Gitiles
Code Review Sign In
192.168.1.100 / R306 / 2dbc1526a2b84342aa5d5d2a0b7c25c960d13710 / . / ap / lib / libssl / openssl-1.1.1o / crypto / evp / m_sha3.c
blob: 54c592a3cce249bde2e49c8400983e01a91cc2b0 [file] [log] [blame]
yuezonghe824eb0c2024-06-27 02:32:26 -0700[diff] [blame]1/*
2 * Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10#include <stdio.h>
11#include <string.h>
12
13#include <openssl/evp.h>
14#include <openssl/objects.h>
15#include "crypto/evp.h"
16#include "evp_local.h"
17
18size_t SHA3_absorb(uint64_t A[5][5], const unsigned char *inp, size_t len,
19 size_t r);
20void SHA3_squeeze(uint64_t A[5][5], unsigned char *out, size_t len, size_t r);
21
22#define KECCAK1600_WIDTH 1600
23
24typedef struct {
25 uint64_t A[5][5];
26 size_t block_size; /* cached ctx->digest->block_size */
27 size_t md_size; /* output length, variable in XOF */
28 size_t num; /* used bytes in below buffer */
29 unsigned char buf[KECCAK1600_WIDTH / 8 - 32];
30 unsigned char pad;
31} KECCAK1600_CTX;
32
33static int init(EVP_MD_CTX *evp_ctx, unsigned char pad)
34{
35 KECCAK1600_CTX *ctx = evp_ctx->md_data;
36 size_t bsz = evp_ctx->digest->block_size;
37
38 if (bsz <= sizeof(ctx->buf)) {
39 memset(ctx->A, 0, sizeof(ctx->A));
40
41 ctx->num = 0;
42 ctx->block_size = bsz;
43 ctx->md_size = evp_ctx->digest->md_size;
44 ctx->pad = pad;
45
46 return 1;
47 }
48
49 return 0;
50}
51
52static int sha3_init(EVP_MD_CTX *evp_ctx)
53{
54 return init(evp_ctx, '\x06');
55}
56
57static int shake_init(EVP_MD_CTX *evp_ctx)
58{
59 return init(evp_ctx, '\x1f');
60}
61
62static int sha3_update(EVP_MD_CTX *evp_ctx, const void *_inp, size_t len)
63{
64 KECCAK1600_CTX *ctx = evp_ctx->md_data;
65 const unsigned char *inp = _inp;
66 size_t bsz = ctx->block_size;
67 size_t num, rem;
68
69 if (len == 0)
70 return 1;
71
72 if ((num = ctx->num) != 0) { /* process intermediate buffer? */
73 rem = bsz - num;
74
75 if (len < rem) {
76 memcpy(ctx->buf + num, inp, len);
77 ctx->num += len;
78 return 1;
79 }
80 /*
81 * We have enough data to fill or overflow the intermediate
82 * buffer. So we append |rem| bytes and process the block,
83 * leaving the rest for later processing...
84 */
85 memcpy(ctx->buf + num, inp, rem);
86 inp += rem, len -= rem;
87 (void)SHA3_absorb(ctx->A, ctx->buf, bsz, bsz);
88 ctx->num = 0;
89 /* ctx->buf is processed, ctx->num is guaranteed to be zero */
90 }
91
92 if (len >= bsz)
93 rem = SHA3_absorb(ctx->A, inp, len, bsz);
94 else
95 rem = len;
96
97 if (rem) {
98 memcpy(ctx->buf, inp + len - rem, rem);
99 ctx->num = rem;
100 }
101
102 return 1;
103}
104
105static int sha3_final(EVP_MD_CTX *evp_ctx, unsigned char *md)
106{
107 KECCAK1600_CTX *ctx = evp_ctx->md_data;
108 size_t bsz = ctx->block_size;
109 size_t num = ctx->num;
110
111 if (ctx->md_size == 0)
112 return 1;
113
114 /*
115 * Pad the data with 10*1. Note that |num| can be |bsz - 1|
116 * in which case both byte operations below are performed on
117 * same byte...
118 */
119 memset(ctx->buf + num, 0, bsz - num);
120 ctx->buf[num] = ctx->pad;
121 ctx->buf[bsz - 1] |= 0x80;
122
123 (void)SHA3_absorb(ctx->A, ctx->buf, bsz, bsz);
124
125 SHA3_squeeze(ctx->A, md, ctx->md_size, bsz);
126
127 return 1;
128}
129
130static int shake_ctrl(EVP_MD_CTX *evp_ctx, int cmd, int p1, void *p2)
131{
132 KECCAK1600_CTX *ctx = evp_ctx->md_data;
133
134 switch (cmd) {
135 case EVP_MD_CTRL_XOF_LEN:
136 ctx->md_size = p1;
137 return 1;
138 default:
139 return 0;
140 }
141}
142
143#if defined(OPENSSL_CPUID_OBJ) && defined(__s390__) && defined(KECCAK1600_ASM)
144/*
145 * IBM S390X support
146 */
147# include "s390x_arch.h"
148
149# define S390X_SHA3_FC(ctx) ((ctx)->pad)
150
151# define S390X_sha3_224_CAPABLE ((OPENSSL_s390xcap_P.kimd[0] & \
152 S390X_CAPBIT(S390X_SHA3_224)) && \
153 (OPENSSL_s390xcap_P.klmd[0] & \
154 S390X_CAPBIT(S390X_SHA3_224)))
155# define S390X_sha3_256_CAPABLE ((OPENSSL_s390xcap_P.kimd[0] & \
156 S390X_CAPBIT(S390X_SHA3_256)) && \
157 (OPENSSL_s390xcap_P.klmd[0] & \
158 S390X_CAPBIT(S390X_SHA3_256)))
159# define S390X_sha3_384_CAPABLE ((OPENSSL_s390xcap_P.kimd[0] & \
160 S390X_CAPBIT(S390X_SHA3_384)) && \
161 (OPENSSL_s390xcap_P.klmd[0] & \
162 S390X_CAPBIT(S390X_SHA3_384)))
163# define S390X_sha3_512_CAPABLE ((OPENSSL_s390xcap_P.kimd[0] & \
164 S390X_CAPBIT(S390X_SHA3_512)) && \
165 (OPENSSL_s390xcap_P.klmd[0] & \
166 S390X_CAPBIT(S390X_SHA3_512)))
167# define S390X_shake128_CAPABLE ((OPENSSL_s390xcap_P.kimd[0] & \
168 S390X_CAPBIT(S390X_SHAKE_128)) && \
169 (OPENSSL_s390xcap_P.klmd[0] & \
170 S390X_CAPBIT(S390X_SHAKE_128)))
171# define S390X_shake256_CAPABLE ((OPENSSL_s390xcap_P.kimd[0] & \
172 S390X_CAPBIT(S390X_SHAKE_256)) && \
173 (OPENSSL_s390xcap_P.klmd[0] & \
174 S390X_CAPBIT(S390X_SHAKE_256)))
175
176/* Convert md-size to block-size. */
177# define S390X_KECCAK1600_BSZ(n) ((KECCAK1600_WIDTH - ((n) << 1)) >> 3)
178
179static int s390x_sha3_init(EVP_MD_CTX *evp_ctx)
180{
181 KECCAK1600_CTX *ctx = evp_ctx->md_data;
182 const size_t bsz = evp_ctx->digest->block_size;
183
184 /*-
185 * KECCAK1600_CTX structure's pad field is used to store the KIMD/KLMD
186 * function code.
187 */
188 switch (bsz) {
189 case S390X_KECCAK1600_BSZ(224):
190 ctx->pad = S390X_SHA3_224;
191 break;
192 case S390X_KECCAK1600_BSZ(256):
193 ctx->pad = S390X_SHA3_256;
194 break;
195 case S390X_KECCAK1600_BSZ(384):
196 ctx->pad = S390X_SHA3_384;
197 break;
198 case S390X_KECCAK1600_BSZ(512):
199 ctx->pad = S390X_SHA3_512;
200 break;
201 default:
202 return 0;
203 }
204
205 memset(ctx->A, 0, sizeof(ctx->A));
206 ctx->num = 0;
207 ctx->block_size = bsz;
208 ctx->md_size = evp_ctx->digest->md_size;
209 return 1;
210}
211
212static int s390x_shake_init(EVP_MD_CTX *evp_ctx)
213{
214 KECCAK1600_CTX *ctx = evp_ctx->md_data;
215 const size_t bsz = evp_ctx->digest->block_size;
216
217 /*-
218 * KECCAK1600_CTX structure's pad field is used to store the KIMD/KLMD
219 * function code.
220 */
221 switch (bsz) {
222 case S390X_KECCAK1600_BSZ(128):
223 ctx->pad = S390X_SHAKE_128;
224 break;
225 case S390X_KECCAK1600_BSZ(256):
226 ctx->pad = S390X_SHAKE_256;
227 break;
228 default:
229 return 0;
230 }
231
232 memset(ctx->A, 0, sizeof(ctx->A));
233 ctx->num = 0;
234 ctx->block_size = bsz;
235 ctx->md_size = evp_ctx->digest->md_size;
236 return 1;
237}
238
239static int s390x_sha3_update(EVP_MD_CTX *evp_ctx, const void *_inp, size_t len)
240{
241 KECCAK1600_CTX *ctx = evp_ctx->md_data;
242 const unsigned char *inp = _inp;
243 const size_t bsz = ctx->block_size;
244 size_t num, rem;
245
246 if (len == 0)
247 return 1;
248
249 if ((num = ctx->num) != 0) {
250 rem = bsz - num;
251
252 if (len < rem) {
253 memcpy(ctx->buf + num, inp, len);
254 ctx->num += len;
255 return 1;
256 }
257 memcpy(ctx->buf + num, inp, rem);
258 inp += rem;
259 len -= rem;
260 s390x_kimd(ctx->buf, bsz, ctx->pad, ctx->A);
261 ctx->num = 0;
262 }
263 rem = len % bsz;
264
265 s390x_kimd(inp, len - rem, ctx->pad, ctx->A);
266
267 if (rem) {
268 memcpy(ctx->buf, inp + len - rem, rem);
269 ctx->num = rem;
270 }
271 return 1;
272}
273
274static int s390x_sha3_final(EVP_MD_CTX *evp_ctx, unsigned char *md)
275{
276 KECCAK1600_CTX *ctx = evp_ctx->md_data;
277
278 s390x_klmd(ctx->buf, ctx->num, NULL, 0, ctx->pad, ctx->A);
279 memcpy(md, ctx->A, ctx->md_size);
280 return 1;
281}
282
283static int s390x_shake_final(EVP_MD_CTX *evp_ctx, unsigned char *md)
284{
285 KECCAK1600_CTX *ctx = evp_ctx->md_data;
286
287 s390x_klmd(ctx->buf, ctx->num, md, ctx->md_size, ctx->pad, ctx->A);
288 return 1;
289}
290
291# define EVP_MD_SHA3(bitlen) \
292const EVP_MD *EVP_sha3_##bitlen(void) \
293{ \
294 static const EVP_MD s390x_sha3_##bitlen##_md = { \
295 NID_sha3_##bitlen, \
296 NID_RSA_SHA3_##bitlen, \
297 bitlen / 8, \
298 EVP_MD_FLAG_DIGALGID_ABSENT, \
299 s390x_sha3_init, \
300 s390x_sha3_update, \
301 s390x_sha3_final, \
302 NULL, \
303 NULL, \
304 (KECCAK1600_WIDTH - bitlen * 2) / 8, \
305 sizeof(KECCAK1600_CTX), \
306 }; \
307 static const EVP_MD sha3_##bitlen##_md = { \
308 NID_sha3_##bitlen, \
309 NID_RSA_SHA3_##bitlen, \
310 bitlen / 8, \
311 EVP_MD_FLAG_DIGALGID_ABSENT, \
312 sha3_init, \
313 sha3_update, \
314 sha3_final, \
315 NULL, \
316 NULL, \
317 (KECCAK1600_WIDTH - bitlen * 2) / 8, \
318 sizeof(KECCAK1600_CTX), \
319 }; \
320 return S390X_sha3_##bitlen##_CAPABLE ? \
321 &s390x_sha3_##bitlen##_md : \
322 &sha3_##bitlen##_md; \
323}
324
325# define EVP_MD_SHAKE(bitlen) \
326const EVP_MD *EVP_shake##bitlen(void) \
327{ \
328 static const EVP_MD s390x_shake##bitlen##_md = { \
329 NID_shake##bitlen, \
330 0, \
331 bitlen / 8, \
332 EVP_MD_FLAG_XOF, \
333 s390x_shake_init, \
334 s390x_sha3_update, \
335 s390x_shake_final, \
336 NULL, \
337 NULL, \
338 (KECCAK1600_WIDTH - bitlen * 2) / 8, \
339 sizeof(KECCAK1600_CTX), \
340 shake_ctrl \
341 }; \
342 static const EVP_MD shake##bitlen##_md = { \
343 NID_shake##bitlen, \
344 0, \
345 bitlen / 8, \
346 EVP_MD_FLAG_XOF, \
347 shake_init, \
348 sha3_update, \
349 sha3_final, \
350 NULL, \
351 NULL, \
352 (KECCAK1600_WIDTH - bitlen * 2) / 8, \
353 sizeof(KECCAK1600_CTX), \
354 shake_ctrl \
355 }; \
356 return S390X_shake##bitlen##_CAPABLE ? \
357 &s390x_shake##bitlen##_md : \
358 &shake##bitlen##_md; \
359}
360
361#else
362
363# define EVP_MD_SHA3(bitlen) \
364const EVP_MD *EVP_sha3_##bitlen(void) \
365{ \
366 static const EVP_MD sha3_##bitlen##_md = { \
367 NID_sha3_##bitlen, \
368 NID_RSA_SHA3_##bitlen, \
369 bitlen / 8, \
370 EVP_MD_FLAG_DIGALGID_ABSENT, \
371 sha3_init, \
372 sha3_update, \
373 sha3_final, \
374 NULL, \
375 NULL, \
376 (KECCAK1600_WIDTH - bitlen * 2) / 8, \
377 sizeof(KECCAK1600_CTX), \
378 }; \
379 return &sha3_##bitlen##_md; \
380}
381
382# define EVP_MD_SHAKE(bitlen) \
383const EVP_MD *EVP_shake##bitlen(void) \
384{ \
385 static const EVP_MD shake##bitlen##_md = { \
386 NID_shake##bitlen, \
387 0, \
388 bitlen / 8, \
389 EVP_MD_FLAG_XOF, \
390 shake_init, \
391 sha3_update, \
392 sha3_final, \
393 NULL, \
394 NULL, \
395 (KECCAK1600_WIDTH - bitlen * 2) / 8, \
396 sizeof(KECCAK1600_CTX), \
397 shake_ctrl \
398 }; \
399 return &shake##bitlen##_md; \
400}
401#endif
402
403EVP_MD_SHA3(224)
404EVP_MD_SHA3(256)
405EVP_MD_SHA3(384)
406EVP_MD_SHA3(512)
407
408EVP_MD_SHAKE(128)
409EVP_MD_SHAKE(256)