2 * Copyright 2018-2023 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 * See SP800-185 "Appendix A - KMAC, .... in Terms of Keccak[c]"
14 * K = Key (len(K) < 2^2040 bits)
16 * L = Output length (0 <= L < 2^2040 bits)
17 * S = Customization String Default="" (len(S) < 2^2040 bits)
21 * newX = bytepad(encode_string(K), 168) || X || right_encode(L).
22 * T = bytepad(encode_string("KMAC") || encode_string(S), 168).
23 * return KECCAK[256](T || newX || 00, L).
28 * newX = bytepad(encode_string(K), 136) || X || right_encode(L).
29 * T = bytepad(encode_string("KMAC") || encode_string(S), 136).
30 * return KECCAK[512](T || newX || 00, L).
33 * KMAC128XOF(K, X, L, S)
35 * newX = bytepad(encode_string(K), 168) || X || right_encode(0).
36 * T = bytepad(encode_string("KMAC") || encode_string(S), 168).
37 * return KECCAK[256](T || newX || 00, L).
40 * KMAC256XOF(K, X, L, S)
42 * newX = bytepad(encode_string(K), 136) || X || right_encode(0).
43 * T = bytepad(encode_string("KMAC") || encode_string(S), 136).
44 * return KECCAK[512](T || newX || 00, L).
51 #include <openssl/core_dispatch.h>
52 #include <openssl/core_names.h>
53 #include <openssl/params.h>
54 #include <openssl/evp.h>
55 #include <openssl/err.h>
56 #include <openssl/proverr.h>
58 #include "prov/implementations.h"
59 #include "prov/provider_ctx.h"
60 #include "prov/provider_util.h"
61 #include "prov/providercommon.h"
62 #include "internal/cryptlib.h" /* ossl_assert */
65 * Forward declaration of everything implemented here. This is not strictly
66 * necessary for the compiler, but provides an assurance that the signatures
67 * of the functions in the dispatch table are correct.
69 static OSSL_FUNC_mac_newctx_fn kmac128_new
;
70 static OSSL_FUNC_mac_newctx_fn kmac256_new
;
71 static OSSL_FUNC_mac_dupctx_fn kmac_dup
;
72 static OSSL_FUNC_mac_freectx_fn kmac_free
;
73 static OSSL_FUNC_mac_gettable_ctx_params_fn kmac_gettable_ctx_params
;
74 static OSSL_FUNC_mac_get_ctx_params_fn kmac_get_ctx_params
;
75 static OSSL_FUNC_mac_settable_ctx_params_fn kmac_settable_ctx_params
;
76 static OSSL_FUNC_mac_set_ctx_params_fn kmac_set_ctx_params
;
77 static OSSL_FUNC_mac_init_fn kmac_init
;
78 static OSSL_FUNC_mac_update_fn kmac_update
;
79 static OSSL_FUNC_mac_final_fn kmac_final
;
81 #define KMAC_MAX_BLOCKSIZE ((1600 - 128 * 2) / 8) /* 168 */
84 * Length encoding will be a 1 byte size + length in bits (3 bytes max)
85 * This gives a range of 0..0XFFFFFF bits = 2097151 bytes).
87 #define KMAC_MAX_OUTPUT_LEN (0xFFFFFF / 8)
88 #define KMAC_MAX_ENCODED_HEADER_LEN (1 + 3)
91 * Restrict the maximum length of the customisation string. This must not
92 * exceed 64 bits = 8k bytes.
94 #define KMAC_MAX_CUSTOM 512
96 /* Maximum size of encoded custom string */
97 #define KMAC_MAX_CUSTOM_ENCODED (KMAC_MAX_CUSTOM + KMAC_MAX_ENCODED_HEADER_LEN)
99 /* Maximum key size in bytes = 512 (4096 bits) */
100 #define KMAC_MAX_KEY 512
101 #define KMAC_MIN_KEY 4
104 * Maximum Encoded Key size will be padded to a multiple of the blocksize
105 * i.e KMAC_MAX_KEY + KMAC_MAX_ENCODED_HEADER_LEN = 512 + 4
106 * Padded to a multiple of KMAC_MAX_BLOCKSIZE
108 #define KMAC_MAX_KEY_ENCODED (KMAC_MAX_BLOCKSIZE * 4)
110 /* Fixed value of encode_string("KMAC") */
111 static const unsigned char kmac_string
[] = {
112 0x01, 0x20, 0x4B, 0x4D, 0x41, 0x43
115 #define KMAC_FLAG_XOF_MODE 1
117 struct kmac_data_st
{
124 /* If xof_mode = 1 then we use right_encode(0) */
126 /* key and custom are stored in encoded form */
127 unsigned char key
[KMAC_MAX_KEY_ENCODED
];
128 unsigned char custom
[KMAC_MAX_CUSTOM_ENCODED
];
131 static int encode_string(unsigned char *out
, size_t out_max_len
, size_t *out_len
,
132 const unsigned char *in
, size_t in_len
);
133 static int right_encode(unsigned char *out
, size_t out_max_len
, size_t *out_len
,
135 static int bytepad(unsigned char *out
, size_t *out_len
,
136 const unsigned char *in1
, size_t in1_len
,
137 const unsigned char *in2
, size_t in2_len
,
139 static int kmac_bytepad_encode_key(unsigned char *out
, size_t out_max_len
,
141 const unsigned char *in
, size_t in_len
,
144 static void kmac_free(void *vmacctx
)
146 struct kmac_data_st
*kctx
= vmacctx
;
149 EVP_MD_CTX_free(kctx
->ctx
);
150 ossl_prov_digest_reset(&kctx
->digest
);
151 OPENSSL_cleanse(kctx
->key
, kctx
->key_len
);
152 OPENSSL_cleanse(kctx
->custom
, kctx
->custom_len
);
158 * We have KMAC implemented as a hash, which we can use instead of
159 * reimplementing the EVP functionality with direct use of
160 * keccak_mac_init() and friends.
162 static struct kmac_data_st
*kmac_new(void *provctx
)
164 struct kmac_data_st
*kctx
;
166 if (!ossl_prov_is_running())
169 if ((kctx
= OPENSSL_zalloc(sizeof(*kctx
))) == NULL
170 || (kctx
->ctx
= EVP_MD_CTX_new()) == NULL
) {
174 kctx
->provctx
= provctx
;
178 static void *kmac_fetch_new(void *provctx
, const OSSL_PARAM
*params
)
180 struct kmac_data_st
*kctx
= kmac_new(provctx
);
184 if (!ossl_prov_digest_load_from_params(&kctx
->digest
, params
,
185 PROV_LIBCTX_OF(provctx
))) {
190 kctx
->out_len
= EVP_MD_get_size(ossl_prov_digest_md(&kctx
->digest
));
194 static void *kmac128_new(void *provctx
)
196 static const OSSL_PARAM kmac128_params
[] = {
197 OSSL_PARAM_utf8_string("digest", OSSL_DIGEST_NAME_KECCAK_KMAC128
,
198 sizeof(OSSL_DIGEST_NAME_KECCAK_KMAC128
)),
201 return kmac_fetch_new(provctx
, kmac128_params
);
204 static void *kmac256_new(void *provctx
)
206 static const OSSL_PARAM kmac256_params
[] = {
207 OSSL_PARAM_utf8_string("digest", OSSL_DIGEST_NAME_KECCAK_KMAC256
,
208 sizeof(OSSL_DIGEST_NAME_KECCAK_KMAC256
)),
211 return kmac_fetch_new(provctx
, kmac256_params
);
214 static void *kmac_dup(void *vsrc
)
216 struct kmac_data_st
*src
= vsrc
;
217 struct kmac_data_st
*dst
;
219 if (!ossl_prov_is_running())
222 dst
= kmac_new(src
->provctx
);
226 if (!EVP_MD_CTX_copy(dst
->ctx
, src
->ctx
)
227 || !ossl_prov_digest_copy(&dst
->digest
, &src
->digest
)) {
232 dst
->out_len
= src
->out_len
;
233 dst
->key_len
= src
->key_len
;
234 dst
->custom_len
= src
->custom_len
;
235 dst
->xof_mode
= src
->xof_mode
;
236 memcpy(dst
->key
, src
->key
, src
->key_len
);
237 memcpy(dst
->custom
, src
->custom
, dst
->custom_len
);
242 static int kmac_setkey(struct kmac_data_st
*kctx
, const unsigned char *key
,
245 const EVP_MD
*digest
= ossl_prov_digest_md(&kctx
->digest
);
246 int w
= EVP_MD_get_block_size(digest
);
248 if (keylen
< KMAC_MIN_KEY
|| keylen
> KMAC_MAX_KEY
) {
249 ERR_raise(ERR_LIB_PROV
, PROV_R_INVALID_KEY_LENGTH
);
253 ERR_raise(ERR_LIB_PROV
, PROV_R_INVALID_DIGEST_LENGTH
);
256 if (!kmac_bytepad_encode_key(kctx
->key
, sizeof(kctx
->key
), &kctx
->key_len
,
257 key
, keylen
, (size_t)w
))
263 * The init() assumes that any ctrl methods are set beforehand for
264 * md, key and custom. Setting the fields afterwards will have no
265 * effect on the output mac.
267 static int kmac_init(void *vmacctx
, const unsigned char *key
,
268 size_t keylen
, const OSSL_PARAM params
[])
270 struct kmac_data_st
*kctx
= vmacctx
;
271 EVP_MD_CTX
*ctx
= kctx
->ctx
;
273 size_t out_len
, block_len
;
276 if (!ossl_prov_is_running() || !kmac_set_ctx_params(kctx
, params
))
280 if (!kmac_setkey(kctx
, key
, keylen
))
282 } else if (kctx
->key_len
== 0) {
283 /* Check key has been set */
284 ERR_raise(ERR_LIB_PROV
, PROV_R_NO_KEY_SET
);
287 if (!EVP_DigestInit_ex(kctx
->ctx
, ossl_prov_digest_md(&kctx
->digest
),
291 t
= EVP_MD_get_block_size(ossl_prov_digest_md(&kctx
->digest
));
293 ERR_raise(ERR_LIB_PROV
, PROV_R_INVALID_DIGEST_LENGTH
);
298 /* Set default custom string if it is not already set */
299 if (kctx
->custom_len
== 0) {
300 const OSSL_PARAM cparams
[] = {
301 OSSL_PARAM_octet_string(OSSL_MAC_PARAM_CUSTOM
, "", 0),
304 (void)kmac_set_ctx_params(kctx
, cparams
);
307 if (!bytepad(NULL
, &out_len
, kmac_string
, sizeof(kmac_string
),
308 kctx
->custom
, kctx
->custom_len
, block_len
)) {
309 ERR_raise(ERR_LIB_PROV
, ERR_R_INTERNAL_ERROR
);
312 out
= OPENSSL_malloc(out_len
);
315 res
= bytepad(out
, NULL
, kmac_string
, sizeof(kmac_string
),
316 kctx
->custom
, kctx
->custom_len
, block_len
)
317 && EVP_DigestUpdate(ctx
, out
, out_len
)
318 && EVP_DigestUpdate(ctx
, kctx
->key
, kctx
->key_len
);
323 static int kmac_update(void *vmacctx
, const unsigned char *data
,
326 struct kmac_data_st
*kctx
= vmacctx
;
328 return EVP_DigestUpdate(kctx
->ctx
, data
, datalen
);
331 static int kmac_final(void *vmacctx
, unsigned char *out
, size_t *outl
,
334 struct kmac_data_st
*kctx
= vmacctx
;
335 EVP_MD_CTX
*ctx
= kctx
->ctx
;
337 unsigned char encoded_outlen
[KMAC_MAX_ENCODED_HEADER_LEN
];
340 if (!ossl_prov_is_running())
343 /* KMAC XOF mode sets the encoded length to 0 */
344 lbits
= (kctx
->xof_mode
? 0 : (kctx
->out_len
* 8));
346 ok
= right_encode(encoded_outlen
, sizeof(encoded_outlen
), &len
, lbits
)
347 && EVP_DigestUpdate(ctx
, encoded_outlen
, len
)
348 && EVP_DigestFinalXOF(ctx
, out
, kctx
->out_len
);
349 *outl
= kctx
->out_len
;
353 static const OSSL_PARAM known_gettable_ctx_params
[] = {
354 OSSL_PARAM_size_t(OSSL_MAC_PARAM_SIZE
, NULL
),
355 OSSL_PARAM_size_t(OSSL_MAC_PARAM_BLOCK_SIZE
, NULL
),
358 static const OSSL_PARAM
*kmac_gettable_ctx_params(ossl_unused
void *ctx
,
359 ossl_unused
void *provctx
)
361 return known_gettable_ctx_params
;
364 static int kmac_get_ctx_params(void *vmacctx
, OSSL_PARAM params
[])
366 struct kmac_data_st
*kctx
= vmacctx
;
370 if ((p
= OSSL_PARAM_locate(params
, OSSL_MAC_PARAM_SIZE
)) != NULL
371 && !OSSL_PARAM_set_size_t(p
, kctx
->out_len
))
374 if ((p
= OSSL_PARAM_locate(params
, OSSL_MAC_PARAM_BLOCK_SIZE
)) != NULL
) {
375 sz
= EVP_MD_block_size(ossl_prov_digest_md(&kctx
->digest
));
376 if (!OSSL_PARAM_set_int(p
, sz
))
383 static const OSSL_PARAM known_settable_ctx_params
[] = {
384 OSSL_PARAM_int(OSSL_MAC_PARAM_XOF
, NULL
),
385 OSSL_PARAM_size_t(OSSL_MAC_PARAM_SIZE
, NULL
),
386 OSSL_PARAM_octet_string(OSSL_MAC_PARAM_KEY
, NULL
, 0),
387 OSSL_PARAM_octet_string(OSSL_MAC_PARAM_CUSTOM
, NULL
, 0),
390 static const OSSL_PARAM
*kmac_settable_ctx_params(ossl_unused
void *ctx
,
391 ossl_unused
void *provctx
)
393 return known_settable_ctx_params
;
397 * The following params can be set any time before final():
398 * - "outlen" or "size": The requested output length.
399 * - "xof": If set, this indicates that right_encoded(0)
400 * is part of the digested data, otherwise it
401 * uses right_encoded(requested output length).
403 * All other params should be set before init().
405 static int kmac_set_ctx_params(void *vmacctx
, const OSSL_PARAM
*params
)
407 struct kmac_data_st
*kctx
= vmacctx
;
413 if ((p
= OSSL_PARAM_locate_const(params
, OSSL_MAC_PARAM_XOF
)) != NULL
414 && !OSSL_PARAM_get_int(p
, &kctx
->xof_mode
))
416 if ((p
= OSSL_PARAM_locate_const(params
, OSSL_MAC_PARAM_SIZE
)) != NULL
) {
419 if (!OSSL_PARAM_get_size_t(p
, &sz
))
421 if (sz
> KMAC_MAX_OUTPUT_LEN
) {
422 ERR_raise(ERR_LIB_PROV
, PROV_R_INVALID_OUTPUT_LENGTH
);
427 if ((p
= OSSL_PARAM_locate_const(params
, OSSL_MAC_PARAM_KEY
)) != NULL
428 && !kmac_setkey(kctx
, p
->data
, p
->data_size
))
430 if ((p
= OSSL_PARAM_locate_const(params
, OSSL_MAC_PARAM_CUSTOM
))
432 if (p
->data_size
> KMAC_MAX_CUSTOM
) {
433 ERR_raise(ERR_LIB_PROV
, PROV_R_INVALID_CUSTOM_LENGTH
);
436 if (!encode_string(kctx
->custom
, sizeof(kctx
->custom
), &kctx
->custom_len
,
437 p
->data
, p
->data_size
))
443 /* Encoding/Padding Methods. */
445 /* Returns the number of bytes required to store 'bits' into a byte array */
446 static unsigned int get_encode_size(size_t bits
)
448 unsigned int cnt
= 0, sz
= sizeof(size_t);
450 while (bits
&& (cnt
< sz
)) {
454 /* If bits is zero 1 byte is required */
461 * Convert an integer into bytes . The number of bytes is appended
462 * to the end of the buffer. Returns an array of bytes 'out' of size
465 * e.g if bits = 32, out[2] = { 0x20, 0x01 }
467 static int right_encode(unsigned char *out
, size_t out_max_len
, size_t *out_len
,
470 unsigned int len
= get_encode_size(bits
);
473 if (len
>= out_max_len
) {
474 ERR_raise(ERR_LIB_PROV
, PROV_R_LENGTH_TOO_LARGE
);
478 /* MSB's are at the start of the bytes array */
479 for (i
= len
- 1; i
>= 0; --i
) {
480 out
[i
] = (unsigned char)(bits
& 0xFF);
483 /* Tack the length onto the end */
484 out
[len
] = (unsigned char)len
;
486 /* The Returned length includes the tacked on byte */
492 * Encodes a string with a left encoded length added. Note that the
493 * in_len is converted to bits (*8).
495 * e.g- in="KMAC" gives out[6] = { 0x01, 0x20, 0x4B, 0x4D, 0x41, 0x43 }
498 static int encode_string(unsigned char *out
, size_t out_max_len
, size_t *out_len
,
499 const unsigned char *in
, size_t in_len
)
504 size_t i
, bits
, len
, sz
;
507 len
= get_encode_size(bits
);
508 sz
= 1 + len
+ in_len
;
510 if (sz
> out_max_len
) {
511 ERR_raise(ERR_LIB_PROV
, PROV_R_LENGTH_TOO_LARGE
);
515 out
[0] = (unsigned char)len
;
516 for (i
= len
; i
> 0; --i
) {
517 out
[i
] = (bits
& 0xFF);
520 memcpy(out
+ len
+ 1, in
, in_len
);
527 * Returns a zero padded encoding of the inputs in1 and an optional
528 * in2 (can be NULL). The padded output must be a multiple of the blocksize 'w'.
529 * The value of w is in bytes (< 256).
531 * The returned output is:
532 * zero_padded(multiple of w, (left_encode(w) || in1 [|| in2])
534 static int bytepad(unsigned char *out
, size_t *out_len
,
535 const unsigned char *in1
, size_t in1_len
,
536 const unsigned char *in2
, size_t in2_len
, size_t w
)
539 unsigned char *p
= out
;
543 if (out_len
== NULL
) {
544 ERR_raise(ERR_LIB_PROV
, ERR_R_PASSED_NULL_PARAMETER
);
547 sz
= 2 + in1_len
+ (in2
!= NULL
? in2_len
: 0);
548 *out_len
= (sz
+ w
- 1) / w
* w
;
552 if (!ossl_assert(w
<= 255))
557 *p
++ = (unsigned char)w
;
559 memcpy(p
, in1
, in1_len
);
562 if (in2
!= NULL
&& in2_len
> 0) {
563 memcpy(p
, in2
, in2_len
);
566 /* Figure out the pad size (divisible by w) */
568 sz
= (len
+ w
- 1) / w
* w
;
569 /* zero pad the end of the buffer */
571 memset(p
, 0, sz
- len
);
577 /* Returns out = bytepad(encode_string(in), w) */
578 static int kmac_bytepad_encode_key(unsigned char *out
, size_t out_max_len
,
580 const unsigned char *in
, size_t in_len
,
583 unsigned char tmp
[KMAC_MAX_KEY
+ KMAC_MAX_ENCODED_HEADER_LEN
];
586 if (!encode_string(tmp
, sizeof(tmp
), &tmp_len
, in
, in_len
))
588 if (!bytepad(NULL
, out_len
, tmp
, tmp_len
, NULL
, 0, w
))
590 if (!ossl_assert(*out_len
<= out_max_len
))
592 return bytepad(out
, NULL
, tmp
, tmp_len
, NULL
, 0, w
);
595 const OSSL_DISPATCH ossl_kmac128_functions
[] = {
596 { OSSL_FUNC_MAC_NEWCTX
, (void (*)(void))kmac128_new
},
597 { OSSL_FUNC_MAC_DUPCTX
, (void (*)(void))kmac_dup
},
598 { OSSL_FUNC_MAC_FREECTX
, (void (*)(void))kmac_free
},
599 { OSSL_FUNC_MAC_INIT
, (void (*)(void))kmac_init
},
600 { OSSL_FUNC_MAC_UPDATE
, (void (*)(void))kmac_update
},
601 { OSSL_FUNC_MAC_FINAL
, (void (*)(void))kmac_final
},
602 { OSSL_FUNC_MAC_GETTABLE_CTX_PARAMS
,
603 (void (*)(void))kmac_gettable_ctx_params
},
604 { OSSL_FUNC_MAC_GET_CTX_PARAMS
, (void (*)(void))kmac_get_ctx_params
},
605 { OSSL_FUNC_MAC_SETTABLE_CTX_PARAMS
,
606 (void (*)(void))kmac_settable_ctx_params
},
607 { OSSL_FUNC_MAC_SET_CTX_PARAMS
, (void (*)(void))kmac_set_ctx_params
},
611 const OSSL_DISPATCH ossl_kmac256_functions
[] = {
612 { OSSL_FUNC_MAC_NEWCTX
, (void (*)(void))kmac256_new
},
613 { OSSL_FUNC_MAC_DUPCTX
, (void (*)(void))kmac_dup
},
614 { OSSL_FUNC_MAC_FREECTX
, (void (*)(void))kmac_free
},
615 { OSSL_FUNC_MAC_INIT
, (void (*)(void))kmac_init
},
616 { OSSL_FUNC_MAC_UPDATE
, (void (*)(void))kmac_update
},
617 { OSSL_FUNC_MAC_FINAL
, (void (*)(void))kmac_final
},
618 { OSSL_FUNC_MAC_GETTABLE_CTX_PARAMS
,
619 (void (*)(void))kmac_gettable_ctx_params
},
620 { OSSL_FUNC_MAC_GET_CTX_PARAMS
, (void (*)(void))kmac_get_ctx_params
},
621 { OSSL_FUNC_MAC_SETTABLE_CTX_PARAMS
,
622 (void (*)(void))kmac_settable_ctx_params
},
623 { OSSL_FUNC_MAC_SET_CTX_PARAMS
, (void (*)(void))kmac_set_ctx_params
},