| blob | 933f1033f79d7195f4ac430703baefe2a5418fc0 |
1 /* Copyright (c) 2001, Matej Pfajfar.
2 * Copyright (c) 2001-2004, Roger Dingledine.
3 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
4 * Copyright (c) 2007-2016, The Tor Project, Inc. */
5 /* See LICENSE for licensing information */
7 /**
8 * \file crypto.c
9 * \brief Wrapper functions to present a consistent interface to
10 * public-key and symmetric cryptography operations from OpenSSL and
11 * other places.
12 **/
16 #ifdef _WIN32
17 #include <winsock2.h>
18 #include <windows.h>
19 #include <wincrypt.h>
20 /* Windows defines this; so does OpenSSL 0.9.8h and later. We don't actually
21 * use either definition. */
22 #undef OCSP_RESPONSE
23 #endif
25 #define CRYPTO_PRIVATE
32 #include <openssl/err.h>
33 #include <openssl/rsa.h>
34 #include <openssl/pem.h>
35 #include <openssl/evp.h>
36 #include <openssl/engine.h>
37 #include <openssl/rand.h>
38 #include <openssl/bn.h>
39 #include <openssl/dh.h>
40 #include <openssl/conf.h>
41 #include <openssl/hmac.h>
43 #ifdef HAVE_CTYPE_H
44 #include <ctype.h>
45 #endif
46 #ifdef HAVE_UNISTD_H
47 #define _GNU_SOURCE
48 #include <unistd.h>
49 #endif
50 #ifdef HAVE_FCNTL_H
51 #include <fcntl.h>
52 #endif
53 #ifdef HAVE_SYS_FCNTL_H
54 #include <sys/fcntl.h>
55 #endif
56 #ifdef HAVE_SYS_SYSCALL_H
57 #include <sys/syscall.h>
58 #endif
70 #ifdef ANDROID
71 /* Android's OpenSSL seems to have removed all of its Engine support. */
72 #define DISABLE_ENGINES
73 #endif
75 #if OPENSSL_VERSION_NUMBER >= OPENSSL_VER(1,1,0,0,4) && \
76 !defined(LIBRESSL_VERSION_NUMBER)
77 /* OpenSSL as of 1.1.0-pre4 has an "new" thread API, which doesn't require
78 * seting up various callbacks.
79 *
80 * Note: Yes, using OPENSSL_VER is naughty, but this was introduced in the
81 * pre-release series.
82 */
83 #define NEW_THREAD_API
84 #endif
86 /** Longest recognized */
87 #define MAX_DNS_LABEL_SIZE 63
89 /** Largest strong entropy request */
90 #define MAX_STRONGEST_RAND_SIZE 256
92 /** Macro: is k a valid RSA public or private key? */
93 #define PUBLIC_KEY_OK(k) ((k) && (k)->key && (k)->key->n)
94 /** Macro: is k a valid RSA private key? */
95 #define PRIVATE_KEY_OK(k) ((k) && (k)->key && (k)->key->p)
97 #ifndef NEW_THREAD_API
98 /** A number of preallocated mutexes for use by OpenSSL. */
100 /** How many mutexes have we allocated for use by OpenSSL? */
102 #endif
104 /** A public key, or a public/private key-pair. */
105 struct crypto_pk_t
106 {
109 };
111 /** Key and stream information for a stream cipher. */
112 struct crypto_cipher_t
113 {
117 * encryption */
118 };
120 /** A structure to hold the first half (x, g^x) of a Diffie-Hellman handshake
121 * while we're waiting for the second.*/
124 };
129 /** Return the number of bytes added by padding method <b>padding</b>.
130 */
133 {
135 {
138 }
139 }
141 /** Given a padding method <b>padding</b>, return the correct OpenSSL constant.
142 */
145 {
147 {
150 }
151 }
153 /** Boolean: has OpenSSL's crypto been initialized? */
156 /** Boolean: has OpenSSL's crypto been initialized? */
159 /** Log all pending crypto errors at level <b>severity</b>. Use
160 * <b>doing</b> to describe our current activities.
161 */
162 static void
164 {
180 }
181 }
182 }
184 #ifndef DISABLE_ENGINES
185 /** Log any OpenSSL engines we're using at NOTICE. */
186 static void
188 {
197 }
198 }
199 #endif
201 #ifndef DISABLE_ENGINES
202 /** Try to load an engine in a shared library via fully qualified path.
203 */
206 {
215 }
216 }
218 }
219 #endif
221 /* Returns a trimmed and human-readable version of an openssl version string
222 * <b>raw_version</b>. They are usually in the form of 'OpenSSL 1.0.0b 10
223 * May 2012' and this will parse them into a form similar to '1.0.0b' */
226 {
228 /* The output should be something like "OpenSSL 1.0.0b 10 May 2012. Let's
229 trim that down. */
233 }
238 else
240 }
243 /* Return a human-readable version of the run-time openssl version number. */
246 {
250 }
252 }
255 /* Return a human-readable version of the compile-time openssl version
256 * number. */
259 {
261 crypto_openssl_header_version_str =
263 }
265 }
267 /** Make sure that openssl is using its default PRNG. Return 1 if we had to
268 * adjust it; 0 otherwise. */
269 STATIC int
271 {
276 "a replacement the OpenSSL RNG. Resetting it to the default "
280 }
282 }
284 /** Set up the siphash key if we haven't already done so. */
285 int
287 {
297 }
299 /** Initialize the crypto library. Return 0 on success, -1 on failure.
300 */
301 int
303 {
321 "version we're running with. If you get weird crashes, that "
325 }
336 }
338 }
340 /** Initialize the crypto library. Return 0 on success, -1 on failure.
341 */
342 int
344 {
352 #ifdef DISABLE_ENGINES
356 #else
372 }
375 accelName);
378 accelName);
379 }
380 }
385 }
386 /* Log, if available, the intersection of the set of algorithms
387 used by Tor and the set of algorithms available in the engine */
390 #ifdef OPENSSL_1_1_API
392 #else
395 #endif
402 #ifdef NID_aes_128_ctr
404 #endif
405 #ifdef NID_aes_128_gcm
407 #endif
409 #ifdef NID_aes_256_gcm
411 #endif
413 #endif
416 }
421 }
425 }
427 }
429 /** Free crypto resources held by this thread. */
430 void
432 {
433 #ifdef NEW_THREAD_API
435 #else
437 #endif
438 }
440 /** used by tortls.c: wrap an RSA* in a crypto_pk_t. */
441 crypto_pk_t *
443 {
450 }
452 /** Helper, used by tor-checkkey.c and tor-gencert.c. Return the RSA from a
453 * crypto_pk_t. */
454 RSA *
456 {
458 }
460 /** used by tortls.c: get an equivalent EVP_PKEY* for a crypto_pk_t. Iff
461 * private is set, include the private-key portion of the key. Return a valid
462 * pointer on success, and NULL on failure. */
465 {
475 }
481 error:
487 }
489 /** Used by tortls.c: Get the DH* from a crypto_dh_t.
490 */
491 DH *
493 {
495 }
497 /** Allocate and return storage for a public key. The key itself will not yet
498 * be set.
499 */
502 {
508 }
510 /** Release a reference to an asymmetric key; when all the references
511 * are released, free the key.
512 */
513 void
515 {
527 }
529 /** Allocate and return a new symmetric cipher using the provided key and iv.
530 * The key is CIPHER_KEY_LEN bytes; the IV is CIPHER_IV_LEN bytes. If you
531 * provide NULL in place of either one, it is generated at random.
532 */
533 crypto_cipher_t *
535 {
542 else
546 else
552 }
554 /** Return a new crypto_cipher_t with the provided <b>key</b> and an IV of all
555 * zero bytes. */
556 crypto_cipher_t *
558 {
562 }
564 /** Free a symmetric cipher.
565 */
566 void
568 {
576 }
578 /* public key crypto */
580 /** Generate a <b>bits</b>-bit new public/private keypair in <b>env</b>.
581 * Return 0 on success, -1 on failure.
582 */
585 {
591 }
593 {
608 done:
613 }
618 }
621 }
623 /** Read a PEM-encoded private key from the <b>len</b>-byte string <b>s</b>
624 * into <b>env</b>. Return 0 on success, -1 on failure. If len is -1,
625 * the string is nul-terminated.
626 */
627 /* Used here, and used for testing. */
628 int
631 {
638 /* Create a read-only memory BIO, backed by the string 's' */
653 }
655 }
657 /** Read a PEM-encoded private key from the file named by
658 * <b>keyfile</b> into <b>env</b>. Return 0 on success, -1 on failure.
659 */
660 int
663 {
667 /* Read the file into a string. */
672 }
674 /* Try to parse it. */
681 /* Make sure it's valid. */
686 }
688 /** Helper function to implement crypto_pk_write_*_key_to_string. Return 0 on
689 * success, -1 on failure. */
690 static int
693 {
706 /* Now you can treat b as if it were a file. Just use the
707 * PEM_*_bio_* functions instead of the non-bio variants.
708 */
711 else
718 }
731 }
733 /** PEM-encode the public key portion of <b>env</b> and write it to a
734 * newly allocated string. On success, set *<b>dest</b> to the new
735 * string, *<b>len</b> to the string's length, and return 0. On
736 * failure, return -1.
737 */
738 int
741 {
743 }
745 /** PEM-encode the private key portion of <b>env</b> and write it to a
746 * newly allocated string. On success, set *<b>dest</b> to the new
747 * string, *<b>len</b> to the string's length, and return 0. On
748 * failure, return -1.
749 */
750 int
753 {
755 }
757 /** Read a PEM-encoded public key from the first <b>len</b> characters of
758 * <b>src</b>, and store the result in <b>env</b>. Return 0 on success, -1 on
759 * failure.
760 */
761 int
764 {
784 }
787 }
789 /** Write the private key from <b>env</b> into the file named by <b>fname</b>,
790 * PEM-encoded. Return 0 on success, -1 on failure.
791 */
792 int
795 {
811 }
822 }
824 /** Return true iff <b>env</b> has a valid key.
825 */
826 int
828 {
836 }
838 /** Return true iff <b>key</b> contains the private-key portion of the RSA
839 * key. */
840 int
842 {
845 }
847 /** Return true iff <b>env</b> contains a public key whose public exponent
848 * equals 65537.
849 */
850 int
852 {
857 }
859 /** Compare the public-key components of a and b. Return less than 0
860 * if a\<b, 0 if a==b, and greater than 0 if a\>b. A NULL key is
861 * considered to be less than all non-NULL keys, and equal to itself.
862 *
863 * Note that this may leak information about the keys through timing.
864 */
865 int
867 {
883 }
885 /** Compare the public-key components of a and b. Return non-zero iff
886 * a==b. A NULL key is considered to be distinct from all non-NULL
887 * keys, and equal to itself.
888 *
889 * Note that this may leak information about the keys through timing.
890 */
891 int
893 {
895 }
897 /** Return the size of the public key modulus in <b>env</b>, in bytes. */
898 size_t
900 {
905 }
907 /** Return the size of the public key modulus of <b>env</b>, in bits. */
908 int
910 {
916 }
918 /** Increase the reference count of <b>env</b>, and return it.
919 */
920 crypto_pk_t *
922 {
928 }
930 /** Make a real honest-to-goodness copy of <b>env</b>, and return it.
931 * Returns NULL on failure. */
932 crypto_pk_t *
934 {
945 }
954 }
957 }
959 /** Encrypt <b>fromlen</b> bytes from <b>from</b> with the public key
960 * in <b>env</b>, using the padding method <b>padding</b>. On success,
961 * write the result to <b>to</b>, and return the number of bytes
962 * written. On failure, return -1.
963 *
964 * <b>tolen</b> is the number of writable bytes in <b>to</b>, and must be
965 * at least the length of the modulus of <b>env</b>.
966 */
967 int
970 {
984 }
986 }
988 /** Decrypt <b>fromlen</b> bytes from <b>from</b> with the private key
989 * in <b>env</b>, using the padding method <b>padding</b>. On success,
990 * write the result to <b>to</b>, and return the number of bytes
991 * written. On failure, return -1.
992 *
993 * <b>tolen</b> is the number of writable bytes in <b>to</b>, and must be
994 * at least the length of the modulus of <b>env</b>.
995 */
996 int
1001 {
1010 /* Not a private key */
1021 }
1023 }
1025 /** Check the signature in <b>from</b> (<b>fromlen</b> bytes long) with the
1026 * public key in <b>env</b>, using PKCS1 padding. On success, write the
1027 * signed data to <b>to</b>, and return the number of bytes written.
1028 * On failure, return -1.
1029 *
1030 * <b>tolen</b> is the number of writable bytes in <b>to</b>, and must be
1031 * at least the length of the modulus of <b>env</b>.
1032 */
1033 int
1037 {
1051 }
1053 }
1055 /** Check a siglen-byte long signature at <b>sig</b> against
1056 * <b>datalen</b> bytes of data at <b>data</b>, using the public key
1057 * in <b>env</b>. Return 0 if <b>sig</b> is a correct signature for
1058 * SHA1(data). Else return -1.
1059 */
1060 int
1063 {
1078 }
1086 }
1091 }
1095 }
1097 /** Sign <b>fromlen</b> bytes of data from <b>from</b> with the private key in
1098 * <b>env</b>, using PKCS1 padding. On success, write the signature to
1099 * <b>to</b>, and return the number of bytes written. On failure, return
1100 * -1.
1101 *
1102 * <b>tolen</b> is the number of writable bytes in <b>to</b>, and must be
1103 * at least the length of the modulus of <b>env</b>.
1104 */
1105 int
1108 {
1116 /* Not a private key */
1125 }
1127 }
1129 /** Compute a SHA1 digest of <b>fromlen</b> bytes of data stored at
1130 * <b>from</b>; sign the data with the private key in <b>env</b>, and
1131 * store it in <b>to</b>. Return the number of bytes written on
1132 * success, and -1 on failure.
1133 *
1134 * <b>tolen</b> is the number of writable bytes in <b>to</b>, and must be
1135 * at least the length of the modulus of <b>env</b>.
1136 */
1137 int
1140 {
1148 }
1150 /** Perform a hybrid (public/secret) encryption on <b>fromlen</b>
1151 * bytes of data from <b>from</b>, with padding type 'padding',
1152 * storing the results on <b>to</b>.
1153 *
1154 * Returns the number of bytes written on success, -1 on failure.
1155 *
1156 * The encrypted data consists of:
1157 * - The source data, padded and encrypted with the public key, if the
1158 * padded source data is no longer than the public key, and <b>force</b>
1159 * is false, OR
1160 * - The beginning of the source data prefixed with a 16-byte symmetric key,
1161 * padded and encrypted with the public key; followed by the rest of
1162 * the source data encrypted in AES-CTR mode with the symmetric key.
1163 */
1164 int
1170 {
1185 /* It all fits in a single encrypt. */
1187 tolen,
1189 }
1199 /* Length of symmetrically encrypted data. */
1205 }
1215 err:
1221 }
1223 /** Invert crypto_pk_public_hybrid_encrypt. Returns the number of bytes
1224 * written on success, -1 on failure. */
1225 int
1232 {
1243 warnOnFailure);
1244 }
1248 warnOnFailure);
1253 }
1258 }
1262 }
1274 err:
1279 }
1281 /** ASN.1-encode the public portion of <b>pk</b> into <b>dest</b>.
1282 * Return -1 on error, or the number of characters used on success.
1283 */
1284 int
1286 {
1297 }
1298 /* We don't encode directly into 'dest', because that would be illegal
1299 * type-punning. (C99 is smarter than me, C99 is smarter than me...)
1300 */
1304 }
1306 /** Decode an ASN.1-encoded public key from <b>str</b>; return the result on
1307 * success and NULL on failure.
1308 */
1309 crypto_pk_t *
1311 {
1322 }
1324 }
1326 /** Given a private or public key <b>pk</b>, put a SHA1 hash of the
1327 * public key into <b>digest_out</b> (must have DIGEST_LEN bytes of space).
1328 * Return 0 on success, -1 on failure.
1329 */
1330 int
1332 {
1342 }
1345 }
1347 /** Compute all digests of the DER encoding of <b>pk</b>, and store them
1348 * in <b>digests_out</b>. Return 0 on success, -1 on failure. */
1349 int
1351 {
1361 }
1364 }
1366 /** Copy <b>in</b> to the <b>outlen</b>-byte buffer <b>out</b>, adding spaces
1367 * every four characters. */
1368 void
1370 {
1380 }
1381 }
1384 }
1386 /** Given a private or public key <b>pk</b>, put a fingerprint of the
1387 * public key into <b>fp_out</b> (must have at least FINGERPRINT_LEN+1 bytes of
1388 * space). Return 0 on success, -1 on failure.
1389 *
1390 * Fingerprints are computed as the SHA1 digest of the ASN.1 encoding
1391 * of the public key, converted to hexadecimal, in upper case, with a
1392 * space after every four digits.
1393 *
1394 * If <b>add_space</b> is false, omit the spaces.
1395 */
1396 int
1398 {
1403 }
1409 }
1411 }
1413 /** Given a private or public key <b>pk</b>, put a hashed fingerprint of
1414 * the public key into <b>fp_out</b> (must have at least FINGERPRINT_LEN+1
1415 * bytes of space). Return 0 on success, -1 on failure.
1416 *
1417 * Hashed fingerprints are computed as the SHA1 digest of the SHA1 digest
1418 * of the ASN.1 encoding of the public key, converted to hexadecimal, in
1419 * upper case.
1420 */
1421 int
1423 {
1427 }
1430 }
1433 }
1435 /** Given a crypto_pk_t <b>pk</b>, allocate a new buffer containing the
1436 * Base64 encoding of the DER representation of the private key as a NUL
1437 * terminated string, and return it via <b>priv_out</b>. Return 0 on
1438 * sucess, -1 on failure.
1439 *
1440 * It is the caller's responsibility to sanitize and free the resulting buffer.
1441 */
1442 int
1444 {
1462 }
1467 }
1469 /** Given a string containing the Base64 encoded DER representation of the
1470 * private key <b>str</b>, decode and return the result on success, or NULL
1471 * on failure.
1472 */
1473 crypto_pk_t *
1475 {
1483 }
1490 }
1494 /* Make sure it's valid. */
1499 }
1501 out:
1505 }
1507 /* symmetric crypto */
1509 /** Return a pointer to the key set for the cipher in <b>env</b>.
1510 */
1513 {
1515 }
1517 /** Encrypt <b>fromlen</b> bytes from <b>from</b> using the cipher
1518 * <b>env</b>; on success, store the result to <b>to</b> and return 0.
1519 * Does not check for failure.
1520 */
1521 int
1524 {
1535 }
1537 /** Decrypt <b>fromlen</b> bytes from <b>from</b> using the cipher
1538 * <b>env</b>; on success, store the result to <b>to</b> and return 0.
1539 * Does not check for failure.
1540 */
1541 int
1544 {
1553 }
1555 /** Encrypt <b>len</b> bytes on <b>from</b> using the cipher in <b>env</b>;
1556 * on success. Does not check for failure.
1557 */
1558 void
1560 {
1563 }
1565 /** Encrypt <b>fromlen</b> bytes (at least 1) from <b>from</b> with the key in
1566 * <b>key</b> to the buffer in <b>to</b> of length
1567 * <b>tolen</b>. <b>tolen</b> must be at least <b>fromlen</b> plus
1568 * CIPHER_IV_LEN bytes for the initialization vector. On success, return the
1569 * number of bytes written, on failure, return -1.
1570 */
1571 int
1575 {
1592 }
1594 /** Decrypt <b>fromlen</b> bytes (at least 1+CIPHER_IV_LEN) from <b>from</b>
1595 * with the key in <b>key</b> to the buffer in <b>to</b> of length
1596 * <b>tolen</b>. <b>tolen</b> must be at least <b>fromlen</b> minus
1597 * CIPHER_IV_LEN bytes for the initialization vector. On success, return the
1598 * number of bytes written, on failure, return -1.
1599 */
1600 int
1604 {
1621 }
1623 /* SHA-1 */
1625 /** Compute the SHA1 digest of the <b>len</b> bytes on data stored in
1626 * <b>m</b>. Write the DIGEST_LEN byte result into <b>digest</b>.
1627 * Return 0 on success, 1 on failure.
1628 */
1629 int
1631 {
1635 }
1637 /** Compute a 256-bit digest of <b>len</b> bytes in data stored in <b>m</b>,
1638 * using the algorithm <b>algorithm</b>. Write the DIGEST_LEN256-byte result
1639 * into <b>digest</b>. Return 0 on success, 1 on failure. */
1640 int
1642 digest_algorithm_t algorithm)
1643 {
1649 else
1652 }
1654 /** Compute a 512-bit digest of <b>len</b> bytes in data stored in <b>m</b>,
1655 * using the algorithm <b>algorithm</b>. Write the DIGEST_LEN512-byte result
1656 * into <b>digest</b>. Return 0 on success, 1 on failure. */
1657 int
1659 digest_algorithm_t algorithm)
1660 {
1667 else
1670 }
1672 /** Set the common_digests_t in <b>ds_out</b> to contain every digest on the
1673 * <b>len</b> bytes in <b>m</b> that we know how to compute. Return 0 on
1674 * success, -1 on failure. */
1675 int
1677 {
1686 }
1688 /** Return the name of an algorithm, as used in directory documents. */
1691 {
1706 }
1707 }
1709 /** Given the name of a digest algorithm, return its integer value, or -1 if
1710 * the name is not recognized. */
1711 int
1713 {
1724 else
1726 }
1728 /** Given an algorithm, return the digest length in bytes. */
1731 {
1746 }
1747 }
1749 /** Intermediate information about the digest of a stream of data. */
1752 /** State for the digest we're using. Only one member of the
1753 * union is usable, depending on the value of <b>algorithm</b>. Note also
1754 * that space for other members might not even be allocated!
1755 */
1762 };
1764 /**
1765 * Return the number of bytes we need to malloc in order to get a
1766 * crypto_digest_t for <b>alg</b>, or the number of bytes we need to wipe
1767 * when we free one.
1768 */
1769 static size_t
1771 {
1772 /* Helper: returns the number of bytes in the 'f' field of 'st' */
1773 #define STRUCT_FIELD_SIZE(st, f) (sizeof( ((st*)0)->f ))
1774 /* Gives the length of crypto_digest_t through the end of the field 'd' */
1775 #define END_OF_FIELD(f) (STRUCT_OFFSET(crypto_digest_t, f) + \
1776 STRUCT_FIELD_SIZE(crypto_digest_t, f))
1790 }
1791 #undef END_OF_FIELD
1792 #undef STRUCT_FIELD_SIZE
1793 }
1795 /** Allocate and return a new digest object to compute SHA1 digests.
1796 */
1797 crypto_digest_t *
1799 {
1805 }
1807 /** Allocate and return a new digest object to compute 256-bit digests
1808 * using <b>algorithm</b>. */
1809 crypto_digest_t *
1811 {
1817 else
1821 }
1823 /** Allocate and return a new digest object to compute 512-bit digests
1824 * using <b>algorithm</b>. */
1825 crypto_digest_t *
1827 {
1833 else
1837 }
1839 /** Deallocate a digest object.
1840 */
1841 void
1843 {
1849 }
1851 /** Add <b>len</b> bytes from <b>data</b> to the digest object.
1852 */
1853 void
1856 {
1859 /* Using the SHA*_*() calls directly means we don't support doing
1860 * SHA in hardware. But so far the delay of getting the question
1861 * to the hardware, and hearing the answer, is likely higher than
1862 * just doing it ourselves. Hashes are fast.
1863 */
1881 }
1882 }
1884 /** Compute the hash of the data that has been passed to the digest
1885 * object; write the first out_len bytes of the result to <b>out</b>.
1886 * <b>out_len</b> must be \<= DIGEST512_LEN.
1887 */
1888 void
1891 {
1893 crypto_digest_t tmpenv;
1898 /* The SHA-3 code handles copying into a temporary ctx, and also can handle
1899 * short output buffers by truncating appropriately. */
1904 }
1907 /* memcpy into a temporary ctx, since SHA*_Final clears the context */
1926 }
1929 }
1931 /** Allocate and return a new digest object with the same state as
1932 * <b>digest</b>
1933 */
1934 crypto_digest_t *
1936 {
1940 }
1942 /** Replace the state of the digest object <b>into</b> with the state
1943 * of the digest object <b>from</b>. Requires that 'into' and 'from'
1944 * have the same digest type.
1945 */
1946 void
1949 {
1955 }
1957 /** Given a list of strings in <b>lst</b>, set the <b>len_out</b>-byte digest
1958 * at <b>digest_out</b> to the hash of the concatenation of those strings,
1959 * plus the optional string <b>append</b>, computed with the algorithm
1960 * <b>alg</b>.
1961 * <b>out_len</b> must be \<= DIGEST512_LEN. */
1962 void
1966 digest_algorithm_t alg)
1967 {
1969 }
1971 /** Given a list of strings in <b>lst</b>, set the <b>len_out</b>-byte digest
1972 * at <b>digest_out</b> to the hash of the concatenation of: the
1973 * optional string <b>prepend</b>, those strings,
1974 * and the optional string <b>append</b>, computed with the algorithm
1975 * <b>alg</b>.
1976 * <b>len_out</b> must be \<= DIGEST512_LEN. */
1977 void
1982 digest_algorithm_t alg)
1983 {
1999 /* If fragile_assert is not enabled, wipe output and return
2000 * without running any calculations */
2004 }
2013 free:
2015 }
2017 /** Compute the HMAC-SHA-256 of the <b>msg_len</b> bytes in <b>msg</b>, using
2018 * the <b>key</b> of length <b>key_len</b>. Store the DIGEST256_LEN-byte
2019 * result in <b>hmac_out</b>. Asserts on failure.
2020 */
2021 void
2025 {
2027 /* If we've got OpenSSL >=0.9.8 we can use its hmac implementation. */
2034 }
2036 /** Internal state for a eXtendable-Output Function (XOF). */
2038 keccak_state s;
2039 };
2041 /** Allocate a new XOF object backed by SHAKE-256. The security level
2042 * provided is a function of the length of the output used. Read and
2043 * understand FIPS-202 A.2 "Additional Consideration for Extendable-Output
2044 * Functions" before using this construct.
2045 */
2046 crypto_xof_t *
2048 {
2053 }
2055 /** Absorb bytes into a XOF object. Must not be called after a call to
2056 * crypto_xof_squeeze_bytes() for the same instance, and will assert
2057 * if attempted.
2058 */
2059 void
2061 {
2064 }
2066 /** Squeeze bytes out of a XOF object. Calling this routine will render
2067 * the XOF instance ineligible to absorb further data.
2068 */
2069 void
2071 {
2074 }
2076 /** Cleanse and deallocate a XOF object. */
2077 void
2079 {
2084 }
2086 /* DH */
2088 /** Our DH 'g' parameter */
2089 #define DH_GENERATOR 2
2091 /** Shared P parameter for our circuit-crypto DH key exchanges. */
2093 /** Shared P parameter for our TLS DH key exchanges. */
2095 /** Shared G parameter for our DH key exchanges. */
2098 /** Validate a given set of Diffie-Hellman parameters. This is moderately
2099 * computationally expensive (milliseconds), so should only be called when
2100 * the DH parameters change. Returns 0 on success, * -1 on failure.
2101 */
2102 static int
2104 {
2108 /* Copy into a temporary DH object. */
2116 /* Perform the validation. */
2121 /* Per https://wiki.openssl.org/index.php/Diffie-Hellman_parameters
2122 *
2123 * OpenSSL checks the prime is congruent to 11 when g = 2; while the
2124 * IETF's primes are congruent to 23 when g = 2.
2125 */
2129 }
2133 /* Things are probably not evil. */
2136 out:
2140 }
2142 /** Set the global Diffie-Hellman generator, used for both TLS and internal
2143 * DH stuff.
2144 */
2145 static void
2147 {
2161 }
2163 /** Set the global TLS Diffie-Hellman modulus. Use the Apache mod_ssl DH
2164 * modulus. */
2165 void
2167 {
2171 /* If the space is occupied, free the previous TLS DH prime */
2175 }
2180 /* This is the 1024-bit safe prime that Apache uses for its DH stuff; see
2181 * modules/ssl/ssl_engine_dh.c; Apache also uses a generator of 2 with this
2182 * prime.
2183 */
2185 "D67DE440CBBBDC1936D693D34AFD0AD50C84D239A45F520BB88174CB98"
2186 "BCE951849F912E639C72FB13B4B4D7177E16D55AC179BA420B2A29FE324A"
2187 "467A635E81FF5901377BEDDCFD33168A461AAD3B72DAE8860078045B07A7"
2188 "DBCA7874087D1510EA9FCC9DDD330507DD62DB88AEAA747DE0F4D6E2BD68"
2197 }
2199 /** Initialize dh_param_p and dh_param_g if they are not already
2200 * set. */
2201 static void
2203 {
2212 /* This is from rfc2409, section 6.2. It's a safe prime, and
2213 supposedly it equals:
2214 2^1024 - 2^960 - 1 + 2^64 * { [2^894 pi] + 129093 }.
2215 */
2217 "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E08"
2218 "8A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B"
2219 "302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9"
2220 "A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE6"
2224 /* Set the new values as the global DH parameters. */
2231 }
2232 }
2234 /** Number of bits to use when choosing the x or y value in a Diffie-Hellman
2235 * handshake. Since we exponentiate by this value, choosing a smaller one
2236 * lets our handhake go faster.
2237 */
2238 #define DH_PRIVATE_KEY_BITS 320
2240 /** Allocate and return a new DH object for a key exchange. Returns NULL on
2241 * failure.
2242 */
2243 crypto_dh_t *
2245 {
2263 }
2271 err:
2276 }
2278 /** Return a copy of <b>dh</b>, sharing its internal state. */
2279 crypto_dh_t *
2281 {
2288 }
2290 /** Return the length of the DH key in <b>dh</b>, in bytes.
2291 */
2292 int
2294 {
2297 }
2299 /** Generate \<x,g^x\> for our part of the key exchange. Return 0 on
2300 * success, -1 on failure.
2301 */
2302 int
2304 {
2305 again:
2309 }
2313 /* Free and clear the keys, so OpenSSL will actually try again. */
2318 }
2320 }
2322 /** Generate g^x as necessary, and write the g^x for the key exchange
2323 * as a <b>pubkey_len</b>-byte value into <b>pubkey</b>. Return 0 on
2324 * success, -1 on failure. <b>pubkey_len</b> must be \>= DH_BYTES.
2325 */
2326 int
2328 {
2334 }
2344 }
2350 }
2352 /** Check for bad Diffie-Hellman public keys (g^x). Return 0 if the key is
2353 * okay (in the subgroup [2,p-2]), or -1 if it's bad.
2354 * See http://www.cl.cam.ac.uk/ftp/users/rja14/psandqs.ps.gz for some tips.
2355 */
2356 static int
2358 {
2370 }
2376 }
2379 err:
2385 }
2387 #undef MIN
2388 #define MIN(a,b) ((a)<(b)?(a):(b))
2389 /** Given a DH key exchange object, and our peer's value of g^y (as a
2390 * <b>pubkey_len</b>-byte value in <b>pubkey</b>) generate
2391 * <b>secret_bytes_out</b> bytes of shared key material and write them
2392 * to <b>secret_out</b>. Return the number of bytes generated on success,
2393 * or -1 on failure.
2394 *
2395 * (We generate key material by computing
2396 * SHA1( g^xy || "\x00" ) || SHA1( g^xy || "\x01" ) || ...
2397 * where || is concatenation.)
2398 */
2399 ssize_t
2403 {
2416 /* Check for invalid public keys. */
2419 }
2426 }
2434 error:
2436 done:
2443 }
2446 else
2448 }
2450 /** Given <b>key_in_len</b> bytes of negotiated randomness in <b>key_in</b>
2451 * ("K"), expand it into <b>key_out_len</b> bytes of negotiated key material in
2452 * <b>key_out</b> by taking the first <b>key_out_len</b> bytes of
2453 * H(K | [00]) | H(K | [01]) | ....
2454 *
2455 * This is the key expansion algorithm used in the "TAP" circuit extension
2456 * mechanism; it shouldn't be used for new protocols.
2457 *
2458 * Return 0 on success, -1 on failure.
2459 */
2460 int
2463 {
2468 /* If we try to get more than this amount of key data, we'll repeat blocks.*/
2478 }
2481 exit:
2486 }
2488 /** Expand some secret key material according to RFC5869, using SHA256 as the
2489 * underlying hash. The <b>key_in_len</b> bytes at <b>key_in</b> are the
2490 * secret key material; the <b>salt_in_len</b> bytes at <b>salt_in</b> and the
2491 * <b>info_in_len</b> bytes in <b>info_in_len</b> are the algorithm's "salt"
2492 * and "info" parameters respectively. On success, write <b>key_out_len</b>
2493 * bytes to <b>key_out</b> and return 0. Assert on failure.
2494 */
2495 int
2501 {
2513 /* If we try to get more than this amount of key data, we'll repeat blocks.*/
2531 }
2540 }
2545 }
2547 /** Free a DH key exchange object.
2548 */
2549 void
2551 {
2557 }
2559 /* random numbers */
2561 /** How many bytes of entropy we add at once.
2562 *
2563 * This is how much entropy OpenSSL likes to add right now, so maybe it will
2564 * work for us too. */
2565 #define ADD_ENTROPY 32
2567 /** Set the seed of the weak RNG to a random value. */
2568 void
2570 {
2574 }
2576 /** Try to get <b>out_len</b> bytes of the strongest entropy we can generate,
2577 * via system calls, storing it into <b>out</b>. Return 0 on success, -1 on
2578 * failure. A maximum request size of 256 bytes is imposed.
2579 */
2580 static int
2582 {
2585 #if defined(_WIN32)
2591 CRYPT_VERIFYCONTEXT)) {
2594 }
2596 }
2600 }
2603 #elif defined(__linux__) && defined(SYS_getrandom)
2606 /* getrandom() isn't as straight foward as getentropy(), and has
2607 * no glibc wrapper.
2608 *
2609 * As far as I can tell from getrandom(2) and the source code, the
2610 * requests we issue will always succeed (though it will block on the
2611 * call if /dev/urandom isn't seeded yet), since we are NOT specifying
2612 * GRND_NONBLOCK and the request is <= 256 bytes.
2613 *
2614 * The manpage is unclear on what happens if a signal interrupts the call
2615 * while the request is blocked due to lack of entropy....
2616 *
2617 * We optimistically assume that getrandom() is available and functional
2618 * because it is the way of the future, and 2 branch mispredicts pale in
2619 * comparision to the overheads involved with failing to open
2620 * /dev/srandom followed by opening and reading from /dev/urandom.
2621 */
2624 /* A flag of '0' here means to read from '/dev/urandom', and to
2625 * block if insufficient entropy is available to service the
2626 * request.
2627 */
2637 /* Probably ENOSYS. */
2641 }
2645 }
2648 #elif defined(HAVE_GETENTROPY)
2649 /* getentropy() is what Linux's getrandom() wants to be when it grows up.
2650 * the only gotcha is that requests are limited to 256 bytes.
2651 */
2653 #else
2655 #endif
2657 /* This platform doesn't have a supported syscall based random. */
2659 }
2661 /** Try to get <b>out_len</b> bytes of the strongest entropy we can generate,
2662 * via the per-platform fallback mechanism, storing it into <b>out</b>.
2663 * Return 0 on success, -1 on failure. A maximum request size of 256 bytes
2664 * is imposed.
2665 */
2666 static int
2668 {
2669 #ifdef _WIN32
2670 /* Windows exclusively uses crypto_strongest_rand_syscall(). */
2674 #else
2677 };
2693 }
2696 }
2699 #endif
2700 }
2702 /** Try to get <b>out_len</b> bytes of the strongest entropy we can generate,
2703 * storing it into <b>out</b>. Return 0 on success, -1 on failure. A maximum
2704 * request size of 256 bytes is imposed.
2705 */
2706 static int
2708 {
2713 /* For buffers >= 16 bytes (128 bits), we sanity check the output by
2714 * zero filling the buffer and ensuring that it actually was at least
2715 * partially modified.
2716 *
2717 * Checking that any individual byte is non-zero seems like it would
2718 * fail too often (p = out_len * 1/256) for comfort, but this is an
2719 * "adjust according to taste" sort of check.
2720 */
2723 /* Try to use the syscall/OS favored mechanism to get strong entropy. */
2725 /* Try to use the less-favored mechanism to get strong entropy. */
2727 /* Welp, we tried. Hopefully the calling code terminates the process
2728 * since we're basically boned without good entropy.
2729 */
2733 }
2734 }
2738 }
2740 /* We tried max_attempts times to fill a buffer >= 128 bits long,
2741 * and each time it returned all '0's. Either the system entropy
2742 * source is busted, or the user should go out and buy a ticket to
2743 * every lottery on the planet.
2744 */
2747 }
2749 /** Try to get <b>out_len</b> bytes of the strongest entropy we can generate,
2750 * storing it into <b>out</b>.
2751 */
2752 void
2754 {
2755 #define DLEN SHA512_DIGEST_LENGTH
2756 /* We're going to hash DLEN bytes from the system RNG together with some
2757 * bytes from the openssl PRNG, in order to yield DLEN bytes.
2758 */
2767 /* Die with an assertion so we get a stack trace. */
2769 }
2778 }
2779 }
2782 #undef DLEN
2783 }
2785 /** Seed OpenSSL's random number generator with bytes from the operating
2786 * system. Return 0 on success, -1 on failure.
2787 */
2788 int
2790 {
2794 /* OpenSSL has a RAND_poll function that knows about more kinds of
2795 * entropy than we do. We'll try calling that, *and* calling our own entropy
2796 * functions. If one succeeds, we'll accept the RNG as seeded. */
2804 }
2810 else
2812 }
2814 /** Write <b>n</b> bytes of strong random data to <b>to</b>. Supports mocking
2815 * for unit tests.
2816 *
2817 * This function is not allowed to fail; if it would fail to generate strong
2818 * entropy, it must terminate the process instead.
2819 */
2822 {
2824 }
2826 /** Write <b>n</b> bytes of strong random data to <b>to</b>. Most callers
2827 * will want crypto_rand instead.
2828 *
2829 * This function is not allowed to fail; if it would fail to generate strong
2830 * entropy, it must terminate the process instead.
2831 */
2832 void
2834 {
2842 /* We consider a PRNG failure non-survivable. Let's assert so that we get a
2843 * stack trace about where it happened.
2844 */
2846 }
2848 /** Return a pseudorandom integer, chosen uniformly from the values
2849 * between 0 and <b>max</b>-1 inclusive. <b>max</b> must be between 1 and
2850 * INT_MAX+1, inclusive. */
2851 int
2853 {
2859 /* We ignore any values that are >= 'cutoff,' to avoid biasing the
2860 * distribution with clipping at the upper end of unsigned int's
2861 * range.
2862 */
2868 }
2869 }
2871 /** Return a pseudorandom integer, chosen uniformly from the values i such
2872 * that min <= i < max.
2873 *
2874 * <b>min</b> MUST be in range [0, <b>max</b>).
2875 * <b>max</b> MUST be in range (min, INT_MAX].
2876 */
2877 int
2879 {
2883 /* The overflow is avoided here because crypto_rand_int() returns a value
2884 * between 0 and (max - min) inclusive. */
2886 }
2888 /** As crypto_rand_int_range, but supports uint64_t. */
2889 uint64_t
2891 {
2894 }
2896 /** As crypto_rand_int_range, but supports time_t. */
2897 time_t
2899 {
2902 }
2904 /** Return a pseudorandom 64-bit integer, chosen uniformly from the values
2905 * between 0 and <b>max</b>-1 inclusive. */
2906 uint64_t
2908 {
2914 /* We ignore any values that are >= 'cutoff,' to avoid biasing the
2915 * distribution with clipping at the upper end of unsigned int's
2916 * range.
2917 */
2923 }
2924 }
2926 /** Return a pseudorandom double d, chosen uniformly from the range
2927 * 0.0 <= d < 1.0.
2928 */
2929 double
2931 {
2932 /* We just use an unsigned int here; we don't really care about getting
2933 * more than 32 bits of resolution */
2936 #if SIZEOF_INT == 4
2937 #define UINT_MAX_AS_DOUBLE 4294967296.0
2938 #elif SIZEOF_INT == 8
2939 #define UINT_MAX_AS_DOUBLE 1.8446744073709552e+19
2940 #else
2941 #error SIZEOF_INT is neither 4 nor 8
2942 #endif
2944 }
2946 /** Generate and return a new random hostname starting with <b>prefix</b>,
2947 * ending with <b>suffix</b>, and containing no fewer than
2948 * <b>min_rand_len</b> and no more than <b>max_rand_len</b> random base32
2949 * characters. Does not check for failure.
2950 *
2951 * Clip <b>max_rand_len</b> to MAX_DNS_LABEL_SIZE.
2952 **/
2956 {
2985 }
2987 /** Return a randomly chosen element of <b>sl</b>; or NULL if <b>sl</b>
2988 * is empty. */
2991 {
2996 }
2998 /** Scramble the elements of <b>sl</b> into a random order. */
2999 void
3001 {
3003 /* From the end of the list to the front, choose at random from the
3004 positions we haven't looked at yet, and swap that position into the
3005 current position. Remember to give "no swap" the same probability as
3006 any other swap. */
3010 }
3011 }
3013 /**
3014 * Destroy the <b>sz</b> bytes of data stored at <b>mem</b>, setting them to
3015 * the value <b>byte</b>.
3016 * If <b>mem</b> is NULL or <b>sz</b> is zero, nothing happens.
3017 *
3018 * This function is preferable to memset, since many compilers will happily
3019 * optimize out memset() when they can convince themselves that the data being
3020 * cleared will never be read.
3021 *
3022 * Right now, our convention is to use this function when we are wiping data
3023 * that's about to become inaccessible, such as stack buffers that are about
3024 * to go out of scope or structures that are about to get freed. (In
3025 * practice, it appears that the compilers we're currently using will optimize
3026 * out the memset()s for stack-allocated buffers, but not those for
3027 * about-to-be-freed structures. That could change, though, so we're being
3028 * wary.) If there are live reads for the data, then you can just use
3029 * memset().
3030 */
3031 void
3033 {
3036 }
3037 /* If sz is nonzero, then mem must not be NULL. */
3040 /* Data this large is likely to be an underflow. */
3043 /* Because whole-program-optimization exists, we may not be able to just
3044 * have this function call "memset". A smart compiler could inline it, then
3045 * eliminate dead memsets, and declare itself to be clever. */
3047 #if defined(SecureZeroMemory) || defined(HAVE_SECUREZEROMEMORY)
3048 /* Here's what you do on windows. */
3050 #elif defined(HAVE_RTLSECUREZEROMEMORY)
3052 #elif defined(HAVE_EXPLICIT_BZERO)
3053 /* The BSDs provide this. */
3055 #elif defined(HAVE_MEMSET_S)
3056 /* This is in the C99 standard. */
3058 #else
3059 /* This is a slow and ugly function from OpenSSL that fills 'mem' with junk
3060 * based on the pointer value, then uses that junk to update a global
3061 * variable. It's an elaborate ruse to trick the compiler into not
3062 * optimizing out the "wipe this memory" code. Read it if you like zany
3063 * programming tricks! In later versions of Tor, we should look for better
3064 * not-optimized-out memory wiping stuff...
3065 *
3066 * ...or maybe not. In practice, there are pure-asm implementations of
3067 * OPENSSL_cleanse() on most platforms, which ought to do the job.
3068 **/
3071 #endif
3073 /* Just in case some caller of memwipe() is relying on getting a buffer
3074 * filled with a particular value, fill the buffer.
3075 *
3076 * If this function gets inlined, this memset might get eliminated, but
3077 * that's okay: We only care about this particular memset in the case where
3078 * the caller should have been using memset(), and the memset() wouldn't get
3079 * eliminated. In other words, this is here so that we won't break anything
3080 * if somebody accidentally calls memwipe() instead of memset().
3081 **/
3083 }
3085 #ifndef OPENSSL_THREADS
3086 #error OpenSSL has been built without thread support. Tor requires an \
3087 OpenSSL library with thread support enabled.
3088 #endif
3090 #ifndef NEW_THREAD_API
3091 /** Helper: OpenSSL uses this callback to manipulate mutexes. */
3092 static void
3094 {
3098 /* This is not a really good fix for the
3099 * "release-freed-lock-from-separate-thread-on-shutdown" problem, but
3100 * it can't hurt. */
3104 else
3106 }
3108 static void
3110 {
3112 }
3113 #endif
3115 #if 0
3116 /* This code is disabled, because OpenSSL never actually uses these callbacks.
3117 */
3119 /** OpenSSL helper type: wraps a Tor mutex so that OpenSSL can use it
3120 * as a lock. */
3123 };
3125 /** OpenSSL callback function to allocate a lock: see CRYPTO_set_dynlock_*
3126 * documentation in OpenSSL's docs for more info. */
3129 {
3136 }
3138 /** OpenSSL callback function to acquire or release a lock: see
3139 * CRYPTO_set_dynlock_* documentation in OpenSSL's docs for more info. */
3140 static void
3143 {
3148 else
3150 }
3152 /** OpenSSL callback function to free a lock: see CRYPTO_set_dynlock_*
3153 * documentation in OpenSSL's docs for more info. */
3154 static void
3157 {
3162 }
3163 #endif
3165 /** @{ */
3166 /** Helper: Construct mutexes, and set callbacks to help OpenSSL handle being
3167 * multithreaded. Returns 0. */
3168 static int
3170 {
3171 #ifndef NEW_THREAD_API
3180 #endif
3181 #if 0
3185 #endif
3187 }
3189 /** Uninitialize the crypto library. Return 0 on success. Does not detect
3190 * failure.
3191 */
3192 int
3194 {
3196 #ifdef NEW_THREAD_API
3198 #else
3200 #endif
3210 #ifndef DISABLE_ENGINES
3212 #endif
3217 #ifndef NEW_THREAD_API
3226 }
3228 }
3229 #endif
3234 }
3236 /** @} */