diff --git a/crypto/fipsmodule/digest/digest.c b/crypto/fipsmodule/digest/digest.c index 5f1075c225..65a302456a 100644 --- a/crypto/fipsmodule/digest/digest.c +++ b/crypto/fipsmodule/digest/digest.c @@ -135,10 +135,9 @@ void EVP_MD_CTX_free(EVP_MD_CTX *ctx) { void EVP_MD_CTX_destroy(EVP_MD_CTX *ctx) { EVP_MD_CTX_free(ctx); } -// EVP_DigestFinalXOF is a single-shot XOF output generation function -// It can be called once. On sequential calls, it returns 0. -// The |ctx->digest| check prevents calling EVP_DigestFinalXOF consecutively. -// To catch single-shot XOF EVP_DigestFinalXOF calls after |EVP_DigestSqueeze|, +// EVP_DigestFinalXOF is a single-call XOF output generation function. +// The |ctx->digest| check prevents calling EVP_DigestFinalXOF consecutively. +// To catch single-call XOF EVP_DigestFinalXOF calls after |EVP_DigestSqueeze|, // the return |SHAKE_Final| value is used (the check is internally performed via // the |KECCAK1600_CTX *ctx| state flag). int EVP_DigestFinalXOF(EVP_MD_CTX *ctx, uint8_t *out, size_t len) { @@ -154,7 +153,7 @@ int EVP_DigestFinalXOF(EVP_MD_CTX *ctx, uint8_t *out, size_t len) { return ok; } -// EVP_DigestSqueeze is a streaming XOF output generation function +// EVP_DigestSqueeze is a streaming XOF output squeeze function // It can be called multiple times to generate an output of length // |len| bytes. int EVP_DigestSqueeze(EVP_MD_CTX *ctx, uint8_t *out, size_t len) { @@ -294,7 +293,7 @@ int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *data, size_t len) { if (ctx->update == NULL) { return 0; } - return ctx->update(ctx, data, len);; + return ctx->update(ctx, data, len); } int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, uint8_t *md_out, unsigned int *size) { diff --git a/crypto/fipsmodule/digest/digests.c b/crypto/fipsmodule/digest/digests.c index 9a8ea44d82..87e6633f03 100644 --- a/crypto/fipsmodule/digest/digests.c +++ b/crypto/fipsmodule/digest/digests.c @@ -456,14 +456,14 @@ static void shake128_init(EVP_MD_CTX *ctx) { CHECK(SHAKE_Init(ctx->md_data, SHAKE128_BLOCKSIZE)); } -// Digest XOF functions return 1 on seccess and 0 on failure, returned +// shake128_update returns 1 on success and 0 on failure, returned // from |SHAKE_Absorb|, to restrict update calls after |squeezeXOF|. static int shake128_update(EVP_MD_CTX *ctx, const void *data, size_t count) { return SHAKE_Absorb(ctx->md_data, data, count); } -// Digest XOF functions return 1 on seccess and 0 on failure, -// returned from |SHAKE_Final|, to restrict Signle-Shot SHAKE_Final +// shake128_final returns 1 on success and 0 on failure, +// returned from |SHAKE_Final|, to restrict single-call SHAKE_Final // calls after |squeezeXOF|. static int shake128_final(EVP_MD_CTX *ctx, uint8_t *md, size_t len) { return SHAKE_Final(md, ctx->md_data, len); @@ -490,14 +490,14 @@ static void shake256_init(EVP_MD_CTX *ctx) { CHECK(SHAKE_Init(ctx->md_data, SHAKE256_BLOCKSIZE)); } -// Digest XOF functions return 1 on seccess and 0 on failure, returned +// shake256_update returns 1 on success and 0 on failure, returned // from |SHAKE_Absorb|, to restrict update calls after |squeezeXOF|. static int shake256_update(EVP_MD_CTX *ctx, const void *data, size_t count) { return SHAKE_Absorb(ctx->md_data, data, count); } -// Digest XOF functions return 1 on seccess and 0 on failure, -// returned from |SHAKE_Final|, to restrict Signle-Shot SHAKE_Final +// shake256_final returns 1 on success and 0 on failure, +// returned from |SHAKE_Final|, to restrict single-call SHAKE_Final // calls after |squeezeXOF|. static int shake256_final(EVP_MD_CTX *ctx, uint8_t *md, size_t len) { return SHAKE_Final(md, ctx->md_data, len); diff --git a/crypto/fipsmodule/digest/internal.h b/crypto/fipsmodule/digest/internal.h index a15ff67141..4d44a56b90 100644 --- a/crypto/fipsmodule/digest/internal.h +++ b/crypto/fipsmodule/digest/internal.h @@ -79,9 +79,9 @@ struct env_md_st { void (*init)(EVP_MD_CTX *ctx); // update hashes |len| bytes of |data| into the state in |ctx->md_data|. - // Digest functions always return 1. update calls after |final| are - // via checking the |ctx| (|final| cleanses the |ctx|). - // Digest XOF functions return 1 on seccess and 0 on failure, + // Digest update functions always return 1. update calls after |final| are + // restricted via |ctx| check (|final| cleanses the |ctx|). + // Digest XOF update functions return 1 on success and 0 on failure, // returned from |SHAKE_Absorb|, to restrict update calls after |squeezeXOF|. int (*update)(EVP_MD_CTX *ctx, const void *data, size_t count); @@ -95,8 +95,8 @@ struct env_md_st { unsigned ctx_size; // finalXOF completes the hash and writes |len| bytes of digest extended output - // to |out|. Returns 1 on seccess and 0 on failure, returned from |SHAKE_Final|, - // to restrict Signle-Shot finalXOF calls after |squeezeXOF|. + // to |out|. Returns 1 on success and 0 on failure, returned from |SHAKE_Final|, + // to restrict single-call finalXOF calls after |squeezeXOF|. int (*finalXOF)(EVP_MD_CTX *ctx, uint8_t *out, size_t len); // squeezeXOF incrementally generates |len| bytes of digest extended output diff --git a/crypto/fipsmodule/sha/sha3.c b/crypto/fipsmodule/sha/sha3.c index 77002a03e4..9bf91b0f06 100644 --- a/crypto/fipsmodule/sha/sha3.c +++ b/crypto/fipsmodule/sha/sha3.c @@ -292,8 +292,8 @@ int SHAKE_Absorb(KECCAK1600_CTX *ctx, const void *data, size_t len) { } // SHAKE_Final is to be called once to finalize absorb and squeeze phases -// |ctx->state| restricts consecutive calls to FIPS202_Finalize -// Function SHAKE_Squeeze should be used for incremental XOF output +// |ctx->state| restricts consecutive calls to |FIPS202_Finalize|. +// Function |SHAKE_Squeeze| should be used for incremental XOF output. int SHAKE_Final(uint8_t *md, KECCAK1600_CTX *ctx, size_t len) { if (ctx == NULL || md == NULL) { return 0; @@ -315,12 +315,15 @@ int SHAKE_Final(uint8_t *md, KECCAK1600_CTX *ctx, size_t len) { return 1; } -// SHAKE_Squeeze can be called multiple times -// SHAKE_Squeeze should be called for incremental XOF output +// SHAKE_Squeeze can be called multiple time for incremental XOF output int SHAKE_Squeeze(uint8_t *md, KECCAK1600_CTX *ctx, size_t len) { size_t block_bytes; ctx->md_size = len; + if (ctx == NULL || md == NULL) { + return 0; + } + if (ctx->md_size == 0) { return 1; } @@ -329,6 +332,8 @@ int SHAKE_Squeeze(uint8_t *md, KECCAK1600_CTX *ctx, size_t len) { return 0; } + + // Skip FIPS202_Finalize if the input has been padded and // the last block has been processed if (ctx->state == KECCAK1600_STATE_ABSORB) { @@ -339,24 +344,19 @@ int SHAKE_Squeeze(uint8_t *md, KECCAK1600_CTX *ctx, size_t len) { // Process previous data from output buffer if any if (ctx->buf_load != 0) { if (len <= ctx->buf_load) { - memcpy(md, ctx->buf + ctx->block_size - ctx->buf_load, len); + OPENSSL_memcpy(md, ctx->buf + ctx->block_size - ctx->buf_load, len); md += len; ctx->buf_load -= len; len = 0; return 1; } else { - memcpy(md, ctx->buf + ctx->block_size - ctx->buf_load, ctx->buf_load); + OPENSSL_memcpy(md, ctx->buf + ctx->block_size - ctx->buf_load, ctx->buf_load); md += ctx->buf_load; len -= ctx->buf_load; ctx->buf_load = 0; } } - // Use a single function to finalize SHAKE absorb phase and to generate - // incremental SHAKE_Squeeze extendable output. It allows consistency with the current - // single XOF function in the Digest EVP_MD |env_md_st->finalXOF| and - // EVP_DigestFinalXOF external APIs - // Process all full size output requested blocks block_bytes = ctx->block_size * (len / ctx->block_size); if (len > ctx->block_size) { @@ -372,7 +372,7 @@ int SHAKE_Squeeze(uint8_t *md, KECCAK1600_CTX *ctx, size_t len) { // to the output. The 'unused' output data is kept for processing in a sequenctual // call to SHAKE_Squeeze (incremental byte-wise SHAKE_Squeeze) Keccak1600_Squeeze(ctx->A, ctx->buf, ctx->block_size, ctx->block_size, ctx->state); - memcpy(md, ctx->buf, len); + OPENSSL_memcpy(md, ctx->buf, len); ctx->buf_load = ctx->block_size - len; // how much there is still in buffer to be consumed md += len; ctx->state = KECCAK1600_STATE_SQUEEZE;