Tor 0.4.9.0-alpha-dev
crypto_digest.c
Go to the documentation of this file.
1/* Copyright (c) 2001, Matej Pfajfar.
2 * Copyright (c) 2001-2004, Roger Dingledine.
3 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
4 * Copyright (c) 2007-2021, The Tor Project, Inc. */
5/* See LICENSE for licensing information */
6
7/**
8 * \file crypto_digest.c
9 * \brief Block of functions related with digest and xof utilities and
10 * operations.
11 **/
12
16#include "lib/log/log.h"
17#include "lib/log/util_bug.h"
18
19#include "keccak-tiny/keccak-tiny.h"
20
21#include <stdlib.h>
22#include <string.h>
23
24#include "lib/arch/bytes.h"
25
26/** Set the common_digests_t in <b>ds_out</b> to contain every digest on the
27 * <b>len</b> bytes in <b>m</b> that we know how to compute. Return 0 on
28 * success, -1 on failure. */
29int
30crypto_common_digests(common_digests_t *ds_out, const char *m, size_t len)
31{
32 tor_assert(ds_out);
33 memset(ds_out, 0, sizeof(*ds_out));
34 if (crypto_digest(ds_out->d[DIGEST_SHA1], m, len) < 0)
35 return -1;
36 if (crypto_digest256(ds_out->d[DIGEST_SHA256], m, len, DIGEST_SHA256) < 0)
37 return -1;
38
39 return 0;
40}
41
42/** Return the name of an algorithm, as used in directory documents. */
43const char *
45{
46 switch (alg) {
47 case DIGEST_SHA1:
48 return "sha1";
49 case DIGEST_SHA256:
50 return "sha256";
51 case DIGEST_SHA512:
52 return "sha512";
53 case DIGEST_SHA3_256:
54 return "sha3-256";
55 case DIGEST_SHA3_512:
56 return "sha3-512";
57 // LCOV_EXCL_START
58 default:
60 return "??unknown_digest??";
61 // LCOV_EXCL_STOP
62 }
63}
64
65/** Given the name of a digest algorithm, return its integer value, or -1 if
66 * the name is not recognized. */
67int
69{
70 if (!strcmp(name, "sha1"))
71 return DIGEST_SHA1;
72 else if (!strcmp(name, "sha256"))
73 return DIGEST_SHA256;
74 else if (!strcmp(name, "sha512"))
75 return DIGEST_SHA512;
76 else if (!strcmp(name, "sha3-256"))
77 return DIGEST_SHA3_256;
78 else if (!strcmp(name, "sha3-512"))
79 return DIGEST_SHA3_512;
80 else
81 return -1;
82}
83
84/** Given an algorithm, return the digest length in bytes. */
85size_t
87{
88 switch (alg) {
89 case DIGEST_SHA1:
90 return DIGEST_LEN;
91 case DIGEST_SHA256:
92 return DIGEST256_LEN;
93 case DIGEST_SHA512:
94 return DIGEST512_LEN;
95 case DIGEST_SHA3_256:
96 return DIGEST256_LEN;
97 case DIGEST_SHA3_512:
98 return DIGEST512_LEN;
99 default:
100 tor_assert(0); // LCOV_EXCL_LINE
101 return 0; /* Unreachable */ // LCOV_EXCL_LINE
102 }
103}
104
105/** Compute a MAC using SHA3-256 of <b>msg_len</b> bytes in <b>msg</b> using a
106 * <b>key</b> of length <b>key_len</b> and a <b>salt</b> of length
107 * <b>salt_len</b>. Store the result of <b>len_out</b> bytes in in
108 * <b>mac_out</b>. This function can't fail. */
109void
110crypto_mac_sha3_256(uint8_t *mac_out, size_t len_out,
111 const uint8_t *key, size_t key_len,
112 const uint8_t *msg, size_t msg_len)
113{
114 crypto_digest_t *digest;
115
116 const uint64_t key_len_netorder = tor_htonll(key_len);
117
118 tor_assert(mac_out);
119 tor_assert(key);
120 tor_assert(msg);
121
122 digest = crypto_digest256_new(DIGEST_SHA3_256);
123
124 /* Order matters here that is any subsystem using this function should
125 * expect this very precise ordering in the MAC construction. */
126 crypto_digest_add_bytes(digest, (const char *) &key_len_netorder,
127 sizeof(key_len_netorder));
128 crypto_digest_add_bytes(digest, (const char *) key, key_len);
129 crypto_digest_add_bytes(digest, (const char *) msg, msg_len);
130 crypto_digest_get_digest(digest, (char *) mac_out, len_out);
131 crypto_digest_free(digest);
132}
133
134/* xof functions */
135
136/** Internal state for a eXtendable-Output Function (XOF). */
138#ifdef OPENSSL_HAS_SHAKE3_EVP
139 /* XXXX We can't enable this yet, because OpenSSL's
140 * DigestFinalXOF function can't be called repeatedly on the same
141 * XOF.
142 *
143 * We could in theory use the undocumented SHA3_absorb and SHA3_squeeze
144 * functions, but let's not mess with undocumented OpenSSL internals any
145 * more than we have to.
146 *
147 * We could also revise our XOF code so that it only allows a single
148 * squeeze operation; we don't require streaming squeeze operations
149 * outside the tests yet.
150 */
151 EVP_MD_CTX *ctx;
152#else /* !defined(OPENSSL_HAS_SHAKE3_EVP) */
153 /**
154 * State of the Keccak sponge for the SHAKE-256 computation.
155 **/
157#endif /* defined(OPENSSL_HAS_SHAKE3_EVP) */
158};
159
160/** Allocate a new XOF object backed by SHAKE-256. The security level
161 * provided is a function of the length of the output used. Read and
162 * understand FIPS-202 A.2 "Additional Consideration for Extendable-Output
163 * Functions" before using this construct.
164 */
167{
168 crypto_xof_t *xof;
169 xof = tor_malloc(sizeof(crypto_xof_t));
170#ifdef OPENSSL_HAS_SHAKE256
171 xof->ctx = EVP_MD_CTX_new();
172 tor_assert(xof->ctx);
173 int r = EVP_DigestInit(xof->ctx, EVP_shake256());
174 tor_assert(r == 1);
175#else /* !defined(OPENSSL_HAS_SHAKE256) */
176 keccak_xof_init(&xof->s, 256);
177#endif /* defined(OPENSSL_HAS_SHAKE256) */
178 return xof;
179}
180
181/** Absorb bytes into a XOF object. Must not be called after a call to
182 * crypto_xof_squeeze_bytes() for the same instance, and will assert
183 * if attempted.
184 */
185void
186crypto_xof_add_bytes(crypto_xof_t *xof, const uint8_t *data, size_t len)
187{
188#ifdef OPENSSL_HAS_SHAKE256
189 int r = EVP_DigestUpdate(xof->ctx, data, len);
190 tor_assert(r == 1);
191#else
192 int i = keccak_xof_absorb(&xof->s, data, len);
193 tor_assert(i == 0);
194#endif /* defined(OPENSSL_HAS_SHAKE256) */
195}
196
197/** Squeeze bytes out of a XOF object. Calling this routine will render
198 * the XOF instance ineligible to absorb further data.
199 */
200void
201crypto_xof_squeeze_bytes(crypto_xof_t *xof, uint8_t *out, size_t len)
202{
203#ifdef OPENSSL_HAS_SHAKE256
204 int r = EVP_DigestFinalXOF(xof->ctx, out, len);
205 tor_assert(r == 1);
206#else
207 int i = keccak_xof_squeeze(&xof->s, out, len);
208 tor_assert(i == 0);
209#endif /* defined(OPENSSL_HAS_SHAKE256) */
210}
211
212/** Cleanse and deallocate a XOF object. */
213void
215{
216 if (!xof)
217 return;
218#ifdef OPENSSL_HAS_SHAKE256
219 if (xof->ctx)
220 EVP_MD_CTX_free(xof->ctx);
221#endif
222 memwipe(xof, 0, sizeof(crypto_xof_t));
223 tor_free(xof);
224}
225
226/** Compute the XOF (SHAKE256) of a <b>input_len</b> bytes at <b>input</b>,
227 * putting <b>output_len</b> bytes at <b>output</b>. */
228void
229crypto_xof(uint8_t *output, size_t output_len,
230 const uint8_t *input, size_t input_len)
231{
232#ifdef OPENSSL_HAS_SHA3
233 EVP_MD_CTX *ctx = EVP_MD_CTX_new();
234 tor_assert(ctx);
235 int r = EVP_DigestInit(ctx, EVP_shake256());
236 tor_assert(r == 1);
237 r = EVP_DigestUpdate(ctx, input, input_len);
238 tor_assert(r == 1);
239 r = EVP_DigestFinalXOF(ctx, output, output_len);
240 tor_assert(r == 1);
241 EVP_MD_CTX_free(ctx);
242#else /* !defined(OPENSSL_HAS_SHA3) */
244 crypto_xof_add_bytes(xof, input, input_len);
245 crypto_xof_squeeze_bytes(xof, output, output_len);
246 crypto_xof_free(xof);
247#endif /* defined(OPENSSL_HAS_SHA3) */
248}
Inline functions for reading and writing multibyte values from the middle of strings,...
static uint64_t tor_htonll(uint64_t a)
Definition: bytes.h:184
const char * name
Definition: config.c:2462
void crypto_mac_sha3_256(uint8_t *mac_out, size_t len_out, const uint8_t *key, size_t key_len, const uint8_t *msg, size_t msg_len)
size_t crypto_digest_algorithm_get_length(digest_algorithm_t alg)
Definition: crypto_digest.c:86
void crypto_xof(uint8_t *output, size_t output_len, const uint8_t *input, size_t input_len)
void crypto_xof_squeeze_bytes(crypto_xof_t *xof, uint8_t *out, size_t len)
crypto_xof_t * crypto_xof_new(void)
int crypto_common_digests(common_digests_t *ds_out, const char *m, size_t len)
Definition: crypto_digest.c:30
void crypto_xof_add_bytes(crypto_xof_t *xof, const uint8_t *data, size_t len)
const char * crypto_digest_algorithm_get_name(digest_algorithm_t alg)
Definition: crypto_digest.c:44
void crypto_xof_free_(crypto_xof_t *xof)
int crypto_digest_algorithm_parse_name(const char *name)
Definition: crypto_digest.c:68
Headers for crypto_digest.c.
digest_algorithm_t
Definition: crypto_digest.h:44
int crypto_digest256(char *digest, const char *m, size_t len, digest_algorithm_t algorithm)
void crypto_digest_get_digest(crypto_digest_t *digest, char *out, size_t out_len)
#define crypto_xof_free(xof)
#define crypto_digest_free(d)
int crypto_digest(char *digest, const char *m, size_t len)
crypto_digest_t * crypto_digest256_new(digest_algorithm_t algorithm)
void crypto_digest_add_bytes(crypto_digest_t *digest, const char *data, size_t len)
void memwipe(void *mem, uint8_t byte, size_t sz)
Definition: crypto_util.c:55
Common functions for cryptographic routines.
#define DIGEST_LEN
Definition: digest_sizes.h:20
#define DIGEST256_LEN
Definition: digest_sizes.h:23
#define DIGEST512_LEN
Definition: digest_sizes.h:25
Headers for log.c.
#define tor_free(p)
Definition: malloc.h:56
Header for smartlist.c.
char d[N_COMMON_DIGEST_ALGORITHMS][DIGEST256_LEN]
Definition: crypto_digest.h:89
keccak_state s
Macros to manage assertions, fatal and non-fatal.
#define tor_assert(expr)
Definition: util_bug.h:103
#define tor_fragile_assert()
Definition: util_bug.h:278