Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SHAKE128 and SHAKE256 #87099

Merged
merged 23 commits into from Jun 15, 2023
Merged

SHAKE128 and SHAKE256 #87099

merged 23 commits into from Jun 15, 2023

Conversation

vcsjones
Copy link
Member

@vcsjones vcsjones commented Jun 3, 2023

This implements SHAKE128 and SHAKE256.

Closes #20342

@dotnet-issue-labeler
Copy link

Note regarding the new-api-needs-documentation label:

This serves as a reminder for when your PR is modifying a ref *.cs file and adding/modifying public APIs, please make sure the API implementation in the src *.cs file is documented with triple slash comments, so the PR reviewers can sign off that change.

@ghost ghost assigned vcsjones Jun 3, 2023
@ghost
Copy link

ghost commented Jun 3, 2023

Tagging subscribers to this area: @dotnet/area-system-security, @bartonjs, @vcsjones
See info in area-owners.md if you want to be subscribed.

Issue Details

This implements SHAKE128 and SHAKE256.

Closes #20342

Author: vcsjones
Assignees: -
Labels:

area-System.Security, new-api-needs-documentation
Milestone: -

@vcsjones vcsjones added this to the 8.0.0 milestone Jun 3, 2023
@vcsjones vcsjones requested a review from bartonjs June 3, 2023 17:27
@vcsjones
Copy link
Member Author

vcsjones commented Jun 3, 2023

/azp run runtime-extra-platforms

@azure-pipelines
Copy link

Azure Pipelines successfully started running 1 pipeline(s).

This was referenced Jun 3, 2023
Closed
Open
@vcsjones vcsjones marked this pull request as ready for review June 3, 2023 23:00
@vcsjones vcsjones added the cryptographic-docs-impact Issues impacting cryptographic docs. Cleared and reused after documentation is updated each release. label Jun 5, 2023
@jeffhandley jeffhandley requested a review from wfurt June 5, 2023 15:57
wfurt
wfurt approved these changes Jun 7, 2023
View reviewed changes
Copy link
Member

@wfurt wfurt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. seems like boilerplate from other algorithms for most part, right?

@vcsjones
Copy link
Member Author

vcsjones commented Jun 7, 2023

LGTM. seems like boilerplate from other algorithms for most part, right?

For the most part, yes. A lot of the hashing capabilities that were needed were already defined. The "new" things were mostly different OpenSSL APIs to deal with the final "XOF" part of the hash.

bartonjs
bartonjs approved these changes Jun 8, 2023
View reviewed changes
Copy link
Member

@bartonjs bartonjs left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Minor feedback, no blockers.

src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/LiteHash.Windows.cs Outdated Show resolved Hide resolved
src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/Shake256.cs Show resolved Hide resolved
src/libraries/System.Security.Cryptography/tests/Shake128Tests.cs Show resolved Hide resolved
src/libraries/System.Security.Cryptography/tests/Shake128Tests.cs Show resolved Hide resolved
src/libraries/System.Security.Cryptography/tests/ShakeTestDriver.cs Outdated Show resolved Hide resolved
src/libraries/System.Security.Cryptography/tests/ShakeTestDriver.cs Show resolved Hide resolved
src/native/libs/System.Security.Cryptography.Native/pal_evp.c Show resolved Hide resolved
stephentoub
stephentoub reviewed Jun 8, 2023
View reviewed changes
src/native/libs/System.Security.Cryptography.Native/pal_evp.c Outdated
Comment on lines 187 to 193
int32_t ret = EVP_DigestUpdate(ctx, source, (size_t)sourceSize);

if (ret != SUCCESS)
{
CryptoNative_EvpMdCtxDestroy(ctx);
return 0;
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

On failure does the managed caller try to use GetLastError to retrieve failure information? I'm wondering if the call to CryptoNative_EvpMdCtxDestroy will overwrite any error information from the EVP_DigestUpdate call.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OpenSSL does this a bit differently than Win32. It maintains an error queue. Successful functions don't set the last error to "no error", they just don't add anything to the queue. So EVP_DigestUpdate error is still on the queue, then when we check the return value for failed we use ERR_peek_last_error to grab the error, then ERR_clear_error to clear the queue out.

@vcsjones
Copy link
Member Author

vcsjones commented Jun 8, 2023

There are some... odd... but probably relevant failures on Mono Linux ARM64. Will dig in to that.

@vcsjones
Copy link
Member Author

vcsjones commented Jun 9, 2023

Memory issue is a bug in OpenSSL when handling zero length digests from FinalXOF.

@bartonjs extremely grateful for you catching I didn't have a test for that initially.

openssl/openssl#9431

@bartonjs
Copy link
Member

bartonjs commented Jun 9, 2023

Looking at the new tests, I don't see one like

const int TestOutputSize = 23 // or whatever
someData = any non-empty dataset

shake.AppendData(someData);
byte[] save = shake.GetCurrentHash(TestOutputSize);
byte[] empty = shake.GetCurrentHash(0);
// Assert.Equal(0, empty.Length), if desired.

byte[] check = shake.GetCurrentHash(TestOutputSize);
Assert.Equal(save, check);

// Could do it again with shake.GetCurrentHash(empty), if desired

shake.GetHashAndReset(empty);;
shake.GetCurrentHash(check);
Assert.NotEqual(save, check);
Assert.Equal(TShake.HashData(ReadOnlySpan<byte>.Empty, TestOutputSize), check);

shake.AppendData(someData);
shake.GetCurrentHash(check);
Assert.Equal(save, check);

Where Assert.Equal is really hexified things, the AssertExtensions.SequenceEqual version, or a new crypto helper that does SequenceEqual, then on failure does an assert of the hex versions (at least I find the hex differences, and the context around them, easier to work with than both the built-in base10/ToString array version and the base10 diff report from the sequence equal one).

@vcsjones
Copy link
Member Author

vcsjones commented Jun 9, 2023

Looking at the new tests, I don't see one like

Added a test that shows GetHashAndReset resets even when asking for a zero-length hash.

@build-analysis build-analysis bot mentioned this pull request Jun 9, 2023
Closed
@vcsjones
Copy link
Member Author

Timeouts are being tracked by #76454. Tests pass locally and have passed in previous runs. Merging (with 👍 from @jeffhandley)

@vcsjones vcsjones merged commit 6b3f763 into dotnet:main Jun 15, 2023
111 of 115 checks passed
@vcsjones vcsjones deleted the xof branch June 15, 2023 16:49
@Neustradamus Neustradamus mentioned this pull request Jun 15, 2023
Merged
@Neustradamus
Copy link

Neustradamus commented Jun 15, 2023
edited

@vcsjones: Thanks a lot for your work!

Linked to:

@Neustradamus Neustradamus mentioned this pull request Jun 15, 2023
Closed
@dotnet dotnet locked as resolved and limited conversation to collaborators Jul 16, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@stephentoub stephentoub stephentoub approved these changes

@bartonjs bartonjs bartonjs approved these changes

@wfurt wfurt wfurt approved these changes

Assignees

@vcsjones vcsjones

Labels
area-System.Security cryptographic-docs-impact Issues impacting cryptographic docs. Cleared and reused after documentation is updated each release. new-api-needs-documentation
Projects
None yet
Milestone
8.0.0
Development

Successfully merging this pull request may close these issues.

Add support for SHA3 (Keccak)
5 participants
@vcsjones @bartonjs @Neustradamus @stephentoub @wfurt