Add x86 Keccak implementation

crypto/fipsmodule/CMakeLists.txt

@@ -262,6 +262,7 @@ if((((ARCH STREQUAL "x86_64") AND NOT MY_ASSEMBLER_IS_TOO_OLD_FOR_512AVX) OR
                 ${S2N_BIGNUM_DIR}/curve25519/curve25519_x25519_alt.S
                 ${S2N_BIGNUM_DIR}/curve25519/curve25519_x25519base.S
                 ${S2N_BIGNUM_DIR}/curve25519/curve25519_x25519base_alt.S
+                ${S2N_BIGNUM_DIR}/sha3/sha3_keccak_f1600.S
     )
   elseif(ARCH STREQUAL "aarch64")
     # byte-level interface for aarch64 s2n-bignum x25519 are in

crypto/fipsmodule/sha/internal.h

@@ -342,7 +342,8 @@ void sha512_block_data_order_nohw(uint64_t state[8], const uint8_t *data,
                                   size_t num);
 #endif
 
-#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64)
+#if !defined(OPENSSL_NO_ASM) && \
+                    (defined(OPENSSL_AARCH64) || defined(OPENSSL_X86_64))
 #define KECCAK1600_ASM
 #if defined(OPENSSL_LINUX) || defined(OPENSSL_APPLE)
 #define KECCAK1600_S2N_BIGNUM_ASM

crypto/fipsmodule/sha/keccak1600.c

@@ -419,18 +419,20 @@ void Keccak1600_Squeeze(uint64_t A[KECCAK1600_ROWS][KECCAK1600_ROWS], uint8_t *o
 #if defined(KECCAK1600_ASM)
 
 // Double-check that bit-interleaving is not used on AArch64
-#if BIT_INTERLEAVE != 0
+#if defined(BIT_INTERLEAVE) && BIT_INTERLEAVE
 #error Bit-interleaving of Keccak1600 states should be disabled for AArch64
 #endif
 
 // Scalar implementation from OpenSSL provided by keccak1600-armv8.pl
 extern void KeccakF1600_hw(uint64_t state[25]);
 
+#if defined(OPENSSL_AARCH64)
 static void keccak_log_dispatch(size_t id) {
 #if BORINGSSL_DISPATCH_TEST
     BORINGSSL_function_hit[id] = 1;
 #endif
 }
+#endif
 
 void KeccakF1600(uint64_t A[KECCAK1600_ROWS][KECCAK1600_ROWS]) {
     // Dispatch logic for Keccak-x1 on AArch64:
@@ -454,7 +456,7 @@ void KeccakF1600(uint64_t A[KECCAK1600_ROWS][KECCAK1600_ROWS]) {
     // Neoverse V1 and V2 do support SHA3 instructions, but they are only
     // implemented on 1/4 of Neon units, and are thus slower than a scalar
     // implementation.
-
+#if defined(OPENSSL_AARCH64)
 #if defined(KECCAK1600_S2N_BIGNUM_ASM)
     if (CRYPTO_is_Neoverse_N1() || CRYPTO_is_Neoverse_V1() || CRYPTO_is_Neoverse_V2()) {
         keccak_log_dispatch(10); // kFlag_sha3_keccak_f1600
@@ -473,6 +475,11 @@ void KeccakF1600(uint64_t A[KECCAK1600_ROWS][KECCAK1600_ROWS]) {
 
     keccak_log_dispatch(9); // kFlag_KeccakF1600_hw
     KeccakF1600_hw((uint64_t *) A);
+
+#elif defined(OPENSSL_X86_64) && !defined(MY_ASSEMBLER_IS_TOO_OLD_FOR_512AVX) && \
+    defined(KECCAK1600_S2N_BIGNUM_ASM)
+    sha3_keccak_f1600((uint64_t *)A, iotas);
+#endif
 }
 
 #else // KECCAK1600_ASM
@@ -524,8 +531,7 @@ static void Keccak1600_x4(uint64_t A[4][KECCAK1600_ROWS][KECCAK1600_ROWS]) {
     //   which is a straightforward implementation using the SHA3 extension.
     // - Otherwise, fall back to four times the 1-fold Keccak implementation
     //   (which has its own dispatch logic).
-
-#if defined(KECCAK1600_S2N_BIGNUM_ASM)
+#if defined(KECCAK1600_S2N_BIGNUM_ASM) && defined(OPENSSL_AARCH64)
     if (CRYPTO_is_Neoverse_N1()) {
         keccak_log_dispatch(13); // kFlag_sha3_keccak4_f1600_alt
         sha3_keccak4_f1600_alt((uint64_t *)A, iotas);

third_party/s2n-bignum/s2n-bignum-imported/x86_att/Makefile

@@ -286,6 +286,7 @@ OBJ = curve25519/bignum_add_p25519.o \
       secp256k1/secp256k1_jdouble_alt.o \
       secp256k1/secp256k1_jmixadd.o \
       secp256k1/secp256k1_jmixadd_alt.o \
+      sha3/sha3_keccak_f1600.o \
       sm2/bignum_add_sm2.o \
       sm2/bignum_cmul_sm2.o \
       sm2/bignum_cmul_sm2_alt.o \