]> git.ipfire.org Git - thirdparty/openssl.git/blame - providers/implementations/macs/kmac_prov.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Copyright year updates
[thirdparty/openssl.git] / providers / implementations / macs / kmac_prov.c
CommitLineData
6e624a64 1/*
da1c088f 2 * Copyright 2018-2023 The OpenSSL Project Authors. All Rights Reserved.
6e624a64 3 *
e06785a5 4 * Licensed under the Apache License 2.0 (the "License"). You may not use
6e624a64
SL		 5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10/*
11 * See SP800-185 "Appendix A - KMAC, .... in Terms of Keccak[c]"
12 *
13 * Inputs are:
14 * K = Key (len(K) < 2^2040 bits)
15 * X = Input
16 * L = Output length (0 <= L < 2^2040 bits)
17 * S = Customization String Default="" (len(S) < 2^2040 bits)
18 *
19 * KMAC128(K, X, L, S)
20 * {
21 * newX = bytepad(encode_string(K), 168) || X || right_encode(L).
97c21381 22 * T = bytepad(encode_string("KMAC") || encode_string(S), 168).
6e624a64
SL		 23 * return KECCAK[256](T || newX || 00, L).
24 * }
25 *
26 * KMAC256(K, X, L, S)
27 * {
28 * newX = bytepad(encode_string(K), 136) || X || right_encode(L).
97c21381 29 * T = bytepad(encode_string("KMAC") || encode_string(S), 136).
6e624a64
SL		 30 * return KECCAK[512](T || newX || 00, L).
31 * }
32 *
33 * KMAC128XOF(K, X, L, S)
34 * {
35 * newX = bytepad(encode_string(K), 168) || X || right_encode(0).
97c21381 36 * T = bytepad(encode_string("KMAC") || encode_string(S), 168).
6e624a64
SL		 37 * return KECCAK[256](T || newX || 00, L).
38 * }
39 *
40 * KMAC256XOF(K, X, L, S)
41 * {
42 * newX = bytepad(encode_string(K), 136) || X || right_encode(0).
97c21381 43 * T = bytepad(encode_string("KMAC") || encode_string(S), 136).
6e624a64
SL		 44 * return KECCAK[512](T || newX || 00, L).
45 * }
46 *
47 */
48
49#include <stdlib.h>
e23cda00 50#include <string.h>
23c48d94 51#include <openssl/core_dispatch.h>
e23cda00
RL		 52#include <openssl/core_names.h>
53#include <openssl/params.h>
6e624a64 54#include <openssl/evp.h>
e23cda00 55#include <openssl/err.h>
2741128e 56#include <openssl/proverr.h>
e23cda00 57
af3e7e1b 58#include "prov/implementations.h"
ddd21319
RL		 59#include "prov/provider_ctx.h"
60#include "prov/provider_util.h"
5b104a81 61#include "prov/providercommon.h"
9acbbbae 62#include "internal/cryptlib.h" /* ossl_assert */
e23cda00
RL		 63
64/*
65 * Forward declaration of everything implemented here. This is not strictly
66 * necessary for the compiler, but provides an assurance that the signatures
67 * of the functions in the dispatch table are correct.
68 */
363b1e5d
DMSP		 69static OSSL_FUNC_mac_newctx_fn kmac128_new;
70static OSSL_FUNC_mac_newctx_fn kmac256_new;
71static OSSL_FUNC_mac_dupctx_fn kmac_dup;
72static OSSL_FUNC_mac_freectx_fn kmac_free;
73static OSSL_FUNC_mac_gettable_ctx_params_fn kmac_gettable_ctx_params;
74static OSSL_FUNC_mac_get_ctx_params_fn kmac_get_ctx_params;
75static OSSL_FUNC_mac_settable_ctx_params_fn kmac_settable_ctx_params;
76static OSSL_FUNC_mac_set_ctx_params_fn kmac_set_ctx_params;
363b1e5d
DMSP		 77static OSSL_FUNC_mac_init_fn kmac_init;
78static OSSL_FUNC_mac_update_fn kmac_update;
79static OSSL_FUNC_mac_final_fn kmac_final;
6e624a64 80
2b05439f 81#define KMAC_MAX_BLOCKSIZE ((1600 - 128 * 2) / 8) /* 168 */
6e624a64 82
2b05439f
SL		 83/*
84 * Length encoding will be a 1 byte size + length in bits (3 bytes max)
85 * This gives a range of 0..0XFFFFFF bits = 2097151 bytes).
86 */
87#define KMAC_MAX_OUTPUT_LEN (0xFFFFFF / 8)
88#define KMAC_MAX_ENCODED_HEADER_LEN (1 + 3)
6e624a64
SL		 89
90/*
13eaa4ec
P		 91 * Restrict the maximum length of the customisation string. This must not
92 * exceed 64 bits = 8k bytes.
6e624a64 93 */
211c47ca 94#define KMAC_MAX_CUSTOM 512
6e624a64
SL		 95
96/* Maximum size of encoded custom string */
97#define KMAC_MAX_CUSTOM_ENCODED (KMAC_MAX_CUSTOM + KMAC_MAX_ENCODED_HEADER_LEN)
98
211c47ca 99/* Maximum key size in bytes = 512 (4096 bits) */
100#define KMAC_MAX_KEY 512
2b05439f 101#define KMAC_MIN_KEY 4
6e624a64
SL		 102
103/*
104 * Maximum Encoded Key size will be padded to a multiple of the blocksize
211c47ca 105 * i.e KMAC_MAX_KEY + KMAC_MAX_ENCODED_HEADER_LEN = 512 + 4
6e624a64
SL		 106 * Padded to a multiple of KMAC_MAX_BLOCKSIZE
107 */
211c47ca 108#define KMAC_MAX_KEY_ENCODED (KMAC_MAX_BLOCKSIZE * 4)
6e624a64
SL		 109
110/* Fixed value of encode_string("KMAC") */
111static const unsigned char kmac_string[] = {
112 0x01, 0x20, 0x4B, 0x4D, 0x41, 0x43
113};
114
6e624a64
SL		 115#define KMAC_FLAG_XOF_MODE 1
116
e23cda00
RL		 117struct kmac_data_st {
118 void *provctx;
6e624a64 119 EVP_MD_CTX *ctx;
96d7e273 120 PROV_DIGEST digest;
6e624a64 121 size_t out_len;
13eaa4ec
P		 122 size_t key_len;
123 size_t custom_len;
6e624a64
SL		 124 /* If xof_mode = 1 then we use right_encode(0) */
125 int xof_mode;
126 /* key and custom are stored in encoded form */
127 unsigned char key[KMAC_MAX_KEY_ENCODED];
128 unsigned char custom[KMAC_MAX_CUSTOM_ENCODED];
129};
130
2b05439f 131static int encode_string(unsigned char *out, size_t out_max_len, size_t *out_len,
13eaa4ec 132 const unsigned char *in, size_t in_len);
2b05439f
SL		 133static int right_encode(unsigned char *out, size_t out_max_len, size_t *out_len,
134 size_t bits);
13eaa4ec
P		 135static int bytepad(unsigned char *out, size_t *out_len,
136 const unsigned char *in1, size_t in1_len,
137 const unsigned char *in2, size_t in2_len,
138 size_t w);
2b05439f
SL		 139static int kmac_bytepad_encode_key(unsigned char *out, size_t out_max_len,
140 size_t *out_len,
13eaa4ec
P		 141 const unsigned char *in, size_t in_len,
142 size_t w);
6e624a64 143
e23cda00 144static void kmac_free(void *vmacctx)
6e624a64 145{
e23cda00
RL		 146 struct kmac_data_st *kctx = vmacctx;
147
6e624a64
SL		 148 if (kctx != NULL) {
149 EVP_MD_CTX_free(kctx->ctx);
96d7e273 150 ossl_prov_digest_reset(&kctx->digest);
6e624a64
SL		 151 OPENSSL_cleanse(kctx->key, kctx->key_len);
152 OPENSSL_cleanse(kctx->custom, kctx->custom_len);
153 OPENSSL_free(kctx);
154 }
155}
156
e23cda00
RL		 157/*
158 * We have KMAC implemented as a hash, which we can use instead of
159 * reimplementing the EVP functionality with direct use of
160 * keccak_mac_init() and friends.
161 */
96d7e273 162static struct kmac_data_st *kmac_new(void *provctx)
6e624a64 163{
96d7e273 164 struct kmac_data_st *kctx;
6e624a64 165
5b104a81
P		 166 if (!ossl_prov_is_running())
167 return NULL;
168
6e624a64
SL		 169 if ((kctx = OPENSSL_zalloc(sizeof(*kctx))) == NULL
170 || (kctx->ctx = EVP_MD_CTX_new()) == NULL) {
171 kmac_free(kctx);
172 return NULL;
173 }
e23cda00 174 kctx->provctx = provctx;
6e624a64
SL		 175 return kctx;
176}
177
96d7e273 178static void *kmac_fetch_new(void *provctx, const OSSL_PARAM *params)
6e624a64 179{
96d7e273
P		 180 struct kmac_data_st *kctx = kmac_new(provctx);
181
182 if (kctx == NULL)
183 return 0;
184 if (!ossl_prov_digest_load_from_params(&kctx->digest, params,
a829b735 185 PROV_LIBCTX_OF(provctx))) {
f20a59cb 186 kmac_free(kctx);
96d7e273 187 return 0;
f20a59cb 188 }
96d7e273 189
ed576acd 190 kctx->out_len = EVP_MD_get_size(ossl_prov_digest_md(&kctx->digest));
96d7e273 191 return kctx;
6e624a64
SL		 192}
193
e23cda00 194static void *kmac128_new(void *provctx)
6e624a64 195{
96d7e273
P		 196 static const OSSL_PARAM kmac128_params[] = {
197 OSSL_PARAM_utf8_string("digest", OSSL_DIGEST_NAME_KECCAK_KMAC128,
198 sizeof(OSSL_DIGEST_NAME_KECCAK_KMAC128)),
199 OSSL_PARAM_END
200 };
201 return kmac_fetch_new(provctx, kmac128_params);
6e624a64
SL		 202}
203
e23cda00 204static void *kmac256_new(void *provctx)
6e624a64 205{
96d7e273
P		 206 static const OSSL_PARAM kmac256_params[] = {
207 OSSL_PARAM_utf8_string("digest", OSSL_DIGEST_NAME_KECCAK_KMAC256,
208 sizeof(OSSL_DIGEST_NAME_KECCAK_KMAC256)),
209 OSSL_PARAM_END
210 };
211 return kmac_fetch_new(provctx, kmac256_params);
e23cda00
RL		 212}
213
214static void *kmac_dup(void *vsrc)
215{
216 struct kmac_data_st *src = vsrc;
5b104a81
P		 217 struct kmac_data_st *dst;
218
219 if (!ossl_prov_is_running())
220 return NULL;
7ed66e26 221
5b104a81 222 dst = kmac_new(src->provctx);
e23cda00 223 if (dst == NULL)
7ed66e26
KR		 224 return NULL;
225
e23cda00 226 if (!EVP_MD_CTX_copy(dst->ctx, src->ctx)
96d7e273 227 || !ossl_prov_digest_copy(&dst->digest, &src->digest)) {
e23cda00 228 kmac_free(dst);
7ed66e26
KR		 229 return NULL;
230 }
231
e23cda00
RL		 232 dst->out_len = src->out_len;
233 dst->key_len = src->key_len;
234 dst->custom_len = src->custom_len;
235 dst->xof_mode = src->xof_mode;
236 memcpy(dst->key, src->key, src->key_len);
237 memcpy(dst->custom, src->custom, dst->custom_len);
6e624a64 238
e23cda00 239 return dst;
6e624a64
SL		 240}
241
ac238428
P		 242static int kmac_setkey(struct kmac_data_st *kctx, const unsigned char *key,
243 size_t keylen)
244{
245 const EVP_MD *digest = ossl_prov_digest_md(&kctx->digest);
ed576acd 246 int w = EVP_MD_get_block_size(digest);
ac238428 247
2b05439f 248 if (keylen < KMAC_MIN_KEY || keylen > KMAC_MAX_KEY) {
ac238428
P		 249 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
250 return 0;
251 }
13eaa4ec
P		 252 if (w < 0) {
253 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST_LENGTH);
254 return 0;
255 }
2b05439f 256 if (!kmac_bytepad_encode_key(kctx->key, sizeof(kctx->key), &kctx->key_len,
13eaa4ec 257 key, keylen, (size_t)w))
ac238428
P		 258 return 0;
259 return 1;
260}
261
6e624a64
SL		 262/*
263 * The init() assumes that any ctrl methods are set beforehand for
264 * md, key and custom. Setting the fields afterwards will have no
265 * effect on the output mac.
266 */
ac238428
P		 267static int kmac_init(void *vmacctx, const unsigned char *key,
268 size_t keylen, const OSSL_PARAM params[])
6e624a64 269{
e23cda00 270 struct kmac_data_st *kctx = vmacctx;
6e624a64 271 EVP_MD_CTX *ctx = kctx->ctx;
13eaa4ec
P		 272 unsigned char *out;
273 size_t out_len, block_len;
274 int res, t;
6e624a64 275
ac238428 276 if (!ossl_prov_is_running() || !kmac_set_ctx_params(kctx, params))
5b104a81 277 return 0;
13eaa4ec 278
ac238428
P		 279 if (key != NULL) {
280 if (!kmac_setkey(kctx, key, keylen))
281 return 0;
282 } else if (kctx->key_len == 0) {
283 /* Check key has been set */
f5f29796 284 ERR_raise(ERR_LIB_PROV, PROV_R_NO_KEY_SET);
6e624a64
SL		 285 return 0;
286 }
96d7e273
P		 287 if (!EVP_DigestInit_ex(kctx->ctx, ossl_prov_digest_md(&kctx->digest),
288 NULL))
6e624a64
SL		 289 return 0;
290
ed576acd 291 t = EVP_MD_get_block_size(ossl_prov_digest_md(&kctx->digest));
13eaa4ec
P		 292 if (t < 0) {
293 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST_LENGTH);
0e2b6091 294 return 0;
13eaa4ec
P		 295 }
296 block_len = t;
6e624a64
SL		 297
298 /* Set default custom string if it is not already set */
e23cda00 299 if (kctx->custom_len == 0) {
ac238428 300 const OSSL_PARAM cparams[] = {
e23cda00
RL		 301 OSSL_PARAM_octet_string(OSSL_MAC_PARAM_CUSTOM, "", 0),
302 OSSL_PARAM_END
303 };
ac238428 304 (void)kmac_set_ctx_params(kctx, cparams);
e23cda00 305 }
6e624a64 306
13eaa4ec
P		 307 if (!bytepad(NULL, &out_len, kmac_string, sizeof(kmac_string),
308 kctx->custom, kctx->custom_len, block_len)) {
309 ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR);
310 return 0;
311 }
312 out = OPENSSL_malloc(out_len);
e077455e 313 if (out == NULL)
13eaa4ec 314 return 0;
13eaa4ec
P		 315 res = bytepad(out, NULL, kmac_string, sizeof(kmac_string),
316 kctx->custom, kctx->custom_len, block_len)
317 && EVP_DigestUpdate(ctx, out, out_len)
318 && EVP_DigestUpdate(ctx, kctx->key, kctx->key_len);
319 OPENSSL_free(out);
320 return res;
6e624a64
SL		 321}
322
e23cda00 323static int kmac_update(void *vmacctx, const unsigned char *data,
6e624a64
SL		 324 size_t datalen)
325{
e23cda00
RL		 326 struct kmac_data_st *kctx = vmacctx;
327
6e624a64
SL		 328 return EVP_DigestUpdate(kctx->ctx, data, datalen);
329}
330
e23cda00
RL		 331static int kmac_final(void *vmacctx, unsigned char *out, size_t *outl,
332 size_t outsize)
6e624a64 333{
e23cda00 334 struct kmac_data_st *kctx = vmacctx;
6e624a64 335 EVP_MD_CTX *ctx = kctx->ctx;
13eaa4ec 336 size_t lbits, len;
6e624a64 337 unsigned char encoded_outlen[KMAC_MAX_ENCODED_HEADER_LEN];
e23cda00 338 int ok;
6e624a64 339
5b104a81
P		 340 if (!ossl_prov_is_running())
341 return 0;
342
6e624a64
SL		 343 /* KMAC XOF mode sets the encoded length to 0 */
344 lbits = (kctx->xof_mode ? 0 : (kctx->out_len * 8));
345
2b05439f 346 ok = right_encode(encoded_outlen, sizeof(encoded_outlen), &len, lbits)
e23cda00
RL		 347 && EVP_DigestUpdate(ctx, encoded_outlen, len)
348 && EVP_DigestFinalXOF(ctx, out, kctx->out_len);
5f6a0b2f 349 *outl = kctx->out_len;
e23cda00 350 return ok;
6e624a64
SL		 351}
352
e23cda00 353static const OSSL_PARAM known_gettable_ctx_params[] = {
703170d4 354 OSSL_PARAM_size_t(OSSL_MAC_PARAM_SIZE, NULL),
eb1b66f0 355 OSSL_PARAM_size_t(OSSL_MAC_PARAM_BLOCK_SIZE, NULL),
e23cda00
RL		 356 OSSL_PARAM_END
357};
eee323c3
P		 358static const OSSL_PARAM *kmac_gettable_ctx_params(ossl_unused void *ctx,
359 ossl_unused void *provctx)
6e624a64 360{
e23cda00 361 return known_gettable_ctx_params;
6e624a64
SL		 362}
363
92d9d0ae 364static int kmac_get_ctx_params(void *vmacctx, OSSL_PARAM params[])
6e624a64 365{
eb1b66f0 366 struct kmac_data_st *kctx = vmacctx;
e23cda00 367 OSSL_PARAM *p;
eb1b66f0
P		 368 int sz;
369
370 if ((p = OSSL_PARAM_locate(params, OSSL_MAC_PARAM_SIZE)) != NULL
371 && !OSSL_PARAM_set_size_t(p, kctx->out_len))
372 return 0;
6e624a64 373
eb1b66f0
P		 374 if ((p = OSSL_PARAM_locate(params, OSSL_MAC_PARAM_BLOCK_SIZE)) != NULL) {
375 sz = EVP_MD_block_size(ossl_prov_digest_md(&kctx->digest));
376 if (!OSSL_PARAM_set_int(p, sz))
377 return 0;
378 }
6e624a64 379
e23cda00 380 return 1;
6e624a64
SL		 381}
382
e23cda00
RL		 383static const OSSL_PARAM known_settable_ctx_params[] = {
384 OSSL_PARAM_int(OSSL_MAC_PARAM_XOF, NULL),
e23cda00
RL		 385 OSSL_PARAM_size_t(OSSL_MAC_PARAM_SIZE, NULL),
386 OSSL_PARAM_octet_string(OSSL_MAC_PARAM_KEY, NULL, 0),
387 OSSL_PARAM_octet_string(OSSL_MAC_PARAM_CUSTOM, NULL, 0),
388 OSSL_PARAM_END
389};
eee323c3
P		 390static const OSSL_PARAM *kmac_settable_ctx_params(ossl_unused void *ctx,
391 ossl_unused void *provctx)
6e624a64 392{
e23cda00 393 return known_settable_ctx_params;
6e624a64
SL		 394}
395
e23cda00
RL		 396/*
397 * The following params can be set any time before final():
398 * - "outlen" or "size": The requested output length.
399 * - "xof": If set, this indicates that right_encoded(0)
400 * is part of the digested data, otherwise it
401 * uses right_encoded(requested output length).
402 *
403 * All other params should be set before init().
404 */
92d9d0ae 405static int kmac_set_ctx_params(void *vmacctx, const OSSL_PARAM *params)
6e624a64 406{
e23cda00
RL		 407 struct kmac_data_st *kctx = vmacctx;
408 const OSSL_PARAM *p;
6e624a64 409
5a6b62bb
P		 410 if (params == NULL)
411 return 1;
412
e23cda00
RL		 413 if ((p = OSSL_PARAM_locate_const(params, OSSL_MAC_PARAM_XOF)) != NULL
414 && !OSSL_PARAM_get_int(p, &kctx->xof_mode))
415 return 0;
2b05439f
SL		 416 if ((p = OSSL_PARAM_locate_const(params, OSSL_MAC_PARAM_SIZE)) != NULL) {
417 size_t sz = 0;
418
419 if (!OSSL_PARAM_get_size_t(p, &sz))
420 return 0;
421 if (sz > KMAC_MAX_OUTPUT_LEN) {
422 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_OUTPUT_LENGTH);
423 return 0;
424 }
425 kctx->out_len = sz;
426 }
ac238428
P		 427 if ((p = OSSL_PARAM_locate_const(params, OSSL_MAC_PARAM_KEY)) != NULL
428 && !kmac_setkey(kctx, p->data, p->data_size))
429 return 0;
e23cda00
RL		 430 if ((p = OSSL_PARAM_locate_const(params, OSSL_MAC_PARAM_CUSTOM))
431 != NULL) {
432 if (p->data_size > KMAC_MAX_CUSTOM) {
433 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CUSTOM_LENGTH);
434 return 0;
435 }
2b05439f 436 if (!encode_string(kctx->custom, sizeof(kctx->custom), &kctx->custom_len,
e23cda00
RL		 437 p->data, p->data_size))
438 return 0;
439 }
440 return 1;
6e624a64
SL		 441}
442
2b05439f 443/* Encoding/Padding Methods. */
6e624a64
SL		 444
445/* Returns the number of bytes required to store 'bits' into a byte array */
446static unsigned int get_encode_size(size_t bits)
447{
448 unsigned int cnt = 0, sz = sizeof(size_t);
449
450 while (bits && (cnt < sz)) {
451 ++cnt;
452 bits >>= 8;
453 }
454 /* If bits is zero 1 byte is required */
455 if (cnt == 0)
456 cnt = 1;
457 return cnt;
458}
459
460/*
461 * Convert an integer into bytes . The number of bytes is appended
462 * to the end of the buffer. Returns an array of bytes 'out' of size
463 * *out_len.
464 *
465 * e.g if bits = 32, out[2] = { 0x20, 0x01 }
6e624a64 466 */
2b05439f
SL		 467static int right_encode(unsigned char *out, size_t out_max_len, size_t *out_len,
468 size_t bits)
6e624a64
SL		 469{
470 unsigned int len = get_encode_size(bits);
471 int i;
472
2b05439f 473 if (len >= out_max_len) {
13eaa4ec 474 ERR_raise(ERR_LIB_PROV, PROV_R_LENGTH_TOO_LARGE);
6e624a64 475 return 0;
13eaa4ec 476 }
6e624a64
SL		 477
478 /* MSB's are at the start of the bytes array */
479 for (i = len - 1; i >= 0; --i) {
480 out[i] = (unsigned char)(bits & 0xFF);
481 bits >>= 8;
482 }
483 /* Tack the length onto the end */
484 out[len] = (unsigned char)len;
485
486 /* The Returned length includes the tacked on byte */
487 *out_len = len + 1;
488 return 1;
489}
490
491/*
492 * Encodes a string with a left encoded length added. Note that the
493 * in_len is converted to bits (*8).
494 *
495 * e.g- in="KMAC" gives out[6] = { 0x01, 0x20, 0x4B, 0x4D, 0x41, 0x43 }
496 * len bits K M A C
497 */
2b05439f 498static int encode_string(unsigned char *out, size_t out_max_len, size_t *out_len,
13eaa4ec 499 const unsigned char *in, size_t in_len)
6e624a64
SL		 500{
501 if (in == NULL) {
502 *out_len = 0;
503 } else {
2b05439f 504 size_t i, bits, len, sz;
6e624a64
SL		 505
506 bits = 8 * in_len;
507 len = get_encode_size(bits);
2b05439f
SL		 508 sz = 1 + len + in_len;
509
510 if (sz > out_max_len) {
13eaa4ec 511 ERR_raise(ERR_LIB_PROV, PROV_R_LENGTH_TOO_LARGE);
6e624a64 512 return 0;
13eaa4ec 513 }
6e624a64 514
9acbbbae 515 out[0] = (unsigned char)len;
6e624a64
SL		 516 for (i = len; i > 0; --i) {
517 out[i] = (bits & 0xFF);
518 bits >>= 8;
519 }
520 memcpy(out + len + 1, in, in_len);
2b05439f 521 *out_len = sz;
6e624a64
SL		 522 }
523 return 1;
524}
525
526/*
527 * Returns a zero padded encoding of the inputs in1 and an optional
528 * in2 (can be NULL). The padded output must be a multiple of the blocksize 'w'.
529 * The value of w is in bytes (< 256).
530 *
531 * The returned output is:
532 * zero_padded(multiple of w, (left_encode(w) || in1 [|| in2])
533 */
13eaa4ec
P		 534static int bytepad(unsigned char *out, size_t *out_len,
535 const unsigned char *in1, size_t in1_len,
536 const unsigned char *in2, size_t in2_len, size_t w)
6e624a64
SL		 537{
538 int len;
539 unsigned char *p = out;
540 int sz = w;
541
13eaa4ec
P		 542 if (out == NULL) {
543 if (out_len == NULL) {
544 ERR_raise(ERR_LIB_PROV, ERR_R_PASSED_NULL_PARAMETER);
545 return 0;
546 }
547 sz = 2 + in1_len + (in2 != NULL ? in2_len : 0);
548 *out_len = (sz + w - 1) / w * w;
549 return 1;
550 }
551
9acbbbae
SL		 552 if (!ossl_assert(w <= 255))
553 return 0;
554
6e624a64
SL		 555 /* Left encoded w */
556 *p++ = 1;
9acbbbae 557 *p++ = (unsigned char)w;
6e624a64
SL		 558 /* || in1 */
559 memcpy(p, in1, in1_len);
560 p += in1_len;
561 /* [ || in2 ] */
562 if (in2 != NULL && in2_len > 0) {
563 memcpy(p, in2, in2_len);
564 p += in2_len;
565 }
566 /* Figure out the pad size (divisible by w) */
567 len = p - out;
13eaa4ec 568 sz = (len + w - 1) / w * w;
6e624a64 569 /* zero pad the end of the buffer */
13eaa4ec
P		 570 if (sz != len)
571 memset(p, 0, sz - len);
572 if (out_len != NULL)
573 *out_len = sz;
6e624a64
SL		 574 return 1;
575}
576
2b05439f
SL		 577/* Returns out = bytepad(encode_string(in), w) */
578static int kmac_bytepad_encode_key(unsigned char *out, size_t out_max_len,
579 size_t *out_len,
13eaa4ec
P		 580 const unsigned char *in, size_t in_len,
581 size_t w)
6e624a64
SL		 582{
583 unsigned char tmp[KMAC_MAX_KEY + KMAC_MAX_ENCODED_HEADER_LEN];
13eaa4ec 584 size_t tmp_len;
6e624a64 585
2b05439f 586 if (!encode_string(tmp, sizeof(tmp), &tmp_len, in, in_len))
6e624a64 587 return 0;
2b05439f
SL		 588 if (!bytepad(NULL, out_len, tmp, tmp_len, NULL, 0, w))
589 return 0;
590 if (!ossl_assert(*out_len <= out_max_len))
591 return 0;
592 return bytepad(out, NULL, tmp, tmp_len, NULL, 0, w);
6e624a64
SL		 593}
594
1be63951 595const OSSL_DISPATCH ossl_kmac128_functions[] = {
e23cda00
RL		 596 { OSSL_FUNC_MAC_NEWCTX, (void (*)(void))kmac128_new },
597 { OSSL_FUNC_MAC_DUPCTX, (void (*)(void))kmac_dup },
598 { OSSL_FUNC_MAC_FREECTX, (void (*)(void))kmac_free },
599 { OSSL_FUNC_MAC_INIT, (void (*)(void))kmac_init },
600 { OSSL_FUNC_MAC_UPDATE, (void (*)(void))kmac_update },
601 { OSSL_FUNC_MAC_FINAL, (void (*)(void))kmac_final },
602 { OSSL_FUNC_MAC_GETTABLE_CTX_PARAMS,
603 (void (*)(void))kmac_gettable_ctx_params },
92d9d0ae 604 { OSSL_FUNC_MAC_GET_CTX_PARAMS, (void (*)(void))kmac_get_ctx_params },
e23cda00
RL		 605 { OSSL_FUNC_MAC_SETTABLE_CTX_PARAMS,
606 (void (*)(void))kmac_settable_ctx_params },
92d9d0ae 607 { OSSL_FUNC_MAC_SET_CTX_PARAMS, (void (*)(void))kmac_set_ctx_params },
1e6bd31e 608 OSSL_DISPATCH_END
6e624a64
SL		 609};
610
1be63951 611const OSSL_DISPATCH ossl_kmac256_functions[] = {
e23cda00
RL		 612 { OSSL_FUNC_MAC_NEWCTX, (void (*)(void))kmac256_new },
613 { OSSL_FUNC_MAC_DUPCTX, (void (*)(void))kmac_dup },
614 { OSSL_FUNC_MAC_FREECTX, (void (*)(void))kmac_free },
615 { OSSL_FUNC_MAC_INIT, (void (*)(void))kmac_init },
616 { OSSL_FUNC_MAC_UPDATE, (void (*)(void))kmac_update },
617 { OSSL_FUNC_MAC_FINAL, (void (*)(void))kmac_final },
618 { OSSL_FUNC_MAC_GETTABLE_CTX_PARAMS,
619 (void (*)(void))kmac_gettable_ctx_params },
92d9d0ae 620 { OSSL_FUNC_MAC_GET_CTX_PARAMS, (void (*)(void))kmac_get_ctx_params },
e23cda00
RL		 621 { OSSL_FUNC_MAC_SETTABLE_CTX_PARAMS,
622 (void (*)(void))kmac_settable_ctx_params },
92d9d0ae 623 { OSSL_FUNC_MAC_SET_CTX_PARAMS, (void (*)(void))kmac_set_ctx_params },
1e6bd31e 624 OSSL_DISPATCH_END
6e624a64 625};
A mirror of the official openssl repository