* [RFC PATCH 0/4] crypto: Add support for shake128/256 XOFs
@ 2025-06-23 13:18 Stefan Berger
  2025-06-23 13:18 ` [RFC PATCH 1/4] crypto: Add squeeze function to shash_alg for support of XOFs Stefan Berger
                   ` (3 more replies)
  0 siblings, 4 replies; 5+ messages in thread
From: Stefan Berger @ 2025-06-23 13:18 UTC (permalink / raw)
  To: linux-crypto, herbert, davem
  Cc: linux-kernel, James.Bottomley, dhowells, simo, Stefan Berger

This series adds support for shake128/256 extended output functions (XOFs)
along with test cases to verify the produced digest and XOF output. A new
squeeze method is added to the shash_alg structure to get an arbitrary
number of bytes from these XOFs.

Regards,
   Stefan

Stefan Berger (4):
  crypto: Add squeeze function to shash_alg for support of XOFs
  crypto: Add shake128/256 to generic sha3 module
  crypto: Add tests cases for shake128 & shake256 to testmgr
  crypto: Extend testmgr with tests for shake128/256 XOFs

 crypto/hash_info.c             |   4 +
 crypto/sha3_generic.c          | 211 +++++++++++++
 crypto/shash.c                 |   9 +
 crypto/testmgr.c               |  72 +++++
 crypto/testmgr.h               | 522 +++++++++++++++++++++++++++++++++
 include/crypto/algapi.h        |   2 +-
 include/crypto/hash.h          |  25 +-
 include/crypto/sha3.h          |  19 ++
 include/uapi/linux/hash_info.h |   2 +
 9 files changed, 862 insertions(+), 4 deletions(-)

-- 
2.49.0



* [RFC PATCH 1/4] crypto: Add squeeze function to shash_alg for support of XOFs
  2025-06-23 13:18 [RFC PATCH 0/4] crypto: Add support for shake128/256 XOFs Stefan Berger
@ 2025-06-23 13:18 ` Stefan Berger
  2025-06-23 13:18 ` [RFC PATCH 2/4] crypto: Add shake128/256 to generic sha3 module Stefan Berger
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 5+ messages in thread
From: Stefan Berger @ 2025-06-23 13:18 UTC (permalink / raw)
  To: linux-crypto, herbert, davem
  Cc: linux-kernel, James.Bottomley, dhowells, simo, Stefan Berger

Add a squeeze function for support of shake128/256 XOFs. This function
accepts a variable-length output buffer for the XOFs to return their data
in. The final parameter clears the state of an XOF and should only be set
to 'true' when the last output is requested.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
 crypto/shash.c        |  9 +++++++++
 include/crypto/hash.h | 20 ++++++++++++++++++++
 2 files changed, 29 insertions(+)

diff --git a/crypto/shash.c b/crypto/shash.c
index 301ab42bf849..258494f49fce 100644
--- a/crypto/shash.c
+++ b/crypto/shash.c
@@ -59,6 +59,15 @@ int crypto_shash_final(struct shash_desc *desc, u8 *out)
 }
 EXPORT_SYMBOL_GPL(crypto_shash_final);
 
+int crypto_shash_squeeze(struct shash_desc *desc, u8 *out, size_t outlen,
+			 bool final)
+{
+	if (!crypto_shash_alg(desc->tfm)->squeeze)
+		return -EINVAL;
+	return crypto_shash_alg(desc->tfm)->squeeze(desc, out, outlen, final);
+}
+EXPORT_SYMBOL_GPL(crypto_shash_squeeze);
+
 static int shash_default_finup(struct shash_desc *desc, const u8 *data,
 			       unsigned int len, u8 *out)
 {
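Review bot: Returning `-EINVAL` when the algorithm has no `squeeze` operation makes "this hash is not an XOF" indistinguishable from a bad argument; `-EOPNOTSUPP` would let callers tell the two apart. The wrapper also looks up the algorithm twice, which a local would avoid: `struct shash_alg *alg = crypto_shash_alg(desc->tfm);`.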
diff --git a/include/crypto/hash.h b/include/crypto/hash.h
index a67988316d06..9072652e8e60 100644
--- a/include/crypto/hash.h
+++ b/include/crypto/hash.h
@@ -183,6 +183,7 @@ struct shash_desc {
  * @final: see struct ahash_alg
  * @finup: see struct ahash_alg
  * @digest: see struct ahash_alg
+ * @squeeze: Get data from an XOF type of hash
  * @export: see struct ahash_alg
  * @import: see struct ahash_alg
  * @setkey: see struct ahash_alg
@@ -213,6 +214,8 @@ struct shash_alg {
 		     unsigned int len, u8 *out);
 	int (*digest)(struct shash_desc *desc, const u8 *data,
 		      unsigned int len, u8 *out);
+	int (*squeeze)(struct shash_desc *desc, u8 *out, size_t outlen,
+		       bool final);
 	int (*export)(struct shash_desc *desc, void *out);
 	int (*import)(struct shash_desc *desc, const void *in);
 	int (*setkey)(struct crypto_shash *tfm, const u8 *key,
@@ -980,6 +983,23 @@ int crypto_shash_final(struct shash_desc *desc, u8 *out);
 int crypto_shash_finup(struct shash_desc *desc, const u8 *data,
 		       unsigned int len, u8 *out);
 
+/**
+ * crypto_shash_squeeze() - get xof message digest data
+ * @desc: operational state handle that is already filled with data
+ * @out: output buffer filled with the XOF message digest
+ * @outlen: number of bytes to get from the XOF
+ * @final: whether this is the final squeeze call
+ *
+ * Get message digest data from an extend output function (XOF)
+ *
+ * Context: Any context.
+ * Return: 0 if the data could be created successfully; < 0 if an error
+ *         occurred
+ */
+int crypto_shash_squeeze(struct shash_desc *desc, u8 *out, size_t outlen,
+			 bool final);
+
+
 static inline void shash_desc_zero(struct shash_desc *desc)
 {
 	memzero_explicit(desc,
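Review bot: The kernel-doc for `crypto_shash_squeeze()` leaves out the lifecycle rules the commit message describes; `@final` only says "whether this is the final squeeze call". I would write it as `@final: set to true only on the last call; the XOF state is then cleared and @desc must be re-initialised with crypto_shash_init() before reuse`. The description should also say that the function may be called repeatedly to continue the output stream, and that crypto_shash_update() must not be called once squeezing has started. The Return section should name the error returned when the algorithm has no squeeze operation (`-EINVAL` in crypto/shash.c in this patch). "extend output function" should read "extendable-output function".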
-- 
2.49.0



* [RFC PATCH 2/4] crypto: Add shake128/256 to generic sha3 module
  2025-06-23 13:18 [RFC PATCH 0/4] crypto: Add support for shake128/256 XOFs Stefan Berger
  2025-06-23 13:18 ` [RFC PATCH 1/4] crypto: Add squeeze function to shash_alg for support of XOFs Stefan Berger
@ 2025-06-23 13:18 ` Stefan Berger
  2025-06-23 13:18 ` [RFC PATCH 3/4] crypto: Add tests cases for shake128 & shake256 to testmgr Stefan Berger
  2025-06-23 13:18 ` [RFC PATCH 4/4] crypto: Extend testmgr with tests for shake128/256 XOFs Stefan Berger
  3 siblings, 0 replies; 5+ messages in thread
From: Stefan Berger @ 2025-06-23 13:18 UTC (permalink / raw)
  To: linux-crypto, herbert, davem
  Cc: linux-kernel, James.Bottomley, dhowells, simo, Stefan Berger

Extend the sha3 module with shake128 & shake256. For this, implement
functions to get (squeeze) a number of bytes or blocks from the keccak
sponge. A block here corresponds to the number of bytes available in a
buffer following a keccak permutation. On top of this functionality,
implement the general squeeze function that returns a requested number of
bytes to the user. Implement the 'final' function on top of the squeeze
function. The 'final' function will always request a fixed number of bytes
from the squeeze function and set the 'final' parameter to true, clearing
the state of the hash as usual.

Adjust the maximum hash description and block sizes due to shake128.

Extend the arrays for supported hashes with entries for shake128 and
shake256.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
 crypto/hash_info.c             |   4 +
 crypto/sha3_generic.c          | 211 +++++++++++++++++++++++++++++++++
 include/crypto/algapi.h        |   2 +-
 include/crypto/hash.h          |   5 +-
 include/crypto/sha3.h          |  19 +++
 include/uapi/linux/hash_info.h |   2 +
 6 files changed, 239 insertions(+), 4 deletions(-)

diff --git a/crypto/hash_info.c b/crypto/hash_info.c
index 9a467638c971..2e426be89463 100644
--- a/crypto/hash_info.c
+++ b/crypto/hash_info.c
@@ -32,6 +32,8 @@ const char *const hash_algo_name[HASH_ALGO__LAST] = {
 	[HASH_ALGO_SHA3_256]    = "sha3-256",
 	[HASH_ALGO_SHA3_384]    = "sha3-384",
 	[HASH_ALGO_SHA3_512]    = "sha3-512",
+	[HASH_ALGO_SHAKE128]	= "shake128",
+	[HASH_ALGO_SHAKE256]	= "shake256",
 };
 EXPORT_SYMBOL_GPL(hash_algo_name);
 
@@ -59,5 +61,7 @@ const int hash_digest_size[HASH_ALGO__LAST] = {
 	[HASH_ALGO_SHA3_256]    = SHA3_256_DIGEST_SIZE,
 	[HASH_ALGO_SHA3_384]    = SHA3_384_DIGEST_SIZE,
 	[HASH_ALGO_SHA3_512]    = SHA3_512_DIGEST_SIZE,
+	[HASH_ALGO_SHAKE128]	= SHAKE128_DIGEST_SIZE,
+	[HASH_ALGO_SHAKE256]	= SHAKE256_DIGEST_SIZE,
 };
 EXPORT_SYMBOL_GPL(hash_digest_size);
diff --git a/crypto/sha3_generic.c b/crypto/sha3_generic.c
index b103642b56ea..4782303527fe 100644
--- a/crypto/sha3_generic.c
+++ b/crypto/sha3_generic.c
@@ -29,6 +29,8 @@
 #define SHA3_INLINE	noinline
 #endif
 
+#define DOMAIN_SEPARATOR_SHAKE	0x1F
+
 #define KECCAK_ROUNDS 24
 
 static const u64 keccakf_rndc[24] = {
@@ -237,6 +239,189 @@ int crypto_sha3_final(struct shash_desc *desc, u8 *out)
 }
 EXPORT_SYMBOL(crypto_sha3_final);
 
+static int crypto_shake_init(struct shash_desc *desc)
+{
+	struct shake_state *sctx = shash_desc_ctx(desc);
+	unsigned int digest_size = crypto_shash_digestsize(desc->tfm);
+
+	sctx->rsiz = 200 - 2 * digest_size;
+	sctx->rsizw = sctx->rsiz / 8;
+	sctx->partial = 0;
+	sctx->ridx = 0;
+	sctx->finalized = false;
+	sctx->permute = false;
+
+	memset(sctx->st, 0, sizeof(sctx->st));
+	return 0;
+}
+
+static int crypto_shake_update(struct shash_desc *desc, const u8 *data,
+			       unsigned int len)
+{
+	struct shake_state *sctx = shash_desc_ctx(desc);
+	unsigned int done;
+	const u8 *src;
+
+	done = 0;
+	src = data;
+
+	if ((sctx->partial + len) > (sctx->rsiz - 1)) {
+		if (sctx->partial) {
+			done = -sctx->partial;
+			memcpy(sctx->buf + sctx->partial, data,
+			       done + sctx->rsiz);
+			src = sctx->buf;
+		}
+
+		do {
+			unsigned int i;
+
+			for (i = 0; i < sctx->rsizw; i++)
+				sctx->st[i] ^= get_unaligned_le64(src + 8 * i);
+			keccakf(sctx->st);
+
+			done += sctx->rsiz;
+			src = data + done;
+		} while (done + (sctx->rsiz - 1) < len);
+
+		sctx->partial = 0;
+	}
+	memcpy(sctx->buf + sctx->partial, src, len - done);
+	sctx->partial += (len - done);
+
+	return 0;
+}
+
+static void crypto_shake_squeeze_bytes(struct shake_state *sctx,
+				       u8 **out, size_t n)
+{
+	size_t i, to_copy, loops;
+	__le64 *digest;
+	u8 *_out = *out;
+
+	if (n == 0)
+		return;
+
+	BUG_ON(sctx->ridx + n > sctx->rsiz);
+
+	if (sctx->permute) {
+		keccakf(sctx->st);
+		sctx->permute = false;
+	}
+
+	while (n) {
+		to_copy = (n < 8) ? n : 8 - (sctx->ridx & 7);
+		if (to_copy < 8) {
+			for (i = sctx->ridx; i < sctx->ridx + to_copy; i++)
+				*_out++ = sctx->st[i / 8] >> 8 * (i & 7);
+
+			sctx->ridx += to_copy;
+			n -= to_copy;
+			if (n == 0)
+				break;
+		}
+
+		BUG_ON((sctx->ridx & 7) != 0);
+		digest = (__le64 *)_out;
+		loops = n / 8;
+		for (i = sctx->ridx / 8; i < (sctx->ridx / 8) + loops; i++)
+			put_unaligned_le64(sctx->st[i], digest++);
+
+		sctx->ridx += 8 * loops;
+		n -= 8 * loops;
+		_out = (u8 *)digest;
+	}
+
+	if (sctx->ridx == sctx->rsiz) {
+		sctx->ridx = 0;
+		sctx->permute = true;
+	}
+	*out = _out;
+}
+
+static void crypto_shake_squeeze_blocks(struct shake_state *sctx,
+					u8 **out, size_t nblocks)
+{
+	__le64 *digest = (__le64 *)*out;
+	size_t i, j;
+
+	BUG_ON(sctx->ridx != 0);
+
+	for (i = 0; i < nblocks; i++) {
+		if (sctx->permute)
+			keccakf(sctx->st);
+		sctx->permute = true;
+
+		for (j = 0; j < sctx->rsiz / 8; j++)
+			put_unaligned_le64(sctx->st[j], digest++);
+	}
+	*out = (u8 *)digest;
+}
+
+static void crypto_shake_finalize(struct shake_state *sctx,
+				  u8 domsep)
+{
+	unsigned int inlen, i;
+
+	if (sctx->finalized)
+		return;
+
+	inlen = sctx->partial;
+	sctx->buf[inlen++] = domsep;
+	memset(sctx->buf + inlen, 0, sctx->rsiz - inlen);
+	sctx->buf[sctx->rsiz - 1] |= 0x80;
+
+	for (i = 0; i < sctx->rsizw; i++)
+		sctx->st[i] ^= get_unaligned_le64(sctx->buf + 8 * i);
+
+	sctx->finalized = true;
+	sctx->permute = true;
+}
+
+static int crypto_shake_squeeze(struct shash_desc *desc,
+				u8 *out, size_t outlen,
+				bool final)
+{
+	struct shake_state *sctx = shash_desc_ctx(desc);
+	size_t nblocks, to_copy;
+
+	if (!sctx->finalized)
+		crypto_shake_finalize(sctx, DOMAIN_SEPARATOR_SHAKE);
+
+	if (sctx->ridx > 0) {
+		to_copy = min(outlen, sctx->rsiz - sctx->ridx);
+
+		crypto_shake_squeeze_bytes(sctx, &out, to_copy);
+		outlen -= to_copy;
+		if (outlen == 0)
+			goto done;
+	}
+
+	nblocks = outlen / sctx->rsiz;
+	if (nblocks) {
+		crypto_shake_squeeze_blocks(sctx, &out, nblocks);
+		outlen -= nblocks * sctx->rsiz;
+	}
+
+	crypto_shake_squeeze_bytes(sctx, &out, outlen);
+
+done:
+	if (final)
+		memset(sctx, 0, sizeof(*sctx));
+
+	return 0;
+}
+
+static int crypto_shake_final(struct shash_desc *desc, u8 *out)
+{
+	unsigned int digest_size = crypto_shash_digestsize(desc->tfm);
+
+	crypto_shake_squeeze(desc, out, digest_size, true);
+
+	return 0;
+}
+
+
 static struct shash_alg algs[] = { {
 	.digestsize		= SHA3_224_DIGEST_SIZE,
 	.init			= crypto_sha3_init,
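Review bot: After `crypto_shake_squeeze(..., final = true)`, and therefore after `crypto_shake_final`, the `memset` leaves `sctx->rsiz` at 0, and none of the new functions rejects a descriptor in that state. A later squeeze without `crypto_shake_init` reaches `memset(sctx->buf + inlen, 0, sctx->rsiz - inlen)` in `crypto_shake_finalize` with an unsigned length that wraps, and `outlen / sctx->rsiz` divides by zero; `crypto_shake_update` likewise compares against `sctx->rsiz - 1`, which wraps to UINT_MAX, before copying `len` bytes into `buf`. A guard such as `if (!sctx->rsiz) return -EINVAL;` at the top of `crypto_shake_squeeze` and `crypto_shake_update` turns that misuse into an error instead of an out-of-bounds write. `crypto_shake_update` also never checks `sctx->finalized`, so absorbing after the first squeeze silently produces output that is not SHAKE of any input; returning an error there would be safer. The three `BUG_ON()` checks guard internal invariants and would be better as `WARN_ON_ONCE()` with an early return.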
@@ -277,6 +462,28 @@ static struct shash_alg algs[] = { {
 	.base.cra_driver_name	= "sha3-512-generic",
 	.base.cra_blocksize	= SHA3_512_BLOCK_SIZE,
 	.base.cra_module	= THIS_MODULE,
+}, {
+	.digestsize		= SHAKE128_DIGEST_SIZE,
+	.init			= crypto_shake_init,
+	.update			= crypto_shake_update,
+	.final			= crypto_shake_final,
+	.squeeze		= crypto_shake_squeeze,
+	.descsize		= sizeof(struct shake_state),
+	.base.cra_name		= "shake128",
+	.base.cra_driver_name	= "shake128-generic",
+	.base.cra_blocksize	= SHAKE128_BLOCK_SIZE,
+	.base.cra_module	= THIS_MODULE,
+}, {
+	.digestsize		= SHAKE256_DIGEST_SIZE,
+	.init			= crypto_shake_init,
+	.update			= crypto_shake_update,
+	.final			= crypto_shake_final,
+	.squeeze		= crypto_shake_squeeze,
+	.descsize		= sizeof(struct shake_state),
+	.base.cra_name		= "shake256",
+	.base.cra_driver_name	= "shake256-generic",
+	.base.cra_blocksize	= SHAKE256_BLOCK_SIZE,
+	.base.cra_module	= THIS_MODULE,
 } };
 
 static int __init sha3_generic_mod_init(void)
@@ -303,3 +510,7 @@ MODULE_ALIAS_CRYPTO("sha3-384");
 MODULE_ALIAS_CRYPTO("sha3-384-generic");
 MODULE_ALIAS_CRYPTO("sha3-512");
 MODULE_ALIAS_CRYPTO("sha3-512-generic");
+MODULE_ALIAS_CRYPTO("shake128");
+MODULE_ALIAS_CRYPTO("shake128-generic");
+MODULE_ALIAS_CRYPTO("shake256");
+MODULE_ALIAS_CRYPTO("shake256-generic");
diff --git a/include/crypto/algapi.h b/include/crypto/algapi.h
index 6e07bbc04089..be30f895fe7b 100644
--- a/include/crypto/algapi.h
+++ b/include/crypto/algapi.h
@@ -20,7 +20,7 @@
  * static buffers that are big enough for any combination of
  * algs and architectures. Ciphers have a lower maximum size.
  */
-#define MAX_ALGAPI_BLOCKSIZE		160
+#define MAX_ALGAPI_BLOCKSIZE		168 /* shake128 */
 #define MAX_ALGAPI_ALIGNMASK		127
 #define MAX_CIPHER_BLOCKSIZE		16
 #define MAX_CIPHER_ALIGNMASK		15
diff --git a/include/crypto/hash.h b/include/crypto/hash.h
index 9072652e8e60..5d69c2d69b96 100644
--- a/include/crypto/hash.h
+++ b/include/crypto/hash.h
@@ -166,10 +166,9 @@ struct shash_desc {
 #define HASH_MAX_DIGESTSIZE	 64
 
 /*
- * Worst case is hmac(sha3-224-generic).  Its context is a nested 'shash_desc'
- * containing a 'struct sha3_state'.
+ * Worst case is shake128
  */
-#define HASH_MAX_DESCSIZE	(sizeof(struct shash_desc) + 360)
+#define HASH_MAX_DESCSIZE	(sizeof(struct shash_desc) + 384)
 
 #define SHASH_DESC_ON_STACK(shash, ctx)					     \
 	char __##shash##_desc[sizeof(struct shash_desc) + HASH_MAX_DESCSIZE] \
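Review bot: The new constant 384 is not tied to `sizeof(struct shake_state)`, and the replacement comment `Worst case is shake128` drops the derivation the old comment gave. By my count the structure added in include/crypto/sha3.h in this patch (200 bytes of `st`, four `unsigned int`, 168 bytes of `buf`, two `bool` plus padding) is larger than 384 bytes, so it presumably fits only because `sizeof(struct shash_desc)` is added on top; please confirm with pahole. A `static_assert(sizeof(struct shake_state) <= HASH_MAX_DESCSIZE);` next to the algorithm table in crypto/sha3_generic.c, plus a comment stating how 384 was computed, would keep the limit from drifting silently.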
diff --git a/include/crypto/sha3.h b/include/crypto/sha3.h
index 080f60c2e6b1..d99d2bfbd27f 100644
--- a/include/crypto/sha3.h
+++ b/include/crypto/sha3.h
@@ -31,4 +31,23 @@ int crypto_sha3_update(struct shash_desc *desc, const u8 *data,
 		       unsigned int len);
 int crypto_sha3_final(struct shash_desc *desc, u8 *out);
 
+
+#define SHAKE128_DIGEST_SIZE	(128 / 8)
+#define SHAKE128_BLOCK_SIZE	(200 - 2 * SHAKE128_DIGEST_SIZE)
+
+#define SHAKE256_DIGEST_SIZE	(256 / 8)
+#define SHAKE256_BLOCK_SIZE	(200 - 2 * SHAKE256_DIGEST_SIZE)
+
+struct shake_state {
+	u64		st[25];
+	unsigned int	rsiz;
+	unsigned int	rsizw;
+
+	unsigned int	partial;
+	u8		buf[SHAKE128_BLOCK_SIZE];
+	bool		finalized;
+	bool		permute;
+	unsigned int	ridx;
+};
+
 #endif
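Review bot: `SHAKE128_DIGEST_SIZE` serves two roles that should be separated or at least documented: it is the default output length returned by `.final`, and `crypto_shake_init` derives the rate from it with `200 - 2 * digest_size`. A 16-byte SHAKE128 output offers at most 64 bits of collision resistance (FIPS 202 gives min(d/2, 128) for d output bits), which callers selecting "shake128" through the regular digest path may not expect. I would add a comment such as `/* default .final output; squeeze at least 32 bytes where 128-bit collision resistance is needed */` and take the rate from `SHAKE128_BLOCK_SIZE` or `cra_blocksize`, so the default length can change without altering the sponge parameters. The fields of `struct shake_state` (`rsiz`, `rsizw`, `ridx`, `permute`) also deserve one-line comments.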
diff --git a/include/uapi/linux/hash_info.h b/include/uapi/linux/hash_info.h
index 0af23ec196d8..97af74326d31 100644
--- a/include/uapi/linux/hash_info.h
+++ b/include/uapi/linux/hash_info.h
@@ -38,6 +38,8 @@ enum hash_algo {
 	HASH_ALGO_SHA3_256,
 	HASH_ALGO_SHA3_384,
 	HASH_ALGO_SHA3_512,
+	HASH_ALGO_SHAKE128,
+	HASH_ALGO_SHAKE256,
 	HASH_ALGO__LAST
 };
 
-- 
2.49.0



* [RFC PATCH 3/4] crypto: Add tests cases for shake128 & shake256 to testmgr
  2025-06-23 13:18 [RFC PATCH 0/4] crypto: Add support for shake128/256 XOFs Stefan Berger
  2025-06-23 13:18 ` [RFC PATCH 1/4] crypto: Add squeeze function to shash_alg for support of XOFs Stefan Berger
  2025-06-23 13:18 ` [RFC PATCH 2/4] crypto: Add shake128/256 to generic sha3 module Stefan Berger
@ 2025-06-23 13:18 ` Stefan Berger
  2025-06-23 13:18 ` [RFC PATCH 4/4] crypto: Extend testmgr with tests for shake128/256 XOFs Stefan Berger
  3 siblings, 0 replies; 5+ messages in thread
From: Stefan Berger @ 2025-06-23 13:18 UTC (permalink / raw)
  To: linux-crypto, herbert, davem
  Cc: linux-kernel, James.Bottomley, dhowells, simo, Stefan Berger

Add test cases for shake128 & shake256 to the testmgr.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
 crypto/testmgr.c |  14 +++
 crypto/testmgr.h | 310 +++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 324 insertions(+)

diff --git a/crypto/testmgr.c b/crypto/testmgr.c
index 82977ea25db3..2e4740448e3a 100644
--- a/crypto/testmgr.c
+++ b/crypto/testmgr.c
@@ -5558,6 +5558,20 @@ static const struct alg_test_desc alg_test_descs[] = {
 		.suite = {
 			.hash = __VECS(sha512_tv_template)
 		}
+	}, {
+		.alg = "shake128",
+		.test = alg_test_hash,
+		.fips_allowed = 1,
+		.suite = {
+			.hash = __VECS(shake128_tv_template)
+		}
+	}, {
+		.alg = "shake256",
+		.test = alg_test_hash,
+		.fips_allowed = 1,
+		.suite = {
+			.hash = __VECS(shake256_tv_template)
+		}
 	}, {
 		.alg = "sm3",
 		.test = alg_test_hash,
diff --git a/crypto/testmgr.h b/crypto/testmgr.h
index afc10af59b0a..c99dc61353b1 100644
--- a/crypto/testmgr.h
+++ b/crypto/testmgr.h
@@ -5914,6 +5914,316 @@ static const struct hash_testvec sha3_512_tv_template[] = {
 	},
 };
 
+static const struct hash_testvec shake128_tv_template[] = {
+	{
+		.plaintext = "",
+		.digest	= "\x7f\x9c\x2b\xa4\xe8\x8f\x82\x7d"
+				"\x61\x60\x45\x50\x76\x05\x85\x3e",
+	}, {
+		.plaintext = "a",
+		.psize	= 1,
+		.digest	= "\x85\xc8\xde\x88\xd2\x88\x66\xbf"
+				"\x08\x68\x09\x0b\x39\x61\x16\x2b",
+	}, {
+		.plaintext = "abcdbcdecdefdefgefghfghighijhijkijkl"
+			     "jklmklmnlmnomnopnopq",
+		.psize	= 56,
+		.digest = "\x1a\x96\x18\x2b\x50\xfb\x8c\x7e"
+				"\x74\xe0\xa7\x07\x78\x8f\x55\xe9",
+	}, {
+		.plaintext = "\x08\x9f\x13\xaa\x41\xd8\x4c\xe3"
+			     "\x7a\x11\x85\x1c\xb3\x27\xbe\x55"
+			     "\xec\x60\xf7\x8e\x02\x99\x30\xc7"
+			     "\x3b\xd2\x69\x00\x74\x0b\xa2\x16"
+			     "\xad\x44\xdb\x4f\xe6\x7d\x14\x88"
+			     "\x1f\xb6\x2a\xc1\x58\xef\x63\xfa"
+			     "\x91\x05\x9c\x33\xca\x3e\xd5\x6c"
+			     "\x03\x77\x0e\xa5\x19\xb0\x47\xde"
+			     "\x52\xe9\x80\x17\x8b\x22\xb9\x2d"
+			     "\xc4\x5b\xf2\x66\xfd\x94\x08\x9f"
+			     "\x36\xcd\x41\xd8\x6f\x06\x7a\x11"
+			     "\xa8\x1c\xb3\x4a\xe1\x55\xec\x83"
+			     "\x1a\x8e\x25\xbc\x30\xc7\x5e\xf5"
+			     "\x69\x00\x97\x0b\xa2\x39\xd0\x44"
+			     "\xdb\x72\x09\x7d\x14\xab\x1f\xb6"
+			     "\x4d\xe4\x58\xef\x86\x1d\x91\x28"
+			     "\xbf\x33\xca\x61\xf8\x6c\x03\x9a"
+			     "\x0e\xa5\x3c\xd3\x47\xde\x75\x0c"
+			     "\x80\x17\xae\x22\xb9\x50\xe7\x5b"
+			     "\xf2\x89\x20\x94\x2b\xc2\x36\xcd"
+			     "\x64\xfb\x6f\x06\x9d\x11\xa8\x3f"
+			     "\xd6\x4a\xe1\x78\x0f\x83\x1a\xb1"
+			     "\x25\xbc\x53\xea\x5e\xf5\x8c\x00"
+			     "\x97\x2e\xc5\x39\xd0\x67\xfe\x72"
+			     "\x09\xa0\x14\xab\x42\xd9\x4d\xe4"
+			     "\x7b\x12\x86\x1d\xb4\x28\xbf\x56"
+			     "\xed\x61\xf8\x8f\x03\x9a\x31\xc8"
+			     "\x3c\xd3\x6a\x01\x75\x0c\xa3\x17"
+			     "\xae\x45\xdc\x50\xe7\x7e\x15\x89"
+			     "\x20\xb7\x2b\xc2\x59\xf0\x64\xfb"
+			     "\x92\x06\x9d\x34\xcb\x3f\xd6\x6d"
+			     "\x04\x78\x0f\xa6\x1a\xb1\x48\xdf"
+			     "\x53\xea\x81\x18\x8c\x23\xba\x2e"
+			     "\xc5\x5c\xf3\x67\xfe\x95\x09\xa0"
+			     "\x37\xce\x42\xd9\x70\x07\x7b\x12"
+			     "\xa9\x1d\xb4\x4b\xe2\x56\xed\x84"
+			     "\x1b\x8f\x26\xbd\x31\xc8\x5f\xf6"
+			     "\x6a\x01\x98\x0c\xa3\x3a\xd1\x45"
+			     "\xdc\x73\x0a\x7e\x15\xac\x20\xb7"
+			     "\x4e\xe5\x59\xf0\x87\x1e\x92\x29"
+			     "\xc0\x34\xcb\x62\xf9\x6d\x04\x9b"
+			     "\x0f\xa6\x3d\xd4\x48\xdf\x76\x0d"
+			     "\x81\x18\xaf\x23\xba\x51\xe8\x5c"
+			     "\xf3\x8a\x21\x95\x2c\xc3\x37\xce"
+			     "\x65\xfc\x70\x07\x9e\x12\xa9\x40"
+			     "\xd7\x4b\xe2\x79\x10\x84\x1b\xb2"
+			     "\x26\xbd\x54\xeb\x5f\xf6\x8d\x01"
+			     "\x98\x2f\xc6\x3a\xd1\x68\xff\x73"
+			     "\x0a\xa1\x15\xac\x43\xda\x4e\xe5"
+			     "\x7c\x13\x87\x1e\xb5\x29\xc0\x57"
+			     "\xee\x62\xf9\x90\x04\x9b\x32\xc9"
+			     "\x3d\xd4\x6b\x02\x76\x0d\xa4\x18"
+			     "\xaf\x46\xdd\x51\xe8\x7f\x16\x8a"
+			     "\x21\xb8\x2c\xc3\x5a\xf1\x65\xfc"
+			     "\x93\x07\x9e\x35\xcc\x40\xd7\x6e"
+			     "\x05\x79\x10\xa7\x1b\xb2\x49\xe0"
+			     "\x54\xeb\x82\x19\x8d\x24\xbb\x2f"
+			     "\xc6\x5d\xf4\x68\xff\x96\x0a\xa1"
+			     "\x38\xcf\x43\xda\x71\x08\x7c\x13"
+			     "\xaa\x1e\xb5\x4c\xe3\x57\xee\x85"
+			     "\x1c\x90\x27\xbe\x32\xc9\x60\xf7"
+			     "\x6b\x02\x99\x0d\xa4\x3b\xd2\x46"
+			     "\xdd\x74\x0b\x7f\x16\xad\x21\xb8"
+			     "\x4f\xe6\x5a\xf1\x88\x1f\x93\x2a"
+			     "\xc1\x35\xcc\x63\xfa\x6e\x05\x9c"
+			     "\x10\xa7\x3e\xd5\x49\xe0\x77\x0e"
+			     "\x82\x19\xb0\x24\xbb\x52\xe9\x5d"
+			     "\xf4\x8b\x22\x96\x2d\xc4\x38\xcf"
+			     "\x66\xfd\x71\x08\x9f\x13\xaa\x41"
+			     "\xd8\x4c\xe3\x7a\x11\x85\x1c\xb3"
+			     "\x27\xbe\x55\xec\x60\xf7\x8e\x02"
+			     "\x99\x30\xc7\x3b\xd2\x69\x00\x74"
+			     "\x0b\xa2\x16\xad\x44\xdb\x4f\xe6"
+			     "\x7d\x14\x88\x1f\xb6\x2a\xc1\x58"
+			     "\xef\x63\xfa\x91\x05\x9c\x33\xca"
+			     "\x3e\xd5\x6c\x03\x77\x0e\xa5\x19"
+			     "\xb0\x47\xde\x52\xe9\x80\x17\x8b"
+			     "\x22\xb9\x2d\xc4\x5b\xf2\x66\xfd"
+			     "\x94\x08\x9f\x36\xcd\x41\xd8\x6f"
+			     "\x06\x7a\x11\xa8\x1c\xb3\x4a\xe1"
+			     "\x55\xec\x83\x1a\x8e\x25\xbc\x30"
+			     "\xc7\x5e\xf5\x69\x00\x97\x0b\xa2"
+			     "\x39\xd0\x44\xdb\x72\x09\x7d\x14"
+			     "\xab\x1f\xb6\x4d\xe4\x58\xef\x86"
+			     "\x1d\x91\x28\xbf\x33\xca\x61\xf8"
+			     "\x6c\x03\x9a\x0e\xa5\x3c\xd3\x47"
+			     "\xde\x75\x0c\x80\x17\xae\x22\xb9"
+			     "\x50\xe7\x5b\xf2\x89\x20\x94\x2b"
+			     "\xc2\x36\xcd\x64\xfb\x6f\x06\x9d"
+			     "\x11\xa8\x3f\xd6\x4a\xe1\x78\x0f"
+			     "\x83\x1a\xb1\x25\xbc\x53\xea\x5e"
+			     "\xf5\x8c\x00\x97\x2e\xc5\x39\xd0"
+			     "\x67\xfe\x72\x09\xa0\x14\xab\x42"
+			     "\xd9\x4d\xe4\x7b\x12\x86\x1d\xb4"
+			     "\x28\xbf\x56\xed\x61\xf8\x8f\x03"
+			     "\x9a\x31\xc8\x3c\xd3\x6a\x01\x75"
+			     "\x0c\xa3\x17\xae\x45\xdc\x50\xe7"
+			     "\x7e\x15\x89\x20\xb7\x2b\xc2\x59"
+			     "\xf0\x64\xfb\x92\x06\x9d\x34\xcb"
+			     "\x3f\xd6\x6d\x04\x78\x0f\xa6\x1a"
+			     "\xb1\x48\xdf\x53\xea\x81\x18\x8c"
+			     "\x23\xba\x2e\xc5\x5c\xf3\x67\xfe"
+			     "\x95\x09\xa0\x37\xce\x42\xd9\x70"
+			     "\x07\x7b\x12\xa9\x1d\xb4\x4b\xe2"
+			     "\x56\xed\x84\x1b\x8f\x26\xbd\x31"
+			     "\xc8\x5f\xf6\x6a\x01\x98\x0c\xa3"
+			     "\x3a\xd1\x45\xdc\x73\x0a\x7e\x15"
+			     "\xac\x20\xb7\x4e\xe5\x59\xf0\x87"
+			     "\x1e\x92\x29\xc0\x34\xcb\x62\xf9"
+			     "\x6d\x04\x9b\x0f\xa6\x3d\xd4\x48"
+			     "\xdf\x76\x0d\x81\x18\xaf\x23\xba"
+			     "\x51\xe8\x5c\xf3\x8a\x21\x95\x2c"
+			     "\xc3\x37\xce\x65\xfc\x70\x07\x9e"
+			     "\x12\xa9\x40\xd7\x4b\xe2\x79\x10"
+			     "\x84\x1b\xb2\x26\xbd\x54\xeb\x5f"
+			     "\xf6\x8d\x01\x98\x2f\xc6\x3a\xd1"
+			     "\x68\xff\x73\x0a\xa1\x15\xac\x43"
+			     "\xda\x4e\xe5\x7c\x13\x87\x1e\xb5"
+			     "\x29\xc0\x57\xee\x62\xf9\x90\x04"
+			     "\x9b\x32\xc9\x3d\xd4\x6b\x02\x76"
+			     "\x0d\xa4\x18\xaf\x46\xdd\x51\xe8"
+			     "\x7f\x16\x8a\x21\xb8\x2c\xc3\x5a"
+			     "\xf1\x65\xfc\x93\x07\x9e\x35\xcc"
+			     "\x40\xd7\x6e\x05\x79\x10\xa7\x1b"
+			     "\xb2\x49\xe0\x54\xeb\x82\x19\x8d"
+			     "\x24\xbb\x2f\xc6\x5d\xf4\x68\xff"
+			     "\x96\x0a\xa1\x38\xcf\x43\xda\x71"
+			     "\x08\x7c\x13\xaa\x1e\xb5\x4c",
+		.psize     = 1023,
+		.digest    = "\x13\x0a\x5b\xcb\x83\x9f\x10\x89"
+			     "\xbb\x62\xda\xe4\xf4\xd3\x21\xf8",
+	},
+};
+
+static const struct hash_testvec shake256_tv_template[] = {
+	{
+		.plaintext = "",
+		.digest	= "\x46\xb9\xdd\x2b\x0b\xa8\x8d\x13"
+				"\x23\x3b\x3f\xeb\x74\x3e\xeb\x24"
+				"\x3f\xcd\x52\xea\x62\xb8\x1b\x82"
+				"\xb5\x0c\x27\x64\x6e\xd5\x76\x2f",
+	}, {
+		.plaintext = "a",
+		.psize	= 1,
+		.digest	= "\x86\x7e\x2c\xb0\x4f\x5a\x04\xdc"
+				"\xbd\x59\x25\x01\xa5\xe8\xfe\x9c"
+				"\xea\xaf\xca\x50\x25\x56\x26\xca"
+				"\x73\x6c\x13\x80\x42\x53\x0b\xa4",
+	}, {
+		.plaintext = "abcdbcdecdefdefgefghfghighijhijkijkl"
+			     "jklmklmnlmnomnopnopq",
+		.psize	= 56,
+		.digest = "\x4d\x8c\x2d\xd2\x43\x5a\x01\x28"
+				"\xee\xfb\xb8\xc3\x6f\x6f\x87\x13"
+				"\x3a\x79\x11\xe1\x8d\x97\x9e\xe1"
+				"\xae\x6b\xe5\xd4\xfd\x2e\x33\x29",
+	}, {
+		.plaintext = "\x08\x9f\x13\xaa\x41\xd8\x4c\xe3"
+			     "\x7a\x11\x85\x1c\xb3\x27\xbe\x55"
+			     "\xec\x60\xf7\x8e\x02\x99\x30\xc7"
+			     "\x3b\xd2\x69\x00\x74\x0b\xa2\x16"
+			     "\xad\x44\xdb\x4f\xe6\x7d\x14\x88"
+			     "\x1f\xb6\x2a\xc1\x58\xef\x63\xfa"
+			     "\x91\x05\x9c\x33\xca\x3e\xd5\x6c"
+			     "\x03\x77\x0e\xa5\x19\xb0\x47\xde"
+			     "\x52\xe9\x80\x17\x8b\x22\xb9\x2d"
+			     "\xc4\x5b\xf2\x66\xfd\x94\x08\x9f"
+			     "\x36\xcd\x41\xd8\x6f\x06\x7a\x11"
+			     "\xa8\x1c\xb3\x4a\xe1\x55\xec\x83"
+			     "\x1a\x8e\x25\xbc\x30\xc7\x5e\xf5"
+			     "\x69\x00\x97\x0b\xa2\x39\xd0\x44"
+			     "\xdb\x72\x09\x7d\x14\xab\x1f\xb6"
+			     "\x4d\xe4\x58\xef\x86\x1d\x91\x28"
+			     "\xbf\x33\xca\x61\xf8\x6c\x03\x9a"
+			     "\x0e\xa5\x3c\xd3\x47\xde\x75\x0c"
+			     "\x80\x17\xae\x22\xb9\x50\xe7\x5b"
+			     "\xf2\x89\x20\x94\x2b\xc2\x36\xcd"
+			     "\x64\xfb\x6f\x06\x9d\x11\xa8\x3f"
+			     "\xd6\x4a\xe1\x78\x0f\x83\x1a\xb1"
+			     "\x25\xbc\x53\xea\x5e\xf5\x8c\x00"
+			     "\x97\x2e\xc5\x39\xd0\x67\xfe\x72"
+			     "\x09\xa0\x14\xab\x42\xd9\x4d\xe4"
+			     "\x7b\x12\x86\x1d\xb4\x28\xbf\x56"
+			     "\xed\x61\xf8\x8f\x03\x9a\x31\xc8"
+			     "\x3c\xd3\x6a\x01\x75\x0c\xa3\x17"
+			     "\xae\x45\xdc\x50\xe7\x7e\x15\x89"
+			     "\x20\xb7\x2b\xc2\x59\xf0\x64\xfb"
+			     "\x92\x06\x9d\x34\xcb\x3f\xd6\x6d"
+			     "\x04\x78\x0f\xa6\x1a\xb1\x48\xdf"
+			     "\x53\xea\x81\x18\x8c\x23\xba\x2e"
+			     "\xc5\x5c\xf3\x67\xfe\x95\x09\xa0"
+			     "\x37\xce\x42\xd9\x70\x07\x7b\x12"
+			     "\xa9\x1d\xb4\x4b\xe2\x56\xed\x84"
+			     "\x1b\x8f\x26\xbd\x31\xc8\x5f\xf6"
+			     "\x6a\x01\x98\x0c\xa3\x3a\xd1\x45"
+			     "\xdc\x73\x0a\x7e\x15\xac\x20\xb7"
+			     "\x4e\xe5\x59\xf0\x87\x1e\x92\x29"
+			     "\xc0\x34\xcb\x62\xf9\x6d\x04\x9b"
+			     "\x0f\xa6\x3d\xd4\x48\xdf\x76\x0d"
+			     "\x81\x18\xaf\x23\xba\x51\xe8\x5c"
+			     "\xf3\x8a\x21\x95\x2c\xc3\x37\xce"
+			     "\x65\xfc\x70\x07\x9e\x12\xa9\x40"
+			     "\xd7\x4b\xe2\x79\x10\x84\x1b\xb2"
+			     "\x26\xbd\x54\xeb\x5f\xf6\x8d\x01"
+			     "\x98\x2f\xc6\x3a\xd1\x68\xff\x73"
+			     "\x0a\xa1\x15\xac\x43\xda\x4e\xe5"
+			     "\x7c\x13\x87\x1e\xb5\x29\xc0\x57"
+			     "\xee\x62\xf9\x90\x04\x9b\x32\xc9"
+			     "\x3d\xd4\x6b\x02\x76\x0d\xa4\x18"
+			     "\xaf\x46\xdd\x51\xe8\x7f\x16\x8a"
+			     "\x21\xb8\x2c\xc3\x5a\xf1\x65\xfc"
+			     "\x93\x07\x9e\x35\xcc\x40\xd7\x6e"
+			     "\x05\x79\x10\xa7\x1b\xb2\x49\xe0"
+			     "\x54\xeb\x82\x19\x8d\x24\xbb\x2f"
+			     "\xc6\x5d\xf4\x68\xff\x96\x0a\xa1"
+			     "\x38\xcf\x43\xda\x71\x08\x7c\x13"
+			     "\xaa\x1e\xb5\x4c\xe3\x57\xee\x85"
+			     "\x1c\x90\x27\xbe\x32\xc9\x60\xf7"
+			     "\x6b\x02\x99\x0d\xa4\x3b\xd2\x46"
+			     "\xdd\x74\x0b\x7f\x16\xad\x21\xb8"
+			     "\x4f\xe6\x5a\xf1\x88\x1f\x93\x2a"
+			     "\xc1\x35\xcc\x63\xfa\x6e\x05\x9c"
+			     "\x10\xa7\x3e\xd5\x49\xe0\x77\x0e"
+			     "\x82\x19\xb0\x24\xbb\x52\xe9\x5d"
+			     "\xf4\x8b\x22\x96\x2d\xc4\x38\xcf"
+			     "\x66\xfd\x71\x08\x9f\x13\xaa\x41"
+			     "\xd8\x4c\xe3\x7a\x11\x85\x1c\xb3"
+			     "\x27\xbe\x55\xec\x60\xf7\x8e\x02"
+			     "\x99\x30\xc7\x3b\xd2\x69\x00\x74"
+			     "\x0b\xa2\x16\xad\x44\xdb\x4f\xe6"
+			     "\x7d\x14\x88\x1f\xb6\x2a\xc1\x58"
+			     "\xef\x63\xfa\x91\x05\x9c\x33\xca"
+			     "\x3e\xd5\x6c\x03\x77\x0e\xa5\x19"
+			     "\xb0\x47\xde\x52\xe9\x80\x17\x8b"
+			     "\x22\xb9\x2d\xc4\x5b\xf2\x66\xfd"
+			     "\x94\x08\x9f\x36\xcd\x41\xd8\x6f"
+			     "\x06\x7a\x11\xa8\x1c\xb3\x4a\xe1"
+			     "\x55\xec\x83\x1a\x8e\x25\xbc\x30"
+			     "\xc7\x5e\xf5\x69\x00\x97\x0b\xa2"
+			     "\x39\xd0\x44\xdb\x72\x09\x7d\x14"
+			     "\xab\x1f\xb6\x4d\xe4\x58\xef\x86"
+			     "\x1d\x91\x28\xbf\x33\xca\x61\xf8"
+			     "\x6c\x03\x9a\x0e\xa5\x3c\xd3\x47"
+			     "\xde\x75\x0c\x80\x17\xae\x22\xb9"
+			     "\x50\xe7\x5b\xf2\x89\x20\x94\x2b"
+			     "\xc2\x36\xcd\x64\xfb\x6f\x06\x9d"
+			     "\x11\xa8\x3f\xd6\x4a\xe1\x78\x0f"
+			     "\x83\x1a\xb1\x25\xbc\x53\xea\x5e"
+			     "\xf5\x8c\x00\x97\x2e\xc5\x39\xd0"
+			     "\x67\xfe\x72\x09\xa0\x14\xab\x42"
+			     "\xd9\x4d\xe4\x7b\x12\x86\x1d\xb4"
+			     "\x28\xbf\x56\xed\x61\xf8\x8f\x03"
+			     "\x9a\x31\xc8\x3c\xd3\x6a\x01\x75"
+			     "\x0c\xa3\x17\xae\x45\xdc\x50\xe7"
+			     "\x7e\x15\x89\x20\xb7\x2b\xc2\x59"
+			     "\xf0\x64\xfb\x92\x06\x9d\x34\xcb"
+			     "\x3f\xd6\x6d\x04\x78\x0f\xa6\x1a"
+			     "\xb1\x48\xdf\x53\xea\x81\x18\x8c"
+			     "\x23\xba\x2e\xc5\x5c\xf3\x67\xfe"
+			     "\x95\x09\xa0\x37\xce\x42\xd9\x70"
+			     "\x07\x7b\x12\xa9\x1d\xb4\x4b\xe2"
+			     "\x56\xed\x84\x1b\x8f\x26\xbd\x31"
+			     "\xc8\x5f\xf6\x6a\x01\x98\x0c\xa3"
+			     "\x3a\xd1\x45\xdc\x73\x0a\x7e\x15"
+			     "\xac\x20\xb7\x4e\xe5\x59\xf0\x87"
+			     "\x1e\x92\x29\xc0\x34\xcb\x62\xf9"
+			     "\x6d\x04\x9b\x0f\xa6\x3d\xd4\x48"
+			     "\xdf\x76\x0d\x81\x18\xaf\x23\xba"
+			     "\x51\xe8\x5c\xf3\x8a\x21\x95\x2c"
+			     "\xc3\x37\xce\x65\xfc\x70\x07\x9e"
+			     "\x12\xa9\x40\xd7\x4b\xe2\x79\x10"
+			     "\x84\x1b\xb2\x26\xbd\x54\xeb\x5f"
+			     "\xf6\x8d\x01\x98\x2f\xc6\x3a\xd1"
+			     "\x68\xff\x73\x0a\xa1\x15\xac\x43"
+			     "\xda\x4e\xe5\x7c\x13\x87\x1e\xb5"
+			     "\x29\xc0\x57\xee\x62\xf9\x90\x04"
+			     "\x9b\x32\xc9\x3d\xd4\x6b\x02\x76"
+			     "\x0d\xa4\x18\xaf\x46\xdd\x51\xe8"
+			     "\x7f\x16\x8a\x21\xb8\x2c\xc3\x5a"
+			     "\xf1\x65\xfc\x93\x07\x9e\x35\xcc"
+			     "\x40\xd7\x6e\x05\x79\x10\xa7\x1b"
+			     "\xb2\x49\xe0\x54\xeb\x82\x19\x8d"
+			     "\x24\xbb\x2f\xc6\x5d\xf4\x68\xff"
+			     "\x96\x0a\xa1\x38\xcf\x43\xda\x71"
+			     "\x08\x7c\x13\xaa\x1e\xb5\x4c",
+		.psize     = 1023,
+		.digest    = "\x24\xab\xec\xa1\x22\x05\x1c\xf3"
+			     "\xce\xdc\xc1\x02\x31\x6c\x0f\x19"
+			     "\x0a\xb2\x77\x24\xe7\x68\x71\x3b"
+			     "\x9b\x6d\x5f\xbc\xcf\x60\x28\x4c",
+	},
+};
+
 
 /*
  * MD5 test vectors from RFC1321
-- 
2.49.0



* [RFC PATCH 4/4] crypto: Extend testmgr with tests for shake128/256 XOFs
  2025-06-23 13:18 [RFC PATCH 0/4] crypto: Add support for shake128/256 XOFs Stefan Berger
                   ` (2 preceding siblings ...)
  2025-06-23 13:18 ` [RFC PATCH 3/4] crypto: Add tests cases for shake128 & shake256 to testmgr Stefan Berger
@ 2025-06-23 13:18 ` Stefan Berger
  3 siblings, 0 replies; 5+ messages in thread
From: Stefan Berger @ 2025-06-23 13:18 UTC (permalink / raw)
  To: linux-crypto, herbert, davem
  Cc: linux-kernel, James.Bottomley, dhowells, simo, Stefan Berger

Extend the testmgr to run tests for XOFs where it squeezes a certain number
of bytes in a first step and then a different number in subsequent steps to
test for issues related to alignments and proper copying of bytes and
blocks.

Add test case data for shake128 and shake256 XOFs.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
 crypto/testmgr.c |  58 +++++++++++++
 crypto/testmgr.h | 212 +++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 270 insertions(+)

diff --git a/crypto/testmgr.c b/crypto/testmgr.c
index 2e4740448e3a..267307bd609d 100644
--- a/crypto/testmgr.c
+++ b/crypto/testmgr.c
@@ -1647,6 +1647,59 @@ static int test_ahash_vec_cfg(const struct hash_testvec *vec,
 				 driver, cfg);
 }
 
+static int test_shash_xof(const struct hash_testvec *vec,
+			  struct shash_desc *desc)
+{
+	struct shash_alg *alg = crypto_shash_alg(desc->tfm);
+	struct steps {
+		unsigned int first;
+		unsigned int other;
+	} steps[] = {
+		{ .first = 0, .other = alg->base.cra_blocksize, },
+		{ .first = 0, .other = alg->base.cra_blocksize + 1, },
+		{ .first = 1, .other = alg->base.cra_blocksize, },
+		{ .first = 1, .other = 1, },
+		{ .first = 1, .other = 33, },
+	};
+	unsigned char *output = NULL, *tmp;
+	unsigned int off, req;
+	int ret = 0;
+	size_t i;
+
+	for (i = 0; i < ARRAY_SIZE(steps); i++) {
+		if (!vec->xof)
+			continue;
+
+		tmp = krealloc(output, vec->xof_size, GFP_KERNEL);
+		if (IS_ERR(output))
+			return PTR_ERR(output);
+		output = tmp;
+
+		crypto_shash_init(desc);
+		crypto_shash_update(desc, vec->plaintext, vec->psize);
+		crypto_shash_squeeze(desc, output, steps[i].first, false);
+		off = steps[i].first;
+
+		while (off < vec->xof_size) {
+			req = steps[i].other;
+			if (off + req > vec->xof_size)
+				req = vec->xof_size - off;
+			crypto_shash_squeeze(desc, &output[off], req, false);
+			off += req;
+		}
+
+		if (memcmp(output, vec->xof, vec->xof_size) != 0) {
+			pr_err("XOF output of %s is wrong! (steps: %d, %d)\n",
+			       alg->base.cra_name, steps[i].first,
+			       steps[i].other);
+			ret = -EINVAL;
+		}
+	}
+	kfree(output);
+
+	return ret;
+}
+
 static int test_hash_vec_cfg(const struct hash_testvec *vec,
 			     const char *vec_name,
 			     const struct testvec_config *cfg,
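Review bot: The allocation check in test_shash_xof tests the wrong pointer with the wrong predicate: krealloc() returns NULL on failure rather than an ERR_PTR, and its result is in `tmp`, not `output`. A failed allocation is therefore never caught, `output` becomes NULL (dropping any earlier buffer), and the following crypto_shash_squeeze() calls write through it. The check should be `if (!tmp) { kfree(output); return -ENOMEM; }`. Since `vec->xof_size` is the same on every iteration, a single allocation before the loop would do, with the `!vec->xof` test hoisted to an early return. The return values of crypto_shash_init(), crypto_shash_update() and crypto_shash_squeeze() are also ignored, and a `cra_blocksize` of 0 would leave `req` at 0 so the inner `while` never advances.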
@@ -1998,6 +2051,11 @@ static int __alg_test_hash(const struct hash_testvec *vecs,
 		err = test_hash_vec(&vecs[i], i, req, desc, tsgl, hashstate);
 		if (err)
 			goto out;
+		if (desc && crypto_shash_alg(desc->tfm)->squeeze) {
+			err = test_shash_xof(&vecs[i], desc);
+			if (err)
+				return err;
+		}
 		cond_resched();
 	}
 	err = test_hash_vs_generic_impl(generic_driver, maxkeysize, req,
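Review bot: The new error path uses `return err;` while the check just above it uses `goto out;`, so a failing XOF test leaves __alg_test_hash without passing through the `out` label. The label and what it releases are outside this hunk, but if it frees the request, descriptor, `tsgl` or `hashstate`, as the existing `goto out` suggests, those would leak on this path. `if (err) goto out;` keeps the two paths consistent.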
diff --git a/crypto/testmgr.h b/crypto/testmgr.h
index c99dc61353b1..5160e5bb0489 100644
--- a/crypto/testmgr.h
+++ b/crypto/testmgr.h
@@ -30,8 +30,10 @@
  * @key:	Pointer to key (NULL if none)
  * @plaintext:	Pointer to source data
  * @digest:	Pointer to expected digest
+ * @xof:        Pointer to extended output
  * @psize:	Length of source data in bytes
  * @ksize:	Length of @key in bytes (0 if no key)
+ * @xof_size:   Length of extended output
  * @setkey_error: Expected error from setkey()
  * @digest_error: Expected error from digest()
  * @fips_skip:	Skip the test vector in FIPS mode
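Review bot: The two new kernel-doc lines do not state the contract that test_shash_xof relies on: a NULL `xof` means the vector is skipped, and `xof_size` is a byte count. I would write them as `@xof:	Pointer to expected XOF output (NULL if none)` and `@xof_size:	Length of @xof in bytes`. They also use spaces after the colon where the neighbouring entries use a tab.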
@@ -40,8 +42,10 @@ struct hash_testvec {
 	const char *key;
 	const char *plaintext;
 	const char *digest;
+	const char *xof;
 	unsigned int psize;
 	unsigned short ksize;
+	unsigned short xof_size;
 	int setkey_error;
 	int digest_error;
 	bool fips_skip;
@@ -5919,17 +5923,95 @@ static const struct hash_testvec shake128_tv_template[] = {
 		.plaintext = "",
 		.digest	= "\x7f\x9c\x2b\xa4\xe8\x8f\x82\x7d"
 				"\x61\x60\x45\x50\x76\x05\x85\x3e",
+		.xof =  "\x7f\x9c\x2b\xa4\xe8\x8f\x82\x7d"
+			"\x61\x60\x45\x50\x76\x05\x85\x3e"
+			"\xd7\x3b\x80\x93\xf6\xef\xbc\x88"
+			"\xeb\x1a\x6e\xac\xfa\x66\xef\x26"
+			"\x3c\xb1\xee\xa9\x88\x00\x4b\x93"
+			"\x10\x3c\xfb\x0a\xee\xfd\x2a\x68"
+			"\x6e\x01\xfa\x4a\x58\xe8\xa3\x63"
+			"\x9c\xa8\xa1\xe3\xf9\xae\x57\xe2"
+			"\x35\xb8\xcc\x87\x3c\x23\xdc\x62"
+			"\xb8\xd2\x60\x16\x9a\xfa\x2f\x75"
+			"\xab\x91\x6a\x58\xd9\x74\x91\x88"
+			"\x35\xd2\x5e\x6a\x43\x50\x85\xb2"
+			"\xba\xdf\xd6\xdf\xaa\xc3\x59\xa5"
+			"\xef\xbb\x7b\xcc\x4b\x59\xd5\x38"
+			"\xdf\x9a\x04\x30\x2e\x10\xc8\xbc"
+			"\x1c\xbf\x1a\x0b\x3a\x51\x20\xea"
+			"\x17\xcd\xa7\xcf\xad\x76\x5f\x56"
+			"\x23\x47\x4d\x36\x8c\xcc\xa8\xaf"
+			"\x00\x07\xcd\x9f\x5e\x4c\x84\x9f"
+			"\x16\x7a\x58\x0b\x14\xaa\xbd\xef"
+			"\xae\xe7\xee\xf4\x7c\xb0\xfc\xa9"
+			"\x76\x7b\xe1\xfd\xa6\x94\x19\xdf"
+			"\xb9\x27\xe9\xdf\x07\x34\x8b\x19"
+			"\x66\x91\xab\xae\xb5\x80\xb3\x2d"
+			"\xef\x58\x53\x8b\x8d\x23\xf8\x77",
+		.xof_size = 200,
 	}, {
 		.plaintext = "a",
 		.psize	= 1,
 		.digest	= "\x85\xc8\xde\x88\xd2\x88\x66\xbf"
 				"\x08\x68\x09\x0b\x39\x61\x16\x2b",
+		.xof =  "\x85\xc8\xde\x88\xd2\x88\x66\xbf"
+			"\x08\x68\x09\x0b\x39\x61\x16\x2b"
+			"\xf8\x23\x92\xf6\x90\xd9\xe4\x73"
+			"\x09\x10\xf4\xaf\x7c\x6a\xb3\xee"
+			"\x43\x54\xb4\x9c\xa7\x29\xeb\x35"
+			"\x6e\xe3\xf5\xb0\xfb\xd2\x9b\x66"
+			"\x76\x93\x83\xe5\xe4\x01\xb1\xf8"
+			"\x5e\x04\x4c\x92\xbb\x52\x31\xaa"
+			"\x4d\xee\x17\x99\xaf\x7a\x7c\xee"
+			"\x21\x3a\x23\xad\xcd\x03\xc4\x80"
+			"\x6c\x9a\x8b\x0d\x8a\x2e\xea\xd8"
+			"\xea\x7a\x61\x34\xc1\x3e\x52\x3c"
+			"\xcf\x93\xad\x39\xd2\x27\xd3\xe7"
+			"\xd0\x22\xd9\x65\x4f\x3b\x49\x41"
+			"\x37\x88\x75\x8a\x64\x17\xe4\x2d"
+			"\x41\x95\x7c\xb3\x0c\xf0\x4d\xa3"
+			"\x7f\x26\x89\x7c\x2c\xf2\xf8\x00"
+			"\x55\x84\x62\x93\xfd\xe0\x23\x31"
+			"\xcf\x4a\x26\x9a\xaf\x2d\x47\xeb"
+			"\x27\xab\xa0\xfa\xba\x4a\x67\x8e"
+			"\xc0\x02\xbc\x0d\x30\x64\xea\xd0"
+			"\xa3\xf2\xe0\xd8\xa7\xfa\x40\x4a"
+			"\xf5\x4e\xbf\x4f\x5b\x18\x35\x62"
+			"\xa8\xda\xd7\x3b\x9a\x55\xbf\x1c"
+			"\x06\x6e\x00\x07\xe7\xab\x8a\x89",
+		.xof_size = 200,
 	}, {
 		.plaintext = "abcdbcdecdefdefgefghfghighijhijkijkl"
 			     "jklmklmnlmnomnopnopq",
 		.psize	= 56,
 		.digest = "\x1a\x96\x18\x2b\x50\xfb\x8c\x7e"
 				"\x74\xe0\xa7\x07\x78\x8f\x55\xe9",
+		.xof =  "\x1a\x96\x18\x2b\x50\xfb\x8c\x7e"
+			"\x74\xe0\xa7\x07\x78\x8f\x55\xe9"
+			"\x82\x09\xb8\xd9\x1f\xad\xe8\xf3"
+			"\x2f\x8d\xd5\xcf\xf7\xbf\x21\xf5"
+			"\x4e\xe5\xf1\x95\x50\x82\x5a\x6e"
+			"\x07\x00\x30\x51\x9e\x94\x42\x63"
+			"\xac\x1c\x67\x65\x28\x70\x65\x62"
+			"\x1f\x9f\xcb\x32\x01\x72\x3e\x32"
+			"\x23\xb6\x3a\x46\xc2\x93\x8a\xa9"
+			"\x53\xba\x84\x01\xd0\xea\x77\xb8"
+			"\xd2\x64\x90\x77\x55\x66\x40\x7b"
+			"\x95\x67\x3c\x0f\x4c\xc1\xce\x9f"
+			"\xd9\x66\x14\x8d\x7e\xfd\xff\x26"
+			"\xbb\xf9\xf4\x8a\x21\xc6\xda\x35"
+			"\xbf\xaa\x54\x56\x54\xf7\x0a\xe5"
+			"\x86\xff\x10\x13\x14\x20\x77\x14"
+			"\x83\xec\x92\xed\xab\x40\x8c\x76"
+			"\x7b\xf4\xc5\xb4\xff\xfa\xa8\x0c"
+			"\x8c\xa2\x14\xd8\x4c\x4d\xc7\x00"
+			"\xd0\xc5\x06\x30\xb2\xff\xc3\x79"
+			"\x3e\xa4\xd8\x72\x58\xb4\xc9\x54"
+			"\x8c\x54\x85\xa5\xca\x66\x6e\xf7"
+			"\x3f\xbd\x81\x6d\x41\x8a\xea\x63"
+			"\x95\xb5\x03\xad\xdd\x9b\x15\x0f"
+			"\x9e\x06\x63\x32\x5f\x01\xe5\x51",
+		.xof_size = 200,
 	}, {
 		.plaintext = "\x08\x9f\x13\xaa\x41\xd8\x4c\xe3"
 			     "\x7a\x11\x85\x1c\xb3\x27\xbe\x55"
@@ -6062,6 +6144,32 @@ static const struct hash_testvec shake128_tv_template[] = {
 		.psize     = 1023,
 		.digest    = "\x13\x0a\x5b\xcb\x83\x9f\x10\x89"
 			     "\xbb\x62\xda\xe4\xf4\xd3\x21\xf8",
+		.xof =	"\x13\x0a\x5b\xcb\x83\x9f\x10\x89"
+			"\xbb\x62\xda\xe4\xf4\xd3\x21\xf8"
+			"\xd1\xa1\x20\xeb\x55\x0a\x93\x04"
+			"\x9b\xe3\x14\x3c\x18\xd1\x7c\xa7"
+			"\xcd\xf3\x11\xe7\xe1\xcf\xaf\xbf"
+			"\x2e\x99\x8b\x4f\x5e\x0a\x13\x81"
+			"\x6e\x12\x36\x9e\x8e\x3a\xf6\x42"
+			"\xa1\x85\x4b\xda\xcf\x5a\x36\x65"
+			"\xe4\xea\x18\x3b\x19\x86\xf0\xd4"
+			"\xeb\x0f\x33\x98\xb5\x2b\xa7\x9b"
+			"\xba\x17\xd1\xd4\xc5\x5f\x0d\x8e"
+			"\x6c\xb0\xba\x4f\x94\x25\x29\x54"
+			"\xf8\x1d\x03\x14\xb7\xe5\x1e\xb2"
+			"\xf0\xe7\x0f\x32\x86\xfa\x13\x9f"
+			"\x60\x8d\x15\x03\x2d\x96\x2a\xa4"
+			"\x76\xf6\x49\x6c\x8a\x75\x7d\x79"
+			"\xa4\xcc\xcb\xe0\xf9\xbb\x7a\x80"
+			"\xc1\x20\x79\x32\x42\xe8\x0e\xd9"
+			"\x0f\x93\x0b\xaf\x56\x6e\x71\xc8"
+			"\x3f\xc3\x52\xe0\x4b\x4b\xbc\xf5"
+			"\x1f\xdf\xed\x88\xb8\x9d\x5a\x75"
+			"\x77\xa1\x59\x9b\x6a\x7c\x43\xe4"
+			"\x5b\x58\xaa\x84\x0a\x18\xb5\x37"
+			"\x3b\xda\xa8\xc9\x35\x76\x1b\x62"
+			"\x4f\x52\xc7\x42\x4e\x00\xb1\x46",
+		.xof_size = 200,
 	},
 };
 
@@ -6072,6 +6180,32 @@ static const struct hash_testvec shake256_tv_template[] = {
 				"\x23\x3b\x3f\xeb\x74\x3e\xeb\x24"
 				"\x3f\xcd\x52\xea\x62\xb8\x1b\x82"
 				"\xb5\x0c\x27\x64\x6e\xd5\x76\x2f",
+		.xof =  "\x46\xb9\xdd\x2b\x0b\xa8\x8d\x13"
+			"\x23\x3b\x3f\xeb\x74\x3e\xeb\x24"
+			"\x3f\xcd\x52\xea\x62\xb8\x1b\x82"
+			"\xb5\x0c\x27\x64\x6e\xd5\x76\x2f"
+			"\xd7\x5d\xc4\xdd\xd8\xc0\xf2\x00"
+			"\xcb\x05\x01\x9d\x67\xb5\x92\xf6"
+			"\xfc\x82\x1c\x49\x47\x9a\xb4\x86"
+			"\x40\x29\x2e\xac\xb3\xb7\xc4\xbe"
+			"\x14\x1e\x96\x61\x6f\xb1\x39\x57"
+			"\x69\x2c\xc7\xed\xd0\xb4\x5a\xe3"
+			"\xdc\x07\x22\x3c\x8e\x92\x93\x7b"
+			"\xef\x84\xbc\x0e\xab\x86\x28\x53"
+			"\x34\x9e\xc7\x55\x46\xf5\x8f\xb7"
+			"\xc2\x77\x5c\x38\x46\x2c\x50\x10"
+			"\xd8\x46\xc1\x85\xc1\x51\x11\xe5"
+			"\x95\x52\x2a\x6b\xcd\x16\xcf\x86"
+			"\xf3\xd1\x22\x10\x9e\x3b\x1f\xdd"
+			"\x94\x3b\x6a\xec\x46\x8a\x2d\x62"
+			"\x1a\x7c\x06\xc6\xa9\x57\xc6\x2b"
+			"\x54\xda\xfc\x3b\xe8\x75\x67\xd6"
+			"\x77\x23\x13\x95\xf6\x14\x72\x93"
+			"\xb6\x8c\xea\xb7\xa9\xe0\xc5\x8d"
+			"\x86\x4e\x8e\xfd\xe4\xe1\xb9\xa4"
+			"\x6c\xbe\x85\x47\x13\x67\x2f\x5c"
+			"\xaa\xae\x31\x4e\xd9\x08\x3d\xab",
+		.xof_size = 200,
 	}, {
 		.plaintext = "a",
 		.psize	= 1,
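Review bot: Every `.xof_size` in this patch is 200, here and in the shake128 hunks, which is less than two rate blocks for either function (168 bytes for SHAKE128, 136 for SHAKE256 per FIPS 202), so each run crosses only one block boundary while squeezing. Assuming `cra_blocksize` is the rate (set in an earlier patch, not visible here), the `{ .first = 0, .other = cra_blocksize + 1 }` step makes just two non-empty squeeze calls. At least one vector spanning several rate blocks would let the stepping patterns in test_shash_xof exercise the refill-and-copy path repeatedly, which is what the commit message says the test is for. `unsigned short xof_size` leaves room for that.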
@@ -6079,6 +6213,32 @@ static const struct hash_testvec shake256_tv_template[] = {
 				"\xbd\x59\x25\x01\xa5\xe8\xfe\x9c"
 				"\xea\xaf\xca\x50\x25\x56\x26\xca"
 				"\x73\x6c\x13\x80\x42\x53\x0b\xa4",
+		.xof =  "\x86\x7e\x2c\xb0\x4f\x5a\x04\xdc"
+			"\xbd\x59\x25\x01\xa5\xe8\xfe\x9c"
+			"\xea\xaf\xca\x50\x25\x56\x26\xca"
+			"\x73\x6c\x13\x80\x42\x53\x0b\xa4"
+			"\x36\xb7\xb1\xec\x0e\x06\xa2\x79"
+			"\xbc\x79\x07\x33\xbb\x0a\xee\x6f"
+			"\xa8\x02\x68\x3c\x7b\x35\x50\x63"
+			"\xc4\x34\xe9\x11\x89\xb0\xc6\x51"
+			"\xd0\x92\xb0\x1e\x55\xce\x4d\x61"
+			"\x0b\x54\xa5\x46\x6d\x02\xf8\x8f"
+			"\xc3\x78\x09\x6f\xb0\xda\xd0\x25"
+			"\x48\x57\xfe\x1e\x63\x81\xab\xc0"
+			"\x4e\x07\xe3\x3d\x91\x69\x35\x93"
+			"\x56\x36\x00\x48\x96\xc5\xb1\x25"
+			"\x34\x64\xf1\xcb\x5e\xa7\x3b\x00"
+			"\x7b\xc5\x02\x8b\xbb\xea\x13\xeb"
+			"\xc2\x86\x68\xdb\xfc\x26\xb1\x24"
+			"\x0c\xe4\x23\x9f\x8d\x50\x62\x7d"
+			"\xda\xa0\x16\x41\xdf\xea\xa9\xd2"
+			"\xfe\xf0\x3d\xd0\x25\xe0\xb8\x2c"
+			"\xf0\x71\xfb\x9c\xa3\x23\x2c\x74"
+			"\x2d\x83\x6b\x3c\xbc\xc8\xc3\xcb"
+			"\xa5\xb0\x58\xb7\x67\x95\xc1\x77"
+			"\x01\x23\x14\x19\x6d\xc8\x22\x76"
+			"\x89\x91\xc0\xf1\x6f\x8a\x65\x5a",
+		.xof_size = 200,
 	}, {
 		.plaintext = "abcdbcdecdefdefgefghfghighijhijkijkl"
 			     "jklmklmnlmnomnopnopq",
@@ -6087,6 +6247,32 @@ static const struct hash_testvec shake256_tv_template[] = {
 				"\xee\xfb\xb8\xc3\x6f\x6f\x87\x13"
 				"\x3a\x79\x11\xe1\x8d\x97\x9e\xe1"
 				"\xae\x6b\xe5\xd4\xfd\x2e\x33\x29",
+		.xof =  "\x4d\x8c\x2d\xd2\x43\x5a\x01\x28"
+			"\xee\xfb\xb8\xc3\x6f\x6f\x87\x13"
+			"\x3a\x79\x11\xe1\x8d\x97\x9e\xe1"
+			"\xae\x6b\xe5\xd4\xfd\x2e\x33\x29"
+			"\x40\xd8\x68\x8a\x4e\x6a\x59\xaa"
+			"\x80\x60\xf1\xf9\xbc\x99\x6c\x05"
+			"\xac\xa3\xc6\x96\xa8\xb6\x62\x79"
+			"\xdc\x67\x2c\x74\x0b\xb2\x24\xec"
+			"\x37\xa9\x2b\x65\xdb\x05\x39\xc0"
+			"\x20\x34\x55\xf5\x1d\x97\xcc\xe4"
+			"\xcf\xc4\x91\x27\xd7\x26\x0a\xfc"
+			"\x67\x3a\xf2\x08\xba\xf1\x9b\xe2"
+			"\x12\x33\xf3\xde\xbe\x78\xd0\x67"
+			"\x60\xcf\xa5\x51\xee\x1e\x07\x91"
+			"\x41\xd4\x9d\xd3\xef\x7e\x18\x2b"
+			"\x15\x24\xdf\x82\xea\x1c\xef\xe1"
+			"\xc6\xc3\x96\x61\x75\xf0\x22\x8d"
+			"\x35\x88\x7c\xd9\xf0\x9b\x05\x45"
+			"\x7f\x6d\x95\x2f\x9b\x3b\x32\x46"
+			"\x4e\x0b\x3c\x54\xdc\xc1\x3e\xfd"
+			"\xb4\xc5\x4e\x29\xcd\xb4\x08\x8f"
+			"\xaf\x48\x2c\xdd\xd0\xa5\xe6\xb8"
+			"\x22\xf5\xa8\x0d\x0c\xc7\x8d\x4c"
+			"\xc9\x01\x31\x90\x6f\xd5\x15\x9e"
+			"\xb5\x14\x2e\x15\x50\x24\xb6\x24",
+		.xof_size = 200,
 	}, {
 		.plaintext = "\x08\x9f\x13\xaa\x41\xd8\x4c\xe3"
 			     "\x7a\x11\x85\x1c\xb3\x27\xbe\x55"
@@ -6221,6 +6407,32 @@ static const struct hash_testvec shake256_tv_template[] = {
 			     "\xce\xdc\xc1\x02\x31\x6c\x0f\x19"
 			     "\x0a\xb2\x77\x24\xe7\x68\x71\x3b"
 			     "\x9b\x6d\x5f\xbc\xcf\x60\x28\x4c",
+		.xof =  "\x24\xab\xec\xa1\x22\x05\x1c\xf3"
+			"\xce\xdc\xc1\x02\x31\x6c\x0f\x19"
+			"\x0a\xb2\x77\x24\xe7\x68\x71\x3b"
+			"\x9b\x6d\x5f\xbc\xcf\x60\x28\x4c"
+			"\x97\x76\xdc\x50\xda\xa5\x14\x5e"
+			"\xe6\xb9\x1e\xbc\x42\x1e\x8d\xd5"
+			"\xb5\xae\xe2\x77\x48\xde\x80\x1f"
+			"\x7a\x74\x30\x79\x86\xc8\x6f\x2e"
+			"\x90\x76\x07\xb3\xed\x74\xdf\x44"
+			"\xcc\x3b\x00\x64\xb4\xb1\xdc\x11"
+			"\xa8\xcf\xbf\x01\xfc\x21\x00\xac"
+			"\x2c\xa1\xea\xbd\x84\x1c\x84\xa2"
+			"\x6b\x02\x7a\x19\xb9\xbf\xbb\xc0"
+			"\x21\x71\x4b\xb2\xc0\x50\xa4\xe9"
+			"\xe1\x48\xd2\xca\x14\xcc\x3f\x65"
+			"\x87\x38\xc5\xfb\xc0\x03\x23\x64"
+			"\x65\x5d\xb8\xd1\x9d\xd6\xd4\x3a"
+			"\xeb\x57\xe7\x3c\x22\x17\xb6\x5a"
+			"\x8e\x4b\x73\xf4\x36\x4a\x36\x17"
+			"\x8c\xbe\x7d\x2b\x37\xaf\xde\xbc"
+			"\xc7\xe8\x52\x00\x90\x90\x0e\x3b"
+			"\x22\x6f\xa7\xec\x2f\x99\x6d\x32"
+			"\x36\x20\x12\x4d\x14\xa8\x7f\xc4"
+			"\x9e\xb5\x7f\x6b\xc6\xe9\xe2\x8e"
+			"\xd5\xc8\x25\xe6\xf1\x97\xbf\x76",
+		.xof_size = 200,
 	},
 };
 
-- 
2.49.0

