Commit 118691cd authored by David Goulet's avatar David Goulet 🐼 Committed by Nick Mathewson
Browse files

crypto: Change crypto_mac_sha3_256 to use the key length in the construction

parent 7a204ae8
Loading
Loading
Loading
Loading
+16 −9
Original line number Diff line number Diff line
@@ -2109,25 +2109,32 @@ crypto_hmac_sha256(char *hmac_out,
  tor_assert(rv);
}

/** Compute an SHA3 MAC of <b>msg</b> using <b>key</b> as the key. The format
 * used for our MAC is SHA3(k | m). Write the DIGEST256_LEN-byte result into
 * <b>mac_out</b> of size <b>mac_out_len</b>. */
/** Compute a MAC using SHA3-256 of <b>msg_len</b> bytes in <b>msg</b> using a
 * <b>key</b> of length <b>key_len</b> and a <b>salt</b> of length
 * <b>salt_len</b>. Store the result of <b>len_out</b> bytes in in
 * <b>mac_out</b>. This function can't fail. */
void
crypto_mac_sha3_256(char *mac_out, size_t mac_out_len,
                    const char *key, size_t key_len,
                    const char *msg, size_t msg_len)
crypto_mac_sha3_256(uint8_t *mac_out, size_t len_out,
                    const uint8_t *key, size_t key_len,
                    const uint8_t *msg, size_t msg_len)
{
  crypto_digest_t *digest;

  const uint64_t key_len_netorder = tor_htonll(key_len);

  tor_assert(mac_out);
  tor_assert(key);
  tor_assert(msg);

  digest = crypto_digest256_new(DIGEST_SHA3_256);

  crypto_digest_add_bytes(digest, key, key_len);
  crypto_digest_add_bytes(digest, msg, msg_len);
  crypto_digest_get_digest(digest, mac_out, mac_out_len);
  /* Order matters here that is any subsystem using this function should
   * expect this very precise ordering in the MAC construction. */
  crypto_digest_add_bytes(digest, (const char *) &key_len_netorder,
                          sizeof(key_len_netorder));
  crypto_digest_add_bytes(digest, (const char *) key, key_len);
  crypto_digest_add_bytes(digest, (const char *) msg, msg_len);
  crypto_digest_get_digest(digest, (char *) mac_out, len_out);
  crypto_digest_free(digest);
}

+4 −3
Original line number Diff line number Diff line
@@ -255,9 +255,10 @@ void crypto_digest_assign(crypto_digest_t *into,
void crypto_hmac_sha256(char *hmac_out,
                        const char *key, size_t key_len,
                        const char *msg, size_t msg_len);
void crypto_mac_sha3_256(char *mac_out, size_t mac_out_len,
                         const char *key, size_t key_len,
                         const char *msg, size_t msg_len);
void crypto_mac_sha3_256(uint8_t *mac_out, size_t len_out,
                         const uint8_t *key, size_t key_len,
                         const uint8_t *msg, size_t msg_len);

crypto_xof_t *crypto_xof_new(void);
void crypto_xof_add_bytes(crypto_xof_t *xof, const uint8_t *data, size_t len);
void crypto_xof_squeeze_bytes(crypto_xof_t *xof, uint8_t *out, size_t len);
+9 −9
Original line number Diff line number Diff line
@@ -42,7 +42,7 @@ get_auth_key_from_establish_intro_cell(ed25519_public_key_t *auth_key_out,
 *  given <b>circuit_key_material</b>. Return 0 on success else -1 on error. */
STATIC int
verify_establish_intro_cell(const hs_cell_establish_intro_t *cell,
                            const char *circuit_key_material,
                            const uint8_t *circuit_key_material,
                            size_t circuit_key_material_len)
{
  /* We only reach this function if the first byte of the cell is 0x02 which
@@ -62,7 +62,7 @@ verify_establish_intro_cell(const hs_cell_establish_intro_t *cell,
    return -1;
  }

  const char *msg = (char*) cell->start_cell;
  const uint8_t *msg = cell->start_cell;

  /* Verify the sig */
  {
@@ -79,7 +79,7 @@ verify_establish_intro_cell(const hs_cell_establish_intro_t *cell,
    ed25519_public_key_t auth_key;
    get_auth_key_from_establish_intro_cell(&auth_key, cell);

    const size_t sig_msg_len = (char*) (cell->end_sig_fields) - msg;
    const size_t sig_msg_len = cell->end_sig_fields - msg;
    int sig_mismatch = ed25519_checksig_prefixed(&sig_struct,
                                                 (uint8_t*) msg, sig_msg_len,
                                                 ESTABLISH_INTRO_SIG_PREFIX,
@@ -92,8 +92,8 @@ verify_establish_intro_cell(const hs_cell_establish_intro_t *cell,

  /* Verify the MAC */
  {
    const size_t auth_msg_len = (char*) (cell->end_mac_fields) - msg;
    char mac[DIGEST256_LEN];
    const size_t auth_msg_len = cell->end_mac_fields - msg;
    uint8_t mac[DIGEST256_LEN];
    crypto_mac_sha3_256(mac, sizeof(mac),
                        circuit_key_material, circuit_key_material_len,
                        msg, auth_msg_len);
@@ -198,7 +198,7 @@ handle_establish_intro(or_circuit_t *circ, const uint8_t *request,
  }

  cell_ok = verify_establish_intro_cell(parsed_cell,
                                       circ->rend_circ_nonce,
                                        (uint8_t *) circ->rend_circ_nonce,
                                        sizeof(circ->rend_circ_nonce));
  if (cell_ok < 0) {
    log_warn(LD_PROTOCOL, "Failed to verify ESTABLISH_INTRO cell.");
+1 −1
Original line number Diff line number Diff line
@@ -28,7 +28,7 @@ int hs_intro_circuit_is_suitable(const or_circuit_t *circ);

STATIC int
verify_establish_intro_cell(const hs_cell_establish_intro_t *out,
                            const char *circuit_key_material,
                            const uint8_t *circuit_key_material,
                            size_t circuit_key_material_len);

STATIC void
+3 −3
Original line number Diff line number Diff line
@@ -60,7 +60,7 @@ set_cell_extensions(hs_cell_establish_intro_t *cell)
 *  returned cell is allocated on the heap and it's the responsibility of the
 *  caller to free it. */
STATIC hs_cell_establish_intro_t *
generate_establish_intro_cell(const char *circuit_key_material,
generate_establish_intro_cell(const uint8_t *circuit_key_material,
                              size_t circuit_key_material_len)
{
  hs_cell_establish_intro_t *cell = NULL;
@@ -109,7 +109,7 @@ generate_establish_intro_cell(const char *circuit_key_material,
    /* To calculate HANDSHAKE_AUTH, we dump the cell in bytes, and then derive
       the MAC from it. */
    uint8_t cell_bytes_tmp[RELAY_PAYLOAD_SIZE] = {0};
    char mac[TRUNNEL_SHA3_256_LEN];
    uint8_t mac[TRUNNEL_SHA3_256_LEN];

    encoded_len = hs_cell_establish_intro_encode(cell_bytes_tmp,
                                                 sizeof(cell_bytes_tmp),
@@ -125,7 +125,7 @@ generate_establish_intro_cell(const char *circuit_key_material,
    /* Calculate MAC of all fields before HANDSHAKE_AUTH */
    crypto_mac_sha3_256(mac, sizeof(mac),
                        circuit_key_material, circuit_key_material_len,
                        (const char*)cell_bytes_tmp,
                        cell_bytes_tmp,
                        encoded_len - (ED25519_SIG_LEN + 2 + TRUNNEL_SHA3_256_LEN));
    /* Write the MAC to the cell */
    uint8_t *handshake_ptr =
Loading