microsoft · qmuntal · Dec 18, 2024 · Dec 18, 2024 · Dec 18, 2024 · Dec 18, 2024
diff --git a/cng/hash.go b/cng/hash.go
@@ -11,6 +11,7 @@ import (
 	"crypto"
 	"hash"
 	"runtime"
+	"slices"
 	"unsafe"
 
 	"github.com/microsoft/go-crypto-winnative/internal/bcrypt"
@@ -304,3 +305,163 @@ func (h *hashX) Sum(in []byte) []byte {
 	}
 	return append(in, h.buf...)
 }
+
+// SupportsSHAKE128 returns true if the SHAKE128 extendable output function is
+// supported.
+func SupportsSHAKE128() bool {
+	_, err := loadHash(bcrypt.CSHAKE128_ALGORITHM, bcrypt.ALG_NONE_FLAG)
+	return err == nil
+}
+
+// SupportsSHAKE256 returns true if the SHAKE256 extendable output function is
+// supported.
+func SupportsSHAKE256() bool {
+	_, err := loadHash(bcrypt.CSHAKE256_ALGORITHM, bcrypt.ALG_NONE_FLAG)
+	return err == nil
+}
+
+// SumSHAKE128 applies the SHAKE128 extendable output function to data and
+// returns an output of the given length in bytes.
+func SumSHAKE128(data []byte, length int) []byte {
+	out := make([]byte, length)
+	if err := hashOneShot(bcrypt.CSHAKE128_ALGORITHM, data, out); err != nil {
+		panic("bcrypt: CSHAKE128_ALGORITHM failed")
+	}
+	return out
+}
+
+// SumSHAKE256 applies the SHAKE256 extendable output function to data and
+// returns an output of the given length in bytes.
+func SumSHAKE256(data []byte, length int) []byte {
+	out := make([]byte, length)
+	if err := hashOneShot(bcrypt.CSHAKE256_ALGORITHM, data, out); err != nil {
+		panic("bcrypt: CSHAKE256_ALGORITHM failed")
+	}
+	return out
+}
+
+// SHAKE is an instance of a SHAKE extendable output function.
+type SHAKE struct {
+	alg  *hashAlgorithm
+	ctx  bcrypt.HASH_HANDLE
+	n, s []byte
+}
+
+func newShake(id string, N, S []byte) *SHAKE {
+	alg, err := loadHash(id, bcrypt.ALG_NONE_FLAG)
+	if err != nil {
+		panic(err)
+	}
+	h := &SHAKE{alg: alg, n: slices.Clone(N), s: slices.Clone(S)}
+	err = bcrypt.CreateHash(h.alg.handle, &h.ctx, nil, nil, 0)
+	if err != nil {
+		panic(err)
+	}
+	if len(N) != 0 {
+		if err := bcrypt.SetProperty(bcrypt.HANDLE(h.ctx), utf16PtrFromString(bcrypt.FUNCTION_NAME_STRING), N, 0); err != nil {
+			panic(err)
+		}
+	}
+	if len(S) != 0 {
+		if err := bcrypt.SetProperty(bcrypt.HANDLE(h.ctx), utf16PtrFromString(bcrypt.CUSTOMIZATION_STRING), S, 0); err != nil {
+			panic(err)
+		}
+	}
+	runtime.SetFinalizer(h, (*SHAKE).finalize)
+	return h
+}
+
+// NewSHAKE128 creates a new SHAKE128 XOF.
+func NewSHAKE128() *SHAKE {
+	return newShake(bcrypt.CSHAKE128_ALGORITHM, nil, nil)
+}
+
+// NewSHAKE256 creates a new SHAKE256 XOF.
+func NewSHAKE256() *SHAKE {
+	return newShake(bcrypt.CSHAKE256_ALGORITHM, nil, nil)
+}
+
+// NewCSHAKE128 creates a new cSHAKE128 XOF.
+//
+// N is used to define functions based on cSHAKE, it can be empty when plain
+// cSHAKE is desired. S is a customization byte string used for domain
+// separation. When N and S are both empty, this is equivalent to NewSHAKE128.
+func NewCSHAKE128(N, S []byte) *SHAKE {
+	return newShake(bcrypt.CSHAKE128_ALGORITHM, N, S)
+}
+
+// NewCSHAKE256 creates a new cSHAKE256 XOF.
+//
+// N is used to define functions based on cSHAKE, it can be empty when plain
+// cSHAKE is desired. S is a customization byte string used for domain
+// separation. When N and S are both empty, this is equivalent to NewSHAKE256.
+func NewCSHAKE256(N, S []byte) *SHAKE {
+	return newShake(bcrypt.CSHAKE256_ALGORITHM, N, S)
+}
+
+func (h *SHAKE) finalize() {
+	bcrypt.DestroyHash(h.ctx)
+}
+
+// Write absorbs more data into the XOF's state.
+//
+// It panics if any output has already been read.
+func (s *SHAKE) Write(p []byte) (n int, err error) {
+	if len(p) == 0 {
+		return 0, nil
+	}
+	defer runtime.KeepAlive(s)
+	for n < len(p) && err == nil {
+		nn := len32(p[n:])
+		err = bcrypt.HashData(s.ctx, p[n:n+nn], 0)
+		n += nn
+	}
+	if err != nil {
+		panic(err)
+	}
+	return len(p), nil
+}
+
+// Read squeezes more output from the XOF.
+//
+// Any call to Write after a call to Read will panic.
+func (s *SHAKE) Read(p []byte) (n int, err error) {
+	if len(p) == 0 {
+		return 0, nil
+	}
+	defer runtime.KeepAlive(s)
+	for n < len(p) && err == nil {
+		nn := len32(p[n:])
+		err = bcrypt.FinishHash(s.ctx, p[n:n+nn], bcrypt.HASH_DONT_RESET_FLAG)
+		n += nn
+	}
+	if err != nil {
+		panic(err)
+	}
+	return len(p), nil
+}
+
+// Reset resets the XOF to its initial state.
+func (s *SHAKE) Reset() {
+	defer runtime.KeepAlive(s)
+	bcrypt.DestroyHash(s.ctx)
+	err := bcrypt.CreateHash(s.alg.handle, &s.ctx, nil, nil, 0)
+	if err != nil {
+		panic(err)
+	}
+	if len(s.n) != 0 {
+		if err := bcrypt.SetProperty(bcrypt.HANDLE(s.ctx), utf16PtrFromString(bcrypt.FUNCTION_NAME_STRING), s.n, 0); err != nil {
+			panic(err)
+		}
+	}
+	if len(s.s) != 0 {
+		if err := bcrypt.SetProperty(bcrypt.HANDLE(s.ctx), utf16PtrFromString(bcrypt.CUSTOMIZATION_STRING), s.s, 0); err != nil {
+			panic(err)
+		}
+	}
+}
+
+// BlockSize returns the rate of the XOF.
+func (s *SHAKE) BlockSize() int {
+	return int(s.alg.blockSize)
+}