Hash: lc_hash_set_digestsize returns error state

The function now checks whether the setting of the digest was successful.
This is of particular importance when having a hash where this API is defined,
but the setting will never change the digest size. This is now checked and
if identified the call returns an error.

This prevents accidental use of a hash in lieu of an XOF. Yet, it allows
using a hash when the set digest size is identical to the requested size.
Such scenario is used in ML-DSA where either a SHA3-512, SHA2-512 or SHAKE-256
is allowed to be used where the digest size is always 512 bits.

Signed-off-by: Stephan Mueller <smueller@chronox.de>

Author: smuellerDD

apps/tests/leancrypto_check_with_ietf.sh

@@ -117,7 +117,7 @@ doc_init() {
 
 doc_one() {
 	local oid=$1
-	local type=$2 #both, expandedkey, seed, priv
+	local type=$2 #cert, both, expandedkey, seed, priv
 	local res=$3 #Y, N
 
 	touch $statusfile
@@ -171,7 +171,7 @@ check_one() {
 	local certfile=$1
 	local certcheck_only=$2
 	local oid=$3
-	local type="priv"
+	local type="cert"
 
 	if [ ! -f "$certfile" ]
 	then

apps/tests/meson.build

@@ -316,7 +316,7 @@ if (host_machine.system() != 'windows' and
 			     lc_pkcs7_generator.full_path(),
 			     meson.project_source_root() + '/apps/tests/'
 			   ],
-		     timeout: 300, suite: regression,
+		     timeout: 1000, suite: regression,
 		     should_fail: fips140_negative_expect_fail)
 
 	endif

curve448/src/ed448.c

@@ -324,12 +324,17 @@ LC_INTERFACE_FUNCTION(int, lc_ed448_keypair, struct lc_ed448_pk *pk,
 	return lc_ed448_keypair_nocheck(pk, sk, rng_ctx);
 }
 
-static inline void lc_ed448_xof_final(struct lc_hash_ctx *xof_ctx,
-				      uint8_t *digest, size_t digest_len)
+static inline int lc_ed448_xof_final(struct lc_hash_ctx *xof_ctx,
+				     uint8_t *digest, size_t digest_len)
 {
-	lc_hash_set_digestsize(xof_ctx, digest_len);
+	int ret;
+
+	CKINT(lc_hash_set_digestsize(xof_ctx, digest_len));
 	lc_hash_final(xof_ctx, digest);
 	lc_hash_zero(xof_ctx);
+
+out:
+	return ret;
 }
 
 static int curveed448_hash_init_with_dom(struct lc_hash_ctx *hash_ctx,
@@ -420,7 +425,7 @@ curveed448_sign_internal(uint8_t signature[LC_ED448_SIGBYTES],
 	{
 		uint8_t nonce[2 * LC_ED448_SECRETKEYBYTES];
 
-		lc_ed448_xof_final(shake256_ctx, nonce, sizeof(nonce));
+		CKINT(lc_ed448_xof_final(shake256_ctx, nonce, sizeof(nonce)));
 		curve448_scalar_decode_long(nonce_scalar, nonce, sizeof(nonce));
 		lc_memset_secure(nonce, 0, sizeof(nonce));
 	}
@@ -462,7 +467,8 @@ curveed448_sign_internal(uint8_t signature[LC_ED448_SIGBYTES],
 		lc_hash_update(shake256_ctx, message, message_len);
 
 		uint8_t challenge[2 * LC_ED448_SECRETKEYBYTES];
-		lc_ed448_xof_final(shake256_ctx, challenge, sizeof(challenge));
+		CKINT(lc_ed448_xof_final(shake256_ctx, challenge,
+					 sizeof(challenge)));
 		curve448_scalar_decode_long(challenge_scalar, challenge,
 					    sizeof(challenge));
 		lc_memset_secure(challenge, 0, sizeof(challenge));
@@ -701,7 +707,7 @@ curveed448_verify(const uint8_t signature[LC_ED448_SIGBYTES],
 
 	lc_hash_update(shake256_ctx, message, message_len);
 
-	lc_ed448_xof_final(shake256_ctx, challenge, sizeof(challenge));
+	CKINT(lc_ed448_xof_final(shake256_ctx, challenge, sizeof(challenge)));
 	curve448_scalar_decode_long(challenge_scalar, challenge,
 				    sizeof(challenge));
 

drng/src/selftest_rng.c

@@ -18,6 +18,7 @@
  */
 
 #include "ext_headers_internal.h"
+#include "ret_checkers.h"
 #include "selftest_rng.h"
 
 /*
@@ -29,14 +30,16 @@ static int selftest_rng_gen(void *_state, const uint8_t *addtl_input,
 			    size_t addtl_input_len, uint8_t *out, size_t outlen)
 {
 	struct lc_hash_ctx *state = _state;
+	int ret;
 
 	(void)addtl_input;
 	(void)addtl_input_len;
 
-	lc_hash_set_digestsize(state, outlen);
+	CKINT(lc_hash_set_digestsize(state, outlen));
 	lc_hash_final(state, out);
 
-	return 0;
+out:
+	return ret;
 }
 
 static int selftest_rng_seed(void *_state, const uint8_t *seed, size_t seedlen,

drng/src/selftest_shake256_rng.c

@@ -30,14 +30,16 @@ static int selftest_rng_gen(void *_state, const uint8_t *addtl_input,
 			    size_t addtl_input_len, uint8_t *out, size_t outlen)
 {
 	struct lc_hash_ctx *state = _state;
+	int ret;
 
 	(void)addtl_input;
 	(void)addtl_input_len;
 
-	lc_hash_set_digestsize(state, outlen);
+	CKINT(lc_hash_set_digestsize(state, outlen));
 	lc_hash_final(state, out);
 
-	return 0;
+out:
+	return ret;
 }
 
 static int selftest_rng_seed(void *_state, const uint8_t *seed, size_t seedlen,

drng/src/xdrbg.c

@@ -55,11 +55,17 @@ static inline uint8_t lc_xdrbg_keysize(struct lc_xdrbg_drng_state *state)
 	}
 }
 
-static inline void lc_xdrbg_xof_final(struct lc_hash_ctx *xof_ctx,
-				      uint8_t *digest, size_t digest_len)
+static inline int lc_xdrbg_xof_final(struct lc_hash_ctx *xof_ctx,
+				     uint8_t *digest, size_t digest_len)
 {
-	lc_hash_set_digestsize(xof_ctx, digest_len);
+	int ret = lc_hash_set_digestsize(xof_ctx, digest_len);
+
+	if (ret)
+		return ret;
+
 	lc_hash_final(xof_ctx, digest);
+
+	return 0;
 }
 
 /* Maximum size of the input data to calculate the encode value */

drng/tests/xdrbg128_tester.c

@@ -89,7 +89,8 @@ static int xdrbg128_drng_selftest(struct lc_rng_ctx *xdrbg128_ctx)
 	lc_hash_update(xdrbg128_compare, seed, sizeof(seed));
 	encode = 0;
 	lc_hash_update(xdrbg128_compare, &encode, sizeof(encode));
-	lc_hash_set_digestsize(xdrbg128_compare, LC_XDRBG128_DRNG_KEYSIZE);
+	CKINT(lc_hash_set_digestsize(xdrbg128_compare,
+				     LC_XDRBG128_DRNG_KEYSIZE));
 	lc_hash_final(xdrbg128_compare, compare1);
 	unpoison(state->v, LC_XDRBG128_DRNG_KEYSIZE);
 	ret += lc_compare(compare1, state->v, LC_XDRBG128_DRNG_KEYSIZE,
@@ -102,7 +103,7 @@ static int xdrbg128_drng_selftest(struct lc_rng_ctx *xdrbg128_ctx)
 	lc_hash_update(xdrbg128_compare, compare1, LC_XDRBG128_DRNG_KEYSIZE);
 	encode = 2 * 85;
 	lc_hash_update(xdrbg128_compare, &encode, sizeof(encode));
-	lc_hash_set_digestsize(xdrbg128_compare, sizeof(compare1));
+	CKINT(lc_hash_set_digestsize(xdrbg128_compare, sizeof(compare1)));
 	lc_hash_final(xdrbg128_compare, compare1);
 	ret += lc_compare(compare1 + LC_XDRBG128_DRNG_KEYSIZE, exp1,
 			  sizeof(exp1), "Ascon DRNG verification");
@@ -152,7 +153,8 @@ static int xdrbg128_drng_selftest(struct lc_rng_ctx *xdrbg128_ctx)
 	lc_hash_update(xdrbg128_compare, &encode, sizeof(encode));
 
 	/* Verify: Now get the key for the next operation */
-	lc_hash_set_digestsize(xdrbg128_compare, LC_XDRBG128_DRNG_KEYSIZE);
+	CKINT(lc_hash_set_digestsize(xdrbg128_compare,
+				     LC_XDRBG128_DRNG_KEYSIZE));
 	lc_hash_final(xdrbg128_compare, compare1);
 
 	if (lc_hash_init(xdrbg128_compare))
@@ -167,8 +169,8 @@ static int xdrbg128_drng_selftest(struct lc_rng_ctx *xdrbg128_ctx)
 	lc_hash_update(xdrbg128_compare, &encode, sizeof(encode));
 
 	/* Verify: Generate operation of the DRBG: generate data */
-	lc_hash_set_digestsize(xdrbg128_compare,
-			       LC_XDRBG128_DRNG_KEYSIZE + sizeof(act2));
+	CKINT(lc_hash_set_digestsize(xdrbg128_compare,
+				     LC_XDRBG128_DRNG_KEYSIZE + sizeof(act2)));
 	lc_hash_final(xdrbg128_compare, compare1);
 	ret += lc_compare(compare1 + LC_XDRBG128_DRNG_KEYSIZE, exp84,
 			  sizeof(exp84),
@@ -178,6 +180,7 @@ static int xdrbg128_drng_selftest(struct lc_rng_ctx *xdrbg128_ctx)
 
 	lc_hash_zero(xdrbg128_compare);
 
+out:
 	return ret;
 }
 

drng/tests/xdrbg256_tester.c

@@ -99,7 +99,8 @@ static int xdrbg256_drng_selftest(struct lc_rng_ctx *xdrbg256_ctx)
 	lc_hash_update(xdrbg256_compare, seed, sizeof(seed));
 	encode = 0;
 	lc_hash_update(xdrbg256_compare, &encode, sizeof(encode));
-	lc_hash_set_digestsize(xdrbg256_compare, LC_XDRBG256_DRNG_KEYSIZE);
+	CKINT(lc_hash_set_digestsize(xdrbg256_compare,
+				     LC_XDRBG256_DRNG_KEYSIZE));
 	lc_hash_final(xdrbg256_compare, compare1);
 	unpoison(state->v, LC_XDRBG256_DRNG_KEYSIZE);
 	ret += lc_compare(compare1, state->v, LC_XDRBG256_DRNG_KEYSIZE,
@@ -115,10 +116,12 @@ static int xdrbg256_drng_selftest(struct lc_rng_ctx *xdrbg256_ctx)
 	encode = 2 * 85;
 	lc_hash_update(xdrbg256_compare, &encode, sizeof(encode));
 	/* First loop iteration: generate key */
-	lc_hash_set_digestsize(xdrbg256_compare, LC_XDRBG256_DRNG_KEYSIZE);
+	CKINT(lc_hash_set_digestsize(xdrbg256_compare,
+				     LC_XDRBG256_DRNG_KEYSIZE));
 	lc_hash_final(xdrbg256_compare, compare1);
 	/* First loop iteratipn: generate data */
-	lc_hash_set_digestsize(xdrbg256_compare, LC_XDRBG256_DRNG_MAX_CHUNK);
+	CKINT(lc_hash_set_digestsize(xdrbg256_compare,
+				     LC_XDRBG256_DRNG_MAX_CHUNK));
 	lc_hash_final(xdrbg256_compare, compare1 + LC_XDRBG256_DRNG_KEYSIZE);
 
 	/* 2nd loop round as output size is larger than chunk size */
@@ -128,12 +131,13 @@ static int xdrbg256_drng_selftest(struct lc_rng_ctx *xdrbg256_ctx)
 	encode = 2 * 85;
 	lc_hash_update(xdrbg256_compare, &encode, sizeof(encode));
 	/* Second loop iteratipn: generate key */
-	lc_hash_set_digestsize(xdrbg256_compare, LC_XDRBG256_DRNG_KEYSIZE);
+	CKINT(lc_hash_set_digestsize(xdrbg256_compare,
+				     LC_XDRBG256_DRNG_KEYSIZE));
 	lc_hash_final(xdrbg256_compare, compare1);
 	/* Second loop iteratipn: generate data */
-	lc_hash_set_digestsize(xdrbg256_compare,
-			       sizeof(compare1) - LC_XDRBG256_DRNG_MAX_CHUNK -
-				       LC_XDRBG256_DRNG_KEYSIZE);
+	CKINT(lc_hash_set_digestsize(
+		xdrbg256_compare, sizeof(compare1) - LC_XDRBG256_DRNG_MAX_CHUNK -
+				  LC_XDRBG256_DRNG_KEYSIZE));
 	lc_hash_final(xdrbg256_compare, compare1 + LC_XDRBG256_DRNG_MAX_CHUNK +
 						LC_XDRBG256_DRNG_KEYSIZE);
 
@@ -185,7 +189,8 @@ static int xdrbg256_drng_selftest(struct lc_rng_ctx *xdrbg256_ctx)
 	lc_hash_update(xdrbg256_compare, &encode, sizeof(encode));
 
 	/* Verify: Now get the key for the next operation */
-	lc_hash_set_digestsize(xdrbg256_compare, LC_XDRBG256_DRNG_KEYSIZE);
+	CKINT(lc_hash_set_digestsize(xdrbg256_compare,
+				     LC_XDRBG256_DRNG_KEYSIZE));
 	lc_hash_final(xdrbg256_compare, compare1);
 
 	if (lc_hash_init(xdrbg256_compare))
@@ -200,8 +205,8 @@ static int xdrbg256_drng_selftest(struct lc_rng_ctx *xdrbg256_ctx)
 	lc_hash_update(xdrbg256_compare, &encode, sizeof(encode));
 
 	/* Verify: Generate operation of the DRBG: generate data */
-	lc_hash_set_digestsize(xdrbg256_compare,
-			       LC_XDRBG256_DRNG_KEYSIZE + sizeof(act2));
+	CKINT(lc_hash_set_digestsize(xdrbg256_compare,
+				     LC_XDRBG256_DRNG_KEYSIZE + sizeof(act2)));
 	lc_hash_final(xdrbg256_compare, compare1);
 	ret += lc_compare(compare1 + LC_XDRBG256_DRNG_KEYSIZE, exp84,
 			  sizeof(exp84),
@@ -211,6 +216,7 @@ static int xdrbg256_drng_selftest(struct lc_rng_ctx *xdrbg256_ctx)
 
 	lc_hash_zero(xdrbg256_compare);
 
+out:
 	return ret;
 }
 

drng/tests/xdrbg512_tester.c

@@ -101,7 +101,8 @@ static int xdrbg512_drng_selftest(struct lc_rng_ctx *xdrbg512_ctx)
 	lc_hash_update(xdrbg512_compare, seed, sizeof(seed));
 	encode = 0;
 	lc_hash_update(xdrbg512_compare, &encode, sizeof(encode));
-	lc_hash_set_digestsize(xdrbg512_compare, LC_XDRBG512_DRNG_KEYSIZE);
+	CKINT(lc_hash_set_digestsize(xdrbg512_compare,
+				     LC_XDRBG512_DRNG_KEYSIZE));
 	lc_hash_final(xdrbg512_compare, compare1);
 	unpoison(state->v, LC_XDRBG512_DRNG_KEYSIZE);
 	ret += lc_compare(compare1, state->v, LC_XDRBG512_DRNG_KEYSIZE,
@@ -117,10 +118,12 @@ static int xdrbg512_drng_selftest(struct lc_rng_ctx *xdrbg512_ctx)
 	encode = 2 * 85;
 	lc_hash_update(xdrbg512_compare, &encode, sizeof(encode));
 	/* First loop iteration: generate key */
-	lc_hash_set_digestsize(xdrbg512_compare, LC_XDRBG512_DRNG_KEYSIZE);
+	CKINT(lc_hash_set_digestsize(xdrbg512_compare,
+				     LC_XDRBG512_DRNG_KEYSIZE));
 	lc_hash_final(xdrbg512_compare, compare1);
 	/* First loop iteratipn: generate data */
-	lc_hash_set_digestsize(xdrbg512_compare, LC_XDRBG512_DRNG_MAX_CHUNK);
+	CKINT(lc_hash_set_digestsize(xdrbg512_compare,
+				     LC_XDRBG512_DRNG_MAX_CHUNK));
 	lc_hash_final(xdrbg512_compare, compare1 + LC_XDRBG512_DRNG_KEYSIZE);
 
 	/* 2nd loop round as output size is larger than chunk size */
@@ -130,12 +133,13 @@ static int xdrbg512_drng_selftest(struct lc_rng_ctx *xdrbg512_ctx)
 	encode = 2 * 85;
 	lc_hash_update(xdrbg512_compare, &encode, sizeof(encode));
 	/* Second loop iteratipn: generate key */
-	lc_hash_set_digestsize(xdrbg512_compare, LC_XDRBG512_DRNG_KEYSIZE);
+	CKINT(lc_hash_set_digestsize(xdrbg512_compare,
+				     LC_XDRBG512_DRNG_KEYSIZE));
 	lc_hash_final(xdrbg512_compare, compare1);
 	/* Second loop iteratipn: generate data */
-	lc_hash_set_digestsize(xdrbg512_compare,
-			       sizeof(compare1) - LC_XDRBG512_DRNG_MAX_CHUNK -
-				       LC_XDRBG512_DRNG_KEYSIZE);
+	CKINT(lc_hash_set_digestsize(
+		xdrbg512_compare, sizeof(compare1) - LC_XDRBG512_DRNG_MAX_CHUNK -
+				  LC_XDRBG512_DRNG_KEYSIZE));
 	lc_hash_final(xdrbg512_compare, compare1 + LC_XDRBG512_DRNG_MAX_CHUNK +
 						LC_XDRBG512_DRNG_KEYSIZE);
 
@@ -190,7 +194,8 @@ static int xdrbg512_drng_selftest(struct lc_rng_ctx *xdrbg512_ctx)
 	lc_hash_update(xdrbg512_compare, &encode, sizeof(encode));
 
 	/* Verify: Now get the key for the next operation */
-	lc_hash_set_digestsize(xdrbg512_compare, LC_XDRBG512_DRNG_KEYSIZE);
+	CKINT(lc_hash_set_digestsize(xdrbg512_compare,
+				     LC_XDRBG512_DRNG_KEYSIZE));
 	lc_hash_final(xdrbg512_compare, compare1);
 
 	if (lc_hash_init(xdrbg512_compare))
@@ -205,8 +210,8 @@ static int xdrbg512_drng_selftest(struct lc_rng_ctx *xdrbg512_ctx)
 	lc_hash_update(xdrbg512_compare, &encode, sizeof(encode));
 
 	/* Verify: Generate operation of the DRBG: generate data */
-	lc_hash_set_digestsize(xdrbg512_compare,
-			       LC_XDRBG512_DRNG_KEYSIZE + sizeof(act2));
+	CKINT(lc_hash_set_digestsize(xdrbg512_compare,
+				     LC_XDRBG512_DRNG_KEYSIZE + sizeof(act2)));
 	lc_hash_final(xdrbg512_compare, compare1);
 	ret += lc_compare(compare1 + LC_XDRBG512_DRNG_KEYSIZE, exp84,
 			  sizeof(exp84),
@@ -216,6 +221,7 @@ static int xdrbg512_drng_selftest(struct lc_rng_ctx *xdrbg512_ctx)
 
 	lc_hash_zero(xdrbg512_compare);
 
+out:
 	return ret;
 }
 

hash/api/lc_cshake.h

@@ -72,12 +72,20 @@ int lc_cshake_init(struct lc_hash_ctx *ctx, const uint8_t *n, size_t nlen,
  * @param [out] out Buffer allocated by caller that is filled with the message
  *		    digest data.
  * @param [in] outlen Size of the output buffer to be filled.
+ *
+ * @return 0 on success; < 0 on error
  */
-static inline void lc_cshake_final(struct lc_hash_ctx *ctx, uint8_t *out,
-				   size_t outlen)
+static inline int lc_cshake_final(struct lc_hash_ctx *ctx, uint8_t *out,
+				  size_t outlen)
 {
-	lc_hash_set_digestsize(ctx, outlen);
+	int ret;
+
+	ret = lc_hash_set_digestsize(ctx, outlen);
+	if (ret)
+		return ret;
 	lc_hash_final(ctx, out);
+
+	return 0;
 }
 
 /*