openssl/crypto/sha/sha3.c
Patrick Steuer a890ef833d Directly return from final sha3/keccak_final if no bytes are requested
Requesting zero bytes from shake previously led to out-of-bounds write
on some platforms.

Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9433)
2019-08-18 21:06:03 +02:00

110 lines
2.6 KiB
C

/*
* Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
#include <string.h>
#include "internal/sha3.h"
void SHA3_squeeze(uint64_t A[5][5], unsigned char *out, size_t len, size_t r);
void sha3_reset(KECCAK1600_CTX *ctx)
{
memset(ctx->A, 0, sizeof(ctx->A));
ctx->bufsz = 0;
}
int sha3_init(KECCAK1600_CTX *ctx, unsigned char pad, size_t bitlen)
{
size_t bsz = SHA3_BLOCKSIZE(bitlen);
if (bsz <= sizeof(ctx->buf)) {
sha3_reset(ctx);
ctx->block_size = bsz;
ctx->md_size = bitlen / 8;
ctx->pad = pad;
return 1;
}
return 0;
}
int keccak_kmac_init(KECCAK1600_CTX *ctx, unsigned char pad, size_t bitlen)
{
int ret = sha3_init(ctx, pad, bitlen);
if (ret)
ctx->md_size *= 2;
return ret;
}
int sha3_update(KECCAK1600_CTX *ctx, const void *_inp, size_t len)
{
const unsigned char *inp = _inp;
size_t bsz = ctx->block_size;
size_t num, rem;
if (len == 0)
return 1;
if ((num = ctx->bufsz) != 0) { /* process intermediate buffer? */
rem = bsz - num;
if (len < rem) {
memcpy(ctx->buf + num, inp, len);
ctx->bufsz += len;
return 1;
}
/*
* We have enough data to fill or overflow the intermediate
* buffer. So we append |rem| bytes and process the block,
* leaving the rest for later processing...
*/
memcpy(ctx->buf + num, inp, rem);
inp += rem, len -= rem;
(void)SHA3_absorb(ctx->A, ctx->buf, bsz, bsz);
ctx->bufsz = 0;
/* ctx->buf is processed, ctx->num is guaranteed to be zero */
}
if (len >= bsz)
rem = SHA3_absorb(ctx->A, inp, len, bsz);
else
rem = len;
if (rem) {
memcpy(ctx->buf, inp + len - rem, rem);
ctx->bufsz = rem;
}
return 1;
}
int sha3_final(unsigned char *md, KECCAK1600_CTX *ctx)
{
size_t bsz = ctx->block_size;
size_t num = ctx->bufsz;
if (ctx->md_size == 0)
return 1;
/*
* Pad the data with 10*1. Note that |num| can be |bsz - 1|
* in which case both byte operations below are performed on
* same byte...
*/
memset(ctx->buf + num, 0, bsz - num);
ctx->buf[num] = ctx->pad;
ctx->buf[bsz - 1] |= 0x80;
(void)SHA3_absorb(ctx->A, ctx->buf, bsz, bsz);
SHA3_squeeze(ctx->A, md, ctx->md_size, bsz);
return 1;
}