src/lib/crypt_ops/crypto_dh.c

   1 /* Copyright (c) 2001, Matej Pfajfar.
   2  * Copyright (c) 2001-2004, Roger Dingledine.
   3  * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
   4  * Copyright (c) 2007-2021, The Tor Project, Inc. */
   5 /* See LICENSE for licensing information */
   6
   7 /**
   8  * \file crypto_dh.c
   9  * \brief Block of functions related with DH utilities and operations.
  10  *    over Z_p.  We aren't using this for any new crypto -- EC is more
  11  *    efficient.
  12  **/
  13
  14 #include "lib/crypt_ops/compat_openssl.h"
  15 #include "lib/crypt_ops/crypto_dh.h"
  16 #include "lib/crypt_ops/crypto_digest.h"
  17 #include "lib/crypt_ops/crypto_hkdf.h"
  18 #include "lib/crypt_ops/crypto_util.h"
  19 #include "lib/log/log.h"
  20 #include "lib/log/util_bug.h"
  21
  22 /** Our DH 'g' parameter */
  23 const unsigned DH_GENERATOR = 2;
  24 /** This is the 1024-bit safe prime that Apache uses for its DH stuff; see
  25  * modules/ssl/ssl_engine_dh.c; Apache also uses a generator of 2 with this
  26  * prime.
  27  */
  28 const char TLS_DH_PRIME[] =
  29   "D67DE440CBBBDC1936D693D34AFD0AD50C84D239A45F520BB88174CB98"
  30   "BCE951849F912E639C72FB13B4B4D7177E16D55AC179BA420B2A29FE324A"
  31   "467A635E81FF5901377BEDDCFD33168A461AAD3B72DAE8860078045B07A7"
  32   "DBCA7874087D1510EA9FCC9DDD330507DD62DB88AEAA747DE0F4D6E2BD68"
  33   "B0E7393E0F24218EB3";
  34 /**
  35  * This is from rfc2409, section 6.2.  It's a safe prime, and
  36  * supposedly it equals:
  37  * 2^1024 - 2^960 - 1 + 2^64 * { [2^894 pi] + 129093 }.
  38  */
  39 const char OAKLEY_PRIME_2[] =
  40   "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E08"
  41   "8A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B"
  42   "302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9"
  43   "A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE6"
  44   "49286651ECE65381FFFFFFFFFFFFFFFF";
  45
  46 void
  47 crypto_dh_init(void)
  48 {
  49 #ifdef ENABLE_OPENSSL
  50   crypto_dh_init_openssl();
  51 #endif
  52 #ifdef ENABLE_NSS
  53   crypto_dh_init_nss();
  54 #endif
  55 }
  56
  57 void
  58 crypto_dh_free_all(void)
  59 {
  60 #ifdef ENABLE_OPENSSL
  61   crypto_dh_free_all_openssl();
  62 #endif
  63 #ifdef ENABLE_NSS
  64   crypto_dh_free_all_nss();
  65 #endif
  66 }
  67
  68 /** Given a DH key exchange object, and our peer's value of g^y (as a
  69  * <b>pubkey_len</b>-byte value in <b>pubkey</b>) generate
  70  * <b>secret_bytes_out</b> bytes of shared key material and write them
  71  * to <b>secret_out</b>.  Return the number of bytes generated on success,
  72  * or -1 on failure.
  73  *
  74  * (We generate key material by computing
  75  *         SHA1( g^xy || "\x00" ) || SHA1( g^xy || "\x01" ) || ...
  76  * where || is concatenation.)
  77  */
  78 ssize_t
  79 crypto_dh_compute_secret(int severity, crypto_dh_t *dh,
  80                          const char *pubkey, size_t pubkey_len,
  81                          char *secret_out, size_t secret_bytes_out)
  82 {
  83   tor_assert(secret_bytes_out/DIGEST_LEN <= 255);
  84
  85   unsigned char *secret_tmp = NULL;
  86   size_t secret_len=0, secret_tmp_len=0;
  87   secret_tmp_len = crypto_dh_get_bytes(dh);
  88   secret_tmp = tor_malloc(secret_tmp_len);
  89
  90   ssize_t result = crypto_dh_handshake(severity, dh, pubkey, pubkey_len,
  91                                    secret_tmp, secret_tmp_len);
  92   if (result < 0)
  93     goto error;
  94
  95   secret_len = result;
  96   if (crypto_expand_key_material_TAP(secret_tmp, secret_len,
  97                                      (uint8_t*)secret_out, secret_bytes_out)<0)
  98     goto error;
  99   secret_len = secret_bytes_out;
 100
 101   goto done;
 102  error:
 103   result = -1;
 104  done:
 105   if (secret_tmp) {
 106     memwipe(secret_tmp, 0, secret_tmp_len);
 107     tor_free(secret_tmp);
 108   }
 109   if (result < 0)
 110     return result;
 111   else
 112     return secret_len;
 113 }