diff options
Diffstat (limited to 'providers/implementations/digests')
17 files changed, 1671 insertions, 0 deletions
diff --git a/providers/implementations/digests/blake2_impl.h b/providers/implementations/digests/blake2_impl.h new file mode 100644 index 000000000000..e7c31474a364 --- /dev/null +++ b/providers/implementations/digests/blake2_impl.h @@ -0,0 +1,118 @@ +/* + * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +/* + * Derived from the BLAKE2 reference implementation written by Samuel Neves. + * Copyright 2012, Samuel Neves <sneves@dei.uc.pt> + * More information about the BLAKE2 hash function and its implementations + * can be found at https://blake2.net. + */ + +#include <string.h> +#include "internal/endian.h" + +static ossl_inline uint32_t load32(const uint8_t *src) +{ + DECLARE_IS_ENDIAN; + + if (IS_LITTLE_ENDIAN) { + uint32_t w; + memcpy(&w, src, sizeof(w)); + return w; + } else { + uint32_t w = ((uint32_t)src[0]) + | ((uint32_t)src[1] << 8) + | ((uint32_t)src[2] << 16) + | ((uint32_t)src[3] << 24); + return w; + } +} + +static ossl_inline uint64_t load64(const uint8_t *src) +{ + DECLARE_IS_ENDIAN; + + if (IS_LITTLE_ENDIAN) { + uint64_t w; + memcpy(&w, src, sizeof(w)); + return w; + } else { + uint64_t w = ((uint64_t)src[0]) + | ((uint64_t)src[1] << 8) + | ((uint64_t)src[2] << 16) + | ((uint64_t)src[3] << 24) + | ((uint64_t)src[4] << 32) + | ((uint64_t)src[5] << 40) + | ((uint64_t)src[6] << 48) + | ((uint64_t)src[7] << 56); + return w; + } +} + +static ossl_inline void store32(uint8_t *dst, uint32_t w) +{ + DECLARE_IS_ENDIAN; + + if (IS_LITTLE_ENDIAN) { + memcpy(dst, &w, sizeof(w)); + } else { + uint8_t *p = (uint8_t *)dst; + int i; + + for (i = 0; i < 4; i++) + p[i] = (uint8_t)(w >> (8 * i)); + } +} + +static ossl_inline void store64(uint8_t *dst, uint64_t w) +{ + DECLARE_IS_ENDIAN; + + if (IS_LITTLE_ENDIAN) { + memcpy(dst, &w, sizeof(w)); + } else { + uint8_t *p = (uint8_t *)dst; + int i; + + for (i = 0; i < 8; i++) + p[i] = (uint8_t)(w >> (8 * i)); + } +} + +static ossl_inline uint64_t load48(const uint8_t *src) +{ + uint64_t w = ((uint64_t)src[0]) + | ((uint64_t)src[1] << 8) + | ((uint64_t)src[2] << 16) + | ((uint64_t)src[3] << 24) + | ((uint64_t)src[4] << 32) + | ((uint64_t)src[5] << 40); + return w; +} + +static ossl_inline void store48(uint8_t *dst, uint64_t w) +{ + uint8_t *p = (uint8_t *)dst; + p[0] = (uint8_t)w; + p[1] = (uint8_t)(w>>8); + p[2] = (uint8_t)(w>>16); + p[3] = (uint8_t)(w>>24); + p[4] = (uint8_t)(w>>32); + p[5] = (uint8_t)(w>>40); +} + +static ossl_inline uint32_t rotr32(const uint32_t w, const unsigned int c) +{ + return (w >> c) | (w << (32 - c)); +} + +static ossl_inline uint64_t rotr64(const uint64_t w, const unsigned int c) +{ + return (w >> c) | (w << (64 - c)); +} diff --git a/providers/implementations/digests/blake2_prov.c b/providers/implementations/digests/blake2_prov.c new file mode 100644 index 000000000000..25342eedb832 --- /dev/null +++ b/providers/implementations/digests/blake2_prov.c @@ -0,0 +1,41 @@ +/* + * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include <openssl/crypto.h> +#include "prov/blake2.h" +#include "prov/digestcommon.h" +#include "prov/implementations.h" + +int ossl_blake2s256_init(void *ctx) +{ + BLAKE2S_PARAM P; + + ossl_blake2s_param_init(&P); + return ossl_blake2s_init((BLAKE2S_CTX *)ctx, &P); +} + +int ossl_blake2b512_init(void *ctx) +{ + BLAKE2B_PARAM P; + + ossl_blake2b_param_init(&P); + return ossl_blake2b_init((BLAKE2B_CTX *)ctx, &P); +} + +/* ossl_blake2s256_functions */ +IMPLEMENT_digest_functions(blake2s256, BLAKE2S_CTX, + BLAKE2S_BLOCKBYTES, BLAKE2S_DIGEST_LENGTH, 0, + ossl_blake2s256_init, ossl_blake2s_update, + ossl_blake2s_final) + +/* ossl_blake2b512_functions */ +IMPLEMENT_digest_functions(blake2b512, BLAKE2B_CTX, + BLAKE2B_BLOCKBYTES, BLAKE2B_DIGEST_LENGTH, 0, + ossl_blake2b512_init, ossl_blake2b_update, + ossl_blake2b_final) diff --git a/providers/implementations/digests/blake2b_prov.c b/providers/implementations/digests/blake2b_prov.c new file mode 100644 index 000000000000..44e0740745e8 --- /dev/null +++ b/providers/implementations/digests/blake2b_prov.c @@ -0,0 +1,333 @@ +/* + * Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +/* + * Derived from the BLAKE2 reference implementation written by Samuel Neves. + * Copyright 2012, Samuel Neves <sneves@dei.uc.pt> + * More information about the BLAKE2 hash function and its implementations + * can be found at https://blake2.net. + */ + +#include <assert.h> +#include <string.h> +#include <openssl/crypto.h> +#include "blake2_impl.h" +#include "prov/blake2.h" + +static const uint64_t blake2b_IV[8] = +{ + 0x6a09e667f3bcc908ULL, 0xbb67ae8584caa73bULL, + 0x3c6ef372fe94f82bULL, 0xa54ff53a5f1d36f1ULL, + 0x510e527fade682d1ULL, 0x9b05688c2b3e6c1fULL, + 0x1f83d9abfb41bd6bULL, 0x5be0cd19137e2179ULL +}; + +static const uint8_t blake2b_sigma[12][16] = +{ + { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 } , + { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 } , + { 11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4 } , + { 7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8 } , + { 9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13 } , + { 2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9 } , + { 12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11 } , + { 13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10 } , + { 6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5 } , + { 10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13 , 0 } , + { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 } , + { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 } +}; + +/* Set that it's the last block we'll compress */ +static ossl_inline void blake2b_set_lastblock(BLAKE2B_CTX *S) +{ + S->f[0] = -1; +} + +/* Initialize the hashing state. */ +static ossl_inline void blake2b_init0(BLAKE2B_CTX *S) +{ + int i; + + memset(S, 0, sizeof(BLAKE2B_CTX)); + for (i = 0; i < 8; ++i) { + S->h[i] = blake2b_IV[i]; + } +} + +/* init xors IV with input parameter block and sets the output length */ +static void blake2b_init_param(BLAKE2B_CTX *S, const BLAKE2B_PARAM *P) +{ + size_t i; + const uint8_t *p = (const uint8_t *)(P); + + blake2b_init0(S); + S->outlen = P->digest_length; + + /* The param struct is carefully hand packed, and should be 64 bytes on + * every platform. */ + assert(sizeof(BLAKE2B_PARAM) == 64); + /* IV XOR ParamBlock */ + for (i = 0; i < 8; ++i) { + S->h[i] ^= load64(p + sizeof(S->h[i]) * i); + } +} + +/* Initialize the parameter block with default values */ +void ossl_blake2b_param_init(BLAKE2B_PARAM *P) +{ + P->digest_length = BLAKE2B_DIGEST_LENGTH; + P->key_length = 0; + P->fanout = 1; + P->depth = 1; + store32(P->leaf_length, 0); + store64(P->node_offset, 0); + P->node_depth = 0; + P->inner_length = 0; + memset(P->reserved, 0, sizeof(P->reserved)); + memset(P->salt, 0, sizeof(P->salt)); + memset(P->personal, 0, sizeof(P->personal)); +} + +void ossl_blake2b_param_set_digest_length(BLAKE2B_PARAM *P, uint8_t outlen) +{ + P->digest_length = outlen; +} + +void ossl_blake2b_param_set_key_length(BLAKE2B_PARAM *P, uint8_t keylen) +{ + P->key_length = keylen; +} + +void ossl_blake2b_param_set_personal(BLAKE2B_PARAM *P, const uint8_t *personal, + size_t len) +{ + memcpy(P->personal, personal, len); + memset(P->personal + len, 0, BLAKE2B_PERSONALBYTES - len); +} + +void ossl_blake2b_param_set_salt(BLAKE2B_PARAM *P, const uint8_t *salt, + size_t len) +{ + memcpy(P->salt, salt, len); + memset(P->salt + len, 0, BLAKE2B_SALTBYTES - len); +} + +/* + * Initialize the hashing context with the given parameter block. + * Always returns 1. + */ +int ossl_blake2b_init(BLAKE2B_CTX *c, const BLAKE2B_PARAM *P) +{ + blake2b_init_param(c, P); + return 1; +} + +/* + * Initialize the hashing context with the given parameter block and key. + * Always returns 1. + */ +int ossl_blake2b_init_key(BLAKE2B_CTX *c, const BLAKE2B_PARAM *P, + const void *key) +{ + blake2b_init_param(c, P); + + /* Pad the key to form first data block */ + { + uint8_t block[BLAKE2B_BLOCKBYTES] = {0}; + + memcpy(block, key, P->key_length); + ossl_blake2b_update(c, block, BLAKE2B_BLOCKBYTES); + OPENSSL_cleanse(block, BLAKE2B_BLOCKBYTES); + } + + return 1; +} + +/* Permute the state while xoring in the block of data. */ +static void blake2b_compress(BLAKE2B_CTX *S, + const uint8_t *blocks, + size_t len) +{ + uint64_t m[16]; + uint64_t v[16]; + int i; + size_t increment; + + /* + * There are two distinct usage vectors for this function: + * + * a) BLAKE2b_Update uses it to process complete blocks, + * possibly more than one at a time; + * + * b) BLAK2b_Final uses it to process last block, always + * single but possibly incomplete, in which case caller + * pads input with zeros. + */ + assert(len < BLAKE2B_BLOCKBYTES || len % BLAKE2B_BLOCKBYTES == 0); + + /* + * Since last block is always processed with separate call, + * |len| not being multiple of complete blocks can be observed + * only with |len| being less than BLAKE2B_BLOCKBYTES ("less" + * including even zero), which is why following assignment doesn't + * have to reside inside the main loop below. + */ + increment = len < BLAKE2B_BLOCKBYTES ? len : BLAKE2B_BLOCKBYTES; + + for (i = 0; i < 8; ++i) { + v[i] = S->h[i]; + } + + do { + for (i = 0; i < 16; ++i) { + m[i] = load64(blocks + i * sizeof(m[i])); + } + + /* blake2b_increment_counter */ + S->t[0] += increment; + S->t[1] += (S->t[0] < increment); + + v[8] = blake2b_IV[0]; + v[9] = blake2b_IV[1]; + v[10] = blake2b_IV[2]; + v[11] = blake2b_IV[3]; + v[12] = S->t[0] ^ blake2b_IV[4]; + v[13] = S->t[1] ^ blake2b_IV[5]; + v[14] = S->f[0] ^ blake2b_IV[6]; + v[15] = S->f[1] ^ blake2b_IV[7]; +#define G(r,i,a,b,c,d) \ + do { \ + a = a + b + m[blake2b_sigma[r][2*i+0]]; \ + d = rotr64(d ^ a, 32); \ + c = c + d; \ + b = rotr64(b ^ c, 24); \ + a = a + b + m[blake2b_sigma[r][2*i+1]]; \ + d = rotr64(d ^ a, 16); \ + c = c + d; \ + b = rotr64(b ^ c, 63); \ + } while (0) +#define ROUND(r) \ + do { \ + G(r,0,v[ 0],v[ 4],v[ 8],v[12]); \ + G(r,1,v[ 1],v[ 5],v[ 9],v[13]); \ + G(r,2,v[ 2],v[ 6],v[10],v[14]); \ + G(r,3,v[ 3],v[ 7],v[11],v[15]); \ + G(r,4,v[ 0],v[ 5],v[10],v[15]); \ + G(r,5,v[ 1],v[ 6],v[11],v[12]); \ + G(r,6,v[ 2],v[ 7],v[ 8],v[13]); \ + G(r,7,v[ 3],v[ 4],v[ 9],v[14]); \ + } while (0) +#if defined(OPENSSL_SMALL_FOOTPRINT) + /* 3x size reduction on x86_64, almost 7x on ARMv8, 9x on ARMv4 */ + for (i = 0; i < 12; i++) { + ROUND(i); + } +#else + ROUND(0); + ROUND(1); + ROUND(2); + ROUND(3); + ROUND(4); + ROUND(5); + ROUND(6); + ROUND(7); + ROUND(8); + ROUND(9); + ROUND(10); + ROUND(11); +#endif + + for (i = 0; i < 8; ++i) { + S->h[i] = v[i] ^= v[i + 8] ^ S->h[i]; + } +#undef G +#undef ROUND + blocks += increment; + len -= increment; + } while (len); +} + +/* Absorb the input data into the hash state. Always returns 1. */ +int ossl_blake2b_update(BLAKE2B_CTX *c, const void *data, size_t datalen) +{ + const uint8_t *in = data; + size_t fill; + + /* + * Intuitively one would expect intermediate buffer, c->buf, to + * store incomplete blocks. But in this case we are interested to + * temporarily stash even complete blocks, because last one in the + * stream has to be treated in special way, and at this point we + * don't know if last block in *this* call is last one "ever". This + * is the reason for why |datalen| is compared as >, and not >=. + */ + fill = sizeof(c->buf) - c->buflen; + if (datalen > fill) { + if (c->buflen) { + memcpy(c->buf + c->buflen, in, fill); /* Fill buffer */ + blake2b_compress(c, c->buf, BLAKE2B_BLOCKBYTES); + c->buflen = 0; + in += fill; + datalen -= fill; + } + if (datalen > BLAKE2B_BLOCKBYTES) { + size_t stashlen = datalen % BLAKE2B_BLOCKBYTES; + /* + * If |datalen| is a multiple of the blocksize, stash + * last complete block, it can be final one... + */ + stashlen = stashlen ? stashlen : BLAKE2B_BLOCKBYTES; + datalen -= stashlen; + blake2b_compress(c, in, datalen); + in += datalen; + datalen = stashlen; + } + } + + assert(datalen <= BLAKE2B_BLOCKBYTES); + + memcpy(c->buf + c->buflen, in, datalen); + c->buflen += datalen; /* Be lazy, do not compress */ + + return 1; +} + +/* + * Calculate the final hash and save it in md. + * Always returns 1. + */ +int ossl_blake2b_final(unsigned char *md, BLAKE2B_CTX *c) +{ + uint8_t outbuffer[BLAKE2B_OUTBYTES] = {0}; + uint8_t *target = outbuffer; + int iter = (c->outlen + 7) / 8; + int i; + + /* Avoid writing to the temporary buffer if possible */ + if ((c->outlen % sizeof(c->h[0])) == 0) + target = md; + + blake2b_set_lastblock(c); + /* Padding */ + memset(c->buf + c->buflen, 0, sizeof(c->buf) - c->buflen); + blake2b_compress(c, c->buf, c->buflen); + + /* Output full hash to buffer */ + for (i = 0; i < iter; ++i) + store64(target + sizeof(c->h[i]) * i, c->h[i]); + + if (target != md) { + memcpy(md, target, c->outlen); + OPENSSL_cleanse(target, sizeof(outbuffer)); + } + + OPENSSL_cleanse(c, sizeof(BLAKE2B_CTX)); + return 1; +} diff --git a/providers/implementations/digests/blake2s_prov.c b/providers/implementations/digests/blake2s_prov.c new file mode 100644 index 000000000000..72cab1e9a12e --- /dev/null +++ b/providers/implementations/digests/blake2s_prov.c @@ -0,0 +1,324 @@ +/* + * Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +/* + * Derived from the BLAKE2 reference implementation written by Samuel Neves. + * Copyright 2012, Samuel Neves <sneves@dei.uc.pt> + * More information about the BLAKE2 hash function and its implementations + * can be found at https://blake2.net. + */ + +#include <assert.h> +#include <string.h> +#include <openssl/crypto.h> +#include "blake2_impl.h" +#include "prov/blake2.h" + +static const uint32_t blake2s_IV[8] = +{ + 0x6A09E667U, 0xBB67AE85U, 0x3C6EF372U, 0xA54FF53AU, + 0x510E527FU, 0x9B05688CU, 0x1F83D9ABU, 0x5BE0CD19U +}; + +static const uint8_t blake2s_sigma[10][16] = +{ + { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 } , + { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 } , + { 11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4 } , + { 7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8 } , + { 9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13 } , + { 2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9 } , + { 12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11 } , + { 13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10 } , + { 6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5 } , + { 10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13 , 0 } , +}; + +/* Set that it's the last block we'll compress */ +static ossl_inline void blake2s_set_lastblock(BLAKE2S_CTX *S) +{ + S->f[0] = -1; +} + +/* Initialize the hashing state. */ +static ossl_inline void blake2s_init0(BLAKE2S_CTX *S) +{ + int i; + + memset(S, 0, sizeof(BLAKE2S_CTX)); + for (i = 0; i < 8; ++i) { + S->h[i] = blake2s_IV[i]; + } +} + +/* init xors IV with input parameter block and sets the output length */ +static void blake2s_init_param(BLAKE2S_CTX *S, const BLAKE2S_PARAM *P) +{ + size_t i; + const uint8_t *p = (const uint8_t *)(P); + + blake2s_init0(S); + S->outlen = P->digest_length; + + /* The param struct is carefully hand packed, and should be 32 bytes on + * every platform. */ + assert(sizeof(BLAKE2S_PARAM) == 32); + /* IV XOR ParamBlock */ + for (i = 0; i < 8; ++i) { + S->h[i] ^= load32(&p[i*4]); + } +} + +void ossl_blake2s_param_init(BLAKE2S_PARAM *P) +{ + P->digest_length = BLAKE2S_DIGEST_LENGTH; + P->key_length = 0; + P->fanout = 1; + P->depth = 1; + store32(P->leaf_length, 0); + store48(P->node_offset, 0); + P->node_depth = 0; + P->inner_length = 0; + memset(P->salt, 0, sizeof(P->salt)); + memset(P->personal, 0, sizeof(P->personal)); +} + +void ossl_blake2s_param_set_digest_length(BLAKE2S_PARAM *P, uint8_t outlen) +{ + P->digest_length = outlen; +} + +void ossl_blake2s_param_set_key_length(BLAKE2S_PARAM *P, uint8_t keylen) +{ + P->key_length = keylen; +} + +void ossl_blake2s_param_set_personal(BLAKE2S_PARAM *P, const uint8_t *personal, + size_t len) +{ + memcpy(P->personal, personal, len); + memset(P->personal + len, 0, BLAKE2S_PERSONALBYTES - len); +} + +void ossl_blake2s_param_set_salt(BLAKE2S_PARAM *P, const uint8_t *salt, + size_t len) +{ + memcpy(P->salt, salt, len); + memset(P->salt + len, 0, BLAKE2S_SALTBYTES - len);} + +/* + * Initialize the hashing context with the given parameter block. + * Always returns 1. + */ +int ossl_blake2s_init(BLAKE2S_CTX *c, const BLAKE2S_PARAM *P) +{ + blake2s_init_param(c, P); + return 1; +} + +/* + * Initialize the hashing context with the given parameter block and key. + * Always returns 1. + */ +int ossl_blake2s_init_key(BLAKE2S_CTX *c, const BLAKE2S_PARAM *P, + const void *key) +{ + blake2s_init_param(c, P); + + /* Pad the key to form first data block */ + { + uint8_t block[BLAKE2S_BLOCKBYTES] = {0}; + + memcpy(block, key, P->key_length); + ossl_blake2s_update(c, block, BLAKE2S_BLOCKBYTES); + OPENSSL_cleanse(block, BLAKE2S_BLOCKBYTES); + } + + return 1; +} + +/* Permute the state while xoring in the block of data. */ +static void blake2s_compress(BLAKE2S_CTX *S, + const uint8_t *blocks, + size_t len) +{ + uint32_t m[16]; + uint32_t v[16]; + size_t i; + size_t increment; + + /* + * There are two distinct usage vectors for this function: + * + * a) BLAKE2s_Update uses it to process complete blocks, + * possibly more than one at a time; + * + * b) BLAK2s_Final uses it to process last block, always + * single but possibly incomplete, in which case caller + * pads input with zeros. + */ + assert(len < BLAKE2S_BLOCKBYTES || len % BLAKE2S_BLOCKBYTES == 0); + + /* + * Since last block is always processed with separate call, + * |len| not being multiple of complete blocks can be observed + * only with |len| being less than BLAKE2S_BLOCKBYTES ("less" + * including even zero), which is why following assignment doesn't + * have to reside inside the main loop below. + */ + increment = len < BLAKE2S_BLOCKBYTES ? len : BLAKE2S_BLOCKBYTES; + + for (i = 0; i < 8; ++i) { + v[i] = S->h[i]; + } + + do { + for (i = 0; i < 16; ++i) { + m[i] = load32(blocks + i * sizeof(m[i])); + } + + /* blake2s_increment_counter */ + S->t[0] += increment; + S->t[1] += (S->t[0] < increment); + + v[ 8] = blake2s_IV[0]; + v[ 9] = blake2s_IV[1]; + v[10] = blake2s_IV[2]; + v[11] = blake2s_IV[3]; + v[12] = S->t[0] ^ blake2s_IV[4]; + v[13] = S->t[1] ^ blake2s_IV[5]; + v[14] = S->f[0] ^ blake2s_IV[6]; + v[15] = S->f[1] ^ blake2s_IV[7]; +#define G(r,i,a,b,c,d) \ + do { \ + a = a + b + m[blake2s_sigma[r][2*i+0]]; \ + d = rotr32(d ^ a, 16); \ + c = c + d; \ + b = rotr32(b ^ c, 12); \ + a = a + b + m[blake2s_sigma[r][2*i+1]]; \ + d = rotr32(d ^ a, 8); \ + c = c + d; \ + b = rotr32(b ^ c, 7); \ + } while (0) +#define ROUND(r) \ + do { \ + G(r,0,v[ 0],v[ 4],v[ 8],v[12]); \ + G(r,1,v[ 1],v[ 5],v[ 9],v[13]); \ + G(r,2,v[ 2],v[ 6],v[10],v[14]); \ + G(r,3,v[ 3],v[ 7],v[11],v[15]); \ + G(r,4,v[ 0],v[ 5],v[10],v[15]); \ + G(r,5,v[ 1],v[ 6],v[11],v[12]); \ + G(r,6,v[ 2],v[ 7],v[ 8],v[13]); \ + G(r,7,v[ 3],v[ 4],v[ 9],v[14]); \ + } while (0) +#if defined(OPENSSL_SMALL_FOOTPRINT) + /* almost 3x reduction on x86_64, 4.5x on ARMv8, 4x on ARMv4 */ + for (i = 0; i < 10; i++) { + ROUND(i); + } +#else + ROUND(0); + ROUND(1); + ROUND(2); + ROUND(3); + ROUND(4); + ROUND(5); + ROUND(6); + ROUND(7); + ROUND(8); + ROUND(9); +#endif + + for (i = 0; i < 8; ++i) { + S->h[i] = v[i] ^= v[i + 8] ^ S->h[i]; + } +#undef G +#undef ROUND + blocks += increment; + len -= increment; + } while (len); +} + +/* Absorb the input data into the hash state. Always returns 1. */ +int ossl_blake2s_update(BLAKE2S_CTX *c, const void *data, size_t datalen) +{ + const uint8_t *in = data; + size_t fill; + + /* + * Intuitively one would expect intermediate buffer, c->buf, to + * store incomplete blocks. But in this case we are interested to + * temporarily stash even complete blocks, because last one in the + * stream has to be treated in special way, and at this point we + * don't know if last block in *this* call is last one "ever". This + * is the reason for why |datalen| is compared as >, and not >=. + */ + fill = sizeof(c->buf) - c->buflen; + if (datalen > fill) { + if (c->buflen) { + memcpy(c->buf + c->buflen, in, fill); /* Fill buffer */ + blake2s_compress(c, c->buf, BLAKE2S_BLOCKBYTES); + c->buflen = 0; + in += fill; + datalen -= fill; + } + if (datalen > BLAKE2S_BLOCKBYTES) { + size_t stashlen = datalen % BLAKE2S_BLOCKBYTES; + /* + * If |datalen| is a multiple of the blocksize, stash + * last complete block, it can be final one... + */ + stashlen = stashlen ? stashlen : BLAKE2S_BLOCKBYTES; + datalen -= stashlen; + blake2s_compress(c, in, datalen); + in += datalen; + datalen = stashlen; + } + } + + assert(datalen <= BLAKE2S_BLOCKBYTES); + + memcpy(c->buf + c->buflen, in, datalen); + c->buflen += datalen; /* Be lazy, do not compress */ + + return 1; +} + +/* + * Calculate the final hash and save it in md. + * Always returns 1. + */ +int ossl_blake2s_final(unsigned char *md, BLAKE2S_CTX *c) +{ + uint8_t outbuffer[BLAKE2S_OUTBYTES] = {0}; + uint8_t *target = outbuffer; + int iter = (c->outlen + 3) / 4; + int i; + + /* Avoid writing to the temporary buffer if possible */ + if ((c->outlen % sizeof(c->h[0])) == 0) + target = md; + + blake2s_set_lastblock(c); + /* Padding */ + memset(c->buf + c->buflen, 0, sizeof(c->buf) - c->buflen); + blake2s_compress(c, c->buf, c->buflen); + + /* Output full hash to buffer */ + for (i = 0; i < iter; ++i) + store32(target + sizeof(c->h[i]) * i, c->h[i]); + + if (target != md) { + memcpy(md, target, c->outlen); + OPENSSL_cleanse(target, sizeof(outbuffer)); + } + + OPENSSL_cleanse(c, sizeof(BLAKE2S_CTX)); + return 1; +} diff --git a/providers/implementations/digests/build.info b/providers/implementations/digests/build.info new file mode 100644 index 000000000000..d30975028e9f --- /dev/null +++ b/providers/implementations/digests/build.info @@ -0,0 +1,62 @@ +# We make separate GOAL variables for each algorithm, to make it easy to +# switch each to the Legacy provider when needed. + +$COMMON_GOAL=../../libcommon.a + +$SHA1_GOAL=../../libdefault.a ../../libfips.a +$SHA2_GOAL=../../libdefault.a ../../libfips.a +$SHA3_GOAL=../../libdefault.a ../../libfips.a +$BLAKE2_GOAL=../../libdefault.a +$SM3_GOAL=../../libdefault.a +$MD5_GOAL=../../libdefault.a +$NULL_GOAL=../../libdefault.a + +$MD2_GOAL=../../liblegacy.a +$MD4_GOAL=../../liblegacy.a +$MDC2_GOAL=../../liblegacy.a +$WHIRLPOOL_GOAL=../../liblegacy.a +IF[{- !$disabled{module} -}] + $RIPEMD_GOAL=../../libdefault.a ../../liblegacy.a +ELSE + $RIPEMD_GOAL=../../libdefault.a +ENDIF + +# This source is common for all digests in all our providers. +SOURCE[$COMMON_GOAL]=digestcommon.c + +SOURCE[$SHA2_GOAL]=sha2_prov.c +SOURCE[$SHA3_GOAL]=sha3_prov.c + +SOURCE[$NULL_GOAL]=null_prov.c + +IF[{- !$disabled{blake2} -}] + SOURCE[$BLAKE2_GOAL]=blake2_prov.c blake2b_prov.c blake2s_prov.c +ENDIF + +IF[{- !$disabled{sm3} -}] + SOURCE[$SM3_GOAL]=sm3_prov.c +ENDIF + +IF[{- !$disabled{md5} -}] + SOURCE[$MD5_GOAL]=md5_prov.c md5_sha1_prov.c +ENDIF + +IF[{- !$disabled{md2} -}] + SOURCE[$MD2_GOAL]=md2_prov.c +ENDIF + +IF[{- !$disabled{md4} -}] + SOURCE[$MD4_GOAL]=md4_prov.c +ENDIF + +IF[{- !$disabled{mdc2} -}] + SOURCE[$MDC2_GOAL]=mdc2_prov.c +ENDIF + +IF[{- !$disabled{whirlpool} -}] + SOURCE[$WHIRLPOOL_GOAL]=wp_prov.c +ENDIF + +IF[{- !$disabled{rmd160} -}] + SOURCE[$RIPEMD_GOAL]=ripemd_prov.c +ENDIF diff --git a/providers/implementations/digests/digestcommon.c b/providers/implementations/digests/digestcommon.c new file mode 100644 index 000000000000..5cd1d1620062 --- /dev/null +++ b/providers/implementations/digests/digestcommon.c @@ -0,0 +1,54 @@ +/* + * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include <openssl/err.h> +#include <openssl/proverr.h> +#include "prov/digestcommon.h" + +int ossl_digest_default_get_params(OSSL_PARAM params[], size_t blksz, + size_t paramsz, unsigned long flags) +{ + OSSL_PARAM *p = NULL; + + p = OSSL_PARAM_locate(params, OSSL_DIGEST_PARAM_BLOCK_SIZE); + if (p != NULL && !OSSL_PARAM_set_size_t(p, blksz)) { + ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER); + return 0; + } + p = OSSL_PARAM_locate(params, OSSL_DIGEST_PARAM_SIZE); + if (p != NULL && !OSSL_PARAM_set_size_t(p, paramsz)) { + ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER); + return 0; + } + p = OSSL_PARAM_locate(params, OSSL_DIGEST_PARAM_XOF); + if (p != NULL + && !OSSL_PARAM_set_int(p, (flags & PROV_DIGEST_FLAG_XOF) != 0)) { + ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER); + return 0; + } + p = OSSL_PARAM_locate(params, OSSL_DIGEST_PARAM_ALGID_ABSENT); + if (p != NULL + && !OSSL_PARAM_set_int(p, (flags & PROV_DIGEST_FLAG_ALGID_ABSENT) != 0)) { + ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER); + return 0; + } + return 1; +} + +static const OSSL_PARAM digest_default_known_gettable_params[] = { + OSSL_PARAM_size_t(OSSL_DIGEST_PARAM_BLOCK_SIZE, NULL), + OSSL_PARAM_size_t(OSSL_DIGEST_PARAM_SIZE, NULL), + OSSL_PARAM_int(OSSL_DIGEST_PARAM_XOF, NULL), + OSSL_PARAM_int(OSSL_DIGEST_PARAM_ALGID_ABSENT, NULL), + OSSL_PARAM_END +}; +const OSSL_PARAM *ossl_digest_default_gettable_params(void *provctx) +{ + return digest_default_known_gettable_params; +} diff --git a/providers/implementations/digests/md2_prov.c b/providers/implementations/digests/md2_prov.c new file mode 100644 index 000000000000..a41a02c19890 --- /dev/null +++ b/providers/implementations/digests/md2_prov.c @@ -0,0 +1,24 @@ +/* + * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +/* + * MD2 low level APIs are deprecated for public use, but still ok for + * internal use. + */ +#include "internal/deprecated.h" + +#include <openssl/crypto.h> +#include <openssl/md2.h> +#include "prov/digestcommon.h" +#include "prov/implementations.h" + +/* ossl_md2_functions */ +IMPLEMENT_digest_functions(md2, MD2_CTX, + MD2_BLOCK, MD2_DIGEST_LENGTH, 0, + MD2_Init, MD2_Update, MD2_Final) diff --git a/providers/implementations/digests/md4_prov.c b/providers/implementations/digests/md4_prov.c new file mode 100644 index 000000000000..97f73018c275 --- /dev/null +++ b/providers/implementations/digests/md4_prov.c @@ -0,0 +1,24 @@ +/* + * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +/* + * MD4 low level APIs are deprecated for public use, but still ok for + * internal use. + */ +#include "internal/deprecated.h" + +#include <openssl/crypto.h> +#include <openssl/md4.h> +#include "prov/digestcommon.h" +#include "prov/implementations.h" + +/* ossl_md4_functions */ +IMPLEMENT_digest_functions(md4, MD4_CTX, + MD4_CBLOCK, MD4_DIGEST_LENGTH, 0, + MD4_Init, MD4_Update, MD4_Final) diff --git a/providers/implementations/digests/md5_prov.c b/providers/implementations/digests/md5_prov.c new file mode 100644 index 000000000000..a330e057f547 --- /dev/null +++ b/providers/implementations/digests/md5_prov.c @@ -0,0 +1,24 @@ +/* + * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +/* + * MD5 low level APIs are deprecated for public use, but still ok for + * internal use. + */ +#include "internal/deprecated.h" + +#include <openssl/crypto.h> +#include <openssl/md5.h> +#include "prov/digestcommon.h" +#include "prov/implementations.h" + +/* ossl_md5_functions */ +IMPLEMENT_digest_functions(md5, MD5_CTX, + MD5_CBLOCK, MD5_DIGEST_LENGTH, 0, + MD5_Init, MD5_Update, MD5_Final) diff --git a/providers/implementations/digests/md5_sha1_prov.c b/providers/implementations/digests/md5_sha1_prov.c new file mode 100644 index 000000000000..e7b8389b2b5c --- /dev/null +++ b/providers/implementations/digests/md5_sha1_prov.c @@ -0,0 +1,61 @@ +/* + * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +/* + * MD5 and SHA-1 low level APIs are deprecated for public use, but still ok for + * internal use. + */ +#include "internal/deprecated.h" + +#include <string.h> +#include <openssl/crypto.h> +#include <openssl/evp.h> +#include <openssl/params.h> +#include <openssl/core_names.h> +#include "prov/md5_sha1.h" +#include "prov/digestcommon.h" +#include "prov/implementations.h" + +static OSSL_FUNC_digest_set_ctx_params_fn md5_sha1_set_ctx_params; +static OSSL_FUNC_digest_settable_ctx_params_fn md5_sha1_settable_ctx_params; + +static const OSSL_PARAM known_md5_sha1_settable_ctx_params[] = { + {OSSL_DIGEST_PARAM_SSL3_MS, OSSL_PARAM_OCTET_STRING, NULL, 0, 0}, + OSSL_PARAM_END +}; + +static const OSSL_PARAM *md5_sha1_settable_ctx_params(ossl_unused void *ctx, + ossl_unused void *provctx) +{ + return known_md5_sha1_settable_ctx_params; +} + +/* Special set_params method for SSL3 */ +static int md5_sha1_set_ctx_params(void *vctx, const OSSL_PARAM params[]) +{ + const OSSL_PARAM *p; + MD5_SHA1_CTX *ctx = (MD5_SHA1_CTX *)vctx; + + if (ctx == NULL) + return 0; + if (params == NULL) + return 1; + + p = OSSL_PARAM_locate_const(params, OSSL_DIGEST_PARAM_SSL3_MS); + if (p != NULL && p->data_type == OSSL_PARAM_OCTET_STRING) + return ossl_md5_sha1_ctrl(ctx, EVP_CTRL_SSL3_MASTER_SECRET, + p->data_size, p->data); + return 1; +} + +/* ossl_md5_sha1_functions */ +IMPLEMENT_digest_functions_with_settable_ctx( + md5_sha1, MD5_SHA1_CTX, MD5_SHA1_CBLOCK, MD5_SHA1_DIGEST_LENGTH, 0, + ossl_md5_sha1_init, ossl_md5_sha1_update, ossl_md5_sha1_final, + md5_sha1_settable_ctx_params, md5_sha1_set_ctx_params) diff --git a/providers/implementations/digests/mdc2_prov.c b/providers/implementations/digests/mdc2_prov.c new file mode 100644 index 000000000000..de39f8a10482 --- /dev/null +++ b/providers/implementations/digests/mdc2_prov.c @@ -0,0 +1,61 @@ +/* + * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +/* + * MDC2 low level APIs are deprecated for public use, but still ok for + * internal use. + */ +#include "internal/deprecated.h" + +#include <openssl/crypto.h> +#include <openssl/params.h> +#include <openssl/mdc2.h> +#include <openssl/core_names.h> +#include <openssl/err.h> +#include <openssl/proverr.h> +#include "prov/digestcommon.h" +#include "prov/implementations.h" + +static OSSL_FUNC_digest_set_ctx_params_fn mdc2_set_ctx_params; +static OSSL_FUNC_digest_settable_ctx_params_fn mdc2_settable_ctx_params; + +static const OSSL_PARAM known_mdc2_settable_ctx_params[] = { + OSSL_PARAM_uint(OSSL_DIGEST_PARAM_PAD_TYPE, NULL), + OSSL_PARAM_END +}; + +static const OSSL_PARAM *mdc2_settable_ctx_params(ossl_unused void *ctx, + ossl_unused void *provctx) +{ + return known_mdc2_settable_ctx_params; +} + +static int mdc2_set_ctx_params(void *vctx, const OSSL_PARAM params[]) +{ + const OSSL_PARAM *p; + MDC2_CTX *ctx = (MDC2_CTX *)vctx; + + if (ctx == NULL) + return 0; + if (params == NULL) + return 1; + + p = OSSL_PARAM_locate_const(params, OSSL_DIGEST_PARAM_PAD_TYPE); + if (p != NULL && !OSSL_PARAM_get_uint(p, &ctx->pad_type)) { + ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER); + return 0; + } + return 1; +} + +/* ossl_mdc2_functions */ +IMPLEMENT_digest_functions_with_settable_ctx( + mdc2, MDC2_CTX, MDC2_BLOCK, MDC2_DIGEST_LENGTH, 0, + MDC2_Init, MDC2_Update, MDC2_Final, + mdc2_settable_ctx_params, mdc2_set_ctx_params) diff --git a/providers/implementations/digests/null_prov.c b/providers/implementations/digests/null_prov.c new file mode 100644 index 000000000000..b220a1966ff7 --- /dev/null +++ b/providers/implementations/digests/null_prov.c @@ -0,0 +1,52 @@ +/* + * Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include <openssl/crypto.h> +#include "prov/digestcommon.h" +#include "prov/implementations.h" + +typedef struct { + unsigned char nothing; +} NULLMD_CTX; + +static int null_init(NULLMD_CTX *ctx) +{ + return 1; +} + +static int null_update(NULLMD_CTX *ctx, const void *data, size_t datalen) +{ + return 1; +} + +static int null_final(unsigned char *md, NULLMD_CTX *ctx) +{ + return 1; +} + +/* + * We must override the PROV_FUNC_DIGEST_FINAL as dgstsize == 0 + * and that would cause compilation warnings with the default implementation. + */ +#undef PROV_FUNC_DIGEST_FINAL +#define PROV_FUNC_DIGEST_FINAL(name, dgstsize, fin) \ +static OSSL_FUNC_digest_final_fn name##_internal_final; \ +static int name##_internal_final(void *ctx, unsigned char *out, size_t *outl, \ + size_t outsz) \ +{ \ + if (ossl_prov_is_running() && fin(out, ctx)) { \ + *outl = dgstsize; \ + return 1; \ + } \ + return 0; \ +} + +IMPLEMENT_digest_functions(nullmd, NULLMD_CTX, + 0, 0, 0, + null_init, null_update, null_final) diff --git a/providers/implementations/digests/ripemd_prov.c b/providers/implementations/digests/ripemd_prov.c new file mode 100644 index 000000000000..526706c06dcc --- /dev/null +++ b/providers/implementations/digests/ripemd_prov.c @@ -0,0 +1,24 @@ +/* + * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +/* + * RIPEMD160 low level APIs are deprecated for public use, but still ok for + * internal use. + */ +#include "internal/deprecated.h" + +#include <openssl/crypto.h> +#include <openssl/ripemd.h> +#include "prov/digestcommon.h" +#include "prov/implementations.h" + +/* ossl_ripemd160_functions */ +IMPLEMENT_digest_functions(ripemd160, RIPEMD160_CTX, + RIPEMD160_CBLOCK, RIPEMD160_DIGEST_LENGTH, 0, + RIPEMD160_Init, RIPEMD160_Update, RIPEMD160_Final) diff --git a/providers/implementations/digests/sha2_prov.c b/providers/implementations/digests/sha2_prov.c new file mode 100644 index 000000000000..3b731796bdc4 --- /dev/null +++ b/providers/implementations/digests/sha2_prov.c @@ -0,0 +1,95 @@ +/* + * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +/* + * SHA low level APIs are deprecated for public use, but still ok for + * internal use. + */ +#include "internal/deprecated.h" + +#include <openssl/crypto.h> +#include <openssl/core_dispatch.h> +#include <openssl/evp.h> +#include <openssl/sha.h> +#include <openssl/evp.h> +#include <openssl/params.h> +#include <openssl/core_names.h> +#include "prov/digestcommon.h" +#include "prov/implementations.h" +#include "crypto/sha.h" + +#define SHA2_FLAGS PROV_DIGEST_FLAG_ALGID_ABSENT + +static OSSL_FUNC_digest_set_ctx_params_fn sha1_set_ctx_params; +static OSSL_FUNC_digest_settable_ctx_params_fn sha1_settable_ctx_params; + +static const OSSL_PARAM known_sha1_settable_ctx_params[] = { + {OSSL_DIGEST_PARAM_SSL3_MS, OSSL_PARAM_OCTET_STRING, NULL, 0, 0}, + OSSL_PARAM_END +}; +static const OSSL_PARAM *sha1_settable_ctx_params(ossl_unused void *ctx, + ossl_unused void *provctx) +{ + return known_sha1_settable_ctx_params; +} + +/* Special set_params method for SSL3 */ +static int sha1_set_ctx_params(void *vctx, const OSSL_PARAM params[]) +{ + const OSSL_PARAM *p; + SHA_CTX *ctx = (SHA_CTX *)vctx; + + if (ctx == NULL) + return 0; + if (params == NULL) + return 1; + + p = OSSL_PARAM_locate_const(params, OSSL_DIGEST_PARAM_SSL3_MS); + if (p != NULL && p->data_type == OSSL_PARAM_OCTET_STRING) + return ossl_sha1_ctrl(ctx, EVP_CTRL_SSL3_MASTER_SECRET, + p->data_size, p->data); + return 1; +} + +/* ossl_sha1_functions */ +IMPLEMENT_digest_functions_with_settable_ctx( + sha1, SHA_CTX, SHA_CBLOCK, SHA_DIGEST_LENGTH, SHA2_FLAGS, + SHA1_Init, SHA1_Update, SHA1_Final, + sha1_settable_ctx_params, sha1_set_ctx_params) + +/* ossl_sha224_functions */ +IMPLEMENT_digest_functions(sha224, SHA256_CTX, + SHA256_CBLOCK, SHA224_DIGEST_LENGTH, SHA2_FLAGS, + SHA224_Init, SHA224_Update, SHA224_Final) + +/* ossl_sha256_functions */ +IMPLEMENT_digest_functions(sha256, SHA256_CTX, + SHA256_CBLOCK, SHA256_DIGEST_LENGTH, SHA2_FLAGS, + SHA256_Init, SHA256_Update, SHA256_Final) + +/* ossl_sha384_functions */ +IMPLEMENT_digest_functions(sha384, SHA512_CTX, + SHA512_CBLOCK, SHA384_DIGEST_LENGTH, SHA2_FLAGS, + SHA384_Init, SHA384_Update, SHA384_Final) + +/* ossl_sha512_functions */ +IMPLEMENT_digest_functions(sha512, SHA512_CTX, + SHA512_CBLOCK, SHA512_DIGEST_LENGTH, SHA2_FLAGS, + SHA512_Init, SHA512_Update, SHA512_Final) + +/* ossl_sha512_224_functions */ +IMPLEMENT_digest_functions(sha512_224, SHA512_CTX, + SHA512_CBLOCK, SHA224_DIGEST_LENGTH, SHA2_FLAGS, + sha512_224_init, SHA512_Update, SHA512_Final) + +/* ossl_sha512_256_functions */ +IMPLEMENT_digest_functions(sha512_256, SHA512_CTX, + SHA512_CBLOCK, SHA256_DIGEST_LENGTH, SHA2_FLAGS, + sha512_256_init, SHA512_Update, SHA512_Final) + diff --git a/providers/implementations/digests/sha3_prov.c b/providers/implementations/digests/sha3_prov.c new file mode 100644 index 000000000000..f6358e62562e --- /dev/null +++ b/providers/implementations/digests/sha3_prov.c @@ -0,0 +1,332 @@ +/* + * Copyright 2019-2025 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include <string.h> +#include <openssl/core_names.h> +#include <openssl/crypto.h> +#include <openssl/evp.h> +#include <openssl/params.h> +#include <openssl/err.h> +#include <openssl/proverr.h> +#include "internal/sha3.h" +#include "prov/digestcommon.h" +#include "prov/implementations.h" + +#define SHA3_FLAGS PROV_DIGEST_FLAG_ALGID_ABSENT +#define SHAKE_FLAGS (PROV_DIGEST_FLAG_XOF | PROV_DIGEST_FLAG_ALGID_ABSENT) +#define KMAC_FLAGS PROV_DIGEST_FLAG_XOF + +/* + * Forward declaration of any unique methods implemented here. This is not strictly + * necessary for the compiler, but provides an assurance that the signatures + * of the functions in the dispatch table are correct. + */ +static OSSL_FUNC_digest_init_fn keccak_init; +static OSSL_FUNC_digest_init_fn keccak_init_params; +static OSSL_FUNC_digest_update_fn keccak_update; +static OSSL_FUNC_digest_final_fn keccak_final; +static OSSL_FUNC_digest_freectx_fn keccak_freectx; +static OSSL_FUNC_digest_dupctx_fn keccak_dupctx; +static OSSL_FUNC_digest_set_ctx_params_fn shake_set_ctx_params; +static OSSL_FUNC_digest_settable_ctx_params_fn shake_settable_ctx_params; +static sha3_absorb_fn generic_sha3_absorb; +static sha3_final_fn generic_sha3_final; + +#if defined(OPENSSL_CPUID_OBJ) && defined(__s390__) && defined(KECCAK1600_ASM) +/* + * IBM S390X support + */ +# include "s390x_arch.h" +# define S390_SHA3 1 +# define S390_SHA3_CAPABLE(name) \ + ((OPENSSL_s390xcap_P.kimd[0] & S390X_CAPBIT(S390X_##name)) && \ + (OPENSSL_s390xcap_P.klmd[0] & S390X_CAPBIT(S390X_##name))) + +#endif + +static int keccak_init(void *vctx, ossl_unused const OSSL_PARAM params[]) +{ + if (!ossl_prov_is_running()) + return 0; + /* The newctx() handles most of the ctx fixed setup. */ + ossl_sha3_reset((KECCAK1600_CTX *)vctx); + return 1; +} + +static int keccak_init_params(void *vctx, const OSSL_PARAM params[]) +{ + return keccak_init(vctx, NULL) + && shake_set_ctx_params(vctx, params); +} + +static int keccak_update(void *vctx, const unsigned char *inp, size_t len) +{ + KECCAK1600_CTX *ctx = vctx; + const size_t bsz = ctx->block_size; + size_t num, rem; + + if (len == 0) + return 1; + + /* Is there anything in the buffer already ? */ + if ((num = ctx->bufsz) != 0) { + /* Calculate how much space is left in the buffer */ + rem = bsz - num; + /* If the new input does not fill the buffer then just add it */ + if (len < rem) { + memcpy(ctx->buf + num, inp, len); + ctx->bufsz += len; + return 1; + } + /* otherwise fill up the buffer and absorb the buffer */ + memcpy(ctx->buf + num, inp, rem); + /* Update the input pointer */ + inp += rem; + len -= rem; + ctx->meth.absorb(ctx, ctx->buf, bsz); + ctx->bufsz = 0; + } + /* Absorb the input - rem = leftover part of the input < blocksize) */ + rem = ctx->meth.absorb(ctx, inp, len); + /* Copy the leftover bit of the input into the buffer */ + if (rem) { + memcpy(ctx->buf, inp + len - rem, rem); + ctx->bufsz = rem; + } + return 1; +} + +static int keccak_final(void *vctx, unsigned char *out, size_t *outl, + size_t outsz) +{ + int ret = 1; + KECCAK1600_CTX *ctx = vctx; + + if (!ossl_prov_is_running()) + return 0; + if (outsz > 0) + ret = ctx->meth.final(out, ctx); + + *outl = ctx->md_size; + return ret; +} + +/*- + * Generic software version of the absorb() and final(). + */ +static size_t generic_sha3_absorb(void *vctx, const void *inp, size_t len) +{ + KECCAK1600_CTX *ctx = vctx; + + return SHA3_absorb(ctx->A, inp, len, ctx->block_size); +} + +static int generic_sha3_final(unsigned char *md, void *vctx) +{ + return ossl_sha3_final(md, (KECCAK1600_CTX *)vctx); +} + +static PROV_SHA3_METHOD sha3_generic_md = +{ + generic_sha3_absorb, + generic_sha3_final +}; + +#if defined(S390_SHA3) + +static sha3_absorb_fn s390x_sha3_absorb; +static sha3_final_fn s390x_sha3_final; +static sha3_final_fn s390x_shake_final; + +/*- + * The platform specific parts of the absorb() and final() for S390X. + */ +static size_t s390x_sha3_absorb(void *vctx, const void *inp, size_t len) +{ + KECCAK1600_CTX *ctx = vctx; + size_t rem = len % ctx->block_size; + + s390x_kimd(inp, len - rem, ctx->pad, ctx->A); + return rem; +} + +static int s390x_sha3_final(unsigned char *md, void *vctx) +{ + KECCAK1600_CTX *ctx = vctx; + + if (!ossl_prov_is_running()) + return 0; + s390x_klmd(ctx->buf, ctx->bufsz, NULL, 0, ctx->pad, ctx->A); + memcpy(md, ctx->A, ctx->md_size); + return 1; +} + +static int s390x_shake_final(unsigned char *md, void *vctx) +{ + KECCAK1600_CTX *ctx = vctx; + + if (!ossl_prov_is_running()) + return 0; + s390x_klmd(ctx->buf, ctx->bufsz, md, ctx->md_size, ctx->pad, ctx->A); + return 1; +} + +static PROV_SHA3_METHOD sha3_s390x_md = +{ + s390x_sha3_absorb, + s390x_sha3_final +}; + +static PROV_SHA3_METHOD shake_s390x_md = +{ + s390x_sha3_absorb, + s390x_shake_final +}; + +# define SHA3_SET_MD(uname, typ) \ + if (S390_SHA3_CAPABLE(uname)) { \ + ctx->pad = S390X_##uname; \ + ctx->meth = typ##_s390x_md; \ + } else { \ + ctx->meth = sha3_generic_md; \ + } +#else +# define SHA3_SET_MD(uname, typ) ctx->meth = sha3_generic_md; +#endif /* S390_SHA3 */ + +#define SHA3_newctx(typ, uname, name, bitlen, pad) \ +static OSSL_FUNC_digest_newctx_fn name##_newctx; \ +static void *name##_newctx(void *provctx) \ +{ \ + KECCAK1600_CTX *ctx = ossl_prov_is_running() ? OPENSSL_zalloc(sizeof(*ctx)) \ + : NULL; \ + \ + if (ctx == NULL) \ + return NULL; \ + ossl_sha3_init(ctx, pad, bitlen); \ + SHA3_SET_MD(uname, typ) \ + return ctx; \ +} + +#define KMAC_newctx(uname, bitlen, pad) \ +static OSSL_FUNC_digest_newctx_fn uname##_newctx; \ +static void *uname##_newctx(void *provctx) \ +{ \ + KECCAK1600_CTX *ctx = ossl_prov_is_running() ? OPENSSL_zalloc(sizeof(*ctx)) \ + : NULL; \ + \ + if (ctx == NULL) \ + return NULL; \ + ossl_keccak_kmac_init(ctx, pad, bitlen); \ + ctx->meth = sha3_generic_md; \ + return ctx; \ +} + +#define PROV_FUNC_SHA3_DIGEST_COMMON(name, bitlen, blksize, dgstsize, flags) \ +PROV_FUNC_DIGEST_GET_PARAM(name, blksize, dgstsize, flags) \ +const OSSL_DISPATCH ossl_##name##_functions[] = { \ + { OSSL_FUNC_DIGEST_NEWCTX, (void (*)(void))name##_newctx }, \ + { OSSL_FUNC_DIGEST_UPDATE, (void (*)(void))keccak_update }, \ + { OSSL_FUNC_DIGEST_FINAL, (void (*)(void))keccak_final }, \ + { OSSL_FUNC_DIGEST_FREECTX, (void (*)(void))keccak_freectx }, \ + { OSSL_FUNC_DIGEST_DUPCTX, (void (*)(void))keccak_dupctx }, \ + PROV_DISPATCH_FUNC_DIGEST_GET_PARAMS(name) + +#define PROV_FUNC_SHA3_DIGEST(name, bitlen, blksize, dgstsize, flags) \ + PROV_FUNC_SHA3_DIGEST_COMMON(name, bitlen, blksize, dgstsize, flags), \ + { OSSL_FUNC_DIGEST_INIT, (void (*)(void))keccak_init }, \ + PROV_DISPATCH_FUNC_DIGEST_CONSTRUCT_END + +#define PROV_FUNC_SHAKE_DIGEST(name, bitlen, blksize, dgstsize, flags) \ + PROV_FUNC_SHA3_DIGEST_COMMON(name, bitlen, blksize, dgstsize, flags), \ + { OSSL_FUNC_DIGEST_INIT, (void (*)(void))keccak_init_params }, \ + { OSSL_FUNC_DIGEST_SET_CTX_PARAMS, (void (*)(void))shake_set_ctx_params }, \ + { OSSL_FUNC_DIGEST_SETTABLE_CTX_PARAMS, \ + (void (*)(void))shake_settable_ctx_params }, \ + PROV_DISPATCH_FUNC_DIGEST_CONSTRUCT_END + +static void keccak_freectx(void *vctx) +{ + KECCAK1600_CTX *ctx = (KECCAK1600_CTX *)vctx; + + OPENSSL_clear_free(ctx, sizeof(*ctx)); +} + +static void *keccak_dupctx(void *ctx) +{ + KECCAK1600_CTX *in = (KECCAK1600_CTX *)ctx; + KECCAK1600_CTX *ret = ossl_prov_is_running() ? OPENSSL_malloc(sizeof(*ret)) + : NULL; + + if (ret != NULL) + *ret = *in; + return ret; +} + +static const OSSL_PARAM known_shake_settable_ctx_params[] = { + {OSSL_DIGEST_PARAM_XOFLEN, OSSL_PARAM_UNSIGNED_INTEGER, NULL, 0, 0}, + OSSL_PARAM_END +}; +static const OSSL_PARAM *shake_settable_ctx_params(ossl_unused void *ctx, + ossl_unused void *provctx) +{ + return known_shake_settable_ctx_params; +} + +static int shake_set_ctx_params(void *vctx, const OSSL_PARAM params[]) +{ + const OSSL_PARAM *p; + KECCAK1600_CTX *ctx = (KECCAK1600_CTX *)vctx; + + if (ctx == NULL) + return 0; + if (params == NULL) + return 1; + + p = OSSL_PARAM_locate_const(params, OSSL_DIGEST_PARAM_XOFLEN); + if (p != NULL && !OSSL_PARAM_get_size_t(p, &ctx->md_size)) { + ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER); + return 0; + } + return 1; +} + +#define IMPLEMENT_SHA3_functions(bitlen) \ + SHA3_newctx(sha3, SHA3_##bitlen, sha3_##bitlen, bitlen, '\x06') \ + PROV_FUNC_SHA3_DIGEST(sha3_##bitlen, bitlen, \ + SHA3_BLOCKSIZE(bitlen), SHA3_MDSIZE(bitlen), \ + SHA3_FLAGS) + +#define IMPLEMENT_SHAKE_functions(bitlen) \ + SHA3_newctx(shake, SHAKE_##bitlen, shake_##bitlen, bitlen, '\x1f') \ + PROV_FUNC_SHAKE_DIGEST(shake_##bitlen, bitlen, \ + SHA3_BLOCKSIZE(bitlen), SHA3_MDSIZE(bitlen), \ + SHAKE_FLAGS) +#define IMPLEMENT_KMAC_functions(bitlen) \ + KMAC_newctx(keccak_kmac_##bitlen, bitlen, '\x04') \ + PROV_FUNC_SHAKE_DIGEST(keccak_kmac_##bitlen, bitlen, \ + SHA3_BLOCKSIZE(bitlen), KMAC_MDSIZE(bitlen), \ + KMAC_FLAGS) + +/* ossl_sha3_224_functions */ +IMPLEMENT_SHA3_functions(224) +/* ossl_sha3_256_functions */ +IMPLEMENT_SHA3_functions(256) +/* ossl_sha3_384_functions */ +IMPLEMENT_SHA3_functions(384) +/* ossl_sha3_512_functions */ +IMPLEMENT_SHA3_functions(512) +/* ossl_shake_128_functions */ +IMPLEMENT_SHAKE_functions(128) +/* ossl_shake_256_functions */ +IMPLEMENT_SHAKE_functions(256) +/* ossl_keccak_kmac_128_functions */ +IMPLEMENT_KMAC_functions(128) +/* ossl_keccak_kmac_256_functions */ +IMPLEMENT_KMAC_functions(256) diff --git a/providers/implementations/digests/sm3_prov.c b/providers/implementations/digests/sm3_prov.c new file mode 100644 index 000000000000..9d6de5b6ac19 --- /dev/null +++ b/providers/implementations/digests/sm3_prov.c @@ -0,0 +1,18 @@ +/* + * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include <openssl/crypto.h> +#include "internal/sm3.h" +#include "prov/digestcommon.h" +#include "prov/implementations.h" + +/* ossl_sm3_functions */ +IMPLEMENT_digest_functions(sm3, SM3_CTX, + SM3_CBLOCK, SM3_DIGEST_LENGTH, 0, + ossl_sm3_init, ossl_sm3_update, ossl_sm3_final) diff --git a/providers/implementations/digests/wp_prov.c b/providers/implementations/digests/wp_prov.c new file mode 100644 index 000000000000..2af70b337281 --- /dev/null +++ b/providers/implementations/digests/wp_prov.c @@ -0,0 +1,24 @@ +/* + * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +/* + * Whirlpool low level APIs are deprecated for public use, but still ok for + * internal use. + */ +#include "internal/deprecated.h" + +#include <openssl/crypto.h> +#include <openssl/whrlpool.h> +#include "prov/digestcommon.h" +#include "prov/implementations.h" + +/* ossl_wp_functions */ +IMPLEMENT_digest_functions(wp, WHIRLPOOL_CTX, + WHIRLPOOL_BBLOCK / 8, WHIRLPOOL_DIGEST_LENGTH, 0, + WHIRLPOOL_Init, WHIRLPOOL_Update, WHIRLPOOL_Final) |