cshake: fix zero padding when data already aligns to block boundary (#834)

When the buffer already aligns with the block boundary, the existing
implementation adds an additional block of zeros to the input. This
occurs when the total length of the function name and customization
string is a multiple of the block size.

This isn't compliant with the "bytepad" algorithm in section 2.3.3 of
[SP 800-185]. If the buffer already aligns with the block boundary,
skip the padding.

[SP 800-185]: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-185.pdf

Author: rpopplewell

cshake/src/lib.rs

@@ -16,7 +16,7 @@ use digest::{
     CollisionResistance, CustomizedInit, ExtendableOutput, HashMarker, Update, XofReader,
     array::Array,
     block_api::{AlgorithmName, BlockSizeUser},
-    block_buffer::{BlockSizes, EagerBuffer, ReadBuffer},
+    block_buffer::{BlockSizes, EagerBuffer, LazyBuffer, ReadBuffer},
     consts::{U16, U32, U136, U168},
 };
 use keccak::{Keccak, State1600};
@@ -79,7 +79,7 @@ impl<Rate: BlockSizes> CShake<Rate> {
         }
 
         keccak.with_f1600(|f1600| {
-            let mut buffer: EagerBuffer<Rate> = Default::default();
+            let mut buffer: LazyBuffer<Rate> = Default::default();
             let state = &mut state;
             let mut b = [0u8; 9];
 

cshake/tests/cshake.rs

@@ -71,3 +71,8 @@ macro_rules! new_cshake_test {
 
 new_cshake_test!(cshake128, cshake::CShake128);
 new_cshake_test!(cshake256, cshake::CShake256);
+
+// When bytepad output aligns exactly to the block boundary,
+// no extra zero block should be appended (SP 800-185 2.3.3).
+new_cshake_test!(cshake128_bytepad_block_aligned, cshake::CShake128);
+new_cshake_test!(cshake256_bytepad_block_aligned, cshake::CShake256);