1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
|
/*
* Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
#include <string.h>
#include "internal/sha3.h"
void SHA3_squeeze(uint64_t A[5][5], unsigned char *out, size_t len, size_t r, int next);
void ossl_sha3_reset(KECCAK1600_CTX *ctx)
{
memset(ctx->A, 0, sizeof(ctx->A));
ctx->bufsz = 0;
ctx->xof_state = XOF_STATE_INIT;
}
int ossl_sha3_init(KECCAK1600_CTX *ctx, unsigned char pad, size_t bitlen)
{
size_t bsz = SHA3_BLOCKSIZE(bitlen);
if (bsz <= sizeof(ctx->buf)) {
ossl_sha3_reset(ctx);
ctx->block_size = bsz;
ctx->md_size = bitlen / 8;
ctx->pad = pad;
return 1;
}
return 0;
}
int ossl_keccak_init(KECCAK1600_CTX *ctx, unsigned char pad, size_t bitlen, size_t mdlen)
{
int ret = ossl_sha3_init(ctx, pad, bitlen);
if (ret)
ctx->md_size = mdlen / 8;
return ret;
}
int ossl_sha3_update(KECCAK1600_CTX *ctx, const void *_inp, size_t len)
{
const unsigned char *inp = _inp;
size_t bsz = ctx->block_size;
size_t num, rem;
if (len == 0)
return 1;
if (ctx->xof_state == XOF_STATE_SQUEEZE
|| ctx->xof_state == XOF_STATE_FINAL)
return 0;
if ((num = ctx->bufsz) != 0) { /* process intermediate buffer? */
rem = bsz - num;
if (len < rem) {
memcpy(ctx->buf + num, inp, len);
ctx->bufsz += len;
return 1;
}
/*
* We have enough data to fill or overflow the intermediate
* buffer. So we append |rem| bytes and process the block,
* leaving the rest for later processing...
*/
memcpy(ctx->buf + num, inp, rem);
inp += rem, len -= rem;
(void)SHA3_absorb(ctx->A, ctx->buf, bsz, bsz);
ctx->bufsz = 0;
/* ctx->buf is processed, ctx->num is guaranteed to be zero */
}
if (len >= bsz)
rem = SHA3_absorb(ctx->A, inp, len, bsz);
else
rem = len;
if (rem) {
memcpy(ctx->buf, inp + len - rem, rem);
ctx->bufsz = rem;
}
return 1;
}
/*
* ossl_sha3_final()is a single shot method
* (Use ossl_sha3_squeeze for multiple calls).
* outlen is the variable size output.
*/
int ossl_sha3_final(KECCAK1600_CTX *ctx, unsigned char *out, size_t outlen)
{
size_t bsz = ctx->block_size;
size_t num = ctx->bufsz;
if (outlen == 0)
return 1;
if (ctx->xof_state == XOF_STATE_SQUEEZE
|| ctx->xof_state == XOF_STATE_FINAL)
return 0;
/*
* Pad the data with 10*1. Note that |num| can be |bsz - 1|
* in which case both byte operations below are performed on
* same byte...
*/
memset(ctx->buf + num, 0, bsz - num);
ctx->buf[num] = ctx->pad;
ctx->buf[bsz - 1] |= 0x80;
(void)SHA3_absorb(ctx->A, ctx->buf, bsz, bsz);
ctx->xof_state = XOF_STATE_FINAL;
SHA3_squeeze(ctx->A, out, outlen, bsz, 0);
return 1;
}
/*
* This method can be called multiple times.
* Rather than heavily modifying assembler for SHA3_squeeze(),
* we instead just use the limitations of the existing function.
* i.e. Only request multiples of the ctx->block_size when calling
* SHA3_squeeze(). For output length requests smaller than the
* ctx->block_size just request a single ctx->block_size bytes and
* buffer the results. The next request will use the buffer first
* to grab output bytes.
*/
int ossl_sha3_squeeze(KECCAK1600_CTX *ctx, unsigned char *out, size_t outlen)
{
size_t bsz = ctx->block_size;
size_t num = ctx->bufsz;
size_t len;
int next = 1;
if (outlen == 0)
return 1;
if (ctx->xof_state == XOF_STATE_FINAL)
return 0;
/*
* On the first squeeze call, finish the absorb process,
* by adding the trailing padding and then doing
* a final absorb.
*/
if (ctx->xof_state != XOF_STATE_SQUEEZE) {
/*
* Pad the data with 10*1. Note that |num| can be |bsz - 1|
* in which case both byte operations below are performed on
* same byte...
*/
memset(ctx->buf + num, 0, bsz - num);
ctx->buf[num] = ctx->pad;
ctx->buf[bsz - 1] |= 0x80;
(void)SHA3_absorb(ctx->A, ctx->buf, bsz, bsz);
ctx->xof_state = XOF_STATE_SQUEEZE;
num = ctx->bufsz = 0;
next = 0;
}
/*
* Step 1. Consume any bytes left over from a previous squeeze
* (See Step 4 below).
*/
if (num != 0) {
if (outlen > ctx->bufsz)
len = ctx->bufsz;
else
len = outlen;
memcpy(out, ctx->buf + bsz - ctx->bufsz, len);
out += len;
outlen -= len;
ctx->bufsz -= len;
}
if (outlen == 0)
return 1;
/* Step 2. Copy full sized squeezed blocks to the output buffer directly */
if (outlen >= bsz) {
len = bsz * (outlen / bsz);
SHA3_squeeze(ctx->A, out, len, bsz, next);
next = 1;
out += len;
outlen -= len;
}
if (outlen > 0) {
/* Step 3. Squeeze one more block into a buffer */
SHA3_squeeze(ctx->A, ctx->buf, bsz, bsz, next);
memcpy(out, ctx->buf, outlen);
/* Step 4. Remember the leftover part of the squeezed block */
ctx->bufsz = bsz - outlen;
}
return 1;
}
|
