]> git.ipfire.org Git - thirdparty/openssl.git/blame - providers/implementations/macs/kmac_prov.c
Cleanup: move remaining providers/common/include/internal/*.h
[thirdparty/openssl.git] / providers / implementations / macs / kmac_prov.c
CommitLineData
6e624a64
SL
1/*
2 * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
3 *
e06785a5 4 * Licensed under the Apache License 2.0 (the "License"). You may not use
6e624a64
SL
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10/*
11 * See SP800-185 "Appendix A - KMAC, .... in Terms of Keccak[c]"
12 *
13 * Inputs are:
14 * K = Key (len(K) < 2^2040 bits)
15 * X = Input
16 * L = Output length (0 <= L < 2^2040 bits)
17 * S = Customization String Default="" (len(S) < 2^2040 bits)
18 *
19 * KMAC128(K, X, L, S)
20 * {
21 * newX = bytepad(encode_string(K), 168) || X || right_encode(L).
97c21381 22 * T = bytepad(encode_string("KMAC") || encode_string(S), 168).
6e624a64
SL
23 * return KECCAK[256](T || newX || 00, L).
24 * }
25 *
26 * KMAC256(K, X, L, S)
27 * {
28 * newX = bytepad(encode_string(K), 136) || X || right_encode(L).
97c21381 29 * T = bytepad(encode_string("KMAC") || encode_string(S), 136).
6e624a64
SL
30 * return KECCAK[512](T || newX || 00, L).
31 * }
32 *
33 * KMAC128XOF(K, X, L, S)
34 * {
35 * newX = bytepad(encode_string(K), 168) || X || right_encode(0).
97c21381 36 * T = bytepad(encode_string("KMAC") || encode_string(S), 168).
6e624a64
SL
37 * return KECCAK[256](T || newX || 00, L).
38 * }
39 *
40 * KMAC256XOF(K, X, L, S)
41 * {
42 * newX = bytepad(encode_string(K), 136) || X || right_encode(0).
97c21381 43 * T = bytepad(encode_string("KMAC") || encode_string(S), 136).
6e624a64
SL
44 * return KECCAK[512](T || newX || 00, L).
45 * }
46 *
47 */
48
49#include <stdlib.h>
e23cda00
RL
50#include <string.h>
51#include <openssl/core_numbers.h>
52#include <openssl/core_names.h>
53#include <openssl/params.h>
6e624a64 54#include <openssl/evp.h>
e23cda00
RL
55#include <openssl/err.h>
56
ddd21319 57#include "prov/providercommonerr.h"
af3e7e1b 58#include "prov/implementations.h"
ddd21319
RL
59#include "prov/provider_ctx.h"
60#include "prov/provider_util.h"
e23cda00
RL
61
62/*
63 * Forward declaration of everything implemented here. This is not strictly
64 * necessary for the compiler, but provides an assurance that the signatures
65 * of the functions in the dispatch table are correct.
66 */
67static OSSL_OP_mac_newctx_fn kmac128_new;
68static OSSL_OP_mac_newctx_fn kmac256_new;
69static OSSL_OP_mac_dupctx_fn kmac_dup;
70static OSSL_OP_mac_freectx_fn kmac_free;
71static OSSL_OP_mac_gettable_ctx_params_fn kmac_gettable_ctx_params;
92d9d0ae 72static OSSL_OP_mac_get_ctx_params_fn kmac_get_ctx_params;
e23cda00 73static OSSL_OP_mac_settable_ctx_params_fn kmac_settable_ctx_params;
92d9d0ae 74static OSSL_OP_mac_set_ctx_params_fn kmac_set_ctx_params;
e23cda00
RL
75static OSSL_OP_mac_size_fn kmac_size;
76static OSSL_OP_mac_init_fn kmac_init;
77static OSSL_OP_mac_update_fn kmac_update;
78static OSSL_OP_mac_final_fn kmac_final;
6e624a64
SL
79
80#define KMAC_MAX_BLOCKSIZE ((1600 - 128*2) / 8) /* 168 */
81#define KMAC_MIN_BLOCKSIZE ((1600 - 256*2) / 8) /* 136 */
82
83/* Length encoding will be a 1 byte size + length in bits (2 bytes max) */
84#define KMAC_MAX_ENCODED_HEADER_LEN 3
85
86/*
87 * Custom string max size is chosen such that:
88 * len(encoded_string(custom) + len(kmac_encoded_string) <= KMAC_MIN_BLOCKSIZE
89 * i.e: (KMAC_MAX_CUSTOM + KMAC_MAX_ENCODED_LEN) + 6 <= 136
90 */
91#define KMAC_MAX_CUSTOM 127
92
93/* Maximum size of encoded custom string */
94#define KMAC_MAX_CUSTOM_ENCODED (KMAC_MAX_CUSTOM + KMAC_MAX_ENCODED_HEADER_LEN)
95
96/* Maximum key size in bytes = 2040 / 8 */
97#define KMAC_MAX_KEY 255
98
99/*
100 * Maximum Encoded Key size will be padded to a multiple of the blocksize
101 * i.e KMAC_MAX_KEY + KMAC_MAX_ENCODED_LEN = 258
102 * Padded to a multiple of KMAC_MAX_BLOCKSIZE
103 */
104#define KMAC_MAX_KEY_ENCODED (KMAC_MAX_BLOCKSIZE * 2)
105
106/* Fixed value of encode_string("KMAC") */
107static const unsigned char kmac_string[] = {
108 0x01, 0x20, 0x4B, 0x4D, 0x41, 0x43
109};
110
111
112#define KMAC_FLAG_XOF_MODE 1
113
e23cda00
RL
114struct kmac_data_st {
115 void *provctx;
6e624a64 116 EVP_MD_CTX *ctx;
96d7e273 117 PROV_DIGEST digest;
6e624a64
SL
118 size_t out_len;
119 int key_len;
120 int custom_len;
121 /* If xof_mode = 1 then we use right_encode(0) */
122 int xof_mode;
123 /* key and custom are stored in encoded form */
124 unsigned char key[KMAC_MAX_KEY_ENCODED];
125 unsigned char custom[KMAC_MAX_CUSTOM_ENCODED];
126};
127
128static int encode_string(unsigned char *out, int *out_len,
129 const unsigned char *in, int in_len);
130static int right_encode(unsigned char *out, int *out_len, size_t bits);
131static int bytepad(unsigned char *out, int *out_len,
132 const unsigned char *in1, int in1_len,
133 const unsigned char *in2, int in2_len,
134 int w);
135static int kmac_bytepad_encode_key(unsigned char *out, int *out_len,
136 const unsigned char *in, int in_len,
137 int w);
6e624a64 138
e23cda00 139static void kmac_free(void *vmacctx)
6e624a64 140{
e23cda00
RL
141 struct kmac_data_st *kctx = vmacctx;
142
6e624a64
SL
143 if (kctx != NULL) {
144 EVP_MD_CTX_free(kctx->ctx);
96d7e273 145 ossl_prov_digest_reset(&kctx->digest);
6e624a64
SL
146 OPENSSL_cleanse(kctx->key, kctx->key_len);
147 OPENSSL_cleanse(kctx->custom, kctx->custom_len);
148 OPENSSL_free(kctx);
149 }
150}
151
e23cda00
RL
152/*
153 * We have KMAC implemented as a hash, which we can use instead of
154 * reimplementing the EVP functionality with direct use of
155 * keccak_mac_init() and friends.
156 */
96d7e273 157static struct kmac_data_st *kmac_new(void *provctx)
6e624a64 158{
96d7e273 159 struct kmac_data_st *kctx;
6e624a64
SL
160
161 if ((kctx = OPENSSL_zalloc(sizeof(*kctx))) == NULL
162 || (kctx->ctx = EVP_MD_CTX_new()) == NULL) {
163 kmac_free(kctx);
164 return NULL;
165 }
e23cda00 166 kctx->provctx = provctx;
6e624a64
SL
167 return kctx;
168}
169
96d7e273 170static void *kmac_fetch_new(void *provctx, const OSSL_PARAM *params)
6e624a64 171{
96d7e273
P
172 struct kmac_data_st *kctx = kmac_new(provctx);
173
174 if (kctx == NULL)
175 return 0;
176 if (!ossl_prov_digest_load_from_params(&kctx->digest, params,
f20a59cb
P
177 PROV_LIBRARY_CONTEXT_OF(provctx))) {
178 kmac_free(kctx);
96d7e273 179 return 0;
f20a59cb 180 }
96d7e273
P
181
182 kctx->out_len = EVP_MD_size(ossl_prov_digest_md(&kctx->digest));
183 return kctx;
6e624a64
SL
184}
185
e23cda00 186static void *kmac128_new(void *provctx)
6e624a64 187{
96d7e273
P
188 static const OSSL_PARAM kmac128_params[] = {
189 OSSL_PARAM_utf8_string("digest", OSSL_DIGEST_NAME_KECCAK_KMAC128,
190 sizeof(OSSL_DIGEST_NAME_KECCAK_KMAC128)),
191 OSSL_PARAM_END
192 };
193 return kmac_fetch_new(provctx, kmac128_params);
6e624a64
SL
194}
195
e23cda00 196static void *kmac256_new(void *provctx)
6e624a64 197{
96d7e273
P
198 static const OSSL_PARAM kmac256_params[] = {
199 OSSL_PARAM_utf8_string("digest", OSSL_DIGEST_NAME_KECCAK_KMAC256,
200 sizeof(OSSL_DIGEST_NAME_KECCAK_KMAC256)),
201 OSSL_PARAM_END
202 };
203 return kmac_fetch_new(provctx, kmac256_params);
e23cda00
RL
204}
205
206static void *kmac_dup(void *vsrc)
207{
208 struct kmac_data_st *src = vsrc;
96d7e273 209 struct kmac_data_st *dst = kmac_new(src->provctx);
7ed66e26 210
e23cda00 211 if (dst == NULL)
7ed66e26
KR
212 return NULL;
213
e23cda00 214 if (!EVP_MD_CTX_copy(dst->ctx, src->ctx)
96d7e273 215 || !ossl_prov_digest_copy(&dst->digest, &src->digest)) {
e23cda00 216 kmac_free(dst);
7ed66e26
KR
217 return NULL;
218 }
219
e23cda00
RL
220 dst->out_len = src->out_len;
221 dst->key_len = src->key_len;
222 dst->custom_len = src->custom_len;
223 dst->xof_mode = src->xof_mode;
224 memcpy(dst->key, src->key, src->key_len);
225 memcpy(dst->custom, src->custom, dst->custom_len);
6e624a64 226
e23cda00 227 return dst;
6e624a64
SL
228}
229
230/*
231 * The init() assumes that any ctrl methods are set beforehand for
232 * md, key and custom. Setting the fields afterwards will have no
233 * effect on the output mac.
234 */
e23cda00 235static int kmac_init(void *vmacctx)
6e624a64 236{
e23cda00 237 struct kmac_data_st *kctx = vmacctx;
6e624a64
SL
238 EVP_MD_CTX *ctx = kctx->ctx;
239 unsigned char out[KMAC_MAX_BLOCKSIZE];
240 int out_len, block_len;
241
e23cda00 242
6e624a64
SL
243 /* Check key has been set */
244 if (kctx->key_len == 0) {
245 EVPerr(EVP_F_KMAC_INIT, EVP_R_NO_KEY_SET);
246 return 0;
247 }
96d7e273
P
248 if (!EVP_DigestInit_ex(kctx->ctx, ossl_prov_digest_md(&kctx->digest),
249 NULL))
6e624a64
SL
250 return 0;
251
96d7e273 252 block_len = EVP_MD_block_size(ossl_prov_digest_md(&kctx->digest));
6e624a64
SL
253
254 /* Set default custom string if it is not already set */
e23cda00
RL
255 if (kctx->custom_len == 0) {
256 const OSSL_PARAM params[] = {
257 OSSL_PARAM_octet_string(OSSL_MAC_PARAM_CUSTOM, "", 0),
258 OSSL_PARAM_END
259 };
92d9d0ae 260 (void)kmac_set_ctx_params(kctx, params);
e23cda00 261 }
6e624a64
SL
262
263 return bytepad(out, &out_len, kmac_string, sizeof(kmac_string),
264 kctx->custom, kctx->custom_len, block_len)
265 && EVP_DigestUpdate(ctx, out, out_len)
266 && EVP_DigestUpdate(ctx, kctx->key, kctx->key_len);
267}
268
e23cda00 269static size_t kmac_size(void *vmacctx)
6e624a64 270{
e23cda00
RL
271 struct kmac_data_st *kctx = vmacctx;
272
6e624a64
SL
273 return kctx->out_len;
274}
275
e23cda00 276static int kmac_update(void *vmacctx, const unsigned char *data,
6e624a64
SL
277 size_t datalen)
278{
e23cda00
RL
279 struct kmac_data_st *kctx = vmacctx;
280
6e624a64
SL
281 return EVP_DigestUpdate(kctx->ctx, data, datalen);
282}
283
e23cda00
RL
284static int kmac_final(void *vmacctx, unsigned char *out, size_t *outl,
285 size_t outsize)
6e624a64 286{
e23cda00 287 struct kmac_data_st *kctx = vmacctx;
6e624a64
SL
288 EVP_MD_CTX *ctx = kctx->ctx;
289 int lbits, len;
290 unsigned char encoded_outlen[KMAC_MAX_ENCODED_HEADER_LEN];
e23cda00 291 int ok;
6e624a64
SL
292
293 /* KMAC XOF mode sets the encoded length to 0 */
294 lbits = (kctx->xof_mode ? 0 : (kctx->out_len * 8));
295
e23cda00
RL
296 ok = right_encode(encoded_outlen, &len, lbits)
297 && EVP_DigestUpdate(ctx, encoded_outlen, len)
298 && EVP_DigestFinalXOF(ctx, out, kctx->out_len);
299 if (ok && outl != NULL)
300 *outl = kctx->out_len;
301 return ok;
6e624a64
SL
302}
303
e23cda00 304static const OSSL_PARAM known_gettable_ctx_params[] = {
703170d4 305 OSSL_PARAM_size_t(OSSL_MAC_PARAM_SIZE, NULL),
e23cda00
RL
306 OSSL_PARAM_END
307};
308static const OSSL_PARAM *kmac_gettable_ctx_params(void)
6e624a64 309{
e23cda00 310 return known_gettable_ctx_params;
6e624a64
SL
311}
312
92d9d0ae 313static int kmac_get_ctx_params(void *vmacctx, OSSL_PARAM params[])
6e624a64 314{
e23cda00 315 OSSL_PARAM *p;
6e624a64 316
703170d4 317 if ((p = OSSL_PARAM_locate(params, OSSL_MAC_PARAM_SIZE)) != NULL)
e23cda00 318 return OSSL_PARAM_set_size_t(p, kmac_size(vmacctx));
6e624a64 319
e23cda00 320 return 1;
6e624a64
SL
321}
322
e23cda00
RL
323static const OSSL_PARAM known_settable_ctx_params[] = {
324 OSSL_PARAM_int(OSSL_MAC_PARAM_XOF, NULL),
e23cda00
RL
325 OSSL_PARAM_size_t(OSSL_MAC_PARAM_SIZE, NULL),
326 OSSL_PARAM_octet_string(OSSL_MAC_PARAM_KEY, NULL, 0),
327 OSSL_PARAM_octet_string(OSSL_MAC_PARAM_CUSTOM, NULL, 0),
328 OSSL_PARAM_END
329};
330static const OSSL_PARAM *kmac_settable_ctx_params(void)
6e624a64 331{
e23cda00 332 return known_settable_ctx_params;
6e624a64
SL
333}
334
e23cda00
RL
335/*
336 * The following params can be set any time before final():
337 * - "outlen" or "size": The requested output length.
338 * - "xof": If set, this indicates that right_encoded(0)
339 * is part of the digested data, otherwise it
340 * uses right_encoded(requested output length).
341 *
342 * All other params should be set before init().
343 */
92d9d0ae 344static int kmac_set_ctx_params(void *vmacctx, const OSSL_PARAM *params)
6e624a64 345{
e23cda00
RL
346 struct kmac_data_st *kctx = vmacctx;
347 const OSSL_PARAM *p;
96d7e273 348 const EVP_MD *digest = ossl_prov_digest_md(&kctx->digest);
6e624a64 349
e23cda00
RL
350 if ((p = OSSL_PARAM_locate_const(params, OSSL_MAC_PARAM_XOF)) != NULL
351 && !OSSL_PARAM_get_int(p, &kctx->xof_mode))
352 return 0;
703170d4 353 if (((p = OSSL_PARAM_locate_const(params, OSSL_MAC_PARAM_SIZE)) != NULL)
e23cda00
RL
354 && !OSSL_PARAM_get_size_t(p, &kctx->out_len))
355 return 0;
356 if ((p = OSSL_PARAM_locate_const(params, OSSL_MAC_PARAM_KEY)) != NULL) {
357 if (p->data_size < 4 || p->data_size > KMAC_MAX_KEY) {
358 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
359 return 0;
360 }
361 if (!kmac_bytepad_encode_key(kctx->key, &kctx->key_len,
362 p->data, p->data_size,
96d7e273 363 EVP_MD_block_size(digest)))
e23cda00
RL
364 return 0;
365 }
366 if ((p = OSSL_PARAM_locate_const(params, OSSL_MAC_PARAM_CUSTOM))
367 != NULL) {
368 if (p->data_size > KMAC_MAX_CUSTOM) {
369 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CUSTOM_LENGTH);
370 return 0;
371 }
372 if (!encode_string(kctx->custom, &kctx->custom_len,
373 p->data, p->data_size))
374 return 0;
375 }
376 return 1;
6e624a64
SL
377}
378
379/*
380 * Encoding/Padding Methods.
381 */
382
383/* Returns the number of bytes required to store 'bits' into a byte array */
384static unsigned int get_encode_size(size_t bits)
385{
386 unsigned int cnt = 0, sz = sizeof(size_t);
387
388 while (bits && (cnt < sz)) {
389 ++cnt;
390 bits >>= 8;
391 }
392 /* If bits is zero 1 byte is required */
393 if (cnt == 0)
394 cnt = 1;
395 return cnt;
396}
397
398/*
399 * Convert an integer into bytes . The number of bytes is appended
400 * to the end of the buffer. Returns an array of bytes 'out' of size
401 * *out_len.
402 *
403 * e.g if bits = 32, out[2] = { 0x20, 0x01 }
404 *
405 */
406static int right_encode(unsigned char *out, int *out_len, size_t bits)
407{
408 unsigned int len = get_encode_size(bits);
409 int i;
410
411 /* The length is constrained to a single byte: 2040/8 = 255 */
412 if (len > 0xFF)
413 return 0;
414
415 /* MSB's are at the start of the bytes array */
416 for (i = len - 1; i >= 0; --i) {
417 out[i] = (unsigned char)(bits & 0xFF);
418 bits >>= 8;
419 }
420 /* Tack the length onto the end */
421 out[len] = (unsigned char)len;
422
423 /* The Returned length includes the tacked on byte */
424 *out_len = len + 1;
425 return 1;
426}
427
428/*
429 * Encodes a string with a left encoded length added. Note that the
430 * in_len is converted to bits (*8).
431 *
432 * e.g- in="KMAC" gives out[6] = { 0x01, 0x20, 0x4B, 0x4D, 0x41, 0x43 }
433 * len bits K M A C
434 */
435static int encode_string(unsigned char *out, int *out_len,
436 const unsigned char *in, int in_len)
437{
438 if (in == NULL) {
439 *out_len = 0;
440 } else {
441 int i, bits, len;
442
443 bits = 8 * in_len;
444 len = get_encode_size(bits);
445 if (len > 0xFF)
446 return 0;
447
448 out[0] = len;
449 for (i = len; i > 0; --i) {
450 out[i] = (bits & 0xFF);
451 bits >>= 8;
452 }
453 memcpy(out + len + 1, in, in_len);
454 *out_len = (1 + len + in_len);
455 }
456 return 1;
457}
458
459/*
460 * Returns a zero padded encoding of the inputs in1 and an optional
461 * in2 (can be NULL). The padded output must be a multiple of the blocksize 'w'.
462 * The value of w is in bytes (< 256).
463 *
464 * The returned output is:
465 * zero_padded(multiple of w, (left_encode(w) || in1 [|| in2])
466 */
467static int bytepad(unsigned char *out, int *out_len,
468 const unsigned char *in1, int in1_len,
469 const unsigned char *in2, int in2_len, int w)
470{
471 int len;
472 unsigned char *p = out;
473 int sz = w;
474
475 /* Left encoded w */
476 *p++ = 1;
477 *p++ = w;
478 /* || in1 */
479 memcpy(p, in1, in1_len);
480 p += in1_len;
481 /* [ || in2 ] */
482 if (in2 != NULL && in2_len > 0) {
483 memcpy(p, in2, in2_len);
484 p += in2_len;
485 }
486 /* Figure out the pad size (divisible by w) */
487 len = p - out;
488 while (len > sz) {
489 sz += w;
490 }
491 /* zero pad the end of the buffer */
492 memset(p, 0, sz - len);
493 *out_len = sz;
494 return 1;
495}
496
497/*
498 * Returns out = bytepad(encode_string(in), w)
499 */
500static int kmac_bytepad_encode_key(unsigned char *out, int *out_len,
501 const unsigned char *in, int in_len,
502 int w)
503{
504 unsigned char tmp[KMAC_MAX_KEY + KMAC_MAX_ENCODED_HEADER_LEN];
505 int tmp_len;
506
507 if (!encode_string(tmp, &tmp_len, in, in_len))
508 return 0;
509
510 return bytepad(out, out_len, tmp, tmp_len, NULL, 0, w);
511}
512
e23cda00
RL
513const OSSL_DISPATCH kmac128_functions[] = {
514 { OSSL_FUNC_MAC_NEWCTX, (void (*)(void))kmac128_new },
515 { OSSL_FUNC_MAC_DUPCTX, (void (*)(void))kmac_dup },
516 { OSSL_FUNC_MAC_FREECTX, (void (*)(void))kmac_free },
517 { OSSL_FUNC_MAC_INIT, (void (*)(void))kmac_init },
518 { OSSL_FUNC_MAC_UPDATE, (void (*)(void))kmac_update },
519 { OSSL_FUNC_MAC_FINAL, (void (*)(void))kmac_final },
520 { OSSL_FUNC_MAC_GETTABLE_CTX_PARAMS,
521 (void (*)(void))kmac_gettable_ctx_params },
92d9d0ae 522 { OSSL_FUNC_MAC_GET_CTX_PARAMS, (void (*)(void))kmac_get_ctx_params },
e23cda00
RL
523 { OSSL_FUNC_MAC_SETTABLE_CTX_PARAMS,
524 (void (*)(void))kmac_settable_ctx_params },
92d9d0ae 525 { OSSL_FUNC_MAC_SET_CTX_PARAMS, (void (*)(void))kmac_set_ctx_params },
e23cda00 526 { 0, NULL }
6e624a64
SL
527};
528
e23cda00
RL
529const OSSL_DISPATCH kmac256_functions[] = {
530 { OSSL_FUNC_MAC_NEWCTX, (void (*)(void))kmac256_new },
531 { OSSL_FUNC_MAC_DUPCTX, (void (*)(void))kmac_dup },
532 { OSSL_FUNC_MAC_FREECTX, (void (*)(void))kmac_free },
533 { OSSL_FUNC_MAC_INIT, (void (*)(void))kmac_init },
534 { OSSL_FUNC_MAC_UPDATE, (void (*)(void))kmac_update },
535 { OSSL_FUNC_MAC_FINAL, (void (*)(void))kmac_final },
536 { OSSL_FUNC_MAC_GETTABLE_CTX_PARAMS,
537 (void (*)(void))kmac_gettable_ctx_params },
92d9d0ae 538 { OSSL_FUNC_MAC_GET_CTX_PARAMS, (void (*)(void))kmac_get_ctx_params },
e23cda00
RL
539 { OSSL_FUNC_MAC_SETTABLE_CTX_PARAMS,
540 (void (*)(void))kmac_settable_ctx_params },
92d9d0ae 541 { OSSL_FUNC_MAC_SET_CTX_PARAMS, (void (*)(void))kmac_set_ctx_params },
e23cda00 542 { 0, NULL }
6e624a64 543};