| blob | e377b01d413149a33ad89ce67ecfb084f6e88f1f |
1 /* Copyright (c) 2001, Matej Pfajfar.
2 * Copyright (c) 2001-2004, Roger Dingledine.
3 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
4 * Copyright (c) 2007-2011, The Tor Project, Inc. */
5 /* See LICENSE for licensing information */
7 /**
8 * \file crypto.c
9 * \brief Wrapper functions to present a consistent interface to
10 * public-key and symmetric cryptography operations from OpenSSL.
11 **/
15 #ifdef MS_WINDOWS
16 #ifndef WIN32_WINNT
17 #define WIN32_WINNT 0x400
18 #endif
19 #ifndef _WIN32_WINNT
20 #define _WIN32_WINNT 0x400
21 #endif
22 #define WIN32_LEAN_AND_MEAN
23 #include <windows.h>
24 #include <wincrypt.h>
25 /* Windows defines this; so does OpenSSL 0.9.8h and later. We don't actually
26 * use either definition. */
27 #undef OCSP_RESPONSE
28 #endif
30 #include <openssl/err.h>
31 #include <openssl/rsa.h>
32 #include <openssl/pem.h>
33 #include <openssl/evp.h>
34 #include <openssl/engine.h>
35 #include <openssl/rand.h>
36 #include <openssl/opensslv.h>
37 #include <openssl/bn.h>
38 #include <openssl/dh.h>
39 #include <openssl/conf.h>
40 #include <openssl/hmac.h>
42 #ifdef HAVE_CTYPE_H
43 #include <ctype.h>
44 #endif
45 #ifdef HAVE_UNISTD_H
46 #include <unistd.h>
47 #endif
48 #ifdef HAVE_FCNTL_H
49 #include <fcntl.h>
50 #endif
51 #ifdef HAVE_SYS_FCNTL_H
52 #include <sys/fcntl.h>
53 #endif
55 #define CRYPTO_PRIVATE
63 #if OPENSSL_VERSION_NUMBER < OPENSSL_V_SERIES(0,9,7)
65 #endif
67 #ifdef ANDROID
68 /* Android's OpenSSL seems to have removed all of its Engine support. */
69 #define DISABLE_ENGINES
70 #endif
72 /** Longest recognized */
73 #define MAX_DNS_LABEL_SIZE 63
75 #if OPENSSL_VERSION_NUMBER < OPENSSL_V_SERIES(0,9,8)
76 /** @{ */
77 /** On OpenSSL versions before 0.9.8, there is no working SHA256
78 * implementation, so we use Tom St Denis's nice speedy one, slightly adapted
79 * to our needs. These macros make it usable by us. */
80 #define SHA256_CTX sha256_state
81 #define SHA256_Init sha256_init
82 #define SHA256_Update sha256_process
83 #define LTC_ARGCHK(x) tor_assert(x)
84 /** @} */
86 #define SHA256_Final(a,b) sha256_done(b,a)
90 {
91 SHA256_CTX ctx;
96 }
97 #endif
99 /** Macro: is k a valid RSA public or private key? */
100 #define PUBLIC_KEY_OK(k) ((k) && (k)->key && (k)->key->n)
101 /** Macro: is k a valid RSA private key? */
102 #define PRIVATE_KEY_OK(k) ((k) && (k)->key && (k)->key->p)
104 #ifdef TOR_IS_MULTITHREADED
105 /** A number of preallocated mutexes for use by OpenSSL. */
107 /** How many mutexes have we allocated for use by OpenSSL? */
109 #endif
111 /** A public key, or a public/private key-pair. */
112 struct crypto_pk_env_t
113 {
116 };
118 /** Key and stream information for a stream cipher. */
119 struct crypto_cipher_env_t
120 {
123 * encryption */
124 };
126 /** A structure to hold the first half (x, g^x) of a Diffie-Hellman handshake
127 * while we're waiting for the second.*/
130 };
135 /** Return the number of bytes added by padding method <b>padding</b>.
136 */
139 {
141 {
146 }
147 }
149 /** Given a padding method <b>padding</b>, return the correct OpenSSL constant.
150 */
153 {
155 {
160 }
161 }
163 /** Boolean: has OpenSSL's crypto been initialized? */
166 /** Log all pending crypto errors at level <b>severity</b>. Use
167 * <b>doing</b> to describe our current activities.
168 */
169 static void
171 {
186 }
187 }
188 }
190 #ifndef DISABLE_ENGINES
191 /** Log any OpenSSL engines we're using at NOTICE. */
192 static void
194 {
203 }
204 }
205 #endif
207 #ifndef DISABLE_ENGINES
208 /** Try to load an engine in a shared library via fully qualified path.
209 */
212 {
221 }
222 }
224 }
225 #endif
227 /** Initialize the crypto library. Return 0 on success, -1 on failure.
228 */
229 int
231 {
238 #ifdef DISABLE_ENGINES
242 #else
258 }
261 accelName);
264 accelName);
265 }
266 }
271 }
278 #endif
281 }
287 }
289 }
291 /** Free crypto resources held by this thread. */
292 void
294 {
296 }
298 /** used by tortls.c: wrap an RSA* in a crypto_pk_env_t. */
299 crypto_pk_env_t *
301 {
308 }
310 /** Helper, used by tor-checkkey.c and tor-gencert.c. Return the RSA from a
311 * crypto_pk_env_t. */
312 RSA *
314 {
316 }
318 /** used by tortls.c: get an equivalent EVP_PKEY* for a crypto_pk_env_t. Iff
319 * private is set, include the private-key portion of the key. */
320 EVP_PKEY *
322 {
332 }
338 error:
344 }
346 /** Used by tortls.c: Get the DH* from a crypto_dh_env_t.
347 */
348 DH *
350 {
352 }
354 /** Allocate and return storage for a public key. The key itself will not yet
355 * be set.
356 */
357 crypto_pk_env_t *
359 {
365 }
367 /** Release a reference to an asymmetric key; when all the references
368 * are released, free the key.
369 */
370 void
372 {
384 }
386 /** Create a new symmetric cipher for a given key and encryption flag
387 * (1=encrypt, 0=decrypt). Return the crypto object on success; NULL
388 * on failure.
389 */
390 crypto_cipher_env_t *
392 {
399 }
405 else
412 error:
416 }
418 /** Allocate and return a new symmetric cipher.
419 */
420 crypto_cipher_env_t *
422 {
428 }
430 /** Free a symmetric cipher.
431 */
432 void
434 {
442 }
444 /* public key crypto */
446 /** Generate a <b>bits</b>-bit new public/private keypair in <b>env</b>.
447 * Return 0 on success, -1 on failure.
448 */
449 int
451 {
456 #if OPENSSL_VERSION_NUMBER < OPENSSL_V_SERIES(0,9,8)
457 /* In OpenSSL 0.9.7, RSA_generate_key is all we have. */
459 #else
460 /* In OpenSSL 0.9.8, RSA_generate_key is deprecated. */
461 {
476 done:
481 }
482 #endif
486 }
489 }
491 /** Read a PEM-encoded private key from the <b>len</b>-byte string <b>s</b>
492 * into <b>env</b>. Return 0 on success, -1 on failure. If len is -1,
493 * the string is nul-terminated.
494 */
495 /* Used here, and used for testing. */
496 int
499 {
506 /* Create a read-only memory BIO, backed by the string 's' */
521 }
523 }
525 /** Read a PEM-encoded private key from the file named by
526 * <b>keyfile</b> into <b>env</b>. Return 0 on success, -1 on failure.
527 */
528 int
531 {
535 /* Read the file into a string. */
540 }
542 /* Try to parse it. */
549 /* Make sure it's valid. */
554 }
556 /** Helper function to implement crypto_pk_write_*_key_to_string. */
557 static int
560 {
573 /* Now you can treat b as if it were a file. Just use the
574 * PEM_*_bio_* functions instead of the non-bio variants.
575 */
578 else
585 }
598 }
600 /** PEM-encode the public key portion of <b>env</b> and write it to a
601 * newly allocated string. On success, set *<b>dest</b> to the new
602 * string, *<b>len</b> to the string's length, and return 0. On
603 * failure, return -1.
604 */
605 int
608 {
610 }
612 /** PEM-encode the private key portion of <b>env</b> and write it to a
613 * newly allocated string. On success, set *<b>dest</b> to the new
614 * string, *<b>len</b> to the string's length, and return 0. On
615 * failure, return -1.
616 */
617 int
620 {
622 }
624 /** Read a PEM-encoded public key from the first <b>len</b> characters of
625 * <b>src</b>, and store the result in <b>env</b>. Return 0 on success, -1 on
626 * failure.
627 */
628 int
631 {
651 }
654 }
656 /** Write the private key from <b>env</b> into the file named by <b>fname</b>,
657 * PEM-encoded. Return 0 on success, -1 on failure.
658 */
659 int
662 {
678 }
689 }
691 /** Return true iff <b>env</b> has a valid key.
692 */
693 int
695 {
703 }
705 /** Return true iff <b>key</b> contains the private-key portion of the RSA
706 * key. */
707 int
709 {
712 }
714 /** Return true iff <b>env</b> contains a public key whose public exponent
715 * equals 65537.
716 */
717 int
719 {
724 }
726 /** Compare the public-key components of a and b. Return -1 if a\<b, 0
727 * if a==b, and 1 if a\>b.
728 */
729 int
731 {
746 }
748 /** Return the size of the public key modulus in <b>env</b>, in bytes. */
749 size_t
751 {
756 }
758 /** Return the size of the public key modulus of <b>env</b>, in bits. */
759 int
761 {
767 }
769 /** Increase the reference count of <b>env</b>, and return it.
770 */
771 crypto_pk_env_t *
773 {
779 }
781 /** Make a real honest-to-goodness copy of <b>env</b>, and return it. */
782 crypto_pk_env_t *
784 {
795 }
804 }
807 }
809 /** Encrypt <b>fromlen</b> bytes from <b>from</b> with the public key
810 * in <b>env</b>, using the padding method <b>padding</b>. On success,
811 * write the result to <b>to</b>, and return the number of bytes
812 * written. On failure, return -1.
813 *
814 * <b>tolen</b> is the number of writable bytes in <b>to</b>, and must be
815 * at least the length of the modulus of <b>env</b>.
816 */
817 int
820 {
834 }
836 }
838 /** Decrypt <b>fromlen</b> bytes from <b>from</b> with the private key
839 * in <b>env</b>, using the padding method <b>padding</b>. On success,
840 * write the result to <b>to</b>, and return the number of bytes
841 * written. On failure, return -1.
842 *
843 * <b>tolen</b> is the number of writable bytes in <b>to</b>, and must be
844 * at least the length of the modulus of <b>env</b>.
845 */
846 int
851 {
860 /* Not a private key */
871 }
873 }
875 /** Check the signature in <b>from</b> (<b>fromlen</b> bytes long) with the
876 * public key in <b>env</b>, using PKCS1 padding. On success, write the
877 * signed data to <b>to</b>, and return the number of bytes written.
878 * On failure, return -1.
879 *
880 * <b>tolen</b> is the number of writable bytes in <b>to</b>, and must be
881 * at least the length of the modulus of <b>env</b>.
882 */
883 int
887 {
901 }
903 }
905 /** Check a siglen-byte long signature at <b>sig</b> against
906 * <b>datalen</b> bytes of data at <b>data</b>, using the public key
907 * in <b>env</b>. Return 0 if <b>sig</b> is a correct signature for
908 * SHA1(data). Else return -1.
909 */
910 int
913 {
928 }
936 }
941 }
945 }
947 /** Sign <b>fromlen</b> bytes of data from <b>from</b> with the private key in
948 * <b>env</b>, using PKCS1 padding. On success, write the signature to
949 * <b>to</b>, and return the number of bytes written. On failure, return
950 * -1.
951 *
952 * <b>tolen</b> is the number of writable bytes in <b>to</b>, and must be
953 * at least the length of the modulus of <b>env</b>.
954 */
955 int
958 {
966 /* Not a private key */
975 }
977 }
979 /** Compute a SHA1 digest of <b>fromlen</b> bytes of data stored at
980 * <b>from</b>; sign the data with the private key in <b>env</b>, and
981 * store it in <b>to</b>. Return the number of bytes written on
982 * success, and -1 on failure.
983 *
984 * <b>tolen</b> is the number of writable bytes in <b>to</b>, and must be
985 * at least the length of the modulus of <b>env</b>.
986 */
987 int
990 {
998 }
1000 /** Perform a hybrid (public/secret) encryption on <b>fromlen</b>
1001 * bytes of data from <b>from</b>, with padding type 'padding',
1002 * storing the results on <b>to</b>.
1003 *
1004 * If no padding is used, the public key must be at least as large as
1005 * <b>from</b>.
1006 *
1007 * Returns the number of bytes written on success, -1 on failure.
1008 *
1009 * The encrypted data consists of:
1010 * - The source data, padded and encrypted with the public key, if the
1011 * padded source data is no longer than the public key, and <b>force</b>
1012 * is false, OR
1013 * - The beginning of the source data prefixed with a 16-byte symmetric key,
1014 * padded and encrypted with the public key; followed by the rest of
1015 * the source data encrypted in AES-CTR mode with the symmetric key.
1016 */
1017 int
1023 {
1041 /* It all fits in a single encrypt. */
1043 tolen,
1045 }
1053 /* You can't just run around RSA-encrypting any bitstream: if it's
1054 * greater than the RSA key, then OpenSSL will happily encrypt, and
1055 * later decrypt to the wrong value. So we set the first bit of
1056 * 'cipher->key' to 0 if we aren't padding. This means that our
1057 * symmetric key is really only 127 bits.
1058 */
1067 /* Length of symmetrically encrypted data. */
1073 }
1083 err:
1087 }
1090 }
1092 /** Invert crypto_pk_public_hybrid_encrypt. */
1093 int
1100 {
1111 warnOnFailure);
1112 }
1116 warnOnFailure);
1121 }
1126 }
1130 }
1142 err:
1147 }
1149 /** ASN.1-encode the public portion of <b>pk</b> into <b>dest</b>.
1150 * Return -1 on error, or the number of characters used on success.
1151 */
1152 int
1154 {
1166 }
1167 /* We don't encode directly into 'dest', because that would be illegal
1168 * type-punning. (C99 is smarter than me, C99 is smarter than me...)
1169 */
1173 }
1175 /** Decode an ASN.1-encoded public key from <b>str</b>; return the result on
1176 * success and NULL on failure.
1177 */
1178 crypto_pk_env_t *
1180 {
1191 }
1193 }
1195 /** Given a private or public key <b>pk</b>, put a SHA1 hash of the
1196 * public key into <b>digest_out</b> (must have DIGEST_LEN bytes of space).
1197 * Return 0 on success, -1 on failure.
1198 */
1199 int
1201 {
1214 }
1218 }
1221 }
1223 /** Compute all digests of the DER encoding of <b>pk</b>, and store them
1224 * in <b>digests_out</b>. Return 0 on success, -1 on failure. */
1225 int
1227 {
1240 }
1244 }
1247 }
1249 /** Copy <b>in</b> to the <b>outlen</b>-byte buffer <b>out</b>, adding spaces
1250 * every four spaces. */
1253 {
1263 }
1264 }
1267 }
1269 /** Given a private or public key <b>pk</b>, put a fingerprint of the
1270 * public key into <b>fp_out</b> (must have at least FINGERPRINT_LEN+1 bytes of
1271 * space). Return 0 on success, -1 on failure.
1272 *
1273 * Fingerprints are computed as the SHA1 digest of the ASN.1 encoding
1274 * of the public key, converted to hexadecimal, in upper case, with a
1275 * space after every four digits.
1276 *
1277 * If <b>add_space</b> is false, omit the spaces.
1278 */
1279 int
1281 {
1286 }
1292 }
1294 }
1296 /** Return true iff <b>s</b> is in the correct format for a fingerprint.
1297 */
1298 int
1300 {
1307 }
1308 }
1311 }
1313 /* symmetric crypto */
1315 /** Generate a new random key for the symmetric cipher in <b>env</b>.
1316 * Return 0 on success, -1 on failure. Does not initialize the cipher.
1317 */
1318 int
1320 {
1324 }
1326 /** Set the symmetric key for the cipher in <b>env</b> to the first
1327 * CIPHER_KEY_LEN bytes of <b>key</b>. Does not initialize the cipher.
1328 */
1329 void
1331 {
1336 }
1338 /** Generate an initialization vector for our AES-CTR cipher; store it
1339 * in the first CIPHER_IV_LEN bytes of <b>iv_out</b>. */
1340 void
1342 {
1344 }
1346 /** Adjust the counter of <b>env</b> to point to the first byte of the block
1347 * corresponding to the encryption of the CIPHER_IV_LEN bytes at
1348 * <b>iv</b>. */
1349 int
1351 {
1356 }
1358 /** Return a pointer to the key set for the cipher in <b>env</b>.
1359 */
1362 {
1364 }
1366 /** Initialize the cipher in <b>env</b> for encryption. Return 0 on
1367 * success, -1 on failure.
1368 */
1369 int
1371 {
1376 }
1378 /** Initialize the cipher in <b>env</b> for decryption. Return 0 on
1379 * success, -1 on failure.
1380 */
1381 int
1383 {
1388 }
1390 /** Encrypt <b>fromlen</b> bytes from <b>from</b> using the cipher
1391 * <b>env</b>; on success, store the result to <b>to</b> and return 0.
1392 * On failure, return -1.
1393 */
1394 int
1397 {
1407 }
1409 /** Decrypt <b>fromlen</b> bytes from <b>from</b> using the cipher
1410 * <b>env</b>; on success, store the result to <b>to</b> and return 0.
1411 * On failure, return -1.
1412 */
1413 int
1416 {
1424 }
1426 /** Encrypt <b>len</b> bytes on <b>from</b> using the cipher in <b>env</b>;
1427 * on success, return 0. On failure, return -1.
1428 */
1429 int
1431 {
1435 }
1437 /** Encrypt <b>fromlen</b> bytes (at least 1) from <b>from</b> with the key in
1438 * <b>cipher</b> to the buffer in <b>to</b> of length
1439 * <b>tolen</b>. <b>tolen</b> must be at least <b>fromlen</b> plus
1440 * CIPHER_IV_LEN bytes for the initialization vector. On success, return the
1441 * number of bytes written, on failure, return -1.
1442 *
1443 * This function adjusts the current position of the counter in <b>cipher</b>
1444 * to immediately after the encrypted data.
1445 */
1446 int
1450 {
1466 }
1468 /** Decrypt <b>fromlen</b> bytes (at least 1+CIPHER_IV_LEN) from <b>from</b>
1469 * with the key in <b>cipher</b> to the buffer in <b>to</b> of length
1470 * <b>tolen</b>. <b>tolen</b> must be at least <b>fromlen</b> minus
1471 * CIPHER_IV_LEN bytes for the initialization vector. On success, return the
1472 * number of bytes written, on failure, return -1.
1473 *
1474 * This function adjusts the current position of the counter in <b>cipher</b>
1475 * to immediately after the decrypted data.
1476 */
1477 int
1481 {
1496 }
1498 /* SHA-1 */
1500 /** Compute the SHA1 digest of the <b>len</b> bytes on data stored in
1501 * <b>m</b>. Write the DIGEST_LEN byte result into <b>digest</b>.
1502 * Return 0 on success, -1 on failure.
1503 */
1504 int
1506 {
1510 }
1512 /** Compute a 256-bit digest of <b>len</b> bytes in data stored in <b>m</b>,
1513 * using the algorithm <b>algorithm</b>. Write the DIGEST_LEN256-byte result
1514 * into <b>digest</b>. Return 0 on success, -1 on failure. */
1515 int
1517 digest_algorithm_t algorithm)
1518 {
1523 }
1525 /** Set the digests_t in <b>ds_out</b> to contain every digest on the
1526 * <b>len</b> bytes in <b>m</b> that we know how to compute. Return 0 on
1527 * success, -1 on failure. */
1528 int
1530 {
1531 digest_algorithm_t i;
1539 }
1541 }
1543 /** Return the name of an algorithm, as used in directory documents. */
1546 {
1555 }
1556 }
1558 /** Given the name of a digest algorithm, return its integer value, or -1 if
1559 * the name is not recognized. */
1560 int
1562 {
1567 else
1569 }
1571 /** Intermediate information about the digest of a stream of data. */
1577 * union is usable, depending on the value of <b>algorithm</b>. */
1579 };
1581 /** Allocate and return a new digest object to compute SHA1 digests.
1582 */
1583 crypto_digest_env_t *
1585 {
1591 }
1593 /** Allocate and return a new digest object to compute 256-bit digests
1594 * using <b>algorithm</b>. */
1595 crypto_digest_env_t *
1597 {
1604 }
1606 /** Deallocate a digest object.
1607 */
1608 void
1610 {
1615 }
1617 /** Add <b>len</b> bytes from <b>data</b> to the digest object.
1618 */
1619 void
1622 {
1625 /* Using the SHA*_*() calls directly means we don't support doing
1626 * SHA in hardware. But so far the delay of getting the question
1627 * to the hardware, and hearing the answer, is likely higher than
1628 * just doing it ourselves. Hashes are fast.
1629 */
1640 }
1641 }
1643 /** Compute the hash of the data that has been passed to the digest
1644 * object; write the first out_len bytes of the result to <b>out</b>.
1645 * <b>out_len</b> must be \<= DIGEST256_LEN.
1646 */
1647 void
1650 {
1652 crypto_digest_env_t tmpenv;
1655 /* memcpy into a temporary ctx, since SHA*_Final clears the context */
1668 /* If fragile_assert is not enabled, then we should at least not
1669 * leak anything. */
1673 }
1676 }
1678 /** Allocate and return a new digest object with the same state as
1679 * <b>digest</b>
1680 */
1681 crypto_digest_env_t *
1683 {
1689 }
1691 /** Replace the state of the digest object <b>into</b> with the state
1692 * of the digest object <b>from</b>.
1693 */
1694 void
1697 {
1701 }
1703 /** Compute the HMAC-SHA-1 of the <b>msg_len</b> bytes in <b>msg</b>, using
1704 * the <b>key</b> of length <b>key_len</b>. Store the DIGEST_LEN-byte result
1705 * in <b>hmac_out</b>.
1706 */
1707 void
1711 {
1716 }
1718 /** Compute the HMAC-SHA-256 of the <b>msg_len</b> bytes in <b>msg</b>, using
1719 * the <b>key</b> of length <b>key_len</b>. Store the DIGEST_LEN-byte result
1720 * in <b>hmac_out</b>.
1721 */
1722 void
1726 {
1727 #if OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(0,9,8)
1728 /* If we've got OpenSSL >=0.9.8 we can use its hmac implementation. */
1733 #else
1734 /* OpenSSL doesn't have an EVP implementation for SHA256. We'll need
1735 to do HMAC on our own.
1737 HMAC isn't so hard: To compute HMAC(key, msg):
1738 1. If len(key) > blocksize, key = H(key).
1739 2. If len(key) < blocksize, right-pad key up to blocksize with 0 bytes.
1740 3. let ipad = key xor 0x363636363636....36
1741 let opad = key xor 0x5c5c5c5c5c5c....5c
1742 The result is H(opad | H( ipad | msg ) )
1743 */
1744 #define BLOCKSIZE 64
1745 #define DIGESTSIZE 32
1750 SHA256_CTX st;
1761 }
1776 /* Now clear everything. */
1781 #undef BLOCKSIZE
1782 #undef DIGESTSIZE
1783 #endif
1784 }
1786 /* DH */
1788 /** Our DH 'g' parameter */
1789 #define DH_GENERATOR 2
1791 /** Shared P parameter for our circuit-crypto DH key exchanges. */
1793 /** Shared P parameter for our TLS DH key exchanges. */
1795 /** Shared G parameter for our DH key exchanges. */
1798 /** Generate and return a reasonable and safe DH parameter p. */
1801 {
1826 }
1829 }
1831 /** Store our dynamic DH modulus (and its group parameters) to
1832 <b>fname</b> for future use. */
1833 static int
1835 {
1851 }
1866 }
1873 }
1881 }
1883 /* concatenate file header and the dh parameters blob */
1886 /* write to file */
1890 }
1894 done:
1902 }
1904 /** Return the dynamic DH modulus stored in <b>fname</b>. If there is no
1905 dynamic DH modulus stored in <b>fname</b>, return NULL. */
1908 {
1926 }
1928 /* skip the file header */
1934 }
1936 /* 'fname' contains the DH parameters stored in base64-ed DER
1937 * format. We are only interested in the DH modulus.
1938 * NOTE: We allocate more storage here than we need. Since we're already
1939 * doing that, we can also add 1 byte extra to appease Coverity's
1940 * scanner. */
1948 }
1954 }
1961 }
1968 }
1974 }
1975 }
1982 }
1986 err:
1991 /* no can do if these functions return error */
2002 }
2007 }
2009 done:
2016 }
2019 }
2021 /** Set the global TLS Diffie-Hellman modulus.
2022 * If <b>dynamic_dh_modulus_fname</b> is set, try to read a dynamic DH modulus
2023 * off it and use it as the DH modulus. If that's not possible,
2024 * generate a new dynamic DH modulus.
2025 * If <b>dynamic_dh_modulus_fname</b> is NULL, use the Apache mod_ssl DH
2026 * modulus. */
2027 void
2029 {
2034 /* If the space is occupied, free the previous TLS DH prime */
2038 }
2049 store_dh_prime_afterwards++;
2050 }
2055 /* This is the 1024-bit safe prime that Apache uses for its DH stuff; see
2056 * modules/ssl/ssl_engine_dh.c; Apache also uses a generator of 2 with this
2057 * prime.
2058 */
2060 "D67DE440CBBBDC1936D693D34AFD0AD50C84D239A45F520BB88174CB98"
2061 "BCE951849F912E639C72FB13B4B4D7177E16D55AC179BA420B2A29FE324A"
2062 "467A635E81FF5901377BEDDCFD33168A461AAD3B72DAE8860078045B07A7"
2063 "DBCA7874087D1510EA9FCC9DDD330507DD62DB88AEAA747DE0F4D6E2BD68"
2066 }
2073 /* save the new dynamic DH modulus to disk. */
2077 }
2078 }
2080 /** Initialize dh_param_p and dh_param_g if they are not already
2081 * set. */
2082 static void
2084 {
2094 /* Set our generator for all DH parameters */
2098 /* This is from rfc2409, section 6.2. It's a safe prime, and
2099 supposedly it equals:
2100 2^1024 - 2^960 - 1 + 2^64 * { [2^894 pi] + 129093 }.
2101 */
2103 "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E08"
2104 "8A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B"
2105 "302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9"
2106 "A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE6"
2110 /* Set the new values as the global DH parameters. */
2114 /* Ensure that we have TLS DH parameters set up, too, even if we're
2115 going to change them soon. */
2118 }
2119 }
2121 /** Number of bits to use when choosing the x or y value in a Diffie-Hellman
2122 * handshake. Since we exponentiate by this value, choosing a smaller one
2123 * lets our handhake go faster.
2124 */
2125 #define DH_PRIVATE_KEY_BITS 320
2127 /** Allocate and return a new DH object for a key exchange.
2128 */
2129 crypto_dh_env_t *
2131 {
2149 }
2157 err:
2162 }
2164 /** Return the length of the DH key in <b>dh</b>, in bytes.
2165 */
2166 int
2168 {
2171 }
2173 /** Generate \<x,g^x\> for our part of the key exchange. Return 0 on
2174 * success, -1 on failure.
2175 */
2176 int
2178 {
2179 again:
2183 }
2187 /* Free and clear the keys, so OpenSSL will actually try again. */
2192 }
2194 }
2196 /** Generate g^x as necessary, and write the g^x for the key exchange
2197 * as a <b>pubkey_len</b>-byte value into <b>pubkey</b>. Return 0 on
2198 * success, -1 on failure. <b>pubkey_len</b> must be \>= DH_BYTES.
2199 */
2200 int
2202 {
2208 }
2218 }
2224 }
2226 /** Check for bad Diffie-Hellman public keys (g^x). Return 0 if the key is
2227 * okay (in the subgroup [2,p-2]), or -1 if it's bad.
2228 * See http://www.cl.cam.ac.uk/ftp/users/rja14/psandqs.ps.gz for some tips.
2229 */
2230 static int
2232 {
2244 }
2250 }
2253 err:
2259 }
2261 #undef MIN
2262 #define MIN(a,b) ((a)<(b)?(a):(b))
2263 /** Given a DH key exchange object, and our peer's value of g^y (as a
2264 * <b>pubkey_len</b>-byte value in <b>pubkey</b>) generate
2265 * <b>secret_bytes_out</b> bytes of shared key material and write them
2266 * to <b>secret_out</b>. Return the number of bytes generated on success,
2267 * or -1 on failure.
2268 *
2269 * (We generate key material by computing
2270 * SHA1( g^xy || "\x00" ) || SHA1( g^xy || "\x01" ) || ...
2271 * where || is concatenation.)
2272 */
2273 ssize_t
2277 {
2290 /* Check for invalid public keys. */
2293 }
2300 }
2308 error:
2310 done:
2317 }
2320 else
2322 }
2324 /** Given <b>key_in_len</b> bytes of negotiated randomness in <b>key_in</b>
2325 * ("K"), expand it into <b>key_out_len</b> bytes of negotiated key material in
2326 * <b>key_out</b> by taking the first <b>key_out_len</b> bytes of
2327 * H(K | [00]) | H(K | [01]) | ....
2328 *
2329 * Return 0 on success, -1 on failure.
2330 */
2331 int
2334 {
2339 /* If we try to get more than this amount of key data, we'll repeat blocks.*/
2349 }
2355 err:
2360 }
2362 /** Free a DH key exchange object.
2363 */
2364 void
2366 {
2372 }
2374 /* random numbers */
2376 /** How many bytes of entropy we add at once.
2377 *
2378 * This is how much entropy OpenSSL likes to add right now, so maybe it will
2379 * work for us too. */
2380 #define ADD_ENTROPY 32
2382 /** True iff it's safe to use RAND_poll after setup.
2383 *
2384 * Versions of OpenSSL prior to 0.9.7k and 0.9.8c had a bug where RAND_poll
2385 * would allocate an fd_set on the stack, open a new file, and try to FD_SET
2386 * that fd without checking whether it fit in the fd_set. Thus, if the
2387 * system has not just been started up, it is unsafe to call */
2388 #define RAND_POLL_IS_SAFE \
2390 OPENSSL_VERSION_NUMBER < OPENSSL_V_SERIES(0,9,8)) || \
2393 /** Set the seed of the weak RNG to a random value. */
2394 static void
2396 {
2400 }
2402 /** Seed OpenSSL's random number generator with bytes from the operating
2403 * system. <b>startup</b> should be true iff we have just started Tor and
2404 * have not yet allocated a bunch of fds. Return 0 on success, -1 on failure.
2405 */
2406 int
2408 {
2411 /* local variables */
2412 #ifdef MS_WINDOWS
2416 #else
2420 };
2423 #endif
2425 /* OpenSSL has a RAND_poll function that knows about more kinds of
2426 * entropy than we do. We'll try calling that, *and* calling our own entropy
2427 * functions. If one succeeds, we'll accept the RNG as seeded. */
2432 }
2434 #ifdef MS_WINDOWS
2437 CRYPT_VERIFYCONTEXT)) {
2441 }
2442 }
2444 }
2448 }
2453 #else
2465 }
2470 }
2474 #endif
2475 }
2477 /** Write <b>n</b> bytes of strong random data to <b>to</b>. Return 0 on
2478 * success, -1 on failure.
2479 */
2480 int
2482 {
2490 }
2492 /** Return a pseudorandom integer, chosen uniformly from the values
2493 * between 0 and <b>max</b>-1 inclusive. <b>max</b> must be between 1 and
2494 * INT_MAX+1, inclusive. */
2495 int
2497 {
2503 /* We ignore any values that are >= 'cutoff,' to avoid biasing the
2504 * distribution with clipping at the upper end of unsigned int's
2505 * range.
2506 */
2512 }
2513 }
2515 /** Return a pseudorandom 64-bit integer, chosen uniformly from the values
2516 * between 0 and <b>max</b>-1. */
2517 uint64_t
2519 {
2525 /* We ignore any values that are >= 'cutoff,' to avoid biasing the
2526 * distribution with clipping at the upper end of unsigned int's
2527 * range.
2528 */
2534 }
2535 }
2537 /** Return a pseudorandom double d, chosen uniformly from the range
2538 * 0.0 <= d < 1.0.
2539 */
2540 double
2542 {
2543 /* We just use an unsigned int here; we don't really care about getting
2544 * more than 32 bits of resolution */
2547 #if SIZEOF_INT == 4
2548 #define UINT_MAX_AS_DOUBLE 4294967296.0
2549 #elif SIZEOF_INT == 8
2550 #define UINT_MAX_AS_DOUBLE 1.8446744073709552e+19
2551 #else
2552 #error SIZEOF_INT is neither 4 nor 8
2553 #endif
2555 }
2557 /** Generate and return a new random hostname starting with <b>prefix</b>,
2558 * ending with <b>suffix</b>, and containing no fewer than
2559 * <b>min_rand_len</b> and no more than <b>max_rand_len</b> random base32
2560 * characters between.
2561 *
2562 * Clip <b>max_rand_len</b> to MAX_DNS_LABEL_SIZE.
2563 **/
2567 {
2596 }
2598 /** Return a randomly chosen element of <b>sl</b>; or NULL if <b>sl</b>
2599 * is empty. */
2602 {
2607 }
2609 /** Scramble the elements of <b>sl</b> into a random order. */
2610 void
2612 {
2614 /* From the end of the list to the front, choose at random from the
2615 positions we haven't looked at yet, and swap that position into the
2616 current position. Remember to give "no swap" the same probability as
2617 any other swap. */
2621 }
2622 }
2624 /** Base-64 encode <b>srclen</b> bytes of data from <b>src</b>. Write
2625 * the result into <b>dest</b>, if it will fit within <b>destlen</b>
2626 * bytes. Return the number of bytes written on success; -1 if
2627 * destlen is too short, or other failure.
2628 */
2629 int
2631 {
2632 /* FFFF we might want to rewrite this along the lines of base64_decode, if
2633 * it ever shows up in the profile. */
2634 EVP_ENCODE_CTX ctx;
2638 /* 48 bytes of input -> 64 bytes of output plus newline.
2639 Plus one more byte, in case I'm wrong.
2640 */
2652 }
2654 /** @{ */
2655 /** Special values used for the base64_decode_table */
2656 #define X 255
2657 #define SP 64
2658 #define PAD 65
2659 /** @} */
2660 /** Internal table mapping byte values to what they represent in base64.
2661 * Numbers 0..63 are 6-bit integers. SPs are spaces, and should be
2662 * skipped. Xs are invalid and must not appear in base64. PAD indicates
2663 * end-of-string. */
2681 };
2683 /** Base-64 decode <b>srclen</b> bytes of data from <b>src</b>. Write
2684 * the result into <b>dest</b>, if it will fit within <b>destlen</b>
2685 * bytes. Return the number of bytes written on success; -1 if
2686 * destlen is too short, or other failure.
2687 *
2688 * NOTE 1: destlen is checked conservatively, as though srclen contained no
2689 * spaces or padding.
2690 *
2691 * NOTE 2: This implementation does not check for the correct number of
2692 * padding "=" characters at the end of the string, and does not check
2693 * for internal padding characters.
2694 */
2695 int
2697 {
2698 #ifdef USE_OPENSSL_BASE64
2699 EVP_ENCODE_CTX ctx;
2701 /* 64 bytes of input -> *up to* 48 bytes of output.
2702 Plus one more byte, in case I'm wrong.
2703 */
2715 #else
2721 /* Max number of bits == srclen*6.
2722 * Number of bytes required to hold all bits == (srclen*6)/8.
2723 * Yes, we want to round down: anything that hangs over the end of a
2724 * byte is padding. */
2730 /* Iterate over all the bytes in src. Each one will add 0 or 6 bits to the
2731 * value we're decoding. Accumulate bits in <b>n</b>, and whenever we have
2732 * 24 bits, batch them into 3 bytes and flush those bytes to dest.
2733 */
2739 /* This character isn't allowed in base64. */
2742 /* This character is whitespace, and has no effect. */
2745 /* We've hit an = character: the data is over. */
2748 /* We have an actual 6-bit value. Append it to the bits in n. */
2751 /* We've accumulated 24 bits in n. Flush them. */
2757 }
2758 }
2759 }
2760 end_of_loop:
2761 /* If we have leftover bits, we need to cope. */
2765 /* No leftover bits. We win. */
2768 /* 6 leftover bits. That's invalid; we can't form a byte out of that. */
2771 /* 12 leftover bits: The last 4 are padding and the first 8 are data. */
2775 /* 18 leftover bits: The last 2 are padding and the first 16 are data. */
2778 }
2784 #endif
2785 }
2786 #undef X
2787 #undef SP
2788 #undef PAD
2790 /** Base-64 encode DIGEST_LINE bytes from <b>digest</b>, remove the trailing =
2791 * and newline characters, and store the nul-terminated result in the first
2792 * BASE64_DIGEST_LEN+1 bytes of <b>d64</b>. */
2793 int
2795 {
2801 }
2803 /** Given a base-64 encoded, nul-terminated digest in <b>d64</b> (without
2804 * trailing newline or = characters), decode it and store the result in the
2805 * first DIGEST_LEN bytes at <b>digest</b>. */
2806 int
2808 {
2809 #ifdef USE_OPENSSL_BASE64
2820 #else
2823 else
2825 #endif
2826 }
2828 /** Base-64 encode DIGEST256_LINE bytes from <b>digest</b>, remove the
2829 * trailing = and newline characters, and store the nul-terminated result in
2830 * the first BASE64_DIGEST256_LEN+1 bytes of <b>d64</b>. */
2831 int
2833 {
2839 }
2841 /** Given a base-64 encoded, nul-terminated digest in <b>d64</b> (without
2842 * trailing newline or = characters), decode it and store the result in the
2843 * first DIGEST256_LEN bytes at <b>digest</b>. */
2844 int
2846 {
2847 #ifdef USE_OPENSSL_BASE64
2858 #else
2861 else
2863 #endif
2864 }
2866 /** Implements base32 encoding as in rfc3548. Limitation: Requires
2867 * that srclen*8 is a multiple of 5.
2868 */
2869 void
2871 {
2881 /* set v to the 16-bit value starting at src[bits/8], 0-padded. */
2884 /* set u to the 5-bit value at the bit'th bit of src. */
2887 }
2889 }
2891 /** Implements base32 decoding as in rfc3548. Limitation: Requires
2892 * that srclen*5 is a multiple of 8. Returns 0 if successful, -1 otherwise.
2893 */
2894 int
2896 {
2897 /* XXXX we might want to rewrite this along the lines of base64_decode, if
2898 * it ever shows up in the profile. */
2909 /* Convert base32 encoded chars to the 5-bit values that they represent. */
2919 }
2920 }
2922 /* Assemble result byte-wise by applying five possible cases. */
2947 }
2948 }
2954 }
2956 /** Implement RFC2440-style iterated-salted S2K conversion: convert the
2957 * <b>secret_len</b>-byte <b>secret</b> into a <b>key_out_len</b> byte
2958 * <b>key_out</b>. As in RFC2440, the first 8 bytes of s2k_specifier
2959 * are a salt; the 9th byte describes how much iteration to do.
2960 * Does not support <b>key_out_len</b> > DIGEST_LEN.
2961 */
2962 void
2965 {
2972 #define EXPBIAS 6
2975 #undef EXPBIAS
2992 }
2993 }
2998 }
3000 #ifdef TOR_IS_MULTITHREADED
3001 /** Helper: OpenSSL uses this callback to manipulate mutexes. */
3002 static void
3004 {
3008 /* This is not a really good fix for the
3009 * "release-freed-lock-from-separate-thread-on-shutdown" problem, but
3010 * it can't hurt. */
3014 else
3016 }
3018 /** OpenSSL helper type: wraps a Tor mutex so that OpenSSL can use it
3019 * as a lock. */
3022 };
3024 /** OpenSSL callback function to allocate a lock: see CRYPTO_set_dynlock_*
3025 * documentation in OpenSSL's docs for more info. */
3028 {
3035 }
3037 /** OpenSSL callback function to acquire or release a lock: see
3038 * CRYPTO_set_dynlock_* documentation in OpenSSL's docs for more info. */
3039 static void
3042 {
3047 else
3049 }
3051 /** OpenSSL callback function to free a lock: see CRYPTO_set_dynlock_*
3052 * documentation in OpenSSL's docs for more info. */
3053 static void
3056 {
3061 }
3063 /** @{ */
3064 /** Helper: Construct mutexes, and set callbacks to help OpenSSL handle being
3065 * multithreaded. */
3066 static int
3068 {
3081 }
3082 #else
3083 static int
3085 {
3087 }
3088 #endif
3090 /** Uninitialize the crypto library. Return 0 on success, -1 on failure.
3091 */
3092 int
3094 {
3106 #ifndef DISABLE_ENGINES
3108 #endif
3112 #ifdef TOR_IS_MULTITHREADED
3121 }
3123 }
3124 #endif
3126 }
3128 /** @} */