Tor  0.4.8.0-alpha-dev
crypto_digest_nss.c
Go to the documentation of this file.
1 /* Copyright (c) 2001, Matej Pfajfar.
2  * Copyright (c) 2001-2004, Roger Dingledine.
3  * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
4  * Copyright (c) 2007-2021, The Tor Project, Inc. */
5 /* See LICENSE for licensing information */
6 
7 /**
8  * \file crypto_digest_nss.c
9  * \brief Block of functions related with digest and xof utilities and
10  * operations (NSS specific implementations).
11  **/
12 
16 #include "lib/log/log.h"
17 #include "lib/log/util_bug.h"
18 
19 #include "keccak-tiny/keccak-tiny.h"
20 
21 #include <stdlib.h>
22 #include <string.h>
23 
24 #include "lib/arch/bytes.h"
25 
26 DISABLE_GCC_WARNING("-Wstrict-prototypes")
27 #include <pk11pub.h>
28 ENABLE_GCC_WARNING("-Wstrict-prototypes")
29 
30 /**
31  * Convert a digest_algorithm_t (used by tor) to a HashType (used by NSS).
32  * On failure, return SEC_OID_UNKNOWN. */
33 static SECOidTag
35 {
36  switch (alg) {
37  case DIGEST_SHA1: return SEC_OID_SHA1;
38  case DIGEST_SHA256: return SEC_OID_SHA256;
39  case DIGEST_SHA512: return SEC_OID_SHA512;
40  case DIGEST_SHA3_256: FALLTHROUGH;
41  case DIGEST_SHA3_512: FALLTHROUGH;
42  default:
43  return SEC_OID_UNKNOWN;
44  }
45 }
46 
47 /** Helper: Compute an unkeyed digest of the <b>msg_len</b> bytes at
48  * <b>msg</b>, using the digest algorithm specified by <b>alg</b>.
49  * Store the result in the <b>len_out</b>-byte buffer at <b>digest</b>.
50  * Return the number of bytes written on success, and -1 on failure.
51  **/
52 static int
53 digest_nss_internal(SECOidTag alg,
54  char *digest, unsigned len_out,
55  const char *msg, size_t msg_len)
56 {
57  if (alg == SEC_OID_UNKNOWN)
58  return -1;
59  tor_assert(msg_len <= UINT_MAX);
60 
61  int rv = -1;
62  SECStatus s;
63  PK11Context *ctx = PK11_CreateDigestContext(alg);
64  if (!ctx)
65  return -1;
66 
67  s = PK11_DigestBegin(ctx);
68  if (s != SECSuccess)
69  goto done;
70 
71  s = PK11_DigestOp(ctx, (const unsigned char *)msg, (unsigned int)msg_len);
72  if (s != SECSuccess)
73  goto done;
74 
75  unsigned int len = 0;
76  s = PK11_DigestFinal(ctx, (unsigned char *)digest, &len, len_out);
77  if (s != SECSuccess)
78  goto done;
79 
80  rv = 0;
81  done:
82  PK11_DestroyContext(ctx, PR_TRUE);
83  return rv;
84 }
85 
86 /** True iff alg is implemented in our crypto library, and we want to use that
87  * implementation */
88 static bool
90 {
91  switch (alg) {
92  case DIGEST_SHA1: FALLTHROUGH;
93  case DIGEST_SHA256: FALLTHROUGH;
94  case DIGEST_SHA512:
95  return true;
96  case DIGEST_SHA3_256: FALLTHROUGH;
97  case DIGEST_SHA3_512: FALLTHROUGH;
98  default:
99  return false;
100  }
101 }
102 
103 /* Crypto digest functions */
104 
105 /** Compute the SHA1 digest of the <b>len</b> bytes on data stored in
106  * <b>m</b>. Write the DIGEST_LEN byte result into <b>digest</b>.
107  * Return 0 on success, -1 on failure.
108  */
109 MOCK_IMPL(int,
110 crypto_digest,(char *digest, const char *m, size_t len))
111 {
112  tor_assert(m);
113  tor_assert(digest);
114  return digest_nss_internal(SEC_OID_SHA1, digest, DIGEST_LEN, m, len);
115 }
116 
117 /** Compute a 256-bit digest of <b>len</b> bytes in data stored in <b>m</b>,
118  * using the algorithm <b>algorithm</b>. Write the DIGEST_LEN256-byte result
119  * into <b>digest</b>. Return 0 on success, -1 on failure. */
120 int
121 crypto_digest256(char *digest, const char *m, size_t len,
122  digest_algorithm_t algorithm)
123 {
124  tor_assert(m);
125  tor_assert(digest);
126  tor_assert(algorithm == DIGEST_SHA256 || algorithm == DIGEST_SHA3_256);
127 
128  int ret = 0;
129  if (algorithm == DIGEST_SHA256) {
130  return digest_nss_internal(SEC_OID_SHA256, digest, DIGEST256_LEN, m, len);
131  } else {
132  ret = (sha3_256((uint8_t *)digest, DIGEST256_LEN,(const uint8_t *)m, len)
133  > -1);
134  }
135 
136  if (!ret)
137  return -1;
138  return 0;
139 }
140 
141 /** Compute a 512-bit digest of <b>len</b> bytes in data stored in <b>m</b>,
142  * using the algorithm <b>algorithm</b>. Write the DIGEST_LEN512-byte result
143  * into <b>digest</b>. Return 0 on success, -1 on failure. */
144 int
145 crypto_digest512(char *digest, const char *m, size_t len,
146  digest_algorithm_t algorithm)
147 {
148  tor_assert(m);
149  tor_assert(digest);
150  tor_assert(algorithm == DIGEST_SHA512 || algorithm == DIGEST_SHA3_512);
151 
152  int ret = 0;
153  if (algorithm == DIGEST_SHA512) {
154  return digest_nss_internal(SEC_OID_SHA512, digest, DIGEST512_LEN, m, len);
155  } else {
156  ret = (sha3_512((uint8_t*)digest, DIGEST512_LEN, (const uint8_t*)m, len)
157  > -1);
158  }
159 
160  if (!ret)
161  return -1;
162  return 0;
163 }
164 
165 /** Intermediate information about the digest of a stream of data. */
167  digest_algorithm_t algorithm; /**< Which algorithm is in use? */
168  /** State for the digest we're using. Only one member of the
169  * union is usable, depending on the value of <b>algorithm</b>. Note also
170  * that space for other members might not even be allocated!
171  */
172  union {
173  PK11Context *ctx;
174  keccak_state sha3; /**< state for SHA3-[256,512] */
175  } d;
176 };
177 
178 #ifdef TOR_UNIT_TESTS
179 
181 crypto_digest_get_algorithm(crypto_digest_t *digest)
182 {
183  tor_assert(digest);
184 
185  return digest->algorithm;
186 }
187 
188 #endif /* defined(TOR_UNIT_TESTS) */
189 
190 /**
191  * Return the number of bytes we need to malloc in order to get a
192  * crypto_digest_t for <b>alg</b>, or the number of bytes we need to wipe
193  * when we free one.
194  */
195 static size_t
197 {
198  /* Helper: returns the number of bytes in the 'f' field of 'st' */
199 #define STRUCT_FIELD_SIZE(st, f) (sizeof( ((st*)0)->f ))
200  /* Gives the length of crypto_digest_t through the end of the field 'd' */
201 #define END_OF_FIELD(f) (offsetof(crypto_digest_t, f) + \
202  STRUCT_FIELD_SIZE(crypto_digest_t, f))
203  switch (alg) {
204  case DIGEST_SHA1: FALLTHROUGH;
205  case DIGEST_SHA256: FALLTHROUGH;
206  case DIGEST_SHA512:
207  return END_OF_FIELD(d.ctx);
208  case DIGEST_SHA3_256:
209  case DIGEST_SHA3_512:
210  return END_OF_FIELD(d.sha3);
211  default:
212  tor_assert(0); // LCOV_EXCL_LINE
213  return 0; // LCOV_EXCL_LINE
214  }
215 #undef END_OF_FIELD
216 #undef STRUCT_FIELD_SIZE
217 }
218 
219 /**
220  * Internal function: create and return a new digest object for 'algorithm'.
221  * Does not typecheck the algorithm.
222  */
223 static crypto_digest_t *
225 {
226  crypto_digest_t *r = tor_malloc(crypto_digest_alloc_bytes(algorithm));
227  r->algorithm = algorithm;
228 
229  switch (algorithm)
230  {
231  case DIGEST_SHA1: FALLTHROUGH;
232  case DIGEST_SHA256: FALLTHROUGH;
233  case DIGEST_SHA512:
234  r->d.ctx = PK11_CreateDigestContext(digest_alg_to_nss_oid(algorithm));
235  if (BUG(!r->d.ctx)) {
236  tor_free(r);
237  return NULL;
238  }
239  if (BUG(SECSuccess != PK11_DigestBegin(r->d.ctx))) {
241  return NULL;
242  }
243  break;
244  case DIGEST_SHA3_256:
245  keccak_digest_init(&r->d.sha3, 256);
246  break;
247  case DIGEST_SHA3_512:
248  keccak_digest_init(&r->d.sha3, 512);
249  break;
250  default:
251  tor_assert_unreached();
252  }
253 
254  return r;
255 }
256 
257 /** Allocate and return a new digest object to compute SHA1 digests.
258  */
261 {
262  return crypto_digest_new_internal(DIGEST_SHA1);
263 }
264 
265 /** Allocate and return a new digest object to compute 256-bit digests
266  * using <b>algorithm</b>.
267  *
268  * C_RUST_COUPLED: `external::crypto_digest::crypto_digest256_new`
269  * C_RUST_COUPLED: `crypto::digest::Sha256::default`
270  */
273 {
274  tor_assert(algorithm == DIGEST_SHA256 || algorithm == DIGEST_SHA3_256);
275  return crypto_digest_new_internal(algorithm);
276 }
277 
278 /** Allocate and return a new digest object to compute 512-bit digests
279  * using <b>algorithm</b>. */
282 {
283  tor_assert(algorithm == DIGEST_SHA512 || algorithm == DIGEST_SHA3_512);
284  return crypto_digest_new_internal(algorithm);
285 }
286 
287 /** Deallocate a digest object.
288  */
289 void
291 {
292  if (!digest)
293  return;
294  if (library_supports_digest(digest->algorithm)) {
295  PK11_DestroyContext(digest->d.ctx, PR_TRUE);
296  }
297  size_t bytes = crypto_digest_alloc_bytes(digest->algorithm);
298  memwipe(digest, 0, bytes);
299  tor_free(digest);
300 }
301 
302 /** Add <b>len</b> bytes from <b>data</b> to the digest object.
303  *
304  * C_RUST_COUPLED: `external::crypto_digest::crypto_digest_add_bytess`
305  * C_RUST_COUPLED: `crypto::digest::Sha256::process`
306  */
307 void
308 crypto_digest_add_bytes(crypto_digest_t *digest, const char *data,
309  size_t len)
310 {
311  tor_assert(digest);
312  tor_assert(data);
313  /* Using the SHA*_*() calls directly means we don't support doing
314  * SHA in hardware. But so far the delay of getting the question
315  * to the hardware, and hearing the answer, is likely higher than
316  * just doing it ourselves. Hashes are fast.
317  */
318  switch (digest->algorithm) {
319  case DIGEST_SHA1: FALLTHROUGH;
320  case DIGEST_SHA256: FALLTHROUGH;
321  case DIGEST_SHA512:
322  tor_assert(len <= UINT_MAX);
323  SECStatus s = PK11_DigestOp(digest->d.ctx,
324  (const unsigned char *)data,
325  (unsigned int)len);
326  tor_assert(s == SECSuccess);
327  break;
328  case DIGEST_SHA3_256: FALLTHROUGH;
329  case DIGEST_SHA3_512:
330  keccak_digest_update(&digest->d.sha3, (const uint8_t *)data, len);
331  break;
332  default:
333  /* LCOV_EXCL_START */
335  break;
336  /* LCOV_EXCL_STOP */
337  }
338 }
339 
340 /** Compute the hash of the data that has been passed to the digest
341  * object; write the first out_len bytes of the result to <b>out</b>.
342  * <b>out_len</b> must be <= DIGEST512_LEN.
343  *
344  * C_RUST_COUPLED: `external::crypto_digest::crypto_digest_get_digest`
345  * C_RUST_COUPLED: `impl digest::FixedOutput for Sha256`
346  */
347 void
349  char *out, size_t out_len)
350 {
351  unsigned char r[DIGEST512_LEN];
352  tor_assert(digest);
353  tor_assert(out);
355 
356  /* The SHA-3 code handles copying into a temporary ctx, and also can handle
357  * short output buffers by truncating appropriately. */
358  if (digest->algorithm == DIGEST_SHA3_256 ||
359  digest->algorithm == DIGEST_SHA3_512) {
360  keccak_digest_sum(&digest->d.sha3, (uint8_t *)out, out_len);
361  return;
362  }
363 
364  /* Copy into a temporary buffer since DigestFinal (alters) the context */
365  unsigned char buf[1024];
366  unsigned int saved_len = 0;
367  unsigned rlen;
368  unsigned char *saved = PK11_SaveContextAlloc(digest->d.ctx,
369  buf, sizeof(buf),
370  &saved_len);
371  tor_assert(saved);
372  SECStatus s = PK11_DigestFinal(digest->d.ctx, r, &rlen, sizeof(r));
373  tor_assert(s == SECSuccess);
374  tor_assert(rlen >= out_len);
375  s = PK11_RestoreContext(digest->d.ctx, saved, saved_len);
376  tor_assert(s == SECSuccess);
377 
378  if (saved != buf) {
379  PORT_ZFree(saved, saved_len);
380  }
381  memcpy(out, r, out_len);
382  memwipe(r, 0, sizeof(r));
383 }
384 
385 /** Allocate and return a new digest object with the same state as
386  * <b>digest</b>
387  *
388  * C_RUST_COUPLED: `external::crypto_digest::crypto_digest_dup`
389  * C_RUST_COUPLED: `impl Clone for crypto::digest::Sha256`
390  */
393 {
394  tor_assert(digest);
395  const size_t alloc_bytes = crypto_digest_alloc_bytes(digest->algorithm);
396  crypto_digest_t *result = tor_memdup(digest, alloc_bytes);
397 
398  if (library_supports_digest(digest->algorithm)) {
399  result->d.ctx = PK11_CloneContext(digest->d.ctx);
400  }
401 
402  return result;
403 }
404 
405 /** Temporarily save the state of <b>digest</b> in <b>checkpoint</b>.
406  * Asserts that <b>digest</b> is a SHA1 digest object.
407  */
408 void
410  const crypto_digest_t *digest)
411 {
412  const size_t bytes = crypto_digest_alloc_bytes(digest->algorithm);
413  tor_assert(bytes <= sizeof(checkpoint->mem));
414  if (library_supports_digest(digest->algorithm)) {
415  unsigned char *allocated;
416  allocated = PK11_SaveContextAlloc(digest->d.ctx,
417  (unsigned char *)checkpoint->mem,
418  sizeof(checkpoint->mem),
419  &checkpoint->bytes_used);
420  /* No allocation is allowed here. */
421  tor_assert(allocated == checkpoint->mem);
422  return;
423  }
424  memcpy(checkpoint->mem, digest, bytes);
425 }
426 
427 /** Restore the state of <b>digest</b> from <b>checkpoint</b>.
428  * Asserts that <b>digest</b> is a SHA1 digest object. Requires that the
429  * state was previously stored with crypto_digest_checkpoint() */
430 void
432  const crypto_digest_checkpoint_t *checkpoint)
433 {
434  const size_t bytes = crypto_digest_alloc_bytes(digest->algorithm);
435  if (library_supports_digest(digest->algorithm)) {
436  SECStatus s = PK11_RestoreContext(digest->d.ctx,
437  (unsigned char *)checkpoint->mem,
438  checkpoint->bytes_used);
439  tor_assert(s == SECSuccess);
440  return;
441  }
442  memcpy(digest, checkpoint->mem, bytes);
443 }
444 
445 /** Replace the state of the digest object <b>into</b> with the state
446  * of the digest object <b>from</b>. Requires that 'into' and 'from'
447  * have the same digest type.
448  */
449 void
451  const crypto_digest_t *from)
452 {
453  tor_assert(into);
454  tor_assert(from);
455  tor_assert(into->algorithm == from->algorithm);
456  const size_t alloc_bytes = crypto_digest_alloc_bytes(from->algorithm);
457  if (library_supports_digest(from->algorithm)) {
458  PK11_DestroyContext(into->d.ctx, PR_TRUE);
459  into->d.ctx = PK11_CloneContext(from->d.ctx);
460  return;
461  }
462  memcpy(into,from,alloc_bytes);
463 }
464 
465 /** Given a list of strings in <b>lst</b>, set the <b>len_out</b>-byte digest
466  * at <b>digest_out</b> to the hash of the concatenation of those strings,
467  * plus the optional string <b>append</b>, computed with the algorithm
468  * <b>alg</b>.
469  * <b>out_len</b> must be <= DIGEST512_LEN. */
470 void
471 crypto_digest_smartlist(char *digest_out, size_t len_out,
472  const smartlist_t *lst,
473  const char *append,
474  digest_algorithm_t alg)
475 {
476  crypto_digest_smartlist_prefix(digest_out, len_out, NULL, lst, append, alg);
477 }
478 
479 /** Given a list of strings in <b>lst</b>, set the <b>len_out</b>-byte digest
480  * at <b>digest_out</b> to the hash of the concatenation of: the
481  * optional string <b>prepend</b>, those strings,
482  * and the optional string <b>append</b>, computed with the algorithm
483  * <b>alg</b>.
484  * <b>len_out</b> must be <= DIGEST512_LEN. */
485 void
486 crypto_digest_smartlist_prefix(char *digest_out, size_t len_out,
487  const char *prepend,
488  const smartlist_t *lst,
489  const char *append,
490  digest_algorithm_t alg)
491 {
493  if (prepend)
494  crypto_digest_add_bytes(d, prepend, strlen(prepend));
495  SMARTLIST_FOREACH(lst, const char *, cp,
496  crypto_digest_add_bytes(d, cp, strlen(cp)));
497  if (append)
498  crypto_digest_add_bytes(d, append, strlen(append));
499  crypto_digest_get_digest(d, digest_out, len_out);
501 }
502 
503 /** Compute the HMAC-SHA-256 of the <b>msg_len</b> bytes in <b>msg</b>, using
504  * the <b>key</b> of length <b>key_len</b>. Store the DIGEST256_LEN-byte
505  * result in <b>hmac_out</b>. Asserts on failure.
506  */
507 void
508 crypto_hmac_sha256(char *hmac_out,
509  const char *key, size_t key_len,
510  const char *msg, size_t msg_len)
511 {
512  /* If we've got OpenSSL >=0.9.8 we can use its hmac implementation. */
513  tor_assert(key_len < INT_MAX);
514  tor_assert(msg_len < INT_MAX);
515  tor_assert(hmac_out);
516 
517  PK11SlotInfo *slot = NULL;
518  PK11SymKey *symKey = NULL;
519  PK11Context *hmac = NULL;
520 
521  int ok = 0;
522  SECStatus s;
523  SECItem keyItem, paramItem;
524  keyItem.data = (unsigned char *)key;
525  keyItem.len = (unsigned)key_len;
526  paramItem.type = siBuffer;
527  paramItem.data = NULL;
528  paramItem.len = 0;
529 
530  slot = PK11_GetBestSlot(CKM_SHA256_HMAC, NULL);
531  if (!slot)
532  goto done;
533  symKey = PK11_ImportSymKey(slot, CKM_SHA256_HMAC,
534  PK11_OriginUnwrap, CKA_SIGN, &keyItem, NULL);
535  if (!symKey)
536  goto done;
537 
538  hmac = PK11_CreateContextBySymKey(CKM_SHA256_HMAC, CKA_SIGN, symKey,
539  &paramItem);
540  if (!hmac)
541  goto done;
542  s = PK11_DigestBegin(hmac);
543  if (s != SECSuccess)
544  goto done;
545  s = PK11_DigestOp(hmac, (const unsigned char *)msg, (unsigned int)msg_len);
546  if (s != SECSuccess)
547  goto done;
548  unsigned int len=0;
549  s = PK11_DigestFinal(hmac, (unsigned char *)hmac_out, &len, DIGEST256_LEN);
550  if (s != SECSuccess || len != DIGEST256_LEN)
551  goto done;
552  ok = 1;
553 
554  done:
555  if (hmac)
556  PK11_DestroyContext(hmac, PR_TRUE);
557  if (symKey)
558  PK11_FreeSymKey(symKey);
559  if (slot)
560  PK11_FreeSlot(slot);
561 
562  tor_assert(ok);
563 }
Inline functions for reading and writing multibyte values from the middle of strings,...
size_t crypto_digest_algorithm_get_length(digest_algorithm_t alg)
Definition: crypto_digest.c:86
Headers for crypto_digest.c.
digest_algorithm_t
Definition: crypto_digest.h:44
#define crypto_digest_free(d)
static bool library_supports_digest(digest_algorithm_t alg)
void crypto_digest_checkpoint(crypto_digest_checkpoint_t *checkpoint, const crypto_digest_t *digest)
int crypto_digest512(char *digest, const char *m, size_t len, digest_algorithm_t algorithm)
static crypto_digest_t * crypto_digest_new_internal(digest_algorithm_t algorithm)
int crypto_digest256(char *digest, const char *m, size_t len, digest_algorithm_t algorithm)
void crypto_hmac_sha256(char *hmac_out, const char *key, size_t key_len, const char *msg, size_t msg_len)
void crypto_digest_restore(crypto_digest_t *digest, const crypto_digest_checkpoint_t *checkpoint)
void crypto_digest_get_digest(crypto_digest_t *digest, char *out, size_t out_len)
void crypto_digest_assign(crypto_digest_t *into, const crypto_digest_t *from)
static SECOidTag digest_alg_to_nss_oid(digest_algorithm_t alg)
void crypto_digest_smartlist(char *digest_out, size_t len_out, const smartlist_t *lst, const char *append, digest_algorithm_t alg)
static int digest_nss_internal(SECOidTag alg, char *digest, unsigned len_out, const char *msg, size_t msg_len)
crypto_digest_t * crypto_digest256_new(digest_algorithm_t algorithm)
static size_t crypto_digest_alloc_bytes(digest_algorithm_t alg)
crypto_digest_t * crypto_digest_dup(const crypto_digest_t *digest)
int crypto_digest(char *digest, const char *m, size_t len)
crypto_digest_t * crypto_digest_new(void)
void crypto_digest_free_(crypto_digest_t *digest)
void crypto_digest_add_bytes(crypto_digest_t *digest, const char *data, size_t len)
void crypto_digest_smartlist_prefix(char *digest_out, size_t len_out, const char *prepend, const smartlist_t *lst, const char *append, digest_algorithm_t alg)
crypto_digest_t * crypto_digest512_new(digest_algorithm_t algorithm)
void memwipe(void *mem, uint8_t byte, size_t sz)
Definition: crypto_util.c:55
Common functions for cryptographic routines.
#define DIGEST_LEN
Definition: digest_sizes.h:20
#define DIGEST256_LEN
Definition: digest_sizes.h:23
#define DIGEST512_LEN
Definition: digest_sizes.h:25
Headers for log.c.
#define tor_free(p)
Definition: malloc.h:56
Header for smartlist.c.
#define SMARTLIST_FOREACH(sl, type, var, cmd)
uint8_t mem[DIGEST_CHECKPOINT_BYTES]
Definition: crypto_digest.h:76
digest_algorithm_t algorithm
union crypto_digest_t::@26 d
#define MOCK_IMPL(rv, funcname, arglist)
Definition: testsupport.h:133
Macros to manage assertions, fatal and non-fatal.
#define tor_assert(expr)
Definition: util_bug.h:102
#define tor_fragile_assert()
Definition: util_bug.h:270