mirrors/tor
1
0
Fork 0
mirror of https://gitlab.torproject.org/tpo/core/tor.git synced 2025-02-25 23:21:38 +01:00
Code Issues Projects Releases Wiki Activity

Use NSS's digest code in Tor.

Browse source 
This was a fairly straightforward port, once I realized which layer
I should be calling into.
This commit is contained in:
Nick Mathewson 2018-07-11 16:54:05 -04:00
parent 27dd2b1f1f
commit f64c9dccde
4 changed files with 262 additions and 10 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

258
src/lib/crypt_ops/crypto_digest.c
View file

@ -12,7 +12,6 @@
#include "lib/container/smartlist.h" #include "lib/container/smartlist.h"
#include "lib/crypt_ops/crypto_digest.h" #include "lib/crypt_ops/crypto_digest.h"
#include "lib/crypt_ops/crypto_openssl_mgt.h"
#include "lib/crypt_ops/crypto_util.h" #include "lib/crypt_ops/crypto_util.h"
#include "lib/log/log.h" #include "lib/log/log.h"
#include "lib/log/util_bug.h" #include "lib/log/util_bug.h"
@ -24,12 +23,92 @@
#include "lib/arch/bytes.h" #include "lib/arch/bytes.h"
#ifdef ENABLE_NSS
DISABLE_GCC_WARNING(strict-prototypes)
#include <pk11pub.h>
ENABLE_GCC_WARNING(strict-prototypes)
#else
#include "lib/crypt_ops/crypto_openssl_mgt.h"
DISABLE_GCC_WARNING(redundant-decls) DISABLE_GCC_WARNING(redundant-decls)
#include <openssl/hmac.h> #include <openssl/hmac.h>
#include <openssl/sha.h> #include <openssl/sha.h>
ENABLE_GCC_WARNING(redundant-decls) ENABLE_GCC_WARNING(redundant-decls)
#endif
#ifdef ENABLE_NSS
/**
* Convert a digest_algorithm_t (used by tor) to a HashType (used by NSS).
* On failure, return SEC_OID_UNKNOWN. */
static SECOidTag
digest_alg_to_nss_oid(digest_algorithm_t alg)
{
switch (alg) {
case DIGEST_SHA1: return SEC_OID_SHA1;
case DIGEST_SHA256: return SEC_OID_SHA256;
case DIGEST_SHA512: return SEC_OID_SHA512;
case DIGEST_SHA3_256: /* Fall through */
case DIGEST_SHA3_512: /* Fall through */
default:
return SEC_OID_UNKNOWN;
}
}
/* Helper: get an unkeyed digest via pk11wrap */
static int
digest_nss_internal(SECOidTag alg,
char *digest, unsigned len_out,
const char *msg, size_t msg_len)
{
if (alg == SEC_OID_UNKNOWN)
return -1;
tor_assert(msg_len <= UINT_MAX);
int rv = -1;
SECStatus s;
PK11Context *ctx = PK11_CreateDigestContext(alg);
if (!ctx)
return -1;
s = PK11_DigestBegin(ctx);
if (s != SECSuccess)
goto done;
s = PK11_DigestOp(ctx, (const unsigned char *)msg, (unsigned int)msg_len);
if (s != SECSuccess)
goto done;
unsigned int len = 0;
s = PK11_DigestFinal(ctx, (unsigned char *)digest, &len, len_out);
if (s != SECSuccess)
goto done;
rv = 0;
done:
PK11_DestroyContext(ctx, PR_TRUE);
return rv;
}
/** True iff alg is implemented in our crypto library, and we want to use that
* implementation */
static bool
library_supports_digest(digest_algorithm_t alg)
{
switch (alg) {
case DIGEST_SHA1: /* Fall through */
case DIGEST_SHA256: /* Fall through */
case DIGEST_SHA512: /* Fall through */
return true;
case DIGEST_SHA3_256: /* Fall through */
case DIGEST_SHA3_512: /* Fall through */
default:
return false;
}
}
#endif
/* Crypto digest functions */ /* Crypto digest functions */
@ -42,8 +121,13 @@ crypto_digest(char *digest, const char *m, size_t len)
{ {
tor_assert(m); tor_assert(m);
tor_assert(digest); tor_assert(digest);
if (SHA1((const unsigned char*)m,len,(unsigned char*)digest) == NULL) #ifdef ENABLE_NSS
return digest_nss_internal(SEC_OID_SHA1, digest, DIGEST_LEN, m, len);
#else
if (SHA1((const unsigned char*)m,len,(unsigned char*)digest) == NULL) {
return -1; return -1;
}
#endif
return 0; return 0;
} }
@ -59,11 +143,16 @@ crypto_digest256(char *digest, const char *m, size_t len,
tor_assert(algorithm == DIGEST_SHA256 || algorithm == DIGEST_SHA3_256); tor_assert(algorithm == DIGEST_SHA256 || algorithm == DIGEST_SHA3_256);
int ret = 0; int ret = 0;
if (algorithm == DIGEST_SHA256) if (algorithm == DIGEST_SHA256) {
#ifdef ENABLE_NSS
return digest_nss_internal(SEC_OID_SHA256, digest, DIGEST256_LEN, m, len);
#else
ret = (SHA256((const uint8_t*)m,len,(uint8_t*)digest) != NULL); ret = (SHA256((const uint8_t*)m,len,(uint8_t*)digest) != NULL);
else #endif
} else {
ret = (sha3_256((uint8_t *)digest, DIGEST256_LEN,(const uint8_t *)m, len) ret = (sha3_256((uint8_t *)digest, DIGEST256_LEN,(const uint8_t *)m, len)
> -1); > -1);
}
if (!ret) if (!ret)
return -1; return -1;
@ -82,12 +171,17 @@ crypto_digest512(char *digest, const char *m, size_t len,
tor_assert(algorithm == DIGEST_SHA512 || algorithm == DIGEST_SHA3_512); tor_assert(algorithm == DIGEST_SHA512 || algorithm == DIGEST_SHA3_512);
int ret = 0; int ret = 0;
if (algorithm == DIGEST_SHA512) if (algorithm == DIGEST_SHA512) {
#ifdef ENABLE_NSS
return digest_nss_internal(SEC_OID_SHA512, digest, DIGEST512_LEN, m, len);
#else
ret = (SHA512((const unsigned char*)m,len,(unsigned char*)digest) ret = (SHA512((const unsigned char*)m,len,(unsigned char*)digest)
!= NULL); != NULL);
else #endif
} else {
ret = (sha3_512((uint8_t*)digest, DIGEST512_LEN, (const uint8_t*)m, len) ret = (sha3_512((uint8_t*)digest, DIGEST512_LEN, (const uint8_t*)m, len)
> -1); > -1);
}
if (!ret) if (!ret)
return -1; return -1;
@ -181,9 +275,13 @@ struct crypto_digest_t {
* that space for other members might not even be allocated! * that space for other members might not even be allocated!
*/ */
union { union {
#ifdef ENABLE_NSS
PK11Context *ctx;
#else
SHA_CTX sha1; /**< state for SHA1 */ SHA_CTX sha1; /**< state for SHA1 */
SHA256_CTX sha2; /**< state for SHA256 */ SHA256_CTX sha2; /**< state for SHA256 */
SHA512_CTX sha512; /**< state for SHA512 */ SHA512_CTX sha512; /**< state for SHA512 */
#endif
keccak_state sha3; /**< state for SHA3-[256,512] */ keccak_state sha3; /**< state for SHA3-[256,512] */
} d; } d;
}; };
@ -214,12 +312,19 @@ crypto_digest_alloc_bytes(digest_algorithm_t alg)
#define END_OF_FIELD(f) (offsetof(crypto_digest_t, f) + \ #define END_OF_FIELD(f) (offsetof(crypto_digest_t, f) + \
STRUCT_FIELD_SIZE(crypto_digest_t, f)) STRUCT_FIELD_SIZE(crypto_digest_t, f))
switch (alg) { switch (alg) {
#ifdef ENABLE_NSS
case DIGEST_SHA1: /* Fall through */
case DIGEST_SHA256: /* Fall through */
case DIGEST_SHA512:
return END_OF_FIELD(d.ctx);
#else
case DIGEST_SHA1: case DIGEST_SHA1:
return END_OF_FIELD(d.sha1); return END_OF_FIELD(d.sha1);
case DIGEST_SHA256: case DIGEST_SHA256:
return END_OF_FIELD(d.sha2); return END_OF_FIELD(d.sha2);
case DIGEST_SHA512: case DIGEST_SHA512:
return END_OF_FIELD(d.sha512); return END_OF_FIELD(d.sha512);
#endif
case DIGEST_SHA3_256: case DIGEST_SHA3_256:
case DIGEST_SHA3_512: case DIGEST_SHA3_512:
return END_OF_FIELD(d.sha3); return END_OF_FIELD(d.sha3);
@ -243,6 +348,21 @@ crypto_digest_new_internal(digest_algorithm_t algorithm)
switch (algorithm) switch (algorithm)
{ {
#ifdef ENABLE_NSS
case DIGEST_SHA1: /* fall through */
case DIGEST_SHA256: /* fall through */
case DIGEST_SHA512:
r->d.ctx = PK11_CreateDigestContext(digest_alg_to_nss_oid(algorithm));
if (BUG(!r->d.ctx)) {
tor_free(r);
return NULL;
}
if (BUG(SECSuccess != PK11_DigestBegin(r->d.ctx))) {
crypto_digest_free(r);
return NULL;
}
break;
#else
case DIGEST_SHA1: case DIGEST_SHA1:
SHA1_Init(&r->d.sha1); SHA1_Init(&r->d.sha1);
break; break;
@ -252,6 +372,7 @@ crypto_digest_new_internal(digest_algorithm_t algorithm)
case DIGEST_SHA512: case DIGEST_SHA512:
SHA512_Init(&r->d.sha512); SHA512_Init(&r->d.sha512);
break; break;
#endif
case DIGEST_SHA3_256: case DIGEST_SHA3_256:
keccak_digest_init(&r->d.sha3, 256); keccak_digest_init(&r->d.sha3, 256);
break; break;
@ -302,6 +423,11 @@ crypto_digest_free_(crypto_digest_t *digest)
{ {
if (!digest) if (!digest)
return; return;
#ifdef ENABLE_NSS
if (library_supports_digest(digest->algorithm)) {
PK11_DestroyContext(digest->d.ctx, PR_TRUE);
}
#endif
size_t bytes = crypto_digest_alloc_bytes(digest->algorithm); size_t bytes = crypto_digest_alloc_bytes(digest->algorithm);
memwipe(digest, 0, bytes); memwipe(digest, 0, bytes);
tor_free(digest); tor_free(digest);
@ -324,6 +450,17 @@ crypto_digest_add_bytes(crypto_digest_t *digest, const char *data,
* just doing it ourselves. Hashes are fast. * just doing it ourselves. Hashes are fast.
*/ */
switch (digest->algorithm) { switch (digest->algorithm) {
#ifdef ENABLE_NSS
case DIGEST_SHA1: /* fall through */
case DIGEST_SHA256: /* fall through */
case DIGEST_SHA512:
tor_assert(len <= UINT_MAX);
SECStatus s = PK11_DigestOp(digest->d.ctx,
(const unsigned char *)data,
(unsigned int)len);
tor_assert(s == SECSuccess);
break;
#else
case DIGEST_SHA1: case DIGEST_SHA1:
SHA1_Update(&digest->d.sha1, (void*)data, len); SHA1_Update(&digest->d.sha1, (void*)data, len);
break; break;
@ -333,6 +470,7 @@ crypto_digest_add_bytes(crypto_digest_t *digest, const char *data,
case DIGEST_SHA512: case DIGEST_SHA512:
SHA512_Update(&digest->d.sha512, (void*)data, len); SHA512_Update(&digest->d.sha512, (void*)data, len);
break; break;
#endif
case DIGEST_SHA3_256: /* FALLSTHROUGH */ case DIGEST_SHA3_256: /* FALLSTHROUGH */
case DIGEST_SHA3_512: case DIGEST_SHA3_512:
keccak_digest_update(&digest->d.sha3, (const uint8_t *)data, len); keccak_digest_update(&digest->d.sha3, (const uint8_t *)data, len);
@ -357,7 +495,6 @@ crypto_digest_get_digest(crypto_digest_t *digest,
char *out, size_t out_len) char *out, size_t out_len)
{ {
unsigned char r[DIGEST512_LEN]; unsigned char r[DIGEST512_LEN];
crypto_digest_t tmpenv;
tor_assert(digest); tor_assert(digest);
tor_assert(out); tor_assert(out);
tor_assert(out_len <= crypto_digest_algorithm_get_length(digest->algorithm)); tor_assert(out_len <= crypto_digest_algorithm_get_length(digest->algorithm));
@ -370,7 +507,26 @@ crypto_digest_get_digest(crypto_digest_t *digest,
return; return;
} }
#ifdef ENABLE_NSS
/* Copy into a temporary buffer since DigestFinal (alters) the context */
unsigned char buf[1024];
unsigned int saved_len = 0;
unsigned rlen;
unsigned char *saved = PK11_SaveContextAlloc(digest->d.ctx,
buf, sizeof(buf),
&saved_len);
tor_assert(saved);
SECStatus s = PK11_DigestFinal(digest->d.ctx, r, &rlen, sizeof(r));
tor_assert(s == SECSuccess);
tor_assert(rlen >= out_len);
s = PK11_RestoreContext(digest->d.ctx, saved, saved_len);
tor_assert(s == SECSuccess);
if (saved != buf) {
PORT_ZFree(saved, saved_len);
}
#else
const size_t alloc_bytes = crypto_digest_alloc_bytes(digest->algorithm); const size_t alloc_bytes = crypto_digest_alloc_bytes(digest->algorithm);
crypto_digest_t tmpenv;
/* memcpy into a temporary ctx, since SHA*_Final clears the context */ /* memcpy into a temporary ctx, since SHA*_Final clears the context */
memcpy(&tmpenv, digest, alloc_bytes); memcpy(&tmpenv, digest, alloc_bytes);
switch (digest->algorithm) { switch (digest->algorithm) {
@ -393,6 +549,7 @@ crypto_digest_get_digest(crypto_digest_t *digest,
break; break;
//LCOV_EXCL_STOP //LCOV_EXCL_STOP
} }
#endif
memcpy(out, r, out_len); memcpy(out, r, out_len);
memwipe(r, 0, sizeof(r)); memwipe(r, 0, sizeof(r));
} }
@ -408,7 +565,13 @@ crypto_digest_dup(const crypto_digest_t *digest)
{ {
tor_assert(digest); tor_assert(digest);
const size_t alloc_bytes = crypto_digest_alloc_bytes(digest->algorithm); const size_t alloc_bytes = crypto_digest_alloc_bytes(digest->algorithm);
return tor_memdup(digest, alloc_bytes); crypto_digest_t *result = tor_memdup(digest, alloc_bytes);
#ifdef ENABLE_NSS
if (library_supports_digest(digest->algorithm)) {
result->d.ctx = PK11_CloneContext(digest->d.ctx);
}
#endif
return result;
} }
/** Temporarily save the state of <b>digest</b> in <b>checkpoint</b>. /** Temporarily save the state of <b>digest</b> in <b>checkpoint</b>.
@ -420,6 +583,18 @@ crypto_digest_checkpoint(crypto_digest_checkpoint_t *checkpoint,
{ {
const size_t bytes = crypto_digest_alloc_bytes(digest->algorithm); const size_t bytes = crypto_digest_alloc_bytes(digest->algorithm);
tor_assert(bytes <= sizeof(checkpoint->mem)); tor_assert(bytes <= sizeof(checkpoint->mem));
#ifdef ENABLE_NSS
if (library_supports_digest(digest->algorithm)) {
unsigned char *allocated;
allocated = PK11_SaveContextAlloc(digest->d.ctx,
(unsigned char *)checkpoint->mem,
sizeof(checkpoint->mem),
&checkpoint->bytes_used);
/* No allocation is allowed here. */
tor_assert(allocated == checkpoint->mem);
return;
}
#endif
memcpy(checkpoint->mem, digest, bytes); memcpy(checkpoint->mem, digest, bytes);
} }
@ -431,6 +606,15 @@ crypto_digest_restore(crypto_digest_t *digest,
const crypto_digest_checkpoint_t *checkpoint) const crypto_digest_checkpoint_t *checkpoint)
{ {
const size_t bytes = crypto_digest_alloc_bytes(digest->algorithm); const size_t bytes = crypto_digest_alloc_bytes(digest->algorithm);
#ifdef ENABLE_NSS
if (library_supports_digest(digest->algorithm)) {
SECStatus s = PK11_RestoreContext(digest->d.ctx,
(unsigned char *)checkpoint->mem,
checkpoint->bytes_used);
tor_assert(s == SECSuccess);
return;
}
#endif
memcpy(digest, checkpoint->mem, bytes); memcpy(digest, checkpoint->mem, bytes);
} }
@ -446,6 +630,13 @@ crypto_digest_assign(crypto_digest_t *into,
tor_assert(from); tor_assert(from);
tor_assert(into->algorithm == from->algorithm); tor_assert(into->algorithm == from->algorithm);
const size_t alloc_bytes = crypto_digest_alloc_bytes(from->algorithm); const size_t alloc_bytes = crypto_digest_alloc_bytes(from->algorithm);
#ifdef ENABLE_NSS
if (library_supports_digest(from->algorithm)) {
PK11_DestroyContext(into->d.ctx, PR_TRUE);
into->d.ctx = PK11_CloneContext(from->d.ctx);
return;
}
#endif
memcpy(into,from,alloc_bytes); memcpy(into,from,alloc_bytes);
} }
@ -496,14 +687,63 @@ crypto_hmac_sha256(char *hmac_out,
const char *key, size_t key_len, const char *key, size_t key_len,
const char *msg, size_t msg_len) const char *msg, size_t msg_len)
{ {
unsigned char *rv = NULL;
/* If we've got OpenSSL >=0.9.8 we can use its hmac implementation. */ /* If we've got OpenSSL >=0.9.8 we can use its hmac implementation. */
tor_assert(key_len < INT_MAX); tor_assert(key_len < INT_MAX);
tor_assert(msg_len < INT_MAX); tor_assert(msg_len < INT_MAX);
tor_assert(hmac_out); tor_assert(hmac_out);
#ifdef ENABLE_NSS
PK11SlotInfo *slot = NULL;
PK11SymKey *symKey = NULL;
PK11Context *hmac = NULL;
int ok = 0;
SECStatus s;
SECItem keyItem, paramItem;
keyItem.data = (unsigned char *)key;
keyItem.len = (unsigned)key_len;
paramItem.type = siBuffer;
paramItem.data = NULL;
paramItem.len = 0;
slot = PK11_GetBestSlot(CKM_SHA256_HMAC, NULL);
if (!slot)
goto done;
symKey = PK11_ImportSymKey(slot, CKM_SHA256_HMAC,
PK11_OriginUnwrap, CKA_SIGN, &keyItem, NULL);
if (!symKey)
goto done;
hmac = PK11_CreateContextBySymKey(CKM_SHA256_HMAC, CKA_SIGN, symKey,
&paramItem);
if (!hmac)
goto done;
s = PK11_DigestBegin(hmac);
if (s != SECSuccess)
goto done;
s = PK11_DigestOp(hmac, (const unsigned char *)msg, (unsigned int)msg_len);
if (s != SECSuccess)
goto done;
unsigned int len=0;
s = PK11_DigestFinal(hmac, (unsigned char *)hmac_out, &len, DIGEST256_LEN);
if (s != SECSuccess || len != DIGEST256_LEN)
goto done;
ok = 1;
done:
if (hmac)
PK11_DestroyContext(hmac, PR_TRUE);
if (symKey)
PK11_FreeSymKey(symKey);
if (slot)
PK11_FreeSlot(slot);
tor_assert(ok);
#else
unsigned char *rv = NULL;
rv = HMAC(EVP_sha256(), key, (int)key_len, (unsigned char*)msg, (int)msg_len, rv = HMAC(EVP_sha256(), key, (int)key_len, (unsigned char*)msg, (int)msg_len,
(unsigned char*)hmac_out, NULL); (unsigned char*)hmac_out, NULL);
tor_assert(rv); tor_assert(rv);
#endif
} }
/** Compute a MAC using SHA3-256 of <b>msg_len</b> bytes in <b>msg</b> using a /** Compute a MAC using SHA3-256 of <b>msg_len</b> bytes in <b>msg</b> using a

3
src/lib/crypt_ops/crypto_digest.h
View file

@ -51,6 +51,9 @@ typedef enum {
/** Structure used to temporarily save the a digest object. Only implemented /** Structure used to temporarily save the a digest object. Only implemented
* for SHA1 digest for now. */ * for SHA1 digest for now. */
typedef struct crypto_digest_checkpoint_t { typedef struct crypto_digest_checkpoint_t {
#ifdef ENABLE_NSS
unsigned int bytes_used;
#endif
uint8_t mem[DIGEST_CHECKPOINT_BYTES]; uint8_t mem[DIGEST_CHECKPOINT_BYTES];
} crypto_digest_checkpoint_t; } crypto_digest_checkpoint_t;

5
src/test/test_hs_ntor_cl.c
View file

@ -18,6 +18,7 @@
#include "lib/crypt_ops/crypto_curve25519.h" #include "lib/crypt_ops/crypto_curve25519.h"
#include "lib/crypt_ops/crypto_ed25519.h" #include "lib/crypt_ops/crypto_ed25519.h"
#include "lib/crypt_ops/crypto_format.h" #include "lib/crypt_ops/crypto_format.h"
#include "lib/crypt_ops/crypto_init.h"
#include "core/crypto/hs_ntor.h" #include "core/crypto/hs_ntor.h"
#include "core/crypto/onion_ntor.h" #include "core/crypto/onion_ntor.h"
@ -240,7 +241,11 @@ main(int argc, char **argv)
return 1; return 1;
} }
init_logging(1);
curve25519_init(); curve25519_init();
if (crypto_global_init(0, NULL, NULL) < 0)
return 1;
if (!strcmp(argv[1], "client1")) { if (!strcmp(argv[1], "client1")) {
return client1(argc, argv); return client1(argc, argv);
} else if (!strcmp(argv[1], "server1")) { } else if (!strcmp(argv[1], "server1")) {

6
src/test/test_ntor_cl.c
View file

@ -9,6 +9,7 @@
#include "core/or/or.h" #include "core/or/or.h"
#include "lib/crypt_ops/crypto_cipher.h" #include "lib/crypt_ops/crypto_cipher.h"
#include "lib/crypt_ops/crypto_curve25519.h" #include "lib/crypt_ops/crypto_curve25519.h"
#include "lib/crypt_ops/crypto_init.h"
#include "core/crypto/onion_ntor.h" #include "core/crypto/onion_ntor.h"
#define N_ARGS(n) STMT_BEGIN { \ #define N_ARGS(n) STMT_BEGIN { \
@ -153,7 +154,11 @@ main(int argc, char **argv)
return 1; return 1;
} }
init_logging(1);
curve25519_init(); curve25519_init();
if (crypto_global_init(0, NULL, NULL) < 0)
return 1;
if (!strcmp(argv[1], "client1")) { if (!strcmp(argv[1], "client1")) {
return client1(argc, argv); return client1(argc, argv);
} else if (!strcmp(argv[1], "server1")) { } else if (!strcmp(argv[1], "server1")) {
@ -165,4 +170,3 @@ main(int argc, char **argv)
return 1; return 1;
} }
} }