]>
Commit | Line | Data |
---|---|---|
d5e5e2ff | 1 | /* |
fecb3aae | 2 | * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. |
d5e5e2ff SL |
3 | * |
4 | * Licensed under the Apache License 2.0 (the "License"). You may not use | |
5 | * this file except in compliance with the License. You can obtain a copy | |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
8 | */ | |
9 | ||
d5e5e2ff | 10 | #include <string.h> |
c85d5e02 | 11 | #include <openssl/core_names.h> |
d5e5e2ff SL |
12 | #include <openssl/crypto.h> |
13 | #include <openssl/evp.h> | |
14 | #include <openssl/params.h> | |
c85d5e02 | 15 | #include <openssl/err.h> |
2741128e | 16 | #include <openssl/proverr.h> |
d5e5e2ff | 17 | #include "internal/sha3.h" |
7c214f10 | 18 | #include "prov/digestcommon.h" |
af3e7e1b | 19 | #include "prov/implementations.h" |
d5e5e2ff | 20 | |
af53092c SL |
21 | #define SHA3_FLAGS PROV_DIGEST_FLAG_ALGID_ABSENT |
22 | #define SHAKE_FLAGS PROV_DIGEST_FLAG_XOF | |
23 | #define KMAC_FLAGS PROV_DIGEST_FLAG_XOF | |
24 | ||
d5e5e2ff SL |
25 | /* |
26 | * Forward declaration of any unique methods implemented here. This is not strictly | |
27 | * necessary for the compiler, but provides an assurance that the signatures | |
28 | * of the functions in the dispatch table are correct. | |
29 | */ | |
363b1e5d | 30 | static OSSL_FUNC_digest_init_fn keccak_init; |
d7ec1dda | 31 | static OSSL_FUNC_digest_init_fn keccak_init_params; |
363b1e5d DMSP |
32 | static OSSL_FUNC_digest_update_fn keccak_update; |
33 | static OSSL_FUNC_digest_final_fn keccak_final; | |
34 | static OSSL_FUNC_digest_freectx_fn keccak_freectx; | |
35 | static OSSL_FUNC_digest_dupctx_fn keccak_dupctx; | |
36 | static OSSL_FUNC_digest_set_ctx_params_fn shake_set_ctx_params; | |
37 | static OSSL_FUNC_digest_settable_ctx_params_fn shake_settable_ctx_params; | |
d5e5e2ff SL |
38 | static sha3_absorb_fn generic_sha3_absorb; |
39 | static sha3_final_fn generic_sha3_final; | |
40 | ||
41 | #if defined(OPENSSL_CPUID_OBJ) && defined(__s390__) && defined(KECCAK1600_ASM) | |
42 | /* | |
43 | * IBM S390X support | |
44 | */ | |
45 | # include "s390x_arch.h" | |
46 | # define S390_SHA3 1 | |
47 | # define S390_SHA3_CAPABLE(name) \ | |
48 | ((OPENSSL_s390xcap_P.kimd[0] & S390X_CAPBIT(S390X_##name)) && \ | |
49 | (OPENSSL_s390xcap_P.klmd[0] & S390X_CAPBIT(S390X_##name))) | |
50 | ||
51 | #endif | |
52 | ||
d7ec1dda | 53 | static int keccak_init(void *vctx, ossl_unused const OSSL_PARAM params[]) |
d5e5e2ff | 54 | { |
1c1daab9 P |
55 | if (!ossl_prov_is_running()) |
56 | return 0; | |
d5e5e2ff | 57 | /* The newctx() handles most of the ctx fixed setup. */ |
b68a947f | 58 | ossl_sha3_reset((KECCAK1600_CTX *)vctx); |
d5e5e2ff SL |
59 | return 1; |
60 | } | |
61 | ||
d7ec1dda P |
62 | static int keccak_init_params(void *vctx, const OSSL_PARAM params[]) |
63 | { | |
64 | return keccak_init(vctx, NULL) | |
65 | && shake_set_ctx_params(vctx, params); | |
66 | } | |
67 | ||
d5e5e2ff SL |
68 | static int keccak_update(void *vctx, const unsigned char *inp, size_t len) |
69 | { | |
70 | KECCAK1600_CTX *ctx = vctx; | |
71 | const size_t bsz = ctx->block_size; | |
72 | size_t num, rem; | |
73 | ||
74 | if (len == 0) | |
75 | return 1; | |
76 | ||
77 | /* Is there anything in the buffer already ? */ | |
78 | if ((num = ctx->bufsz) != 0) { | |
79 | /* Calculate how much space is left in the buffer */ | |
80 | rem = bsz - num; | |
81 | /* If the new input does not fill the buffer then just add it */ | |
82 | if (len < rem) { | |
83 | memcpy(ctx->buf + num, inp, len); | |
84 | ctx->bufsz += len; | |
85 | return 1; | |
86 | } | |
87 | /* otherwise fill up the buffer and absorb the buffer */ | |
88 | memcpy(ctx->buf + num, inp, rem); | |
89 | /* Update the input pointer */ | |
90 | inp += rem; | |
91 | len -= rem; | |
92 | ctx->meth.absorb(ctx, ctx->buf, bsz); | |
93 | ctx->bufsz = 0; | |
94 | } | |
95 | /* Absorb the input - rem = leftover part of the input < blocksize) */ | |
96 | rem = ctx->meth.absorb(ctx, inp, len); | |
97 | /* Copy the leftover bit of the input into the buffer */ | |
98 | if (rem) { | |
99 | memcpy(ctx->buf, inp + len - rem, rem); | |
100 | ctx->bufsz = rem; | |
101 | } | |
102 | return 1; | |
103 | } | |
104 | ||
105 | static int keccak_final(void *vctx, unsigned char *out, size_t *outl, | |
106 | size_t outsz) | |
107 | { | |
a890ef83 | 108 | int ret = 1; |
d5e5e2ff SL |
109 | KECCAK1600_CTX *ctx = vctx; |
110 | ||
1c1daab9 P |
111 | if (!ossl_prov_is_running()) |
112 | return 0; | |
a890ef83 PS |
113 | if (outsz > 0) |
114 | ret = ctx->meth.final(out, ctx); | |
115 | ||
d5e5e2ff SL |
116 | *outl = ctx->md_size; |
117 | return ret; | |
118 | } | |
119 | ||
120 | /*- | |
121 | * Generic software version of the absorb() and final(). | |
122 | */ | |
123 | static size_t generic_sha3_absorb(void *vctx, const void *inp, size_t len) | |
124 | { | |
125 | KECCAK1600_CTX *ctx = vctx; | |
126 | ||
127 | return SHA3_absorb(ctx->A, inp, len, ctx->block_size); | |
128 | } | |
129 | ||
130 | static int generic_sha3_final(unsigned char *md, void *vctx) | |
131 | { | |
b68a947f | 132 | return ossl_sha3_final(md, (KECCAK1600_CTX *)vctx); |
d5e5e2ff SL |
133 | } |
134 | ||
135 | static PROV_SHA3_METHOD sha3_generic_md = | |
136 | { | |
137 | generic_sha3_absorb, | |
138 | generic_sha3_final | |
139 | }; | |
140 | ||
141 | #if defined(S390_SHA3) | |
142 | ||
143 | static sha3_absorb_fn s390x_sha3_absorb; | |
144 | static sha3_final_fn s390x_sha3_final; | |
145 | static sha3_final_fn s390x_shake_final; | |
146 | ||
147 | /*- | |
148 | * The platform specific parts of the absorb() and final() for S390X. | |
149 | */ | |
150 | static size_t s390x_sha3_absorb(void *vctx, const void *inp, size_t len) | |
151 | { | |
152 | KECCAK1600_CTX *ctx = vctx; | |
153 | size_t rem = len % ctx->block_size; | |
154 | ||
155 | s390x_kimd(inp, len - rem, ctx->pad, ctx->A); | |
156 | return rem; | |
157 | } | |
158 | ||
159 | static int s390x_sha3_final(unsigned char *md, void *vctx) | |
160 | { | |
161 | KECCAK1600_CTX *ctx = vctx; | |
162 | ||
1c1daab9 P |
163 | if (!ossl_prov_is_running()) |
164 | return 0; | |
d5e5e2ff SL |
165 | s390x_klmd(ctx->buf, ctx->bufsz, NULL, 0, ctx->pad, ctx->A); |
166 | memcpy(md, ctx->A, ctx->md_size); | |
be1dc984 | 167 | return 1; |
d5e5e2ff SL |
168 | } |
169 | ||
170 | static int s390x_shake_final(unsigned char *md, void *vctx) | |
171 | { | |
172 | KECCAK1600_CTX *ctx = vctx; | |
173 | ||
1c1daab9 P |
174 | if (!ossl_prov_is_running()) |
175 | return 0; | |
d5e5e2ff SL |
176 | s390x_klmd(ctx->buf, ctx->bufsz, md, ctx->md_size, ctx->pad, ctx->A); |
177 | return 1; | |
178 | } | |
179 | ||
180 | static PROV_SHA3_METHOD sha3_s390x_md = | |
181 | { | |
182 | s390x_sha3_absorb, | |
183 | s390x_sha3_final | |
184 | }; | |
185 | ||
524f1261 UM |
186 | static PROV_SHA3_METHOD keccak_s390x_md = |
187 | { | |
188 | s390x_sha3_absorb, | |
189 | s390x_sha3_final | |
190 | }; | |
191 | ||
d5e5e2ff SL |
192 | static PROV_SHA3_METHOD shake_s390x_md = |
193 | { | |
194 | s390x_sha3_absorb, | |
195 | s390x_shake_final | |
196 | }; | |
197 | ||
c85d5e02 SL |
198 | # define SHA3_SET_MD(uname, typ) \ |
199 | if (S390_SHA3_CAPABLE(uname)) { \ | |
200 | ctx->pad = S390X_##uname; \ | |
201 | ctx->meth = typ##_s390x_md; \ | |
202 | } else { \ | |
203 | ctx->meth = sha3_generic_md; \ | |
d5e5e2ff SL |
204 | } |
205 | #else | |
206 | # define SHA3_SET_MD(uname, typ) ctx->meth = sha3_generic_md; | |
207 | #endif /* S390_SHA3 */ | |
208 | ||
c85d5e02 | 209 | #define SHA3_newctx(typ, uname, name, bitlen, pad) \ |
363b1e5d | 210 | static OSSL_FUNC_digest_newctx_fn name##_newctx; \ |
c85d5e02 SL |
211 | static void *name##_newctx(void *provctx) \ |
212 | { \ | |
1c1daab9 P |
213 | KECCAK1600_CTX *ctx = ossl_prov_is_running() ? OPENSSL_zalloc(sizeof(*ctx)) \ |
214 | : NULL; \ | |
c85d5e02 SL |
215 | \ |
216 | if (ctx == NULL) \ | |
217 | return NULL; \ | |
b68a947f | 218 | ossl_sha3_init(ctx, pad, bitlen); \ |
c85d5e02 SL |
219 | SHA3_SET_MD(uname, typ) \ |
220 | return ctx; \ | |
d5e5e2ff SL |
221 | } |
222 | ||
c85d5e02 | 223 | #define KMAC_newctx(uname, bitlen, pad) \ |
363b1e5d | 224 | static OSSL_FUNC_digest_newctx_fn uname##_newctx; \ |
c85d5e02 SL |
225 | static void *uname##_newctx(void *provctx) \ |
226 | { \ | |
1c1daab9 P |
227 | KECCAK1600_CTX *ctx = ossl_prov_is_running() ? OPENSSL_zalloc(sizeof(*ctx)) \ |
228 | : NULL; \ | |
c85d5e02 SL |
229 | \ |
230 | if (ctx == NULL) \ | |
231 | return NULL; \ | |
b68a947f | 232 | ossl_keccak_kmac_init(ctx, pad, bitlen); \ |
c85d5e02 SL |
233 | ctx->meth = sha3_generic_md; \ |
234 | return ctx; \ | |
d5e5e2ff SL |
235 | } |
236 | ||
c85d5e02 SL |
237 | #define PROV_FUNC_SHA3_DIGEST_COMMON(name, bitlen, blksize, dgstsize, flags) \ |
238 | PROV_FUNC_DIGEST_GET_PARAM(name, blksize, dgstsize, flags) \ | |
1be63951 | 239 | const OSSL_DISPATCH ossl_##name##_functions[] = { \ |
c85d5e02 | 240 | { OSSL_FUNC_DIGEST_NEWCTX, (void (*)(void))name##_newctx }, \ |
c85d5e02 SL |
241 | { OSSL_FUNC_DIGEST_UPDATE, (void (*)(void))keccak_update }, \ |
242 | { OSSL_FUNC_DIGEST_FINAL, (void (*)(void))keccak_final }, \ | |
243 | { OSSL_FUNC_DIGEST_FREECTX, (void (*)(void))keccak_freectx }, \ | |
244 | { OSSL_FUNC_DIGEST_DUPCTX, (void (*)(void))keccak_dupctx }, \ | |
245 | PROV_DISPATCH_FUNC_DIGEST_GET_PARAMS(name) | |
246 | ||
247 | #define PROV_FUNC_SHA3_DIGEST(name, bitlen, blksize, dgstsize, flags) \ | |
248 | PROV_FUNC_SHA3_DIGEST_COMMON(name, bitlen, blksize, dgstsize, flags), \ | |
d7ec1dda | 249 | { OSSL_FUNC_DIGEST_INIT, (void (*)(void))keccak_init }, \ |
c85d5e02 SL |
250 | PROV_DISPATCH_FUNC_DIGEST_CONSTRUCT_END |
251 | ||
252 | #define PROV_FUNC_SHAKE_DIGEST(name, bitlen, blksize, dgstsize, flags) \ | |
253 | PROV_FUNC_SHA3_DIGEST_COMMON(name, bitlen, blksize, dgstsize, flags), \ | |
d7ec1dda | 254 | { OSSL_FUNC_DIGEST_INIT, (void (*)(void))keccak_init_params }, \ |
c85d5e02 SL |
255 | { OSSL_FUNC_DIGEST_SET_CTX_PARAMS, (void (*)(void))shake_set_ctx_params }, \ |
256 | { OSSL_FUNC_DIGEST_SETTABLE_CTX_PARAMS, \ | |
257 | (void (*)(void))shake_settable_ctx_params }, \ | |
258 | PROV_DISPATCH_FUNC_DIGEST_CONSTRUCT_END | |
d5e5e2ff SL |
259 | |
260 | static void keccak_freectx(void *vctx) | |
261 | { | |
262 | KECCAK1600_CTX *ctx = (KECCAK1600_CTX *)vctx; | |
263 | ||
264 | OPENSSL_clear_free(ctx, sizeof(*ctx)); | |
265 | } | |
266 | ||
267 | static void *keccak_dupctx(void *ctx) | |
268 | { | |
269 | KECCAK1600_CTX *in = (KECCAK1600_CTX *)ctx; | |
1c1daab9 | 270 | KECCAK1600_CTX *ret = ossl_prov_is_running() ? OPENSSL_malloc(sizeof(*ret)) |
2c9da416 | 271 | : NULL; |
d5e5e2ff | 272 | |
a89befba P |
273 | if (ret != NULL) |
274 | *ret = *in; | |
d5e5e2ff SL |
275 | return ret; |
276 | } | |
277 | ||
ec02412b | 278 | static const OSSL_PARAM known_shake_settable_ctx_params[] = { |
1e55cbc8 | 279 | {OSSL_DIGEST_PARAM_XOFLEN, OSSL_PARAM_UNSIGNED_INTEGER, NULL, 0, 0}, |
ec02412b RL |
280 | OSSL_PARAM_END |
281 | }; | |
e772f25c P |
282 | static const OSSL_PARAM *shake_settable_ctx_params(ossl_unused void *ctx, |
283 | ossl_unused void *provctx) | |
ec02412b RL |
284 | { |
285 | return known_shake_settable_ctx_params; | |
286 | } | |
287 | ||
92d9d0ae | 288 | static int shake_set_ctx_params(void *vctx, const OSSL_PARAM params[]) |
d5e5e2ff SL |
289 | { |
290 | const OSSL_PARAM *p; | |
291 | KECCAK1600_CTX *ctx = (KECCAK1600_CTX *)vctx; | |
292 | ||
5506cd0b P |
293 | if (ctx == NULL) |
294 | return 0; | |
295 | if (params == NULL) | |
d5e5e2ff | 296 | return 1; |
5506cd0b P |
297 | |
298 | p = OSSL_PARAM_locate_const(params, OSSL_DIGEST_PARAM_XOFLEN); | |
299 | if (p != NULL && !OSSL_PARAM_get_size_t(p, &ctx->md_size)) { | |
300 | ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER); | |
301 | return 0; | |
d5e5e2ff | 302 | } |
5506cd0b | 303 | return 1; |
d5e5e2ff SL |
304 | } |
305 | ||
c85d5e02 SL |
306 | #define IMPLEMENT_SHA3_functions(bitlen) \ |
307 | SHA3_newctx(sha3, SHA3_##bitlen, sha3_##bitlen, bitlen, '\x06') \ | |
308 | PROV_FUNC_SHA3_DIGEST(sha3_##bitlen, bitlen, \ | |
309 | SHA3_BLOCKSIZE(bitlen), SHA3_MDSIZE(bitlen), \ | |
af53092c | 310 | SHA3_FLAGS) |
c85d5e02 | 311 | |
524f1261 UM |
312 | #define IMPLEMENT_KECCAK_functions(bitlen) \ |
313 | SHA3_newctx(keccak, KECCAK_##bitlen, keccak_##bitlen, bitlen, '\x01') \ | |
314 | PROV_FUNC_SHA3_DIGEST(keccak_##bitlen, bitlen, \ | |
315 | SHA3_BLOCKSIZE(bitlen), SHA3_MDSIZE(bitlen), \ | |
316 | SHA3_FLAGS) | |
317 | ||
c85d5e02 SL |
318 | #define IMPLEMENT_SHAKE_functions(bitlen) \ |
319 | SHA3_newctx(shake, SHAKE_##bitlen, shake_##bitlen, bitlen, '\x1f') \ | |
320 | PROV_FUNC_SHAKE_DIGEST(shake_##bitlen, bitlen, \ | |
321 | SHA3_BLOCKSIZE(bitlen), SHA3_MDSIZE(bitlen), \ | |
af53092c | 322 | SHAKE_FLAGS) |
c85d5e02 SL |
323 | #define IMPLEMENT_KMAC_functions(bitlen) \ |
324 | KMAC_newctx(keccak_kmac_##bitlen, bitlen, '\x04') \ | |
325 | PROV_FUNC_SHAKE_DIGEST(keccak_kmac_##bitlen, bitlen, \ | |
326 | SHA3_BLOCKSIZE(bitlen), KMAC_MDSIZE(bitlen), \ | |
af53092c | 327 | KMAC_FLAGS) |
c85d5e02 | 328 | |
1be63951 | 329 | /* ossl_sha3_224_functions */ |
c85d5e02 | 330 | IMPLEMENT_SHA3_functions(224) |
1be63951 | 331 | /* ossl_sha3_256_functions */ |
c85d5e02 | 332 | IMPLEMENT_SHA3_functions(256) |
1be63951 | 333 | /* ossl_sha3_384_functions */ |
c85d5e02 | 334 | IMPLEMENT_SHA3_functions(384) |
1be63951 | 335 | /* ossl_sha3_512_functions */ |
c85d5e02 | 336 | IMPLEMENT_SHA3_functions(512) |
524f1261 UM |
337 | /* ossl_keccak_224_functions */ |
338 | IMPLEMENT_KECCAK_functions(224) | |
339 | /* ossl_keccak_256_functions */ | |
340 | IMPLEMENT_KECCAK_functions(256) | |
341 | /* ossl_keccak_384_functions */ | |
342 | IMPLEMENT_KECCAK_functions(384) | |
343 | /* ossl_keccak_512_functions */ | |
344 | IMPLEMENT_KECCAK_functions(512) | |
1be63951 | 345 | /* ossl_shake_128_functions */ |
c85d5e02 | 346 | IMPLEMENT_SHAKE_functions(128) |
1be63951 | 347 | /* ossl_shake_256_functions */ |
c85d5e02 | 348 | IMPLEMENT_SHAKE_functions(256) |
1be63951 | 349 | /* ossl_keccak_kmac_128_functions */ |
c85d5e02 | 350 | IMPLEMENT_KMAC_functions(128) |
1be63951 | 351 | /* ossl_keccak_kmac_256_functions */ |
c85d5e02 | 352 | IMPLEMENT_KMAC_functions(256) |