#
dc5afb7e |
| 04-Sep-2024 |
Ingo Franzki |
s390x: Fix s390x_shake_squeeze() when MSA 12 is available On the first squeeze call, when finishing the absorb process, also set the NIP flag, if we are still in XOF_STATE_INIT state. Wh
s390x: Fix s390x_shake_squeeze() when MSA 12 is available On the first squeeze call, when finishing the absorb process, also set the NIP flag, if we are still in XOF_STATE_INIT state. When MSA 12 is available, the state buffer A has not been zeroed during initialization, thus we must also pass the NIP flag here. This situation can happen when a squeeze is performed without a preceding absorb (i.e. a SHAKE of the empty message). Add a test that performs a squeeze without a preceding absorb and check if the result is correct. Fixes: https://github.com/openssl/openssl/commit/25f5d7b85f6657cd2f9f1ab7ae87f319d9bafe54 Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25388)
show more ...
|
#
c48e5687 |
| 25-Aug-2024 |
slontis |
XOF / EVP_MD_size() changes. Added the function EVP_MD_CTX_get_size_ex() which checks for XOF and does a ctx get rather than just returning EVP_MD_size(). SHAKE did not have a get_ct
XOF / EVP_MD_size() changes. Added the function EVP_MD_CTX_get_size_ex() which checks for XOF and does a ctx get rather than just returning EVP_MD_size(). SHAKE did not have a get_ctx_params() so that had to be added to return the xoflen. Added a helper function EVP_MD_xof() EVP_MD_CTX_size() was just an aliased macro for EVP_MD_size(), so to keep it the same I added an extra function. EVP_MD_size() always returns 0 for SHAKE now, since it caches the value of md_size at the time of an EVP_MD_fetch(). This is probably better than returning the incorrect initial value it was before e.g (16 for SHAKE128) and returning tht always instead of the set xoflen. Note BLAKE2B uses "size" instead of "xoflen" to do a similar thing. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25285)
show more ...
|
#
53664908 |
| 21-Jul-2023 |
slontis |
Add EVP_DigestSqueeze() API. Fixes #7894 This allows SHAKE to squeeze multiple times with different output sizes. The existing EVP_DigestFinalXOF() API has been left as a o
Add EVP_DigestSqueeze() API. Fixes #7894 This allows SHAKE to squeeze multiple times with different output sizes. The existing EVP_DigestFinalXOF() API has been left as a one shot operation. A similar interface is used by another toolkit. The low level SHA3_Squeeze() function needed to change slightly so that it can handle multiple squeezes. This involves changing the assembler code so that it passes a boolean to indicate whether the Keccak function should be called on entry. At the provider level, the squeeze is buffered, so that it only requests a multiple of the blocksize when SHA3_Squeeze() is called. On the first call the value is zero, on subsequent calls the value passed is 1. This PR is derived from the excellent work done by @nmathewson in https://github.com/openssl/openssl/pull/7921 Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/21511)
show more ...
|