/*
- * Copyright 2018-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2018-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
#include <openssl/params.h>
#include <openssl/evp.h>
#include <openssl/err.h>
+#include <openssl/proverr.h>
-#include "prov/providercommonerr.h"
#include "prov/implementations.h"
#include "prov/provider_ctx.h"
#include "prov/provider_util.h"
+#include "prov/providercommon.h"
+#include "internal/cryptlib.h" /* ossl_assert */
/*
* Forward declaration of everything implemented here. This is not strictly
* necessary for the compiler, but provides an assurance that the signatures
* of the functions in the dispatch table are correct.
*/
-static OSSL_OP_mac_newctx_fn kmac128_new;
-static OSSL_OP_mac_newctx_fn kmac256_new;
-static OSSL_OP_mac_dupctx_fn kmac_dup;
-static OSSL_OP_mac_freectx_fn kmac_free;
-static OSSL_OP_mac_gettable_ctx_params_fn kmac_gettable_ctx_params;
-static OSSL_OP_mac_get_ctx_params_fn kmac_get_ctx_params;
-static OSSL_OP_mac_settable_ctx_params_fn kmac_settable_ctx_params;
-static OSSL_OP_mac_set_ctx_params_fn kmac_set_ctx_params;
-static OSSL_OP_mac_size_fn kmac_size;
-static OSSL_OP_mac_init_fn kmac_init;
-static OSSL_OP_mac_update_fn kmac_update;
-static OSSL_OP_mac_final_fn kmac_final;
-
-#define KMAC_MAX_BLOCKSIZE ((1600 - 128*2) / 8) /* 168 */
-#define KMAC_MIN_BLOCKSIZE ((1600 - 256*2) / 8) /* 136 */
-
-/* Length encoding will be a 1 byte size + length in bits (2 bytes max) */
-#define KMAC_MAX_ENCODED_HEADER_LEN 3
+static OSSL_FUNC_mac_newctx_fn kmac128_new;
+static OSSL_FUNC_mac_newctx_fn kmac256_new;
+static OSSL_FUNC_mac_dupctx_fn kmac_dup;
+static OSSL_FUNC_mac_freectx_fn kmac_free;
+static OSSL_FUNC_mac_gettable_ctx_params_fn kmac_gettable_ctx_params;
+static OSSL_FUNC_mac_get_ctx_params_fn kmac_get_ctx_params;
+static OSSL_FUNC_mac_settable_ctx_params_fn kmac_settable_ctx_params;
+static OSSL_FUNC_mac_set_ctx_params_fn kmac_set_ctx_params;
+static OSSL_FUNC_mac_init_fn kmac_init;
+static OSSL_FUNC_mac_update_fn kmac_update;
+static OSSL_FUNC_mac_final_fn kmac_final;
+
+#define KMAC_MAX_BLOCKSIZE ((1600 - 128 * 2) / 8) /* 168 */
/*
- * Custom string max size is chosen such that:
- * len(encoded_string(custom) + len(kmac_encoded_string) <= KMAC_MIN_BLOCKSIZE
- * i.e: (KMAC_MAX_CUSTOM + KMAC_MAX_ENCODED_LEN) + 6 <= 136
+ * Length encoding will be a 1 byte size + length in bits (3 bytes max)
+ * This gives a range of 0..0XFFFFFF bits = 2097151 bytes).
*/
-#define KMAC_MAX_CUSTOM 127
+#define KMAC_MAX_OUTPUT_LEN (0xFFFFFF / 8)
+#define KMAC_MAX_ENCODED_HEADER_LEN (1 + 3)
+
+/*
+ * Restrict the maximum length of the customisation string. This must not
+ * exceed 64 bits = 8k bytes.
+ */
+#define KMAC_MAX_CUSTOM 512
/* Maximum size of encoded custom string */
#define KMAC_MAX_CUSTOM_ENCODED (KMAC_MAX_CUSTOM + KMAC_MAX_ENCODED_HEADER_LEN)
-/* Maximum key size in bytes = 2040 / 8 */
-#define KMAC_MAX_KEY 255
+/* Maximum key size in bytes = 512 (4096 bits) */
+#define KMAC_MAX_KEY 512
+#define KMAC_MIN_KEY 4
/*
* Maximum Encoded Key size will be padded to a multiple of the blocksize
- * i.e KMAC_MAX_KEY + KMAC_MAX_ENCODED_LEN = 258
+ * i.e KMAC_MAX_KEY + KMAC_MAX_ENCODED_HEADER_LEN = 512 + 4
* Padded to a multiple of KMAC_MAX_BLOCKSIZE
*/
-#define KMAC_MAX_KEY_ENCODED (KMAC_MAX_BLOCKSIZE * 2)
+#define KMAC_MAX_KEY_ENCODED (KMAC_MAX_BLOCKSIZE * 4)
/* Fixed value of encode_string("KMAC") */
static const unsigned char kmac_string[] = {
0x01, 0x20, 0x4B, 0x4D, 0x41, 0x43
};
-
#define KMAC_FLAG_XOF_MODE 1
struct kmac_data_st {
EVP_MD_CTX *ctx;
PROV_DIGEST digest;
size_t out_len;
- int key_len;
- int custom_len;
+ size_t key_len;
+ size_t custom_len;
/* If xof_mode = 1 then we use right_encode(0) */
int xof_mode;
/* key and custom are stored in encoded form */
unsigned char custom[KMAC_MAX_CUSTOM_ENCODED];
};
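Review bot: The comment added above `KMAC_MAX_CUSTOM` says the length "must not exceed 64 bits = 8k bytes", which does not add up, since 64 bits is 8 bytes. If the intended ceiling is 64k bits, the line should read `* exceed 64k bits = 8k bytes.`. The comment above `KMAC_MAX_OUTPUT_LEN` also ends with an unmatched `)` after "2097151 bytes". `KMAC_MAX_KEY_ENCODED` moves to `KMAC_MAX_BLOCKSIZE * 4` without the arithmetic being shown; a line such as `/* 2 + 512 + 4 = 518, padded up to 4 * 168 = 672 */` would let a reader check that the key buffer still fits when `KMAC_MAX_KEY` changes again.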
-static int encode_string(unsigned char *out, int *out_len,
- const unsigned char *in, int in_len);
-static int right_encode(unsigned char *out, int *out_len, size_t bits);
-static int bytepad(unsigned char *out, int *out_len,
- const unsigned char *in1, int in1_len,
- const unsigned char *in2, int in2_len,
- int w);
-static int kmac_bytepad_encode_key(unsigned char *out, int *out_len,
- const unsigned char *in, int in_len,
- int w);
+static int encode_string(unsigned char *out, size_t out_max_len, size_t *out_len,
+ const unsigned char *in, size_t in_len);
+static int right_encode(unsigned char *out, size_t out_max_len, size_t *out_len,
+ size_t bits);
+static int bytepad(unsigned char *out, size_t *out_len,
+ const unsigned char *in1, size_t in1_len,
+ const unsigned char *in2, size_t in2_len,
+ size_t w);
+static int kmac_bytepad_encode_key(unsigned char *out, size_t out_max_len,
+ size_t *out_len,
+ const unsigned char *in, size_t in_len,
+ size_t w);
static void kmac_free(void *vmacctx)
{
{
struct kmac_data_st *kctx;
+ if (!ossl_prov_is_running())
+ return NULL;
+
if ((kctx = OPENSSL_zalloc(sizeof(*kctx))) == NULL
|| (kctx->ctx = EVP_MD_CTX_new()) == NULL) {
kmac_free(kctx);
static void *kmac_fetch_new(void *provctx, const OSSL_PARAM *params)
{
struct kmac_data_st *kctx = kmac_new(provctx);
+ int md_size;
if (kctx == NULL)
return 0;
if (!ossl_prov_digest_load_from_params(&kctx->digest, params,
- PROV_LIBRARY_CONTEXT_OF(provctx))) {
+ PROV_LIBCTX_OF(provctx))) {
kmac_free(kctx);
return 0;
}
- kctx->out_len = EVP_MD_size(ossl_prov_digest_md(&kctx->digest));
+ md_size = EVP_MD_get_size(ossl_prov_digest_md(&kctx->digest));
+ if (md_size <= 0) {
+ kmac_free(kctx);
+ return 0;
+ }
+ kctx->out_len = (size_t)md_size;
return kctx;
}
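Review bot: The new `md_size <= 0` branch in kmac_fetch_new fails silently, whereas kmac_setkey and kmac_init raise `PROV_R_INVALID_DIGEST_LENGTH` for the same kind of digest-size failure. Adding `ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST_LENGTH);` before `kmac_free(kctx);` would give the caller a reason on the error queue. As a style point, this function returns a pointer, so the added `return 0;` reads better as `return NULL;`, matching kmac_new and kmac_dup.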
static void *kmac_dup(void *vsrc)
{
struct kmac_data_st *src = vsrc;
- struct kmac_data_st *dst = kmac_new(src->provctx);
+ struct kmac_data_st *dst;
+ if (!ossl_prov_is_running())
+ return NULL;
+
+ dst = kmac_new(src->provctx);
if (dst == NULL)
return NULL;
return dst;
}
+static int kmac_setkey(struct kmac_data_st *kctx, const unsigned char *key,
+ size_t keylen)
+{
+ const EVP_MD *digest = ossl_prov_digest_md(&kctx->digest);
+ int w = EVP_MD_get_block_size(digest);
+
+ if (keylen < KMAC_MIN_KEY || keylen > KMAC_MAX_KEY) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
+ return 0;
+ }
+ if (w <= 0) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST_LENGTH);
+ return 0;
+ }
+ if (!kmac_bytepad_encode_key(kctx->key, sizeof(kctx->key), &kctx->key_len,
+ key, keylen, (size_t)w))
+ return 0;
+ return 1;
+}
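Review bot: kmac_setkey() does not reject `key == NULL`, and the new call in kmac_set_ctx_params passes `p->data` and `p->data_size` straight through. encode_string() treats a NULL input as success with a zero length, and bytepad() still emits a padded block for it, so this path appears to leave a non-zero `key_len` that satisfies the "key has been set" test in kmac_init without any key bytes having been absorbed. Widening the first check to `if (key == NULL || keylen < KMAC_MIN_KEY || keylen > KMAC_MAX_KEY) {` closes that. Whether a caller can actually hand in a NULL data pointer with a non-zero size is not visible from this diff.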
+
/*
* The init() assumes that any ctrl methods are set beforehand for
* md, key and custom. Setting the fields afterwards will have no
* effect on the output mac.
*/
-static int kmac_init(void *vmacctx)
+static int kmac_init(void *vmacctx, const unsigned char *key,
+ size_t keylen, const OSSL_PARAM params[])
{
struct kmac_data_st *kctx = vmacctx;
EVP_MD_CTX *ctx = kctx->ctx;
- unsigned char out[KMAC_MAX_BLOCKSIZE];
- int out_len, block_len;
+ unsigned char *out;
+ size_t out_len, block_len;
+ int res, t;
+ if (!ossl_prov_is_running() || !kmac_set_ctx_params(kctx, params))
+ return 0;
- /* Check key has been set */
- if (kctx->key_len == 0) {
- EVPerr(EVP_F_KMAC_INIT, EVP_R_NO_KEY_SET);
+ if (key != NULL) {
+ if (!kmac_setkey(kctx, key, keylen))
+ return 0;
+ } else if (kctx->key_len == 0) {
+ /* Check key has been set */
+ ERR_raise(ERR_LIB_PROV, PROV_R_NO_KEY_SET);
return 0;
}
if (!EVP_DigestInit_ex(kctx->ctx, ossl_prov_digest_md(&kctx->digest),
NULL))
return 0;
- block_len = EVP_MD_block_size(ossl_prov_digest_md(&kctx->digest));
- if (block_len < 0)
+ t = EVP_MD_get_block_size(ossl_prov_digest_md(&kctx->digest));
+ if (t <= 0) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST_LENGTH);
return 0;
+ }
+ block_len = t;
/* Set default custom string if it is not already set */
if (kctx->custom_len == 0) {
- const OSSL_PARAM params[] = {
+ const OSSL_PARAM cparams[] = {
OSSL_PARAM_octet_string(OSSL_MAC_PARAM_CUSTOM, "", 0),
OSSL_PARAM_END
};
- (void)kmac_set_ctx_params(kctx, params);
+ (void)kmac_set_ctx_params(kctx, cparams);
}
- return bytepad(out, &out_len, kmac_string, sizeof(kmac_string),
- kctx->custom, kctx->custom_len, block_len)
- && EVP_DigestUpdate(ctx, out, out_len)
- && EVP_DigestUpdate(ctx, kctx->key, kctx->key_len);
-}
-
-static size_t kmac_size(void *vmacctx)
-{
- struct kmac_data_st *kctx = vmacctx;
-
- return kctx->out_len;
+ if (!bytepad(NULL, &out_len, kmac_string, sizeof(kmac_string),
+ kctx->custom, kctx->custom_len, block_len)) {
+ ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+ out = OPENSSL_malloc(out_len);
+ if (out == NULL)
+ return 0;
+ res = bytepad(out, NULL, kmac_string, sizeof(kmac_string),
+ kctx->custom, kctx->custom_len, block_len)
+ && EVP_DigestUpdate(ctx, out, out_len)
+ && EVP_DigestUpdate(ctx, kctx->key, kctx->key_len);
+ OPENSSL_free(out);
+ return res;
}
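Review bot: The comment above kmac_init still says init "assumes that any ctrl methods are set beforehand for md, key and custom", but the new signature takes `key`, `keylen` and `params` and applies them itself before starting the digest. I would reword it along the lines of `/* Applies params and, if key is non-NULL, the key, then starts the digest. A key or custom string set after init() has no effect on the output mac. */`. The default-custom-string call keeps `(void)kmac_set_ctx_params(kctx, cparams);`; a short comment on why its result can be ignored would help, because a failure there would leave `custom_len` at 0 and the MAC would be computed without the encoded customisation string.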
static int kmac_update(void *vmacctx, const unsigned char *data,
{
struct kmac_data_st *kctx = vmacctx;
EVP_MD_CTX *ctx = kctx->ctx;
- int lbits, len;
+ size_t lbits, len;
unsigned char encoded_outlen[KMAC_MAX_ENCODED_HEADER_LEN];
int ok;
+ if (!ossl_prov_is_running())
+ return 0;
+
/* KMAC XOF mode sets the encoded length to 0 */
lbits = (kctx->xof_mode ? 0 : (kctx->out_len * 8));
- ok = right_encode(encoded_outlen, &len, lbits)
+ ok = right_encode(encoded_outlen, sizeof(encoded_outlen), &len, lbits)
&& EVP_DigestUpdate(ctx, encoded_outlen, len)
&& EVP_DigestFinalXOF(ctx, out, kctx->out_len);
- if (ok && outl != NULL)
- *outl = kctx->out_len;
+ *outl = kctx->out_len;
return ok;
}
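Review bot: `*outl = kctx->out_len;` is now unconditional, so it dereferences `outl` without the NULL test the old line had and also reports a length when `ok` is 0. If the MAC final contract guarantees a non-NULL `outl` (the signature and the callers are outside this hunk), a one-line comment saying so would make the removal clearly deliberate. Otherwise keep the guard as `if (outl != NULL) *outl = kctx->out_len;`.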
static const OSSL_PARAM known_gettable_ctx_params[] = {
OSSL_PARAM_size_t(OSSL_MAC_PARAM_SIZE, NULL),
+ OSSL_PARAM_size_t(OSSL_MAC_PARAM_BLOCK_SIZE, NULL),
OSSL_PARAM_END
};
-static const OSSL_PARAM *kmac_gettable_ctx_params(void)
+static const OSSL_PARAM *kmac_gettable_ctx_params(ossl_unused void *ctx,
+ ossl_unused void *provctx)
{
return known_gettable_ctx_params;
}
static int kmac_get_ctx_params(void *vmacctx, OSSL_PARAM params[])
{
+ struct kmac_data_st *kctx = vmacctx;
OSSL_PARAM *p;
+ int sz;
+
+ if ((p = OSSL_PARAM_locate(params, OSSL_MAC_PARAM_SIZE)) != NULL
+ && !OSSL_PARAM_set_size_t(p, kctx->out_len))
+ return 0;
- if ((p = OSSL_PARAM_locate(params, OSSL_MAC_PARAM_SIZE)) != NULL)
- return OSSL_PARAM_set_size_t(p, kmac_size(vmacctx));
+ if ((p = OSSL_PARAM_locate(params, OSSL_MAC_PARAM_BLOCK_SIZE)) != NULL) {
+ sz = EVP_MD_block_size(ossl_prov_digest_md(&kctx->digest));
+ if (!OSSL_PARAM_set_int(p, sz))
+ return 0;
+ }
return 1;
}
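Review bot: The block-size getter passes the digest's result to `OSSL_PARAM_set_int` without the `<= 0` check that kmac_init and kmac_setkey apply to the same value, so a context with no usable digest reports a failure without a specific error. It also calls `EVP_MD_block_size` while the rest of this change uses `EVP_MD_get_block_size`, and it sets an int although the gettable table declares `OSSL_MAC_PARAM_BLOCK_SIZE` with `OSSL_PARAM_size_t`. Suggested form: `sz = EVP_MD_get_block_size(ossl_prov_digest_md(&kctx->digest));` followed by `if (sz <= 0 || !OSSL_PARAM_set_size_t(p, (size_t)sz)) return 0;`.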
OSSL_PARAM_octet_string(OSSL_MAC_PARAM_CUSTOM, NULL, 0),
OSSL_PARAM_END
};
-static const OSSL_PARAM *kmac_settable_ctx_params(void)
+static const OSSL_PARAM *kmac_settable_ctx_params(ossl_unused void *ctx,
+ ossl_unused void *provctx)
{
return known_settable_ctx_params;
}
{
struct kmac_data_st *kctx = vmacctx;
const OSSL_PARAM *p;
- const EVP_MD *digest = ossl_prov_digest_md(&kctx->digest);
+
+ if (params == NULL)
+ return 1;
if ((p = OSSL_PARAM_locate_const(params, OSSL_MAC_PARAM_XOF)) != NULL
&& !OSSL_PARAM_get_int(p, &kctx->xof_mode))
return 0;
- if (((p = OSSL_PARAM_locate_const(params, OSSL_MAC_PARAM_SIZE)) != NULL)
- && !OSSL_PARAM_get_size_t(p, &kctx->out_len))
- return 0;
- if ((p = OSSL_PARAM_locate_const(params, OSSL_MAC_PARAM_KEY)) != NULL) {
- if (p->data_size < 4 || p->data_size > KMAC_MAX_KEY) {
- ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
+ if ((p = OSSL_PARAM_locate_const(params, OSSL_MAC_PARAM_SIZE)) != NULL) {
+ size_t sz = 0;
+
+ if (!OSSL_PARAM_get_size_t(p, &sz))
return 0;
- }
- if (!kmac_bytepad_encode_key(kctx->key, &kctx->key_len,
- p->data, p->data_size,
- EVP_MD_block_size(digest)))
+ if (sz > KMAC_MAX_OUTPUT_LEN) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_OUTPUT_LENGTH);
return 0;
+ }
+ kctx->out_len = sz;
}
+ if ((p = OSSL_PARAM_locate_const(params, OSSL_MAC_PARAM_KEY)) != NULL
+ && !kmac_setkey(kctx, p->data, p->data_size))
+ return 0;
if ((p = OSSL_PARAM_locate_const(params, OSSL_MAC_PARAM_CUSTOM))
!= NULL) {
if (p->data_size > KMAC_MAX_CUSTOM) {
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CUSTOM_LENGTH);
return 0;
}
- if (!encode_string(kctx->custom, &kctx->custom_len,
+ if (!encode_string(kctx->custom, sizeof(kctx->custom), &kctx->custom_len,
p->data, p->data_size))
return 0;
}
return 1;
}
-/*
- * Encoding/Padding Methods.
- */
+/* Encoding/Padding Methods. */
/* Returns the number of bytes required to store 'bits' into a byte array */
static unsigned int get_encode_size(size_t bits)
* *out_len.
*
* e.g if bits = 32, out[2] = { 0x20, 0x01 }
- *
*/
-static int right_encode(unsigned char *out, int *out_len, size_t bits)
+static int right_encode(unsigned char *out, size_t out_max_len, size_t *out_len,
+ size_t bits)
{
unsigned int len = get_encode_size(bits);
int i;
- /* The length is constrained to a single byte: 2040/8 = 255 */
- if (len > 0xFF)
+ if (len >= out_max_len) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_LENGTH_TOO_LARGE);
return 0;
+ }
/* MSB's are at the start of the bytes array */
for (i = len - 1; i >= 0; --i) {
* e.g- in="KMAC" gives out[6] = { 0x01, 0x20, 0x4B, 0x4D, 0x41, 0x43 }
* len bits K M A C
*/
-static int encode_string(unsigned char *out, int *out_len,
- const unsigned char *in, int in_len)
+static int encode_string(unsigned char *out, size_t out_max_len, size_t *out_len,
+ const unsigned char *in, size_t in_len)
{
if (in == NULL) {
*out_len = 0;
} else {
- int i, bits, len;
+ size_t i, bits, len, sz;
bits = 8 * in_len;
len = get_encode_size(bits);
- if (len > 0xFF)
+ sz = 1 + len + in_len;
+
+ if (sz > out_max_len) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_LENGTH_TOO_LARGE);
return 0;
+ }
- out[0] = len;
+ out[0] = (unsigned char)len;
for (i = len; i > 0; --i) {
out[i] = (bits & 0xFF);
bits >>= 8;
}
memcpy(out + len + 1, in, in_len);
- *out_len = (1 + len + in_len);
+ *out_len = sz;
}
return 1;
}
* The returned output is:
* zero_padded(multiple of w, (left_encode(w) || in1 [|| in2])
*/
-static int bytepad(unsigned char *out, int *out_len,
- const unsigned char *in1, int in1_len,
- const unsigned char *in2, int in2_len, int w)
+static int bytepad(unsigned char *out, size_t *out_len,
+ const unsigned char *in1, size_t in1_len,
+ const unsigned char *in2, size_t in2_len, size_t w)
{
int len;
unsigned char *p = out;
int sz = w;
+ if (out == NULL) {
+ if (out_len == NULL) {
+ ERR_raise(ERR_LIB_PROV, ERR_R_PASSED_NULL_PARAMETER);
+ return 0;
+ }
+ sz = 2 + in1_len + (in2 != NULL ? in2_len : 0);
+ *out_len = (sz + w - 1) / w * w;
+ return 1;
+ }
+
+ if (!ossl_assert(w <= 255))
+ return 0;
+
/* Left encoded w */
*p++ = 1;
- *p++ = w;
+ *p++ = (unsigned char)w;
/* || in1 */
memcpy(p, in1, in1_len);
p += in1_len;
}
/* Figure out the pad size (divisible by w) */
len = p - out;
- while (len > sz) {
- sz += w;
- }
+ sz = (len + w - 1) / w * w;
/* zero pad the end of the buffer */
- memset(p, 0, sz - len);
- *out_len = sz;
+ if (sz != len)
+ memset(p, 0, sz - len);
+ if (out_len != NULL)
+ *out_len = sz;
return 1;
}
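Review bot: bytepad() keeps `int len;` and `int sz = w;` although every length parameter became `size_t`, so `sz = 2 + in1_len + ...` and `len = p - out` narrow back to int and the padding arithmetic mixes signed and unsigned operands. The sizes are bounded by the KMAC_MAX_* constants, so I do not expect an overflow today, but `size_t len, sz = w;` removes the conversions and matches the new prototype. The size-query branch also divides by `w` before the `ossl_assert(w <= 255)` check runs. Both visible callers reject a non-positive block size first, but moving the check above the `out == NULL` branch as `if (!ossl_assert(w > 0 && w <= 255)) return 0;` makes the function safe on its own. Part of the body (the in2 copy) is not shown in this hunk.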
-/*
- * Returns out = bytepad(encode_string(in), w)
- */
-static int kmac_bytepad_encode_key(unsigned char *out, int *out_len,
- const unsigned char *in, int in_len,
- int w)
+/* Returns out = bytepad(encode_string(in), w) */
+static int kmac_bytepad_encode_key(unsigned char *out, size_t out_max_len,
+ size_t *out_len,
+ const unsigned char *in, size_t in_len,
+ size_t w)
{
unsigned char tmp[KMAC_MAX_KEY + KMAC_MAX_ENCODED_HEADER_LEN];
- int tmp_len;
+ size_t tmp_len;
- if (!encode_string(tmp, &tmp_len, in, in_len))
+ if (!encode_string(tmp, sizeof(tmp), &tmp_len, in, in_len))
return 0;
-
- return bytepad(out, out_len, tmp, tmp_len, NULL, 0, w);
+ if (!bytepad(NULL, out_len, tmp, tmp_len, NULL, 0, w))
+ return 0;
+ if (!ossl_assert(*out_len <= out_max_len))
+ return 0;
+ return bytepad(out, NULL, tmp, tmp_len, NULL, 0, w);
}
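Review bot: `tmp` in kmac_bytepad_encode_key holds the encoded key, up to `KMAC_MAX_KEY + KMAC_MAX_ENCODED_HEADER_LEN` bytes after this change, and every return path leaves it on the stack. The new body has four exits, so folding them into a single result and cleansing the buffer before returning keeps key material from outliving the call. The sketch below keeps the same order of checks.
```c
    unsigned char tmp[KMAC_MAX_KEY + KMAC_MAX_ENCODED_HEADER_LEN];
    size_t tmp_len;
    int ok;

    ok = encode_string(tmp, sizeof(tmp), &tmp_len, in, in_len)
         && bytepad(NULL, out_len, tmp, tmp_len, NULL, 0, w)
         && ossl_assert(*out_len <= out_max_len)
         && bytepad(out, NULL, tmp, tmp_len, NULL, 0, w);
    /* tmp carries the encoded key: wipe it on success and on failure */
    OPENSSL_cleanse(tmp, sizeof(tmp));
    return ok;
```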
-const OSSL_DISPATCH kmac128_functions[] = {
+const OSSL_DISPATCH ossl_kmac128_functions[] = {
{ OSSL_FUNC_MAC_NEWCTX, (void (*)(void))kmac128_new },
{ OSSL_FUNC_MAC_DUPCTX, (void (*)(void))kmac_dup },
{ OSSL_FUNC_MAC_FREECTX, (void (*)(void))kmac_free },
{ OSSL_FUNC_MAC_SETTABLE_CTX_PARAMS,
(void (*)(void))kmac_settable_ctx_params },
{ OSSL_FUNC_MAC_SET_CTX_PARAMS, (void (*)(void))kmac_set_ctx_params },
- { 0, NULL }
+ OSSL_DISPATCH_END
};
-const OSSL_DISPATCH kmac256_functions[] = {
+const OSSL_DISPATCH ossl_kmac256_functions[] = {
{ OSSL_FUNC_MAC_NEWCTX, (void (*)(void))kmac256_new },
{ OSSL_FUNC_MAC_DUPCTX, (void (*)(void))kmac_dup },
{ OSSL_FUNC_MAC_FREECTX, (void (*)(void))kmac_free },
{ OSSL_FUNC_MAC_SETTABLE_CTX_PARAMS,
(void (*)(void))kmac_settable_ctx_params },
{ OSSL_FUNC_MAC_SET_CTX_PARAMS, (void (*)(void))kmac_set_ctx_params },
- { 0, NULL }
+ OSSL_DISPATCH_END
};