crypto_digest.c (7272B)
1 /* Copyright (c) 2001, Matej Pfajfar. 2 * Copyright (c) 2001-2004, Roger Dingledine. 3 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson. 4 * Copyright (c) 2007-2021, The Tor Project, Inc. */ 5 /* See LICENSE for licensing information */ 6 7 /** 8 * \file crypto_digest.c 9 * \brief Block of functions related with digest and xof utilities and 10 * operations. 11 **/ 12 13 #include "lib/container/smartlist.h" 14 #include "lib/crypt_ops/crypto_digest.h" 15 #include "lib/crypt_ops/crypto_util.h" 16 #include "lib/log/log.h" 17 #include "lib/log/util_bug.h" 18 19 #include "keccak-tiny/keccak-tiny.h" 20 21 #include <stdlib.h> 22 #include <string.h> 23 24 #include "lib/arch/bytes.h" 25 26 /** Set the common_digests_t in <b>ds_out</b> to contain every digest on the 27 * <b>len</b> bytes in <b>m</b> that we know how to compute. Return 0 on 28 * success, -1 on failure. */ 29 int 30 crypto_common_digests(common_digests_t *ds_out, const char *m, size_t len) 31 { 32 tor_assert(ds_out); 33 memset(ds_out, 0, sizeof(*ds_out)); 34 if (crypto_digest(ds_out->d[DIGEST_SHA1], m, len) < 0) 35 return -1; 36 if (crypto_digest256(ds_out->d[DIGEST_SHA256], m, len, DIGEST_SHA256) < 0) 37 return -1; 38 39 return 0; 40 } 41 42 /** Return the name of an algorithm, as used in directory documents. */ 43 const char * 44 crypto_digest_algorithm_get_name(digest_algorithm_t alg) 45 { 46 switch (alg) { 47 case DIGEST_SHA1: 48 return "sha1"; 49 case DIGEST_SHA256: 50 return "sha256"; 51 case DIGEST_SHA512: 52 return "sha512"; 53 case DIGEST_SHA3_256: 54 return "sha3-256"; 55 case DIGEST_SHA3_512: 56 return "sha3-512"; 57 // LCOV_EXCL_START 58 default: 59 tor_fragile_assert(); 60 return "??unknown_digest??"; 61 // LCOV_EXCL_STOP 62 } 63 } 64 65 /** Given the name of a digest algorithm, return its integer value, or -1 if 66 * the name is not recognized. */ 67 int 68 crypto_digest_algorithm_parse_name(const char *name) 69 { 70 if (!strcmp(name, "sha1")) 71 return DIGEST_SHA1; 72 else if (!strcmp(name, "sha256")) 73 return DIGEST_SHA256; 74 else if (!strcmp(name, "sha512")) 75 return DIGEST_SHA512; 76 else if (!strcmp(name, "sha3-256")) 77 return DIGEST_SHA3_256; 78 else if (!strcmp(name, "sha3-512")) 79 return DIGEST_SHA3_512; 80 else 81 return -1; 82 } 83 84 /** Given an algorithm, return the digest length in bytes. */ 85 size_t 86 crypto_digest_algorithm_get_length(digest_algorithm_t alg) 87 { 88 switch (alg) { 89 case DIGEST_SHA1: 90 return DIGEST_LEN; 91 case DIGEST_SHA256: 92 return DIGEST256_LEN; 93 case DIGEST_SHA512: 94 return DIGEST512_LEN; 95 case DIGEST_SHA3_256: 96 return DIGEST256_LEN; 97 case DIGEST_SHA3_512: 98 return DIGEST512_LEN; 99 default: 100 tor_assert(0); // LCOV_EXCL_LINE 101 return 0; /* Unreachable */ // LCOV_EXCL_LINE 102 } 103 } 104 105 /** Compute a MAC using SHA3-256 of <b>msg_len</b> bytes in <b>msg</b> using a 106 * <b>key</b> of length <b>key_len</b> and a <b>salt</b> of length 107 * <b>salt_len</b>. Store the result of <b>len_out</b> bytes in in 108 * <b>mac_out</b>. This function can't fail. */ 109 void 110 crypto_mac_sha3_256(uint8_t *mac_out, size_t len_out, 111 const uint8_t *key, size_t key_len, 112 const uint8_t *msg, size_t msg_len) 113 { 114 crypto_digest_t *digest; 115 116 const uint64_t key_len_netorder = tor_htonll(key_len); 117 118 tor_assert(mac_out); 119 tor_assert(key); 120 tor_assert(msg); 121 122 digest = crypto_digest256_new(DIGEST_SHA3_256); 123 124 /* Order matters here that is any subsystem using this function should 125 * expect this very precise ordering in the MAC construction. */ 126 crypto_digest_add_bytes(digest, (const char *) &key_len_netorder, 127 sizeof(key_len_netorder)); 128 crypto_digest_add_bytes(digest, (const char *) key, key_len); 129 crypto_digest_add_bytes(digest, (const char *) msg, msg_len); 130 crypto_digest_get_digest(digest, (char *) mac_out, len_out); 131 crypto_digest_free(digest); 132 } 133 134 /* xof functions */ 135 136 /** Internal state for a eXtendable-Output Function (XOF). */ 137 struct crypto_xof_t { 138 #ifdef OPENSSL_HAS_SHAKE3_EVP 139 /* XXXX We can't enable this yet, because OpenSSL's 140 * DigestFinalXOF function can't be called repeatedly on the same 141 * XOF. 142 * 143 * We could in theory use the undocumented SHA3_absorb and SHA3_squeeze 144 * functions, but let's not mess with undocumented OpenSSL internals any 145 * more than we have to. 146 * 147 * We could also revise our XOF code so that it only allows a single 148 * squeeze operation; we don't require streaming squeeze operations 149 * outside the tests yet. 150 */ 151 EVP_MD_CTX *ctx; 152 #else /* !defined(OPENSSL_HAS_SHAKE3_EVP) */ 153 /** 154 * State of the Keccak sponge for the SHAKE-256 computation. 155 **/ 156 keccak_state s; 157 #endif /* defined(OPENSSL_HAS_SHAKE3_EVP) */ 158 }; 159 160 /** Allocate a new XOF object backed by SHAKE-256. The security level 161 * provided is a function of the length of the output used. Read and 162 * understand FIPS-202 A.2 "Additional Consideration for Extendable-Output 163 * Functions" before using this construct. 164 */ 165 crypto_xof_t * 166 crypto_xof_new(void) 167 { 168 crypto_xof_t *xof; 169 xof = tor_malloc(sizeof(crypto_xof_t)); 170 #ifdef OPENSSL_HAS_SHAKE256 171 xof->ctx = EVP_MD_CTX_new(); 172 tor_assert(xof->ctx); 173 int r = EVP_DigestInit(xof->ctx, EVP_shake256()); 174 tor_assert(r == 1); 175 #else /* !defined(OPENSSL_HAS_SHAKE256) */ 176 keccak_xof_init(&xof->s, 256); 177 #endif /* defined(OPENSSL_HAS_SHAKE256) */ 178 return xof; 179 } 180 181 /** Absorb bytes into a XOF object. Must not be called after a call to 182 * crypto_xof_squeeze_bytes() for the same instance, and will assert 183 * if attempted. 184 */ 185 void 186 crypto_xof_add_bytes(crypto_xof_t *xof, const uint8_t *data, size_t len) 187 { 188 #ifdef OPENSSL_HAS_SHAKE256 189 int r = EVP_DigestUpdate(xof->ctx, data, len); 190 tor_assert(r == 1); 191 #else 192 int i = keccak_xof_absorb(&xof->s, data, len); 193 tor_assert(i == 0); 194 #endif /* defined(OPENSSL_HAS_SHAKE256) */ 195 } 196 197 /** Squeeze bytes out of a XOF object. Calling this routine will render 198 * the XOF instance ineligible to absorb further data. 199 */ 200 void 201 crypto_xof_squeeze_bytes(crypto_xof_t *xof, uint8_t *out, size_t len) 202 { 203 #ifdef OPENSSL_HAS_SHAKE256 204 int r = EVP_DigestFinalXOF(xof->ctx, out, len); 205 tor_assert(r == 1); 206 #else 207 int i = keccak_xof_squeeze(&xof->s, out, len); 208 tor_assert(i == 0); 209 #endif /* defined(OPENSSL_HAS_SHAKE256) */ 210 } 211 212 /** Cleanse and deallocate a XOF object. */ 213 void 214 crypto_xof_free_(crypto_xof_t *xof) 215 { 216 if (!xof) 217 return; 218 #ifdef OPENSSL_HAS_SHAKE256 219 if (xof->ctx) 220 EVP_MD_CTX_free(xof->ctx); 221 #endif 222 memwipe(xof, 0, sizeof(crypto_xof_t)); 223 tor_free(xof); 224 } 225 226 /** Compute the XOF (SHAKE256) of a <b>input_len</b> bytes at <b>input</b>, 227 * putting <b>output_len</b> bytes at <b>output</b>. */ 228 void 229 crypto_xof(uint8_t *output, size_t output_len, 230 const uint8_t *input, size_t input_len) 231 { 232 #ifdef OPENSSL_HAS_SHA3 233 EVP_MD_CTX *ctx = EVP_MD_CTX_new(); 234 tor_assert(ctx); 235 int r = EVP_DigestInit(ctx, EVP_shake256()); 236 tor_assert(r == 1); 237 r = EVP_DigestUpdate(ctx, input, input_len); 238 tor_assert(r == 1); 239 r = EVP_DigestFinalXOF(ctx, output, output_len); 240 tor_assert(r == 1); 241 EVP_MD_CTX_free(ctx); 242 #else /* !defined(OPENSSL_HAS_SHA3) */ 243 crypto_xof_t *xof = crypto_xof_new(); 244 crypto_xof_add_bytes(xof, input, input_len); 245 crypto_xof_squeeze_bytes(xof, output, output_len); 246 crypto_xof_free(xof); 247 #endif /* defined(OPENSSL_HAS_SHA3) */ 248 }