2 * Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 * See SP800-185 "Appendix A - KMAC, .... in Terms of Keccak[c]"
14 * K = Key (len(K) < 2^2040 bits)
16 * L = Output length (0 <= L < 2^2040 bits)
17 * S = Customization String Default="" (len(S) < 2^2040 bits)
21 * newX = bytepad(encode_string(K), 168) || X || right_encode(L).
22 * T = bytepad(encode_string("KMAC") || encode_string(S), 168).
23 * return KECCAK[256](T || newX || 00, L).
28 * newX = bytepad(encode_string(K), 136) || X || right_encode(L).
29 * T = bytepad(encode_string("KMAC") || encode_string(S), 136).
30 * return KECCAK[512](T || newX || 00, L).
33 * KMAC128XOF(K, X, L, S)
35 * newX = bytepad(encode_string(K), 168) || X || right_encode(0).
36 * T = bytepad(encode_string("KMAC") || encode_string(S), 168).
37 * return KECCAK[256](T || newX || 00, L).
40 * KMAC256XOF(K, X, L, S)
42 * newX = bytepad(encode_string(K), 136) || X || right_encode(0).
43 * T = bytepad(encode_string("KMAC") || encode_string(S), 136).
44 * return KECCAK[512](T || newX || 00, L).
51 #include <openssl/core_dispatch.h>
52 #include <openssl/core_names.h>
53 #include <openssl/params.h>
54 #include <openssl/evp.h>
55 #include <openssl/err.h>
56 #include <openssl/proverr.h>
58 #include "prov/implementations.h"
59 #include "prov/provider_ctx.h"
60 #include "prov/provider_util.h"
61 #include "prov/providercommon.h"
62 #include "internal/cryptlib.h" /* ossl_assert */
65 * Forward declaration of everything implemented here. This is not strictly
66 * necessary for the compiler, but provides an assurance that the signatures
67 * of the functions in the dispatch table are correct.
69 static OSSL_FUNC_mac_newctx_fn kmac128_new
;
70 static OSSL_FUNC_mac_newctx_fn kmac256_new
;
71 static OSSL_FUNC_mac_dupctx_fn kmac_dup
;
72 static OSSL_FUNC_mac_freectx_fn kmac_free
;
73 static OSSL_FUNC_mac_gettable_ctx_params_fn kmac_gettable_ctx_params
;
74 static OSSL_FUNC_mac_get_ctx_params_fn kmac_get_ctx_params
;
75 static OSSL_FUNC_mac_settable_ctx_params_fn kmac_settable_ctx_params
;
76 static OSSL_FUNC_mac_set_ctx_params_fn kmac_set_ctx_params
;
77 static OSSL_FUNC_mac_init_fn kmac_init
;
78 static OSSL_FUNC_mac_update_fn kmac_update
;
79 static OSSL_FUNC_mac_final_fn kmac_final
;
81 #define KMAC_MAX_BLOCKSIZE ((1600 - 128 * 2) / 8) /* 168 */
84 * Length encoding will be a 1 byte size + length in bits (3 bytes max)
85 * This gives a range of 0..0XFFFFFF bits = 2097151 bytes).
87 #define KMAC_MAX_OUTPUT_LEN (0xFFFFFF / 8)
88 #define KMAC_MAX_ENCODED_HEADER_LEN (1 + 3)
91 * Restrict the maximum length of the customisation string. This must not
92 * exceed 64 bits = 8k bytes.
94 #define KMAC_MAX_CUSTOM 256
96 /* Maximum size of encoded custom string */
97 #define KMAC_MAX_CUSTOM_ENCODED (KMAC_MAX_CUSTOM + KMAC_MAX_ENCODED_HEADER_LEN)
99 /* Maximum key size in bytes = 256 (2048 bits) */
100 #define KMAC_MAX_KEY 256
101 #define KMAC_MIN_KEY 4
104 * Maximum Encoded Key size will be padded to a multiple of the blocksize
105 * i.e KMAC_MAX_KEY + KMAC_MAX_ENCODED_HEADER_LEN = 256 + 4
106 * Padded to a multiple of KMAC_MAX_BLOCKSIZE
108 #define KMAC_MAX_KEY_ENCODED (KMAC_MAX_BLOCKSIZE * 2)
110 /* Fixed value of encode_string("KMAC") */
111 static const unsigned char kmac_string
[] = {
112 0x01, 0x20, 0x4B, 0x4D, 0x41, 0x43
115 #define KMAC_FLAG_XOF_MODE 1
117 struct kmac_data_st
{
124 /* If xof_mode = 1 then we use right_encode(0) */
126 /* key and custom are stored in encoded form */
127 unsigned char key
[KMAC_MAX_KEY_ENCODED
];
128 unsigned char custom
[KMAC_MAX_CUSTOM_ENCODED
];
131 static int encode_string(unsigned char *out
, size_t out_max_len
, size_t *out_len
,
132 const unsigned char *in
, size_t in_len
);
133 static int right_encode(unsigned char *out
, size_t out_max_len
, size_t *out_len
,
135 static int bytepad(unsigned char *out
, size_t *out_len
,
136 const unsigned char *in1
, size_t in1_len
,
137 const unsigned char *in2
, size_t in2_len
,
139 static int kmac_bytepad_encode_key(unsigned char *out
, size_t out_max_len
,
141 const unsigned char *in
, size_t in_len
,
144 static void kmac_free(void *vmacctx
)
146 struct kmac_data_st
*kctx
= vmacctx
;
149 EVP_MD_CTX_free(kctx
->ctx
);
150 ossl_prov_digest_reset(&kctx
->digest
);
151 OPENSSL_cleanse(kctx
->key
, kctx
->key_len
);
152 OPENSSL_cleanse(kctx
->custom
, kctx
->custom_len
);
158 * We have KMAC implemented as a hash, which we can use instead of
159 * reimplementing the EVP functionality with direct use of
160 * keccak_mac_init() and friends.
162 static struct kmac_data_st
*kmac_new(void *provctx
)
164 struct kmac_data_st
*kctx
;
166 if (!ossl_prov_is_running())
169 if ((kctx
= OPENSSL_zalloc(sizeof(*kctx
))) == NULL
170 || (kctx
->ctx
= EVP_MD_CTX_new()) == NULL
) {
174 kctx
->provctx
= provctx
;
178 static void *kmac_fetch_new(void *provctx
, const OSSL_PARAM
*params
)
180 struct kmac_data_st
*kctx
= kmac_new(provctx
);
184 if (!ossl_prov_digest_load_from_params(&kctx
->digest
, params
,
185 PROV_LIBCTX_OF(provctx
))) {
190 kctx
->out_len
= EVP_MD_get_size(ossl_prov_digest_md(&kctx
->digest
));
194 static void *kmac128_new(void *provctx
)
196 static const OSSL_PARAM kmac128_params
[] = {
197 OSSL_PARAM_utf8_string("digest", OSSL_DIGEST_NAME_KECCAK_KMAC128
,
198 sizeof(OSSL_DIGEST_NAME_KECCAK_KMAC128
)),
201 return kmac_fetch_new(provctx
, kmac128_params
);
204 static void *kmac256_new(void *provctx
)
206 static const OSSL_PARAM kmac256_params
[] = {
207 OSSL_PARAM_utf8_string("digest", OSSL_DIGEST_NAME_KECCAK_KMAC256
,
208 sizeof(OSSL_DIGEST_NAME_KECCAK_KMAC256
)),
211 return kmac_fetch_new(provctx
, kmac256_params
);
214 static void *kmac_dup(void *vsrc
)
216 struct kmac_data_st
*src
= vsrc
;
217 struct kmac_data_st
*dst
;
219 if (!ossl_prov_is_running())
222 dst
= kmac_new(src
->provctx
);
226 if (!EVP_MD_CTX_copy(dst
->ctx
, src
->ctx
)
227 || !ossl_prov_digest_copy(&dst
->digest
, &src
->digest
)) {
232 dst
->out_len
= src
->out_len
;
233 dst
->key_len
= src
->key_len
;
234 dst
->custom_len
= src
->custom_len
;
235 dst
->xof_mode
= src
->xof_mode
;
236 memcpy(dst
->key
, src
->key
, src
->key_len
);
237 memcpy(dst
->custom
, src
->custom
, dst
->custom_len
);
242 static int kmac_setkey(struct kmac_data_st
*kctx
, const unsigned char *key
,
245 const EVP_MD
*digest
= ossl_prov_digest_md(&kctx
->digest
);
246 int w
= EVP_MD_get_block_size(digest
);
248 if (keylen
< KMAC_MIN_KEY
|| keylen
> KMAC_MAX_KEY
) {
249 ERR_raise(ERR_LIB_PROV
, PROV_R_INVALID_KEY_LENGTH
);
253 ERR_raise(ERR_LIB_PROV
, PROV_R_INVALID_DIGEST_LENGTH
);
256 if (!kmac_bytepad_encode_key(kctx
->key
, sizeof(kctx
->key
), &kctx
->key_len
,
257 key
, keylen
, (size_t)w
))
263 * The init() assumes that any ctrl methods are set beforehand for
264 * md, key and custom. Setting the fields afterwards will have no
265 * effect on the output mac.
267 static int kmac_init(void *vmacctx
, const unsigned char *key
,
268 size_t keylen
, const OSSL_PARAM params
[])
270 struct kmac_data_st
*kctx
= vmacctx
;
271 EVP_MD_CTX
*ctx
= kctx
->ctx
;
273 size_t out_len
, block_len
;
276 if (!ossl_prov_is_running() || !kmac_set_ctx_params(kctx
, params
))
280 if (!kmac_setkey(kctx
, key
, keylen
))
282 } else if (kctx
->key_len
== 0) {
283 /* Check key has been set */
284 ERR_raise(ERR_LIB_PROV
, PROV_R_NO_KEY_SET
);
287 if (!EVP_DigestInit_ex(kctx
->ctx
, ossl_prov_digest_md(&kctx
->digest
),
291 t
= EVP_MD_get_block_size(ossl_prov_digest_md(&kctx
->digest
));
293 ERR_raise(ERR_LIB_PROV
, PROV_R_INVALID_DIGEST_LENGTH
);
298 /* Set default custom string if it is not already set */
299 if (kctx
->custom_len
== 0) {
300 const OSSL_PARAM cparams
[] = {
301 OSSL_PARAM_octet_string(OSSL_MAC_PARAM_CUSTOM
, "", 0),
304 (void)kmac_set_ctx_params(kctx
, cparams
);
307 if (!bytepad(NULL
, &out_len
, kmac_string
, sizeof(kmac_string
),
308 kctx
->custom
, kctx
->custom_len
, block_len
)) {
309 ERR_raise(ERR_LIB_PROV
, ERR_R_INTERNAL_ERROR
);
312 out
= OPENSSL_malloc(out_len
);
314 ERR_raise(ERR_LIB_PROV
, ERR_R_MALLOC_FAILURE
);
317 res
= bytepad(out
, NULL
, kmac_string
, sizeof(kmac_string
),
318 kctx
->custom
, kctx
->custom_len
, block_len
)
319 && EVP_DigestUpdate(ctx
, out
, out_len
)
320 && EVP_DigestUpdate(ctx
, kctx
->key
, kctx
->key_len
);
325 static int kmac_update(void *vmacctx
, const unsigned char *data
,
328 struct kmac_data_st
*kctx
= vmacctx
;
330 return EVP_DigestUpdate(kctx
->ctx
, data
, datalen
);
333 static int kmac_final(void *vmacctx
, unsigned char *out
, size_t *outl
,
336 struct kmac_data_st
*kctx
= vmacctx
;
337 EVP_MD_CTX
*ctx
= kctx
->ctx
;
339 unsigned char encoded_outlen
[KMAC_MAX_ENCODED_HEADER_LEN
];
342 if (!ossl_prov_is_running())
345 /* KMAC XOF mode sets the encoded length to 0 */
346 lbits
= (kctx
->xof_mode
? 0 : (kctx
->out_len
* 8));
348 ok
= right_encode(encoded_outlen
, sizeof(encoded_outlen
), &len
, lbits
)
349 && EVP_DigestUpdate(ctx
, encoded_outlen
, len
)
350 && EVP_DigestFinalXOF(ctx
, out
, kctx
->out_len
);
351 *outl
= kctx
->out_len
;
355 static const OSSL_PARAM known_gettable_ctx_params
[] = {
356 OSSL_PARAM_size_t(OSSL_MAC_PARAM_SIZE
, NULL
),
357 OSSL_PARAM_size_t(OSSL_MAC_PARAM_BLOCK_SIZE
, NULL
),
360 static const OSSL_PARAM
*kmac_gettable_ctx_params(ossl_unused
void *ctx
,
361 ossl_unused
void *provctx
)
363 return known_gettable_ctx_params
;
366 static int kmac_get_ctx_params(void *vmacctx
, OSSL_PARAM params
[])
368 struct kmac_data_st
*kctx
= vmacctx
;
372 if ((p
= OSSL_PARAM_locate(params
, OSSL_MAC_PARAM_SIZE
)) != NULL
373 && !OSSL_PARAM_set_size_t(p
, kctx
->out_len
))
376 if ((p
= OSSL_PARAM_locate(params
, OSSL_MAC_PARAM_BLOCK_SIZE
)) != NULL
) {
377 sz
= EVP_MD_block_size(ossl_prov_digest_md(&kctx
->digest
));
378 if (!OSSL_PARAM_set_int(p
, sz
))
385 static const OSSL_PARAM known_settable_ctx_params
[] = {
386 OSSL_PARAM_int(OSSL_MAC_PARAM_XOF
, NULL
),
387 OSSL_PARAM_size_t(OSSL_MAC_PARAM_SIZE
, NULL
),
388 OSSL_PARAM_octet_string(OSSL_MAC_PARAM_KEY
, NULL
, 0),
389 OSSL_PARAM_octet_string(OSSL_MAC_PARAM_CUSTOM
, NULL
, 0),
392 static const OSSL_PARAM
*kmac_settable_ctx_params(ossl_unused
void *ctx
,
393 ossl_unused
void *provctx
)
395 return known_settable_ctx_params
;
399 * The following params can be set any time before final():
400 * - "outlen" or "size": The requested output length.
401 * - "xof": If set, this indicates that right_encoded(0)
402 * is part of the digested data, otherwise it
403 * uses right_encoded(requested output length).
405 * All other params should be set before init().
407 static int kmac_set_ctx_params(void *vmacctx
, const OSSL_PARAM
*params
)
409 struct kmac_data_st
*kctx
= vmacctx
;
415 if ((p
= OSSL_PARAM_locate_const(params
, OSSL_MAC_PARAM_XOF
)) != NULL
416 && !OSSL_PARAM_get_int(p
, &kctx
->xof_mode
))
418 if ((p
= OSSL_PARAM_locate_const(params
, OSSL_MAC_PARAM_SIZE
)) != NULL
) {
421 if (!OSSL_PARAM_get_size_t(p
, &sz
))
423 if (sz
> KMAC_MAX_OUTPUT_LEN
) {
424 ERR_raise(ERR_LIB_PROV
, PROV_R_INVALID_OUTPUT_LENGTH
);
429 if ((p
= OSSL_PARAM_locate_const(params
, OSSL_MAC_PARAM_KEY
)) != NULL
430 && !kmac_setkey(kctx
, p
->data
, p
->data_size
))
432 if ((p
= OSSL_PARAM_locate_const(params
, OSSL_MAC_PARAM_CUSTOM
))
434 if (p
->data_size
> KMAC_MAX_CUSTOM
) {
435 ERR_raise(ERR_LIB_PROV
, PROV_R_INVALID_CUSTOM_LENGTH
);
438 if (!encode_string(kctx
->custom
, sizeof(kctx
->custom
), &kctx
->custom_len
,
439 p
->data
, p
->data_size
))
445 /* Encoding/Padding Methods. */
447 /* Returns the number of bytes required to store 'bits' into a byte array */
448 static unsigned int get_encode_size(size_t bits
)
450 unsigned int cnt
= 0, sz
= sizeof(size_t);
452 while (bits
&& (cnt
< sz
)) {
456 /* If bits is zero 1 byte is required */
463 * Convert an integer into bytes . The number of bytes is appended
464 * to the end of the buffer. Returns an array of bytes 'out' of size
467 * e.g if bits = 32, out[2] = { 0x20, 0x01 }
469 static int right_encode(unsigned char *out
, size_t out_max_len
, size_t *out_len
,
472 unsigned int len
= get_encode_size(bits
);
475 if (len
>= out_max_len
) {
476 ERR_raise(ERR_LIB_PROV
, PROV_R_LENGTH_TOO_LARGE
);
480 /* MSB's are at the start of the bytes array */
481 for (i
= len
- 1; i
>= 0; --i
) {
482 out
[i
] = (unsigned char)(bits
& 0xFF);
485 /* Tack the length onto the end */
486 out
[len
] = (unsigned char)len
;
488 /* The Returned length includes the tacked on byte */
494 * Encodes a string with a left encoded length added. Note that the
495 * in_len is converted to bits (*8).
497 * e.g- in="KMAC" gives out[6] = { 0x01, 0x20, 0x4B, 0x4D, 0x41, 0x43 }
500 static int encode_string(unsigned char *out
, size_t out_max_len
, size_t *out_len
,
501 const unsigned char *in
, size_t in_len
)
506 size_t i
, bits
, len
, sz
;
509 len
= get_encode_size(bits
);
510 sz
= 1 + len
+ in_len
;
512 if (sz
> out_max_len
) {
513 ERR_raise(ERR_LIB_PROV
, PROV_R_LENGTH_TOO_LARGE
);
517 out
[0] = (unsigned char)len
;
518 for (i
= len
; i
> 0; --i
) {
519 out
[i
] = (bits
& 0xFF);
522 memcpy(out
+ len
+ 1, in
, in_len
);
529 * Returns a zero padded encoding of the inputs in1 and an optional
530 * in2 (can be NULL). The padded output must be a multiple of the blocksize 'w'.
531 * The value of w is in bytes (< 256).
533 * The returned output is:
534 * zero_padded(multiple of w, (left_encode(w) || in1 [|| in2])
536 static int bytepad(unsigned char *out
, size_t *out_len
,
537 const unsigned char *in1
, size_t in1_len
,
538 const unsigned char *in2
, size_t in2_len
, size_t w
)
541 unsigned char *p
= out
;
545 if (out_len
== NULL
) {
546 ERR_raise(ERR_LIB_PROV
, ERR_R_PASSED_NULL_PARAMETER
);
549 sz
= 2 + in1_len
+ (in2
!= NULL
? in2_len
: 0);
550 *out_len
= (sz
+ w
- 1) / w
* w
;
554 if (!ossl_assert(w
<= 255))
559 *p
++ = (unsigned char)w
;
561 memcpy(p
, in1
, in1_len
);
564 if (in2
!= NULL
&& in2_len
> 0) {
565 memcpy(p
, in2
, in2_len
);
568 /* Figure out the pad size (divisible by w) */
570 sz
= (len
+ w
- 1) / w
* w
;
571 /* zero pad the end of the buffer */
573 memset(p
, 0, sz
- len
);
579 /* Returns out = bytepad(encode_string(in), w) */
580 static int kmac_bytepad_encode_key(unsigned char *out
, size_t out_max_len
,
582 const unsigned char *in
, size_t in_len
,
585 unsigned char tmp
[KMAC_MAX_KEY
+ KMAC_MAX_ENCODED_HEADER_LEN
];
588 if (!encode_string(tmp
, sizeof(tmp
), &tmp_len
, in
, in_len
))
590 if (!bytepad(NULL
, out_len
, tmp
, tmp_len
, NULL
, 0, w
))
592 if (!ossl_assert(*out_len
<= out_max_len
))
594 return bytepad(out
, NULL
, tmp
, tmp_len
, NULL
, 0, w
);
597 const OSSL_DISPATCH ossl_kmac128_functions
[] = {
598 { OSSL_FUNC_MAC_NEWCTX
, (void (*)(void))kmac128_new
},
599 { OSSL_FUNC_MAC_DUPCTX
, (void (*)(void))kmac_dup
},
600 { OSSL_FUNC_MAC_FREECTX
, (void (*)(void))kmac_free
},
601 { OSSL_FUNC_MAC_INIT
, (void (*)(void))kmac_init
},
602 { OSSL_FUNC_MAC_UPDATE
, (void (*)(void))kmac_update
},
603 { OSSL_FUNC_MAC_FINAL
, (void (*)(void))kmac_final
},
604 { OSSL_FUNC_MAC_GETTABLE_CTX_PARAMS
,
605 (void (*)(void))kmac_gettable_ctx_params
},
606 { OSSL_FUNC_MAC_GET_CTX_PARAMS
, (void (*)(void))kmac_get_ctx_params
},
607 { OSSL_FUNC_MAC_SETTABLE_CTX_PARAMS
,
608 (void (*)(void))kmac_settable_ctx_params
},
609 { OSSL_FUNC_MAC_SET_CTX_PARAMS
, (void (*)(void))kmac_set_ctx_params
},
613 const OSSL_DISPATCH ossl_kmac256_functions
[] = {
614 { OSSL_FUNC_MAC_NEWCTX
, (void (*)(void))kmac256_new
},
615 { OSSL_FUNC_MAC_DUPCTX
, (void (*)(void))kmac_dup
},
616 { OSSL_FUNC_MAC_FREECTX
, (void (*)(void))kmac_free
},
617 { OSSL_FUNC_MAC_INIT
, (void (*)(void))kmac_init
},
618 { OSSL_FUNC_MAC_UPDATE
, (void (*)(void))kmac_update
},
619 { OSSL_FUNC_MAC_FINAL
, (void (*)(void))kmac_final
},
620 { OSSL_FUNC_MAC_GETTABLE_CTX_PARAMS
,
621 (void (*)(void))kmac_gettable_ctx_params
},
622 { OSSL_FUNC_MAC_GET_CTX_PARAMS
, (void (*)(void))kmac_get_ctx_params
},
623 { OSSL_FUNC_MAC_SETTABLE_CTX_PARAMS
,
624 (void (*)(void))kmac_settable_ctx_params
},
625 { OSSL_FUNC_MAC_SET_CTX_PARAMS
, (void (*)(void))kmac_set_ctx_params
},