From 27354690cbe5df439ae7f35af3864caa5ce33e62 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 3 Mar 2021 17:45:06 +0100 Subject: [PATCH] Use a bit-size in the algorithm name MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Call it “SHAKE256-512”, just like SHA3-512 has 512 bits of output. SHAKE256-64 looks like it's 64 bits of output, but this is 64 bytes. Signed-off-by: Gilles Peskine --- include/psa/crypto_values.h | 8 ++++---- programs/psa/psa_constant_names_generated.c | 4 ++-- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h index ecccbdc6da..c67ec64385 100644 --- a/include/psa/crypto_values.h +++ b/include/psa/crypto_values.h @@ -803,13 +803,13 @@ #define PSA_ALG_SHA3_384 ((psa_algorithm_t)0x02000012) /** SHA3-512 */ #define PSA_ALG_SHA3_512 ((psa_algorithm_t)0x02000013) -/** The first 64 bytes of the SHAKE256 output. +/** The first 512 bits (64 bytes) of the SHAKE256 output. * * This is the prehashing for Ed448ph (see #PSA_ALG_ED448PH). For other * scenarios where a hash function based on SHA3/SHAKE is desired, SHA3-512 * has the same output size and a (theoretically) higher security strength. */ -#define PSA_ALG_SHAKE256_64 ((psa_algorithm_t)0x02000015) +#define PSA_ALG_SHAKE256_512 ((psa_algorithm_t)0x02000015) /** In a hash-and-sign algorithm policy, allow any hash algorithm. * @@ -1448,13 +1448,13 @@ * - or calculate the first 64 bytes of the SHAKE256 output of the message * with psa_hash_compute() * or with a multi-part hash operation started with psa_hash_setup(), - * using the hash algorithm #PSA_ALG_SHAKE256_64, + * using the hash algorithm #PSA_ALG_SHAKE256_512, * then sign the calculated hash with psa_sign_hash(). * Verifying a signature is similar, using psa_verify_message() or * psa_verify_hash() instead of the signature function. */ #define PSA_ALG_ED448PH \ - (PSA_ALG_HASH_EDDSA_BASE | (PSA_ALG_SHAKE256_64 & PSA_ALG_HASH_MASK)) + (PSA_ALG_HASH_EDDSA_BASE | (PSA_ALG_SHAKE256_512 & PSA_ALG_HASH_MASK)) /* Default definition, to be overridden if the library is extended with * more hash-and-sign algorithms that we want to keep out of this header diff --git a/programs/psa/psa_constant_names_generated.c b/programs/psa/psa_constant_names_generated.c index 5906b6d5fa..2175af9ff8 100644 --- a/programs/psa/psa_constant_names_generated.c +++ b/programs/psa/psa_constant_names_generated.c @@ -67,7 +67,7 @@ static const char *psa_hash_algorithm_name(psa_algorithm_t hash_alg) case PSA_ALG_SHA3_256: return "PSA_ALG_SHA3_256"; case PSA_ALG_SHA3_384: return "PSA_ALG_SHA3_384"; case PSA_ALG_SHA3_512: return "PSA_ALG_SHA3_512"; - case PSA_ALG_SHAKE256_64: return "PSA_ALG_SHAKE256_64"; + case PSA_ALG_SHAKE256_512: return "PSA_ALG_SHAKE256_512"; case PSA_ALG_SHA_1: return "PSA_ALG_SHA_1"; case PSA_ALG_SHA_224: return "PSA_ALG_SHA_224"; case PSA_ALG_SHA_256: return "PSA_ALG_SHA_256"; @@ -231,7 +231,7 @@ static int psa_snprint_algorithm(char *buffer, size_t buffer_size, case PSA_ALG_SHA3_256: append(&buffer, buffer_size, &required_size, "PSA_ALG_SHA3_256", 16); break; case PSA_ALG_SHA3_384: append(&buffer, buffer_size, &required_size, "PSA_ALG_SHA3_384", 16); break; case PSA_ALG_SHA3_512: append(&buffer, buffer_size, &required_size, "PSA_ALG_SHA3_512", 16); break; - case PSA_ALG_SHAKE256_64: append(&buffer, buffer_size, &required_size, "PSA_ALG_SHAKE256_64", 19); break; + case PSA_ALG_SHAKE256_512: append(&buffer, buffer_size, &required_size, "PSA_ALG_SHAKE256_512", 20); break; case PSA_ALG_SHA_1: append(&buffer, buffer_size, &required_size, "PSA_ALG_SHA_1", 13); break; case PSA_ALG_SHA_224: append(&buffer, buffer_size, &required_size, "PSA_ALG_SHA_224", 15); break; case PSA_ALG_SHA_256: append(&buffer, buffer_size, &required_size, "PSA_ALG_SHA_256", 15); break;