1 /* MIT License
2 *
3 * Copyright (c) 2016-2022 INRIA, CMU and Microsoft Corporation
4 * Copyright (c) 2022-2023 HACL* Contributors
5 *
6 * Permission is hereby granted, free of charge, to any person obtaining a copy
7 * of this software and associated documentation files (the "Software"), to deal
8 * in the Software without restriction, including without limitation the rights
9 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
10 * copies of the Software, and to permit persons to whom the Software is
11 * furnished to do so, subject to the following conditions:
12 *
13 * The above copyright notice and this permission notice shall be included in all
14 * copies or substantial portions of the Software.
15 *
16 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
17 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
18 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
19 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
20 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
21 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
22 * SOFTWARE.
23 */
24
25
26 #include "internal/Hacl_Hash_SHA3.h"
27
block_len(Spec_Hash_Definitions_hash_alg a)28 static uint32_t block_len(Spec_Hash_Definitions_hash_alg a)
29 {
30 switch (a)
31 {
32 case Spec_Hash_Definitions_SHA3_224:
33 {
34 return 144U;
35 }
36 case Spec_Hash_Definitions_SHA3_256:
37 {
38 return 136U;
39 }
40 case Spec_Hash_Definitions_SHA3_384:
41 {
42 return 104U;
43 }
44 case Spec_Hash_Definitions_SHA3_512:
45 {
46 return 72U;
47 }
48 case Spec_Hash_Definitions_Shake128:
49 {
50 return 168U;
51 }
52 case Spec_Hash_Definitions_Shake256:
53 {
54 return 136U;
55 }
56 default:
57 {
58 KRML_HOST_EPRINTF("KaRaMeL incomplete match at %s:%d\n", __FILE__, __LINE__);
59 KRML_HOST_EXIT(253U);
60 }
61 }
62 }
63
hash_len(Spec_Hash_Definitions_hash_alg a)64 static uint32_t hash_len(Spec_Hash_Definitions_hash_alg a)
65 {
66 switch (a)
67 {
68 case Spec_Hash_Definitions_SHA3_224:
69 {
70 return 28U;
71 }
72 case Spec_Hash_Definitions_SHA3_256:
73 {
74 return 32U;
75 }
76 case Spec_Hash_Definitions_SHA3_384:
77 {
78 return 48U;
79 }
80 case Spec_Hash_Definitions_SHA3_512:
81 {
82 return 64U;
83 }
84 default:
85 {
86 KRML_HOST_EPRINTF("KaRaMeL incomplete match at %s:%d\n", __FILE__, __LINE__);
87 KRML_HOST_EXIT(253U);
88 }
89 }
90 }
91
92 void
Hacl_Hash_SHA3_update_multi_sha3(Spec_Hash_Definitions_hash_alg a,uint64_t * s,uint8_t * blocks,uint32_t n_blocks)93 Hacl_Hash_SHA3_update_multi_sha3(
94 Spec_Hash_Definitions_hash_alg a,
95 uint64_t *s,
96 uint8_t *blocks,
97 uint32_t n_blocks
98 )
99 {
100 for (uint32_t i = 0U; i < n_blocks; i++)
101 {
102 uint8_t *block = blocks + i * block_len(a);
103 Hacl_Hash_SHA3_absorb_inner(block_len(a), block, s);
104 }
105 }
106
107 void
Hacl_Hash_SHA3_update_last_sha3(Spec_Hash_Definitions_hash_alg a,uint64_t * s,uint8_t * input,uint32_t input_len)108 Hacl_Hash_SHA3_update_last_sha3(
109 Spec_Hash_Definitions_hash_alg a,
110 uint64_t *s,
111 uint8_t *input,
112 uint32_t input_len
113 )
114 {
115 uint8_t suffix;
116 if (a == Spec_Hash_Definitions_Shake128 || a == Spec_Hash_Definitions_Shake256)
117 {
118 suffix = 0x1fU;
119 }
120 else
121 {
122 suffix = 0x06U;
123 }
124 uint32_t len = block_len(a);
125 if (input_len == len)
126 {
127 Hacl_Hash_SHA3_absorb_inner(len, input, s);
128 uint8_t lastBlock_[200U] = { 0U };
129 uint8_t *lastBlock = lastBlock_;
130 memcpy(lastBlock, input + input_len, 0U * sizeof (uint8_t));
131 lastBlock[0U] = suffix;
132 Hacl_Hash_SHA3_loadState(len, lastBlock, s);
133 if (!(((uint32_t)suffix & 0x80U) == 0U) && 0U == len - 1U)
134 {
135 Hacl_Hash_SHA3_state_permute(s);
136 }
137 uint8_t nextBlock_[200U] = { 0U };
138 uint8_t *nextBlock = nextBlock_;
139 nextBlock[len - 1U] = 0x80U;
140 Hacl_Hash_SHA3_loadState(len, nextBlock, s);
141 Hacl_Hash_SHA3_state_permute(s);
142 return;
143 }
144 uint8_t lastBlock_[200U] = { 0U };
145 uint8_t *lastBlock = lastBlock_;
146 memcpy(lastBlock, input, input_len * sizeof (uint8_t));
147 lastBlock[input_len] = suffix;
148 Hacl_Hash_SHA3_loadState(len, lastBlock, s);
149 if (!(((uint32_t)suffix & 0x80U) == 0U) && input_len == len - 1U)
150 {
151 Hacl_Hash_SHA3_state_permute(s);
152 }
153 uint8_t nextBlock_[200U] = { 0U };
154 uint8_t *nextBlock = nextBlock_;
155 nextBlock[len - 1U] = 0x80U;
156 Hacl_Hash_SHA3_loadState(len, nextBlock, s);
157 Hacl_Hash_SHA3_state_permute(s);
158 }
159
160 typedef struct hash_buf2_s
161 {
162 Hacl_Hash_SHA3_hash_buf fst;
163 Hacl_Hash_SHA3_hash_buf snd;
164 }
165 hash_buf2;
166
Hacl_Hash_SHA3_get_alg(Hacl_Hash_SHA3_state_t * s)167 Spec_Hash_Definitions_hash_alg Hacl_Hash_SHA3_get_alg(Hacl_Hash_SHA3_state_t *s)
168 {
169 Hacl_Hash_SHA3_hash_buf block_state = (*s).block_state;
170 return block_state.fst;
171 }
172
Hacl_Hash_SHA3_malloc(Spec_Hash_Definitions_hash_alg a)173 Hacl_Hash_SHA3_state_t *Hacl_Hash_SHA3_malloc(Spec_Hash_Definitions_hash_alg a)
174 {
175 KRML_CHECK_SIZE(sizeof (uint8_t), block_len(a));
176 uint8_t *buf0 = (uint8_t *)KRML_HOST_CALLOC(block_len(a), sizeof (uint8_t));
177 uint64_t *buf = (uint64_t *)KRML_HOST_CALLOC(25U, sizeof (uint64_t));
178 Hacl_Hash_SHA3_hash_buf block_state = { .fst = a, .snd = buf };
179 Hacl_Hash_SHA3_state_t
180 s = { .block_state = block_state, .buf = buf0, .total_len = (uint64_t)0U };
181 Hacl_Hash_SHA3_state_t
182 *p = (Hacl_Hash_SHA3_state_t *)KRML_HOST_MALLOC(sizeof (Hacl_Hash_SHA3_state_t));
183 p[0U] = s;
184 uint64_t *s1 = block_state.snd;
185 memset(s1, 0U, 25U * sizeof (uint64_t));
186 return p;
187 }
188
Hacl_Hash_SHA3_free(Hacl_Hash_SHA3_state_t * state)189 void Hacl_Hash_SHA3_free(Hacl_Hash_SHA3_state_t *state)
190 {
191 Hacl_Hash_SHA3_state_t scrut = *state;
192 uint8_t *buf = scrut.buf;
193 Hacl_Hash_SHA3_hash_buf block_state = scrut.block_state;
194 uint64_t *s = block_state.snd;
195 KRML_HOST_FREE(s);
196 KRML_HOST_FREE(buf);
197 KRML_HOST_FREE(state);
198 }
199
Hacl_Hash_SHA3_copy(Hacl_Hash_SHA3_state_t * state)200 Hacl_Hash_SHA3_state_t *Hacl_Hash_SHA3_copy(Hacl_Hash_SHA3_state_t *state)
201 {
202 Hacl_Hash_SHA3_state_t scrut0 = *state;
203 Hacl_Hash_SHA3_hash_buf block_state0 = scrut0.block_state;
204 uint8_t *buf0 = scrut0.buf;
205 uint64_t total_len0 = scrut0.total_len;
206 Spec_Hash_Definitions_hash_alg i = block_state0.fst;
207 KRML_CHECK_SIZE(sizeof (uint8_t), block_len(i));
208 uint8_t *buf1 = (uint8_t *)KRML_HOST_CALLOC(block_len(i), sizeof (uint8_t));
209 memcpy(buf1, buf0, block_len(i) * sizeof (uint8_t));
210 uint64_t *buf = (uint64_t *)KRML_HOST_CALLOC(25U, sizeof (uint64_t));
211 Hacl_Hash_SHA3_hash_buf block_state = { .fst = i, .snd = buf };
212 hash_buf2 scrut = { .fst = block_state0, .snd = block_state };
213 uint64_t *s_dst = scrut.snd.snd;
214 uint64_t *s_src = scrut.fst.snd;
215 memcpy(s_dst, s_src, 25U * sizeof (uint64_t));
216 Hacl_Hash_SHA3_state_t
217 s = { .block_state = block_state, .buf = buf1, .total_len = total_len0 };
218 Hacl_Hash_SHA3_state_t
219 *p = (Hacl_Hash_SHA3_state_t *)KRML_HOST_MALLOC(sizeof (Hacl_Hash_SHA3_state_t));
220 p[0U] = s;
221 return p;
222 }
223
Hacl_Hash_SHA3_reset(Hacl_Hash_SHA3_state_t * state)224 void Hacl_Hash_SHA3_reset(Hacl_Hash_SHA3_state_t *state)
225 {
226 Hacl_Hash_SHA3_state_t scrut = *state;
227 uint8_t *buf = scrut.buf;
228 Hacl_Hash_SHA3_hash_buf block_state = scrut.block_state;
229 Spec_Hash_Definitions_hash_alg i = block_state.fst;
230 KRML_MAYBE_UNUSED_VAR(i);
231 uint64_t *s = block_state.snd;
232 memset(s, 0U, 25U * sizeof (uint64_t));
233 Hacl_Hash_SHA3_state_t
234 tmp = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)0U };
235 state[0U] = tmp;
236 }
237
238 Hacl_Streaming_Types_error_code
Hacl_Hash_SHA3_update(Hacl_Hash_SHA3_state_t * state,uint8_t * chunk,uint32_t chunk_len)239 Hacl_Hash_SHA3_update(Hacl_Hash_SHA3_state_t *state, uint8_t *chunk, uint32_t chunk_len)
240 {
241 Hacl_Hash_SHA3_state_t s = *state;
242 Hacl_Hash_SHA3_hash_buf block_state = s.block_state;
243 uint64_t total_len = s.total_len;
244 Spec_Hash_Definitions_hash_alg i = block_state.fst;
245 if ((uint64_t)chunk_len > 0xFFFFFFFFFFFFFFFFULL - total_len)
246 {
247 return Hacl_Streaming_Types_MaximumLengthExceeded;
248 }
249 uint32_t sz;
250 if (total_len % (uint64_t)block_len(i) == 0ULL && total_len > 0ULL)
251 {
252 sz = block_len(i);
253 }
254 else
255 {
256 sz = (uint32_t)(total_len % (uint64_t)block_len(i));
257 }
258 if (chunk_len <= block_len(i) - sz)
259 {
260 Hacl_Hash_SHA3_state_t s1 = *state;
261 Hacl_Hash_SHA3_hash_buf block_state1 = s1.block_state;
262 uint8_t *buf = s1.buf;
263 uint64_t total_len1 = s1.total_len;
264 uint32_t sz1;
265 if (total_len1 % (uint64_t)block_len(i) == 0ULL && total_len1 > 0ULL)
266 {
267 sz1 = block_len(i);
268 }
269 else
270 {
271 sz1 = (uint32_t)(total_len1 % (uint64_t)block_len(i));
272 }
273 uint8_t *buf2 = buf + sz1;
274 memcpy(buf2, chunk, chunk_len * sizeof (uint8_t));
275 uint64_t total_len2 = total_len1 + (uint64_t)chunk_len;
276 *state
277 =
278 ((Hacl_Hash_SHA3_state_t){ .block_state = block_state1, .buf = buf, .total_len = total_len2 });
279 }
280 else if (sz == 0U)
281 {
282 Hacl_Hash_SHA3_state_t s1 = *state;
283 Hacl_Hash_SHA3_hash_buf block_state1 = s1.block_state;
284 uint8_t *buf = s1.buf;
285 uint64_t total_len1 = s1.total_len;
286 uint32_t sz1;
287 if (total_len1 % (uint64_t)block_len(i) == 0ULL && total_len1 > 0ULL)
288 {
289 sz1 = block_len(i);
290 }
291 else
292 {
293 sz1 = (uint32_t)(total_len1 % (uint64_t)block_len(i));
294 }
295 if (!(sz1 == 0U))
296 {
297 Spec_Hash_Definitions_hash_alg a1 = block_state1.fst;
298 uint64_t *s2 = block_state1.snd;
299 Hacl_Hash_SHA3_update_multi_sha3(a1, s2, buf, block_len(i) / block_len(a1));
300 }
301 uint32_t ite;
302 if ((uint64_t)chunk_len % (uint64_t)block_len(i) == 0ULL && (uint64_t)chunk_len > 0ULL)
303 {
304 ite = block_len(i);
305 }
306 else
307 {
308 ite = (uint32_t)((uint64_t)chunk_len % (uint64_t)block_len(i));
309 }
310 uint32_t n_blocks = (chunk_len - ite) / block_len(i);
311 uint32_t data1_len = n_blocks * block_len(i);
312 uint32_t data2_len = chunk_len - data1_len;
313 uint8_t *data1 = chunk;
314 uint8_t *data2 = chunk + data1_len;
315 Spec_Hash_Definitions_hash_alg a1 = block_state1.fst;
316 uint64_t *s2 = block_state1.snd;
317 Hacl_Hash_SHA3_update_multi_sha3(a1, s2, data1, data1_len / block_len(a1));
318 uint8_t *dst = buf;
319 memcpy(dst, data2, data2_len * sizeof (uint8_t));
320 *state
321 =
322 (
323 (Hacl_Hash_SHA3_state_t){
324 .block_state = block_state1,
325 .buf = buf,
326 .total_len = total_len1 + (uint64_t)chunk_len
327 }
328 );
329 }
330 else
331 {
332 uint32_t diff = block_len(i) - sz;
333 uint8_t *chunk1 = chunk;
334 uint8_t *chunk2 = chunk + diff;
335 Hacl_Hash_SHA3_state_t s1 = *state;
336 Hacl_Hash_SHA3_hash_buf block_state10 = s1.block_state;
337 uint8_t *buf0 = s1.buf;
338 uint64_t total_len10 = s1.total_len;
339 uint32_t sz10;
340 if (total_len10 % (uint64_t)block_len(i) == 0ULL && total_len10 > 0ULL)
341 {
342 sz10 = block_len(i);
343 }
344 else
345 {
346 sz10 = (uint32_t)(total_len10 % (uint64_t)block_len(i));
347 }
348 uint8_t *buf2 = buf0 + sz10;
349 memcpy(buf2, chunk1, diff * sizeof (uint8_t));
350 uint64_t total_len2 = total_len10 + (uint64_t)diff;
351 *state
352 =
353 (
354 (Hacl_Hash_SHA3_state_t){
355 .block_state = block_state10,
356 .buf = buf0,
357 .total_len = total_len2
358 }
359 );
360 Hacl_Hash_SHA3_state_t s10 = *state;
361 Hacl_Hash_SHA3_hash_buf block_state1 = s10.block_state;
362 uint8_t *buf = s10.buf;
363 uint64_t total_len1 = s10.total_len;
364 uint32_t sz1;
365 if (total_len1 % (uint64_t)block_len(i) == 0ULL && total_len1 > 0ULL)
366 {
367 sz1 = block_len(i);
368 }
369 else
370 {
371 sz1 = (uint32_t)(total_len1 % (uint64_t)block_len(i));
372 }
373 if (!(sz1 == 0U))
374 {
375 Spec_Hash_Definitions_hash_alg a1 = block_state1.fst;
376 uint64_t *s2 = block_state1.snd;
377 Hacl_Hash_SHA3_update_multi_sha3(a1, s2, buf, block_len(i) / block_len(a1));
378 }
379 uint32_t ite;
380 if
381 (
382 (uint64_t)(chunk_len - diff)
383 % (uint64_t)block_len(i)
384 == 0ULL
385 && (uint64_t)(chunk_len - diff) > 0ULL
386 )
387 {
388 ite = block_len(i);
389 }
390 else
391 {
392 ite = (uint32_t)((uint64_t)(chunk_len - diff) % (uint64_t)block_len(i));
393 }
394 uint32_t n_blocks = (chunk_len - diff - ite) / block_len(i);
395 uint32_t data1_len = n_blocks * block_len(i);
396 uint32_t data2_len = chunk_len - diff - data1_len;
397 uint8_t *data1 = chunk2;
398 uint8_t *data2 = chunk2 + data1_len;
399 Spec_Hash_Definitions_hash_alg a1 = block_state1.fst;
400 uint64_t *s2 = block_state1.snd;
401 Hacl_Hash_SHA3_update_multi_sha3(a1, s2, data1, data1_len / block_len(a1));
402 uint8_t *dst = buf;
403 memcpy(dst, data2, data2_len * sizeof (uint8_t));
404 *state
405 =
406 (
407 (Hacl_Hash_SHA3_state_t){
408 .block_state = block_state1,
409 .buf = buf,
410 .total_len = total_len1 + (uint64_t)(chunk_len - diff)
411 }
412 );
413 }
414 return Hacl_Streaming_Types_Success;
415 }
416
417 static void
digest_(Spec_Hash_Definitions_hash_alg a,Hacl_Hash_SHA3_state_t * state,uint8_t * output,uint32_t l)418 digest_(
419 Spec_Hash_Definitions_hash_alg a,
420 Hacl_Hash_SHA3_state_t *state,
421 uint8_t *output,
422 uint32_t l
423 )
424 {
425 Hacl_Hash_SHA3_state_t scrut0 = *state;
426 Hacl_Hash_SHA3_hash_buf block_state = scrut0.block_state;
427 uint8_t *buf_ = scrut0.buf;
428 uint64_t total_len = scrut0.total_len;
429 uint32_t r;
430 if (total_len % (uint64_t)block_len(a) == 0ULL && total_len > 0ULL)
431 {
432 r = block_len(a);
433 }
434 else
435 {
436 r = (uint32_t)(total_len % (uint64_t)block_len(a));
437 }
438 uint8_t *buf_1 = buf_;
439 uint64_t buf[25U] = { 0U };
440 Hacl_Hash_SHA3_hash_buf tmp_block_state = { .fst = a, .snd = buf };
441 hash_buf2 scrut = { .fst = block_state, .snd = tmp_block_state };
442 uint64_t *s_dst = scrut.snd.snd;
443 uint64_t *s_src = scrut.fst.snd;
444 memcpy(s_dst, s_src, 25U * sizeof (uint64_t));
445 uint32_t ite;
446 if (r % block_len(a) == 0U && r > 0U)
447 {
448 ite = block_len(a);
449 }
450 else
451 {
452 ite = r % block_len(a);
453 }
454 uint8_t *buf_last = buf_1 + r - ite;
455 uint8_t *buf_multi = buf_1;
456 Spec_Hash_Definitions_hash_alg a1 = tmp_block_state.fst;
457 uint64_t *s0 = tmp_block_state.snd;
458 Hacl_Hash_SHA3_update_multi_sha3(a1, s0, buf_multi, 0U / block_len(a1));
459 Spec_Hash_Definitions_hash_alg a10 = tmp_block_state.fst;
460 uint64_t *s1 = tmp_block_state.snd;
461 Hacl_Hash_SHA3_update_last_sha3(a10, s1, buf_last, r);
462 Spec_Hash_Definitions_hash_alg a11 = tmp_block_state.fst;
463 uint64_t *s = tmp_block_state.snd;
464 if (a11 == Spec_Hash_Definitions_Shake128 || a11 == Spec_Hash_Definitions_Shake256)
465 {
466 Hacl_Hash_SHA3_squeeze0(s, block_len(a11), l, output);
467 return;
468 }
469 Hacl_Hash_SHA3_squeeze0(s, block_len(a11), hash_len(a11), output);
470 }
471
472 Hacl_Streaming_Types_error_code
Hacl_Hash_SHA3_digest(Hacl_Hash_SHA3_state_t * state,uint8_t * output)473 Hacl_Hash_SHA3_digest(Hacl_Hash_SHA3_state_t *state, uint8_t *output)
474 {
475 Spec_Hash_Definitions_hash_alg a1 = Hacl_Hash_SHA3_get_alg(state);
476 if (a1 == Spec_Hash_Definitions_Shake128 || a1 == Spec_Hash_Definitions_Shake256)
477 {
478 return Hacl_Streaming_Types_InvalidAlgorithm;
479 }
480 digest_(a1, state, output, hash_len(a1));
481 return Hacl_Streaming_Types_Success;
482 }
483
484 Hacl_Streaming_Types_error_code
Hacl_Hash_SHA3_squeeze(Hacl_Hash_SHA3_state_t * s,uint8_t * dst,uint32_t l)485 Hacl_Hash_SHA3_squeeze(Hacl_Hash_SHA3_state_t *s, uint8_t *dst, uint32_t l)
486 {
487 Spec_Hash_Definitions_hash_alg a1 = Hacl_Hash_SHA3_get_alg(s);
488 if (!(a1 == Spec_Hash_Definitions_Shake128 || a1 == Spec_Hash_Definitions_Shake256))
489 {
490 return Hacl_Streaming_Types_InvalidAlgorithm;
491 }
492 if (l == 0U)
493 {
494 return Hacl_Streaming_Types_InvalidLength;
495 }
496 digest_(a1, s, dst, l);
497 return Hacl_Streaming_Types_Success;
498 }
499
Hacl_Hash_SHA3_block_len(Hacl_Hash_SHA3_state_t * s)500 uint32_t Hacl_Hash_SHA3_block_len(Hacl_Hash_SHA3_state_t *s)
501 {
502 Spec_Hash_Definitions_hash_alg a1 = Hacl_Hash_SHA3_get_alg(s);
503 return block_len(a1);
504 }
505
Hacl_Hash_SHA3_hash_len(Hacl_Hash_SHA3_state_t * s)506 uint32_t Hacl_Hash_SHA3_hash_len(Hacl_Hash_SHA3_state_t *s)
507 {
508 Spec_Hash_Definitions_hash_alg a1 = Hacl_Hash_SHA3_get_alg(s);
509 return hash_len(a1);
510 }
511
Hacl_Hash_SHA3_is_shake(Hacl_Hash_SHA3_state_t * s)512 bool Hacl_Hash_SHA3_is_shake(Hacl_Hash_SHA3_state_t *s)
513 {
514 Spec_Hash_Definitions_hash_alg uu____0 = Hacl_Hash_SHA3_get_alg(s);
515 return uu____0 == Spec_Hash_Definitions_Shake128 || uu____0 == Spec_Hash_Definitions_Shake256;
516 }
517
518 void
Hacl_Hash_SHA3_shake128_hacl(uint32_t inputByteLen,uint8_t * input,uint32_t outputByteLen,uint8_t * output)519 Hacl_Hash_SHA3_shake128_hacl(
520 uint32_t inputByteLen,
521 uint8_t *input,
522 uint32_t outputByteLen,
523 uint8_t *output
524 )
525 {
526 Hacl_Hash_SHA3_keccak(1344U, 256U, inputByteLen, input, 0x1FU, outputByteLen, output);
527 }
528
529 void
Hacl_Hash_SHA3_shake256_hacl(uint32_t inputByteLen,uint8_t * input,uint32_t outputByteLen,uint8_t * output)530 Hacl_Hash_SHA3_shake256_hacl(
531 uint32_t inputByteLen,
532 uint8_t *input,
533 uint32_t outputByteLen,
534 uint8_t *output
535 )
536 {
537 Hacl_Hash_SHA3_keccak(1088U, 512U, inputByteLen, input, 0x1FU, outputByteLen, output);
538 }
539
Hacl_Hash_SHA3_sha3_224(uint8_t * output,uint8_t * input,uint32_t input_len)540 void Hacl_Hash_SHA3_sha3_224(uint8_t *output, uint8_t *input, uint32_t input_len)
541 {
542 Hacl_Hash_SHA3_keccak(1152U, 448U, input_len, input, 0x06U, 28U, output);
543 }
544
Hacl_Hash_SHA3_sha3_256(uint8_t * output,uint8_t * input,uint32_t input_len)545 void Hacl_Hash_SHA3_sha3_256(uint8_t *output, uint8_t *input, uint32_t input_len)
546 {
547 Hacl_Hash_SHA3_keccak(1088U, 512U, input_len, input, 0x06U, 32U, output);
548 }
549
Hacl_Hash_SHA3_sha3_384(uint8_t * output,uint8_t * input,uint32_t input_len)550 void Hacl_Hash_SHA3_sha3_384(uint8_t *output, uint8_t *input, uint32_t input_len)
551 {
552 Hacl_Hash_SHA3_keccak(832U, 768U, input_len, input, 0x06U, 48U, output);
553 }
554
Hacl_Hash_SHA3_sha3_512(uint8_t * output,uint8_t * input,uint32_t input_len)555 void Hacl_Hash_SHA3_sha3_512(uint8_t *output, uint8_t *input, uint32_t input_len)
556 {
557 Hacl_Hash_SHA3_keccak(576U, 1024U, input_len, input, 0x06U, 64U, output);
558 }
559
560 static const
561 uint32_t
562 keccak_rotc[24U] =
563 {
564 1U, 3U, 6U, 10U, 15U, 21U, 28U, 36U, 45U, 55U, 2U, 14U, 27U, 41U, 56U, 8U, 25U, 43U, 62U, 18U,
565 39U, 61U, 20U, 44U
566 };
567
568 static const
569 uint32_t
570 keccak_piln[24U] =
571 {
572 10U, 7U, 11U, 17U, 18U, 3U, 5U, 16U, 8U, 21U, 24U, 4U, 15U, 23U, 19U, 13U, 12U, 2U, 20U, 14U,
573 22U, 9U, 6U, 1U
574 };
575
576 static const
577 uint64_t
578 keccak_rndc[24U] =
579 {
580 0x0000000000000001ULL, 0x0000000000008082ULL, 0x800000000000808aULL, 0x8000000080008000ULL,
581 0x000000000000808bULL, 0x0000000080000001ULL, 0x8000000080008081ULL, 0x8000000000008009ULL,
582 0x000000000000008aULL, 0x0000000000000088ULL, 0x0000000080008009ULL, 0x000000008000000aULL,
583 0x000000008000808bULL, 0x800000000000008bULL, 0x8000000000008089ULL, 0x8000000000008003ULL,
584 0x8000000000008002ULL, 0x8000000000000080ULL, 0x000000000000800aULL, 0x800000008000000aULL,
585 0x8000000080008081ULL, 0x8000000000008080ULL, 0x0000000080000001ULL, 0x8000000080008008ULL
586 };
587
Hacl_Hash_SHA3_state_permute(uint64_t * s)588 void Hacl_Hash_SHA3_state_permute(uint64_t *s)
589 {
590 for (uint32_t i0 = 0U; i0 < 24U; i0++)
591 {
592 uint64_t _C[5U] = { 0U };
593 KRML_MAYBE_FOR5(i,
594 0U,
595 5U,
596 1U,
597 _C[i] = s[i + 0U] ^ (s[i + 5U] ^ (s[i + 10U] ^ (s[i + 15U] ^ s[i + 20U]))););
598 KRML_MAYBE_FOR5(i1,
599 0U,
600 5U,
601 1U,
602 uint64_t uu____0 = _C[(i1 + 1U) % 5U];
603 uint64_t _D = _C[(i1 + 4U) % 5U] ^ (uu____0 << 1U | uu____0 >> 63U);
604 KRML_MAYBE_FOR5(i, 0U, 5U, 1U, s[i1 + 5U * i] = s[i1 + 5U * i] ^ _D;););
605 uint64_t x = s[1U];
606 uint64_t current = x;
607 for (uint32_t i = 0U; i < 24U; i++)
608 {
609 uint32_t _Y = keccak_piln[i];
610 uint32_t r = keccak_rotc[i];
611 uint64_t temp = s[_Y];
612 uint64_t uu____1 = current;
613 s[_Y] = uu____1 << r | uu____1 >> (64U - r);
614 current = temp;
615 }
616 KRML_MAYBE_FOR5(i,
617 0U,
618 5U,
619 1U,
620 uint64_t v0 = s[0U + 5U * i] ^ (~s[1U + 5U * i] & s[2U + 5U * i]);
621 uint64_t v1 = s[1U + 5U * i] ^ (~s[2U + 5U * i] & s[3U + 5U * i]);
622 uint64_t v2 = s[2U + 5U * i] ^ (~s[3U + 5U * i] & s[4U + 5U * i]);
623 uint64_t v3 = s[3U + 5U * i] ^ (~s[4U + 5U * i] & s[0U + 5U * i]);
624 uint64_t v4 = s[4U + 5U * i] ^ (~s[0U + 5U * i] & s[1U + 5U * i]);
625 s[0U + 5U * i] = v0;
626 s[1U + 5U * i] = v1;
627 s[2U + 5U * i] = v2;
628 s[3U + 5U * i] = v3;
629 s[4U + 5U * i] = v4;);
630 uint64_t c = keccak_rndc[i0];
631 s[0U] = s[0U] ^ c;
632 }
633 }
634
Hacl_Hash_SHA3_loadState(uint32_t rateInBytes,uint8_t * input,uint64_t * s)635 void Hacl_Hash_SHA3_loadState(uint32_t rateInBytes, uint8_t *input, uint64_t *s)
636 {
637 uint8_t block[200U] = { 0U };
638 memcpy(block, input, rateInBytes * sizeof (uint8_t));
639 for (uint32_t i = 0U; i < 25U; i++)
640 {
641 uint64_t u = load64_le(block + i * 8U);
642 uint64_t x = u;
643 s[i] = s[i] ^ x;
644 }
645 }
646
storeState(uint32_t rateInBytes,uint64_t * s,uint8_t * res)647 static void storeState(uint32_t rateInBytes, uint64_t *s, uint8_t *res)
648 {
649 uint8_t block[200U] = { 0U };
650 for (uint32_t i = 0U; i < 25U; i++)
651 {
652 uint64_t sj = s[i];
653 store64_le(block + i * 8U, sj);
654 }
655 memcpy(res, block, rateInBytes * sizeof (uint8_t));
656 }
657
Hacl_Hash_SHA3_absorb_inner(uint32_t rateInBytes,uint8_t * block,uint64_t * s)658 void Hacl_Hash_SHA3_absorb_inner(uint32_t rateInBytes, uint8_t *block, uint64_t *s)
659 {
660 Hacl_Hash_SHA3_loadState(rateInBytes, block, s);
661 Hacl_Hash_SHA3_state_permute(s);
662 }
663
664 static void
absorb(uint64_t * s,uint32_t rateInBytes,uint32_t inputByteLen,uint8_t * input,uint8_t delimitedSuffix)665 absorb(
666 uint64_t *s,
667 uint32_t rateInBytes,
668 uint32_t inputByteLen,
669 uint8_t *input,
670 uint8_t delimitedSuffix
671 )
672 {
673 uint32_t n_blocks = inputByteLen / rateInBytes;
674 uint32_t rem = inputByteLen % rateInBytes;
675 for (uint32_t i = 0U; i < n_blocks; i++)
676 {
677 uint8_t *block = input + i * rateInBytes;
678 Hacl_Hash_SHA3_absorb_inner(rateInBytes, block, s);
679 }
680 uint8_t *last = input + n_blocks * rateInBytes;
681 uint8_t lastBlock_[200U] = { 0U };
682 uint8_t *lastBlock = lastBlock_;
683 memcpy(lastBlock, last, rem * sizeof (uint8_t));
684 lastBlock[rem] = delimitedSuffix;
685 Hacl_Hash_SHA3_loadState(rateInBytes, lastBlock, s);
686 if (!(((uint32_t)delimitedSuffix & 0x80U) == 0U) && rem == rateInBytes - 1U)
687 {
688 Hacl_Hash_SHA3_state_permute(s);
689 }
690 uint8_t nextBlock_[200U] = { 0U };
691 uint8_t *nextBlock = nextBlock_;
692 nextBlock[rateInBytes - 1U] = 0x80U;
693 Hacl_Hash_SHA3_loadState(rateInBytes, nextBlock, s);
694 Hacl_Hash_SHA3_state_permute(s);
695 }
696
697 void
Hacl_Hash_SHA3_squeeze0(uint64_t * s,uint32_t rateInBytes,uint32_t outputByteLen,uint8_t * output)698 Hacl_Hash_SHA3_squeeze0(
699 uint64_t *s,
700 uint32_t rateInBytes,
701 uint32_t outputByteLen,
702 uint8_t *output
703 )
704 {
705 uint32_t outBlocks = outputByteLen / rateInBytes;
706 uint32_t remOut = outputByteLen % rateInBytes;
707 uint8_t *last = output + outputByteLen - remOut;
708 uint8_t *blocks = output;
709 for (uint32_t i = 0U; i < outBlocks; i++)
710 {
711 storeState(rateInBytes, s, blocks + i * rateInBytes);
712 Hacl_Hash_SHA3_state_permute(s);
713 }
714 storeState(remOut, s, last);
715 }
716
717 void
Hacl_Hash_SHA3_keccak(uint32_t rate,uint32_t capacity,uint32_t inputByteLen,uint8_t * input,uint8_t delimitedSuffix,uint32_t outputByteLen,uint8_t * output)718 Hacl_Hash_SHA3_keccak(
719 uint32_t rate,
720 uint32_t capacity,
721 uint32_t inputByteLen,
722 uint8_t *input,
723 uint8_t delimitedSuffix,
724 uint32_t outputByteLen,
725 uint8_t *output
726 )
727 {
728 KRML_MAYBE_UNUSED_VAR(capacity);
729 uint32_t rateInBytes = rate / 8U;
730 uint64_t s[25U] = { 0U };
731 absorb(s, rateInBytes, inputByteLen, input, delimitedSuffix);
732 Hacl_Hash_SHA3_squeeze0(s, rateInBytes, outputByteLen, output);
733 }
734
735