Skip to content

Implement HMAC over SHA3 truncated variants #2484

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 22 commits into from
Jun 30, 2025
Merged

Implement HMAC over SHA3 truncated variants #2484

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
22 commits
Select commit Hold shift + click to select a range
a99220c
Build works, untested against python
WillChilds-Klein Jun 12, 2025
cda6444
Partial fix, still hitting assert failure
WillChilds-Klein Jun 13, 2025
2d7708f
Fix SHA3 CBLOCK block size constants, python test_hmac passing!!
WillChilds-Klein Jun 16, 2025
5b7fd44
Revert HMAC MD order
WillChilds-Klein Jun 16, 2025
f6e042a
Revert edit to EVP_MAX_MD_SIZE
WillChilds-Klein Jun 16, 2025
08891f1
Re-internalize KECCAK1600_CTX and use compile-time assertion for safety
WillChilds-Klein Jun 17, 2025
94546aa
Clean up TODOs, code formatting, unimpld stubs
WillChilds-Klein Jun 17, 2025
5846475
Remove unnecessary exports from sha/internal.h
WillChilds-Klein Jun 17, 2025
09c1e3c
Re-export SH3_Init for tests
WillChilds-Klein Jun 17, 2025
8ad9088
Split out precomputed key macros, delete unnecessary stubs
WillChilds-Klein Jun 17, 2025
ce03e84
Add wycheproof KATs to test harness
WillChilds-Klein Jun 17, 2025
bf66a63
Add SHA3 entries to hmac_tests.txt, factor out pre-computed key tests
WillChilds-Klein Jun 19, 2025
0d09cd1
Cover precomputed-functions called with unsupported digest
WillChilds-Klein Jun 19, 2025
eccc231
Run "python3 ./util/generate_build_files.py"
WillChilds-Klein Jun 19, 2025
d2587a3
Check digest support first thing
WillChilds-Klein Jun 19, 2025
c27e9a5
Tweak non-precomputed key coverage
WillChilds-Klein Jun 19, 2025
578ab1f
Fix internal doc comments
WillChilds-Klein Jun 20, 2025
1a40c87
Remove redundant null check, update KAT names
WillChilds-Klein Jun 23, 2025
3d44f1a
Run "python3 ./util/generate_build_files.py"
WillChilds-Klein Jun 23, 2025
bdf8beb
Null-check, clarify comments
WillChilds-Klein Jun 24, 2025
e59c709
More PR feedback
WillChilds-Klein Jun 24, 2025
4553a6d
Remove outdated comment
WillChilds-Klein Jun 26, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
103 changes: 70 additions & 33 deletions crypto/fipsmodule/hmac/hmac.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -96,10 +96,6 @@ struct hmac_methods_st {
static int AWS_LC_TRAMPOLINE_##HASH_NAME##_Update(void *, const void *, \
size_t); \
static int AWS_LC_TRAMPOLINE_##HASH_NAME##_Final(uint8_t *, void *); \
static int AWS_LC_TRAMPOLINE_##HASH_NAME##_Init_from_state( \
void *, const uint8_t *, uint64_t); \
static int AWS_LC_TRAMPOLINE_##HASH_NAME##_get_state(void *, uint8_t *, \
uint64_t *); \
static int AWS_LC_TRAMPOLINE_##HASH_NAME##_Init(void *ctx) { \
return HASH_NAME##_Init((HASH_CTX *)ctx); \
} \
Expand All @@ -110,6 +106,18 @@ struct hmac_methods_st {
static int AWS_LC_TRAMPOLINE_##HASH_NAME##_Final(uint8_t *out, void *ctx) { \
return HASH_NAME##_Final(out, (HASH_CTX *)ctx); \
} \
OPENSSL_STATIC_ASSERT(HASH_CBLOCK % 8 == 0, \
HASH_NAME##_has_blocksize_not_divisible_by_eight_t) \
OPENSSL_STATIC_ASSERT(HASH_CBLOCK <= EVP_MAX_MD_BLOCK_SIZE, \
HASH_NAME##_has_overlarge_blocksize_t) \
OPENSSL_STATIC_ASSERT(sizeof(HASH_CTX) <= sizeof(union md_ctx_union), \
HASH_NAME##_has_overlarge_context_t)

// For merkle-damgard constructions, we also define functions for importing and
// exporting hash state for precomputed keys. These are not applicable to
// Keccak/SHA3.
#define MD_TRAMPOLINES_EXPLICIT_PRECOMPUTED(HASH_NAME, HASH_CTX, HASH_CBLOCK) \
MD_TRAMPOLINES_EXPLICIT(HASH_NAME, HASH_CTX, HASH_CBLOCK); \
static int AWS_LC_TRAMPOLINE_##HASH_NAME##_Init_from_state( \
void *ctx, const uint8_t *h, uint64_t n) { \
return HASH_NAME##_Init_from_state((HASH_CTX *)ctx, h, n); \
Expand All @@ -118,62 +126,75 @@ struct hmac_methods_st {
void *ctx, uint8_t *out_h, uint64_t *out_n) { \
return HASH_NAME##_get_state((HASH_CTX *)ctx, out_h, out_n); \
} \
OPENSSL_STATIC_ASSERT(HASH_CBLOCK % 8 == 0, \
HASH_NAME##_has_blocksize_not_divisible_by_eight_t) \
OPENSSL_STATIC_ASSERT(HASH_CBLOCK <= EVP_MAX_MD_BLOCK_SIZE, \
HASH_NAME##_has_overlarge_blocksize_t) \
OPENSSL_STATIC_ASSERT(HMAC_##HASH_NAME##_PRECOMPUTED_KEY_SIZE == \
2 * HASH_NAME##_CHAINING_LENGTH, \
HASH_NAME##_has_incorrect_precomputed_key_size) \
OPENSSL_STATIC_ASSERT(HMAC_##HASH_NAME##_PRECOMPUTED_KEY_SIZE <= \
HMAC_MAX_PRECOMPUTED_KEY_SIZE, \
HASH_NAME##_has_too_large_precomputed_key_size) \
OPENSSL_STATIC_ASSERT(sizeof(HASH_CTX) <= sizeof(union md_ctx_union), \
HASH_NAME##_has_overlarge_context_t)

// The maximum number of HMAC implementations
#define HMAC_METHOD_MAX 8

MD_TRAMPOLINES_EXPLICIT(MD5, MD5_CTX, MD5_CBLOCK)
MD_TRAMPOLINES_EXPLICIT(SHA1, SHA_CTX, SHA_CBLOCK)
MD_TRAMPOLINES_EXPLICIT(SHA224, SHA256_CTX, SHA256_CBLOCK)
MD_TRAMPOLINES_EXPLICIT(SHA256, SHA256_CTX, SHA256_CBLOCK)
MD_TRAMPOLINES_EXPLICIT(SHA384, SHA512_CTX, SHA512_CBLOCK)
MD_TRAMPOLINES_EXPLICIT(SHA512, SHA512_CTX, SHA512_CBLOCK)
MD_TRAMPOLINES_EXPLICIT(SHA512_224, SHA512_CTX, SHA512_CBLOCK)
MD_TRAMPOLINES_EXPLICIT(SHA512_256, SHA512_CTX, SHA512_CBLOCK)
#define HMAC_METHOD_MAX 12

MD_TRAMPOLINES_EXPLICIT_PRECOMPUTED(MD5, MD5_CTX, MD5_CBLOCK)
MD_TRAMPOLINES_EXPLICIT_PRECOMPUTED(SHA1, SHA_CTX, SHA_CBLOCK)
MD_TRAMPOLINES_EXPLICIT_PRECOMPUTED(SHA224, SHA256_CTX, SHA256_CBLOCK)
MD_TRAMPOLINES_EXPLICIT_PRECOMPUTED(SHA256, SHA256_CTX, SHA256_CBLOCK)
MD_TRAMPOLINES_EXPLICIT_PRECOMPUTED(SHA384, SHA512_CTX, SHA512_CBLOCK)
MD_TRAMPOLINES_EXPLICIT_PRECOMPUTED(SHA512, SHA512_CTX, SHA512_CBLOCK)
MD_TRAMPOLINES_EXPLICIT_PRECOMPUTED(SHA512_224, SHA512_CTX, SHA512_CBLOCK)
MD_TRAMPOLINES_EXPLICIT_PRECOMPUTED(SHA512_256, SHA512_CTX, SHA512_CBLOCK)
MD_TRAMPOLINES_EXPLICIT(SHA3_224, KECCAK1600_CTX, SHA3_224_CBLOCK)
MD_TRAMPOLINES_EXPLICIT(SHA3_256, KECCAK1600_CTX, SHA3_256_CBLOCK)
MD_TRAMPOLINES_EXPLICIT(SHA3_384, KECCAK1600_CTX, SHA3_384_CBLOCK)
MD_TRAMPOLINES_EXPLICIT(SHA3_512, KECCAK1600_CTX, SHA3_512_CBLOCK)

struct hmac_method_array_st {
HmacMethods methods[HMAC_METHOD_MAX];
};

// This macro does not set any values for precomputed keys for portable state,
// and as such is suitable for use with Keccak/SHA3.
#define DEFINE_IN_PLACE_METHODS(EVP_MD, HASH_NAME) { \
out->methods[idx].evp_md = EVP_MD; \
out->methods[idx].chaining_length = HASH_NAME##_CHAINING_LENGTH; \
out->methods[idx].init = AWS_LC_TRAMPOLINE_##HASH_NAME##_Init; \
out->methods[idx].update = AWS_LC_TRAMPOLINE_##HASH_NAME##_Update; \
out->methods[idx].finalize = AWS_LC_TRAMPOLINE_##HASH_NAME##_Final; \
out->methods[idx].init_from_state = \
AWS_LC_TRAMPOLINE_##HASH_NAME##_Init_from_state; \
out->methods[idx].get_state = AWS_LC_TRAMPOLINE_##HASH_NAME##_get_state; \
out->methods[idx].chaining_length = 0UL; \
out->methods[idx].init_from_state = NULL; \
out->methods[idx].get_state = NULL; \
idx++; \
assert(idx <= HMAC_METHOD_MAX); \
}

// Use |idx-1| because DEFINE_IN_PLACE_METHODS has already incremented it.
#define DEFINE_IN_PLACE_METHODS_PRECOMPUTED(EVP_MD, HASH_NAME) { \
DEFINE_IN_PLACE_METHODS(EVP_MD, HASH_NAME); \
assert(idx-1 >= 0); \
out->methods[idx-1].chaining_length = HASH_NAME##_CHAINING_LENGTH; \
out->methods[idx-1].init_from_state = \
AWS_LC_TRAMPOLINE_##HASH_NAME##_Init_from_state; \
out->methods[idx-1].get_state = \
AWS_LC_TRAMPOLINE_##HASH_NAME##_get_state; \
}

DEFINE_LOCAL_DATA(struct hmac_method_array_st, AWSLC_hmac_in_place_methods) {
OPENSSL_memset((void*) out->methods, 0, sizeof(out->methods));
int idx = 0;
// Since we search these linearly it helps (just a bit) to put the most common ones first.
// This isn't based on hard metrics and will not make a significant different on performance.
// FIXME: all hashes but SHA256 have been disabled to check first SHA256
DEFINE_IN_PLACE_METHODS(EVP_sha256(), SHA256);
DEFINE_IN_PLACE_METHODS(EVP_sha1(), SHA1);
DEFINE_IN_PLACE_METHODS(EVP_sha384(), SHA384);
DEFINE_IN_PLACE_METHODS(EVP_sha512(), SHA512);
DEFINE_IN_PLACE_METHODS(EVP_md5(), MD5);
DEFINE_IN_PLACE_METHODS(EVP_sha224(), SHA224);
DEFINE_IN_PLACE_METHODS(EVP_sha512_224(), SHA512_224);
DEFINE_IN_PLACE_METHODS(EVP_sha512_256(), SHA512_256);
DEFINE_IN_PLACE_METHODS_PRECOMPUTED(EVP_sha256(), SHA256);
DEFINE_IN_PLACE_METHODS_PRECOMPUTED(EVP_sha1(), SHA1);
DEFINE_IN_PLACE_METHODS_PRECOMPUTED(EVP_sha384(), SHA384);
DEFINE_IN_PLACE_METHODS_PRECOMPUTED(EVP_sha512(), SHA512);
DEFINE_IN_PLACE_METHODS_PRECOMPUTED(EVP_md5(), MD5);
DEFINE_IN_PLACE_METHODS_PRECOMPUTED(EVP_sha224(), SHA224);
DEFINE_IN_PLACE_METHODS_PRECOMPUTED(EVP_sha512_224(), SHA512_224);
DEFINE_IN_PLACE_METHODS_PRECOMPUTED(EVP_sha512_256(), SHA512_256);
DEFINE_IN_PLACE_METHODS(EVP_sha3_224(), SHA3_224);
DEFINE_IN_PLACE_METHODS(EVP_sha3_256(), SHA3_256);
DEFINE_IN_PLACE_METHODS(EVP_sha3_384(), SHA3_384);
DEFINE_IN_PLACE_METHODS(EVP_sha3_512(), SHA3_512);
}

static const HmacMethods *GetInPlaceMethods(const EVP_MD *evp_md) {
Expand Down Expand Up @@ -494,6 +515,11 @@ void HMAC_CTX_reset(HMAC_CTX *ctx) {
}

int HMAC_set_precomputed_key_export(HMAC_CTX *ctx) {
GUARD_PTR(ctx);
if (ctx->methods != NULL && ctx->methods->get_state == NULL) {
OPENSSL_PUT_ERROR(HMAC, HMAC_R_PRECOMPUTED_KEY_NOT_SUPPORTED_FOR_DIGEST);
return 0;
}
if (HMAC_STATE_INIT_NO_DATA != ctx->state &&
HMAC_STATE_PRECOMPUTED_KEY_EXPORT_READY != ctx->state) {
// HMAC_set_precomputed_key_export can only be called after Hmac_Init_*
Expand All @@ -505,6 +531,13 @@ int HMAC_set_precomputed_key_export(HMAC_CTX *ctx) {
}

int HMAC_get_precomputed_key(HMAC_CTX *ctx, uint8_t *out, size_t *out_len) {
GUARD_PTR(ctx);
GUARD_PTR(ctx->methods);
if (ctx->methods->get_state == NULL) {
OPENSSL_PUT_ERROR(HMAC, HMAC_R_PRECOMPUTED_KEY_NOT_SUPPORTED_FOR_DIGEST);
return 0;
}

if (HMAC_STATE_PRECOMPUTED_KEY_EXPORT_READY != ctx->state) {
OPENSSL_PUT_ERROR(EVP, HMAC_R_SET_PRECOMPUTED_KEY_EXPORT_NOT_CALLED);
return 0;
Expand Down Expand Up @@ -583,6 +616,10 @@ int HMAC_Init_from_precomputed_key(HMAC_CTX *ctx,
}

const HmacMethods *methods = ctx->methods;
if (ctx->methods->init_from_state == NULL) {
OPENSSL_PUT_ERROR(HMAC, HMAC_R_PRECOMPUTED_KEY_NOT_SUPPORTED_FOR_DIGEST);
return 0;
}

const size_t chaining_length = methods->chaining_length;
const size_t block_size = EVP_MD_block_size(methods->evp_md);
Expand Down
4 changes: 4 additions & 0 deletions crypto/fipsmodule/service_indicator/service_indicator.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -414,6 +414,10 @@ void HMAC_verify_service_indicator(const EVP_MD *evp_md) {
case NID_sha512:
case NID_sha512_224:
case NID_sha512_256:
case NID_sha3_224:
case NID_sha3_256:
case NID_sha3_384:
case NID_sha3_512:
FIPS_service_indicator_update_state();
break;
default:
Expand Down
59 changes: 57 additions & 2 deletions crypto/fipsmodule/sha/internal.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,8 @@

#include <openssl/base.h>

#include <openssl/hmac.h>

#include "../../internal.h"
#include "../cpucap/internal.h"

Expand All @@ -43,18 +45,22 @@ extern "C" {
#define KECCAK1600_WIDTH 1600

#define SHA3_224_CAPACITY_BYTES 56
#define SHA3_224_CBLOCK SHA3_BLOCKSIZE(SHA3_224_DIGEST_BITLENGTH)
#define SHA3_224_DIGEST_BITLENGTH 224
#define SHA3_224_DIGEST_LENGTH 28

#define SHA3_256_CAPACITY_BYTES 64
#define SHA3_256_CBLOCK SHA3_BLOCKSIZE(SHA3_256_DIGEST_BITLENGTH)
#define SHA3_256_DIGEST_BITLENGTH 256
#define SHA3_256_DIGEST_LENGTH 32

#define SHA3_384_CAPACITY_BYTES 96
#define SHA3_384_CBLOCK SHA3_BLOCKSIZE(SHA3_384_DIGEST_BITLENGTH)
#define SHA3_384_DIGEST_BITLENGTH 384
#define SHA3_384_DIGEST_LENGTH 48

#define SHA3_512_CAPACITY_BYTES 128
#define SHA3_512_CBLOCK SHA3_BLOCKSIZE(SHA3_512_DIGEST_BITLENGTH)
#define SHA3_512_DIGEST_BITLENGTH 512
#define SHA3_512_DIGEST_LENGTH 64

Expand All @@ -81,11 +87,11 @@ extern "C" {
// so that |SHAKE_Squeeze| cannot be called anymore.
#define KECCAK1600_STATE_FINAL 2

typedef struct keccak_st KECCAK1600_CTX;
typedef struct keccak_ctx_st KECCAK1600_CTX;

// The data buffer should have at least the maximum number of
// block size bytes to fit any SHA3/SHAKE block length.
struct keccak_st {
struct keccak_ctx_st {
uint64_t A[KECCAK1600_ROWS][KECCAK1600_ROWS];
size_t block_size; // cached ctx->digest->block_size
size_t md_size; // output length, variable in XOF (SHAKE)
Expand All @@ -95,6 +101,15 @@ struct keccak_st {
uint8_t state; // denotes the keccak phase (absorb, squeeze, final)
};

// To avoid externalizing KECCAK1600_CTX, we hard-code the context size in
// hmac.h's |md_ctx_union| and use a compile time check here to make sure
// |KECCAK1600_CTX|'s size never exceeds that of |md_ctx_union|. This means
// that whenever a new field is added to |keccak_ctx_st| we must also update
// the hard-coded size of |sha3| in hmac.h's |md_ctx_union| with the new
// value given by |sizeof(keccaak_ctx_st)|.
OPENSSL_STATIC_ASSERT(sizeof(KECCAK1600_CTX) <= sizeof(union md_ctx_union),
hmac_md_ctx_union_sha3_size_needs_update)

// KECCAK1600 x4 batched context structure
typedef KECCAK1600_CTX KECCAK1600_CTX_x4[4];

Expand Down Expand Up @@ -445,6 +460,46 @@ int SHA3_Update(KECCAK1600_CTX *ctx, const void *data, size_t len);
// When call-discipline is maintained, this function never fails.
int SHA3_Final(uint8_t *md, KECCAK1600_CTX *ctx);

// SHA3_224_Init initialises |sha| and returns 1.
int SHA3_224_Init(KECCAK1600_CTX *sha);

// SHA3_224_Update adds |len| bytes from |data| to |sha| and returns 1.
int SHA3_224_Update(KECCAK1600_CTX *sha, const void *data, size_t len);

// SHA3_224_Final adds the final padding to |sha| and writes the resulting
// digest to |out|. It returns one on success and zero on programmer error.
int SHA3_224_Final(uint8_t out[SHA3_224_DIGEST_LENGTH], KECCAK1600_CTX *sha);

// SHA3_256_Init initialises |sha| and returns 1.
int SHA3_256_Init(KECCAK1600_CTX *sha);

// SHA3_256_Update adds |len| bytes from |data| to |sha| and returns 1.
int SHA3_256_Update(KECCAK1600_CTX *sha, const void *data, size_t len);

// SHA3_256_Final adds the final padding to |sha| and writes the resulting
// digest to |out|. It returns one on success and zero on programmer error.
int SHA3_256_Final(uint8_t out[SHA3_256_DIGEST_LENGTH], KECCAK1600_CTX *sha);

// SHA3_384_Init initialises |sha| and returns 1.
int SHA3_384_Init(KECCAK1600_CTX *sha);

// SHA3_384_Update adds |len| bytes from |data| to |sha| and returns 1.
int SHA3_384_Update(KECCAK1600_CTX *sha, const void *data, size_t len);

// SHA3_384_Final adds the final padding to |sha| and writes the resulting
// digest to |out|. It returns one on success and zero on programmer error.
int SHA3_384_Final(uint8_t out[SHA3_384_DIGEST_LENGTH], KECCAK1600_CTX *sha);

// SHA3_512_Init initialises |sha| and returns 1.
int SHA3_512_Init(KECCAK1600_CTX *sha);

// SHA3_512_Update adds |len| bytes from |data| to |sha| and returns 1.
int SHA3_512_Update(KECCAK1600_CTX *sha, const void *data, size_t len);

// SHA3_512_Final adds the final padding to |sha| and writes the resulting
// digest to |out|. It returns one on success and zero on programmer error.
int SHA3_512_Final(uint8_t out[SHA3_512_DIGEST_LENGTH], KECCAK1600_CTX *sha);

/*
* SHAKE APIs implement SHAKE functionalities on top of FIPS202 API layer
*
Expand Down
58 changes: 57 additions & 1 deletion crypto/fipsmodule/sha/sha3.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -270,11 +270,67 @@ int SHA3_Final(uint8_t *md, KECCAK1600_CTX *ctx) {

Keccak1600_Squeeze(ctx->A, md, ctx->md_size, ctx->block_size, ctx->state);
ctx->state = KECCAK1600_STATE_FINAL;

FIPS_service_indicator_update_state();
return 1;
}

int SHA3_224_Init(KECCAK1600_CTX *ctx) {
return SHA3_Init(ctx, SHA3_224_DIGEST_BITLENGTH);
}

int SHA3_224_Update(KECCAK1600_CTX *ctx, const void *data,
size_t len) {
return SHA3_Update(ctx, data, len);
}

int SHA3_224_Final(uint8_t out[SHA3_224_DIGEST_LENGTH],
KECCAK1600_CTX *ctx) {
return SHA3_Final(&out[0], ctx);
}

int SHA3_256_Init(KECCAK1600_CTX *ctx) {
return SHA3_Init(ctx, SHA3_256_DIGEST_BITLENGTH);
}

int SHA3_256_Update(KECCAK1600_CTX *ctx, const void *data,
size_t len) {
return SHA3_Update(ctx, data, len);
}

int SHA3_256_Final(uint8_t out[SHA3_256_DIGEST_LENGTH],
KECCAK1600_CTX *ctx) {
return SHA3_Final(&out[0], ctx);
}

int SHA3_384_Init(KECCAK1600_CTX *ctx) {
return SHA3_Init(ctx, SHA3_384_DIGEST_BITLENGTH);
}

int SHA3_384_Update(KECCAK1600_CTX *ctx, const void *data,
size_t len) {
return SHA3_Update(ctx, data, len);
}

int SHA3_384_Final(uint8_t out[SHA3_384_DIGEST_LENGTH],
KECCAK1600_CTX *ctx) {
return SHA3_Final(&out[0], ctx);
}

int SHA3_512_Init(KECCAK1600_CTX *ctx) {
return SHA3_Init(ctx, SHA3_512_DIGEST_BITLENGTH);
}

int SHA3_512_Update(KECCAK1600_CTX *ctx, const void *data,
size_t len) {
return SHA3_Update(ctx, data, len);
}

int SHA3_512_Final(uint8_t out[SHA3_512_DIGEST_LENGTH],
KECCAK1600_CTX *ctx) {
return SHA3_Final(&out[0], ctx);
}

/*
* SHAKE APIs implement SHAKE functionalities on top of FIPS202 API layer
*/
Expand Down
Loading
Loading