From 7c214f1092f7622a1c2fdc5cfe70ddc94918daa3 Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Fri, 4 Oct 2019 12:30:33 +0200 Subject: Providers: move all digests From providers/{common,default,legacy}/ to providers/implementations/ However, providers/common/digests/digest_common.c stays where it is, because it's support code rather than an implementation. To better support all kinds of implementations with common code, we add the library providers/libcommon.a. Code that ends up in this library must be FIPS agnostic. While we're moving things around, though, we move digestscommon.h from providers/common/include/internal to providers/common/include/prov, thereby starting on a provider specific include structure, which follows the line of thoughts of the recent header file reorganization. We modify the affected '#include "internal/something.h"' to '#include "prov/something.h"'. Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/10088) --- providers/implementations/digests/blake2_impl.h | 129 +++++++++ providers/implementations/digests/blake2_prov.c | 42 +++ providers/implementations/digests/blake2b_prov.c | 328 ++++++++++++++++++++++ providers/implementations/digests/blake2s_prov.c | 319 +++++++++++++++++++++ providers/implementations/digests/build.info | 52 ++++ providers/implementations/digests/md2_prov.c | 18 ++ providers/implementations/digests/md4_prov.c | 18 ++ providers/implementations/digests/md5_prov.c | 18 ++ providers/implementations/digests/md5_sha1_prov.c | 51 ++++ providers/implementations/digests/mdc2_prov.c | 52 ++++ providers/implementations/digests/ripemd_prov.c | 18 ++ providers/implementations/digests/sha2_prov.c | 89 ++++++ providers/implementations/digests/sha3_prov.c | 305 ++++++++++++++++++++ providers/implementations/digests/sm3_prov.c | 18 ++ providers/implementations/digests/wp_prov.c | 18 ++ 15 files changed, 1475 insertions(+) create mode 100644 providers/implementations/digests/blake2_impl.h create mode 100644 providers/implementations/digests/blake2_prov.c create mode 100644 providers/implementations/digests/blake2b_prov.c create mode 100644 providers/implementations/digests/blake2s_prov.c create mode 100644 providers/implementations/digests/build.info create mode 100644 providers/implementations/digests/md2_prov.c create mode 100644 providers/implementations/digests/md4_prov.c create mode 100644 providers/implementations/digests/md5_prov.c create mode 100644 providers/implementations/digests/md5_sha1_prov.c create mode 100644 providers/implementations/digests/mdc2_prov.c create mode 100644 providers/implementations/digests/ripemd_prov.c create mode 100644 providers/implementations/digests/sha2_prov.c create mode 100644 providers/implementations/digests/sha3_prov.c create mode 100644 providers/implementations/digests/sm3_prov.c create mode 100644 providers/implementations/digests/wp_prov.c (limited to 'providers/implementations/digests') diff --git a/providers/implementations/digests/blake2_impl.h b/providers/implementations/digests/blake2_impl.h new file mode 100644 index 0000000000..52477a8fe2 --- /dev/null +++ b/providers/implementations/digests/blake2_impl.h @@ -0,0 +1,129 @@ +/* + * Copyright 2016-2017 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +/* + * Derived from the BLAKE2 reference implementation written by Samuel Neves. + * Copyright 2012, Samuel Neves + * More information about the BLAKE2 hash function and its implementations + * can be found at https://blake2.net. + */ + +#include + +static ossl_inline uint32_t load32(const uint8_t *src) +{ + const union { + long one; + char little; + } is_endian = { 1 }; + + if (is_endian.little) { + uint32_t w; + memcpy(&w, src, sizeof(w)); + return w; + } else { + uint32_t w = ((uint32_t)src[0]) + | ((uint32_t)src[1] << 8) + | ((uint32_t)src[2] << 16) + | ((uint32_t)src[3] << 24); + return w; + } +} + +static ossl_inline uint64_t load64(const uint8_t *src) +{ + const union { + long one; + char little; + } is_endian = { 1 }; + + if (is_endian.little) { + uint64_t w; + memcpy(&w, src, sizeof(w)); + return w; + } else { + uint64_t w = ((uint64_t)src[0]) + | ((uint64_t)src[1] << 8) + | ((uint64_t)src[2] << 16) + | ((uint64_t)src[3] << 24) + | ((uint64_t)src[4] << 32) + | ((uint64_t)src[5] << 40) + | ((uint64_t)src[6] << 48) + | ((uint64_t)src[7] << 56); + return w; + } +} + +static ossl_inline void store32(uint8_t *dst, uint32_t w) +{ + const union { + long one; + char little; + } is_endian = { 1 }; + + if (is_endian.little) { + memcpy(dst, &w, sizeof(w)); + } else { + uint8_t *p = (uint8_t *)dst; + int i; + + for (i = 0; i < 4; i++) + p[i] = (uint8_t)(w >> (8 * i)); + } +} + +static ossl_inline void store64(uint8_t *dst, uint64_t w) +{ + const union { + long one; + char little; + } is_endian = { 1 }; + + if (is_endian.little) { + memcpy(dst, &w, sizeof(w)); + } else { + uint8_t *p = (uint8_t *)dst; + int i; + + for (i = 0; i < 8; i++) + p[i] = (uint8_t)(w >> (8 * i)); + } +} + +static ossl_inline uint64_t load48(const uint8_t *src) +{ + uint64_t w = ((uint64_t)src[0]) + | ((uint64_t)src[1] << 8) + | ((uint64_t)src[2] << 16) + | ((uint64_t)src[3] << 24) + | ((uint64_t)src[4] << 32) + | ((uint64_t)src[5] << 40); + return w; +} + +static ossl_inline void store48(uint8_t *dst, uint64_t w) +{ + uint8_t *p = (uint8_t *)dst; + p[0] = (uint8_t)w; + p[1] = (uint8_t)(w>>8); + p[2] = (uint8_t)(w>>16); + p[3] = (uint8_t)(w>>24); + p[4] = (uint8_t)(w>>32); + p[5] = (uint8_t)(w>>40); +} + +static ossl_inline uint32_t rotr32(const uint32_t w, const unsigned int c) +{ + return (w >> c) | (w << (32 - c)); +} + +static ossl_inline uint64_t rotr64(const uint64_t w, const unsigned int c) +{ + return (w >> c) | (w << (64 - c)); +} diff --git a/providers/implementations/digests/blake2_prov.c b/providers/implementations/digests/blake2_prov.c new file mode 100644 index 0000000000..16f301b177 --- /dev/null +++ b/providers/implementations/digests/blake2_prov.c @@ -0,0 +1,42 @@ +/* + * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#include "prov/blake2.h" +#include "prov/digestcommon.h" +#include "internal/provider_algs.h" + +OSSL_OP_digest_init_fn blake2s256_init; +OSSL_OP_digest_init_fn blake2b512_init; + +int blake2s256_init(void *ctx) +{ + BLAKE2S_PARAM P; + + blake2s_param_init(&P); + return blake2s_init((BLAKE2S_CTX *)ctx, &P); +} + +int blake2b512_init(void *ctx) +{ + BLAKE2B_PARAM P; + + blake2b_param_init(&P); + return blake2b_init((BLAKE2B_CTX *)ctx, &P); +} + +/* blake2s256_functions */ +IMPLEMENT_digest_functions(blake2s256, BLAKE2S_CTX, + BLAKE2S_BLOCKBYTES, BLAKE2S_DIGEST_LENGTH, 0, + blake2s256_init, blake2s_update, blake2s_final) + +/* blake2b512_functions */ +IMPLEMENT_digest_functions(blake2b512, BLAKE2B_CTX, + BLAKE2B_BLOCKBYTES, BLAKE2B_DIGEST_LENGTH, 0, + blake2b512_init, blake2b_update, blake2b_final) diff --git a/providers/implementations/digests/blake2b_prov.c b/providers/implementations/digests/blake2b_prov.c new file mode 100644 index 0000000000..baa33e922f --- /dev/null +++ b/providers/implementations/digests/blake2b_prov.c @@ -0,0 +1,328 @@ +/* + * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +/* + * Derived from the BLAKE2 reference implementation written by Samuel Neves. + * Copyright 2012, Samuel Neves + * More information about the BLAKE2 hash function and its implementations + * can be found at https://blake2.net. + */ + +#include +#include +#include +#include "blake2_impl.h" +#include "prov/blake2.h" + +static const uint64_t blake2b_IV[8] = +{ + 0x6a09e667f3bcc908ULL, 0xbb67ae8584caa73bULL, + 0x3c6ef372fe94f82bULL, 0xa54ff53a5f1d36f1ULL, + 0x510e527fade682d1ULL, 0x9b05688c2b3e6c1fULL, + 0x1f83d9abfb41bd6bULL, 0x5be0cd19137e2179ULL +}; + +static const uint8_t blake2b_sigma[12][16] = +{ + { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 } , + { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 } , + { 11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4 } , + { 7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8 } , + { 9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13 } , + { 2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9 } , + { 12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11 } , + { 13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10 } , + { 6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5 } , + { 10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13 , 0 } , + { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 } , + { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 } +}; + +/* Set that it's the last block we'll compress */ +static ossl_inline void blake2b_set_lastblock(BLAKE2B_CTX *S) +{ + S->f[0] = -1; +} + +/* Initialize the hashing state. */ +static ossl_inline void blake2b_init0(BLAKE2B_CTX *S) +{ + int i; + + memset(S, 0, sizeof(BLAKE2B_CTX)); + for (i = 0; i < 8; ++i) { + S->h[i] = blake2b_IV[i]; + } +} + +/* init xors IV with input parameter block and sets the output length */ +static void blake2b_init_param(BLAKE2B_CTX *S, const BLAKE2B_PARAM *P) +{ + size_t i; + const uint8_t *p = (const uint8_t *)(P); + + blake2b_init0(S); + S->outlen = P->digest_length; + + /* The param struct is carefully hand packed, and should be 64 bytes on + * every platform. */ + assert(sizeof(BLAKE2B_PARAM) == 64); + /* IV XOR ParamBlock */ + for (i = 0; i < 8; ++i) { + S->h[i] ^= load64(p + sizeof(S->h[i]) * i); + } +} + +/* Initialize the parameter block with default values */ +void blake2b_param_init(BLAKE2B_PARAM *P) +{ + P->digest_length = BLAKE2B_DIGEST_LENGTH; + P->key_length = 0; + P->fanout = 1; + P->depth = 1; + store32(P->leaf_length, 0); + store64(P->node_offset, 0); + P->node_depth = 0; + P->inner_length = 0; + memset(P->reserved, 0, sizeof(P->reserved)); + memset(P->salt, 0, sizeof(P->salt)); + memset(P->personal, 0, sizeof(P->personal)); +} + +void blake2b_param_set_digest_length(BLAKE2B_PARAM *P, uint8_t outlen) +{ + P->digest_length = outlen; +} + +void blake2b_param_set_key_length(BLAKE2B_PARAM *P, uint8_t keylen) +{ + P->key_length = keylen; +} + +void blake2b_param_set_personal(BLAKE2B_PARAM *P, const uint8_t *personal, size_t len) +{ + memcpy(P->personal, personal, len); + memset(P->personal + len, 0, BLAKE2B_PERSONALBYTES - len); +} + +void blake2b_param_set_salt(BLAKE2B_PARAM *P, const uint8_t *salt, size_t len) +{ + memcpy(P->salt, salt, len); + memset(P->salt + len, 0, BLAKE2B_SALTBYTES - len); +} + +/* + * Initialize the hashing context with the given parameter block. + * Always returns 1. + */ +int blake2b_init(BLAKE2B_CTX *c, const BLAKE2B_PARAM *P) +{ + blake2b_init_param(c, P); + return 1; +} + +/* + * Initialize the hashing context with the given parameter block and key. + * Always returns 1. + */ +int blake2b_init_key(BLAKE2B_CTX *c, const BLAKE2B_PARAM *P, const void *key) +{ + blake2b_init_param(c, P); + + /* Pad the key to form first data block */ + { + uint8_t block[BLAKE2B_BLOCKBYTES] = {0}; + + memcpy(block, key, P->key_length); + blake2b_update(c, block, BLAKE2B_BLOCKBYTES); + OPENSSL_cleanse(block, BLAKE2B_BLOCKBYTES); + } + + return 1; +} + +/* Permute the state while xoring in the block of data. */ +static void blake2b_compress(BLAKE2B_CTX *S, + const uint8_t *blocks, + size_t len) +{ + uint64_t m[16]; + uint64_t v[16]; + int i; + size_t increment; + + /* + * There are two distinct usage vectors for this function: + * + * a) BLAKE2b_Update uses it to process complete blocks, + * possibly more than one at a time; + * + * b) BLAK2b_Final uses it to process last block, always + * single but possibly incomplete, in which case caller + * pads input with zeros. + */ + assert(len < BLAKE2B_BLOCKBYTES || len % BLAKE2B_BLOCKBYTES == 0); + + /* + * Since last block is always processed with separate call, + * |len| not being multiple of complete blocks can be observed + * only with |len| being less than BLAKE2B_BLOCKBYTES ("less" + * including even zero), which is why following assignment doesn't + * have to reside inside the main loop below. + */ + increment = len < BLAKE2B_BLOCKBYTES ? len : BLAKE2B_BLOCKBYTES; + + for (i = 0; i < 8; ++i) { + v[i] = S->h[i]; + } + + do { + for (i = 0; i < 16; ++i) { + m[i] = load64(blocks + i * sizeof(m[i])); + } + + /* blake2b_increment_counter */ + S->t[0] += increment; + S->t[1] += (S->t[0] < increment); + + v[8] = blake2b_IV[0]; + v[9] = blake2b_IV[1]; + v[10] = blake2b_IV[2]; + v[11] = blake2b_IV[3]; + v[12] = S->t[0] ^ blake2b_IV[4]; + v[13] = S->t[1] ^ blake2b_IV[5]; + v[14] = S->f[0] ^ blake2b_IV[6]; + v[15] = S->f[1] ^ blake2b_IV[7]; +#define G(r,i,a,b,c,d) \ + do { \ + a = a + b + m[blake2b_sigma[r][2*i+0]]; \ + d = rotr64(d ^ a, 32); \ + c = c + d; \ + b = rotr64(b ^ c, 24); \ + a = a + b + m[blake2b_sigma[r][2*i+1]]; \ + d = rotr64(d ^ a, 16); \ + c = c + d; \ + b = rotr64(b ^ c, 63); \ + } while (0) +#define ROUND(r) \ + do { \ + G(r,0,v[ 0],v[ 4],v[ 8],v[12]); \ + G(r,1,v[ 1],v[ 5],v[ 9],v[13]); \ + G(r,2,v[ 2],v[ 6],v[10],v[14]); \ + G(r,3,v[ 3],v[ 7],v[11],v[15]); \ + G(r,4,v[ 0],v[ 5],v[10],v[15]); \ + G(r,5,v[ 1],v[ 6],v[11],v[12]); \ + G(r,6,v[ 2],v[ 7],v[ 8],v[13]); \ + G(r,7,v[ 3],v[ 4],v[ 9],v[14]); \ + } while (0) +#if defined(OPENSSL_SMALL_FOOTPRINT) + /* 3x size reduction on x86_64, almost 7x on ARMv8, 9x on ARMv4 */ + for (i = 0; i < 12; i++) { + ROUND(i); + } +#else + ROUND(0); + ROUND(1); + ROUND(2); + ROUND(3); + ROUND(4); + ROUND(5); + ROUND(6); + ROUND(7); + ROUND(8); + ROUND(9); + ROUND(10); + ROUND(11); +#endif + + for (i = 0; i < 8; ++i) { + S->h[i] = v[i] ^= v[i + 8] ^ S->h[i]; + } +#undef G +#undef ROUND + blocks += increment; + len -= increment; + } while (len); +} + +/* Absorb the input data into the hash state. Always returns 1. */ +int blake2b_update(BLAKE2B_CTX *c, const void *data, size_t datalen) +{ + const uint8_t *in = data; + size_t fill; + + /* + * Intuitively one would expect intermediate buffer, c->buf, to + * store incomplete blocks. But in this case we are interested to + * temporarily stash even complete blocks, because last one in the + * stream has to be treated in special way, and at this point we + * don't know if last block in *this* call is last one "ever". This + * is the reason for why |datalen| is compared as >, and not >=. + */ + fill = sizeof(c->buf) - c->buflen; + if (datalen > fill) { + if (c->buflen) { + memcpy(c->buf + c->buflen, in, fill); /* Fill buffer */ + blake2b_compress(c, c->buf, BLAKE2B_BLOCKBYTES); + c->buflen = 0; + in += fill; + datalen -= fill; + } + if (datalen > BLAKE2B_BLOCKBYTES) { + size_t stashlen = datalen % BLAKE2B_BLOCKBYTES; + /* + * If |datalen| is a multiple of the blocksize, stash + * last complete block, it can be final one... + */ + stashlen = stashlen ? stashlen : BLAKE2B_BLOCKBYTES; + datalen -= stashlen; + blake2b_compress(c, in, datalen); + in += datalen; + datalen = stashlen; + } + } + + assert(datalen <= BLAKE2B_BLOCKBYTES); + + memcpy(c->buf + c->buflen, in, datalen); + c->buflen += datalen; /* Be lazy, do not compress */ + + return 1; +} + +/* + * Calculate the final hash and save it in md. + * Always returns 1. + */ +int blake2b_final(unsigned char *md, BLAKE2B_CTX *c) +{ + uint8_t outbuffer[BLAKE2B_OUTBYTES] = {0}; + uint8_t *target = outbuffer; + int iter = (c->outlen + 7) / 8; + int i; + + /* Avoid writing to the temporary buffer if possible */ + if ((c->outlen % sizeof(c->h[0])) == 0) + target = md; + + blake2b_set_lastblock(c); + /* Padding */ + memset(c->buf + c->buflen, 0, sizeof(c->buf) - c->buflen); + blake2b_compress(c, c->buf, c->buflen); + + /* Output full hash to buffer */ + for (i = 0; i < iter; ++i) + store64(target + sizeof(c->h[i]) * i, c->h[i]); + + if (target != md) + memcpy(md, target, c->outlen); + + OPENSSL_cleanse(c, sizeof(BLAKE2B_CTX)); + return 1; +} diff --git a/providers/implementations/digests/blake2s_prov.c b/providers/implementations/digests/blake2s_prov.c new file mode 100644 index 0000000000..703d8a8fab --- /dev/null +++ b/providers/implementations/digests/blake2s_prov.c @@ -0,0 +1,319 @@ +/* + * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +/* + * Derived from the BLAKE2 reference implementation written by Samuel Neves. + * Copyright 2012, Samuel Neves + * More information about the BLAKE2 hash function and its implementations + * can be found at https://blake2.net. + */ + +#include +#include +#include +#include "blake2_impl.h" +#include "prov/blake2.h" + +static const uint32_t blake2s_IV[8] = +{ + 0x6A09E667U, 0xBB67AE85U, 0x3C6EF372U, 0xA54FF53AU, + 0x510E527FU, 0x9B05688CU, 0x1F83D9ABU, 0x5BE0CD19U +}; + +static const uint8_t blake2s_sigma[10][16] = +{ + { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 } , + { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 } , + { 11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4 } , + { 7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8 } , + { 9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13 } , + { 2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9 } , + { 12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11 } , + { 13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10 } , + { 6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5 } , + { 10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13 , 0 } , +}; + +/* Set that it's the last block we'll compress */ +static ossl_inline void blake2s_set_lastblock(BLAKE2S_CTX *S) +{ + S->f[0] = -1; +} + +/* Initialize the hashing state. */ +static ossl_inline void blake2s_init0(BLAKE2S_CTX *S) +{ + int i; + + memset(S, 0, sizeof(BLAKE2S_CTX)); + for (i = 0; i < 8; ++i) { + S->h[i] = blake2s_IV[i]; + } +} + +/* init xors IV with input parameter block and sets the output length */ +static void blake2s_init_param(BLAKE2S_CTX *S, const BLAKE2S_PARAM *P) +{ + size_t i; + const uint8_t *p = (const uint8_t *)(P); + + blake2s_init0(S); + S->outlen = P->digest_length; + + /* The param struct is carefully hand packed, and should be 32 bytes on + * every platform. */ + assert(sizeof(BLAKE2S_PARAM) == 32); + /* IV XOR ParamBlock */ + for (i = 0; i < 8; ++i) { + S->h[i] ^= load32(&p[i*4]); + } +} + +void blake2s_param_init(BLAKE2S_PARAM *P) +{ + P->digest_length = BLAKE2S_DIGEST_LENGTH; + P->key_length = 0; + P->fanout = 1; + P->depth = 1; + store32(P->leaf_length, 0); + store48(P->node_offset, 0); + P->node_depth = 0; + P->inner_length = 0; + memset(P->salt, 0, sizeof(P->salt)); + memset(P->personal, 0, sizeof(P->personal)); +} + +void blake2s_param_set_digest_length(BLAKE2S_PARAM *P, uint8_t outlen) +{ + P->digest_length = outlen; +} + +void blake2s_param_set_key_length(BLAKE2S_PARAM *P, uint8_t keylen) +{ + P->key_length = keylen; +} + +void blake2s_param_set_personal(BLAKE2S_PARAM *P, const uint8_t *personal, size_t len) +{ + memcpy(P->personal, personal, len); + memset(P->personal + len, 0, BLAKE2S_PERSONALBYTES - len); +} + +void blake2s_param_set_salt(BLAKE2S_PARAM *P, const uint8_t *salt, size_t len) +{ + memcpy(P->salt, salt, len); + memset(P->salt + len, 0, BLAKE2S_SALTBYTES - len);} + +/* + * Initialize the hashing context with the given parameter block. + * Always returns 1. + */ +int blake2s_init(BLAKE2S_CTX *c, const BLAKE2S_PARAM *P) +{ + blake2s_init_param(c, P); + return 1; +} + +/* + * Initialize the hashing context with the given parameter block and key. + * Always returns 1. + */ +int blake2s_init_key(BLAKE2S_CTX *c, const BLAKE2S_PARAM *P, const void *key) +{ + blake2s_init_param(c, P); + + /* Pad the key to form first data block */ + { + uint8_t block[BLAKE2S_BLOCKBYTES] = {0}; + + memcpy(block, key, P->key_length); + blake2s_update(c, block, BLAKE2S_BLOCKBYTES); + OPENSSL_cleanse(block, BLAKE2S_BLOCKBYTES); + } + + return 1; +} + +/* Permute the state while xoring in the block of data. */ +static void blake2s_compress(BLAKE2S_CTX *S, + const uint8_t *blocks, + size_t len) +{ + uint32_t m[16]; + uint32_t v[16]; + size_t i; + size_t increment; + + /* + * There are two distinct usage vectors for this function: + * + * a) BLAKE2s_Update uses it to process complete blocks, + * possibly more than one at a time; + * + * b) BLAK2s_Final uses it to process last block, always + * single but possibly incomplete, in which case caller + * pads input with zeros. + */ + assert(len < BLAKE2S_BLOCKBYTES || len % BLAKE2S_BLOCKBYTES == 0); + + /* + * Since last block is always processed with separate call, + * |len| not being multiple of complete blocks can be observed + * only with |len| being less than BLAKE2S_BLOCKBYTES ("less" + * including even zero), which is why following assignment doesn't + * have to reside inside the main loop below. + */ + increment = len < BLAKE2S_BLOCKBYTES ? len : BLAKE2S_BLOCKBYTES; + + for (i = 0; i < 8; ++i) { + v[i] = S->h[i]; + } + + do { + for (i = 0; i < 16; ++i) { + m[i] = load32(blocks + i * sizeof(m[i])); + } + + /* blake2s_increment_counter */ + S->t[0] += increment; + S->t[1] += (S->t[0] < increment); + + v[ 8] = blake2s_IV[0]; + v[ 9] = blake2s_IV[1]; + v[10] = blake2s_IV[2]; + v[11] = blake2s_IV[3]; + v[12] = S->t[0] ^ blake2s_IV[4]; + v[13] = S->t[1] ^ blake2s_IV[5]; + v[14] = S->f[0] ^ blake2s_IV[6]; + v[15] = S->f[1] ^ blake2s_IV[7]; +#define G(r,i,a,b,c,d) \ + do { \ + a = a + b + m[blake2s_sigma[r][2*i+0]]; \ + d = rotr32(d ^ a, 16); \ + c = c + d; \ + b = rotr32(b ^ c, 12); \ + a = a + b + m[blake2s_sigma[r][2*i+1]]; \ + d = rotr32(d ^ a, 8); \ + c = c + d; \ + b = rotr32(b ^ c, 7); \ + } while (0) +#define ROUND(r) \ + do { \ + G(r,0,v[ 0],v[ 4],v[ 8],v[12]); \ + G(r,1,v[ 1],v[ 5],v[ 9],v[13]); \ + G(r,2,v[ 2],v[ 6],v[10],v[14]); \ + G(r,3,v[ 3],v[ 7],v[11],v[15]); \ + G(r,4,v[ 0],v[ 5],v[10],v[15]); \ + G(r,5,v[ 1],v[ 6],v[11],v[12]); \ + G(r,6,v[ 2],v[ 7],v[ 8],v[13]); \ + G(r,7,v[ 3],v[ 4],v[ 9],v[14]); \ + } while (0) +#if defined(OPENSSL_SMALL_FOOTPRINT) + /* almost 3x reduction on x86_64, 4.5x on ARMv8, 4x on ARMv4 */ + for (i = 0; i < 10; i++) { + ROUND(i); + } +#else + ROUND(0); + ROUND(1); + ROUND(2); + ROUND(3); + ROUND(4); + ROUND(5); + ROUND(6); + ROUND(7); + ROUND(8); + ROUND(9); +#endif + + for (i = 0; i < 8; ++i) { + S->h[i] = v[i] ^= v[i + 8] ^ S->h[i]; + } +#undef G +#undef ROUND + blocks += increment; + len -= increment; + } while (len); +} + +/* Absorb the input data into the hash state. Always returns 1. */ +int blake2s_update(BLAKE2S_CTX *c, const void *data, size_t datalen) +{ + const uint8_t *in = data; + size_t fill; + + /* + * Intuitively one would expect intermediate buffer, c->buf, to + * store incomplete blocks. But in this case we are interested to + * temporarily stash even complete blocks, because last one in the + * stream has to be treated in special way, and at this point we + * don't know if last block in *this* call is last one "ever". This + * is the reason for why |datalen| is compared as >, and not >=. + */ + fill = sizeof(c->buf) - c->buflen; + if (datalen > fill) { + if (c->buflen) { + memcpy(c->buf + c->buflen, in, fill); /* Fill buffer */ + blake2s_compress(c, c->buf, BLAKE2S_BLOCKBYTES); + c->buflen = 0; + in += fill; + datalen -= fill; + } + if (datalen > BLAKE2S_BLOCKBYTES) { + size_t stashlen = datalen % BLAKE2S_BLOCKBYTES; + /* + * If |datalen| is a multiple of the blocksize, stash + * last complete block, it can be final one... + */ + stashlen = stashlen ? stashlen : BLAKE2S_BLOCKBYTES; + datalen -= stashlen; + blake2s_compress(c, in, datalen); + in += datalen; + datalen = stashlen; + } + } + + assert(datalen <= BLAKE2S_BLOCKBYTES); + + memcpy(c->buf + c->buflen, in, datalen); + c->buflen += datalen; /* Be lazy, do not compress */ + + return 1; +} + +/* + * Calculate the final hash and save it in md. + * Always returns 1. + */ +int blake2s_final(unsigned char *md, BLAKE2S_CTX *c) +{ + uint8_t outbuffer[BLAKE2S_OUTBYTES] = {0}; + uint8_t *target = outbuffer; + int iter = (c->outlen + 3) / 4; + int i; + + /* Avoid writing to the temporary buffer if possible */ + if ((c->outlen % sizeof(c->h[0])) == 0) + target = md; + + blake2s_set_lastblock(c); + /* Padding */ + memset(c->buf + c->buflen, 0, sizeof(c->buf) - c->buflen); + blake2s_compress(c, c->buf, c->buflen); + + /* Output full hash to buffer */ + for (i = 0; i < iter; ++i) + store32(target + sizeof(c->h[i]) * i, c->h[i]); + + if (target != md) + memcpy(md, target, c->outlen); + + OPENSSL_cleanse(c, sizeof(BLAKE2S_CTX)); + return 1; +} diff --git a/providers/implementations/digests/build.info b/providers/implementations/digests/build.info new file mode 100644 index 0000000000..2026de95d7 --- /dev/null +++ b/providers/implementations/digests/build.info @@ -0,0 +1,52 @@ +# We make separate GOAL variables for each algorithm, to make it easy to +# switch each to the Legacy provider when needed. + +$SHA1_GOAL=../../libimplementations.a +$SHA2_GOAL=../../libimplementations.a +$SHA3_GOAL=../../libimplementations.a +$BLAKE2_GOAL=../../libimplementations.a +$SM3_GOAL=../../libimplementations.a +$MD5_GOAL=../../libimplementations.a + +$MD2_GOAL=../../liblegacy.a +$MD4_GOAL=../../liblegacy.a +$MDC2_GOAL=../../liblegacy.a +$WHIRLPOOL_GOAL=../../liblegacy.a +$RIPEMD_GOAL=../../liblegacy.a + +SOURCE[$SHA2_GOAL]=sha2_prov.c +SOURCE[$SHA3_GOAL]=sha3_prov.c + +$GOAL=../../libimplementations.a + +IF[{- !$disabled{blake2} -}] + SOURCE[$BLAKE2_GOAL]=blake2_prov.c blake2b_prov.c blake2s_prov.c +ENDIF + +IF[{- !$disabled{sm3} -}] + SOURCE[$SM3_GOAL]=sm3_prov.c +ENDIF + +IF[{- !$disabled{md5} -}] + SOURCE[$MD5_GOAL]=md5_prov.c md5_sha1_prov.c +ENDIF + +IF[{- !$disabled{md2} -}] + SOURCE[$MD2_GOAL]=md2_prov.c +ENDIF + +IF[{- !$disabled{md4} -}] + SOURCE[$MD4_GOAL]=md4_prov.c +ENDIF + +IF[{- !$disabled{mdc2} -}] + SOURCE[$MDC2_GOAL]=mdc2_prov.c +ENDIF + +IF[{- !$disabled{whirlpool} -}] + SOURCE[$WHIRLPOOL_GOAL]=wp_prov.c +ENDIF + +IF[{- !$disabled{rmd160} -}] + SOURCE[$RIPEMD_GOAL]=ripemd_prov.c +ENDIF diff --git a/providers/implementations/digests/md2_prov.c b/providers/implementations/digests/md2_prov.c new file mode 100644 index 0000000000..ab1d605218 --- /dev/null +++ b/providers/implementations/digests/md2_prov.c @@ -0,0 +1,18 @@ +/* + * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#include +#include "prov/digestcommon.h" +#include "internal/provider_algs.h" + +/* md2_functions */ +IMPLEMENT_digest_functions(md2, MD2_CTX, + MD2_BLOCK, MD2_DIGEST_LENGTH, 0, + MD2_Init, MD2_Update, MD2_Final) diff --git a/providers/implementations/digests/md4_prov.c b/providers/implementations/digests/md4_prov.c new file mode 100644 index 0000000000..6b311c075d --- /dev/null +++ b/providers/implementations/digests/md4_prov.c @@ -0,0 +1,18 @@ +/* + * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#include +#include "prov/digestcommon.h" +#include "internal/provider_algs.h" + +/* md4_functions */ +IMPLEMENT_digest_functions(md4, MD4_CTX, + MD4_CBLOCK, MD4_DIGEST_LENGTH, 0, + MD4_Init, MD4_Update, MD4_Final) diff --git a/providers/implementations/digests/md5_prov.c b/providers/implementations/digests/md5_prov.c new file mode 100644 index 0000000000..1205888ff9 --- /dev/null +++ b/providers/implementations/digests/md5_prov.c @@ -0,0 +1,18 @@ +/* + * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#include +#include "prov/digestcommon.h" +#include "internal/provider_algs.h" + +/* md5_functions */ +IMPLEMENT_digest_functions(md5, MD5_CTX, + MD5_CBLOCK, MD5_DIGEST_LENGTH, 0, + MD5_Init, MD5_Update, MD5_Final) diff --git a/providers/implementations/digests/md5_sha1_prov.c b/providers/implementations/digests/md5_sha1_prov.c new file mode 100644 index 0000000000..ff6e2ed121 --- /dev/null +++ b/providers/implementations/digests/md5_sha1_prov.c @@ -0,0 +1,51 @@ +/* + * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#include +#include +#include +#include +#include "prov/md5_sha1.h" +#include "prov/digestcommon.h" +#include "internal/provider_algs.h" + +static OSSL_OP_digest_set_ctx_params_fn md5_sha1_set_ctx_params; +static OSSL_OP_digest_settable_ctx_params_fn md5_sha1_settable_ctx_params; + +static const OSSL_PARAM known_md5_sha1_settable_ctx_params[] = { + {OSSL_DIGEST_PARAM_SSL3_MS, OSSL_PARAM_OCTET_STRING, NULL, 0, 0}, + OSSL_PARAM_END +}; + +static const OSSL_PARAM *md5_sha1_settable_ctx_params(void) +{ + return known_md5_sha1_settable_ctx_params; +} + +/* Special set_params method for SSL3 */ +static int md5_sha1_set_ctx_params(void *vctx, const OSSL_PARAM params[]) +{ + const OSSL_PARAM *p; + MD5_SHA1_CTX *ctx = (MD5_SHA1_CTX *)vctx; + + if (ctx != NULL && params != NULL) { + p = OSSL_PARAM_locate_const(params, OSSL_DIGEST_PARAM_SSL3_MS); + if (p != NULL && p->data_type == OSSL_PARAM_OCTET_STRING) + return md5_sha1_ctrl(ctx, EVP_CTRL_SSL3_MASTER_SECRET, p->data_size, + p->data); + } + return 0; +} + +/* md5_sha1_functions */ +IMPLEMENT_digest_functions_with_settable_ctx( + md5_sha1, MD5_SHA1_CTX, MD5_SHA1_CBLOCK, MD5_SHA1_DIGEST_LENGTH, 0, + md5_sha1_init, md5_sha1_update, md5_sha1_final, + md5_sha1_settable_ctx_params, md5_sha1_set_ctx_params) diff --git a/providers/implementations/digests/mdc2_prov.c b/providers/implementations/digests/mdc2_prov.c new file mode 100644 index 0000000000..f0ae8b3742 --- /dev/null +++ b/providers/implementations/digests/mdc2_prov.c @@ -0,0 +1,52 @@ +/* + * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#include +#include +#include +#include +#include "prov/digestcommon.h" +#include "internal/provider_algs.h" +#include "internal/providercommonerr.h" + +static OSSL_OP_digest_set_ctx_params_fn mdc2_set_ctx_params; +static OSSL_OP_digest_settable_ctx_params_fn mdc2_settable_ctx_params; + +static const OSSL_PARAM known_mdc2_settable_ctx_params[] = { + OSSL_PARAM_uint(OSSL_DIGEST_PARAM_PAD_TYPE, NULL), + OSSL_PARAM_END +}; + +static const OSSL_PARAM *mdc2_settable_ctx_params(void) +{ + return known_mdc2_settable_ctx_params; +} + +static int mdc2_set_ctx_params(void *vctx, const OSSL_PARAM params[]) +{ + const OSSL_PARAM *p; + MDC2_CTX *ctx = (MDC2_CTX *)vctx; + + if (ctx != NULL && params != NULL) { + p = OSSL_PARAM_locate_const(params, OSSL_DIGEST_PARAM_PAD_TYPE); + if (p != NULL && !OSSL_PARAM_get_uint(p, &ctx->pad_type)) { + ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER); + return 0; + } + return 1; + } + return 0; /* Null Parameter */ +} + +/* mdc2_functions */ +IMPLEMENT_digest_functions_with_settable_ctx( + mdc2, MDC2_CTX, MDC2_BLOCK, MDC2_DIGEST_LENGTH, 0, + MDC2_Init, MDC2_Update, MDC2_Final, + mdc2_settable_ctx_params, mdc2_set_ctx_params) diff --git a/providers/implementations/digests/ripemd_prov.c b/providers/implementations/digests/ripemd_prov.c new file mode 100644 index 0000000000..4f11f79e4c --- /dev/null +++ b/providers/implementations/digests/ripemd_prov.c @@ -0,0 +1,18 @@ +/* + * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#include +#include "prov/digestcommon.h" +#include "internal/provider_algs.h" + +/* ripemd160_functions */ +IMPLEMENT_digest_functions(ripemd160, RIPEMD160_CTX, + RIPEMD160_CBLOCK, RIPEMD160_DIGEST_LENGTH, 0, + RIPEMD160_Init, RIPEMD160_Update, RIPEMD160_Final) diff --git a/providers/implementations/digests/sha2_prov.c b/providers/implementations/digests/sha2_prov.c new file mode 100644 index 0000000000..3c07e784cf --- /dev/null +++ b/providers/implementations/digests/sha2_prov.c @@ -0,0 +1,89 @@ +/* + * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#include +#include +#include +#include +#include +#include +#include "prov/digestcommon.h" +#include "internal/provider_algs.h" +#include "crypto/sha.h" + +static OSSL_OP_digest_set_ctx_params_fn sha1_set_ctx_params; +static OSSL_OP_digest_settable_ctx_params_fn sha1_settable_ctx_params; + +static const OSSL_PARAM known_sha1_settable_ctx_params[] = { + {OSSL_DIGEST_PARAM_SSL3_MS, OSSL_PARAM_OCTET_STRING, NULL, 0, 0}, + OSSL_PARAM_END +}; +static const OSSL_PARAM *sha1_settable_ctx_params(void) +{ + return known_sha1_settable_ctx_params; +} + +/* Special set_params method for SSL3 */ +static int sha1_set_ctx_params(void *vctx, const OSSL_PARAM params[]) +{ + const OSSL_PARAM *p; + SHA_CTX *ctx = (SHA_CTX *)vctx; + + if (ctx != NULL && params != NULL) { + p = OSSL_PARAM_locate_const(params, OSSL_DIGEST_PARAM_SSL3_MS); + if (p != NULL && p->data_type == OSSL_PARAM_OCTET_STRING) + return sha1_ctrl(ctx, EVP_CTRL_SSL3_MASTER_SECRET, p->data_size, + p->data); + } + return 0; +} + +/* sha1_functions */ +IMPLEMENT_digest_functions_with_settable_ctx( + sha1, SHA_CTX, SHA_CBLOCK, SHA_DIGEST_LENGTH, EVP_MD_FLAG_DIGALGID_ABSENT, + SHA1_Init, SHA1_Update, SHA1_Final, + sha1_settable_ctx_params, sha1_set_ctx_params) + +/* sha224_functions */ +IMPLEMENT_digest_functions(sha224, SHA256_CTX, + SHA256_CBLOCK, SHA224_DIGEST_LENGTH, + EVP_MD_FLAG_DIGALGID_ABSENT, + SHA224_Init, SHA224_Update, SHA224_Final) + +/* sha256_functions */ +IMPLEMENT_digest_functions(sha256, SHA256_CTX, + SHA256_CBLOCK, SHA256_DIGEST_LENGTH, + EVP_MD_FLAG_DIGALGID_ABSENT, + SHA256_Init, SHA256_Update, SHA256_Final) + +/* sha384_functions */ +IMPLEMENT_digest_functions(sha384, SHA512_CTX, + SHA512_CBLOCK, SHA384_DIGEST_LENGTH, + EVP_MD_FLAG_DIGALGID_ABSENT, + SHA384_Init, SHA384_Update, SHA384_Final) + +/* sha512_functions */ +IMPLEMENT_digest_functions(sha512, SHA512_CTX, + SHA512_CBLOCK, SHA512_DIGEST_LENGTH, + EVP_MD_FLAG_DIGALGID_ABSENT, + SHA512_Init, SHA512_Update, SHA512_Final) + +/* sha512_224_functions */ +IMPLEMENT_digest_functions(sha512_224, SHA512_CTX, + SHA512_CBLOCK, SHA224_DIGEST_LENGTH, + EVP_MD_FLAG_DIGALGID_ABSENT, + sha512_224_init, SHA512_Update, SHA512_Final) + +/* sha512_256_functions */ +IMPLEMENT_digest_functions(sha512_256, SHA512_CTX, + SHA512_CBLOCK, SHA256_DIGEST_LENGTH, + EVP_MD_FLAG_DIGALGID_ABSENT, + sha512_256_init, SHA512_Update, SHA512_Final) + diff --git a/providers/implementations/digests/sha3_prov.c b/providers/implementations/digests/sha3_prov.c new file mode 100644 index 0000000000..5adc7b2976 --- /dev/null +++ b/providers/implementations/digests/sha3_prov.c @@ -0,0 +1,305 @@ +/* + * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#include +#include +#include +#include +#include +#include "internal/sha3.h" +#include "prov/digestcommon.h" +#include "internal/provider_algs.h" +#include "internal/providercommonerr.h" + +/* + * Forward declaration of any unique methods implemented here. This is not strictly + * necessary for the compiler, but provides an assurance that the signatures + * of the functions in the dispatch table are correct. + */ +static OSSL_OP_digest_init_fn keccak_init; +static OSSL_OP_digest_update_fn keccak_update; +static OSSL_OP_digest_final_fn keccak_final; +static OSSL_OP_digest_freectx_fn keccak_freectx; +static OSSL_OP_digest_dupctx_fn keccak_dupctx; +static OSSL_OP_digest_set_ctx_params_fn shake_set_ctx_params; +static OSSL_OP_digest_settable_ctx_params_fn shake_settable_ctx_params; +static sha3_absorb_fn generic_sha3_absorb; +static sha3_final_fn generic_sha3_final; + +#if defined(OPENSSL_CPUID_OBJ) && defined(__s390__) && defined(KECCAK1600_ASM) +/* + * IBM S390X support + */ +# include "s390x_arch.h" +# define S390_SHA3 1 +# define S390_SHA3_CAPABLE(name) \ + ((OPENSSL_s390xcap_P.kimd[0] & S390X_CAPBIT(S390X_##name)) && \ + (OPENSSL_s390xcap_P.klmd[0] & S390X_CAPBIT(S390X_##name))) + +#endif + +static int keccak_init(void *vctx) +{ + /* The newctx() handles most of the ctx fixed setup. */ + sha3_reset((KECCAK1600_CTX *)vctx); + return 1; +} + +static int keccak_update(void *vctx, const unsigned char *inp, size_t len) +{ + KECCAK1600_CTX *ctx = vctx; + const size_t bsz = ctx->block_size; + size_t num, rem; + + if (len == 0) + return 1; + + /* Is there anything in the buffer already ? */ + if ((num = ctx->bufsz) != 0) { + /* Calculate how much space is left in the buffer */ + rem = bsz - num; + /* If the new input does not fill the buffer then just add it */ + if (len < rem) { + memcpy(ctx->buf + num, inp, len); + ctx->bufsz += len; + return 1; + } + /* otherwise fill up the buffer and absorb the buffer */ + memcpy(ctx->buf + num, inp, rem); + /* Update the input pointer */ + inp += rem; + len -= rem; + ctx->meth.absorb(ctx, ctx->buf, bsz); + ctx->bufsz = 0; + } + /* Absorb the input - rem = leftover part of the input < blocksize) */ + rem = ctx->meth.absorb(ctx, inp, len); + /* Copy the leftover bit of the input into the buffer */ + if (rem) { + memcpy(ctx->buf, inp + len - rem, rem); + ctx->bufsz = rem; + } + return 1; +} + +static int keccak_final(void *vctx, unsigned char *out, size_t *outl, + size_t outsz) +{ + int ret = 1; + KECCAK1600_CTX *ctx = vctx; + + if (outsz > 0) + ret = ctx->meth.final(out, ctx); + + *outl = ctx->md_size; + return ret; +} + +/*- + * Generic software version of the absorb() and final(). + */ +static size_t generic_sha3_absorb(void *vctx, const void *inp, size_t len) +{ + KECCAK1600_CTX *ctx = vctx; + + return SHA3_absorb(ctx->A, inp, len, ctx->block_size); +} + +static int generic_sha3_final(unsigned char *md, void *vctx) +{ + return sha3_final(md, (KECCAK1600_CTX *)vctx); +} + +static PROV_SHA3_METHOD sha3_generic_md = +{ + generic_sha3_absorb, + generic_sha3_final +}; + +#if defined(S390_SHA3) + +static sha3_absorb_fn s390x_sha3_absorb; +static sha3_final_fn s390x_sha3_final; +static sha3_final_fn s390x_shake_final; + +/*- + * The platform specific parts of the absorb() and final() for S390X. + */ +static size_t s390x_sha3_absorb(void *vctx, const void *inp, size_t len) +{ + KECCAK1600_CTX *ctx = vctx; + size_t rem = len % ctx->block_size; + + s390x_kimd(inp, len - rem, ctx->pad, ctx->A); + return rem; +} + +static int s390x_sha3_final(unsigned char *md, void *vctx) +{ + KECCAK1600_CTX *ctx = vctx; + + s390x_klmd(ctx->buf, ctx->bufsz, NULL, 0, ctx->pad, ctx->A); + memcpy(md, ctx->A, ctx->md_size); + return 1; +} + +static int s390x_shake_final(unsigned char *md, void *vctx) +{ + KECCAK1600_CTX *ctx = vctx; + + s390x_klmd(ctx->buf, ctx->bufsz, md, ctx->md_size, ctx->pad, ctx->A); + return 1; +} + +static PROV_SHA3_METHOD sha3_s390x_md = +{ + s390x_sha3_absorb, + s390x_sha3_final +}; + +static PROV_SHA3_METHOD shake_s390x_md = +{ + s390x_sha3_absorb, + s390x_shake_final +}; + +# define SHA3_SET_MD(uname, typ) \ + if (S390_SHA3_CAPABLE(uname)) { \ + ctx->pad = S390X_##uname; \ + ctx->meth = typ##_s390x_md; \ + } else { \ + ctx->meth = sha3_generic_md; \ + } +#else +# define SHA3_SET_MD(uname, typ) ctx->meth = sha3_generic_md; +#endif /* S390_SHA3 */ + +#define SHA3_newctx(typ, uname, name, bitlen, pad) \ +static OSSL_OP_digest_newctx_fn name##_newctx; \ +static void *name##_newctx(void *provctx) \ +{ \ + KECCAK1600_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx)); \ + \ + if (ctx == NULL) \ + return NULL; \ + sha3_init(ctx, pad, bitlen); \ + SHA3_SET_MD(uname, typ) \ + return ctx; \ +} + +#define KMAC_newctx(uname, bitlen, pad) \ +static OSSL_OP_digest_newctx_fn uname##_newctx; \ +static void *uname##_newctx(void *provctx) \ +{ \ + KECCAK1600_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx)); \ + \ + if (ctx == NULL) \ + return NULL; \ + keccak_kmac_init(ctx, pad, bitlen); \ + ctx->meth = sha3_generic_md; \ + return ctx; \ +} + +#define PROV_FUNC_SHA3_DIGEST_COMMON(name, bitlen, blksize, dgstsize, flags) \ +PROV_FUNC_DIGEST_GET_PARAM(name, blksize, dgstsize, flags) \ +const OSSL_DISPATCH name##_functions[] = { \ + { OSSL_FUNC_DIGEST_NEWCTX, (void (*)(void))name##_newctx }, \ + { OSSL_FUNC_DIGEST_INIT, (void (*)(void))keccak_init }, \ + { OSSL_FUNC_DIGEST_UPDATE, (void (*)(void))keccak_update }, \ + { OSSL_FUNC_DIGEST_FINAL, (void (*)(void))keccak_final }, \ + { OSSL_FUNC_DIGEST_FREECTX, (void (*)(void))keccak_freectx }, \ + { OSSL_FUNC_DIGEST_DUPCTX, (void (*)(void))keccak_dupctx }, \ + PROV_DISPATCH_FUNC_DIGEST_GET_PARAMS(name) + +#define PROV_FUNC_SHA3_DIGEST(name, bitlen, blksize, dgstsize, flags) \ + PROV_FUNC_SHA3_DIGEST_COMMON(name, bitlen, blksize, dgstsize, flags), \ + PROV_DISPATCH_FUNC_DIGEST_CONSTRUCT_END + +#define PROV_FUNC_SHAKE_DIGEST(name, bitlen, blksize, dgstsize, flags) \ + PROV_FUNC_SHA3_DIGEST_COMMON(name, bitlen, blksize, dgstsize, flags), \ + { OSSL_FUNC_DIGEST_SET_CTX_PARAMS, (void (*)(void))shake_set_ctx_params }, \ + { OSSL_FUNC_DIGEST_SETTABLE_CTX_PARAMS, \ + (void (*)(void))shake_settable_ctx_params }, \ + PROV_DISPATCH_FUNC_DIGEST_CONSTRUCT_END + +static void keccak_freectx(void *vctx) +{ + KECCAK1600_CTX *ctx = (KECCAK1600_CTX *)vctx; + + OPENSSL_clear_free(ctx, sizeof(*ctx)); +} + +static void *keccak_dupctx(void *ctx) +{ + KECCAK1600_CTX *in = (KECCAK1600_CTX *)ctx; + KECCAK1600_CTX *ret = OPENSSL_malloc(sizeof(*ret)); + + *ret = *in; + return ret; +} + +static const OSSL_PARAM known_shake_settable_ctx_params[] = { + {OSSL_DIGEST_PARAM_SSL3_MS, OSSL_PARAM_OCTET_STRING, NULL, 0, 0}, + OSSL_PARAM_END +}; +static const OSSL_PARAM *shake_settable_ctx_params(void) +{ + return known_shake_settable_ctx_params; +} + +static int shake_set_ctx_params(void *vctx, const OSSL_PARAM params[]) +{ + const OSSL_PARAM *p; + KECCAK1600_CTX *ctx = (KECCAK1600_CTX *)vctx; + + if (ctx != NULL && params != NULL) { + p = OSSL_PARAM_locate_const(params, OSSL_DIGEST_PARAM_XOFLEN); + if (p != NULL && !OSSL_PARAM_get_size_t(p, &ctx->md_size)) { + ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER); + return 0; + } + return 1; + } + return 0; /* Null Parameter */ +} + +#define IMPLEMENT_SHA3_functions(bitlen) \ + SHA3_newctx(sha3, SHA3_##bitlen, sha3_##bitlen, bitlen, '\x06') \ + PROV_FUNC_SHA3_DIGEST(sha3_##bitlen, bitlen, \ + SHA3_BLOCKSIZE(bitlen), SHA3_MDSIZE(bitlen), \ + EVP_MD_FLAG_DIGALGID_ABSENT) + +#define IMPLEMENT_SHAKE_functions(bitlen) \ + SHA3_newctx(shake, SHAKE_##bitlen, shake_##bitlen, bitlen, '\x1f') \ + PROV_FUNC_SHAKE_DIGEST(shake_##bitlen, bitlen, \ + SHA3_BLOCKSIZE(bitlen), SHA3_MDSIZE(bitlen), \ + EVP_MD_FLAG_XOF) +#define IMPLEMENT_KMAC_functions(bitlen) \ + KMAC_newctx(keccak_kmac_##bitlen, bitlen, '\x04') \ + PROV_FUNC_SHAKE_DIGEST(keccak_kmac_##bitlen, bitlen, \ + SHA3_BLOCKSIZE(bitlen), KMAC_MDSIZE(bitlen), \ + EVP_MD_FLAG_XOF) + +/* sha3_224_functions */ +IMPLEMENT_SHA3_functions(224) +/* sha3_256_functions */ +IMPLEMENT_SHA3_functions(256) +/* sha3_384_functions */ +IMPLEMENT_SHA3_functions(384) +/* sha3_512_functions */ +IMPLEMENT_SHA3_functions(512) +/* shake_128_functions */ +IMPLEMENT_SHAKE_functions(128) +/* shake_256_functions */ +IMPLEMENT_SHAKE_functions(256) +/* keccak_kmac_128_functions */ +IMPLEMENT_KMAC_functions(128) +/* keccak_kmac_256_functions */ +IMPLEMENT_KMAC_functions(256) diff --git a/providers/implementations/digests/sm3_prov.c b/providers/implementations/digests/sm3_prov.c new file mode 100644 index 0000000000..bd9d833184 --- /dev/null +++ b/providers/implementations/digests/sm3_prov.c @@ -0,0 +1,18 @@ +/* + * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#include "internal/sm3.h" +#include "prov/digestcommon.h" +#include "internal/provider_algs.h" + +/* sm3_functions */ +IMPLEMENT_digest_functions(sm3, SM3_CTX, + SM3_CBLOCK, SM3_DIGEST_LENGTH, 0, + sm3_init, sm3_update, sm3_final) diff --git a/providers/implementations/digests/wp_prov.c b/providers/implementations/digests/wp_prov.c new file mode 100644 index 0000000000..1dd5aa36e4 --- /dev/null +++ b/providers/implementations/digests/wp_prov.c @@ -0,0 +1,18 @@ +/* + * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#include +#include "prov/digestcommon.h" +#include "internal/provider_algs.h" + +/* wp_functions */ +IMPLEMENT_digest_functions(wp, WHIRLPOOL_CTX, + WHIRLPOOL_BBLOCK / 8, WHIRLPOOL_DIGEST_LENGTH, 0, + WHIRLPOOL_Init, WHIRLPOOL_Update, WHIRLPOOL_Final) -- cgit v1.2.3