mirror of
https://gitlab.torproject.org/tpo/core/tor.git
synced 2024-11-24 04:13:28 +01:00
Merge branch 'bug24658-rm-curve25519-header' into bug24658-merge
commit
0eed0899cd
@ -15,7 +15,7 @@
|
||||
#include "util.h"
|
||||
#include "torlog.h"
|
||||
#include "container.h"
|
||||
#include "crypto.h"
|
||||
#include "crypto_digest.h"
|
||||
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
|
@ -29,6 +29,7 @@
|
||||
#include "crypto_ed25519.h"
|
||||
#include "crypto_format.h"
|
||||
#include "crypto_rsa.h"
|
||||
#include "crypto_digest.h"
|
||||
|
||||
DISABLE_GCC_WARNING(redundant-decls)
|
||||
|
||||
@ -397,266 +398,6 @@ crypto_cipher_free_(crypto_cipher_t *env)
|
||||
aes_cipher_free(env);
|
||||
}
|
||||
|
||||
/* public key crypto */
|
||||
|
||||
/** Check a siglen-byte long signature at <b>sig</b> against
|
||||
* <b>datalen</b> bytes of data at <b>data</b>, using the public key
|
||||
* in <b>env</b>. Return 0 if <b>sig</b> is a correct signature for
|
||||
* SHA1(data). Else return -1.
|
||||
*/
|
||||
MOCK_IMPL(int,
|
||||
crypto_pk_public_checksig_digest,(crypto_pk_t *env, const char *data,
|
||||
size_t datalen, const char *sig,
|
||||
size_t siglen))
|
||||
{
|
||||
char digest[DIGEST_LEN];
|
||||
char *buf;
|
||||
size_t buflen;
|
||||
int r;
|
||||
|
||||
tor_assert(env);
|
||||
tor_assert(data);
|
||||
tor_assert(sig);
|
||||
tor_assert(datalen < SIZE_T_CEILING);
|
||||
tor_assert(siglen < SIZE_T_CEILING);
|
||||
|
||||
if (crypto_digest(digest,data,datalen)<0) {
|
||||
log_warn(LD_BUG, "couldn't compute digest");
|
||||
return -1;
|
||||
}
|
||||
buflen = crypto_pk_keysize(env);
|
||||
buf = tor_malloc(buflen);
|
||||
r = crypto_pk_public_checksig(env,buf,buflen,sig,siglen);
|
||||
if (r != DIGEST_LEN) {
|
||||
log_warn(LD_CRYPTO, "Invalid signature");
|
||||
tor_free(buf);
|
||||
return -1;
|
||||
}
|
||||
if (tor_memneq(buf, digest, DIGEST_LEN)) {
|
||||
log_warn(LD_CRYPTO, "Signature mismatched with digest.");
|
||||
tor_free(buf);
|
||||
return -1;
|
||||
}
|
||||
tor_free(buf);
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
/** Compute a SHA1 digest of <b>fromlen</b> bytes of data stored at
|
||||
* <b>from</b>; sign the data with the private key in <b>env</b>, and
|
||||
* store it in <b>to</b>. Return the number of bytes written on
|
||||
* success, and -1 on failure.
|
||||
*
|
||||
* <b>tolen</b> is the number of writable bytes in <b>to</b>, and must be
|
||||
* at least the length of the modulus of <b>env</b>.
|
||||
*/
|
||||
int
|
||||
crypto_pk_private_sign_digest(crypto_pk_t *env, char *to, size_t tolen,
|
||||
const char *from, size_t fromlen)
|
||||
{
|
||||
int r;
|
||||
char digest[DIGEST_LEN];
|
||||
if (crypto_digest(digest,from,fromlen)<0)
|
||||
return -1;
|
||||
r = crypto_pk_private_sign(env,to,tolen,digest,DIGEST_LEN);
|
||||
memwipe(digest, 0, sizeof(digest));
|
||||
return r;
|
||||
}
|
||||
|
||||
/** Perform a hybrid (public/secret) encryption on <b>fromlen</b>
|
||||
* bytes of data from <b>from</b>, with padding type 'padding',
|
||||
* storing the results on <b>to</b>.
|
||||
*
|
||||
* Returns the number of bytes written on success, -1 on failure.
|
||||
*
|
||||
* The encrypted data consists of:
|
||||
* - The source data, padded and encrypted with the public key, if the
|
||||
* padded source data is no longer than the public key, and <b>force</b>
|
||||
* is false, OR
|
||||
* - The beginning of the source data prefixed with a 16-byte symmetric key,
|
||||
* padded and encrypted with the public key; followed by the rest of
|
||||
* the source data encrypted in AES-CTR mode with the symmetric key.
|
||||
*
|
||||
* NOTE that this format does not authenticate the symmetrically encrypted
|
||||
* part of the data, and SHOULD NOT BE USED for new protocols.
|
||||
*/
|
||||
int
|
||||
crypto_pk_obsolete_public_hybrid_encrypt(crypto_pk_t *env,
|
||||
char *to, size_t tolen,
|
||||
const char *from,
|
||||
size_t fromlen,
|
||||
int padding, int force)
|
||||
{
|
||||
int overhead, outlen, r;
|
||||
size_t pkeylen, symlen;
|
||||
crypto_cipher_t *cipher = NULL;
|
||||
char *buf = NULL;
|
||||
|
||||
tor_assert(env);
|
||||
tor_assert(from);
|
||||
tor_assert(to);
|
||||
tor_assert(fromlen < SIZE_T_CEILING);
|
||||
|
||||
overhead = crypto_get_rsa_padding_overhead(crypto_get_rsa_padding(padding));
|
||||
pkeylen = crypto_pk_keysize(env);
|
||||
|
||||
if (!force && fromlen+overhead <= pkeylen) {
|
||||
/* It all fits in a single encrypt. */
|
||||
return crypto_pk_public_encrypt(env,to,
|
||||
tolen,
|
||||
from,fromlen,padding);
|
||||
}
|
||||
tor_assert(tolen >= fromlen + overhead + CIPHER_KEY_LEN);
|
||||
tor_assert(tolen >= pkeylen);
|
||||
|
||||
char key[CIPHER_KEY_LEN];
|
||||
crypto_rand(key, sizeof(key)); /* generate a new key. */
|
||||
cipher = crypto_cipher_new(key);
|
||||
|
||||
buf = tor_malloc(pkeylen+1);
|
||||
memcpy(buf, key, CIPHER_KEY_LEN);
|
||||
memcpy(buf+CIPHER_KEY_LEN, from, pkeylen-overhead-CIPHER_KEY_LEN);
|
||||
|
||||
/* Length of symmetrically encrypted data. */
|
||||
symlen = fromlen-(pkeylen-overhead-CIPHER_KEY_LEN);
|
||||
|
||||
outlen = crypto_pk_public_encrypt(env,to,tolen,buf,pkeylen-overhead,padding);
|
||||
if (outlen!=(int)pkeylen) {
|
||||
goto err;
|
||||
}
|
||||
r = crypto_cipher_encrypt(cipher, to+outlen,
|
||||
from+pkeylen-overhead-CIPHER_KEY_LEN, symlen);
|
||||
|
||||
if (r<0) goto err;
|
||||
memwipe(buf, 0, pkeylen);
|
||||
memwipe(key, 0, sizeof(key));
|
||||
tor_free(buf);
|
||||
crypto_cipher_free(cipher);
|
||||
tor_assert(outlen+symlen < INT_MAX);
|
||||
return (int)(outlen + symlen);
|
||||
err:
|
||||
|
||||
memwipe(buf, 0, pkeylen);
|
||||
memwipe(key, 0, sizeof(key));
|
||||
tor_free(buf);
|
||||
crypto_cipher_free(cipher);
|
||||
return -1;
|
||||
}
|
||||
|
||||
/** Invert crypto_pk_obsolete_public_hybrid_encrypt. Returns the number of
|
||||
* bytes written on success, -1 on failure.
|
||||
*
|
||||
* NOTE that this format does not authenticate the symmetrically encrypted
|
||||
* part of the data, and SHOULD NOT BE USED for new protocols.
|
||||
*/
|
||||
int
|
||||
crypto_pk_obsolete_private_hybrid_decrypt(crypto_pk_t *env,
|
||||
char *to,
|
||||
size_t tolen,
|
||||
const char *from,
|
||||
size_t fromlen,
|
||||
int padding, int warnOnFailure)
|
||||
{
|
||||
int outlen, r;
|
||||
size_t pkeylen;
|
||||
crypto_cipher_t *cipher = NULL;
|
||||
char *buf = NULL;
|
||||
|
||||
tor_assert(fromlen < SIZE_T_CEILING);
|
||||
pkeylen = crypto_pk_keysize(env);
|
||||
|
||||
if (fromlen <= pkeylen) {
|
||||
return crypto_pk_private_decrypt(env,to,tolen,from,fromlen,padding,
|
||||
warnOnFailure);
|
||||
}
|
||||
|
||||
buf = tor_malloc(pkeylen);
|
||||
outlen = crypto_pk_private_decrypt(env,buf,pkeylen,from,pkeylen,padding,
|
||||
warnOnFailure);
|
||||
if (outlen<0) {
|
||||
log_fn(warnOnFailure?LOG_WARN:LOG_DEBUG, LD_CRYPTO,
|
||||
"Error decrypting public-key data");
|
||||
goto err;
|
||||
}
|
||||
if (outlen < CIPHER_KEY_LEN) {
|
||||
log_fn(warnOnFailure?LOG_WARN:LOG_INFO, LD_CRYPTO,
|
||||
"No room for a symmetric key");
|
||||
goto err;
|
||||
}
|
||||
cipher = crypto_cipher_new(buf);
|
||||
if (!cipher) {
|
||||
goto err;
|
||||
}
|
||||
memcpy(to,buf+CIPHER_KEY_LEN,outlen-CIPHER_KEY_LEN);
|
||||
outlen -= CIPHER_KEY_LEN;
|
||||
tor_assert(tolen - outlen >= fromlen - pkeylen);
|
||||
r = crypto_cipher_decrypt(cipher, to+outlen, from+pkeylen, fromlen-pkeylen);
|
||||
if (r<0)
|
||||
goto err;
|
||||
memwipe(buf,0,pkeylen);
|
||||
tor_free(buf);
|
||||
crypto_cipher_free(cipher);
|
||||
tor_assert(outlen + fromlen < INT_MAX);
|
||||
return (int)(outlen + (fromlen-pkeylen));
|
||||
err:
|
||||
memwipe(buf,0,pkeylen);
|
||||
tor_free(buf);
|
||||
crypto_cipher_free(cipher);
|
||||
return -1;
|
||||
}
|
||||
|
||||
/** Given a private or public key <b>pk</b>, put a SHA1 hash of the
|
||||
* public key into <b>digest_out</b> (must have DIGEST_LEN bytes of space).
|
||||
* Return 0 on success, -1 on failure.
|
||||
*/
|
||||
int
|
||||
crypto_pk_get_digest(const crypto_pk_t *pk, char *digest_out)
|
||||
{
|
||||
char *buf;
|
||||
size_t buflen;
|
||||
int len;
|
||||
int rv = -1;
|
||||
|
||||
buflen = crypto_pk_keysize(pk)*2;
|
||||
buf = tor_malloc(buflen);
|
||||
len = crypto_pk_asn1_encode(pk, buf, buflen);
|
||||
if (len < 0)
|
||||
goto done;
|
||||
|
||||
if (crypto_digest(digest_out, buf, len) < 0)
|
||||
goto done;
|
||||
|
||||
rv = 0;
|
||||
done:
|
||||
tor_free(buf);
|
||||
return rv;
|
||||
}
|
||||
|
||||
/** Compute all digests of the DER encoding of <b>pk</b>, and store them
|
||||
* in <b>digests_out</b>. Return 0 on success, -1 on failure. */
|
||||
int
|
||||
crypto_pk_get_common_digests(crypto_pk_t *pk, common_digests_t *digests_out)
|
||||
{
|
||||
char *buf;
|
||||
size_t buflen;
|
||||
int len;
|
||||
int rv = -1;
|
||||
|
||||
buflen = crypto_pk_keysize(pk)*2;
|
||||
buf = tor_malloc(buflen);
|
||||
len = crypto_pk_asn1_encode(pk, buf, buflen);
|
||||
if (len < 0)
|
||||
goto done;
|
||||
|
||||
if (crypto_common_digests(digests_out, (char*)buf, len) < 0)
|
||||
goto done;
|
||||
|
||||
rv = 0;
|
||||
done:
|
||||
tor_free(buf);
|
||||
return rv;
|
||||
}
|
||||
|
||||
/** Copy <b>in</b> to the <b>outlen</b>-byte buffer <b>out</b>, adding spaces
|
||||
* every four characters. */
|
||||
void
|
||||
@ -788,548 +529,6 @@ crypto_cipher_decrypt_with_iv(const char *key,
|
||||
return (int)(fromlen - CIPHER_IV_LEN);
|
||||
}
|
||||
|
||||
/* SHA-1 */
|
||||
|
||||
/** Compute the SHA1 digest of the <b>len</b> bytes on data stored in
|
||||
* <b>m</b>. Write the DIGEST_LEN byte result into <b>digest</b>.
|
||||
* Return 0 on success, -1 on failure.
|
||||
*/
|
||||
int
|
||||
crypto_digest(char *digest, const char *m, size_t len)
|
||||
{
|
||||
tor_assert(m);
|
||||
tor_assert(digest);
|
||||
if (SHA1((const unsigned char*)m,len,(unsigned char*)digest) == NULL)
|
||||
return -1;
|
||||
return 0;
|
||||
}
|
||||
|
||||
/** Compute a 256-bit digest of <b>len</b> bytes in data stored in <b>m</b>,
|
||||
* using the algorithm <b>algorithm</b>. Write the DIGEST_LEN256-byte result
|
||||
* into <b>digest</b>. Return 0 on success, -1 on failure. */
|
||||
int
|
||||
crypto_digest256(char *digest, const char *m, size_t len,
|
||||
digest_algorithm_t algorithm)
|
||||
{
|
||||
tor_assert(m);
|
||||
tor_assert(digest);
|
||||
tor_assert(algorithm == DIGEST_SHA256 || algorithm == DIGEST_SHA3_256);
|
||||
|
||||
int ret = 0;
|
||||
if (algorithm == DIGEST_SHA256)
|
||||
ret = (SHA256((const uint8_t*)m,len,(uint8_t*)digest) != NULL);
|
||||
else
|
||||
ret = (sha3_256((uint8_t *)digest, DIGEST256_LEN,(const uint8_t *)m, len)
|
||||
> -1);
|
||||
|
||||
if (!ret)
|
||||
return -1;
|
||||
return 0;
|
||||
}
|
||||
|
||||
/** Compute a 512-bit digest of <b>len</b> bytes in data stored in <b>m</b>,
|
||||
* using the algorithm <b>algorithm</b>. Write the DIGEST_LEN512-byte result
|
||||
* into <b>digest</b>. Return 0 on success, -1 on failure. */
|
||||
int
|
||||
crypto_digest512(char *digest, const char *m, size_t len,
|
||||
digest_algorithm_t algorithm)
|
||||
{
|
||||
tor_assert(m);
|
||||
tor_assert(digest);
|
||||
tor_assert(algorithm == DIGEST_SHA512 || algorithm == DIGEST_SHA3_512);
|
||||
|
||||
int ret = 0;
|
||||
if (algorithm == DIGEST_SHA512)
|
||||
ret = (SHA512((const unsigned char*)m,len,(unsigned char*)digest)
|
||||
!= NULL);
|
||||
else
|
||||
ret = (sha3_512((uint8_t*)digest, DIGEST512_LEN, (const uint8_t*)m, len)
|
||||
> -1);
|
||||
|
||||
if (!ret)
|
||||
return -1;
|
||||
return 0;
|
||||
}
|
||||
|
||||
/** Set the common_digests_t in <b>ds_out</b> to contain every digest on the
|
||||
* <b>len</b> bytes in <b>m</b> that we know how to compute. Return 0 on
|
||||
* success, -1 on failure. */
|
||||
int
|
||||
crypto_common_digests(common_digests_t *ds_out, const char *m, size_t len)
|
||||
{
|
||||
tor_assert(ds_out);
|
||||
memset(ds_out, 0, sizeof(*ds_out));
|
||||
if (crypto_digest(ds_out->d[DIGEST_SHA1], m, len) < 0)
|
||||
return -1;
|
||||
if (crypto_digest256(ds_out->d[DIGEST_SHA256], m, len, DIGEST_SHA256) < 0)
|
||||
return -1;
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
/** Return the name of an algorithm, as used in directory documents. */
|
||||
const char *
|
||||
crypto_digest_algorithm_get_name(digest_algorithm_t alg)
|
||||
{
|
||||
switch (alg) {
|
||||
case DIGEST_SHA1:
|
||||
return "sha1";
|
||||
case DIGEST_SHA256:
|
||||
return "sha256";
|
||||
case DIGEST_SHA512:
|
||||
return "sha512";
|
||||
case DIGEST_SHA3_256:
|
||||
return "sha3-256";
|
||||
case DIGEST_SHA3_512:
|
||||
return "sha3-512";
|
||||
// LCOV_EXCL_START
|
||||
default:
|
||||
tor_fragile_assert();
|
||||
return "??unknown_digest??";
|
||||
// LCOV_EXCL_STOP
|
||||
}
|
||||
}
|
||||
|
||||
/** Given the name of a digest algorithm, return its integer value, or -1 if
|
||||
* the name is not recognized. */
|
||||
int
|
||||
crypto_digest_algorithm_parse_name(const char *name)
|
||||
{
|
||||
if (!strcmp(name, "sha1"))
|
||||
return DIGEST_SHA1;
|
||||
else if (!strcmp(name, "sha256"))
|
||||
return DIGEST_SHA256;
|
||||
else if (!strcmp(name, "sha512"))
|
||||
return DIGEST_SHA512;
|
||||
else if (!strcmp(name, "sha3-256"))
|
||||
return DIGEST_SHA3_256;
|
||||
else if (!strcmp(name, "sha3-512"))
|
||||
return DIGEST_SHA3_512;
|
||||
else
|
||||
return -1;
|
||||
}
|
||||
|
||||
/** Given an algorithm, return the digest length in bytes. */
|
||||
size_t
|
||||
crypto_digest_algorithm_get_length(digest_algorithm_t alg)
|
||||
{
|
||||
switch (alg) {
|
||||
case DIGEST_SHA1:
|
||||
return DIGEST_LEN;
|
||||
case DIGEST_SHA256:
|
||||
return DIGEST256_LEN;
|
||||
case DIGEST_SHA512:
|
||||
return DIGEST512_LEN;
|
||||
case DIGEST_SHA3_256:
|
||||
return DIGEST256_LEN;
|
||||
case DIGEST_SHA3_512:
|
||||
return DIGEST512_LEN;
|
||||
default:
|
||||
tor_assert(0); // LCOV_EXCL_LINE
|
||||
return 0; /* Unreachable */ // LCOV_EXCL_LINE
|
||||
}
|
||||
}
|
||||
|
||||
/** Intermediate information about the digest of a stream of data. */
|
||||
struct crypto_digest_t {
|
||||
digest_algorithm_t algorithm; /**< Which algorithm is in use? */
|
||||
/** State for the digest we're using. Only one member of the
|
||||
* union is usable, depending on the value of <b>algorithm</b>. Note also
|
||||
* that space for other members might not even be allocated!
|
||||
*/
|
||||
union {
|
||||
SHA_CTX sha1; /**< state for SHA1 */
|
||||
SHA256_CTX sha2; /**< state for SHA256 */
|
||||
SHA512_CTX sha512; /**< state for SHA512 */
|
||||
keccak_state sha3; /**< state for SHA3-[256,512] */
|
||||
} d;
|
||||
};
|
||||
|
||||
#ifdef TOR_UNIT_TESTS
|
||||
|
||||
digest_algorithm_t
|
||||
crypto_digest_get_algorithm(crypto_digest_t *digest)
|
||||
{
|
||||
tor_assert(digest);
|
||||
|
||||
return digest->algorithm;
|
||||
}
|
||||
|
||||
#endif /* defined(TOR_UNIT_TESTS) */
|
||||
|
||||
/**
|
||||
* Return the number of bytes we need to malloc in order to get a
|
||||
* crypto_digest_t for <b>alg</b>, or the number of bytes we need to wipe
|
||||
* when we free one.
|
||||
*/
|
||||
static size_t
|
||||
crypto_digest_alloc_bytes(digest_algorithm_t alg)
|
||||
{
|
||||
/* Helper: returns the number of bytes in the 'f' field of 'st' */
|
||||
#define STRUCT_FIELD_SIZE(st, f) (sizeof( ((st*)0)->f ))
|
||||
/* Gives the length of crypto_digest_t through the end of the field 'd' */
|
||||
#define END_OF_FIELD(f) (offsetof(crypto_digest_t, f) + \
|
||||
STRUCT_FIELD_SIZE(crypto_digest_t, f))
|
||||
|
||||
switch (alg) {
|
||||
case DIGEST_SHA1:
|
||||
return END_OF_FIELD(d.sha1);
|
||||
case DIGEST_SHA256:
|
||||
return END_OF_FIELD(d.sha2);
|
||||
case DIGEST_SHA512:
|
||||
return END_OF_FIELD(d.sha512);
|
||||
case DIGEST_SHA3_256:
|
||||
case DIGEST_SHA3_512:
|
||||
return END_OF_FIELD(d.sha3);
|
||||
default:
|
||||
tor_assert(0); // LCOV_EXCL_LINE
|
||||
return 0; // LCOV_EXCL_LINE
|
||||
}
|
||||
#undef END_OF_FIELD
|
||||
#undef STRUCT_FIELD_SIZE
|
||||
}
|
||||
|
||||
/**
|
||||
* Internal function: create and return a new digest object for 'algorithm'.
|
||||
* Does not typecheck the algorithm.
|
||||
*/
|
||||
static crypto_digest_t *
|
||||
crypto_digest_new_internal(digest_algorithm_t algorithm)
|
||||
{
|
||||
crypto_digest_t *r = tor_malloc(crypto_digest_alloc_bytes(algorithm));
|
||||
r->algorithm = algorithm;
|
||||
|
||||
switch (algorithm)
|
||||
{
|
||||
case DIGEST_SHA1:
|
||||
SHA1_Init(&r->d.sha1);
|
||||
break;
|
||||
case DIGEST_SHA256:
|
||||
SHA256_Init(&r->d.sha2);
|
||||
break;
|
||||
case DIGEST_SHA512:
|
||||
SHA512_Init(&r->d.sha512);
|
||||
break;
|
||||
case DIGEST_SHA3_256:
|
||||
keccak_digest_init(&r->d.sha3, 256);
|
||||
break;
|
||||
case DIGEST_SHA3_512:
|
||||
keccak_digest_init(&r->d.sha3, 512);
|
||||
break;
|
||||
default:
|
||||
tor_assert_unreached();
|
||||
}
|
||||
|
||||
return r;
|
||||
}
|
||||
|
||||
/** Allocate and return a new digest object to compute SHA1 digests.
|
||||
*/
|
||||
crypto_digest_t *
|
||||
crypto_digest_new(void)
|
||||
{
|
||||
return crypto_digest_new_internal(DIGEST_SHA1);
|
||||
}
|
||||
|
||||
/** Allocate and return a new digest object to compute 256-bit digests
|
||||
* using <b>algorithm</b>. */
|
||||
crypto_digest_t *
|
||||
crypto_digest256_new(digest_algorithm_t algorithm)
|
||||
{
|
||||
tor_assert(algorithm == DIGEST_SHA256 || algorithm == DIGEST_SHA3_256);
|
||||
return crypto_digest_new_internal(algorithm);
|
||||
}
|
||||
|
||||
/** Allocate and return a new digest object to compute 512-bit digests
|
||||
* using <b>algorithm</b>. */
|
||||
crypto_digest_t *
|
||||
crypto_digest512_new(digest_algorithm_t algorithm)
|
||||
{
|
||||
tor_assert(algorithm == DIGEST_SHA512 || algorithm == DIGEST_SHA3_512);
|
||||
return crypto_digest_new_internal(algorithm);
|
||||
}
|
||||
|
||||
/** Deallocate a digest object.
|
||||
*/
|
||||
void
|
||||
crypto_digest_free_(crypto_digest_t *digest)
|
||||
{
|
||||
if (!digest)
|
||||
return;
|
||||
size_t bytes = crypto_digest_alloc_bytes(digest->algorithm);
|
||||
memwipe(digest, 0, bytes);
|
||||
tor_free(digest);
|
||||
}
|
||||
|
||||
/** Add <b>len</b> bytes from <b>data</b> to the digest object.
|
||||
*/
|
||||
void
|
||||
crypto_digest_add_bytes(crypto_digest_t *digest, const char *data,
|
||||
size_t len)
|
||||
{
|
||||
tor_assert(digest);
|
||||
tor_assert(data);
|
||||
/* Using the SHA*_*() calls directly means we don't support doing
|
||||
* SHA in hardware. But so far the delay of getting the question
|
||||
* to the hardware, and hearing the answer, is likely higher than
|
||||
* just doing it ourselves. Hashes are fast.
|
||||
*/
|
||||
switch (digest->algorithm) {
|
||||
case DIGEST_SHA1:
|
||||
SHA1_Update(&digest->d.sha1, (void*)data, len);
|
||||
break;
|
||||
case DIGEST_SHA256:
|
||||
SHA256_Update(&digest->d.sha2, (void*)data, len);
|
||||
break;
|
||||
case DIGEST_SHA512:
|
||||
SHA512_Update(&digest->d.sha512, (void*)data, len);
|
||||
break;
|
||||
case DIGEST_SHA3_256: /* FALLSTHROUGH */
|
||||
case DIGEST_SHA3_512:
|
||||
keccak_digest_update(&digest->d.sha3, (const uint8_t *)data, len);
|
||||
break;
|
||||
default:
|
||||
/* LCOV_EXCL_START */
|
||||
tor_fragile_assert();
|
||||
break;
|
||||
/* LCOV_EXCL_STOP */
|
||||
}
|
||||
}
|
||||
|
||||
/** Compute the hash of the data that has been passed to the digest
|
||||
* object; write the first out_len bytes of the result to <b>out</b>.
|
||||
* <b>out_len</b> must be \<= DIGEST512_LEN.
|
||||
*/
|
||||
void
|
||||
crypto_digest_get_digest(crypto_digest_t *digest,
|
||||
char *out, size_t out_len)
|
||||
{
|
||||
unsigned char r[DIGEST512_LEN];
|
||||
crypto_digest_t tmpenv;
|
||||
tor_assert(digest);
|
||||
tor_assert(out);
|
||||
tor_assert(out_len <= crypto_digest_algorithm_get_length(digest->algorithm));
|
||||
|
||||
/* The SHA-3 code handles copying into a temporary ctx, and also can handle
|
||||
* short output buffers by truncating appropriately. */
|
||||
if (digest->algorithm == DIGEST_SHA3_256 ||
|
||||
digest->algorithm == DIGEST_SHA3_512) {
|
||||
keccak_digest_sum(&digest->d.sha3, (uint8_t *)out, out_len);
|
||||
return;
|
||||
}
|
||||
|
||||
const size_t alloc_bytes = crypto_digest_alloc_bytes(digest->algorithm);
|
||||
/* memcpy into a temporary ctx, since SHA*_Final clears the context */
|
||||
memcpy(&tmpenv, digest, alloc_bytes);
|
||||
switch (digest->algorithm) {
|
||||
case DIGEST_SHA1:
|
||||
SHA1_Final(r, &tmpenv.d.sha1);
|
||||
break;
|
||||
case DIGEST_SHA256:
|
||||
SHA256_Final(r, &tmpenv.d.sha2);
|
||||
break;
|
||||
case DIGEST_SHA512:
|
||||
SHA512_Final(r, &tmpenv.d.sha512);
|
||||
break;
|
||||
//LCOV_EXCL_START
|
||||
case DIGEST_SHA3_256: /* FALLSTHROUGH */
|
||||
case DIGEST_SHA3_512:
|
||||
default:
|
||||
log_warn(LD_BUG, "Handling unexpected algorithm %d", digest->algorithm);
|
||||
/* This is fatal, because it should never happen. */
|
||||
tor_assert_unreached();
|
||||
break;
|
||||
//LCOV_EXCL_STOP
|
||||
}
|
||||
memcpy(out, r, out_len);
|
||||
memwipe(r, 0, sizeof(r));
|
||||
}
|
||||
|
||||
/** Allocate and return a new digest object with the same state as
|
||||
* <b>digest</b>
|
||||
*/
|
||||
crypto_digest_t *
|
||||
crypto_digest_dup(const crypto_digest_t *digest)
|
||||
{
|
||||
tor_assert(digest);
|
||||
const size_t alloc_bytes = crypto_digest_alloc_bytes(digest->algorithm);
|
||||
return tor_memdup(digest, alloc_bytes);
|
||||
}
|
||||
|
||||
/** Temporarily save the state of <b>digest</b> in <b>checkpoint</b>.
|
||||
* Asserts that <b>digest</b> is a SHA1 digest object.
|
||||
*/
|
||||
void
|
||||
crypto_digest_checkpoint(crypto_digest_checkpoint_t *checkpoint,
|
||||
const crypto_digest_t *digest)
|
||||
{
|
||||
const size_t bytes = crypto_digest_alloc_bytes(digest->algorithm);
|
||||
tor_assert(bytes <= sizeof(checkpoint->mem));
|
||||
memcpy(checkpoint->mem, digest, bytes);
|
||||
}
|
||||
|
||||
/** Restore the state of <b>digest</b> from <b>checkpoint</b>.
|
||||
* Asserts that <b>digest</b> is a SHA1 digest object. Requires that the
|
||||
* state was previously stored with crypto_digest_checkpoint() */
|
||||
void
|
||||
crypto_digest_restore(crypto_digest_t *digest,
|
||||
const crypto_digest_checkpoint_t *checkpoint)
|
||||
{
|
||||
const size_t bytes = crypto_digest_alloc_bytes(digest->algorithm);
|
||||
memcpy(digest, checkpoint->mem, bytes);
|
||||
}
|
||||
|
||||
/** Replace the state of the digest object <b>into</b> with the state
|
||||
* of the digest object <b>from</b>. Requires that 'into' and 'from'
|
||||
* have the same digest type.
|
||||
*/
|
||||
void
|
||||
crypto_digest_assign(crypto_digest_t *into,
|
||||
const crypto_digest_t *from)
|
||||
{
|
||||
tor_assert(into);
|
||||
tor_assert(from);
|
||||
tor_assert(into->algorithm == from->algorithm);
|
||||
const size_t alloc_bytes = crypto_digest_alloc_bytes(from->algorithm);
|
||||
memcpy(into,from,alloc_bytes);
|
||||
}
|
||||
|
||||
/** Given a list of strings in <b>lst</b>, set the <b>len_out</b>-byte digest
|
||||
* at <b>digest_out</b> to the hash of the concatenation of those strings,
|
||||
* plus the optional string <b>append</b>, computed with the algorithm
|
||||
* <b>alg</b>.
|
||||
* <b>out_len</b> must be \<= DIGEST512_LEN. */
|
||||
void
|
||||
crypto_digest_smartlist(char *digest_out, size_t len_out,
|
||||
const smartlist_t *lst,
|
||||
const char *append,
|
||||
digest_algorithm_t alg)
|
||||
{
|
||||
crypto_digest_smartlist_prefix(digest_out, len_out, NULL, lst, append, alg);
|
||||
}
|
||||
|
||||
/** Given a list of strings in <b>lst</b>, set the <b>len_out</b>-byte digest
|
||||
* at <b>digest_out</b> to the hash of the concatenation of: the
|
||||
* optional string <b>prepend</b>, those strings,
|
||||
* and the optional string <b>append</b>, computed with the algorithm
|
||||
* <b>alg</b>.
|
||||
* <b>len_out</b> must be \<= DIGEST512_LEN. */
|
||||
void
|
||||
crypto_digest_smartlist_prefix(char *digest_out, size_t len_out,
|
||||
const char *prepend,
|
||||
const smartlist_t *lst,
|
||||
const char *append,
|
||||
digest_algorithm_t alg)
|
||||
{
|
||||
crypto_digest_t *d = crypto_digest_new_internal(alg);
|
||||
if (prepend)
|
||||
crypto_digest_add_bytes(d, prepend, strlen(prepend));
|
||||
SMARTLIST_FOREACH(lst, const char *, cp,
|
||||
crypto_digest_add_bytes(d, cp, strlen(cp)));
|
||||
if (append)
|
||||
crypto_digest_add_bytes(d, append, strlen(append));
|
||||
crypto_digest_get_digest(d, digest_out, len_out);
|
||||
crypto_digest_free(d);
|
||||
}
|
||||
|
||||
/** Compute the HMAC-SHA-256 of the <b>msg_len</b> bytes in <b>msg</b>, using
|
||||
* the <b>key</b> of length <b>key_len</b>. Store the DIGEST256_LEN-byte
|
||||
* result in <b>hmac_out</b>. Asserts on failure.
|
||||
*/
|
||||
void
|
||||
crypto_hmac_sha256(char *hmac_out,
|
||||
const char *key, size_t key_len,
|
||||
const char *msg, size_t msg_len)
|
||||
{
|
||||
unsigned char *rv = NULL;
|
||||
/* If we've got OpenSSL >=0.9.8 we can use its hmac implementation. */
|
||||
tor_assert(key_len < INT_MAX);
|
||||
tor_assert(msg_len < INT_MAX);
|
||||
tor_assert(hmac_out);
|
||||
rv = HMAC(EVP_sha256(), key, (int)key_len, (unsigned char*)msg, (int)msg_len,
|
||||
(unsigned char*)hmac_out, NULL);
|
||||
tor_assert(rv);
|
||||
}
|
||||
|
||||
/** Compute a MAC using SHA3-256 of <b>msg_len</b> bytes in <b>msg</b> using a
|
||||
* <b>key</b> of length <b>key_len</b> and a <b>salt</b> of length
|
||||
* <b>salt_len</b>. Store the result of <b>len_out</b> bytes in in
|
||||
* <b>mac_out</b>. This function can't fail. */
|
||||
void
|
||||
crypto_mac_sha3_256(uint8_t *mac_out, size_t len_out,
|
||||
const uint8_t *key, size_t key_len,
|
||||
const uint8_t *msg, size_t msg_len)
|
||||
{
|
||||
crypto_digest_t *digest;
|
||||
|
||||
const uint64_t key_len_netorder = tor_htonll(key_len);
|
||||
|
||||
tor_assert(mac_out);
|
||||
tor_assert(key);
|
||||
tor_assert(msg);
|
||||
|
||||
digest = crypto_digest256_new(DIGEST_SHA3_256);
|
||||
|
||||
/* Order matters here that is any subsystem using this function should
|
||||
* expect this very precise ordering in the MAC construction. */
|
||||
crypto_digest_add_bytes(digest, (const char *) &key_len_netorder,
|
||||
sizeof(key_len_netorder));
|
||||
crypto_digest_add_bytes(digest, (const char *) key, key_len);
|
||||
crypto_digest_add_bytes(digest, (const char *) msg, msg_len);
|
||||
crypto_digest_get_digest(digest, (char *) mac_out, len_out);
|
||||
crypto_digest_free(digest);
|
||||
}
|
||||
|
||||
/** Internal state for a eXtendable-Output Function (XOF). */
|
||||
struct crypto_xof_t {
|
||||
keccak_state s;
|
||||
};
|
||||
|
||||
/** Allocate a new XOF object backed by SHAKE-256. The security level
|
||||
* provided is a function of the length of the output used. Read and
|
||||
* understand FIPS-202 A.2 "Additional Consideration for Extendable-Output
|
||||
* Functions" before using this construct.
|
||||
*/
|
||||
crypto_xof_t *
|
||||
crypto_xof_new(void)
|
||||
{
|
||||
crypto_xof_t *xof;
|
||||
xof = tor_malloc(sizeof(crypto_xof_t));
|
||||
keccak_xof_init(&xof->s, 256);
|
||||
return xof;
|
||||
}
|
||||
|
||||
/** Absorb bytes into a XOF object. Must not be called after a call to
|
||||
* crypto_xof_squeeze_bytes() for the same instance, and will assert
|
||||
* if attempted.
|
||||
*/
|
||||
void
|
||||
crypto_xof_add_bytes(crypto_xof_t *xof, const uint8_t *data, size_t len)
|
||||
{
|
||||
int i = keccak_xof_absorb(&xof->s, data, len);
|
||||
tor_assert(i == 0);
|
||||
}
|
||||
|
||||
/** Squeeze bytes out of a XOF object. Calling this routine will render
|
||||
* the XOF instance ineligible to absorb further data.
|
||||
*/
|
||||
void
|
||||
crypto_xof_squeeze_bytes(crypto_xof_t *xof, uint8_t *out, size_t len)
|
||||
{
|
||||
int i = keccak_xof_squeeze(&xof->s, out, len);
|
||||
tor_assert(i == 0);
|
||||
}
|
||||
|
||||
/** Cleanse and deallocate a XOF object. */
|
||||
void
|
||||
crypto_xof_free_(crypto_xof_t *xof)
|
||||
{
|
||||
if (!xof)
|
||||
return;
|
||||
memwipe(xof, 0, sizeof(crypto_xof_t));
|
||||
tor_free(xof);
|
||||
}
|
||||
|
||||
/* DH */
|
||||
|
||||
/** Our DH 'g' parameter */
|
||||
|
@ -24,13 +24,6 @@
|
||||
|
||||
#include "keccak-tiny/keccak-tiny.h"
|
||||
|
||||
/** Length of the output of our message digest. */
|
||||
#define DIGEST_LEN 20
|
||||
/** Length of the output of our second (improved) message digests. (For now
|
||||
* this is just sha256, but it could be any other 256-bit digest.) */
|
||||
#define DIGEST256_LEN 32
|
||||
/** Length of the output of our 64-bit optimized message digests (SHA512). */
|
||||
#define DIGEST512_LEN 64
|
||||
/** Length of our symmetric cipher's keys of 128-bit. */
|
||||
#define CIPHER_KEY_LEN 16
|
||||
/** Length of our symmetric cipher's IV of 128-bit. */
|
||||
@ -40,63 +33,13 @@
|
||||
/** Length of our DH keys. */
|
||||
#define DH_BYTES (1024/8)
|
||||
|
||||
/** Length of a sha1 message digest when encoded in base32 with trailing =
|
||||
* signs removed. */
|
||||
#define BASE32_DIGEST_LEN 32
|
||||
/** Length of a sha1 message digest when encoded in base64 with trailing =
|
||||
* signs removed. */
|
||||
#define BASE64_DIGEST_LEN 27
|
||||
/** Length of a sha256 message digest when encoded in base64 with trailing =
|
||||
* signs removed. */
|
||||
#define BASE64_DIGEST256_LEN 43
|
||||
/** Length of a sha512 message digest when encoded in base64 with trailing =
|
||||
* signs removed. */
|
||||
#define BASE64_DIGEST512_LEN 86
|
||||
|
||||
/** Length of encoded public key fingerprints, including space; but not
|
||||
* including terminating NUL. */
|
||||
#define FINGERPRINT_LEN 49
|
||||
/** Length of hex encoding of SHA1 digest, not including final NUL. */
|
||||
#define HEX_DIGEST_LEN 40
|
||||
/** Length of hex encoding of SHA256 digest, not including final NUL. */
|
||||
#define HEX_DIGEST256_LEN 64
|
||||
/** Length of hex encoding of SHA512 digest, not including final NUL. */
|
||||
#define HEX_DIGEST512_LEN 128
|
||||
|
||||
typedef enum {
|
||||
DIGEST_SHA1 = 0,
|
||||
DIGEST_SHA256 = 1,
|
||||
DIGEST_SHA512 = 2,
|
||||
DIGEST_SHA3_256 = 3,
|
||||
DIGEST_SHA3_512 = 4,
|
||||
} digest_algorithm_t;
|
||||
#define N_DIGEST_ALGORITHMS (DIGEST_SHA3_512+1)
|
||||
#define N_COMMON_DIGEST_ALGORITHMS (DIGEST_SHA256+1)
|
||||
|
||||
/** A set of all the digests we commonly compute, taken on a single
|
||||
* string. Any digests that are shorter than 512 bits are right-padded
|
||||
* with 0 bits.
|
||||
*
|
||||
* Note that this representation wastes 44 bytes for the SHA1 case, so
|
||||
* don't use it for anything where we need to allocate a whole bunch at
|
||||
* once.
|
||||
**/
|
||||
typedef struct {
|
||||
char d[N_COMMON_DIGEST_ALGORITHMS][DIGEST256_LEN];
|
||||
} common_digests_t;
|
||||
|
||||
typedef struct aes_cnt_cipher crypto_cipher_t;
|
||||
typedef struct crypto_digest_t crypto_digest_t;
|
||||
typedef struct crypto_xof_t crypto_xof_t;
|
||||
typedef struct crypto_dh_t crypto_dh_t;
|
||||
|
||||
#define DIGEST_CHECKPOINT_BYTES (SIZEOF_VOID_P + 512)
|
||||
/** Structure used to temporarily save the a digest object. Only implemented
|
||||
* for SHA1 digest for now. */
|
||||
typedef struct crypto_digest_checkpoint_t {
|
||||
uint8_t mem[DIGEST_CHECKPOINT_BYTES];
|
||||
} crypto_digest_checkpoint_t;
|
||||
|
||||
/* global state */
|
||||
int crypto_early_init(void) ATTR_WUR;
|
||||
int crypto_global_init(int hardwareAccel,
|
||||
@ -121,24 +64,6 @@ void crypto_cipher_free_(crypto_cipher_t *env);
|
||||
#define crypto_cipher_free(c) \
|
||||
FREE_AND_NULL(crypto_cipher_t, crypto_cipher_free_, (c))
|
||||
|
||||
/* public key crypto */
|
||||
MOCK_DECL(int, crypto_pk_public_checksig_digest,(crypto_pk_t *env,
|
||||
const char *data, size_t datalen,
|
||||
const char *sig, size_t siglen));
|
||||
int crypto_pk_private_sign_digest(crypto_pk_t *env, char *to, size_t tolen,
|
||||
const char *from, size_t fromlen);
|
||||
int crypto_pk_obsolete_public_hybrid_encrypt(crypto_pk_t *env, char *to,
|
||||
size_t tolen,
|
||||
const char *from, size_t fromlen,
|
||||
int padding, int force);
|
||||
int crypto_pk_obsolete_private_hybrid_decrypt(crypto_pk_t *env, char *to,
|
||||
size_t tolen,
|
||||
const char *from, size_t fromlen,
|
||||
int padding, int warnOnFailure);
|
||||
int crypto_pk_get_digest(const crypto_pk_t *pk, char *digest_out);
|
||||
int crypto_pk_get_common_digests(crypto_pk_t *pk,
|
||||
common_digests_t *digests_out);
|
||||
|
||||
/* symmetric crypto */
|
||||
const char *crypto_cipher_get_key(crypto_cipher_t *env);
|
||||
|
||||
@ -155,56 +80,6 @@ int crypto_cipher_decrypt_with_iv(const char *key,
|
||||
char *to, size_t tolen,
|
||||
const char *from, size_t fromlen);
|
||||
|
||||
/* SHA-1 and other digests. */
|
||||
int crypto_digest(char *digest, const char *m, size_t len);
|
||||
int crypto_digest256(char *digest, const char *m, size_t len,
|
||||
digest_algorithm_t algorithm);
|
||||
int crypto_digest512(char *digest, const char *m, size_t len,
|
||||
digest_algorithm_t algorithm);
|
||||
int crypto_common_digests(common_digests_t *ds_out, const char *m, size_t len);
|
||||
struct smartlist_t;
|
||||
void crypto_digest_smartlist_prefix(char *digest_out, size_t len_out,
|
||||
const char *prepend,
|
||||
const struct smartlist_t *lst,
|
||||
const char *append,
|
||||
digest_algorithm_t alg);
|
||||
void crypto_digest_smartlist(char *digest_out, size_t len_out,
|
||||
const struct smartlist_t *lst, const char *append,
|
||||
digest_algorithm_t alg);
|
||||
const char *crypto_digest_algorithm_get_name(digest_algorithm_t alg);
|
||||
size_t crypto_digest_algorithm_get_length(digest_algorithm_t alg);
|
||||
int crypto_digest_algorithm_parse_name(const char *name);
|
||||
crypto_digest_t *crypto_digest_new(void);
|
||||
crypto_digest_t *crypto_digest256_new(digest_algorithm_t algorithm);
|
||||
crypto_digest_t *crypto_digest512_new(digest_algorithm_t algorithm);
|
||||
void crypto_digest_free_(crypto_digest_t *digest);
|
||||
#define crypto_digest_free(d) \
|
||||
FREE_AND_NULL(crypto_digest_t, crypto_digest_free_, (d))
|
||||
void crypto_digest_add_bytes(crypto_digest_t *digest, const char *data,
|
||||
size_t len);
|
||||
void crypto_digest_get_digest(crypto_digest_t *digest,
|
||||
char *out, size_t out_len);
|
||||
crypto_digest_t *crypto_digest_dup(const crypto_digest_t *digest);
|
||||
void crypto_digest_checkpoint(crypto_digest_checkpoint_t *checkpoint,
|
||||
const crypto_digest_t *digest);
|
||||
void crypto_digest_restore(crypto_digest_t *digest,
|
||||
const crypto_digest_checkpoint_t *checkpoint);
|
||||
void crypto_digest_assign(crypto_digest_t *into,
|
||||
const crypto_digest_t *from);
|
||||
void crypto_hmac_sha256(char *hmac_out,
|
||||
const char *key, size_t key_len,
|
||||
const char *msg, size_t msg_len);
|
||||
void crypto_mac_sha3_256(uint8_t *mac_out, size_t len_out,
|
||||
const uint8_t *key, size_t key_len,
|
||||
const uint8_t *msg, size_t msg_len);
|
||||
|
||||
crypto_xof_t *crypto_xof_new(void);
|
||||
void crypto_xof_add_bytes(crypto_xof_t *xof, const uint8_t *data, size_t len);
|
||||
void crypto_xof_squeeze_bytes(crypto_xof_t *xof, uint8_t *out, size_t len);
|
||||
void crypto_xof_free_(crypto_xof_t *xof);
|
||||
#define crypto_xof_free(xof) \
|
||||
FREE_AND_NULL(crypto_xof_t, crypto_xof_free_, (xof))
|
||||
|
||||
/* Key negotiation */
|
||||
#define DH_TYPE_CIRCUIT 1
|
||||
#define DH_TYPE_REND 2
|
||||
@ -273,9 +148,5 @@ extern int break_strongest_rng_fallback;
|
||||
#endif
|
||||
#endif /* defined(CRYPTO_PRIVATE) */
|
||||
|
||||
#ifdef TOR_UNIT_TESTS
|
||||
digest_algorithm_t crypto_digest_get_algorithm(crypto_digest_t *digest);
|
||||
#endif
|
||||
|
||||
#endif /* !defined(TOR_CRYPTO_H) */
|
||||
|
||||
|
@ -24,6 +24,7 @@
|
||||
#include "crypto.h"
|
||||
#include "crypto_curve25519.h"
|
||||
#include "crypto_format.h"
|
||||
#include "crypto_digest.h"
|
||||
#include "util.h"
|
||||
#include "torlog.h"
|
||||
|
||||
|
@ -6,6 +6,7 @@
|
||||
|
||||
#include "testsupport.h"
|
||||
#include "torint.h"
|
||||
#include "crypto_digest.h"
|
||||
#include "crypto_openssl_mgt.h"
|
||||
|
||||
/** Length of a curve25519 public key when encoded. */
|
||||
|
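--- a/src/common/crypto_digest.c
+++ b/src/common/crypto_digest.c
@@ -0,0 +1,569 @@
+/* Copyright (c) 2001, Matej Pfajfar.
+* Copyright (c) 2001-2004, Roger Dingledine.
+* Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
+* Copyright (c) 2007-2017, The Tor Project, Inc. */
+/* See LICENSE for licensing information */
+
+/**
+* \file crypto_digest.c
+* \brief Block of functions related with digest and xof utilities and
+* operations.
+**/
+
+#include "crypto_digest.h"
+
+#include "crypto.h" /* common functions */
+#include "crypto_openssl_mgt.h"
+
+DISABLE_GCC_WARNING(redundant-decls)
+
+#include <openssl/hmac.h>
+#include <openssl/sha.h>
+
+ENABLE_GCC_WARNING(redundant-decls)
+
+#include "container.h"
+
+/* Crypto digest functions */
+
+/** Compute the SHA1 digest of the <b>len</b> bytes on data stored in
+* <b>m</b>. Write the DIGEST_LEN byte result into <b>digest</b>.
+* Return 0 on success, -1 on failure.
+*/
+int
+crypto_digest(char *digest, const char *m, size_t len)
+{
+tor_assert(m);
+tor_assert(digest);
+if (SHA1((const unsigned char*)m,len,(unsigned char*)digest) == NULL)
+return -1;
+return 0;
+}
+
+/** Compute a 256-bit digest of <b>len</b> bytes in data stored in <b>m</b>,
+* using the algorithm <b>algorithm</b>. Write the DIGEST_LEN256-byte result
+* into <b>digest</b>. Return 0 on success, -1 on failure. */
+int
+crypto_digest256(char *digest, const char *m, size_t len,
+digest_algorithm_t algorithm)
+{
+tor_assert(m);
+tor_assert(digest);
+tor_assert(algorithm == DIGEST_SHA256 || algorithm == DIGEST_SHA3_256);
+
+int ret = 0;
+if (algorithm == DIGEST_SHA256)
+ret = (SHA256((const uint8_t*)m,len,(uint8_t*)digest) != NULL);
+else
+ret = (sha3_256((uint8_t *)digest, DIGEST256_LEN,(const uint8_t *)m, len)
+> -1);
+
+if (!ret)
+return -1;
+return 0;
+}
+
+/** Compute a 512-bit digest of <b>len</b> bytes in data stored in <b>m</b>,
+* using the algorithm <b>algorithm</b>. Write the DIGEST_LEN512-byte result
+* into <b>digest</b>. Return 0 on success, -1 on failure. */
+int
+crypto_digest512(char *digest, const char *m, size_t len,
+digest_algorithm_t algorithm)
+{
+tor_assert(m);
+tor_assert(digest);
+tor_assert(algorithm == DIGEST_SHA512 || algorithm == DIGEST_SHA3_512);
+
+int ret = 0;
+if (algorithm == DIGEST_SHA512)
+ret = (SHA512((const unsigned char*)m,len,(unsigned char*)digest)
+!= NULL);
+else
+ret = (sha3_512((uint8_t*)digest, DIGEST512_LEN, (const uint8_t*)m, len)
+> -1);
+
+if (!ret)
+return -1;
+return 0;
+}
+
+/** Set the common_digests_t in <b>ds_out</b> to contain every digest on the
+* <b>len</b> bytes in <b>m</b> that we know how to compute. Return 0 on
+* success, -1 on failure. */
+int
+crypto_common_digests(common_digests_t *ds_out, const char *m, size_t len)
+{
+tor_assert(ds_out);
+memset(ds_out, 0, sizeof(*ds_out));
+if (crypto_digest(ds_out->d[DIGEST_SHA1], m, len) < 0)
+return -1;
+if (crypto_digest256(ds_out->d[DIGEST_SHA256], m, len, DIGEST_SHA256) < 0)
+return -1;
+
+return 0;
+}
+
+/** Return the name of an algorithm, as used in directory documents. */
+const char *
+crypto_digest_algorithm_get_name(digest_algorithm_t alg)
+{
+switch (alg) {
+case DIGEST_SHA1:
+return "sha1";
+case DIGEST_SHA256:
+return "sha256";
+case DIGEST_SHA512:
+return "sha512";
+case DIGEST_SHA3_256:
+return "sha3-256";
+case DIGEST_SHA3_512:
+return "sha3-512";
+// LCOV_EXCL_START
+default:
+tor_fragile_assert();
+return "??unknown_digest??";
+// LCOV_EXCL_STOP
+}
+}
+
+/** Given the name of a digest algorithm, return its integer value, or -1 if
+* the name is not recognized. */
+int
+crypto_digest_algorithm_parse_name(const char *name)
+{
+if (!strcmp(name, "sha1"))
+return DIGEST_SHA1;
+else if (!strcmp(name, "sha256"))
+return DIGEST_SHA256;
+else if (!strcmp(name, "sha512"))
+return DIGEST_SHA512;
+else if (!strcmp(name, "sha3-256"))
+return DIGEST_SHA3_256;
+else if (!strcmp(name, "sha3-512"))
+return DIGEST_SHA3_512;
+else
+return -1;
+}
+
+/** Given an algorithm, return the digest length in bytes. */
+size_t
+crypto_digest_algorithm_get_length(digest_algorithm_t alg)
+{
+switch (alg) {
+case DIGEST_SHA1:
+return DIGEST_LEN;
+case DIGEST_SHA256:
+return DIGEST256_LEN;
+case DIGEST_SHA512:
+return DIGEST512_LEN;
+case DIGEST_SHA3_256:
+return DIGEST256_LEN;
+case DIGEST_SHA3_512:
+return DIGEST512_LEN;
+default:
+tor_assert(0); // LCOV_EXCL_LINE
+return 0; /* Unreachable */ // LCOV_EXCL_LINE
+}
+}
+
+/** Intermediate information about the digest of a stream of data. */
+struct crypto_digest_t {
+digest_algorithm_t algorithm; /**< Which algorithm is in use? */
+/** State for the digest we're using. Only one member of the
+* union is usable, depending on the value of <b>algorithm</b>. Note also
+* that space for other members might not even be allocated!
+*/
+union {
+SHA_CTX sha1; /**< state for SHA1 */
+SHA256_CTX sha2; /**< state for SHA256 */
+SHA512_CTX sha512; /**< state for SHA512 */
+keccak_state sha3; /**< state for SHA3-[256,512] */
+} d;
+};
+
+#ifdef TOR_UNIT_TESTS
+
+digest_algorithm_t
+crypto_digest_get_algorithm(crypto_digest_t *digest)
+{
+tor_assert(digest);
+
+return digest->algorithm;
+}
+
+#endif /* defined(TOR_UNIT_TESTS) */
+
+/**
+* Return the number of bytes we need to malloc in order to get a
+* crypto_digest_t for <b>alg</b>, or the number of bytes we need to wipe
+* when we free one.
+*/
+static size_t
+crypto_digest_alloc_bytes(digest_algorithm_t alg)
+{
+/* Helper: returns the number of bytes in the 'f' field of 'st' */
+#define STRUCT_FIELD_SIZE(st, f) (sizeof( ((st*)0)->f ))
+/* Gives the length of crypto_digest_t through the end of the field 'd' */
+#define END_OF_FIELD(f) (offsetof(crypto_digest_t, f) + \
+STRUCT_FIELD_SIZE(crypto_digest_t, f))
+switch (alg) {
+case DIGEST_SHA1:
+return END_OF_FIELD(d.sha1);
+case DIGEST_SHA256:
+return END_OF_FIELD(d.sha2);
+case DIGEST_SHA512:
+return END_OF_FIELD(d.sha512);
+case DIGEST_SHA3_256:
+case DIGEST_SHA3_512:
+return END_OF_FIELD(d.sha3);
+default:
+tor_assert(0); // LCOV_EXCL_LINE
+return 0; // LCOV_EXCL_LINE
+}
+#undef END_OF_FIELD
+#undef STRUCT_FIELD_SIZE
+}
+
+/**
+* Internal function: create and return a new digest object for 'algorithm'.
+* Does not typecheck the algorithm.
+*/
+static crypto_digest_t *
+crypto_digest_new_internal(digest_algorithm_t algorithm)
+{
+crypto_digest_t *r = tor_malloc(crypto_digest_alloc_bytes(algorithm));
+r->algorithm = algorithm;
+
+switch (algorithm)
+{
+case DIGEST_SHA1:
+SHA1_Init(&r->d.sha1);
+break;
+case DIGEST_SHA256:
+SHA256_Init(&r->d.sha2);
+break;
+case DIGEST_SHA512:
+SHA512_Init(&r->d.sha512);
+break;
+case DIGEST_SHA3_256:
+keccak_digest_init(&r->d.sha3, 256);
+break;
+case DIGEST_SHA3_512:
+keccak_digest_init(&r->d.sha3, 512);
+break;
+default:
+tor_assert_unreached();
+}
+
+return r;
+}
+
+/** Allocate and return a new digest object to compute SHA1 digests.
+*/
+crypto_digest_t *
+crypto_digest_new(void)
+{
+return crypto_digest_new_internal(DIGEST_SHA1);
+}
+
+/** Allocate and return a new digest object to compute 256-bit digests
+* using <b>algorithm</b>. */
+crypto_digest_t *
+crypto_digest256_new(digest_algorithm_t algorithm)
+{
+tor_assert(algorithm == DIGEST_SHA256 || algorithm == DIGEST_SHA3_256);
+return crypto_digest_new_internal(algorithm);
+}
+
+/** Allocate and return a new digest object to compute 512-bit digests
+* using <b>algorithm</b>. */
+crypto_digest_t *
+crypto_digest512_new(digest_algorithm_t algorithm)
+{
+tor_assert(algorithm == DIGEST_SHA512 || algorithm == DIGEST_SHA3_512);
+return crypto_digest_new_internal(algorithm);
+}
+
+/** Deallocate a digest object.
+*/
+void
+crypto_digest_free_(crypto_digest_t *digest)
+{
+if (!digest)
+return;
+size_t bytes = crypto_digest_alloc_bytes(digest->algorithm);
+memwipe(digest, 0, bytes);
+tor_free(digest);
+}
+
+/** Add <b>len</b> bytes from <b>data</b> to the digest object.
+*/
+void
+crypto_digest_add_bytes(crypto_digest_t *digest, const char *data,
+size_t len)
+{
+tor_assert(digest);
+tor_assert(data);
+/* Using the SHA*_*() calls directly means we don't support doing
+* SHA in hardware. But so far the delay of getting the question
+* to the hardware, and hearing the answer, is likely higher than
+* just doing it ourselves. Hashes are fast.
+*/
+switch (digest->algorithm) {
+case DIGEST_SHA1:
+SHA1_Update(&digest->d.sha1, (void*)data, len);
+break;
+case DIGEST_SHA256:
+SHA256_Update(&digest->d.sha2, (void*)data, len);
+break;
+case DIGEST_SHA512:
+SHA512_Update(&digest->d.sha512, (void*)data, len);
+break;
+case DIGEST_SHA3_256: /* FALLSTHROUGH */
+case DIGEST_SHA3_512:
+keccak_digest_update(&digest->d.sha3, (const uint8_t *)data, len);
+break;
+default:
+/* LCOV_EXCL_START */
+tor_fragile_assert();
+break;
+/* LCOV_EXCL_STOP */
+}
+}
+
+/** Compute the hash of the data that has been passed to the digest
+* object; write the first out_len bytes of the result to <b>out</b>.
+* <b>out_len</b> must be \<= DIGEST512_LEN.
+*/
+void
+crypto_digest_get_digest(crypto_digest_t *digest,
+char *out, size_t out_len)
+{
+unsigned char r[DIGEST512_LEN];
+crypto_digest_t tmpenv;
+tor_assert(digest);
+tor_assert(out);
+tor_assert(out_len <= crypto_digest_algorithm_get_length(digest->algorithm));
+
+/* The SHA-3 code handles copying into a temporary ctx, and also can handle
+* short output buffers by truncating appropriately. */
+if (digest->algorithm == DIGEST_SHA3_256 ||
+digest->algorithm == DIGEST_SHA3_512) {
+keccak_digest_sum(&digest->d.sha3, (uint8_t *)out, out_len);
+return;
+}
+
+const size_t alloc_bytes = crypto_digest_alloc_bytes(digest->algorithm);
+/* memcpy into a temporary ctx, since SHA*_Final clears the context */
+memcpy(&tmpenv, digest, alloc_bytes);
+switch (digest->algorithm) {
+case DIGEST_SHA1:
+SHA1_Final(r, &tmpenv.d.sha1);
+break;
+case DIGEST_SHA256:
+SHA256_Final(r, &tmpenv.d.sha2);
+break;
+case DIGEST_SHA512:
+SHA512_Final(r, &tmpenv.d.sha512);
+break;
+//LCOV_EXCL_START
+case DIGEST_SHA3_256: /* FALLSTHROUGH */
+case DIGEST_SHA3_512:
+default:
+log_warn(LD_BUG, "Handling unexpected algorithm %d", digest->algorithm);
+/* This is fatal, because it should never happen. */
+tor_assert_unreached();
+break;
+//LCOV_EXCL_STOP
+}
+memcpy(out, r, out_len);
+memwipe(r, 0, sizeof(r));
+}
+
+/** Allocate and return a new digest object with the same state as
+* <b>digest</b>
+*/
+crypto_digest_t *
+crypto_digest_dup(const crypto_digest_t *digest)
+{
+tor_assert(digest);
+const size_t alloc_bytes = crypto_digest_alloc_bytes(digest->algorithm);
+return tor_memdup(digest, alloc_bytes);
+}
+
+/** Temporarily save the state of <b>digest</b> in <b>checkpoint</b>.
+* Asserts that <b>digest</b> is a SHA1 digest object.
+*/
+void
+crypto_digest_checkpoint(crypto_digest_checkpoint_t *checkpoint,
+const crypto_digest_t *digest)
+{
+const size_t bytes = crypto_digest_alloc_bytes(digest->algorithm);
+tor_assert(bytes <= sizeof(checkpoint->mem));
+memcpy(checkpoint->mem, digest, bytes);
+}
+
+/** Restore the state of <b>digest</b> from <b>checkpoint</b>.
+* Asserts that <b>digest</b> is a SHA1 digest object. Requires that the
+* state was previously stored with crypto_digest_checkpoint() */
+void
+crypto_digest_restore(crypto_digest_t *digest,
+const crypto_digest_checkpoint_t *checkpoint)
+{
+const size_t bytes = crypto_digest_alloc_bytes(digest->algorithm);
+memcpy(digest, checkpoint->mem, bytes);
+}
+
+/** Replace the state of the digest object <b>into</b> with the state
+* of the digest object <b>from</b>. Requires that 'into' and 'from'
+* have the same digest type.
+*/
+void
+crypto_digest_assign(crypto_digest_t *into,
+const crypto_digest_t *from)
+{
+tor_assert(into);
+tor_assert(from);
+tor_assert(into->algorithm == from->algorithm);
+const size_t alloc_bytes = crypto_digest_alloc_bytes(from->algorithm);
+memcpy(into,from,alloc_bytes);
+}
+
+/** Given a list of strings in <b>lst</b>, set the <b>len_out</b>-byte digest
+* at <b>digest_out</b> to the hash of the concatenation of those strings,
+* plus the optional string <b>append</b>, computed with the algorithm
+* <b>alg</b>.
+* <b>out_len</b> must be \<= DIGEST512_LEN. */
+void
+crypto_digest_smartlist(char *digest_out, size_t len_out,
+const smartlist_t *lst,
+const char *append,
+digest_algorithm_t alg)
+{
+crypto_digest_smartlist_prefix(digest_out, len_out, NULL, lst, append, alg);
+}
+
+/** Given a list of strings in <b>lst</b>, set the <b>len_out</b>-byte digest
+* at <b>digest_out</b> to the hash of the concatenation of: the
+* optional string <b>prepend</b>, those strings,
+* and the optional string <b>append</b>, computed with the algorithm
+* <b>alg</b>.
+* <b>len_out</b> must be \<= DIGEST512_LEN. */
+void
+crypto_digest_smartlist_prefix(char *digest_out, size_t len_out,
+const char *prepend,
+const smartlist_t *lst,
+const char *append,
+digest_algorithm_t alg)
+{
+crypto_digest_t *d = crypto_digest_new_internal(alg);
+if (prepend)
+crypto_digest_add_bytes(d, prepend, strlen(prepend));
+SMARTLIST_FOREACH(lst, const char *, cp,
+crypto_digest_add_bytes(d, cp, strlen(cp)));
+if (append)
+crypto_digest_add_bytes(d, append, strlen(append));
+crypto_digest_get_digest(d, digest_out, len_out);
+crypto_digest_free(d);
+}
+
+/** Compute the HMAC-SHA-256 of the <b>msg_len</b> bytes in <b>msg</b>, using
+* the <b>key</b> of length <b>key_len</b>. Store the DIGEST256_LEN-byte
+* result in <b>hmac_out</b>. Asserts on failure.
+*/
+void
+crypto_hmac_sha256(char *hmac_out,
+const char *key, size_t key_len,
+const char *msg, size_t msg_len)
+{
+unsigned char *rv = NULL;
+/* If we've got OpenSSL >=0.9.8 we can use its hmac implementation. */
+tor_assert(key_len < INT_MAX);
+tor_assert(msg_len < INT_MAX);
+tor_assert(hmac_out);
+rv = HMAC(EVP_sha256(), key, (int)key_len, (unsigned char*)msg, (int)msg_len,
+(unsigned char*)hmac_out, NULL);
+tor_assert(rv);
+}
+
+/** Compute a MAC using SHA3-256 of <b>msg_len</b> bytes in <b>msg</b> using a
+* <b>key</b> of length <b>key_len</b> and a <b>salt</b> of length
+* <b>salt_len</b>. Store the result of <b>len_out</b> bytes in in
+* <b>mac_out</b>. This function can't fail. */
+void
+crypto_mac_sha3_256(uint8_t *mac_out, size_t len_out,
+const uint8_t *key, size_t key_len,
+const uint8_t *msg, size_t msg_len)
+{
+crypto_digest_t *digest;
+
+const uint64_t key_len_netorder = tor_htonll(key_len);
+
+tor_assert(mac_out);
+tor_assert(key);
+tor_assert(msg);
+
+digest = crypto_digest256_new(DIGEST_SHA3_256);
+
+/* Order matters here that is any subsystem using this function should
+* expect this very precise ordering in the MAC construction. */
+crypto_digest_add_bytes(digest, (const char *) &key_len_netorder,
+sizeof(key_len_netorder));
+crypto_digest_add_bytes(digest, (const char *) key, key_len);
+crypto_digest_add_bytes(digest, (const char *) msg, msg_len);
+crypto_digest_get_digest(digest, (char *) mac_out, len_out);
+crypto_digest_free(digest);
+}
+
+/* xof functions */
+
+/** Internal state for a eXtendable-Output Function (XOF). */
+struct crypto_xof_t {
+keccak_state s;
+};
+
+/** Allocate a new XOF object backed by SHAKE-256. The security level
+* provided is a function of the length of the output used. Read and
+* understand FIPS-202 A.2 "Additional Consideration for Extendable-Output
+* Functions" before using this construct.
+*/
+crypto_xof_t *
+crypto_xof_new(void)
+{
+crypto_xof_t *xof;
+xof = tor_malloc(sizeof(crypto_xof_t));
+keccak_xof_init(&xof->s, 256);
+return xof;
+}
+
+/** Absorb bytes into a XOF object. Must not be called after a call to
+* crypto_xof_squeeze_bytes() for the same instance, and will assert
+* if attempted.
+*/
+void
+crypto_xof_add_bytes(crypto_xof_t *xof, const uint8_t *data, size_t len)
+{
+int i = keccak_xof_absorb(&xof->s, data, len);
+tor_assert(i == 0);
+}
+
+/** Squeeze bytes out of a XOF object. Calling this routine will render
+* the XOF instance ineligible to absorb further data.
+*/
+void
+crypto_xof_squeeze_bytes(crypto_xof_t *xof, uint8_t *out, size_t len)
+{
+int i = keccak_xof_squeeze(&xof->s, out, len);
+tor_assert(i == 0);
+}
+
+/** Cleanse and deallocate a XOF object. */
+void
+crypto_xof_free_(crypto_xof_t *xof)
+{
+if (!xof)
+return;
+memwipe(xof, 0, sizeof(crypto_xof_t));
+tor_free(xof);
+}
+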
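Review bot: crypto_digest_checkpoint() and crypto_digest_restore() are both documented as asserting that the digest is a SHA1 object, but neither contains that assertion; checkpoint only checks that the state fits in `checkpoint->mem`, and restore checks nothing at all. Restore sizes its memcpy from the target's current `algorithm` and then overwrites that field with whatever the checkpoint holds, so restoring a checkpoint taken from a different algorithm would leave the object tagged with a type that its truncated allocation (see crypto_digest_alloc_bytes) may be too small for. I would add `tor_assert(digest->algorithm == DIGEST_SHA1);` at the top of both functions, or reword the two comments to describe what is actually enforced. Separately, the doc comment on crypto_mac_sha3_256() describes a salt and salt_len that are not parameters of the function.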
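--- a/src/common/crypto_digest.h
+++ b/src/common/crypto_digest.h
@@ -0,0 +1,136 @@
+/* Copyright (c) 2001, Matej Pfajfar.
+* Copyright (c) 2001-2004, Roger Dingledine.
+* Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
+* Copyright (c) 2007-2017, The Tor Project, Inc. */
+/* See LICENSE for licensing information */
+
+/**
+* \file crypto_digest.h
+*
+* \brief Headers for crypto_digest.c
+**/
+
+#ifndef TOR_CRYPTO_DIGEST_H
+#define TOR_CRYPTO_DIGEST_H
+
+#include <stdio.h>
+
+#include "container.h"
+#include "torint.h"
+
+/** Length of the output of our message digest. */
+#define DIGEST_LEN 20
+/** Length of the output of our second (improved) message digests. (For now
+* this is just sha256, but it could be any other 256-bit digest.) */
+#define DIGEST256_LEN 32
+/** Length of the output of our 64-bit optimized message digests (SHA512). */
+#define DIGEST512_LEN 64
+
+/** Length of a sha1 message digest when encoded in base32 with trailing =
+* signs removed. */
+#define BASE32_DIGEST_LEN 32
+/** Length of a sha1 message digest when encoded in base64 with trailing =
+* signs removed. */
+#define BASE64_DIGEST_LEN 27
+/** Length of a sha256 message digest when encoded in base64 with trailing =
+* signs removed. */
+#define BASE64_DIGEST256_LEN 43
+/** Length of a sha512 message digest when encoded in base64 with trailing =
+* signs removed. */
+#define BASE64_DIGEST512_LEN 86
+
+/** Length of hex encoding of SHA1 digest, not including final NUL. */
+#define HEX_DIGEST_LEN 40
+/** Length of hex encoding of SHA256 digest, not including final NUL. */
+#define HEX_DIGEST256_LEN 64
+/** Length of hex encoding of SHA512 digest, not including final NUL. */
+#define HEX_DIGEST512_LEN 128
+
+typedef enum {
+DIGEST_SHA1 = 0,
+DIGEST_SHA256 = 1,
+DIGEST_SHA512 = 2,
+DIGEST_SHA3_256 = 3,
+DIGEST_SHA3_512 = 4,
+} digest_algorithm_t;
+#define N_DIGEST_ALGORITHMS (DIGEST_SHA3_512+1)
+#define N_COMMON_DIGEST_ALGORITHMS (DIGEST_SHA256+1)
+
+#define DIGEST_CHECKPOINT_BYTES (SIZEOF_VOID_P + 512)
+/** Structure used to temporarily save the a digest object. Only implemented
+* for SHA1 digest for now. */
+typedef struct crypto_digest_checkpoint_t {
+uint8_t mem[DIGEST_CHECKPOINT_BYTES];
+} crypto_digest_checkpoint_t;
+
+/** A set of all the digests we commonly compute, taken on a single
+* string. Any digests that are shorter than 512 bits are right-padded
+* with 0 bits.
+*
+* Note that this representation wastes 44 bytes for the SHA1 case, so
+* don't use it for anything where we need to allocate a whole bunch at
+* once.
+**/
+typedef struct {
+char d[N_COMMON_DIGEST_ALGORITHMS][DIGEST256_LEN];
+} common_digests_t;
+
+typedef struct crypto_digest_t crypto_digest_t;
+typedef struct crypto_xof_t crypto_xof_t;
+
+/* SHA-1 and other digests */
+int crypto_digest(char *digest, const char *m, size_t len);
+int crypto_digest256(char *digest, const char *m, size_t len,
+digest_algorithm_t algorithm);
+int crypto_digest512(char *digest, const char *m, size_t len,
+digest_algorithm_t algorithm);
+int crypto_common_digests(common_digests_t *ds_out, const char *m, size_t len);
+void crypto_digest_smartlist_prefix(char *digest_out, size_t len_out,
+const char *prepend,
+const struct smartlist_t *lst,
+const char *append,
+digest_algorithm_t alg);
+void crypto_digest_smartlist(char *digest_out, size_t len_out,
+const struct smartlist_t *lst, const char *append,
+digest_algorithm_t alg);
+const char *crypto_digest_algorithm_get_name(digest_algorithm_t alg);
+size_t crypto_digest_algorithm_get_length(digest_algorithm_t alg);
+int crypto_digest_algorithm_parse_name(const char *name);
+crypto_digest_t *crypto_digest_new(void);
+crypto_digest_t *crypto_digest256_new(digest_algorithm_t algorithm);
+crypto_digest_t *crypto_digest512_new(digest_algorithm_t algorithm);
+void crypto_digest_free_(crypto_digest_t *digest);
+#define crypto_digest_free(d) \
+FREE_AND_NULL(crypto_digest_t, crypto_digest_free_, (d))
+void crypto_digest_add_bytes(crypto_digest_t *digest, const char *data,
+size_t len);
+void crypto_digest_get_digest(crypto_digest_t *digest,
+char *out, size_t out_len);
+crypto_digest_t *crypto_digest_dup(const crypto_digest_t *digest);
+void crypto_digest_checkpoint(crypto_digest_checkpoint_t *checkpoint,
+const crypto_digest_t *digest);
+void crypto_digest_restore(crypto_digest_t *digest,
+const crypto_digest_checkpoint_t *checkpoint);
+void crypto_digest_assign(crypto_digest_t *into,
+const crypto_digest_t *from);
+void crypto_hmac_sha256(char *hmac_out,
+const char *key, size_t key_len,
+const char *msg, size_t msg_len);
+void crypto_mac_sha3_256(uint8_t *mac_out, size_t len_out,
+const uint8_t *key, size_t key_len,
+const uint8_t *msg, size_t msg_len);
+
+/* xof functions*/
+crypto_xof_t *crypto_xof_new(void);
+void crypto_xof_add_bytes(crypto_xof_t *xof, const uint8_t *data, size_t len);
+void crypto_xof_squeeze_bytes(crypto_xof_t *xof, uint8_t *out, size_t len);
+void crypto_xof_free_(crypto_xof_t *xof);
+#define crypto_xof_free(xof) \
+FREE_AND_NULL(crypto_xof_t, crypto_xof_free_, (xof))
+
+#ifdef TOR_UNIT_TESTS
+digest_algorithm_t crypto_digest_get_algorithm(crypto_digest_t *digest);
+#endif
+
+#endif /* !defined(TOR_CRYPTO_DIGEST_H) */
+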
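Review bot: The comment on common_digests_t does not match the declaration under it: each row of `d` is DIGEST256_LEN (32) bytes, so a SHA1 entry is padded to 256 bits and wastes 12 bytes, not 44, and nothing in the struct is padded to 512 bits. Since the header is being created fresh here, I would correct the text to `Any digests that are shorter than 256 bits are right-padded with 0 bits.` and `wastes 12 bytes for the SHA1 case`. DIGEST_CHECKPOINT_BYTES and the digest_algorithm_t enum have no doc comment of their own; one line on the macro stating that the buffer must be at least as large as the state crypto_digest_checkpoint() copies would help whoever adds the next algorithm.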
@ -23,6 +23,7 @@
|
||||
|
||||
#include "crypto.h"
|
||||
|
||||
#include "crypto_digest.h"
|
||||
#include "crypto_curve25519.h"
|
||||
#include "crypto_ed25519.h"
|
||||
#include "crypto_format.h"
|
||||
|
@ -19,6 +19,7 @@
|
||||
#include "crypto_curve25519.h"
|
||||
#include "crypto_ed25519.h"
|
||||
#include "crypto_format.h"
|
||||
#include "crypto_digest.h"
|
||||
#include "util.h"
|
||||
#include "util_format.h"
|
||||
#include "torlog.h"
|
||||
|
@ -11,6 +11,7 @@
|
||||
#include "crypto.h"
|
||||
#include "crypto_s2k.h"
|
||||
#include "crypto_pwbox.h"
|
||||
#include "crypto_digest.h"
|
||||
#include "di_ops.h"
|
||||
#include "util.h"
|
||||
#include "pwbox.h"
|
||||
|
@ -13,8 +13,8 @@
|
||||
#include "crypto.h"
|
||||
#include "compat_openssl.h"
|
||||
#include "crypto_curve25519.h"
|
||||
#include "crypto_ed25519.h"
|
||||
#include "crypto_format.h"
|
||||
#include "crypto_digest.h"
|
||||
|
||||
DISABLE_GCC_WARNING(redundant-decls)
|
||||
|
||||
@ -627,6 +627,148 @@ crypto_pk_copy_full(crypto_pk_t *env)
|
||||
return crypto_new_pk_from_rsa_(new_key);
|
||||
}
|
||||
|
||||
/** Perform a hybrid (public/secret) encryption on <b>fromlen</b>
|
||||
* bytes of data from <b>from</b>, with padding type 'padding',
|
||||
* storing the results on <b>to</b>.
|
||||
*
|
||||
* Returns the number of bytes written on success, -1 on failure.
|
||||
*
|
||||
* The encrypted data consists of:
|
||||
* - The source data, padded and encrypted with the public key, if the
|
||||
* padded source data is no longer than the public key, and <b>force</b>
|
||||
* is false, OR
|
||||
* - The beginning of the source data prefixed with a 16-byte symmetric key,
|
||||
* padded and encrypted with the public key; followed by the rest of
|
||||
* the source data encrypted in AES-CTR mode with the symmetric key.
|
||||
*
|
||||
* NOTE that this format does not authenticate the symmetrically encrypted
|
||||
* part of the data, and SHOULD NOT BE USED for new protocols.
|
||||
*/
|
||||
int
|
||||
crypto_pk_obsolete_public_hybrid_encrypt(crypto_pk_t *env,
|
||||
char *to, size_t tolen,
|
||||
const char *from,
|
||||
size_t fromlen,
|
||||
int padding, int force)
|
||||
{
|
||||
int overhead, outlen, r;
|
||||
size_t pkeylen, symlen;
|
||||
crypto_cipher_t *cipher = NULL;
|
||||
char *buf = NULL;
|
||||
|
||||
tor_assert(env);
|
||||
tor_assert(from);
|
||||
tor_assert(to);
|
||||
tor_assert(fromlen < SIZE_T_CEILING);
|
||||
|
||||
overhead = crypto_get_rsa_padding_overhead(crypto_get_rsa_padding(padding));
|
||||
pkeylen = crypto_pk_keysize(env);
|
||||
|
||||
if (!force && fromlen+overhead <= pkeylen) {
|
||||
/* It all fits in a single encrypt. */
|
||||
return crypto_pk_public_encrypt(env,to,
|
||||
tolen,
|
||||
from,fromlen,padding);
|
||||
}
|
||||
tor_assert(tolen >= fromlen + overhead + CIPHER_KEY_LEN);
|
||||
tor_assert(tolen >= pkeylen);
|
||||
|
||||
char key[CIPHER_KEY_LEN];
|
||||
crypto_rand(key, sizeof(key)); /* generate a new key. */
|
||||
cipher = crypto_cipher_new(key);
|
||||
|
||||
buf = tor_malloc(pkeylen+1);
|
||||
memcpy(buf, key, CIPHER_KEY_LEN);
|
||||
memcpy(buf+CIPHER_KEY_LEN, from, pkeylen-overhead-CIPHER_KEY_LEN);
|
||||
|
||||
/* Length of symmetrically encrypted data. */
|
||||
symlen = fromlen-(pkeylen-overhead-CIPHER_KEY_LEN);
|
||||
|
||||
outlen = crypto_pk_public_encrypt(env,to,tolen,buf,pkeylen-overhead,padding);
|
||||
if (outlen!=(int)pkeylen) {
|
||||
goto err;
|
||||
}
|
||||
r = crypto_cipher_encrypt(cipher, to+outlen,
|
||||
from+pkeylen-overhead-CIPHER_KEY_LEN, symlen);
|
||||
|
||||
if (r<0) goto err;
|
||||
memwipe(buf, 0, pkeylen);
|
||||
memwipe(key, 0, sizeof(key));
|
||||
tor_free(buf);
|
||||
crypto_cipher_free(cipher);
|
||||
tor_assert(outlen+symlen < INT_MAX);
|
||||
return (int)(outlen + symlen);
|
||||
err:
|
||||
|
||||
memwipe(buf, 0, pkeylen);
|
||||
memwipe(key, 0, sizeof(key));
|
||||
tor_free(buf);
|
||||
crypto_cipher_free(cipher);
|
||||
return -1;
|
||||
}
|
||||
|
||||
/** Invert crypto_pk_obsolete_public_hybrid_encrypt. Returns the number of
|
||||
* bytes written on success, -1 on failure.
|
||||
*
|
||||
* NOTE that this format does not authenticate the symmetrically encrypted
|
||||
* part of the data, and SHOULD NOT BE USED for new protocols.
|
||||
*/
|
||||
int
|
||||
crypto_pk_obsolete_private_hybrid_decrypt(crypto_pk_t *env,
|
||||
char *to,
|
||||
size_t tolen,
|
||||
const char *from,
|
||||
size_t fromlen,
|
||||
int padding, int warnOnFailure)
|
||||
{
|
||||
int outlen, r;
|
||||
size_t pkeylen;
|
||||
crypto_cipher_t *cipher = NULL;
|
||||
char *buf = NULL;
|
||||
|
||||
tor_assert(fromlen < SIZE_T_CEILING);
|
||||
pkeylen = crypto_pk_keysize(env);
|
||||
|
||||
if (fromlen <= pkeylen) {
|
||||
return crypto_pk_private_decrypt(env,to,tolen,from,fromlen,padding,
|
||||
warnOnFailure);
|
||||
}
|
||||
|
||||
buf = tor_malloc(pkeylen);
|
||||
outlen = crypto_pk_private_decrypt(env,buf,pkeylen,from,pkeylen,padding,
|
||||
warnOnFailure);
|
||||
if (outlen<0) {
|
||||
log_fn(warnOnFailure?LOG_WARN:LOG_DEBUG, LD_CRYPTO,
|
||||
"Error decrypting public-key data");
|
||||
goto err;
|
||||
}
|
||||
if (outlen < CIPHER_KEY_LEN) {
|
||||
log_fn(warnOnFailure?LOG_WARN:LOG_INFO, LD_CRYPTO,
|
||||
"No room for a symmetric key");
|
||||
goto err;
|
||||
}
|
||||
cipher = crypto_cipher_new(buf);
|
||||
if (!cipher) {
|
||||
goto err;
|
||||
}
|
||||
memcpy(to,buf+CIPHER_KEY_LEN,outlen-CIPHER_KEY_LEN);
|
||||
outlen -= CIPHER_KEY_LEN;
|
||||
tor_assert(tolen - outlen >= fromlen - pkeylen);
|
||||
r = crypto_cipher_decrypt(cipher, to+outlen, from+pkeylen, fromlen-pkeylen);
|
||||
if (r<0)
|
||||
goto err;
|
||||
memwipe(buf,0,pkeylen);
|
||||
tor_free(buf);
|
||||
crypto_cipher_free(cipher);
|
||||
tor_assert(outlen + fromlen < INT_MAX);
|
||||
return (int)(outlen + (fromlen-pkeylen));
|
||||
err:
|
||||
memwipe(buf,0,pkeylen);
|
||||
tor_free(buf);
|
||||
crypto_cipher_free(cipher);
|
||||
return -1;
|
||||
}
|
||||
|
||||
/** Encrypt <b>fromlen</b> bytes from <b>from</b> with the public key
|
||||
* in <b>env</b>, using the padding method <b>padding</b>. On success,
|
||||
* write the result to <b>to</b>, and return the number of bytes
|
||||
@ -849,6 +991,122 @@ crypto_pk_get_hashed_fingerprint(crypto_pk_t *pk, char *fp_out)
|
||||
return 0;
|
||||
}
|
||||
|
||||
/** Check a siglen-byte long signature at <b>sig</b> against
|
||||
* <b>datalen</b> bytes of data at <b>data</b>, using the public key
|
||||
* in <b>env</b>. Return 0 if <b>sig</b> is a correct signature for
|
||||
* SHA1(data). Else return -1.
|
||||
*/
|
||||
MOCK_IMPL(int,
|
||||
crypto_pk_public_checksig_digest,(crypto_pk_t *env, const char *data,
|
||||
size_t datalen, const char *sig,
|
||||
size_t siglen))
|
||||
{
|
||||
char digest[DIGEST_LEN];
|
||||
char *buf;
|
||||
size_t buflen;
|
||||
int r;
|
||||
|
||||
tor_assert(env);
|
||||
tor_assert(data);
|
||||
tor_assert(sig);
|
||||
tor_assert(datalen < SIZE_T_CEILING);
|
||||
tor_assert(siglen < SIZE_T_CEILING);
|
||||
|
||||
if (crypto_digest(digest,data,datalen)<0) {
|
||||
log_warn(LD_BUG, "couldn't compute digest");
|
||||
return -1;
|
||||
}
|
||||
buflen = crypto_pk_keysize(env);
|
||||
buf = tor_malloc(buflen);
|
||||
r = crypto_pk_public_checksig(env,buf,buflen,sig,siglen);
|
||||
if (r != DIGEST_LEN) {
|
||||
log_warn(LD_CRYPTO, "Invalid signature");
|
||||
tor_free(buf);
|
||||
return -1;
|
||||
}
|
||||
if (tor_memneq(buf, digest, DIGEST_LEN)) {
|
||||
log_warn(LD_CRYPTO, "Signature mismatched with digest.");
|
||||
tor_free(buf);
|
||||
return -1;
|
||||
}
|
||||
tor_free(buf);
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
/** Compute a SHA1 digest of <b>fromlen</b> bytes of data stored at
|
||||
* <b>from</b>; sign the data with the private key in <b>env</b>, and
|
||||
* store it in <b>to</b>. Return the number of bytes written on
|
||||
* success, and -1 on failure.
|
||||
*
|
||||
* <b>tolen</b> is the number of writable bytes in <b>to</b>, and must be
|
||||
* at least the length of the modulus of <b>env</b>.
|
||||
*/
|
||||
int
|
||||
crypto_pk_private_sign_digest(crypto_pk_t *env, char *to, size_t tolen,
|
||||
const char *from, size_t fromlen)
|
||||
{
|
||||
int r;
|
||||
char digest[DIGEST_LEN];
|
||||
if (crypto_digest(digest,from,fromlen)<0)
|
||||
return -1;
|
||||
r = crypto_pk_private_sign(env,to,tolen,digest,DIGEST_LEN);
|
||||
memwipe(digest, 0, sizeof(digest));
|
||||
return r;
|
||||
}
|
||||
|
||||
/** Given a private or public key <b>pk</b>, put a SHA1 hash of the
|
||||
* public key into <b>digest_out</b> (must have DIGEST_LEN bytes of space).
|
||||
* Return 0 on success, -1 on failure.
|
||||
*/
|
||||
int
|
||||
crypto_pk_get_digest(const crypto_pk_t *pk, char *digest_out)
|
||||
{
|
||||
char *buf;
|
||||
size_t buflen;
|
||||
int len;
|
||||
int rv = -1;
|
||||
|
||||
buflen = crypto_pk_keysize(pk)*2;
|
||||
buf = tor_malloc(buflen);
|
||||
len = crypto_pk_asn1_encode(pk, buf, buflen);
|
||||
if (len < 0)
|
||||
goto done;
|
||||
|
||||
if (crypto_digest(digest_out, buf, len) < 0)
|
||||
goto done;
|
||||
|
||||
rv = 0;
|
||||
done:
|
||||
tor_free(buf);
|
||||
return rv;
|
||||
}
|
||||
|
||||
/** Compute all digests of the DER encoding of <b>pk</b>, and store them
|
||||
* in <b>digests_out</b>. Return 0 on success, -1 on failure. */
|
||||
int
|
||||
crypto_pk_get_common_digests(crypto_pk_t *pk, common_digests_t *digests_out)
|
||||
{
|
||||
char *buf;
|
||||
size_t buflen;
|
||||
int len;
|
||||
int rv = -1;
|
||||
|
||||
buflen = crypto_pk_keysize(pk)*2;
|
||||
buf = tor_malloc(buflen);
|
||||
len = crypto_pk_asn1_encode(pk, buf, buflen);
|
||||
if (len < 0)
|
||||
goto done;
|
||||
|
||||
if (crypto_common_digests(digests_out, (char*)buf, len) < 0)
|
||||
goto done;
|
||||
|
||||
rv = 0;
|
||||
done:
|
||||
tor_free(buf);
|
||||
return rv;
|
||||
}
|
||||
|
||||
/** Given a crypto_pk_t <b>pk</b>, allocate a new buffer containing the
|
||||
* Base64 encoding of the DER representation of the private key as a NUL
|
||||
* terminated string, and return it via <b>priv_out</b>. Return 0 on
|
||||
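Review bot: In `crypto_pk_obsolete_public_hybrid_encrypt` (second hunk), the `force` path puts no lower bound on `fromlen`. When `force` is set and `fromlen` is smaller than `pkeylen-overhead-CIPHER_KEY_LEN`, the `memcpy` into `buf` reads past the end of `from`, and `symlen` wraps around as a `size_t`. Whether any caller passes such a short input with `force` is not visible here, but the precondition could sit next to the existing asserts, e.g. `tor_assert(fromlen + overhead + CIPHER_KEY_LEN >= pkeylen);` before the `tor_malloc`. In `crypto_pk_obsolete_private_hybrid_decrypt`, the only check on `tolen` comes after the `memcpy` into `to`, and `tolen - outlen` is unsigned arithmetic; `tor_assert(tolen >= (size_t)(outlen - CIPHER_KEY_LEN));` ahead of the copy would bound that write.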
|
@ -15,13 +15,13 @@
|
||||
|
||||
#include "orconfig.h"
|
||||
|
||||
#include "crypto_digest.h"
|
||||
#include <stdio.h>
|
||||
#include "torint.h"
|
||||
#include "testsupport.h"
|
||||
#include "compat.h"
|
||||
#include "util.h"
|
||||
#include "torlog.h"
|
||||
#include "crypto_curve25519.h"
|
||||
|
||||
/** Length of our public keys. */
|
||||
#define PK_BYTES (1024/8)
|
||||
@ -69,6 +69,14 @@ crypto_pk_t *crypto_pk_dup_key(crypto_pk_t *orig);
|
||||
crypto_pk_t *crypto_pk_copy_full(crypto_pk_t *orig);
|
||||
int crypto_pk_key_is_private(const crypto_pk_t *key);
|
||||
int crypto_pk_public_exponent_ok(crypto_pk_t *env);
|
||||
int crypto_pk_obsolete_public_hybrid_encrypt(crypto_pk_t *env, char *to,
|
||||
size_t tolen,
|
||||
const char *from, size_t fromlen,
|
||||
int padding, int force);
|
||||
int crypto_pk_obsolete_private_hybrid_decrypt(crypto_pk_t *env, char *to,
|
||||
size_t tolen,
|
||||
const char *from, size_t fromlen,
|
||||
int padding, int warnOnFailure);
|
||||
int crypto_pk_public_encrypt(crypto_pk_t *env, char *to, size_t tolen,
|
||||
const char *from, size_t fromlen, int padding);
|
||||
int crypto_pk_private_decrypt(crypto_pk_t *env, char *to, size_t tolen,
|
||||
@ -84,6 +92,13 @@ crypto_pk_t *crypto_pk_asn1_decode(const char *str, size_t len);
|
||||
int crypto_pk_get_fingerprint(crypto_pk_t *pk, char *fp_out,int add_space);
|
||||
int crypto_pk_get_hashed_fingerprint(crypto_pk_t *pk, char *fp_out);
|
||||
|
||||
MOCK_DECL(int, crypto_pk_public_checksig_digest,(crypto_pk_t *env,
|
||||
const char *data, size_t datalen, const char *sig, size_t siglen));
|
||||
int crypto_pk_private_sign_digest(crypto_pk_t *env, char *to, size_t tolen,
|
||||
const char *from, size_t fromlen);
|
||||
int crypto_pk_get_digest(const crypto_pk_t *pk, char *digest_out);
|
||||
int crypto_pk_get_common_digests(crypto_pk_t *pk,
|
||||
common_digests_t *digests_out);
|
||||
int crypto_pk_base64_encode(const crypto_pk_t *pk, char **priv_out);
|
||||
crypto_pk_t *crypto_pk_base64_decode(const char *str, size_t len);
|
||||
|
||||
|
@ -16,6 +16,7 @@
|
||||
#include "util.h"
|
||||
#include "compat.h"
|
||||
#include "crypto_s2k.h"
|
||||
#include "crypto_digest.h"
|
||||
|
||||
#include <openssl/evp.h>
|
||||
|
||||
|
@ -114,6 +114,7 @@ LIBOR_CRYPTO_A_SRC = \
|
||||
src/common/compress_zlib.c \
|
||||
src/common/compress_zstd.c \
|
||||
src/common/crypto.c \
|
||||
src/common/crypto_digest.c \
|
||||
src/common/crypto_rsa.c \
|
||||
src/common/crypto_openssl_mgt.c \
|
||||
src/common/crypto_pwbox.c \
|
||||
@ -165,6 +166,7 @@ COMMONHEADERS = \
|
||||
src/common/confline.h \
|
||||
src/common/container.h \
|
||||
src/common/crypto.h \
|
||||
src/common/crypto_digest.h \
|
||||
src/common/crypto_curve25519.h \
|
||||
src/common/crypto_ed25519.h \
|
||||
src/common/crypto_format.h \
|
||||
|
@ -25,6 +25,7 @@
|
||||
#include <ws2tcpip.h>
|
||||
#endif
|
||||
|
||||
#include "crypto.h"
|
||||
#include "compat.h"
|
||||
|
||||
/* Some versions of OpenSSL declare SSL_get_selected_srtp_profile twice in
|
||||
@ -32,7 +33,6 @@
|
||||
DISABLE_GCC_WARNING(redundant-decls)
|
||||
|
||||
#include <openssl/opensslv.h>
|
||||
#include "crypto.h"
|
||||
|
||||
#ifdef OPENSSL_NO_EC
|
||||
#error "We require OpenSSL with ECC support"
|
||||
|
@ -11,7 +11,7 @@
|
||||
* \brief Headers for tortls.c
|
||||
**/
|
||||
|
||||
#include "crypto.h"
|
||||
#include "crypto_rsa.h"
|
||||
#include "compat_openssl.h"
|
||||
#include "compat.h"
|
||||
#include "testsupport.h"
|
||||
|
@ -16,7 +16,7 @@
|
||||
#define UTIL_PRIVATE
|
||||
#include "util.h"
|
||||
#include "torlog.h"
|
||||
#include "crypto.h"
|
||||
#include "crypto_digest.h"
|
||||
#include "torint.h"
|
||||
#include "container.h"
|
||||
#include "address.h"
|
||||
|
@ -9,7 +9,7 @@
|
||||
void ed25519_hash(uint8_t *hash, const uint8_t *in, size_t inlen);
|
||||
*/
|
||||
|
||||
#include "crypto.h"
|
||||
#include "crypto_digest.h"
|
||||
|
||||
typedef struct ed25519_hash_context {
|
||||
crypto_digest_t *ctx;
|
||||
|
@ -1,5 +1,5 @@
|
||||
/* Added for Tor. */
|
||||
#include "crypto.h"
|
||||
#include "crypto_digest.h"
|
||||
|
||||
/* Set 'out' to the 512-bit SHA512 hash of the 'len'-byte string in 'inp' */
|
||||
#define crypto_hash_sha512(out, inp, len) \
|
||||
|
@ -12,7 +12,7 @@
|
||||
|
||||
#include "orconfig.h"
|
||||
#include "compat.h"
|
||||
#include "crypto.h"
|
||||
#include "crypto_digest.h"
|
||||
#include "crypto_format.h"
|
||||
#include "di_ops.h"
|
||||
#include "ht.h"
|
||||
|
@ -22,6 +22,7 @@
|
||||
|
||||
#define ONION_NTOR_PRIVATE
|
||||
#include "crypto.h"
|
||||
#include "crypto_digest.h"
|
||||
#include "onion_ntor.h"
|
||||
#include "torlog.h"
|
||||
#include "util.h"
|
||||
|
@ -9,6 +9,7 @@
|
||||
#define HS_DESCRIPTOR_PRIVATE
|
||||
|
||||
#include "crypto_ed25519.h"
|
||||
#include "crypto_digest.h"
|
||||
#include "ed25519_cert.h"
|
||||
#include "or.h"
|
||||
#include "hs_descriptor.h"
|
||||
|
@ -39,6 +39,7 @@ ENABLE_GCC_WARNING(redundant-decls)
|
||||
#include "util.h"
|
||||
#include "torlog.h"
|
||||
#include "crypto.h"
|
||||
#include "crypto_digest.h"
|
||||
#include "address.h"
|
||||
#include "util_format.h"
|
||||
|
||||
|