Implement SHAKE in sha3.c

drivers/builtin/include/mbedtls/private/crypto_adjust_config_tweak_builtins.h

@@ -30,11 +30,36 @@
  */
 #define MBEDTLS_USE_PSA_CRYPTO
 
-/* Whether any Keccak variant is enabled, i.e. the bulk of sha3.c. */
+/* Whether any hash based on sha3 is enabled in psa_crypto_hash.c. */
 #if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_224) || \
     defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_256) || \
     defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_384) || \
     defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_512)
+#define MBEDTLS_PSA_BUILTIN_ALG_SHA3_SOME_HASH
+#endif
+
+/* If a SHAKE variant is enabled in psa_crypto_xof.c, tell sha3.c that we
+ * want it.
+ *
+ * Note that the PSA API (following NIST standards) defines hash algorithms
+ * that are SHAKE128 or SHAKE256 with a specific output lengths. From the
+ * perspective of sha3.c, these are just users of SHAKE128/SHAKE256, but
+ * from the perspective of psa_crypto_hash.c and psa_crypto_xof.c,
+ * they are hashes and not XOF. So, for example, if the SHAKE256/512 hash
+ * algorithm is enabled in the PSA API (for Ed448ph) but the SHAKE256 XOF
+ * algorithm is disabled, then MBEDTLS_PSA_BUILTIN_ALG_SHAKE256 will be
+ * disabled but we'll still need to enable MBEDTLS_SHA3_WANT_SHAKE256.
+ */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHAKE128)
+#define MBEDTLS_SHA3_WANT_SHAKE128
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHAKE256)
+#define MBEDTLS_SHA3_WANT_SHAKE256
+#endif
+
+/* Whether any Keccak variant is enabled, i.e. the bulk of sha3.c. */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_SOME_HASH) || \
+    defined(MBEDTLS_SHA3_WANT_SHAKE128) || defined(MBEDTLS_SHA3_WANT_SHAKE256)
 #define MBEDTLS_SHA3_C
 #endif
 

drivers/builtin/include/mbedtls/private/crypto_builtin_primitives.h

@@ -72,10 +72,7 @@ typedef struct {
         defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_384)
         mbedtls_sha512_context sha512;
 #endif
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_224) || \
-        defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_256) || \
-        defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_384) || \
-        defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_512)
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_SOME_HASH)
         mbedtls_sha3_context sha3;
 #endif
     } MBEDTLS_PRIVATE(ctx);

drivers/builtin/include/mbedtls/private/sha3.h

@@ -1,7 +1,7 @@
 /**
  * \file sha3.h
  *
- * \brief This file contains SHA-3 definitions and functions.
+ * \brief This file contains SHA-3 and SHAKE definitions and functions.
  *
  * The Secure Hash Algorithms cryptographic
  * hash functions are defined in <em>FIPS 202: SHA-3 Standard:
@@ -30,7 +30,7 @@ extern "C" {
 
 #if defined(MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS)
 /**
- * SHA-3 family id.
+ * SHA-3 or SHAKE family id.
  *
  * It identifies the family (SHA3-256, SHA3-512, etc.)
  */
@@ -41,6 +41,8 @@ typedef enum {
     MBEDTLS_SHA3_256, /*!< SHA3-256 */
     MBEDTLS_SHA3_384, /*!< SHA3-384 */
     MBEDTLS_SHA3_512, /*!< SHA3-512 */
+    MBEDTLS_SHA3_SHAKE128, /*!< SHA3-SHAKE128 */
+    MBEDTLS_SHA3_SHAKE256, /*!< SHA3-SHAKE256 */
 } mbedtls_sha3_id;
 #endif /* MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS */
 
@@ -54,19 +56,20 @@ typedef struct {
     uint32_t MBEDTLS_PRIVATE(index);
     uint16_t MBEDTLS_PRIVATE(olen);
     uint16_t MBEDTLS_PRIVATE(max_block_size);
+    uint8_t MBEDTLS_PRIVATE(finished);
 }
 mbedtls_sha3_context;
 
 #if defined(MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS)
 /**
- * \brief          This function initializes a SHA-3 context.
+ * \brief          This function initializes a SHA-3 or SHAKE context.
  *
  * \param ctx      The SHA-3 context to initialize. This must not be \c NULL.
  */
 void mbedtls_sha3_init(mbedtls_sha3_context *ctx);
 
 /**
- * \brief          This function clears a SHA-3 context.
+ * \brief          This function clears a SHA-3 or SHAKE context.
  *
  * \param ctx      The SHA-3 context to clear. This may be \c NULL, in which
  *                 case this function returns immediately. If it is not \c NULL,
@@ -75,7 +78,7 @@ void mbedtls_sha3_init(mbedtls_sha3_context *ctx);
 void mbedtls_sha3_free(mbedtls_sha3_context *ctx);
 
 /**
- * \brief          This function clones the state of a SHA-3 context.
+ * \brief          This function clones the state of a SHA-3 or SHAKE context.
  *
  * \param dst      The destination context. This must be initialized.
  * \param src      The context to clone. This must be initialized.
@@ -84,11 +87,11 @@ void mbedtls_sha3_clone(mbedtls_sha3_context *dst,
                         const mbedtls_sha3_context *src);
 
 /**
- * \brief          This function starts a SHA-3 checksum
+ * \brief          This function starts a SHA-3 checksum or SHAKE XOF
  *                 calculation.
  *
  * \param ctx      The context to use. This must be initialized.
- * \param id       The id of the SHA-3 family.
+ * \param id       The id of the SHA-3 or SHAKE family.
  *
  * \return         \c 0 on success.
  * \return         A negative error code on failure.
@@ -97,7 +100,7 @@ int mbedtls_sha3_starts(mbedtls_sha3_context *ctx, mbedtls_sha3_id id);
 
 /**
  * \brief          This function feeds an input buffer into an ongoing
- *                 SHA-3 checksum calculation.
+ *                 SHA-3 or SHAKE calculation.
  *
  * \param ctx      The SHA-3 context. This must be initialized
  *                 and have a hash operation started.
@@ -116,13 +119,21 @@ int mbedtls_sha3_update(mbedtls_sha3_context *ctx,
  * \brief          This function finishes the SHA-3 operation, and writes
  *                 the result to the output buffer.
  *
+ *                 In a SHA-3 calculation, this function must be called
+ *                 exactly once, and \p olen must be the length of the
+ *                 hash variant chosen in mbedtls_sha3_starts().
+ *                 In a SHAKE calculation, this function may be called
+ *                 any number of times to obtain successive chunks of
+ *                 the XOF output.
+ *
  * \param ctx      The SHA-3 context. This must be initialized
  *                 and have a hash operation started.
  * \param output   The SHA-3 checksum result.
  *                 This must be a writable buffer of length \c olen bytes.
  * \param olen     Defines the length of output buffer (in bytes). For SHA-3 224, SHA-3 256,
  *                 SHA-3 384 and SHA-3 512 \c olen must equal to 28, 32, 48 and 64,
  *                 respectively.
+ *                 For SHAKE128 and SHAKE256 it can be an arbitrary number.
  *
  * \return         \c 0 on success.
  * \return         A negative error code on failure.
@@ -131,8 +142,8 @@ int mbedtls_sha3_finish(mbedtls_sha3_context *ctx,
                         uint8_t *output, size_t olen);
 
 /**
- * \brief          This function calculates the SHA-3
- *                 checksum of a buffer.
+ * \brief          This function calculates the SHA-3 checksum
+ *                 or XOF output of a buffer.
  *
  *                 The function allocates the context, performs the
  *                 calculation, and frees the context.
@@ -149,6 +160,7 @@ int mbedtls_sha3_finish(mbedtls_sha3_context *ctx,
  * \param olen     Defines the length of output buffer (in bytes). For SHA-3 224, SHA-3 256,
  *                 SHA-3 384 and SHA-3 512 \c olen must equal to 28, 32, 48 and 64,
  *                 respectively.
+ *                 For SHAKE128 and SHAKE256 it can be an arbitrary number.
  *
  * \return         \c 0 on success.
  * \return         A negative error code on failure.

drivers/builtin/src/psa_crypto_hash.c

@@ -74,10 +74,7 @@ psa_status_t mbedtls_psa_hash_abort(
 #if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_512)
         case PSA_ALG_SHA3_512:
 #endif
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_224) || \
-            defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_256) || \
-            defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_384) || \
-            defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_512)
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_SOME_HASH)
             mbedtls_sha3_free(&operation->ctx.sha3);
             break;
 #endif
@@ -240,10 +237,7 @@ psa_status_t mbedtls_psa_hash_clone(
 #if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_512)
         case PSA_ALG_SHA3_512:
 #endif
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_224) || \
-            defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_256) || \
-            defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_384) || \
-            defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_512)
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_SOME_HASH)
             mbedtls_sha3_clone(&target_operation->ctx.sha3,
                                &source_operation->ctx.sha3);
             break;
@@ -320,10 +314,7 @@ psa_status_t mbedtls_psa_hash_update(
 #if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_512)
         case PSA_ALG_SHA3_512:
 #endif
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_224) || \
-    defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_256) || \
-    defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_384) || \
-    defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_512)
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_SOME_HASH)
     ret = mbedtls_sha3_update(&operation->ctx.sha3,
                               input, input_length);
     break;
@@ -410,10 +401,7 @@ psa_status_t mbedtls_psa_hash_finish(
 #if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_512)
         case PSA_ALG_SHA3_512:
 #endif
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_224) || \
-    defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_256) || \
-    defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_384) || \
-    defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_512)
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_SOME_HASH)
     ret = mbedtls_sha3_finish(&operation->ctx.sha3, hash, hash_size);
     break;
 #endif