2 * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 #include <openssl/core_names.h>
12 #include <openssl/crypto.h>
13 #include <openssl/evp.h>
14 #include <openssl/params.h>
15 #include <openssl/err.h>
16 #include <openssl/proverr.h>
17 #include "internal/sha3.h"
18 #include "prov/digestcommon.h"
19 #include "prov/implementations.h"
21 #define SHA3_FLAGS PROV_DIGEST_FLAG_ALGID_ABSENT
22 #define SHAKE_FLAGS PROV_DIGEST_FLAG_XOF
23 #define KMAC_FLAGS PROV_DIGEST_FLAG_XOF
26 * Forward declaration of any unique methods implemented here. This is not strictly
27 * necessary for the compiler, but provides an assurance that the signatures
28 * of the functions in the dispatch table are correct.
30 static OSSL_FUNC_digest_init_fn keccak_init;
31 static OSSL_FUNC_digest_init_fn keccak_init_params;
32 static OSSL_FUNC_digest_update_fn keccak_update;
33 static OSSL_FUNC_digest_final_fn keccak_final;
34 static OSSL_FUNC_digest_freectx_fn keccak_freectx;
35 static OSSL_FUNC_digest_dupctx_fn keccak_dupctx;
36 static OSSL_FUNC_digest_squeeze_fn shake_squeeze;
37 static OSSL_FUNC_digest_set_ctx_params_fn shake_set_ctx_params;
38 static OSSL_FUNC_digest_settable_ctx_params_fn shake_settable_ctx_params;
39 static sha3_absorb_fn generic_sha3_absorb;
40 static sha3_final_fn generic_sha3_final;
41 static sha3_squeeze_fn generic_sha3_squeeze;
43 #if defined(OPENSSL_CPUID_OBJ) && defined(__s390__) && defined(KECCAK1600_ASM)
47 # include "s390x_arch.h"
49 # define S390_SHA3_CAPABLE(name) \
50 ((OPENSSL_s390xcap_P.kimd[0] & S390X_CAPBIT(S390X_##name)) && \
51 (OPENSSL_s390xcap_P.klmd[0] & S390X_CAPBIT(S390X_##name)))
55 static int keccak_init(void *vctx, ossl_unused const OSSL_PARAM params[])
57 if (!ossl_prov_is_running())
59 /* The newctx() handles most of the ctx fixed setup. */
60 ossl_sha3_reset((KECCAK1600_CTX *)vctx);
64 static int keccak_init_params(void *vctx, const OSSL_PARAM params[])
66 return keccak_init(vctx, NULL)
67 && shake_set_ctx_params(vctx, params);
70 static int keccak_update(void *vctx, const unsigned char *inp, size_t len)
72 KECCAK1600_CTX *ctx = vctx;
73 const size_t bsz = ctx->block_size;
79 /* Is there anything in the buffer already ? */
80 if ((num = ctx->bufsz) != 0) {
81 /* Calculate how much space is left in the buffer */
83 /* If the new input does not fill the buffer then just add it */
85 memcpy(ctx->buf + num, inp, len);
89 /* otherwise fill up the buffer and absorb the buffer */
90 memcpy(ctx->buf + num, inp, rem);
91 /* Update the input pointer */
94 ctx->meth.absorb(ctx, ctx->buf, bsz);
97 /* Absorb the input - rem = leftover part of the input < blocksize) */
98 rem = ctx->meth.absorb(ctx, inp, len);
99 /* Copy the leftover bit of the input into the buffer */
101 memcpy(ctx->buf, inp + len - rem, rem);
107 static int keccak_final(void *vctx, unsigned char *out, size_t *outl,
111 KECCAK1600_CTX *ctx = vctx;
113 if (!ossl_prov_is_running())
116 ret = ctx->meth.final(ctx, out, ctx->md_size);
118 *outl = ctx->md_size;
122 static int shake_squeeze(void *vctx, unsigned char *out, size_t *outl,
126 KECCAK1600_CTX *ctx = vctx;
128 if (!ossl_prov_is_running())
130 if (ctx->meth.squeeze == NULL)
133 ret = ctx->meth.squeeze(ctx, out, outlen);
140 * Generic software version of the absorb() and final().
142 static size_t generic_sha3_absorb(void *vctx, const void *inp, size_t len)
144 KECCAK1600_CTX *ctx = vctx;
146 if (!(ctx->xof_state == XOF_STATE_INIT ||
147 ctx->xof_state == XOF_STATE_ABSORB))
149 ctx->xof_state = XOF_STATE_ABSORB;
150 return SHA3_absorb(ctx->A, inp, len, ctx->block_size);
153 static int generic_sha3_final(void *vctx, unsigned char *out, size_t outlen)
155 return ossl_sha3_final((KECCAK1600_CTX *)vctx, out, outlen);
158 static int generic_sha3_squeeze(void *vctx, unsigned char *out, size_t outlen)
160 return ossl_sha3_squeeze((KECCAK1600_CTX *)vctx, out, outlen);
163 static PROV_SHA3_METHOD sha3_generic_md =
170 static PROV_SHA3_METHOD shake_generic_md =
177 #if defined(S390_SHA3)
179 static sha3_absorb_fn s390x_sha3_absorb;
180 static sha3_final_fn s390x_sha3_final;
181 static sha3_final_fn s390x_shake_final;
184 * The platform specific parts of the absorb() and final() for S390X.
186 static size_t s390x_sha3_absorb(void *vctx, const void *inp, size_t len)
188 KECCAK1600_CTX *ctx = vctx;
189 size_t rem = len % ctx->block_size;
191 if (!(ctx->xof_state == XOF_STATE_INIT ||
192 ctx->xof_state == XOF_STATE_ABSORB))
194 ctx->xof_state = XOF_STATE_ABSORB;
195 s390x_kimd(inp, len - rem, ctx->pad, ctx->A);
199 static int s390x_sha3_final(void *vctx, unsigned char *out, size_t outlen)
201 KECCAK1600_CTX *ctx = vctx;
203 if (!ossl_prov_is_running())
205 if (!(ctx->xof_state == XOF_STATE_INIT ||
206 ctx->xof_state == XOF_STATE_ABSORB))
208 ctx->xof_state = XOF_STATE_FINAL;
209 s390x_klmd(ctx->buf, ctx->bufsz, NULL, 0, ctx->pad, ctx->A);
210 memcpy(out, ctx->A, outlen);
214 static int s390x_shake_final(void *vctx, unsigned char *out, size_t outlen)
216 KECCAK1600_CTX *ctx = vctx;
218 if (!ossl_prov_is_running())
220 if (!(ctx->xof_state == XOF_STATE_INIT ||
221 ctx->xof_state == XOF_STATE_ABSORB))
223 ctx->xof_state = XOF_STATE_FINAL;
224 s390x_klmd(ctx->buf, ctx->bufsz, out, outlen, ctx->pad, ctx->A);
228 static int s390x_keccakc_final(void *vctx, unsigned char *out, size_t outlen,
231 KECCAK1600_CTX *ctx = vctx;
232 size_t bsz = ctx->block_size;
233 size_t num = ctx->bufsz;
234 size_t needed = outlen;
236 if (!ossl_prov_is_running())
238 if (!(ctx->xof_state == XOF_STATE_INIT ||
239 ctx->xof_state == XOF_STATE_ABSORB))
241 ctx->xof_state = XOF_STATE_FINAL;
244 memset(ctx->buf + num, 0, bsz - num);
245 ctx->buf[num] = padding;
246 ctx->buf[bsz - 1] |= 0x80;
247 s390x_kimd(ctx->buf, bsz, ctx->pad, ctx->A);
248 num = needed > bsz ? bsz : needed;
249 memcpy(out, ctx->A, num);
252 s390x_klmd(NULL, 0, out + bsz, needed, ctx->pad | S390X_KLMD_PS, ctx->A);
257 static int s390x_keccak_final(void *vctx, unsigned char *out, size_t outlen)
259 return s390x_keccakc_final(vctx, out, outlen, 0x01);
262 static int s390x_kmac_final(void *vctx, unsigned char *out, size_t outlen)
264 return s390x_keccakc_final(vctx, out, outlen, 0x04);
267 static PROV_SHA3_METHOD sha3_s390x_md =
273 static PROV_SHA3_METHOD keccak_s390x_md =
279 static PROV_SHA3_METHOD shake_s390x_md =
285 static PROV_SHA3_METHOD kmac_s390x_md =
291 # define SHAKE_SET_MD(uname, typ) \
292 if (S390_SHA3_CAPABLE(uname)) { \
293 ctx->pad = S390X_##uname; \
294 ctx->meth = typ##_s390x_md; \
296 ctx->meth = shake_generic_md; \
299 # define SHA3_SET_MD(uname, typ) \
300 if (S390_SHA3_CAPABLE(uname)) { \
301 ctx->pad = S390X_##uname; \
302 ctx->meth = typ##_s390x_md; \
304 ctx->meth = sha3_generic_md; \
306 # define KMAC_SET_MD(bitlen) \
307 if (S390_SHA3_CAPABLE(SHAKE_##bitlen)) { \
308 ctx->pad = S390X_SHAKE_##bitlen; \
309 ctx->meth = kmac_s390x_md; \
311 ctx->meth = sha3_generic_md; \
313 #elif defined(__aarch64__) && defined(KECCAK1600_ASM)
314 # include "arm_arch.h"
316 static sha3_absorb_fn armsha3_sha3_absorb;
318 size_t SHA3_absorb_cext(uint64_t A[5][5], const unsigned char *inp, size_t len,
321 * Hardware-assisted ARMv8.2 SHA3 extension version of the absorb()
323 static size_t armsha3_sha3_absorb(void *vctx, const void *inp, size_t len)
325 KECCAK1600_CTX *ctx = vctx;
327 return SHA3_absorb_cext(ctx->A, inp, len, ctx->block_size);
330 static PROV_SHA3_METHOD sha3_ARMSHA3_md =
335 static PROV_SHA3_METHOD shake_ARMSHA3_md =
341 # define SHAKE_SET_MD(uname, typ) \
342 if (OPENSSL_armcap_P & ARMV8_HAVE_SHA3_AND_WORTH_USING) { \
343 ctx->meth = shake_ARMSHA3_md; \
345 ctx->meth = shake_generic_md; \
348 # define SHA3_SET_MD(uname, typ) \
349 if (OPENSSL_armcap_P & ARMV8_HAVE_SHA3_AND_WORTH_USING) { \
350 ctx->meth = sha3_ARMSHA3_md; \
352 ctx->meth = sha3_generic_md; \
354 # define KMAC_SET_MD(bitlen) \
355 if (OPENSSL_armcap_P & ARMV8_HAVE_SHA3_AND_WORTH_USING) { \
356 ctx->meth = sha3_ARMSHA3_md; \
358 ctx->meth = sha3_generic_md; \
361 # define SHA3_SET_MD(uname, typ) ctx->meth = sha3_generic_md;
362 # define KMAC_SET_MD(bitlen) ctx->meth = sha3_generic_md;
363 # define SHAKE_SET_MD(uname, typ) ctx->meth = shake_generic_md;
364 #endif /* S390_SHA3 */
366 #define SHA3_newctx(typ, uname, name, bitlen, pad) \
367 static OSSL_FUNC_digest_newctx_fn name##_newctx; \
368 static void *name##_newctx(void *provctx) \
370 KECCAK1600_CTX *ctx = ossl_prov_is_running() ? OPENSSL_zalloc(sizeof(*ctx)) \
375 ossl_sha3_init(ctx, pad, bitlen); \
376 SHA3_SET_MD(uname, typ) \
380 #define SHAKE_newctx(typ, uname, name, bitlen, pad) \
381 static OSSL_FUNC_digest_newctx_fn name##_newctx; \
382 static void *name##_newctx(void *provctx) \
384 KECCAK1600_CTX *ctx = ossl_prov_is_running() ? OPENSSL_zalloc(sizeof(*ctx))\
389 ossl_sha3_init(ctx, pad, bitlen); \
390 SHAKE_SET_MD(uname, typ) \
394 #define KMAC_newctx(uname, bitlen, pad) \
395 static OSSL_FUNC_digest_newctx_fn uname##_newctx; \
396 static void *uname##_newctx(void *provctx) \
398 KECCAK1600_CTX *ctx = ossl_prov_is_running() ? OPENSSL_zalloc(sizeof(*ctx)) \
403 ossl_keccak_kmac_init(ctx, pad, bitlen); \
404 KMAC_SET_MD(bitlen) \
408 #define PROV_FUNC_SHA3_DIGEST_COMMON(name, bitlen, blksize, dgstsize, flags) \
409 PROV_FUNC_DIGEST_GET_PARAM(name, blksize, dgstsize, flags) \
410 const OSSL_DISPATCH ossl_##name##_functions[] = { \
411 { OSSL_FUNC_DIGEST_NEWCTX, (void (*)(void))name##_newctx }, \
412 { OSSL_FUNC_DIGEST_UPDATE, (void (*)(void))keccak_update }, \
413 { OSSL_FUNC_DIGEST_FINAL, (void (*)(void))keccak_final }, \
414 { OSSL_FUNC_DIGEST_FREECTX, (void (*)(void))keccak_freectx }, \
415 { OSSL_FUNC_DIGEST_DUPCTX, (void (*)(void))keccak_dupctx }, \
416 PROV_DISPATCH_FUNC_DIGEST_GET_PARAMS(name)
418 #define PROV_FUNC_SHA3_DIGEST(name, bitlen, blksize, dgstsize, flags) \
419 PROV_FUNC_SHA3_DIGEST_COMMON(name, bitlen, blksize, dgstsize, flags), \
420 { OSSL_FUNC_DIGEST_INIT, (void (*)(void))keccak_init }, \
421 PROV_DISPATCH_FUNC_DIGEST_CONSTRUCT_END
423 #define PROV_FUNC_SHAKE_DIGEST(name, bitlen, blksize, dgstsize, flags) \
424 PROV_FUNC_SHA3_DIGEST_COMMON(name, bitlen, blksize, dgstsize, flags), \
425 { OSSL_FUNC_DIGEST_SQUEEZE, (void (*)(void))shake_squeeze }, \
426 { OSSL_FUNC_DIGEST_INIT, (void (*)(void))keccak_init_params }, \
427 { OSSL_FUNC_DIGEST_SET_CTX_PARAMS, (void (*)(void))shake_set_ctx_params }, \
428 { OSSL_FUNC_DIGEST_SETTABLE_CTX_PARAMS, \
429 (void (*)(void))shake_settable_ctx_params }, \
430 PROV_DISPATCH_FUNC_DIGEST_CONSTRUCT_END
432 static void keccak_freectx(void *vctx)
434 KECCAK1600_CTX *ctx = (KECCAK1600_CTX *)vctx;
436 OPENSSL_clear_free(ctx, sizeof(*ctx));
439 static void *keccak_dupctx(void *ctx)
441 KECCAK1600_CTX *in = (KECCAK1600_CTX *)ctx;
442 KECCAK1600_CTX *ret = ossl_prov_is_running() ? OPENSSL_malloc(sizeof(*ret))
450 static const OSSL_PARAM known_shake_settable_ctx_params[] = {
451 {OSSL_DIGEST_PARAM_XOFLEN, OSSL_PARAM_UNSIGNED_INTEGER, NULL, 0, 0},
454 static const OSSL_PARAM *shake_settable_ctx_params(ossl_unused void *ctx,
455 ossl_unused void *provctx)
457 return known_shake_settable_ctx_params;
460 static int shake_set_ctx_params(void *vctx, const OSSL_PARAM params[])
463 KECCAK1600_CTX *ctx = (KECCAK1600_CTX *)vctx;
470 p = OSSL_PARAM_locate_const(params, OSSL_DIGEST_PARAM_XOFLEN);
471 if (p != NULL && !OSSL_PARAM_get_size_t(p, &ctx->md_size)) {
472 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
478 #define IMPLEMENT_SHA3_functions(bitlen) \
479 SHA3_newctx(sha3, SHA3_##bitlen, sha3_##bitlen, bitlen, '\x06') \
480 PROV_FUNC_SHA3_DIGEST(sha3_##bitlen, bitlen, \
481 SHA3_BLOCKSIZE(bitlen), SHA3_MDSIZE(bitlen), \
484 #define IMPLEMENT_KECCAK_functions(bitlen) \
485 SHA3_newctx(keccak, KECCAK_##bitlen, keccak_##bitlen, bitlen, '\x01') \
486 PROV_FUNC_SHA3_DIGEST(keccak_##bitlen, bitlen, \
487 SHA3_BLOCKSIZE(bitlen), SHA3_MDSIZE(bitlen), \
490 #define IMPLEMENT_SHAKE_functions(bitlen) \
491 SHAKE_newctx(shake, SHAKE_##bitlen, shake_##bitlen, bitlen, '\x1f') \
492 PROV_FUNC_SHAKE_DIGEST(shake_##bitlen, bitlen, \
493 SHA3_BLOCKSIZE(bitlen), SHA3_MDSIZE(bitlen), \
495 #define IMPLEMENT_KMAC_functions(bitlen) \
496 KMAC_newctx(keccak_kmac_##bitlen, bitlen, '\x04') \
497 PROV_FUNC_SHAKE_DIGEST(keccak_kmac_##bitlen, bitlen, \
498 SHA3_BLOCKSIZE(bitlen), KMAC_MDSIZE(bitlen), \
501 /* ossl_sha3_224_functions */
502 IMPLEMENT_SHA3_functions(224)
503 /* ossl_sha3_256_functions */
504 IMPLEMENT_SHA3_functions(256)
505 /* ossl_sha3_384_functions */
506 IMPLEMENT_SHA3_functions(384)
507 /* ossl_sha3_512_functions */
508 IMPLEMENT_SHA3_functions(512)
509 /* ossl_keccak_224_functions */
510 IMPLEMENT_KECCAK_functions(224)
511 /* ossl_keccak_256_functions */
512 IMPLEMENT_KECCAK_functions(256)
513 /* ossl_keccak_384_functions */
514 IMPLEMENT_KECCAK_functions(384)
515 /* ossl_keccak_512_functions */
516 IMPLEMENT_KECCAK_functions(512)
517 /* ossl_shake_128_functions */
518 IMPLEMENT_SHAKE_functions(128)
519 /* ossl_shake_256_functions */
520 IMPLEMENT_SHAKE_functions(256)
521 /* ossl_keccak_kmac_128_functions */
522 IMPLEMENT_KMAC_functions(128)
523 /* ossl_keccak_kmac_256_functions */
524 IMPLEMENT_KMAC_functions(256)