| blob | 3d8b1ba4ff3e7afeb59c523e17b1e72740c9ecec |
1 /* Copyright (c) 2001, Matej Pfajfar.
2 * Copyright (c) 2001-2004, Roger Dingledine.
3 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
4 * Copyright (c) 2007-2013, The Tor Project, Inc. */
5 /* See LICENSE for licensing information */
7 /**
8 * \file crypto.c
9 * \brief Wrapper functions to present a consistent interface to
10 * public-key and symmetric cryptography operations from OpenSSL.
11 **/
15 #ifdef _WIN32
16 #ifndef _WIN32_WINNT
17 #define _WIN32_WINNT 0x0501
18 #endif
19 #define WIN32_LEAN_AND_MEAN
20 #include <windows.h>
21 #include <wincrypt.h>
22 /* Windows defines this; so does OpenSSL 0.9.8h and later. We don't actually
23 * use either definition. */
24 #undef OCSP_RESPONSE
25 #endif
27 #include <openssl/err.h>
28 #include <openssl/rsa.h>
29 #include <openssl/pem.h>
30 #include <openssl/evp.h>
31 #include <openssl/engine.h>
32 #include <openssl/rand.h>
33 #include <openssl/opensslv.h>
34 #include <openssl/bn.h>
35 #include <openssl/dh.h>
36 #include <openssl/conf.h>
37 #include <openssl/hmac.h>
39 #ifdef HAVE_CTYPE_H
40 #include <ctype.h>
41 #endif
42 #ifdef HAVE_UNISTD_H
43 #include <unistd.h>
44 #endif
45 #ifdef HAVE_FCNTL_H
46 #include <fcntl.h>
47 #endif
48 #ifdef HAVE_SYS_FCNTL_H
49 #include <sys/fcntl.h>
50 #endif
52 #define CRYPTO_PRIVATE
60 #if OPENSSL_VERSION_NUMBER < OPENSSL_V_SERIES(0,9,8)
62 #endif
64 #ifdef ANDROID
65 /* Android's OpenSSL seems to have removed all of its Engine support. */
66 #define DISABLE_ENGINES
67 #endif
69 /** Longest recognized */
70 #define MAX_DNS_LABEL_SIZE 63
72 /** Macro: is k a valid RSA public or private key? */
73 #define PUBLIC_KEY_OK(k) ((k) && (k)->key && (k)->key->n)
74 /** Macro: is k a valid RSA private key? */
75 #define PRIVATE_KEY_OK(k) ((k) && (k)->key && (k)->key->p)
77 #ifdef TOR_IS_MULTITHREADED
78 /** A number of preallocated mutexes for use by OpenSSL. */
80 /** How many mutexes have we allocated for use by OpenSSL? */
82 #endif
84 /** A public key, or a public/private key-pair. */
85 struct crypto_pk_t
86 {
89 };
91 /** Key and stream information for a stream cipher. */
92 struct crypto_cipher_t
93 {
97 * encryption */
98 };
100 /** A structure to hold the first half (x, g^x) of a Diffie-Hellman handshake
101 * while we're waiting for the second.*/
104 };
109 /** Return the number of bytes added by padding method <b>padding</b>.
110 */
113 {
115 {
119 }
120 }
122 /** Given a padding method <b>padding</b>, return the correct OpenSSL constant.
123 */
126 {
128 {
132 }
133 }
135 /** Boolean: has OpenSSL's crypto been initialized? */
138 /** Log all pending crypto errors at level <b>severity</b>. Use
139 * <b>doing</b> to describe our current activities.
140 */
141 static void
143 {
159 }
160 }
161 }
163 #ifndef DISABLE_ENGINES
164 /** Log any OpenSSL engines we're using at NOTICE. */
165 static void
167 {
176 }
177 }
178 #endif
180 #ifndef DISABLE_ENGINES
181 /** Try to load an engine in a shared library via fully qualified path.
182 */
185 {
194 }
195 }
197 }
198 #endif
201 /* Return a human-readable version of the run-time openssl version number. */
204 {
208 /* The output should be something like "OpenSSL 1.0.0b 10 May 2012. Let's
209 trim that down. */
213 }
218 else
220 }
222 }
224 /** Initialize the crypto library. Return 0 on success, -1 on failure.
225 */
226 int
228 {
241 "version we're running with. If you get weird crashes, that "
245 }
249 "Your OpenSSL version seems to be %s. We recommend 1.0.0 "
252 }
255 #ifdef DISABLE_ENGINES
259 #else
275 }
278 accelName);
281 accelName);
282 }
283 }
288 }
295 #endif
298 }
304 }
306 }
308 /** Free crypto resources held by this thread. */
309 void
311 {
313 }
315 /** used by tortls.c: wrap an RSA* in a crypto_pk_t. */
316 crypto_pk_t *
318 {
325 }
327 /** Helper, used by tor-checkkey.c and tor-gencert.c. Return the RSA from a
328 * crypto_pk_t. */
329 RSA *
331 {
333 }
335 /** used by tortls.c: get an equivalent EVP_PKEY* for a crypto_pk_t. Iff
336 * private is set, include the private-key portion of the key. */
337 EVP_PKEY *
339 {
349 }
355 error:
361 }
363 /** Used by tortls.c: Get the DH* from a crypto_dh_t.
364 */
365 DH *
367 {
369 }
371 /** Allocate and return storage for a public key. The key itself will not yet
372 * be set.
373 */
374 crypto_pk_t *
376 {
382 }
384 /** Release a reference to an asymmetric key; when all the references
385 * are released, free the key.
386 */
387 void
389 {
401 }
403 /** Allocate and return a new symmetric cipher using the provided key and iv.
404 * The key is CIPHER_KEY_LEN bytes; the IV is CIPHER_IV_LEN bytes. If you
405 * provide NULL in place of either one, it is generated at random.
406 */
407 crypto_cipher_t *
409 {
416 else
420 else
426 }
428 /** Return a new crypto_cipher_t with the provided <b>key</b> and an IV of all
429 * zero bytes. */
430 crypto_cipher_t *
432 {
436 }
438 /** Free a symmetric cipher.
439 */
440 void
442 {
450 }
452 /* public key crypto */
454 /** Generate a <b>bits</b>-bit new public/private keypair in <b>env</b>.
455 * Return 0 on success, -1 on failure.
456 */
457 int
459 {
465 {
480 done:
485 }
490 }
493 }
495 /** Read a PEM-encoded private key from the <b>len</b>-byte string <b>s</b>
496 * into <b>env</b>. Return 0 on success, -1 on failure. If len is -1,
497 * the string is nul-terminated.
498 */
499 /* Used here, and used for testing. */
500 int
503 {
510 /* Create a read-only memory BIO, backed by the string 's' */
525 }
527 }
529 /** Read a PEM-encoded private key from the file named by
530 * <b>keyfile</b> into <b>env</b>. Return 0 on success, -1 on failure.
531 */
532 int
535 {
539 /* Read the file into a string. */
544 }
546 /* Try to parse it. */
553 /* Make sure it's valid. */
558 }
560 /** Helper function to implement crypto_pk_write_*_key_to_string. */
561 static int
564 {
577 /* Now you can treat b as if it were a file. Just use the
578 * PEM_*_bio_* functions instead of the non-bio variants.
579 */
582 else
589 }
602 }
604 /** PEM-encode the public key portion of <b>env</b> and write it to a
605 * newly allocated string. On success, set *<b>dest</b> to the new
606 * string, *<b>len</b> to the string's length, and return 0. On
607 * failure, return -1.
608 */
609 int
612 {
614 }
616 /** PEM-encode the private key portion of <b>env</b> and write it to a
617 * newly allocated string. On success, set *<b>dest</b> to the new
618 * string, *<b>len</b> to the string's length, and return 0. On
619 * failure, return -1.
620 */
621 int
624 {
626 }
628 /** Read a PEM-encoded public key from the first <b>len</b> characters of
629 * <b>src</b>, and store the result in <b>env</b>. Return 0 on success, -1 on
630 * failure.
631 */
632 int
635 {
655 }
658 }
660 /** Write the private key from <b>env</b> into the file named by <b>fname</b>,
661 * PEM-encoded. Return 0 on success, -1 on failure.
662 */
663 int
666 {
682 }
693 }
695 /** Return true iff <b>env</b> has a valid key.
696 */
697 int
699 {
707 }
709 /** Return true iff <b>key</b> contains the private-key portion of the RSA
710 * key. */
711 int
713 {
716 }
718 /** Return true iff <b>env</b> contains a public key whose public exponent
719 * equals 65537.
720 */
721 int
723 {
728 }
730 /** Compare the public-key components of a and b. Return less than 0
731 * if a\<b, 0 if a==b, and greater than 0 if a\>b. A NULL key is
732 * considered to be less than all non-NULL keys, and equal to itself.
733 *
734 * Note that this may leak information about the keys through timing.
735 */
736 int
738 {
754 }
756 /** Compare the public-key components of a and b. Return non-zero iff
757 * a==b. A NULL key is considered to be distinct from all non-NULL
758 * keys, and equal to itself.
759 *
760 * Note that this may leak information about the keys through timing.
761 */
762 int
764 {
766 }
768 /** Return the size of the public key modulus in <b>env</b>, in bytes. */
769 size_t
771 {
776 }
778 /** Return the size of the public key modulus of <b>env</b>, in bits. */
779 int
781 {
787 }
789 /** Increase the reference count of <b>env</b>, and return it.
790 */
791 crypto_pk_t *
793 {
799 }
801 /** Make a real honest-to-goodness copy of <b>env</b>, and return it. */
802 crypto_pk_t *
804 {
815 }
824 }
827 }
829 /** Encrypt <b>fromlen</b> bytes from <b>from</b> with the public key
830 * in <b>env</b>, using the padding method <b>padding</b>. On success,
831 * write the result to <b>to</b>, and return the number of bytes
832 * written. On failure, return -1.
833 *
834 * <b>tolen</b> is the number of writable bytes in <b>to</b>, and must be
835 * at least the length of the modulus of <b>env</b>.
836 */
837 int
840 {
854 }
856 }
858 /** Decrypt <b>fromlen</b> bytes from <b>from</b> with the private key
859 * in <b>env</b>, using the padding method <b>padding</b>. On success,
860 * write the result to <b>to</b>, and return the number of bytes
861 * written. On failure, return -1.
862 *
863 * <b>tolen</b> is the number of writable bytes in <b>to</b>, and must be
864 * at least the length of the modulus of <b>env</b>.
865 */
866 int
871 {
880 /* Not a private key */
891 }
893 }
895 /** Check the signature in <b>from</b> (<b>fromlen</b> bytes long) with the
896 * public key in <b>env</b>, using PKCS1 padding. On success, write the
897 * signed data to <b>to</b>, and return the number of bytes written.
898 * On failure, return -1.
899 *
900 * <b>tolen</b> is the number of writable bytes in <b>to</b>, and must be
901 * at least the length of the modulus of <b>env</b>.
902 */
903 int
907 {
921 }
923 }
925 /** Check a siglen-byte long signature at <b>sig</b> against
926 * <b>datalen</b> bytes of data at <b>data</b>, using the public key
927 * in <b>env</b>. Return 0 if <b>sig</b> is a correct signature for
928 * SHA1(data). Else return -1.
929 */
930 int
933 {
948 }
956 }
961 }
965 }
967 /** Sign <b>fromlen</b> bytes of data from <b>from</b> with the private key in
968 * <b>env</b>, using PKCS1 padding. On success, write the signature to
969 * <b>to</b>, and return the number of bytes written. On failure, return
970 * -1.
971 *
972 * <b>tolen</b> is the number of writable bytes in <b>to</b>, and must be
973 * at least the length of the modulus of <b>env</b>.
974 */
975 int
978 {
986 /* Not a private key */
995 }
997 }
999 /** Compute a SHA1 digest of <b>fromlen</b> bytes of data stored at
1000 * <b>from</b>; sign the data with the private key in <b>env</b>, and
1001 * store it in <b>to</b>. Return the number of bytes written on
1002 * success, and -1 on failure.
1003 *
1004 * <b>tolen</b> is the number of writable bytes in <b>to</b>, and must be
1005 * at least the length of the modulus of <b>env</b>.
1006 */
1007 int
1010 {
1018 }
1020 /** Perform a hybrid (public/secret) encryption on <b>fromlen</b>
1021 * bytes of data from <b>from</b>, with padding type 'padding',
1022 * storing the results on <b>to</b>.
1023 *
1024 * Returns the number of bytes written on success, -1 on failure.
1025 *
1026 * The encrypted data consists of:
1027 * - The source data, padded and encrypted with the public key, if the
1028 * padded source data is no longer than the public key, and <b>force</b>
1029 * is false, OR
1030 * - The beginning of the source data prefixed with a 16-byte symmetric key,
1031 * padded and encrypted with the public key; followed by the rest of
1032 * the source data encrypted in AES-CTR mode with the symmetric key.
1033 */
1034 int
1040 {
1055 /* It all fits in a single encrypt. */
1057 tolen,
1059 }
1069 /* Length of symmetrically encrypted data. */
1075 }
1085 err:
1091 }
1093 /** Invert crypto_pk_public_hybrid_encrypt. */
1094 int
1101 {
1112 warnOnFailure);
1113 }
1117 warnOnFailure);
1122 }
1127 }
1131 }
1143 err:
1148 }
1150 /** ASN.1-encode the public portion of <b>pk</b> into <b>dest</b>.
1151 * Return -1 on error, or the number of characters used on success.
1152 */
1153 int
1155 {
1167 }
1168 /* We don't encode directly into 'dest', because that would be illegal
1169 * type-punning. (C99 is smarter than me, C99 is smarter than me...)
1170 */
1174 }
1176 /** Decode an ASN.1-encoded public key from <b>str</b>; return the result on
1177 * success and NULL on failure.
1178 */
1179 crypto_pk_t *
1181 {
1192 }
1194 }
1196 /** Given a private or public key <b>pk</b>, put a SHA1 hash of the
1197 * public key into <b>digest_out</b> (must have DIGEST_LEN bytes of space).
1198 * Return 0 on success, -1 on failure.
1199 */
1200 int
1202 {
1215 }
1219 }
1222 }
1224 /** Compute all digests of the DER encoding of <b>pk</b>, and store them
1225 * in <b>digests_out</b>. Return 0 on success, -1 on failure. */
1226 int
1228 {
1241 }
1245 }
1248 }
1250 /** Copy <b>in</b> to the <b>outlen</b>-byte buffer <b>out</b>, adding spaces
1251 * every four spaces. */
1254 {
1264 }
1265 }
1268 }
1270 /** Given a private or public key <b>pk</b>, put a fingerprint of the
1271 * public key into <b>fp_out</b> (must have at least FINGERPRINT_LEN+1 bytes of
1272 * space). Return 0 on success, -1 on failure.
1273 *
1274 * Fingerprints are computed as the SHA1 digest of the ASN.1 encoding
1275 * of the public key, converted to hexadecimal, in upper case, with a
1276 * space after every four digits.
1277 *
1278 * If <b>add_space</b> is false, omit the spaces.
1279 */
1280 int
1282 {
1287 }
1293 }
1295 }
1297 /** Return true iff <b>s</b> is in the correct format for a fingerprint.
1298 */
1299 int
1301 {
1308 }
1309 }
1312 }
1314 /* symmetric crypto */
1316 /** Return a pointer to the key set for the cipher in <b>env</b>.
1317 */
1320 {
1322 }
1324 /** Encrypt <b>fromlen</b> bytes from <b>from</b> using the cipher
1325 * <b>env</b>; on success, store the result to <b>to</b> and return 0.
1326 * On failure, return -1.
1327 */
1328 int
1331 {
1341 }
1343 /** Decrypt <b>fromlen</b> bytes from <b>from</b> using the cipher
1344 * <b>env</b>; on success, store the result to <b>to</b> and return 0.
1345 * On failure, return -1.
1346 */
1347 int
1350 {
1358 }
1360 /** Encrypt <b>len</b> bytes on <b>from</b> using the cipher in <b>env</b>;
1361 * on success, return 0. On failure, return -1.
1362 */
1363 int
1365 {
1369 }
1371 /** Encrypt <b>fromlen</b> bytes (at least 1) from <b>from</b> with the key in
1372 * <b>key</b> to the buffer in <b>to</b> of length
1373 * <b>tolen</b>. <b>tolen</b> must be at least <b>fromlen</b> plus
1374 * CIPHER_IV_LEN bytes for the initialization vector. On success, return the
1375 * number of bytes written, on failure, return -1.
1376 */
1377 int
1381 {
1398 }
1400 /** Decrypt <b>fromlen</b> bytes (at least 1+CIPHER_IV_LEN) from <b>from</b>
1401 * with the key in <b>key</b> to the buffer in <b>to</b> of length
1402 * <b>tolen</b>. <b>tolen</b> must be at least <b>fromlen</b> minus
1403 * CIPHER_IV_LEN bytes for the initialization vector. On success, return the
1404 * number of bytes written, on failure, return -1.
1405 */
1406 int
1410 {
1427 }
1429 /* SHA-1 */
1431 /** Compute the SHA1 digest of the <b>len</b> bytes on data stored in
1432 * <b>m</b>. Write the DIGEST_LEN byte result into <b>digest</b>.
1433 * Return 0 on success, -1 on failure.
1434 */
1435 int
1437 {
1441 }
1443 /** Compute a 256-bit digest of <b>len</b> bytes in data stored in <b>m</b>,
1444 * using the algorithm <b>algorithm</b>. Write the DIGEST_LEN256-byte result
1445 * into <b>digest</b>. Return 0 on success, -1 on failure. */
1446 int
1448 digest_algorithm_t algorithm)
1449 {
1454 }
1456 /** Set the digests_t in <b>ds_out</b> to contain every digest on the
1457 * <b>len</b> bytes in <b>m</b> that we know how to compute. Return 0 on
1458 * success, -1 on failure. */
1459 int
1461 {
1470 }
1472 }
1474 /** Return the name of an algorithm, as used in directory documents. */
1477 {
1486 }
1487 }
1489 /** Given the name of a digest algorithm, return its integer value, or -1 if
1490 * the name is not recognized. */
1491 int
1493 {
1498 else
1500 }
1502 /** Intermediate information about the digest of a stream of data. */
1508 * union is usable, depending on the value of <b>algorithm</b>. */
1510 };
1512 /** Allocate and return a new digest object to compute SHA1 digests.
1513 */
1514 crypto_digest_t *
1516 {
1522 }
1524 /** Allocate and return a new digest object to compute 256-bit digests
1525 * using <b>algorithm</b>. */
1526 crypto_digest_t *
1528 {
1535 }
1537 /** Deallocate a digest object.
1538 */
1539 void
1541 {
1546 }
1548 /** Add <b>len</b> bytes from <b>data</b> to the digest object.
1549 */
1550 void
1553 {
1556 /* Using the SHA*_*() calls directly means we don't support doing
1557 * SHA in hardware. But so far the delay of getting the question
1558 * to the hardware, and hearing the answer, is likely higher than
1559 * just doing it ourselves. Hashes are fast.
1560 */
1571 }
1572 }
1574 /** Compute the hash of the data that has been passed to the digest
1575 * object; write the first out_len bytes of the result to <b>out</b>.
1576 * <b>out_len</b> must be \<= DIGEST256_LEN.
1577 */
1578 void
1581 {
1583 crypto_digest_t tmpenv;
1586 /* memcpy into a temporary ctx, since SHA*_Final clears the context */
1599 /* If fragile_assert is not enabled, then we should at least not
1600 * leak anything. */
1604 }
1607 }
1609 /** Allocate and return a new digest object with the same state as
1610 * <b>digest</b>
1611 */
1612 crypto_digest_t *
1614 {
1620 }
1622 /** Replace the state of the digest object <b>into</b> with the state
1623 * of the digest object <b>from</b>.
1624 */
1625 void
1628 {
1632 }
1634 /** Compute the HMAC-SHA-1 of the <b>msg_len</b> bytes in <b>msg</b>, using
1635 * the <b>key</b> of length <b>key_len</b>. Store the DIGEST_LEN-byte result
1636 * in <b>hmac_out</b>.
1637 */
1638 void
1642 {
1647 }
1649 /** Compute the HMAC-SHA-256 of the <b>msg_len</b> bytes in <b>msg</b>, using
1650 * the <b>key</b> of length <b>key_len</b>. Store the DIGEST256_LEN-byte
1651 * result in <b>hmac_out</b>.
1652 */
1653 void
1657 {
1658 /* If we've got OpenSSL >=0.9.8 we can use its hmac implementation. */
1663 }
1665 /* DH */
1667 /** Our DH 'g' parameter */
1668 #define DH_GENERATOR 2
1670 /** Shared P parameter for our circuit-crypto DH key exchanges. */
1672 /** Shared P parameter for our TLS DH key exchanges. */
1674 /** Shared G parameter for our DH key exchanges. */
1677 /** Generate and return a reasonable and safe DH parameter p. */
1680 {
1705 }
1708 }
1710 /** Store our dynamic DH modulus (and its group parameters) to
1711 <b>fname</b> for future use. */
1712 static int
1714 {
1730 }
1745 }
1752 }
1760 }
1762 /* concatenate file header and the dh parameters blob */
1765 /* write to file */
1769 }
1773 done:
1781 }
1783 /** Return the dynamic DH modulus stored in <b>fname</b>. If there is no
1784 dynamic DH modulus stored in <b>fname</b>, return NULL. */
1787 {
1804 }
1806 /* skip the file header */
1812 }
1814 /* 'fname' contains the DH parameters stored in base64-ed DER
1815 * format. We are only interested in the DH modulus.
1816 * NOTE: We allocate more storage here than we need. Since we're already
1817 * doing that, we can also add 1 byte extra to appease Coverity's
1818 * scanner. */
1826 }
1832 }
1839 }
1846 }
1852 }
1853 }
1860 }
1864 err:
1866 {
1867 /* move broken prime to $filename.broken */
1878 }
1883 }
1885 done:
1892 }
1895 }
1897 /** Set the global TLS Diffie-Hellman modulus.
1898 * If <b>dynamic_dh_modulus_fname</b> is set, try to read a dynamic DH modulus
1899 * off it and use it as the DH modulus. If that's not possible,
1900 * generate a new dynamic DH modulus.
1901 * If <b>dynamic_dh_modulus_fname</b> is NULL, use the Apache mod_ssl DH
1902 * modulus. */
1903 void
1905 {
1910 /* If the space is occupied, free the previous TLS DH prime */
1914 }
1925 store_dh_prime_afterwards++;
1926 }
1931 /* This is the 1024-bit safe prime that Apache uses for its DH stuff; see
1932 * modules/ssl/ssl_engine_dh.c; Apache also uses a generator of 2 with this
1933 * prime.
1934 */
1936 "D67DE440CBBBDC1936D693D34AFD0AD50C84D239A45F520BB88174CB98"
1937 "BCE951849F912E639C72FB13B4B4D7177E16D55AC179BA420B2A29FE324A"
1938 "467A635E81FF5901377BEDDCFD33168A461AAD3B72DAE8860078045B07A7"
1939 "DBCA7874087D1510EA9FCC9DDD330507DD62DB88AEAA747DE0F4D6E2BD68"
1942 }
1949 /* save the new dynamic DH modulus to disk. */
1953 }
1954 }
1956 /** Initialize dh_param_p and dh_param_g if they are not already
1957 * set. */
1958 static void
1960 {
1970 /* Set our generator for all DH parameters */
1974 /* This is from rfc2409, section 6.2. It's a safe prime, and
1975 supposedly it equals:
1976 2^1024 - 2^960 - 1 + 2^64 * { [2^894 pi] + 129093 }.
1977 */
1979 "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E08"
1980 "8A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B"
1981 "302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9"
1982 "A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE6"
1986 /* Set the new values as the global DH parameters. */
1990 /* Ensure that we have TLS DH parameters set up, too, even if we're
1991 going to change them soon. */
1994 }
1995 }
1997 /** Number of bits to use when choosing the x or y value in a Diffie-Hellman
1998 * handshake. Since we exponentiate by this value, choosing a smaller one
1999 * lets our handhake go faster.
2000 */
2001 #define DH_PRIVATE_KEY_BITS 320
2003 /** Allocate and return a new DH object for a key exchange.
2004 */
2005 crypto_dh_t *
2007 {
2025 }
2033 err:
2038 }
2040 /** Return a copy of <b>dh</b>, sharing its internal state. */
2041 crypto_dh_t *
2043 {
2048 }
2050 /** Return the length of the DH key in <b>dh</b>, in bytes.
2051 */
2052 int
2054 {
2057 }
2059 /** Generate \<x,g^x\> for our part of the key exchange. Return 0 on
2060 * success, -1 on failure.
2061 */
2062 int
2064 {
2065 again:
2069 }
2073 /* Free and clear the keys, so OpenSSL will actually try again. */
2078 }
2080 }
2082 /** Generate g^x as necessary, and write the g^x for the key exchange
2083 * as a <b>pubkey_len</b>-byte value into <b>pubkey</b>. Return 0 on
2084 * success, -1 on failure. <b>pubkey_len</b> must be \>= DH_BYTES.
2085 */
2086 int
2088 {
2094 }
2104 }
2110 }
2112 /** Check for bad Diffie-Hellman public keys (g^x). Return 0 if the key is
2113 * okay (in the subgroup [2,p-2]), or -1 if it's bad.
2114 * See http://www.cl.cam.ac.uk/ftp/users/rja14/psandqs.ps.gz for some tips.
2115 */
2116 static int
2118 {
2130 }
2136 }
2139 err:
2145 }
2147 #undef MIN
2148 #define MIN(a,b) ((a)<(b)?(a):(b))
2149 /** Given a DH key exchange object, and our peer's value of g^y (as a
2150 * <b>pubkey_len</b>-byte value in <b>pubkey</b>) generate
2151 * <b>secret_bytes_out</b> bytes of shared key material and write them
2152 * to <b>secret_out</b>. Return the number of bytes generated on success,
2153 * or -1 on failure.
2154 *
2155 * (We generate key material by computing
2156 * SHA1( g^xy || "\x00" ) || SHA1( g^xy || "\x01" ) || ...
2157 * where || is concatenation.)
2158 */
2159 ssize_t
2163 {
2176 /* Check for invalid public keys. */
2179 }
2186 }
2194 error:
2196 done:
2203 }
2206 else
2208 }
2210 /** Given <b>key_in_len</b> bytes of negotiated randomness in <b>key_in</b>
2211 * ("K"), expand it into <b>key_out_len</b> bytes of negotiated key material in
2212 * <b>key_out</b> by taking the first <b>key_out_len</b> bytes of
2213 * H(K | [00]) | H(K | [01]) | ....
2214 *
2215 * This is the key expansion algorithm used in the "TAP" circuit extension
2216 * mechanism; it shouldn't be used for new protocols.
2217 *
2218 * Return 0 on success, -1 on failure.
2219 */
2220 int
2223 {
2228 /* If we try to get more than this amount of key data, we'll repeat blocks.*/
2238 }
2244 err:
2249 }
2251 /** Expand some secret key material according to RFC5869, using SHA256 as the
2252 * underlying hash. The <b>key_in_len</b> bytes at <b>key_in</b> are the
2253 * secret key material; the <b>salt_in_len</b> bytes at <b>salt_in</b> and the
2254 * <b>info_in_len</b> bytes in <b>info_in_len</b> are the algorithm's "salt"
2255 * and "info" parameters respectively. On success, write <b>key_out_len</b>
2256 * bytes to <b>key_out</b> and return 0. On failure, return -1.
2257 */
2258 int
2264 {
2276 /* If we try to get more than this amount of key data, we'll repeat blocks.*/
2294 }
2303 }
2308 }
2310 /** Free a DH key exchange object.
2311 */
2312 void
2314 {
2320 }
2322 /* random numbers */
2324 /** How many bytes of entropy we add at once.
2325 *
2326 * This is how much entropy OpenSSL likes to add right now, so maybe it will
2327 * work for us too. */
2328 #define ADD_ENTROPY 32
2330 /** True iff it's safe to use RAND_poll after setup.
2331 *
2332 * Versions of OpenSSL prior to 0.9.7k and 0.9.8c had a bug where RAND_poll
2333 * would allocate an fd_set on the stack, open a new file, and try to FD_SET
2334 * that fd without checking whether it fit in the fd_set. Thus, if the
2335 * system has not just been started up, it is unsafe to call */
2336 #define RAND_POLL_IS_SAFE \
2339 /** Set the seed of the weak RNG to a random value. */
2340 void
2342 {
2346 }
2348 /** Try to get <b>out_len</b> bytes of the strongest entropy we can generate,
2349 * storing it into <b>out</b>.
2350 */
2351 int
2353 {
2354 #ifdef _WIN32
2357 #else
2360 };
2363 #endif
2365 #ifdef _WIN32
2368 CRYPT_VERIFYCONTEXT)) {
2372 }
2373 }
2375 }
2379 }
2382 #else
2394 }
2397 }
2401 #endif
2402 }
2404 /** Seed OpenSSL's random number generator with bytes from the operating
2405 * system. <b>startup</b> should be true iff we have just started Tor and
2406 * have not yet allocated a bunch of fds. Return 0 on success, -1 on failure.
2407 */
2408 int
2410 {
2414 /* OpenSSL has a RAND_poll function that knows about more kinds of
2415 * entropy than we do. We'll try calling that, *and* calling our own entropy
2416 * functions. If one succeeds, we'll accept the RNG as seeded. */
2421 }
2426 }
2432 else
2434 }
2436 /** Write <b>n</b> bytes of strong random data to <b>to</b>. Return 0 on
2437 * success, -1 on failure.
2438 */
2439 int
2441 {
2449 }
2451 /** Return a pseudorandom integer, chosen uniformly from the values
2452 * between 0 and <b>max</b>-1 inclusive. <b>max</b> must be between 1 and
2453 * INT_MAX+1, inclusive. */
2454 int
2456 {
2462 /* We ignore any values that are >= 'cutoff,' to avoid biasing the
2463 * distribution with clipping at the upper end of unsigned int's
2464 * range.
2465 */
2471 }
2472 }
2474 /** Return a pseudorandom 64-bit integer, chosen uniformly from the values
2475 * between 0 and <b>max</b>-1. */
2476 uint64_t
2478 {
2484 /* We ignore any values that are >= 'cutoff,' to avoid biasing the
2485 * distribution with clipping at the upper end of unsigned int's
2486 * range.
2487 */
2493 }
2494 }
2496 /** Return a pseudorandom double d, chosen uniformly from the range
2497 * 0.0 <= d < 1.0.
2498 */
2499 double
2501 {
2502 /* We just use an unsigned int here; we don't really care about getting
2503 * more than 32 bits of resolution */
2506 #if SIZEOF_INT == 4
2507 #define UINT_MAX_AS_DOUBLE 4294967296.0
2508 #elif SIZEOF_INT == 8
2509 #define UINT_MAX_AS_DOUBLE 1.8446744073709552e+19
2510 #else
2511 #error SIZEOF_INT is neither 4 nor 8
2512 #endif
2514 }
2516 /** Generate and return a new random hostname starting with <b>prefix</b>,
2517 * ending with <b>suffix</b>, and containing no fewer than
2518 * <b>min_rand_len</b> and no more than <b>max_rand_len</b> random base32
2519 * characters between.
2520 *
2521 * Clip <b>max_rand_len</b> to MAX_DNS_LABEL_SIZE.
2522 **/
2526 {
2555 }
2557 /** Return a randomly chosen element of <b>sl</b>; or NULL if <b>sl</b>
2558 * is empty. */
2561 {
2566 }
2568 /** Scramble the elements of <b>sl</b> into a random order. */
2569 void
2571 {
2573 /* From the end of the list to the front, choose at random from the
2574 positions we haven't looked at yet, and swap that position into the
2575 current position. Remember to give "no swap" the same probability as
2576 any other swap. */
2580 }
2581 }
2583 /** Base64 encode <b>srclen</b> bytes of data from <b>src</b>. Write
2584 * the result into <b>dest</b>, if it will fit within <b>destlen</b>
2585 * bytes. Return the number of bytes written on success; -1 if
2586 * destlen is too short, or other failure.
2587 */
2588 int
2590 {
2591 /* FFFF we might want to rewrite this along the lines of base64_decode, if
2592 * it ever shows up in the profile. */
2593 EVP_ENCODE_CTX ctx;
2597 /* 48 bytes of input -> 64 bytes of output plus newline.
2598 Plus one more byte, in case I'm wrong.
2599 */
2611 }
2613 /** @{ */
2614 /** Special values used for the base64_decode_table */
2615 #define X 255
2616 #define SP 64
2617 #define PAD 65
2618 /** @} */
2619 /** Internal table mapping byte values to what they represent in base64.
2620 * Numbers 0..63 are 6-bit integers. SPs are spaces, and should be
2621 * skipped. Xs are invalid and must not appear in base64. PAD indicates
2622 * end-of-string. */
2640 };
2642 /** Base64 decode <b>srclen</b> bytes of data from <b>src</b>. Write
2643 * the result into <b>dest</b>, if it will fit within <b>destlen</b>
2644 * bytes. Return the number of bytes written on success; -1 if
2645 * destlen is too short, or other failure.
2646 *
2647 * NOTE 1: destlen is checked conservatively, as though srclen contained no
2648 * spaces or padding.
2649 *
2650 * NOTE 2: This implementation does not check for the correct number of
2651 * padding "=" characters at the end of the string, and does not check
2652 * for internal padding characters.
2653 */
2654 int
2656 {
2657 #ifdef USE_OPENSSL_BASE64
2658 EVP_ENCODE_CTX ctx;
2660 /* 64 bytes of input -> *up to* 48 bytes of output.
2661 Plus one more byte, in case I'm wrong.
2662 */
2674 #else
2680 /* Max number of bits == srclen*6.
2681 * Number of bytes required to hold all bits == (srclen*6)/8.
2682 * Yes, we want to round down: anything that hangs over the end of a
2683 * byte is padding. */
2689 /* Iterate over all the bytes in src. Each one will add 0 or 6 bits to the
2690 * value we're decoding. Accumulate bits in <b>n</b>, and whenever we have
2691 * 24 bits, batch them into 3 bytes and flush those bytes to dest.
2692 */
2698 /* This character isn't allowed in base64. */
2701 /* This character is whitespace, and has no effect. */
2704 /* We've hit an = character: the data is over. */
2707 /* We have an actual 6-bit value. Append it to the bits in n. */
2710 /* We've accumulated 24 bits in n. Flush them. */
2716 }
2717 }
2718 }
2719 end_of_loop:
2720 /* If we have leftover bits, we need to cope. */
2724 /* No leftover bits. We win. */
2727 /* 6 leftover bits. That's invalid; we can't form a byte out of that. */
2730 /* 12 leftover bits: The last 4 are padding and the first 8 are data. */
2734 /* 18 leftover bits: The last 2 are padding and the first 16 are data. */
2737 }
2743 #endif
2744 }
2745 #undef X
2746 #undef SP
2747 #undef PAD
2749 /** Base64 encode DIGEST_LINE bytes from <b>digest</b>, remove the trailing =
2750 * and newline characters, and store the nul-terminated result in the first
2751 * BASE64_DIGEST_LEN+1 bytes of <b>d64</b>. */
2752 int
2754 {
2760 }
2762 /** Given a base64 encoded, nul-terminated digest in <b>d64</b> (without
2763 * trailing newline or = characters), decode it and store the result in the
2764 * first DIGEST_LEN bytes at <b>digest</b>. */
2765 int
2767 {
2768 #ifdef USE_OPENSSL_BASE64
2779 #else
2782 else
2784 #endif
2785 }
2787 /** Base64 encode DIGEST256_LINE bytes from <b>digest</b>, remove the
2788 * trailing = and newline characters, and store the nul-terminated result in
2789 * the first BASE64_DIGEST256_LEN+1 bytes of <b>d64</b>. */
2790 int
2792 {
2798 }
2800 /** Given a base64 encoded, nul-terminated digest in <b>d64</b> (without
2801 * trailing newline or = characters), decode it and store the result in the
2802 * first DIGEST256_LEN bytes at <b>digest</b>. */
2803 int
2805 {
2806 #ifdef USE_OPENSSL_BASE64
2817 #else
2820 else
2822 #endif
2823 }
2825 /** Implements base32 encoding as in RFC 4648. Limitation: Requires
2826 * that srclen*8 is a multiple of 5.
2827 */
2828 void
2830 {
2840 /* set v to the 16-bit value starting at src[bits/8], 0-padded. */
2843 /* set u to the 5-bit value at the bit'th bit of src. */
2846 }
2848 }
2850 /** Implements base32 decoding as in RFC 4648. Limitation: Requires
2851 * that srclen*5 is a multiple of 8. Returns 0 if successful, -1 otherwise.
2852 */
2853 int
2855 {
2856 /* XXXX we might want to rewrite this along the lines of base64_decode, if
2857 * it ever shows up in the profile. */
2868 /* Convert base32 encoded chars to the 5-bit values that they represent. */
2878 }
2879 }
2881 /* Assemble result byte-wise by applying five possible cases. */
2906 }
2907 }
2913 }
2915 /** Implement RFC2440-style iterated-salted S2K conversion: convert the
2916 * <b>secret_len</b>-byte <b>secret</b> into a <b>key_out_len</b> byte
2917 * <b>key_out</b>. As in RFC2440, the first 8 bytes of s2k_specifier
2918 * are a salt; the 9th byte describes how much iteration to do.
2919 * Does not support <b>key_out_len</b> > DIGEST_LEN.
2920 */
2921 void
2924 {
2931 #define EXPBIAS 6
2934 #undef EXPBIAS
2951 }
2952 }
2957 }
2959 /**
2960 * Destroy the <b>sz</b> bytes of data stored at <b>mem</b>, setting them to
2961 * the value <b>byte</b>.
2962 *
2963 * This function is preferable to memset, since many compilers will happily
2964 * optimize out memset() when they can convince themselves that the data being
2965 * cleared will never be read.
2966 *
2967 * Right now, our convention is to use this function when we are wiping data
2968 * that's about to become inaccessible, such as stack buffers that are about
2969 * to go out of scope or structures that are about to get freed. (In
2970 * practice, it appears that the compilers we're currently using will optimize
2971 * out the memset()s for stack-allocated buffers, but not those for
2972 * about-to-be-freed structures. That could change, though, so we're being
2973 * wary.) If there are live reads for the data, then you can just use
2974 * memset().
2975 */
2976 void
2978 {
2979 /* Because whole-program-optimization exists, we may not be able to just
2980 * have this function call "memset". A smart compiler could inline it, then
2981 * eliminate dead memsets, and declare itself to be clever. */
2983 /* This is a slow and ugly function from OpenSSL that fills 'mem' with junk
2984 * based on the pointer value, then uses that junk to update a global
2985 * variable. It's an elaborate ruse to trick the compiler into not
2986 * optimizing out the "wipe this memory" code. Read it if you like zany
2987 * programming tricks! In later versions of Tor, we should look for better
2988 * not-optimized-out memory wiping stuff. */
2990 /* Just in case some caller of memwipe() is relying on getting a buffer
2991 * filled with a particular value, fill the buffer.
2992 *
2993 * If this function gets inlined, this memset might get eliminated, but
2994 * that's okay: We only care about this particular memset in the case where
2995 * the caller should have been using memset(), and the memset() wouldn't get
2996 * eliminated. In other words, this is here so that we won't break anything
2997 * if somebody accidentally calls memwipe() instead of memset().
2998 **/
3000 }
3002 #ifdef TOR_IS_MULTITHREADED
3004 #ifndef OPENSSL_THREADS
3005 #error OpenSSL has been built without thread support. Tor requires an \
3006 OpenSSL library with thread support enabled.
3007 #endif
3009 /** Helper: OpenSSL uses this callback to manipulate mutexes. */
3010 static void
3012 {
3016 /* This is not a really good fix for the
3017 * "release-freed-lock-from-separate-thread-on-shutdown" problem, but
3018 * it can't hurt. */
3022 else
3024 }
3026 /** OpenSSL helper type: wraps a Tor mutex so that OpenSSL can use it
3027 * as a lock. */
3030 };
3032 /** OpenSSL callback function to allocate a lock: see CRYPTO_set_dynlock_*
3033 * documentation in OpenSSL's docs for more info. */
3036 {
3043 }
3045 /** OpenSSL callback function to acquire or release a lock: see
3046 * CRYPTO_set_dynlock_* documentation in OpenSSL's docs for more info. */
3047 static void
3050 {
3055 else
3057 }
3059 /** OpenSSL callback function to free a lock: see CRYPTO_set_dynlock_*
3060 * documentation in OpenSSL's docs for more info. */
3061 static void
3064 {
3069 }
3071 /** @{ */
3072 /** Helper: Construct mutexes, and set callbacks to help OpenSSL handle being
3073 * multithreaded. */
3074 static int
3076 {
3089 }
3090 #else
3091 static int
3093 {
3095 }
3096 #endif
3098 /** Uninitialize the crypto library. Return 0 on success, -1 on failure.
3099 */
3100 int
3102 {
3114 #ifndef DISABLE_ENGINES
3116 #endif
3120 #ifdef TOR_IS_MULTITHREADED
3129 }
3131 }
3132 #endif
3135 }
3137 /** @} */