2022-06-25 20:28:31 +01:00
|
|
|
/*
|
|
|
|
* sha3.c
|
|
|
|
*
|
|
|
|
* Copyright (c) Atmosphère-NX
|
|
|
|
* Copyright (c) 2022, DarkMatterCore <pabloacurielz@gmail.com>.
|
|
|
|
*
|
|
|
|
* This file is part of nxdumptool (https://github.com/DarkMatterCore/nxdumptool).
|
|
|
|
* Loosely based on crypto_sha3_impl.cpp from Atmosphere-libs.
|
|
|
|
*
|
|
|
|
* nxdumptool is free software: you can redistribute it and/or modify
|
|
|
|
* it under the terms of the GNU General Public License as published by
|
|
|
|
* the Free Software Foundation, either version 3 of the License, or
|
|
|
|
* (at your option) any later version.
|
|
|
|
*
|
|
|
|
* nxdumptool is distributed in the hope that it will be useful,
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
* GNU General Public License for more details.
|
|
|
|
*
|
|
|
|
* You should have received a copy of the GNU General Public License
|
|
|
|
* along with this program. If not, see <https://www.gnu.org/licenses/>.
|
|
|
|
*/
|
|
|
|
|
|
|
|
#include "nxdt_utils.h"
|
|
|
|
#include "sha3.h"
|
|
|
|
|
|
|
|
#define SHA3_NUM_ROUNDS 24
|
|
|
|
|
|
|
|
#define _SHA3_CTX_OPS(bits) \
|
|
|
|
void sha3##bits##ContextCreate(Sha3Context *out) { \
|
|
|
|
sha3ContextCreate(out, bits); \
|
|
|
|
} \
|
|
|
|
void sha3##bits##CalculateHash(void *dst, const void *src, size_t size) { \
|
|
|
|
Sha3Context ctx; \
|
|
|
|
sha3##bits##ContextCreate(&ctx); \
|
|
|
|
sha3ContextUpdate(&ctx, src, size); \
|
|
|
|
sha3ContextGetHash(&ctx, dst); \
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Global constants. */
|
|
|
|
|
|
|
|
static const u64 g_iotaRoundConstant[SHA3_NUM_ROUNDS] = {
|
|
|
|
0x0000000000000001, 0x0000000000008082,
|
|
|
|
0x800000000000808A, 0x8000000080008000,
|
|
|
|
0x000000000000808B, 0x0000000080000001,
|
|
|
|
0x8000000080008081, 0x8000000000008009,
|
|
|
|
0x000000000000008A, 0x0000000000000088,
|
|
|
|
0x0000000080008009, 0x000000008000000A,
|
|
|
|
0x000000008000808B, 0x800000000000008B,
|
|
|
|
0x8000000000008089, 0x8000000000008003,
|
|
|
|
0x8000000000008002, 0x8000000000000080,
|
|
|
|
0x000000000000800A, 0x800000008000000A,
|
|
|
|
0x8000000080008081, 0x8000000000008080,
|
|
|
|
0x0000000080000001, 0x8000000080008008
|
|
|
|
};
|
|
|
|
|
|
|
|
static const int g_rhoShiftBit[SHA3_NUM_ROUNDS] = {
|
|
|
|
1, 3, 6, 10, 15, 21, 28, 36,
|
|
|
|
45, 55, 2, 14, 27, 41, 56, 8,
|
|
|
|
25, 43, 62, 18, 39, 61, 20, 44
|
|
|
|
};
|
|
|
|
|
|
|
|
static const int g_rhoNextIndex[SHA3_NUM_ROUNDS] = {
|
|
|
|
10, 7, 11, 17, 18, 3, 5, 16,
|
|
|
|
8, 21, 24, 4, 15, 23, 19, 13,
|
|
|
|
12, 2, 20, 14, 22, 9, 6, 1
|
|
|
|
};
|
|
|
|
|
|
|
|
static const u64 g_finalMask = 0x8000000000000000;
|
|
|
|
|
|
|
|
/* Function prototypes. */
|
|
|
|
|
|
|
|
static u64 rotl_u64(u64 x, int s);
|
|
|
|
static u64 rotr_u64(u64 x, int s);
|
|
|
|
|
|
|
|
static void sha3ContextCreate(Sha3Context *out, u32 hash_size);
|
|
|
|
|
|
|
|
static void sha3ProcessBlock(Sha3Context *ctx);
|
|
|
|
static void sha3ProcessLastBlock(Sha3Context *ctx);
|
|
|
|
|
|
|
|
void sha3ContextUpdate(Sha3Context *ctx, const void *src, size_t size)
|
|
|
|
{
|
|
|
|
if (!ctx || !src || !size || ctx->finalized)
|
|
|
|
{
|
|
|
|
LOG_MSG("Invalid parameters!");
|
|
|
|
return;
|
|
|
|
}
|
2022-07-05 02:04:28 +01:00
|
|
|
|
2022-06-25 20:28:31 +01:00
|
|
|
const u8 *src_u8 = (u8*)src;
|
|
|
|
size_t remaining = size;
|
2022-07-05 02:04:28 +01:00
|
|
|
|
2022-06-25 20:28:31 +01:00
|
|
|
/* Process we have anything buffered. */
|
|
|
|
if (ctx->buffered_bytes > 0)
|
|
|
|
{
|
|
|
|
/* Determine how much we can copy. */
|
|
|
|
const size_t copy_size = MIN(ctx->block_size - ctx->buffered_bytes, remaining);
|
2022-07-05 02:04:28 +01:00
|
|
|
|
2022-06-25 20:28:31 +01:00
|
|
|
/* Mix the bytes into our state. */
|
|
|
|
u8 *dst = (((u8*)ctx->internal_state) + ctx->buffered_bytes);
|
|
|
|
for(size_t i = 0; i < copy_size; ++i) dst[i] ^= src_u8[i];
|
2022-07-05 02:04:28 +01:00
|
|
|
|
2022-06-25 20:28:31 +01:00
|
|
|
/* Advance. */
|
|
|
|
src_u8 += copy_size;
|
|
|
|
remaining -= copy_size;
|
|
|
|
ctx->buffered_bytes += copy_size;
|
2022-07-05 02:04:28 +01:00
|
|
|
|
2022-06-25 20:28:31 +01:00
|
|
|
/* Process a block, if we filled one. */
|
|
|
|
if (ctx->buffered_bytes == ctx->block_size)
|
|
|
|
{
|
|
|
|
sha3ProcessBlock(ctx);
|
|
|
|
ctx->buffered_bytes = 0;
|
|
|
|
}
|
|
|
|
}
|
2022-07-05 02:04:28 +01:00
|
|
|
|
2022-06-25 20:28:31 +01:00
|
|
|
/* Process blocks, if we have any. */
|
|
|
|
while(remaining >= ctx->block_size)
|
|
|
|
{
|
|
|
|
/* Mix the bytes into our state. */
|
|
|
|
u8 *dst = (u8*)ctx->internal_state;
|
|
|
|
for(size_t i = 0; i < ctx->block_size; ++i) dst[i] ^= src_u8[i];
|
2022-07-05 02:04:28 +01:00
|
|
|
|
2022-06-25 20:28:31 +01:00
|
|
|
sha3ProcessBlock(ctx);
|
2022-07-05 02:04:28 +01:00
|
|
|
|
2022-06-25 20:28:31 +01:00
|
|
|
src_u8 += ctx->block_size;
|
|
|
|
remaining -= ctx->block_size;
|
|
|
|
}
|
2022-07-05 02:04:28 +01:00
|
|
|
|
2022-06-25 20:28:31 +01:00
|
|
|
/* Copy any leftover data to our buffer. */
|
|
|
|
if (remaining > 0)
|
|
|
|
{
|
|
|
|
u8 *dst = (u8*)ctx->internal_state;
|
|
|
|
for(size_t i = 0; i < remaining; ++i) dst[i] ^= src_u8[i];
|
|
|
|
ctx->buffered_bytes = remaining;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
void sha3ContextGetHash(Sha3Context *ctx, void *dst)
|
|
|
|
{
|
|
|
|
if (!ctx || !dst)
|
|
|
|
{
|
|
|
|
LOG_MSG("Invalid parameters!");
|
|
|
|
return;
|
|
|
|
}
|
2022-07-05 02:04:28 +01:00
|
|
|
|
2022-06-25 20:28:31 +01:00
|
|
|
/* If we need to, process the last block. */
|
|
|
|
if (!ctx->finalized)
|
|
|
|
{
|
|
|
|
sha3ProcessLastBlock(ctx);
|
|
|
|
ctx->finalized = true;
|
|
|
|
}
|
2022-07-05 02:04:28 +01:00
|
|
|
|
2022-06-25 20:28:31 +01:00
|
|
|
/* Copy the output hash. */
|
|
|
|
memcpy(dst, ctx->internal_state, ctx->hash_size);
|
|
|
|
}
|
|
|
|
|
2022-06-29 07:55:35 +01:00
|
|
|
/* Functions for SHA3 context creation and simple all-in-one calculation. */
|
|
|
|
|
|
|
|
_SHA3_CTX_OPS(224);
|
|
|
|
_SHA3_CTX_OPS(256);
|
|
|
|
_SHA3_CTX_OPS(384);
|
|
|
|
_SHA3_CTX_OPS(512);
|
|
|
|
|
|
|
|
#undef _SHA3_CTX_OPS
|
|
|
|
|
2022-06-25 20:28:31 +01:00
|
|
|
static u64 rotl_u64(u64 x, int s)
|
|
|
|
{
|
|
|
|
int N = (sizeof(u64) * 8);
|
|
|
|
int r = (s % N);
|
2022-07-05 02:04:28 +01:00
|
|
|
|
2022-06-25 20:28:31 +01:00
|
|
|
if (r == 0)
|
|
|
|
{
|
|
|
|
return x;
|
|
|
|
} else
|
|
|
|
if (r > 0)
|
|
|
|
{
|
|
|
|
return ((x << r) | (x >> (N - r)));
|
|
|
|
}
|
2022-07-05 02:04:28 +01:00
|
|
|
|
2022-06-25 20:28:31 +01:00
|
|
|
return rotr_u64(x, -r);
|
|
|
|
}
|
|
|
|
|
|
|
|
static u64 rotr_u64(u64 x, int s)
|
|
|
|
{
|
|
|
|
int N = (sizeof(u64) * 8);
|
|
|
|
int r = (s % N);
|
2022-07-05 02:04:28 +01:00
|
|
|
|
2022-06-25 20:28:31 +01:00
|
|
|
if (r == 0)
|
|
|
|
{
|
|
|
|
return x;
|
|
|
|
} else
|
|
|
|
if (r > 0)
|
|
|
|
{
|
|
|
|
return ((x >> r) | (x << (N - r)));
|
|
|
|
}
|
2022-07-05 02:04:28 +01:00
|
|
|
|
2022-06-25 20:28:31 +01:00
|
|
|
return rotl_u64(x, -r);
|
|
|
|
}
|
|
|
|
|
|
|
|
static void sha3ContextCreate(Sha3Context *out, u32 hash_size)
|
|
|
|
{
|
|
|
|
if (!out)
|
|
|
|
{
|
|
|
|
LOG_MSG("Invalid parameters!");
|
|
|
|
return;
|
|
|
|
}
|
2022-07-05 02:04:28 +01:00
|
|
|
|
2022-06-25 20:28:31 +01:00
|
|
|
memset(out, 0, sizeof(Sha3Context));
|
2022-07-05 02:04:28 +01:00
|
|
|
|
2022-06-25 20:28:31 +01:00
|
|
|
out->hash_size = SHA3_HASH_SIZE_BYTES(hash_size);
|
|
|
|
out->block_size = SHA3_BLOCK_SIZE(hash_size);
|
|
|
|
}
|
|
|
|
|
|
|
|
static void sha3ProcessBlock(Sha3Context *ctx)
|
|
|
|
{
|
|
|
|
u64 tmp = 0, C[5] = {0};
|
2022-07-05 02:04:28 +01:00
|
|
|
|
2022-06-25 20:28:31 +01:00
|
|
|
/* Perform all rounds. */
|
|
|
|
for(u8 round = 0; round < SHA3_NUM_ROUNDS; ++round)
|
|
|
|
{
|
|
|
|
/* Handle theta. */
|
|
|
|
for(size_t i = 0; i < 5; ++i)
|
|
|
|
{
|
|
|
|
C[i] = (ctx->internal_state[i] ^ ctx->internal_state[i + 5] ^ ctx->internal_state[i + 10] ^ ctx->internal_state[i + 15] ^ ctx->internal_state[i + 20]);
|
|
|
|
}
|
2022-07-05 02:04:28 +01:00
|
|
|
|
2022-06-25 20:28:31 +01:00
|
|
|
for(size_t i = 0; i < 5; ++i)
|
|
|
|
{
|
|
|
|
tmp = (C[(i + 4) % 5] ^ rotl_u64(C[(i + 1) % 5], 1));
|
|
|
|
for(size_t j = 0; j < 5; ++j) ctx->internal_state[(5 * j) + i] ^= tmp;
|
|
|
|
}
|
2022-07-05 02:04:28 +01:00
|
|
|
|
2022-06-25 20:28:31 +01:00
|
|
|
/* Handle rho/pi. */
|
|
|
|
tmp = ctx->internal_state[1];
|
|
|
|
for(size_t i = 0; i < SHA3_NUM_ROUNDS; ++i)
|
|
|
|
{
|
|
|
|
const int rho_next_idx = g_rhoNextIndex[i];
|
|
|
|
C[0] = ctx->internal_state[rho_next_idx];
|
|
|
|
ctx->internal_state[rho_next_idx] = rotl_u64(tmp, g_rhoShiftBit[i]);
|
|
|
|
tmp = C[0];
|
|
|
|
}
|
2022-07-05 02:04:28 +01:00
|
|
|
|
2022-06-25 20:28:31 +01:00
|
|
|
/* Handle chi. */
|
|
|
|
for(size_t i = 0; i < 5; ++i)
|
|
|
|
{
|
|
|
|
for(size_t j = 0; j < 5; ++j) C[j] = ctx->internal_state[(5 * i) + j];
|
|
|
|
for(size_t j = 0; j < 5; ++j) ctx->internal_state[(5 * i) + j] ^= ((~C[(j + 1) % 5]) & C[(j + 2) % 5]);
|
|
|
|
}
|
2022-07-05 02:04:28 +01:00
|
|
|
|
2022-06-25 20:28:31 +01:00
|
|
|
/* Handle iota. */
|
|
|
|
ctx->internal_state[0] ^= g_iotaRoundConstant[round];
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
static void sha3ProcessLastBlock(Sha3Context *ctx)
|
|
|
|
{
|
|
|
|
/* Mix final bits (011) into our state. */
|
|
|
|
((u8*)ctx->internal_state)[ctx->buffered_bytes] ^= 0b110;
|
2022-07-05 02:04:28 +01:00
|
|
|
|
2022-06-25 20:28:31 +01:00
|
|
|
/* Mix in the high bit of the last word in our block. */
|
|
|
|
ctx->internal_state[(ctx->block_size / sizeof(u64)) - 1] ^= g_finalMask;
|
2022-07-05 02:04:28 +01:00
|
|
|
|
2022-06-25 20:28:31 +01:00
|
|
|
/* Process the last block. */
|
|
|
|
sha3ProcessBlock(ctx);
|
|
|
|
}
|