From 118691cd47e53521319cdcbf994f29ecca3db4d1 Mon Sep 17 00:00:00 2001
From: David Goulet <dgoulet@torproject.org>
Date: Mon, 12 Dec 2016 16:45:28 -0500
Subject: crypto: Change crypto_mac_sha3_256 to use the key length in the
 construction

Signed-off-by: David Goulet <dgoulet@torproject.org>
---
 src/common/crypto.c | 25 ++++++++++++++++---------
 src/common/crypto.h |  7 ++++---
 2 files changed, 20 insertions(+), 12 deletions(-)

(limited to 'src/common')

diff --git a/src/common/crypto.c b/src/common/crypto.c
index e4ef52d510..1b1f1f9aef 100644
--- a/src/common/crypto.c
+++ b/src/common/crypto.c
@@ -2109,25 +2109,32 @@ crypto_hmac_sha256(char *hmac_out,
   tor_assert(rv);
 }
 
-/** Compute an SHA3 MAC of <b>msg</b> using <b>key</b> as the key. The format
- * used for our MAC is SHA3(k | m). Write the DIGEST256_LEN-byte result into
- * <b>mac_out</b> of size <b>mac_out_len</b>. */
+/** Compute a MAC using SHA3-256 of <b>msg_len</b> bytes in <b>msg</b> using a
+ * <b>key</b> of length <b>key_len</b> and a <b>salt</b> of length
+ * <b>salt_len</b>. Store the result of <b>len_out</b> bytes in in
+ * <b>mac_out</b>. This function can't fail. */
 void
-crypto_mac_sha3_256(char *mac_out, size_t mac_out_len,
-                    const char *key, size_t key_len,
-                    const char *msg, size_t msg_len)
+crypto_mac_sha3_256(uint8_t *mac_out, size_t len_out,
+                    const uint8_t *key, size_t key_len,
+                    const uint8_t *msg, size_t msg_len)
 {
   crypto_digest_t *digest;
 
+  const uint64_t key_len_netorder = tor_htonll(key_len);
+
   tor_assert(mac_out);
   tor_assert(key);
   tor_assert(msg);
 
   digest = crypto_digest256_new(DIGEST_SHA3_256);
 
-  crypto_digest_add_bytes(digest, key, key_len);
-  crypto_digest_add_bytes(digest, msg, msg_len);
-  crypto_digest_get_digest(digest, mac_out, mac_out_len);
+  /* Order matters here that is any subsystem using this function should
+   * expect this very precise ordering in the MAC construction. */
+  crypto_digest_add_bytes(digest, (const char *) &key_len_netorder,
+                          sizeof(key_len_netorder));
+  crypto_digest_add_bytes(digest, (const char *) key, key_len);
+  crypto_digest_add_bytes(digest, (const char *) msg, msg_len);
+  crypto_digest_get_digest(digest, (char *) mac_out, len_out);
   crypto_digest_free(digest);
 }
 
diff --git a/src/common/crypto.h b/src/common/crypto.h
index 32b6531456..bf2fa06aaa 100644
--- a/src/common/crypto.h
+++ b/src/common/crypto.h
@@ -255,9 +255,10 @@ void crypto_digest_assign(crypto_digest_t *into,
 void crypto_hmac_sha256(char *hmac_out,
                         const char *key, size_t key_len,
                         const char *msg, size_t msg_len);
-void crypto_mac_sha3_256(char *mac_out, size_t mac_out_len,
-                         const char *key, size_t key_len,
-                         const char *msg, size_t msg_len);
+void crypto_mac_sha3_256(uint8_t *mac_out, size_t len_out,
+                         const uint8_t *key, size_t key_len,
+                         const uint8_t *msg, size_t msg_len);
+
 crypto_xof_t *crypto_xof_new(void);
 void crypto_xof_add_bytes(crypto_xof_t *xof, const uint8_t *data, size_t len);
 void crypto_xof_squeeze_bytes(crypto_xof_t *xof, uint8_t *out, size_t len);
-- 
cgit v1.2.3-54-g00ecf