Skip to content

SHAKE128 and SHAKE256#87099

Merged
vcsjones merged 23 commits intodotnet:mainfrom
vcsjones:xof
Jun 15, 2023
Merged

SHAKE128 and SHAKE256#87099
vcsjones merged 23 commits intodotnet:mainfrom
vcsjones:xof

Conversation

@vcsjones
Copy link
Member

@vcsjones vcsjones commented Jun 3, 2023

This implements SHAKE128 and SHAKE256.

Closes #20342

@ghost
Copy link

ghost commented Jun 3, 2023

Note regarding the new-api-needs-documentation label:

This serves as a reminder for when your PR is modifying a ref *.cs file and adding/modifying public APIs, please make sure the API implementation in the src *.cs file is documented with triple slash comments, so the PR reviewers can sign off that change.

@ghost ghost assigned vcsjones Jun 3, 2023
@ghost
Copy link

ghost commented Jun 3, 2023

Tagging subscribers to this area: @dotnet/area-system-security, @bartonjs, @vcsjones
See info in area-owners.md if you want to be subscribed.

Issue Details

This implements SHAKE128 and SHAKE256.

Closes #20342

Author: vcsjones
Assignees: -
Labels:

area-System.Security, new-api-needs-documentation
Milestone: -

@vcsjones vcsjones added this to the 8.0.0 milestone Jun 3, 2023
@vcsjones vcsjones requested a review from bartonjs June 3, 2023 17:27
@vcsjones
Copy link
Member Author

vcsjones commented Jun 3, 2023

/azp run runtime-extra-platforms

@azure-pipelines
Copy link

azure-pipelines bot commented Jun 3, 2023

Azure Pipelines successfully started running 1 pipeline(s).

This was referenced Jun 3, 2023
Closed
Closed
@vcsjones vcsjones marked this pull request as ready for review June 3, 2023 23:00
@vcsjones vcsjones added the cryptographic-docs-impact Issues impacting cryptographic docs. Cleared and reused after documentation is updated each release. label Jun 5, 2023
@jeffhandley jeffhandley requested a review from wfurt June 5, 2023 15:57
wfurt
wfurt approved these changes Jun 7, 2023
View reviewed changes
Copy link
Member

@wfurt wfurt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. seems like boilerplate from other algorithms for most part, right?

@vcsjones
Copy link
Member Author

vcsjones commented Jun 7, 2023

LGTM. seems like boilerplate from other algorithms for most part, right?

For the most part, yes. A lot of the hashing capabilities that were needed were already defined. The "new" things were mostly different OpenSSL APIs to deal with the final "XOF" part of the hash.

bartonjs
bartonjs approved these changes Jun 8, 2023
View reviewed changes
Copy link
Member

@bartonjs bartonjs left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Minor feedback, no blockers.

stephentoub
stephentoub reviewed Jun 8, 2023
View reviewed changes
src/native/libs/System.Security.Cryptography.Native/pal_evp.c Outdated
Comment on lines 187 to 193
int32_t ret = EVP_DigestUpdate(ctx, source, (size_t)sourceSize);

if (ret != SUCCESS)
{
CryptoNative_EvpMdCtxDestroy(ctx);
return 0;
}
Copy link
Member

@stephentoub stephentoub Jun 8, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

On failure does the managed caller try to use GetLastError to retrieve failure information? I'm wondering if the call to CryptoNative_EvpMdCtxDestroy will overwrite any error information from the EVP_DigestUpdate call.

Copy link
Member Author

@vcsjones vcsjones Jun 8, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OpenSSL does this a bit differently than Win32. It maintains an error queue. Successful functions don't set the last error to "no error", they just don't add anything to the queue. So EVP_DigestUpdate error is still on the queue, then when we check the return value for failed we use ERR_peek_last_error to grab the error, then ERR_clear_error to clear the queue out.

@vcsjones
Copy link
Member Author

vcsjones commented Jun 8, 2023

There are some... odd... but probably relevant failures on Mono Linux ARM64. Will dig in to that.

bartonjs
bartonjs reviewed Jun 8, 2023
View reviewed changes
@vcsjones
Copy link
Member Author

vcsjones commented Jun 9, 2023

Memory issue is a bug in OpenSSL when handling zero length digests from FinalXOF.

@bartonjs extremely grateful for you catching I didn't have a test for that initially.

openssl/openssl#9431

@bartonjs
Copy link
Member

bartonjs commented Jun 9, 2023

Looking at the new tests, I don't see one like

const int TestOutputSize = 23 // or whatever
someData = any non-empty dataset

shake.AppendData(someData);
byte[] save = shake.GetCurrentHash(TestOutputSize);
byte[] empty = shake.GetCurrentHash(0);
// Assert.Equal(0, empty.Length), if desired.

byte[] check = shake.GetCurrentHash(TestOutputSize);
Assert.Equal(save, check);

// Could do it again with shake.GetCurrentHash(empty), if desired

shake.GetHashAndReset(empty);;
shake.GetCurrentHash(check);
Assert.NotEqual(save, check);
Assert.Equal(TShake.HashData(ReadOnlySpan<byte>.Empty, TestOutputSize), check);

shake.AppendData(someData);
shake.GetCurrentHash(check);
Assert.Equal(save, check);

Where Assert.Equal is really hexified things, the AssertExtensions.SequenceEqual version, or a new crypto helper that does SequenceEqual, then on failure does an assert of the hex versions (at least I find the hex differences, and the context around them, easier to work with than both the built-in base10/ToString array version and the base10 diff report from the sequence equal one).

@vcsjones
Copy link
Member Author

vcsjones commented Jun 9, 2023

Looking at the new tests, I don't see one like

Added a test that shows GetHashAndReset resets even when asking for a zero-length hash.

@build-analysis build-analysis bot mentioned this pull request Jun 9, 2023
Closed
@vcsjones
Copy link
Member Author

vcsjones commented Jun 15, 2023

Timeouts are being tracked by #76454. Tests pass locally and have passed in previous runs. Merging (with 👍 from @jeffhandley)

@vcsjones vcsjones merged commit 6b3f763 into dotnet:main Jun 15, 2023
@vcsjones vcsjones deleted the xof branch June 15, 2023 16:49
@Neustradamus Neustradamus mentioned this pull request Jun 15, 2023
Merged
@Neustradamus
Copy link

Neustradamus commented Jun 15, 2023
edited
Loading

@vcsjones: Thanks a lot for your work!

Linked to:

@Neustradamus Neustradamus mentioned this pull request Jun 15, 2023
Closed
@ghost ghost locked as resolved and limited conversation to collaborators Jul 16, 2023
@bartonjs bartonjs removed the cryptographic-docs-impact Issues impacting cryptographic docs. Cleared and reused after documentation is updated each release. label Jul 31, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@stephentoub stephentoub stephentoub approved these changes

@bartonjs bartonjs bartonjs approved these changes

@wfurt wfurt wfurt approved these changes

Assignees

@vcsjones vcsjones

Labels

area-System.Security new-api-needs-documentation

Projects

None yet

Milestone

8.0.0

Development

Successfully merging this pull request may close these issues.

Add support for SHA3 (Keccak)

5 participants

@vcsjones @bartonjs @Neustradamus @stephentoub @wfurt