/*
* Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
*
- * Licensed under the OpenSSL license (the "License"). You may not use
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
#include <string.h>
#include <assert.h>
-#ifndef KECCAK1600_ASM
+size_t SHA3_absorb(uint64_t A[5][5], const unsigned char *inp, size_t len,
+ size_t r);
+void SHA3_squeeze(uint64_t A[5][5], unsigned char *out, size_t len, size_t r);
+
+#if !defined(KECCAK1600_ASM) || !defined(SELFTEST)
+
+/*
+ * Choose some sensible defaults
+ */
+#if !defined(KECCAK_REF) && !defined(KECCAK_1X) && !defined(KECCAK_1X_ALT) && \
+ !defined(KECCAK_2X) && !defined(KECCAK_INPLACE)
+# define KECCAK_2X /* default to KECCAK_2X variant */
+#endif
+
+#if defined(__i386) || defined(__i386__) || defined(_M_IX86)
+# define KECCAK_COMPLEMENTING_TRANSFORM
+#endif
#if defined(__x86_64__) || defined(__aarch64__) || \
defined(__mips64) || defined(__ia64) || \
A[0][0] ^= iotas[i];
}
-void KeccakF1600(uint64_t A[5][5])
+static void KeccakF1600(uint64_t A[5][5])
{
size_t i;
A[4][4] = C[4] ^ (~C[0] & C[1]);
}
-void KeccakF1600(uint64_t A[5][5])
+static void KeccakF1600(uint64_t A[5][5])
{
size_t i;
A[0][0] ^= iotas[i];
}
-void KeccakF1600(uint64_t A[5][5])
+static void KeccakF1600(uint64_t A[5][5])
{
size_t i;
* This implementation is variant of KECCAK_1X above with outer-most
* round loop unrolled twice. This allows to take temporary storage
* out of round procedure and simplify references to it by alternating
- * it with actual data (see round loop below). Just like original, it's
- * rather meant as reference for an assembly implementation. It's likely
- * to provide best instruction per processed byte ratio at minimal
- * round unroll factor...
+ * it with actual data (see round loop below). Originally it was meant
+ * rather as reference for an assembly implementation, but it seems to
+ * play best with compilers [as well as provide best instruction per
+ * processed byte ratio at minimal round unroll factor]...
*/
static void Round(uint64_t R[5][5], uint64_t A[5][5], size_t i)
{
#endif
}
-void KeccakF1600(uint64_t A[5][5])
+static void KeccakF1600(uint64_t A[5][5])
{
uint64_t T[5][5];
size_t i;
#endif
}
-#else
+#else /* define KECCAK_INPLACE to compile this code path */
/*
* This implementation is KECCAK_1X from above combined 4 times with
* a twist that allows to omit temporary storage and perform in-place
* processing. It's discussed in section 2.5 of "Keccak implementation
* overview". It's likely to be best suited for processors with large
- * register bank...
+ * register bank... On the other hand processor with large register
+ * bank can as well use KECCAK_1X_ALT, it would be as fast but much
+ * more compact...
*/
static void FourRounds(uint64_t A[5][5], size_t i)
{
/* C[4] ^= */ A[4][4] = B[4] ^ (~B[0] & B[1]);
}
-void KeccakF1600(uint64_t A[5][5])
+static void KeccakF1600(uint64_t A[5][5])
{
size_t i;
* as blocksize. It is commonly (1600 - 256*n)/8, e.g. 168, 136, 104,
* 72, but can also be (1600 - 448)/8 = 144. All this means that message
* padding and intermediate sub-block buffering, byte- or bitwise, is
- * caller's reponsibility.
+ * caller's responsibility.
*/
size_t SHA3_absorb(uint64_t A[5][5], const unsigned char *inp, size_t len,
size_t r)
void SHA3_squeeze(uint64_t A[5][5], unsigned char *out, size_t len, size_t r)
{
uint64_t *A_flat = (uint64_t *)A;
- size_t i, rem, w = r / 8;
+ size_t i, w = r / 8;
assert(r < (25 * sizeof(A[0][0])) && (r % 8) == 0);
- while (len >= r) {
- for (i = 0; i < w; i++) {
+ while (len != 0) {
+ for (i = 0; i < w && len != 0; i++) {
uint64_t Ai = BitDeinterleave(A_flat[i]);
+ if (len < 8) {
+ for (i = 0; i < len; i++) {
+ *out++ = (unsigned char)Ai;
+ Ai >>= 8;
+ }
+ return;
+ }
+
out[0] = (unsigned char)(Ai);
out[1] = (unsigned char)(Ai >> 8);
out[2] = (unsigned char)(Ai >> 16);
out[6] = (unsigned char)(Ai >> 48);
out[7] = (unsigned char)(Ai >> 56);
out += 8;
+ len -= 8;
}
- len -= r;
if (len)
KeccakF1600(A);
}
-
- rem = len % 8;
- len /= 8;
-
- for (i = 0; i < len; i++) {
- uint64_t Ai = BitDeinterleave(A_flat[i]);
-
- out[0] = (unsigned char)(Ai);
- out[1] = (unsigned char)(Ai >> 8);
- out[2] = (unsigned char)(Ai >> 16);
- out[3] = (unsigned char)(Ai >> 24);
- out[4] = (unsigned char)(Ai >> 32);
- out[5] = (unsigned char)(Ai >> 40);
- out[6] = (unsigned char)(Ai >> 48);
- out[7] = (unsigned char)(Ai >> 56);
- out += 8;
- }
-
- if (rem) {
- uint64_t Ai = BitDeinterleave(A_flat[i]);
-
- for (i = 0; i < rem; i++) {
- *out++ = (unsigned char)Ai;
- Ai >>= 8;
- }
- }
}
-#else
-size_t SHA3_absorb(uint64_t A[5][5], const unsigned char *inp, size_t len,
- size_t r);
-void SHA3_squeeze(uint64_t A[5][5], unsigned char *out, size_t len, size_t r);
#endif
#ifdef SELFTEST