8320192: SHAKE256 does not work correctly if n >= 137

Co-authored-by: Ferenc Rakoczi <ferenc.r.rakoczi@oracle.com>
Reviewed-by: mpowers, valeriep

Author: wangweij

src/java.base/share/classes/sun/security/provider/SHA3.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2016, 2022, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2016, 2023, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -108,7 +108,15 @@ void implDigest(byte[] out, int ofs) {
             throw new ProviderException("Incorrect pad size: " + numOfPadding);
         }
         implCompress(buffer, 0);
-        System.arraycopy(state, 0, out, ofs, engineGetDigestLength());
+        int availableBytes = buffer.length;
+        int numBytes = engineGetDigestLength();
+        while (numBytes > availableBytes) {
+            System.arraycopy(state, 0, out, ofs, availableBytes);
+            numBytes -= availableBytes;
+            ofs += availableBytes;
+            keccak();
+        }
+        System.arraycopy(state, 0, out, ofs, numBytes);
     }
 
     /**
@@ -162,7 +170,7 @@ private static void lanes2Bytes(long[] m, byte[] s) {
 
     /**
      * The function Keccak as defined in section 5.2 with
-     * rate r = 1600 and capacity c = (digest length x 2).
+     * rate r = 1600 and capacity c.
      */
     private void keccak() {
         // convert the 200-byte state into 25 lanes

src/java.base/share/classes/sun/security/provider/SHAKE128.java

@@ -0,0 +1,49 @@
+/*
+ * Copyright (c) 2023, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+package sun.security.provider;
+
+/*
+ * The SHAKE128 extendable output function.
+ */
+public final class SHAKE128 extends SHA3 {
+    public SHAKE128(int d) {
+        super("SHAKE128", d, (byte) 0x1F, 32);
+    }
+
+    public void update(byte in) {
+        engineUpdate(in);
+    }
+    public void update(byte[] in, int off, int len) {
+        engineUpdate(in, off, len);
+    }
+
+    public byte[] digest() {
+        return engineDigest();
+    }
+
+    public void reset() {
+        engineReset();
+    }
+}