commit 0eed0899cdeadd84dc5323f8ca0a3a13cd3779de Merge: d96dc2060 7759ac8df Author: Nick Mathewson nickm@torproject.org Date: Mon Mar 26 19:52:58 2018 -0400
Merge branch 'bug24658-rm-curve25519-header' into bug24658-merge
src/common/container.c | 2 +- src/common/crypto.c | 803 +--------------------------- src/common/crypto.h | 129 ----- src/common/crypto_curve25519.c | 1 + src/common/crypto_curve25519.h | 1 + src/common/crypto_digest.c | 569 ++++++++++++++++++++ src/common/crypto_digest.h | 136 +++++ src/common/crypto_ed25519.c | 1 + src/common/crypto_format.c | 1 + src/common/crypto_pwbox.c | 1 + src/common/crypto_rsa.c | 260 ++++++++- src/common/crypto_rsa.h | 17 +- src/common/crypto_s2k.c | 1 + src/common/include.am | 2 + src/common/tortls.c | 2 +- src/common/tortls.h | 2 +- src/common/util.c | 2 +- src/ext/ed25519/donna/ed25519-hash-custom.h | 2 +- src/ext/ed25519/ref10/crypto_hash_sha512.h | 2 +- src/or/keypin.c | 2 +- src/or/onion_ntor.c | 1 + src/test/test_hs_descriptor.c | 1 + src/tools/tor-gencert.c | 1 + 23 files changed, 999 insertions(+), 940 deletions(-)
diff --cc src/common/crypto_digest.c index 000000000,417789341..cdcc1828c mode 000000,100644..100644 --- a/src/common/crypto_digest.c +++ b/src/common/crypto_digest.c @@@ -1,0 -1,546 +1,569 @@@ + /* Copyright (c) 2001, Matej Pfajfar. + * Copyright (c) 2001-2004, Roger Dingledine. + * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson. + * Copyright (c) 2007-2017, The Tor Project, Inc. */ + /* See LICENSE for licensing information */ + + /** + * \file crypto_digest.c + * \brief Block of functions related with digest and xof utilities and + * operations. + **/ + + #include "crypto_digest.h" + + #include "crypto.h" /* common functions */ + #include "crypto_openssl_mgt.h" + + DISABLE_GCC_WARNING(redundant-decls) + + #include <openssl/hmac.h> + #include <openssl/sha.h> + + ENABLE_GCC_WARNING(redundant-decls) + + #include "container.h" + + /* Crypto digest functions */ + + /** Compute the SHA1 digest of the <b>len</b> bytes on data stored in + * <b>m</b>. Write the DIGEST_LEN byte result into <b>digest</b>. + * Return 0 on success, -1 on failure. + */ + int + crypto_digest(char *digest, const char *m, size_t len) + { + tor_assert(m); + tor_assert(digest); + if (SHA1((const unsigned char*)m,len,(unsigned char*)digest) == NULL) + return -1; + return 0; + } + + /** Compute a 256-bit digest of <b>len</b> bytes in data stored in <b>m</b>, + * using the algorithm <b>algorithm</b>. Write the DIGEST_LEN256-byte result + * into <b>digest</b>. Return 0 on success, -1 on failure. */ + int + crypto_digest256(char *digest, const char *m, size_t len, + digest_algorithm_t algorithm) + { + tor_assert(m); + tor_assert(digest); + tor_assert(algorithm == DIGEST_SHA256 || algorithm == DIGEST_SHA3_256); + + int ret = 0; + if (algorithm == DIGEST_SHA256) + ret = (SHA256((const uint8_t*)m,len,(uint8_t*)digest) != NULL); + else + ret = (sha3_256((uint8_t *)digest, DIGEST256_LEN,(const uint8_t *)m, len) + > -1); + + if (!ret) + return -1; + return 0; + } + + /** Compute a 512-bit digest of <b>len</b> bytes in data stored in <b>m</b>, + * using the algorithm <b>algorithm</b>. Write the DIGEST_LEN512-byte result + * into <b>digest</b>. Return 0 on success, -1 on failure. */ + int + crypto_digest512(char *digest, const char *m, size_t len, + digest_algorithm_t algorithm) + { + tor_assert(m); + tor_assert(digest); + tor_assert(algorithm == DIGEST_SHA512 || algorithm == DIGEST_SHA3_512); + + int ret = 0; + if (algorithm == DIGEST_SHA512) + ret = (SHA512((const unsigned char*)m,len,(unsigned char*)digest) + != NULL); + else + ret = (sha3_512((uint8_t*)digest, DIGEST512_LEN, (const uint8_t*)m, len) + > -1); + + if (!ret) + return -1; + return 0; + } + + /** Set the common_digests_t in <b>ds_out</b> to contain every digest on the + * <b>len</b> bytes in <b>m</b> that we know how to compute. Return 0 on + * success, -1 on failure. */ + int + crypto_common_digests(common_digests_t *ds_out, const char *m, size_t len) + { + tor_assert(ds_out); + memset(ds_out, 0, sizeof(*ds_out)); + if (crypto_digest(ds_out->d[DIGEST_SHA1], m, len) < 0) + return -1; + if (crypto_digest256(ds_out->d[DIGEST_SHA256], m, len, DIGEST_SHA256) < 0) + return -1; + + return 0; + } + + /** Return the name of an algorithm, as used in directory documents. */ + const char * + crypto_digest_algorithm_get_name(digest_algorithm_t alg) + { + switch (alg) { + case DIGEST_SHA1: + return "sha1"; + case DIGEST_SHA256: + return "sha256"; + case DIGEST_SHA512: + return "sha512"; + case DIGEST_SHA3_256: + return "sha3-256"; + case DIGEST_SHA3_512: + return "sha3-512"; + // LCOV_EXCL_START + default: + tor_fragile_assert(); + return "??unknown_digest??"; + // LCOV_EXCL_STOP + } + } + + /** Given the name of a digest algorithm, return its integer value, or -1 if + * the name is not recognized. */ + int + crypto_digest_algorithm_parse_name(const char *name) + { + if (!strcmp(name, "sha1")) + return DIGEST_SHA1; + else if (!strcmp(name, "sha256")) + return DIGEST_SHA256; + else if (!strcmp(name, "sha512")) + return DIGEST_SHA512; + else if (!strcmp(name, "sha3-256")) + return DIGEST_SHA3_256; + else if (!strcmp(name, "sha3-512")) + return DIGEST_SHA3_512; + else + return -1; + } + + /** Given an algorithm, return the digest length in bytes. */ + size_t + crypto_digest_algorithm_get_length(digest_algorithm_t alg) + { + switch (alg) { + case DIGEST_SHA1: + return DIGEST_LEN; + case DIGEST_SHA256: + return DIGEST256_LEN; + case DIGEST_SHA512: + return DIGEST512_LEN; + case DIGEST_SHA3_256: + return DIGEST256_LEN; + case DIGEST_SHA3_512: + return DIGEST512_LEN; + default: + tor_assert(0); // LCOV_EXCL_LINE + return 0; /* Unreachable */ // LCOV_EXCL_LINE + } + } + + /** Intermediate information about the digest of a stream of data. */ + struct crypto_digest_t { + digest_algorithm_t algorithm; /**< Which algorithm is in use? */ + /** State for the digest we're using. Only one member of the + * union is usable, depending on the value of <b>algorithm</b>. Note also + * that space for other members might not even be allocated! + */ + union { + SHA_CTX sha1; /**< state for SHA1 */ + SHA256_CTX sha2; /**< state for SHA256 */ + SHA512_CTX sha512; /**< state for SHA512 */ + keccak_state sha3; /**< state for SHA3-[256,512] */ + } d; + }; + + #ifdef TOR_UNIT_TESTS + + digest_algorithm_t + crypto_digest_get_algorithm(crypto_digest_t *digest) + { + tor_assert(digest); + + return digest->algorithm; + } + + #endif /* defined(TOR_UNIT_TESTS) */ + + /** + * Return the number of bytes we need to malloc in order to get a + * crypto_digest_t for <b>alg</b>, or the number of bytes we need to wipe + * when we free one. + */ + static size_t + crypto_digest_alloc_bytes(digest_algorithm_t alg) + { + /* Helper: returns the number of bytes in the 'f' field of 'st' */ + #define STRUCT_FIELD_SIZE(st, f) (sizeof( ((st*)0)->f )) + /* Gives the length of crypto_digest_t through the end of the field 'd' */ + #define END_OF_FIELD(f) (offsetof(crypto_digest_t, f) + \ + STRUCT_FIELD_SIZE(crypto_digest_t, f)) + switch (alg) { + case DIGEST_SHA1: + return END_OF_FIELD(d.sha1); + case DIGEST_SHA256: + return END_OF_FIELD(d.sha2); + case DIGEST_SHA512: + return END_OF_FIELD(d.sha512); + case DIGEST_SHA3_256: + case DIGEST_SHA3_512: + return END_OF_FIELD(d.sha3); + default: + tor_assert(0); // LCOV_EXCL_LINE + return 0; // LCOV_EXCL_LINE + } + #undef END_OF_FIELD + #undef STRUCT_FIELD_SIZE + } + + /** + * Internal function: create and return a new digest object for 'algorithm'. + * Does not typecheck the algorithm. + */ + static crypto_digest_t * + crypto_digest_new_internal(digest_algorithm_t algorithm) + { + crypto_digest_t *r = tor_malloc(crypto_digest_alloc_bytes(algorithm)); + r->algorithm = algorithm; + + switch (algorithm) + { + case DIGEST_SHA1: + SHA1_Init(&r->d.sha1); + break; + case DIGEST_SHA256: + SHA256_Init(&r->d.sha2); + break; + case DIGEST_SHA512: + SHA512_Init(&r->d.sha512); + break; + case DIGEST_SHA3_256: + keccak_digest_init(&r->d.sha3, 256); + break; + case DIGEST_SHA3_512: + keccak_digest_init(&r->d.sha3, 512); + break; + default: + tor_assert_unreached(); + } + + return r; + } + + /** Allocate and return a new digest object to compute SHA1 digests. + */ + crypto_digest_t * + crypto_digest_new(void) + { + return crypto_digest_new_internal(DIGEST_SHA1); + } + + /** Allocate and return a new digest object to compute 256-bit digests + * using <b>algorithm</b>. */ + crypto_digest_t * + crypto_digest256_new(digest_algorithm_t algorithm) + { + tor_assert(algorithm == DIGEST_SHA256 || algorithm == DIGEST_SHA3_256); + return crypto_digest_new_internal(algorithm); + } + + /** Allocate and return a new digest object to compute 512-bit digests + * using <b>algorithm</b>. */ + crypto_digest_t * + crypto_digest512_new(digest_algorithm_t algorithm) + { + tor_assert(algorithm == DIGEST_SHA512 || algorithm == DIGEST_SHA3_512); + return crypto_digest_new_internal(algorithm); + } + + /** Deallocate a digest object. + */ + void + crypto_digest_free_(crypto_digest_t *digest) + { + if (!digest) + return; + size_t bytes = crypto_digest_alloc_bytes(digest->algorithm); + memwipe(digest, 0, bytes); + tor_free(digest); + } + + /** Add <b>len</b> bytes from <b>data</b> to the digest object. + */ + void + crypto_digest_add_bytes(crypto_digest_t *digest, const char *data, + size_t len) + { + tor_assert(digest); + tor_assert(data); + /* Using the SHA*_*() calls directly means we don't support doing + * SHA in hardware. But so far the delay of getting the question + * to the hardware, and hearing the answer, is likely higher than + * just doing it ourselves. Hashes are fast. + */ + switch (digest->algorithm) { + case DIGEST_SHA1: + SHA1_Update(&digest->d.sha1, (void*)data, len); + break; + case DIGEST_SHA256: + SHA256_Update(&digest->d.sha2, (void*)data, len); + break; + case DIGEST_SHA512: + SHA512_Update(&digest->d.sha512, (void*)data, len); + break; + case DIGEST_SHA3_256: /* FALLSTHROUGH */ + case DIGEST_SHA3_512: + keccak_digest_update(&digest->d.sha3, (const uint8_t *)data, len); + break; + default: + /* LCOV_EXCL_START */ + tor_fragile_assert(); + break; + /* LCOV_EXCL_STOP */ + } + } + + /** Compute the hash of the data that has been passed to the digest + * object; write the first out_len bytes of the result to <b>out</b>. + * <b>out_len</b> must be <= DIGEST512_LEN. + */ + void + crypto_digest_get_digest(crypto_digest_t *digest, + char *out, size_t out_len) + { + unsigned char r[DIGEST512_LEN]; + crypto_digest_t tmpenv; + tor_assert(digest); + tor_assert(out); + tor_assert(out_len <= crypto_digest_algorithm_get_length(digest->algorithm)); + + /* The SHA-3 code handles copying into a temporary ctx, and also can handle + * short output buffers by truncating appropriately. */ + if (digest->algorithm == DIGEST_SHA3_256 || + digest->algorithm == DIGEST_SHA3_512) { + keccak_digest_sum(&digest->d.sha3, (uint8_t *)out, out_len); + return; + } + + const size_t alloc_bytes = crypto_digest_alloc_bytes(digest->algorithm); + /* memcpy into a temporary ctx, since SHA*_Final clears the context */ + memcpy(&tmpenv, digest, alloc_bytes); + switch (digest->algorithm) { + case DIGEST_SHA1: + SHA1_Final(r, &tmpenv.d.sha1); + break; + case DIGEST_SHA256: + SHA256_Final(r, &tmpenv.d.sha2); + break; + case DIGEST_SHA512: + SHA512_Final(r, &tmpenv.d.sha512); + break; + //LCOV_EXCL_START + case DIGEST_SHA3_256: /* FALLSTHROUGH */ + case DIGEST_SHA3_512: + default: + log_warn(LD_BUG, "Handling unexpected algorithm %d", digest->algorithm); + /* This is fatal, because it should never happen. */ + tor_assert_unreached(); + break; + //LCOV_EXCL_STOP + } + memcpy(out, r, out_len); + memwipe(r, 0, sizeof(r)); + } + + /** Allocate and return a new digest object with the same state as + * <b>digest</b> + */ + crypto_digest_t * + crypto_digest_dup(const crypto_digest_t *digest) + { + tor_assert(digest); + const size_t alloc_bytes = crypto_digest_alloc_bytes(digest->algorithm); + return tor_memdup(digest, alloc_bytes); + } + ++/** Temporarily save the state of <b>digest</b> in <b>checkpoint</b>. ++ * Asserts that <b>digest</b> is a SHA1 digest object. ++ */ ++void ++crypto_digest_checkpoint(crypto_digest_checkpoint_t *checkpoint, ++ const crypto_digest_t *digest) ++{ ++ const size_t bytes = crypto_digest_alloc_bytes(digest->algorithm); ++ tor_assert(bytes <= sizeof(checkpoint->mem)); ++ memcpy(checkpoint->mem, digest, bytes); ++} ++ ++/** Restore the state of <b>digest</b> from <b>checkpoint</b>. ++ * Asserts that <b>digest</b> is a SHA1 digest object. Requires that the ++ * state was previously stored with crypto_digest_checkpoint() */ ++void ++crypto_digest_restore(crypto_digest_t *digest, ++ const crypto_digest_checkpoint_t *checkpoint) ++{ ++ const size_t bytes = crypto_digest_alloc_bytes(digest->algorithm); ++ memcpy(digest, checkpoint->mem, bytes); ++} ++ + /** Replace the state of the digest object <b>into</b> with the state + * of the digest object <b>from</b>. Requires that 'into' and 'from' + * have the same digest type. + */ + void + crypto_digest_assign(crypto_digest_t *into, + const crypto_digest_t *from) + { + tor_assert(into); + tor_assert(from); + tor_assert(into->algorithm == from->algorithm); + const size_t alloc_bytes = crypto_digest_alloc_bytes(from->algorithm); + memcpy(into,from,alloc_bytes); + } + + /** Given a list of strings in <b>lst</b>, set the <b>len_out</b>-byte digest + * at <b>digest_out</b> to the hash of the concatenation of those strings, + * plus the optional string <b>append</b>, computed with the algorithm + * <b>alg</b>. + * <b>out_len</b> must be <= DIGEST512_LEN. */ + void + crypto_digest_smartlist(char *digest_out, size_t len_out, + const smartlist_t *lst, + const char *append, + digest_algorithm_t alg) + { + crypto_digest_smartlist_prefix(digest_out, len_out, NULL, lst, append, alg); + } + + /** Given a list of strings in <b>lst</b>, set the <b>len_out</b>-byte digest + * at <b>digest_out</b> to the hash of the concatenation of: the + * optional string <b>prepend</b>, those strings, + * and the optional string <b>append</b>, computed with the algorithm + * <b>alg</b>. + * <b>len_out</b> must be <= DIGEST512_LEN. */ + void + crypto_digest_smartlist_prefix(char *digest_out, size_t len_out, + const char *prepend, + const smartlist_t *lst, + const char *append, + digest_algorithm_t alg) + { + crypto_digest_t *d = crypto_digest_new_internal(alg); + if (prepend) + crypto_digest_add_bytes(d, prepend, strlen(prepend)); + SMARTLIST_FOREACH(lst, const char *, cp, + crypto_digest_add_bytes(d, cp, strlen(cp))); + if (append) + crypto_digest_add_bytes(d, append, strlen(append)); + crypto_digest_get_digest(d, digest_out, len_out); + crypto_digest_free(d); + } + + /** Compute the HMAC-SHA-256 of the <b>msg_len</b> bytes in <b>msg</b>, using + * the <b>key</b> of length <b>key_len</b>. Store the DIGEST256_LEN-byte + * result in <b>hmac_out</b>. Asserts on failure. + */ + void + crypto_hmac_sha256(char *hmac_out, + const char *key, size_t key_len, + const char *msg, size_t msg_len) + { + unsigned char *rv = NULL; + /* If we've got OpenSSL >=0.9.8 we can use its hmac implementation. */ + tor_assert(key_len < INT_MAX); + tor_assert(msg_len < INT_MAX); + tor_assert(hmac_out); + rv = HMAC(EVP_sha256(), key, (int)key_len, (unsigned char*)msg, (int)msg_len, + (unsigned char*)hmac_out, NULL); + tor_assert(rv); + } + + /** Compute a MAC using SHA3-256 of <b>msg_len</b> bytes in <b>msg</b> using a + * <b>key</b> of length <b>key_len</b> and a <b>salt</b> of length + * <b>salt_len</b>. Store the result of <b>len_out</b> bytes in in + * <b>mac_out</b>. This function can't fail. */ + void + crypto_mac_sha3_256(uint8_t *mac_out, size_t len_out, + const uint8_t *key, size_t key_len, + const uint8_t *msg, size_t msg_len) + { + crypto_digest_t *digest; + + const uint64_t key_len_netorder = tor_htonll(key_len); + + tor_assert(mac_out); + tor_assert(key); + tor_assert(msg); + + digest = crypto_digest256_new(DIGEST_SHA3_256); + + /* Order matters here that is any subsystem using this function should + * expect this very precise ordering in the MAC construction. */ + crypto_digest_add_bytes(digest, (const char *) &key_len_netorder, + sizeof(key_len_netorder)); + crypto_digest_add_bytes(digest, (const char *) key, key_len); + crypto_digest_add_bytes(digest, (const char *) msg, msg_len); + crypto_digest_get_digest(digest, (char *) mac_out, len_out); + crypto_digest_free(digest); + } + + /* xof functions */ + + /** Internal state for a eXtendable-Output Function (XOF). */ + struct crypto_xof_t { + keccak_state s; + }; + + /** Allocate a new XOF object backed by SHAKE-256. The security level + * provided is a function of the length of the output used. Read and + * understand FIPS-202 A.2 "Additional Consideration for Extendable-Output + * Functions" before using this construct. + */ + crypto_xof_t * + crypto_xof_new(void) + { + crypto_xof_t *xof; + xof = tor_malloc(sizeof(crypto_xof_t)); + keccak_xof_init(&xof->s, 256); + return xof; + } + + /** Absorb bytes into a XOF object. Must not be called after a call to + * crypto_xof_squeeze_bytes() for the same instance, and will assert + * if attempted. + */ + void + crypto_xof_add_bytes(crypto_xof_t *xof, const uint8_t *data, size_t len) + { + int i = keccak_xof_absorb(&xof->s, data, len); + tor_assert(i == 0); + } + + /** Squeeze bytes out of a XOF object. Calling this routine will render + * the XOF instance ineligible to absorb further data. + */ + void + crypto_xof_squeeze_bytes(crypto_xof_t *xof, uint8_t *out, size_t len) + { + int i = keccak_xof_squeeze(&xof->s, out, len); + tor_assert(i == 0); + } + + /** Cleanse and deallocate a XOF object. */ + void + crypto_xof_free_(crypto_xof_t *xof) + { + if (!xof) + return; + memwipe(xof, 0, sizeof(crypto_xof_t)); + tor_free(xof); + } + diff --cc src/common/crypto_digest.h index 000000000,f8cd44a03..3bd74acdf mode 000000,100644..100644 --- a/src/common/crypto_digest.h +++ b/src/common/crypto_digest.h @@@ -1,0 -1,125 +1,136 @@@ + /* Copyright (c) 2001, Matej Pfajfar. + * Copyright (c) 2001-2004, Roger Dingledine. + * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson. + * Copyright (c) 2007-2017, The Tor Project, Inc. */ + /* See LICENSE for licensing information */ + + /** + * \file crypto_digest.h + * + * \brief Headers for crypto_digest.c + **/ + + #ifndef TOR_CRYPTO_DIGEST_H + #define TOR_CRYPTO_DIGEST_H + + #include <stdio.h> + + #include "container.h" + #include "torint.h" + + /** Length of the output of our message digest. */ + #define DIGEST_LEN 20 + /** Length of the output of our second (improved) message digests. (For now + * this is just sha256, but it could be any other 256-bit digest.) */ + #define DIGEST256_LEN 32 + /** Length of the output of our 64-bit optimized message digests (SHA512). */ + #define DIGEST512_LEN 64 + + /** Length of a sha1 message digest when encoded in base32 with trailing = + * signs removed. */ + #define BASE32_DIGEST_LEN 32 + /** Length of a sha1 message digest when encoded in base64 with trailing = + * signs removed. */ + #define BASE64_DIGEST_LEN 27 + /** Length of a sha256 message digest when encoded in base64 with trailing = + * signs removed. */ + #define BASE64_DIGEST256_LEN 43 + /** Length of a sha512 message digest when encoded in base64 with trailing = + * signs removed. */ + #define BASE64_DIGEST512_LEN 86 + + /** Length of hex encoding of SHA1 digest, not including final NUL. */ + #define HEX_DIGEST_LEN 40 + /** Length of hex encoding of SHA256 digest, not including final NUL. */ + #define HEX_DIGEST256_LEN 64 + /** Length of hex encoding of SHA512 digest, not including final NUL. */ + #define HEX_DIGEST512_LEN 128 + + typedef enum { + DIGEST_SHA1 = 0, + DIGEST_SHA256 = 1, + DIGEST_SHA512 = 2, + DIGEST_SHA3_256 = 3, + DIGEST_SHA3_512 = 4, + } digest_algorithm_t; + #define N_DIGEST_ALGORITHMS (DIGEST_SHA3_512+1) + #define N_COMMON_DIGEST_ALGORITHMS (DIGEST_SHA256+1) + ++#define DIGEST_CHECKPOINT_BYTES (SIZEOF_VOID_P + 512) ++/** Structure used to temporarily save the a digest object. Only implemented ++ * for SHA1 digest for now. */ ++typedef struct crypto_digest_checkpoint_t { ++ uint8_t mem[DIGEST_CHECKPOINT_BYTES]; ++} crypto_digest_checkpoint_t; ++ + /** A set of all the digests we commonly compute, taken on a single + * string. Any digests that are shorter than 512 bits are right-padded + * with 0 bits. + * + * Note that this representation wastes 44 bytes for the SHA1 case, so + * don't use it for anything where we need to allocate a whole bunch at + * once. + **/ + typedef struct { + char d[N_COMMON_DIGEST_ALGORITHMS][DIGEST256_LEN]; + } common_digests_t; + + typedef struct crypto_digest_t crypto_digest_t; + typedef struct crypto_xof_t crypto_xof_t; + + /* SHA-1 and other digests */ + int crypto_digest(char *digest, const char *m, size_t len); + int crypto_digest256(char *digest, const char *m, size_t len, + digest_algorithm_t algorithm); + int crypto_digest512(char *digest, const char *m, size_t len, + digest_algorithm_t algorithm); + int crypto_common_digests(common_digests_t *ds_out, const char *m, size_t len); + void crypto_digest_smartlist_prefix(char *digest_out, size_t len_out, + const char *prepend, + const struct smartlist_t *lst, + const char *append, + digest_algorithm_t alg); + void crypto_digest_smartlist(char *digest_out, size_t len_out, + const struct smartlist_t *lst, const char *append, + digest_algorithm_t alg); + const char *crypto_digest_algorithm_get_name(digest_algorithm_t alg); + size_t crypto_digest_algorithm_get_length(digest_algorithm_t alg); + int crypto_digest_algorithm_parse_name(const char *name); + crypto_digest_t *crypto_digest_new(void); + crypto_digest_t *crypto_digest256_new(digest_algorithm_t algorithm); + crypto_digest_t *crypto_digest512_new(digest_algorithm_t algorithm); + void crypto_digest_free_(crypto_digest_t *digest); + #define crypto_digest_free(d) \ + FREE_AND_NULL(crypto_digest_t, crypto_digest_free_, (d)) + void crypto_digest_add_bytes(crypto_digest_t *digest, const char *data, + size_t len); + void crypto_digest_get_digest(crypto_digest_t *digest, + char *out, size_t out_len); + crypto_digest_t *crypto_digest_dup(const crypto_digest_t *digest); ++void crypto_digest_checkpoint(crypto_digest_checkpoint_t *checkpoint, ++ const crypto_digest_t *digest); ++void crypto_digest_restore(crypto_digest_t *digest, ++ const crypto_digest_checkpoint_t *checkpoint); + void crypto_digest_assign(crypto_digest_t *into, + const crypto_digest_t *from); + void crypto_hmac_sha256(char *hmac_out, + const char *key, size_t key_len, + const char *msg, size_t msg_len); + void crypto_mac_sha3_256(uint8_t *mac_out, size_t len_out, + const uint8_t *key, size_t key_len, + const uint8_t *msg, size_t msg_len); + + /* xof functions*/ + crypto_xof_t *crypto_xof_new(void); + void crypto_xof_add_bytes(crypto_xof_t *xof, const uint8_t *data, size_t len); + void crypto_xof_squeeze_bytes(crypto_xof_t *xof, uint8_t *out, size_t len); + void crypto_xof_free_(crypto_xof_t *xof); + #define crypto_xof_free(xof) \ + FREE_AND_NULL(crypto_xof_t, crypto_xof_free_, (xof)) + + #ifdef TOR_UNIT_TESTS + digest_algorithm_t crypto_digest_get_algorithm(crypto_digest_t *digest); + #endif + + #endif /* !defined(TOR_CRYPTO_DIGEST_H) */ +