History log of /openssl/providers/implementations/digests/sha3_prov.c (Results 1 – 25 of 44)
Revision Date Author Comments
# dc5afb7e 04-Sep-2024 Ingo Franzki

s390x: Fix s390x_shake_squeeze() when MSA 12 is available

On the first squeeze call, when finishing the absorb process, also set
the NIP flag, if we are still in XOF_STATE_INIT state. When MSA 12 is
available, the state buffer A has not been zeroed during initialization,
thus we must also pass the NIP flag here. This situation can happen
when a squeeze is performed without a preceding absorb (i.e. a SHAKE
of the empty message).

Add a test that performs a squeeze without a preceding absorb and check
if the result is correct.

Fixes: https://github.com/openssl/openssl/commit/25f5d7b85f6657cd2f9f1ab7ae87f319d9bafe54

Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25388)



# 979dc530 05-Sep-2024 Ingo Franzki

s390x: Fix s390x_sha3_absorb() when no data is processed by KIMD

If the data to absorb is less than a block, then the KIMD instruction is
called with zero bytes. This is superfluous, and causes incorrect hash
output later on if this is the very first absorb call, i.e. when the
xof_state is still XOF_STATE_INIT and MSA 12 is available. In this case
the NIP flag is set in the function code for KIMD, but KIMD ignores the
NIP flag when it is called with zero bytes to process.

Skip any KIMD calls for zero length data. Also do not set the xof_state
to XOF_STATE_ABSORB until the first call to KIMD with data. That way,
the next KIMD (with non-zero length data) or KLMD call will get the NIP
flag set and will then honor it to produce correct output.

Fixes: https://github.com/openssl/openssl/commit/25f5d7b85f6657cd2f9f1ab7ae87f319d9bafe54

Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25388)



# 7ed6de99 05-Sep-2024 Tomas Mraz

Copyright year updates


Reviewed-by: Neil Horman <nhorman@openssl.org>
Release: yes


# 25f5d7b8 29-Feb-2024 Joerg Schmidbauer

s390x: support CPACF sha3/shake performance improvements

On newer machines the SHA3/SHAKE performance of CPACF instructions KIMD and KLMD
can be enhanced by using additional modifier bits. This allows the application
to omit initializing the ICV, but also affects the internal processing of the
instructions. Performance is mostly gained when processing short messages.

The new CPACF feature is backwards compatible with older machines, i.e. the new
modifier bits are ignored on older machines. However, to save the ICV
initialization, the application must detect the MSA level and omit the ICV
initialization only if this feature is supported.

Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25235)



# c48e5687 25-Aug-2024 slontis

XOF / EVP_MD_size() changes.

Added the function EVP_MD_CTX_get_size_ex() which checks for XOF and
does a ctx get rather than just returning EVP_MD_size().
SHAKE did not have a get_ctx_params() so that had to be added to return the xoflen.

Added a helper function EVP_MD_xof()
EVP_MD_CTX_size() was just an aliased macro for EVP_MD_size(), so to
keep it the same I added an extra function.

EVP_MD_size() always returns 0 for SHAKE now, since it caches the value
of md_size at the time of an EVP_MD_fetch(). This is probably better
than returning the incorrect initial value it was before e.g (16 for
SHAKE128) and returning that always instead of the set xoflen.

Note BLAKE2B uses "size" instead of "xoflen" to do a similar thing.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25285)



# 962431d5 13-Sep-2023 Dimitri Papadopoulos <3234522+DimitriPapadopoulos@users.noreply.github.com>

that open brace { should be on the previous line

Found by running the checkpatch.pl Linux script to enforce coding style.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22097)



# b911fef2 11-Apr-2024 Tomas Mraz

Intentionally break EVP_DigestFinal for SHAKE128 and SHAKE256

It will work only if OSSL_DIGEST_PARAM_XOFLEN is set.

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/24105)



# 94898923 27-Sep-2023 Holger Dengler

Support EVP_DigestSqueeze() in the digest provider for s390x.

The new EVP_DigestSqueeze() API requires changes to all keccak-based
digest provider implementations. Update the s390x-part of the SHA3
digest provider.

Squeeze for SHA3 is not supported, so add an empty function pointer
(NULL).

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22221)



# 1022131d 27-Sep-2023 Holger Dengler

Fix state handling of keccak_final for s390x.

The digest life-cycle state diagram has been updated for XOF. Fix the
state handling in s390x_keccac_final() according to the updated state
diagram.

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22221)



# 288fbb4b 27-Sep-2023 Holger Dengler

Fix state handling of shake_final for s390x.

The digest life-cycle state diagram has been updated for XOF. Fix the
state handling in s390x_shake_final() according to the updated state
diagram.

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22221)



# 017acc58 27-Sep-2023 Holger Dengler

Fix state handling of sha3_final for s390x.

The digest life-cycle state diagram has been updated for XOF. Fix the
state handling in s390x_sha3_final() according to the updated state
diagram.

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22221)



# 7aa45b8b 27-Sep-2023 Holger Dengler

Fix state handling of sha3_absorb for s390x.

The digest life-cycle state diagram has been updated for XOF. Fix the
state handling in s390x_sha3_absorb() according to the updated state
diagram.

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22221)



# 1337b509 27-Sep-2023 Holger Dengler

Add xof state handling for generic sha3 absorb.

The digest life-cycle diagram specifies state transitions to `updated`
(aka XOF_STATE_ABSORB) only from `initialised` and `updated`. Add this
checking to the generic sha3 absorb implementation.

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22221)



# 53664908 21-Jul-2023 slontis

Add EVP_DigestSqueeze() API.

Fixes #7894

This allows SHAKE to squeeze multiple times with different output sizes.

The existing EVP_DigestFinalXOF() API has been left as a one shot
operation. A similar interface is used by another toolkit.

The low level SHA3_Squeeze() function needed to change slightly so
that it can handle multiple squeezes. This involves changing the
assembler code so that it passes a boolean to indicate whether
the Keccak function should be called on entry.
At the provider level, the squeeze is buffered, so that it only requests
a multiple of the blocksize when SHA3_Squeeze() is called. On the first
call the value is zero, on subsequent calls the value passed is 1.

This PR is derived from the excellent work done by @nmathewson in
https://github.com/openssl/openssl/pull/7921

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21511)



# 46b43c9f 13-Sep-2023 Tomas Mraz

Fix build of SHA3 on ARM64 with no-asm

Fixes #22089

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22090)



# da1c088f 07-Sep-2023 Matt Caswell

Copyright year updates


Reviewed-by: Richard Levitte <levitte@openssl.org>
Release: yes


# ba9472c1 15-Jul-2023 sdlyyxy

Update with `ARMV8_HAVE_SHA3_AND_WORTH_USING`

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21398)



# 08e6eb21 14-Jul-2023 sdlyyxy

Move CPU detection to armcap.c

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21398)


# f6484de2 07-Jul-2023 sdlyyxy

Enable ARMv8.2 accelerated SHA3 on compatible Apple CPUs

The hardware-assisted ARMv8.2 implementation is already in keccak1600-armv8.pl.
It is not called because the author mentioned that it's not actually obvious
that it will provide performance improvements. The test on Apple M1 Firestorm
shows that the ARMv8.2 implementation could improve about 36% for large blocks.
So let's enable ARMv8.2 accelerated SHA3 on Apple CPU family.

Fixes #21380

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21398)



# de136993 03-Mar-2023 Juergen Christ

S390X: Accelerate keccak XOF

The keccak XOF used for KMAC can be simplified by using klmd. This speeds up
XOF processing in cases where more than one result block is needed.

Signed-off-by: Juergen Christ <jchrist@linux.ibm.com>

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20431)



# 76aa4f3a 02-Jan-2023 Juergen Christ

s390x: Fix keccak xofs via CPACF

CPACF does not directly support xofs. Emulate this by using single block
operations on an empty input block.

Fixes: affc070aabc9 ("s390x: Optimize kmac")

Signed-off-by: Juergen Christ <jchrist@linux.ibm.com>

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19983)



# affc070a 25-Jul-2022 Juergen Christ

s390x: Optimize kmac

Use hardware acceleration for kmac on s390x. Since klmd does not support
kmac, perform padding of the last block by hand and use kimd. Yields a
performance improvement of between 2x and 3x.

Signed-off-by: Juergen Christ <jchrist@linux.ibm.com>

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18863)



# 086d88a6 13-Jul-2022 Juergen Christ

s390x: Fix Keccak implementation

s390x does not directly support keccak via CPACF since these instructions
hard-code the padding to either SHA-3 or SHAKE for the "compute last message
digest" function. This caused test errors on Keccak digests. Fix it by using
"compute intermediate message digest" and manually computing the padding for
Keccak.

Fixes: a8b238f0e4c1 ("Fix SHA, SHAKE, and KECCAK ASM flag passing")

Signed-off-by: Juergen Christ <jchrist@linux.ibm.com>

Reviewed-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18794)



# fecb3aae 03-May-2022 Matt Caswell

Update copyright year

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Release: yes


# 2c9da416 07-Jan-2022 Pauli

fix indentation

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17529)

