/src/openssl111/crypto/evp/m_sha3.c

Source (jump to first uncovered line)
/*
 * Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the OpenSSL license (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include <stdio.h>
#include <string.h>

#include <openssl/evp.h>
#include <openssl/objects.h>
#include "crypto/evp.h"
#include "evp_local.h"

size_t SHA3_absorb(uint64_t A[5][5], const unsigned char *inp, size_t len,
                   size_t r);
void SHA3_squeeze(uint64_t A[5][5], unsigned char *out, size_t len, size_t r);

#define KECCAK1600_WIDTH 1600

typedef struct {
    uint64_t A[5][5];
    size_t block_size;          /* cached ctx->digest->block_size */
    size_t md_size;             /* output length, variable in XOF */
    size_t num;                 /* used bytes in below buffer */
    unsigned char buf[KECCAK1600_WIDTH / 8 - 32];
    unsigned char pad;
} KECCAK1600_CTX;

static int init(EVP_MD_CTX *evp_ctx, unsigned char pad)
{
    KECCAK1600_CTX *ctx = evp_ctx->md_data;
    size_t bsz = evp_ctx->digest->block_size;

    if (bsz <= sizeof(ctx->buf)) {
        memset(ctx->A, 0, sizeof(ctx->A));

        ctx->num = 0;
        ctx->block_size = bsz;
        ctx->md_size = evp_ctx->digest->md_size;
        ctx->pad = pad;

        return 1;
    }

    return 0;
}

static int sha3_init(EVP_MD_CTX *evp_ctx)
{
    return init(evp_ctx, '\x06');
}

static int shake_init(EVP_MD_CTX *evp_ctx)
{
    return init(evp_ctx, '\x1f');
}

static int sha3_update(EVP_MD_CTX *evp_ctx, const void *_inp, size_t len)
{
    KECCAK1600_CTX *ctx = evp_ctx->md_data;
    const unsigned char *inp = _inp;
    size_t bsz = ctx->block_size;
    size_t num, rem;

    if (len == 0)
        return 1;

    if ((num = ctx->num) != 0) {      /* process intermediate buffer? */
        rem = bsz - num;

        if (len < rem) {
            memcpy(ctx->buf + num, inp, len);
            ctx->num += len;
            return 1;
        }
        /*
         * We have enough data to fill or overflow the intermediate
         * buffer. So we append |rem| bytes and process the block,
         * leaving the rest for later processing...
         */
        memcpy(ctx->buf + num, inp, rem);
        inp += rem, len -= rem;
        (void)SHA3_absorb(ctx->A, ctx->buf, bsz, bsz);
        ctx->num = 0;
        /* ctx->buf is processed, ctx->num is guaranteed to be zero */
    }

    if (len >= bsz)
        rem = SHA3_absorb(ctx->A, inp, len, bsz);
    else
        rem = len;

    if (rem) {
        memcpy(ctx->buf, inp + len - rem, rem);
        ctx->num = rem;
    }

    return 1;
}

static int sha3_final(EVP_MD_CTX *evp_ctx, unsigned char *md)
{
    KECCAK1600_CTX *ctx = evp_ctx->md_data;
    size_t bsz = ctx->block_size;
    size_t num = ctx->num;

    if (ctx->md_size == 0)
        return 1;

    /*
     * Pad the data with 10*1. Note that |num| can be |bsz - 1|
     * in which case both byte operations below are performed on
     * same byte...
     */
    memset(ctx->buf + num, 0, bsz - num);
    ctx->buf[num] = ctx->pad;
    ctx->buf[bsz - 1] |= 0x80;

    (void)SHA3_absorb(ctx->A, ctx->buf, bsz, bsz);

    SHA3_squeeze(ctx->A, md, ctx->md_size, bsz);

    return 1;
}

static int shake_ctrl(EVP_MD_CTX *evp_ctx, int cmd, int p1, void *p2)
{
    KECCAK1600_CTX *ctx = evp_ctx->md_data;

    switch (cmd) {
    case EVP_MD_CTRL_XOF_LEN:
        ctx->md_size = p1;
        return 1;
    default:
        return 0;
    }
}

#if defined(OPENSSL_CPUID_OBJ) && defined(__s390__) && defined(KECCAK1600_ASM)
/*
 * IBM S390X support
 */
# include "s390x_arch.h"

# define S390X_SHA3_FC(ctx)     ((ctx)->pad)

# define S390X_sha3_224_CAPABLE ((OPENSSL_s390xcap_P.kimd[0] &      \
                                  S390X_CAPBIT(S390X_SHA3_224)) &&  \
                                 (OPENSSL_s390xcap_P.klmd[0] &      \
                                  S390X_CAPBIT(S390X_SHA3_224)))
# define S390X_sha3_256_CAPABLE ((OPENSSL_s390xcap_P.kimd[0] &      \
                                  S390X_CAPBIT(S390X_SHA3_256)) &&  \
                                 (OPENSSL_s390xcap_P.klmd[0] &      \
                                  S390X_CAPBIT(S390X_SHA3_256)))
# define S390X_sha3_384_CAPABLE ((OPENSSL_s390xcap_P.kimd[0] &      \
                                  S390X_CAPBIT(S390X_SHA3_384)) &&  \
                                 (OPENSSL_s390xcap_P.klmd[0] &      \
                                  S390X_CAPBIT(S390X_SHA3_384)))
# define S390X_sha3_512_CAPABLE ((OPENSSL_s390xcap_P.kimd[0] &      \
                                  S390X_CAPBIT(S390X_SHA3_512)) &&  \
                                 (OPENSSL_s390xcap_P.klmd[0] &      \
                                  S390X_CAPBIT(S390X_SHA3_512)))
# define S390X_shake128_CAPABLE ((OPENSSL_s390xcap_P.kimd[0] &      \
                                  S390X_CAPBIT(S390X_SHAKE_128)) && \
                                 (OPENSSL_s390xcap_P.klmd[0] &      \
                                  S390X_CAPBIT(S390X_SHAKE_128)))
# define S390X_shake256_CAPABLE ((OPENSSL_s390xcap_P.kimd[0] &      \
                                  S390X_CAPBIT(S390X_SHAKE_256)) && \
                                 (OPENSSL_s390xcap_P.klmd[0] &      \
                                  S390X_CAPBIT(S390X_SHAKE_256)))

/* Convert md-size to block-size. */
# define S390X_KECCAK1600_BSZ(n) ((KECCAK1600_WIDTH - ((n) << 1)) >> 3)

static int s390x_sha3_init(EVP_MD_CTX *evp_ctx)
{
    KECCAK1600_CTX *ctx = evp_ctx->md_data;
    const size_t bsz = evp_ctx->digest->block_size;

    /*-
     * KECCAK1600_CTX structure's pad field is used to store the KIMD/KLMD
     * function code.
     */
    switch (bsz) {
    case S390X_KECCAK1600_BSZ(224):
        ctx->pad = S390X_SHA3_224;
        break;
    case S390X_KECCAK1600_BSZ(256):
        ctx->pad = S390X_SHA3_256;
        break;
    case S390X_KECCAK1600_BSZ(384):
        ctx->pad = S390X_SHA3_384;
        break;
    case S390X_KECCAK1600_BSZ(512):
        ctx->pad = S390X_SHA3_512;
        break;
    default:
        return 0;
    }

    memset(ctx->A, 0, sizeof(ctx->A));
    ctx->num = 0;
    ctx->block_size = bsz;
    ctx->md_size = evp_ctx->digest->md_size;
    return 1;
}

static int s390x_shake_init(EVP_MD_CTX *evp_ctx)
{
    KECCAK1600_CTX *ctx = evp_ctx->md_data;
    const size_t bsz = evp_ctx->digest->block_size;

    /*-
     * KECCAK1600_CTX structure's pad field is used to store the KIMD/KLMD
     * function code.
     */
    switch (bsz) {
    case S390X_KECCAK1600_BSZ(128):
        ctx->pad = S390X_SHAKE_128;
        break;
    case S390X_KECCAK1600_BSZ(256):
        ctx->pad = S390X_SHAKE_256;
        break;
    default:
        return 0;
    }

    memset(ctx->A, 0, sizeof(ctx->A));
    ctx->num = 0;
    ctx->block_size = bsz;
    ctx->md_size = evp_ctx->digest->md_size;
    return 1;
}

static int s390x_sha3_update(EVP_MD_CTX *evp_ctx, const void *_inp, size_t len)
{
    KECCAK1600_CTX *ctx = evp_ctx->md_data;
    const unsigned char *inp = _inp;
    const size_t bsz = ctx->block_size;
    size_t num, rem;

    if (len == 0)
        return 1;

    if ((num = ctx->num) != 0) {
        rem = bsz - num;

        if (len < rem) {
            memcpy(ctx->buf + num, inp, len);
            ctx->num += len;
            return 1;
        }
        memcpy(ctx->buf + num, inp, rem);
        inp += rem;
        len -= rem;
        s390x_kimd(ctx->buf, bsz, ctx->pad, ctx->A);
        ctx->num = 0;
    }
    rem = len % bsz;

    s390x_kimd(inp, len - rem, ctx->pad, ctx->A);

    if (rem) {
        memcpy(ctx->buf, inp + len - rem, rem);
        ctx->num = rem;
    }
    return 1;
}

static int s390x_sha3_final(EVP_MD_CTX *evp_ctx, unsigned char *md)
{
    KECCAK1600_CTX *ctx = evp_ctx->md_data;

    s390x_klmd(ctx->buf, ctx->num, NULL, 0, ctx->pad, ctx->A);
    memcpy(md, ctx->A, ctx->md_size);
    return 1;
}

static int s390x_shake_final(EVP_MD_CTX *evp_ctx, unsigned char *md)
{
    KECCAK1600_CTX *ctx = evp_ctx->md_data;

    s390x_klmd(ctx->buf, ctx->num, md, ctx->md_size, ctx->pad, ctx->A);
    return 1;
}

# define EVP_MD_SHA3(bitlen)                         \
const EVP_MD *EVP_sha3_##bitlen(void)                \
{                                                    \
    static const EVP_MD s390x_sha3_##bitlen##_md = { \
        NID_sha3_##bitlen,                           \
        NID_RSA_SHA3_##bitlen,                       \
        bitlen / 8,                                  \
        EVP_MD_FLAG_DIGALGID_ABSENT,                 \
        s390x_sha3_init,                             \
        s390x_sha3_update,                           \
        s390x_sha3_final,                            \
        NULL,                                        \
        NULL,                                        \
        (KECCAK1600_WIDTH - bitlen * 2) / 8,         \
        sizeof(KECCAK1600_CTX),                      \
    };                                               \
    static const EVP_MD sha3_##bitlen##_md = {       \
        NID_sha3_##bitlen,                           \
        NID_RSA_SHA3_##bitlen,                       \
        bitlen / 8,                                  \
        EVP_MD_FLAG_DIGALGID_ABSENT,                 \
        sha3_init,                                   \
        sha3_update,                                 \
        sha3_final,                                  \
        NULL,                                        \
        NULL,                                        \
        (KECCAK1600_WIDTH - bitlen * 2) / 8,         \
        sizeof(KECCAK1600_CTX),                      \
    };                                               \
    return S390X_sha3_##bitlen##_CAPABLE ?           \
           &s390x_sha3_##bitlen##_md :               \
           &sha3_##bitlen##_md;                      \
}

# define EVP_MD_SHAKE(bitlen)                        \
const EVP_MD *EVP_shake##bitlen(void)                \
{                                                    \
    static const EVP_MD s390x_shake##bitlen##_md = { \
        NID_shake##bitlen,                           \
        0,                                           \
        bitlen / 8,                                  \
        EVP_MD_FLAG_XOF,                             \
        s390x_shake_init,                            \
        s390x_sha3_update,                           \
        s390x_shake_final,                           \
        NULL,                                        \
        NULL,                                        \
        (KECCAK1600_WIDTH - bitlen * 2) / 8,         \
        sizeof(KECCAK1600_CTX),                      \
        shake_ctrl                                   \
    };                                               \
    static const EVP_MD shake##bitlen##_md = {       \
        NID_shake##bitlen,                           \
        0,                                           \
        bitlen / 8,                                  \
        EVP_MD_FLAG_XOF,                             \
        shake_init,                                  \
        sha3_update,                                 \
        sha3_final,                                  \
        NULL,                                        \
        NULL,                                        \
        (KECCAK1600_WIDTH - bitlen * 2) / 8,         \
        sizeof(KECCAK1600_CTX),                      \
        shake_ctrl                                   \
    };                                               \
    return S390X_shake##bitlen##_CAPABLE ?           \
           &s390x_shake##bitlen##_md :               \
           &shake##bitlen##_md;                      \
}

#else

# define EVP_MD_SHA3(bitlen)                    \
const EVP_MD *EVP_sha3_##bitlen(void)           \
{                                               \
    static const EVP_MD sha3_##bitlen##_md = {  \
        NID_sha3_##bitlen,                      \
        NID_RSA_SHA3_##bitlen,                  \
        bitlen / 8,                             \
        EVP_MD_FLAG_DIGALGID_ABSENT,            \
        sha3_init,                              \
        sha3_update,                            \
        sha3_final,                             \
        NULL,                                   \
        NULL,                                   \
        (KECCAK1600_WIDTH - bitlen * 2) / 8,    \
        sizeof(KECCAK1600_CTX),                 \
    };                                          \
    return &sha3_##bitlen##_md;                 \
}

# define EVP_MD_SHAKE(bitlen)                   \
const EVP_MD *EVP_shake##bitlen(void)           \
{                                               \
    static const EVP_MD shake##bitlen##_md = {  \
        NID_shake##bitlen,                      \
        0,                                      \
        bitlen / 8,                             \
        EVP_MD_FLAG_XOF,                        \
        shake_init,                             \
        sha3_update,                            \
        sha3_final,                             \
        NULL,                                   \
        NULL,                                   \
        (KECCAK1600_WIDTH - bitlen * 2) / 8,    \
        sizeof(KECCAK1600_CTX),                 \
        shake_ctrl                              \
    };                                          \
    return &shake##bitlen##_md;                 \
}
#endif

EVP_MD_SHA3(224)
EVP_MD_SHA3(256)
EVP_MD_SHA3(384)
EVP_MD_SHA3(512)

EVP_MD_SHAKE(128)
EVP_MD_SHAKE(256)

Coverage Report

Created: 2023-06-08 06:40

Line	Count	Source (jump to first uncovered line)
1		/*
2		* Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved.
3		*
4		* Licensed under the OpenSSL license (the "License"). You may not use
5		* this file except in compliance with the License. You can obtain a copy
6		* in the file LICENSE in the source distribution or at
7		* https://www.openssl.org/source/license.html
8		*/
9
10		#include <stdio.h>
11		#include <string.h>
12
13		#include <openssl/evp.h>
14		#include <openssl/objects.h>
15		#include "crypto/evp.h"
16		#include "evp_local.h"
17
18		size_t SHA3_absorb(uint64_t A[5][5], const unsigned char *inp, size_t len,
19		size_t r);
20		void SHA3_squeeze(uint64_t A[5][5], unsigned char *out, size_t len, size_t r);
21
22	0	#define KECCAK1600_WIDTH 1600
23
24		typedef struct {
25		uint64_t A[5][5];
26		size_t block_size; /* cached ctx->digest->block_size */
27		size_t md_size; /* output length, variable in XOF */
28		size_t num; /* used bytes in below buffer */
29		unsigned char buf[KECCAK1600_WIDTH / 8 - 32];
30		unsigned char pad;
31		} KECCAK1600_CTX;
32
33		static int init(EVP_MD_CTX *evp_ctx, unsigned char pad)
34	0	{
35	0	KECCAK1600_CTX *ctx = evp_ctx->md_data;
36	0	size_t bsz = evp_ctx->digest->block_size;
37
38	0	if (bsz <= sizeof(ctx->buf)) {
39	0	memset(ctx->A, 0, sizeof(ctx->A));
40
41	0	ctx->num = 0;
42	0	ctx->block_size = bsz;
43	0	ctx->md_size = evp_ctx->digest->md_size;
44	0	ctx->pad = pad;
45
46	0	return 1;
47	0	}
48
49	0	return 0;
50	0	}
51
52		static int sha3_init(EVP_MD_CTX *evp_ctx)
53	0	{
54	0	return init(evp_ctx, '\x06');
55	0	}
56
57		static int shake_init(EVP_MD_CTX *evp_ctx)
58	0	{
59	0	return init(evp_ctx, '\x1f');
60	0	}
61
62		static int sha3_update(EVP_MD_CTX evp_ctx, const void _inp, size_t len)
63	0	{
64	0	KECCAK1600_CTX *ctx = evp_ctx->md_data;
65	0	const unsigned char *inp = _inp;
66	0	size_t bsz = ctx->block_size;
67	0	size_t num, rem;
68
69	0	if (len == 0)
70	0	return 1;
71
72	0	if ((num = ctx->num) != 0) { /* process intermediate buffer? */
73	0	rem = bsz - num;
74
75	0	if (len < rem) {
76	0	memcpy(ctx->buf + num, inp, len);
77	0	ctx->num += len;
78	0	return 1;
79	0	}
80		/*
81		* We have enough data to fill or overflow the intermediate
82		* buffer. So we append \|rem\| bytes and process the block,
83		* leaving the rest for later processing...
84		*/
85	0	memcpy(ctx->buf + num, inp, rem);
86	0	inp += rem, len -= rem;
87	0	(void)SHA3_absorb(ctx->A, ctx->buf, bsz, bsz);
88	0	ctx->num = 0;
89		/* ctx->buf is processed, ctx->num is guaranteed to be zero */
90	0	}
91
92	0	if (len >= bsz)
93	0	rem = SHA3_absorb(ctx->A, inp, len, bsz);
94	0	else
95	0	rem = len;
96
97	0	if (rem) {
98	0	memcpy(ctx->buf, inp + len - rem, rem);
99	0	ctx->num = rem;
100	0	}
101
102	0	return 1;
103	0	}
104
105		static int sha3_final(EVP_MD_CTX evp_ctx, unsigned char md)
106	0	{
107	0	KECCAK1600_CTX *ctx = evp_ctx->md_data;
108	0	size_t bsz = ctx->block_size;
109	0	size_t num = ctx->num;
110
111	0	if (ctx->md_size == 0)
112	0	return 1;
113
114		/*
115		* Pad the data with 10*1. Note that \|num\| can be \|bsz - 1\|
116		* in which case both byte operations below are performed on
117		* same byte...
118		*/
119	0	memset(ctx->buf + num, 0, bsz - num);
120	0	ctx->buf[num] = ctx->pad;
121	0	ctx->buf[bsz - 1] \|= 0x80;
122
123	0	(void)SHA3_absorb(ctx->A, ctx->buf, bsz, bsz);
124
125	0	SHA3_squeeze(ctx->A, md, ctx->md_size, bsz);
126
127	0	return 1;
128	0	}
129
130		static int shake_ctrl(EVP_MD_CTX evp_ctx, int cmd, int p1, void p2)
131	0	{
132	0	KECCAK1600_CTX *ctx = evp_ctx->md_data;
133
134	0	switch (cmd) {
135	0	case EVP_MD_CTRL_XOF_LEN:
136	0	ctx->md_size = p1;
137	0	return 1;
138	0	default:
139	0	return 0;
140	0	}
141	0	}
142
143		#if defined(OPENSSL_CPUID_OBJ) && defined(__s390__) && defined(KECCAK1600_ASM)
144		/*
145		* IBM S390X support
146		*/
147		# include "s390x_arch.h"
148
149		# define S390X_SHA3_FC(ctx) ((ctx)->pad)
150
151		# define S390X_sha3_224_CAPABLE ((OPENSSL_s390xcap_P.kimd[0] & \
152		S390X_CAPBIT(S390X_SHA3_224)) && \
153		(OPENSSL_s390xcap_P.klmd[0] & \
154		S390X_CAPBIT(S390X_SHA3_224)))
155		# define S390X_sha3_256_CAPABLE ((OPENSSL_s390xcap_P.kimd[0] & \
156		S390X_CAPBIT(S390X_SHA3_256)) && \
157		(OPENSSL_s390xcap_P.klmd[0] & \
158		S390X_CAPBIT(S390X_SHA3_256)))
159		# define S390X_sha3_384_CAPABLE ((OPENSSL_s390xcap_P.kimd[0] & \
160		S390X_CAPBIT(S390X_SHA3_384)) && \
161		(OPENSSL_s390xcap_P.klmd[0] & \
162		S390X_CAPBIT(S390X_SHA3_384)))
163		# define S390X_sha3_512_CAPABLE ((OPENSSL_s390xcap_P.kimd[0] & \
164		S390X_CAPBIT(S390X_SHA3_512)) && \
165		(OPENSSL_s390xcap_P.klmd[0] & \
166		S390X_CAPBIT(S390X_SHA3_512)))
167		# define S390X_shake128_CAPABLE ((OPENSSL_s390xcap_P.kimd[0] & \
168		S390X_CAPBIT(S390X_SHAKE_128)) && \
169		(OPENSSL_s390xcap_P.klmd[0] & \
170		S390X_CAPBIT(S390X_SHAKE_128)))
171		# define S390X_shake256_CAPABLE ((OPENSSL_s390xcap_P.kimd[0] & \
172		S390X_CAPBIT(S390X_SHAKE_256)) && \
173		(OPENSSL_s390xcap_P.klmd[0] & \
174		S390X_CAPBIT(S390X_SHAKE_256)))
175
176		/* Convert md-size to block-size. */
177		# define S390X_KECCAK1600_BSZ(n) ((KECCAK1600_WIDTH - ((n) << 1)) >> 3)
178
179		static int s390x_sha3_init(EVP_MD_CTX *evp_ctx)
180		{
181		KECCAK1600_CTX *ctx = evp_ctx->md_data;
182		const size_t bsz = evp_ctx->digest->block_size;
183
184		/*-
185		* KECCAK1600_CTX structure's pad field is used to store the KIMD/KLMD
186		* function code.
187		*/
188		switch (bsz) {
189		case S390X_KECCAK1600_BSZ(224):
190		ctx->pad = S390X_SHA3_224;
191		break;
192		case S390X_KECCAK1600_BSZ(256):
193		ctx->pad = S390X_SHA3_256;
194		break;
195		case S390X_KECCAK1600_BSZ(384):
196		ctx->pad = S390X_SHA3_384;
197		break;
198		case S390X_KECCAK1600_BSZ(512):
199		ctx->pad = S390X_SHA3_512;
200		break;
201		default:
202		return 0;
203		}
204
205		memset(ctx->A, 0, sizeof(ctx->A));
206		ctx->num = 0;
207		ctx->block_size = bsz;
208		ctx->md_size = evp_ctx->digest->md_size;
209		return 1;
210		}
211
212		static int s390x_shake_init(EVP_MD_CTX *evp_ctx)
213		{
214		KECCAK1600_CTX *ctx = evp_ctx->md_data;
215		const size_t bsz = evp_ctx->digest->block_size;
216
217		/*-
218		* KECCAK1600_CTX structure's pad field is used to store the KIMD/KLMD
219		* function code.
220		*/
221		switch (bsz) {
222		case S390X_KECCAK1600_BSZ(128):
223		ctx->pad = S390X_SHAKE_128;
224		break;
225		case S390X_KECCAK1600_BSZ(256):
226		ctx->pad = S390X_SHAKE_256;
227		break;
228		default:
229		return 0;
230		}
231
232		memset(ctx->A, 0, sizeof(ctx->A));
233		ctx->num = 0;
234		ctx->block_size = bsz;
235		ctx->md_size = evp_ctx->digest->md_size;
236		return 1;
237		}
238
239		static int s390x_sha3_update(EVP_MD_CTX evp_ctx, const void _inp, size_t len)
240		{
241		KECCAK1600_CTX *ctx = evp_ctx->md_data;
242		const unsigned char *inp = _inp;
243		const size_t bsz = ctx->block_size;
244		size_t num, rem;
245
246		if (len == 0)
247		return 1;
248
249		if ((num = ctx->num) != 0) {
250		rem = bsz - num;
251
252		if (len < rem) {
253		memcpy(ctx->buf + num, inp, len);
254		ctx->num += len;
255		return 1;
256		}
257		memcpy(ctx->buf + num, inp, rem);
258		inp += rem;
259		len -= rem;
260		s390x_kimd(ctx->buf, bsz, ctx->pad, ctx->A);
261		ctx->num = 0;
262		}
263		rem = len % bsz;
264
265		s390x_kimd(inp, len - rem, ctx->pad, ctx->A);
266
267		if (rem) {
268		memcpy(ctx->buf, inp + len - rem, rem);
269		ctx->num = rem;
270		}
271		return 1;
272		}
273
274		static int s390x_sha3_final(EVP_MD_CTX evp_ctx, unsigned char md)
275		{
276		KECCAK1600_CTX *ctx = evp_ctx->md_data;
277
278		s390x_klmd(ctx->buf, ctx->num, NULL, 0, ctx->pad, ctx->A);
279		memcpy(md, ctx->A, ctx->md_size);
280		return 1;
281		}
282
283		static int s390x_shake_final(EVP_MD_CTX evp_ctx, unsigned char md)
284		{
285		KECCAK1600_CTX *ctx = evp_ctx->md_data;
286
287		s390x_klmd(ctx->buf, ctx->num, md, ctx->md_size, ctx->pad, ctx->A);
288		return 1;
289		}
290
291		# define EVP_MD_SHA3(bitlen) \
292		const EVP_MD *EVP_sha3_##bitlen(void) \
293		{ \
294		static const EVP_MD s390x_sha3_##bitlen##_md = { \
295		NID_sha3_##bitlen, \
296		NID_RSA_SHA3_##bitlen, \
297		bitlen / 8, \
298		EVP_MD_FLAG_DIGALGID_ABSENT, \
299		s390x_sha3_init, \
300		s390x_sha3_update, \
301		s390x_sha3_final, \
302		NULL, \
303		NULL, \
304		(KECCAK1600_WIDTH - bitlen * 2) / 8, \
305		sizeof(KECCAK1600_CTX), \
306		}; \
307		static const EVP_MD sha3_##bitlen##_md = { \
308		NID_sha3_##bitlen, \
309		NID_RSA_SHA3_##bitlen, \
310		bitlen / 8, \
311		EVP_MD_FLAG_DIGALGID_ABSENT, \
312		sha3_init, \
313		sha3_update, \
314		sha3_final, \
315		NULL, \
316		NULL, \
317		(KECCAK1600_WIDTH - bitlen * 2) / 8, \
318		sizeof(KECCAK1600_CTX), \
319		}; \
320		return S390X_sha3_##bitlen##_CAPABLE ? \
321		&s390x_sha3_##bitlen##_md : \
322		&sha3_##bitlen##_md; \
323		}
324
325		# define EVP_MD_SHAKE(bitlen) \
326		const EVP_MD *EVP_shake##bitlen(void) \
327		{ \
328		static const EVP_MD s390x_shake##bitlen##_md = { \
329		NID_shake##bitlen, \
330		0, \
331		bitlen / 8, \
332		EVP_MD_FLAG_XOF, \
333		s390x_shake_init, \
334		s390x_sha3_update, \
335		s390x_shake_final, \
336		NULL, \
337		NULL, \
338		(KECCAK1600_WIDTH - bitlen * 2) / 8, \
339		sizeof(KECCAK1600_CTX), \
340		shake_ctrl \
341		}; \
342		static const EVP_MD shake##bitlen##_md = { \
343		NID_shake##bitlen, \
344		0, \
345		bitlen / 8, \
346		EVP_MD_FLAG_XOF, \
347		shake_init, \
348		sha3_update, \
349		sha3_final, \
350		NULL, \
351		NULL, \
352		(KECCAK1600_WIDTH - bitlen * 2) / 8, \
353		sizeof(KECCAK1600_CTX), \
354		shake_ctrl \
355		}; \
356		return S390X_shake##bitlen##_CAPABLE ? \
357		&s390x_shake##bitlen##_md : \
358		&shake##bitlen##_md; \
359		}
360
361		#else
362
363		# define EVP_MD_SHA3(bitlen) \
364	0	const EVP_MD *EVP_sha3_##bitlen(void) \
365	0	{ \
366	0	static const EVP_MD sha3_##bitlen##_md = { \
367	0	NID_sha3_##bitlen, \
368	0	NID_RSA_SHA3_##bitlen, \
369	0	bitlen / 8, \
370	0	EVP_MD_FLAG_DIGALGID_ABSENT, \
371	0	sha3_init, \
372	0	sha3_update, \
373	0	sha3_final, \
374	0	NULL, \
375	0	NULL, \
376	0	(KECCAK1600_WIDTH - bitlen * 2) / 8, \
377	0	sizeof(KECCAK1600_CTX), \
378	0	}; \
379	0	return &sha3_##bitlen##_md; \
380	0	} Unexecuted instantiation: EVP_sha3_224 Unexecuted instantiation: EVP_sha3_256 Unexecuted instantiation: EVP_sha3_384 Unexecuted instantiation: EVP_sha3_512
381
382		# define EVP_MD_SHAKE(bitlen) \
383	0	const EVP_MD *EVP_shake##bitlen(void) \
384	0	{ \
385	0	static const EVP_MD shake##bitlen##_md = { \
386	0	NID_shake##bitlen, \
387	0	0, \
388	0	bitlen / 8, \
389	0	EVP_MD_FLAG_XOF, \
390	0	shake_init, \
391	0	sha3_update, \
392	0	sha3_final, \
393	0	NULL, \
394	0	NULL, \
395	0	(KECCAK1600_WIDTH - bitlen * 2) / 8, \
396	0	sizeof(KECCAK1600_CTX), \
397	0	shake_ctrl \
398	0	}; \
399	0	return &shake##bitlen##_md; \
400	0	} Unexecuted instantiation: EVP_shake128 Unexecuted instantiation: EVP_shake256
401		#endif
402
403		EVP_MD_SHA3(224)
404		EVP_MD_SHA3(256)
405		EVP_MD_SHA3(384)
406		EVP_MD_SHA3(512)
407
408		EVP_MD_SHAKE(128)
409		EVP_MD_SHAKE(256)