[thirdparty/openssl.git] / crypto / evp / m_sha3.c

/*
 * Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include <stdio.h>
#include <string.h>

#include <openssl/evp.h>
#include <openssl/objects.h>
#include "crypto/evp.h"
#include "internal/sha3.h"
#include "evp_locl.h"

static int init(EVP_MD_CTX *ctx)
{
    return sha3_init(EVP_MD_CTX_md_data(ctx), '\x06', ctx->digest->md_size * 8);
}

static int update(EVP_MD_CTX *ctx, const void *_inp, size_t len)
{
    return sha3_update(EVP_MD_CTX_md_data(ctx), _inp, len);
}

static int final(EVP_MD_CTX *ctx, unsigned char *md)
{
    return sha3_final(md, EVP_MD_CTX_md_data(ctx));
}

static int shake_init(EVP_MD_CTX *ctx)
{
    return sha3_init(EVP_MD_CTX_md_data(ctx), '\x1f', ctx->digest->md_size * 8);
}

static int shake_ctrl(EVP_MD_CTX *evp_ctx, int cmd, int p1, void *p2)
{
    KECCAK1600_CTX *ctx = evp_ctx->md_data;

    switch (cmd) {
    case EVP_MD_CTRL_XOF_LEN:
        ctx->md_size = p1;
        return 1;
    default:
        return 0;
    }
}

#if defined(OPENSSL_CPUID_OBJ) && defined(__s390__) && defined(KECCAK1600_ASM)
/*
 * IBM S390X support
 */
# include "s390x_arch.h"

# define S390X_SHA3_FC(ctx)     ((ctx)->pad)

# define S390X_sha3_224_CAPABLE ((OPENSSL_s390xcap_P.kimd[0] &      \
                                  S390X_CAPBIT(S390X_SHA3_224)) &&  \
                                 (OPENSSL_s390xcap_P.klmd[0] &      \
                                  S390X_CAPBIT(S390X_SHA3_224)))
# define S390X_sha3_256_CAPABLE ((OPENSSL_s390xcap_P.kimd[0] &      \
                                  S390X_CAPBIT(S390X_SHA3_256)) &&  \
                                 (OPENSSL_s390xcap_P.klmd[0] &      \
                                  S390X_CAPBIT(S390X_SHA3_256)))
# define S390X_sha3_384_CAPABLE ((OPENSSL_s390xcap_P.kimd[0] &      \
                                  S390X_CAPBIT(S390X_SHA3_384)) &&  \
                                 (OPENSSL_s390xcap_P.klmd[0] &      \
                                  S390X_CAPBIT(S390X_SHA3_384)))
# define S390X_sha3_512_CAPABLE ((OPENSSL_s390xcap_P.kimd[0] &      \
                                  S390X_CAPBIT(S390X_SHA3_512)) &&  \
                                 (OPENSSL_s390xcap_P.klmd[0] &      \
                                  S390X_CAPBIT(S390X_SHA3_512)))
# define S390X_shake128_CAPABLE ((OPENSSL_s390xcap_P.kimd[0] &      \
                                  S390X_CAPBIT(S390X_SHAKE_128)) && \
                                 (OPENSSL_s390xcap_P.klmd[0] &      \
                                  S390X_CAPBIT(S390X_SHAKE_128)))
# define S390X_shake256_CAPABLE ((OPENSSL_s390xcap_P.kimd[0] &      \
                                  S390X_CAPBIT(S390X_SHAKE_256)) && \
                                 (OPENSSL_s390xcap_P.klmd[0] &      \
                                  S390X_CAPBIT(S390X_SHAKE_256)))

/* Convert md-size to block-size. */
# define S390X_KECCAK1600_BSZ(n) ((KECCAK1600_WIDTH - ((n) << 1)) >> 3)

static int s390x_sha3_init(EVP_MD_CTX *evp_ctx)
{
    KECCAK1600_CTX *ctx = evp_ctx->md_data;
    const size_t bsz = evp_ctx->digest->block_size;

    /*-
     * KECCAK1600_CTX structure's pad field is used to store the KIMD/KLMD
     * function code.
     */
    switch (bsz) {
    case S390X_KECCAK1600_BSZ(224):
        ctx->pad = S390X_SHA3_224;
        break;
    case S390X_KECCAK1600_BSZ(256):
        ctx->pad = S390X_SHA3_256;
        break;
    case S390X_KECCAK1600_BSZ(384):
        ctx->pad = S390X_SHA3_384;
        break;
    case S390X_KECCAK1600_BSZ(512):
        ctx->pad = S390X_SHA3_512;
        break;
    default:
        return 0;
    }

    memset(ctx->A, 0, sizeof(ctx->A));
    ctx->bufsz = 0;
    ctx->block_size = bsz;
    ctx->md_size = evp_ctx->digest->md_size;
    return 1;
}

static int s390x_shake_init(EVP_MD_CTX *evp_ctx)
{
    KECCAK1600_CTX *ctx = evp_ctx->md_data;
    const size_t bsz = evp_ctx->digest->block_size;

    /*-
     * KECCAK1600_CTX structure's pad field is used to store the KIMD/KLMD
     * function code.
     */
    switch (bsz) {
    case S390X_KECCAK1600_BSZ(128):
        ctx->pad = S390X_SHAKE_128;
        break;
    case S390X_KECCAK1600_BSZ(256):
        ctx->pad = S390X_SHAKE_256;
        break;
    default:
        return 0;
    }

    memset(ctx->A, 0, sizeof(ctx->A));
    ctx->bufsz = 0;
    ctx->block_size = bsz;
    ctx->md_size = evp_ctx->digest->md_size;
    return 1;
}

static int s390x_sha3_update(EVP_MD_CTX *evp_ctx, const void *_inp, size_t len)
{
    KECCAK1600_CTX *ctx = evp_ctx->md_data;
    const unsigned char *inp = _inp;
    const size_t bsz = ctx->block_size;
    size_t num, rem;

    if (len == 0)
        return 1;

    if ((num = ctx->bufsz) != 0) {
        rem = bsz - num;

        if (len < rem) {
            memcpy(ctx->buf + num, inp, len);
            ctx->bufsz += len;
            return 1;
        }
        memcpy(ctx->buf + num, inp, rem);
        inp += rem;
        len -= rem;
        s390x_kimd(ctx->buf, bsz, ctx->pad, ctx->A);
        ctx->bufsz = 0;
    }
    rem = len % bsz;

    s390x_kimd(inp, len - rem, ctx->pad, ctx->A);

    if (rem) {
        memcpy(ctx->buf, inp + len - rem, rem);
        ctx->bufsz = rem;
    }
    return 1;
}

static int s390x_sha3_final(EVP_MD_CTX *evp_ctx, unsigned char *md)
{
    KECCAK1600_CTX *ctx = evp_ctx->md_data;

    s390x_klmd(ctx->buf, ctx->bufsz, NULL, 0, ctx->pad, ctx->A);
    memcpy(md, ctx->A, ctx->md_size);
    return 1;
}

static int s390x_shake_final(EVP_MD_CTX *evp_ctx, unsigned char *md)
{
    KECCAK1600_CTX *ctx = evp_ctx->md_data;

    s390x_klmd(ctx->buf, ctx->bufsz, md, ctx->md_size, ctx->pad, ctx->A);
    return 1;
}

# define EVP_MD_SHA3(bitlen)                         \
const EVP_MD *EVP_sha3_##bitlen(void)                \
{                                                    \
    static const EVP_MD s390x_sha3_##bitlen##_md = { \
        NID_sha3_##bitlen,                           \
        NID_RSA_SHA3_##bitlen,                       \
        bitlen / 8,                                  \
        EVP_MD_FLAG_DIGALGID_ABSENT,                 \
        s390x_sha3_init,                             \
        s390x_sha3_update,                           \
        s390x_sha3_final,                            \
        NULL,                                        \
        NULL,                                        \
        (KECCAK1600_WIDTH - bitlen * 2) / 8,         \
        sizeof(KECCAK1600_CTX),                      \
    };                                               \
    static const EVP_MD sha3_##bitlen##_md = {       \
        NID_sha3_##bitlen,                           \
        NID_RSA_SHA3_##bitlen,                       \
        bitlen / 8,                                  \
        EVP_MD_FLAG_DIGALGID_ABSENT,                 \
        init,                                        \
        update,                                      \
        final,                                       \
        NULL,                                        \
        NULL,                                        \
        (KECCAK1600_WIDTH - bitlen * 2) / 8,         \
        sizeof(KECCAK1600_CTX),                      \
    };                                               \
    return S390X_sha3_##bitlen##_CAPABLE ?           \
           &s390x_sha3_##bitlen##_md :               \
           &sha3_##bitlen##_md;                      \
}

# define EVP_MD_SHAKE(bitlen)                        \
const EVP_MD *EVP_shake##bitlen(void)                \
{                                                    \
    static const EVP_MD s390x_shake##bitlen##_md = { \
        NID_shake##bitlen,                           \
        0,                                           \
        bitlen / 8,                                  \
        EVP_MD_FLAG_XOF,                             \
        s390x_shake_init,                            \
        s390x_sha3_update,                           \
        s390x_shake_final,                           \
        NULL,                                        \
        NULL,                                        \
        (KECCAK1600_WIDTH - bitlen * 2) / 8,         \
        sizeof(KECCAK1600_CTX),                      \
        shake_ctrl                                   \
    };                                               \
    static const EVP_MD shake##bitlen##_md = {       \
        NID_shake##bitlen,                           \
        0,                                           \
        bitlen / 8,                                  \
        EVP_MD_FLAG_XOF,                             \
        shake_init,                                  \
        update,                                      \
        final,                                       \
        NULL,                                        \
        NULL,                                        \
        (KECCAK1600_WIDTH - bitlen * 2) / 8,         \
        sizeof(KECCAK1600_CTX),                      \
        shake_ctrl                                   \
    };                                               \
    return S390X_shake##bitlen##_CAPABLE ?           \
           &s390x_shake##bitlen##_md :               \
           &shake##bitlen##_md;                      \
}

#else

# define EVP_MD_SHA3(bitlen)                    \
const EVP_MD *EVP_sha3_##bitlen(void)           \
{                                               \
    static const EVP_MD sha3_##bitlen##_md = {  \
        NID_sha3_##bitlen,                      \
        NID_RSA_SHA3_##bitlen,                  \
        bitlen / 8,                             \
        EVP_MD_FLAG_DIGALGID_ABSENT,            \
        init,                                   \
        update,                                 \
        final,                                  \
        NULL,                                   \
        NULL,                                   \
        (KECCAK1600_WIDTH - bitlen * 2) / 8,    \
        sizeof(KECCAK1600_CTX),                 \
    };                                          \
    return &sha3_##bitlen##_md;                 \
}

# define EVP_MD_SHAKE(bitlen)                   \
const EVP_MD *EVP_shake##bitlen(void)           \
{                                               \
    static const EVP_MD shake##bitlen##_md = {  \
        NID_shake##bitlen,                      \
        0,                                      \
        bitlen / 8,                             \
        EVP_MD_FLAG_XOF,                        \
        shake_init,                             \
        update,                                 \
        final,                                  \
        NULL,                                   \
        NULL,                                   \
        (KECCAK1600_WIDTH - bitlen * 2) / 8,    \
        sizeof(KECCAK1600_CTX),                 \
        shake_ctrl                              \
    };                                          \
    return &shake##bitlen##_md;                 \
}

#endif

EVP_MD_SHA3(224)
EVP_MD_SHA3(256)
EVP_MD_SHA3(384)
EVP_MD_SHA3(512)

EVP_MD_SHAKE(128)
EVP_MD_SHAKE(256)
Commit	Line	Data
91ce87c0	1	/*
1212818e	2	* Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
91ce87c0	3	*
4a8b0c55	4	* Licensed under the Apache License 2.0 (the "License"). You may not use
91ce87c0 AP	5	* this file except in compliance with the License. You can obtain a copy
	6	* in the file LICENSE in the source distribution or at
	7	* https://www.openssl.org/source/license.html
	8	*/
	9
	10	#include <stdio.h>
	11	#include <string.h>
	12
	13	#include <openssl/evp.h>
	14	#include <openssl/objects.h>
25f2138b	15	#include "crypto/evp.h"
d5e5e2ff	16	#include "internal/sha3.h"
91ce87c0 AP	17	#include "evp_locl.h"
91ce87c0 AP	18
d5e5e2ff	19	static int init(EVP_MD_CTX *ctx)
91ce87c0	20	{
d5e5e2ff	21	return sha3_init(EVP_MD_CTX_md_data(ctx), '\x06', ctx->digest->md_size * 8);
91ce87c0 AP	22	}
91ce87c0 AP	23
d5e5e2ff	24	static int update(EVP_MD_CTX ctx, const void _inp, size_t len)
91ce87c0	25	{
d5e5e2ff	26	return sha3_update(EVP_MD_CTX_md_data(ctx), _inp, len);
91ce87c0 AP	27	}
91ce87c0 AP	28
d5e5e2ff	29	static int final(EVP_MD_CTX ctx, unsigned char md)
91ce87c0	30	{
d5e5e2ff	31	return sha3_final(md, EVP_MD_CTX_md_data(ctx));
91ce87c0 AP	32	}
91ce87c0 AP	33
d5e5e2ff	34	static int shake_init(EVP_MD_CTX *ctx)
6e624a64	35	{
d5e5e2ff	36	return sha3_init(EVP_MD_CTX_md_data(ctx), '\x1f', ctx->digest->md_size * 8);
91ce87c0 AP	37	}
91ce87c0 AP	38
bbde4740 AP	39	static int shake_ctrl(EVP_MD_CTX evp_ctx, int cmd, int p1, void p2)
	40	{
	41	KECCAK1600_CTX *ctx = evp_ctx->md_data;
	42
	43	switch (cmd) {
	44	case EVP_MD_CTRL_XOF_LEN:
	45	ctx->md_size = p1;
	46	return 1;
	47	default:
	48	return 0;
	49	}
	50	}
	51
f38edcab PS	52	#if defined(OPENSSL_CPUID_OBJ) && defined(__s390__) && defined(KECCAK1600_ASM)
	53	/*
	54	* IBM S390X support
	55	*/
	56	# include "s390x_arch.h"
	57
	58	# define S390X_SHA3_FC(ctx) ((ctx)->pad)
	59
	60	# define S390X_sha3_224_CAPABLE ((OPENSSL_s390xcap_P.kimd[0] & \
	61	S390X_CAPBIT(S390X_SHA3_224)) && \
	62	(OPENSSL_s390xcap_P.klmd[0] & \
	63	S390X_CAPBIT(S390X_SHA3_224)))
	64	# define S390X_sha3_256_CAPABLE ((OPENSSL_s390xcap_P.kimd[0] & \
	65	S390X_CAPBIT(S390X_SHA3_256)) && \
	66	(OPENSSL_s390xcap_P.klmd[0] & \
	67	S390X_CAPBIT(S390X_SHA3_256)))
	68	# define S390X_sha3_384_CAPABLE ((OPENSSL_s390xcap_P.kimd[0] & \
	69	S390X_CAPBIT(S390X_SHA3_384)) && \
	70	(OPENSSL_s390xcap_P.klmd[0] & \
	71	S390X_CAPBIT(S390X_SHA3_384)))
	72	# define S390X_sha3_512_CAPABLE ((OPENSSL_s390xcap_P.kimd[0] & \
	73	S390X_CAPBIT(S390X_SHA3_512)) && \
	74	(OPENSSL_s390xcap_P.klmd[0] & \
	75	S390X_CAPBIT(S390X_SHA3_512)))
	76	# define S390X_shake128_CAPABLE ((OPENSSL_s390xcap_P.kimd[0] & \
	77	S390X_CAPBIT(S390X_SHAKE_128)) && \
	78	(OPENSSL_s390xcap_P.klmd[0] & \
	79	S390X_CAPBIT(S390X_SHAKE_128)))
	80	# define S390X_shake256_CAPABLE ((OPENSSL_s390xcap_P.kimd[0] & \
	81	S390X_CAPBIT(S390X_SHAKE_256)) && \
	82	(OPENSSL_s390xcap_P.klmd[0] & \
	83	S390X_CAPBIT(S390X_SHAKE_256)))
	84
	85	/* Convert md-size to block-size. */
	86	# define S390X_KECCAK1600_BSZ(n) ((KECCAK1600_WIDTH - ((n) << 1)) >> 3)
	87
	88	static int s390x_sha3_init(EVP_MD_CTX *evp_ctx)
	89	{
	90	KECCAK1600_CTX *ctx = evp_ctx->md_data;
	91	const size_t bsz = evp_ctx->digest->block_size;
	92
	93	/*-
	94	* KECCAK1600_CTX structure's pad field is used to store the KIMD/KLMD
	95	* function code.
	96	*/
	97	switch (bsz) {
	98	case S390X_KECCAK1600_BSZ(224):
	99	ctx->pad = S390X_SHA3_224;
	100	break;
	101	case S390X_KECCAK1600_BSZ(256):
	102	ctx->pad = S390X_SHA3_256;
	103	break;
	104	case S390X_KECCAK1600_BSZ(384):
	105	ctx->pad = S390X_SHA3_384;
	106	break;
	107	case S390X_KECCAK1600_BSZ(512):
	108	ctx->pad = S390X_SHA3_512;
	109	break;
	110	default:
	111	return 0;
	112	}
	113
	114	memset(ctx->A, 0, sizeof(ctx->A));
3d700c3f	115	ctx->bufsz = 0;
f38edcab PS	116	ctx->block_size = bsz;
	117	ctx->md_size = evp_ctx->digest->md_size;
	118	return 1;
	119	}
	120
	121	static int s390x_shake_init(EVP_MD_CTX *evp_ctx)
	122	{
	123	KECCAK1600_CTX *ctx = evp_ctx->md_data;
	124	const size_t bsz = evp_ctx->digest->block_size;
	125
	126	/*-
	127	* KECCAK1600_CTX structure's pad field is used to store the KIMD/KLMD
	128	* function code.
	129	*/
	130	switch (bsz) {
	131	case S390X_KECCAK1600_BSZ(128):
	132	ctx->pad = S390X_SHAKE_128;
	133	break;
	134	case S390X_KECCAK1600_BSZ(256):
	135	ctx->pad = S390X_SHAKE_256;
	136	break;
	137	default:
	138	return 0;
	139	}
	140
	141	memset(ctx->A, 0, sizeof(ctx->A));
3d700c3f	142	ctx->bufsz = 0;
f38edcab PS	143	ctx->block_size = bsz;
	144	ctx->md_size = evp_ctx->digest->md_size;
	145	return 1;
	146	}
	147
	148	static int s390x_sha3_update(EVP_MD_CTX evp_ctx, const void _inp, size_t len)
	149	{
	150	KECCAK1600_CTX *ctx = evp_ctx->md_data;
	151	const unsigned char *inp = _inp;
	152	const size_t bsz = ctx->block_size;
	153	size_t num, rem;
	154
	155	if (len == 0)
	156	return 1;
	157
3d700c3f	158	if ((num = ctx->bufsz) != 0) {
f38edcab PS	159	rem = bsz - num;
	160
	161	if (len < rem) {
	162	memcpy(ctx->buf + num, inp, len);
3d700c3f	163	ctx->bufsz += len;
f38edcab PS	164	return 1;
	165	}
	166	memcpy(ctx->buf + num, inp, rem);
	167	inp += rem;
	168	len -= rem;
	169	s390x_kimd(ctx->buf, bsz, ctx->pad, ctx->A);
3d700c3f	170	ctx->bufsz = 0;
f38edcab PS	171	}
	172	rem = len % bsz;
	173
	174	s390x_kimd(inp, len - rem, ctx->pad, ctx->A);
	175
	176	if (rem) {
	177	memcpy(ctx->buf, inp + len - rem, rem);
3d700c3f	178	ctx->bufsz = rem;
f38edcab PS	179	}
	180	return 1;
	181	}
	182
	183	static int s390x_sha3_final(EVP_MD_CTX evp_ctx, unsigned char md)
	184	{
	185	KECCAK1600_CTX *ctx = evp_ctx->md_data;
	186
3d700c3f	187	s390x_klmd(ctx->buf, ctx->bufsz, NULL, 0, ctx->pad, ctx->A);
f38edcab PS	188	memcpy(md, ctx->A, ctx->md_size);
	189	return 1;
	190	}
	191
	192	static int s390x_shake_final(EVP_MD_CTX evp_ctx, unsigned char md)
	193	{
	194	KECCAK1600_CTX *ctx = evp_ctx->md_data;
	195
3d700c3f	196	s390x_klmd(ctx->buf, ctx->bufsz, md, ctx->md_size, ctx->pad, ctx->A);
f38edcab PS	197	return 1;
	198	}
	199
	200	# define EVP_MD_SHA3(bitlen) \
	201	const EVP_MD *EVP_sha3_##bitlen(void) \
	202	{ \
	203	static const EVP_MD s390x_sha3_##bitlen##_md = { \
	204	NID_sha3_##bitlen, \
	205	NID_RSA_SHA3_##bitlen, \
	206	bitlen / 8, \
	207	EVP_MD_FLAG_DIGALGID_ABSENT, \
	208	s390x_sha3_init, \
	209	s390x_sha3_update, \
	210	s390x_sha3_final, \
	211	NULL, \
	212	NULL, \
	213	(KECCAK1600_WIDTH - bitlen * 2) / 8, \
	214	sizeof(KECCAK1600_CTX), \
	215	}; \
	216	static const EVP_MD sha3_##bitlen##_md = { \
	217	NID_sha3_##bitlen, \
	218	NID_RSA_SHA3_##bitlen, \
	219	bitlen / 8, \
	220	EVP_MD_FLAG_DIGALGID_ABSENT, \
d5e5e2ff SL	221	init, \
	222	update, \
	223	final, \
f38edcab PS	224	NULL, \
	225	NULL, \
	226	(KECCAK1600_WIDTH - bitlen * 2) / 8, \
	227	sizeof(KECCAK1600_CTX), \
	228	}; \
	229	return S390X_sha3_##bitlen##_CAPABLE ? \
	230	&s390x_sha3_##bitlen##_md : \
	231	&sha3_##bitlen##_md; \
	232	}
	233
	234	# define EVP_MD_SHAKE(bitlen) \
	235	const EVP_MD *EVP_shake##bitlen(void) \
	236	{ \
	237	static const EVP_MD s390x_shake##bitlen##_md = { \
	238	NID_shake##bitlen, \
	239	0, \
	240	bitlen / 8, \
	241	EVP_MD_FLAG_XOF, \
	242	s390x_shake_init, \
	243	s390x_sha3_update, \
	244	s390x_shake_final, \
	245	NULL, \
	246	NULL, \
	247	(KECCAK1600_WIDTH - bitlen * 2) / 8, \
	248	sizeof(KECCAK1600_CTX), \
	249	shake_ctrl \
	250	}; \
	251	static const EVP_MD shake##bitlen##_md = { \
	252	NID_shake##bitlen, \
	253	0, \
	254	bitlen / 8, \
	255	EVP_MD_FLAG_XOF, \
	256	shake_init, \
d5e5e2ff SL	257	update, \
d5e5e2ff SL	258	final, \
f38edcab PS	259	NULL, \
	260	NULL, \
	261	(KECCAK1600_WIDTH - bitlen * 2) / 8, \
	262	sizeof(KECCAK1600_CTX), \
	263	shake_ctrl \
	264	}; \
	265	return S390X_shake##bitlen##_CAPABLE ? \
	266	&s390x_shake##bitlen##_md : \
	267	&shake##bitlen##_md; \
	268	}
	269
	270	#else
	271
	272	# define EVP_MD_SHA3(bitlen) \
91ce87c0 AP	273	const EVP_MD *EVP_sha3_##bitlen(void) \
	274	{ \
	275	static const EVP_MD sha3_##bitlen##_md = { \
	276	NID_sha3_##bitlen, \
c1ea7477	277	NID_RSA_SHA3_##bitlen, \
91ce87c0	278	bitlen / 8, \
c1ea7477	279	EVP_MD_FLAG_DIGALGID_ABSENT, \
d5e5e2ff SL	280	init, \
	281	update, \
	282	final, \
91ce87c0 AP	283	NULL, \
	284	NULL, \
	285	(KECCAK1600_WIDTH - bitlen * 2) / 8, \
	286	sizeof(KECCAK1600_CTX), \
	287	}; \
	288	return &sha3_##bitlen##_md; \
	289	}
	290
f38edcab	291	# define EVP_MD_SHAKE(bitlen) \
91ce87c0 AP	292	const EVP_MD *EVP_shake##bitlen(void) \
	293	{ \
	294	static const EVP_MD shake##bitlen##_md = { \
	295	NID_shake##bitlen, \
	296	0, \
bbde4740 AP	297	bitlen / 8, \
bbde4740 AP	298	EVP_MD_FLAG_XOF, \
91ce87c0	299	shake_init, \
d5e5e2ff SL	300	update, \
d5e5e2ff SL	301	final, \
91ce87c0 AP	302	NULL, \
	303	NULL, \
	304	(KECCAK1600_WIDTH - bitlen * 2) / 8, \
	305	sizeof(KECCAK1600_CTX), \
bbde4740	306	shake_ctrl \
91ce87c0 AP	307	}; \
	308	return &shake##bitlen##_md; \
	309	}
6e624a64	310
f38edcab PS	311	#endif
	312
	313	EVP_MD_SHA3(224)
	314	EVP_MD_SHA3(256)
	315	EVP_MD_SHA3(384)
	316	EVP_MD_SHA3(512)
91ce87c0 AP	317
	318	EVP_MD_SHAKE(128)
	319	EVP_MD_SHAKE(256)