1 /* Copyright (c) 2001, Matej Pfajfar.
2 * Copyright (c) 2001-2004, Roger Dingledine.
3 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
4 * Copyright (c) 2007-2021, The Tor Project, Inc. */
5 /* See LICENSE for licensing information */
8 * \file crypto_digest_openssl.c
9 * \brief Block of functions related with digest and xof utilities and
10 * operations (OpenSSL specific implementations).
13 #include "lib/container/smartlist.h"
14 #include "lib/crypt_ops/crypto_digest.h"
15 #include "lib/crypt_ops/crypto_util.h"
16 #include "lib/log/log.h"
17 #include "lib/log/util_bug.h"
19 #include "keccak-tiny/keccak-tiny.h"
24 #include "lib/arch/bytes.h"
26 #include "lib/crypt_ops/crypto_openssl_mgt.h"
28 DISABLE_GCC_WARNING("-Wredundant-decls")
30 #include <openssl/hmac.h>
31 #include <openssl/sha.h>
33 ENABLE_GCC_WARNING("-Wredundant-decls")
35 /* Crypto digest functions */
37 /** Compute the SHA1 digest of the <b>len</b> bytes on data stored in
38 * <b>m</b>. Write the DIGEST_LEN byte result into <b>digest</b>.
39 * Return 0 on success, -1 on failure.
42 crypto_digest
,(char *digest
, const char *m
, size_t len
))
46 if (SHA1((const unsigned char*)m
,len
,(unsigned char*)digest
) == NULL
) {
52 /** Compute a 256-bit digest of <b>len</b> bytes in data stored in <b>m</b>,
53 * using the algorithm <b>algorithm</b>. Write the DIGEST_LEN256-byte result
54 * into <b>digest</b>. Return 0 on success, -1 on failure. */
56 crypto_digest256(char *digest
, const char *m
, size_t len
,
57 digest_algorithm_t algorithm
)
61 tor_assert(algorithm
== DIGEST_SHA256
|| algorithm
== DIGEST_SHA3_256
);
64 if (algorithm
== DIGEST_SHA256
) {
65 ret
= (SHA256((const uint8_t*)m
,len
,(uint8_t*)digest
) != NULL
);
67 #ifdef OPENSSL_HAS_SHA3
68 unsigned int dlen
= DIGEST256_LEN
;
69 ret
= EVP_Digest(m
, len
, (uint8_t*)digest
, &dlen
, EVP_sha3_256(), NULL
);
71 ret
= (sha3_256((uint8_t *)digest
, DIGEST256_LEN
,(const uint8_t *)m
, len
)
73 #endif /* defined(OPENSSL_HAS_SHA3) */
81 /** Compute a 512-bit digest of <b>len</b> bytes in data stored in <b>m</b>,
82 * using the algorithm <b>algorithm</b>. Write the DIGEST_LEN512-byte result
83 * into <b>digest</b>. Return 0 on success, -1 on failure. */
85 crypto_digest512(char *digest
, const char *m
, size_t len
,
86 digest_algorithm_t algorithm
)
90 tor_assert(algorithm
== DIGEST_SHA512
|| algorithm
== DIGEST_SHA3_512
);
93 if (algorithm
== DIGEST_SHA512
) {
94 ret
= (SHA512((const unsigned char*)m
,len
,(unsigned char*)digest
)
97 #ifdef OPENSSL_HAS_SHA3
98 unsigned int dlen
= DIGEST512_LEN
;
99 ret
= EVP_Digest(m
, len
, (uint8_t*)digest
, &dlen
, EVP_sha3_512(), NULL
);
101 ret
= (sha3_512((uint8_t*)digest
, DIGEST512_LEN
, (const uint8_t*)m
, len
)
103 #endif /* defined(OPENSSL_HAS_SHA3) */
111 /** Intermediate information about the digest of a stream of data. */
112 struct crypto_digest_t
{
113 digest_algorithm_t algorithm
; /**< Which algorithm is in use? */
114 /** State for the digest we're using. Only one member of the
115 * union is usable, depending on the value of <b>algorithm</b>. Note also
116 * that space for other members might not even be allocated!
119 SHA_CTX sha1
; /**< state for SHA1 */
120 SHA256_CTX sha2
; /**< state for SHA256 */
121 SHA512_CTX sha512
; /**< state for SHA512 */
122 #ifdef OPENSSL_HAS_SHA3
125 keccak_state sha3
; /**< state for SHA3-[256,512] */
130 #ifdef TOR_UNIT_TESTS
133 crypto_digest_get_algorithm(crypto_digest_t
*digest
)
137 return digest
->algorithm
;
140 #endif /* defined(TOR_UNIT_TESTS) */
143 * Return the number of bytes we need to malloc in order to get a
144 * crypto_digest_t for <b>alg</b>, or the number of bytes we need to wipe
148 crypto_digest_alloc_bytes(digest_algorithm_t alg
)
150 /** Helper: returns the number of bytes in the 'f' field of 'st' */
151 #define STRUCT_FIELD_SIZE(st, f) (sizeof( ((st*)0)->f ))
152 /** Gives the length of crypto_digest_t through the end of the field 'd' */
153 #define END_OF_FIELD(f) (offsetof(crypto_digest_t, f) + \
154 STRUCT_FIELD_SIZE(crypto_digest_t, f))
157 return END_OF_FIELD(d
.sha1
);
159 return END_OF_FIELD(d
.sha2
);
161 return END_OF_FIELD(d
.sha512
);
162 #ifdef OPENSSL_HAS_SHA3
163 case DIGEST_SHA3_256
: FALLTHROUGH
;
164 case DIGEST_SHA3_512
:
165 return END_OF_FIELD(d
.md
);
167 case DIGEST_SHA3_256
: FALLTHROUGH
;
168 case DIGEST_SHA3_512
:
169 return END_OF_FIELD(d
.sha3
);
170 #endif /* defined(OPENSSL_HAS_SHA3) */
172 tor_assert(0); // LCOV_EXCL_LINE
173 return 0; // LCOV_EXCL_LINE
176 #undef STRUCT_FIELD_SIZE
180 * Internal function: create and return a new digest object for 'algorithm'.
181 * Does not typecheck the algorithm.
183 static crypto_digest_t
*
184 crypto_digest_new_internal(digest_algorithm_t algorithm
)
186 crypto_digest_t
*r
= tor_malloc(crypto_digest_alloc_bytes(algorithm
));
187 r
->algorithm
= algorithm
;
192 SHA1_Init(&r
->d
.sha1
);
195 SHA256_Init(&r
->d
.sha2
);
198 SHA512_Init(&r
->d
.sha512
);
200 #ifdef OPENSSL_HAS_SHA3
201 case DIGEST_SHA3_256
:
202 r
->d
.md
= EVP_MD_CTX_new();
203 if (!EVP_DigestInit(r
->d
.md
, EVP_sha3_256())) {
204 crypto_digest_free(r
);
208 case DIGEST_SHA3_512
:
209 r
->d
.md
= EVP_MD_CTX_new();
210 if (!EVP_DigestInit(r
->d
.md
, EVP_sha3_512())) {
211 crypto_digest_free(r
);
215 #else /* !defined(OPENSSL_HAS_SHA3) */
216 case DIGEST_SHA3_256
:
217 keccak_digest_init(&r
->d
.sha3
, 256);
219 case DIGEST_SHA3_512
:
220 keccak_digest_init(&r
->d
.sha3
, 512);
222 #endif /* defined(OPENSSL_HAS_SHA3) */
224 tor_assert_unreached();
230 /** Allocate and return a new digest object to compute SHA1 digests.
233 crypto_digest_new(void)
235 return crypto_digest_new_internal(DIGEST_SHA1
);
238 /** Allocate and return a new digest object to compute 256-bit digests
239 * using <b>algorithm</b>.
241 * C_RUST_COUPLED: `external::crypto_digest::crypto_digest256_new`
242 * C_RUST_COUPLED: `crypto::digest::Sha256::default`
245 crypto_digest256_new(digest_algorithm_t algorithm
)
247 tor_assert(algorithm
== DIGEST_SHA256
|| algorithm
== DIGEST_SHA3_256
);
248 return crypto_digest_new_internal(algorithm
);
251 /** Allocate and return a new digest object to compute 512-bit digests
252 * using <b>algorithm</b>. */
254 crypto_digest512_new(digest_algorithm_t algorithm
)
256 tor_assert(algorithm
== DIGEST_SHA512
|| algorithm
== DIGEST_SHA3_512
);
257 return crypto_digest_new_internal(algorithm
);
260 /** Deallocate a digest object.
263 crypto_digest_free_(crypto_digest_t
*digest
)
267 #ifdef OPENSSL_HAS_SHA3
268 if (digest
->algorithm
== DIGEST_SHA3_256
||
269 digest
->algorithm
== DIGEST_SHA3_512
) {
271 EVP_MD_CTX_free(digest
->d
.md
);
274 #endif /* defined(OPENSSL_HAS_SHA3) */
275 size_t bytes
= crypto_digest_alloc_bytes(digest
->algorithm
);
276 memwipe(digest
, 0, bytes
);
280 /** Add <b>len</b> bytes from <b>data</b> to the digest object.
282 * C_RUST_COUPLED: `external::crypto_digest::crypto_digest_add_bytess`
283 * C_RUST_COUPLED: `crypto::digest::Sha256::process`
286 crypto_digest_add_bytes(crypto_digest_t
*digest
, const char *data
,
291 /* Using the SHA*_*() calls directly means we don't support doing
292 * SHA in hardware. But so far the delay of getting the question
293 * to the hardware, and hearing the answer, is likely higher than
294 * just doing it ourselves. Hashes are fast.
296 switch (digest
->algorithm
) {
298 SHA1_Update(&digest
->d
.sha1
, (void*)data
, len
);
301 SHA256_Update(&digest
->d
.sha2
, (void*)data
, len
);
304 SHA512_Update(&digest
->d
.sha512
, (void*)data
, len
);
306 #ifdef OPENSSL_HAS_SHA3
307 case DIGEST_SHA3_256
: FALLTHROUGH
;
308 case DIGEST_SHA3_512
: {
309 int r
= EVP_DigestUpdate(digest
->d
.md
, data
, len
);
313 #else /* !defined(OPENSSL_HAS_SHA3) */
314 case DIGEST_SHA3_256
: FALLTHROUGH
;
315 case DIGEST_SHA3_512
:
316 keccak_digest_update(&digest
->d
.sha3
, (const uint8_t *)data
, len
);
318 #endif /* defined(OPENSSL_HAS_SHA3) */
320 /* LCOV_EXCL_START */
321 tor_fragile_assert();
327 /** Compute the hash of the data that has been passed to the digest
328 * object; write the first out_len bytes of the result to <b>out</b>.
329 * <b>out_len</b> must be \<= DIGEST512_LEN.
331 * C_RUST_COUPLED: `external::crypto_digest::crypto_digest_get_digest`
332 * C_RUST_COUPLED: `impl digest::FixedOutput for Sha256`
335 crypto_digest_get_digest(crypto_digest_t
*digest
,
336 char *out
, size_t out_len
)
338 unsigned char r
[DIGEST512_LEN
];
341 tor_assert(out_len
<= crypto_digest_algorithm_get_length(digest
->algorithm
));
343 /* The SHA-3 code handles copying into a temporary ctx, and also can handle
344 * short output buffers by truncating appropriately. */
345 if (digest
->algorithm
== DIGEST_SHA3_256
||
346 digest
->algorithm
== DIGEST_SHA3_512
) {
347 #ifdef OPENSSL_HAS_SHA3
348 unsigned dlen
= (unsigned)
349 crypto_digest_algorithm_get_length(digest
->algorithm
);
350 EVP_MD_CTX
*tmp
= EVP_MD_CTX_new();
351 EVP_MD_CTX_copy(tmp
, digest
->d
.md
);
352 memset(r
, 0xff, sizeof(r
));
353 int res
= EVP_DigestFinal(tmp
, r
, &dlen
);
354 EVP_MD_CTX_free(tmp
);
355 tor_assert(res
== 1);
357 #else /* !defined(OPENSSL_HAS_SHA3) */
358 /* Tiny-Keccak handles copying into a temporary ctx, and also can handle
359 * short output buffers by truncating appropriately. */
360 keccak_digest_sum(&digest
->d
.sha3
, (uint8_t *)out
, out_len
);
362 #endif /* defined(OPENSSL_HAS_SHA3) */
365 const size_t alloc_bytes
= crypto_digest_alloc_bytes(digest
->algorithm
);
366 crypto_digest_t tmpenv
;
367 /* memcpy into a temporary ctx, since SHA*_Final clears the context */
368 memcpy(&tmpenv
, digest
, alloc_bytes
);
369 switch (digest
->algorithm
) {
371 SHA1_Final(r
, &tmpenv
.d
.sha1
);
374 SHA256_Final(r
, &tmpenv
.d
.sha2
);
377 SHA512_Final(r
, &tmpenv
.d
.sha512
);
380 case DIGEST_SHA3_256
: FALLTHROUGH
;
381 case DIGEST_SHA3_512
:
383 log_warn(LD_BUG
, "Handling unexpected algorithm %d", digest
->algorithm
);
384 /* This is fatal, because it should never happen. */
385 tor_assert_unreached();
389 #ifdef OPENSSL_HAS_SHA3
392 memcpy(out
, r
, out_len
);
393 memwipe(r
, 0, sizeof(r
));
396 /** Allocate and return a new digest object with the same state as
399 * C_RUST_COUPLED: `external::crypto_digest::crypto_digest_dup`
400 * C_RUST_COUPLED: `impl Clone for crypto::digest::Sha256`
403 crypto_digest_dup(const crypto_digest_t
*digest
)
406 const size_t alloc_bytes
= crypto_digest_alloc_bytes(digest
->algorithm
);
407 crypto_digest_t
*result
= tor_memdup(digest
, alloc_bytes
);
409 #ifdef OPENSSL_HAS_SHA3
410 if (digest
->algorithm
== DIGEST_SHA3_256
||
411 digest
->algorithm
== DIGEST_SHA3_512
) {
412 result
->d
.md
= EVP_MD_CTX_new();
413 EVP_MD_CTX_copy(result
->d
.md
, digest
->d
.md
);
415 #endif /* defined(OPENSSL_HAS_SHA3) */
419 /** Temporarily save the state of <b>digest</b> in <b>checkpoint</b>.
420 * Asserts that <b>digest</b> is a SHA1 digest object.
423 crypto_digest_checkpoint(crypto_digest_checkpoint_t
*checkpoint
,
424 const crypto_digest_t
*digest
)
426 const size_t bytes
= crypto_digest_alloc_bytes(digest
->algorithm
);
427 tor_assert(bytes
<= sizeof(checkpoint
->mem
));
428 memcpy(checkpoint
->mem
, digest
, bytes
);
431 /** Restore the state of <b>digest</b> from <b>checkpoint</b>.
432 * Asserts that <b>digest</b> is a SHA1 digest object. Requires that the
433 * state was previously stored with crypto_digest_checkpoint() */
435 crypto_digest_restore(crypto_digest_t
*digest
,
436 const crypto_digest_checkpoint_t
*checkpoint
)
438 const size_t bytes
= crypto_digest_alloc_bytes(digest
->algorithm
);
439 memcpy(digest
, checkpoint
->mem
, bytes
);
442 /** Replace the state of the digest object <b>into</b> with the state
443 * of the digest object <b>from</b>. Requires that 'into' and 'from'
444 * have the same digest type.
447 crypto_digest_assign(crypto_digest_t
*into
,
448 const crypto_digest_t
*from
)
452 tor_assert(into
->algorithm
== from
->algorithm
);
453 const size_t alloc_bytes
= crypto_digest_alloc_bytes(from
->algorithm
);
455 #ifdef OPENSSL_HAS_SHA3
456 if (from
->algorithm
== DIGEST_SHA3_256
||
457 from
->algorithm
== DIGEST_SHA3_512
) {
458 EVP_MD_CTX_copy(into
->d
.md
, from
->d
.md
);
461 #endif /* defined(OPENSSL_HAS_SHA3) */
463 memcpy(into
,from
,alloc_bytes
);
466 /** Given a list of strings in <b>lst</b>, set the <b>len_out</b>-byte digest
467 * at <b>digest_out</b> to the hash of the concatenation of those strings,
468 * plus the optional string <b>append</b>, computed with the algorithm
470 * <b>out_len</b> must be \<= DIGEST512_LEN. */
472 crypto_digest_smartlist(char *digest_out
, size_t len_out
,
473 const smartlist_t
*lst
,
475 digest_algorithm_t alg
)
477 crypto_digest_smartlist_prefix(digest_out
, len_out
, NULL
, lst
, append
, alg
);
480 /** Given a list of strings in <b>lst</b>, set the <b>len_out</b>-byte digest
481 * at <b>digest_out</b> to the hash of the concatenation of: the
482 * optional string <b>prepend</b>, those strings,
483 * and the optional string <b>append</b>, computed with the algorithm
485 * <b>len_out</b> must be \<= DIGEST512_LEN. */
487 crypto_digest_smartlist_prefix(char *digest_out
, size_t len_out
,
489 const smartlist_t
*lst
,
491 digest_algorithm_t alg
)
493 crypto_digest_t
*d
= crypto_digest_new_internal(alg
);
495 crypto_digest_add_bytes(d
, prepend
, strlen(prepend
));
496 SMARTLIST_FOREACH(lst
, const char *, cp
,
497 crypto_digest_add_bytes(d
, cp
, strlen(cp
)));
499 crypto_digest_add_bytes(d
, append
, strlen(append
));
500 crypto_digest_get_digest(d
, digest_out
, len_out
);
501 crypto_digest_free(d
);
504 /** Compute the HMAC-SHA-256 of the <b>msg_len</b> bytes in <b>msg</b>, using
505 * the <b>key</b> of length <b>key_len</b>. Store the DIGEST256_LEN-byte
506 * result in <b>hmac_out</b>. Asserts on failure.
509 crypto_hmac_sha256(char *hmac_out
,
510 const char *key
, size_t key_len
,
511 const char *msg
, size_t msg_len
)
513 /* If we've got OpenSSL >=0.9.8 we can use its hmac implementation. */
514 tor_assert(key_len
< INT_MAX
);
515 tor_assert(msg_len
< INT_MAX
);
516 tor_assert(hmac_out
);
517 unsigned char *rv
= NULL
;
518 rv
= HMAC(EVP_sha256(), key
, (int)key_len
, (unsigned char*)msg
, (int)msg_len
,
519 (unsigned char*)hmac_out
, NULL
);