| blob | a247a87d480d20c131f87b1f00cd6e19ece9fa4a |
1 /* Copyright (c) 2001, Matej Pfajfar.
2 * Copyright (c) 2001-2004, Roger Dingledine.
3 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
4 * Copyright (c) 2007-2013, The Tor Project, Inc. */
5 /* See LICENSE for licensing information */
7 /**
8 * \file crypto.c
9 * \brief Wrapper functions to present a consistent interface to
10 * public-key and symmetric cryptography operations from OpenSSL.
11 **/
15 #ifdef _WIN32
16 #ifndef _WIN32_WINNT
17 #define _WIN32_WINNT 0x0501
18 #endif
19 #define WIN32_LEAN_AND_MEAN
20 #include <windows.h>
21 #include <wincrypt.h>
22 /* Windows defines this; so does OpenSSL 0.9.8h and later. We don't actually
23 * use either definition. */
24 #undef OCSP_RESPONSE
25 #endif
27 #include <openssl/err.h>
28 #include <openssl/rsa.h>
29 #include <openssl/pem.h>
30 #include <openssl/evp.h>
31 #include <openssl/engine.h>
32 #include <openssl/rand.h>
33 #include <openssl/opensslv.h>
34 #include <openssl/bn.h>
35 #include <openssl/dh.h>
36 #include <openssl/conf.h>
37 #include <openssl/hmac.h>
39 #ifdef HAVE_CTYPE_H
40 #include <ctype.h>
41 #endif
42 #ifdef HAVE_UNISTD_H
43 #include <unistd.h>
44 #endif
45 #ifdef HAVE_FCNTL_H
46 #include <fcntl.h>
47 #endif
48 #ifdef HAVE_SYS_FCNTL_H
49 #include <sys/fcntl.h>
50 #endif
52 #define CRYPTO_PRIVATE
61 #if OPENSSL_VERSION_NUMBER < OPENSSL_V_SERIES(0,9,8)
63 #endif
65 #ifdef ANDROID
66 /* Android's OpenSSL seems to have removed all of its Engine support. */
67 #define DISABLE_ENGINES
68 #endif
70 /** Longest recognized */
71 #define MAX_DNS_LABEL_SIZE 63
73 /** Macro: is k a valid RSA public or private key? */
74 #define PUBLIC_KEY_OK(k) ((k) && (k)->key && (k)->key->n)
75 /** Macro: is k a valid RSA private key? */
76 #define PRIVATE_KEY_OK(k) ((k) && (k)->key && (k)->key->p)
78 #ifdef TOR_IS_MULTITHREADED
79 /** A number of preallocated mutexes for use by OpenSSL. */
81 /** How many mutexes have we allocated for use by OpenSSL? */
83 #endif
85 /** A public key, or a public/private key-pair. */
86 struct crypto_pk_t
87 {
90 };
92 /** Key and stream information for a stream cipher. */
93 struct crypto_cipher_t
94 {
98 * encryption */
99 };
101 /** A structure to hold the first half (x, g^x) of a Diffie-Hellman handshake
102 * while we're waiting for the second.*/
105 };
110 /** Return the number of bytes added by padding method <b>padding</b>.
111 */
114 {
116 {
119 }
120 }
122 /** Given a padding method <b>padding</b>, return the correct OpenSSL constant.
123 */
126 {
128 {
131 }
132 }
134 /** Boolean: has OpenSSL's crypto been initialized? */
137 /** Boolean: has OpenSSL's crypto been initialized? */
140 /** Log all pending crypto errors at level <b>severity</b>. Use
141 * <b>doing</b> to describe our current activities.
142 */
143 static void
145 {
161 }
162 }
163 }
165 #ifndef DISABLE_ENGINES
166 /** Log any OpenSSL engines we're using at NOTICE. */
167 static void
169 {
178 }
179 }
180 #endif
182 #ifndef DISABLE_ENGINES
183 /** Try to load an engine in a shared library via fully qualified path.
184 */
187 {
196 }
197 }
199 }
200 #endif
202 /* Returns a trimmed and human-readable version of an openssl version string
203 * <b>raw_version</b>. They are usually in the form of 'OpenSSL 1.0.0b 10
204 * May 2012' and this will parse them into a form similar to '1.0.0b' */
207 {
209 /* The output should be something like "OpenSSL 1.0.0b 10 May 2012. Let's
210 trim that down. */
214 }
219 else
221 }
224 /* Return a human-readable version of the run-time openssl version number. */
227 {
231 }
233 }
236 /* Return a human-readable version of the compile-time openssl version
237 * number. */
240 {
242 crypto_openssl_header_version_str =
244 }
246 }
248 /** Make sure that openssl is using its default PRNG. Return 1 if we had to
249 * adjust it; 0 otherwise. */
250 static int
252 {
255 "a replacement the OpenSSL RNG. Resetting it to the default "
259 }
261 }
263 /** Set up the siphash key if we haven't already done so. */
264 int
266 {
277 }
279 /** Initialize the crypto library. Return 0 on success, -1 on failure.
280 */
281 int
283 {
299 "version we're running with. If you get weird crashes, that "
303 }
307 "Your OpenSSL version seems to be %s. We recommend 1.0.0 "
310 }
318 }
320 }
322 /** Initialize the crypto library. Return 0 on success, -1 on failure.
323 */
324 int
326 {
333 #ifdef DISABLE_ENGINES
337 #else
353 }
356 accelName);
359 accelName);
360 }
361 }
366 }
367 /* Log, if available, the intersection of the set of algorithms
368 used by Tor and the set of algorithms available in the engine */
379 #ifdef NID_aes_128_ctr
381 #endif
382 #ifdef NID_aes_128_gcm
384 #endif
386 #ifdef NID_aes_256_gcm
388 #endif
390 #endif
393 }
398 }
402 }
404 }
406 /** Free crypto resources held by this thread. */
407 void
409 {
411 }
413 /** used by tortls.c: wrap an RSA* in a crypto_pk_t. */
414 crypto_pk_t *
416 {
423 }
425 /** Helper, used by tor-checkkey.c and tor-gencert.c. Return the RSA from a
426 * crypto_pk_t. */
427 RSA *
429 {
431 }
433 /** used by tortls.c: get an equivalent EVP_PKEY* for a crypto_pk_t. Iff
434 * private is set, include the private-key portion of the key. */
435 EVP_PKEY *
437 {
447 }
453 error:
459 }
461 /** Used by tortls.c: Get the DH* from a crypto_dh_t.
462 */
463 DH *
465 {
467 }
469 /** Allocate and return storage for a public key. The key itself will not yet
470 * be set.
471 */
472 crypto_pk_t *
474 {
480 }
482 /** Release a reference to an asymmetric key; when all the references
483 * are released, free the key.
484 */
485 void
487 {
499 }
501 /** Allocate and return a new symmetric cipher using the provided key and iv.
502 * The key is CIPHER_KEY_LEN bytes; the IV is CIPHER_IV_LEN bytes. If you
503 * provide NULL in place of either one, it is generated at random.
504 */
505 crypto_cipher_t *
507 {
514 else
518 else
524 }
526 /** Return a new crypto_cipher_t with the provided <b>key</b> and an IV of all
527 * zero bytes. */
528 crypto_cipher_t *
530 {
534 }
536 /** Free a symmetric cipher.
537 */
538 void
540 {
548 }
550 /* public key crypto */
552 /** Generate a <b>bits</b>-bit new public/private keypair in <b>env</b>.
553 * Return 0 on success, -1 on failure.
554 */
555 int
557 {
563 {
578 done:
583 }
588 }
591 }
593 /** Read a PEM-encoded private key from the <b>len</b>-byte string <b>s</b>
594 * into <b>env</b>. Return 0 on success, -1 on failure. If len is -1,
595 * the string is nul-terminated.
596 */
597 /* Used here, and used for testing. */
598 int
601 {
608 /* Create a read-only memory BIO, backed by the string 's' */
623 }
625 }
627 /** Read a PEM-encoded private key from the file named by
628 * <b>keyfile</b> into <b>env</b>. Return 0 on success, -1 on failure.
629 */
630 int
633 {
637 /* Read the file into a string. */
642 }
644 /* Try to parse it. */
651 /* Make sure it's valid. */
656 }
658 /** Helper function to implement crypto_pk_write_*_key_to_string. */
659 static int
662 {
675 /* Now you can treat b as if it were a file. Just use the
676 * PEM_*_bio_* functions instead of the non-bio variants.
677 */
680 else
687 }
700 }
702 /** PEM-encode the public key portion of <b>env</b> and write it to a
703 * newly allocated string. On success, set *<b>dest</b> to the new
704 * string, *<b>len</b> to the string's length, and return 0. On
705 * failure, return -1.
706 */
707 int
710 {
712 }
714 /** PEM-encode the private key portion of <b>env</b> and write it to a
715 * newly allocated string. On success, set *<b>dest</b> to the new
716 * string, *<b>len</b> to the string's length, and return 0. On
717 * failure, return -1.
718 */
719 int
722 {
724 }
726 /** Read a PEM-encoded public key from the first <b>len</b> characters of
727 * <b>src</b>, and store the result in <b>env</b>. Return 0 on success, -1 on
728 * failure.
729 */
730 int
733 {
753 }
756 }
758 /** Write the private key from <b>env</b> into the file named by <b>fname</b>,
759 * PEM-encoded. Return 0 on success, -1 on failure.
760 */
761 int
764 {
780 }
791 }
793 /** Return true iff <b>env</b> has a valid key.
794 */
795 int
797 {
805 }
807 /** Return true iff <b>key</b> contains the private-key portion of the RSA
808 * key. */
809 int
811 {
814 }
816 /** Return true iff <b>env</b> contains a public key whose public exponent
817 * equals 65537.
818 */
819 int
821 {
826 }
828 /** Compare the public-key components of a and b. Return less than 0
829 * if a\<b, 0 if a==b, and greater than 0 if a\>b. A NULL key is
830 * considered to be less than all non-NULL keys, and equal to itself.
831 *
832 * Note that this may leak information about the keys through timing.
833 */
834 int
836 {
852 }
854 /** Compare the public-key components of a and b. Return non-zero iff
855 * a==b. A NULL key is considered to be distinct from all non-NULL
856 * keys, and equal to itself.
857 *
858 * Note that this may leak information about the keys through timing.
859 */
860 int
862 {
864 }
866 /** Return the size of the public key modulus in <b>env</b>, in bytes. */
867 size_t
869 {
874 }
876 /** Return the size of the public key modulus of <b>env</b>, in bits. */
877 int
879 {
885 }
887 /** Increase the reference count of <b>env</b>, and return it.
888 */
889 crypto_pk_t *
891 {
897 }
899 /** Make a real honest-to-goodness copy of <b>env</b>, and return it. */
900 crypto_pk_t *
902 {
913 }
922 }
925 }
927 /** Encrypt <b>fromlen</b> bytes from <b>from</b> with the public key
928 * in <b>env</b>, using the padding method <b>padding</b>. On success,
929 * write the result to <b>to</b>, and return the number of bytes
930 * written. On failure, return -1.
931 *
932 * <b>tolen</b> is the number of writable bytes in <b>to</b>, and must be
933 * at least the length of the modulus of <b>env</b>.
934 */
935 int
938 {
952 }
954 }
956 /** Decrypt <b>fromlen</b> bytes from <b>from</b> with the private key
957 * in <b>env</b>, using the padding method <b>padding</b>. On success,
958 * write the result to <b>to</b>, and return the number of bytes
959 * written. On failure, return -1.
960 *
961 * <b>tolen</b> is the number of writable bytes in <b>to</b>, and must be
962 * at least the length of the modulus of <b>env</b>.
963 */
964 int
969 {
978 /* Not a private key */
989 }
991 }
993 /** Check the signature in <b>from</b> (<b>fromlen</b> bytes long) with the
994 * public key in <b>env</b>, using PKCS1 padding. On success, write the
995 * signed data to <b>to</b>, and return the number of bytes written.
996 * On failure, return -1.
997 *
998 * <b>tolen</b> is the number of writable bytes in <b>to</b>, and must be
999 * at least the length of the modulus of <b>env</b>.
1000 */
1001 int
1005 {
1019 }
1021 }
1023 /** Check a siglen-byte long signature at <b>sig</b> against
1024 * <b>datalen</b> bytes of data at <b>data</b>, using the public key
1025 * in <b>env</b>. Return 0 if <b>sig</b> is a correct signature for
1026 * SHA1(data). Else return -1.
1027 */
1028 int
1031 {
1046 }
1054 }
1059 }
1063 }
1065 /** Sign <b>fromlen</b> bytes of data from <b>from</b> with the private key in
1066 * <b>env</b>, using PKCS1 padding. On success, write the signature to
1067 * <b>to</b>, and return the number of bytes written. On failure, return
1068 * -1.
1069 *
1070 * <b>tolen</b> is the number of writable bytes in <b>to</b>, and must be
1071 * at least the length of the modulus of <b>env</b>.
1072 */
1073 int
1076 {
1084 /* Not a private key */
1093 }
1095 }
1097 /** Compute a SHA1 digest of <b>fromlen</b> bytes of data stored at
1098 * <b>from</b>; sign the data with the private key in <b>env</b>, and
1099 * store it in <b>to</b>. Return the number of bytes written on
1100 * success, and -1 on failure.
1101 *
1102 * <b>tolen</b> is the number of writable bytes in <b>to</b>, and must be
1103 * at least the length of the modulus of <b>env</b>.
1104 */
1105 int
1108 {
1116 }
1118 /** Perform a hybrid (public/secret) encryption on <b>fromlen</b>
1119 * bytes of data from <b>from</b>, with padding type 'padding',
1120 * storing the results on <b>to</b>.
1121 *
1122 * Returns the number of bytes written on success, -1 on failure.
1123 *
1124 * The encrypted data consists of:
1125 * - The source data, padded and encrypted with the public key, if the
1126 * padded source data is no longer than the public key, and <b>force</b>
1127 * is false, OR
1128 * - The beginning of the source data prefixed with a 16-byte symmetric key,
1129 * padded and encrypted with the public key; followed by the rest of
1130 * the source data encrypted in AES-CTR mode with the symmetric key.
1131 */
1132 int
1138 {
1153 /* It all fits in a single encrypt. */
1155 tolen,
1157 }
1167 /* Length of symmetrically encrypted data. */
1173 }
1183 err:
1189 }
1191 /** Invert crypto_pk_public_hybrid_encrypt. */
1192 int
1199 {
1210 warnOnFailure);
1211 }
1215 warnOnFailure);
1220 }
1225 }
1229 }
1241 err:
1246 }
1248 /** ASN.1-encode the public portion of <b>pk</b> into <b>dest</b>.
1249 * Return -1 on error, or the number of characters used on success.
1250 */
1251 int
1253 {
1264 }
1265 /* We don't encode directly into 'dest', because that would be illegal
1266 * type-punning. (C99 is smarter than me, C99 is smarter than me...)
1267 */
1271 }
1273 /** Decode an ASN.1-encoded public key from <b>str</b>; return the result on
1274 * success and NULL on failure.
1275 */
1276 crypto_pk_t *
1278 {
1289 }
1291 }
1293 /** Given a private or public key <b>pk</b>, put a SHA1 hash of the
1294 * public key into <b>digest_out</b> (must have DIGEST_LEN bytes of space).
1295 * Return 0 on success, -1 on failure.
1296 */
1297 int
1299 {
1309 }
1312 }
1314 /** Compute all digests of the DER encoding of <b>pk</b>, and store them
1315 * in <b>digests_out</b>. Return 0 on success, -1 on failure. */
1316 int
1318 {
1328 }
1331 }
1333 /** Copy <b>in</b> to the <b>outlen</b>-byte buffer <b>out</b>, adding spaces
1334 * every four spaces. */
1335 void
1337 {
1347 }
1348 }
1351 }
1353 /** Given a private or public key <b>pk</b>, put a fingerprint of the
1354 * public key into <b>fp_out</b> (must have at least FINGERPRINT_LEN+1 bytes of
1355 * space). Return 0 on success, -1 on failure.
1356 *
1357 * Fingerprints are computed as the SHA1 digest of the ASN.1 encoding
1358 * of the public key, converted to hexadecimal, in upper case, with a
1359 * space after every four digits.
1360 *
1361 * If <b>add_space</b> is false, omit the spaces.
1362 */
1363 int
1365 {
1370 }
1376 }
1378 }
1380 /** Given a private or public key <b>pk</b>, put a hashed fingerprint of
1381 * the public key into <b>fp_out</b> (must have at least FINGERPRINT_LEN+1
1382 * bytes of space). Return 0 on success, -1 on failure.
1383 *
1384 * Hashed fingerprints are computed as the SHA1 digest of the SHA1 digest
1385 * of the ASN.1 encoding of the public key, converted to hexadecimal, in
1386 * upper case.
1387 */
1388 int
1390 {
1394 }
1397 }
1400 }
1402 /* symmetric crypto */
1404 /** Return a pointer to the key set for the cipher in <b>env</b>.
1405 */
1408 {
1410 }
1412 /** Encrypt <b>fromlen</b> bytes from <b>from</b> using the cipher
1413 * <b>env</b>; on success, store the result to <b>to</b> and return 0.
1414 * On failure, return -1.
1415 */
1416 int
1419 {
1429 }
1431 /** Decrypt <b>fromlen</b> bytes from <b>from</b> using the cipher
1432 * <b>env</b>; on success, store the result to <b>to</b> and return 0.
1433 * On failure, return -1.
1434 */
1435 int
1438 {
1446 }
1448 /** Encrypt <b>len</b> bytes on <b>from</b> using the cipher in <b>env</b>;
1449 * on success, return 0. On failure, return -1.
1450 */
1451 int
1453 {
1457 }
1459 /** Encrypt <b>fromlen</b> bytes (at least 1) from <b>from</b> with the key in
1460 * <b>key</b> to the buffer in <b>to</b> of length
1461 * <b>tolen</b>. <b>tolen</b> must be at least <b>fromlen</b> plus
1462 * CIPHER_IV_LEN bytes for the initialization vector. On success, return the
1463 * number of bytes written, on failure, return -1.
1464 */
1465 int
1469 {
1486 }
1488 /** Decrypt <b>fromlen</b> bytes (at least 1+CIPHER_IV_LEN) from <b>from</b>
1489 * with the key in <b>key</b> to the buffer in <b>to</b> of length
1490 * <b>tolen</b>. <b>tolen</b> must be at least <b>fromlen</b> minus
1491 * CIPHER_IV_LEN bytes for the initialization vector. On success, return the
1492 * number of bytes written, on failure, return -1.
1493 */
1494 int
1498 {
1515 }
1517 /* SHA-1 */
1519 /** Compute the SHA1 digest of the <b>len</b> bytes on data stored in
1520 * <b>m</b>. Write the DIGEST_LEN byte result into <b>digest</b>.
1521 * Return 0 on success, -1 on failure.
1522 */
1523 int
1525 {
1529 }
1531 /** Compute a 256-bit digest of <b>len</b> bytes in data stored in <b>m</b>,
1532 * using the algorithm <b>algorithm</b>. Write the DIGEST_LEN256-byte result
1533 * into <b>digest</b>. Return 0 on success, -1 on failure. */
1534 int
1536 digest_algorithm_t algorithm)
1537 {
1542 }
1544 /** Set the digests_t in <b>ds_out</b> to contain every digest on the
1545 * <b>len</b> bytes in <b>m</b> that we know how to compute. Return 0 on
1546 * success, -1 on failure. */
1547 int
1549 {
1558 }
1560 }
1562 /** Return the name of an algorithm, as used in directory documents. */
1565 {
1574 }
1575 }
1577 /** Given the name of a digest algorithm, return its integer value, or -1 if
1578 * the name is not recognized. */
1579 int
1581 {
1586 else
1588 }
1590 /** Intermediate information about the digest of a stream of data. */
1596 * union is usable, depending on the value of <b>algorithm</b>. */
1598 };
1600 /** Allocate and return a new digest object to compute SHA1 digests.
1601 */
1602 crypto_digest_t *
1604 {
1610 }
1612 /** Allocate and return a new digest object to compute 256-bit digests
1613 * using <b>algorithm</b>. */
1614 crypto_digest_t *
1616 {
1623 }
1625 /** Deallocate a digest object.
1626 */
1627 void
1629 {
1634 }
1636 /** Add <b>len</b> bytes from <b>data</b> to the digest object.
1637 */
1638 void
1641 {
1644 /* Using the SHA*_*() calls directly means we don't support doing
1645 * SHA in hardware. But so far the delay of getting the question
1646 * to the hardware, and hearing the answer, is likely higher than
1647 * just doing it ourselves. Hashes are fast.
1648 */
1659 }
1660 }
1662 /** Compute the hash of the data that has been passed to the digest
1663 * object; write the first out_len bytes of the result to <b>out</b>.
1664 * <b>out_len</b> must be \<= DIGEST256_LEN.
1665 */
1666 void
1669 {
1671 crypto_digest_t tmpenv;
1674 /* memcpy into a temporary ctx, since SHA*_Final clears the context */
1687 /* If fragile_assert is not enabled, then we should at least not
1688 * leak anything. */
1692 }
1695 }
1697 /** Allocate and return a new digest object with the same state as
1698 * <b>digest</b>
1699 */
1700 crypto_digest_t *
1702 {
1708 }
1710 /** Replace the state of the digest object <b>into</b> with the state
1711 * of the digest object <b>from</b>.
1712 */
1713 void
1716 {
1720 }
1722 /** Given a list of strings in <b>lst</b>, set the <b>len_out</b>-byte digest
1723 * at <b>digest_out</b> to the hash of the concatenation of those strings,
1724 * plus the optional string <b>append</b>, computed with the algorithm
1725 * <b>alg</b>.
1726 * <b>out_len</b> must be \<= DIGEST256_LEN. */
1727 void
1730 digest_algorithm_t alg)
1731 {
1735 else
1743 }
1745 /** Compute the HMAC-SHA-256 of the <b>msg_len</b> bytes in <b>msg</b>, using
1746 * the <b>key</b> of length <b>key_len</b>. Store the DIGEST256_LEN-byte
1747 * result in <b>hmac_out</b>.
1748 */
1749 void
1753 {
1754 /* If we've got OpenSSL >=0.9.8 we can use its hmac implementation. */
1759 }
1761 /* DH */
1763 /** Our DH 'g' parameter */
1764 #define DH_GENERATOR 2
1766 /** Shared P parameter for our circuit-crypto DH key exchanges. */
1768 /** Shared P parameter for our TLS DH key exchanges. */
1770 /** Shared G parameter for our DH key exchanges. */
1773 /** Generate and return a reasonable and safe DH parameter p. */
1776 {
1801 }
1804 }
1806 /** Store our dynamic DH modulus (and its group parameters) to
1807 <b>fname</b> for future use. */
1808 static int
1810 {
1826 }
1841 }
1849 }
1851 /* concatenate file header and the dh parameters blob */
1854 /* write to file */
1858 }
1862 done:
1871 }
1873 /** Return the dynamic DH modulus stored in <b>fname</b>. If there is no
1874 dynamic DH modulus stored in <b>fname</b>, return NULL. */
1877 {
1894 }
1896 /* skip the file header */
1902 }
1904 /* 'fname' contains the DH parameters stored in base64-ed DER
1905 * format. We are only interested in the DH modulus.
1906 * NOTE: We allocate more storage here than we need. Since we're already
1907 * doing that, we can also add 1 byte extra to appease Coverity's
1908 * scanner. */
1916 }
1922 }
1929 }
1936 }
1942 }
1943 }
1950 }
1954 err:
1956 {
1957 /* move broken prime to $filename.broken */
1968 }
1973 }
1975 done:
1982 }
1985 }
1987 /** Set the global TLS Diffie-Hellman modulus.
1988 * If <b>dynamic_dh_modulus_fname</b> is set, try to read a dynamic DH modulus
1989 * off it and use it as the DH modulus. If that's not possible,
1990 * generate a new dynamic DH modulus.
1991 * If <b>dynamic_dh_modulus_fname</b> is NULL, use the Apache mod_ssl DH
1992 * modulus. */
1993 void
1995 {
2000 /* If the space is occupied, free the previous TLS DH prime */
2004 }
2015 store_dh_prime_afterwards++;
2016 }
2021 /* This is the 1024-bit safe prime that Apache uses for its DH stuff; see
2022 * modules/ssl/ssl_engine_dh.c; Apache also uses a generator of 2 with this
2023 * prime.
2024 */
2026 "D67DE440CBBBDC1936D693D34AFD0AD50C84D239A45F520BB88174CB98"
2027 "BCE951849F912E639C72FB13B4B4D7177E16D55AC179BA420B2A29FE324A"
2028 "467A635E81FF5901377BEDDCFD33168A461AAD3B72DAE8860078045B07A7"
2029 "DBCA7874087D1510EA9FCC9DDD330507DD62DB88AEAA747DE0F4D6E2BD68"
2032 }
2039 /* save the new dynamic DH modulus to disk. */
2043 }
2044 }
2046 /** Initialize dh_param_p and dh_param_g if they are not already
2047 * set. */
2048 static void
2050 {
2060 /* Set our generator for all DH parameters */
2064 /* This is from rfc2409, section 6.2. It's a safe prime, and
2065 supposedly it equals:
2066 2^1024 - 2^960 - 1 + 2^64 * { [2^894 pi] + 129093 }.
2067 */
2069 "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E08"
2070 "8A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B"
2071 "302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9"
2072 "A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE6"
2076 /* Set the new values as the global DH parameters. */
2080 /* Ensure that we have TLS DH parameters set up, too, even if we're
2081 going to change them soon. */
2084 }
2085 }
2087 /** Number of bits to use when choosing the x or y value in a Diffie-Hellman
2088 * handshake. Since we exponentiate by this value, choosing a smaller one
2089 * lets our handhake go faster.
2090 */
2091 #define DH_PRIVATE_KEY_BITS 320
2093 /** Allocate and return a new DH object for a key exchange.
2094 */
2095 crypto_dh_t *
2097 {
2115 }
2123 err:
2128 }
2130 /** Return a copy of <b>dh</b>, sharing its internal state. */
2131 crypto_dh_t *
2133 {
2138 }
2140 /** Return the length of the DH key in <b>dh</b>, in bytes.
2141 */
2142 int
2144 {
2147 }
2149 /** Generate \<x,g^x\> for our part of the key exchange. Return 0 on
2150 * success, -1 on failure.
2151 */
2152 int
2154 {
2155 again:
2159 }
2163 /* Free and clear the keys, so OpenSSL will actually try again. */
2168 }
2170 }
2172 /** Generate g^x as necessary, and write the g^x for the key exchange
2173 * as a <b>pubkey_len</b>-byte value into <b>pubkey</b>. Return 0 on
2174 * success, -1 on failure. <b>pubkey_len</b> must be \>= DH_BYTES.
2175 */
2176 int
2178 {
2184 }
2194 }
2200 }
2202 /** Check for bad Diffie-Hellman public keys (g^x). Return 0 if the key is
2203 * okay (in the subgroup [2,p-2]), or -1 if it's bad.
2204 * See http://www.cl.cam.ac.uk/ftp/users/rja14/psandqs.ps.gz for some tips.
2205 */
2206 static int
2208 {
2220 }
2226 }
2229 err:
2235 }
2237 #undef MIN
2238 #define MIN(a,b) ((a)<(b)?(a):(b))
2239 /** Given a DH key exchange object, and our peer's value of g^y (as a
2240 * <b>pubkey_len</b>-byte value in <b>pubkey</b>) generate
2241 * <b>secret_bytes_out</b> bytes of shared key material and write them
2242 * to <b>secret_out</b>. Return the number of bytes generated on success,
2243 * or -1 on failure.
2244 *
2245 * (We generate key material by computing
2246 * SHA1( g^xy || "\x00" ) || SHA1( g^xy || "\x01" ) || ...
2247 * where || is concatenation.)
2248 */
2249 ssize_t
2253 {
2266 /* Check for invalid public keys. */
2269 }
2276 }
2284 error:
2286 done:
2293 }
2296 else
2298 }
2300 /** Given <b>key_in_len</b> bytes of negotiated randomness in <b>key_in</b>
2301 * ("K"), expand it into <b>key_out_len</b> bytes of negotiated key material in
2302 * <b>key_out</b> by taking the first <b>key_out_len</b> bytes of
2303 * H(K | [00]) | H(K | [01]) | ....
2304 *
2305 * This is the key expansion algorithm used in the "TAP" circuit extension
2306 * mechanism; it shouldn't be used for new protocols.
2307 *
2308 * Return 0 on success, -1 on failure.
2309 */
2310 int
2313 {
2318 /* If we try to get more than this amount of key data, we'll repeat blocks.*/
2328 }
2334 err:
2339 }
2341 /** Expand some secret key material according to RFC5869, using SHA256 as the
2342 * underlying hash. The <b>key_in_len</b> bytes at <b>key_in</b> are the
2343 * secret key material; the <b>salt_in_len</b> bytes at <b>salt_in</b> and the
2344 * <b>info_in_len</b> bytes in <b>info_in_len</b> are the algorithm's "salt"
2345 * and "info" parameters respectively. On success, write <b>key_out_len</b>
2346 * bytes to <b>key_out</b> and return 0. On failure, return -1.
2347 */
2348 int
2354 {
2366 /* If we try to get more than this amount of key data, we'll repeat blocks.*/
2384 }
2393 }
2398 }
2400 /** Free a DH key exchange object.
2401 */
2402 void
2404 {
2410 }
2412 /* random numbers */
2414 /** How many bytes of entropy we add at once.
2415 *
2416 * This is how much entropy OpenSSL likes to add right now, so maybe it will
2417 * work for us too. */
2418 #define ADD_ENTROPY 32
2420 /** True iff it's safe to use RAND_poll after setup.
2421 *
2422 * Versions of OpenSSL prior to 0.9.7k and 0.9.8c had a bug where RAND_poll
2423 * would allocate an fd_set on the stack, open a new file, and try to FD_SET
2424 * that fd without checking whether it fit in the fd_set. Thus, if the
2425 * system has not just been started up, it is unsafe to call */
2426 #define RAND_POLL_IS_SAFE \
2429 /** Set the seed of the weak RNG to a random value. */
2430 void
2432 {
2436 }
2438 /** Try to get <b>out_len</b> bytes of the strongest entropy we can generate,
2439 * storing it into <b>out</b>.
2440 */
2441 int
2443 {
2444 #ifdef _WIN32
2447 #else
2450 };
2453 #endif
2455 #ifdef _WIN32
2458 CRYPT_VERIFYCONTEXT)) {
2462 }
2463 }
2465 }
2469 }
2472 #else
2485 }
2488 }
2492 #endif
2493 }
2495 /** Seed OpenSSL's random number generator with bytes from the operating
2496 * system. <b>startup</b> should be true iff we have just started Tor and
2497 * have not yet allocated a bunch of fds. Return 0 on success, -1 on failure.
2498 */
2499 int
2501 {
2505 /* OpenSSL has a RAND_poll function that knows about more kinds of
2506 * entropy than we do. We'll try calling that, *and* calling our own entropy
2507 * functions. If one succeeds, we'll accept the RNG as seeded. */
2512 }
2517 }
2523 else
2525 }
2527 /** Write <b>n</b> bytes of strong random data to <b>to</b>. Return 0 on
2528 * success, -1 on failure.
2529 */
2532 {
2540 }
2542 /** Return a pseudorandom integer, chosen uniformly from the values
2543 * between 0 and <b>max</b>-1 inclusive. <b>max</b> must be between 1 and
2544 * INT_MAX+1, inclusive. */
2545 int
2547 {
2553 /* We ignore any values that are >= 'cutoff,' to avoid biasing the
2554 * distribution with clipping at the upper end of unsigned int's
2555 * range.
2556 */
2562 }
2563 }
2565 /** Return a pseudorandom 64-bit integer, chosen uniformly from the values
2566 * between 0 and <b>max</b>-1. */
2567 uint64_t
2569 {
2575 /* We ignore any values that are >= 'cutoff,' to avoid biasing the
2576 * distribution with clipping at the upper end of unsigned int's
2577 * range.
2578 */
2584 }
2585 }
2587 /** Return a pseudorandom double d, chosen uniformly from the range
2588 * 0.0 <= d < 1.0.
2589 */
2590 double
2592 {
2593 /* We just use an unsigned int here; we don't really care about getting
2594 * more than 32 bits of resolution */
2597 #if SIZEOF_INT == 4
2598 #define UINT_MAX_AS_DOUBLE 4294967296.0
2599 #elif SIZEOF_INT == 8
2600 #define UINT_MAX_AS_DOUBLE 1.8446744073709552e+19
2601 #else
2602 #error SIZEOF_INT is neither 4 nor 8
2603 #endif
2605 }
2607 /** Generate and return a new random hostname starting with <b>prefix</b>,
2608 * ending with <b>suffix</b>, and containing no fewer than
2609 * <b>min_rand_len</b> and no more than <b>max_rand_len</b> random base32
2610 * characters between.
2611 *
2612 * Clip <b>max_rand_len</b> to MAX_DNS_LABEL_SIZE.
2613 **/
2617 {
2646 }
2648 /** Return a randomly chosen element of <b>sl</b>; or NULL if <b>sl</b>
2649 * is empty. */
2652 {
2657 }
2659 /** Scramble the elements of <b>sl</b> into a random order. */
2660 void
2662 {
2664 /* From the end of the list to the front, choose at random from the
2665 positions we haven't looked at yet, and swap that position into the
2666 current position. Remember to give "no swap" the same probability as
2667 any other swap. */
2671 }
2672 }
2674 /** Base64 encode <b>srclen</b> bytes of data from <b>src</b>. Write
2675 * the result into <b>dest</b>, if it will fit within <b>destlen</b>
2676 * bytes. Return the number of bytes written on success; -1 if
2677 * destlen is too short, or other failure.
2678 */
2679 int
2681 {
2682 /* FFFF we might want to rewrite this along the lines of base64_decode, if
2683 * it ever shows up in the profile. */
2684 EVP_ENCODE_CTX ctx;
2688 /* 48 bytes of input -> 64 bytes of output plus newline.
2689 Plus one more byte, in case I'm wrong.
2690 */
2702 }
2704 /** @{ */
2705 /** Special values used for the base64_decode_table */
2706 #define X 255
2707 #define SP 64
2708 #define PAD 65
2709 /** @} */
2710 /** Internal table mapping byte values to what they represent in base64.
2711 * Numbers 0..63 are 6-bit integers. SPs are spaces, and should be
2712 * skipped. Xs are invalid and must not appear in base64. PAD indicates
2713 * end-of-string. */
2731 };
2733 /** Base64 decode <b>srclen</b> bytes of data from <b>src</b>. Write
2734 * the result into <b>dest</b>, if it will fit within <b>destlen</b>
2735 * bytes. Return the number of bytes written on success; -1 if
2736 * destlen is too short, or other failure.
2737 *
2738 * NOTE 1: destlen is checked conservatively, as though srclen contained no
2739 * spaces or padding.
2740 *
2741 * NOTE 2: This implementation does not check for the correct number of
2742 * padding "=" characters at the end of the string, and does not check
2743 * for internal padding characters.
2744 */
2745 int
2747 {
2748 #ifdef USE_OPENSSL_BASE64
2749 EVP_ENCODE_CTX ctx;
2751 /* 64 bytes of input -> *up to* 48 bytes of output.
2752 Plus one more byte, in case I'm wrong.
2753 */
2765 #else
2771 /* Max number of bits == srclen*6.
2772 * Number of bytes required to hold all bits == (srclen*6)/8.
2773 * Yes, we want to round down: anything that hangs over the end of a
2774 * byte is padding. */
2780 /* Iterate over all the bytes in src. Each one will add 0 or 6 bits to the
2781 * value we're decoding. Accumulate bits in <b>n</b>, and whenever we have
2782 * 24 bits, batch them into 3 bytes and flush those bytes to dest.
2783 */
2789 /* This character isn't allowed in base64. */
2792 /* This character is whitespace, and has no effect. */
2795 /* We've hit an = character: the data is over. */
2798 /* We have an actual 6-bit value. Append it to the bits in n. */
2801 /* We've accumulated 24 bits in n. Flush them. */
2807 }
2808 }
2809 }
2810 end_of_loop:
2811 /* If we have leftover bits, we need to cope. */
2815 /* No leftover bits. We win. */
2818 /* 6 leftover bits. That's invalid; we can't form a byte out of that. */
2821 /* 12 leftover bits: The last 4 are padding and the first 8 are data. */
2825 /* 18 leftover bits: The last 2 are padding and the first 16 are data. */
2828 }
2834 #endif
2835 }
2836 #undef X
2837 #undef SP
2838 #undef PAD
2840 /** Base64 encode DIGEST_LINE bytes from <b>digest</b>, remove the trailing =
2841 * and newline characters, and store the nul-terminated result in the first
2842 * BASE64_DIGEST_LEN+1 bytes of <b>d64</b>. */
2843 int
2845 {
2851 }
2853 /** Given a base64 encoded, nul-terminated digest in <b>d64</b> (without
2854 * trailing newline or = characters), decode it and store the result in the
2855 * first DIGEST_LEN bytes at <b>digest</b>. */
2856 int
2858 {
2859 #ifdef USE_OPENSSL_BASE64
2870 #else
2873 else
2875 #endif
2876 }
2878 /** Base64 encode DIGEST256_LINE bytes from <b>digest</b>, remove the
2879 * trailing = and newline characters, and store the nul-terminated result in
2880 * the first BASE64_DIGEST256_LEN+1 bytes of <b>d64</b>. */
2881 int
2883 {
2889 }
2891 /** Given a base64 encoded, nul-terminated digest in <b>d64</b> (without
2892 * trailing newline or = characters), decode it and store the result in the
2893 * first DIGEST256_LEN bytes at <b>digest</b>. */
2894 int
2896 {
2897 #ifdef USE_OPENSSL_BASE64
2908 #else
2911 else
2913 #endif
2914 }
2916 /** Implements base32 encoding as in RFC 4648. Limitation: Requires
2917 * that srclen*8 is a multiple of 5.
2918 */
2919 void
2921 {
2931 /* set v to the 16-bit value starting at src[bits/8], 0-padded. */
2934 /* set u to the 5-bit value at the bit'th bit of src. */
2937 }
2939 }
2941 /** Implements base32 decoding as in RFC 4648. Limitation: Requires
2942 * that srclen*5 is a multiple of 8. Returns 0 if successful, -1 otherwise.
2943 */
2944 int
2946 {
2947 /* XXXX we might want to rewrite this along the lines of base64_decode, if
2948 * it ever shows up in the profile. */
2959 /* Convert base32 encoded chars to the 5-bit values that they represent. */
2969 }
2970 }
2972 /* Assemble result byte-wise by applying five possible cases. */
2997 }
2998 }
3004 }
3006 /** Implement RFC2440-style iterated-salted S2K conversion: convert the
3007 * <b>secret_len</b>-byte <b>secret</b> into a <b>key_out_len</b> byte
3008 * <b>key_out</b>. As in RFC2440, the first 8 bytes of s2k_specifier
3009 * are a salt; the 9th byte describes how much iteration to do.
3010 * Does not support <b>key_out_len</b> > DIGEST_LEN.
3011 */
3012 void
3015 {
3022 #define EXPBIAS 6
3025 #undef EXPBIAS
3042 }
3043 }
3048 }
3050 /**
3051 * Destroy the <b>sz</b> bytes of data stored at <b>mem</b>, setting them to
3052 * the value <b>byte</b>.
3053 *
3054 * This function is preferable to memset, since many compilers will happily
3055 * optimize out memset() when they can convince themselves that the data being
3056 * cleared will never be read.
3057 *
3058 * Right now, our convention is to use this function when we are wiping data
3059 * that's about to become inaccessible, such as stack buffers that are about
3060 * to go out of scope or structures that are about to get freed. (In
3061 * practice, it appears that the compilers we're currently using will optimize
3062 * out the memset()s for stack-allocated buffers, but not those for
3063 * about-to-be-freed structures. That could change, though, so we're being
3064 * wary.) If there are live reads for the data, then you can just use
3065 * memset().
3066 */
3067 void
3069 {
3070 /* Because whole-program-optimization exists, we may not be able to just
3071 * have this function call "memset". A smart compiler could inline it, then
3072 * eliminate dead memsets, and declare itself to be clever. */
3074 /* This is a slow and ugly function from OpenSSL that fills 'mem' with junk
3075 * based on the pointer value, then uses that junk to update a global
3076 * variable. It's an elaborate ruse to trick the compiler into not
3077 * optimizing out the "wipe this memory" code. Read it if you like zany
3078 * programming tricks! In later versions of Tor, we should look for better
3079 * not-optimized-out memory wiping stuff. */
3081 /* Just in case some caller of memwipe() is relying on getting a buffer
3082 * filled with a particular value, fill the buffer.
3083 *
3084 * If this function gets inlined, this memset might get eliminated, but
3085 * that's okay: We only care about this particular memset in the case where
3086 * the caller should have been using memset(), and the memset() wouldn't get
3087 * eliminated. In other words, this is here so that we won't break anything
3088 * if somebody accidentally calls memwipe() instead of memset().
3089 **/
3091 }
3093 #ifdef TOR_IS_MULTITHREADED
3095 #ifndef OPENSSL_THREADS
3096 #error OpenSSL has been built without thread support. Tor requires an \
3097 OpenSSL library with thread support enabled.
3098 #endif
3100 /** Helper: OpenSSL uses this callback to manipulate mutexes. */
3101 static void
3103 {
3107 /* This is not a really good fix for the
3108 * "release-freed-lock-from-separate-thread-on-shutdown" problem, but
3109 * it can't hurt. */
3113 else
3115 }
3117 /** OpenSSL helper type: wraps a Tor mutex so that OpenSSL can use it
3118 * as a lock. */
3121 };
3123 /** OpenSSL callback function to allocate a lock: see CRYPTO_set_dynlock_*
3124 * documentation in OpenSSL's docs for more info. */
3127 {
3134 }
3136 /** OpenSSL callback function to acquire or release a lock: see
3137 * CRYPTO_set_dynlock_* documentation in OpenSSL's docs for more info. */
3138 static void
3141 {
3146 else
3148 }
3150 /** OpenSSL callback function to free a lock: see CRYPTO_set_dynlock_*
3151 * documentation in OpenSSL's docs for more info. */
3152 static void
3155 {
3160 }
3162 /** @{ */
3163 /** Helper: Construct mutexes, and set callbacks to help OpenSSL handle being
3164 * multithreaded. */
3165 static int
3167 {
3180 }
3181 #else
3182 static int
3184 {
3186 }
3187 #endif
3189 /** Uninitialize the crypto library. Return 0 on success, -1 on failure.
3190 */
3191 int
3193 {
3205 #ifndef DISABLE_ENGINES
3207 #endif
3211 #ifdef TOR_IS_MULTITHREADED
3220 }
3222 }
3223 #endif
3227 }
3229 /** @} */