Tor 0.4.9.1-alpha-dev
crypto_digest_openssl.c
Go to the documentation of this file.
1/* Copyright (c) 2001, Matej Pfajfar.
2 * Copyright (c) 2001-2004, Roger Dingledine.
3 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
4 * Copyright (c) 2007-2021, The Tor Project, Inc. */
5/* See LICENSE for licensing information */
6
7/**
8 * \file crypto_digest_openssl.c
9 * \brief Block of functions related with digest and xof utilities and
10 * operations (OpenSSL specific implementations).
11 **/
12
16#include "lib/log/log.h"
17#include "lib/log/util_bug.h"
18
19#include "keccak-tiny/keccak-tiny.h"
20
21#include <stdlib.h>
22#include <string.h>
23
24#include "lib/arch/bytes.h"
25
27
28DISABLE_GCC_WARNING("-Wredundant-decls")
29
30#include <openssl/hmac.h>
31#include <openssl/sha.h>
32
33ENABLE_GCC_WARNING("-Wredundant-decls")
34
35/* Crypto digest functions */
36
37/** Compute the SHA1 digest of the <b>len</b> bytes on data stored in
38 * <b>m</b>. Write the DIGEST_LEN byte result into <b>digest</b>.
39 * Return 0 on success, -1 on failure.
40 */
41MOCK_IMPL(int,
42crypto_digest,(char *digest, const char *m, size_t len))
43{
44 tor_assert(m);
45 tor_assert(digest);
46 if (SHA1((const unsigned char*)m,len,(unsigned char*)digest) == NULL) {
47 return -1;
48 }
49 return 0;
50}
51
52/** Compute a 256-bit digest of <b>len</b> bytes in data stored in <b>m</b>,
53 * using the algorithm <b>algorithm</b>. Write the DIGEST_LEN256-byte result
54 * into <b>digest</b>. Return 0 on success, -1 on failure. */
55int
56crypto_digest256(char *digest, const char *m, size_t len,
57 digest_algorithm_t algorithm)
58{
59 tor_assert(m);
60 tor_assert(digest);
61 tor_assert(algorithm == DIGEST_SHA256 || algorithm == DIGEST_SHA3_256);
62
63 int ret = 0;
64 if (algorithm == DIGEST_SHA256) {
65 ret = (SHA256((const uint8_t*)m,len,(uint8_t*)digest) != NULL);
66 } else {
67#ifdef OPENSSL_HAS_SHA3
68 unsigned int dlen = DIGEST256_LEN;
69 ret = EVP_Digest(m, len, (uint8_t*)digest, &dlen, EVP_sha3_256(), NULL);
70#else
71 ret = (sha3_256((uint8_t *)digest, DIGEST256_LEN,(const uint8_t *)m, len)
72 > -1);
73#endif /* defined(OPENSSL_HAS_SHA3) */
74 }
75
76 if (!ret)
77 return -1;
78 return 0;
79}
80
81/** Compute a 512-bit digest of <b>len</b> bytes in data stored in <b>m</b>,
82 * using the algorithm <b>algorithm</b>. Write the DIGEST_LEN512-byte result
83 * into <b>digest</b>. Return 0 on success, -1 on failure. */
84int
85crypto_digest512(char *digest, const char *m, size_t len,
86 digest_algorithm_t algorithm)
87{
88 tor_assert(m);
89 tor_assert(digest);
90 tor_assert(algorithm == DIGEST_SHA512 || algorithm == DIGEST_SHA3_512);
91
92 int ret = 0;
93 if (algorithm == DIGEST_SHA512) {
94 ret = (SHA512((const unsigned char*)m,len,(unsigned char*)digest)
95 != NULL);
96 } else {
97#ifdef OPENSSL_HAS_SHA3
98 unsigned int dlen = DIGEST512_LEN;
99 ret = EVP_Digest(m, len, (uint8_t*)digest, &dlen, EVP_sha3_512(), NULL);
100#else
101 ret = (sha3_512((uint8_t*)digest, DIGEST512_LEN, (const uint8_t*)m, len)
102 > -1);
103#endif /* defined(OPENSSL_HAS_SHA3) */
104 }
105
106 if (!ret)
107 return -1;
108 return 0;
109}
110
111/** Intermediate information about the digest of a stream of data. */
112struct crypto_digest_t {
113 digest_algorithm_t algorithm; /**< Which algorithm is in use? */
114 /** State for the digest we're using. Only one member of the
115 * union is usable, depending on the value of <b>algorithm</b>. Note also
116 * that space for other members might not even be allocated!
117 */
118 union {
119 SHA_CTX sha1; /**< state for SHA1 */
120 SHA256_CTX sha2; /**< state for SHA256 */
121 SHA512_CTX sha512; /**< state for SHA512 */
122#ifdef OPENSSL_HAS_SHA3
123 EVP_MD_CTX *md;
124#else
125 keccak_state sha3; /**< state for SHA3-[256,512] */
126#endif
127 } d;
128};
129
130#ifdef TOR_UNIT_TESTS
131
133crypto_digest_get_algorithm(crypto_digest_t *digest)
134{
135 tor_assert(digest);
136
137 return digest->algorithm;
138}
139
140#endif /* defined(TOR_UNIT_TESTS) */
141
142/**
143 * Return the number of bytes we need to malloc in order to get a
144 * crypto_digest_t for <b>alg</b>, or the number of bytes we need to wipe
145 * when we free one.
146 */
147static size_t
149{
150 /** Helper: returns the number of bytes in the 'f' field of 'st' */
151#define STRUCT_FIELD_SIZE(st, f) (sizeof( ((st*)0)->f ))
152 /** Gives the length of crypto_digest_t through the end of the field 'd' */
153#define END_OF_FIELD(f) (offsetof(crypto_digest_t, f) + \
154 STRUCT_FIELD_SIZE(crypto_digest_t, f))
155 switch (alg) {
156 case DIGEST_SHA1:
157 return END_OF_FIELD(d.sha1);
158 case DIGEST_SHA256:
159 return END_OF_FIELD(d.sha2);
160 case DIGEST_SHA512:
161 return END_OF_FIELD(d.sha512);
162#ifdef OPENSSL_HAS_SHA3
163 case DIGEST_SHA3_256: FALLTHROUGH;
164 case DIGEST_SHA3_512:
165 return END_OF_FIELD(d.md);
166#else
167 case DIGEST_SHA3_256: FALLTHROUGH;
168 case DIGEST_SHA3_512:
169 return END_OF_FIELD(d.sha3);
170#endif /* defined(OPENSSL_HAS_SHA3) */
171 default:
172 tor_assert(0); // LCOV_EXCL_LINE
173 return 0; // LCOV_EXCL_LINE
174 }
175#undef END_OF_FIELD
176#undef STRUCT_FIELD_SIZE
177}
178
179/**
180 * Internal function: create and return a new digest object for 'algorithm'.
181 * Does not typecheck the algorithm.
182 */
183static crypto_digest_t *
185{
186 crypto_digest_t *r = tor_malloc(crypto_digest_alloc_bytes(algorithm));
187 r->algorithm = algorithm;
188
189 switch (algorithm)
190 {
191 case DIGEST_SHA1:
192 SHA1_Init(&r->d.sha1);
193 break;
194 case DIGEST_SHA256:
195 SHA256_Init(&r->d.sha2);
196 break;
197 case DIGEST_SHA512:
198 SHA512_Init(&r->d.sha512);
199 break;
200#ifdef OPENSSL_HAS_SHA3
201 case DIGEST_SHA3_256:
202 r->d.md = EVP_MD_CTX_new();
203 if (!EVP_DigestInit(r->d.md, EVP_sha3_256())) {
205 return NULL;
206 }
207 break;
208 case DIGEST_SHA3_512:
209 r->d.md = EVP_MD_CTX_new();
210 if (!EVP_DigestInit(r->d.md, EVP_sha3_512())) {
212 return NULL;
213 }
214 break;
215#else /* !defined(OPENSSL_HAS_SHA3) */
216 case DIGEST_SHA3_256:
217 keccak_digest_init(&r->d.sha3, 256);
218 break;
219 case DIGEST_SHA3_512:
220 keccak_digest_init(&r->d.sha3, 512);
221 break;
222#endif /* defined(OPENSSL_HAS_SHA3) */
223 default:
224 tor_assert_unreached();
225 }
226
227 return r;
228}
229
230/** Allocate and return a new digest object to compute SHA1 digests.
231 */
234{
235 return crypto_digest_new_internal(DIGEST_SHA1);
236}
237
238/** Allocate and return a new digest object to compute 256-bit digests
239 * using <b>algorithm</b>.
240 *
241 * C_RUST_COUPLED: `external::crypto_digest::crypto_digest256_new`
242 * C_RUST_COUPLED: `crypto::digest::Sha256::default`
243 */
246{
247 tor_assert(algorithm == DIGEST_SHA256 || algorithm == DIGEST_SHA3_256);
248 return crypto_digest_new_internal(algorithm);
249}
250
251/** Allocate and return a new digest object to compute 512-bit digests
252 * using <b>algorithm</b>. */
255{
256 tor_assert(algorithm == DIGEST_SHA512 || algorithm == DIGEST_SHA3_512);
257 return crypto_digest_new_internal(algorithm);
258}
259
260/** Deallocate a digest object.
261 */
262void
264{
265 if (!digest)
266 return;
267#ifdef OPENSSL_HAS_SHA3
268 if (digest->algorithm == DIGEST_SHA3_256 ||
269 digest->algorithm == DIGEST_SHA3_512) {
270 if (digest->d.md) {
271 EVP_MD_CTX_free(digest->d.md);
272 }
273 }
274#endif /* defined(OPENSSL_HAS_SHA3) */
275 size_t bytes = crypto_digest_alloc_bytes(digest->algorithm);
276 memwipe(digest, 0, bytes);
277 tor_free(digest);
278}
279
280/** Add <b>len</b> bytes from <b>data</b> to the digest object.
281 *
282 * C_RUST_COUPLED: `external::crypto_digest::crypto_digest_add_bytess`
283 * C_RUST_COUPLED: `crypto::digest::Sha256::process`
284 */
285void
286crypto_digest_add_bytes(crypto_digest_t *digest, const char *data,
287 size_t len)
288{
289 tor_assert(digest);
290 tor_assert(data);
291 /* Using the SHA*_*() calls directly means we don't support doing
292 * SHA in hardware. But so far the delay of getting the question
293 * to the hardware, and hearing the answer, is likely higher than
294 * just doing it ourselves. Hashes are fast.
295 */
296 switch (digest->algorithm) {
297 case DIGEST_SHA1:
298 SHA1_Update(&digest->d.sha1, (void*)data, len);
299 break;
300 case DIGEST_SHA256:
301 SHA256_Update(&digest->d.sha2, (void*)data, len);
302 break;
303 case DIGEST_SHA512:
304 SHA512_Update(&digest->d.sha512, (void*)data, len);
305 break;
306#ifdef OPENSSL_HAS_SHA3
307 case DIGEST_SHA3_256: FALLTHROUGH;
308 case DIGEST_SHA3_512: {
309 int r = EVP_DigestUpdate(digest->d.md, data, len);
310 tor_assert(r);
311 }
312 break;
313#else /* !defined(OPENSSL_HAS_SHA3) */
314 case DIGEST_SHA3_256: FALLTHROUGH;
315 case DIGEST_SHA3_512:
316 keccak_digest_update(&digest->d.sha3, (const uint8_t *)data, len);
317 break;
318#endif /* defined(OPENSSL_HAS_SHA3) */
319 default:
320 /* LCOV_EXCL_START */
322 break;
323 /* LCOV_EXCL_STOP */
324 }
325}
326
327/** Compute the hash of the data that has been passed to the digest
328 * object; write the first out_len bytes of the result to <b>out</b>.
329 * <b>out_len</b> must be <= DIGEST512_LEN.
330 *
331 * C_RUST_COUPLED: `external::crypto_digest::crypto_digest_get_digest`
332 * C_RUST_COUPLED: `impl digest::FixedOutput for Sha256`
333 */
334void
336 char *out, size_t out_len)
337{
338 unsigned char r[DIGEST512_LEN];
339 tor_assert(digest);
340 tor_assert(out);
342
343 /* The SHA-3 code handles copying into a temporary ctx, and also can handle
344 * short output buffers by truncating appropriately. */
345 if (digest->algorithm == DIGEST_SHA3_256 ||
346 digest->algorithm == DIGEST_SHA3_512) {
347#ifdef OPENSSL_HAS_SHA3
348 unsigned dlen = (unsigned)
350 EVP_MD_CTX *tmp = EVP_MD_CTX_new();
351 EVP_MD_CTX_copy(tmp, digest->d.md);
352 memset(r, 0xff, sizeof(r));
353 int res = EVP_DigestFinal(tmp, r, &dlen);
354 EVP_MD_CTX_free(tmp);
355 tor_assert(res == 1);
356 goto done;
357#else /* !defined(OPENSSL_HAS_SHA3) */
358 /* Tiny-Keccak handles copying into a temporary ctx, and also can handle
359 * short output buffers by truncating appropriately. */
360 keccak_digest_sum(&digest->d.sha3, (uint8_t *)out, out_len);
361 return;
362#endif /* defined(OPENSSL_HAS_SHA3) */
363 }
364
365 const size_t alloc_bytes = crypto_digest_alloc_bytes(digest->algorithm);
366 crypto_digest_t tmpenv;
367 /* memcpy into a temporary ctx, since SHA*_Final clears the context */
368 memcpy(&tmpenv, digest, alloc_bytes);
369 switch (digest->algorithm) {
370 case DIGEST_SHA1:
371 SHA1_Final(r, &tmpenv.d.sha1);
372 break;
373 case DIGEST_SHA256:
374 SHA256_Final(r, &tmpenv.d.sha2);
375 break;
376 case DIGEST_SHA512:
377 SHA512_Final(r, &tmpenv.d.sha512);
378 break;
379//LCOV_EXCL_START
380 case DIGEST_SHA3_256: FALLTHROUGH;
381 case DIGEST_SHA3_512:
382 default:
383 log_warn(LD_BUG, "Handling unexpected algorithm %d", digest->algorithm);
384 /* This is fatal, because it should never happen. */
385 tor_assert_unreached();
386 break;
387//LCOV_EXCL_STOP
388 }
389#ifdef OPENSSL_HAS_SHA3
390 done:
391#endif
392 memcpy(out, r, out_len);
393 memwipe(r, 0, sizeof(r));
394}
395
396/** Allocate and return a new digest object with the same state as
397 * <b>digest</b>
398 *
399 * C_RUST_COUPLED: `external::crypto_digest::crypto_digest_dup`
400 * C_RUST_COUPLED: `impl Clone for crypto::digest::Sha256`
401 */
404{
405 tor_assert(digest);
406 const size_t alloc_bytes = crypto_digest_alloc_bytes(digest->algorithm);
407 crypto_digest_t *result = tor_memdup(digest, alloc_bytes);
408
409#ifdef OPENSSL_HAS_SHA3
410 if (digest->algorithm == DIGEST_SHA3_256 ||
411 digest->algorithm == DIGEST_SHA3_512) {
412 result->d.md = EVP_MD_CTX_new();
413 EVP_MD_CTX_copy(result->d.md, digest->d.md);
414 }
415#endif /* defined(OPENSSL_HAS_SHA3) */
416 return result;
417}
418
419/** Temporarily save the state of <b>digest</b> in <b>checkpoint</b>.
420 * Asserts that <b>digest</b> is a SHA1 digest object.
421 */
422void
424 const crypto_digest_t *digest)
425{
426 const size_t bytes = crypto_digest_alloc_bytes(digest->algorithm);
427 tor_assert(bytes <= sizeof(checkpoint->mem));
428 memcpy(checkpoint->mem, digest, bytes);
429}
430
431/** Restore the state of <b>digest</b> from <b>checkpoint</b>.
432 * Asserts that <b>digest</b> is a SHA1 digest object. Requires that the
433 * state was previously stored with crypto_digest_checkpoint() */
434void
436 const crypto_digest_checkpoint_t *checkpoint)
437{
438 const size_t bytes = crypto_digest_alloc_bytes(digest->algorithm);
439 memcpy(digest, checkpoint->mem, bytes);
440}
441
442/** Replace the state of the digest object <b>into</b> with the state
443 * of the digest object <b>from</b>. Requires that 'into' and 'from'
444 * have the same digest type.
445 */
446void
448 const crypto_digest_t *from)
449{
450 tor_assert(into);
451 tor_assert(from);
452 tor_assert(into->algorithm == from->algorithm);
453 const size_t alloc_bytes = crypto_digest_alloc_bytes(from->algorithm);
454
455#ifdef OPENSSL_HAS_SHA3
456 if (from->algorithm == DIGEST_SHA3_256 ||
457 from->algorithm == DIGEST_SHA3_512) {
458 EVP_MD_CTX_copy(into->d.md, from->d.md);
459 return;
460 }
461#endif /* defined(OPENSSL_HAS_SHA3) */
462
463 memcpy(into,from,alloc_bytes);
464}
465
466/** Given a list of strings in <b>lst</b>, set the <b>len_out</b>-byte digest
467 * at <b>digest_out</b> to the hash of the concatenation of those strings,
468 * plus the optional string <b>append</b>, computed with the algorithm
469 * <b>alg</b>.
470 * <b>out_len</b> must be <= DIGEST512_LEN. */
471void
472crypto_digest_smartlist(char *digest_out, size_t len_out,
473 const smartlist_t *lst,
474 const char *append,
476{
477 crypto_digest_smartlist_prefix(digest_out, len_out, NULL, lst, append, alg);
478}
479
480/** Given a list of strings in <b>lst</b>, set the <b>len_out</b>-byte digest
481 * at <b>digest_out</b> to the hash of the concatenation of: the
482 * optional string <b>prepend</b>, those strings,
483 * and the optional string <b>append</b>, computed with the algorithm
484 * <b>alg</b>.
485 * <b>len_out</b> must be <= DIGEST512_LEN. */
486void
487crypto_digest_smartlist_prefix(char *digest_out, size_t len_out,
488 const char *prepend,
489 const smartlist_t *lst,
490 const char *append,
492{
494 if (prepend)
495 crypto_digest_add_bytes(d, prepend, strlen(prepend));
496 SMARTLIST_FOREACH(lst, const char *, cp,
497 crypto_digest_add_bytes(d, cp, strlen(cp)));
498 if (append)
499 crypto_digest_add_bytes(d, append, strlen(append));
500 crypto_digest_get_digest(d, digest_out, len_out);
502}
503
504/** Compute the HMAC-SHA-256 of the <b>msg_len</b> bytes in <b>msg</b>, using
505 * the <b>key</b> of length <b>key_len</b>. Store the DIGEST256_LEN-byte
506 * result in <b>hmac_out</b>. Asserts on failure.
507 */
508void
509crypto_hmac_sha256(char *hmac_out,
510 const char *key, size_t key_len,
511 const char *msg, size_t msg_len)
512{
513 /* If we've got OpenSSL >=0.9.8 we can use its hmac implementation. */
514 tor_assert(key_len < INT_MAX);
515 tor_assert(msg_len < INT_MAX);
516 tor_assert(hmac_out);
517 unsigned char *rv = NULL;
518 rv = HMAC(EVP_sha256(), key, (int)key_len, (unsigned char*)msg, (int)msg_len,
519 (unsigned char*)hmac_out, NULL);
520 tor_assert(rv);
521}
Inline functions for reading and writing multibyte values from the middle of strings,...
size_t crypto_digest_algorithm_get_length(digest_algorithm_t alg)
Definition: crypto_digest.c:86
Headers for crypto_digest.c.
digest_algorithm_t
Definition: crypto_digest.h:44
#define crypto_digest_free(d)
void crypto_digest_checkpoint(crypto_digest_checkpoint_t *checkpoint, const crypto_digest_t *digest)
int crypto_digest512(char *digest, const char *m, size_t len, digest_algorithm_t algorithm)
static crypto_digest_t * crypto_digest_new_internal(digest_algorithm_t algorithm)
int crypto_digest256(char *digest, const char *m, size_t len, digest_algorithm_t algorithm)
crypto_digest_t * crypto_digest512_new(digest_algorithm_t algorithm)
void crypto_hmac_sha256(char *hmac_out, const char *key, size_t key_len, const char *msg, size_t msg_len)
void crypto_digest_restore(crypto_digest_t *digest, const crypto_digest_checkpoint_t *checkpoint)
crypto_digest_t * crypto_digest_dup(const crypto_digest_t *digest)
void crypto_digest_get_digest(crypto_digest_t *digest, char *out, size_t out_len)
void crypto_digest_assign(crypto_digest_t *into, const crypto_digest_t *from)
void crypto_digest_smartlist(char *digest_out, size_t len_out, const smartlist_t *lst, const char *append, digest_algorithm_t alg)
static size_t crypto_digest_alloc_bytes(digest_algorithm_t alg)
int crypto_digest(char *digest, const char *m, size_t len)
crypto_digest_t * crypto_digest256_new(digest_algorithm_t algorithm)
void crypto_digest_free_(crypto_digest_t *digest)
void crypto_digest_add_bytes(crypto_digest_t *digest, const char *data, size_t len)
void crypto_digest_smartlist_prefix(char *digest_out, size_t len_out, const char *prepend, const smartlist_t *lst, const char *append, digest_algorithm_t alg)
crypto_digest_t * crypto_digest_new(void)
Headers for crypto_openssl_mgt.c.
void memwipe(void *mem, uint8_t byte, size_t sz)
Definition: crypto_util.c:55
Common functions for cryptographic routines.
#define DIGEST256_LEN
Definition: digest_sizes.h:23
#define DIGEST512_LEN
Definition: digest_sizes.h:25
Headers for log.c.
#define LD_BUG
Definition: log.h:86
#define tor_free(p)
Definition: malloc.h:56
Header for smartlist.c.
#define SMARTLIST_FOREACH(sl, type, var, cmd)
uint8_t mem[DIGEST_CHECKPOINT_BYTES]
Definition: crypto_digest.h:76
digest_algorithm_t algorithm
union crypto_digest_t::@30 d
#define MOCK_IMPL(rv, funcname, arglist)
Definition: testsupport.h:133
Macros to manage assertions, fatal and non-fatal.
#define tor_assert(expr)
Definition: util_bug.h:103
#define tor_fragile_assert()
Definition: util_bug.h:278