Fix Haraka digest API compliance

jwcranford · Oct 9, 2022 · fcccf29 · fcccf29
1 parent 55d5c4b
commit fcccf29
Show file tree

Hide file tree

Showing 4 changed files with 29 additions and 30 deletions.
diff --git a/core/src/main/java/org/bouncycastle/pqc/crypto/sphincsplus/HarakaS256Digest.java b/core/src/main/java/org/bouncycastle/pqc/crypto/sphincsplus/HarakaS256Digest.java
@@ -22,15 +22,14 @@ public String getAlgorithmName()
         return "HarakaS-256";
     }
 
-    @Override
     public int getDigestSize()
     {
         return 32;
     }
 
     public void update(byte in)
     {
-        if (off + 1 > 32)
+        if (off > 32 - 1)
         {
             throw new IllegalArgumentException("total input cannot be more than 32 bytes");
         }
@@ -40,7 +39,7 @@ public void update(byte in)
 
     public void update(byte[] in, int inOff, int len)
     {
-        if (off + len > 32)
+        if (off > 32 - len)
         {
             throw new IllegalArgumentException("total input cannot be more than 32 bytes");
         }
@@ -51,9 +50,11 @@ public void update(byte[] in, int inOff, int len)
 
     public int doFinal(byte[] output, int outOff)
     {
-        byte[] s = new byte[64];
+        // TODO Check received all 32 bytes of input?
+
+        byte[] s = new byte[32];
         haraka256Perm(s);
-        System.arraycopy(s, 0, output, outOff, output.length - outOff);
+        xor(s, 0, buffer, 0, output, outOff, 32);
 
         reset();
 

diff --git a/core/src/main/java/org/bouncycastle/pqc/crypto/sphincsplus/HarakaS512Digest.java b/core/src/main/java/org/bouncycastle/pqc/crypto/sphincsplus/HarakaS512Digest.java
@@ -22,15 +22,14 @@ public String getAlgorithmName()
         return "HarakaS-512";
     }
 
-    @Override
     public int getDigestSize()
     {
-        return 64;
+        return 32;
     }
 
     public void update(byte in)
     {
-        if (off + 1 > 64)
+        if (off > 64 - 1)
         {
             throw new IllegalArgumentException("total input cannot be more than 64 bytes");
         }
@@ -39,27 +38,23 @@ public void update(byte in)
 
     public void update(byte[] in, int inOff, int len)
     {
-        if (off + len > 64)
+        if (off > 64 - len)
         {
             throw new IllegalArgumentException("total input cannot be more than 64 bytes");
         }
         System.arraycopy(in, inOff, buffer, off, len);
         off += len;
     }
 
-
     public int doFinal(byte[] out, int outOff)
     {
+        // TODO Check received all 64 bytes of input?
+
         byte[] s = new byte[64];
         haraka512Perm(s);
-        for (int i = 0; i < 64; ++i)
-        {
-            s[i] ^= buffer[i];
-        }
-        System.arraycopy(s, 8, out, outOff, 8);
-        System.arraycopy(s, 24, out, outOff + 8, 8);
-        System.arraycopy(s, 32, out, outOff + 16, 8);
-        System.arraycopy(s, 48, out, outOff + 24, 8);
+        xor(s,  8, buffer,  8, out, outOff     ,  8);
+        xor(s, 24, buffer, 24, out, outOff +  8, 16);
+        xor(s, 48, buffer, 48, out, outOff + 24,  8);
 
         reset();
 

diff --git a/core/src/main/java/org/bouncycastle/pqc/crypto/sphincsplus/HarakaSBase.java b/core/src/main/java/org/bouncycastle/pqc/crypto/sphincsplus/HarakaSBase.java
@@ -162,11 +162,6 @@ protected void haraka256Perm(byte[] output)
             brEnc32Le(output, q[i << 1], i << 2);
             brEnc32Le(output, q[(i << 1) + 1], (i << 2) + 16);
         }
-
-        for (i = 0; i < 32; i++)
-        {
-            output[i] ^= buffer[i];
-        }
     }
 
     private void brEnc32Le(byte[] dst, int x, int startPos)
@@ -787,4 +782,12 @@ private void brAesCt64InterleaveOut(int[] w, long[] q, int pos)
         w[pos + 2] = (int)(x2 | (x2 >>> 16));
         w[pos + 3] = (int)(x3 | (x3 >>> 16));
     }
+
+    protected static void xor(byte[] x, int xOff, byte[] y, int yOff, byte[] z, int zOff, int zLen)
+    {
+        for (int i = 0; i < zLen; i++)
+        {
+            z[zOff + i] = (byte)(x[xOff + i] ^ y[yOff + i]);
+        }
+    }
 }
diff --git a/core/src/main/java/org/bouncycastle/pqc/crypto/sphincsplus/SPHINCSPlusEngine.java b/core/src/main/java/org/bouncycastle/pqc/crypto/sphincsplus/SPHINCSPlusEngine.java
@@ -534,25 +534,25 @@ void init(byte[] pkSeed)
 
         public byte[] F(byte[] pkSeed, ADRS adrs, byte[] m1)
         {
-            byte[] rv = new byte[64];
+            byte[] hash = new byte[32];
             harakaS512Digest.update(adrs.value, 0, adrs.value.length);
             if (robust)
             {
-                byte[] mask = new byte[m1.length];
                 harakaS256Digest.update(adrs.value, 0, adrs.value.length);
-                harakaS256Digest.doFinal(mask, 0);
+                harakaS256Digest.doFinal(hash, 0);
                 for (int i = 0; i < m1.length; ++i)
                 {
-                    mask[i] ^= m1[i];
+                    hash[i] ^= m1[i];
                 }
-                harakaS512Digest.update(mask, 0, mask.length);
+                harakaS512Digest.update(hash, 0, m1.length);
             }
             else
             {
                 harakaS512Digest.update(m1, 0, m1.length);
             }
-            harakaS512Digest.doFinal(rv, 0);
-            return Arrays.copyOf(rv, N);
+            // NOTE The digest implementation implicitly pads the input with zeros up to 64 length
+            harakaS512Digest.doFinal(hash, 0);
+            return Arrays.copyOf(hash, N);
         }
 
         public byte[] H(byte[] pkSeed, ADRS adrs, byte[] m1, byte[] m2)