tor  0.4.1.0-alpha-dev
crypto_digest.c
Go to the documentation of this file.
1 /* Copyright (c) 2001, Matej Pfajfar.
2  * Copyright (c) 2001-2004, Roger Dingledine.
3  * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
4  * Copyright (c) 2007-2019, The Tor Project, Inc. */
5 /* See LICENSE for licensing information */
6 
16 #include "lib/log/log.h"
17 #include "lib/log/util_bug.h"
18 
19 #include "keccak-tiny/keccak-tiny.h"
20 
21 #include <stdlib.h>
22 #include <string.h>
23 
24 #include "lib/arch/bytes.h"
25 
26 #ifdef ENABLE_NSS
27 DISABLE_GCC_WARNING(strict-prototypes)
28 #include <pk11pub.h>
29 ENABLE_GCC_WARNING(strict-prototypes)
30 #else
31 
33 
34 DISABLE_GCC_WARNING(redundant-decls)
35 
36 #include <openssl/hmac.h>
37 #include <openssl/sha.h>
38 
39 ENABLE_GCC_WARNING(redundant-decls)
40 
41 #ifdef HAVE_EVP_SHA3_256
42 #define OPENSSL_HAS_SHA3
43 #include <openssl/evp.h>
44 #endif
45 
46 #endif
47 
48 #ifdef ENABLE_NSS
49 
52 static SECOidTag
53 digest_alg_to_nss_oid(digest_algorithm_t alg)
54 {
55  switch (alg) {
56  case DIGEST_SHA1: return SEC_OID_SHA1;
57  case DIGEST_SHA256: return SEC_OID_SHA256;
58  case DIGEST_SHA512: return SEC_OID_SHA512;
59  case DIGEST_SHA3_256: /* Fall through */
60  case DIGEST_SHA3_512: /* Fall through */
61  default:
62  return SEC_OID_UNKNOWN;
63  }
64 }
65 
66 /* Helper: get an unkeyed digest via pk11wrap */
67 static int
68 digest_nss_internal(SECOidTag alg,
69  char *digest, unsigned len_out,
70  const char *msg, size_t msg_len)
71 {
72  if (alg == SEC_OID_UNKNOWN)
73  return -1;
74  tor_assert(msg_len <= UINT_MAX);
75 
76  int rv = -1;
77  SECStatus s;
78  PK11Context *ctx = PK11_CreateDigestContext(alg);
79  if (!ctx)
80  return -1;
81 
82  s = PK11_DigestBegin(ctx);
83  if (s != SECSuccess)
84  goto done;
85 
86  s = PK11_DigestOp(ctx, (const unsigned char *)msg, (unsigned int)msg_len);
87  if (s != SECSuccess)
88  goto done;
89 
90  unsigned int len = 0;
91  s = PK11_DigestFinal(ctx, (unsigned char *)digest, &len, len_out);
92  if (s != SECSuccess)
93  goto done;
94 
95  rv = 0;
96  done:
97  PK11_DestroyContext(ctx, PR_TRUE);
98  return rv;
99 }
100 
103 static bool
104 library_supports_digest(digest_algorithm_t alg)
105 {
106  switch (alg) {
107  case DIGEST_SHA1: /* Fall through */
108  case DIGEST_SHA256: /* Fall through */
109  case DIGEST_SHA512: /* Fall through */
110  return true;
111  case DIGEST_SHA3_256: /* Fall through */
112  case DIGEST_SHA3_512: /* Fall through */
113  default:
114  return false;
115  }
116 }
117 #endif
118 
119 /* Crypto digest functions */
120 
126 crypto_digest,(char *digest, const char *m, size_t len))
127 {
128  tor_assert(m);
129  tor_assert(digest);
130 #ifdef ENABLE_NSS
131  return digest_nss_internal(SEC_OID_SHA1, digest, DIGEST_LEN, m, len);
132 #else
133  if (SHA1((const unsigned char*)m,len,(unsigned char*)digest) == NULL) {
134  return -1;
135  }
136 #endif
137  return 0;
138 }
139 
143 int
144 crypto_digest256(char *digest, const char *m, size_t len,
145  digest_algorithm_t algorithm)
146 {
147  tor_assert(m);
148  tor_assert(digest);
149  tor_assert(algorithm == DIGEST_SHA256 || algorithm == DIGEST_SHA3_256);
150 
151  int ret = 0;
152  if (algorithm == DIGEST_SHA256) {
153 #ifdef ENABLE_NSS
154  return digest_nss_internal(SEC_OID_SHA256, digest, DIGEST256_LEN, m, len);
155 #else
156  ret = (SHA256((const uint8_t*)m,len,(uint8_t*)digest) != NULL);
157 #endif
158  } else {
159 #ifdef OPENSSL_HAS_SHA3
160  unsigned int dlen = DIGEST256_LEN;
161  ret = EVP_Digest(m, len, (uint8_t*)digest, &dlen, EVP_sha3_256(), NULL);
162 #else
163  ret = (sha3_256((uint8_t *)digest, DIGEST256_LEN,(const uint8_t *)m, len)
164  > -1);
165 #endif
166  }
167 
168  if (!ret)
169  return -1;
170  return 0;
171 }
172 
176 int
177 crypto_digest512(char *digest, const char *m, size_t len,
178  digest_algorithm_t algorithm)
179 {
180  tor_assert(m);
181  tor_assert(digest);
182  tor_assert(algorithm == DIGEST_SHA512 || algorithm == DIGEST_SHA3_512);
183 
184  int ret = 0;
185  if (algorithm == DIGEST_SHA512) {
186 #ifdef ENABLE_NSS
187  return digest_nss_internal(SEC_OID_SHA512, digest, DIGEST512_LEN, m, len);
188 #else
189  ret = (SHA512((const unsigned char*)m,len,(unsigned char*)digest)
190  != NULL);
191 #endif
192  } else {
193 #ifdef OPENSSL_HAS_SHA3
194  unsigned int dlen = DIGEST512_LEN;
195  ret = EVP_Digest(m, len, (uint8_t*)digest, &dlen, EVP_sha3_512(), NULL);
196 #else
197  ret = (sha3_512((uint8_t*)digest, DIGEST512_LEN, (const uint8_t*)m, len)
198  > -1);
199 #endif
200  }
201 
202  if (!ret)
203  return -1;
204  return 0;
205 }
206 
210 int
211 crypto_common_digests(common_digests_t *ds_out, const char *m, size_t len)
212 {
213  tor_assert(ds_out);
214  memset(ds_out, 0, sizeof(*ds_out));
215  if (crypto_digest(ds_out->d[DIGEST_SHA1], m, len) < 0)
216  return -1;
217  if (crypto_digest256(ds_out->d[DIGEST_SHA256], m, len, DIGEST_SHA256) < 0)
218  return -1;
219 
220  return 0;
221 }
222 
224 const char *
225 crypto_digest_algorithm_get_name(digest_algorithm_t alg)
226 {
227  switch (alg) {
228  case DIGEST_SHA1:
229  return "sha1";
230  case DIGEST_SHA256:
231  return "sha256";
232  case DIGEST_SHA512:
233  return "sha512";
234  case DIGEST_SHA3_256:
235  return "sha3-256";
236  case DIGEST_SHA3_512:
237  return "sha3-512";
238  // LCOV_EXCL_START
239  default:
241  return "??unknown_digest??";
242  // LCOV_EXCL_STOP
243  }
244 }
245 
248 int
250 {
251  if (!strcmp(name, "sha1"))
252  return DIGEST_SHA1;
253  else if (!strcmp(name, "sha256"))
254  return DIGEST_SHA256;
255  else if (!strcmp(name, "sha512"))
256  return DIGEST_SHA512;
257  else if (!strcmp(name, "sha3-256"))
258  return DIGEST_SHA3_256;
259  else if (!strcmp(name, "sha3-512"))
260  return DIGEST_SHA3_512;
261  else
262  return -1;
263 }
264 
266 size_t
267 crypto_digest_algorithm_get_length(digest_algorithm_t alg)
268 {
269  switch (alg) {
270  case DIGEST_SHA1:
271  return DIGEST_LEN;
272  case DIGEST_SHA256:
273  return DIGEST256_LEN;
274  case DIGEST_SHA512:
275  return DIGEST512_LEN;
276  case DIGEST_SHA3_256:
277  return DIGEST256_LEN;
278  case DIGEST_SHA3_512:
279  return DIGEST512_LEN;
280  default:
281  tor_assert(0); // LCOV_EXCL_LINE
282  return 0; /* Unreachable */ // LCOV_EXCL_LINE
283  }
284 }
285 
288  digest_algorithm_t algorithm;
293  union {
294 #ifdef ENABLE_NSS
295  PK11Context *ctx;
296 #else
297  SHA_CTX sha1;
298  SHA256_CTX sha2;
299  SHA512_CTX sha512;
300 #endif
301 #ifdef OPENSSL_HAS_SHA3
302  EVP_MD_CTX *md;
303 #else
304  keccak_state sha3;
305 #endif
306  } d;
307 };
308 
309 #ifdef TOR_UNIT_TESTS
310 
311 digest_algorithm_t
312 crypto_digest_get_algorithm(crypto_digest_t *digest)
313 {
314  tor_assert(digest);
315 
316  return digest->algorithm;
317 }
318 
319 #endif /* defined(TOR_UNIT_TESTS) */
320 
326 static size_t
327 crypto_digest_alloc_bytes(digest_algorithm_t alg)
328 {
329  /* Helper: returns the number of bytes in the 'f' field of 'st' */
330 #define STRUCT_FIELD_SIZE(st, f) (sizeof( ((st*)0)->f ))
331  /* Gives the length of crypto_digest_t through the end of the field 'd' */
332 #define END_OF_FIELD(f) (offsetof(crypto_digest_t, f) + \
333  STRUCT_FIELD_SIZE(crypto_digest_t, f))
334  switch (alg) {
335 #ifdef ENABLE_NSS
336  case DIGEST_SHA1: /* Fall through */
337  case DIGEST_SHA256: /* Fall through */
338  case DIGEST_SHA512:
339  return END_OF_FIELD(d.ctx);
340 #else
341  case DIGEST_SHA1:
342  return END_OF_FIELD(d.sha1);
343  case DIGEST_SHA256:
344  return END_OF_FIELD(d.sha2);
345  case DIGEST_SHA512:
346  return END_OF_FIELD(d.sha512);
347 #endif
348 #ifdef OPENSSL_HAS_SHA3
349  case DIGEST_SHA3_256: /* Fall through */
350  case DIGEST_SHA3_512:
351  return END_OF_FIELD(d.md);
352 #else
353  case DIGEST_SHA3_256: /* Fall through */
354  case DIGEST_SHA3_512:
355  return END_OF_FIELD(d.sha3);
356 #endif
357  default:
358  tor_assert(0); // LCOV_EXCL_LINE
359  return 0; // LCOV_EXCL_LINE
360  }
361 #undef END_OF_FIELD
362 #undef STRUCT_FIELD_SIZE
363 }
364 
369 static crypto_digest_t *
370 crypto_digest_new_internal(digest_algorithm_t algorithm)
371 {
372  crypto_digest_t *r = tor_malloc(crypto_digest_alloc_bytes(algorithm));
373  r->algorithm = algorithm;
374 
375  switch (algorithm)
376  {
377 #ifdef ENABLE_NSS
378  case DIGEST_SHA1: /* fall through */
379  case DIGEST_SHA256: /* fall through */
380  case DIGEST_SHA512:
381  r->d.ctx = PK11_CreateDigestContext(digest_alg_to_nss_oid(algorithm));
382  if (BUG(!r->d.ctx)) {
383  tor_free(r);
384  return NULL;
385  }
386  if (BUG(SECSuccess != PK11_DigestBegin(r->d.ctx))) {
387  crypto_digest_free(r);
388  return NULL;
389  }
390  break;
391 #else
392  case DIGEST_SHA1:
393  SHA1_Init(&r->d.sha1);
394  break;
395  case DIGEST_SHA256:
396  SHA256_Init(&r->d.sha2);
397  break;
398  case DIGEST_SHA512:
399  SHA512_Init(&r->d.sha512);
400  break;
401 #endif
402 #ifdef OPENSSL_HAS_SHA3
403  case DIGEST_SHA3_256:
404  r->d.md = EVP_MD_CTX_new();
405  if (!EVP_DigestInit(r->d.md, EVP_sha3_256())) {
406  crypto_digest_free(r);
407  return NULL;
408  }
409  break;
410  case DIGEST_SHA3_512:
411  r->d.md = EVP_MD_CTX_new();
412  if (!EVP_DigestInit(r->d.md, EVP_sha3_512())) {
413  crypto_digest_free(r);
414  return NULL;
415  }
416  break;
417 #else
418  case DIGEST_SHA3_256:
419  keccak_digest_init(&r->d.sha3, 256);
420  break;
421  case DIGEST_SHA3_512:
422  keccak_digest_init(&r->d.sha3, 512);
423  break;
424 #endif
425  default:
426  tor_assert_unreached();
427  }
428 
429  return r;
430 }
431 
436 {
437  return crypto_digest_new_internal(DIGEST_SHA1);
438 }
439 
447 crypto_digest256_new(digest_algorithm_t algorithm)
448 {
449  tor_assert(algorithm == DIGEST_SHA256 || algorithm == DIGEST_SHA3_256);
450  return crypto_digest_new_internal(algorithm);
451 }
452 
456 crypto_digest512_new(digest_algorithm_t algorithm)
457 {
458  tor_assert(algorithm == DIGEST_SHA512 || algorithm == DIGEST_SHA3_512);
459  return crypto_digest_new_internal(algorithm);
460 }
461 
464 void
466 {
467  if (!digest)
468  return;
469 #ifdef ENABLE_NSS
470  if (library_supports_digest(digest->algorithm)) {
471  PK11_DestroyContext(digest->d.ctx, PR_TRUE);
472  }
473 #endif
474 #ifdef OPENSSL_HAS_SHA3
475  if (digest->algorithm == DIGEST_SHA3_256 ||
476  digest->algorithm == DIGEST_SHA3_512) {
477  if (digest->d.md) {
478  EVP_MD_CTX_free(digest->d.md);
479  }
480  }
481 #endif
482  size_t bytes = crypto_digest_alloc_bytes(digest->algorithm);
483  memwipe(digest, 0, bytes);
484  tor_free(digest);
485 }
486 
492 void
493 crypto_digest_add_bytes(crypto_digest_t *digest, const char *data,
494  size_t len)
495 {
496  tor_assert(digest);
497  tor_assert(data);
498  /* Using the SHA*_*() calls directly means we don't support doing
499  * SHA in hardware. But so far the delay of getting the question
500  * to the hardware, and hearing the answer, is likely higher than
501  * just doing it ourselves. Hashes are fast.
502  */
503  switch (digest->algorithm) {
504 #ifdef ENABLE_NSS
505  case DIGEST_SHA1: /* fall through */
506  case DIGEST_SHA256: /* fall through */
507  case DIGEST_SHA512:
508  tor_assert(len <= UINT_MAX);
509  SECStatus s = PK11_DigestOp(digest->d.ctx,
510  (const unsigned char *)data,
511  (unsigned int)len);
512  tor_assert(s == SECSuccess);
513  break;
514 #else
515  case DIGEST_SHA1:
516  SHA1_Update(&digest->d.sha1, (void*)data, len);
517  break;
518  case DIGEST_SHA256:
519  SHA256_Update(&digest->d.sha2, (void*)data, len);
520  break;
521  case DIGEST_SHA512:
522  SHA512_Update(&digest->d.sha512, (void*)data, len);
523  break;
524 #endif
525 #ifdef OPENSSL_HAS_SHA3
526  case DIGEST_SHA3_256: /* FALLSTHROUGH */
527  case DIGEST_SHA3_512: {
528  int r = EVP_DigestUpdate(digest->d.md, data, len);
529  tor_assert(r);
530  }
531  break;
532 #else
533  case DIGEST_SHA3_256: /* FALLSTHROUGH */
534  case DIGEST_SHA3_512:
535  keccak_digest_update(&digest->d.sha3, (const uint8_t *)data, len);
536  break;
537 #endif
538  default:
539  /* LCOV_EXCL_START */
541  break;
542  /* LCOV_EXCL_STOP */
543  }
544 }
545 
553 void
555  char *out, size_t out_len)
556 {
557  unsigned char r[DIGEST512_LEN];
558  tor_assert(digest);
559  tor_assert(out);
561 
562  if (digest->algorithm == DIGEST_SHA3_256 ||
563  digest->algorithm == DIGEST_SHA3_512) {
564 #ifdef OPENSSL_HAS_SHA3
565  unsigned dlen = (unsigned)
567  EVP_MD_CTX *tmp = EVP_MD_CTX_new();
568  EVP_MD_CTX_copy(tmp, digest->d.md);
569  memset(r, 0xff, sizeof(r));
570  int res = EVP_DigestFinal(tmp, r, &dlen);
571  EVP_MD_CTX_free(tmp);
572  tor_assert(res == 1);
573  goto done;
574 #else
575  /* Tiny-Keccak handles copying into a temporary ctx, and also can handle
576  * short output buffers by truncating appropriately. */
577  keccak_digest_sum(&digest->d.sha3, (uint8_t *)out, out_len);
578  return;
579 #endif
580  }
581 
582 #ifdef ENABLE_NSS
583  /* Copy into a temporary buffer since DigestFinal (alters) the context */
584  unsigned char buf[1024];
585  unsigned int saved_len = 0;
586  unsigned rlen;
587  unsigned char *saved = PK11_SaveContextAlloc(digest->d.ctx,
588  buf, sizeof(buf),
589  &saved_len);
590  tor_assert(saved);
591  SECStatus s = PK11_DigestFinal(digest->d.ctx, r, &rlen, sizeof(r));
592  tor_assert(s == SECSuccess);
593  tor_assert(rlen >= out_len);
594  s = PK11_RestoreContext(digest->d.ctx, saved, saved_len);
595  tor_assert(s == SECSuccess);
596  if (saved != buf) {
597  PORT_ZFree(saved, saved_len);
598  }
599 #else
600  const size_t alloc_bytes = crypto_digest_alloc_bytes(digest->algorithm);
601  crypto_digest_t tmpenv;
602  /* memcpy into a temporary ctx, since SHA*_Final clears the context */
603  memcpy(&tmpenv, digest, alloc_bytes);
604  switch (digest->algorithm) {
605  case DIGEST_SHA1:
606  SHA1_Final(r, &tmpenv.d.sha1);
607  break;
608  case DIGEST_SHA256:
609  SHA256_Final(r, &tmpenv.d.sha2);
610  break;
611  case DIGEST_SHA512:
612  SHA512_Final(r, &tmpenv.d.sha512);
613  break;
614 //LCOV_EXCL_START
615  case DIGEST_SHA3_256: /* FALLSTHROUGH */
616  case DIGEST_SHA3_512:
617  default:
618  log_warn(LD_BUG, "Handling unexpected algorithm %d", digest->algorithm);
619  /* This is fatal, because it should never happen. */
620  tor_assert_unreached();
621  break;
622 //LCOV_EXCL_STOP
623  }
624 #endif
625 
626 #ifdef OPENSSL_HAS_SHA3
627  done:
628 #endif
629  memcpy(out, r, out_len);
630  memwipe(r, 0, sizeof(r));
631 }
632 
641 {
642  tor_assert(digest);
643  const size_t alloc_bytes = crypto_digest_alloc_bytes(digest->algorithm);
644  crypto_digest_t *result = tor_memdup(digest, alloc_bytes);
645 #ifdef ENABLE_NSS
646  if (library_supports_digest(digest->algorithm)) {
647  result->d.ctx = PK11_CloneContext(digest->d.ctx);
648  }
649 #endif
650 #ifdef OPENSSL_HAS_SHA3
651  if (digest->algorithm == DIGEST_SHA3_256 ||
652  digest->algorithm == DIGEST_SHA3_512) {
653  result->d.md = EVP_MD_CTX_new();
654  EVP_MD_CTX_copy(result->d.md, digest->d.md);
655  }
656 #endif
657  return result;
658 }
659 
663 void
665  const crypto_digest_t *digest)
666 {
667  const size_t bytes = crypto_digest_alloc_bytes(digest->algorithm);
668  tor_assert(bytes <= sizeof(checkpoint->mem));
669 #ifdef ENABLE_NSS
670  if (library_supports_digest(digest->algorithm)) {
671  unsigned char *allocated;
672  allocated = PK11_SaveContextAlloc(digest->d.ctx,
673  (unsigned char *)checkpoint->mem,
674  sizeof(checkpoint->mem),
675  &checkpoint->bytes_used);
676  /* No allocation is allowed here. */
677  tor_assert(allocated == checkpoint->mem);
678  return;
679  }
680 #endif
681  memcpy(checkpoint->mem, digest, bytes);
682 }
683 
687 void
689  const crypto_digest_checkpoint_t *checkpoint)
690 {
691  const size_t bytes = crypto_digest_alloc_bytes(digest->algorithm);
692 #ifdef ENABLE_NSS
693  if (library_supports_digest(digest->algorithm)) {
694  SECStatus s = PK11_RestoreContext(digest->d.ctx,
695  (unsigned char *)checkpoint->mem,
696  checkpoint->bytes_used);
697  tor_assert(s == SECSuccess);
698  return;
699  }
700 #endif
701  memcpy(digest, checkpoint->mem, bytes);
702 }
703 
708 void
710  const crypto_digest_t *from)
711 {
712  tor_assert(into);
713  tor_assert(from);
714  tor_assert(into->algorithm == from->algorithm);
715  const size_t alloc_bytes = crypto_digest_alloc_bytes(from->algorithm);
716 #ifdef ENABLE_NSS
717  if (library_supports_digest(from->algorithm)) {
718  PK11_DestroyContext(into->d.ctx, PR_TRUE);
719  into->d.ctx = PK11_CloneContext(from->d.ctx);
720  return;
721  }
722 #endif
723 
724 #ifdef OPENSSL_HAS_SHA3
725  if (from->algorithm == DIGEST_SHA3_256 ||
726  from->algorithm == DIGEST_SHA3_512) {
727  EVP_MD_CTX_copy(into->d.md, from->d.md);
728  return;
729  }
730 #endif
731 
732  memcpy(into,from,alloc_bytes);
733 }
734 
740 void
741 crypto_digest_smartlist(char *digest_out, size_t len_out,
742  const smartlist_t *lst,
743  const char *append,
744  digest_algorithm_t alg)
745 {
746  crypto_digest_smartlist_prefix(digest_out, len_out, NULL, lst, append, alg);
747 }
748 
755 void
756 crypto_digest_smartlist_prefix(char *digest_out, size_t len_out,
757  const char *prepend,
758  const smartlist_t *lst,
759  const char *append,
760  digest_algorithm_t alg)
761 {
763  if (prepend)
764  crypto_digest_add_bytes(d, prepend, strlen(prepend));
765  SMARTLIST_FOREACH(lst, const char *, cp,
766  crypto_digest_add_bytes(d, cp, strlen(cp)));
767  if (append)
768  crypto_digest_add_bytes(d, append, strlen(append));
769  crypto_digest_get_digest(d, digest_out, len_out);
770  crypto_digest_free(d);
771 }
772 
777 void
778 crypto_hmac_sha256(char *hmac_out,
779  const char *key, size_t key_len,
780  const char *msg, size_t msg_len)
781 {
782  /* If we've got OpenSSL >=0.9.8 we can use its hmac implementation. */
783  tor_assert(key_len < INT_MAX);
784  tor_assert(msg_len < INT_MAX);
785  tor_assert(hmac_out);
786 #ifdef ENABLE_NSS
787  PK11SlotInfo *slot = NULL;
788  PK11SymKey *symKey = NULL;
789  PK11Context *hmac = NULL;
790 
791  int ok = 0;
792  SECStatus s;
793  SECItem keyItem, paramItem;
794  keyItem.data = (unsigned char *)key;
795  keyItem.len = (unsigned)key_len;
796  paramItem.type = siBuffer;
797  paramItem.data = NULL;
798  paramItem.len = 0;
799 
800  slot = PK11_GetBestSlot(CKM_SHA256_HMAC, NULL);
801  if (!slot)
802  goto done;
803  symKey = PK11_ImportSymKey(slot, CKM_SHA256_HMAC,
804  PK11_OriginUnwrap, CKA_SIGN, &keyItem, NULL);
805  if (!symKey)
806  goto done;
807 
808  hmac = PK11_CreateContextBySymKey(CKM_SHA256_HMAC, CKA_SIGN, symKey,
809  &paramItem);
810  if (!hmac)
811  goto done;
812  s = PK11_DigestBegin(hmac);
813  if (s != SECSuccess)
814  goto done;
815  s = PK11_DigestOp(hmac, (const unsigned char *)msg, (unsigned int)msg_len);
816  if (s != SECSuccess)
817  goto done;
818  unsigned int len=0;
819  s = PK11_DigestFinal(hmac, (unsigned char *)hmac_out, &len, DIGEST256_LEN);
820  if (s != SECSuccess || len != DIGEST256_LEN)
821  goto done;
822  ok = 1;
823 
824  done:
825  if (hmac)
826  PK11_DestroyContext(hmac, PR_TRUE);
827  if (symKey)
828  PK11_FreeSymKey(symKey);
829  if (slot)
830  PK11_FreeSlot(slot);
831 
832  tor_assert(ok);
833 #else
834  unsigned char *rv = NULL;
835  rv = HMAC(EVP_sha256(), key, (int)key_len, (unsigned char*)msg, (int)msg_len,
836  (unsigned char*)hmac_out, NULL);
837  tor_assert(rv);
838 #endif
839 }
840 
845 void
846 crypto_mac_sha3_256(uint8_t *mac_out, size_t len_out,
847  const uint8_t *key, size_t key_len,
848  const uint8_t *msg, size_t msg_len)
849 {
850  crypto_digest_t *digest;
851 
852  const uint64_t key_len_netorder = tor_htonll(key_len);
853 
854  tor_assert(mac_out);
855  tor_assert(key);
856  tor_assert(msg);
857 
858  digest = crypto_digest256_new(DIGEST_SHA3_256);
859 
860  /* Order matters here that is any subsystem using this function should
861  * expect this very precise ordering in the MAC construction. */
862  crypto_digest_add_bytes(digest, (const char *) &key_len_netorder,
863  sizeof(key_len_netorder));
864  crypto_digest_add_bytes(digest, (const char *) key, key_len);
865  crypto_digest_add_bytes(digest, (const char *) msg, msg_len);
866  crypto_digest_get_digest(digest, (char *) mac_out, len_out);
867  crypto_digest_free(digest);
868 }
869 
870 /* xof functions */
871 
873 struct crypto_xof_t {
874 #ifdef OPENSSL_HAS_SHAKE3_EVP
875  /* XXXX We can't enable this yet, because OpenSSL's
876  * DigestFinalXOF function can't be called repeatedly on the same
877  * XOF.
878  *
879  * We could in theory use the undocumented SHA3_absorb and SHA3_squeeze
880  * functions, but let's not mess with undocumented OpenSSL internals any
881  * more than we have to.
882  *
883  * We could also revise our XOF code so that it only allows a single
884  * squeeze operation; we don't require streaming squeeze operations
885  * outside the tests yet.
886  */
887  EVP_MD_CTX *ctx;
888 #else
889  keccak_state s;
890 #endif
891 };
892 
898 crypto_xof_t *
900 {
901  crypto_xof_t *xof;
902  xof = tor_malloc(sizeof(crypto_xof_t));
903 #ifdef OPENSSL_HAS_SHAKE256
904  xof->ctx = EVP_MD_CTX_new();
905  tor_assert(xof->ctx);
906  int r = EVP_DigestInit(xof->ctx, EVP_shake256());
907  tor_assert(r == 1);
908 #else
909  keccak_xof_init(&xof->s, 256);
910 #endif
911  return xof;
912 }
913 
918 void
919 crypto_xof_add_bytes(crypto_xof_t *xof, const uint8_t *data, size_t len)
920 {
921 #ifdef OPENSSL_HAS_SHAKE256
922  int r = EVP_DigestUpdate(xof->ctx, data, len);
923  tor_assert(r == 1);
924 #else
925  int i = keccak_xof_absorb(&xof->s, data, len);
926  tor_assert(i == 0);
927 #endif
928 }
929 
933 void
934 crypto_xof_squeeze_bytes(crypto_xof_t *xof, uint8_t *out, size_t len)
935 {
936 #ifdef OPENSSL_HAS_SHAKE256
937  int r = EVP_DigestFinalXOF(xof->ctx, out, len);
938  tor_assert(r == 1);
939 #else
940  int i = keccak_xof_squeeze(&xof->s, out, len);
941  tor_assert(i == 0);
942 #endif
943 }
944 
946 void
948 {
949  if (!xof)
950  return;
951 #ifdef OPENSSL_HAS_SHAKE256
952  if (xof->ctx)
953  EVP_MD_CTX_free(xof->ctx);
954 #endif
955  memwipe(xof, 0, sizeof(crypto_xof_t));
956  tor_free(xof);
957 }
958 
961 void
962 crypto_xof(uint8_t *output, size_t output_len,
963  const uint8_t *input, size_t input_len)
964 {
965 #ifdef OPENSSL_HAS_SHA3
966  EVP_MD_CTX *ctx = EVP_MD_CTX_new();
967  tor_assert(ctx);
968  int r = EVP_DigestInit(ctx, EVP_shake256());
969  tor_assert(r == 1);
970  r = EVP_DigestUpdate(ctx, input, input_len);
971  tor_assert(r == 1);
972  r = EVP_DigestFinalXOF(ctx, output, output_len);
973  tor_assert(r == 1);
974  EVP_MD_CTX_free(ctx);
975 #else
976  crypto_xof_t *xof = crypto_xof_new();
977  crypto_xof_add_bytes(xof, input, input_len);
978  crypto_xof_squeeze_bytes(xof, output, output_len);
979  crypto_xof_free(xof);
980 #endif
981 }
void crypto_digest_add_bytes(crypto_digest_t *digest, const char *data, size_t len)
crypto_digest_t * crypto_digest512_new(digest_algorithm_t algorithm)
void crypto_digest_smartlist_prefix(char *digest_out, size_t len_out, const char *prepend, const smartlist_t *lst, const char *append, digest_algorithm_t alg)
Header for smartlist.c.
void crypto_digest_smartlist(char *digest_out, size_t len_out, const smartlist_t *lst, const char *append, digest_algorithm_t alg)
#define DIGEST512_LEN
Definition: digest_sizes.h:25
digest_algorithm_t algorithm
void crypto_digest_restore(crypto_digest_t *digest, const crypto_digest_checkpoint_t *checkpoint)
void crypto_xof_add_bytes(crypto_xof_t *xof, const uint8_t *data, size_t len)
Headers for crypto_openssl_mgt.c.
int crypto_digest_algorithm_parse_name(const char *name)
crypto_digest_t * crypto_digest_new(void)
int crypto_digest512(char *digest, const char *m, size_t len, digest_algorithm_t algorithm)
void crypto_xof_squeeze_bytes(crypto_xof_t *xof, uint8_t *out, size_t len)
#define tor_free(p)
Definition: malloc.h:52
#define tor_fragile_assert()
Definition: util_bug.h:221
int crypto_digest256(char *digest, const char *m, size_t len, digest_algorithm_t algorithm)
static crypto_digest_t * crypto_digest_new_internal(digest_algorithm_t algorithm)
void memwipe(void *mem, uint8_t byte, size_t sz)
Definition: crypto_util.c:57
void crypto_hmac_sha256(char *hmac_out, const char *key, size_t key_len, const char *msg, size_t msg_len)
SHA512_CTX sha512
void crypto_digest_checkpoint(crypto_digest_checkpoint_t *checkpoint, const crypto_digest_t *digest)
#define DIGEST256_LEN
Definition: digest_sizes.h:23
int crypto_common_digests(common_digests_t *ds_out, const char *m, size_t len)
void crypto_digest_assign(crypto_digest_t *into, const crypto_digest_t *from)
Common functions for cryptographic routines.
tor_assert(buffer)
MOCK_IMPL(int, crypto_digest,(char *digest, const char *m, size_t len))
#define DIGEST_LEN
Definition: digest_sizes.h:20
void crypto_digest_get_digest(crypto_digest_t *digest, char *out, size_t out_len)
keccak_state sha3
static uint64_t tor_htonll(uint64_t a)
Definition: bytes.h:167
Headers for crypto_digest.c.
void crypto_xof(uint8_t *output, size_t output_len, const uint8_t *input, size_t input_len)
const char * crypto_digest_algorithm_get_name(digest_algorithm_t alg)
#define SMARTLIST_FOREACH(sl, type, var, cmd)
void crypto_xof_free_(crypto_xof_t *xof)
Inline functions for reading and writing multibyte values from the middle of strings, and for manipulating byte order.
void crypto_mac_sha3_256(uint8_t *mac_out, size_t len_out, const uint8_t *key, size_t key_len, const uint8_t *msg, size_t msg_len)
crypto_digest_t * crypto_digest_dup(const crypto_digest_t *digest)
size_t crypto_digest_algorithm_get_length(digest_algorithm_t alg)
Headers for log.c.
Macros to manage assertions, fatal and non-fatal.
crypto_xof_t * crypto_xof_new(void)
static size_t crypto_digest_alloc_bytes(digest_algorithm_t alg)
#define LD_BUG
Definition: log.h:82
void crypto_digest_free_(crypto_digest_t *digest)
union crypto_digest_t::@3 d
SHA256_CTX sha2
crypto_digest_t * crypto_digest256_new(digest_algorithm_t algorithm)