From: Niels Möller Date: Sun, 24 Mar 2024 12:32:48 +0000 (+0100) Subject: Make shake256 call sha3_permute before, not after, generating output. X-Git-Tag: nettle_3.10rc1~19^2~7 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=842e203e3ab811c87130a541d6a92116c77da2a1;p=thirdparty%2Fnettle.git Make shake256 call sha3_permute before, not after, generating output. --- diff --git a/ChangeLog b/ChangeLog index d0cd4d19..b8a36979 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,14 @@ 2024-03-24 Niels Möller * sha3.c (_nettle_sha3_update): Use MD_FILL_OR_RETURN_INDEX. + (sha3_xor_block): New function, taken out from sha3_absorb. + (_nettle_sha3_pad): Call sha3_xor_block, not sha3_absorb. + * sha3-internal.h (_sha3_pad_shake): By above change, no longer + implies sha3_permute. + (_sha3_pad_hash): Update, to still include a + call to sha3_permute. + * shake256.c (sha3_256_shake, sha3_256_shake_output): Update to + call sha3_permute before generating output. 2024-03-20 Niels Möller diff --git a/sha3-internal.h b/sha3-internal.h index 9b01231a..3778c6a5 100644 --- a/sha3-internal.h +++ b/sha3-internal.h @@ -50,8 +50,10 @@ void _nettle_sha3_pad (struct sha3_state *state, unsigned block_size, uint8_t *block, unsigned pos, uint8_t magic); -#define _sha3_pad_hash(state, block_size, block, pos) \ - _nettle_sha3_pad (state, block_size, block, pos, SHA3_HASH_MAGIC) +#define _sha3_pad_hash(state, block_size, block, pos) do { \ + _nettle_sha3_pad (state, block_size, block, pos, SHA3_HASH_MAGIC); \ + sha3_permute (state); \ + } while (0) #define _sha3_pad_shake(state, block_size, block, pos) \ _nettle_sha3_pad (state, block_size, block, pos, SHA3_SHAKE_MAGIC) diff --git a/sha3.c b/sha3.c index d113f0fc..d5b0fe49 100644 --- a/sha3.c +++ b/sha3.c @@ -45,20 +45,25 @@ #include "md-internal.h" #include "memxor.h" +#if WORDS_BIGENDIAN static void -sha3_absorb (struct sha3_state *state, unsigned length, const uint8_t *data) +sha3_xor_block (struct sha3_state *state, unsigned length, const uint8_t *data) { assert ( (length & 7) == 0); -#if WORDS_BIGENDIAN { uint64_t *p; for (p = state->a; length > 0; p++, length -= 8, data += 8) *p ^= LE_READ_UINT64 (data); } +} #else /* !WORDS_BIGENDIAN */ - memxor (state->a, data, length); +#define sha3_xor_block(state, length, data) memxor (state->a, data, length) #endif +static void +sha3_absorb (struct sha3_state *state, unsigned length, const uint8_t *data) +{ + sha3_xor_block (state, length, data); sha3_permute (state); } @@ -93,5 +98,5 @@ _nettle_sha3_pad (struct sha3_state *state, memset (block + pos, 0, block_size - pos); block[block_size - 1] |= 0x80; - sha3_absorb (state, block_size, block); + sha3_xor_block (state, block_size, block); } diff --git a/shake256.c b/shake256.c index 9c418395..1bc9eb08 100644 --- a/shake256.c +++ b/shake256.c @@ -56,11 +56,12 @@ sha3_256_shake (struct sha3_256_ctx *ctx, _sha3_pad_shake (&ctx->state, SHA3_256_BLOCK_SIZE, ctx->block, ctx->index); while (length > SHA3_256_BLOCK_SIZE) { + sha3_permute (&ctx->state); _nettle_write_le64 (SHA3_256_BLOCK_SIZE, dst, ctx->state.a); length -= SHA3_256_BLOCK_SIZE; dst += SHA3_256_BLOCK_SIZE; - sha3_permute (&ctx->state); } + sha3_permute (&ctx->state); _nettle_write_le64 (length, dst, ctx->state.a); sha3_256_init (ctx); @@ -104,17 +105,17 @@ sha3_256_shake_output (struct sha3_256_ctx *ctx, /* Write full blocks. */ while (length > sizeof (ctx->block)) { + sha3_permute (&ctx->state); _nettle_write_le64 (sizeof (ctx->block), digest, ctx->state.a); length -= sizeof (ctx->block); digest += sizeof (ctx->block); - sha3_permute (&ctx->state); } if (length > 0) { /* Fill in the buffer for next call. */ - _nettle_write_le64 (sizeof (ctx->block), ctx->block, ctx->state.a); sha3_permute (&ctx->state); + _nettle_write_le64 (sizeof (ctx->block), ctx->block, ctx->state.a); memcpy (digest, ctx->block, length); ctx->index = length | INDEX_HIGH_BIT; }