1 /* 2 * Copyright 2018-2024 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 /* 11 * See SP800-185 "Appendix A - KMAC, .... in Terms of Keccak[c]" 12 * 13 * Inputs are: 14 * K = Key (len(K) < 2^2040 bits) 15 * X = Input 16 * L = Output length (0 <= L < 2^2040 bits) 17 * S = Customization String Default="" (len(S) < 2^2040 bits) 18 * 19 * KMAC128(K, X, L, S) 20 * { 21 * newX = bytepad(encode_string(K), 168) || X || right_encode(L). 22 * T = bytepad(encode_string("KMAC") || encode_string(S), 168). 23 * return KECCAK[256](T || newX || 00, L). 24 * } 25 * 26 * KMAC256(K, X, L, S) 27 * { 28 * newX = bytepad(encode_string(K), 136) || X || right_encode(L). 29 * T = bytepad(encode_string("KMAC") || encode_string(S), 136). 30 * return KECCAK[512](T || newX || 00, L). 31 * } 32 * 33 * KMAC128XOF(K, X, L, S) 34 * { 35 * newX = bytepad(encode_string(K), 168) || X || right_encode(0). 36 * T = bytepad(encode_string("KMAC") || encode_string(S), 168). 37 * return KECCAK[256](T || newX || 00, L). 38 * } 39 * 40 * KMAC256XOF(K, X, L, S) 41 * { 42 * newX = bytepad(encode_string(K), 136) || X || right_encode(0). 43 * T = bytepad(encode_string("KMAC") || encode_string(S), 136). 44 * return KECCAK[512](T || newX || 00, L). 45 * } 46 * 47 */ 48 49 #include <stdlib.h> 50 #include <string.h> 51 #include <openssl/core_dispatch.h> 52 #include <openssl/core_names.h> 53 #include <openssl/params.h> 54 #include <openssl/evp.h> 55 #include <openssl/err.h> 56 #include <openssl/proverr.h> 57 #include <openssl/fips_names.h> 58 #include "prov/securitycheck.h" 59 #include "prov/implementations.h" 60 #include "prov/provider_ctx.h" 61 #include "prov/provider_util.h" 62 #include "prov/providercommon.h" 63 #include "internal/cryptlib.h" /* ossl_assert */ 64 65 /* 66 * Forward declaration of everything implemented here. This is not strictly 67 * necessary for the compiler, but provides an assurance that the signatures 68 * of the functions in the dispatch table are correct. 69 */ 70 static OSSL_FUNC_mac_newctx_fn kmac128_new; 71 static OSSL_FUNC_mac_newctx_fn kmac256_new; 72 static OSSL_FUNC_mac_dupctx_fn kmac_dup; 73 static OSSL_FUNC_mac_freectx_fn kmac_free; 74 static OSSL_FUNC_mac_gettable_ctx_params_fn kmac_gettable_ctx_params; 75 static OSSL_FUNC_mac_get_ctx_params_fn kmac_get_ctx_params; 76 static OSSL_FUNC_mac_settable_ctx_params_fn kmac_settable_ctx_params; 77 static OSSL_FUNC_mac_set_ctx_params_fn kmac_set_ctx_params; 78 static OSSL_FUNC_mac_init_fn kmac_init; 79 static OSSL_FUNC_mac_update_fn kmac_update; 80 static OSSL_FUNC_mac_final_fn kmac_final; 81 82 #define KMAC_MAX_BLOCKSIZE ((1600 - 128 * 2) / 8) /* 168 */ 83 84 /* 85 * Length encoding will be a 1 byte size + length in bits (3 bytes max) 86 * This gives a range of 0..0XFFFFFF bits = 2097151 bytes). 87 */ 88 #define KMAC_MAX_OUTPUT_LEN (0xFFFFFF / 8) 89 #define KMAC_MAX_ENCODED_HEADER_LEN (1 + 3) 90 91 /* 92 * Restrict the maximum length of the customisation string. This must not 93 * exceed 64 bits = 8k bytes. 94 */ 95 #define KMAC_MAX_CUSTOM 512 96 97 /* Maximum size of encoded custom string */ 98 #define KMAC_MAX_CUSTOM_ENCODED (KMAC_MAX_CUSTOM + KMAC_MAX_ENCODED_HEADER_LEN) 99 100 /* Maximum key size in bytes = 512 (4096 bits) */ 101 #define KMAC_MAX_KEY 512 102 #define KMAC_MIN_KEY 4 103 104 /* 105 * Maximum Encoded Key size will be padded to a multiple of the blocksize 106 * i.e KMAC_MAX_KEY + KMAC_MAX_ENCODED_HEADER_LEN = 512 + 4 107 * Padded to a multiple of KMAC_MAX_BLOCKSIZE 108 */ 109 #define KMAC_MAX_KEY_ENCODED (KMAC_MAX_BLOCKSIZE * 4) 110 111 /* Fixed value of encode_string("KMAC") */ 112 static const unsigned char kmac_string[] = { 113 0x01, 0x20, 0x4B, 0x4D, 0x41, 0x43 114 }; 115 116 #define KMAC_FLAG_XOF_MODE 1 117 118 struct kmac_data_st { 119 void *provctx; 120 EVP_MD_CTX *ctx; 121 PROV_DIGEST digest; 122 size_t out_len; 123 size_t key_len; 124 size_t custom_len; 125 /* If xof_mode = 1 then we use right_encode(0) */ 126 int xof_mode; 127 /* key and custom are stored in encoded form */ 128 unsigned char key[KMAC_MAX_KEY_ENCODED]; 129 unsigned char custom[KMAC_MAX_CUSTOM_ENCODED]; 130 #ifdef FIPS_MODULE 131 /* 132 * 'internal' is set to 1 if KMAC is used inside another algorithm such as a 133 * KDF. In this case it is the parent algorithm that is responsible for 134 * performing any conditional FIPS indicator related checks for KMAC. 135 */ 136 int internal; 137 #endif 138 OSSL_FIPS_IND_DECLARE 139 }; 140 141 static int encode_string(unsigned char *out, size_t out_max_len, size_t *out_len, 142 const unsigned char *in, size_t in_len); 143 static int right_encode(unsigned char *out, size_t out_max_len, size_t *out_len, 144 size_t bits); 145 static int bytepad(unsigned char *out, size_t *out_len, 146 const unsigned char *in1, size_t in1_len, 147 const unsigned char *in2, size_t in2_len, 148 size_t w); 149 static int kmac_bytepad_encode_key(unsigned char *out, size_t out_max_len, 150 size_t *out_len, 151 const unsigned char *in, size_t in_len, 152 size_t w); 153 154 static void kmac_free(void *vmacctx) 155 { 156 struct kmac_data_st *kctx = vmacctx; 157 158 if (kctx != NULL) { 159 EVP_MD_CTX_free(kctx->ctx); 160 ossl_prov_digest_reset(&kctx->digest); 161 OPENSSL_cleanse(kctx->key, kctx->key_len); 162 OPENSSL_cleanse(kctx->custom, kctx->custom_len); 163 OPENSSL_free(kctx); 164 } 165 } 166 167 /* 168 * We have KMAC implemented as a hash, which we can use instead of 169 * reimplementing the EVP functionality with direct use of 170 * keccak_mac_init() and friends. 171 */ 172 static struct kmac_data_st *kmac_new(void *provctx) 173 { 174 struct kmac_data_st *kctx; 175 176 if (!ossl_prov_is_running()) 177 return NULL; 178 179 if ((kctx = OPENSSL_zalloc(sizeof(*kctx))) == NULL 180 || (kctx->ctx = EVP_MD_CTX_new()) == NULL) { 181 kmac_free(kctx); 182 return NULL; 183 } 184 kctx->provctx = provctx; 185 OSSL_FIPS_IND_INIT(kctx) 186 return kctx; 187 } 188 189 static void *kmac_fetch_new(void *provctx, const OSSL_PARAM *params) 190 { 191 struct kmac_data_st *kctx = kmac_new(provctx); 192 int md_size; 193 194 if (kctx == NULL) 195 return 0; 196 if (!ossl_prov_digest_load_from_params(&kctx->digest, params, 197 PROV_LIBCTX_OF(provctx))) { 198 kmac_free(kctx); 199 return 0; 200 } 201 202 md_size = EVP_MD_get_size(ossl_prov_digest_md(&kctx->digest)); 203 if (md_size <= 0) { 204 kmac_free(kctx); 205 return 0; 206 } 207 kctx->out_len = (size_t)md_size; 208 return kctx; 209 } 210 211 static void *kmac128_new(void *provctx) 212 { 213 static const OSSL_PARAM kmac128_params[] = { 214 OSSL_PARAM_utf8_string("digest", OSSL_DIGEST_NAME_KECCAK_KMAC128, 215 sizeof(OSSL_DIGEST_NAME_KECCAK_KMAC128)), 216 OSSL_PARAM_END 217 }; 218 return kmac_fetch_new(provctx, kmac128_params); 219 } 220 221 static void *kmac256_new(void *provctx) 222 { 223 static const OSSL_PARAM kmac256_params[] = { 224 OSSL_PARAM_utf8_string("digest", OSSL_DIGEST_NAME_KECCAK_KMAC256, 225 sizeof(OSSL_DIGEST_NAME_KECCAK_KMAC256)), 226 OSSL_PARAM_END 227 }; 228 return kmac_fetch_new(provctx, kmac256_params); 229 } 230 231 static void *kmac_dup(void *vsrc) 232 { 233 struct kmac_data_st *src = vsrc; 234 struct kmac_data_st *dst; 235 236 if (!ossl_prov_is_running()) 237 return NULL; 238 239 dst = kmac_new(src->provctx); 240 if (dst == NULL) 241 return NULL; 242 243 if (!EVP_MD_CTX_copy(dst->ctx, src->ctx) 244 || !ossl_prov_digest_copy(&dst->digest, &src->digest)) { 245 kmac_free(dst); 246 return NULL; 247 } 248 #ifdef FIPS_MODULE 249 dst->internal = src->internal; 250 #endif 251 dst->out_len = src->out_len; 252 dst->key_len = src->key_len; 253 dst->custom_len = src->custom_len; 254 dst->xof_mode = src->xof_mode; 255 memcpy(dst->key, src->key, src->key_len); 256 memcpy(dst->custom, src->custom, dst->custom_len); 257 OSSL_FIPS_IND_COPY(dst, src) 258 259 return dst; 260 } 261 262 static int kmac_setkey(struct kmac_data_st *kctx, const unsigned char *key, 263 size_t keylen) 264 { 265 const EVP_MD *digest = ossl_prov_digest_md(&kctx->digest); 266 int w = EVP_MD_get_block_size(digest); 267 268 if (keylen < KMAC_MIN_KEY || keylen > KMAC_MAX_KEY) { 269 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH); 270 return 0; 271 } 272 #ifdef FIPS_MODULE 273 /* 274 * Only do the key check if KMAC is fetched directly. 275 * Other algorithms that embed KMAC such as SSKDF will ignore this check. 276 */ 277 if (!kctx->internal) { 278 int approved = ossl_mac_check_key_size(keylen); 279 280 if (!approved) { 281 if (!OSSL_FIPS_IND_ON_UNAPPROVED(kctx, OSSL_FIPS_IND_SETTABLE1, 282 PROV_LIBCTX_OF(kctx->provctx), 283 "KMAC", "Key size", 284 ossl_fips_config_kmac_key_check)) { 285 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH); 286 return 0; 287 } 288 } 289 } 290 #endif 291 if (w <= 0) { 292 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST_LENGTH); 293 return 0; 294 } 295 if (!kmac_bytepad_encode_key(kctx->key, sizeof(kctx->key), &kctx->key_len, 296 key, keylen, (size_t)w)) 297 return 0; 298 return 1; 299 } 300 301 /* 302 * The init() assumes that any ctrl methods are set beforehand for 303 * md, key and custom. Setting the fields afterwards will have no 304 * effect on the output mac. 305 */ 306 static int kmac_init(void *vmacctx, const unsigned char *key, 307 size_t keylen, const OSSL_PARAM params[]) 308 { 309 struct kmac_data_st *kctx = vmacctx; 310 EVP_MD_CTX *ctx = kctx->ctx; 311 unsigned char *out; 312 size_t out_len, block_len; 313 int res, t; 314 315 if (!ossl_prov_is_running() || !kmac_set_ctx_params(kctx, params)) 316 return 0; 317 318 if (key != NULL) { 319 if (!kmac_setkey(kctx, key, keylen)) 320 return 0; 321 } else if (kctx->key_len == 0) { 322 /* Check key has been set */ 323 ERR_raise(ERR_LIB_PROV, PROV_R_NO_KEY_SET); 324 return 0; 325 } 326 if (!EVP_DigestInit_ex(kctx->ctx, ossl_prov_digest_md(&kctx->digest), 327 NULL)) 328 return 0; 329 330 t = EVP_MD_get_block_size(ossl_prov_digest_md(&kctx->digest)); 331 if (t <= 0) { 332 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST_LENGTH); 333 return 0; 334 } 335 block_len = t; 336 337 /* Set default custom string if it is not already set */ 338 if (kctx->custom_len == 0) { 339 const OSSL_PARAM cparams[] = { 340 OSSL_PARAM_octet_string(OSSL_MAC_PARAM_CUSTOM, "", 0), 341 OSSL_PARAM_END 342 }; 343 (void)kmac_set_ctx_params(kctx, cparams); 344 } 345 346 if (!bytepad(NULL, &out_len, kmac_string, sizeof(kmac_string), 347 kctx->custom, kctx->custom_len, block_len)) { 348 ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR); 349 return 0; 350 } 351 out = OPENSSL_malloc(out_len); 352 if (out == NULL) 353 return 0; 354 res = bytepad(out, NULL, kmac_string, sizeof(kmac_string), 355 kctx->custom, kctx->custom_len, block_len) 356 && EVP_DigestUpdate(ctx, out, out_len) 357 && EVP_DigestUpdate(ctx, kctx->key, kctx->key_len); 358 OPENSSL_free(out); 359 return res; 360 } 361 362 static int kmac_update(void *vmacctx, const unsigned char *data, 363 size_t datalen) 364 { 365 struct kmac_data_st *kctx = vmacctx; 366 367 return EVP_DigestUpdate(kctx->ctx, data, datalen); 368 } 369 370 static int kmac_final(void *vmacctx, unsigned char *out, size_t *outl, 371 size_t outsize) 372 { 373 struct kmac_data_st *kctx = vmacctx; 374 EVP_MD_CTX *ctx = kctx->ctx; 375 size_t lbits, len; 376 unsigned char encoded_outlen[KMAC_MAX_ENCODED_HEADER_LEN]; 377 int ok; 378 379 if (!ossl_prov_is_running()) 380 return 0; 381 382 /* KMAC XOF mode sets the encoded length to 0 */ 383 lbits = (kctx->xof_mode ? 0 : (kctx->out_len * 8)); 384 385 ok = right_encode(encoded_outlen, sizeof(encoded_outlen), &len, lbits) 386 && EVP_DigestUpdate(ctx, encoded_outlen, len) 387 && EVP_DigestFinalXOF(ctx, out, kctx->out_len); 388 *outl = kctx->out_len; 389 return ok; 390 } 391 392 static const OSSL_PARAM known_gettable_ctx_params[] = { 393 OSSL_PARAM_size_t(OSSL_MAC_PARAM_SIZE, NULL), 394 OSSL_PARAM_size_t(OSSL_MAC_PARAM_BLOCK_SIZE, NULL), 395 OSSL_FIPS_IND_GETTABLE_CTX_PARAM() 396 OSSL_PARAM_END 397 }; 398 static const OSSL_PARAM *kmac_gettable_ctx_params(ossl_unused void *ctx, 399 ossl_unused void *provctx) 400 { 401 return known_gettable_ctx_params; 402 } 403 404 static int kmac_get_ctx_params(void *vmacctx, OSSL_PARAM params[]) 405 { 406 struct kmac_data_st *kctx = vmacctx; 407 OSSL_PARAM *p; 408 int sz; 409 410 if ((p = OSSL_PARAM_locate(params, OSSL_MAC_PARAM_SIZE)) != NULL 411 && !OSSL_PARAM_set_size_t(p, kctx->out_len)) 412 return 0; 413 414 if ((p = OSSL_PARAM_locate(params, OSSL_MAC_PARAM_BLOCK_SIZE)) != NULL) { 415 sz = EVP_MD_block_size(ossl_prov_digest_md(&kctx->digest)); 416 if (!OSSL_PARAM_set_int(p, sz)) 417 return 0; 418 } 419 420 if (!OSSL_FIPS_IND_GET_CTX_PARAM(kctx, params)) 421 return 0; 422 423 return 1; 424 } 425 426 static const OSSL_PARAM known_settable_ctx_params[] = { 427 OSSL_PARAM_int(OSSL_MAC_PARAM_XOF, NULL), 428 OSSL_PARAM_size_t(OSSL_MAC_PARAM_SIZE, NULL), 429 OSSL_PARAM_octet_string(OSSL_MAC_PARAM_KEY, NULL, 0), 430 OSSL_PARAM_octet_string(OSSL_MAC_PARAM_CUSTOM, NULL, 0), 431 OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_MAC_PARAM_FIPS_NO_SHORT_MAC) 432 OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_MAC_PARAM_FIPS_KEY_CHECK) 433 OSSL_PARAM_END 434 }; 435 static const OSSL_PARAM *kmac_settable_ctx_params(ossl_unused void *ctx, 436 ossl_unused void *provctx) 437 { 438 return known_settable_ctx_params; 439 } 440 441 /* 442 * The following params can be set any time before final(): 443 * - "outlen" or "size": The requested output length. 444 * - "xof": If set, this indicates that right_encoded(0) 445 * is part of the digested data, otherwise it 446 * uses right_encoded(requested output length). 447 * 448 * All other params should be set before init(). 449 */ 450 static int kmac_set_ctx_params(void *vmacctx, const OSSL_PARAM *params) 451 { 452 struct kmac_data_st *kctx = vmacctx; 453 const OSSL_PARAM *p; 454 455 if (ossl_param_is_empty(params)) 456 return 1; 457 458 if (!OSSL_FIPS_IND_SET_CTX_PARAM(kctx, OSSL_FIPS_IND_SETTABLE0, params, 459 OSSL_MAC_PARAM_FIPS_NO_SHORT_MAC)) 460 return 0; 461 if (!OSSL_FIPS_IND_SET_CTX_PARAM(kctx, OSSL_FIPS_IND_SETTABLE1, params, 462 OSSL_MAC_PARAM_FIPS_KEY_CHECK)) 463 return 0; 464 465 if ((p = OSSL_PARAM_locate_const(params, OSSL_MAC_PARAM_XOF)) != NULL 466 && !OSSL_PARAM_get_int(p, &kctx->xof_mode)) 467 return 0; 468 if ((p = OSSL_PARAM_locate_const(params, OSSL_MAC_PARAM_SIZE)) != NULL) { 469 size_t sz = 0; 470 471 if (!OSSL_PARAM_get_size_t(p, &sz)) 472 return 0; 473 if (sz > KMAC_MAX_OUTPUT_LEN) { 474 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_OUTPUT_LENGTH); 475 return 0; 476 } 477 #ifdef FIPS_MODULE 478 /* SP 800-185 8.4.2 mandates a minimum of 32 bits of output */ 479 if (sz < 32 / 8) { 480 if (!OSSL_FIPS_IND_ON_UNAPPROVED(kctx, OSSL_FIPS_IND_SETTABLE0, 481 PROV_LIBCTX_OF(kctx->provctx), 482 "KMAC", "length", 483 ossl_fips_config_no_short_mac)) { 484 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_OUTPUT_LENGTH); 485 return 0; 486 } 487 } 488 #endif 489 kctx->out_len = sz; 490 } 491 if ((p = OSSL_PARAM_locate_const(params, OSSL_MAC_PARAM_KEY)) != NULL 492 && !kmac_setkey(kctx, p->data, p->data_size)) 493 return 0; 494 if ((p = OSSL_PARAM_locate_const(params, OSSL_MAC_PARAM_CUSTOM)) 495 != NULL) { 496 if (p->data_size > KMAC_MAX_CUSTOM) { 497 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CUSTOM_LENGTH); 498 return 0; 499 } 500 if (!encode_string(kctx->custom, sizeof(kctx->custom), &kctx->custom_len, 501 p->data, p->data_size)) 502 return 0; 503 } 504 return 1; 505 } 506 507 /* Encoding/Padding Methods. */ 508 509 /* Returns the number of bytes required to store 'bits' into a byte array */ 510 static unsigned int get_encode_size(size_t bits) 511 { 512 unsigned int cnt = 0, sz = sizeof(size_t); 513 514 while (bits && (cnt < sz)) { 515 ++cnt; 516 bits >>= 8; 517 } 518 /* If bits is zero 1 byte is required */ 519 if (cnt == 0) 520 cnt = 1; 521 return cnt; 522 } 523 524 /* 525 * Convert an integer into bytes . The number of bytes is appended 526 * to the end of the buffer. Returns an array of bytes 'out' of size 527 * *out_len. 528 * 529 * e.g if bits = 32, out[2] = { 0x20, 0x01 } 530 */ 531 static int right_encode(unsigned char *out, size_t out_max_len, size_t *out_len, 532 size_t bits) 533 { 534 unsigned int len = get_encode_size(bits); 535 int i; 536 537 if (len >= out_max_len) { 538 ERR_raise(ERR_LIB_PROV, PROV_R_LENGTH_TOO_LARGE); 539 return 0; 540 } 541 542 /* MSB's are at the start of the bytes array */ 543 for (i = len - 1; i >= 0; --i) { 544 out[i] = (unsigned char)(bits & 0xFF); 545 bits >>= 8; 546 } 547 /* Tack the length onto the end */ 548 out[len] = (unsigned char)len; 549 550 /* The Returned length includes the tacked on byte */ 551 *out_len = len + 1; 552 return 1; 553 } 554 555 /* 556 * Encodes a string with a left encoded length added. Note that the 557 * in_len is converted to bits (*8). 558 * 559 * e.g- in="KMAC" gives out[6] = { 0x01, 0x20, 0x4B, 0x4D, 0x41, 0x43 } 560 * len bits K M A C 561 */ 562 static int encode_string(unsigned char *out, size_t out_max_len, size_t *out_len, 563 const unsigned char *in, size_t in_len) 564 { 565 if (in == NULL) { 566 *out_len = 0; 567 } else { 568 size_t i, bits, len, sz; 569 570 bits = 8 * in_len; 571 len = get_encode_size(bits); 572 sz = 1 + len + in_len; 573 574 if (sz > out_max_len) { 575 ERR_raise(ERR_LIB_PROV, PROV_R_LENGTH_TOO_LARGE); 576 return 0; 577 } 578 579 out[0] = (unsigned char)len; 580 for (i = len; i > 0; --i) { 581 out[i] = (bits & 0xFF); 582 bits >>= 8; 583 } 584 memcpy(out + len + 1, in, in_len); 585 *out_len = sz; 586 } 587 return 1; 588 } 589 590 /* 591 * Returns a zero padded encoding of the inputs in1 and an optional 592 * in2 (can be NULL). The padded output must be a multiple of the blocksize 'w'. 593 * The value of w is in bytes (< 256). 594 * 595 * The returned output is: 596 * zero_padded(multiple of w, (left_encode(w) || in1 [|| in2]) 597 */ 598 static int bytepad(unsigned char *out, size_t *out_len, 599 const unsigned char *in1, size_t in1_len, 600 const unsigned char *in2, size_t in2_len, size_t w) 601 { 602 int len; 603 unsigned char *p = out; 604 int sz = w; 605 606 if (out == NULL) { 607 if (out_len == NULL) { 608 ERR_raise(ERR_LIB_PROV, ERR_R_PASSED_NULL_PARAMETER); 609 return 0; 610 } 611 sz = 2 + in1_len + (in2 != NULL ? in2_len : 0); 612 *out_len = (sz + w - 1) / w * w; 613 return 1; 614 } 615 616 if (!ossl_assert(w <= 255)) 617 return 0; 618 619 /* Left encoded w */ 620 *p++ = 1; 621 *p++ = (unsigned char)w; 622 /* || in1 */ 623 memcpy(p, in1, in1_len); 624 p += in1_len; 625 /* [ || in2 ] */ 626 if (in2 != NULL && in2_len > 0) { 627 memcpy(p, in2, in2_len); 628 p += in2_len; 629 } 630 /* Figure out the pad size (divisible by w) */ 631 len = p - out; 632 sz = (len + w - 1) / w * w; 633 /* zero pad the end of the buffer */ 634 if (sz != len) 635 memset(p, 0, sz - len); 636 if (out_len != NULL) 637 *out_len = sz; 638 return 1; 639 } 640 641 /* Returns out = bytepad(encode_string(in), w) */ 642 static int kmac_bytepad_encode_key(unsigned char *out, size_t out_max_len, 643 size_t *out_len, 644 const unsigned char *in, size_t in_len, 645 size_t w) 646 { 647 unsigned char tmp[KMAC_MAX_KEY + KMAC_MAX_ENCODED_HEADER_LEN]; 648 size_t tmp_len; 649 650 if (!encode_string(tmp, sizeof(tmp), &tmp_len, in, in_len)) 651 return 0; 652 if (!bytepad(NULL, out_len, tmp, tmp_len, NULL, 0, w)) 653 return 0; 654 if (!ossl_assert(*out_len <= out_max_len)) 655 return 0; 656 return bytepad(out, NULL, tmp, tmp_len, NULL, 0, w); 657 } 658 659 #define IMPLEMENT_KMAC_TABLE(size, funcname, newname) \ 660 const OSSL_DISPATCH ossl_kmac##size##_##funcname[] = \ 661 { \ 662 { OSSL_FUNC_MAC_NEWCTX, (void (*)(void))kmac##size##_##newname }, \ 663 { OSSL_FUNC_MAC_DUPCTX, (void (*)(void))kmac_dup }, \ 664 { OSSL_FUNC_MAC_FREECTX, (void (*)(void))kmac_free }, \ 665 { OSSL_FUNC_MAC_INIT, (void (*)(void))kmac_init }, \ 666 { OSSL_FUNC_MAC_UPDATE, (void (*)(void))kmac_update }, \ 667 { OSSL_FUNC_MAC_FINAL, (void (*)(void))kmac_final }, \ 668 { OSSL_FUNC_MAC_GETTABLE_CTX_PARAMS, \ 669 (void (*)(void))kmac_gettable_ctx_params }, \ 670 { OSSL_FUNC_MAC_GET_CTX_PARAMS, (void (*)(void))kmac_get_ctx_params }, \ 671 { OSSL_FUNC_MAC_SETTABLE_CTX_PARAMS, \ 672 (void (*)(void))kmac_settable_ctx_params }, \ 673 { OSSL_FUNC_MAC_SET_CTX_PARAMS, (void (*)(void))kmac_set_ctx_params }, \ 674 OSSL_DISPATCH_END \ 675 } 676 677 #define KMAC_TABLE(size) IMPLEMENT_KMAC_TABLE(size, functions, new) 678 679 KMAC_TABLE(128); 680 KMAC_TABLE(256); 681 682 #ifdef FIPS_MODULE 683 # define KMAC_INTERNAL_TABLE(size) \ 684 static OSSL_FUNC_mac_newctx_fn kmac##size##_internal_new; \ 685 static void *kmac##size##_internal_new(void *provctx) \ 686 { \ 687 struct kmac_data_st *macctx = kmac##size##_new(provctx); \ 688 \ 689 if (macctx != NULL) \ 690 macctx->internal = 1; \ 691 return macctx; \ 692 } \ 693 IMPLEMENT_KMAC_TABLE(size, internal_functions, internal_new) 694 695 KMAC_INTERNAL_TABLE(128); 696 KMAC_INTERNAL_TABLE(256); 697 #endif /* FIPS_MODULE */ 698