1 /* 2 * Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the OpenSSL license (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 #include <stdio.h> 11 #include <string.h> 12 13 #include <openssl/evp.h> 14 #include <openssl/objects.h> 15 #include "crypto/evp.h" 16 #include "evp_local.h" 17 18 size_t SHA3_absorb(uint64_t A[5][5], const unsigned char *inp, size_t len, 19 size_t r); 20 void SHA3_squeeze(uint64_t A[5][5], unsigned char *out, size_t len, size_t r); 21 22 #define KECCAK1600_WIDTH 1600 23 24 typedef struct { 25 uint64_t A[5][5]; 26 size_t block_size; /* cached ctx->digest->block_size */ 27 size_t md_size; /* output length, variable in XOF */ 28 size_t num; /* used bytes in below buffer */ 29 unsigned char buf[KECCAK1600_WIDTH / 8 - 32]; 30 unsigned char pad; 31 } KECCAK1600_CTX; 32 33 static int init(EVP_MD_CTX *evp_ctx, unsigned char pad) 34 { 35 KECCAK1600_CTX *ctx = evp_ctx->md_data; 36 size_t bsz = evp_ctx->digest->block_size; 37 38 if (bsz <= sizeof(ctx->buf)) { 39 memset(ctx->A, 0, sizeof(ctx->A)); 40 41 ctx->num = 0; 42 ctx->block_size = bsz; 43 ctx->md_size = evp_ctx->digest->md_size; 44 ctx->pad = pad; 45 46 return 1; 47 } 48 49 return 0; 50 } 51 52 static int sha3_init(EVP_MD_CTX *evp_ctx) 53 { 54 return init(evp_ctx, '\x06'); 55 } 56 57 static int shake_init(EVP_MD_CTX *evp_ctx) 58 { 59 return init(evp_ctx, '\x1f'); 60 } 61 62 static int sha3_update(EVP_MD_CTX *evp_ctx, const void *_inp, size_t len) 63 { 64 KECCAK1600_CTX *ctx = evp_ctx->md_data; 65 const unsigned char *inp = _inp; 66 size_t bsz = ctx->block_size; 67 size_t num, rem; 68 69 if (len == 0) 70 return 1; 71 72 if ((num = ctx->num) != 0) { /* process intermediate buffer? */ 73 rem = bsz - num; 74 75 if (len < rem) { 76 memcpy(ctx->buf + num, inp, len); 77 ctx->num += len; 78 return 1; 79 } 80 /* 81 * We have enough data to fill or overflow the intermediate 82 * buffer. So we append |rem| bytes and process the block, 83 * leaving the rest for later processing... 84 */ 85 memcpy(ctx->buf + num, inp, rem); 86 inp += rem, len -= rem; 87 (void)SHA3_absorb(ctx->A, ctx->buf, bsz, bsz); 88 ctx->num = 0; 89 /* ctx->buf is processed, ctx->num is guaranteed to be zero */ 90 } 91 92 if (len >= bsz) 93 rem = SHA3_absorb(ctx->A, inp, len, bsz); 94 else 95 rem = len; 96 97 if (rem) { 98 memcpy(ctx->buf, inp + len - rem, rem); 99 ctx->num = rem; 100 } 101 102 return 1; 103 } 104 105 static int sha3_final(EVP_MD_CTX *evp_ctx, unsigned char *md) 106 { 107 KECCAK1600_CTX *ctx = evp_ctx->md_data; 108 size_t bsz = ctx->block_size; 109 size_t num = ctx->num; 110 111 if (ctx->md_size == 0) 112 return 1; 113 114 /* 115 * Pad the data with 10*1. Note that |num| can be |bsz - 1| 116 * in which case both byte operations below are performed on 117 * same byte... 118 */ 119 memset(ctx->buf + num, 0, bsz - num); 120 ctx->buf[num] = ctx->pad; 121 ctx->buf[bsz - 1] |= 0x80; 122 123 (void)SHA3_absorb(ctx->A, ctx->buf, bsz, bsz); 124 125 SHA3_squeeze(ctx->A, md, ctx->md_size, bsz); 126 127 return 1; 128 } 129 130 static int shake_ctrl(EVP_MD_CTX *evp_ctx, int cmd, int p1, void *p2) 131 { 132 KECCAK1600_CTX *ctx = evp_ctx->md_data; 133 134 switch (cmd) { 135 case EVP_MD_CTRL_XOF_LEN: 136 ctx->md_size = p1; 137 return 1; 138 default: 139 return 0; 140 } 141 } 142 143 #if defined(OPENSSL_CPUID_OBJ) && defined(__s390__) && defined(KECCAK1600_ASM) 144 /* 145 * IBM S390X support 146 */ 147 # include "s390x_arch.h" 148 149 # define S390X_SHA3_FC(ctx) ((ctx)->pad) 150 151 # define S390X_sha3_224_CAPABLE ((OPENSSL_s390xcap_P.kimd[0] & \ 152 S390X_CAPBIT(S390X_SHA3_224)) && \ 153 (OPENSSL_s390xcap_P.klmd[0] & \ 154 S390X_CAPBIT(S390X_SHA3_224))) 155 # define S390X_sha3_256_CAPABLE ((OPENSSL_s390xcap_P.kimd[0] & \ 156 S390X_CAPBIT(S390X_SHA3_256)) && \ 157 (OPENSSL_s390xcap_P.klmd[0] & \ 158 S390X_CAPBIT(S390X_SHA3_256))) 159 # define S390X_sha3_384_CAPABLE ((OPENSSL_s390xcap_P.kimd[0] & \ 160 S390X_CAPBIT(S390X_SHA3_384)) && \ 161 (OPENSSL_s390xcap_P.klmd[0] & \ 162 S390X_CAPBIT(S390X_SHA3_384))) 163 # define S390X_sha3_512_CAPABLE ((OPENSSL_s390xcap_P.kimd[0] & \ 164 S390X_CAPBIT(S390X_SHA3_512)) && \ 165 (OPENSSL_s390xcap_P.klmd[0] & \ 166 S390X_CAPBIT(S390X_SHA3_512))) 167 # define S390X_shake128_CAPABLE ((OPENSSL_s390xcap_P.kimd[0] & \ 168 S390X_CAPBIT(S390X_SHAKE_128)) && \ 169 (OPENSSL_s390xcap_P.klmd[0] & \ 170 S390X_CAPBIT(S390X_SHAKE_128))) 171 # define S390X_shake256_CAPABLE ((OPENSSL_s390xcap_P.kimd[0] & \ 172 S390X_CAPBIT(S390X_SHAKE_256)) && \ 173 (OPENSSL_s390xcap_P.klmd[0] & \ 174 S390X_CAPBIT(S390X_SHAKE_256))) 175 176 /* Convert md-size to block-size. */ 177 # define S390X_KECCAK1600_BSZ(n) ((KECCAK1600_WIDTH - ((n) << 1)) >> 3) 178 179 static int s390x_sha3_init(EVP_MD_CTX *evp_ctx) 180 { 181 KECCAK1600_CTX *ctx = evp_ctx->md_data; 182 const size_t bsz = evp_ctx->digest->block_size; 183 184 /*- 185 * KECCAK1600_CTX structure's pad field is used to store the KIMD/KLMD 186 * function code. 187 */ 188 switch (bsz) { 189 case S390X_KECCAK1600_BSZ(224): 190 ctx->pad = S390X_SHA3_224; 191 break; 192 case S390X_KECCAK1600_BSZ(256): 193 ctx->pad = S390X_SHA3_256; 194 break; 195 case S390X_KECCAK1600_BSZ(384): 196 ctx->pad = S390X_SHA3_384; 197 break; 198 case S390X_KECCAK1600_BSZ(512): 199 ctx->pad = S390X_SHA3_512; 200 break; 201 default: 202 return 0; 203 } 204 205 memset(ctx->A, 0, sizeof(ctx->A)); 206 ctx->num = 0; 207 ctx->block_size = bsz; 208 ctx->md_size = evp_ctx->digest->md_size; 209 return 1; 210 } 211 212 static int s390x_shake_init(EVP_MD_CTX *evp_ctx) 213 { 214 KECCAK1600_CTX *ctx = evp_ctx->md_data; 215 const size_t bsz = evp_ctx->digest->block_size; 216 217 /*- 218 * KECCAK1600_CTX structure's pad field is used to store the KIMD/KLMD 219 * function code. 220 */ 221 switch (bsz) { 222 case S390X_KECCAK1600_BSZ(128): 223 ctx->pad = S390X_SHAKE_128; 224 break; 225 case S390X_KECCAK1600_BSZ(256): 226 ctx->pad = S390X_SHAKE_256; 227 break; 228 default: 229 return 0; 230 } 231 232 memset(ctx->A, 0, sizeof(ctx->A)); 233 ctx->num = 0; 234 ctx->block_size = bsz; 235 ctx->md_size = evp_ctx->digest->md_size; 236 return 1; 237 } 238 239 static int s390x_sha3_update(EVP_MD_CTX *evp_ctx, const void *_inp, size_t len) 240 { 241 KECCAK1600_CTX *ctx = evp_ctx->md_data; 242 const unsigned char *inp = _inp; 243 const size_t bsz = ctx->block_size; 244 size_t num, rem; 245 246 if (len == 0) 247 return 1; 248 249 if ((num = ctx->num) != 0) { 250 rem = bsz - num; 251 252 if (len < rem) { 253 memcpy(ctx->buf + num, inp, len); 254 ctx->num += len; 255 return 1; 256 } 257 memcpy(ctx->buf + num, inp, rem); 258 inp += rem; 259 len -= rem; 260 s390x_kimd(ctx->buf, bsz, ctx->pad, ctx->A); 261 ctx->num = 0; 262 } 263 rem = len % bsz; 264 265 s390x_kimd(inp, len - rem, ctx->pad, ctx->A); 266 267 if (rem) { 268 memcpy(ctx->buf, inp + len - rem, rem); 269 ctx->num = rem; 270 } 271 return 1; 272 } 273 274 static int s390x_sha3_final(EVP_MD_CTX *evp_ctx, unsigned char *md) 275 { 276 KECCAK1600_CTX *ctx = evp_ctx->md_data; 277 278 s390x_klmd(ctx->buf, ctx->num, NULL, 0, ctx->pad, ctx->A); 279 memcpy(md, ctx->A, ctx->md_size); 280 return 1; 281 } 282 283 static int s390x_shake_final(EVP_MD_CTX *evp_ctx, unsigned char *md) 284 { 285 KECCAK1600_CTX *ctx = evp_ctx->md_data; 286 287 s390x_klmd(ctx->buf, ctx->num, md, ctx->md_size, ctx->pad, ctx->A); 288 return 1; 289 } 290 291 # define EVP_MD_SHA3(bitlen) \ 292 const EVP_MD *EVP_sha3_##bitlen(void) \ 293 { \ 294 static const EVP_MD s390x_sha3_##bitlen##_md = { \ 295 NID_sha3_##bitlen, \ 296 NID_RSA_SHA3_##bitlen, \ 297 bitlen / 8, \ 298 EVP_MD_FLAG_DIGALGID_ABSENT, \ 299 s390x_sha3_init, \ 300 s390x_sha3_update, \ 301 s390x_sha3_final, \ 302 NULL, \ 303 NULL, \ 304 (KECCAK1600_WIDTH - bitlen * 2) / 8, \ 305 sizeof(KECCAK1600_CTX), \ 306 }; \ 307 static const EVP_MD sha3_##bitlen##_md = { \ 308 NID_sha3_##bitlen, \ 309 NID_RSA_SHA3_##bitlen, \ 310 bitlen / 8, \ 311 EVP_MD_FLAG_DIGALGID_ABSENT, \ 312 sha3_init, \ 313 sha3_update, \ 314 sha3_final, \ 315 NULL, \ 316 NULL, \ 317 (KECCAK1600_WIDTH - bitlen * 2) / 8, \ 318 sizeof(KECCAK1600_CTX), \ 319 }; \ 320 return S390X_sha3_##bitlen##_CAPABLE ? \ 321 &s390x_sha3_##bitlen##_md : \ 322 &sha3_##bitlen##_md; \ 323 } 324 325 # define EVP_MD_SHAKE(bitlen) \ 326 const EVP_MD *EVP_shake##bitlen(void) \ 327 { \ 328 static const EVP_MD s390x_shake##bitlen##_md = { \ 329 NID_shake##bitlen, \ 330 0, \ 331 bitlen / 8, \ 332 EVP_MD_FLAG_XOF, \ 333 s390x_shake_init, \ 334 s390x_sha3_update, \ 335 s390x_shake_final, \ 336 NULL, \ 337 NULL, \ 338 (KECCAK1600_WIDTH - bitlen * 2) / 8, \ 339 sizeof(KECCAK1600_CTX), \ 340 shake_ctrl \ 341 }; \ 342 static const EVP_MD shake##bitlen##_md = { \ 343 NID_shake##bitlen, \ 344 0, \ 345 bitlen / 8, \ 346 EVP_MD_FLAG_XOF, \ 347 shake_init, \ 348 sha3_update, \ 349 sha3_final, \ 350 NULL, \ 351 NULL, \ 352 (KECCAK1600_WIDTH - bitlen * 2) / 8, \ 353 sizeof(KECCAK1600_CTX), \ 354 shake_ctrl \ 355 }; \ 356 return S390X_shake##bitlen##_CAPABLE ? \ 357 &s390x_shake##bitlen##_md : \ 358 &shake##bitlen##_md; \ 359 } 360 361 #else 362 363 # define EVP_MD_SHA3(bitlen) \ 364 const EVP_MD *EVP_sha3_##bitlen(void) \ 365 { \ 366 static const EVP_MD sha3_##bitlen##_md = { \ 367 NID_sha3_##bitlen, \ 368 NID_RSA_SHA3_##bitlen, \ 369 bitlen / 8, \ 370 EVP_MD_FLAG_DIGALGID_ABSENT, \ 371 sha3_init, \ 372 sha3_update, \ 373 sha3_final, \ 374 NULL, \ 375 NULL, \ 376 (KECCAK1600_WIDTH - bitlen * 2) / 8, \ 377 sizeof(KECCAK1600_CTX), \ 378 }; \ 379 return &sha3_##bitlen##_md; \ 380 } 381 382 # define EVP_MD_SHAKE(bitlen) \ 383 const EVP_MD *EVP_shake##bitlen(void) \ 384 { \ 385 static const EVP_MD shake##bitlen##_md = { \ 386 NID_shake##bitlen, \ 387 0, \ 388 bitlen / 8, \ 389 EVP_MD_FLAG_XOF, \ 390 shake_init, \ 391 sha3_update, \ 392 sha3_final, \ 393 NULL, \ 394 NULL, \ 395 (KECCAK1600_WIDTH - bitlen * 2) / 8, \ 396 sizeof(KECCAK1600_CTX), \ 397 shake_ctrl \ 398 }; \ 399 return &shake##bitlen##_md; \ 400 } 401 #endif 402 403 EVP_MD_SHA3(224) 404 EVP_MD_SHA3(256) 405 EVP_MD_SHA3(384) 406 EVP_MD_SHA3(512) 407 408 EVP_MD_SHAKE(128) 409 EVP_MD_SHAKE(256) 410
Indexes created Sat Feb 28 05:31:39 UTC 2026