disallow updates after squeezes

Author: initsecret

openssl/src/hash.rs

@@ -283,6 +283,18 @@ impl Hasher {
         if self.state == Finalized {
             self.init()?;
         }
+        if self.state == Squeeze {
+            // [`EVP_DigestUpdate`], depending on the implementation, may allow Updates after Squeezes.
+            // But, [FIPS 202], as shown in Figure 7, has a distinguished absorbing phase followed by a squeezing phase.
+            // Indeed, the [`sha3.c`] implmentation disallows Updates after Squeezes.
+            // For consistency, we always return an error when Update is called after Squeeze.
+            //
+            // [`EVP_DigestUpdate`]: https://github.com/openssl/openssl/blob/b3bb214720f20f3b126ae4b9c330e9a48b835415/crypto/evp/digest.c#L385-L393
+            // [FIPS 202]: https://dx.doi.org/10.6028/NIST.FIPS.202
+            // [`sha3.c`]: https://github.com/openssl/openssl/blob/b3bb214720f20f3b126ae4b9c330e9a48b835415/crypto/sha/sha3.c#L52-L63
+            let errors = ErrorStack::get();
+            return Err(errors);
+        }
         unsafe {
             cvt(ffi::EVP_DigestUpdate(
                 self.ctx,