Refresh from upstream

Author: msprotz

Modules/_hacl/Hacl_Hash_SHA3.c

@@ -102,7 +102,6 @@ Hacl_Hash_SHA3_update_multi_sha3(
     uint8_t *block = blocks + i * block_len(a);
     Hacl_Impl_SHA3_absorb_inner(block_len(a), block, s);
   }
-  uint8_t *last = blocks + n_blocks * block_len(a);
 }
 
 void
@@ -487,27 +486,32 @@ finish_(
   Hacl_Impl_SHA3_squeeze(s, block_len(a11), hash_len(a11), dst);
 }
 
-uint32_t Hacl_Streaming_Keccak_finish(Hacl_Streaming_Keccak_state *s, uint8_t *dst, uint32_t l)
+Hacl_Streaming_Keccak_error_code
+Hacl_Streaming_Keccak_finish(Hacl_Streaming_Keccak_state *s, uint8_t *dst)
 {
   Spec_Hash_Definitions_hash_alg a1 = Hacl_Streaming_Keccak_get_alg(s);
-  if
-  (
-    (a1 == Spec_Hash_Definitions_Shake128 || a1 == Spec_Hash_Definitions_Shake256)
-    && l == (uint32_t)0U
-  )
+  if (a1 == Spec_Hash_Definitions_Shake128 || a1 == Spec_Hash_Definitions_Shake256)
   {
-    return (uint32_t)1U;
+    return Hacl_Streaming_Keccak_InvalidAlgorithm;
   }
-  if
-  (
-    !(a1 == Spec_Hash_Definitions_Shake128 || a1 == Spec_Hash_Definitions_Shake256)
-    && l != (uint32_t)0U
-  )
+  finish_(a1, s, dst, hash_len(a1));
+  return Hacl_Streaming_Keccak_Success;
+}
+
+Hacl_Streaming_Keccak_error_code
+Hacl_Streaming_Keccak_squeeze(Hacl_Streaming_Keccak_state *s, uint8_t *dst, uint32_t l)
+{
+  Spec_Hash_Definitions_hash_alg a1 = Hacl_Streaming_Keccak_get_alg(s);
+  if (!(a1 == Spec_Hash_Definitions_Shake128 || a1 == Spec_Hash_Definitions_Shake256))
   {
-    return (uint32_t)1U;
+    return Hacl_Streaming_Keccak_InvalidAlgorithm;
+  }
+  if (l == (uint32_t)0U)
+  {
+    return Hacl_Streaming_Keccak_InvalidLength;
   }
   finish_(a1, s, dst, l);
-  return (uint32_t)0U;
+  return Hacl_Streaming_Keccak_Success;
 }
 
 uint32_t Hacl_Streaming_Keccak_block_len(Hacl_Streaming_Keccak_state *s)

Modules/_hacl/Hacl_Hash_SHA3.h

@@ -65,8 +65,17 @@ void Hacl_Streaming_Keccak_reset(Hacl_Streaming_Keccak_state *s);
 uint32_t
 Hacl_Streaming_Keccak_update(Hacl_Streaming_Keccak_state *p, uint8_t *data, uint32_t len);
 
-uint32_t
-Hacl_Streaming_Keccak_finish(Hacl_Streaming_Keccak_state *s, uint8_t *dst, uint32_t l);
+#define Hacl_Streaming_Keccak_Success 0
+#define Hacl_Streaming_Keccak_InvalidAlgorithm 1
+#define Hacl_Streaming_Keccak_InvalidLength 2
+
+typedef uint8_t Hacl_Streaming_Keccak_error_code;
+
+Hacl_Streaming_Keccak_error_code
+Hacl_Streaming_Keccak_finish(Hacl_Streaming_Keccak_state *s, uint8_t *dst);
+
+Hacl_Streaming_Keccak_error_code
+Hacl_Streaming_Keccak_squeeze(Hacl_Streaming_Keccak_state *s, uint8_t *dst, uint32_t l);
 
 uint32_t Hacl_Streaming_Keccak_block_len(Hacl_Streaming_Keccak_state *s);
 

Modules/_hacl/include/krml/lowstar_endianness.h

@@ -77,7 +77,7 @@
 #  define le64toh(x) (x)
 
 /* ... for Windows (GCC-like, e.g. mingw or clang) */
-#elif (defined(_WIN32) || defined(_WIN64)) &&                                  \
+#elif (defined(_WIN32) || defined(_WIN64) || defined(__EMSCRIPTEN__)) &&       \
     (defined(__GNUC__) || defined(__clang__))
 
 #  define htobe16(x) __builtin_bswap16(x)

Modules/_hacl/refresh.sh

@@ -22,7 +22,7 @@ fi
 
 # Update this when updating to a new version after verifying that the changes
 # the update brings in are good.
-expected_hacl_star_rev=a41202dc7378b6e41c609d6b2f8f8b8e10581827
+expected_hacl_star_rev=363eae2c2eb60e46f182ddd4bd1cd3f1d00b35c9
 
 hacl_dir="$(realpath "$1")"
 cd "$(dirname "$0")"

Modules/sha3module.c

@@ -195,10 +195,9 @@ _sha3_sha3_224_digest_impl(SHA3object *self)
 /*[clinic end generated code: output=fd531842e20b2d5b input=5b2a659536bbd248]*/
 {
     unsigned char digest[SHA3_MAX_DIGESTSIZE];
-    // The only potential error here is an API misuse, such as trying to specify
-    // a user-provided length when using a non-Shake algorithm. We thus ignore
-    // the return code.
-    Hacl_Streaming_Keccak_finish(self->hash_state, digest, 0);
+    // This function errors out if the algorithm is Shake. Here, we know this
+    // not to be the case, and therefore do not perform error checking.
+    Hacl_Streaming_Keccak_finish(self->hash_state, digest);
     return PyBytes_FromStringAndSize((const char *)digest,
         Hacl_Streaming_Keccak_hash_len(self->hash_state));
 }
@@ -215,7 +214,7 @@ _sha3_sha3_224_hexdigest_impl(SHA3object *self)
 /*[clinic end generated code: output=75ad03257906918d input=2d91bb6e0d114ee3]*/
 {
     unsigned char digest[SHA3_MAX_DIGESTSIZE];
-    Hacl_Streaming_Keccak_finish(self->hash_state, digest, 0);
+    Hacl_Streaming_Keccak_finish(self->hash_state, digest);
     return _Py_strhex((const char *)digest,
         Hacl_Streaming_Keccak_hash_len(self->hash_state));
 }
@@ -397,8 +396,12 @@ _SHAKE_digest(SHA3object *self, unsigned long digestlen, int hex)
         return PyErr_NoMemory();
     }
 
-    /* Get the raw (binary) digest value */
-    Hacl_Streaming_Keccak_finish(self->hash_state, digest, digestlen);
+    /* Get the raw (binary) digest value. The HACL functions errors out if:
+     * - the algorith is not shake -- not the case here
+     * - the output length is zero -- we follow the existing behavior and return
+     *   an empty digest, without raising an error */
+    if (digestlen > 0)
+      Hacl_Streaming_Keccak_squeeze(self->hash_state, digest, digestlen);
     if (hex) {
          result = _Py_strhex((const char *)digest, digestlen);
     } else {