Only SHA3/SHAKE Init Updates via FIPS202 API layer #2101
Conversation
Clean redefinition of SHAKE blocksize/rate macros; Update their use inside MLKEM and MLDSA.
Fix alignment Co-authored-by: Jake Massimo <[email protected]>
Add FIPS202 layer for FIPS202_Init and FIPS202_Reset functions Introduce SHA3_Init API change; remove the padding character from parameters; is it handled internally by the SHA3/SHAKE functions via the FIPS layer Introduce SHAKE_Init consuming FIPS202 layer APIs
manastasova
changed the title
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #2101 +/- ##
=======================================
Coverage 78.95% 78.95%
=======================================
Files 610 610
Lines 105293 105302 +9
Branches 14911 14924 +13
=======================================
+ Hits 83129 83138 +9
- Misses 21511 21512 +1
+ Partials 653 652 -1 ☔ View full report in Codecov by Sentry. |
manastasova
force-pushed
the
sha3_only_rename
branch
from
29cc885 to
d3bba6b
Compare
| if (pad != SHA3_PAD_CHAR && | ||
| pad != SHAKE_PAD_CHAR) { | ||
| return 0; |
There was a problem hiding this comment.
Reading FIPS 202 section B.2 where it defines the sha and shake pad values, why are we using the q = 2 values? Should that be configurable in the future?
There was a problem hiding this comment.
The values for the padding are the same, however, they are 'interleaved' by 0's in case the message is shorter than the block. E.g. the pad for sha3 is 0x06 (added after the last byte of the input); the rest of the block size is set to zero, where the last byte of the block is set to 0x80. When the last byte (+1 byte) of the message (message of length block size - 1 bytes) and the last byte of the block coincide, the last byte becomes 0x06 ^ 0x80, which will be 0x86. When messages are shorter, more zero's are added in the middle of these values. However, the implementation covers all the cases using only the 0x06 and 0x1f pad, where all the rest is 0's and last block byte is 0x80.
| return SHA3_Init(ctx, SHAKE_PAD_CHAR, 0); | ||
| // FIPS202 APIs manage internal input/output buffer on top of Keccak1600 API layer | ||
| static void FIPS202_Reset(KECCAK1600_CTX *ctx) { | ||
| memset(ctx->A, 0, sizeof(ctx->A)); |
There was a problem hiding this comment.
Should this also zero out ctx->buf?
| memset(ctx->A, 0, sizeof(ctx->A)); | |
| OPENSSL_memset(ctx->A, 0, sizeof(ctx->A)); |
There was a problem hiding this comment.
The buf is only accessible through the buf_load value. So, even if it is not zero'ed, it should not be an issue. Once that data is placed into the buffer, the buf_load is assigned the number of bytes that are 'useful' and accessible. When buf_load is 0, there is no useful data in the buffer.
However, I can zero it.
Issues:
Resolves (some of) #CryptoAlg-2810
Description of changes:
AWS-LC supports SHA3 and SHAKE algorithms though low level SHA3_Init, SHA3_Update, SHA3_Final and SHAKE_init, SHAKE_Final APIs. Currently, there are two issues with the implementation and usage of SHA3 and SHAKE:
This PR introduces the APIs that need changes in the function parameter list. Particularly, SHA3_Init used a parameter |pad_char|, which was used for differentiating SHA3_Init from SHAKE_Init functions.
This PR introduces only the changes in the Init functions (FIPS202_Init, FIPS202_Reset, SHA3_Init, and SHAKE_Init):
Call-outs:
All SHA3_Init calls are updated:
Testing:
./crypto/crypto_test --gtest_filter="KeccakInternalTest.*"
./crypto/crypto_test --gtest_filter="SHA3Test.*"
./crypto/crypto_test --gtest_filter="SHAKETest.*"
./crypto/crypto_test --gtest_filter="All/PerKEMTest.*"
./crypto/crypto_test --gtest_filter="All/PQDSAParameterTest.*"
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.