| blob | 91af2d58d672146a00f246b1162929adfcbff607 |
1 /* Copyright 2001,2002,2003 Roger Dingledine, Matej Pfajfar.
2 * Copyright 2004-2005 Roger Dingledine, Nick Mathewson */
3 /* See LICENSE for licensing information */
4 /* $Id$ */
7 /**
8 * \file crypto.c
9 *
10 * \brief Low-level cryptographic functions.
11 **/
15 #ifdef MS_WINDOWS
16 #define WIN32_WINNT 0x400
17 #define _WIN32_WINNT 0x400
18 #define WIN32_LEAN_AND_MEAN
19 #include <windows.h>
20 #include <wincrypt.h>
21 #endif
23 #include <string.h>
25 #include <openssl/err.h>
26 #include <openssl/rsa.h>
27 #include <openssl/pem.h>
28 #include <openssl/evp.h>
29 #include <openssl/rand.h>
30 #include <openssl/opensslv.h>
31 #include <openssl/bn.h>
32 #include <openssl/dh.h>
33 #include <openssl/rsa.h>
34 #include <openssl/dh.h>
36 #include <stdlib.h>
37 #include <assert.h>
38 #include <stdio.h>
39 #include <limits.h>
41 #ifdef HAVE_CTYPE_H
42 #include <ctype.h>
43 #endif
44 #ifdef HAVE_UNISTD_H
45 #include <unistd.h>
46 #endif
47 #ifdef HAVE_FCNTL_H
48 #include <fcntl.h>
49 #endif
50 #ifdef HAVE_SYS_FCNTL_H
51 #include <sys/fcntl.h>
52 #endif
61 #if OPENSSL_VERSION_NUMBER < 0x00905000l
63 #elif OPENSSL_VERSION_NUMBER < 0x00906000l
64 #define OPENSSL_095
65 #endif
67 /* Certain functions that return a success code in OpenSSL 0.9.6 return void
68 * (and don't indicate errors) in OpenSSL version 0.9.5.
69 *
70 * [OpenSSL 0.9.5 matters, because it ships with Redhat 6.2.]
71 */
72 #ifdef OPENSSL_095
73 #define RETURN_SSL_OUTCOME(exp) (exp); return 0
74 #else
75 #define RETURN_SSL_OUTCOME(exp) return !(exp)
76 #endif
78 /** Macro: is k a valid RSA public or private key? */
79 #define PUBLIC_KEY_OK(k) ((k) && (k)->key && (k)->key->n)
80 /** Macro: is k a valid RSA private key? */
81 #define PRIVATE_KEY_OK(k) ((k) && (k)->key && (k)->key->p)
83 #ifdef TOR_IS_MULTITHREADED
86 #endif
88 struct crypto_pk_env_t
89 {
92 };
94 struct crypto_cipher_env_t
95 {
98 };
102 };
104 /* Prototypes for functions only used by tortls.c */
112 /** Return the number of bytes added by padding method <b>padding</b>.
113 */
117 {
122 }
123 }
125 /** Given a padding method <b>padding</b>, return the correct OpenSSL constant.
126 */
130 {
135 }
136 }
138 /** Boolean: has OpenSSL's crypto been initialized? */
141 /** Log all pending crypto errors at level <b>severity</b>. Use
142 * <b>doing</b> to describe our current activities.
143 */
144 static void
146 {
158 }
159 }
160 }
162 /** Initialize the crypto library. Return 0 on success, -1 on failure.
163 */
165 {
170 }
172 }
174 /** Uninitialize the crypto library. Return 0 on success, -1 on failure.
175 */
177 {
179 #ifdef TOR_IS_MULTITHREADED
188 }
190 }
191 #endif
193 }
195 /** used by tortls.c: wrap an RSA* in a crypto_pk_env_t. */
197 {
204 }
206 /** used by tortls.c: return the RSA* from a crypto_pk_env_t. */
208 {
210 }
212 /** used by tortls.c: get an equivalent EVP_PKEY* for a crypto_pk_env_t. Iff
213 * private is set, include the private-key portion of the key. */
215 {
225 }
231 error:
237 }
239 /** Used by tortls.c: Get the DH* from a crypto_dh_env_t.
240 */
242 {
244 }
246 /** Allocate and return storage for a public key. The key itself will not yet
247 * be set.
248 */
250 {
256 }
258 /** Release a reference to an asymmetric key; when all the references
259 * are released, free the key.
260 */
262 {
272 }
274 /** Create a new symmetric cipher for a given key and encryption flag
275 * (1=encrypt, 0=decrypt). Return the crypto object on success; NULL
276 * on failure.
277 */
278 crypto_cipher_env_t *
280 {
287 }
292 }
296 else
303 error:
307 }
309 /** Allocate and return a new symmetric cipher.
310 */
312 {
318 }
320 /** Free a symmetric cipher.
321 */
323 {
329 }
331 /* public key crypto */
333 /** Generate a new public/private keypair in <b>env</b>. Return 0 on
334 * success, -1 on failure.
335 */
337 {
346 }
349 }
351 /** Read a PEM-encoded private key from the string <b>s</b> into <b>env</b>.
352 * Return 0 on success, -1 on failure.
353 */
356 {
362 /* Create a read-only memory BIO, backed by the nul-terminated string 's' */
375 }
377 }
379 /** Read a PEM-encoded private key from the file named by
380 * <b>keyfile</b> into <b>env</b>. Return 0 on success, -1 on failure.
381 */
383 {
387 /* Read the file into a string. */
392 }
394 /* Try to parse it. */
400 /* Make sure it's valid. */
405 }
407 /** PEM-encode the public key portion of <b>env</b> and write it to a
408 * newly allocated string. On success, set *<b>dest</b> to the new
409 * string, *<b>len</b> to the string's length, and return 0. On
410 * failure, return -1.
411 */
422 /* Now you can treat b as if it were a file. Just use the
423 * PEM_*_bio_* functions instead of the non-bio variants.
424 */
428 }
442 }
444 /** Read a PEM-encoded public key from the first <b>len</b> characters of
445 * <b>src</b>, and store the result in <b>env</b>. Return 0 on success, -1 on
446 * failure.
447 */
465 }
468 }
470 /* Write the private key from 'env' into the file named by 'fname',
471 * PEM-encoded. Return 0 on success, -1 on failure.
472 */
473 int
476 {
492 }
502 }
504 /** Allocate a new string in *<b>out</b>, containing the public portion of the
505 * RSA key in <b>env</b>, encoded first with DER, then in base-64. Return the
506 * length of the encoded representation on success, and -1 on failure.
507 *
508 * <i>This function is for temporary use only. We need a simple
509 * one-line representation for keys to work around a bug in parsing
510 * directories containing "opt keyword\n-----BEGIN OBJECT----" entries
511 * in versions of Tor up to 0.0.9pre2.</i>
512 */
514 {
522 }
528 }
529 /* Remove spaces */
532 }
534 /** Decode a base-64 encoded DER representation of an RSA key from <b>in</b>,
535 * and store the result in <b>env</b>. Return 0 on success, -1 on failure.
536 *
537 * <i>This function is for temporary use only. We need a simple
538 * one-line representation for keys to work around a bug in parsing
539 * directories containing "opt keyword\n-----BEGIN OBJECT----" entries
540 * in versions of Tor up to 0.0.9pre2.</i>
541 */
543 {
552 }
553 /* base64_decode doesn't work unless we insert linebreaks every 64
554 * characters. how dumb. */
556 ALWAYS_TERMINATE))
562 }
564 }
566 /** Return true iff <b>env</b> has a valid key.
567 */
569 {
577 }
579 /** Compare the public-key components of a and b. Return -1 if a\<b, 0
580 * if a==b, and 1 if a\>b.
581 */
597 }
599 /** Return the size of the public key modulus in <b>env</b>, in bytes. */
601 {
606 }
608 /** Increase the reference count of <b>env</b>, and return it.
609 */
616 }
618 /** Encrypt <b>fromlen</b> bytes from <b>from</b> with the public key
619 * in <b>env</b>, using the padding method <b>padding</b>. On success,
620 * write the result to <b>to</b>, and return the number of bytes
621 * written. On failure, return -1.
622 */
623 int
626 {
637 }
639 }
641 /** Decrypt <b>fromlen</b> bytes from <b>from</b> with the private key
642 * in <b>env</b>, using the padding method <b>padding</b>. On success,
643 * write the result to <b>to</b>, and return the number of bytes
644 * written. On failure, return -1.
645 */
646 int
650 {
657 /* Not a private key */
666 }
668 }
670 /** Check the signature in <b>from</b> (<b>fromlen</b> bytes long) with the
671 * public key in <b>env</b>, using PKCS1 padding. On success, write the
672 * signed data to <b>to</b>, and return the number of bytes written.
673 * On failure, return -1.
674 */
675 int
678 {
688 }
690 }
692 /** Check a siglen-byte long signature at <b>sig</b> against
693 * <b>datalen</b> bytes of data at <b>data</b>, using the public key
694 * in <b>env</b>. Return 0 if <b>sig</b> is a correct signature for
695 * SHA1(data). Else return -1.
696 */
697 int
700 {
712 }
717 }
721 }
724 }
726 /** Sign <b>fromlen</b> bytes of data from <b>from</b> with the private key in
727 * <b>env</b>, using PKCS1 padding. On success, write the signature to
728 * <b>to</b>, and return the number of bytes written. On failure, return
729 * -1.
730 */
731 int
734 {
740 /* Not a private key */
747 }
749 }
751 /** Compute a SHA1 digest of <b>fromlen</b> bytes of data stored at
752 * <b>from</b>; sign the data with the private key in <b>env</b>, and
753 * store it in <b>to</b>. Return the number of bytes written on
754 * success, and -1 on failure.
755 */
756 int
759 {
764 }
766 /** Perform a hybrid (public/secret) encryption on <b>fromlen</b>
767 * bytes of data from <b>from</b>, with padding type 'padding',
768 * storing the results on <b>to</b>.
769 *
770 * If no padding is used, the public key must be at least as large as
771 * <b>from</b>.
772 *
773 * Returns the number of bytes written on success, -1 on failure.
774 *
775 * The encrypted data consists of:
776 * - The source data, padded and encrypted with the public key, if the
777 * padded source data is no longer than the public key, and <b>force</b>
778 * is false, OR
779 * - The beginning of the source data prefixed with a 16-byte symmetric key,
780 * padded and encrypted with the public key; followed by the rest of
781 * the source data encrypted in AES-CTR mode with the symmetric key.
782 */
788 {
804 /* It all fits in a single encrypt. */
806 }
811 /* You can't just run around RSA-encrypting any bitstream: if it's
812 * greater than the RSA key, then OpenSSL will happily encrypt, and
813 * later decrypt to the wrong value. So we set the first bit of
814 * 'cipher->key' to 0 if we aren't padding. This means that our
815 * symmetric key is really only 127 bits.
816 */
824 /* Length of symmetrically encrypted data. */
830 }
838 err:
842 }
844 /** Invert crypto_pk_public_hybrid_encrypt. */
850 {
860 }
865 }
869 }
873 }
882 err:
886 }
888 /** ASN.1-encode the public portion of <b>pk</b> into <b>dest</b>.
889 * Return -1 on error, or the number of characters used on success.
890 */
892 {
904 }
905 /* We don't encode directly into 'dest', because that would be illegal
906 * type-punning. (C99 is smarter than me, C99 is smarter than me...)
907 */
911 }
913 /** Decode an ASN.1-encoded public key from <b>str</b>; return the result on
914 * success and NULL on failure.
915 */
917 {
920 /* This ifdef suppresses a type warning. Take out the first case once
921 * everybody is using openssl 0.9.7 or later.
922 */
923 #if OPENSSL_VERSION_NUMBER < 0x00907000l
925 #else
927 #endif
935 }
937 }
939 /** Given a private or public key <b>pk</b>, put a SHA1 hash of the
940 * public key into <b>digest_out</b> (must have DIGEST_LEN bytes of space).
941 * Return 0 on success, -1 on failure.
942 */
944 {
957 }
961 }
964 }
966 /** Given a private or public key <b>pk</b>, put a fingerprint of the
967 * public key into <b>fp_out</b> (must have at least FINGERPRINT_LEN+1 bytes of
968 * space). Return 0 on success, -1 on failure.
969 *
970 * Fingerprints are computed as the SHA1 digest of the ASN.1 encoding
971 * of the public key, converted to hexadecimal, in upper case, with a
972 * space after every four digits.
973 *
974 * If <b>add_space</b> is false, omit the spaces.
975 */
976 int
978 {
983 }
991 }
993 }
995 /** Return true iff <b>s</b> is in the correct format for a fingerprint.
996 */
997 int
999 {
1006 }
1007 }
1010 }
1012 /* symmetric crypto */
1014 /** Generate a new random key for the symmetric cipher in <b>env</b>.
1015 * Return 0 on success, -1 on failure. Does not initialize the cipher.
1016 */
1018 {
1022 }
1024 /** Set the symmetric key for the cipher in <b>env</b> to the first
1025 * CIPHER_KEY_LEN bytes of <b>key</b>. Does not initialize the cipher.
1026 * Return 0 on success, -1 on failure.
1027 */
1029 {
1039 }
1041 /** Return a pointer to the key set for the cipher in <b>env</b>.
1042 */
1044 {
1046 }
1048 /** Initialize the cipher in <b>env</b> for encryption. Return 0 on
1049 * success, -1 on failure.
1050 */
1052 {
1057 }
1059 /** Initialize the cipher in <b>env</b> for decryption. Return 0 on
1060 * success, -1 on failure.
1061 */
1063 {
1068 }
1070 /** Encrypt <b>fromlen</b> bytes from <b>from</b> using the cipher
1071 * <b>env</b>; on success, store the result to <b>to</b> and return 0.
1072 * On failure, return -1.
1073 */
1074 int
1077 {
1086 }
1088 /** Decrypt <b>fromlen</b> bytes from <b>from</b> using the cipher
1089 * <b>env</b>; on success, store the result to <b>to</b> and return 0.
1090 * On failure, return -1.
1091 */
1092 int
1095 {
1102 }
1104 /** Move the position of the cipher stream backwards by <b>delta</b> bytes.
1105 * Return 0 on success, -1 on failure.
1106 */
1107 int
1109 {
1111 }
1113 /** Move the position of the cipher stream forwards by <b>delta</b> bytes.
1114 * Return 0 on success, -1 on failure.
1115 */
1116 int
1118 {
1121 }
1123 /* SHA-1 */
1125 /** Compute the SHA1 digest of <b>len</b> bytes in data stored in
1126 * <b>m</b>. Write the DIGEST_LEN byte result into <b>digest</b>.
1127 * Return 0 on success, -1 on failure.
1128 */
1130 {
1134 }
1137 SHA_CTX d;
1138 };
1140 /** Allocate and return a new digest object.
1141 */
1142 crypto_digest_env_t *
1144 {
1149 }
1151 /** Deallocate a digest object.
1152 */
1153 void
1156 }
1158 /** Add <b>len</b> bytes from <b>data</b> to the digest object.
1159 */
1160 void
1163 {
1166 /* Using the SHA1_*() calls directly means we don't support doing
1167 * sha1 in hardware. But so far the delay of getting the question
1168 * to the hardware, and hearing the answer, is likely higher than
1169 * just doing it ourselves. Hashes are fast.
1170 */
1172 }
1174 /** Compute the hash of the data that has been passed to the digest
1175 * object; write the first out_len bytes of the result to <b>out</b>.
1176 * <b>out_len</b> must be \<= DIGEST_LEN.
1177 */
1180 {
1182 SHA_CTX tmpctx;
1186 /* memcpy into a temporary ctx, since SHA1_Final clears the context */
1190 }
1192 /** Allocate and return a new digest object with the same state as
1193 * <b>digest</b>
1194 */
1195 crypto_digest_env_t *
1197 {
1203 }
1205 /** Replace the state of the digest object <b>into</b> with the state
1206 * of the digest object <b>from</b>.
1207 */
1208 void
1211 {
1215 }
1217 /* DH */
1219 /** Shared P parameter for our DH key exchanged. */
1221 /** Shared G parameter for our DH key exchanges. */
1224 /** Initialize dh_param_p and dh_param_g if they are not already
1225 * set. */
1237 #if 0
1238 /* This is from draft-ietf-ipsec-ike-modp-groups-05.txt. It's a safe
1239 prime, and supposedly it equals:
1240 2^1536 - 2^1472 - 1 + 2^64 * { [2^1406 pi] + 741804 }
1241 */
1243 "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
1244 "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
1245 "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
1246 "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
1247 "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"
1248 "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
1249 "83655D23DCA3AD961C62F356208552BB9ED529077096966D"
1251 #endif
1253 /* This is from rfc2409, section 6.2. It's a safe prime, and
1254 supposedly it equals:
1255 2^1024 - 2^960 - 1 + 2^64 * { [2^894 pi] + 129093 }.
1256 */
1257 /* See also rfc 3536 */
1259 "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E08"
1260 "8A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B"
1261 "302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9"
1262 "A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE6"
1270 }
1272 /** Allocate and return a new DH object for a key exchange.
1273 */
1275 {
1293 err:
1298 }
1300 /** Return the length of the DH key in <b>dh</b>, in bytes.
1301 */
1303 {
1306 }
1308 /** Generate \<x,g^x\> for our part of the key exchange. Return 0 on
1309 * success, -1 on failure.
1310 */
1312 {
1316 }
1318 }
1320 /** Generate g^x as necessary, and write the g^x for the key exchange
1321 * as a <b>pubkey_len</b>-byte value into <b>pubkey</b>. Return 0 on
1322 * success, -1 on failure. <b>pubkey_len</b> must be \>= DH_BYTES.
1323 */
1325 {
1331 }
1343 }
1345 #undef MIN
1346 #define MIN(a,b) ((a)<(b)?(a):(b))
1347 /** Given a DH key exchange object, and our peer's value of g^y (as a
1348 * <b>pubkey_len</b>-byte value in <b>pubkey</b>) generate
1349 * <b>secret_bytes_out</b> bytes of shared key material and write them
1350 * to <b>secret_out</b>. Return the number of bytes generated on success,
1351 * or -1 on failure.
1352 *
1353 * (We generate key material by computing
1354 * SHA1( g^xy || "\x00" ) || SHA1( g^xy || "\x01" ) || ...
1355 * where || is concatenation.)
1356 */
1360 {
1377 }
1379 /* sometimes secret_len might be less than 128, e.g., 127. that's ok. */
1385 }
1389 error:
1391 done:
1398 else
1400 }
1402 /** Free a DH key exchange object.
1403 */
1405 {
1410 }
1412 /* random numbers */
1414 /** Seed OpenSSL's random number generator with DIGEST_LEN bytes from the
1415 * operating system. Return 0 on success, -1 on failure.
1416 */
1418 {
1419 #ifdef MS_WINDOWS
1429 }
1430 /* Yes, we need to try it twice. */
1435 }
1436 }
1438 }
1442 }
1444 /* And add the current screen state to the entropy pool for
1445 * good measure. */
1448 #else
1451 };
1465 }
1468 }
1472 #endif
1473 }
1475 /** Write n bytes of strong random data to <b>to</b>. Return 0 on
1476 * success, -1 on failure.
1477 */
1479 {
1486 }
1488 /** Write n bytes of pseudorandom data to <b>to</b>. Return 0 on
1489 * success, -1 on failure.
1490 */
1492 {
1498 }
1499 }
1501 /** Return a pseudorandom integer, chosen uniformly from the values
1502 * between 0 and max-1. */
1509 /* We ignore any values that are >= 'cutoff,' to avoid biasing the
1510 * distribution with clipping at the upper end of unsigned int's
1511 * range.
1512 */
1518 }
1519 }
1521 /** Return a randomly chosen element of sl; or NULL if sl is empty.
1522 */
1529 }
1531 /** Base-64 encode <b>srclen</b> bytes of data from <b>src</b>. Write
1532 * the result into <b>dest</b>, if it will fit within <b>destlen</b>
1533 * bytes. Return the number of bytes written on success; -1 if
1534 * destlen is too short, or other failure.
1535 */
1536 int
1538 {
1539 EVP_ENCODE_CTX ctx;
1542 /* 48 bytes of input -> 64 bytes of output plus newline.
1543 Plus one more byte, in case I'm wrong.
1544 */
1555 }
1557 /** Base-64 decode <b>srclen</b> bytes of data from <b>src</b>. Write
1558 * the result into <b>dest</b>, if it will fit within <b>destlen</b>
1559 * bytes. Return the number of bytes written on success; -1 if
1560 * destlen is too short, or other failure.
1561 *
1562 * NOTE: destlen should be a little longer than the amount of data it
1563 * will contain, since we check for sufficient space conservatively.
1564 * Here, "a little" is around 64-ish bytes.
1565 */
1566 int
1568 {
1569 EVP_ENCODE_CTX ctx;
1571 /* 64 bytes of input -> *up to* 48 bytes of output.
1572 Plus one more byte, in case I'm wrong.
1573 */
1584 }
1586 /** Implements base32 encoding as in rfc3548. Limitation: Requires
1587 * that srclen*8 is a multiple of 5.
1588 */
1589 void
1591 {
1600 /* set v to the 16-bit value starting at src[bits/8], 0-padded. */
1603 /* set u to the 5-bit value at the bit'th bit of src. */
1606 }
1608 }
1610 /** Implement RFC2440-style iterated-salted S2K conversion: convert the
1611 * <b>secret_len</b>-byte <b>secret</b> into a <b>key_out_len</b> byte
1612 * <b>key_out</b>. As in RFC2440, the first 8 bytes of s2k_specifier
1613 * are a salt; the 9th byte describes how much iteration to do.
1614 * Does not support <b>key_out_len</b> > DIGEST_LEN.
1615 */
1616 void
1619 {
1626 #define EXPBIAS 6
1629 #undef EXPBIAS
1645 }
1646 }
1650 }
1652 #ifdef TOR_IS_MULTITHREADED
1653 static void
1655 {
1657 /* This is not a really good fix for the
1658 * "release-freed-lock-from-separate-thread-on-shutdown" problem, but
1659 * it can't hurt. */
1663 else
1665 }
1666 static int
1677 }
1678 #else
1680 #endif