crypto_digest_nss.c (17192B)
1 /* Copyright (c) 2001, Matej Pfajfar. 2 * Copyright (c) 2001-2004, Roger Dingledine. 3 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson. 4 * Copyright (c) 2007-2021, The Tor Project, Inc. */ 5 /* See LICENSE for licensing information */ 6 7 /** 8 * \file crypto_digest_nss.c 9 * \brief Block of functions related with digest and xof utilities and 10 * operations (NSS specific implementations). 11 **/ 12 13 #include "lib/container/smartlist.h" 14 #include "lib/crypt_ops/crypto_digest.h" 15 #include "lib/crypt_ops/crypto_util.h" 16 #include "lib/log/log.h" 17 #include "lib/log/util_bug.h" 18 19 #include "keccak-tiny/keccak-tiny.h" 20 21 #include <stdlib.h> 22 #include <string.h> 23 24 #include "lib/arch/bytes.h" 25 26 DISABLE_GCC_WARNING("-Wstrict-prototypes") 27 #include <pk11pub.h> 28 ENABLE_GCC_WARNING("-Wstrict-prototypes") 29 30 /** 31 * Convert a digest_algorithm_t (used by tor) to a HashType (used by NSS). 32 * On failure, return SEC_OID_UNKNOWN. */ 33 static SECOidTag 34 digest_alg_to_nss_oid(digest_algorithm_t alg) 35 { 36 switch (alg) { 37 case DIGEST_SHA1: return SEC_OID_SHA1; 38 case DIGEST_SHA256: return SEC_OID_SHA256; 39 case DIGEST_SHA512: return SEC_OID_SHA512; 40 case DIGEST_SHA3_256: FALLTHROUGH; 41 case DIGEST_SHA3_512: FALLTHROUGH; 42 default: 43 return SEC_OID_UNKNOWN; 44 } 45 } 46 47 /** Helper: Compute an unkeyed digest of the <b>msg_len</b> bytes at 48 * <b>msg</b>, using the digest algorithm specified by <b>alg</b>. 49 * Store the result in the <b>len_out</b>-byte buffer at <b>digest</b>. 50 * Return the number of bytes written on success, and -1 on failure. 51 **/ 52 static int 53 digest_nss_internal(SECOidTag alg, 54 char *digest, unsigned len_out, 55 const char *msg, size_t msg_len) 56 { 57 if (alg == SEC_OID_UNKNOWN) 58 return -1; 59 tor_assert(msg_len <= UINT_MAX); 60 61 int rv = -1; 62 SECStatus s; 63 PK11Context *ctx = PK11_CreateDigestContext(alg); 64 if (!ctx) 65 return -1; 66 67 s = PK11_DigestBegin(ctx); 68 if (s != SECSuccess) 69 goto done; 70 71 s = PK11_DigestOp(ctx, (const unsigned char *)msg, (unsigned int)msg_len); 72 if (s != SECSuccess) 73 goto done; 74 75 unsigned int len = 0; 76 s = PK11_DigestFinal(ctx, (unsigned char *)digest, &len, len_out); 77 if (s != SECSuccess) 78 goto done; 79 80 rv = 0; 81 done: 82 PK11_DestroyContext(ctx, PR_TRUE); 83 return rv; 84 } 85 86 /** True iff alg is implemented in our crypto library, and we want to use that 87 * implementation */ 88 static bool 89 library_supports_digest(digest_algorithm_t alg) 90 { 91 switch (alg) { 92 case DIGEST_SHA1: FALLTHROUGH; 93 case DIGEST_SHA256: FALLTHROUGH; 94 case DIGEST_SHA512: 95 return true; 96 case DIGEST_SHA3_256: FALLTHROUGH; 97 case DIGEST_SHA3_512: FALLTHROUGH; 98 default: 99 return false; 100 } 101 } 102 103 /* Crypto digest functions */ 104 105 /** Compute the SHA1 digest of the <b>len</b> bytes on data stored in 106 * <b>m</b>. Write the DIGEST_LEN byte result into <b>digest</b>. 107 * Return 0 on success, -1 on failure. 108 */ 109 MOCK_IMPL(int, 110 crypto_digest,(char *digest, const char *m, size_t len)) 111 { 112 tor_assert(m); 113 tor_assert(digest); 114 return digest_nss_internal(SEC_OID_SHA1, digest, DIGEST_LEN, m, len); 115 } 116 117 /** Compute a 256-bit digest of <b>len</b> bytes in data stored in <b>m</b>, 118 * using the algorithm <b>algorithm</b>. Write the DIGEST_LEN256-byte result 119 * into <b>digest</b>. Return 0 on success, -1 on failure. */ 120 int 121 crypto_digest256(char *digest, const char *m, size_t len, 122 digest_algorithm_t algorithm) 123 { 124 tor_assert(m); 125 tor_assert(digest); 126 tor_assert(algorithm == DIGEST_SHA256 || algorithm == DIGEST_SHA3_256); 127 128 int ret = 0; 129 if (algorithm == DIGEST_SHA256) { 130 return digest_nss_internal(SEC_OID_SHA256, digest, DIGEST256_LEN, m, len); 131 } else { 132 ret = (sha3_256((uint8_t *)digest, DIGEST256_LEN,(const uint8_t *)m, len) 133 > -1); 134 } 135 136 if (!ret) 137 return -1; 138 return 0; 139 } 140 141 /** Compute a 512-bit digest of <b>len</b> bytes in data stored in <b>m</b>, 142 * using the algorithm <b>algorithm</b>. Write the DIGEST_LEN512-byte result 143 * into <b>digest</b>. Return 0 on success, -1 on failure. */ 144 int 145 crypto_digest512(char *digest, const char *m, size_t len, 146 digest_algorithm_t algorithm) 147 { 148 tor_assert(m); 149 tor_assert(digest); 150 tor_assert(algorithm == DIGEST_SHA512 || algorithm == DIGEST_SHA3_512); 151 152 int ret = 0; 153 if (algorithm == DIGEST_SHA512) { 154 return digest_nss_internal(SEC_OID_SHA512, digest, DIGEST512_LEN, m, len); 155 } else { 156 ret = (sha3_512((uint8_t*)digest, DIGEST512_LEN, (const uint8_t*)m, len) 157 > -1); 158 } 159 160 if (!ret) 161 return -1; 162 return 0; 163 } 164 165 /** Intermediate information about the digest of a stream of data. */ 166 struct crypto_digest_t { 167 digest_algorithm_t algorithm; /**< Which algorithm is in use? */ 168 /** State for the digest we're using. Only one member of the 169 * union is usable, depending on the value of <b>algorithm</b>. Note also 170 * that space for other members might not even be allocated! 171 */ 172 union { 173 PK11Context *ctx; 174 keccak_state sha3; /**< state for SHA3-[256,512] */ 175 } d; 176 }; 177 178 #ifdef TOR_UNIT_TESTS 179 180 digest_algorithm_t 181 crypto_digest_get_algorithm(crypto_digest_t *digest) 182 { 183 tor_assert(digest); 184 185 return digest->algorithm; 186 } 187 188 #endif /* defined(TOR_UNIT_TESTS) */ 189 190 /** 191 * Return the number of bytes we need to malloc in order to get a 192 * crypto_digest_t for <b>alg</b>, or the number of bytes we need to wipe 193 * when we free one. 194 */ 195 static size_t 196 crypto_digest_alloc_bytes(digest_algorithm_t alg) 197 { 198 /* Helper: returns the number of bytes in the 'f' field of 'st' */ 199 #define STRUCT_FIELD_SIZE(st, f) (sizeof( ((st*)0)->f )) 200 /* Gives the length of crypto_digest_t through the end of the field 'd' */ 201 #define END_OF_FIELD(f) (offsetof(crypto_digest_t, f) + \ 202 STRUCT_FIELD_SIZE(crypto_digest_t, f)) 203 switch (alg) { 204 case DIGEST_SHA1: FALLTHROUGH; 205 case DIGEST_SHA256: FALLTHROUGH; 206 case DIGEST_SHA512: 207 return END_OF_FIELD(d.ctx); 208 case DIGEST_SHA3_256: 209 case DIGEST_SHA3_512: 210 return END_OF_FIELD(d.sha3); 211 default: 212 tor_assert(0); // LCOV_EXCL_LINE 213 return 0; // LCOV_EXCL_LINE 214 } 215 #undef END_OF_FIELD 216 #undef STRUCT_FIELD_SIZE 217 } 218 219 /** 220 * Internal function: create and return a new digest object for 'algorithm'. 221 * Does not typecheck the algorithm. 222 */ 223 static crypto_digest_t * 224 crypto_digest_new_internal(digest_algorithm_t algorithm) 225 { 226 crypto_digest_t *r = tor_malloc(crypto_digest_alloc_bytes(algorithm)); 227 r->algorithm = algorithm; 228 229 switch (algorithm) 230 { 231 case DIGEST_SHA1: FALLTHROUGH; 232 case DIGEST_SHA256: FALLTHROUGH; 233 case DIGEST_SHA512: 234 r->d.ctx = PK11_CreateDigestContext(digest_alg_to_nss_oid(algorithm)); 235 if (BUG(!r->d.ctx)) { 236 tor_free(r); 237 return NULL; 238 } 239 if (BUG(SECSuccess != PK11_DigestBegin(r->d.ctx))) { 240 crypto_digest_free(r); 241 return NULL; 242 } 243 break; 244 case DIGEST_SHA3_256: 245 keccak_digest_init(&r->d.sha3, 256); 246 break; 247 case DIGEST_SHA3_512: 248 keccak_digest_init(&r->d.sha3, 512); 249 break; 250 default: 251 tor_assert_unreached(); 252 } 253 254 return r; 255 } 256 257 /** Allocate and return a new digest object to compute SHA1 digests. 258 */ 259 crypto_digest_t * 260 crypto_digest_new(void) 261 { 262 return crypto_digest_new_internal(DIGEST_SHA1); 263 } 264 265 /** Allocate and return a new digest object to compute 256-bit digests 266 * using <b>algorithm</b>. 267 * 268 * C_RUST_COUPLED: `external::crypto_digest::crypto_digest256_new` 269 * C_RUST_COUPLED: `crypto::digest::Sha256::default` 270 */ 271 crypto_digest_t * 272 crypto_digest256_new(digest_algorithm_t algorithm) 273 { 274 tor_assert(algorithm == DIGEST_SHA256 || algorithm == DIGEST_SHA3_256); 275 return crypto_digest_new_internal(algorithm); 276 } 277 278 /** Allocate and return a new digest object to compute 512-bit digests 279 * using <b>algorithm</b>. */ 280 crypto_digest_t * 281 crypto_digest512_new(digest_algorithm_t algorithm) 282 { 283 tor_assert(algorithm == DIGEST_SHA512 || algorithm == DIGEST_SHA3_512); 284 return crypto_digest_new_internal(algorithm); 285 } 286 287 /** Deallocate a digest object. 288 */ 289 void 290 crypto_digest_free_(crypto_digest_t *digest) 291 { 292 if (!digest) 293 return; 294 if (library_supports_digest(digest->algorithm)) { 295 PK11_DestroyContext(digest->d.ctx, PR_TRUE); 296 } 297 size_t bytes = crypto_digest_alloc_bytes(digest->algorithm); 298 memwipe(digest, 0, bytes); 299 tor_free(digest); 300 } 301 302 /** Add <b>len</b> bytes from <b>data</b> to the digest object. 303 * 304 * C_RUST_COUPLED: `external::crypto_digest::crypto_digest_add_bytess` 305 * C_RUST_COUPLED: `crypto::digest::Sha256::process` 306 */ 307 void 308 crypto_digest_add_bytes(crypto_digest_t *digest, const char *data, 309 size_t len) 310 { 311 tor_assert(digest); 312 tor_assert(data); 313 /* Using the SHA*_*() calls directly means we don't support doing 314 * SHA in hardware. But so far the delay of getting the question 315 * to the hardware, and hearing the answer, is likely higher than 316 * just doing it ourselves. Hashes are fast. 317 */ 318 switch (digest->algorithm) { 319 case DIGEST_SHA1: FALLTHROUGH; 320 case DIGEST_SHA256: FALLTHROUGH; 321 case DIGEST_SHA512: 322 tor_assert(len <= UINT_MAX); 323 SECStatus s = PK11_DigestOp(digest->d.ctx, 324 (const unsigned char *)data, 325 (unsigned int)len); 326 tor_assert(s == SECSuccess); 327 break; 328 case DIGEST_SHA3_256: FALLTHROUGH; 329 case DIGEST_SHA3_512: 330 keccak_digest_update(&digest->d.sha3, (const uint8_t *)data, len); 331 break; 332 default: 333 /* LCOV_EXCL_START */ 334 tor_fragile_assert(); 335 break; 336 /* LCOV_EXCL_STOP */ 337 } 338 } 339 340 /** Compute the hash of the data that has been passed to the digest 341 * object; write the first out_len bytes of the result to <b>out</b>. 342 * <b>out_len</b> must be \<= DIGEST512_LEN. 343 * 344 * C_RUST_COUPLED: `external::crypto_digest::crypto_digest_get_digest` 345 * C_RUST_COUPLED: `impl digest::FixedOutput for Sha256` 346 */ 347 void 348 crypto_digest_get_digest(crypto_digest_t *digest, 349 char *out, size_t out_len) 350 { 351 unsigned char r[DIGEST512_LEN]; 352 tor_assert(digest); 353 tor_assert(out); 354 tor_assert(out_len <= crypto_digest_algorithm_get_length(digest->algorithm)); 355 356 /* The SHA-3 code handles copying into a temporary ctx, and also can handle 357 * short output buffers by truncating appropriately. */ 358 if (digest->algorithm == DIGEST_SHA3_256 || 359 digest->algorithm == DIGEST_SHA3_512) { 360 keccak_digest_sum(&digest->d.sha3, (uint8_t *)out, out_len); 361 return; 362 } 363 364 /* Copy into a temporary buffer since DigestFinal (alters) the context */ 365 unsigned char buf[1024]; 366 unsigned int saved_len = 0; 367 unsigned rlen; 368 unsigned char *saved = PK11_SaveContextAlloc(digest->d.ctx, 369 buf, sizeof(buf), 370 &saved_len); 371 tor_assert(saved); 372 SECStatus s = PK11_DigestFinal(digest->d.ctx, r, &rlen, sizeof(r)); 373 tor_assert(s == SECSuccess); 374 tor_assert(rlen >= out_len); 375 s = PK11_RestoreContext(digest->d.ctx, saved, saved_len); 376 tor_assert(s == SECSuccess); 377 378 if (saved != buf) { 379 PORT_ZFree(saved, saved_len); 380 } 381 memcpy(out, r, out_len); 382 memwipe(r, 0, sizeof(r)); 383 } 384 385 /** Allocate and return a new digest object with the same state as 386 * <b>digest</b> 387 * 388 * C_RUST_COUPLED: `external::crypto_digest::crypto_digest_dup` 389 * C_RUST_COUPLED: `impl Clone for crypto::digest::Sha256` 390 */ 391 crypto_digest_t * 392 crypto_digest_dup(const crypto_digest_t *digest) 393 { 394 tor_assert(digest); 395 const size_t alloc_bytes = crypto_digest_alloc_bytes(digest->algorithm); 396 crypto_digest_t *result = tor_memdup(digest, alloc_bytes); 397 398 if (library_supports_digest(digest->algorithm)) { 399 result->d.ctx = PK11_CloneContext(digest->d.ctx); 400 } 401 402 return result; 403 } 404 405 /** Temporarily save the state of <b>digest</b> in <b>checkpoint</b>. 406 * Asserts that <b>digest</b> is a SHA1 digest object. 407 */ 408 void 409 crypto_digest_checkpoint(crypto_digest_checkpoint_t *checkpoint, 410 const crypto_digest_t *digest) 411 { 412 const size_t bytes = crypto_digest_alloc_bytes(digest->algorithm); 413 tor_assert(bytes <= sizeof(checkpoint->mem)); 414 if (library_supports_digest(digest->algorithm)) { 415 unsigned char *allocated; 416 allocated = PK11_SaveContextAlloc(digest->d.ctx, 417 (unsigned char *)checkpoint->mem, 418 sizeof(checkpoint->mem), 419 &checkpoint->bytes_used); 420 /* No allocation is allowed here. */ 421 tor_assert(allocated == checkpoint->mem); 422 return; 423 } 424 memcpy(checkpoint->mem, digest, bytes); 425 } 426 427 /** Restore the state of <b>digest</b> from <b>checkpoint</b>. 428 * Asserts that <b>digest</b> is a SHA1 digest object. Requires that the 429 * state was previously stored with crypto_digest_checkpoint() */ 430 void 431 crypto_digest_restore(crypto_digest_t *digest, 432 const crypto_digest_checkpoint_t *checkpoint) 433 { 434 const size_t bytes = crypto_digest_alloc_bytes(digest->algorithm); 435 if (library_supports_digest(digest->algorithm)) { 436 SECStatus s = PK11_RestoreContext(digest->d.ctx, 437 (unsigned char *)checkpoint->mem, 438 checkpoint->bytes_used); 439 tor_assert(s == SECSuccess); 440 return; 441 } 442 memcpy(digest, checkpoint->mem, bytes); 443 } 444 445 /** Replace the state of the digest object <b>into</b> with the state 446 * of the digest object <b>from</b>. Requires that 'into' and 'from' 447 * have the same digest type. 448 */ 449 void 450 crypto_digest_assign(crypto_digest_t *into, 451 const crypto_digest_t *from) 452 { 453 tor_assert(into); 454 tor_assert(from); 455 tor_assert(into->algorithm == from->algorithm); 456 const size_t alloc_bytes = crypto_digest_alloc_bytes(from->algorithm); 457 if (library_supports_digest(from->algorithm)) { 458 PK11_DestroyContext(into->d.ctx, PR_TRUE); 459 into->d.ctx = PK11_CloneContext(from->d.ctx); 460 return; 461 } 462 memcpy(into,from,alloc_bytes); 463 } 464 465 /** Given a list of strings in <b>lst</b>, set the <b>len_out</b>-byte digest 466 * at <b>digest_out</b> to the hash of the concatenation of those strings, 467 * plus the optional string <b>append</b>, computed with the algorithm 468 * <b>alg</b>. 469 * <b>out_len</b> must be \<= DIGEST512_LEN. */ 470 void 471 crypto_digest_smartlist(char *digest_out, size_t len_out, 472 const smartlist_t *lst, 473 const char *append, 474 digest_algorithm_t alg) 475 { 476 crypto_digest_smartlist_prefix(digest_out, len_out, NULL, lst, append, alg); 477 } 478 479 /** Given a list of strings in <b>lst</b>, set the <b>len_out</b>-byte digest 480 * at <b>digest_out</b> to the hash of the concatenation of: the 481 * optional string <b>prepend</b>, those strings, 482 * and the optional string <b>append</b>, computed with the algorithm 483 * <b>alg</b>. 484 * <b>len_out</b> must be \<= DIGEST512_LEN. */ 485 void 486 crypto_digest_smartlist_prefix(char *digest_out, size_t len_out, 487 const char *prepend, 488 const smartlist_t *lst, 489 const char *append, 490 digest_algorithm_t alg) 491 { 492 crypto_digest_t *d = crypto_digest_new_internal(alg); 493 if (prepend) 494 crypto_digest_add_bytes(d, prepend, strlen(prepend)); 495 SMARTLIST_FOREACH(lst, const char *, cp, 496 crypto_digest_add_bytes(d, cp, strlen(cp))); 497 if (append) 498 crypto_digest_add_bytes(d, append, strlen(append)); 499 crypto_digest_get_digest(d, digest_out, len_out); 500 crypto_digest_free(d); 501 } 502 503 /** Compute the HMAC-SHA-256 of the <b>msg_len</b> bytes in <b>msg</b>, using 504 * the <b>key</b> of length <b>key_len</b>. Store the DIGEST256_LEN-byte 505 * result in <b>hmac_out</b>. Asserts on failure. 506 */ 507 void 508 crypto_hmac_sha256(char *hmac_out, 509 const char *key, size_t key_len, 510 const char *msg, size_t msg_len) 511 { 512 /* If we've got OpenSSL >=0.9.8 we can use its hmac implementation. */ 513 tor_assert(key_len < INT_MAX); 514 tor_assert(msg_len < INT_MAX); 515 tor_assert(hmac_out); 516 517 PK11SlotInfo *slot = NULL; 518 PK11SymKey *symKey = NULL; 519 PK11Context *hmac = NULL; 520 521 int ok = 0; 522 SECStatus s; 523 SECItem keyItem, paramItem; 524 keyItem.data = (unsigned char *)key; 525 keyItem.len = (unsigned)key_len; 526 paramItem.type = siBuffer; 527 paramItem.data = NULL; 528 paramItem.len = 0; 529 530 slot = PK11_GetBestSlot(CKM_SHA256_HMAC, NULL); 531 if (!slot) 532 goto done; 533 symKey = PK11_ImportSymKey(slot, CKM_SHA256_HMAC, 534 PK11_OriginUnwrap, CKA_SIGN, &keyItem, NULL); 535 if (!symKey) 536 goto done; 537 538 hmac = PK11_CreateContextBySymKey(CKM_SHA256_HMAC, CKA_SIGN, symKey, 539 ¶mItem); 540 if (!hmac) 541 goto done; 542 s = PK11_DigestBegin(hmac); 543 if (s != SECSuccess) 544 goto done; 545 s = PK11_DigestOp(hmac, (const unsigned char *)msg, (unsigned int)msg_len); 546 if (s != SECSuccess) 547 goto done; 548 unsigned int len=0; 549 s = PK11_DigestFinal(hmac, (unsigned char *)hmac_out, &len, DIGEST256_LEN); 550 if (s != SECSuccess || len != DIGEST256_LEN) 551 goto done; 552 ok = 1; 553 554 done: 555 if (hmac) 556 PK11_DestroyContext(hmac, PR_TRUE); 557 if (symKey) 558 PK11_FreeSymKey(symKey); 559 if (slot) 560 PK11_FreeSlot(slot); 561 562 tor_assert(ok); 563 }