8 - (ctx->index % 8); in mbedtls_sha3_update()
310 for (; align_bytes > 0; align_bytes--) { in mbedtls_sha3_update()
311 ABSORB(ctx, ctx->index, *input++); in mbedtls_sha3_update()
312 ilen--; in mbedtls_sha3_update()
313 ctx->index++; in mbedtls_sha3_update()
315 if ((ctx->index = ctx->index % ctx->max_block_size) == 0) { in mbedtls_sha3_update()
320 // process input in 8-byte chunks in mbedtls_sha3_update()
322 ABSORB(ctx, ctx->index, MBEDTLS_GET_UINT64_LE(input, 0)); in mbedtls_sha3_update()
324 ilen -= 8; in mbedtls_sha3_update()
325 if ((ctx->index = (ctx->index + 8) % ctx->max_block_size) == 0) { in mbedtls_sha3_update()
332 while (ilen-- > 0) { in mbedtls_sha3_update()
333 ABSORB(ctx, ctx->index, *input++); in mbedtls_sha3_update()
334 if ((ctx->index = (ctx->index + 1) % ctx->max_block_size) == 0) { in mbedtls_sha3_update()
347 /* Catch SHA-3 families, with fixed output length */ in mbedtls_sha3_finish()
348 if (ctx->olen > 0) { in mbedtls_sha3_finish()
349 if (ctx->olen > olen) { in mbedtls_sha3_finish()
353 olen = ctx->olen; in mbedtls_sha3_finish()
356 ABSORB(ctx, ctx->index, XOR_BYTE); in mbedtls_sha3_finish()
357 ABSORB(ctx, ctx->max_block_size - 1, 0x80); in mbedtls_sha3_finish()
359 ctx->index = 0; in mbedtls_sha3_finish()
361 while (olen-- > 0) { in mbedtls_sha3_finish()
362 *output++ = SQUEEZE(ctx, ctx->index); in mbedtls_sha3_finish()
364 if ((ctx->index = (ctx->index + 1) % ctx->max_block_size) == 0) { in mbedtls_sha3_finish()
377 * output = SHA-3( input buffer )
406 /**************** Self-tests ****************/
549 mbedtls_printf(" %s test %d error code: %d\n", in mbedtls_sha3_kat_test()
575 mbedtls_printf(" %s test %d failed\n", type_name, test_num); in mbedtls_sha3_kat_test()
578 return -1; in mbedtls_sha3_kat_test()
582 mbedtls_printf(" %s test %d passed\n", type_name, test_num); in mbedtls_sha3_kat_test()
600 mbedtls_printf(" %s long KAT test ", type_name); in mbedtls_sha3_long_kat_test()
669 /* SHA-3 Known Answer Tests (KAT) */ in mbedtls_sha3_self_test()
672 "SHA3-224", MBEDTLS_SHA3_224, i)) { in mbedtls_sha3_self_test()
677 "SHA3-256", MBEDTLS_SHA3_256, i)) { in mbedtls_sha3_self_test()
682 "SHA3-384", MBEDTLS_SHA3_384, i)) { in mbedtls_sha3_self_test()
687 "SHA3-512", MBEDTLS_SHA3_512, i)) { in mbedtls_sha3_self_test()
692 /* SHA-3 long KAT tests */ in mbedtls_sha3_self_test()
694 "SHA3-224", MBEDTLS_SHA3_224)) { in mbedtls_sha3_self_test()
699 "SHA3-256", MBEDTLS_SHA3_256)) { in mbedtls_sha3_self_test()
704 "SHA3-384", MBEDTLS_SHA3_384)) { in mbedtls_sha3_self_test()
709 "SHA3-512", MBEDTLS_SHA3_512)) { in mbedtls_sha3_self_test()