| blob | 790ea1646cc73a0d3339d3921c828e726f9b92a1 |
1 /* Copyright (c) 2001, Matej Pfajfar.
2 * Copyright (c) 2001-2004, Roger Dingledine.
3 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
4 * Copyright (c) 2007-2011, The Tor Project, Inc. */
5 /* See LICENSE for licensing information */
7 /**
8 * \file crypto.c
9 * \brief Wrapper functions to present a consistent interface to
10 * public-key and symmetric cryptography operations from OpenSSL.
11 **/
15 #ifdef MS_WINDOWS
16 #ifndef WIN32_WINNT
17 #define WIN32_WINNT 0x400
18 #endif
19 #ifndef _WIN32_WINNT
20 #define _WIN32_WINNT 0x400
21 #endif
22 #define WIN32_LEAN_AND_MEAN
23 #include <windows.h>
24 #include <wincrypt.h>
25 /* Windows defines this; so does OpenSSL 0.9.8h and later. We don't actually
26 * use either definition. */
27 #undef OCSP_RESPONSE
28 #endif
30 #include <openssl/err.h>
31 #include <openssl/rsa.h>
32 #include <openssl/pem.h>
33 #include <openssl/evp.h>
34 #include <openssl/engine.h>
35 #include <openssl/rand.h>
36 #include <openssl/opensslv.h>
37 #include <openssl/bn.h>
38 #include <openssl/dh.h>
39 #include <openssl/conf.h>
40 #include <openssl/hmac.h>
42 #ifdef HAVE_CTYPE_H
43 #include <ctype.h>
44 #endif
45 #ifdef HAVE_UNISTD_H
46 #include <unistd.h>
47 #endif
48 #ifdef HAVE_FCNTL_H
49 #include <fcntl.h>
50 #endif
51 #ifdef HAVE_SYS_FCNTL_H
52 #include <sys/fcntl.h>
53 #endif
55 #define CRYPTO_PRIVATE
63 #if OPENSSL_VERSION_NUMBER < 0x00907000l
65 #endif
67 #ifdef ANDROID
68 /* Android's OpenSSL seems to have removed all of its Engine support. */
69 #define DISABLE_ENGINES
70 #endif
72 #if OPENSSL_VERSION_NUMBER < 0x00908000l
73 /** @{ */
74 /** On OpenSSL versions before 0.9.8, there is no working SHA256
75 * implementation, so we use Tom St Denis's nice speedy one, slightly adapted
76 * to our needs. These macros make it usable by us. */
77 #define SHA256_CTX sha256_state
78 #define SHA256_Init sha256_init
79 #define SHA256_Update sha256_process
80 #define LTC_ARGCHK(x) tor_assert(x)
81 /** @} */
83 #define SHA256_Final(a,b) sha256_done(b,a)
87 {
88 SHA256_CTX ctx;
93 }
94 #endif
96 /** Macro: is k a valid RSA public or private key? */
97 #define PUBLIC_KEY_OK(k) ((k) && (k)->key && (k)->key->n)
98 /** Macro: is k a valid RSA private key? */
99 #define PRIVATE_KEY_OK(k) ((k) && (k)->key && (k)->key->p)
101 #ifdef TOR_IS_MULTITHREADED
102 /** A number of preallocated mutexes for use by OpenSSL. */
104 /** How many mutexes have we allocated for use by OpenSSL? */
106 #endif
108 /** A public key, or a public/private key-pair. */
109 struct crypto_pk_env_t
110 {
113 };
115 /** Key and stream information for a stream cipher. */
116 struct crypto_cipher_env_t
117 {
120 * encryption */
121 };
123 /** A structure to hold the first half (x, g^x) of a Diffie-Hellman handshake
124 * while we're waiting for the second.*/
127 };
132 /** Return the number of bytes added by padding method <b>padding</b>.
133 */
136 {
138 {
143 }
144 }
146 /** Given a padding method <b>padding</b>, return the correct OpenSSL constant.
147 */
150 {
152 {
157 }
158 }
160 /** Boolean: has OpenSSL's crypto been initialized? */
163 /** Log all pending crypto errors at level <b>severity</b>. Use
164 * <b>doing</b> to describe our current activities.
165 */
166 static void
168 {
183 }
184 }
185 }
187 #ifndef DISABLE_ENGINES
188 /** Log any OpenSSL engines we're using at NOTICE. */
189 static void
191 {
200 }
201 }
202 #endif
204 #ifndef DISABLE_ENGINES
205 /** Try to load an engine in a shared library via fully qualified path.
206 */
209 {
218 }
219 }
221 }
222 #endif
224 /** Initialize the crypto library. Return 0 on success, -1 on failure.
225 */
226 int
229 {
237 #ifdef DISABLE_ENGINES
241 #else
257 }
260 accelName);
263 accelName);
264 }
265 }
270 }
277 #endif
280 }
282 }
284 }
286 /** Free crypto resources held by this thread. */
287 void
289 {
291 }
293 /** Uninitialize the crypto library. Return 0 on success, -1 on failure.
294 */
295 int
297 {
302 #ifndef DISABLE_ENGINES
304 #endif
308 #ifdef TOR_IS_MULTITHREADED
317 }
319 }
320 #endif
322 }
324 /** used by tortls.c: wrap an RSA* in a crypto_pk_env_t. */
325 crypto_pk_env_t *
327 {
334 }
336 /** Helper, used by tor-checkkey.c and tor-gencert.c. Return the RSA from a
337 * crypto_pk_env_t. */
338 RSA *
340 {
342 }
344 /** used by tortls.c: get an equivalent EVP_PKEY* for a crypto_pk_env_t. Iff
345 * private is set, include the private-key portion of the key. */
346 EVP_PKEY *
348 {
358 }
364 error:
370 }
372 /** Used by tortls.c: Get the DH* from a crypto_dh_env_t.
373 */
374 DH *
376 {
378 }
380 /** Allocate and return storage for a public key. The key itself will not yet
381 * be set.
382 */
383 crypto_pk_env_t *
385 {
391 }
393 /** Release a reference to an asymmetric key; when all the references
394 * are released, free the key.
395 */
396 void
398 {
410 }
412 /** Create a new symmetric cipher for a given key and encryption flag
413 * (1=encrypt, 0=decrypt). Return the crypto object on success; NULL
414 * on failure.
415 */
416 crypto_cipher_env_t *
418 {
425 }
431 else
438 error:
442 }
444 /** Allocate and return a new symmetric cipher.
445 */
446 crypto_cipher_env_t *
448 {
454 }
456 /** Free a symmetric cipher.
457 */
458 void
460 {
468 }
470 /* public key crypto */
472 /** Generate a <b>bits</b>-bit new public/private keypair in <b>env</b>.
473 * Return 0 on success, -1 on failure.
474 */
475 int
477 {
482 #if OPENSSL_VERSION_NUMBER < 0x00908000l
483 /* In OpenSSL 0.9.7, RSA_generate_key is all we have. */
485 #else
486 /* In OpenSSL 0.9.8, RSA_generate_key is deprecated. */
487 {
502 done:
507 }
508 #endif
512 }
515 }
517 /** Read a PEM-encoded private key from the <b>len</b>-byte string <b>s</b>
518 * into <b>env</b>. Return 0 on success, -1 on failure. If len is -1,
519 * the string is nul-terminated.
520 */
521 /* Used here, and used for testing. */
522 int
525 {
532 /* Create a read-only memory BIO, backed by the string 's' */
547 }
549 }
551 /** Read a PEM-encoded private key from the file named by
552 * <b>keyfile</b> into <b>env</b>. Return 0 on success, -1 on failure.
553 */
554 int
557 {
561 /* Read the file into a string. */
566 }
568 /* Try to parse it. */
575 /* Make sure it's valid. */
580 }
582 /** Helper function to implement crypto_pk_write_*_key_to_string. */
583 static int
586 {
599 /* Now you can treat b as if it were a file. Just use the
600 * PEM_*_bio_* functions instead of the non-bio variants.
601 */
604 else
611 }
624 }
626 /** PEM-encode the public key portion of <b>env</b> and write it to a
627 * newly allocated string. On success, set *<b>dest</b> to the new
628 * string, *<b>len</b> to the string's length, and return 0. On
629 * failure, return -1.
630 */
631 int
634 {
636 }
638 /** PEM-encode the private key portion of <b>env</b> and write it to a
639 * newly allocated string. On success, set *<b>dest</b> to the new
640 * string, *<b>len</b> to the string's length, and return 0. On
641 * failure, return -1.
642 */
643 int
646 {
648 }
650 /** Read a PEM-encoded public key from the first <b>len</b> characters of
651 * <b>src</b>, and store the result in <b>env</b>. Return 0 on success, -1 on
652 * failure.
653 */
654 int
657 {
677 }
680 }
682 /** Write the private key from <b>env</b> into the file named by <b>fname</b>,
683 * PEM-encoded. Return 0 on success, -1 on failure.
684 */
685 int
688 {
704 }
715 }
717 /** Return true iff <b>env</b> has a valid key.
718 */
719 int
721 {
729 }
731 /** Return true iff <b>key</b> contains the private-key portion of the RSA
732 * key. */
733 int
735 {
738 }
740 /** Return true iff <b>env</b> contains a public key whose public exponent
741 * equals 65537.
742 */
743 int
745 {
750 }
752 /** Compare the public-key components of a and b. Return -1 if a\<b, 0
753 * if a==b, and 1 if a\>b.
754 */
755 int
757 {
772 }
774 /** Return the size of the public key modulus in <b>env</b>, in bytes. */
775 size_t
777 {
782 }
784 /** Return the size of the public key modulus of <b>env</b>, in bits. */
785 int
787 {
793 }
795 /** Increase the reference count of <b>env</b>, and return it.
796 */
797 crypto_pk_env_t *
799 {
805 }
807 /** Make a real honest-to-goodness copy of <b>env</b>, and return it. */
808 crypto_pk_env_t *
810 {
821 }
830 }
833 }
835 /** Encrypt <b>fromlen</b> bytes from <b>from</b> with the public key
836 * in <b>env</b>, using the padding method <b>padding</b>. On success,
837 * write the result to <b>to</b>, and return the number of bytes
838 * written. On failure, return -1.
839 *
840 * <b>tolen</b> is the number of writable bytes in <b>to</b>, and must be
841 * at least the length of the modulus of <b>env</b>.
842 */
843 int
846 {
860 }
862 }
864 /** Decrypt <b>fromlen</b> bytes from <b>from</b> with the private key
865 * in <b>env</b>, using the padding method <b>padding</b>. On success,
866 * write the result to <b>to</b>, and return the number of bytes
867 * written. On failure, return -1.
868 *
869 * <b>tolen</b> is the number of writable bytes in <b>to</b>, and must be
870 * at least the length of the modulus of <b>env</b>.
871 */
872 int
877 {
886 /* Not a private key */
897 }
899 }
901 /** Check the signature in <b>from</b> (<b>fromlen</b> bytes long) with the
902 * public key in <b>env</b>, using PKCS1 padding. On success, write the
903 * signed data to <b>to</b>, and return the number of bytes written.
904 * On failure, return -1.
905 *
906 * <b>tolen</b> is the number of writable bytes in <b>to</b>, and must be
907 * at least the length of the modulus of <b>env</b>.
908 */
909 int
913 {
927 }
929 }
931 /** Check a siglen-byte long signature at <b>sig</b> against
932 * <b>datalen</b> bytes of data at <b>data</b>, using the public key
933 * in <b>env</b>. Return 0 if <b>sig</b> is a correct signature for
934 * SHA1(data). Else return -1.
935 */
936 int
939 {
954 }
962 }
967 }
971 }
973 /** Sign <b>fromlen</b> bytes of data from <b>from</b> with the private key in
974 * <b>env</b>, using PKCS1 padding. On success, write the signature to
975 * <b>to</b>, and return the number of bytes written. On failure, return
976 * -1.
977 *
978 * <b>tolen</b> is the number of writable bytes in <b>to</b>, and must be
979 * at least the length of the modulus of <b>env</b>.
980 */
981 int
984 {
992 /* Not a private key */
1001 }
1003 }
1005 /** Compute a SHA1 digest of <b>fromlen</b> bytes of data stored at
1006 * <b>from</b>; sign the data with the private key in <b>env</b>, and
1007 * store it in <b>to</b>. Return the number of bytes written on
1008 * success, and -1 on failure.
1009 *
1010 * <b>tolen</b> is the number of writable bytes in <b>to</b>, and must be
1011 * at least the length of the modulus of <b>env</b>.
1012 */
1013 int
1016 {
1024 }
1026 /** Perform a hybrid (public/secret) encryption on <b>fromlen</b>
1027 * bytes of data from <b>from</b>, with padding type 'padding',
1028 * storing the results on <b>to</b>.
1029 *
1030 * If no padding is used, the public key must be at least as large as
1031 * <b>from</b>.
1032 *
1033 * Returns the number of bytes written on success, -1 on failure.
1034 *
1035 * The encrypted data consists of:
1036 * - The source data, padded and encrypted with the public key, if the
1037 * padded source data is no longer than the public key, and <b>force</b>
1038 * is false, OR
1039 * - The beginning of the source data prefixed with a 16-byte symmetric key,
1040 * padded and encrypted with the public key; followed by the rest of
1041 * the source data encrypted in AES-CTR mode with the symmetric key.
1042 */
1043 int
1049 {
1067 /* It all fits in a single encrypt. */
1069 tolen,
1071 }
1079 /* You can't just run around RSA-encrypting any bitstream: if it's
1080 * greater than the RSA key, then OpenSSL will happily encrypt, and
1081 * later decrypt to the wrong value. So we set the first bit of
1082 * 'cipher->key' to 0 if we aren't padding. This means that our
1083 * symmetric key is really only 127 bits.
1084 */
1093 /* Length of symmetrically encrypted data. */
1099 }
1109 err:
1113 }
1116 }
1118 /** Invert crypto_pk_public_hybrid_encrypt. */
1119 int
1126 {
1137 warnOnFailure);
1138 }
1142 warnOnFailure);
1147 }
1152 }
1156 }
1168 err:
1173 }
1175 /** ASN.1-encode the public portion of <b>pk</b> into <b>dest</b>.
1176 * Return -1 on error, or the number of characters used on success.
1177 */
1178 int
1180 {
1192 }
1193 /* We don't encode directly into 'dest', because that would be illegal
1194 * type-punning. (C99 is smarter than me, C99 is smarter than me...)
1195 */
1199 }
1201 /** Decode an ASN.1-encoded public key from <b>str</b>; return the result on
1202 * success and NULL on failure.
1203 */
1204 crypto_pk_env_t *
1206 {
1217 }
1219 }
1221 /** Given a private or public key <b>pk</b>, put a SHA1 hash of the
1222 * public key into <b>digest_out</b> (must have DIGEST_LEN bytes of space).
1223 * Return 0 on success, -1 on failure.
1224 */
1225 int
1227 {
1240 }
1244 }
1247 }
1249 /** Compute all digests of the DER encoding of <b>pk</b>, and store them
1250 * in <b>digests_out</b>. Return 0 on success, -1 on failure. */
1251 int
1253 {
1266 }
1270 }
1273 }
1275 /** Copy <b>in</b> to the <b>outlen</b>-byte buffer <b>out</b>, adding spaces
1276 * every four spaces. */
1279 {
1289 }
1290 }
1293 }
1295 /** Given a private or public key <b>pk</b>, put a fingerprint of the
1296 * public key into <b>fp_out</b> (must have at least FINGERPRINT_LEN+1 bytes of
1297 * space). Return 0 on success, -1 on failure.
1298 *
1299 * Fingerprints are computed as the SHA1 digest of the ASN.1 encoding
1300 * of the public key, converted to hexadecimal, in upper case, with a
1301 * space after every four digits.
1302 *
1303 * If <b>add_space</b> is false, omit the spaces.
1304 */
1305 int
1307 {
1312 }
1318 }
1320 }
1322 /** Return true iff <b>s</b> is in the correct format for a fingerprint.
1323 */
1324 int
1326 {
1333 }
1334 }
1337 }
1339 /* symmetric crypto */
1341 /** Generate a new random key for the symmetric cipher in <b>env</b>.
1342 * Return 0 on success, -1 on failure. Does not initialize the cipher.
1343 */
1344 int
1346 {
1350 }
1352 /** Set the symmetric key for the cipher in <b>env</b> to the first
1353 * CIPHER_KEY_LEN bytes of <b>key</b>. Does not initialize the cipher.
1354 */
1355 void
1357 {
1362 }
1364 /** Generate an initialization vector for our AES-CTR cipher; store it
1365 * in the first CIPHER_IV_LEN bytes of <b>iv_out</b>. */
1366 void
1368 {
1370 }
1372 /** Adjust the counter of <b>env</b> to point to the first byte of the block
1373 * corresponding to the encryption of the CIPHER_IV_LEN bytes at
1374 * <b>iv</b>. */
1375 int
1377 {
1382 }
1384 /** Return a pointer to the key set for the cipher in <b>env</b>.
1385 */
1388 {
1390 }
1392 /** Initialize the cipher in <b>env</b> for encryption. Return 0 on
1393 * success, -1 on failure.
1394 */
1395 int
1397 {
1402 }
1404 /** Initialize the cipher in <b>env</b> for decryption. Return 0 on
1405 * success, -1 on failure.
1406 */
1407 int
1409 {
1414 }
1416 /** Encrypt <b>fromlen</b> bytes from <b>from</b> using the cipher
1417 * <b>env</b>; on success, store the result to <b>to</b> and return 0.
1418 * On failure, return -1.
1419 */
1420 int
1423 {
1433 }
1435 /** Decrypt <b>fromlen</b> bytes from <b>from</b> using the cipher
1436 * <b>env</b>; on success, store the result to <b>to</b> and return 0.
1437 * On failure, return -1.
1438 */
1439 int
1442 {
1450 }
1452 /** Encrypt <b>len</b> bytes on <b>from</b> using the cipher in <b>env</b>;
1453 * on success, return 0. On failure, return -1.
1454 */
1455 int
1457 {
1461 }
1463 /** Encrypt <b>fromlen</b> bytes (at least 1) from <b>from</b> with the key in
1464 * <b>cipher</b> to the buffer in <b>to</b> of length
1465 * <b>tolen</b>. <b>tolen</b> must be at least <b>fromlen</b> plus
1466 * CIPHER_IV_LEN bytes for the initialization vector. On success, return the
1467 * number of bytes written, on failure, return -1.
1468 *
1469 * This function adjusts the current position of the counter in <b>cipher</b>
1470 * to immediately after the encrypted data.
1471 */
1472 int
1476 {
1492 }
1494 /** Decrypt <b>fromlen</b> bytes (at least 1+CIPHER_IV_LEN) from <b>from</b>
1495 * with the key in <b>cipher</b> to the buffer in <b>to</b> of length
1496 * <b>tolen</b>. <b>tolen</b> must be at least <b>fromlen</b> minus
1497 * CIPHER_IV_LEN bytes for the initialization vector. On success, return the
1498 * number of bytes written, on failure, return -1.
1499 *
1500 * This function adjusts the current position of the counter in <b>cipher</b>
1501 * to immediately after the decrypted data.
1502 */
1503 int
1507 {
1522 }
1524 /* SHA-1 */
1526 /** Compute the SHA1 digest of the <b>len</b> bytes on data stored in
1527 * <b>m</b>. Write the DIGEST_LEN byte result into <b>digest</b>.
1528 * Return 0 on success, -1 on failure.
1529 */
1530 int
1532 {
1536 }
1538 /** Compute a 256-bit digest of <b>len</b> bytes in data stored in <b>m</b>,
1539 * using the algorithm <b>algorithm</b>. Write the DIGEST_LEN256-byte result
1540 * into <b>digest</b>. Return 0 on success, -1 on failure. */
1541 int
1543 digest_algorithm_t algorithm)
1544 {
1549 }
1551 /** Set the digests_t in <b>ds_out</b> to contain every digest on the
1552 * <b>len</b> bytes in <b>m</b> that we know how to compute. Return 0 on
1553 * success, -1 on failure. */
1554 int
1556 {
1557 digest_algorithm_t i;
1565 }
1567 }
1569 /** Return the name of an algorithm, as used in directory documents. */
1572 {
1581 }
1582 }
1584 /** Given the name of a digest algorithm, return its integer value, or -1 if
1585 * the name is not recognized. */
1586 int
1588 {
1593 else
1595 }
1597 /** Intermediate information about the digest of a stream of data. */
1603 * union is usable, depending on the value of <b>algorithm</b>. */
1605 };
1607 /** Allocate and return a new digest object to compute SHA1 digests.
1608 */
1609 crypto_digest_env_t *
1611 {
1617 }
1619 /** Allocate and return a new digest object to compute 256-bit digests
1620 * using <b>algorithm</b>. */
1621 crypto_digest_env_t *
1623 {
1630 }
1632 /** Deallocate a digest object.
1633 */
1634 void
1636 {
1641 }
1643 /** Add <b>len</b> bytes from <b>data</b> to the digest object.
1644 */
1645 void
1648 {
1651 /* Using the SHA*_*() calls directly means we don't support doing
1652 * SHA in hardware. But so far the delay of getting the question
1653 * to the hardware, and hearing the answer, is likely higher than
1654 * just doing it ourselves. Hashes are fast.
1655 */
1666 }
1667 }
1669 /** Compute the hash of the data that has been passed to the digest
1670 * object; write the first out_len bytes of the result to <b>out</b>.
1671 * <b>out_len</b> must be \<= DIGEST256_LEN.
1672 */
1673 void
1676 {
1678 crypto_digest_env_t tmpenv;
1681 /* memcpy into a temporary ctx, since SHA*_Final clears the context */
1694 /* If fragile_assert is not enabled, then we should at least not
1695 * leak anything. */
1699 }
1702 }
1704 /** Allocate and return a new digest object with the same state as
1705 * <b>digest</b>
1706 */
1707 crypto_digest_env_t *
1709 {
1715 }
1717 /** Replace the state of the digest object <b>into</b> with the state
1718 * of the digest object <b>from</b>.
1719 */
1720 void
1723 {
1727 }
1729 /** Compute the HMAC-SHA-1 of the <b>msg_len</b> bytes in <b>msg</b>, using
1730 * the <b>key</b> of length <b>key_len</b>. Store the DIGEST_LEN-byte result
1731 * in <b>hmac_out</b>.
1732 */
1733 void
1737 {
1742 }
1744 /** Compute the HMAC-SHA-256 of the <b>msg_len</b> bytes in <b>msg</b>, using
1745 * the <b>key</b> of length <b>key_len</b>. Store the DIGEST_LEN-byte result
1746 * in <b>hmac_out</b>.
1747 */
1748 void
1752 {
1753 #if (OPENSSL_VERSION_NUMBER >= 0x00908000l)
1754 /* If we've got OpenSSL >=0.9.8 we can use its hmac implementation. */
1759 #else
1760 /* OpenSSL doesn't have an EVP implementation for SHA256. We'll need
1761 to do HMAC on our own.
1763 HMAC isn't so hard: To compute HMAC(key, msg):
1764 1. If len(key) > blocksize, key = H(key).
1765 2. If len(key) < blocksize, right-pad key up to blocksize with 0 bytes.
1766 3. let ipad = key xor 0x363636363636....36
1767 let opad = key xor 0x5c5c5c5c5c5c....5c
1768 The result is H(opad | H( ipad | msg ) )
1769 */
1770 #define BLOCKSIZE 64
1771 #define DIGESTSIZE 32
1776 SHA256_CTX st;
1787 }
1802 /* Now clear everything. */
1807 #undef BLOCKSIZE
1808 #undef DIGESTSIZE
1809 #endif
1810 }
1812 /* DH */
1814 /** Shared P parameter for our circuit-crypto DH key exchanges. */
1816 /** Shared P parameter for our TLS DH key exchanges. */
1818 /** Shared G parameter for our DH key exchanges. */
1820 /** True if we use dynamic primes. */
1823 /** Generate and return a reasonable and safe DH parameter p. */
1825 {
1837 /** XXX - do we want to cache the result in a file? Or perhaps load from a file? */
1838 /* This implements the prime number strategy outlined in prop 179 */
1841 dh_parameters = DH_generate_parameters(rakshasa_bits, generator, NULL, NULL); // XXX Do we want a pretty call back?
1853 }
1855 /** Initialize dh_param_p and dh_param_g if they are not already
1856 * set. */
1857 static void
1859 {
1874 /* Set our generator for all DH parameters */
1878 /* This implements the prime number strategy outlined in prop 179 */
1881 }
1883 /* This is from rfc2409, section 6.2. It's a safe prime, and
1884 supposedly it equals:
1885 2^1024 - 2^960 - 1 + 2^64 * { [2^894 pi] + 129093 }.
1886 */
1888 "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E08"
1889 "8A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B"
1890 "302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9"
1891 "A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE6"
1894 /* This is the 1024-bit safe prime that Apache uses for its DH stuff; see
1895 * modules/ssl/ssl_engine_dh.c; Apache also uses a generator of 2 with this
1896 * prime.
1897 */
1899 "D67DE440CBBBDC1936D693D34AFD0AD50C84D239A45F520BB88174CB98"
1900 "BCE951849F912E639C72FB13B4B4D7177E16D55AC179BA420B2A29FE324A"
1901 "467A635E81FF5901377BEDDCFD33168A461AAD3B72DAE8860078045B07A7"
1902 "DBCA7874087D1510EA9FCC9DDD330507DD62DB88AEAA747DE0F4D6E2BD68"
1913 }
1915 }
1917 /** Number of bits to use when choosing the x or y value in a Diffie-Hellman
1918 * handshake. Since we exponentiate by this value, choosing a smaller one
1919 * lets our handhake go faster.
1920 */
1921 #define DH_PRIVATE_KEY_BITS 320
1923 /** Allocate and return a new DH object for a key exchange.
1924 */
1925 crypto_dh_env_t *
1927 {
1945 }
1953 err:
1958 }
1960 /** Return the length of the DH key in <b>dh</b>, in bytes.
1961 */
1962 int
1964 {
1967 }
1969 /** Generate \<x,g^x\> for our part of the key exchange. Return 0 on
1970 * success, -1 on failure.
1971 */
1972 int
1974 {
1975 again:
1979 }
1983 /* Free and clear the keys, so OpenSSL will actually try again. */
1988 }
1990 }
1992 /** Generate g^x as necessary, and write the g^x for the key exchange
1993 * as a <b>pubkey_len</b>-byte value into <b>pubkey</b>. Return 0 on
1994 * success, -1 on failure. <b>pubkey_len</b> must be \>= DH_BYTES.
1995 */
1996 int
1998 {
2004 }
2014 }
2020 }
2022 /** Check for bad Diffie-Hellman public keys (g^x). Return 0 if the key is
2023 * okay (in the subgroup [2,p-2]), or -1 if it's bad.
2024 * See http://www.cl.cam.ac.uk/ftp/users/rja14/psandqs.ps.gz for some tips.
2025 */
2026 static int
2028 {
2040 }
2046 }
2049 err:
2055 }
2057 #undef MIN
2058 #define MIN(a,b) ((a)<(b)?(a):(b))
2059 /** Given a DH key exchange object, and our peer's value of g^y (as a
2060 * <b>pubkey_len</b>-byte value in <b>pubkey</b>) generate
2061 * <b>secret_bytes_out</b> bytes of shared key material and write them
2062 * to <b>secret_out</b>. Return the number of bytes generated on success,
2063 * or -1 on failure.
2064 *
2065 * (We generate key material by computing
2066 * SHA1( g^xy || "\x00" ) || SHA1( g^xy || "\x01" ) || ...
2067 * where || is concatenation.)
2068 */
2069 ssize_t
2073 {
2086 /* Check for invalid public keys. */
2089 }
2096 }
2104 error:
2106 done:
2113 }
2116 else
2118 }
2120 /** Given <b>key_in_len</b> bytes of negotiated randomness in <b>key_in</b>
2121 * ("K"), expand it into <b>key_out_len</b> bytes of negotiated key material in
2122 * <b>key_out</b> by taking the first <b>key_out_len</b> bytes of
2123 * H(K | [00]) | H(K | [01]) | ....
2124 *
2125 * Return 0 on success, -1 on failure.
2126 */
2127 int
2130 {
2135 /* If we try to get more than this amount of key data, we'll repeat blocks.*/
2145 }
2151 err:
2156 }
2158 /** Free a DH key exchange object.
2159 */
2160 void
2162 {
2168 }
2170 /* random numbers */
2172 /** How many bytes of entropy we add at once.
2173 *
2174 * This is how much entropy OpenSSL likes to add right now, so maybe it will
2175 * work for us too. */
2176 #define ADD_ENTROPY 32
2178 /** True iff we should use OpenSSL's RAND_poll function to add entropy to its
2179 * pool.
2180 *
2181 * Use RAND_poll if OpenSSL is 0.9.6 release or later. (The "f" means
2182 *"release".) */
2183 #define HAVE_RAND_POLL (OPENSSL_VERSION_NUMBER >= 0x0090600fl)
2185 /** True iff it's safe to use RAND_poll after setup.
2186 *
2187 * Versions of OpenSSL prior to 0.9.7k and 0.9.8c had a bug where RAND_poll
2188 * would allocate an fd_set on the stack, open a new file, and try to FD_SET
2189 * that fd without checking whether it fit in the fd_set. Thus, if the
2190 * system has not just been started up, it is unsafe to call */
2191 #define RAND_POLL_IS_SAFE \
2192 ((OPENSSL_VERSION_NUMBER >= 0x009070afl && \
2193 OPENSSL_VERSION_NUMBER <= 0x00907fffl) || \
2194 (OPENSSL_VERSION_NUMBER >= 0x0090803fl))
2196 /** Set the seed of the weak RNG to a random value. */
2197 static void
2199 {
2203 }
2205 /** Seed OpenSSL's random number generator with bytes from the operating
2206 * system. <b>startup</b> should be true iff we have just started Tor and
2207 * have not yet allocated a bunch of fds. Return 0 on success, -1 on failure.
2208 */
2209 int
2211 {
2214 /* local variables */
2215 #ifdef MS_WINDOWS
2219 #else
2223 };
2226 #endif
2228 #if HAVE_RAND_POLL
2229 /* OpenSSL 0.9.6 adds a RAND_poll function that knows about more kinds of
2230 * entropy than we do. We'll try calling that, *and* calling our own entropy
2231 * functions. If one succeeds, we'll accept the RNG as seeded. */
2236 }
2237 #endif
2239 #ifdef MS_WINDOWS
2242 CRYPT_VERIFYCONTEXT)) {
2246 }
2247 }
2249 }
2253 }
2258 #else
2270 }
2275 }
2279 #endif
2280 }
2282 /** Write <b>n</b> bytes of strong random data to <b>to</b>. Return 0 on
2283 * success, -1 on failure.
2284 */
2285 int
2287 {
2295 }
2297 /** Return a pseudorandom integer, chosen uniformly from the values
2298 * between 0 and <b>max</b>-1 inclusive. <b>max</b> must be between 1 and
2299 * INT_MAX+1, inclusive. */
2300 int
2302 {
2308 /* We ignore any values that are >= 'cutoff,' to avoid biasing the
2309 * distribution with clipping at the upper end of unsigned int's
2310 * range.
2311 */
2317 }
2318 }
2320 /** Return a pseudorandom 64-bit integer, chosen uniformly from the values
2321 * between 0 and <b>max</b>-1. */
2322 uint64_t
2324 {
2330 /* We ignore any values that are >= 'cutoff,' to avoid biasing the
2331 * distribution with clipping at the upper end of unsigned int's
2332 * range.
2333 */
2339 }
2340 }
2342 /** Return a pseudorandom double d, chosen uniformly from the range
2343 * 0.0 <= d < 1.0.
2344 */
2345 double
2347 {
2348 /* We just use an unsigned int here; we don't really care about getting
2349 * more than 32 bits of resolution */
2352 #if SIZEOF_INT == 4
2353 #define UINT_MAX_AS_DOUBLE 4294967296.0
2354 #elif SIZEOF_INT == 8
2355 #define UINT_MAX_AS_DOUBLE 1.8446744073709552e+19
2356 #else
2357 #error SIZEOF_INT is neither 4 nor 8
2358 #endif
2360 }
2362 /** Generate and return a new random hostname starting with <b>prefix</b>,
2363 * ending with <b>suffix</b>, and containing no less than
2364 * <b>min_rand_len</b> and no more than <b>max_rand_len</b> random base32
2365 * characters between. */
2369 {
2393 }
2395 /** Return a randomly chosen element of <b>sl</b>; or NULL if <b>sl</b>
2396 * is empty. */
2399 {
2404 }
2406 /** Scramble the elements of <b>sl</b> into a random order. */
2407 void
2409 {
2411 /* From the end of the list to the front, choose at random from the
2412 positions we haven't looked at yet, and swap that position into the
2413 current position. Remember to give "no swap" the same probability as
2414 any other swap. */
2418 }
2419 }
2421 /** Base-64 encode <b>srclen</b> bytes of data from <b>src</b>. Write
2422 * the result into <b>dest</b>, if it will fit within <b>destlen</b>
2423 * bytes. Return the number of bytes written on success; -1 if
2424 * destlen is too short, or other failure.
2425 */
2426 int
2428 {
2429 /* FFFF we might want to rewrite this along the lines of base64_decode, if
2430 * it ever shows up in the profile. */
2431 EVP_ENCODE_CTX ctx;
2435 /* 48 bytes of input -> 64 bytes of output plus newline.
2436 Plus one more byte, in case I'm wrong.
2437 */
2449 }
2451 /** @{ */
2452 /** Special values used for the base64_decode_table */
2453 #define X 255
2454 #define SP 64
2455 #define PAD 65
2456 /** @} */
2457 /** Internal table mapping byte values to what they represent in base64.
2458 * Numbers 0..63 are 6-bit integers. SPs are spaces, and should be
2459 * skipped. Xs are invalid and must not appear in base64. PAD indicates
2460 * end-of-string. */
2478 };
2480 /** Base-64 decode <b>srclen</b> bytes of data from <b>src</b>. Write
2481 * the result into <b>dest</b>, if it will fit within <b>destlen</b>
2482 * bytes. Return the number of bytes written on success; -1 if
2483 * destlen is too short, or other failure.
2484 *
2485 * NOTE 1: destlen is checked conservatively, as though srclen contained no
2486 * spaces or padding.
2487 *
2488 * NOTE 2: This implementation does not check for the correct number of
2489 * padding "=" characters at the end of the string, and does not check
2490 * for internal padding characters.
2491 */
2492 int
2494 {
2495 #ifdef USE_OPENSSL_BASE64
2496 EVP_ENCODE_CTX ctx;
2498 /* 64 bytes of input -> *up to* 48 bytes of output.
2499 Plus one more byte, in case I'm wrong.
2500 */
2512 #else
2518 /* Max number of bits == srclen*6.
2519 * Number of bytes required to hold all bits == (srclen*6)/8.
2520 * Yes, we want to round down: anything that hangs over the end of a
2521 * byte is padding. */
2527 /* Iterate over all the bytes in src. Each one will add 0 or 6 bits to the
2528 * value we're decoding. Accumulate bits in <b>n</b>, and whenever we have
2529 * 24 bits, batch them into 3 bytes and flush those bytes to dest.
2530 */
2536 /* This character isn't allowed in base64. */
2539 /* This character is whitespace, and has no effect. */
2542 /* We've hit an = character: the data is over. */
2545 /* We have an actual 6-bit value. Append it to the bits in n. */
2548 /* We've accumulated 24 bits in n. Flush them. */
2554 }
2555 }
2556 }
2557 end_of_loop:
2558 /* If we have leftover bits, we need to cope. */
2562 /* No leftover bits. We win. */
2565 /* 6 leftover bits. That's invalid; we can't form a byte out of that. */
2568 /* 12 leftover bits: The last 4 are padding and the first 8 are data. */
2572 /* 18 leftover bits: The last 2 are padding and the first 16 are data. */
2575 }
2581 #endif
2582 }
2583 #undef X
2584 #undef SP
2585 #undef PAD
2587 /** Base-64 encode DIGEST_LINE bytes from <b>digest</b>, remove the trailing =
2588 * and newline characters, and store the nul-terminated result in the first
2589 * BASE64_DIGEST_LEN+1 bytes of <b>d64</b>. */
2590 int
2592 {
2598 }
2600 /** Given a base-64 encoded, nul-terminated digest in <b>d64</b> (without
2601 * trailing newline or = characters), decode it and store the result in the
2602 * first DIGEST_LEN bytes at <b>digest</b>. */
2603 int
2605 {
2606 #ifdef USE_OPENSSL_BASE64
2617 #else
2620 else
2622 #endif
2623 }
2625 /** Base-64 encode DIGEST256_LINE bytes from <b>digest</b>, remove the
2626 * trailing = and newline characters, and store the nul-terminated result in
2627 * the first BASE64_DIGEST256_LEN+1 bytes of <b>d64</b>. */
2628 int
2630 {
2636 }
2638 /** Given a base-64 encoded, nul-terminated digest in <b>d64</b> (without
2639 * trailing newline or = characters), decode it and store the result in the
2640 * first DIGEST256_LEN bytes at <b>digest</b>. */
2641 int
2643 {
2644 #ifdef USE_OPENSSL_BASE64
2655 #else
2658 else
2660 #endif
2661 }
2663 /** Implements base32 encoding as in rfc3548. Limitation: Requires
2664 * that srclen*8 is a multiple of 5.
2665 */
2666 void
2668 {
2678 /* set v to the 16-bit value starting at src[bits/8], 0-padded. */
2681 /* set u to the 5-bit value at the bit'th bit of src. */
2684 }
2686 }
2688 /** Implements base32 decoding as in rfc3548. Limitation: Requires
2689 * that srclen*5 is a multiple of 8. Returns 0 if successful, -1 otherwise.
2690 */
2691 int
2693 {
2694 /* XXXX we might want to rewrite this along the lines of base64_decode, if
2695 * it ever shows up in the profile. */
2706 /* Convert base32 encoded chars to the 5-bit values that they represent. */
2716 }
2717 }
2719 /* Assemble result byte-wise by applying five possible cases. */
2744 }
2745 }
2751 }
2753 /** Implement RFC2440-style iterated-salted S2K conversion: convert the
2754 * <b>secret_len</b>-byte <b>secret</b> into a <b>key_out_len</b> byte
2755 * <b>key_out</b>. As in RFC2440, the first 8 bytes of s2k_specifier
2756 * are a salt; the 9th byte describes how much iteration to do.
2757 * Does not support <b>key_out_len</b> > DIGEST_LEN.
2758 */
2759 void
2762 {
2769 #define EXPBIAS 6
2772 #undef EXPBIAS
2789 }
2790 }
2795 }
2797 #ifdef TOR_IS_MULTITHREADED
2798 /** Helper: OpenSSL uses this callback to manipulate mutexes. */
2799 static void
2801 {
2805 /* This is not a really good fix for the
2806 * "release-freed-lock-from-separate-thread-on-shutdown" problem, but
2807 * it can't hurt. */
2811 else
2813 }
2815 /** OpenSSL helper type: wraps a Tor mutex so that OpenSSL can use it
2816 * as a lock. */
2819 };
2821 /** OpenSSL callback function to allocate a lock: see CRYPTO_set_dynlock_*
2822 * documentation in OpenSSL's docs for more info. */
2825 {
2832 }
2834 /** OpenSSL callback function to acquire or release a lock: see
2835 * CRYPTO_set_dynlock_* documentation in OpenSSL's docs for more info. */
2836 static void
2839 {
2844 else
2846 }
2848 /** OpenSSL callback function to free a lock: see CRYPTO_set_dynlock_*
2849 * documentation in OpenSSL's docs for more info. */
2850 static void
2853 {
2858 }
2860 /** @{ */
2861 /** Helper: Construct mutexes, and set callbacks to help OpenSSL handle being
2862 * multithreaded. */
2863 static int
2865 {
2878 }
2879 #else
2880 static int
2882 {
2884 }
2885 #endif
2886 /** @} */