Fix Haraka digest API compliance

peterdettman · peterdettman · commit fcccf296f677 · 2022-10-10T00:19:40.000+07:00
diff --git a/core/src/main/java/org/bouncycastle/pqc/crypto/sphincsplus/HarakaS256Digest.java b/core/src/main/java/org/bouncycastle/pqc/crypto/sphincsplus/HarakaS256Digest.java
@@ -22,15 +22,14 @@ public String getAlgorithmName()
         return "HarakaS-256";
     }
 
-    @Override
     public int getDigestSize()
     {
         return 32;
     }
 
     public void update(byte in)
     {
-        if (off + 1 > 32)
+        if (off > 32 - 1)
         {
             throw new IllegalArgumentException("total input cannot be more than 32 bytes");
         }
@@ -40,7 +39,7 @@ public void update(byte in)
 
     public void update(byte[] in, int inOff, int len)
     {
-        if (off + len > 32)
+        if (off > 32 - len)
         {
             throw new IllegalArgumentException("total input cannot be more than 32 bytes");
         }
@@ -51,9 +50,11 @@ public void update(byte[] in, int inOff, int len)
 
     public int doFinal(byte[] output, int outOff)
     {
-        byte[] s = new byte[64];
+        // TODO Check received all 32 bytes of input?
+
+        byte[] s = new byte[32];
         haraka256Perm(s);
-        System.arraycopy(s, 0, output, outOff, output.length - outOff);
+        xor(s, 0, buffer, 0, output, outOff, 32);
 
         reset();
         
diff --git a/core/src/main/java/org/bouncycastle/pqc/crypto/sphincsplus/HarakaS512Digest.java b/core/src/main/java/org/bouncycastle/pqc/crypto/sphincsplus/HarakaS512Digest.java
@@ -22,15 +22,14 @@ public String getAlgorithmName()
         return "HarakaS-512";
     }
 
-    @Override
     public int getDigestSize()
     {
-        return 64;
+        return 32;
     }
 
     public void update(byte in)
     {
-        if (off + 1 > 64)
+        if (off > 64 - 1)
         {
             throw new IllegalArgumentException("total input cannot be more than 64 bytes");
         }
@@ -39,27 +38,23 @@ public void update(byte in)
 
     public void update(byte[] in, int inOff, int len)
     {
-        if (off + len > 64)
+        if (off > 64 - len)
         {
             throw new IllegalArgumentException("total input cannot be more than 64 bytes");
         }
         System.arraycopy(in, inOff, buffer, off, len);
         off += len;
     }
 
-
     public int doFinal(byte[] out, int outOff)
     {
+        // TODO Check received all 64 bytes of input?
+
         byte[] s = new byte[64];
         haraka512Perm(s);
-        for (int i = 0; i < 64; ++i)
-        {
-            s[i] ^= buffer[i];
-        }
-        System.arraycopy(s, 8, out, outOff, 8);
-        System.arraycopy(s, 24, out, outOff + 8, 8);
-        System.arraycopy(s, 32, out, outOff + 16, 8);
-        System.arraycopy(s, 48, out, outOff + 24, 8);
+        xor(s,  8, buffer,  8, out, outOff     ,  8);
+        xor(s, 24, buffer, 24, out, outOff +  8, 16);
+        xor(s, 48, buffer, 48, out, outOff + 24,  8);
 
         reset();
 
diff --git a/core/src/main/java/org/bouncycastle/pqc/crypto/sphincsplus/HarakaSBase.java b/core/src/main/java/org/bouncycastle/pqc/crypto/sphincsplus/HarakaSBase.java
@@ -162,11 +162,6 @@ protected void haraka256Perm(byte[] output)
             brEnc32Le(output, q[i << 1], i << 2);
             brEnc32Le(output, q[(i << 1) + 1], (i << 2) + 16);
         }
-
-        for (i = 0; i < 32; i++)
-        {
-            output[i] ^= buffer[i];
-        }
     }
 
     private void brEnc32Le(byte[] dst, int x, int startPos)
@@ -787,4 +782,12 @@ private void brAesCt64InterleaveOut(int[] w, long[] q, int pos)
         w[pos + 2] = (int)(x2 | (x2 >>> 16));
         w[pos + 3] = (int)(x3 | (x3 >>> 16));
     }
+
+    protected static void xor(byte[] x, int xOff, byte[] y, int yOff, byte[] z, int zOff, int zLen)
+    {
+        for (int i = 0; i < zLen; i++)
+        {
+            z[zOff + i] = (byte)(x[xOff + i] ^ y[yOff + i]);
+        }
+    }
 }
diff --git a/core/src/main/java/org/bouncycastle/pqc/crypto/sphincsplus/SPHINCSPlusEngine.java b/core/src/main/java/org/bouncycastle/pqc/crypto/sphincsplus/SPHINCSPlusEngine.java
@@ -534,25 +534,25 @@ void init(byte[] pkSeed)
 
         public byte[] F(byte[] pkSeed, ADRS adrs, byte[] m1)
         {
-            byte[] rv = new byte[64];
+            byte[] hash = new byte[32];
             harakaS512Digest.update(adrs.value, 0, adrs.value.length);
             if (robust)
             {
-                byte[] mask = new byte[m1.length];
                 harakaS256Digest.update(adrs.value, 0, adrs.value.length);
-                harakaS256Digest.doFinal(mask, 0);
+                harakaS256Digest.doFinal(hash, 0);
                 for (int i = 0; i < m1.length; ++i)
                 {
-                    mask[i] ^= m1[i];
+                    hash[i] ^= m1[i];
                 }
-                harakaS512Digest.update(mask, 0, mask.length);
+                harakaS512Digest.update(hash, 0, m1.length);
             }
             else
             {
                 harakaS512Digest.update(m1, 0, m1.length);
             }
-            harakaS512Digest.doFinal(rv, 0);
-            return Arrays.copyOf(rv, N);
+            // NOTE The digest implementation implicitly pads the input with zeros up to 64 length
+            harakaS512Digest.doFinal(hash, 0);
+            return Arrays.copyOf(hash, N);
         }
 
         public byte[] H(byte[] pkSeed, ADRS adrs, byte[] m1, byte[] m2)

Original file line number	Diff line number	Diff line change
`@@ -22,15 +22,14 @@ public String getAlgorithmName()`
`22`	`22`	`return "HarakaS-256";`
`23`	`23`	`}`
`24`	`24`
`25`		`- @Override`
`26`	`25`	`public int getDigestSize()`
`27`	`26`	`{`
`28`	`27`	`return 32;`
`29`	`28`	`}`
`30`	`29`
`31`	`30`	`public void update(byte in)`
`32`	`31`	`{`
`33`		`- if (off + 1 > 32)`
	`32`	`+ if (off > 32 - 1)`
`34`	`33`	`{`
`35`	`34`	`throw new IllegalArgumentException("total input cannot be more than 32 bytes");`
`36`	`35`	`}`
`@@ -40,7 +39,7 @@ public void update(byte in)`
`40`	`39`
`41`	`40`	`public void update(byte[] in, int inOff, int len)`
`42`	`41`	`{`
`43`		`- if (off + len > 32)`
	`42`	`+ if (off > 32 - len)`
`44`	`43`	`{`
`45`	`44`	`throw new IllegalArgumentException("total input cannot be more than 32 bytes");`
`46`	`45`	`}`
`@@ -51,9 +50,11 @@ public void update(byte[] in, int inOff, int len)`
`51`	`50`
`52`	`51`	`public int doFinal(byte[] output, int outOff)`
`53`	`52`	`{`
`54`		`- byte[] s = new byte[64];`
	`53`	`+ // TODO Check received all 32 bytes of input?`
	`54`	`+`
	`55`	`+ byte[] s = new byte[32];`
`55`	`56`	`haraka256Perm(s);`
`56`		`- System.arraycopy(s, 0, output, outOff, output.length - outOff);`
	`57`	`+ xor(s, 0, buffer, 0, output, outOff, 32);`
`57`	`58`
`58`	`59`	`reset();`
`59`	`60`
Original file line number	Diff line number	Diff line change
`@@ -162,11 +162,6 @@ protected void haraka256Perm(byte[] output)`
`162`	`162`	`brEnc32Le(output, q[i << 1], i << 2);`
`163`	`163`	`brEnc32Le(output, q[(i << 1) + 1], (i << 2) + 16);`
`164`	`164`	`}`
`165`		`-`
`166`		`- for (i = 0; i < 32; i++)`
`167`		`- {`
`168`		`- output[i] ^= buffer[i];`
`169`		`- }`
`170`	`165`	`}`
`171`	`166`
`172`	`167`	`private void brEnc32Le(byte[] dst, int x, int startPos)`
`@@ -787,4 +782,12 @@ private void brAesCt64InterleaveOut(int[] w, long[] q, int pos)`
`787`	`782`	`w[pos + 2] = (int)(x2 \| (x2 >>> 16));`
`788`	`783`	`w[pos + 3] = (int)(x3 \| (x3 >>> 16));`
`789`	`784`	`}`
	`785`	`+`
	`786`	`+ protected static void xor(byte[] x, int xOff, byte[] y, int yOff, byte[] z, int zOff, int zLen)`
	`787`	`+ {`
	`788`	`+ for (int i = 0; i < zLen; i++)`
	`789`	`+ {`
	`790`	`+ z[zOff + i] = (byte)(x[xOff + i] ^ y[yOff + i]);`
	`791`	`+ }`
	`792`	`+ }`
`790`	`793`	`}`
Original file line number	Diff line number	Diff line change
`@@ -534,25 +534,25 @@ void init(byte[] pkSeed)`
`534`	`534`
`535`	`535`	`public byte[] F(byte[] pkSeed, ADRS adrs, byte[] m1)`
`536`	`536`	`{`
`537`		`- byte[] rv = new byte[64];`
	`537`	`+ byte[] hash = new byte[32];`
`538`	`538`	`harakaS512Digest.update(adrs.value, 0, adrs.value.length);`
`539`	`539`	`if (robust)`
`540`	`540`	`{`
`541`		`- byte[] mask = new byte[m1.length];`
`542`	`541`	`harakaS256Digest.update(adrs.value, 0, adrs.value.length);`
`543`		`- harakaS256Digest.doFinal(mask, 0);`
	`542`	`+ harakaS256Digest.doFinal(hash, 0);`
`544`	`543`	`for (int i = 0; i < m1.length; ++i)`
`545`	`544`	`{`
`546`		`- mask[i] ^= m1[i];`
	`545`	`+ hash[i] ^= m1[i];`
`547`	`546`	`}`
`548`		`- harakaS512Digest.update(mask, 0, mask.length);`
	`547`	`+ harakaS512Digest.update(hash, 0, m1.length);`
`549`	`548`	`}`
`550`	`549`	`else`
`551`	`550`	`{`
`552`	`551`	`harakaS512Digest.update(m1, 0, m1.length);`
`553`	`552`	`}`
`554`		`- harakaS512Digest.doFinal(rv, 0);`
`555`		`- return Arrays.copyOf(rv, N);`
	`553`	`+ // NOTE The digest implementation implicitly pads the input with zeros up to 64 length`
	`554`	`+ harakaS512Digest.doFinal(hash, 0);`
	`555`	`+ return Arrays.copyOf(hash, N);`
`556`	`556`	`}`
`557`	`557`
`558`	`558`	`public byte[] H(byte[] pkSeed, ADRS adrs, byte[] m1, byte[] m2)`