| blob | 2c892fbc1ea8661d2cd5e428e9a301d3cb9a6cac |
1 /* Copyright (c) 2001, Matej Pfajfar.
2 * Copyright (c) 2001-2004, Roger Dingledine.
3 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
4 * Copyright (c) 2007-2008, The Tor Project, Inc. */
5 /* See LICENSE for licensing information */
6 /* $Id$ */
10 /**
11 * \file crypto.c
12 * \brief Wrapper functions to present a consistent interface to
13 * public-key and symmetric cryptography operations from OpenSSL.
14 **/
18 #ifdef MS_WINDOWS
19 #define WIN32_WINNT 0x400
20 #define _WIN32_WINNT 0x400
21 #define WIN32_LEAN_AND_MEAN
22 #include <windows.h>
23 #include <wincrypt.h>
24 /* Windows defines this; so does openssl 0.9.8h and later. We don't actually
25 * use either definition. */
26 #undef OCSP_RESPONSE
27 #endif
29 #include <openssl/err.h>
30 #include <openssl/rsa.h>
31 #include <openssl/pem.h>
32 #include <openssl/evp.h>
33 #include <openssl/rand.h>
34 #include <openssl/opensslv.h>
35 #include <openssl/bn.h>
36 #include <openssl/dh.h>
37 #include <openssl/conf.h>
38 #include <openssl/hmac.h>
40 #ifdef HAVE_CTYPE_H
41 #include <ctype.h>
42 #endif
43 #ifdef HAVE_UNISTD_H
44 #include <unistd.h>
45 #endif
46 #ifdef HAVE_FCNTL_H
47 #include <fcntl.h>
48 #endif
49 #ifdef HAVE_SYS_FCNTL_H
50 #include <sys/fcntl.h>
51 #endif
53 #define CRYPTO_PRIVATE
61 #if OPENSSL_VERSION_NUMBER < 0x00907000l
63 #endif
65 #include <openssl/engine.h>
67 /** Macro: is k a valid RSA public or private key? */
68 #define PUBLIC_KEY_OK(k) ((k) && (k)->key && (k)->key->n)
69 /** Macro: is k a valid RSA private key? */
70 #define PRIVATE_KEY_OK(k) ((k) && (k)->key && (k)->key->p)
72 #ifdef TOR_IS_MULTITHREADED
73 /** A number of prealloced mutexes for use by openssl. */
75 /** How many mutexes have we allocated for use by openssl? */
77 #endif
79 /** A public key, or a public/private keypair. */
80 struct crypto_pk_env_t
81 {
84 };
86 /** Key and stream information for a stream cipher. */
87 struct crypto_cipher_env_t
88 {
91 };
93 /** A structure to hold the first half (x, g^x) of a Diffie-Hellman handshake
94 * while we're waiting for the second.*/
97 };
102 /** Return the number of bytes added by padding method <b>padding</b>.
103 */
106 {
108 {
113 }
114 }
116 /** Given a padding method <b>padding</b>, return the correct OpenSSL constant.
117 */
120 {
122 {
127 }
128 }
130 /** Boolean: has OpenSSL's crypto been initialized? */
133 /** Log all pending crypto errors at level <b>severity</b>. Use
134 * <b>doing</b> to describe our current activities.
135 */
136 static void
138 {
153 }
154 }
155 }
157 /** Log any OpenSSL engines we're using at NOTICE. */
158 static void
160 {
169 }
170 }
172 /** Initialize the crypto library. Return 0 on success, -1 on failure.
173 */
174 int
176 {
182 /* XXX the below is a bug, since we can't know if we're supposed
183 * to be using hardware acceleration or not. we should arrange
184 * for this function to be called before init_keys. But make it
185 * not complain loudly, at least until we make acceleration work. */
188 }
195 /* XXXX make sure this isn't leaking. */
202 }
203 }
205 }
207 /** Free crypto resources held by this thread. */
208 void
210 {
212 }
214 /** Uninitialize the crypto library. Return 0 on success, -1 on failure.
215 */
216 int
218 {
225 #ifdef TOR_IS_MULTITHREADED
234 }
236 }
237 #endif
239 }
241 /** used by tortls.c: wrap an RSA* in a crypto_pk_env_t. */
242 crypto_pk_env_t *
244 {
251 }
253 /** used by tortls.c: wrap the RSA from an evp_pkey in a crypto_pk_env_t.
254 * returns NULL if this isn't an RSA key. */
255 crypto_pk_env_t *
257 {
262 }
264 /** Helper, used by tor-checkkey.c. Return the RSA from a crypto_pk_env_t. */
265 RSA *
267 {
269 }
271 /** used by tortls.c: get an equivalent EVP_PKEY* for a crypto_pk_env_t. Iff
272 * private is set, include the private-key portion of the key. */
273 EVP_PKEY *
275 {
285 }
291 error:
297 }
299 /** Used by tortls.c: Get the DH* from a crypto_dh_env_t.
300 */
301 DH *
303 {
305 }
307 /** Allocate and return storage for a public key. The key itself will not yet
308 * be set.
309 */
310 crypto_pk_env_t *
312 {
318 }
320 /** Release a reference to an asymmetric key; when all the references
321 * are released, free the key.
322 */
323 void
325 {
335 }
337 /** Create a new symmetric cipher for a given key and encryption flag
338 * (1=encrypt, 0=decrypt). Return the crypto object on success; NULL
339 * on failure.
340 */
341 crypto_cipher_env_t *
343 {
350 }
355 }
359 else
366 error:
370 }
372 /** Allocate and return a new symmetric cipher.
373 */
374 crypto_cipher_env_t *
376 {
382 }
384 /** Free a symmetric cipher.
385 */
386 void
388 {
395 }
397 /* public key crypto */
399 /** Generate a new public/private keypair in <b>env</b>. Return 0 on
400 * success, -1 on failure.
401 */
402 int
404 {
409 #if OPENSSL_VERSION_NUMBER < 0x00908000l
410 /* In openssl 0.9.7, RSA_generate_key is all we have. */
412 #else
413 /* In openssl 0.9.8, RSA_generate_key is deprecated. */
414 {
429 done:
434 }
435 #endif
439 }
442 }
444 /** Read a PEM-encoded private key from the string <b>s</b> into <b>env</b>.
445 * Return 0 on success, -1 on failure.
446 */
447 /* Used here, and used for testing. */
448 int
451 {
457 /* Create a read-only memory BIO, backed by the nul-terminated string 's' */
470 }
472 }
474 /** Read a PEM-encoded private key from the file named by
475 * <b>keyfile</b> into <b>env</b>. Return 0 on success, -1 on failure.
476 */
477 int
480 {
484 /* Read the file into a string. */
489 }
491 /* Try to parse it. */
497 /* Make sure it's valid. */
502 }
504 /** Helper function to implement crypto_pk_write_*_key_to_string. */
505 static int
508 {
519 /* Now you can treat b as if it were a file. Just use the
520 * PEM_*_bio_* functions instead of the non-bio variants.
521 */
524 else
531 }
545 }
547 /** PEM-encode the public key portion of <b>env</b> and write it to a
548 * newly allocated string. On success, set *<b>dest</b> to the new
549 * string, *<b>len</b> to the string's length, and return 0. On
550 * failure, return -1.
551 */
552 int
555 {
557 }
559 /** PEM-encode the private key portion of <b>env</b> and write it to a
560 * newly allocated string. On success, set *<b>dest</b> to the new
561 * string, *<b>len</b> to the string's length, and return 0. On
562 * failure, return -1.
563 */
564 int
567 {
569 }
571 /** Read a PEM-encoded public key from the first <b>len</b> characters of
572 * <b>src</b>, and store the result in <b>env</b>. Return 0 on success, -1 on
573 * failure.
574 */
575 int
578 {
596 }
599 }
601 /** Write the private key from <b>env</b> into the file named by <b>fname</b>,
602 * PEM-encoded. Return 0 on success, -1 on failure.
603 */
604 int
607 {
623 }
633 }
635 /** Return true iff <b>env</b> has a valid key.
636 */
637 int
639 {
647 }
649 /** Return true iff <b>key</b> contains the private-key portion of the RSA
650 * key. */
651 int
653 {
656 }
658 /** Compare the public-key components of a and b. Return -1 if a\<b, 0
659 * if a==b, and 1 if a\>b.
660 */
661 int
663 {
678 }
680 /** Return the size of the public key modulus in <b>env</b>, in bytes. */
681 size_t
683 {
688 }
690 /** Increase the reference count of <b>env</b>, and return it.
691 */
692 crypto_pk_env_t *
694 {
700 }
702 /** Make a real honest-to-goodness copy of <b>env</b>, and return it. */
703 crypto_pk_env_t *
705 {
714 }
717 }
719 /** Encrypt <b>fromlen</b> bytes from <b>from</b> with the public key
720 * in <b>env</b>, using the padding method <b>padding</b>. On success,
721 * write the result to <b>to</b>, and return the number of bytes
722 * written. On failure, return -1.
723 */
724 int
727 {
740 }
742 }
744 /** Decrypt <b>fromlen</b> bytes from <b>from</b> with the private key
745 * in <b>env</b>, using the padding method <b>padding</b>. On success,
746 * write the result to <b>to</b>, and return the number of bytes
747 * written. On failure, return -1.
748 */
749 int
753 {
761 /* Not a private key */
772 }
774 }
776 /** Check the signature in <b>from</b> (<b>fromlen</b> bytes long) with the
777 * public key in <b>env</b>, using PKCS1 padding. On success, write the
778 * signed data to <b>to</b>, and return the number of bytes written.
779 * On failure, return -1.
780 */
781 int
784 {
797 }
799 }
801 /** Check a siglen-byte long signature at <b>sig</b> against
802 * <b>datalen</b> bytes of data at <b>data</b>, using the public key
803 * in <b>env</b>. Return 0 if <b>sig</b> is a correct signature for
804 * SHA1(data). Else return -1.
805 */
806 int
809 {
821 }
828 }
833 }
837 }
839 /** Sign <b>fromlen</b> bytes of data from <b>from</b> with the private key in
840 * <b>env</b>, using PKCS1 padding. On success, write the signature to
841 * <b>to</b>, and return the number of bytes written. On failure, return
842 * -1.
843 */
844 int
847 {
854 /* Not a private key */
863 }
865 }
867 /** Compute a SHA1 digest of <b>fromlen</b> bytes of data stored at
868 * <b>from</b>; sign the data with the private key in <b>env</b>, and
869 * store it in <b>to</b>. Return the number of bytes written on
870 * success, and -1 on failure.
871 */
872 int
875 {
883 }
885 /** Perform a hybrid (public/secret) encryption on <b>fromlen</b>
886 * bytes of data from <b>from</b>, with padding type 'padding',
887 * storing the results on <b>to</b>.
888 *
889 * If no padding is used, the public key must be at least as large as
890 * <b>from</b>.
891 *
892 * Returns the number of bytes written on success, -1 on failure.
893 *
894 * The encrypted data consists of:
895 * - The source data, padded and encrypted with the public key, if the
896 * padded source data is no longer than the public key, and <b>force</b>
897 * is false, OR
898 * - The beginning of the source data prefixed with a 16-byte symmetric key,
899 * padded and encrypted with the public key; followed by the rest of
900 * the source data encrypted in AES-CTR mode with the symmetric key.
901 */
902 int
908 {
925 /* It all fits in a single encrypt. */
927 }
932 /* You can't just run around RSA-encrypting any bitstream: if it's
933 * greater than the RSA key, then OpenSSL will happily encrypt, and
934 * later decrypt to the wrong value. So we set the first bit of
935 * 'cipher->key' to 0 if we aren't padding. This means that our
936 * symmetric key is really only 127 bits.
937 */
946 /* Length of symmetrically encrypted data. */
952 }
962 err:
966 }
969 }
971 /** Invert crypto_pk_public_hybrid_encrypt. */
972 int
978 {
988 warnOnFailure);
989 }
992 warnOnFailure);
997 }
1002 }
1006 }
1017 err:
1022 }
1024 /** ASN.1-encode the public portion of <b>pk</b> into <b>dest</b>.
1025 * Return -1 on error, or the number of characters used on success.
1026 */
1027 int
1029 {
1041 }
1042 /* We don't encode directly into 'dest', because that would be illegal
1043 * type-punning. (C99 is smarter than me, C99 is smarter than me...)
1044 */
1048 }
1050 /** Decode an ASN.1-encoded public key from <b>str</b>; return the result on
1051 * success and NULL on failure.
1052 */
1053 crypto_pk_env_t *
1055 {
1058 /* This ifdef suppresses a type warning. Take out the first case once
1059 * everybody is using openssl 0.9.7 or later.
1060 */
1069 }
1071 }
1073 /** Given a private or public key <b>pk</b>, put a SHA1 hash of the
1074 * public key into <b>digest_out</b> (must have DIGEST_LEN bytes of space).
1075 * Return 0 on success, -1 on failure.
1076 */
1077 int
1079 {
1092 }
1096 }
1099 }
1101 /** Copy <b>in</b> to the <b>outlen</b>-byte buffer <b>out</b>, adding spaces
1102 * every four spaces. */
1105 {
1113 }
1114 }
1117 }
1119 /** Given a private or public key <b>pk</b>, put a fingerprint of the
1120 * public key into <b>fp_out</b> (must have at least FINGERPRINT_LEN+1 bytes of
1121 * space). Return 0 on success, -1 on failure.
1122 *
1123 * Fingerprints are computed as the SHA1 digest of the ASN.1 encoding
1124 * of the public key, converted to hexadecimal, in upper case, with a
1125 * space after every four digits.
1126 *
1127 * If <b>add_space</b> is false, omit the spaces.
1128 */
1129 int
1131 {
1136 }
1142 }
1144 }
1146 /** Return true iff <b>s</b> is in the correct format for a fingerprint.
1147 */
1148 int
1150 {
1157 }
1158 }
1161 }
1163 /* symmetric crypto */
1165 /** Generate a new random key for the symmetric cipher in <b>env</b>.
1166 * Return 0 on success, -1 on failure. Does not initialize the cipher.
1167 */
1168 int
1170 {
1174 }
1176 /** Set the symmetric key for the cipher in <b>env</b> to the first
1177 * CIPHER_KEY_LEN bytes of <b>key</b>. Does not initialize the cipher.
1178 * Return 0 on success, -1 on failure.
1179 */
1180 int
1182 {
1191 }
1193 /** Generate an initialization vector for our AES-CTR cipher; store it
1194 * in the first CIPHER_IV_LEN bytes of <b>iv_out</b>. */
1195 void
1197 {
1199 }
1201 /** Adjust the counter of <b>env</b> to point to the first byte of the block
1202 * corresponding to the encryption of the CIPHER_IV_LEN bytes at
1203 * <b>iv</b>. */
1204 int
1206 {
1211 }
1213 /** Return a pointer to the key set for the cipher in <b>env</b>.
1214 */
1217 {
1219 }
1221 /** Initialize the cipher in <b>env</b> for encryption. Return 0 on
1222 * success, -1 on failure.
1223 */
1224 int
1226 {
1231 }
1233 /** Initialize the cipher in <b>env</b> for decryption. Return 0 on
1234 * success, -1 on failure.
1235 */
1236 int
1238 {
1243 }
1245 /** Encrypt <b>fromlen</b> bytes from <b>from</b> using the cipher
1246 * <b>env</b>; on success, store the result to <b>to</b> and return 0.
1247 * On failure, return -1.
1248 */
1249 int
1252 {
1261 }
1263 /** Decrypt <b>fromlen</b> bytes from <b>from</b> using the cipher
1264 * <b>env</b>; on success, store the result to <b>to</b> and return 0.
1265 * On failure, return -1.
1266 */
1267 int
1270 {
1277 }
1279 /** Encrypt <b>len</b> bytes on <b>from</b> using the cipher in <b>env</b>;
1280 * on success, return 0. On failure, return -1.
1281 */
1282 int
1284 {
1287 }
1289 /** Encrypt <b>fromlen</b> bytes (at least 1) from <b>from</b> with the key in
1290 * <b>cipher</b> to the buffer in <b>to</b> of length
1291 * <b>tolen</b>. <b>tolen</b> must be at least <b>fromlen</b> plus
1292 * CIPHER_IV_LEN bytes for the initialization vector. On success, return the
1293 * number of bytes written, on failure, return -1.
1294 *
1295 * This function adjusts the current position of the counter in <b>cipher</b>
1296 * to immediately after the encrypted data.
1297 */
1298 int
1302 {
1318 }
1320 /** Decrypt <b>fromlen</b> bytes (at least 1+CIPHER_IV_LEN) from <b>from</b>
1321 * with the key in <b>cipher</b> to the buffer in <b>to</b> of length
1322 * <b>tolen</b>. <b>tolen</b> must be at least <b>fromlen</b> minus
1323 * CIPHER_IV_LEN bytes for the initialization vector. On success, return the
1324 * number of bytes written, on failure, return -1.
1325 *
1326 * This function adjusts the current position of the counter in <b>cipher</b>
1327 * to immediately after the decrypted data.
1328 */
1329 int
1333 {
1348 }
1350 /* SHA-1 */
1352 /** Compute the SHA1 digest of <b>len</b> bytes in data stored in
1353 * <b>m</b>. Write the DIGEST_LEN byte result into <b>digest</b>.
1354 * Return 0 on success, -1 on failure.
1355 */
1356 int
1358 {
1362 }
1364 /** Intermediate information about the digest of a stream of data. */
1366 SHA_CTX d;
1367 };
1369 /** Allocate and return a new digest object.
1370 */
1371 crypto_digest_env_t *
1373 {
1378 }
1380 /** Deallocate a digest object.
1381 */
1382 void
1384 {
1387 }
1389 /** Add <b>len</b> bytes from <b>data</b> to the digest object.
1390 */
1391 void
1394 {
1397 /* Using the SHA1_*() calls directly means we don't support doing
1398 * sha1 in hardware. But so far the delay of getting the question
1399 * to the hardware, and hearing the answer, is likely higher than
1400 * just doing it ourselves. Hashes are fast.
1401 */
1403 }
1405 /** Compute the hash of the data that has been passed to the digest
1406 * object; write the first out_len bytes of the result to <b>out</b>.
1407 * <b>out_len</b> must be \<= DIGEST_LEN.
1408 */
1409 void
1412 {
1414 SHA_CTX tmpctx;
1418 /* memcpy into a temporary ctx, since SHA1_Final clears the context */
1423 }
1425 /** Allocate and return a new digest object with the same state as
1426 * <b>digest</b>
1427 */
1428 crypto_digest_env_t *
1430 {
1436 }
1438 /** Replace the state of the digest object <b>into</b> with the state
1439 * of the digest object <b>from</b>.
1440 */
1441 void
1444 {
1448 }
1450 /** Compute the HMAC-SHA-1 of the <b>msg_len</b> bytes in <b>msg</b>, using
1451 * the <b>key</b> of length <b>key_len</b>. Store the DIGEST_LEN-byte result
1452 * in <b>hmac_out</b>.
1453 */
1454 void
1458 {
1463 }
1465 /* DH */
1467 /** Shared P parameter for our DH key exchanged. */
1469 /** Shared G parameter for our DH key exchanges. */
1472 /** Initialize dh_param_p and dh_param_g if they are not already
1473 * set. */
1474 static void
1476 {
1487 /* This is from rfc2409, section 6.2. It's a safe prime, and
1488 supposedly it equals:
1489 2^1024 - 2^960 - 1 + 2^64 * { [2^894 pi] + 129093 }.
1490 */
1492 "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E08"
1493 "8A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B"
1494 "302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9"
1495 "A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE6"
1503 }
1505 #define DH_PRIVATE_KEY_BITS 320
1507 /** Allocate and return a new DH object for a key exchange.
1508 */
1509 crypto_dh_env_t *
1511 {
1529 err:
1534 }
1536 /** Return the length of the DH key in <b>dh</b>, in bytes.
1537 */
1538 int
1540 {
1543 }
1545 /** Generate \<x,g^x\> for our part of the key exchange. Return 0 on
1546 * success, -1 on failure.
1547 */
1548 int
1550 {
1551 again:
1555 }
1559 /* Free and clear the keys, so openssl will actually try again. */
1564 }
1566 }
1568 /** Generate g^x as necessary, and write the g^x for the key exchange
1569 * as a <b>pubkey_len</b>-byte value into <b>pubkey</b>. Return 0 on
1570 * success, -1 on failure. <b>pubkey_len</b> must be \>= DH_BYTES.
1571 */
1572 int
1574 {
1580 }
1590 }
1596 }
1598 /** Check for bad diffie-hellman public keys (g^x). Return 0 if the key is
1599 * okay (in the subgroup [2,p-2]), or -1 if it's bad.
1600 * See http://www.cl.cam.ac.uk/ftp/users/rja14/psandqs.ps.gz for some tips.
1601 */
1602 static int
1604 {
1616 }
1622 }
1625 err:
1631 }
1633 #undef MIN
1634 #define MIN(a,b) ((a)<(b)?(a):(b))
1635 /** Given a DH key exchange object, and our peer's value of g^y (as a
1636 * <b>pubkey_len</b>-byte value in <b>pubkey</b>) generate
1637 * <b>secret_bytes_out</b> bytes of shared key material and write them
1638 * to <b>secret_out</b>. Return the number of bytes generated on success,
1639 * or -1 on failure.
1640 *
1641 * (We generate key material by computing
1642 * SHA1( g^xy || "\x00" ) || SHA1( g^xy || "\x01" ) || ...
1643 * where || is concatenation.)
1644 */
1645 ssize_t
1649 {
1662 /* Check for invalid public keys. */
1665 }
1671 }
1679 error:
1681 done:
1688 else
1690 }
1692 /** Given <b>key_in_len</b> bytes of negotiated randomness in <b>key_in</b>
1693 * ("K"), expand it into <b>key_out_len</b> bytes of negotiated key material in
1694 * <b>key_out</b> by taking the first <b>key_out_len</b> bytes of
1695 * H(K | [00]) | H(K | [01]) | ....
1696 *
1697 * Return 0 on success, -1 on failure.
1698 */
1699 int
1702 {
1707 /* If we try to get more than this amount of key data, we'll repeat blocks.*/
1717 }
1723 err:
1728 }
1730 /** Free a DH key exchange object.
1731 */
1732 void
1734 {
1739 }
1741 /* random numbers */
1743 /* This is how much entropy OpenSSL likes to add right now, so maybe it will
1744 * work for us too. */
1745 #define ADD_ENTROPY 32
1747 /* Use RAND_poll if openssl is 0.9.6 release or later. (The "f" means
1748 "release".) */
1749 #define HAVE_RAND_POLL (OPENSSL_VERSION_NUMBER >= 0x0090600fl)
1751 /* Versions of openssl prior to 0.9.7k and 0.9.8c had a bug where RAND_poll
1752 * would allocate an fd_set on the stack, open a new file, and try to FD_SET
1753 * that fd without checking whether it fit in the fd_set. Thus, if the
1754 * system has not just been started up, it is unsafe to call */
1755 #define RAND_POLL_IS_SAFE \
1756 ((OPENSSL_VERSION_NUMBER >= 0x009070afl && \
1757 OPENSSL_VERSION_NUMBER <= 0x00907fffl) || \
1758 (OPENSSL_VERSION_NUMBER >= 0x0090803fl))
1760 /** Seed OpenSSL's random number generator with bytes from the operating
1761 * system. <b>startup</b> should be true iff we have just started Tor and
1762 * have not yet allocated a bunch of fds. Return 0 on success, -1 on failure.
1763 */
1764 int
1766 {
1770 /* local variables */
1771 #ifdef MS_WINDOWS
1774 #else
1777 };
1780 #endif
1782 #if HAVE_RAND_POLL
1783 /* OpenSSL 0.9.6 adds a RAND_poll function that knows about more kinds of
1784 * entropy than we do. We'll try calling that, *and* calling our own entropy
1785 * functions. If one succeeds, we'll accept the RNG as seeded. */
1790 }
1791 #endif
1793 #ifdef MS_WINDOWS
1796 CRYPT_VERIFYCONTEXT)) {
1800 }
1801 }
1803 }
1807 }
1811 #else
1823 }
1827 }
1831 #endif
1832 }
1834 /** Write <b>n</b> bytes of strong random data to <b>to</b>. Return 0 on
1835 * success, -1 on failure.
1836 */
1837 int
1839 {
1847 }
1849 /** Return a pseudorandom integer, chosen uniformly from the values
1850 * between 0 and <b>max</b>-1. */
1851 int
1853 {
1859 /* We ignore any values that are >= 'cutoff,' to avoid biasing the
1860 * distribution with clipping at the upper end of unsigned int's
1861 * range.
1862 */
1868 }
1869 }
1871 /** Return a pseudorandom 64-bit integer, chosen uniformly from the values
1872 * between 0 and <b>max</b>-1. */
1873 uint64_t
1875 {
1881 /* We ignore any values that are >= 'cutoff,' to avoid biasing the
1882 * distribution with clipping at the upper end of unsigned int's
1883 * range.
1884 */
1890 }
1891 }
1893 /** Generate and return a new random hostname starting with <b>prefix</b>,
1894 * ending with <b>suffix</b>, and containing no less than
1895 * <b>min_rand_len</b> and no more than <b>max_rand_len</b> random base32
1896 * characters between. */
1900 {
1924 }
1926 /** Return a randomly chosen element of <b>sl</b>; or NULL if <b>sl</b>
1927 * is empty. */
1930 {
1935 }
1937 /** Scramble the elements of <b>sl</b> into a random order. */
1938 void
1940 {
1942 /* From the end of the list to the front, choose at random from the
1943 positions we haven't looked at yet, and swap that position into the
1944 current position. Remember to give "no swap" the same probability as
1945 any other swap. */
1949 }
1950 }
1952 /** Base-64 encode <b>srclen</b> bytes of data from <b>src</b>. Write
1953 * the result into <b>dest</b>, if it will fit within <b>destlen</b>
1954 * bytes. Return the number of bytes written on success; -1 if
1955 * destlen is too short, or other failure.
1956 */
1957 int
1959 {
1960 /* FFFF we might want to rewrite this along the lines of base64_decode, if
1961 * it ever shows up in the profile. */
1962 EVP_ENCODE_CTX ctx;
1966 /* 48 bytes of input -> 64 bytes of output plus newline.
1967 Plus one more byte, in case I'm wrong.
1968 */
1980 }
1982 #define X 255
1983 #define SP 64
1984 #define PAD 65
1985 /** Internal table mapping byte values to what they represent in base64.
1986 * Numbers 0..63 are 6-bit integers. SPs are spaces, and should be
1987 * skipped. Xs are invalid and must not appear in base64. PAD indicates
1988 * end-of-string. */
2006 };
2008 /** Base-64 decode <b>srclen</b> bytes of data from <b>src</b>. Write
2009 * the result into <b>dest</b>, if it will fit within <b>destlen</b>
2010 * bytes. Return the number of bytes written on success; -1 if
2011 * destlen is too short, or other failure.
2012 *
2013 * NOTE 1: destlen is checked conservatively, as though srclen contained no
2014 * spaces or padding.
2015 *
2016 * NOTE 2: This implementation does not check for the correct number of
2017 * padding "=" characters at the end of the string, and does not check
2018 * for internal padding characters.
2019 */
2020 int
2022 {
2023 #ifdef USE_OPENSSL_BASE64
2024 EVP_ENCODE_CTX ctx;
2026 /* 64 bytes of input -> *up to* 48 bytes of output.
2027 Plus one more byte, in case I'm wrong.
2028 */
2040 #else
2046 /* Max number of bits == srclen*6.
2047 * Number of bytes required to hold all bits == (srclen*6)/8.
2048 * Yes, we want to round down: anything that hangs over the end of a
2049 * byte is padding. */
2055 /* Iterate over all the bytes in src. Each one will add 0 or 6 bits to the
2056 * value we're decoding. Accumulate bits in <b>n</b>, and whenever we have
2057 * 24 bits, batch them into 3 bytes and flush those bytes to dest.
2058 */
2064 /* This character isn't allowed in base64. */
2067 /* This character is whitespace, and has no effect. */
2070 /* We've hit an = character: the data is over. */
2073 /* We have an actual 6-bit value. Append it to the bits in n. */
2076 /* We've accumulated 24 bits in n. Flush them. */
2082 }
2083 }
2084 }
2085 end_of_loop:
2086 /* If we have leftover bits, we need to cope. */
2090 /* No leftover bits. We win. */
2093 /* 6 leftover bits. That's invalid; we can't form a byte out of that. */
2096 /* 12 leftover bits: The last 4 are padding and the first 8 are data. */
2100 /* 18 leftover bits: The last 2 are padding and the first 16 are data. */
2103 }
2109 #endif
2110 }
2111 #undef X
2112 #undef SP
2113 #undef PAD
2115 /** Base-64 encode DIGEST_LINE bytes from <b>digest</b>, remove the trailing =
2116 * and newline characters, and store the nul-terminated result in the first
2117 * BASE64_DIGEST_LEN+1 bytes of <b>d64</b>. */
2118 int
2120 {
2126 }
2128 /** Given a base-64 encoded, nul-terminated digest in <b>d64</b> (without
2129 * trailing newline or = characters), decode it and store the result in the
2130 * first DIGEST_LEN bytes at <b>digest</b>. */
2131 int
2133 {
2134 #ifdef USE_OPENSSL_BASE64
2145 #else
2148 else
2150 #endif
2151 }
2153 /** Implements base32 encoding as in rfc3548. Limitation: Requires
2154 * that srclen*8 is a multiple of 5.
2155 */
2156 void
2158 {
2167 /* set v to the 16-bit value starting at src[bits/8], 0-padded. */
2170 /* set u to the 5-bit value at the bit'th bit of src. */
2173 }
2175 }
2177 /** Implements base32 decoding as in rfc3548. Limitation: Requires
2178 * that srclen*5 is a multiple of 8. Returns 0 if successful, -1 otherwise.
2179 */
2180 int
2182 {
2183 /* XXXX we might want to rewrite this along the lines of base64_decode, if
2184 * it ever shows up in the profile. */
2194 /* Convert base32 encoded chars to the 5-bit values that they represent. */
2204 }
2205 }
2207 /* Assemble result byte-wise by applying five possible cases. */
2232 }
2233 }
2239 }
2241 /** Implement RFC2440-style iterated-salted S2K conversion: convert the
2242 * <b>secret_len</b>-byte <b>secret</b> into a <b>key_out_len</b> byte
2243 * <b>key_out</b>. As in RFC2440, the first 8 bytes of s2k_specifier
2244 * are a salt; the 9th byte describes how much iteration to do.
2245 * Does not support <b>key_out_len</b> > DIGEST_LEN.
2246 */
2247 void
2250 {
2257 #define EXPBIAS 6
2260 #undef EXPBIAS
2277 }
2278 }
2283 }
2285 #ifdef TOR_IS_MULTITHREADED
2286 /** Helper: openssl uses this callback to manipulate mutexes. */
2287 static void
2289 {
2293 /* This is not a really good fix for the
2294 * "release-freed-lock-from-separate-thread-on-shutdown" problem, but
2295 * it can't hurt. */
2299 else
2301 }
2303 /** OpenSSL helper type: wraps a Tor mutex so that openssl can */
2306 };
2308 /** Openssl callback function to allocate a lock: see CRYPTO_set_dynlock_*
2309 * documentation in OpenSSL's docs for more info. */
2312 {
2319 }
2321 /** Openssl callback function to acquire or release a lock: see
2322 * CRYPTO_set_dynlock_* documentation in OpenSSL's docs for more info. */
2323 static void
2326 {
2331 else
2333 }
2335 /** Openssl callback function to free a lock: see CRYPTO_set_dynlock_*
2336 * documentation in OpenSSL's docs for more info. */
2337 static void
2340 {
2345 }
2347 /** Helper: Construct mutexes, and set callbacks to help OpenSSL handle being
2348 * multithreaded. */
2349 static int
2351 {
2364 }
2365 #else
2366 static int
2368 {
2370 }
2371 #endif