src: support outputLength in XOF hash functions

Support `outputLength` option in crypto.hash() for XOF hash functions to align with the behaviour of crypto.createHash() API

Author: Aditi-1400

deps/ncrypto/ncrypto.cc

@@ -4190,6 +4190,36 @@ DataPointer hashDigest(const Buffer<const unsigned char>& buf,
 return data.resize(result_size);
 }
 
+DataPointer xofHashDigest(const Buffer<constunsignedchar>& buf,
+const EVP_MD* md,
+size_t output_length){
+if (md == nullptr) return{};
+
+ EVP_MD_CTX* ctx = EVP_MD_CTX_new();
+if (!ctx) return{};
+if (EVP_DigestInit_ex(ctx, md, nullptr) != 1){
+EVP_MD_CTX_free(ctx);
+return{};
+ }
+if (EVP_DigestUpdate(ctx, buf.data, buf.len) != 1){
+EVP_MD_CTX_free(ctx);
+return{};
+ }
+auto data = DataPointer::Alloc(output_length);
+if (!data){
+EVP_MD_CTX_free(ctx);
+return{};
+ }
+if (!EVP_DigestFinalXOF(
+ ctx, reinterpret_cast<unsignedchar*>(data.get()), output_length)){
+EVP_MD_CTX_free(ctx);
+return{};
+ }
+
+EVP_MD_CTX_free(ctx);
+return data;
+}
+
 // ============================================================================
 
 X509Name::X509Name() : name_(nullptr), total_(0){}

deps/ncrypto/ncrypto.h

@@ -278,8 +278,13 @@ class Digest final{
 const EVP_MD* md_ = nullptr;
 };
 
+// Computes a fixed-length digest.
 DataPointer hashDigest(const Buffer<constunsignedchar>& data,
 const EVP_MD* md);
+// Computes a variable-length digest for XOF algorithms (e.g. SHAKE128).
+DataPointer xofHashDigest(const Buffer<constunsignedchar>& data,
+const EVP_MD* md,
+size_t length);
 
 classCipherfinal{
 public:

doc/api/crypto.md

@@ -4187,7 +4187,7 @@ A convenient alias for [`crypto.webcrypto.getRandomValues()`][]. This
 implementation is not compliant with the Web Crypto spec, to write
 web-compatible code use [`crypto.webcrypto.getRandomValues()`][] instead.
 
-### `crypto.hash(algorithm, data[, outputEncoding])`
+### `crypto.hash(algorithm, data[, options])`
 
 <!-- YAML
 added:
@@ -4203,8 +4203,12 @@ added:
  input encoding is desired for a string input, user could encode the string
  into a `TypedArray` using either `TextEncoder` or `Buffer.from()` and passing
  the encoded `TypedArray` into this API instead.
-*`outputEncoding`{string|undefined} [Encoding][encoding] used to encode the
- returned digest. **Default:**`'hex'`.
+*`options`{Object|string}
+*`outputEncoding`{string|undefined} [Encoding][encoding] used to encode the
+ returned digest. **Default:**`'hex'`.
+*`outputLength`{number|undefined} For XOF hash functions such as 'shake256',
+ the outputLength option can be used to specify the desired output length in bytes.
+**Default:**`undefined`
 * Returns:{string|Buffer}
 
 A utility for creating one-shot hash digests of data. It can be faster than

lib/internal/crypto/hash.js

@@ -193,11 +193,24 @@ async function asyncDigest(algorithm, data){
 throwlazyDOMException('Unrecognized algorithm name','NotSupportedError');
 }
 
-functionhash(algorithm,input,outputEncoding='hex'){
+functionhash(algorithm,input,options={}){
 validateString(algorithm,'algorithm');
 if(typeofinput!=='string'&&!isArrayBufferView(input)){
 thrownewERR_INVALID_ARG_TYPE('input',['Buffer','TypedArray','DataView','string'],input);
 }
+letoutputEncoding='hex';
+letoutputLength;
+
+if(options!==null&&typeofoptions!=='function'){
+if(typeofoptions==='string'){
+outputEncoding=options;
+}elseif(typeofoptions==='object'){
+({ outputEncoding ='hex', outputLength }=options);
+}else{
+thrownewERR_INVALID_ARG_TYPE('options',['object','string'],options);
+}
+}
+
 letnormalized=outputEncoding;
 // Fast case: if it's 'hex', we don't need to validate it further.
 if(outputEncoding!=='hex'){
@@ -213,8 +226,14 @@ function hash(algorithm, input, outputEncoding = 'hex'){
 }
 }
 }
+if(outputLength!==undefined){
+validateUint32(outputLength,'outputLength');
+if(outputLength===0){
+returnnormalized==='buffer' ? Buffer.alloc(0) : '';
+}
+}
 returnoneShotDigest(algorithm,getCachedHashId(algorithm),getHashCache(),
-input,normalized,encodingsMap[normalized]);
+input,normalized,encodingsMap[normalized],outputLength);
 }
 
 module.exports={

src/crypto/crypto_hash.cc

@@ -208,17 +208,18 @@ const EVP_MD* GetDigestImplementation(Environment* env,
 }
 
 // crypto.digest(algorithm, algorithmId, algorithmCache,
-// input, outputEncoding, outputEncodingId)
+// input, outputEncoding, outputEncodingId, outputLength)
 voidHash::OneShotDigest(const FunctionCallbackInfo<Value>& args){
  Environment* env = Environment::GetCurrent(args);
  Isolate* isolate = env->isolate();
-CHECK_EQ(args.Length(), 6);
+CHECK_EQ(args.Length(), 7);
 CHECK(args[0]->IsString()); // algorithm
 CHECK(args[1]->IsInt32()); // algorithmId
 CHECK(args[2]->IsObject()); // algorithmCache
 CHECK(args[3]->IsString() || args[3]->IsArrayBufferView()); // input
 CHECK(args[4]->IsString()); // outputEncoding
 CHECK(args[5]->IsUint32() || args[5]->IsUndefined()); // outputEncodingId
+CHECK(args[6]->IsUint32() || args[6]->IsUndefined()); // outputLength
 
 const EVP_MD* md = GetDigestImplementation(env, args[0], args[1], args[2]);
 if (md == nullptr) [[unlikely]]{
@@ -230,21 +231,32 @@ void Hash::OneShotDigest(const FunctionCallbackInfo<Value>& args){
 
 enum encoding output_enc = ParseEncoding(isolate, args[4], args[5], HEX);
 
- DataPointer output = ([&]{
+ DataPointer output = ([&]() -> DataPointer{
+ Utf8Value utf8(isolate, args[3]);
+ ncrypto::Buffer<constunsignedchar> buf;
 if (args[3]->IsString()){
- Utf8Value utf8(isolate, args[3]);
- ncrypto::Buffer<constunsignedchar> buf{
+ buf ={
  .data = reinterpret_cast<constunsignedchar*>(utf8.out()),
  .len = utf8.length(),
  };
-returnncrypto::hashDigest(buf, md);
+ } else{
+ ArrayBufferViewContents<unsignedchar> input(args[3]);
+ buf ={
+ .data = reinterpret_cast<constunsignedchar*>(input.data()),
+ .len = input.length(),
+ };
  }
 
- ArrayBufferViewContents<unsignedchar> input(args[3]);
- ncrypto::Buffer<constunsignedchar> buf{
- .data = reinterpret_cast<constunsignedchar*>(input.data()),
- .len = input.length(),
- };
+if (!args[6]->IsUndefined()){
+bool isXOF = (EVP_MD_flags(md) & EVP_MD_FLAG_XOF) != 0;
+int output_length = args[6].As<Uint32>()->Value();
+if (isXOF){
+returnncrypto::xofHashDigest(buf, md, output_length);
+ } elseif (!isXOF && output_length != EVP_MD_get_size(md)){
+ThrowCryptoError(env, ERR_get_error(), "Invalid length or not XOF");
+return{};
+ }
+ }
 returnncrypto::hashDigest(buf, md);
  })();
 

test/parallel/test-crypto-oneshot-hash-xof.js

@@ -0,0 +1,95 @@
+'use strict';
+// This tests crypto.hash() works.
+constcommon=require('../common');
+
+if(!common.hasCrypto)common.skip('missing crypto');
+
+constassert=require('assert');
+constcrypto=require('crypto');
+
+// Test XOF hash functions and the outputLength option.
+{
+// Default outputLengths.
+assert.strictEqual(
+crypto.hash('shake128','','hex'),
+crypto.createHash('shake128').update('').digest('hex')
+);
+
+assert.strictEqual(
+crypto.hash('shake256','','hex'),
+crypto.createHash('shake256').update('').digest('hex')
+);
+
+// Short outputLengths.
+assert.strictEqual(crypto.hash('shake128','',{encoding: 'hex',outputLength: 0}),
+crypto.createHash('shake128',{outputLength: 0})
+.update('').digest('hex'));
+
+assert.strictEqual(
+crypto.hash('shake128','',{outputEncoding: 'hex',outputLength: 5}),
+crypto.createHash('shake128',{outputLength: 5}).update('').digest('hex')
+);
+// Check length
+assert.strictEqual(
+crypto.hash('shake128','',{outputEncoding: 'hex',outputLength: 5}).length,
+crypto.createHash('shake128',{outputLength: 5}).update('').digest('hex')
+.length
+);
+
+assert.strictEqual(
+crypto.hash('shake128','',{outputEncoding: 'hex',outputLength: 15}),
+crypto.createHash('shake128',{outputLength: 15}).update('').digest('hex')
+);
+// Check length
+assert.strictEqual(
+crypto.hash('shake128','',{outputEncoding: 'hex',outputLength: 15}).length,
+crypto.createHash('shake128',{outputLength: 15}).update('').digest('hex')
+.length
+);
+
+assert.strictEqual(
+crypto.hash('shake256','',{outputEncoding: 'hex',outputLength: 16}),
+crypto.createHash('shake256',{outputLength: 16}).update('').digest('hex')
+);
+// Check length
+assert.strictEqual(
+crypto.hash('shake256','',{outputEncoding: 'hex',outputLength: 16}).length,
+crypto.createHash('shake256',{outputLength: 16}).update('').digest('hex')
+.length
+);
+
+// Large outputLengths.
+assert.strictEqual(
+crypto.hash('shake128','',{outputEncoding: 'hex',outputLength: 128}),
+crypto
+.createHash('shake128',{outputLength: 128}).update('')
+.digest('hex')
+);
+// Check length without encoding
+assert.strictEqual(
+crypto.hash('shake128','',{outputLength: 128}).length,
+crypto
+.createHash('shake128',{outputLength: 128}).update('')
+.digest('hex').length
+);
+assert.strictEqual(
+crypto.hash('shake256','',{outputLength: 128}),
+crypto
+.createHash('shake256',{outputLength: 128}).update('')
+.digest('hex')
+);
+
+constactual=crypto.hash('shake256','The message is shorter than the hash!',{outputLength: 1024*1024});
+constexpected=crypto
+.createHash('shake256',{
+outputLength: 1024*1024,
+})
+.update('The message is shorter than the hash!')
+.digest('hex');
+assert.strictEqual(actual,expected);
+
+// Non-XOF hash functions should accept valid outputLength options as well.
+assert.strictEqual(crypto.hash('sha224','','hex',28),
+'d14a028c2a3a2bc9476102bb288234c4'+
+'15a2b01f828ea62ac5b3e42f');
+}

test/parallel/test-crypto-oneshot-hash.js

@@ -20,7 +20,7 @@ const fs = require('fs');
 assert.throws(()=>{crypto.hash('sha1',invalid);},{code: 'ERR_INVALID_ARG_TYPE'});
 });
 
-[null,true,1,()=>{},{}].forEach((invalid)=>{
+[0,1,NaN,true,Symbol(0)].forEach((invalid)=>{
 assert.throws(()=>{crypto.hash('sha1','test',invalid);},{code: 'ERR_INVALID_ARG_TYPE'});
 });