1/*
2 * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10#include <string.h>
11#include <openssl/core_names.h>
12#include <openssl/crypto.h>
13#include <openssl/evp.h>
14#include <openssl/params.h>
15#include <openssl/err.h>
16#include "internal/sha3.h"
17#include "prov/digestcommon.h"
18#include "prov/implementations.h"
19#include "prov/providercommonerr.h"
20
21/*
22 * Forward declaration of any unique methods implemented here. This is not strictly
23 * necessary for the compiler, but provides an assurance that the signatures
24 * of the functions in the dispatch table are correct.
25 */
26static OSSL_OP_digest_init_fn keccak_init;
27static OSSL_OP_digest_update_fn keccak_update;
28static OSSL_OP_digest_final_fn keccak_final;
29static OSSL_OP_digest_freectx_fn keccak_freectx;
30static OSSL_OP_digest_dupctx_fn keccak_dupctx;
31static OSSL_OP_digest_set_ctx_params_fn shake_set_ctx_params;
32static OSSL_OP_digest_settable_ctx_params_fn shake_settable_ctx_params;
33static sha3_absorb_fn generic_sha3_absorb;
34static sha3_final_fn generic_sha3_final;
35
36#if defined(OPENSSL_CPUID_OBJ) && defined(__s390__) && defined(KECCAK1600_ASM)
37/*
38 * IBM S390X support
39 */
40# include "s390x_arch.h"
41# define S390_SHA3 1
42# define S390_SHA3_CAPABLE(name) \
43 ((OPENSSL_s390xcap_P.kimd[0] & S390X_CAPBIT(S390X_##name)) && \
44 (OPENSSL_s390xcap_P.klmd[0] & S390X_CAPBIT(S390X_##name)))
45
46#endif
47
48static int keccak_init(void *vctx)
49{
50 /* The newctx() handles most of the ctx fixed setup. */
51 sha3_reset((KECCAK1600_CTX *)vctx);
52 return 1;
53}
54
55static int keccak_update(void *vctx, const unsigned char *inp, size_t len)
56{
57 KECCAK1600_CTX *ctx = vctx;
58 const size_t bsz = ctx->block_size;
59 size_t num, rem;
60
61 if (len == 0)
62 return 1;
63
64 /* Is there anything in the buffer already ? */
65 if ((num = ctx->bufsz) != 0) {
66 /* Calculate how much space is left in the buffer */
67 rem = bsz - num;
68 /* If the new input does not fill the buffer then just add it */
69 if (len < rem) {
70 memcpy(ctx->buf + num, inp, len);
71 ctx->bufsz += len;
72 return 1;
73 }
74 /* otherwise fill up the buffer and absorb the buffer */
75 memcpy(ctx->buf + num, inp, rem);
76 /* Update the input pointer */
77 inp += rem;
78 len -= rem;
79 ctx->meth.absorb(ctx, ctx->buf, bsz);
80 ctx->bufsz = 0;
81 }
82 /* Absorb the input - rem = leftover part of the input < blocksize) */
83 rem = ctx->meth.absorb(ctx, inp, len);
84 /* Copy the leftover bit of the input into the buffer */
85 if (rem) {
86 memcpy(ctx->buf, inp + len - rem, rem);
87 ctx->bufsz = rem;
88 }
89 return 1;
90}
91
92static int keccak_final(void *vctx, unsigned char *out, size_t *outl,
93 size_t outsz)
94{
95 int ret = 1;
96 KECCAK1600_CTX *ctx = vctx;
97
98 if (outsz > 0)
99 ret = ctx->meth.final(out, ctx);
100
101 *outl = ctx->md_size;
102 return ret;
103}
104
105/*-
106 * Generic software version of the absorb() and final().
107 */
108static size_t generic_sha3_absorb(void *vctx, const void *inp, size_t len)
109{
110 KECCAK1600_CTX *ctx = vctx;
111
112 return SHA3_absorb(ctx->A, inp, len, ctx->block_size);
113}
114
115static int generic_sha3_final(unsigned char *md, void *vctx)
116{
117 return sha3_final(md, (KECCAK1600_CTX *)vctx);
118}
119
120static PROV_SHA3_METHOD sha3_generic_md =
121{
122 generic_sha3_absorb,
123 generic_sha3_final
124};
125
126#if defined(S390_SHA3)
127
128static sha3_absorb_fn s390x_sha3_absorb;
129static sha3_final_fn s390x_sha3_final;
130static sha3_final_fn s390x_shake_final;
131
132/*-
133 * The platform specific parts of the absorb() and final() for S390X.
134 */
135static size_t s390x_sha3_absorb(void *vctx, const void *inp, size_t len)
136{
137 KECCAK1600_CTX *ctx = vctx;
138 size_t rem = len % ctx->block_size;
139
140 s390x_kimd(inp, len - rem, ctx->pad, ctx->A);
141 return rem;
142}
143
144static int s390x_sha3_final(unsigned char *md, void *vctx)
145{
146 KECCAK1600_CTX *ctx = vctx;
147
148 s390x_klmd(ctx->buf, ctx->bufsz, NULL, 0, ctx->pad, ctx->A);
149 memcpy(md, ctx->A, ctx->md_size);
150 return 1;
151}
152
153static int s390x_shake_final(unsigned char *md, void *vctx)
154{
155 KECCAK1600_CTX *ctx = vctx;
156
157 s390x_klmd(ctx->buf, ctx->bufsz, md, ctx->md_size, ctx->pad, ctx->A);
158 return 1;
159}
160
161static PROV_SHA3_METHOD sha3_s390x_md =
162{
163 s390x_sha3_absorb,
164 s390x_sha3_final
165};
166
167static PROV_SHA3_METHOD shake_s390x_md =
168{
169 s390x_sha3_absorb,
170 s390x_shake_final
171};
172
173# define SHA3_SET_MD(uname, typ) \
174 if (S390_SHA3_CAPABLE(uname)) { \
175 ctx->pad = S390X_##uname; \
176 ctx->meth = typ##_s390x_md; \
177 } else { \
178 ctx->meth = sha3_generic_md; \
179 }
180#else
181# define SHA3_SET_MD(uname, typ) ctx->meth = sha3_generic_md;
182#endif /* S390_SHA3 */
183
184#define SHA3_newctx(typ, uname, name, bitlen, pad) \
185static OSSL_OP_digest_newctx_fn name##_newctx; \
186static void *name##_newctx(void *provctx) \
187{ \
188 KECCAK1600_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx)); \
189 \
190 if (ctx == NULL) \
191 return NULL; \
192 sha3_init(ctx, pad, bitlen); \
193 SHA3_SET_MD(uname, typ) \
194 return ctx; \
195}
196
197#define KMAC_newctx(uname, bitlen, pad) \
198static OSSL_OP_digest_newctx_fn uname##_newctx; \
199static void *uname##_newctx(void *provctx) \
200{ \
201 KECCAK1600_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx)); \
202 \
203 if (ctx == NULL) \
204 return NULL; \
205 keccak_kmac_init(ctx, pad, bitlen); \
206 ctx->meth = sha3_generic_md; \
207 return ctx; \
208}
209
210#define PROV_FUNC_SHA3_DIGEST_COMMON(name, bitlen, blksize, dgstsize, flags) \
211PROV_FUNC_DIGEST_GET_PARAM(name, blksize, dgstsize, flags) \
212const OSSL_DISPATCH name##_functions[] = { \
213 { OSSL_FUNC_DIGEST_NEWCTX, (void (*)(void))name##_newctx }, \
214 { OSSL_FUNC_DIGEST_INIT, (void (*)(void))keccak_init }, \
215 { OSSL_FUNC_DIGEST_UPDATE, (void (*)(void))keccak_update }, \
216 { OSSL_FUNC_DIGEST_FINAL, (void (*)(void))keccak_final }, \
217 { OSSL_FUNC_DIGEST_FREECTX, (void (*)(void))keccak_freectx }, \
218 { OSSL_FUNC_DIGEST_DUPCTX, (void (*)(void))keccak_dupctx }, \
219 PROV_DISPATCH_FUNC_DIGEST_GET_PARAMS(name)
220
221#define PROV_FUNC_SHA3_DIGEST(name, bitlen, blksize, dgstsize, flags) \
222 PROV_FUNC_SHA3_DIGEST_COMMON(name, bitlen, blksize, dgstsize, flags), \
223 PROV_DISPATCH_FUNC_DIGEST_CONSTRUCT_END
224
225#define PROV_FUNC_SHAKE_DIGEST(name, bitlen, blksize, dgstsize, flags) \
226 PROV_FUNC_SHA3_DIGEST_COMMON(name, bitlen, blksize, dgstsize, flags), \
227 { OSSL_FUNC_DIGEST_SET_CTX_PARAMS, (void (*)(void))shake_set_ctx_params }, \
228 { OSSL_FUNC_DIGEST_SETTABLE_CTX_PARAMS, \
229 (void (*)(void))shake_settable_ctx_params }, \
230 PROV_DISPATCH_FUNC_DIGEST_CONSTRUCT_END
231
232static void keccak_freectx(void *vctx)
233{
234 KECCAK1600_CTX *ctx = (KECCAK1600_CTX *)vctx;
235
236 OPENSSL_clear_free(ctx, sizeof(*ctx));
237}
238
239static void *keccak_dupctx(void *ctx)
240{
241 KECCAK1600_CTX *in = (KECCAK1600_CTX *)ctx;
242 KECCAK1600_CTX *ret = OPENSSL_malloc(sizeof(*ret));
243
244 if (ret != NULL)
245 *ret = *in;
246 return ret;
247}
248
249static const OSSL_PARAM known_shake_settable_ctx_params[] = {
250 {OSSL_DIGEST_PARAM_SSL3_MS, OSSL_PARAM_OCTET_STRING, NULL, 0, 0},
251 OSSL_PARAM_END
252};
253static const OSSL_PARAM *shake_settable_ctx_params(void)
254{
255 return known_shake_settable_ctx_params;
256}
257
258static int shake_set_ctx_params(void *vctx, const OSSL_PARAM params[])
259{
260 const OSSL_PARAM *p;
261 KECCAK1600_CTX *ctx = (KECCAK1600_CTX *)vctx;
262
263 if (ctx != NULL && params != NULL) {
264 p = OSSL_PARAM_locate_const(params, OSSL_DIGEST_PARAM_XOFLEN);
265 if (p != NULL && !OSSL_PARAM_get_size_t(p, &ctx->md_size)) {
266 ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
267 return 0;
268 }
269 return 1;
270 }
271 return 0; /* Null Parameter */
272}
273
274#define IMPLEMENT_SHA3_functions(bitlen) \
275 SHA3_newctx(sha3, SHA3_##bitlen, sha3_##bitlen, bitlen, '\x06') \
276 PROV_FUNC_SHA3_DIGEST(sha3_##bitlen, bitlen, \
277 SHA3_BLOCKSIZE(bitlen), SHA3_MDSIZE(bitlen), \
278 EVP_MD_FLAG_DIGALGID_ABSENT)
279
280#define IMPLEMENT_SHAKE_functions(bitlen) \
281 SHA3_newctx(shake, SHAKE_##bitlen, shake_##bitlen, bitlen, '\x1f') \
282 PROV_FUNC_SHAKE_DIGEST(shake_##bitlen, bitlen, \
283 SHA3_BLOCKSIZE(bitlen), SHA3_MDSIZE(bitlen), \
284 EVP_MD_FLAG_XOF)
285#define IMPLEMENT_KMAC_functions(bitlen) \
286 KMAC_newctx(keccak_kmac_##bitlen, bitlen, '\x04') \
287 PROV_FUNC_SHAKE_DIGEST(keccak_kmac_##bitlen, bitlen, \
288 SHA3_BLOCKSIZE(bitlen), KMAC_MDSIZE(bitlen), \
289 EVP_MD_FLAG_XOF)
290
291/* sha3_224_functions */
292IMPLEMENT_SHA3_functions(224)
293/* sha3_256_functions */
294IMPLEMENT_SHA3_functions(256)
295/* sha3_384_functions */
296IMPLEMENT_SHA3_functions(384)
297/* sha3_512_functions */
298IMPLEMENT_SHA3_functions(512)
299/* shake_128_functions */
300IMPLEMENT_SHAKE_functions(128)
301/* shake_256_functions */
302IMPLEMENT_SHAKE_functions(256)
303/* keccak_kmac_128_functions */
304IMPLEMENT_KMAC_functions(128)
305/* keccak_kmac_256_functions */
306IMPLEMENT_KMAC_functions(256)
307