]>
Commit | Line | Data |
---|---|---|
d5e5e2ff SL |
1 | /* |
2 | * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved. | |
3 | * | |
4 | * Licensed under the Apache License 2.0 (the "License"). You may not use | |
5 | * this file except in compliance with the License. You can obtain a copy | |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
8 | */ | |
9 | ||
d5e5e2ff | 10 | #include <string.h> |
c85d5e02 | 11 | #include <openssl/core_names.h> |
d5e5e2ff SL |
12 | #include <openssl/crypto.h> |
13 | #include <openssl/evp.h> | |
14 | #include <openssl/params.h> | |
c85d5e02 | 15 | #include <openssl/err.h> |
d5e5e2ff | 16 | #include "internal/sha3.h" |
7c214f10 | 17 | #include "prov/digestcommon.h" |
af3e7e1b | 18 | #include "prov/implementations.h" |
ddd21319 | 19 | #include "prov/providercommonerr.h" |
d5e5e2ff SL |
20 | |
21 | /* | |
22 | * Forward declaration of any unique methods implemented here. This is not strictly | |
23 | * necessary for the compiler, but provides an assurance that the signatures | |
24 | * of the functions in the dispatch table are correct. | |
25 | */ | |
26 | static OSSL_OP_digest_init_fn keccak_init; | |
27 | static OSSL_OP_digest_update_fn keccak_update; | |
28 | static OSSL_OP_digest_final_fn keccak_final; | |
29 | static OSSL_OP_digest_freectx_fn keccak_freectx; | |
30 | static OSSL_OP_digest_dupctx_fn keccak_dupctx; | |
92d9d0ae | 31 | static OSSL_OP_digest_set_ctx_params_fn shake_set_ctx_params; |
ec02412b | 32 | static OSSL_OP_digest_settable_ctx_params_fn shake_settable_ctx_params; |
d5e5e2ff SL |
33 | static sha3_absorb_fn generic_sha3_absorb; |
34 | static sha3_final_fn generic_sha3_final; | |
35 | ||
36 | #if defined(OPENSSL_CPUID_OBJ) && defined(__s390__) && defined(KECCAK1600_ASM) | |
37 | /* | |
38 | * IBM S390X support | |
39 | */ | |
40 | # include "s390x_arch.h" | |
41 | # define S390_SHA3 1 | |
42 | # define S390_SHA3_CAPABLE(name) \ | |
43 | ((OPENSSL_s390xcap_P.kimd[0] & S390X_CAPBIT(S390X_##name)) && \ | |
44 | (OPENSSL_s390xcap_P.klmd[0] & S390X_CAPBIT(S390X_##name))) | |
45 | ||
46 | #endif | |
47 | ||
48 | static int keccak_init(void *vctx) | |
49 | { | |
50 | /* The newctx() handles most of the ctx fixed setup. */ | |
51 | sha3_reset((KECCAK1600_CTX *)vctx); | |
52 | return 1; | |
53 | } | |
54 | ||
55 | static int keccak_update(void *vctx, const unsigned char *inp, size_t len) | |
56 | { | |
57 | KECCAK1600_CTX *ctx = vctx; | |
58 | const size_t bsz = ctx->block_size; | |
59 | size_t num, rem; | |
60 | ||
61 | if (len == 0) | |
62 | return 1; | |
63 | ||
64 | /* Is there anything in the buffer already ? */ | |
65 | if ((num = ctx->bufsz) != 0) { | |
66 | /* Calculate how much space is left in the buffer */ | |
67 | rem = bsz - num; | |
68 | /* If the new input does not fill the buffer then just add it */ | |
69 | if (len < rem) { | |
70 | memcpy(ctx->buf + num, inp, len); | |
71 | ctx->bufsz += len; | |
72 | return 1; | |
73 | } | |
74 | /* otherwise fill up the buffer and absorb the buffer */ | |
75 | memcpy(ctx->buf + num, inp, rem); | |
76 | /* Update the input pointer */ | |
77 | inp += rem; | |
78 | len -= rem; | |
79 | ctx->meth.absorb(ctx, ctx->buf, bsz); | |
80 | ctx->bufsz = 0; | |
81 | } | |
82 | /* Absorb the input - rem = leftover part of the input < blocksize) */ | |
83 | rem = ctx->meth.absorb(ctx, inp, len); | |
84 | /* Copy the leftover bit of the input into the buffer */ | |
85 | if (rem) { | |
86 | memcpy(ctx->buf, inp + len - rem, rem); | |
87 | ctx->bufsz = rem; | |
88 | } | |
89 | return 1; | |
90 | } | |
91 | ||
92 | static int keccak_final(void *vctx, unsigned char *out, size_t *outl, | |
93 | size_t outsz) | |
94 | { | |
a890ef83 | 95 | int ret = 1; |
d5e5e2ff SL |
96 | KECCAK1600_CTX *ctx = vctx; |
97 | ||
a890ef83 PS |
98 | if (outsz > 0) |
99 | ret = ctx->meth.final(out, ctx); | |
100 | ||
d5e5e2ff SL |
101 | *outl = ctx->md_size; |
102 | return ret; | |
103 | } | |
104 | ||
105 | /*- | |
106 | * Generic software version of the absorb() and final(). | |
107 | */ | |
108 | static size_t generic_sha3_absorb(void *vctx, const void *inp, size_t len) | |
109 | { | |
110 | KECCAK1600_CTX *ctx = vctx; | |
111 | ||
112 | return SHA3_absorb(ctx->A, inp, len, ctx->block_size); | |
113 | } | |
114 | ||
115 | static int generic_sha3_final(unsigned char *md, void *vctx) | |
116 | { | |
117 | return sha3_final(md, (KECCAK1600_CTX *)vctx); | |
118 | } | |
119 | ||
120 | static PROV_SHA3_METHOD sha3_generic_md = | |
121 | { | |
122 | generic_sha3_absorb, | |
123 | generic_sha3_final | |
124 | }; | |
125 | ||
126 | #if defined(S390_SHA3) | |
127 | ||
128 | static sha3_absorb_fn s390x_sha3_absorb; | |
129 | static sha3_final_fn s390x_sha3_final; | |
130 | static sha3_final_fn s390x_shake_final; | |
131 | ||
132 | /*- | |
133 | * The platform specific parts of the absorb() and final() for S390X. | |
134 | */ | |
135 | static size_t s390x_sha3_absorb(void *vctx, const void *inp, size_t len) | |
136 | { | |
137 | KECCAK1600_CTX *ctx = vctx; | |
138 | size_t rem = len % ctx->block_size; | |
139 | ||
140 | s390x_kimd(inp, len - rem, ctx->pad, ctx->A); | |
141 | return rem; | |
142 | } | |
143 | ||
144 | static int s390x_sha3_final(unsigned char *md, void *vctx) | |
145 | { | |
146 | KECCAK1600_CTX *ctx = vctx; | |
147 | ||
148 | s390x_klmd(ctx->buf, ctx->bufsz, NULL, 0, ctx->pad, ctx->A); | |
149 | memcpy(md, ctx->A, ctx->md_size); | |
be1dc984 | 150 | return 1; |
d5e5e2ff SL |
151 | } |
152 | ||
153 | static int s390x_shake_final(unsigned char *md, void *vctx) | |
154 | { | |
155 | KECCAK1600_CTX *ctx = vctx; | |
156 | ||
157 | s390x_klmd(ctx->buf, ctx->bufsz, md, ctx->md_size, ctx->pad, ctx->A); | |
158 | return 1; | |
159 | } | |
160 | ||
161 | static PROV_SHA3_METHOD sha3_s390x_md = | |
162 | { | |
163 | s390x_sha3_absorb, | |
164 | s390x_sha3_final | |
165 | }; | |
166 | ||
167 | static PROV_SHA3_METHOD shake_s390x_md = | |
168 | { | |
169 | s390x_sha3_absorb, | |
170 | s390x_shake_final | |
171 | }; | |
172 | ||
c85d5e02 SL |
173 | # define SHA3_SET_MD(uname, typ) \ |
174 | if (S390_SHA3_CAPABLE(uname)) { \ | |
175 | ctx->pad = S390X_##uname; \ | |
176 | ctx->meth = typ##_s390x_md; \ | |
177 | } else { \ | |
178 | ctx->meth = sha3_generic_md; \ | |
d5e5e2ff SL |
179 | } |
180 | #else | |
181 | # define SHA3_SET_MD(uname, typ) ctx->meth = sha3_generic_md; | |
182 | #endif /* S390_SHA3 */ | |
183 | ||
c85d5e02 SL |
184 | #define SHA3_newctx(typ, uname, name, bitlen, pad) \ |
185 | static OSSL_OP_digest_newctx_fn name##_newctx; \ | |
186 | static void *name##_newctx(void *provctx) \ | |
187 | { \ | |
188 | KECCAK1600_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx)); \ | |
189 | \ | |
190 | if (ctx == NULL) \ | |
191 | return NULL; \ | |
192 | sha3_init(ctx, pad, bitlen); \ | |
193 | SHA3_SET_MD(uname, typ) \ | |
194 | return ctx; \ | |
d5e5e2ff SL |
195 | } |
196 | ||
c85d5e02 SL |
197 | #define KMAC_newctx(uname, bitlen, pad) \ |
198 | static OSSL_OP_digest_newctx_fn uname##_newctx; \ | |
199 | static void *uname##_newctx(void *provctx) \ | |
200 | { \ | |
201 | KECCAK1600_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx)); \ | |
202 | \ | |
203 | if (ctx == NULL) \ | |
204 | return NULL; \ | |
205 | keccak_kmac_init(ctx, pad, bitlen); \ | |
206 | ctx->meth = sha3_generic_md; \ | |
207 | return ctx; \ | |
d5e5e2ff SL |
208 | } |
209 | ||
c85d5e02 SL |
210 | #define PROV_FUNC_SHA3_DIGEST_COMMON(name, bitlen, blksize, dgstsize, flags) \ |
211 | PROV_FUNC_DIGEST_GET_PARAM(name, blksize, dgstsize, flags) \ | |
212 | const OSSL_DISPATCH name##_functions[] = { \ | |
213 | { OSSL_FUNC_DIGEST_NEWCTX, (void (*)(void))name##_newctx }, \ | |
214 | { OSSL_FUNC_DIGEST_INIT, (void (*)(void))keccak_init }, \ | |
215 | { OSSL_FUNC_DIGEST_UPDATE, (void (*)(void))keccak_update }, \ | |
216 | { OSSL_FUNC_DIGEST_FINAL, (void (*)(void))keccak_final }, \ | |
217 | { OSSL_FUNC_DIGEST_FREECTX, (void (*)(void))keccak_freectx }, \ | |
218 | { OSSL_FUNC_DIGEST_DUPCTX, (void (*)(void))keccak_dupctx }, \ | |
219 | PROV_DISPATCH_FUNC_DIGEST_GET_PARAMS(name) | |
220 | ||
221 | #define PROV_FUNC_SHA3_DIGEST(name, bitlen, blksize, dgstsize, flags) \ | |
222 | PROV_FUNC_SHA3_DIGEST_COMMON(name, bitlen, blksize, dgstsize, flags), \ | |
223 | PROV_DISPATCH_FUNC_DIGEST_CONSTRUCT_END | |
224 | ||
225 | #define PROV_FUNC_SHAKE_DIGEST(name, bitlen, blksize, dgstsize, flags) \ | |
226 | PROV_FUNC_SHA3_DIGEST_COMMON(name, bitlen, blksize, dgstsize, flags), \ | |
227 | { OSSL_FUNC_DIGEST_SET_CTX_PARAMS, (void (*)(void))shake_set_ctx_params }, \ | |
228 | { OSSL_FUNC_DIGEST_SETTABLE_CTX_PARAMS, \ | |
229 | (void (*)(void))shake_settable_ctx_params }, \ | |
230 | PROV_DISPATCH_FUNC_DIGEST_CONSTRUCT_END | |
d5e5e2ff SL |
231 | |
232 | static void keccak_freectx(void *vctx) | |
233 | { | |
234 | KECCAK1600_CTX *ctx = (KECCAK1600_CTX *)vctx; | |
235 | ||
236 | OPENSSL_clear_free(ctx, sizeof(*ctx)); | |
237 | } | |
238 | ||
239 | static void *keccak_dupctx(void *ctx) | |
240 | { | |
241 | KECCAK1600_CTX *in = (KECCAK1600_CTX *)ctx; | |
242 | KECCAK1600_CTX *ret = OPENSSL_malloc(sizeof(*ret)); | |
243 | ||
244 | *ret = *in; | |
245 | return ret; | |
246 | } | |
247 | ||
ec02412b RL |
248 | static const OSSL_PARAM known_shake_settable_ctx_params[] = { |
249 | {OSSL_DIGEST_PARAM_SSL3_MS, OSSL_PARAM_OCTET_STRING, NULL, 0, 0}, | |
250 | OSSL_PARAM_END | |
251 | }; | |
ec02412b RL |
252 | static const OSSL_PARAM *shake_settable_ctx_params(void) |
253 | { | |
254 | return known_shake_settable_ctx_params; | |
255 | } | |
256 | ||
92d9d0ae | 257 | static int shake_set_ctx_params(void *vctx, const OSSL_PARAM params[]) |
d5e5e2ff SL |
258 | { |
259 | const OSSL_PARAM *p; | |
260 | KECCAK1600_CTX *ctx = (KECCAK1600_CTX *)vctx; | |
261 | ||
262 | if (ctx != NULL && params != NULL) { | |
4e7991b4 | 263 | p = OSSL_PARAM_locate_const(params, OSSL_DIGEST_PARAM_XOFLEN); |
c85d5e02 SL |
264 | if (p != NULL && !OSSL_PARAM_get_size_t(p, &ctx->md_size)) { |
265 | ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER); | |
d5e5e2ff | 266 | return 0; |
c85d5e02 | 267 | } |
d5e5e2ff SL |
268 | return 1; |
269 | } | |
270 | return 0; /* Null Parameter */ | |
271 | } | |
272 | ||
c85d5e02 SL |
273 | #define IMPLEMENT_SHA3_functions(bitlen) \ |
274 | SHA3_newctx(sha3, SHA3_##bitlen, sha3_##bitlen, bitlen, '\x06') \ | |
275 | PROV_FUNC_SHA3_DIGEST(sha3_##bitlen, bitlen, \ | |
276 | SHA3_BLOCKSIZE(bitlen), SHA3_MDSIZE(bitlen), \ | |
277 | EVP_MD_FLAG_DIGALGID_ABSENT) | |
278 | ||
279 | #define IMPLEMENT_SHAKE_functions(bitlen) \ | |
280 | SHA3_newctx(shake, SHAKE_##bitlen, shake_##bitlen, bitlen, '\x1f') \ | |
281 | PROV_FUNC_SHAKE_DIGEST(shake_##bitlen, bitlen, \ | |
282 | SHA3_BLOCKSIZE(bitlen), SHA3_MDSIZE(bitlen), \ | |
283 | EVP_MD_FLAG_XOF) | |
284 | #define IMPLEMENT_KMAC_functions(bitlen) \ | |
285 | KMAC_newctx(keccak_kmac_##bitlen, bitlen, '\x04') \ | |
286 | PROV_FUNC_SHAKE_DIGEST(keccak_kmac_##bitlen, bitlen, \ | |
287 | SHA3_BLOCKSIZE(bitlen), KMAC_MDSIZE(bitlen), \ | |
288 | EVP_MD_FLAG_XOF) | |
289 | ||
290 | /* sha3_224_functions */ | |
291 | IMPLEMENT_SHA3_functions(224) | |
292 | /* sha3_256_functions */ | |
293 | IMPLEMENT_SHA3_functions(256) | |
294 | /* sha3_384_functions */ | |
295 | IMPLEMENT_SHA3_functions(384) | |
296 | /* sha3_512_functions */ | |
297 | IMPLEMENT_SHA3_functions(512) | |
298 | /* shake_128_functions */ | |
299 | IMPLEMENT_SHAKE_functions(128) | |
300 | /* shake_256_functions */ | |
301 | IMPLEMENT_SHAKE_functions(256) | |
302 | /* keccak_kmac_128_functions */ | |
303 | IMPLEMENT_KMAC_functions(128) | |
304 | /* keccak_kmac_256_functions */ | |
305 | IMPLEMENT_KMAC_functions(256) |