]>
Commit | Line | Data |
---|---|---|
6e624a64 | 1 | /* |
da1c088f | 2 | * Copyright 2018-2023 The OpenSSL Project Authors. All Rights Reserved. |
6e624a64 | 3 | * |
e06785a5 | 4 | * Licensed under the Apache License 2.0 (the "License"). You may not use |
6e624a64 SL |
5 | * this file except in compliance with the License. You can obtain a copy |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
8 | */ | |
9 | ||
10 | /* | |
11 | * See SP800-185 "Appendix A - KMAC, .... in Terms of Keccak[c]" | |
12 | * | |
13 | * Inputs are: | |
14 | * K = Key (len(K) < 2^2040 bits) | |
15 | * X = Input | |
16 | * L = Output length (0 <= L < 2^2040 bits) | |
17 | * S = Customization String Default="" (len(S) < 2^2040 bits) | |
18 | * | |
19 | * KMAC128(K, X, L, S) | |
20 | * { | |
21 | * newX = bytepad(encode_string(K), 168) || X || right_encode(L). | |
97c21381 | 22 | * T = bytepad(encode_string("KMAC") || encode_string(S), 168). |
6e624a64 SL |
23 | * return KECCAK[256](T || newX || 00, L). |
24 | * } | |
25 | * | |
26 | * KMAC256(K, X, L, S) | |
27 | * { | |
28 | * newX = bytepad(encode_string(K), 136) || X || right_encode(L). | |
97c21381 | 29 | * T = bytepad(encode_string("KMAC") || encode_string(S), 136). |
6e624a64 SL |
30 | * return KECCAK[512](T || newX || 00, L). |
31 | * } | |
32 | * | |
33 | * KMAC128XOF(K, X, L, S) | |
34 | * { | |
35 | * newX = bytepad(encode_string(K), 168) || X || right_encode(0). | |
97c21381 | 36 | * T = bytepad(encode_string("KMAC") || encode_string(S), 168). |
6e624a64 SL |
37 | * return KECCAK[256](T || newX || 00, L). |
38 | * } | |
39 | * | |
40 | * KMAC256XOF(K, X, L, S) | |
41 | * { | |
42 | * newX = bytepad(encode_string(K), 136) || X || right_encode(0). | |
97c21381 | 43 | * T = bytepad(encode_string("KMAC") || encode_string(S), 136). |
6e624a64 SL |
44 | * return KECCAK[512](T || newX || 00, L). |
45 | * } | |
46 | * | |
47 | */ | |
48 | ||
49 | #include <stdlib.h> | |
e23cda00 | 50 | #include <string.h> |
23c48d94 | 51 | #include <openssl/core_dispatch.h> |
e23cda00 RL |
52 | #include <openssl/core_names.h> |
53 | #include <openssl/params.h> | |
6e624a64 | 54 | #include <openssl/evp.h> |
e23cda00 | 55 | #include <openssl/err.h> |
2741128e | 56 | #include <openssl/proverr.h> |
e23cda00 | 57 | |
af3e7e1b | 58 | #include "prov/implementations.h" |
ddd21319 RL |
59 | #include "prov/provider_ctx.h" |
60 | #include "prov/provider_util.h" | |
5b104a81 | 61 | #include "prov/providercommon.h" |
9acbbbae | 62 | #include "internal/cryptlib.h" /* ossl_assert */ |
e23cda00 RL |
63 | |
64 | /* | |
65 | * Forward declaration of everything implemented here. This is not strictly | |
66 | * necessary for the compiler, but provides an assurance that the signatures | |
67 | * of the functions in the dispatch table are correct. | |
68 | */ | |
363b1e5d DMSP |
69 | static OSSL_FUNC_mac_newctx_fn kmac128_new; |
70 | static OSSL_FUNC_mac_newctx_fn kmac256_new; | |
71 | static OSSL_FUNC_mac_dupctx_fn kmac_dup; | |
72 | static OSSL_FUNC_mac_freectx_fn kmac_free; | |
73 | static OSSL_FUNC_mac_gettable_ctx_params_fn kmac_gettable_ctx_params; | |
74 | static OSSL_FUNC_mac_get_ctx_params_fn kmac_get_ctx_params; | |
75 | static OSSL_FUNC_mac_settable_ctx_params_fn kmac_settable_ctx_params; | |
76 | static OSSL_FUNC_mac_set_ctx_params_fn kmac_set_ctx_params; | |
363b1e5d DMSP |
77 | static OSSL_FUNC_mac_init_fn kmac_init; |
78 | static OSSL_FUNC_mac_update_fn kmac_update; | |
79 | static OSSL_FUNC_mac_final_fn kmac_final; | |
6e624a64 | 80 | |
2b05439f | 81 | #define KMAC_MAX_BLOCKSIZE ((1600 - 128 * 2) / 8) /* 168 */ |
6e624a64 | 82 | |
2b05439f SL |
83 | /* |
84 | * Length encoding will be a 1 byte size + length in bits (3 bytes max) | |
85 | * This gives a range of 0..0XFFFFFF bits = 2097151 bytes). | |
86 | */ | |
87 | #define KMAC_MAX_OUTPUT_LEN (0xFFFFFF / 8) | |
88 | #define KMAC_MAX_ENCODED_HEADER_LEN (1 + 3) | |
6e624a64 SL |
89 | |
90 | /* | |
13eaa4ec P |
91 | * Restrict the maximum length of the customisation string. This must not |
92 | * exceed 64 bits = 8k bytes. | |
6e624a64 | 93 | */ |
211c47ca | 94 | #define KMAC_MAX_CUSTOM 512 |
6e624a64 SL |
95 | |
96 | /* Maximum size of encoded custom string */ | |
97 | #define KMAC_MAX_CUSTOM_ENCODED (KMAC_MAX_CUSTOM + KMAC_MAX_ENCODED_HEADER_LEN) | |
98 | ||
211c47ca | 99 | /* Maximum key size in bytes = 512 (4096 bits) */ |
100 | #define KMAC_MAX_KEY 512 | |
2b05439f | 101 | #define KMAC_MIN_KEY 4 |
6e624a64 SL |
102 | |
103 | /* | |
104 | * Maximum Encoded Key size will be padded to a multiple of the blocksize | |
211c47ca | 105 | * i.e KMAC_MAX_KEY + KMAC_MAX_ENCODED_HEADER_LEN = 512 + 4 |
6e624a64 SL |
106 | * Padded to a multiple of KMAC_MAX_BLOCKSIZE |
107 | */ | |
211c47ca | 108 | #define KMAC_MAX_KEY_ENCODED (KMAC_MAX_BLOCKSIZE * 4) |
6e624a64 SL |
109 | |
110 | /* Fixed value of encode_string("KMAC") */ | |
111 | static const unsigned char kmac_string[] = { | |
112 | 0x01, 0x20, 0x4B, 0x4D, 0x41, 0x43 | |
113 | }; | |
114 | ||
6e624a64 SL |
115 | #define KMAC_FLAG_XOF_MODE 1 |
116 | ||
e23cda00 RL |
117 | struct kmac_data_st { |
118 | void *provctx; | |
6e624a64 | 119 | EVP_MD_CTX *ctx; |
96d7e273 | 120 | PROV_DIGEST digest; |
6e624a64 | 121 | size_t out_len; |
13eaa4ec P |
122 | size_t key_len; |
123 | size_t custom_len; | |
6e624a64 SL |
124 | /* If xof_mode = 1 then we use right_encode(0) */ |
125 | int xof_mode; | |
126 | /* key and custom are stored in encoded form */ | |
127 | unsigned char key[KMAC_MAX_KEY_ENCODED]; | |
128 | unsigned char custom[KMAC_MAX_CUSTOM_ENCODED]; | |
129 | }; | |
130 | ||
2b05439f | 131 | static int encode_string(unsigned char *out, size_t out_max_len, size_t *out_len, |
13eaa4ec | 132 | const unsigned char *in, size_t in_len); |
2b05439f SL |
133 | static int right_encode(unsigned char *out, size_t out_max_len, size_t *out_len, |
134 | size_t bits); | |
13eaa4ec P |
135 | static int bytepad(unsigned char *out, size_t *out_len, |
136 | const unsigned char *in1, size_t in1_len, | |
137 | const unsigned char *in2, size_t in2_len, | |
138 | size_t w); | |
2b05439f SL |
139 | static int kmac_bytepad_encode_key(unsigned char *out, size_t out_max_len, |
140 | size_t *out_len, | |
13eaa4ec P |
141 | const unsigned char *in, size_t in_len, |
142 | size_t w); | |
6e624a64 | 143 | |
e23cda00 | 144 | static void kmac_free(void *vmacctx) |
6e624a64 | 145 | { |
e23cda00 RL |
146 | struct kmac_data_st *kctx = vmacctx; |
147 | ||
6e624a64 SL |
148 | if (kctx != NULL) { |
149 | EVP_MD_CTX_free(kctx->ctx); | |
96d7e273 | 150 | ossl_prov_digest_reset(&kctx->digest); |
6e624a64 SL |
151 | OPENSSL_cleanse(kctx->key, kctx->key_len); |
152 | OPENSSL_cleanse(kctx->custom, kctx->custom_len); | |
153 | OPENSSL_free(kctx); | |
154 | } | |
155 | } | |
156 | ||
e23cda00 RL |
157 | /* |
158 | * We have KMAC implemented as a hash, which we can use instead of | |
159 | * reimplementing the EVP functionality with direct use of | |
160 | * keccak_mac_init() and friends. | |
161 | */ | |
96d7e273 | 162 | static struct kmac_data_st *kmac_new(void *provctx) |
6e624a64 | 163 | { |
96d7e273 | 164 | struct kmac_data_st *kctx; |
6e624a64 | 165 | |
5b104a81 P |
166 | if (!ossl_prov_is_running()) |
167 | return NULL; | |
168 | ||
6e624a64 SL |
169 | if ((kctx = OPENSSL_zalloc(sizeof(*kctx))) == NULL |
170 | || (kctx->ctx = EVP_MD_CTX_new()) == NULL) { | |
171 | kmac_free(kctx); | |
172 | return NULL; | |
173 | } | |
e23cda00 | 174 | kctx->provctx = provctx; |
6e624a64 SL |
175 | return kctx; |
176 | } | |
177 | ||
96d7e273 | 178 | static void *kmac_fetch_new(void *provctx, const OSSL_PARAM *params) |
6e624a64 | 179 | { |
96d7e273 P |
180 | struct kmac_data_st *kctx = kmac_new(provctx); |
181 | ||
182 | if (kctx == NULL) | |
183 | return 0; | |
184 | if (!ossl_prov_digest_load_from_params(&kctx->digest, params, | |
a829b735 | 185 | PROV_LIBCTX_OF(provctx))) { |
f20a59cb | 186 | kmac_free(kctx); |
96d7e273 | 187 | return 0; |
f20a59cb | 188 | } |
96d7e273 | 189 | |
ed576acd | 190 | kctx->out_len = EVP_MD_get_size(ossl_prov_digest_md(&kctx->digest)); |
96d7e273 | 191 | return kctx; |
6e624a64 SL |
192 | } |
193 | ||
e23cda00 | 194 | static void *kmac128_new(void *provctx) |
6e624a64 | 195 | { |
96d7e273 P |
196 | static const OSSL_PARAM kmac128_params[] = { |
197 | OSSL_PARAM_utf8_string("digest", OSSL_DIGEST_NAME_KECCAK_KMAC128, | |
198 | sizeof(OSSL_DIGEST_NAME_KECCAK_KMAC128)), | |
199 | OSSL_PARAM_END | |
200 | }; | |
201 | return kmac_fetch_new(provctx, kmac128_params); | |
6e624a64 SL |
202 | } |
203 | ||
e23cda00 | 204 | static void *kmac256_new(void *provctx) |
6e624a64 | 205 | { |
96d7e273 P |
206 | static const OSSL_PARAM kmac256_params[] = { |
207 | OSSL_PARAM_utf8_string("digest", OSSL_DIGEST_NAME_KECCAK_KMAC256, | |
208 | sizeof(OSSL_DIGEST_NAME_KECCAK_KMAC256)), | |
209 | OSSL_PARAM_END | |
210 | }; | |
211 | return kmac_fetch_new(provctx, kmac256_params); | |
e23cda00 RL |
212 | } |
213 | ||
214 | static void *kmac_dup(void *vsrc) | |
215 | { | |
216 | struct kmac_data_st *src = vsrc; | |
5b104a81 P |
217 | struct kmac_data_st *dst; |
218 | ||
219 | if (!ossl_prov_is_running()) | |
220 | return NULL; | |
7ed66e26 | 221 | |
5b104a81 | 222 | dst = kmac_new(src->provctx); |
e23cda00 | 223 | if (dst == NULL) |
7ed66e26 KR |
224 | return NULL; |
225 | ||
e23cda00 | 226 | if (!EVP_MD_CTX_copy(dst->ctx, src->ctx) |
96d7e273 | 227 | || !ossl_prov_digest_copy(&dst->digest, &src->digest)) { |
e23cda00 | 228 | kmac_free(dst); |
7ed66e26 KR |
229 | return NULL; |
230 | } | |
231 | ||
e23cda00 RL |
232 | dst->out_len = src->out_len; |
233 | dst->key_len = src->key_len; | |
234 | dst->custom_len = src->custom_len; | |
235 | dst->xof_mode = src->xof_mode; | |
236 | memcpy(dst->key, src->key, src->key_len); | |
237 | memcpy(dst->custom, src->custom, dst->custom_len); | |
6e624a64 | 238 | |
e23cda00 | 239 | return dst; |
6e624a64 SL |
240 | } |
241 | ||
ac238428 P |
242 | static int kmac_setkey(struct kmac_data_st *kctx, const unsigned char *key, |
243 | size_t keylen) | |
244 | { | |
245 | const EVP_MD *digest = ossl_prov_digest_md(&kctx->digest); | |
ed576acd | 246 | int w = EVP_MD_get_block_size(digest); |
ac238428 | 247 | |
2b05439f | 248 | if (keylen < KMAC_MIN_KEY || keylen > KMAC_MAX_KEY) { |
ac238428 P |
249 | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH); |
250 | return 0; | |
251 | } | |
13eaa4ec P |
252 | if (w < 0) { |
253 | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST_LENGTH); | |
254 | return 0; | |
255 | } | |
2b05439f | 256 | if (!kmac_bytepad_encode_key(kctx->key, sizeof(kctx->key), &kctx->key_len, |
13eaa4ec | 257 | key, keylen, (size_t)w)) |
ac238428 P |
258 | return 0; |
259 | return 1; | |
260 | } | |
261 | ||
6e624a64 SL |
262 | /* |
263 | * The init() assumes that any ctrl methods are set beforehand for | |
264 | * md, key and custom. Setting the fields afterwards will have no | |
265 | * effect on the output mac. | |
266 | */ | |
ac238428 P |
267 | static int kmac_init(void *vmacctx, const unsigned char *key, |
268 | size_t keylen, const OSSL_PARAM params[]) | |
6e624a64 | 269 | { |
e23cda00 | 270 | struct kmac_data_st *kctx = vmacctx; |
6e624a64 | 271 | EVP_MD_CTX *ctx = kctx->ctx; |
13eaa4ec P |
272 | unsigned char *out; |
273 | size_t out_len, block_len; | |
274 | int res, t; | |
6e624a64 | 275 | |
ac238428 | 276 | if (!ossl_prov_is_running() || !kmac_set_ctx_params(kctx, params)) |
5b104a81 | 277 | return 0; |
13eaa4ec | 278 | |
ac238428 P |
279 | if (key != NULL) { |
280 | if (!kmac_setkey(kctx, key, keylen)) | |
281 | return 0; | |
282 | } else if (kctx->key_len == 0) { | |
283 | /* Check key has been set */ | |
f5f29796 | 284 | ERR_raise(ERR_LIB_PROV, PROV_R_NO_KEY_SET); |
6e624a64 SL |
285 | return 0; |
286 | } | |
96d7e273 P |
287 | if (!EVP_DigestInit_ex(kctx->ctx, ossl_prov_digest_md(&kctx->digest), |
288 | NULL)) | |
6e624a64 SL |
289 | return 0; |
290 | ||
ed576acd | 291 | t = EVP_MD_get_block_size(ossl_prov_digest_md(&kctx->digest)); |
13eaa4ec P |
292 | if (t < 0) { |
293 | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST_LENGTH); | |
0e2b6091 | 294 | return 0; |
13eaa4ec P |
295 | } |
296 | block_len = t; | |
6e624a64 SL |
297 | |
298 | /* Set default custom string if it is not already set */ | |
e23cda00 | 299 | if (kctx->custom_len == 0) { |
ac238428 | 300 | const OSSL_PARAM cparams[] = { |
e23cda00 RL |
301 | OSSL_PARAM_octet_string(OSSL_MAC_PARAM_CUSTOM, "", 0), |
302 | OSSL_PARAM_END | |
303 | }; | |
ac238428 | 304 | (void)kmac_set_ctx_params(kctx, cparams); |
e23cda00 | 305 | } |
6e624a64 | 306 | |
13eaa4ec P |
307 | if (!bytepad(NULL, &out_len, kmac_string, sizeof(kmac_string), |
308 | kctx->custom, kctx->custom_len, block_len)) { | |
309 | ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR); | |
310 | return 0; | |
311 | } | |
312 | out = OPENSSL_malloc(out_len); | |
e077455e | 313 | if (out == NULL) |
13eaa4ec | 314 | return 0; |
13eaa4ec P |
315 | res = bytepad(out, NULL, kmac_string, sizeof(kmac_string), |
316 | kctx->custom, kctx->custom_len, block_len) | |
317 | && EVP_DigestUpdate(ctx, out, out_len) | |
318 | && EVP_DigestUpdate(ctx, kctx->key, kctx->key_len); | |
319 | OPENSSL_free(out); | |
320 | return res; | |
6e624a64 SL |
321 | } |
322 | ||
e23cda00 | 323 | static int kmac_update(void *vmacctx, const unsigned char *data, |
6e624a64 SL |
324 | size_t datalen) |
325 | { | |
e23cda00 RL |
326 | struct kmac_data_st *kctx = vmacctx; |
327 | ||
6e624a64 SL |
328 | return EVP_DigestUpdate(kctx->ctx, data, datalen); |
329 | } | |
330 | ||
e23cda00 RL |
331 | static int kmac_final(void *vmacctx, unsigned char *out, size_t *outl, |
332 | size_t outsize) | |
6e624a64 | 333 | { |
e23cda00 | 334 | struct kmac_data_st *kctx = vmacctx; |
6e624a64 | 335 | EVP_MD_CTX *ctx = kctx->ctx; |
13eaa4ec | 336 | size_t lbits, len; |
6e624a64 | 337 | unsigned char encoded_outlen[KMAC_MAX_ENCODED_HEADER_LEN]; |
e23cda00 | 338 | int ok; |
6e624a64 | 339 | |
5b104a81 P |
340 | if (!ossl_prov_is_running()) |
341 | return 0; | |
342 | ||
6e624a64 SL |
343 | /* KMAC XOF mode sets the encoded length to 0 */ |
344 | lbits = (kctx->xof_mode ? 0 : (kctx->out_len * 8)); | |
345 | ||
2b05439f | 346 | ok = right_encode(encoded_outlen, sizeof(encoded_outlen), &len, lbits) |
e23cda00 RL |
347 | && EVP_DigestUpdate(ctx, encoded_outlen, len) |
348 | && EVP_DigestFinalXOF(ctx, out, kctx->out_len); | |
5f6a0b2f | 349 | *outl = kctx->out_len; |
e23cda00 | 350 | return ok; |
6e624a64 SL |
351 | } |
352 | ||
e23cda00 | 353 | static const OSSL_PARAM known_gettable_ctx_params[] = { |
703170d4 | 354 | OSSL_PARAM_size_t(OSSL_MAC_PARAM_SIZE, NULL), |
eb1b66f0 | 355 | OSSL_PARAM_size_t(OSSL_MAC_PARAM_BLOCK_SIZE, NULL), |
e23cda00 RL |
356 | OSSL_PARAM_END |
357 | }; | |
eee323c3 P |
358 | static const OSSL_PARAM *kmac_gettable_ctx_params(ossl_unused void *ctx, |
359 | ossl_unused void *provctx) | |
6e624a64 | 360 | { |
e23cda00 | 361 | return known_gettable_ctx_params; |
6e624a64 SL |
362 | } |
363 | ||
92d9d0ae | 364 | static int kmac_get_ctx_params(void *vmacctx, OSSL_PARAM params[]) |
6e624a64 | 365 | { |
eb1b66f0 | 366 | struct kmac_data_st *kctx = vmacctx; |
e23cda00 | 367 | OSSL_PARAM *p; |
eb1b66f0 P |
368 | int sz; |
369 | ||
370 | if ((p = OSSL_PARAM_locate(params, OSSL_MAC_PARAM_SIZE)) != NULL | |
371 | && !OSSL_PARAM_set_size_t(p, kctx->out_len)) | |
372 | return 0; | |
6e624a64 | 373 | |
eb1b66f0 P |
374 | if ((p = OSSL_PARAM_locate(params, OSSL_MAC_PARAM_BLOCK_SIZE)) != NULL) { |
375 | sz = EVP_MD_block_size(ossl_prov_digest_md(&kctx->digest)); | |
376 | if (!OSSL_PARAM_set_int(p, sz)) | |
377 | return 0; | |
378 | } | |
6e624a64 | 379 | |
e23cda00 | 380 | return 1; |
6e624a64 SL |
381 | } |
382 | ||
e23cda00 RL |
383 | static const OSSL_PARAM known_settable_ctx_params[] = { |
384 | OSSL_PARAM_int(OSSL_MAC_PARAM_XOF, NULL), | |
e23cda00 RL |
385 | OSSL_PARAM_size_t(OSSL_MAC_PARAM_SIZE, NULL), |
386 | OSSL_PARAM_octet_string(OSSL_MAC_PARAM_KEY, NULL, 0), | |
387 | OSSL_PARAM_octet_string(OSSL_MAC_PARAM_CUSTOM, NULL, 0), | |
388 | OSSL_PARAM_END | |
389 | }; | |
eee323c3 P |
390 | static const OSSL_PARAM *kmac_settable_ctx_params(ossl_unused void *ctx, |
391 | ossl_unused void *provctx) | |
6e624a64 | 392 | { |
e23cda00 | 393 | return known_settable_ctx_params; |
6e624a64 SL |
394 | } |
395 | ||
e23cda00 RL |
396 | /* |
397 | * The following params can be set any time before final(): | |
398 | * - "outlen" or "size": The requested output length. | |
399 | * - "xof": If set, this indicates that right_encoded(0) | |
400 | * is part of the digested data, otherwise it | |
401 | * uses right_encoded(requested output length). | |
402 | * | |
403 | * All other params should be set before init(). | |
404 | */ | |
92d9d0ae | 405 | static int kmac_set_ctx_params(void *vmacctx, const OSSL_PARAM *params) |
6e624a64 | 406 | { |
e23cda00 RL |
407 | struct kmac_data_st *kctx = vmacctx; |
408 | const OSSL_PARAM *p; | |
6e624a64 | 409 | |
5a6b62bb P |
410 | if (params == NULL) |
411 | return 1; | |
412 | ||
e23cda00 RL |
413 | if ((p = OSSL_PARAM_locate_const(params, OSSL_MAC_PARAM_XOF)) != NULL |
414 | && !OSSL_PARAM_get_int(p, &kctx->xof_mode)) | |
415 | return 0; | |
2b05439f SL |
416 | if ((p = OSSL_PARAM_locate_const(params, OSSL_MAC_PARAM_SIZE)) != NULL) { |
417 | size_t sz = 0; | |
418 | ||
419 | if (!OSSL_PARAM_get_size_t(p, &sz)) | |
420 | return 0; | |
421 | if (sz > KMAC_MAX_OUTPUT_LEN) { | |
422 | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_OUTPUT_LENGTH); | |
423 | return 0; | |
424 | } | |
425 | kctx->out_len = sz; | |
426 | } | |
ac238428 P |
427 | if ((p = OSSL_PARAM_locate_const(params, OSSL_MAC_PARAM_KEY)) != NULL |
428 | && !kmac_setkey(kctx, p->data, p->data_size)) | |
429 | return 0; | |
e23cda00 RL |
430 | if ((p = OSSL_PARAM_locate_const(params, OSSL_MAC_PARAM_CUSTOM)) |
431 | != NULL) { | |
432 | if (p->data_size > KMAC_MAX_CUSTOM) { | |
433 | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CUSTOM_LENGTH); | |
434 | return 0; | |
435 | } | |
2b05439f | 436 | if (!encode_string(kctx->custom, sizeof(kctx->custom), &kctx->custom_len, |
e23cda00 RL |
437 | p->data, p->data_size)) |
438 | return 0; | |
439 | } | |
440 | return 1; | |
6e624a64 SL |
441 | } |
442 | ||
2b05439f | 443 | /* Encoding/Padding Methods. */ |
6e624a64 SL |
444 | |
445 | /* Returns the number of bytes required to store 'bits' into a byte array */ | |
446 | static unsigned int get_encode_size(size_t bits) | |
447 | { | |
448 | unsigned int cnt = 0, sz = sizeof(size_t); | |
449 | ||
450 | while (bits && (cnt < sz)) { | |
451 | ++cnt; | |
452 | bits >>= 8; | |
453 | } | |
454 | /* If bits is zero 1 byte is required */ | |
455 | if (cnt == 0) | |
456 | cnt = 1; | |
457 | return cnt; | |
458 | } | |
459 | ||
460 | /* | |
461 | * Convert an integer into bytes . The number of bytes is appended | |
462 | * to the end of the buffer. Returns an array of bytes 'out' of size | |
463 | * *out_len. | |
464 | * | |
465 | * e.g if bits = 32, out[2] = { 0x20, 0x01 } | |
6e624a64 | 466 | */ |
2b05439f SL |
467 | static int right_encode(unsigned char *out, size_t out_max_len, size_t *out_len, |
468 | size_t bits) | |
6e624a64 SL |
469 | { |
470 | unsigned int len = get_encode_size(bits); | |
471 | int i; | |
472 | ||
2b05439f | 473 | if (len >= out_max_len) { |
13eaa4ec | 474 | ERR_raise(ERR_LIB_PROV, PROV_R_LENGTH_TOO_LARGE); |
6e624a64 | 475 | return 0; |
13eaa4ec | 476 | } |
6e624a64 SL |
477 | |
478 | /* MSB's are at the start of the bytes array */ | |
479 | for (i = len - 1; i >= 0; --i) { | |
480 | out[i] = (unsigned char)(bits & 0xFF); | |
481 | bits >>= 8; | |
482 | } | |
483 | /* Tack the length onto the end */ | |
484 | out[len] = (unsigned char)len; | |
485 | ||
486 | /* The Returned length includes the tacked on byte */ | |
487 | *out_len = len + 1; | |
488 | return 1; | |
489 | } | |
490 | ||
491 | /* | |
492 | * Encodes a string with a left encoded length added. Note that the | |
493 | * in_len is converted to bits (*8). | |
494 | * | |
495 | * e.g- in="KMAC" gives out[6] = { 0x01, 0x20, 0x4B, 0x4D, 0x41, 0x43 } | |
496 | * len bits K M A C | |
497 | */ | |
2b05439f | 498 | static int encode_string(unsigned char *out, size_t out_max_len, size_t *out_len, |
13eaa4ec | 499 | const unsigned char *in, size_t in_len) |
6e624a64 SL |
500 | { |
501 | if (in == NULL) { | |
502 | *out_len = 0; | |
503 | } else { | |
2b05439f | 504 | size_t i, bits, len, sz; |
6e624a64 SL |
505 | |
506 | bits = 8 * in_len; | |
507 | len = get_encode_size(bits); | |
2b05439f SL |
508 | sz = 1 + len + in_len; |
509 | ||
510 | if (sz > out_max_len) { | |
13eaa4ec | 511 | ERR_raise(ERR_LIB_PROV, PROV_R_LENGTH_TOO_LARGE); |
6e624a64 | 512 | return 0; |
13eaa4ec | 513 | } |
6e624a64 | 514 | |
9acbbbae | 515 | out[0] = (unsigned char)len; |
6e624a64 SL |
516 | for (i = len; i > 0; --i) { |
517 | out[i] = (bits & 0xFF); | |
518 | bits >>= 8; | |
519 | } | |
520 | memcpy(out + len + 1, in, in_len); | |
2b05439f | 521 | *out_len = sz; |
6e624a64 SL |
522 | } |
523 | return 1; | |
524 | } | |
525 | ||
526 | /* | |
527 | * Returns a zero padded encoding of the inputs in1 and an optional | |
528 | * in2 (can be NULL). The padded output must be a multiple of the blocksize 'w'. | |
529 | * The value of w is in bytes (< 256). | |
530 | * | |
531 | * The returned output is: | |
532 | * zero_padded(multiple of w, (left_encode(w) || in1 [|| in2]) | |
533 | */ | |
13eaa4ec P |
534 | static int bytepad(unsigned char *out, size_t *out_len, |
535 | const unsigned char *in1, size_t in1_len, | |
536 | const unsigned char *in2, size_t in2_len, size_t w) | |
6e624a64 SL |
537 | { |
538 | int len; | |
539 | unsigned char *p = out; | |
540 | int sz = w; | |
541 | ||
13eaa4ec P |
542 | if (out == NULL) { |
543 | if (out_len == NULL) { | |
544 | ERR_raise(ERR_LIB_PROV, ERR_R_PASSED_NULL_PARAMETER); | |
545 | return 0; | |
546 | } | |
547 | sz = 2 + in1_len + (in2 != NULL ? in2_len : 0); | |
548 | *out_len = (sz + w - 1) / w * w; | |
549 | return 1; | |
550 | } | |
551 | ||
9acbbbae SL |
552 | if (!ossl_assert(w <= 255)) |
553 | return 0; | |
554 | ||
6e624a64 SL |
555 | /* Left encoded w */ |
556 | *p++ = 1; | |
9acbbbae | 557 | *p++ = (unsigned char)w; |
6e624a64 SL |
558 | /* || in1 */ |
559 | memcpy(p, in1, in1_len); | |
560 | p += in1_len; | |
561 | /* [ || in2 ] */ | |
562 | if (in2 != NULL && in2_len > 0) { | |
563 | memcpy(p, in2, in2_len); | |
564 | p += in2_len; | |
565 | } | |
566 | /* Figure out the pad size (divisible by w) */ | |
567 | len = p - out; | |
13eaa4ec | 568 | sz = (len + w - 1) / w * w; |
6e624a64 | 569 | /* zero pad the end of the buffer */ |
13eaa4ec P |
570 | if (sz != len) |
571 | memset(p, 0, sz - len); | |
572 | if (out_len != NULL) | |
573 | *out_len = sz; | |
6e624a64 SL |
574 | return 1; |
575 | } | |
576 | ||
2b05439f SL |
577 | /* Returns out = bytepad(encode_string(in), w) */ |
578 | static int kmac_bytepad_encode_key(unsigned char *out, size_t out_max_len, | |
579 | size_t *out_len, | |
13eaa4ec P |
580 | const unsigned char *in, size_t in_len, |
581 | size_t w) | |
6e624a64 SL |
582 | { |
583 | unsigned char tmp[KMAC_MAX_KEY + KMAC_MAX_ENCODED_HEADER_LEN]; | |
13eaa4ec | 584 | size_t tmp_len; |
6e624a64 | 585 | |
2b05439f | 586 | if (!encode_string(tmp, sizeof(tmp), &tmp_len, in, in_len)) |
6e624a64 | 587 | return 0; |
2b05439f SL |
588 | if (!bytepad(NULL, out_len, tmp, tmp_len, NULL, 0, w)) |
589 | return 0; | |
590 | if (!ossl_assert(*out_len <= out_max_len)) | |
591 | return 0; | |
592 | return bytepad(out, NULL, tmp, tmp_len, NULL, 0, w); | |
6e624a64 SL |
593 | } |
594 | ||
1be63951 | 595 | const OSSL_DISPATCH ossl_kmac128_functions[] = { |
e23cda00 RL |
596 | { OSSL_FUNC_MAC_NEWCTX, (void (*)(void))kmac128_new }, |
597 | { OSSL_FUNC_MAC_DUPCTX, (void (*)(void))kmac_dup }, | |
598 | { OSSL_FUNC_MAC_FREECTX, (void (*)(void))kmac_free }, | |
599 | { OSSL_FUNC_MAC_INIT, (void (*)(void))kmac_init }, | |
600 | { OSSL_FUNC_MAC_UPDATE, (void (*)(void))kmac_update }, | |
601 | { OSSL_FUNC_MAC_FINAL, (void (*)(void))kmac_final }, | |
602 | { OSSL_FUNC_MAC_GETTABLE_CTX_PARAMS, | |
603 | (void (*)(void))kmac_gettable_ctx_params }, | |
92d9d0ae | 604 | { OSSL_FUNC_MAC_GET_CTX_PARAMS, (void (*)(void))kmac_get_ctx_params }, |
e23cda00 RL |
605 | { OSSL_FUNC_MAC_SETTABLE_CTX_PARAMS, |
606 | (void (*)(void))kmac_settable_ctx_params }, | |
92d9d0ae | 607 | { OSSL_FUNC_MAC_SET_CTX_PARAMS, (void (*)(void))kmac_set_ctx_params }, |
1e6bd31e | 608 | OSSL_DISPATCH_END |
6e624a64 SL |
609 | }; |
610 | ||
1be63951 | 611 | const OSSL_DISPATCH ossl_kmac256_functions[] = { |
e23cda00 RL |
612 | { OSSL_FUNC_MAC_NEWCTX, (void (*)(void))kmac256_new }, |
613 | { OSSL_FUNC_MAC_DUPCTX, (void (*)(void))kmac_dup }, | |
614 | { OSSL_FUNC_MAC_FREECTX, (void (*)(void))kmac_free }, | |
615 | { OSSL_FUNC_MAC_INIT, (void (*)(void))kmac_init }, | |
616 | { OSSL_FUNC_MAC_UPDATE, (void (*)(void))kmac_update }, | |
617 | { OSSL_FUNC_MAC_FINAL, (void (*)(void))kmac_final }, | |
618 | { OSSL_FUNC_MAC_GETTABLE_CTX_PARAMS, | |
619 | (void (*)(void))kmac_gettable_ctx_params }, | |
92d9d0ae | 620 | { OSSL_FUNC_MAC_GET_CTX_PARAMS, (void (*)(void))kmac_get_ctx_params }, |
e23cda00 RL |
621 | { OSSL_FUNC_MAC_SETTABLE_CTX_PARAMS, |
622 | (void (*)(void))kmac_settable_ctx_params }, | |
92d9d0ae | 623 | { OSSL_FUNC_MAC_SET_CTX_PARAMS, (void (*)(void))kmac_set_ctx_params }, |
1e6bd31e | 624 | OSSL_DISPATCH_END |
6e624a64 | 625 | }; |