| blob | 15b58188ed68fa1b81c339b880840a61ff58e6d3 |
1 /* Copyright (c) 2001, Matej Pfajfar.
2 * Copyright (c) 2001-2004, Roger Dingledine.
3 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
4 * Copyright (c) 2007-2011, The Tor Project, Inc. */
5 /* See LICENSE for licensing information */
7 /**
8 * \file crypto.c
9 * \brief Wrapper functions to present a consistent interface to
10 * public-key and symmetric cryptography operations from OpenSSL.
11 **/
15 #ifdef MS_WINDOWS
16 #define WIN32_WINNT 0x400
17 #define _WIN32_WINNT 0x400
18 #define WIN32_LEAN_AND_MEAN
19 #include <windows.h>
20 #include <wincrypt.h>
21 /* Windows defines this; so does OpenSSL 0.9.8h and later. We don't actually
22 * use either definition. */
23 #undef OCSP_RESPONSE
24 #endif
26 #include <openssl/err.h>
27 #include <openssl/rsa.h>
28 #include <openssl/pem.h>
29 #include <openssl/evp.h>
30 #include <openssl/engine.h>
31 #include <openssl/rand.h>
32 #include <openssl/opensslv.h>
33 #include <openssl/bn.h>
34 #include <openssl/dh.h>
35 #include <openssl/conf.h>
36 #include <openssl/hmac.h>
38 #ifdef HAVE_CTYPE_H
39 #include <ctype.h>
40 #endif
41 #ifdef HAVE_UNISTD_H
42 #include <unistd.h>
43 #endif
44 #ifdef HAVE_FCNTL_H
45 #include <fcntl.h>
46 #endif
47 #ifdef HAVE_SYS_FCNTL_H
48 #include <sys/fcntl.h>
49 #endif
51 #define CRYPTO_PRIVATE
59 #if OPENSSL_VERSION_NUMBER < 0x00907000l
61 #endif
63 #include <openssl/engine.h>
65 #ifdef ANDROID
66 /* Android's OpenSSL seems to have removed all of its Engine support. */
67 #define DISABLE_ENGINES
68 #endif
70 #if OPENSSL_VERSION_NUMBER < 0x00908000l
71 /* On OpenSSL versions before 0.9.8, there is no working SHA256
72 * implementation, so we use Tom St Denis's nice speedy one, slightly adapted
73 * to our needs */
74 #define SHA256_CTX sha256_state
75 #define SHA256_Init sha256_init
76 #define SHA256_Update sha256_process
77 #define LTC_ARGCHK(x) tor_assert(x)
79 #define SHA256_Final(a,b) sha256_done(b,a)
83 {
84 SHA256_CTX ctx;
89 }
90 #endif
92 /** Macro: is k a valid RSA public or private key? */
93 #define PUBLIC_KEY_OK(k) ((k) && (k)->key && (k)->key->n)
94 /** Macro: is k a valid RSA private key? */
95 #define PRIVATE_KEY_OK(k) ((k) && (k)->key && (k)->key->p)
97 #ifdef TOR_IS_MULTITHREADED
98 /** A number of preallocated mutexes for use by OpenSSL. */
100 /** How many mutexes have we allocated for use by OpenSSL? */
102 #endif
104 /** A public key, or a public/private key-pair. */
105 struct crypto_pk_env_t
106 {
109 };
111 /** Key and stream information for a stream cipher. */
112 struct crypto_cipher_env_t
113 {
116 };
118 /** A structure to hold the first half (x, g^x) of a Diffie-Hellman handshake
119 * while we're waiting for the second.*/
122 };
127 /** Return the number of bytes added by padding method <b>padding</b>.
128 */
131 {
133 {
138 }
139 }
141 /** Given a padding method <b>padding</b>, return the correct OpenSSL constant.
142 */
145 {
147 {
152 }
153 }
155 /** Boolean: has OpenSSL's crypto been initialized? */
158 /** Log all pending crypto errors at level <b>severity</b>. Use
159 * <b>doing</b> to describe our current activities.
160 */
161 static void
163 {
178 }
179 }
180 }
182 #ifndef DISABLE_ENGINES
183 /** Log any OpenSSL engines we're using at NOTICE. */
184 static void
186 {
195 }
196 }
197 #endif
199 #ifndef DISABLE_ENGINES
200 /** Try to load an engine in a shared library via fully qualified path.
201 */
204 {
213 }
214 }
216 }
217 #endif
219 /** Initialize the crypto library. Return 0 on success, -1 on failure.
220 */
221 int
223 {
230 #ifdef DISABLE_ENGINES
234 #else
250 }
253 accelName);
256 accelName);
257 }
258 }
263 }
270 #endif
273 }
275 }
277 }
279 /** Free crypto resources held by this thread. */
280 void
282 {
284 }
286 /** Uninitialize the crypto library. Return 0 on success, -1 on failure.
287 */
288 int
290 {
295 #ifndef DISABLE_ENGINES
297 #endif
301 #ifdef TOR_IS_MULTITHREADED
310 }
312 }
313 #endif
315 }
317 /** used by tortls.c: wrap an RSA* in a crypto_pk_env_t. */
318 crypto_pk_env_t *
320 {
327 }
329 /** used by tortls.c: wrap the RSA from an evp_pkey in a crypto_pk_env_t.
330 * returns NULL if this isn't an RSA key. */
331 crypto_pk_env_t *
333 {
338 }
340 /** Helper, used by tor-checkkey.c and tor-gencert.c. Return the RSA from a
341 * crypto_pk_env_t. */
342 RSA *
344 {
346 }
348 /** used by tortls.c: get an equivalent EVP_PKEY* for a crypto_pk_env_t. Iff
349 * private is set, include the private-key portion of the key. */
350 EVP_PKEY *
352 {
362 }
368 error:
374 }
376 /** Used by tortls.c: Get the DH* from a crypto_dh_env_t.
377 */
378 DH *
380 {
382 }
384 /** Allocate and return storage for a public key. The key itself will not yet
385 * be set.
386 */
387 crypto_pk_env_t *
389 {
395 }
397 /** Release a reference to an asymmetric key; when all the references
398 * are released, free the key.
399 */
400 void
402 {
414 }
416 /** Create a new symmetric cipher for a given key and encryption flag
417 * (1=encrypt, 0=decrypt). Return the crypto object on success; NULL
418 * on failure.
419 */
420 crypto_cipher_env_t *
422 {
429 }
435 else
442 error:
446 }
448 /** Allocate and return a new symmetric cipher.
449 */
450 crypto_cipher_env_t *
452 {
458 }
460 /** Free a symmetric cipher.
461 */
462 void
464 {
472 }
474 /* public key crypto */
476 /** Generate a <b>bits</b>-bit new public/private keypair in <b>env</b>.
477 * Return 0 on success, -1 on failure.
478 */
479 int
481 {
486 #if OPENSSL_VERSION_NUMBER < 0x00908000l
487 /* In OpenSSL 0.9.7, RSA_generate_key is all we have. */
489 #else
490 /* In OpenSSL 0.9.8, RSA_generate_key is deprecated. */
491 {
506 done:
511 }
512 #endif
516 }
519 }
521 /** Read a PEM-encoded private key from the string <b>s</b> into <b>env</b>.
522 * Return 0 on success, -1 on failure.
523 */
524 /* Used here, and used for testing. */
525 int
528 {
534 /* Create a read-only memory BIO, backed by the NUL-terminated string 's' */
547 }
549 }
551 /** Read a PEM-encoded private key from the file named by
552 * <b>keyfile</b> into <b>env</b>. Return 0 on success, -1 on failure.
553 */
554 int
557 {
561 /* Read the file into a string. */
566 }
568 /* Try to parse it. */
574 /* Make sure it's valid. */
579 }
581 /** Helper function to implement crypto_pk_write_*_key_to_string. */
582 static int
585 {
596 /* Now you can treat b as if it were a file. Just use the
597 * PEM_*_bio_* functions instead of the non-bio variants.
598 */
601 else
608 }
621 }
623 /** PEM-encode the public key portion of <b>env</b> and write it to a
624 * newly allocated string. On success, set *<b>dest</b> to the new
625 * string, *<b>len</b> to the string's length, and return 0. On
626 * failure, return -1.
627 */
628 int
631 {
633 }
635 /** PEM-encode the private key portion of <b>env</b> and write it to a
636 * newly allocated string. On success, set *<b>dest</b> to the new
637 * string, *<b>len</b> to the string's length, and return 0. On
638 * failure, return -1.
639 */
640 int
643 {
645 }
647 /** Read a PEM-encoded public key from the first <b>len</b> characters of
648 * <b>src</b>, and store the result in <b>env</b>. Return 0 on success, -1 on
649 * failure.
650 */
651 int
654 {
672 }
675 }
677 /** Write the private key from <b>env</b> into the file named by <b>fname</b>,
678 * PEM-encoded. Return 0 on success, -1 on failure.
679 */
680 int
683 {
699 }
709 }
711 /** Return true iff <b>env</b> has a valid key.
712 */
713 int
715 {
723 }
725 /** Return true iff <b>key</b> contains the private-key portion of the RSA
726 * key. */
727 int
729 {
732 }
734 /** Compare the public-key components of a and b. Return -1 if a\<b, 0
735 * if a==b, and 1 if a\>b.
736 */
737 int
739 {
754 }
756 /** Return the size of the public key modulus in <b>env</b>, in bytes. */
757 size_t
759 {
764 }
766 /** Increase the reference count of <b>env</b>, and return it.
767 */
768 crypto_pk_env_t *
770 {
776 }
778 /** Make a real honest-to-goodness copy of <b>env</b>, and return it. */
779 crypto_pk_env_t *
781 {
792 }
801 }
804 }
806 /** Encrypt <b>fromlen</b> bytes from <b>from</b> with the public key
807 * in <b>env</b>, using the padding method <b>padding</b>. On success,
808 * write the result to <b>to</b>, and return the number of bytes
809 * written. On failure, return -1.
810 *
811 * <b>tolen</b> is the number of writable bytes in <b>to</b>, and must be
812 * at least the length of the modulus of <b>env</b>.
813 */
814 int
817 {
831 }
833 }
835 /** Decrypt <b>fromlen</b> bytes from <b>from</b> with the private key
836 * in <b>env</b>, using the padding method <b>padding</b>. On success,
837 * write the result to <b>to</b>, and return the number of bytes
838 * written. On failure, return -1.
839 *
840 * <b>tolen</b> is the number of writable bytes in <b>to</b>, and must be
841 * at least the length of the modulus of <b>env</b>.
842 */
843 int
848 {
857 /* Not a private key */
868 }
870 }
872 /** Check the signature in <b>from</b> (<b>fromlen</b> bytes long) with the
873 * public key in <b>env</b>, using PKCS1 padding. On success, write the
874 * signed data to <b>to</b>, and return the number of bytes written.
875 * On failure, return -1.
876 *
877 * <b>tolen</b> is the number of writable bytes in <b>to</b>, and must be
878 * at least the length of the modulus of <b>env</b>.
879 */
880 int
884 {
898 }
900 }
902 /** Check a siglen-byte long signature at <b>sig</b> against
903 * <b>datalen</b> bytes of data at <b>data</b>, using the public key
904 * in <b>env</b>. Return 0 if <b>sig</b> is a correct signature for
905 * SHA1(data). Else return -1.
906 */
907 int
910 {
925 }
933 }
938 }
942 }
944 /** Sign <b>fromlen</b> bytes of data from <b>from</b> with the private key in
945 * <b>env</b>, using PKCS1 padding. On success, write the signature to
946 * <b>to</b>, and return the number of bytes written. On failure, return
947 * -1.
948 *
949 * <b>tolen</b> is the number of writable bytes in <b>to</b>, and must be
950 * at least the length of the modulus of <b>env</b>.
951 */
952 int
955 {
963 /* Not a private key */
972 }
974 }
976 /** Compute a SHA1 digest of <b>fromlen</b> bytes of data stored at
977 * <b>from</b>; sign the data with the private key in <b>env</b>, and
978 * store it in <b>to</b>. Return the number of bytes written on
979 * success, and -1 on failure.
980 *
981 * <b>tolen</b> is the number of writable bytes in <b>to</b>, and must be
982 * at least the length of the modulus of <b>env</b>.
983 */
984 int
987 {
995 }
997 /** Perform a hybrid (public/secret) encryption on <b>fromlen</b>
998 * bytes of data from <b>from</b>, with padding type 'padding',
999 * storing the results on <b>to</b>.
1000 *
1001 * If no padding is used, the public key must be at least as large as
1002 * <b>from</b>.
1003 *
1004 * Returns the number of bytes written on success, -1 on failure.
1005 *
1006 * The encrypted data consists of:
1007 * - The source data, padded and encrypted with the public key, if the
1008 * padded source data is no longer than the public key, and <b>force</b>
1009 * is false, OR
1010 * - The beginning of the source data prefixed with a 16-byte symmetric key,
1011 * padded and encrypted with the public key; followed by the rest of
1012 * the source data encrypted in AES-CTR mode with the symmetric key.
1013 */
1014 int
1020 {
1038 /* It all fits in a single encrypt. */
1040 tolen,
1042 }
1050 /* You can't just run around RSA-encrypting any bitstream: if it's
1051 * greater than the RSA key, then OpenSSL will happily encrypt, and
1052 * later decrypt to the wrong value. So we set the first bit of
1053 * 'cipher->key' to 0 if we aren't padding. This means that our
1054 * symmetric key is really only 127 bits.
1055 */
1064 /* Length of symmetrically encrypted data. */
1070 }
1080 err:
1084 }
1087 }
1089 /** Invert crypto_pk_public_hybrid_encrypt. */
1090 int
1097 {
1108 warnOnFailure);
1109 }
1113 warnOnFailure);
1118 }
1123 }
1127 }
1139 err:
1144 }
1146 /** ASN.1-encode the public portion of <b>pk</b> into <b>dest</b>.
1147 * Return -1 on error, or the number of characters used on success.
1148 */
1149 int
1151 {
1163 }
1164 /* We don't encode directly into 'dest', because that would be illegal
1165 * type-punning. (C99 is smarter than me, C99 is smarter than me...)
1166 */
1170 }
1172 /** Decode an ASN.1-encoded public key from <b>str</b>; return the result on
1173 * success and NULL on failure.
1174 */
1175 crypto_pk_env_t *
1177 {
1180 /* This ifdef suppresses a type warning. Take out the first case once
1181 * everybody is using OpenSSL 0.9.7 or later.
1182 */
1191 }
1193 }
1195 /** Given a private or public key <b>pk</b>, put a SHA1 hash of the
1196 * public key into <b>digest_out</b> (must have DIGEST_LEN bytes of space).
1197 * Return 0 on success, -1 on failure.
1198 */
1199 int
1201 {
1214 }
1218 }
1221 }
1223 /** Copy <b>in</b> to the <b>outlen</b>-byte buffer <b>out</b>, adding spaces
1224 * every four spaces. */
1227 {
1237 }
1238 }
1241 }
1243 /** Given a private or public key <b>pk</b>, put a fingerprint of the
1244 * public key into <b>fp_out</b> (must have at least FINGERPRINT_LEN+1 bytes of
1245 * space). Return 0 on success, -1 on failure.
1246 *
1247 * Fingerprints are computed as the SHA1 digest of the ASN.1 encoding
1248 * of the public key, converted to hexadecimal, in upper case, with a
1249 * space after every four digits.
1250 *
1251 * If <b>add_space</b> is false, omit the spaces.
1252 */
1253 int
1255 {
1260 }
1266 }
1268 }
1270 /** Return true iff <b>s</b> is in the correct format for a fingerprint.
1271 */
1272 int
1274 {
1281 }
1282 }
1285 }
1287 /* symmetric crypto */
1289 /** Generate a new random key for the symmetric cipher in <b>env</b>.
1290 * Return 0 on success, -1 on failure. Does not initialize the cipher.
1291 */
1292 int
1294 {
1298 }
1300 /** Set the symmetric key for the cipher in <b>env</b> to the first
1301 * CIPHER_KEY_LEN bytes of <b>key</b>. Does not initialize the cipher.
1302 */
1303 void
1305 {
1310 }
1312 /** Generate an initialization vector for our AES-CTR cipher; store it
1313 * in the first CIPHER_IV_LEN bytes of <b>iv_out</b>. */
1314 void
1316 {
1318 }
1320 /** Adjust the counter of <b>env</b> to point to the first byte of the block
1321 * corresponding to the encryption of the CIPHER_IV_LEN bytes at
1322 * <b>iv</b>. */
1323 int
1325 {
1330 }
1332 /** Return a pointer to the key set for the cipher in <b>env</b>.
1333 */
1336 {
1338 }
1340 /** Initialize the cipher in <b>env</b> for encryption. Return 0 on
1341 * success, -1 on failure.
1342 */
1343 int
1345 {
1350 }
1352 /** Initialize the cipher in <b>env</b> for decryption. Return 0 on
1353 * success, -1 on failure.
1354 */
1355 int
1357 {
1362 }
1364 /** Encrypt <b>fromlen</b> bytes from <b>from</b> using the cipher
1365 * <b>env</b>; on success, store the result to <b>to</b> and return 0.
1366 * On failure, return -1.
1367 */
1368 int
1371 {
1381 }
1383 /** Decrypt <b>fromlen</b> bytes from <b>from</b> using the cipher
1384 * <b>env</b>; on success, store the result to <b>to</b> and return 0.
1385 * On failure, return -1.
1386 */
1387 int
1390 {
1398 }
1400 /** Encrypt <b>len</b> bytes on <b>from</b> using the cipher in <b>env</b>;
1401 * on success, return 0. On failure, return -1.
1402 */
1403 int
1405 {
1409 }
1411 /** Encrypt <b>fromlen</b> bytes (at least 1) from <b>from</b> with the key in
1412 * <b>cipher</b> to the buffer in <b>to</b> of length
1413 * <b>tolen</b>. <b>tolen</b> must be at least <b>fromlen</b> plus
1414 * CIPHER_IV_LEN bytes for the initialization vector. On success, return the
1415 * number of bytes written, on failure, return -1.
1416 *
1417 * This function adjusts the current position of the counter in <b>cipher</b>
1418 * to immediately after the encrypted data.
1419 */
1420 int
1424 {
1440 }
1442 /** Decrypt <b>fromlen</b> bytes (at least 1+CIPHER_IV_LEN) from <b>from</b>
1443 * with the key in <b>cipher</b> to the buffer in <b>to</b> of length
1444 * <b>tolen</b>. <b>tolen</b> must be at least <b>fromlen</b> minus
1445 * CIPHER_IV_LEN bytes for the initialization vector. On success, return the
1446 * number of bytes written, on failure, return -1.
1447 *
1448 * This function adjusts the current position of the counter in <b>cipher</b>
1449 * to immediately after the decrypted data.
1450 */
1451 int
1455 {
1470 }
1472 /* SHA-1 */
1474 /** Compute the SHA1 digest of <b>len</b> bytes in data stored in
1475 * <b>m</b>. Write the DIGEST_LEN byte result into <b>digest</b>.
1476 * Return 0 on success, -1 on failure.
1477 */
1478 int
1480 {
1484 }
1486 int
1488 digest_algorithm_t algorithm)
1489 {
1494 }
1496 /** Set the digests_t in <b>ds_out</b> to contain every digest on the
1497 * <b>len</b> bytes in <b>m</b> that we know how to compute. Return 0 on
1498 * success, -1 on failure. */
1499 int
1501 {
1502 digest_algorithm_t i;
1510 }
1512 }
1514 /** Return the name of an algorithm, as used in directory documents. */
1517 {
1526 }
1527 }
1529 /** Given the name of a digest algorithm, return its integer value, or -1 if
1530 * the name is not recognized. */
1531 int
1533 {
1538 else
1540 }
1542 /** Intermediate information about the digest of a stream of data. */
1545 SHA_CTX sha1;
1546 SHA256_CTX sha2;
1549 };
1551 /** Allocate and return a new digest object.
1552 */
1553 crypto_digest_env_t *
1555 {
1561 }
1563 crypto_digest_env_t *
1565 {
1572 }
1574 /** Deallocate a digest object.
1575 */
1576 void
1578 {
1583 }
1585 /** Add <b>len</b> bytes from <b>data</b> to the digest object.
1586 */
1587 void
1590 {
1593 /* Using the SHA*_*() calls directly means we don't support doing
1594 * SHA in hardware. But so far the delay of getting the question
1595 * to the hardware, and hearing the answer, is likely higher than
1596 * just doing it ourselves. Hashes are fast.
1597 */
1608 }
1609 }
1611 /** Compute the hash of the data that has been passed to the digest
1612 * object; write the first out_len bytes of the result to <b>out</b>.
1613 * <b>out_len</b> must be \<= DIGEST256_LEN.
1614 */
1615 void
1618 {
1620 crypto_digest_env_t tmpenv;
1623 /* memcpy into a temporary ctx, since SHA*_Final clears the context */
1637 }
1640 }
1642 /** Allocate and return a new digest object with the same state as
1643 * <b>digest</b>
1644 */
1645 crypto_digest_env_t *
1647 {
1653 }
1655 /** Replace the state of the digest object <b>into</b> with the state
1656 * of the digest object <b>from</b>.
1657 */
1658 void
1661 {
1665 }
1667 /** Compute the HMAC-SHA-1 of the <b>msg_len</b> bytes in <b>msg</b>, using
1668 * the <b>key</b> of length <b>key_len</b>. Store the DIGEST_LEN-byte result
1669 * in <b>hmac_out</b>.
1670 */
1671 void
1675 {
1680 }
1682 /* DH */
1684 /** Shared P parameter for our DH key exchanged. */
1686 /** Shared G parameter for our DH key exchanges. */
1689 /** Initialize dh_param_p and dh_param_g if they are not already
1690 * set. */
1691 static void
1693 {
1704 /* This is from rfc2409, section 6.2. It's a safe prime, and
1705 supposedly it equals:
1706 2^1024 - 2^960 - 1 + 2^64 * { [2^894 pi] + 129093 }.
1707 */
1709 "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E08"
1710 "8A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B"
1711 "302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9"
1712 "A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE6"
1720 }
1722 #define DH_PRIVATE_KEY_BITS 320
1724 /** Allocate and return a new DH object for a key exchange.
1725 */
1726 crypto_dh_env_t *
1728 {
1746 err:
1751 }
1753 /** Return the length of the DH key in <b>dh</b>, in bytes.
1754 */
1755 int
1757 {
1760 }
1762 /** Generate \<x,g^x\> for our part of the key exchange. Return 0 on
1763 * success, -1 on failure.
1764 */
1765 int
1767 {
1768 again:
1772 }
1776 /* Free and clear the keys, so OpenSSL will actually try again. */
1781 }
1783 }
1785 /** Generate g^x as necessary, and write the g^x for the key exchange
1786 * as a <b>pubkey_len</b>-byte value into <b>pubkey</b>. Return 0 on
1787 * success, -1 on failure. <b>pubkey_len</b> must be \>= DH_BYTES.
1788 */
1789 int
1791 {
1797 }
1807 }
1813 }
1815 /** Check for bad Diffie-Hellman public keys (g^x). Return 0 if the key is
1816 * okay (in the subgroup [2,p-2]), or -1 if it's bad.
1817 * See http://www.cl.cam.ac.uk/ftp/users/rja14/psandqs.ps.gz for some tips.
1818 */
1819 static int
1821 {
1833 }
1839 }
1842 err:
1848 }
1850 #undef MIN
1851 #define MIN(a,b) ((a)<(b)?(a):(b))
1852 /** Given a DH key exchange object, and our peer's value of g^y (as a
1853 * <b>pubkey_len</b>-byte value in <b>pubkey</b>) generate
1854 * <b>secret_bytes_out</b> bytes of shared key material and write them
1855 * to <b>secret_out</b>. Return the number of bytes generated on success,
1856 * or -1 on failure.
1857 *
1858 * (We generate key material by computing
1859 * SHA1( g^xy || "\x00" ) || SHA1( g^xy || "\x01" ) || ...
1860 * where || is concatenation.)
1861 */
1862 ssize_t
1866 {
1879 /* Check for invalid public keys. */
1882 }
1888 }
1896 error:
1898 done:
1905 else
1907 }
1909 /** Given <b>key_in_len</b> bytes of negotiated randomness in <b>key_in</b>
1910 * ("K"), expand it into <b>key_out_len</b> bytes of negotiated key material in
1911 * <b>key_out</b> by taking the first <b>key_out_len</b> bytes of
1912 * H(K | [00]) | H(K | [01]) | ....
1913 *
1914 * Return 0 on success, -1 on failure.
1915 */
1916 int
1919 {
1924 /* If we try to get more than this amount of key data, we'll repeat blocks.*/
1934 }
1940 err:
1945 }
1947 /** Free a DH key exchange object.
1948 */
1949 void
1951 {
1957 }
1959 /* random numbers */
1961 /* This is how much entropy OpenSSL likes to add right now, so maybe it will
1962 * work for us too. */
1963 #define ADD_ENTROPY 32
1965 /* Use RAND_poll if OpenSSL is 0.9.6 release or later. (The "f" means
1966 "release".) */
1967 #define HAVE_RAND_POLL (OPENSSL_VERSION_NUMBER >= 0x0090600fl)
1969 /* Versions of OpenSSL prior to 0.9.7k and 0.9.8c had a bug where RAND_poll
1970 * would allocate an fd_set on the stack, open a new file, and try to FD_SET
1971 * that fd without checking whether it fit in the fd_set. Thus, if the
1972 * system has not just been started up, it is unsafe to call */
1973 #define RAND_POLL_IS_SAFE \
1974 ((OPENSSL_VERSION_NUMBER >= 0x009070afl && \
1975 OPENSSL_VERSION_NUMBER <= 0x00907fffl) || \
1976 (OPENSSL_VERSION_NUMBER >= 0x0090803fl))
1978 static void
1980 {
1984 }
1986 /** Seed OpenSSL's random number generator with bytes from the operating
1987 * system. <b>startup</b> should be true iff we have just started Tor and
1988 * have not yet allocated a bunch of fds. Return 0 on success, -1 on failure.
1989 */
1990 int
1992 {
1995 /* local variables */
1996 #ifdef MS_WINDOWS
2000 #else
2004 };
2007 #endif
2009 #if HAVE_RAND_POLL
2010 /* OpenSSL 0.9.6 adds a RAND_poll function that knows about more kinds of
2011 * entropy than we do. We'll try calling that, *and* calling our own entropy
2012 * functions. If one succeeds, we'll accept the RNG as seeded. */
2017 }
2018 #endif
2020 #ifdef MS_WINDOWS
2023 CRYPT_VERIFYCONTEXT)) {
2027 }
2028 }
2030 }
2034 }
2039 #else
2051 }
2056 }
2060 #endif
2061 }
2063 /** Write <b>n</b> bytes of strong random data to <b>to</b>. Return 0 on
2064 * success, -1 on failure.
2065 */
2066 int
2068 {
2076 }
2078 /** Return a pseudorandom integer, chosen uniformly from the values
2079 * between 0 and <b>max</b>-1. */
2080 int
2082 {
2088 /* We ignore any values that are >= 'cutoff,' to avoid biasing the
2089 * distribution with clipping at the upper end of unsigned int's
2090 * range.
2091 */
2097 }
2098 }
2100 /** Return a pseudorandom 64-bit integer, chosen uniformly from the values
2101 * between 0 and <b>max</b>-1. */
2102 uint64_t
2104 {
2110 /* We ignore any values that are >= 'cutoff,' to avoid biasing the
2111 * distribution with clipping at the upper end of unsigned int's
2112 * range.
2113 */
2119 }
2120 }
2122 /** Return a pseudorandom double d, chosen uniformly from the range
2123 * 0.0 <= d < 1.0.
2124 */
2125 double
2127 {
2128 /* We just use an unsigned int here; we don't really care about getting
2129 * more than 32 bits of resolution */
2132 #if SIZEOF_INT == 4
2133 #define UINT_MAX_AS_DOUBLE 4294967296.0
2134 #elif SIZEOF_INT == 8
2135 #define UINT_MAX_AS_DOUBLE 1.8446744073709552e+19
2136 #else
2137 #error SIZEOF_INT is neither 4 nor 8
2138 #endif
2140 }
2142 /** Generate and return a new random hostname starting with <b>prefix</b>,
2143 * ending with <b>suffix</b>, and containing no less than
2144 * <b>min_rand_len</b> and no more than <b>max_rand_len</b> random base32
2145 * characters between. */
2149 {
2173 }
2175 /** Return a randomly chosen element of <b>sl</b>; or NULL if <b>sl</b>
2176 * is empty. */
2179 {
2184 }
2186 /** Scramble the elements of <b>sl</b> into a random order. */
2187 void
2189 {
2191 /* From the end of the list to the front, choose at random from the
2192 positions we haven't looked at yet, and swap that position into the
2193 current position. Remember to give "no swap" the same probability as
2194 any other swap. */
2198 }
2199 }
2201 /** Base-64 encode <b>srclen</b> bytes of data from <b>src</b>. Write
2202 * the result into <b>dest</b>, if it will fit within <b>destlen</b>
2203 * bytes. Return the number of bytes written on success; -1 if
2204 * destlen is too short, or other failure.
2205 */
2206 int
2208 {
2209 /* FFFF we might want to rewrite this along the lines of base64_decode, if
2210 * it ever shows up in the profile. */
2211 EVP_ENCODE_CTX ctx;
2215 /* 48 bytes of input -> 64 bytes of output plus newline.
2216 Plus one more byte, in case I'm wrong.
2217 */
2229 }
2231 #define X 255
2232 #define SP 64
2233 #define PAD 65
2234 /** Internal table mapping byte values to what they represent in base64.
2235 * Numbers 0..63 are 6-bit integers. SPs are spaces, and should be
2236 * skipped. Xs are invalid and must not appear in base64. PAD indicates
2237 * end-of-string. */
2255 };
2257 /** Base-64 decode <b>srclen</b> bytes of data from <b>src</b>. Write
2258 * the result into <b>dest</b>, if it will fit within <b>destlen</b>
2259 * bytes. Return the number of bytes written on success; -1 if
2260 * destlen is too short, or other failure.
2261 *
2262 * NOTE 1: destlen is checked conservatively, as though srclen contained no
2263 * spaces or padding.
2264 *
2265 * NOTE 2: This implementation does not check for the correct number of
2266 * padding "=" characters at the end of the string, and does not check
2267 * for internal padding characters.
2268 */
2269 int
2271 {
2272 #ifdef USE_OPENSSL_BASE64
2273 EVP_ENCODE_CTX ctx;
2275 /* 64 bytes of input -> *up to* 48 bytes of output.
2276 Plus one more byte, in case I'm wrong.
2277 */
2289 #else
2295 /* Max number of bits == srclen*6.
2296 * Number of bytes required to hold all bits == (srclen*6)/8.
2297 * Yes, we want to round down: anything that hangs over the end of a
2298 * byte is padding. */
2304 /* Iterate over all the bytes in src. Each one will add 0 or 6 bits to the
2305 * value we're decoding. Accumulate bits in <b>n</b>, and whenever we have
2306 * 24 bits, batch them into 3 bytes and flush those bytes to dest.
2307 */
2313 /* This character isn't allowed in base64. */
2316 /* This character is whitespace, and has no effect. */
2319 /* We've hit an = character: the data is over. */
2322 /* We have an actual 6-bit value. Append it to the bits in n. */
2325 /* We've accumulated 24 bits in n. Flush them. */
2331 }
2332 }
2333 }
2334 end_of_loop:
2335 /* If we have leftover bits, we need to cope. */
2339 /* No leftover bits. We win. */
2342 /* 6 leftover bits. That's invalid; we can't form a byte out of that. */
2345 /* 12 leftover bits: The last 4 are padding and the first 8 are data. */
2349 /* 18 leftover bits: The last 2 are padding and the first 16 are data. */
2352 }
2358 #endif
2359 }
2360 #undef X
2361 #undef SP
2362 #undef PAD
2364 /** Base-64 encode DIGEST_LINE bytes from <b>digest</b>, remove the trailing =
2365 * and newline characters, and store the nul-terminated result in the first
2366 * BASE64_DIGEST_LEN+1 bytes of <b>d64</b>. */
2367 int
2369 {
2375 }
2377 /** Given a base-64 encoded, nul-terminated digest in <b>d64</b> (without
2378 * trailing newline or = characters), decode it and store the result in the
2379 * first DIGEST_LEN bytes at <b>digest</b>. */
2380 int
2382 {
2383 #ifdef USE_OPENSSL_BASE64
2394 #else
2397 else
2399 #endif
2400 }
2402 /** Base-64 encode DIGEST256_LINE bytes from <b>digest</b>, remove the
2403 * trailing = and newline characters, and store the nul-terminated result in
2404 * the first BASE64_DIGEST256_LEN+1 bytes of <b>d64</b>. */
2405 int
2407 {
2413 }
2415 /** Given a base-64 encoded, nul-terminated digest in <b>d64</b> (without
2416 * trailing newline or = characters), decode it and store the result in the
2417 * first DIGEST256_LEN bytes at <b>digest</b>. */
2418 int
2420 {
2421 #ifdef USE_OPENSSL_BASE64
2432 #else
2435 else
2437 #endif
2438 }
2440 /** Implements base32 encoding as in rfc3548. Limitation: Requires
2441 * that srclen*8 is a multiple of 5.
2442 */
2443 void
2445 {
2455 /* set v to the 16-bit value starting at src[bits/8], 0-padded. */
2458 /* set u to the 5-bit value at the bit'th bit of src. */
2461 }
2463 }
2465 /** Implements base32 decoding as in rfc3548. Limitation: Requires
2466 * that srclen*5 is a multiple of 8. Returns 0 if successful, -1 otherwise.
2467 */
2468 int
2470 {
2471 /* XXXX we might want to rewrite this along the lines of base64_decode, if
2472 * it ever shows up in the profile. */
2483 /* Convert base32 encoded chars to the 5-bit values that they represent. */
2493 }
2494 }
2496 /* Assemble result byte-wise by applying five possible cases. */
2521 }
2522 }
2528 }
2530 /** Implement RFC2440-style iterated-salted S2K conversion: convert the
2531 * <b>secret_len</b>-byte <b>secret</b> into a <b>key_out_len</b> byte
2532 * <b>key_out</b>. As in RFC2440, the first 8 bytes of s2k_specifier
2533 * are a salt; the 9th byte describes how much iteration to do.
2534 * Does not support <b>key_out_len</b> > DIGEST_LEN.
2535 */
2536 void
2539 {
2546 #define EXPBIAS 6
2549 #undef EXPBIAS
2566 }
2567 }
2572 }
2574 #ifdef TOR_IS_MULTITHREADED
2575 /** Helper: OpenSSL uses this callback to manipulate mutexes. */
2576 static void
2578 {
2582 /* This is not a really good fix for the
2583 * "release-freed-lock-from-separate-thread-on-shutdown" problem, but
2584 * it can't hurt. */
2588 else
2590 }
2592 /** OpenSSL helper type: wraps a Tor mutex so that OpenSSL can use it
2593 * as a lock. */
2596 };
2598 /** OpenSSL callback function to allocate a lock: see CRYPTO_set_dynlock_*
2599 * documentation in OpenSSL's docs for more info. */
2602 {
2609 }
2611 /** OpenSSL callback function to acquire or release a lock: see
2612 * CRYPTO_set_dynlock_* documentation in OpenSSL's docs for more info. */
2613 static void
2616 {
2621 else
2623 }
2625 /** OpenSSL callback function to free a lock: see CRYPTO_set_dynlock_*
2626 * documentation in OpenSSL's docs for more info. */
2627 static void
2630 {
2635 }
2637 /** Helper: Construct mutexes, and set callbacks to help OpenSSL handle being
2638 * multithreaded. */
2639 static int
2641 {
2654 }
2655 #else
2656 static int
2658 {
2660 }
2661 #endif