mirror of
https://github.com/openssl/openssl.git
synced 2024-12-27 06:21:43 +08:00
5366490822
Fixes #7894 This allows SHAKE to squeeze multiple times with different output sizes. The existing EVP_DigestFinalXOF() API has been left as a one shot operation. A similar interface is used by another toolkit. The low level SHA3_Squeeze() function needed to change slightly so that it can handle multiple squeezes. This involves changing the assembler code so that it passes a boolean to indicate whether the Keccak function should be called on entry. At the provider level, the squeeze is buffered, so that it only requests a multiple of the blocksize when SHA3_Squeeze() is called. On the first call the value is zero, on subsequent calls the value passed is 1. This PR is derived from the excellent work done by @nmathewson in https://github.com/openssl/openssl/pull/7921 Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/21511)
202 lines
5.4 KiB
C
202 lines
5.4 KiB
C
/*
|
|
* Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved.
|
|
*
|
|
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
|
* this file except in compliance with the License. You can obtain a copy
|
|
* in the file LICENSE in the source distribution or at
|
|
* https://www.openssl.org/source/license.html
|
|
*/
|
|
|
|
#include <string.h>
|
|
#include "internal/sha3.h"
|
|
|
|
void SHA3_squeeze(uint64_t A[5][5], unsigned char *out, size_t len, size_t r, int next);
|
|
|
|
void ossl_sha3_reset(KECCAK1600_CTX *ctx)
|
|
{
|
|
memset(ctx->A, 0, sizeof(ctx->A));
|
|
ctx->bufsz = 0;
|
|
ctx->xof_state = XOF_STATE_INIT;
|
|
}
|
|
|
|
int ossl_sha3_init(KECCAK1600_CTX *ctx, unsigned char pad, size_t bitlen)
|
|
{
|
|
size_t bsz = SHA3_BLOCKSIZE(bitlen);
|
|
|
|
if (bsz <= sizeof(ctx->buf)) {
|
|
ossl_sha3_reset(ctx);
|
|
ctx->block_size = bsz;
|
|
ctx->md_size = bitlen / 8;
|
|
ctx->pad = pad;
|
|
return 1;
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
int ossl_keccak_kmac_init(KECCAK1600_CTX *ctx, unsigned char pad, size_t bitlen)
|
|
{
|
|
int ret = ossl_sha3_init(ctx, pad, bitlen);
|
|
|
|
if (ret)
|
|
ctx->md_size *= 2;
|
|
return ret;
|
|
}
|
|
|
|
int ossl_sha3_update(KECCAK1600_CTX *ctx, const void *_inp, size_t len)
|
|
{
|
|
const unsigned char *inp = _inp;
|
|
size_t bsz = ctx->block_size;
|
|
size_t num, rem;
|
|
|
|
if (len == 0)
|
|
return 1;
|
|
|
|
if (ctx->xof_state == XOF_STATE_SQUEEZE
|
|
|| ctx->xof_state == XOF_STATE_FINAL)
|
|
return 0;
|
|
|
|
if ((num = ctx->bufsz) != 0) { /* process intermediate buffer? */
|
|
rem = bsz - num;
|
|
|
|
if (len < rem) {
|
|
memcpy(ctx->buf + num, inp, len);
|
|
ctx->bufsz += len;
|
|
return 1;
|
|
}
|
|
/*
|
|
* We have enough data to fill or overflow the intermediate
|
|
* buffer. So we append |rem| bytes and process the block,
|
|
* leaving the rest for later processing...
|
|
*/
|
|
memcpy(ctx->buf + num, inp, rem);
|
|
inp += rem, len -= rem;
|
|
(void)SHA3_absorb(ctx->A, ctx->buf, bsz, bsz);
|
|
ctx->bufsz = 0;
|
|
/* ctx->buf is processed, ctx->num is guaranteed to be zero */
|
|
}
|
|
|
|
if (len >= bsz)
|
|
rem = SHA3_absorb(ctx->A, inp, len, bsz);
|
|
else
|
|
rem = len;
|
|
|
|
if (rem) {
|
|
memcpy(ctx->buf, inp + len - rem, rem);
|
|
ctx->bufsz = rem;
|
|
}
|
|
|
|
return 1;
|
|
}
|
|
|
|
/*
|
|
* ossl_sha3_final()is a single shot method
|
|
* (Use ossl_sha3_squeeze for multiple calls).
|
|
* outlen is the variable size output.
|
|
*/
|
|
int ossl_sha3_final(KECCAK1600_CTX *ctx, unsigned char *out, size_t outlen)
|
|
{
|
|
size_t bsz = ctx->block_size;
|
|
size_t num = ctx->bufsz;
|
|
|
|
if (outlen == 0)
|
|
return 1;
|
|
if (ctx->xof_state == XOF_STATE_SQUEEZE
|
|
|| ctx->xof_state == XOF_STATE_FINAL)
|
|
return 0;
|
|
|
|
/*
|
|
* Pad the data with 10*1. Note that |num| can be |bsz - 1|
|
|
* in which case both byte operations below are performed on
|
|
* same byte...
|
|
*/
|
|
memset(ctx->buf + num, 0, bsz - num);
|
|
ctx->buf[num] = ctx->pad;
|
|
ctx->buf[bsz - 1] |= 0x80;
|
|
|
|
(void)SHA3_absorb(ctx->A, ctx->buf, bsz, bsz);
|
|
|
|
ctx->xof_state = XOF_STATE_FINAL;
|
|
SHA3_squeeze(ctx->A, out, outlen, bsz, 0);
|
|
return 1;
|
|
}
|
|
|
|
/*
|
|
* This method can be called multiple times.
|
|
* Rather than heavily modifying assembler for SHA3_squeeze(),
|
|
* we instead just use the limitations of the existing function.
|
|
* i.e. Only request multiples of the ctx->block_size when calling
|
|
* SHA3_squeeze(). For output length requests smaller than the
|
|
* ctx->block_size just request a single ctx->block_size bytes and
|
|
* buffer the results. The next request will use the buffer first
|
|
* to grab output bytes.
|
|
*/
|
|
int ossl_sha3_squeeze(KECCAK1600_CTX *ctx, unsigned char *out, size_t outlen)
|
|
{
|
|
size_t bsz = ctx->block_size;
|
|
size_t num = ctx->bufsz;
|
|
size_t len;
|
|
int next = 1;
|
|
|
|
if (outlen == 0)
|
|
return 1;
|
|
|
|
if (ctx->xof_state == XOF_STATE_FINAL)
|
|
return 0;
|
|
|
|
/*
|
|
* On the first squeeze call, finish the absorb process,
|
|
* by adding the trailing padding and then doing
|
|
* a final absorb.
|
|
*/
|
|
if (ctx->xof_state != XOF_STATE_SQUEEZE) {
|
|
/*
|
|
* Pad the data with 10*1. Note that |num| can be |bsz - 1|
|
|
* in which case both byte operations below are performed on
|
|
* same byte...
|
|
*/
|
|
memset(ctx->buf + num, 0, bsz - num);
|
|
ctx->buf[num] = ctx->pad;
|
|
ctx->buf[bsz - 1] |= 0x80;
|
|
(void)SHA3_absorb(ctx->A, ctx->buf, bsz, bsz);
|
|
ctx->xof_state = XOF_STATE_SQUEEZE;
|
|
num = ctx->bufsz = 0;
|
|
next = 0;
|
|
}
|
|
|
|
/*
|
|
* Step 1. Consume any bytes left over from a previous squeeze
|
|
* (See Step 4 below).
|
|
*/
|
|
if (num != 0) {
|
|
if (outlen > ctx->bufsz)
|
|
len = ctx->bufsz;
|
|
else
|
|
len = outlen;
|
|
memcpy(out, ctx->buf + bsz - ctx->bufsz, len);
|
|
out += len;
|
|
outlen -= len;
|
|
ctx->bufsz -= len;
|
|
}
|
|
if (outlen == 0)
|
|
return 1;
|
|
|
|
/* Step 2. Copy full sized squeezed blocks to the output buffer directly */
|
|
if (outlen >= bsz) {
|
|
len = bsz * (outlen / bsz);
|
|
SHA3_squeeze(ctx->A, out, len, bsz, next);
|
|
next = 1;
|
|
out += len;
|
|
outlen -= len;
|
|
}
|
|
if (outlen > 0) {
|
|
/* Step 3. Squeeze one more block into a buffer */
|
|
SHA3_squeeze(ctx->A, ctx->buf, bsz, bsz, next);
|
|
memcpy(out, ctx->buf, outlen);
|
|
/* Step 4. Remember the leftover part of the squeezed block */
|
|
ctx->bufsz = bsz - outlen;
|
|
}
|
|
|
|
return 1;
|
|
}
|