From 086d88a637ecf537af62260e16d4e0011dbb8d1b Mon Sep 17 00:00:00 2001
From: Juergen Christ
Date: Wed, 13 Jul 2022 15:07:16 +0200
Subject: s390x: Fix Keccak implementation
s390x does not directly support keccak via CPACF since these instructions hard-code the padding to either SHA-3 or SHAKE for the "compute last message digest" function. This caused test errors on Keccak digests. Fix it by using "compute intermediate message digest" and manually computing the padding for Keccak.
Fixes: a8b238f0e4c1 ("Fix SHA, SHAKE, and KECCAK ASM flag passing")
Signed-off-by: Juergen Christ
Reviewed-by: Patrick Steuer
Reviewed-by: Paul Dale
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/18794)
---
 providers/implementations/digests/sha3_prov.c | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/providers/implementations/digests/sha3_prov.c b/providers/implementations/digests/sha3_prov.c
index 20190cb35a..c297945570 100644
--- a/providers/implementations/digests/sha3_prov.c
+++ b/providers/implementations/digests/sha3_prov.c
@@ -177,6 +177,23 @@ static int s390x_shake_final(unsigned char *md, void *vctx)
 return 1;
 }
 
+static int s390x_keccak_final(unsigned char *md, void *vctx) {
+ KECCAK1600_CTX *ctx = vctx;
+ size_t bsz = ctx->block_size;
+ size_t num = ctx->bufsz;
+
+ if (!ossl_prov_is_running())
+ return 0;
+ if (ctx->md_size == 0)
+ return 1;
+ memset(ctx->buf + num, 0, bsz - num);
+ ctx->buf[num] = 0x01;
+ ctx->buf[bsz - 1] |= 0x80;
+ s390x_kimd(ctx->buf, bsz, ctx->pad, ctx->A);
+ memcpy(md, ctx->A, ctx->md_size);
+ return 1;
+}
+
 static PROV_SHA3_METHOD sha3_s390x_md =
 {
 s390x_sha3_absorb,
@@ -186,7 +203,7 @@ static PROV_SHA3_METHOD sha3_s390x_md =
 static PROV_SHA3_METHOD keccak_s390x_md =
 {
 s390x_sha3_absorb,
- s390x_sha3_final
+ s390x_keccak_final
 };
 
 static PROV_SHA3_METHOD shake_s390x_md =
-- 
cgit v1.2.1
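Review bot: In the first hunk, s390x_keccak_final relies on `ctx->bufsz < ctx->block_size` without checking it: with `num == bsz` the store `ctx->buf[num] = 0x01` lands one byte past the block, and with `num > bsz` the `bsz - num` length handed to memset wraps around as a size_t. The absorb routine that is expected to maintain this invariant is outside the hunk, so a cheap guard such as `if (num >= bsz) return 0;` ahead of the memset would make the precondition explicit instead of implied. The hard-coded padding bytes also deserve a comment, for example `/* Keccak pad10*1, no SHA-3/SHAKE domain bits; |= because both pad bits share one byte when num == bsz - 1 */`. As a style point, the function's opening brace sits on the signature line, whereas OpenSSL's coding style puts it on a line of its own.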