Added SHAKE128/256 code and test vectors.

sha3.c

@@ -124,7 +124,7 @@ int sha3_update(sha3_ctx_t *c, const void *data, size_t len)
     for (i = 0; i < len; i++) {
         c->st.b[j++] ^= ((const uint8_t *) data)[i];
         if (j >= c->rsiz) {
-            sha3_keccakf(c->st.q, SHA3_ROUNDS);
+            sha3_keccakf(c->st.q, KECCAKF_ROUNDS);
             j = 0;
         }
     }
@@ -141,7 +141,7 @@ int sha3_final(void *md, sha3_ctx_t *c)
 
     c->st.b[c->pt] ^= 0x06;
     c->st.b[c->rsiz - 1] ^= 0x80;
-    sha3_keccakf(c->st.q, SHA3_ROUNDS);
+    sha3_keccakf(c->st.q, KECCAKF_ROUNDS);
 
     for (i = 0; i < c->mdlen; i++) {
         ((uint8_t *) md)[i] = c->st.b[i];
@@ -163,3 +163,29 @@ void *sha3(const void *in, size_t inlen, void *md, int mdlen)
     return md;
 }
 
+// SHAKE128 and SHAKE256 extensible-output functionality
+
+void shake_xof(sha3_ctx_t *c)
+{
+    c->st.b[c->pt] ^= 0x1F;
+    c->st.b[c->rsiz - 1] ^= 0x80;
+    sha3_keccakf(c->st.q, KECCAKF_ROUNDS);
+    c->pt = 0;
+}
+
+void shake_out(sha3_ctx_t *c, void *out, size_t len)
+{
+    size_t i;
+    int j;
+
+    j = c->pt;
+    for (i = 0; i < len; i++) {
+        if (j >= c->rsiz) {
+            sha3_keccakf(c->st.q, KECCAKF_ROUNDS);
+            j = 0;
+        }
+        ((uint8_t *) out)[i] = c->st.b[j++];
+    }
+    c->pt = j;
+}
+