| blob | 57c636db68e517c90f1822788f136370e83bfdf5 |
1 /* Copyright (c) 2001, Matej Pfajfar.
2 * Copyright (c) 2001-2004, Roger Dingledine.
3 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
4 * Copyright (c) 2007-2009, The Tor Project, Inc. */
5 /* See LICENSE for licensing information */
7 /**
8 * \file crypto.c
9 * \brief Wrapper functions to present a consistent interface to
10 * public-key and symmetric cryptography operations from OpenSSL.
11 **/
15 #ifdef MS_WINDOWS
16 #define WIN32_WINNT 0x400
17 #define _WIN32_WINNT 0x400
18 #define WIN32_LEAN_AND_MEAN
19 #include <windows.h>
20 #include <wincrypt.h>
21 /* Windows defines this; so does OpenSSL 0.9.8h and later. We don't actually
22 * use either definition. */
23 #undef OCSP_RESPONSE
24 #endif
26 #include <openssl/err.h>
27 #include <openssl/rsa.h>
28 #include <openssl/pem.h>
29 #include <openssl/evp.h>
30 #include <openssl/engine.h>
31 #include <openssl/rand.h>
32 #include <openssl/opensslv.h>
33 #include <openssl/bn.h>
34 #include <openssl/dh.h>
35 #include <openssl/conf.h>
36 #include <openssl/hmac.h>
38 #ifdef HAVE_CTYPE_H
39 #include <ctype.h>
40 #endif
41 #ifdef HAVE_UNISTD_H
42 #include <unistd.h>
43 #endif
44 #ifdef HAVE_FCNTL_H
45 #include <fcntl.h>
46 #endif
47 #ifdef HAVE_SYS_FCNTL_H
48 #include <sys/fcntl.h>
49 #endif
51 #define CRYPTO_PRIVATE
59 #if OPENSSL_VERSION_NUMBER < 0x00907000l
61 #endif
63 #include <openssl/engine.h>
65 /** Macro: is k a valid RSA public or private key? */
66 #define PUBLIC_KEY_OK(k) ((k) && (k)->key && (k)->key->n)
67 /** Macro: is k a valid RSA private key? */
68 #define PRIVATE_KEY_OK(k) ((k) && (k)->key && (k)->key->p)
70 #ifdef TOR_IS_MULTITHREADED
71 /** A number of preallocated mutexes for use by OpenSSL. */
73 /** How many mutexes have we allocated for use by OpenSSL? */
75 #endif
77 /** A public key, or a public/private key-pair. */
78 struct crypto_pk_env_t
79 {
82 };
84 /** Key and stream information for a stream cipher. */
85 struct crypto_cipher_env_t
86 {
89 };
91 /** A structure to hold the first half (x, g^x) of a Diffie-Hellman handshake
92 * while we're waiting for the second.*/
95 };
100 /** Return the number of bytes added by padding method <b>padding</b>.
101 */
104 {
106 {
111 }
112 }
114 /** Given a padding method <b>padding</b>, return the correct OpenSSL constant.
115 */
118 {
120 {
125 }
126 }
128 /** Boolean: has OpenSSL's crypto been initialized? */
131 /** Log all pending crypto errors at level <b>severity</b>. Use
132 * <b>doing</b> to describe our current activities.
133 */
134 static void
136 {
151 }
152 }
153 }
155 /** Log any OpenSSL engines we're using at NOTICE. */
156 static void
158 {
167 }
168 }
170 /** Try to load an engine in a shared library via fully qualified path.
171 */
174 {
183 }
184 }
186 }
188 /** Initialize the crypto library. Return 0 on success, -1 on failure.
189 */
190 int
192 {
212 }
215 accelName);
218 accelName);
219 }
220 }
225 }
234 }
236 }
238 }
240 /** Free crypto resources held by this thread. */
241 void
243 {
245 }
247 /** Uninitialize the crypto library. Return 0 on success, -1 on failure.
248 */
249 int
251 {
258 #ifdef TOR_IS_MULTITHREADED
267 }
269 }
270 #endif
272 }
274 /** used by tortls.c: wrap an RSA* in a crypto_pk_env_t. */
275 crypto_pk_env_t *
277 {
284 }
286 /** used by tortls.c: wrap the RSA from an evp_pkey in a crypto_pk_env_t.
287 * returns NULL if this isn't an RSA key. */
288 crypto_pk_env_t *
290 {
295 }
297 /** Helper, used by tor-checkkey.c. Return the RSA from a crypto_pk_env_t. */
298 RSA *
300 {
302 }
304 /** used by tortls.c: get an equivalent EVP_PKEY* for a crypto_pk_env_t. Iff
305 * private is set, include the private-key portion of the key. */
306 EVP_PKEY *
308 {
318 }
324 error:
330 }
332 /** Used by tortls.c: Get the DH* from a crypto_dh_env_t.
333 */
334 DH *
336 {
338 }
340 /** Allocate and return storage for a public key. The key itself will not yet
341 * be set.
342 */
343 crypto_pk_env_t *
345 {
351 }
353 /** Release a reference to an asymmetric key; when all the references
354 * are released, free the key.
355 */
356 void
358 {
368 }
370 /** Create a new symmetric cipher for a given key and encryption flag
371 * (1=encrypt, 0=decrypt). Return the crypto object on success; NULL
372 * on failure.
373 */
374 crypto_cipher_env_t *
376 {
383 }
388 }
392 else
399 error:
403 }
405 /** Allocate and return a new symmetric cipher.
406 */
407 crypto_cipher_env_t *
409 {
415 }
417 /** Free a symmetric cipher.
418 */
419 void
421 {
428 }
430 /* public key crypto */
432 /** Generate a new public/private keypair in <b>env</b>. Return 0 on
433 * success, -1 on failure.
434 */
435 int
437 {
442 #if OPENSSL_VERSION_NUMBER < 0x00908000l
443 /* In OpenSSL 0.9.7, RSA_generate_key is all we have. */
445 #else
446 /* In OpenSSL 0.9.8, RSA_generate_key is deprecated. */
447 {
462 done:
467 }
468 #endif
472 }
475 }
477 /** Read a PEM-encoded private key from the string <b>s</b> into <b>env</b>.
478 * Return 0 on success, -1 on failure.
479 */
480 /* Used here, and used for testing. */
481 int
484 {
490 /* Create a read-only memory BIO, backed by the NUL-terminated string 's' */
503 }
505 }
507 /** Read a PEM-encoded private key from the file named by
508 * <b>keyfile</b> into <b>env</b>. Return 0 on success, -1 on failure.
509 */
510 int
513 {
517 /* Read the file into a string. */
522 }
524 /* Try to parse it. */
530 /* Make sure it's valid. */
535 }
537 /** Helper function to implement crypto_pk_write_*_key_to_string. */
538 static int
541 {
552 /* Now you can treat b as if it were a file. Just use the
553 * PEM_*_bio_* functions instead of the non-bio variants.
554 */
557 else
564 }
578 }
580 /** PEM-encode the public key portion of <b>env</b> and write it to a
581 * newly allocated string. On success, set *<b>dest</b> to the new
582 * string, *<b>len</b> to the string's length, and return 0. On
583 * failure, return -1.
584 */
585 int
588 {
590 }
592 /** PEM-encode the private key portion of <b>env</b> and write it to a
593 * newly allocated string. On success, set *<b>dest</b> to the new
594 * string, *<b>len</b> to the string's length, and return 0. On
595 * failure, return -1.
596 */
597 int
600 {
602 }
604 /** Read a PEM-encoded public key from the first <b>len</b> characters of
605 * <b>src</b>, and store the result in <b>env</b>. Return 0 on success, -1 on
606 * failure.
607 */
608 int
611 {
629 }
632 }
634 /** Write the private key from <b>env</b> into the file named by <b>fname</b>,
635 * PEM-encoded. Return 0 on success, -1 on failure.
636 */
637 int
640 {
656 }
666 }
668 /** Return true iff <b>env</b> has a valid key.
669 */
670 int
672 {
680 }
682 /** Return true iff <b>key</b> contains the private-key portion of the RSA
683 * key. */
684 int
686 {
689 }
691 /** Compare the public-key components of a and b. Return -1 if a\<b, 0
692 * if a==b, and 1 if a\>b.
693 */
694 int
696 {
711 }
713 /** Return the size of the public key modulus in <b>env</b>, in bytes. */
714 size_t
716 {
721 }
723 /** Increase the reference count of <b>env</b>, and return it.
724 */
725 crypto_pk_env_t *
727 {
733 }
735 /** Make a real honest-to-goodness copy of <b>env</b>, and return it. */
736 crypto_pk_env_t *
738 {
747 }
750 }
752 /** Encrypt <b>fromlen</b> bytes from <b>from</b> with the public key
753 * in <b>env</b>, using the padding method <b>padding</b>. On success,
754 * write the result to <b>to</b>, and return the number of bytes
755 * written. On failure, return -1.
756 */
757 int
760 {
773 }
775 }
777 /** Decrypt <b>fromlen</b> bytes from <b>from</b> with the private key
778 * in <b>env</b>, using the padding method <b>padding</b>. On success,
779 * write the result to <b>to</b>, and return the number of bytes
780 * written. On failure, return -1.
781 */
782 int
786 {
794 /* Not a private key */
805 }
807 }
809 /** Check the signature in <b>from</b> (<b>fromlen</b> bytes long) with the
810 * public key in <b>env</b>, using PKCS1 padding. On success, write the
811 * signed data to <b>to</b>, and return the number of bytes written.
812 * On failure, return -1.
813 */
814 int
817 {
830 }
832 }
834 /** Check a siglen-byte long signature at <b>sig</b> against
835 * <b>datalen</b> bytes of data at <b>data</b>, using the public key
836 * in <b>env</b>. Return 0 if <b>sig</b> is a correct signature for
837 * SHA1(data). Else return -1.
838 */
839 int
842 {
854 }
861 }
866 }
870 }
872 /** Sign <b>fromlen</b> bytes of data from <b>from</b> with the private key in
873 * <b>env</b>, using PKCS1 padding. On success, write the signature to
874 * <b>to</b>, and return the number of bytes written. On failure, return
875 * -1.
876 */
877 int
880 {
887 /* Not a private key */
896 }
898 }
900 /** Compute a SHA1 digest of <b>fromlen</b> bytes of data stored at
901 * <b>from</b>; sign the data with the private key in <b>env</b>, and
902 * store it in <b>to</b>. Return the number of bytes written on
903 * success, and -1 on failure.
904 */
905 int
908 {
916 }
918 /** Perform a hybrid (public/secret) encryption on <b>fromlen</b>
919 * bytes of data from <b>from</b>, with padding type 'padding',
920 * storing the results on <b>to</b>.
921 *
922 * If no padding is used, the public key must be at least as large as
923 * <b>from</b>.
924 *
925 * Returns the number of bytes written on success, -1 on failure.
926 *
927 * The encrypted data consists of:
928 * - The source data, padded and encrypted with the public key, if the
929 * padded source data is no longer than the public key, and <b>force</b>
930 * is false, OR
931 * - The beginning of the source data prefixed with a 16-byte symmetric key,
932 * padded and encrypted with the public key; followed by the rest of
933 * the source data encrypted in AES-CTR mode with the symmetric key.
934 */
935 int
941 {
958 /* It all fits in a single encrypt. */
960 }
965 /* You can't just run around RSA-encrypting any bitstream: if it's
966 * greater than the RSA key, then OpenSSL will happily encrypt, and
967 * later decrypt to the wrong value. So we set the first bit of
968 * 'cipher->key' to 0 if we aren't padding. This means that our
969 * symmetric key is really only 127 bits.
970 */
979 /* Length of symmetrically encrypted data. */
985 }
995 err:
999 }
1002 }
1004 /** Invert crypto_pk_public_hybrid_encrypt. */
1005 int
1011 {
1021 warnOnFailure);
1022 }
1025 warnOnFailure);
1030 }
1035 }
1039 }
1050 err:
1055 }
1057 /** ASN.1-encode the public portion of <b>pk</b> into <b>dest</b>.
1058 * Return -1 on error, or the number of characters used on success.
1059 */
1060 int
1062 {
1074 }
1075 /* We don't encode directly into 'dest', because that would be illegal
1076 * type-punning. (C99 is smarter than me, C99 is smarter than me...)
1077 */
1081 }
1083 /** Decode an ASN.1-encoded public key from <b>str</b>; return the result on
1084 * success and NULL on failure.
1085 */
1086 crypto_pk_env_t *
1088 {
1091 /* This ifdef suppresses a type warning. Take out the first case once
1092 * everybody is using OpenSSL 0.9.7 or later.
1093 */
1102 }
1104 }
1106 /** Given a private or public key <b>pk</b>, put a SHA1 hash of the
1107 * public key into <b>digest_out</b> (must have DIGEST_LEN bytes of space).
1108 * Return 0 on success, -1 on failure.
1109 */
1110 int
1112 {
1125 }
1129 }
1132 }
1134 /** Copy <b>in</b> to the <b>outlen</b>-byte buffer <b>out</b>, adding spaces
1135 * every four spaces. */
1138 {
1146 }
1147 }
1150 }
1152 /** Given a private or public key <b>pk</b>, put a fingerprint of the
1153 * public key into <b>fp_out</b> (must have at least FINGERPRINT_LEN+1 bytes of
1154 * space). Return 0 on success, -1 on failure.
1155 *
1156 * Fingerprints are computed as the SHA1 digest of the ASN.1 encoding
1157 * of the public key, converted to hexadecimal, in upper case, with a
1158 * space after every four digits.
1159 *
1160 * If <b>add_space</b> is false, omit the spaces.
1161 */
1162 int
1164 {
1169 }
1175 }
1177 }
1179 /** Return true iff <b>s</b> is in the correct format for a fingerprint.
1180 */
1181 int
1183 {
1190 }
1191 }
1194 }
1196 /* symmetric crypto */
1198 /** Generate a new random key for the symmetric cipher in <b>env</b>.
1199 * Return 0 on success, -1 on failure. Does not initialize the cipher.
1200 */
1201 int
1203 {
1207 }
1209 /** Set the symmetric key for the cipher in <b>env</b> to the first
1210 * CIPHER_KEY_LEN bytes of <b>key</b>. Does not initialize the cipher.
1211 * Return 0 on success, -1 on failure.
1212 */
1213 int
1215 {
1224 }
1226 /** Generate an initialization vector for our AES-CTR cipher; store it
1227 * in the first CIPHER_IV_LEN bytes of <b>iv_out</b>. */
1228 void
1230 {
1232 }
1234 /** Adjust the counter of <b>env</b> to point to the first byte of the block
1235 * corresponding to the encryption of the CIPHER_IV_LEN bytes at
1236 * <b>iv</b>. */
1237 int
1239 {
1244 }
1246 /** Return a pointer to the key set for the cipher in <b>env</b>.
1247 */
1250 {
1252 }
1254 /** Initialize the cipher in <b>env</b> for encryption. Return 0 on
1255 * success, -1 on failure.
1256 */
1257 int
1259 {
1264 }
1266 /** Initialize the cipher in <b>env</b> for decryption. Return 0 on
1267 * success, -1 on failure.
1268 */
1269 int
1271 {
1276 }
1278 /** Encrypt <b>fromlen</b> bytes from <b>from</b> using the cipher
1279 * <b>env</b>; on success, store the result to <b>to</b> and return 0.
1280 * On failure, return -1.
1281 */
1282 int
1285 {
1294 }
1296 /** Decrypt <b>fromlen</b> bytes from <b>from</b> using the cipher
1297 * <b>env</b>; on success, store the result to <b>to</b> and return 0.
1298 * On failure, return -1.
1299 */
1300 int
1303 {
1310 }
1312 /** Encrypt <b>len</b> bytes on <b>from</b> using the cipher in <b>env</b>;
1313 * on success, return 0. On failure, return -1.
1314 */
1315 int
1317 {
1320 }
1322 /** Encrypt <b>fromlen</b> bytes (at least 1) from <b>from</b> with the key in
1323 * <b>cipher</b> to the buffer in <b>to</b> of length
1324 * <b>tolen</b>. <b>tolen</b> must be at least <b>fromlen</b> plus
1325 * CIPHER_IV_LEN bytes for the initialization vector. On success, return the
1326 * number of bytes written, on failure, return -1.
1327 *
1328 * This function adjusts the current position of the counter in <b>cipher</b>
1329 * to immediately after the encrypted data.
1330 */
1331 int
1335 {
1351 }
1353 /** Decrypt <b>fromlen</b> bytes (at least 1+CIPHER_IV_LEN) from <b>from</b>
1354 * with the key in <b>cipher</b> to the buffer in <b>to</b> of length
1355 * <b>tolen</b>. <b>tolen</b> must be at least <b>fromlen</b> minus
1356 * CIPHER_IV_LEN bytes for the initialization vector. On success, return the
1357 * number of bytes written, on failure, return -1.
1358 *
1359 * This function adjusts the current position of the counter in <b>cipher</b>
1360 * to immediately after the decrypted data.
1361 */
1362 int
1366 {
1381 }
1383 /* SHA-1 */
1385 /** Compute the SHA1 digest of <b>len</b> bytes in data stored in
1386 * <b>m</b>. Write the DIGEST_LEN byte result into <b>digest</b>.
1387 * Return 0 on success, -1 on failure.
1388 */
1389 int
1391 {
1395 }
1397 /** Intermediate information about the digest of a stream of data. */
1399 SHA_CTX d;
1400 };
1402 /** Allocate and return a new digest object.
1403 */
1404 crypto_digest_env_t *
1406 {
1411 }
1413 /** Deallocate a digest object.
1414 */
1415 void
1417 {
1420 }
1422 /** Add <b>len</b> bytes from <b>data</b> to the digest object.
1423 */
1424 void
1427 {
1430 /* Using the SHA1_*() calls directly means we don't support doing
1431 * SHA1 in hardware. But so far the delay of getting the question
1432 * to the hardware, and hearing the answer, is likely higher than
1433 * just doing it ourselves. Hashes are fast.
1434 */
1436 }
1438 /** Compute the hash of the data that has been passed to the digest
1439 * object; write the first out_len bytes of the result to <b>out</b>.
1440 * <b>out_len</b> must be \<= DIGEST_LEN.
1441 */
1442 void
1445 {
1447 SHA_CTX tmpctx;
1451 /* memcpy into a temporary ctx, since SHA1_Final clears the context */
1456 }
1458 /** Allocate and return a new digest object with the same state as
1459 * <b>digest</b>
1460 */
1461 crypto_digest_env_t *
1463 {
1469 }
1471 /** Replace the state of the digest object <b>into</b> with the state
1472 * of the digest object <b>from</b>.
1473 */
1474 void
1477 {
1481 }
1483 /** Compute the HMAC-SHA-1 of the <b>msg_len</b> bytes in <b>msg</b>, using
1484 * the <b>key</b> of length <b>key_len</b>. Store the DIGEST_LEN-byte result
1485 * in <b>hmac_out</b>.
1486 */
1487 void
1491 {
1496 }
1498 /* DH */
1500 /** Shared P parameter for our DH key exchanged. */
1502 /** Shared G parameter for our DH key exchanges. */
1505 /** Initialize dh_param_p and dh_param_g if they are not already
1506 * set. */
1507 static void
1509 {
1520 /* This is from rfc2409, section 6.2. It's a safe prime, and
1521 supposedly it equals:
1522 2^1024 - 2^960 - 1 + 2^64 * { [2^894 pi] + 129093 }.
1523 */
1525 "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E08"
1526 "8A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B"
1527 "302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9"
1528 "A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE6"
1536 }
1538 #define DH_PRIVATE_KEY_BITS 320
1540 /** Allocate and return a new DH object for a key exchange.
1541 */
1542 crypto_dh_env_t *
1544 {
1562 err:
1567 }
1569 /** Return the length of the DH key in <b>dh</b>, in bytes.
1570 */
1571 int
1573 {
1576 }
1578 /** Generate \<x,g^x\> for our part of the key exchange. Return 0 on
1579 * success, -1 on failure.
1580 */
1581 int
1583 {
1584 again:
1588 }
1592 /* Free and clear the keys, so OpenSSL will actually try again. */
1597 }
1599 }
1601 /** Generate g^x as necessary, and write the g^x for the key exchange
1602 * as a <b>pubkey_len</b>-byte value into <b>pubkey</b>. Return 0 on
1603 * success, -1 on failure. <b>pubkey_len</b> must be \>= DH_BYTES.
1604 */
1605 int
1607 {
1613 }
1623 }
1629 }
1631 /** Check for bad Diffie-Hellman public keys (g^x). Return 0 if the key is
1632 * okay (in the subgroup [2,p-2]), or -1 if it's bad.
1633 * See http://www.cl.cam.ac.uk/ftp/users/rja14/psandqs.ps.gz for some tips.
1634 */
1635 static int
1637 {
1649 }
1655 }
1658 err:
1664 }
1666 #undef MIN
1667 #define MIN(a,b) ((a)<(b)?(a):(b))
1668 /** Given a DH key exchange object, and our peer's value of g^y (as a
1669 * <b>pubkey_len</b>-byte value in <b>pubkey</b>) generate
1670 * <b>secret_bytes_out</b> bytes of shared key material and write them
1671 * to <b>secret_out</b>. Return the number of bytes generated on success,
1672 * or -1 on failure.
1673 *
1674 * (We generate key material by computing
1675 * SHA1( g^xy || "\x00" ) || SHA1( g^xy || "\x01" ) || ...
1676 * where || is concatenation.)
1677 */
1678 ssize_t
1682 {
1695 /* Check for invalid public keys. */
1698 }
1704 }
1712 error:
1714 done:
1721 else
1723 }
1725 /** Given <b>key_in_len</b> bytes of negotiated randomness in <b>key_in</b>
1726 * ("K"), expand it into <b>key_out_len</b> bytes of negotiated key material in
1727 * <b>key_out</b> by taking the first <b>key_out_len</b> bytes of
1728 * H(K | [00]) | H(K | [01]) | ....
1729 *
1730 * Return 0 on success, -1 on failure.
1731 */
1732 int
1735 {
1740 /* If we try to get more than this amount of key data, we'll repeat blocks.*/
1750 }
1756 err:
1761 }
1763 /** Free a DH key exchange object.
1764 */
1765 void
1767 {
1772 }
1774 /* random numbers */
1776 /* This is how much entropy OpenSSL likes to add right now, so maybe it will
1777 * work for us too. */
1778 #define ADD_ENTROPY 32
1780 /* Use RAND_poll if OpenSSL is 0.9.6 release or later. (The "f" means
1781 "release".) */
1782 #define HAVE_RAND_POLL (OPENSSL_VERSION_NUMBER >= 0x0090600fl)
1784 /* Versions of OpenSSL prior to 0.9.7k and 0.9.8c had a bug where RAND_poll
1785 * would allocate an fd_set on the stack, open a new file, and try to FD_SET
1786 * that fd without checking whether it fit in the fd_set. Thus, if the
1787 * system has not just been started up, it is unsafe to call */
1788 #define RAND_POLL_IS_SAFE \
1789 ((OPENSSL_VERSION_NUMBER >= 0x009070afl && \
1790 OPENSSL_VERSION_NUMBER <= 0x00907fffl) || \
1791 (OPENSSL_VERSION_NUMBER >= 0x0090803fl))
1793 /** Seed OpenSSL's random number generator with bytes from the operating
1794 * system. <b>startup</b> should be true iff we have just started Tor and
1795 * have not yet allocated a bunch of fds. Return 0 on success, -1 on failure.
1796 */
1797 int
1799 {
1803 /* local variables */
1804 #ifdef MS_WINDOWS
1807 #else
1810 };
1813 #endif
1815 #if HAVE_RAND_POLL
1816 /* OpenSSL 0.9.6 adds a RAND_poll function that knows about more kinds of
1817 * entropy than we do. We'll try calling that, *and* calling our own entropy
1818 * functions. If one succeeds, we'll accept the RNG as seeded. */
1823 }
1824 #endif
1826 #ifdef MS_WINDOWS
1829 CRYPT_VERIFYCONTEXT)) {
1833 }
1834 }
1836 }
1840 }
1844 #else
1856 }
1860 }
1864 #endif
1865 }
1867 /** Write <b>n</b> bytes of strong random data to <b>to</b>. Return 0 on
1868 * success, -1 on failure.
1869 */
1870 int
1872 {
1880 }
1882 /** Return a pseudorandom integer, chosen uniformly from the values
1883 * between 0 and <b>max</b>-1. */
1884 int
1886 {
1892 /* We ignore any values that are >= 'cutoff,' to avoid biasing the
1893 * distribution with clipping at the upper end of unsigned int's
1894 * range.
1895 */
1901 }
1902 }
1904 /** Return a pseudorandom 64-bit integer, chosen uniformly from the values
1905 * between 0 and <b>max</b>-1. */
1906 uint64_t
1908 {
1914 /* We ignore any values that are >= 'cutoff,' to avoid biasing the
1915 * distribution with clipping at the upper end of unsigned int's
1916 * range.
1917 */
1923 }
1924 }
1926 /** Generate and return a new random hostname starting with <b>prefix</b>,
1927 * ending with <b>suffix</b>, and containing no less than
1928 * <b>min_rand_len</b> and no more than <b>max_rand_len</b> random base32
1929 * characters between. */
1933 {
1957 }
1959 /** Return a randomly chosen element of <b>sl</b>; or NULL if <b>sl</b>
1960 * is empty. */
1963 {
1968 }
1970 /** Scramble the elements of <b>sl</b> into a random order. */
1971 void
1973 {
1975 /* From the end of the list to the front, choose at random from the
1976 positions we haven't looked at yet, and swap that position into the
1977 current position. Remember to give "no swap" the same probability as
1978 any other swap. */
1982 }
1983 }
1985 /** Base-64 encode <b>srclen</b> bytes of data from <b>src</b>. Write
1986 * the result into <b>dest</b>, if it will fit within <b>destlen</b>
1987 * bytes. Return the number of bytes written on success; -1 if
1988 * destlen is too short, or other failure.
1989 */
1990 int
1992 {
1993 /* FFFF we might want to rewrite this along the lines of base64_decode, if
1994 * it ever shows up in the profile. */
1995 EVP_ENCODE_CTX ctx;
1999 /* 48 bytes of input -> 64 bytes of output plus newline.
2000 Plus one more byte, in case I'm wrong.
2001 */
2013 }
2015 #define X 255
2016 #define SP 64
2017 #define PAD 65
2018 /** Internal table mapping byte values to what they represent in base64.
2019 * Numbers 0..63 are 6-bit integers. SPs are spaces, and should be
2020 * skipped. Xs are invalid and must not appear in base64. PAD indicates
2021 * end-of-string. */
2039 };
2041 /** Base-64 decode <b>srclen</b> bytes of data from <b>src</b>. Write
2042 * the result into <b>dest</b>, if it will fit within <b>destlen</b>
2043 * bytes. Return the number of bytes written on success; -1 if
2044 * destlen is too short, or other failure.
2045 *
2046 * NOTE 1: destlen is checked conservatively, as though srclen contained no
2047 * spaces or padding.
2048 *
2049 * NOTE 2: This implementation does not check for the correct number of
2050 * padding "=" characters at the end of the string, and does not check
2051 * for internal padding characters.
2052 */
2053 int
2055 {
2056 #ifdef USE_OPENSSL_BASE64
2057 EVP_ENCODE_CTX ctx;
2059 /* 64 bytes of input -> *up to* 48 bytes of output.
2060 Plus one more byte, in case I'm wrong.
2061 */
2073 #else
2079 /* Max number of bits == srclen*6.
2080 * Number of bytes required to hold all bits == (srclen*6)/8.
2081 * Yes, we want to round down: anything that hangs over the end of a
2082 * byte is padding. */
2088 /* Iterate over all the bytes in src. Each one will add 0 or 6 bits to the
2089 * value we're decoding. Accumulate bits in <b>n</b>, and whenever we have
2090 * 24 bits, batch them into 3 bytes and flush those bytes to dest.
2091 */
2097 /* This character isn't allowed in base64. */
2100 /* This character is whitespace, and has no effect. */
2103 /* We've hit an = character: the data is over. */
2106 /* We have an actual 6-bit value. Append it to the bits in n. */
2109 /* We've accumulated 24 bits in n. Flush them. */
2115 }
2116 }
2117 }
2118 end_of_loop:
2119 /* If we have leftover bits, we need to cope. */
2123 /* No leftover bits. We win. */
2126 /* 6 leftover bits. That's invalid; we can't form a byte out of that. */
2129 /* 12 leftover bits: The last 4 are padding and the first 8 are data. */
2133 /* 18 leftover bits: The last 2 are padding and the first 16 are data. */
2136 }
2142 #endif
2143 }
2144 #undef X
2145 #undef SP
2146 #undef PAD
2148 /** Base-64 encode DIGEST_LINE bytes from <b>digest</b>, remove the trailing =
2149 * and newline characters, and store the nul-terminated result in the first
2150 * BASE64_DIGEST_LEN+1 bytes of <b>d64</b>. */
2151 int
2153 {
2159 }
2161 /** Given a base-64 encoded, nul-terminated digest in <b>d64</b> (without
2162 * trailing newline or = characters), decode it and store the result in the
2163 * first DIGEST_LEN bytes at <b>digest</b>. */
2164 int
2166 {
2167 #ifdef USE_OPENSSL_BASE64
2178 #else
2181 else
2183 #endif
2184 }
2186 /** Implements base32 encoding as in rfc3548. Limitation: Requires
2187 * that srclen*8 is a multiple of 5.
2188 */
2189 void
2191 {
2200 /* set v to the 16-bit value starting at src[bits/8], 0-padded. */
2203 /* set u to the 5-bit value at the bit'th bit of src. */
2206 }
2208 }
2210 /** Implements base32 decoding as in rfc3548. Limitation: Requires
2211 * that srclen*5 is a multiple of 8. Returns 0 if successful, -1 otherwise.
2212 */
2213 int
2215 {
2216 /* XXXX we might want to rewrite this along the lines of base64_decode, if
2217 * it ever shows up in the profile. */
2227 /* Convert base32 encoded chars to the 5-bit values that they represent. */
2237 }
2238 }
2240 /* Assemble result byte-wise by applying five possible cases. */
2265 }
2266 }
2272 }
2274 /** Implement RFC2440-style iterated-salted S2K conversion: convert the
2275 * <b>secret_len</b>-byte <b>secret</b> into a <b>key_out_len</b> byte
2276 * <b>key_out</b>. As in RFC2440, the first 8 bytes of s2k_specifier
2277 * are a salt; the 9th byte describes how much iteration to do.
2278 * Does not support <b>key_out_len</b> > DIGEST_LEN.
2279 */
2280 void
2283 {
2290 #define EXPBIAS 6
2293 #undef EXPBIAS
2310 }
2311 }
2316 }
2318 #ifdef TOR_IS_MULTITHREADED
2319 /** Helper: OpenSSL uses this callback to manipulate mutexes. */
2320 static void
2322 {
2326 /* This is not a really good fix for the
2327 * "release-freed-lock-from-separate-thread-on-shutdown" problem, but
2328 * it can't hurt. */
2332 else
2334 }
2336 /** OpenSSL helper type: wraps a Tor mutex so that OpenSSL can use it
2337 * as a lock. */
2340 };
2342 /** OpenSSL callback function to allocate a lock: see CRYPTO_set_dynlock_*
2343 * documentation in OpenSSL's docs for more info. */
2346 {
2353 }
2355 /** OpenSSL callback function to acquire or release a lock: see
2356 * CRYPTO_set_dynlock_* documentation in OpenSSL's docs for more info. */
2357 static void
2360 {
2365 else
2367 }
2369 /** OpenSSL callback function to free a lock: see CRYPTO_set_dynlock_*
2370 * documentation in OpenSSL's docs for more info. */
2371 static void
2374 {
2379 }
2381 /** Helper: Construct mutexes, and set callbacks to help OpenSSL handle being
2382 * multithreaded. */
2383 static int
2385 {
2398 }
2399 #else
2400 static int
2402 {
2404 }
2405 #endif