| blob | f0d4fbbf21ec9947865f6081b15a8c7236d4cba2 |
1 /* Copyright (c) 2001, Matej Pfajfar.
2 * Copyright (c) 2001-2004, Roger Dingledine.
3 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
4 * Copyright (c) 2007-2015, The Tor Project, Inc. */
5 /* See LICENSE for licensing information */
7 /**
8 * \file crypto.c
9 * \brief Wrapper functions to present a consistent interface to
10 * public-key and symmetric cryptography operations from OpenSSL.
11 **/
15 #ifdef _WIN32
16 #ifndef _WIN32_WINNT
17 #define _WIN32_WINNT 0x0501
18 #endif
19 #define WIN32_LEAN_AND_MEAN
20 #include <windows.h>
21 #include <wincrypt.h>
22 /* Windows defines this; so does OpenSSL 0.9.8h and later. We don't actually
23 * use either definition. */
24 #undef OCSP_RESPONSE
25 #endif
27 #include <openssl/err.h>
28 #include <openssl/rsa.h>
29 #include <openssl/pem.h>
30 #include <openssl/evp.h>
31 #include <openssl/engine.h>
32 #include <openssl/rand.h>
33 #include <openssl/opensslv.h>
34 #include <openssl/bn.h>
35 #include <openssl/dh.h>
36 #include <openssl/conf.h>
37 #include <openssl/hmac.h>
39 #ifdef HAVE_CTYPE_H
40 #include <ctype.h>
41 #endif
42 #ifdef HAVE_UNISTD_H
43 #include <unistd.h>
44 #endif
45 #ifdef HAVE_FCNTL_H
46 #include <fcntl.h>
47 #endif
48 #ifdef HAVE_SYS_FCNTL_H
49 #include <sys/fcntl.h>
50 #endif
52 #define CRYPTO_PRIVATE
61 #if OPENSSL_VERSION_NUMBER < OPENSSL_V_SERIES(0,9,8)
63 #endif
65 #ifdef ANDROID
66 /* Android's OpenSSL seems to have removed all of its Engine support. */
67 #define DISABLE_ENGINES
68 #endif
70 /** Longest recognized */
71 #define MAX_DNS_LABEL_SIZE 63
73 /** Macro: is k a valid RSA public or private key? */
74 #define PUBLIC_KEY_OK(k) ((k) && (k)->key && (k)->key->n)
75 /** Macro: is k a valid RSA private key? */
76 #define PRIVATE_KEY_OK(k) ((k) && (k)->key && (k)->key->p)
78 /** A number of preallocated mutexes for use by OpenSSL. */
80 /** How many mutexes have we allocated for use by OpenSSL? */
83 /** A public key, or a public/private key-pair. */
84 struct crypto_pk_t
85 {
88 };
90 /** Key and stream information for a stream cipher. */
91 struct crypto_cipher_t
92 {
96 * encryption */
97 };
99 /** A structure to hold the first half (x, g^x) of a Diffie-Hellman handshake
100 * while we're waiting for the second.*/
103 };
108 /** Return the number of bytes added by padding method <b>padding</b>.
109 */
112 {
114 {
117 }
118 }
120 /** Given a padding method <b>padding</b>, return the correct OpenSSL constant.
121 */
124 {
126 {
129 }
130 }
132 /** Boolean: has OpenSSL's crypto been initialized? */
135 /** Boolean: has OpenSSL's crypto been initialized? */
138 /** Log all pending crypto errors at level <b>severity</b>. Use
139 * <b>doing</b> to describe our current activities.
140 */
141 static void
143 {
159 }
160 }
161 }
163 #ifndef DISABLE_ENGINES
164 /** Log any OpenSSL engines we're using at NOTICE. */
165 static void
167 {
176 }
177 }
178 #endif
180 #ifndef DISABLE_ENGINES
181 /** Try to load an engine in a shared library via fully qualified path.
182 */
185 {
194 }
195 }
197 }
198 #endif
200 /* Returns a trimmed and human-readable version of an openssl version string
201 * <b>raw_version</b>. They are usually in the form of 'OpenSSL 1.0.0b 10
202 * May 2012' and this will parse them into a form similar to '1.0.0b' */
205 {
207 /* The output should be something like "OpenSSL 1.0.0b 10 May 2012. Let's
208 trim that down. */
212 }
217 else
219 }
222 /* Return a human-readable version of the run-time openssl version number. */
225 {
229 }
231 }
234 /* Return a human-readable version of the compile-time openssl version
235 * number. */
238 {
240 crypto_openssl_header_version_str =
242 }
244 }
246 /** Make sure that openssl is using its default PRNG. Return 1 if we had to
247 * adjust it; 0 otherwise. */
248 static int
250 {
253 "a replacement the OpenSSL RNG. Resetting it to the default "
257 }
259 }
261 /** Set up the siphash key if we haven't already done so. */
262 int
264 {
275 }
277 /** Initialize the crypto library. Return 0 on success, -1 on failure.
278 */
279 int
281 {
297 "version we're running with. If you get weird crashes, that "
301 }
305 "Your OpenSSL version seems to be %s. We recommend 1.0.0 "
308 }
316 }
318 }
320 /** Initialize the crypto library. Return 0 on success, -1 on failure.
321 */
322 int
324 {
331 #ifdef DISABLE_ENGINES
335 #else
351 }
354 accelName);
357 accelName);
358 }
359 }
364 }
365 /* Log, if available, the intersection of the set of algorithms
366 used by Tor and the set of algorithms available in the engine */
377 #ifdef NID_aes_128_ctr
379 #endif
380 #ifdef NID_aes_128_gcm
382 #endif
384 #ifdef NID_aes_256_gcm
386 #endif
388 #endif
391 }
396 }
400 }
402 }
404 /** Free crypto resources held by this thread. */
405 void
407 {
409 }
411 /** used by tortls.c: wrap an RSA* in a crypto_pk_t. */
412 crypto_pk_t *
414 {
421 }
423 /** Helper, used by tor-checkkey.c and tor-gencert.c. Return the RSA from a
424 * crypto_pk_t. */
425 RSA *
427 {
429 }
431 /** used by tortls.c: get an equivalent EVP_PKEY* for a crypto_pk_t. Iff
432 * private is set, include the private-key portion of the key. */
433 EVP_PKEY *
435 {
445 }
451 error:
457 }
459 /** Used by tortls.c: Get the DH* from a crypto_dh_t.
460 */
461 DH *
463 {
465 }
467 /** Allocate and return storage for a public key. The key itself will not yet
468 * be set.
469 */
470 crypto_pk_t *
472 {
478 }
480 /** Release a reference to an asymmetric key; when all the references
481 * are released, free the key.
482 */
483 void
485 {
497 }
499 /** Allocate and return a new symmetric cipher using the provided key and iv.
500 * The key is CIPHER_KEY_LEN bytes; the IV is CIPHER_IV_LEN bytes. If you
501 * provide NULL in place of either one, it is generated at random.
502 */
503 crypto_cipher_t *
505 {
512 else
516 else
522 }
524 /** Return a new crypto_cipher_t with the provided <b>key</b> and an IV of all
525 * zero bytes. */
526 crypto_cipher_t *
528 {
532 }
534 /** Free a symmetric cipher.
535 */
536 void
538 {
546 }
548 /* public key crypto */
550 /** Generate a <b>bits</b>-bit new public/private keypair in <b>env</b>.
551 * Return 0 on success, -1 on failure.
552 */
553 int
555 {
561 {
576 done:
581 }
586 }
589 }
591 /** Read a PEM-encoded private key from the <b>len</b>-byte string <b>s</b>
592 * into <b>env</b>. Return 0 on success, -1 on failure. If len is -1,
593 * the string is nul-terminated.
594 */
595 /* Used here, and used for testing. */
596 int
599 {
606 /* Create a read-only memory BIO, backed by the string 's' */
621 }
623 }
625 /** Read a PEM-encoded private key from the file named by
626 * <b>keyfile</b> into <b>env</b>. Return 0 on success, -1 on failure.
627 */
628 int
631 {
635 /* Read the file into a string. */
640 }
642 /* Try to parse it. */
649 /* Make sure it's valid. */
654 }
656 /** Helper function to implement crypto_pk_write_*_key_to_string. */
657 static int
660 {
673 /* Now you can treat b as if it were a file. Just use the
674 * PEM_*_bio_* functions instead of the non-bio variants.
675 */
678 else
685 }
698 }
700 /** PEM-encode the public key portion of <b>env</b> and write it to a
701 * newly allocated string. On success, set *<b>dest</b> to the new
702 * string, *<b>len</b> to the string's length, and return 0. On
703 * failure, return -1.
704 */
705 int
708 {
710 }
712 /** PEM-encode the private key portion of <b>env</b> and write it to a
713 * newly allocated string. On success, set *<b>dest</b> to the new
714 * string, *<b>len</b> to the string's length, and return 0. On
715 * failure, return -1.
716 */
717 int
720 {
722 }
724 /** Read a PEM-encoded public key from the first <b>len</b> characters of
725 * <b>src</b>, and store the result in <b>env</b>. Return 0 on success, -1 on
726 * failure.
727 */
728 int
731 {
751 }
754 }
756 /** Write the private key from <b>env</b> into the file named by <b>fname</b>,
757 * PEM-encoded. Return 0 on success, -1 on failure.
758 */
759 int
762 {
778 }
789 }
791 /** Return true iff <b>env</b> has a valid key.
792 */
793 int
795 {
803 }
805 /** Return true iff <b>key</b> contains the private-key portion of the RSA
806 * key. */
807 int
809 {
812 }
814 /** Return true iff <b>env</b> contains a public key whose public exponent
815 * equals 65537.
816 */
817 int
819 {
824 }
826 /** Compare the public-key components of a and b. Return less than 0
827 * if a\<b, 0 if a==b, and greater than 0 if a\>b. A NULL key is
828 * considered to be less than all non-NULL keys, and equal to itself.
829 *
830 * Note that this may leak information about the keys through timing.
831 */
832 int
834 {
850 }
852 /** Compare the public-key components of a and b. Return non-zero iff
853 * a==b. A NULL key is considered to be distinct from all non-NULL
854 * keys, and equal to itself.
855 *
856 * Note that this may leak information about the keys through timing.
857 */
858 int
860 {
862 }
864 /** Return the size of the public key modulus in <b>env</b>, in bytes. */
865 size_t
867 {
872 }
874 /** Return the size of the public key modulus of <b>env</b>, in bits. */
875 int
877 {
883 }
885 /** Increase the reference count of <b>env</b>, and return it.
886 */
887 crypto_pk_t *
889 {
895 }
897 /** Make a real honest-to-goodness copy of <b>env</b>, and return it. */
898 crypto_pk_t *
900 {
911 }
920 }
923 }
925 /** Encrypt <b>fromlen</b> bytes from <b>from</b> with the public key
926 * in <b>env</b>, using the padding method <b>padding</b>. On success,
927 * write the result to <b>to</b>, and return the number of bytes
928 * written. On failure, return -1.
929 *
930 * <b>tolen</b> is the number of writable bytes in <b>to</b>, and must be
931 * at least the length of the modulus of <b>env</b>.
932 */
933 int
936 {
950 }
952 }
954 /** Decrypt <b>fromlen</b> bytes from <b>from</b> with the private key
955 * in <b>env</b>, using the padding method <b>padding</b>. On success,
956 * write the result to <b>to</b>, and return the number of bytes
957 * written. On failure, return -1.
958 *
959 * <b>tolen</b> is the number of writable bytes in <b>to</b>, and must be
960 * at least the length of the modulus of <b>env</b>.
961 */
962 int
967 {
976 /* Not a private key */
987 }
989 }
991 /** Check the signature in <b>from</b> (<b>fromlen</b> bytes long) with the
992 * public key in <b>env</b>, using PKCS1 padding. On success, write the
993 * signed data to <b>to</b>, and return the number of bytes written.
994 * On failure, return -1.
995 *
996 * <b>tolen</b> is the number of writable bytes in <b>to</b>, and must be
997 * at least the length of the modulus of <b>env</b>.
998 */
999 int
1003 {
1017 }
1019 }
1021 /** Check a siglen-byte long signature at <b>sig</b> against
1022 * <b>datalen</b> bytes of data at <b>data</b>, using the public key
1023 * in <b>env</b>. Return 0 if <b>sig</b> is a correct signature for
1024 * SHA1(data). Else return -1.
1025 */
1026 int
1029 {
1044 }
1052 }
1057 }
1061 }
1063 /** Sign <b>fromlen</b> bytes of data from <b>from</b> with the private key in
1064 * <b>env</b>, using PKCS1 padding. On success, write the signature to
1065 * <b>to</b>, and return the number of bytes written. On failure, return
1066 * -1.
1067 *
1068 * <b>tolen</b> is the number of writable bytes in <b>to</b>, and must be
1069 * at least the length of the modulus of <b>env</b>.
1070 */
1071 int
1074 {
1082 /* Not a private key */
1091 }
1093 }
1095 /** Compute a SHA1 digest of <b>fromlen</b> bytes of data stored at
1096 * <b>from</b>; sign the data with the private key in <b>env</b>, and
1097 * store it in <b>to</b>. Return the number of bytes written on
1098 * success, and -1 on failure.
1099 *
1100 * <b>tolen</b> is the number of writable bytes in <b>to</b>, and must be
1101 * at least the length of the modulus of <b>env</b>.
1102 */
1103 int
1106 {
1114 }
1116 /** Perform a hybrid (public/secret) encryption on <b>fromlen</b>
1117 * bytes of data from <b>from</b>, with padding type 'padding',
1118 * storing the results on <b>to</b>.
1119 *
1120 * Returns the number of bytes written on success, -1 on failure.
1121 *
1122 * The encrypted data consists of:
1123 * - The source data, padded and encrypted with the public key, if the
1124 * padded source data is no longer than the public key, and <b>force</b>
1125 * is false, OR
1126 * - The beginning of the source data prefixed with a 16-byte symmetric key,
1127 * padded and encrypted with the public key; followed by the rest of
1128 * the source data encrypted in AES-CTR mode with the symmetric key.
1129 */
1130 int
1136 {
1151 /* It all fits in a single encrypt. */
1153 tolen,
1155 }
1165 /* Length of symmetrically encrypted data. */
1171 }
1181 err:
1187 }
1189 /** Invert crypto_pk_public_hybrid_encrypt. */
1190 int
1197 {
1208 warnOnFailure);
1209 }
1213 warnOnFailure);
1218 }
1223 }
1227 }
1239 err:
1244 }
1246 /** ASN.1-encode the public portion of <b>pk</b> into <b>dest</b>.
1247 * Return -1 on error, or the number of characters used on success.
1248 */
1249 int
1251 {
1262 }
1263 /* We don't encode directly into 'dest', because that would be illegal
1264 * type-punning. (C99 is smarter than me, C99 is smarter than me...)
1265 */
1269 }
1271 /** Decode an ASN.1-encoded public key from <b>str</b>; return the result on
1272 * success and NULL on failure.
1273 */
1274 crypto_pk_t *
1276 {
1287 }
1289 }
1291 /** Given a private or public key <b>pk</b>, put a SHA1 hash of the
1292 * public key into <b>digest_out</b> (must have DIGEST_LEN bytes of space).
1293 * Return 0 on success, -1 on failure.
1294 */
1295 int
1297 {
1307 }
1310 }
1312 /** Compute all digests of the DER encoding of <b>pk</b>, and store them
1313 * in <b>digests_out</b>. Return 0 on success, -1 on failure. */
1314 int
1316 {
1326 }
1329 }
1331 /** Copy <b>in</b> to the <b>outlen</b>-byte buffer <b>out</b>, adding spaces
1332 * every four spaces. */
1333 void
1335 {
1345 }
1346 }
1349 }
1351 /** Given a private or public key <b>pk</b>, put a fingerprint of the
1352 * public key into <b>fp_out</b> (must have at least FINGERPRINT_LEN+1 bytes of
1353 * space). Return 0 on success, -1 on failure.
1354 *
1355 * Fingerprints are computed as the SHA1 digest of the ASN.1 encoding
1356 * of the public key, converted to hexadecimal, in upper case, with a
1357 * space after every four digits.
1358 *
1359 * If <b>add_space</b> is false, omit the spaces.
1360 */
1361 int
1363 {
1368 }
1374 }
1376 }
1378 /** Given a private or public key <b>pk</b>, put a hashed fingerprint of
1379 * the public key into <b>fp_out</b> (must have at least FINGERPRINT_LEN+1
1380 * bytes of space). Return 0 on success, -1 on failure.
1381 *
1382 * Hashed fingerprints are computed as the SHA1 digest of the SHA1 digest
1383 * of the ASN.1 encoding of the public key, converted to hexadecimal, in
1384 * upper case.
1385 */
1386 int
1388 {
1392 }
1395 }
1398 }
1400 /* symmetric crypto */
1402 /** Return a pointer to the key set for the cipher in <b>env</b>.
1403 */
1406 {
1408 }
1410 /** Encrypt <b>fromlen</b> bytes from <b>from</b> using the cipher
1411 * <b>env</b>; on success, store the result to <b>to</b> and return 0.
1412 * On failure, return -1.
1413 */
1414 int
1417 {
1427 }
1429 /** Decrypt <b>fromlen</b> bytes from <b>from</b> using the cipher
1430 * <b>env</b>; on success, store the result to <b>to</b> and return 0.
1431 * On failure, return -1.
1432 */
1433 int
1436 {
1444 }
1446 /** Encrypt <b>len</b> bytes on <b>from</b> using the cipher in <b>env</b>;
1447 * on success, return 0. On failure, return -1.
1448 */
1449 int
1451 {
1455 }
1457 /** Encrypt <b>fromlen</b> bytes (at least 1) from <b>from</b> with the key in
1458 * <b>key</b> to the buffer in <b>to</b> of length
1459 * <b>tolen</b>. <b>tolen</b> must be at least <b>fromlen</b> plus
1460 * CIPHER_IV_LEN bytes for the initialization vector. On success, return the
1461 * number of bytes written, on failure, return -1.
1462 */
1463 int
1467 {
1484 }
1486 /** Decrypt <b>fromlen</b> bytes (at least 1+CIPHER_IV_LEN) from <b>from</b>
1487 * with the key in <b>key</b> to the buffer in <b>to</b> of length
1488 * <b>tolen</b>. <b>tolen</b> must be at least <b>fromlen</b> minus
1489 * CIPHER_IV_LEN bytes for the initialization vector. On success, return the
1490 * number of bytes written, on failure, return -1.
1491 */
1492 int
1496 {
1513 }
1515 /* SHA-1 */
1517 /** Compute the SHA1 digest of the <b>len</b> bytes on data stored in
1518 * <b>m</b>. Write the DIGEST_LEN byte result into <b>digest</b>.
1519 * Return 0 on success, -1 on failure.
1520 */
1521 int
1523 {
1527 }
1529 /** Compute a 256-bit digest of <b>len</b> bytes in data stored in <b>m</b>,
1530 * using the algorithm <b>algorithm</b>. Write the DIGEST_LEN256-byte result
1531 * into <b>digest</b>. Return 0 on success, -1 on failure. */
1532 int
1534 digest_algorithm_t algorithm)
1535 {
1540 }
1542 /** Set the digests_t in <b>ds_out</b> to contain every digest on the
1543 * <b>len</b> bytes in <b>m</b> that we know how to compute. Return 0 on
1544 * success, -1 on failure. */
1545 int
1547 {
1556 }
1558 }
1560 /** Return the name of an algorithm, as used in directory documents. */
1563 {
1572 }
1573 }
1575 /** Given the name of a digest algorithm, return its integer value, or -1 if
1576 * the name is not recognized. */
1577 int
1579 {
1584 else
1586 }
1588 /** Intermediate information about the digest of a stream of data. */
1594 * union is usable, depending on the value of <b>algorithm</b>. */
1596 };
1598 /** Allocate and return a new digest object to compute SHA1 digests.
1599 */
1600 crypto_digest_t *
1602 {
1608 }
1610 /** Allocate and return a new digest object to compute 256-bit digests
1611 * using <b>algorithm</b>. */
1612 crypto_digest_t *
1614 {
1621 }
1623 /** Deallocate a digest object.
1624 */
1625 void
1627 {
1632 }
1634 /** Add <b>len</b> bytes from <b>data</b> to the digest object.
1635 */
1636 void
1639 {
1642 /* Using the SHA*_*() calls directly means we don't support doing
1643 * SHA in hardware. But so far the delay of getting the question
1644 * to the hardware, and hearing the answer, is likely higher than
1645 * just doing it ourselves. Hashes are fast.
1646 */
1657 }
1658 }
1660 /** Compute the hash of the data that has been passed to the digest
1661 * object; write the first out_len bytes of the result to <b>out</b>.
1662 * <b>out_len</b> must be \<= DIGEST256_LEN.
1663 */
1664 void
1667 {
1669 crypto_digest_t tmpenv;
1672 /* memcpy into a temporary ctx, since SHA*_Final clears the context */
1685 /* If fragile_assert is not enabled, then we should at least not
1686 * leak anything. */
1690 }
1693 }
1695 /** Allocate and return a new digest object with the same state as
1696 * <b>digest</b>
1697 */
1698 crypto_digest_t *
1700 {
1706 }
1708 /** Replace the state of the digest object <b>into</b> with the state
1709 * of the digest object <b>from</b>.
1710 */
1711 void
1714 {
1718 }
1720 /** Given a list of strings in <b>lst</b>, set the <b>len_out</b>-byte digest
1721 * at <b>digest_out</b> to the hash of the concatenation of those strings,
1722 * plus the optional string <b>append</b>, computed with the algorithm
1723 * <b>alg</b>.
1724 * <b>out_len</b> must be \<= DIGEST256_LEN. */
1725 void
1728 digest_algorithm_t alg)
1729 {
1733 else
1741 }
1743 /** Compute the HMAC-SHA-256 of the <b>msg_len</b> bytes in <b>msg</b>, using
1744 * the <b>key</b> of length <b>key_len</b>. Store the DIGEST256_LEN-byte
1745 * result in <b>hmac_out</b>.
1746 */
1747 void
1751 {
1752 /* If we've got OpenSSL >=0.9.8 we can use its hmac implementation. */
1757 }
1759 /* DH */
1761 /** Our DH 'g' parameter */
1762 #define DH_GENERATOR 2
1764 /** Shared P parameter for our circuit-crypto DH key exchanges. */
1766 /** Shared P parameter for our TLS DH key exchanges. */
1768 /** Shared G parameter for our DH key exchanges. */
1771 /** Set the global TLS Diffie-Hellman modulus. Use the Apache mod_ssl DH
1772 * modulus. */
1773 void
1775 {
1779 /* If the space is occupied, free the previous TLS DH prime */
1783 }
1788 /* This is the 1024-bit safe prime that Apache uses for its DH stuff; see
1789 * modules/ssl/ssl_engine_dh.c; Apache also uses a generator of 2 with this
1790 * prime.
1791 */
1793 "D67DE440CBBBDC1936D693D34AFD0AD50C84D239A45F520BB88174CB98"
1794 "BCE951849F912E639C72FB13B4B4D7177E16D55AC179BA420B2A29FE324A"
1795 "467A635E81FF5901377BEDDCFD33168A461AAD3B72DAE8860078045B07A7"
1796 "DBCA7874087D1510EA9FCC9DDD330507DD62DB88AEAA747DE0F4D6E2BD68"
1803 }
1805 /** Initialize dh_param_p and dh_param_g if they are not already
1806 * set. */
1807 static void
1809 {
1819 /* Set our generator for all DH parameters */
1823 /* This is from rfc2409, section 6.2. It's a safe prime, and
1824 supposedly it equals:
1825 2^1024 - 2^960 - 1 + 2^64 * { [2^894 pi] + 129093 }.
1826 */
1828 "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E08"
1829 "8A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B"
1830 "302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9"
1831 "A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE6"
1835 /* Set the new values as the global DH parameters. */
1841 }
1842 }
1844 /** Number of bits to use when choosing the x or y value in a Diffie-Hellman
1845 * handshake. Since we exponentiate by this value, choosing a smaller one
1846 * lets our handhake go faster.
1847 */
1848 #define DH_PRIVATE_KEY_BITS 320
1850 /** Allocate and return a new DH object for a key exchange.
1851 */
1852 crypto_dh_t *
1854 {
1872 }
1880 err:
1885 }
1887 /** Return a copy of <b>dh</b>, sharing its internal state. */
1888 crypto_dh_t *
1890 {
1895 }
1897 /** Return the length of the DH key in <b>dh</b>, in bytes.
1898 */
1899 int
1901 {
1904 }
1906 /** Generate \<x,g^x\> for our part of the key exchange. Return 0 on
1907 * success, -1 on failure.
1908 */
1909 int
1911 {
1912 again:
1916 }
1920 /* Free and clear the keys, so OpenSSL will actually try again. */
1925 }
1927 }
1929 /** Generate g^x as necessary, and write the g^x for the key exchange
1930 * as a <b>pubkey_len</b>-byte value into <b>pubkey</b>. Return 0 on
1931 * success, -1 on failure. <b>pubkey_len</b> must be \>= DH_BYTES.
1932 */
1933 int
1935 {
1941 }
1951 }
1957 }
1959 /** Check for bad Diffie-Hellman public keys (g^x). Return 0 if the key is
1960 * okay (in the subgroup [2,p-2]), or -1 if it's bad.
1961 * See http://www.cl.cam.ac.uk/ftp/users/rja14/psandqs.ps.gz for some tips.
1962 */
1963 static int
1965 {
1977 }
1983 }
1986 err:
1992 }
1994 #undef MIN
1995 #define MIN(a,b) ((a)<(b)?(a):(b))
1996 /** Given a DH key exchange object, and our peer's value of g^y (as a
1997 * <b>pubkey_len</b>-byte value in <b>pubkey</b>) generate
1998 * <b>secret_bytes_out</b> bytes of shared key material and write them
1999 * to <b>secret_out</b>. Return the number of bytes generated on success,
2000 * or -1 on failure.
2001 *
2002 * (We generate key material by computing
2003 * SHA1( g^xy || "\x00" ) || SHA1( g^xy || "\x01" ) || ...
2004 * where || is concatenation.)
2005 */
2006 ssize_t
2010 {
2023 /* Check for invalid public keys. */
2026 }
2033 }
2041 error:
2043 done:
2050 }
2053 else
2055 }
2057 /** Given <b>key_in_len</b> bytes of negotiated randomness in <b>key_in</b>
2058 * ("K"), expand it into <b>key_out_len</b> bytes of negotiated key material in
2059 * <b>key_out</b> by taking the first <b>key_out_len</b> bytes of
2060 * H(K | [00]) | H(K | [01]) | ....
2061 *
2062 * This is the key expansion algorithm used in the "TAP" circuit extension
2063 * mechanism; it shouldn't be used for new protocols.
2064 *
2065 * Return 0 on success, -1 on failure.
2066 */
2067 int
2070 {
2075 /* If we try to get more than this amount of key data, we'll repeat blocks.*/
2085 }
2091 err:
2096 }
2098 /** Expand some secret key material according to RFC5869, using SHA256 as the
2099 * underlying hash. The <b>key_in_len</b> bytes at <b>key_in</b> are the
2100 * secret key material; the <b>salt_in_len</b> bytes at <b>salt_in</b> and the
2101 * <b>info_in_len</b> bytes in <b>info_in_len</b> are the algorithm's "salt"
2102 * and "info" parameters respectively. On success, write <b>key_out_len</b>
2103 * bytes to <b>key_out</b> and return 0. On failure, return -1.
2104 */
2105 int
2111 {
2123 /* If we try to get more than this amount of key data, we'll repeat blocks.*/
2141 }
2150 }
2155 }
2157 /** Free a DH key exchange object.
2158 */
2159 void
2161 {
2167 }
2169 /* random numbers */
2171 /** How many bytes of entropy we add at once.
2172 *
2173 * This is how much entropy OpenSSL likes to add right now, so maybe it will
2174 * work for us too. */
2175 #define ADD_ENTROPY 32
2177 /** True iff it's safe to use RAND_poll after setup.
2178 *
2179 * Versions of OpenSSL prior to 0.9.7k and 0.9.8c had a bug where RAND_poll
2180 * would allocate an fd_set on the stack, open a new file, and try to FD_SET
2181 * that fd without checking whether it fit in the fd_set. Thus, if the
2182 * system has not just been started up, it is unsafe to call */
2183 #define RAND_POLL_IS_SAFE \
2186 /** Set the seed of the weak RNG to a random value. */
2187 void
2189 {
2193 }
2195 /** Try to get <b>out_len</b> bytes of the strongest entropy we can generate,
2196 * storing it into <b>out</b>.
2197 */
2198 int
2200 {
2201 #ifdef _WIN32
2204 #else
2207 };
2210 #endif
2212 #ifdef _WIN32
2215 CRYPT_VERIFYCONTEXT)) {
2218 }
2220 }
2224 }
2227 #else
2240 }
2243 }
2247 #endif
2248 }
2250 /** Seed OpenSSL's random number generator with bytes from the operating
2251 * system. <b>startup</b> should be true iff we have just started Tor and
2252 * have not yet allocated a bunch of fds. Return 0 on success, -1 on failure.
2253 */
2254 int
2256 {
2260 /* OpenSSL has a RAND_poll function that knows about more kinds of
2261 * entropy than we do. We'll try calling that, *and* calling our own entropy
2262 * functions. If one succeeds, we'll accept the RNG as seeded. */
2267 }
2272 }
2278 else
2280 }
2282 /** Write <b>n</b> bytes of strong random data to <b>to</b>. Return 0 on
2283 * success, -1 on failure.
2284 */
2287 {
2295 }
2297 /** Return a pseudorandom integer, chosen uniformly from the values
2298 * between 0 and <b>max</b>-1 inclusive. <b>max</b> must be between 1 and
2299 * INT_MAX+1, inclusive. */
2300 int
2302 {
2308 /* We ignore any values that are >= 'cutoff,' to avoid biasing the
2309 * distribution with clipping at the upper end of unsigned int's
2310 * range.
2311 */
2317 }
2318 }
2320 /** Return a pseudorandom integer, chosen uniformly from the values <i>i</i>
2321 * such that <b>min</b> <= <i>i</i> < <b>max</b>.
2322 *
2323 * <b>min</b> MUST be in range [0, <b>max</b>).
2324 * <b>max</b> MUST be in range (min, INT_MAX].
2325 */
2326 int
2328 {
2332 /* The overflow is avoided here because crypto_rand_int() returns a value
2333 * between 0 and (max - min - 1) with max being <= INT_MAX and min <= max.
2334 * This is why we add 1 to the maximum value so we can actually get max as
2335 * a return value. */
2337 }
2339 /** As crypto_rand_int_range, but supports uint64_t. */
2340 uint64_t
2342 {
2345 }
2347 /** As crypto_rand_int_range, but supports time_t. */
2348 time_t
2350 {
2352 }
2354 /** Return a pseudorandom 64-bit integer, chosen uniformly from the values
2355 * between 0 and <b>max</b>-1. */
2356 uint64_t
2358 {
2364 /* We ignore any values that are >= 'cutoff,' to avoid biasing the
2365 * distribution with clipping at the upper end of unsigned int's
2366 * range.
2367 */
2373 }
2374 }
2376 /** Return a pseudorandom double d, chosen uniformly from the range
2377 * 0.0 <= d < 1.0.
2378 */
2379 double
2381 {
2382 /* We just use an unsigned int here; we don't really care about getting
2383 * more than 32 bits of resolution */
2386 #if SIZEOF_INT == 4
2387 #define UINT_MAX_AS_DOUBLE 4294967296.0
2388 #elif SIZEOF_INT == 8
2389 #define UINT_MAX_AS_DOUBLE 1.8446744073709552e+19
2390 #else
2391 #error SIZEOF_INT is neither 4 nor 8
2392 #endif
2394 }
2396 /** Generate and return a new random hostname starting with <b>prefix</b>,
2397 * ending with <b>suffix</b>, and containing no fewer than
2398 * <b>min_rand_len</b> and no more than <b>max_rand_len</b> random base32
2399 * characters between.
2400 *
2401 * Clip <b>max_rand_len</b> to MAX_DNS_LABEL_SIZE.
2402 **/
2406 {
2435 }
2437 /** Return a randomly chosen element of <b>sl</b>; or NULL if <b>sl</b>
2438 * is empty. */
2441 {
2446 }
2448 /** Scramble the elements of <b>sl</b> into a random order. */
2449 void
2451 {
2453 /* From the end of the list to the front, choose at random from the
2454 positions we haven't looked at yet, and swap that position into the
2455 current position. Remember to give "no swap" the same probability as
2456 any other swap. */
2460 }
2461 }
2463 #define BASE64_OPENSSL_LINELEN 64
2465 /** Return the Base64 encoded size of <b>srclen</b> bytes of data in
2466 * bytes.
2467 *
2468 * If <b>flags</b>&BASE64_ENCODE_MULTILINE is true, return the size
2469 * of the encoded output as multiline output (64 character, `\n' terminated
2470 * lines).
2471 */
2472 size_t
2474 {
2486 enclen++;
2487 }
2490 }
2492 /** Internal table mapping 6 bit values to the Base64 alphabet. */
2502 };
2504 /** Base64 encode <b>srclen</b> bytes of data from <b>src</b>. Write
2505 * the result into <b>dest</b>, if it will fit within <b>destlen</b>
2506 * bytes. Return the number of bytes written on success; -1 if
2507 * destlen is too short, or other failure.
2508 *
2509 * If <b>flags</b>&BASE64_ENCODE_MULTILINE is true, return encoded
2510 * output in multiline format (64 character, `\n' terminated lines).
2511 */
2512 int
2515 {
2527 /* Ensure that there is sufficient space, including the NUL. */
2538 /* XXX/Yawning: If this ends up being too slow, this can be sped up
2539 * by separating the multiline format case and the normal case, and
2540 * processing 48 bytes of input at a time when newlines are desired.
2541 */
2542 #define ENCODE_CHAR(ch) \
2543 STMT_BEGIN \
2544 *d++ = ch; \
2545 if (flags & BASE64_ENCODE_MULTILINE) { \
2546 if (++linelen % BASE64_OPENSSL_LINELEN == 0) { \
2547 linelen = 0; \
2549 } \
2550 } \
2551 STMT_END
2553 #define ENCODE_N(idx) \
2554 ENCODE_CHAR(base64_encode_table[(n >> ((3 - idx) * 6)) & 0x3f])
2558 /* Iterate over all the bytes in src. Each one will add 8 bits to the
2559 * value we're encoding. Accumulate bits in <b>n</b>, and whenever we
2560 * have 24 bits, batch them into 4 bytes and flush those bytes to dest.
2561 */
2571 }
2572 }
2575 /* 0 leftover bits, no pading to add. */
2578 /* 8 leftover bits, pad to 12 bits, write the 2 6-bit values followed
2579 * by 2 padding characters.
2580 */
2588 /* 16 leftover bits, pad to 18 bits, write the 3 6-bit values followed
2589 * by 1 padding character.
2590 */
2598 /* Something went catastrophically wrong. */
2601 }
2603 #undef ENCODE_N
2604 #undef ENCODE_PAD
2605 #undef ENCODE_CHAR
2607 /* Multiline output always includes at least one newline. */
2616 }
2618 #undef BASE64_OPENSSL_LINELEN
2620 /** @{ */
2621 /** Special values used for the base64_decode_table */
2622 #define X 255
2623 #define SP 64
2624 #define PAD 65
2625 /** @} */
2626 /** Internal table mapping byte values to what they represent in base64.
2627 * Numbers 0..63 are 6-bit integers. SPs are spaces, and should be
2628 * skipped. Xs are invalid and must not appear in base64. PAD indicates
2629 * end-of-string. */
2647 };
2649 /** Base64 decode <b>srclen</b> bytes of data from <b>src</b>. Write
2650 * the result into <b>dest</b>, if it will fit within <b>destlen</b>
2651 * bytes. Return the number of bytes written on success; -1 if
2652 * destlen is too short, or other failure.
2653 *
2654 * NOTE 1: destlen is checked conservatively, as though srclen contained no
2655 * spaces or padding.
2656 *
2657 * NOTE 2: This implementation does not check for the correct number of
2658 * padding "=" characters at the end of the string, and does not check
2659 * for internal padding characters.
2660 */
2661 int
2663 {
2669 /* Max number of bits == srclen*6.
2670 * Number of bytes required to hold all bits == (srclen*6)/8.
2671 * Yes, we want to round down: anything that hangs over the end of a
2672 * byte is padding. */
2680 /* Iterate over all the bytes in src. Each one will add 0 or 6 bits to the
2681 * value we're decoding. Accumulate bits in <b>n</b>, and whenever we have
2682 * 24 bits, batch them into 3 bytes and flush those bytes to dest.
2683 */
2689 /* This character isn't allowed in base64. */
2692 /* This character is whitespace, and has no effect. */
2695 /* We've hit an = character: the data is over. */
2698 /* We have an actual 6-bit value. Append it to the bits in n. */
2701 /* We've accumulated 24 bits in n. Flush them. */
2707 }
2708 }
2709 }
2710 end_of_loop:
2711 /* If we have leftover bits, we need to cope. */
2715 /* No leftover bits. We win. */
2718 /* 6 leftover bits. That's invalid; we can't form a byte out of that. */
2721 /* 12 leftover bits: The last 4 are padding and the first 8 are data. */
2725 /* 18 leftover bits: The last 2 are padding and the first 16 are data. */
2728 }
2734 }
2735 #undef X
2736 #undef SP
2737 #undef PAD
2739 /** Base64 encode DIGEST_LINE bytes from <b>digest</b>, remove the trailing =
2740 * characters, and store the nul-terminated result in the first
2741 * BASE64_DIGEST_LEN+1 bytes of <b>d64</b>. */
2742 int
2744 {
2750 }
2752 /** Given a base64 encoded, nul-terminated digest in <b>d64</b> (without
2753 * trailing newline or = characters), decode it and store the result in the
2754 * first DIGEST_LEN bytes at <b>digest</b>. */
2755 int
2757 {
2760 else
2762 }
2764 /** Base64 encode DIGEST256_LINE bytes from <b>digest</b>, remove the
2765 * trailing = characters, and store the nul-terminated result in the first
2766 * BASE64_DIGEST256_LEN+1 bytes of <b>d64</b>. */
2767 int
2769 {
2775 }
2777 /** Given a base64 encoded, nul-terminated digest in <b>d64</b> (without
2778 * trailing newline or = characters), decode it and store the result in the
2779 * first DIGEST256_LEN bytes at <b>digest</b>. */
2780 int
2782 {
2785 else
2787 }
2789 /** Implements base32 encoding as in RFC 4648. Limitation: Requires
2790 * that srclen*8 is a multiple of 5.
2791 */
2792 void
2794 {
2804 /* set v to the 16-bit value starting at src[bits/8], 0-padded. */
2807 /* set u to the 5-bit value at the bit'th bit of src. */
2810 }
2812 }
2814 /** Implements base32 decoding as in RFC 4648. Limitation: Requires
2815 * that srclen*5 is a multiple of 8. Returns 0 if successful, -1 otherwise.
2816 */
2817 int
2819 {
2820 /* XXXX we might want to rewrite this along the lines of base64_decode, if
2821 * it ever shows up in the profile. */
2834 /* Convert base32 encoded chars to the 5-bit values that they represent. */
2844 }
2845 }
2847 /* Assemble result byte-wise by applying five possible cases. */
2872 }
2873 }
2879 }
2881 /**
2882 * Destroy the <b>sz</b> bytes of data stored at <b>mem</b>, setting them to
2883 * the value <b>byte</b>.
2884 *
2885 * This function is preferable to memset, since many compilers will happily
2886 * optimize out memset() when they can convince themselves that the data being
2887 * cleared will never be read.
2888 *
2889 * Right now, our convention is to use this function when we are wiping data
2890 * that's about to become inaccessible, such as stack buffers that are about
2891 * to go out of scope or structures that are about to get freed. (In
2892 * practice, it appears that the compilers we're currently using will optimize
2893 * out the memset()s for stack-allocated buffers, but not those for
2894 * about-to-be-freed structures. That could change, though, so we're being
2895 * wary.) If there are live reads for the data, then you can just use
2896 * memset().
2897 */
2898 void
2900 {
2901 /* Because whole-program-optimization exists, we may not be able to just
2902 * have this function call "memset". A smart compiler could inline it, then
2903 * eliminate dead memsets, and declare itself to be clever. */
2905 /* This is a slow and ugly function from OpenSSL that fills 'mem' with junk
2906 * based on the pointer value, then uses that junk to update a global
2907 * variable. It's an elaborate ruse to trick the compiler into not
2908 * optimizing out the "wipe this memory" code. Read it if you like zany
2909 * programming tricks! In later versions of Tor, we should look for better
2910 * not-optimized-out memory wiping stuff. */
2912 /* Just in case some caller of memwipe() is relying on getting a buffer
2913 * filled with a particular value, fill the buffer.
2914 *
2915 * If this function gets inlined, this memset might get eliminated, but
2916 * that's okay: We only care about this particular memset in the case where
2917 * the caller should have been using memset(), and the memset() wouldn't get
2918 * eliminated. In other words, this is here so that we won't break anything
2919 * if somebody accidentally calls memwipe() instead of memset().
2920 **/
2922 }
2924 #ifndef OPENSSL_THREADS
2925 #error OpenSSL has been built without thread support. Tor requires an \
2926 OpenSSL library with thread support enabled.
2927 #endif
2929 /** Helper: OpenSSL uses this callback to manipulate mutexes. */
2930 static void
2932 {
2936 /* This is not a really good fix for the
2937 * "release-freed-lock-from-separate-thread-on-shutdown" problem, but
2938 * it can't hurt. */
2942 else
2944 }
2946 /** OpenSSL helper type: wraps a Tor mutex so that OpenSSL can use it
2947 * as a lock. */
2950 };
2952 /** OpenSSL callback function to allocate a lock: see CRYPTO_set_dynlock_*
2953 * documentation in OpenSSL's docs for more info. */
2956 {
2963 }
2965 /** OpenSSL callback function to acquire or release a lock: see
2966 * CRYPTO_set_dynlock_* documentation in OpenSSL's docs for more info. */
2967 static void
2970 {
2975 else
2977 }
2979 /** OpenSSL callback function to free a lock: see CRYPTO_set_dynlock_*
2980 * documentation in OpenSSL's docs for more info. */
2981 static void
2984 {
2989 }
2991 #if OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,0,0)
2992 static void
2994 {
2996 }
2997 #endif
2999 /** @{ */
3000 /** Helper: Construct mutexes, and set callbacks to help OpenSSL handle being
3001 * multithreaded. */
3002 static int
3004 {
3012 #if OPENSSL_VERSION_NUMBER < OPENSSL_V_SERIES(1,0,0)
3014 #else
3016 #endif
3021 }
3023 /** Uninitialize the crypto library. Return 0 on success, -1 on failure.
3024 */
3025 int
3027 {
3039 #ifndef DISABLE_ENGINES
3041 #endif
3054 }
3056 }
3061 }
3063 /** @} */