search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge branch 'maint-0.4.8'
[tor.git] / src / lib / crypt_ops / crypto_digest.c
blob3e165c2ce221f1302ea2226d699f66e25cb00eea
1 /* Copyright (c) 2001, Matej Pfajfar.
2 * Copyright (c) 2001-2004, Roger Dingledine.
3 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
4 * Copyright (c) 2007-2021, The Tor Project, Inc. */
5 /* See LICENSE for licensing information */
6
7 /**
8 * \file crypto_digest.c
9 * \brief Block of functions related with digest and xof utilities and
10 * operations.
11 **/
12
13 #include "lib/container/smartlist.h"
14 #include "lib/crypt_ops/crypto_digest.h"
15 #include "lib/crypt_ops/crypto_util.h"
16 #include "lib/log/log.h"
17 #include "lib/log/util_bug.h"
18
19 #include "keccak-tiny/keccak-tiny.h"
20
21 #include <stdlib.h>
22 #include <string.h>
23
24 #include "lib/arch/bytes.h"
25
26 /** Set the common_digests_t in <b>ds_out</b> to contain every digest on the
27 * <b>len</b> bytes in <b>m</b> that we know how to compute. Return 0 on
28 * success, -1 on failure. */
29 int
30 crypto_common_digests(common_digests_t *ds_out, const char *m, size_t len)
31 {
32 tor_assert(ds_out);
33 memset(ds_out, 0, sizeof(*ds_out));
34 if (crypto_digest(ds_out->d[DIGEST_SHA1], m, len) < 0)
35 return -1;
36 if (crypto_digest256(ds_out->d[DIGEST_SHA256], m, len, DIGEST_SHA256) < 0)
37 return -1;
38
39 return 0;
40 }
41
42 /** Return the name of an algorithm, as used in directory documents. */
43 const char *
44 crypto_digest_algorithm_get_name(digest_algorithm_t alg)
45 {
46 switch (alg) {
47 case DIGEST_SHA1:
48 return "sha1";
49 case DIGEST_SHA256:
50 return "sha256";
51 case DIGEST_SHA512:
52 return "sha512";
53 case DIGEST_SHA3_256:
54 return "sha3-256";
55 case DIGEST_SHA3_512:
56 return "sha3-512";
57 // LCOV_EXCL_START
58 default:
59 tor_fragile_assert();
60 return "??unknown_digest??";
61 // LCOV_EXCL_STOP
62 }
63 }
64
65 /** Given the name of a digest algorithm, return its integer value, or -1 if
66 * the name is not recognized. */
67 int
68 crypto_digest_algorithm_parse_name(const char *name)
69 {
70 if (!strcmp(name, "sha1"))
71 return DIGEST_SHA1;
72 else if (!strcmp(name, "sha256"))
73 return DIGEST_SHA256;
74 else if (!strcmp(name, "sha512"))
75 return DIGEST_SHA512;
76 else if (!strcmp(name, "sha3-256"))
77 return DIGEST_SHA3_256;
78 else if (!strcmp(name, "sha3-512"))
79 return DIGEST_SHA3_512;
80 else
81 return -1;
82 }
83
84 /** Given an algorithm, return the digest length in bytes. */
85 size_t
86 crypto_digest_algorithm_get_length(digest_algorithm_t alg)
87 {
88 switch (alg) {
89 case DIGEST_SHA1:
90 return DIGEST_LEN;
91 case DIGEST_SHA256:
92 return DIGEST256_LEN;
93 case DIGEST_SHA512:
94 return DIGEST512_LEN;
95 case DIGEST_SHA3_256:
96 return DIGEST256_LEN;
97 case DIGEST_SHA3_512:
98 return DIGEST512_LEN;
99 default:
100 tor_assert(0); // LCOV_EXCL_LINE
101 return 0; /* Unreachable */ // LCOV_EXCL_LINE
102 }
103 }
104
105 /** Compute a MAC using SHA3-256 of <b>msg_len</b> bytes in <b>msg</b> using a
106 * <b>key</b> of length <b>key_len</b> and a <b>salt</b> of length
107 * <b>salt_len</b>. Store the result of <b>len_out</b> bytes in in
108 * <b>mac_out</b>. This function can't fail. */
109 void
110 crypto_mac_sha3_256(uint8_t *mac_out, size_t len_out,
111 const uint8_t *key, size_t key_len,
112 const uint8_t *msg, size_t msg_len)
113 {
114 crypto_digest_t *digest;
115
116 const uint64_t key_len_netorder = tor_htonll(key_len);
117
118 tor_assert(mac_out);
119 tor_assert(key);
120 tor_assert(msg);
121
122 digest = crypto_digest256_new(DIGEST_SHA3_256);
123
124 /* Order matters here that is any subsystem using this function should
125 * expect this very precise ordering in the MAC construction. */
126 crypto_digest_add_bytes(digest, (const char *) &key_len_netorder,
127 sizeof(key_len_netorder));
128 crypto_digest_add_bytes(digest, (const char *) key, key_len);
129 crypto_digest_add_bytes(digest, (const char *) msg, msg_len);
130 crypto_digest_get_digest(digest, (char *) mac_out, len_out);
131 crypto_digest_free(digest);
132 }
133
134 /* xof functions */
135
136 /** Internal state for a eXtendable-Output Function (XOF). */
137 struct crypto_xof_t {
138 #ifdef OPENSSL_HAS_SHAKE3_EVP
139 /* XXXX We can't enable this yet, because OpenSSL's
140 * DigestFinalXOF function can't be called repeatedly on the same
141 * XOF.
142 *
143 * We could in theory use the undocumented SHA3_absorb and SHA3_squeeze
144 * functions, but let's not mess with undocumented OpenSSL internals any
145 * more than we have to.
146 *
147 * We could also revise our XOF code so that it only allows a single
148 * squeeze operation; we don't require streaming squeeze operations
149 * outside the tests yet.
150 */
151 EVP_MD_CTX *ctx;
152 #else /* !defined(OPENSSL_HAS_SHAKE3_EVP) */
153 /**
154 * State of the Keccak sponge for the SHAKE-256 computation.
155 **/
156 keccak_state s;
157 #endif /* defined(OPENSSL_HAS_SHAKE3_EVP) */
158 };
159
160 /** Allocate a new XOF object backed by SHAKE-256. The security level
161 * provided is a function of the length of the output used. Read and
162 * understand FIPS-202 A.2 "Additional Consideration for Extendable-Output
163 * Functions" before using this construct.
164 */
165 crypto_xof_t *
166 crypto_xof_new(void)
167 {
168 crypto_xof_t *xof;
169 xof = tor_malloc(sizeof(crypto_xof_t));
170 #ifdef OPENSSL_HAS_SHAKE256
171 xof->ctx = EVP_MD_CTX_new();
172 tor_assert(xof->ctx);
173 int r = EVP_DigestInit(xof->ctx, EVP_shake256());
174 tor_assert(r == 1);
175 #else /* !defined(OPENSSL_HAS_SHAKE256) */
176 keccak_xof_init(&xof->s, 256);
177 #endif /* defined(OPENSSL_HAS_SHAKE256) */
178 return xof;
179 }
180
181 /** Absorb bytes into a XOF object. Must not be called after a call to
182 * crypto_xof_squeeze_bytes() for the same instance, and will assert
183 * if attempted.
184 */
185 void
186 crypto_xof_add_bytes(crypto_xof_t *xof, const uint8_t *data, size_t len)
187 {
188 #ifdef OPENSSL_HAS_SHAKE256
189 int r = EVP_DigestUpdate(xof->ctx, data, len);
190 tor_assert(r == 1);
191 #else
192 int i = keccak_xof_absorb(&xof->s, data, len);
193 tor_assert(i == 0);
194 #endif /* defined(OPENSSL_HAS_SHAKE256) */
195 }
196
197 /** Squeeze bytes out of a XOF object. Calling this routine will render
198 * the XOF instance ineligible to absorb further data.
199 */
200 void
201 crypto_xof_squeeze_bytes(crypto_xof_t *xof, uint8_t *out, size_t len)
202 {
203 #ifdef OPENSSL_HAS_SHAKE256
204 int r = EVP_DigestFinalXOF(xof->ctx, out, len);
205 tor_assert(r == 1);
206 #else
207 int i = keccak_xof_squeeze(&xof->s, out, len);
208 tor_assert(i == 0);
209 #endif /* defined(OPENSSL_HAS_SHAKE256) */
210 }
211
212 /** Cleanse and deallocate a XOF object. */
213 void
214 crypto_xof_free_(crypto_xof_t *xof)
215 {
216 if (!xof)
217 return;
218 #ifdef OPENSSL_HAS_SHAKE256
219 if (xof->ctx)
220 EVP_MD_CTX_free(xof->ctx);
221 #endif
222 memwipe(xof, 0, sizeof(crypto_xof_t));
223 tor_free(xof);
224 }
225
226 /** Compute the XOF (SHAKE256) of a <b>input_len</b> bytes at <b>input</b>,
227 * putting <b>output_len</b> bytes at <b>output</b>. */
228 void
229 crypto_xof(uint8_t *output, size_t output_len,
230 const uint8_t *input, size_t input_len)
231 {
232 #ifdef OPENSSL_HAS_SHA3
233 EVP_MD_CTX *ctx = EVP_MD_CTX_new();
234 tor_assert(ctx);
235 int r = EVP_DigestInit(ctx, EVP_shake256());
236 tor_assert(r == 1);
237 r = EVP_DigestUpdate(ctx, input, input_len);
238 tor_assert(r == 1);
239 r = EVP_DigestFinalXOF(ctx, output, output_len);
240 tor_assert(r == 1);
241 EVP_MD_CTX_free(ctx);
242 #else /* !defined(OPENSSL_HAS_SHA3) */
243 crypto_xof_t *xof = crypto_xof_new();
244 crypto_xof_add_bytes(xof, input, input_len);
245 crypto_xof_squeeze_bytes(xof, output, output_len);
246 crypto_xof_free(xof);
247 #endif /* defined(OPENSSL_HAS_SHA3) */
248 }
The Onion Router