| blob | 7cb849a64ba2a99e1eb0633cf2b33a05e5fb6977 |
1 /* Copyright (c) 2001, Matej Pfajfar.
2 * Copyright (c) 2001-2004, Roger Dingledine.
3 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
4 * Copyright (c) 2007-2011, The Tor Project, Inc. */
5 /* See LICENSE for licensing information */
7 /**
8 * \file crypto.c
9 * \brief Wrapper functions to present a consistent interface to
10 * public-key and symmetric cryptography operations from OpenSSL.
11 **/
15 #ifdef MS_WINDOWS
16 #define WIN32_WINNT 0x400
17 #define _WIN32_WINNT 0x400
18 #define WIN32_LEAN_AND_MEAN
19 #include <windows.h>
20 #include <wincrypt.h>
21 /* Windows defines this; so does OpenSSL 0.9.8h and later. We don't actually
22 * use either definition. */
23 #undef OCSP_RESPONSE
24 #endif
26 #include <openssl/err.h>
27 #include <openssl/rsa.h>
28 #include <openssl/pem.h>
29 #include <openssl/evp.h>
30 #include <openssl/rand.h>
31 #include <openssl/opensslv.h>
32 #include <openssl/bn.h>
33 #include <openssl/dh.h>
34 #include <openssl/conf.h>
35 #include <openssl/hmac.h>
37 #ifdef HAVE_CTYPE_H
38 #include <ctype.h>
39 #endif
40 #ifdef HAVE_UNISTD_H
41 #include <unistd.h>
42 #endif
43 #ifdef HAVE_FCNTL_H
44 #include <fcntl.h>
45 #endif
46 #ifdef HAVE_SYS_FCNTL_H
47 #include <sys/fcntl.h>
48 #endif
50 #define CRYPTO_PRIVATE
58 #if OPENSSL_VERSION_NUMBER < 0x00907000l
60 #endif
62 #include <openssl/engine.h>
64 /** Macro: is k a valid RSA public or private key? */
65 #define PUBLIC_KEY_OK(k) ((k) && (k)->key && (k)->key->n)
66 /** Macro: is k a valid RSA private key? */
67 #define PRIVATE_KEY_OK(k) ((k) && (k)->key && (k)->key->p)
69 #ifdef TOR_IS_MULTITHREADED
70 /** A number of preallocated mutexes for use by OpenSSL. */
72 /** How many mutexes have we allocated for use by OpenSSL? */
74 #endif
76 /** A public key, or a public/private key-pair. */
77 struct crypto_pk_env_t
78 {
81 };
83 /** Key and stream information for a stream cipher. */
84 struct crypto_cipher_env_t
85 {
88 };
90 /** A structure to hold the first half (x, g^x) of a Diffie-Hellman handshake
91 * while we're waiting for the second.*/
94 };
99 /** Return the number of bytes added by padding method <b>padding</b>.
100 */
103 {
105 {
110 }
111 }
113 /** Given a padding method <b>padding</b>, return the correct OpenSSL constant.
114 */
117 {
119 {
124 }
125 }
127 /** Boolean: has OpenSSL's crypto been initialized? */
130 /** Log all pending crypto errors at level <b>severity</b>. Use
131 * <b>doing</b> to describe our current activities.
132 */
133 static void
135 {
150 }
151 }
152 }
154 /** Log any OpenSSL engines we're using at NOTICE. */
155 static void
157 {
166 }
167 }
169 /** Initialize the crypto library. Return 0 on success, -1 on failure.
170 */
171 int
173 {
179 /* XXX the below is a bug, since we can't know if we're supposed
180 * to be using hardware acceleration or not. we should arrange
181 * for this function to be called before init_keys. But make it
182 * not complain loudly, at least until we make acceleration work. */
185 }
192 /* XXXX make sure this isn't leaking. */
199 }
201 }
203 }
205 /** Free crypto resources held by this thread. */
206 void
208 {
210 }
212 /** Uninitialize the crypto library. Return 0 on success, -1 on failure.
213 */
214 int
216 {
223 #ifdef TOR_IS_MULTITHREADED
232 }
234 }
235 #endif
237 }
239 /** used by tortls.c: wrap an RSA* in a crypto_pk_env_t. */
240 crypto_pk_env_t *
242 {
249 }
251 /** used by tortls.c: wrap the RSA from an evp_pkey in a crypto_pk_env_t.
252 * returns NULL if this isn't an RSA key. */
253 crypto_pk_env_t *
255 {
260 }
262 /** Helper, used by tor-checkkey.c. Return the RSA from a crypto_pk_env_t. */
263 RSA *
265 {
267 }
269 /** used by tortls.c: get an equivalent EVP_PKEY* for a crypto_pk_env_t. Iff
270 * private is set, include the private-key portion of the key. */
271 EVP_PKEY *
273 {
283 }
289 error:
295 }
297 /** Used by tortls.c: Get the DH* from a crypto_dh_env_t.
298 */
299 DH *
301 {
303 }
305 /** Allocate and return storage for a public key. The key itself will not yet
306 * be set.
307 */
308 crypto_pk_env_t *
310 {
316 }
318 /** Release a reference to an asymmetric key; when all the references
319 * are released, free the key.
320 */
321 void
323 {
333 }
335 /** Create a new symmetric cipher for a given key and encryption flag
336 * (1=encrypt, 0=decrypt). Return the crypto object on success; NULL
337 * on failure.
338 */
339 crypto_cipher_env_t *
341 {
348 }
353 }
357 else
364 error:
368 }
370 /** Allocate and return a new symmetric cipher.
371 */
372 crypto_cipher_env_t *
374 {
380 }
382 /** Free a symmetric cipher.
383 */
384 void
386 {
393 }
395 /* public key crypto */
397 /** Generate a new public/private keypair in <b>env</b>. Return 0 on
398 * success, -1 on failure.
399 */
400 int
402 {
407 #if OPENSSL_VERSION_NUMBER < 0x00908000l
408 /* In OpenSSL 0.9.7, RSA_generate_key is all we have. */
410 #else
411 /* In OpenSSL 0.9.8, RSA_generate_key is deprecated. */
412 {
427 done:
432 }
433 #endif
437 }
440 }
442 /** Read a PEM-encoded private key from the string <b>s</b> into <b>env</b>.
443 * Return 0 on success, -1 on failure.
444 */
445 /* Used here, and used for testing. */
446 int
449 {
455 /* Create a read-only memory BIO, backed by the NUL-terminated string 's' */
468 }
470 }
472 /** Read a PEM-encoded private key from the file named by
473 * <b>keyfile</b> into <b>env</b>. Return 0 on success, -1 on failure.
474 */
475 int
478 {
482 /* Read the file into a string. */
487 }
489 /* Try to parse it. */
495 /* Make sure it's valid. */
500 }
502 /** Helper function to implement crypto_pk_write_*_key_to_string. */
503 static int
506 {
517 /* Now you can treat b as if it were a file. Just use the
518 * PEM_*_bio_* functions instead of the non-bio variants.
519 */
522 else
529 }
542 }
544 /** PEM-encode the public key portion of <b>env</b> and write it to a
545 * newly allocated string. On success, set *<b>dest</b> to the new
546 * string, *<b>len</b> to the string's length, and return 0. On
547 * failure, return -1.
548 */
549 int
552 {
554 }
556 /** PEM-encode the private key portion of <b>env</b> and write it to a
557 * newly allocated string. On success, set *<b>dest</b> to the new
558 * string, *<b>len</b> to the string's length, and return 0. On
559 * failure, return -1.
560 */
561 int
564 {
566 }
568 /** Read a PEM-encoded public key from the first <b>len</b> characters of
569 * <b>src</b>, and store the result in <b>env</b>. Return 0 on success, -1 on
570 * failure.
571 */
572 int
575 {
593 }
596 }
598 /** Write the private key from <b>env</b> into the file named by <b>fname</b>,
599 * PEM-encoded. Return 0 on success, -1 on failure.
600 */
601 int
604 {
620 }
630 }
632 /** Return true iff <b>env</b> has a valid key.
633 */
634 int
636 {
644 }
646 /** Return true iff <b>key</b> contains the private-key portion of the RSA
647 * key. */
648 int
650 {
653 }
655 /** Compare the public-key components of a and b. Return -1 if a\<b, 0
656 * if a==b, and 1 if a\>b.
657 */
658 int
660 {
675 }
677 /** Return the size of the public key modulus in <b>env</b>, in bytes. */
678 size_t
680 {
685 }
687 /** Increase the reference count of <b>env</b>, and return it.
688 */
689 crypto_pk_env_t *
691 {
697 }
699 /** Make a real honest-to-goodness copy of <b>env</b>, and return it. */
700 crypto_pk_env_t *
702 {
711 }
714 }
716 /** Encrypt <b>fromlen</b> bytes from <b>from</b> with the public key
717 * in <b>env</b>, using the padding method <b>padding</b>. On success,
718 * write the result to <b>to</b>, and return the number of bytes
719 * written. On failure, return -1.
720 *
721 * <b>tolen</b> is the number of writable bytes in <b>to</b>, and must be
722 * at least the length of the modulus of <b>env</b>.
723 */
724 int
727 {
741 }
743 }
745 /** Decrypt <b>fromlen</b> bytes from <b>from</b> with the private key
746 * in <b>env</b>, using the padding method <b>padding</b>. On success,
747 * write the result to <b>to</b>, and return the number of bytes
748 * written. On failure, return -1.
749 *
750 * <b>tolen</b> is the number of writable bytes in <b>to</b>, and must be
751 * at least the length of the modulus of <b>env</b>.
752 */
753 int
758 {
767 /* Not a private key */
778 }
780 }
782 /** Check the signature in <b>from</b> (<b>fromlen</b> bytes long) with the
783 * public key in <b>env</b>, using PKCS1 padding. On success, write the
784 * signed data to <b>to</b>, and return the number of bytes written.
785 * On failure, return -1.
786 *
787 * <b>tolen</b> is the number of writable bytes in <b>to</b>, and must be
788 * at least the length of the modulus of <b>env</b>.
789 */
790 int
794 {
808 }
810 }
812 /** Check a siglen-byte long signature at <b>sig</b> against
813 * <b>datalen</b> bytes of data at <b>data</b>, using the public key
814 * in <b>env</b>. Return 0 if <b>sig</b> is a correct signature for
815 * SHA1(data). Else return -1.
816 */
817 int
820 {
835 }
843 }
848 }
852 }
854 /** Sign <b>fromlen</b> bytes of data from <b>from</b> with the private key in
855 * <b>env</b>, using PKCS1 padding. On success, write the signature to
856 * <b>to</b>, and return the number of bytes written. On failure, return
857 * -1.
858 *
859 * <b>tolen</b> is the number of writable bytes in <b>to</b>, and must be
860 * at least the length of the modulus of <b>env</b>.
861 */
862 int
865 {
873 /* Not a private key */
882 }
884 }
886 /** Compute a SHA1 digest of <b>fromlen</b> bytes of data stored at
887 * <b>from</b>; sign the data with the private key in <b>env</b>, and
888 * store it in <b>to</b>. Return the number of bytes written on
889 * success, and -1 on failure.
890 *
891 * <b>tolen</b> is the number of writable bytes in <b>to</b>, and must be
892 * at least the length of the modulus of <b>env</b>.
893 */
894 int
897 {
905 }
907 /** Perform a hybrid (public/secret) encryption on <b>fromlen</b>
908 * bytes of data from <b>from</b>, with padding type 'padding',
909 * storing the results on <b>to</b>.
910 *
911 * If no padding is used, the public key must be at least as large as
912 * <b>from</b>.
913 *
914 * Returns the number of bytes written on success, -1 on failure.
915 *
916 * The encrypted data consists of:
917 * - The source data, padded and encrypted with the public key, if the
918 * padded source data is no longer than the public key, and <b>force</b>
919 * is false, OR
920 * - The beginning of the source data prefixed with a 16-byte symmetric key,
921 * padded and encrypted with the public key; followed by the rest of
922 * the source data encrypted in AES-CTR mode with the symmetric key.
923 */
924 int
930 {
948 /* It all fits in a single encrypt. */
950 tolen,
952 }
960 /* You can't just run around RSA-encrypting any bitstream: if it's
961 * greater than the RSA key, then OpenSSL will happily encrypt, and
962 * later decrypt to the wrong value. So we set the first bit of
963 * 'cipher->key' to 0 if we aren't padding. This means that our
964 * symmetric key is really only 127 bits.
965 */
974 /* Length of symmetrically encrypted data. */
980 }
990 err:
994 }
997 }
999 /** Invert crypto_pk_public_hybrid_encrypt. */
1000 int
1007 {
1018 warnOnFailure);
1019 }
1023 warnOnFailure);
1028 }
1033 }
1037 }
1049 err:
1054 }
1056 /** ASN.1-encode the public portion of <b>pk</b> into <b>dest</b>.
1057 * Return -1 on error, or the number of characters used on success.
1058 */
1059 int
1061 {
1073 }
1074 /* We don't encode directly into 'dest', because that would be illegal
1075 * type-punning. (C99 is smarter than me, C99 is smarter than me...)
1076 */
1080 }
1082 /** Decode an ASN.1-encoded public key from <b>str</b>; return the result on
1083 * success and NULL on failure.
1084 */
1085 crypto_pk_env_t *
1087 {
1090 /* This ifdef suppresses a type warning. Take out the first case once
1091 * everybody is using OpenSSL 0.9.7 or later.
1092 */
1101 }
1103 }
1105 /** Given a private or public key <b>pk</b>, put a SHA1 hash of the
1106 * public key into <b>digest_out</b> (must have DIGEST_LEN bytes of space).
1107 * Return 0 on success, -1 on failure.
1108 */
1109 int
1111 {
1124 }
1128 }
1131 }
1133 /** Copy <b>in</b> to the <b>outlen</b>-byte buffer <b>out</b>, adding spaces
1134 * every four spaces. */
1137 {
1147 }
1148 }
1151 }
1153 /** Given a private or public key <b>pk</b>, put a fingerprint of the
1154 * public key into <b>fp_out</b> (must have at least FINGERPRINT_LEN+1 bytes of
1155 * space). Return 0 on success, -1 on failure.
1156 *
1157 * Fingerprints are computed as the SHA1 digest of the ASN.1 encoding
1158 * of the public key, converted to hexadecimal, in upper case, with a
1159 * space after every four digits.
1160 *
1161 * If <b>add_space</b> is false, omit the spaces.
1162 */
1163 int
1165 {
1170 }
1176 }
1178 }
1180 /** Return true iff <b>s</b> is in the correct format for a fingerprint.
1181 */
1182 int
1184 {
1191 }
1192 }
1195 }
1197 /* symmetric crypto */
1199 /** Generate a new random key for the symmetric cipher in <b>env</b>.
1200 * Return 0 on success, -1 on failure. Does not initialize the cipher.
1201 */
1202 int
1204 {
1208 }
1210 /** Set the symmetric key for the cipher in <b>env</b> to the first
1211 * CIPHER_KEY_LEN bytes of <b>key</b>. Does not initialize the cipher.
1212 * Return 0 on success, -1 on failure.
1213 */
1214 int
1216 {
1225 }
1227 /** Generate an initialization vector for our AES-CTR cipher; store it
1228 * in the first CIPHER_IV_LEN bytes of <b>iv_out</b>. */
1229 void
1231 {
1233 }
1235 /** Adjust the counter of <b>env</b> to point to the first byte of the block
1236 * corresponding to the encryption of the CIPHER_IV_LEN bytes at
1237 * <b>iv</b>. */
1238 int
1240 {
1245 }
1247 /** Return a pointer to the key set for the cipher in <b>env</b>.
1248 */
1251 {
1253 }
1255 /** Initialize the cipher in <b>env</b> for encryption. Return 0 on
1256 * success, -1 on failure.
1257 */
1258 int
1260 {
1265 }
1267 /** Initialize the cipher in <b>env</b> for decryption. Return 0 on
1268 * success, -1 on failure.
1269 */
1270 int
1272 {
1277 }
1279 /** Encrypt <b>fromlen</b> bytes from <b>from</b> using the cipher
1280 * <b>env</b>; on success, store the result to <b>to</b> and return 0.
1281 * On failure, return -1.
1282 */
1283 int
1286 {
1296 }
1298 /** Decrypt <b>fromlen</b> bytes from <b>from</b> using the cipher
1299 * <b>env</b>; on success, store the result to <b>to</b> and return 0.
1300 * On failure, return -1.
1301 */
1302 int
1305 {
1313 }
1315 /** Encrypt <b>len</b> bytes on <b>from</b> using the cipher in <b>env</b>;
1316 * on success, return 0. On failure, return -1.
1317 */
1318 int
1320 {
1324 }
1326 /** Encrypt <b>fromlen</b> bytes (at least 1) from <b>from</b> with the key in
1327 * <b>cipher</b> to the buffer in <b>to</b> of length
1328 * <b>tolen</b>. <b>tolen</b> must be at least <b>fromlen</b> plus
1329 * CIPHER_IV_LEN bytes for the initialization vector. On success, return the
1330 * number of bytes written, on failure, return -1.
1331 *
1332 * This function adjusts the current position of the counter in <b>cipher</b>
1333 * to immediately after the encrypted data.
1334 */
1335 int
1339 {
1355 }
1357 /** Decrypt <b>fromlen</b> bytes (at least 1+CIPHER_IV_LEN) from <b>from</b>
1358 * with the key in <b>cipher</b> to the buffer in <b>to</b> of length
1359 * <b>tolen</b>. <b>tolen</b> must be at least <b>fromlen</b> minus
1360 * CIPHER_IV_LEN bytes for the initialization vector. On success, return the
1361 * number of bytes written, on failure, return -1.
1362 *
1363 * This function adjusts the current position of the counter in <b>cipher</b>
1364 * to immediately after the decrypted data.
1365 */
1366 int
1370 {
1385 }
1387 /* SHA-1 */
1389 /** Compute the SHA1 digest of <b>len</b> bytes in data stored in
1390 * <b>m</b>. Write the DIGEST_LEN byte result into <b>digest</b>.
1391 * Return 0 on success, -1 on failure.
1392 */
1393 int
1395 {
1399 }
1401 /** Intermediate information about the digest of a stream of data. */
1403 SHA_CTX d;
1404 };
1406 /** Allocate and return a new digest object.
1407 */
1408 crypto_digest_env_t *
1410 {
1415 }
1417 /** Deallocate a digest object.
1418 */
1419 void
1421 {
1424 }
1426 /** Add <b>len</b> bytes from <b>data</b> to the digest object.
1427 */
1428 void
1431 {
1434 /* Using the SHA1_*() calls directly means we don't support doing
1435 * SHA1 in hardware. But so far the delay of getting the question
1436 * to the hardware, and hearing the answer, is likely higher than
1437 * just doing it ourselves. Hashes are fast.
1438 */
1440 }
1442 /** Compute the hash of the data that has been passed to the digest
1443 * object; write the first out_len bytes of the result to <b>out</b>.
1444 * <b>out_len</b> must be \<= DIGEST_LEN.
1445 */
1446 void
1449 {
1451 SHA_CTX tmpctx;
1455 /* memcpy into a temporary ctx, since SHA1_Final clears the context */
1460 }
1462 /** Allocate and return a new digest object with the same state as
1463 * <b>digest</b>
1464 */
1465 crypto_digest_env_t *
1467 {
1473 }
1475 /** Replace the state of the digest object <b>into</b> with the state
1476 * of the digest object <b>from</b>.
1477 */
1478 void
1481 {
1485 }
1487 /** Compute the HMAC-SHA-1 of the <b>msg_len</b> bytes in <b>msg</b>, using
1488 * the <b>key</b> of length <b>key_len</b>. Store the DIGEST_LEN-byte result
1489 * in <b>hmac_out</b>.
1490 */
1491 void
1495 {
1500 }
1502 /* DH */
1504 /** Shared P parameter for our DH key exchanged. */
1506 /** Shared G parameter for our DH key exchanges. */
1509 /** Initialize dh_param_p and dh_param_g if they are not already
1510 * set. */
1511 static void
1513 {
1524 /* This is from rfc2409, section 6.2. It's a safe prime, and
1525 supposedly it equals:
1526 2^1024 - 2^960 - 1 + 2^64 * { [2^894 pi] + 129093 }.
1527 */
1529 "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E08"
1530 "8A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B"
1531 "302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9"
1532 "A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE6"
1540 }
1542 #define DH_PRIVATE_KEY_BITS 320
1544 /** Allocate and return a new DH object for a key exchange.
1545 */
1546 crypto_dh_env_t *
1548 {
1566 err:
1571 }
1573 /** Return the length of the DH key in <b>dh</b>, in bytes.
1574 */
1575 int
1577 {
1580 }
1582 /** Generate \<x,g^x\> for our part of the key exchange. Return 0 on
1583 * success, -1 on failure.
1584 */
1585 int
1587 {
1588 again:
1592 }
1596 /* Free and clear the keys, so OpenSSL will actually try again. */
1601 }
1603 }
1605 /** Generate g^x as necessary, and write the g^x for the key exchange
1606 * as a <b>pubkey_len</b>-byte value into <b>pubkey</b>. Return 0 on
1607 * success, -1 on failure. <b>pubkey_len</b> must be \>= DH_BYTES.
1608 */
1609 int
1611 {
1617 }
1627 }
1633 }
1635 /** Check for bad Diffie-Hellman public keys (g^x). Return 0 if the key is
1636 * okay (in the subgroup [2,p-2]), or -1 if it's bad.
1637 * See http://www.cl.cam.ac.uk/ftp/users/rja14/psandqs.ps.gz for some tips.
1638 */
1639 static int
1641 {
1653 }
1659 }
1662 err:
1668 }
1670 #undef MIN
1671 #define MIN(a,b) ((a)<(b)?(a):(b))
1672 /** Given a DH key exchange object, and our peer's value of g^y (as a
1673 * <b>pubkey_len</b>-byte value in <b>pubkey</b>) generate
1674 * <b>secret_bytes_out</b> bytes of shared key material and write them
1675 * to <b>secret_out</b>. Return the number of bytes generated on success,
1676 * or -1 on failure.
1677 *
1678 * (We generate key material by computing
1679 * SHA1( g^xy || "\x00" ) || SHA1( g^xy || "\x01" ) || ...
1680 * where || is concatenation.)
1681 */
1682 ssize_t
1686 {
1699 /* Check for invalid public keys. */
1702 }
1708 }
1716 error:
1718 done:
1725 else
1727 }
1729 /** Given <b>key_in_len</b> bytes of negotiated randomness in <b>key_in</b>
1730 * ("K"), expand it into <b>key_out_len</b> bytes of negotiated key material in
1731 * <b>key_out</b> by taking the first <b>key_out_len</b> bytes of
1732 * H(K | [00]) | H(K | [01]) | ....
1733 *
1734 * Return 0 on success, -1 on failure.
1735 */
1736 int
1739 {
1744 /* If we try to get more than this amount of key data, we'll repeat blocks.*/
1754 }
1760 err:
1765 }
1767 /** Free a DH key exchange object.
1768 */
1769 void
1771 {
1776 }
1778 /* random numbers */
1780 /* This is how much entropy OpenSSL likes to add right now, so maybe it will
1781 * work for us too. */
1782 #define ADD_ENTROPY 32
1784 /* Use RAND_poll if OpenSSL is 0.9.6 release or later. (The "f" means
1785 "release".) */
1786 #define HAVE_RAND_POLL (OPENSSL_VERSION_NUMBER >= 0x0090600fl)
1788 /* Versions of OpenSSL prior to 0.9.7k and 0.9.8c had a bug where RAND_poll
1789 * would allocate an fd_set on the stack, open a new file, and try to FD_SET
1790 * that fd without checking whether it fit in the fd_set. Thus, if the
1791 * system has not just been started up, it is unsafe to call */
1792 #define RAND_POLL_IS_SAFE \
1793 ((OPENSSL_VERSION_NUMBER >= 0x009070afl && \
1794 OPENSSL_VERSION_NUMBER <= 0x00907fffl) || \
1795 (OPENSSL_VERSION_NUMBER >= 0x0090803fl))
1797 /** Seed OpenSSL's random number generator with bytes from the operating
1798 * system. <b>startup</b> should be true iff we have just started Tor and
1799 * have not yet allocated a bunch of fds. Return 0 on success, -1 on failure.
1800 */
1801 int
1803 {
1807 /* local variables */
1808 #ifdef MS_WINDOWS
1811 #else
1814 };
1817 #endif
1819 #if HAVE_RAND_POLL
1820 /* OpenSSL 0.9.6 adds a RAND_poll function that knows about more kinds of
1821 * entropy than we do. We'll try calling that, *and* calling our own entropy
1822 * functions. If one succeeds, we'll accept the RNG as seeded. */
1827 }
1828 #endif
1830 #ifdef MS_WINDOWS
1833 CRYPT_VERIFYCONTEXT)) {
1837 }
1838 }
1840 }
1844 }
1848 #else
1860 }
1864 }
1868 #endif
1869 }
1871 /** Write <b>n</b> bytes of strong random data to <b>to</b>. Return 0 on
1872 * success, -1 on failure.
1873 */
1874 int
1876 {
1884 }
1886 /** Return a pseudorandom integer, chosen uniformly from the values
1887 * between 0 and <b>max</b>-1. */
1888 int
1890 {
1896 /* We ignore any values that are >= 'cutoff,' to avoid biasing the
1897 * distribution with clipping at the upper end of unsigned int's
1898 * range.
1899 */
1905 }
1906 }
1908 /** Return a pseudorandom 64-bit integer, chosen uniformly from the values
1909 * between 0 and <b>max</b>-1. */
1910 uint64_t
1912 {
1918 /* We ignore any values that are >= 'cutoff,' to avoid biasing the
1919 * distribution with clipping at the upper end of unsigned int's
1920 * range.
1921 */
1927 }
1928 }
1930 /** Generate and return a new random hostname starting with <b>prefix</b>,
1931 * ending with <b>suffix</b>, and containing no less than
1932 * <b>min_rand_len</b> and no more than <b>max_rand_len</b> random base32
1933 * characters between. */
1937 {
1961 }
1963 /** Return a randomly chosen element of <b>sl</b>; or NULL if <b>sl</b>
1964 * is empty. */
1967 {
1972 }
1974 /** Scramble the elements of <b>sl</b> into a random order. */
1975 void
1977 {
1979 /* From the end of the list to the front, choose at random from the
1980 positions we haven't looked at yet, and swap that position into the
1981 current position. Remember to give "no swap" the same probability as
1982 any other swap. */
1986 }
1987 }
1989 /** Base-64 encode <b>srclen</b> bytes of data from <b>src</b>. Write
1990 * the result into <b>dest</b>, if it will fit within <b>destlen</b>
1991 * bytes. Return the number of bytes written on success; -1 if
1992 * destlen is too short, or other failure.
1993 */
1994 int
1996 {
1997 /* FFFF we might want to rewrite this along the lines of base64_decode, if
1998 * it ever shows up in the profile. */
1999 EVP_ENCODE_CTX ctx;
2003 /* 48 bytes of input -> 64 bytes of output plus newline.
2004 Plus one more byte, in case I'm wrong.
2005 */
2017 }
2019 #define X 255
2020 #define SP 64
2021 #define PAD 65
2022 /** Internal table mapping byte values to what they represent in base64.
2023 * Numbers 0..63 are 6-bit integers. SPs are spaces, and should be
2024 * skipped. Xs are invalid and must not appear in base64. PAD indicates
2025 * end-of-string. */
2043 };
2045 /** Base-64 decode <b>srclen</b> bytes of data from <b>src</b>. Write
2046 * the result into <b>dest</b>, if it will fit within <b>destlen</b>
2047 * bytes. Return the number of bytes written on success; -1 if
2048 * destlen is too short, or other failure.
2049 *
2050 * NOTE 1: destlen is checked conservatively, as though srclen contained no
2051 * spaces or padding.
2052 *
2053 * NOTE 2: This implementation does not check for the correct number of
2054 * padding "=" characters at the end of the string, and does not check
2055 * for internal padding characters.
2056 */
2057 int
2059 {
2060 #ifdef USE_OPENSSL_BASE64
2061 EVP_ENCODE_CTX ctx;
2063 /* 64 bytes of input -> *up to* 48 bytes of output.
2064 Plus one more byte, in case I'm wrong.
2065 */
2077 #else
2083 /* Max number of bits == srclen*6.
2084 * Number of bytes required to hold all bits == (srclen*6)/8.
2085 * Yes, we want to round down: anything that hangs over the end of a
2086 * byte is padding. */
2092 /* Iterate over all the bytes in src. Each one will add 0 or 6 bits to the
2093 * value we're decoding. Accumulate bits in <b>n</b>, and whenever we have
2094 * 24 bits, batch them into 3 bytes and flush those bytes to dest.
2095 */
2101 /* This character isn't allowed in base64. */
2104 /* This character is whitespace, and has no effect. */
2107 /* We've hit an = character: the data is over. */
2110 /* We have an actual 6-bit value. Append it to the bits in n. */
2113 /* We've accumulated 24 bits in n. Flush them. */
2119 }
2120 }
2121 }
2122 end_of_loop:
2123 /* If we have leftover bits, we need to cope. */
2127 /* No leftover bits. We win. */
2130 /* 6 leftover bits. That's invalid; we can't form a byte out of that. */
2133 /* 12 leftover bits: The last 4 are padding and the first 8 are data. */
2137 /* 18 leftover bits: The last 2 are padding and the first 16 are data. */
2140 }
2146 #endif
2147 }
2148 #undef X
2149 #undef SP
2150 #undef PAD
2152 /** Base-64 encode DIGEST_LINE bytes from <b>digest</b>, remove the trailing =
2153 * and newline characters, and store the nul-terminated result in the first
2154 * BASE64_DIGEST_LEN+1 bytes of <b>d64</b>. */
2155 int
2157 {
2163 }
2165 /** Given a base-64 encoded, nul-terminated digest in <b>d64</b> (without
2166 * trailing newline or = characters), decode it and store the result in the
2167 * first DIGEST_LEN bytes at <b>digest</b>. */
2168 int
2170 {
2171 #ifdef USE_OPENSSL_BASE64
2182 #else
2185 else
2187 #endif
2188 }
2190 /** Implements base32 encoding as in rfc3548. Limitation: Requires
2191 * that srclen*8 is a multiple of 5.
2192 */
2193 void
2195 {
2204 /* set v to the 16-bit value starting at src[bits/8], 0-padded. */
2207 /* set u to the 5-bit value at the bit'th bit of src. */
2210 }
2212 }
2214 /** Implements base32 decoding as in rfc3548. Limitation: Requires
2215 * that srclen*5 is a multiple of 8. Returns 0 if successful, -1 otherwise.
2216 */
2217 int
2219 {
2220 /* XXXX we might want to rewrite this along the lines of base64_decode, if
2221 * it ever shows up in the profile. */
2231 /* Convert base32 encoded chars to the 5-bit values that they represent. */
2241 }
2242 }
2244 /* Assemble result byte-wise by applying five possible cases. */
2269 }
2270 }
2276 }
2278 /** Implement RFC2440-style iterated-salted S2K conversion: convert the
2279 * <b>secret_len</b>-byte <b>secret</b> into a <b>key_out_len</b> byte
2280 * <b>key_out</b>. As in RFC2440, the first 8 bytes of s2k_specifier
2281 * are a salt; the 9th byte describes how much iteration to do.
2282 * Does not support <b>key_out_len</b> > DIGEST_LEN.
2283 */
2284 void
2287 {
2294 #define EXPBIAS 6
2297 #undef EXPBIAS
2314 }
2315 }
2320 }
2322 #ifdef TOR_IS_MULTITHREADED
2323 /** Helper: OpenSSL uses this callback to manipulate mutexes. */
2324 static void
2326 {
2330 /* This is not a really good fix for the
2331 * "release-freed-lock-from-separate-thread-on-shutdown" problem, but
2332 * it can't hurt. */
2336 else
2338 }
2340 /** OpenSSL helper type: wraps a Tor mutex so that OpenSSL can use it
2341 * as a lock. */
2344 };
2346 /** OpenSSL callback function to allocate a lock: see CRYPTO_set_dynlock_*
2347 * documentation in OpenSSL's docs for more info. */
2350 {
2357 }
2359 /** OpenSSL callback function to acquire or release a lock: see
2360 * CRYPTO_set_dynlock_* documentation in OpenSSL's docs for more info. */
2361 static void
2364 {
2369 else
2371 }
2373 /** OpenSSL callback function to free a lock: see CRYPTO_set_dynlock_*
2374 * documentation in OpenSSL's docs for more info. */
2375 static void
2378 {
2383 }
2385 /** Helper: Construct mutexes, and set callbacks to help OpenSSL handle being
2386 * multithreaded. */
2387 static int
2389 {
2402 }
2403 #else
2404 static int
2406 {
2408 }
2409 #endif