| blob | 5264fd808544259af5e69cad302211d7a6bbb52c |
1 /* Copyright (c) 2001, Matej Pfajfar.
2 * Copyright (c) 2001-2004, Roger Dingledine.
3 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
4 * Copyright (c) 2007-2011, The Tor Project, Inc. */
5 /* See LICENSE for licensing information */
7 /**
8 * \file crypto.c
9 * \brief Wrapper functions to present a consistent interface to
10 * public-key and symmetric cryptography operations from OpenSSL.
11 **/
15 #ifdef MS_WINDOWS
16 #define WIN32_WINNT 0x400
17 #define _WIN32_WINNT 0x400
18 #define WIN32_LEAN_AND_MEAN
19 #include <windows.h>
20 #include <wincrypt.h>
21 /* Windows defines this; so does OpenSSL 0.9.8h and later. We don't actually
22 * use either definition. */
23 #undef OCSP_RESPONSE
24 #endif
26 #include <openssl/err.h>
27 #include <openssl/rsa.h>
28 #include <openssl/pem.h>
29 #include <openssl/evp.h>
30 #include <openssl/engine.h>
31 #include <openssl/rand.h>
32 #include <openssl/opensslv.h>
33 #include <openssl/bn.h>
34 #include <openssl/dh.h>
35 #include <openssl/conf.h>
36 #include <openssl/hmac.h>
38 #ifdef HAVE_CTYPE_H
39 #include <ctype.h>
40 #endif
41 #ifdef HAVE_UNISTD_H
42 #include <unistd.h>
43 #endif
44 #ifdef HAVE_FCNTL_H
45 #include <fcntl.h>
46 #endif
47 #ifdef HAVE_SYS_FCNTL_H
48 #include <sys/fcntl.h>
49 #endif
51 #define CRYPTO_PRIVATE
59 #if OPENSSL_VERSION_NUMBER < 0x00907000l
61 #endif
63 #include <openssl/engine.h>
65 #ifdef ANDROID
66 /* Android's OpenSSL seems to have removed all of its Engine support. */
67 #define DISABLE_ENGINES
68 #endif
70 #if OPENSSL_VERSION_NUMBER < 0x00908000l
71 /* On OpenSSL versions before 0.9.8, there is no working SHA256
72 * implementation, so we use Tom St Denis's nice speedy one, slightly adapted
73 * to our needs */
74 #define SHA256_CTX sha256_state
75 #define SHA256_Init sha256_init
76 #define SHA256_Update sha256_process
77 #define LTC_ARGCHK(x) tor_assert(x)
79 #define SHA256_Final(a,b) sha256_done(b,a)
83 {
84 SHA256_CTX ctx;
89 }
90 #endif
92 /** Macro: is k a valid RSA public or private key? */
93 #define PUBLIC_KEY_OK(k) ((k) && (k)->key && (k)->key->n)
94 /** Macro: is k a valid RSA private key? */
95 #define PRIVATE_KEY_OK(k) ((k) && (k)->key && (k)->key->p)
97 #ifdef TOR_IS_MULTITHREADED
98 /** A number of preallocated mutexes for use by OpenSSL. */
100 /** How many mutexes have we allocated for use by OpenSSL? */
102 #endif
104 /** A public key, or a public/private key-pair. */
105 struct crypto_pk_env_t
106 {
109 };
111 /** Key and stream information for a stream cipher. */
112 struct crypto_cipher_env_t
113 {
116 };
118 /** A structure to hold the first half (x, g^x) of a Diffie-Hellman handshake
119 * while we're waiting for the second.*/
122 };
127 /** Return the number of bytes added by padding method <b>padding</b>.
128 */
131 {
133 {
138 }
139 }
141 /** Given a padding method <b>padding</b>, return the correct OpenSSL constant.
142 */
145 {
147 {
152 }
153 }
155 /** Boolean: has OpenSSL's crypto been initialized? */
158 /** Log all pending crypto errors at level <b>severity</b>. Use
159 * <b>doing</b> to describe our current activities.
160 */
161 static void
163 {
178 }
179 }
180 }
182 #ifndef DISABLE_ENGINES
183 /** Log any OpenSSL engines we're using at NOTICE. */
184 static void
186 {
195 }
196 }
197 #endif
199 #ifndef DISABLE_ENGINES
200 /** Try to load an engine in a shared library via fully qualified path.
201 */
204 {
213 }
214 }
216 }
217 #endif
219 /** Initialize the crypto library. Return 0 on success, -1 on failure.
220 */
221 int
223 {
230 #ifdef DISABLE_ENGINES
234 #else
250 }
253 accelName);
256 accelName);
257 }
258 }
263 }
270 #endif
273 }
275 }
277 }
279 /** Free crypto resources held by this thread. */
280 void
282 {
284 }
286 /** Uninitialize the crypto library. Return 0 on success, -1 on failure.
287 */
288 int
290 {
295 #ifndef DISABLE_ENGINES
297 #endif
301 #ifdef TOR_IS_MULTITHREADED
310 }
312 }
313 #endif
315 }
317 /** used by tortls.c: wrap an RSA* in a crypto_pk_env_t. */
318 crypto_pk_env_t *
320 {
327 }
329 /** used by tortls.c: wrap the RSA from an evp_pkey in a crypto_pk_env_t.
330 * returns NULL if this isn't an RSA key. */
331 crypto_pk_env_t *
333 {
338 }
340 /** Helper, used by tor-checkkey.c and tor-gencert.c. Return the RSA from a
341 * crypto_pk_env_t. */
342 RSA *
344 {
346 }
348 /** used by tortls.c: get an equivalent EVP_PKEY* for a crypto_pk_env_t. Iff
349 * private is set, include the private-key portion of the key. */
350 EVP_PKEY *
352 {
362 }
368 error:
374 }
376 /** Used by tortls.c: Get the DH* from a crypto_dh_env_t.
377 */
378 DH *
380 {
382 }
384 /** Allocate and return storage for a public key. The key itself will not yet
385 * be set.
386 */
387 crypto_pk_env_t *
389 {
395 }
397 /** Release a reference to an asymmetric key; when all the references
398 * are released, free the key.
399 */
400 void
402 {
414 }
416 /** Create a new symmetric cipher for a given key and encryption flag
417 * (1=encrypt, 0=decrypt). Return the crypto object on success; NULL
418 * on failure.
419 */
420 crypto_cipher_env_t *
422 {
429 }
435 else
442 error:
446 }
448 /** Allocate and return a new symmetric cipher.
449 */
450 crypto_cipher_env_t *
452 {
458 }
460 /** Free a symmetric cipher.
461 */
462 void
464 {
472 }
474 /* public key crypto */
476 /** Generate a <b>bits</b>-bit new public/private keypair in <b>env</b>.
477 * Return 0 on success, -1 on failure.
478 */
479 int
481 {
486 #if OPENSSL_VERSION_NUMBER < 0x00908000l
487 /* In OpenSSL 0.9.7, RSA_generate_key is all we have. */
489 #else
490 /* In OpenSSL 0.9.8, RSA_generate_key is deprecated. */
491 {
506 done:
511 }
512 #endif
516 }
519 }
521 /** Read a PEM-encoded private key from the <b>len</b>-byte string <b>s</b>
522 * into <b>env</b>. Return 0 on success, -1 on failure. If len is -1,
523 * the string is nul-terminated.
524 */
525 /* Used here, and used for testing. */
526 int
529 {
536 /* Create a read-only memory BIO, backed by the string 's' */
549 }
551 }
553 /** Read a PEM-encoded private key from the file named by
554 * <b>keyfile</b> into <b>env</b>. Return 0 on success, -1 on failure.
555 */
556 int
559 {
563 /* Read the file into a string. */
568 }
570 /* Try to parse it. */
577 /* Make sure it's valid. */
582 }
584 /** Helper function to implement crypto_pk_write_*_key_to_string. */
585 static int
588 {
599 /* Now you can treat b as if it were a file. Just use the
600 * PEM_*_bio_* functions instead of the non-bio variants.
601 */
604 else
611 }
624 }
626 /** PEM-encode the public key portion of <b>env</b> and write it to a
627 * newly allocated string. On success, set *<b>dest</b> to the new
628 * string, *<b>len</b> to the string's length, and return 0. On
629 * failure, return -1.
630 */
631 int
634 {
636 }
638 /** PEM-encode the private key portion of <b>env</b> and write it to a
639 * newly allocated string. On success, set *<b>dest</b> to the new
640 * string, *<b>len</b> to the string's length, and return 0. On
641 * failure, return -1.
642 */
643 int
646 {
648 }
650 /** Read a PEM-encoded public key from the first <b>len</b> characters of
651 * <b>src</b>, and store the result in <b>env</b>. Return 0 on success, -1 on
652 * failure.
653 */
654 int
657 {
675 }
678 }
680 /** Write the private key from <b>env</b> into the file named by <b>fname</b>,
681 * PEM-encoded. Return 0 on success, -1 on failure.
682 */
683 int
686 {
702 }
713 }
715 /** Return true iff <b>env</b> has a valid key.
716 */
717 int
719 {
727 }
729 /** Return true iff <b>key</b> contains the private-key portion of the RSA
730 * key. */
731 int
733 {
736 }
738 /** Compare the public-key components of a and b. Return -1 if a\<b, 0
739 * if a==b, and 1 if a\>b.
740 */
741 int
743 {
758 }
760 /** Return the size of the public key modulus in <b>env</b>, in bytes. */
761 size_t
763 {
768 }
770 /** Increase the reference count of <b>env</b>, and return it.
771 */
772 crypto_pk_env_t *
774 {
780 }
782 /** Make a real honest-to-goodness copy of <b>env</b>, and return it. */
783 crypto_pk_env_t *
785 {
796 }
805 }
808 }
810 /** Encrypt <b>fromlen</b> bytes from <b>from</b> with the public key
811 * in <b>env</b>, using the padding method <b>padding</b>. On success,
812 * write the result to <b>to</b>, and return the number of bytes
813 * written. On failure, return -1.
814 *
815 * <b>tolen</b> is the number of writable bytes in <b>to</b>, and must be
816 * at least the length of the modulus of <b>env</b>.
817 */
818 int
821 {
835 }
837 }
839 /** Decrypt <b>fromlen</b> bytes from <b>from</b> with the private key
840 * in <b>env</b>, using the padding method <b>padding</b>. On success,
841 * write the result to <b>to</b>, and return the number of bytes
842 * written. On failure, return -1.
843 *
844 * <b>tolen</b> is the number of writable bytes in <b>to</b>, and must be
845 * at least the length of the modulus of <b>env</b>.
846 */
847 int
852 {
861 /* Not a private key */
872 }
874 }
876 /** Check the signature in <b>from</b> (<b>fromlen</b> bytes long) with the
877 * public key in <b>env</b>, using PKCS1 padding. On success, write the
878 * signed data to <b>to</b>, and return the number of bytes written.
879 * On failure, return -1.
880 *
881 * <b>tolen</b> is the number of writable bytes in <b>to</b>, and must be
882 * at least the length of the modulus of <b>env</b>.
883 */
884 int
888 {
902 }
904 }
906 /** Check a siglen-byte long signature at <b>sig</b> against
907 * <b>datalen</b> bytes of data at <b>data</b>, using the public key
908 * in <b>env</b>. Return 0 if <b>sig</b> is a correct signature for
909 * SHA1(data). Else return -1.
910 */
911 int
914 {
929 }
937 }
942 }
946 }
948 /** Sign <b>fromlen</b> bytes of data from <b>from</b> with the private key in
949 * <b>env</b>, using PKCS1 padding. On success, write the signature to
950 * <b>to</b>, and return the number of bytes written. On failure, return
951 * -1.
952 *
953 * <b>tolen</b> is the number of writable bytes in <b>to</b>, and must be
954 * at least the length of the modulus of <b>env</b>.
955 */
956 int
959 {
967 /* Not a private key */
976 }
978 }
980 /** Compute a SHA1 digest of <b>fromlen</b> bytes of data stored at
981 * <b>from</b>; sign the data with the private key in <b>env</b>, and
982 * store it in <b>to</b>. Return the number of bytes written on
983 * success, and -1 on failure.
984 *
985 * <b>tolen</b> is the number of writable bytes in <b>to</b>, and must be
986 * at least the length of the modulus of <b>env</b>.
987 */
988 int
991 {
999 }
1001 /** Perform a hybrid (public/secret) encryption on <b>fromlen</b>
1002 * bytes of data from <b>from</b>, with padding type 'padding',
1003 * storing the results on <b>to</b>.
1004 *
1005 * If no padding is used, the public key must be at least as large as
1006 * <b>from</b>.
1007 *
1008 * Returns the number of bytes written on success, -1 on failure.
1009 *
1010 * The encrypted data consists of:
1011 * - The source data, padded and encrypted with the public key, if the
1012 * padded source data is no longer than the public key, and <b>force</b>
1013 * is false, OR
1014 * - The beginning of the source data prefixed with a 16-byte symmetric key,
1015 * padded and encrypted with the public key; followed by the rest of
1016 * the source data encrypted in AES-CTR mode with the symmetric key.
1017 */
1018 int
1024 {
1042 /* It all fits in a single encrypt. */
1044 tolen,
1046 }
1054 /* You can't just run around RSA-encrypting any bitstream: if it's
1055 * greater than the RSA key, then OpenSSL will happily encrypt, and
1056 * later decrypt to the wrong value. So we set the first bit of
1057 * 'cipher->key' to 0 if we aren't padding. This means that our
1058 * symmetric key is really only 127 bits.
1059 */
1068 /* Length of symmetrically encrypted data. */
1074 }
1084 err:
1088 }
1091 }
1093 /** Invert crypto_pk_public_hybrid_encrypt. */
1094 int
1101 {
1112 warnOnFailure);
1113 }
1117 warnOnFailure);
1122 }
1127 }
1131 }
1143 err:
1148 }
1150 /** ASN.1-encode the public portion of <b>pk</b> into <b>dest</b>.
1151 * Return -1 on error, or the number of characters used on success.
1152 */
1153 int
1155 {
1167 }
1168 /* We don't encode directly into 'dest', because that would be illegal
1169 * type-punning. (C99 is smarter than me, C99 is smarter than me...)
1170 */
1174 }
1176 /** Decode an ASN.1-encoded public key from <b>str</b>; return the result on
1177 * success and NULL on failure.
1178 */
1179 crypto_pk_env_t *
1181 {
1184 /* This ifdef suppresses a type warning. Take out the first case once
1185 * everybody is using OpenSSL 0.9.7 or later.
1186 */
1195 }
1197 }
1199 /** Given a private or public key <b>pk</b>, put a SHA1 hash of the
1200 * public key into <b>digest_out</b> (must have DIGEST_LEN bytes of space).
1201 * Return 0 on success, -1 on failure.
1202 */
1203 int
1205 {
1218 }
1222 }
1225 }
1227 /** Copy <b>in</b> to the <b>outlen</b>-byte buffer <b>out</b>, adding spaces
1228 * every four spaces. */
1231 {
1241 }
1242 }
1245 }
1247 /** Given a private or public key <b>pk</b>, put a fingerprint of the
1248 * public key into <b>fp_out</b> (must have at least FINGERPRINT_LEN+1 bytes of
1249 * space). Return 0 on success, -1 on failure.
1250 *
1251 * Fingerprints are computed as the SHA1 digest of the ASN.1 encoding
1252 * of the public key, converted to hexadecimal, in upper case, with a
1253 * space after every four digits.
1254 *
1255 * If <b>add_space</b> is false, omit the spaces.
1256 */
1257 int
1259 {
1264 }
1270 }
1272 }
1274 /** Return true iff <b>s</b> is in the correct format for a fingerprint.
1275 */
1276 int
1278 {
1285 }
1286 }
1289 }
1291 /* symmetric crypto */
1293 /** Generate a new random key for the symmetric cipher in <b>env</b>.
1294 * Return 0 on success, -1 on failure. Does not initialize the cipher.
1295 */
1296 int
1298 {
1302 }
1304 /** Set the symmetric key for the cipher in <b>env</b> to the first
1305 * CIPHER_KEY_LEN bytes of <b>key</b>. Does not initialize the cipher.
1306 */
1307 void
1309 {
1314 }
1316 /** Generate an initialization vector for our AES-CTR cipher; store it
1317 * in the first CIPHER_IV_LEN bytes of <b>iv_out</b>. */
1318 void
1320 {
1322 }
1324 /** Adjust the counter of <b>env</b> to point to the first byte of the block
1325 * corresponding to the encryption of the CIPHER_IV_LEN bytes at
1326 * <b>iv</b>. */
1327 int
1329 {
1334 }
1336 /** Return a pointer to the key set for the cipher in <b>env</b>.
1337 */
1340 {
1342 }
1344 /** Initialize the cipher in <b>env</b> for encryption. Return 0 on
1345 * success, -1 on failure.
1346 */
1347 int
1349 {
1354 }
1356 /** Initialize the cipher in <b>env</b> for decryption. Return 0 on
1357 * success, -1 on failure.
1358 */
1359 int
1361 {
1366 }
1368 /** Encrypt <b>fromlen</b> bytes from <b>from</b> using the cipher
1369 * <b>env</b>; on success, store the result to <b>to</b> and return 0.
1370 * On failure, return -1.
1371 */
1372 int
1375 {
1385 }
1387 /** Decrypt <b>fromlen</b> bytes from <b>from</b> using the cipher
1388 * <b>env</b>; on success, store the result to <b>to</b> and return 0.
1389 * On failure, return -1.
1390 */
1391 int
1394 {
1402 }
1404 /** Encrypt <b>len</b> bytes on <b>from</b> using the cipher in <b>env</b>;
1405 * on success, return 0. On failure, return -1.
1406 */
1407 int
1409 {
1413 }
1415 /** Encrypt <b>fromlen</b> bytes (at least 1) from <b>from</b> with the key in
1416 * <b>cipher</b> to the buffer in <b>to</b> of length
1417 * <b>tolen</b>. <b>tolen</b> must be at least <b>fromlen</b> plus
1418 * CIPHER_IV_LEN bytes for the initialization vector. On success, return the
1419 * number of bytes written, on failure, return -1.
1420 *
1421 * This function adjusts the current position of the counter in <b>cipher</b>
1422 * to immediately after the encrypted data.
1423 */
1424 int
1428 {
1444 }
1446 /** Decrypt <b>fromlen</b> bytes (at least 1+CIPHER_IV_LEN) from <b>from</b>
1447 * with the key in <b>cipher</b> to the buffer in <b>to</b> of length
1448 * <b>tolen</b>. <b>tolen</b> must be at least <b>fromlen</b> minus
1449 * CIPHER_IV_LEN bytes for the initialization vector. On success, return the
1450 * number of bytes written, on failure, return -1.
1451 *
1452 * This function adjusts the current position of the counter in <b>cipher</b>
1453 * to immediately after the decrypted data.
1454 */
1455 int
1459 {
1474 }
1476 /* SHA-1 */
1478 /** Compute the SHA1 digest of <b>len</b> bytes in data stored in
1479 * <b>m</b>. Write the DIGEST_LEN byte result into <b>digest</b>.
1480 * Return 0 on success, -1 on failure.
1481 */
1482 int
1484 {
1488 }
1490 int
1492 digest_algorithm_t algorithm)
1493 {
1498 }
1500 /** Set the digests_t in <b>ds_out</b> to contain every digest on the
1501 * <b>len</b> bytes in <b>m</b> that we know how to compute. Return 0 on
1502 * success, -1 on failure. */
1503 int
1505 {
1506 digest_algorithm_t i;
1514 }
1516 }
1518 /** Return the name of an algorithm, as used in directory documents. */
1521 {
1530 }
1531 }
1533 /** Given the name of a digest algorithm, return its integer value, or -1 if
1534 * the name is not recognized. */
1535 int
1537 {
1542 else
1544 }
1546 /** Intermediate information about the digest of a stream of data. */
1549 SHA_CTX sha1;
1550 SHA256_CTX sha2;
1553 };
1555 /** Allocate and return a new digest object.
1556 */
1557 crypto_digest_env_t *
1559 {
1565 }
1567 crypto_digest_env_t *
1569 {
1576 }
1578 /** Deallocate a digest object.
1579 */
1580 void
1582 {
1587 }
1589 /** Add <b>len</b> bytes from <b>data</b> to the digest object.
1590 */
1591 void
1594 {
1597 /* Using the SHA*_*() calls directly means we don't support doing
1598 * SHA in hardware. But so far the delay of getting the question
1599 * to the hardware, and hearing the answer, is likely higher than
1600 * just doing it ourselves. Hashes are fast.
1601 */
1612 }
1613 }
1615 /** Compute the hash of the data that has been passed to the digest
1616 * object; write the first out_len bytes of the result to <b>out</b>.
1617 * <b>out_len</b> must be \<= DIGEST256_LEN.
1618 */
1619 void
1622 {
1624 crypto_digest_env_t tmpenv;
1627 /* memcpy into a temporary ctx, since SHA*_Final clears the context */
1641 }
1644 }
1646 /** Allocate and return a new digest object with the same state as
1647 * <b>digest</b>
1648 */
1649 crypto_digest_env_t *
1651 {
1657 }
1659 /** Replace the state of the digest object <b>into</b> with the state
1660 * of the digest object <b>from</b>.
1661 */
1662 void
1665 {
1669 }
1671 /** Compute the HMAC-SHA-1 of the <b>msg_len</b> bytes in <b>msg</b>, using
1672 * the <b>key</b> of length <b>key_len</b>. Store the DIGEST_LEN-byte result
1673 * in <b>hmac_out</b>.
1674 */
1675 void
1679 {
1684 }
1686 /* DH */
1688 /** Shared P parameter for our circuit-crypto DH key exchanges. */
1690 /** Shared P parameter for our TLS DH key exchanges. */
1692 /** Shared G parameter for our DH key exchanges. */
1695 /** Initialize dh_param_p and dh_param_g if they are not already
1696 * set. */
1697 static void
1699 {
1712 /* This is from rfc2409, section 6.2. It's a safe prime, and
1713 supposedly it equals:
1714 2^1024 - 2^960 - 1 + 2^64 * { [2^894 pi] + 129093 }.
1715 */
1717 "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E08"
1718 "8A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B"
1719 "302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9"
1720 "A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE6"
1723 /* This is the 1024-bit safe prime that Apache uses for its DH stuff; see
1724 * modules/ssl/ssl_engine_dh.c */
1726 "D67DE440CBBBDC1936D693D34AFD0AD50C84D239A45F520BB88174CB98"
1727 "BCE951849F912E639C72FB13B4B4D7177E16D55AC179BA420B2A29FE324A"
1728 "467A635E81FF5901377BEDDCFD33168A461AAD3B72DAE8860078045B07A7"
1729 "DBCA7874087D1510EA9FCC9DDD330507DD62DB88AEAA747DE0F4D6E2BD68"
1738 }
1740 #define DH_PRIVATE_KEY_BITS 320
1742 /** Allocate and return a new DH object for a key exchange.
1743 */
1744 crypto_dh_env_t *
1746 {
1764 }
1772 err:
1777 }
1779 /** Return the length of the DH key in <b>dh</b>, in bytes.
1780 */
1781 int
1783 {
1786 }
1788 /** Generate \<x,g^x\> for our part of the key exchange. Return 0 on
1789 * success, -1 on failure.
1790 */
1791 int
1793 {
1794 again:
1798 }
1802 /* Free and clear the keys, so OpenSSL will actually try again. */
1807 }
1809 }
1811 /** Generate g^x as necessary, and write the g^x for the key exchange
1812 * as a <b>pubkey_len</b>-byte value into <b>pubkey</b>. Return 0 on
1813 * success, -1 on failure. <b>pubkey_len</b> must be \>= DH_BYTES.
1814 */
1815 int
1817 {
1823 }
1833 }
1839 }
1841 /** Check for bad Diffie-Hellman public keys (g^x). Return 0 if the key is
1842 * okay (in the subgroup [2,p-2]), or -1 if it's bad.
1843 * See http://www.cl.cam.ac.uk/ftp/users/rja14/psandqs.ps.gz for some tips.
1844 */
1845 static int
1847 {
1859 }
1865 }
1868 err:
1874 }
1876 #undef MIN
1877 #define MIN(a,b) ((a)<(b)?(a):(b))
1878 /** Given a DH key exchange object, and our peer's value of g^y (as a
1879 * <b>pubkey_len</b>-byte value in <b>pubkey</b>) generate
1880 * <b>secret_bytes_out</b> bytes of shared key material and write them
1881 * to <b>secret_out</b>. Return the number of bytes generated on success,
1882 * or -1 on failure.
1883 *
1884 * (We generate key material by computing
1885 * SHA1( g^xy || "\x00" ) || SHA1( g^xy || "\x01" ) || ...
1886 * where || is concatenation.)
1887 */
1888 ssize_t
1892 {
1905 /* Check for invalid public keys. */
1908 }
1915 }
1923 error:
1925 done:
1932 }
1935 else
1937 }
1939 /** Given <b>key_in_len</b> bytes of negotiated randomness in <b>key_in</b>
1940 * ("K"), expand it into <b>key_out_len</b> bytes of negotiated key material in
1941 * <b>key_out</b> by taking the first <b>key_out_len</b> bytes of
1942 * H(K | [00]) | H(K | [01]) | ....
1943 *
1944 * Return 0 on success, -1 on failure.
1945 */
1946 int
1949 {
1954 /* If we try to get more than this amount of key data, we'll repeat blocks.*/
1964 }
1970 err:
1975 }
1977 /** Free a DH key exchange object.
1978 */
1979 void
1981 {
1987 }
1989 /* random numbers */
1991 /* This is how much entropy OpenSSL likes to add right now, so maybe it will
1992 * work for us too. */
1993 #define ADD_ENTROPY 32
1995 /* Use RAND_poll if OpenSSL is 0.9.6 release or later. (The "f" means
1996 "release".) */
1997 #define HAVE_RAND_POLL (OPENSSL_VERSION_NUMBER >= 0x0090600fl)
1999 /* Versions of OpenSSL prior to 0.9.7k and 0.9.8c had a bug where RAND_poll
2000 * would allocate an fd_set on the stack, open a new file, and try to FD_SET
2001 * that fd without checking whether it fit in the fd_set. Thus, if the
2002 * system has not just been started up, it is unsafe to call */
2003 #define RAND_POLL_IS_SAFE \
2004 ((OPENSSL_VERSION_NUMBER >= 0x009070afl && \
2005 OPENSSL_VERSION_NUMBER <= 0x00907fffl) || \
2006 (OPENSSL_VERSION_NUMBER >= 0x0090803fl))
2008 static void
2010 {
2014 }
2016 /** Seed OpenSSL's random number generator with bytes from the operating
2017 * system. <b>startup</b> should be true iff we have just started Tor and
2018 * have not yet allocated a bunch of fds. Return 0 on success, -1 on failure.
2019 */
2020 int
2022 {
2025 /* local variables */
2026 #ifdef MS_WINDOWS
2030 #else
2034 };
2037 #endif
2039 #if HAVE_RAND_POLL
2040 /* OpenSSL 0.9.6 adds a RAND_poll function that knows about more kinds of
2041 * entropy than we do. We'll try calling that, *and* calling our own entropy
2042 * functions. If one succeeds, we'll accept the RNG as seeded. */
2047 }
2048 #endif
2050 #ifdef MS_WINDOWS
2053 CRYPT_VERIFYCONTEXT)) {
2057 }
2058 }
2060 }
2064 }
2069 #else
2081 }
2086 }
2090 #endif
2091 }
2093 /** Write <b>n</b> bytes of strong random data to <b>to</b>. Return 0 on
2094 * success, -1 on failure.
2095 */
2096 int
2098 {
2106 }
2108 /** Return a pseudorandom integer, chosen uniformly from the values
2109 * between 0 and <b>max</b>-1. */
2110 int
2112 {
2118 /* We ignore any values that are >= 'cutoff,' to avoid biasing the
2119 * distribution with clipping at the upper end of unsigned int's
2120 * range.
2121 */
2127 }
2128 }
2130 /** Return a pseudorandom 64-bit integer, chosen uniformly from the values
2131 * between 0 and <b>max</b>-1. */
2132 uint64_t
2134 {
2140 /* We ignore any values that are >= 'cutoff,' to avoid biasing the
2141 * distribution with clipping at the upper end of unsigned int's
2142 * range.
2143 */
2149 }
2150 }
2152 /** Return a pseudorandom double d, chosen uniformly from the range
2153 * 0.0 <= d < 1.0.
2154 */
2155 double
2157 {
2158 /* We just use an unsigned int here; we don't really care about getting
2159 * more than 32 bits of resolution */
2162 #if SIZEOF_INT == 4
2163 #define UINT_MAX_AS_DOUBLE 4294967296.0
2164 #elif SIZEOF_INT == 8
2165 #define UINT_MAX_AS_DOUBLE 1.8446744073709552e+19
2166 #else
2167 #error SIZEOF_INT is neither 4 nor 8
2168 #endif
2170 }
2172 /** Generate and return a new random hostname starting with <b>prefix</b>,
2173 * ending with <b>suffix</b>, and containing no less than
2174 * <b>min_rand_len</b> and no more than <b>max_rand_len</b> random base32
2175 * characters between. */
2179 {
2203 }
2205 /** Return a randomly chosen element of <b>sl</b>; or NULL if <b>sl</b>
2206 * is empty. */
2209 {
2214 }
2216 /** Scramble the elements of <b>sl</b> into a random order. */
2217 void
2219 {
2221 /* From the end of the list to the front, choose at random from the
2222 positions we haven't looked at yet, and swap that position into the
2223 current position. Remember to give "no swap" the same probability as
2224 any other swap. */
2228 }
2229 }
2231 /** Base-64 encode <b>srclen</b> bytes of data from <b>src</b>. Write
2232 * the result into <b>dest</b>, if it will fit within <b>destlen</b>
2233 * bytes. Return the number of bytes written on success; -1 if
2234 * destlen is too short, or other failure.
2235 */
2236 int
2238 {
2239 /* FFFF we might want to rewrite this along the lines of base64_decode, if
2240 * it ever shows up in the profile. */
2241 EVP_ENCODE_CTX ctx;
2245 /* 48 bytes of input -> 64 bytes of output plus newline.
2246 Plus one more byte, in case I'm wrong.
2247 */
2259 }
2261 #define X 255
2262 #define SP 64
2263 #define PAD 65
2264 /** Internal table mapping byte values to what they represent in base64.
2265 * Numbers 0..63 are 6-bit integers. SPs are spaces, and should be
2266 * skipped. Xs are invalid and must not appear in base64. PAD indicates
2267 * end-of-string. */
2285 };
2287 /** Base-64 decode <b>srclen</b> bytes of data from <b>src</b>. Write
2288 * the result into <b>dest</b>, if it will fit within <b>destlen</b>
2289 * bytes. Return the number of bytes written on success; -1 if
2290 * destlen is too short, or other failure.
2291 *
2292 * NOTE 1: destlen is checked conservatively, as though srclen contained no
2293 * spaces or padding.
2294 *
2295 * NOTE 2: This implementation does not check for the correct number of
2296 * padding "=" characters at the end of the string, and does not check
2297 * for internal padding characters.
2298 */
2299 int
2301 {
2302 #ifdef USE_OPENSSL_BASE64
2303 EVP_ENCODE_CTX ctx;
2305 /* 64 bytes of input -> *up to* 48 bytes of output.
2306 Plus one more byte, in case I'm wrong.
2307 */
2319 #else
2325 /* Max number of bits == srclen*6.
2326 * Number of bytes required to hold all bits == (srclen*6)/8.
2327 * Yes, we want to round down: anything that hangs over the end of a
2328 * byte is padding. */
2334 /* Iterate over all the bytes in src. Each one will add 0 or 6 bits to the
2335 * value we're decoding. Accumulate bits in <b>n</b>, and whenever we have
2336 * 24 bits, batch them into 3 bytes and flush those bytes to dest.
2337 */
2343 /* This character isn't allowed in base64. */
2346 /* This character is whitespace, and has no effect. */
2349 /* We've hit an = character: the data is over. */
2352 /* We have an actual 6-bit value. Append it to the bits in n. */
2355 /* We've accumulated 24 bits in n. Flush them. */
2361 }
2362 }
2363 }
2364 end_of_loop:
2365 /* If we have leftover bits, we need to cope. */
2369 /* No leftover bits. We win. */
2372 /* 6 leftover bits. That's invalid; we can't form a byte out of that. */
2375 /* 12 leftover bits: The last 4 are padding and the first 8 are data. */
2379 /* 18 leftover bits: The last 2 are padding and the first 16 are data. */
2382 }
2388 #endif
2389 }
2390 #undef X
2391 #undef SP
2392 #undef PAD
2394 /** Base-64 encode DIGEST_LINE bytes from <b>digest</b>, remove the trailing =
2395 * and newline characters, and store the nul-terminated result in the first
2396 * BASE64_DIGEST_LEN+1 bytes of <b>d64</b>. */
2397 int
2399 {
2405 }
2407 /** Given a base-64 encoded, nul-terminated digest in <b>d64</b> (without
2408 * trailing newline or = characters), decode it and store the result in the
2409 * first DIGEST_LEN bytes at <b>digest</b>. */
2410 int
2412 {
2413 #ifdef USE_OPENSSL_BASE64
2424 #else
2427 else
2429 #endif
2430 }
2432 /** Base-64 encode DIGEST256_LINE bytes from <b>digest</b>, remove the
2433 * trailing = and newline characters, and store the nul-terminated result in
2434 * the first BASE64_DIGEST256_LEN+1 bytes of <b>d64</b>. */
2435 int
2437 {
2443 }
2445 /** Given a base-64 encoded, nul-terminated digest in <b>d64</b> (without
2446 * trailing newline or = characters), decode it and store the result in the
2447 * first DIGEST256_LEN bytes at <b>digest</b>. */
2448 int
2450 {
2451 #ifdef USE_OPENSSL_BASE64
2462 #else
2465 else
2467 #endif
2468 }
2470 /** Implements base32 encoding as in rfc3548. Limitation: Requires
2471 * that srclen*8 is a multiple of 5.
2472 */
2473 void
2475 {
2485 /* set v to the 16-bit value starting at src[bits/8], 0-padded. */
2488 /* set u to the 5-bit value at the bit'th bit of src. */
2491 }
2493 }
2495 /** Implements base32 decoding as in rfc3548. Limitation: Requires
2496 * that srclen*5 is a multiple of 8. Returns 0 if successful, -1 otherwise.
2497 */
2498 int
2500 {
2501 /* XXXX we might want to rewrite this along the lines of base64_decode, if
2502 * it ever shows up in the profile. */
2513 /* Convert base32 encoded chars to the 5-bit values that they represent. */
2523 }
2524 }
2526 /* Assemble result byte-wise by applying five possible cases. */
2551 }
2552 }
2558 }
2560 /** Implement RFC2440-style iterated-salted S2K conversion: convert the
2561 * <b>secret_len</b>-byte <b>secret</b> into a <b>key_out_len</b> byte
2562 * <b>key_out</b>. As in RFC2440, the first 8 bytes of s2k_specifier
2563 * are a salt; the 9th byte describes how much iteration to do.
2564 * Does not support <b>key_out_len</b> > DIGEST_LEN.
2565 */
2566 void
2569 {
2576 #define EXPBIAS 6
2579 #undef EXPBIAS
2596 }
2597 }
2602 }
2604 #ifdef TOR_IS_MULTITHREADED
2605 /** Helper: OpenSSL uses this callback to manipulate mutexes. */
2606 static void
2608 {
2612 /* This is not a really good fix for the
2613 * "release-freed-lock-from-separate-thread-on-shutdown" problem, but
2614 * it can't hurt. */
2618 else
2620 }
2622 /** OpenSSL helper type: wraps a Tor mutex so that OpenSSL can use it
2623 * as a lock. */
2626 };
2628 /** OpenSSL callback function to allocate a lock: see CRYPTO_set_dynlock_*
2629 * documentation in OpenSSL's docs for more info. */
2632 {
2639 }
2641 /** OpenSSL callback function to acquire or release a lock: see
2642 * CRYPTO_set_dynlock_* documentation in OpenSSL's docs for more info. */
2643 static void
2646 {
2651 else
2653 }
2655 /** OpenSSL callback function to free a lock: see CRYPTO_set_dynlock_*
2656 * documentation in OpenSSL's docs for more info. */
2657 static void
2660 {
2665 }
2667 /** Helper: Construct mutexes, and set callbacks to help OpenSSL handle being
2668 * multithreaded. */
2669 static int
2671 {
2684 }
2685 #else
2686 static int
2688 {
2690 }
2691 #endif