lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <2952535.lGaqSPkdTl@graviton.chronox.de>
Date: Fri, 19 Sep 2025 04:42:29 +0200
From: Stephan MĂĽller <smueller@...onox.de>
To: Eric Biggers <ebiggers@...nel.org>, David Howells <dhowells@...hat.com>
Cc: dhowells@...hat.com, "Jason A. Donenfeld" <Jason@...c4.com>,
 Ard Biesheuvel <ardb@...nel.org>, Herbert Xu <herbert@...dor.apana.org.au>,
 linux-crypto@...r.kernel.org, keyrings@...r.kernel.org,
 linux-kernel@...r.kernel.org
Subject: Re: [PATCH] lib/crypto: Add SHA3-224, SHA3-256, SHA3-384, SHA-512,
 SHAKE128, SHAKE256

Am Freitag, 19. September 2025, 00:07:28 Mitteleuropäische Sommerzeit schrieb 
David Howells:

Hi David,

as you mentioned that this patch as a basis for ML-DSA then may I outline the 
following: the ML-DSA code requires a multi-staged squeeze operation. For 
example:

squeeze(state, 10 bytes);
squeeze(state, 10 bytes);

must be identical to

squeeze(state, 20 bytes);

With this in mind, may I highlight that potentially the following code does 
not support this notion:

> +/**
> + * sha3_final() - Finish computing a SHA3 message digest of any type
> + * @ctx: the context to finalize; must have been initialized
> + * @out: (output) the resulting message digest
> + *
> + * Finish the computation of a SHA3 message digest of any type and perform
> the + * "Keccak sponge squeezing" phase.  The digest is written to @out
> buffer and + * the size of the digest is returned.  Before returning, the
> context @ctx is + * cleared so that the caller does not need to do it.
> + */
> +int sha3_final(struct sha3_ctx *ctx, u8 *out)
> +{
> +	struct sha3_state *state = &ctx->state;
> +	unsigned int digest_size = ctx->digest_size;
> +	unsigned int bsize = ctx->block_size;
> +	u8 end_marker = 0x80;
> +
> +	sha3_absorb_xorle(ctx, &ctx->padding, 1);
> +	ctx->partial = bsize - 1;
> +	sha3_absorb_xorle(ctx, &end_marker, 1);
> +	sha3_keccakf(ctx->state.st);

This logic above should only be invoked for the first squeeze operation.

May I suggest you consider the code at:

https://github.com/smuellerDD/leancrypto/blob/master/hash/src/sha3_c.c#L625

> +
> +#ifdef __LITTLE_ENDIAN
> +	for (;;) {
> +		unsigned int part = umin(digest_size, bsize);
> +
> +		memcpy(out, state->st, part);
> +		digest_size -= part;
> +		if (!digest_size)
> +			goto done;
> +		out += part;
> +		sha3_keccakf(ctx->state.st);
> +	}

This loop needs to honor a starting offset in case the previous call only 
requested a subset of the rate.

May I suggest to consider the code at:

https://github.com/smuellerDD/leancrypto/blob/master/hash/src/sha3_c.c#L643


> +#else
> +	__le64 *digest = (__le64 *)out, *s;
> +
> +	while (digest_size >= bsize) {
> +		for (int i = 0; i < bsize / 8; i++)
> +			put_unaligned_le64(state->st[i], digest++);
> +		digest_size -= bsize;
> +		if (!digest_size)
> +			goto done;
> +		sha3_keccakf(ctx->state.st);
> +	}
> +
> +	s = state->st;
> +	for (; digest_size >= 8; digest_size -= 8)
> +		put_unaligned_le64(*s++, digest++);
> +
> +	u8 *sc = (u8 *)s;
> +	u8 *dc = (u8 *)digest;
> +
> +	for (; digest_size >= 1; digest_size -= 1)
> +		*dc++ = *sc++;
> +#endif
> +done:
> +	digest_size = ctx->digest_size;
> +	memzero_explicit(ctx, sizeof(*ctx));

For a multi-stage squeeze, it is perhaps not helpful to zeroize the context 
here.

Ciao
Stephan

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ