2007-12-12 22:09:01 +01:00
|
|
|
/* Copyright (c) 2001, Matej Pfajfar.
|
2006-02-09 06:46:49 +01:00
|
|
|
* Copyright (c) 2001-2004, Roger Dingledine.
|
2007-12-12 22:09:01 +01:00
|
|
|
* Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
|
2017-03-15 21:13:17 +01:00
|
|
|
* Copyright (c) 2007-2017, The Tor Project, Inc. */
|
2002-07-24 16:02:39 +02:00
|
|
|
/* See LICENSE for licensing information */
|
|
|
|
|
2004-05-10 05:53:24 +02:00
|
|
|
/**
|
|
|
|
* \file crypto.c
|
2005-06-11 07:31:17 +02:00
|
|
|
* \brief Wrapper functions to present a consistent interface to
|
2016-02-28 17:57:47 +01:00
|
|
|
* public-key and symmetric cryptography operations from OpenSSL and
|
|
|
|
* other places.
|
2004-05-10 05:53:24 +02:00
|
|
|
**/
|
|
|
|
|
2004-04-03 06:05:12 +02:00
|
|
|
#include "orconfig.h"
|
2004-03-11 07:19:08 +01:00
|
|
|
|
2012-01-31 16:59:42 +01:00
|
|
|
#ifdef _WIN32
|
2015-06-29 19:47:44 +02:00
|
|
|
#include <winsock2.h>
|
2004-04-28 22:13:21 +02:00
|
|
|
#include <windows.h>
|
|
|
|
#include <wincrypt.h>
|
2009-05-27 23:55:51 +02:00
|
|
|
/* Windows defines this; so does OpenSSL 0.9.8h and later. We don't actually
|
2008-06-28 06:16:17 +02:00
|
|
|
* use either definition. */
|
|
|
|
#undef OCSP_RESPONSE
|
2017-09-15 22:24:44 +02:00
|
|
|
#endif /* defined(_WIN32) */
|
2004-04-28 22:13:21 +02:00
|
|
|
|
2015-05-21 17:54:13 +02:00
|
|
|
#define CRYPTO_PRIVATE
|
|
|
|
#include "crypto.h"
|
2015-11-10 16:02:21 +01:00
|
|
|
#include "compat_openssl.h"
|
2015-07-06 11:57:23 +02:00
|
|
|
#include "crypto_curve25519.h"
|
2015-07-06 12:11:10 +02:00
|
|
|
#include "crypto_ed25519.h"
|
2015-07-31 17:21:34 +02:00
|
|
|
#include "crypto_format.h"
|
2015-05-21 17:54:13 +02:00
|
|
|
|
2016-06-15 02:14:53 +02:00
|
|
|
#if __GNUC__ && GCC_VERSION >= 402
|
|
|
|
#if GCC_VERSION >= 406
|
|
|
|
#pragma GCC diagnostic pop
|
|
|
|
#else
|
|
|
|
#pragma GCC diagnostic warning "-Wredundant-decls"
|
|
|
|
#endif
|
2017-09-15 22:24:44 +02:00
|
|
|
#endif /* __GNUC__ && GCC_VERSION >= 402 */
|
2016-06-15 02:14:53 +02:00
|
|
|
|
2004-04-03 06:05:12 +02:00
|
|
|
#ifdef HAVE_CTYPE_H
|
|
|
|
#include <ctype.h>
|
|
|
|
#endif
|
2004-04-26 20:09:50 +02:00
|
|
|
#ifdef HAVE_UNISTD_H
|
|
|
|
#include <unistd.h>
|
|
|
|
#endif
|
|
|
|
#ifdef HAVE_FCNTL_H
|
|
|
|
#include <fcntl.h>
|
|
|
|
#endif
|
|
|
|
#ifdef HAVE_SYS_FCNTL_H
|
|
|
|
#include <sys/fcntl.h>
|
|
|
|
#endif
|
2015-11-26 16:21:50 +01:00
|
|
|
#ifdef HAVE_SYS_SYSCALL_H
|
|
|
|
#include <sys/syscall.h>
|
|
|
|
#endif
|
2016-09-24 17:48:47 +02:00
|
|
|
#ifdef HAVE_SYS_RANDOM_H
|
|
|
|
#include <sys/random.h>
|
|
|
|
#endif
|
2004-04-03 06:05:12 +02:00
|
|
|
|
2015-02-27 15:24:21 +01:00
|
|
|
#include "torlog.h"
|
2016-09-16 15:51:51 +02:00
|
|
|
#include "torint.h"
|
2003-06-30 21:18:32 +02:00
|
|
|
#include "aes.h"
|
2015-02-27 15:24:21 +01:00
|
|
|
#include "util.h"
|
2004-11-01 21:41:47 +01:00
|
|
|
#include "container.h"
|
2005-02-13 23:32:25 +01:00
|
|
|
#include "compat.h"
|
2013-08-09 18:07:20 +02:00
|
|
|
#include "sandbox.h"
|
2015-07-31 17:21:34 +02:00
|
|
|
#include "util_format.h"
|
2002-08-22 09:30:03 +02:00
|
|
|
|
2015-12-18 23:15:01 +01:00
|
|
|
#include "keccak-tiny/keccak-tiny.h"
|
|
|
|
|
2012-01-10 06:14:35 +01:00
|
|
|
/** Longest recognized */
|
|
|
|
#define MAX_DNS_LABEL_SIZE 63
|
|
|
|
|
2015-11-26 16:21:50 +01:00
|
|
|
/** Largest strong entropy request */
|
|
|
|
#define MAX_STRONGEST_RAND_SIZE 256
|
|
|
|
|
2009-05-27 23:55:51 +02:00
|
|
|
/** A public key, or a public/private key-pair. */
|
2012-01-18 21:53:30 +01:00
|
|
|
struct crypto_pk_t
|
2003-09-10 02:47:24 +02:00
|
|
|
{
|
2011-03-16 22:05:37 +01:00
|
|
|
int refs; /**< reference count, so we don't have to copy keys */
|
|
|
|
RSA *key; /**< The key itself */
|
2003-09-10 02:47:24 +02:00
|
|
|
};
|
|
|
|
|
2005-10-06 06:33:40 +02:00
|
|
|
/** A structure to hold the first half (x, g^x) of a Diffie-Hellman handshake
|
|
|
|
* while we're waiting for the second.*/
|
2012-01-18 21:53:30 +01:00
|
|
|
struct crypto_dh_t {
|
2011-03-16 22:05:37 +01:00
|
|
|
DH *dh; /**< The openssl DH object */
|
2004-04-03 04:40:30 +02:00
|
|
|
};
|
2003-06-13 23:13:37 +02:00
|
|
|
|
2016-06-25 00:20:41 +02:00
|
|
|
static int tor_check_dh_key(int severity, const BIGNUM *bn);
|
2005-02-13 23:32:25 +01:00
|
|
|
|
2004-05-10 05:53:24 +02:00
|
|
|
/** Return the number of bytes added by padding method <b>padding</b>.
|
2004-05-01 22:46:28 +02:00
|
|
|
*/
|
2015-12-10 16:19:43 +01:00
|
|
|
static inline int
|
2005-09-30 03:09:52 +02:00
|
|
|
crypto_get_rsa_padding_overhead(int padding)
|
|
|
|
{
|
2004-11-28 10:05:49 +01:00
|
|
|
switch (padding)
|
2003-03-19 21:41:15 +01:00
|
|
|
{
|
2013-02-24 05:03:24 +01:00
|
|
|
case RSA_PKCS1_OAEP_PADDING: return PKCS1_OAEP_PADDING_OVERHEAD;
|
2016-04-13 03:13:33 +02:00
|
|
|
default: tor_assert(0); return -1; // LCOV_EXCL_LINE
|
2003-03-19 21:41:15 +01:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2004-05-10 05:53:24 +02:00
|
|
|
/** Given a padding method <b>padding</b>, return the correct OpenSSL constant.
|
2004-05-01 22:46:28 +02:00
|
|
|
*/
|
2015-12-10 16:19:43 +01:00
|
|
|
static inline int
|
2005-09-30 03:09:52 +02:00
|
|
|
crypto_get_rsa_padding(int padding)
|
|
|
|
{
|
2004-11-28 10:05:49 +01:00
|
|
|
switch (padding)
|
2004-04-01 05:08:35 +02:00
|
|
|
{
|
2004-04-03 04:40:30 +02:00
|
|
|
case PK_PKCS1_OAEP_PADDING: return RSA_PKCS1_OAEP_PADDING;
|
2016-04-13 03:13:33 +02:00
|
|
|
default: tor_assert(0); return -1; // LCOV_EXCL_LINE
|
2004-04-01 05:08:35 +02:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2014-02-12 17:56:29 +01:00
|
|
|
/** Boolean: has OpenSSL's crypto been initialized? */
|
|
|
|
static int crypto_early_initialized_ = 0;
|
|
|
|
|
2004-05-10 05:53:24 +02:00
|
|
|
/** Boolean: has OpenSSL's crypto been initialized? */
|
2012-10-12 18:22:13 +02:00
|
|
|
static int crypto_global_initialized_ = 0;
|
2003-09-15 21:38:52 +02:00
|
|
|
|
2004-05-10 05:53:24 +02:00
|
|
|
/** Log all pending crypto errors at level <b>severity</b>. Use
|
|
|
|
* <b>doing</b> to describe our current activities.
|
2004-05-01 22:46:28 +02:00
|
|
|
*/
|
2004-04-26 20:09:50 +02:00
|
|
|
static void
|
|
|
|
crypto_log_errors(int severity, const char *doing)
|
|
|
|
{
|
2008-02-21 22:57:42 +01:00
|
|
|
unsigned long err;
|
2004-04-26 20:09:50 +02:00
|
|
|
const char *msg, *lib, *func;
|
|
|
|
while ((err = ERR_get_error()) != 0) {
|
|
|
|
msg = (const char*)ERR_reason_error_string(err);
|
|
|
|
lib = (const char*)ERR_lib_error_string(err);
|
|
|
|
func = (const char*)ERR_func_error_string(err);
|
|
|
|
if (!msg) msg = "(null)";
|
2006-10-20 02:12:02 +02:00
|
|
|
if (!lib) lib = "(null)";
|
|
|
|
if (!func) func = "(null)";
|
2016-05-03 20:16:14 +02:00
|
|
|
if (BUG(!doing)) doing = "(null)";
|
|
|
|
tor_log(severity, LD_CRYPTO, "crypto error while %s: %s (in %s:%s)",
|
2013-02-01 22:19:02 +01:00
|
|
|
doing, msg, lib, func);
|
2004-04-26 20:09:50 +02:00
|
|
|
}
|
|
|
|
}
|
2004-05-10 05:53:24 +02:00
|
|
|
|
2009-09-29 06:46:53 +02:00
|
|
|
#ifndef DISABLE_ENGINES
|
2006-09-29 20:13:37 +02:00
|
|
|
/** Log any OpenSSL engines we're using at NOTICE. */
|
2005-06-20 20:56:35 +02:00
|
|
|
static void
|
|
|
|
log_engine(const char *fn, ENGINE *e)
|
|
|
|
{
|
|
|
|
if (e) {
|
|
|
|
const char *name, *id;
|
|
|
|
name = ENGINE_get_name(e);
|
|
|
|
id = ENGINE_get_id(e);
|
2013-12-18 17:49:44 +01:00
|
|
|
log_notice(LD_CRYPTO, "Default OpenSSL engine for %s is %s [%s]",
|
|
|
|
fn, name?name:"?", id?id:"?");
|
2005-06-20 20:56:35 +02:00
|
|
|
} else {
|
2013-02-01 21:43:37 +01:00
|
|
|
log_info(LD_CRYPTO, "Using default implementation for %s", fn);
|
2005-06-20 20:56:35 +02:00
|
|
|
}
|
|
|
|
}
|
2017-09-15 22:24:44 +02:00
|
|
|
#endif /* !defined(DISABLE_ENGINES) */
|
2005-06-20 20:56:35 +02:00
|
|
|
|
2009-09-29 06:46:53 +02:00
|
|
|
#ifndef DISABLE_ENGINES
|
2009-05-24 01:42:44 +02:00
|
|
|
/** Try to load an engine in a shared library via fully qualified path.
|
|
|
|
*/
|
|
|
|
static ENGINE *
|
|
|
|
try_load_engine(const char *path, const char *engine)
|
|
|
|
{
|
|
|
|
ENGINE *e = ENGINE_by_id("dynamic");
|
|
|
|
if (e) {
|
|
|
|
if (!ENGINE_ctrl_cmd_string(e, "ID", engine, 0) ||
|
|
|
|
!ENGINE_ctrl_cmd_string(e, "DIR_LOAD", "2", 0) ||
|
|
|
|
!ENGINE_ctrl_cmd_string(e, "DIR_ADD", path, 0) ||
|
|
|
|
!ENGINE_ctrl_cmd_string(e, "LOAD", NULL, 0)) {
|
|
|
|
ENGINE_free(e);
|
|
|
|
e = NULL;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return e;
|
|
|
|
}
|
2017-09-15 22:24:44 +02:00
|
|
|
#endif /* !defined(DISABLE_ENGINES) */
|
2009-05-24 01:42:44 +02:00
|
|
|
|
2014-02-12 17:56:29 +01:00
|
|
|
/** Make sure that openssl is using its default PRNG. Return 1 if we had to
|
|
|
|
* adjust it; 0 otherwise. */
|
2015-12-23 15:58:08 +01:00
|
|
|
STATIC int
|
2014-02-12 17:56:29 +01:00
|
|
|
crypto_force_rand_ssleay(void)
|
|
|
|
{
|
2015-11-06 20:02:56 +01:00
|
|
|
RAND_METHOD *default_method;
|
|
|
|
default_method = RAND_OpenSSL();
|
|
|
|
if (RAND_get_rand_method() != default_method) {
|
2014-02-12 17:56:29 +01:00
|
|
|
log_notice(LD_CRYPTO, "It appears that one of our engines has provided "
|
|
|
|
"a replacement the OpenSSL RNG. Resetting it to the default "
|
|
|
|
"implementation.");
|
2015-11-06 20:02:56 +01:00
|
|
|
RAND_set_rand_method(default_method);
|
2014-02-12 17:56:29 +01:00
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2014-02-12 17:46:58 +01:00
|
|
|
/** Set up the siphash key if we haven't already done so. */
|
|
|
|
int
|
|
|
|
crypto_init_siphash_key(void)
|
|
|
|
{
|
|
|
|
static int have_seeded_siphash = 0;
|
|
|
|
struct sipkey key;
|
|
|
|
if (have_seeded_siphash)
|
|
|
|
return 0;
|
|
|
|
|
2015-11-25 16:42:00 +01:00
|
|
|
crypto_rand((char*) &key, sizeof(key));
|
2014-02-12 17:46:58 +01:00
|
|
|
siphash_set_global_key(&key);
|
|
|
|
have_seeded_siphash = 1;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
/** Initialize the crypto library. Return 0 on success, -1 on failure.
|
2004-05-01 22:46:28 +02:00
|
|
|
*/
|
2005-06-20 20:56:35 +02:00
|
|
|
int
|
2014-02-12 17:56:29 +01:00
|
|
|
crypto_early_init(void)
|
2002-07-24 16:02:39 +02:00
|
|
|
{
|
2014-02-12 17:56:29 +01:00
|
|
|
if (!crypto_early_initialized_) {
|
2014-03-23 05:38:17 +01:00
|
|
|
|
|
|
|
crypto_early_initialized_ = 1;
|
|
|
|
|
2005-06-20 20:56:35 +02:00
|
|
|
ERR_load_crypto_strings();
|
|
|
|
OpenSSL_add_all_algorithms();
|
2014-02-12 17:56:29 +01:00
|
|
|
|
2005-06-20 20:56:35 +02:00
|
|
|
setup_openssl_threading();
|
2012-09-04 18:41:37 +02:00
|
|
|
|
2015-11-06 20:02:56 +01:00
|
|
|
unsigned long version_num = OpenSSL_version_num();
|
|
|
|
const char *version_str = OpenSSL_version(OPENSSL_VERSION);
|
|
|
|
if (version_num == OPENSSL_VERSION_NUMBER &&
|
|
|
|
!strcmp(version_str, OPENSSL_VERSION_TEXT)) {
|
2012-09-04 18:41:37 +02:00
|
|
|
log_info(LD_CRYPTO, "OpenSSL version matches version from headers "
|
2015-11-06 20:02:56 +01:00
|
|
|
"(%lx: %s).", version_num, version_str);
|
2012-09-04 18:41:37 +02:00
|
|
|
} else {
|
|
|
|
log_warn(LD_CRYPTO, "OpenSSL version from headers does not match the "
|
|
|
|
"version we're running with. If you get weird crashes, that "
|
|
|
|
"might be why. (Compiled with %lx: %s; running with %lx: %s).",
|
|
|
|
(unsigned long)OPENSSL_VERSION_NUMBER, OPENSSL_VERSION_TEXT,
|
2015-11-06 20:02:56 +01:00
|
|
|
version_num, version_str);
|
2012-09-04 18:41:37 +02:00
|
|
|
}
|
|
|
|
|
2014-02-12 17:56:29 +01:00
|
|
|
crypto_force_rand_ssleay();
|
|
|
|
|
2015-05-19 22:17:03 +02:00
|
|
|
if (crypto_seed_rng() < 0)
|
2014-02-12 17:56:29 +01:00
|
|
|
return -1;
|
2014-02-12 17:46:58 +01:00
|
|
|
if (crypto_init_siphash_key() < 0)
|
|
|
|
return -1;
|
2015-07-06 11:57:23 +02:00
|
|
|
|
|
|
|
curve25519_init();
|
2015-07-06 12:11:10 +02:00
|
|
|
ed25519_init();
|
2014-02-12 17:56:29 +01:00
|
|
|
}
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
/** Initialize the crypto library. Return 0 on success, -1 on failure.
|
|
|
|
*/
|
|
|
|
int
|
|
|
|
crypto_global_init(int useAccel, const char *accelName, const char *accelDir)
|
|
|
|
{
|
|
|
|
if (!crypto_global_initialized_) {
|
2015-11-25 16:36:34 +01:00
|
|
|
if (crypto_early_init() < 0)
|
|
|
|
return -1;
|
2014-02-12 17:56:29 +01:00
|
|
|
|
|
|
|
crypto_global_initialized_ = 1;
|
|
|
|
|
2006-05-24 02:37:38 +02:00
|
|
|
if (useAccel > 0) {
|
2009-09-29 06:46:53 +02:00
|
|
|
#ifdef DISABLE_ENGINES
|
|
|
|
(void)accelName;
|
|
|
|
(void)accelDir;
|
|
|
|
log_warn(LD_CRYPTO, "No OpenSSL hardware acceleration support enabled.");
|
|
|
|
#else
|
2009-05-24 01:42:44 +02:00
|
|
|
ENGINE *e = NULL;
|
2009-09-29 06:46:53 +02:00
|
|
|
|
2006-02-13 09:01:59 +01:00
|
|
|
log_info(LD_CRYPTO, "Initializing OpenSSL engine support.");
|
2005-06-20 20:56:35 +02:00
|
|
|
ENGINE_load_builtin_engines();
|
2009-05-24 01:42:44 +02:00
|
|
|
ENGINE_register_all_complete();
|
2009-09-29 06:46:53 +02:00
|
|
|
|
2009-05-24 01:42:44 +02:00
|
|
|
if (accelName) {
|
|
|
|
if (accelDir) {
|
|
|
|
log_info(LD_CRYPTO, "Trying to load dynamic OpenSSL engine \"%s\""
|
|
|
|
" via path \"%s\".", accelName, accelDir);
|
|
|
|
e = try_load_engine(accelName, accelDir);
|
|
|
|
} else {
|
|
|
|
log_info(LD_CRYPTO, "Initializing dynamic OpenSSL engine \"%s\""
|
|
|
|
" acceleration support.", accelName);
|
|
|
|
e = ENGINE_by_id(accelName);
|
|
|
|
}
|
|
|
|
if (!e) {
|
|
|
|
log_warn(LD_CRYPTO, "Unable to load dynamic OpenSSL engine \"%s\".",
|
|
|
|
accelName);
|
|
|
|
} else {
|
|
|
|
log_info(LD_CRYPTO, "Loaded dynamic OpenSSL engine \"%s\".",
|
|
|
|
accelName);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if (e) {
|
|
|
|
log_info(LD_CRYPTO, "Loaded OpenSSL hardware acceleration engine,"
|
|
|
|
" setting default ciphers.");
|
|
|
|
ENGINE_set_default(e, ENGINE_METHOD_ALL);
|
|
|
|
}
|
2013-11-18 17:12:24 +01:00
|
|
|
/* Log, if available, the intersection of the set of algorithms
|
|
|
|
used by Tor and the set of algorithms available in the engine */
|
2005-06-20 20:56:35 +02:00
|
|
|
log_engine("RSA", ENGINE_get_default_RSA());
|
|
|
|
log_engine("DH", ENGINE_get_default_DH());
|
2016-02-03 17:13:12 +01:00
|
|
|
#ifdef OPENSSL_1_1_API
|
|
|
|
log_engine("EC", ENGINE_get_default_EC());
|
|
|
|
#else
|
2013-11-18 17:12:24 +01:00
|
|
|
log_engine("ECDH", ENGINE_get_default_ECDH());
|
|
|
|
log_engine("ECDSA", ENGINE_get_default_ECDSA());
|
2017-09-15 22:24:44 +02:00
|
|
|
#endif /* defined(OPENSSL_1_1_API) */
|
2005-06-20 20:56:35 +02:00
|
|
|
log_engine("RAND", ENGINE_get_default_RAND());
|
2013-12-18 17:49:44 +01:00
|
|
|
log_engine("RAND (which we will not use)", ENGINE_get_default_RAND());
|
2005-06-20 20:56:35 +02:00
|
|
|
log_engine("SHA1", ENGINE_get_digest_engine(NID_sha1));
|
2013-11-18 17:12:24 +01:00
|
|
|
log_engine("3DES-CBC", ENGINE_get_cipher_engine(NID_des_ede3_cbc));
|
|
|
|
log_engine("AES-128-ECB", ENGINE_get_cipher_engine(NID_aes_128_ecb));
|
|
|
|
log_engine("AES-128-CBC", ENGINE_get_cipher_engine(NID_aes_128_cbc));
|
2013-11-18 17:23:54 +01:00
|
|
|
#ifdef NID_aes_128_ctr
|
2013-11-18 17:12:24 +01:00
|
|
|
log_engine("AES-128-CTR", ENGINE_get_cipher_engine(NID_aes_128_ctr));
|
2013-11-18 17:23:54 +01:00
|
|
|
#endif
|
|
|
|
#ifdef NID_aes_128_gcm
|
2013-11-18 17:12:24 +01:00
|
|
|
log_engine("AES-128-GCM", ENGINE_get_cipher_engine(NID_aes_128_gcm));
|
2013-11-18 17:23:54 +01:00
|
|
|
#endif
|
2013-11-18 17:12:24 +01:00
|
|
|
log_engine("AES-256-CBC", ENGINE_get_cipher_engine(NID_aes_256_cbc));
|
2013-11-18 17:23:54 +01:00
|
|
|
#ifdef NID_aes_256_gcm
|
2013-11-18 17:12:24 +01:00
|
|
|
log_engine("AES-256-GCM", ENGINE_get_cipher_engine(NID_aes_256_gcm));
|
2013-11-18 17:23:54 +01:00
|
|
|
#endif
|
2013-11-18 17:12:24 +01:00
|
|
|
|
2017-09-15 22:24:44 +02:00
|
|
|
#endif /* defined(DISABLE_ENGINES) */
|
2009-05-24 01:42:44 +02:00
|
|
|
} else {
|
|
|
|
log_info(LD_CRYPTO, "NOT using OpenSSL engine support.");
|
2005-06-20 20:56:35 +02:00
|
|
|
}
|
2011-11-21 03:20:31 +01:00
|
|
|
|
2014-02-12 17:56:29 +01:00
|
|
|
if (crypto_force_rand_ssleay()) {
|
2015-05-19 22:17:03 +02:00
|
|
|
if (crypto_seed_rng() < 0)
|
2014-02-12 17:56:29 +01:00
|
|
|
return -1;
|
2013-12-18 17:49:44 +01:00
|
|
|
}
|
|
|
|
|
2011-11-21 03:20:31 +01:00
|
|
|
evaluate_evp_for_aes(-1);
|
2012-01-09 23:40:11 +01:00
|
|
|
evaluate_ctr_for_aes();
|
2003-09-15 21:38:52 +02:00
|
|
|
}
|
2002-07-24 16:02:39 +02:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2005-10-25 21:01:48 +02:00
|
|
|
/** Free crypto resources held by this thread. */
|
|
|
|
void
|
|
|
|
crypto_thread_cleanup(void)
|
|
|
|
{
|
2016-06-14 06:40:36 +02:00
|
|
|
#ifndef NEW_THREAD_API
|
2015-11-10 16:13:04 +01:00
|
|
|
ERR_remove_thread_state(NULL);
|
2016-04-04 05:51:47 +02:00
|
|
|
#endif
|
2005-10-25 21:01:48 +02:00
|
|
|
}
|
|
|
|
|
2016-06-14 08:14:28 +02:00
|
|
|
/** used internally: quicly validate a crypto_pk_t object as a private key.
|
|
|
|
* Return 1 iff the public key is valid, 0 if obviously invalid.
|
|
|
|
*/
|
|
|
|
static int
|
|
|
|
crypto_pk_private_ok(const crypto_pk_t *k)
|
|
|
|
{
|
|
|
|
#ifdef OPENSSL_1_1_API
|
|
|
|
if (!k || !k->key)
|
|
|
|
return 0;
|
|
|
|
|
2016-06-25 00:20:41 +02:00
|
|
|
const BIGNUM *p, *q;
|
2016-06-14 08:14:28 +02:00
|
|
|
RSA_get0_factors(k->key, &p, &q);
|
|
|
|
return p != NULL; /* XXX/yawning: Should we check q? */
|
2017-09-15 22:24:44 +02:00
|
|
|
#else /* !(defined(OPENSSL_1_1_API)) */
|
2016-06-14 08:14:28 +02:00
|
|
|
return k && k->key && k->key->p;
|
2017-09-15 22:24:44 +02:00
|
|
|
#endif /* defined(OPENSSL_1_1_API) */
|
2016-06-14 08:14:28 +02:00
|
|
|
}
|
|
|
|
|
2012-01-18 21:53:30 +01:00
|
|
|
/** used by tortls.c: wrap an RSA* in a crypto_pk_t. */
|
|
|
|
crypto_pk_t *
|
2012-10-12 18:22:13 +02:00
|
|
|
crypto_new_pk_from_rsa_(RSA *rsa)
|
2002-07-24 16:02:39 +02:00
|
|
|
{
|
2012-01-18 21:53:30 +01:00
|
|
|
crypto_pk_t *env;
|
2004-04-25 21:59:38 +02:00
|
|
|
tor_assert(rsa);
|
2012-01-18 21:53:30 +01:00
|
|
|
env = tor_malloc(sizeof(crypto_pk_t));
|
2002-09-24 12:43:57 +02:00
|
|
|
env->refs = 1;
|
2004-04-03 04:40:30 +02:00
|
|
|
env->key = rsa;
|
2003-09-10 02:47:24 +02:00
|
|
|
return env;
|
|
|
|
}
|
|
|
|
|
2017-03-31 16:57:48 +02:00
|
|
|
/** Helper, used by tor-gencert.c. Return the RSA from a
|
2012-01-18 21:53:30 +01:00
|
|
|
* crypto_pk_t. */
|
2008-05-09 10:35:38 +02:00
|
|
|
RSA *
|
2012-10-12 18:22:13 +02:00
|
|
|
crypto_pk_get_rsa_(crypto_pk_t *env)
|
2008-05-09 10:35:38 +02:00
|
|
|
{
|
|
|
|
return env->key;
|
|
|
|
}
|
|
|
|
|
2012-01-18 21:53:30 +01:00
|
|
|
/** used by tortls.c: get an equivalent EVP_PKEY* for a crypto_pk_t. Iff
|
2015-11-23 10:31:57 +01:00
|
|
|
* private is set, include the private-key portion of the key. Return a valid
|
|
|
|
* pointer on success, and NULL on failure. */
|
2015-09-15 17:09:18 +02:00
|
|
|
MOCK_IMPL(EVP_PKEY *,
|
2017-05-26 20:05:50 +02:00
|
|
|
crypto_pk_get_evp_pkey_,(crypto_pk_t *env, int private))
|
2003-09-11 23:12:39 +02:00
|
|
|
{
|
|
|
|
RSA *key = NULL;
|
|
|
|
EVP_PKEY *pkey = NULL;
|
2004-04-25 21:59:38 +02:00
|
|
|
tor_assert(env->key);
|
2004-04-25 00:17:50 +02:00
|
|
|
if (private) {
|
|
|
|
if (!(key = RSAPrivateKey_dup(env->key)))
|
|
|
|
goto error;
|
|
|
|
} else {
|
|
|
|
if (!(key = RSAPublicKey_dup(env->key)))
|
|
|
|
goto error;
|
|
|
|
}
|
2003-09-11 23:12:39 +02:00
|
|
|
if (!(pkey = EVP_PKEY_new()))
|
|
|
|
goto error;
|
|
|
|
if (!(EVP_PKEY_assign_RSA(pkey, key)))
|
|
|
|
goto error;
|
|
|
|
return pkey;
|
|
|
|
error:
|
|
|
|
if (pkey)
|
|
|
|
EVP_PKEY_free(pkey);
|
|
|
|
if (key)
|
|
|
|
RSA_free(key);
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
2012-01-18 21:53:30 +01:00
|
|
|
/** Used by tortls.c: Get the DH* from a crypto_dh_t.
|
2004-05-01 22:46:28 +02:00
|
|
|
*/
|
2005-09-30 03:39:24 +02:00
|
|
|
DH *
|
2012-10-12 18:22:13 +02:00
|
|
|
crypto_dh_get_dh_(crypto_dh_t *dh)
|
2004-04-03 04:40:30 +02:00
|
|
|
{
|
|
|
|
return dh->dh;
|
|
|
|
}
|
|
|
|
|
2004-05-10 05:53:24 +02:00
|
|
|
/** Allocate and return storage for a public key. The key itself will not yet
|
2004-05-01 22:46:28 +02:00
|
|
|
* be set.
|
|
|
|
*/
|
2015-09-15 17:09:18 +02:00
|
|
|
MOCK_IMPL(crypto_pk_t *,
|
2017-05-26 20:05:50 +02:00
|
|
|
crypto_pk_new,(void))
|
2003-09-10 02:47:24 +02:00
|
|
|
{
|
|
|
|
RSA *rsa;
|
|
|
|
|
2004-04-03 04:40:30 +02:00
|
|
|
rsa = RSA_new();
|
2011-01-26 00:19:09 +01:00
|
|
|
tor_assert(rsa);
|
2012-10-12 18:22:13 +02:00
|
|
|
return crypto_new_pk_from_rsa_(rsa);
|
2002-07-24 16:02:39 +02:00
|
|
|
}
|
|
|
|
|
2004-05-10 05:53:24 +02:00
|
|
|
/** Release a reference to an asymmetric key; when all the references
|
2004-05-01 23:41:23 +02:00
|
|
|
* are released, free the key.
|
2004-05-01 22:46:28 +02:00
|
|
|
*/
|
2005-09-30 03:09:52 +02:00
|
|
|
void
|
2012-01-18 21:53:30 +01:00
|
|
|
crypto_pk_free(crypto_pk_t *env)
|
2002-07-24 16:02:39 +02:00
|
|
|
{
|
2009-09-28 16:37:01 +02:00
|
|
|
if (!env)
|
|
|
|
return;
|
2002-09-24 12:43:57 +02:00
|
|
|
|
2004-11-28 10:05:49 +01:00
|
|
|
if (--env->refs > 0)
|
2002-09-24 12:43:57 +02:00
|
|
|
return;
|
2010-10-26 18:22:04 +02:00
|
|
|
tor_assert(env->refs == 0);
|
2003-12-16 06:29:04 +01:00
|
|
|
|
2004-04-03 04:40:30 +02:00
|
|
|
if (env->key)
|
|
|
|
RSA_free(env->key);
|
2003-12-16 06:29:04 +01:00
|
|
|
|
2005-09-30 22:47:58 +02:00
|
|
|
tor_free(env);
|
2002-07-24 16:02:39 +02:00
|
|
|
}
|
|
|
|
|
2012-03-20 20:35:43 +01:00
|
|
|
/** Allocate and return a new symmetric cipher using the provided key and iv.
|
2016-09-16 17:21:33 +02:00
|
|
|
* The key is <b>bits</b> bits long; the IV is CIPHER_IV_LEN bytes. Both
|
|
|
|
* must be provided. Key length must be 128, 192, or 256 */
|
2012-01-18 21:53:30 +01:00
|
|
|
crypto_cipher_t *
|
2016-09-16 17:21:33 +02:00
|
|
|
crypto_cipher_new_with_iv_and_bits(const uint8_t *key,
|
|
|
|
const uint8_t *iv,
|
|
|
|
int bits)
|
2002-10-02 22:39:51 +02:00
|
|
|
{
|
2016-09-16 16:12:30 +02:00
|
|
|
tor_assert(key);
|
|
|
|
tor_assert(iv);
|
2002-10-02 22:39:51 +02:00
|
|
|
|
2016-09-16 17:21:33 +02:00
|
|
|
return aes_new_cipher((const uint8_t*)key, (const uint8_t*)iv, bits);
|
|
|
|
}
|
2002-10-02 22:39:51 +02:00
|
|
|
|
2016-09-16 17:21:33 +02:00
|
|
|
/** Allocate and return a new symmetric cipher using the provided key and iv.
|
|
|
|
* The key is CIPHER_KEY_LEN bytes; the IV is CIPHER_IV_LEN bytes. Both
|
|
|
|
* must be provided.
|
|
|
|
*/
|
|
|
|
crypto_cipher_t *
|
|
|
|
crypto_cipher_new_with_iv(const char *key, const char *iv)
|
|
|
|
{
|
|
|
|
return crypto_cipher_new_with_iv_and_bits((uint8_t*)key, (uint8_t*)iv,
|
|
|
|
128);
|
2002-10-02 22:39:51 +02:00
|
|
|
}
|
|
|
|
|
2012-06-05 01:51:00 +02:00
|
|
|
/** Return a new crypto_cipher_t with the provided <b>key</b> and an IV of all
|
2016-09-16 17:21:33 +02:00
|
|
|
* zero bytes and key length <b>bits</b>. Key length must be 128, 192, or
|
|
|
|
* 256. */
|
2012-01-18 21:53:30 +01:00
|
|
|
crypto_cipher_t *
|
2016-09-16 17:21:33 +02:00
|
|
|
crypto_cipher_new_with_bits(const char *key, int bits)
|
2002-07-24 16:02:39 +02:00
|
|
|
{
|
2012-03-20 20:35:43 +01:00
|
|
|
char zeroiv[CIPHER_IV_LEN];
|
|
|
|
memset(zeroiv, 0, sizeof(zeroiv));
|
2016-09-16 17:21:33 +02:00
|
|
|
return crypto_cipher_new_with_iv_and_bits((uint8_t*)key, (uint8_t*)zeroiv,
|
|
|
|
bits);
|
|
|
|
}
|
|
|
|
|
|
|
|
/** Return a new crypto_cipher_t with the provided <b>key</b> (of
|
|
|
|
* CIPHER_KEY_LEN bytes) and an IV of all zero bytes. */
|
|
|
|
crypto_cipher_t *
|
|
|
|
crypto_cipher_new(const char *key)
|
|
|
|
{
|
|
|
|
return crypto_cipher_new_with_bits(key, 128);
|
2002-07-24 16:02:39 +02:00
|
|
|
}
|
|
|
|
|
2004-05-10 05:53:24 +02:00
|
|
|
/** Free a symmetric cipher.
|
2004-05-01 23:41:23 +02:00
|
|
|
*/
|
2005-09-30 03:09:52 +02:00
|
|
|
void
|
2012-01-18 21:53:30 +01:00
|
|
|
crypto_cipher_free(crypto_cipher_t *env)
|
2002-07-24 16:02:39 +02:00
|
|
|
{
|
2009-09-28 16:37:01 +02:00
|
|
|
if (!env)
|
|
|
|
return;
|
2003-03-19 21:41:15 +01:00
|
|
|
|
2016-09-16 16:18:02 +02:00
|
|
|
aes_cipher_free(env);
|
2002-07-24 16:02:39 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
/* public key crypto */
|
2004-05-01 23:41:23 +02:00
|
|
|
|
2009-09-29 06:48:45 +02:00
|
|
|
/** Generate a <b>bits</b>-bit new public/private keypair in <b>env</b>.
|
|
|
|
* Return 0 on success, -1 on failure.
|
2004-05-01 23:41:23 +02:00
|
|
|
*/
|
2015-09-15 17:09:18 +02:00
|
|
|
MOCK_IMPL(int,
|
2017-05-26 20:05:50 +02:00
|
|
|
crypto_pk_generate_key_with_bits,(crypto_pk_t *env, int bits))
|
2002-07-24 16:02:39 +02:00
|
|
|
{
|
2004-04-25 21:59:38 +02:00
|
|
|
tor_assert(env);
|
2003-12-16 06:29:04 +01:00
|
|
|
|
Fix a dangling pointer issue in our RSA keygen code
If OpenSSL fails to generate an RSA key, do not retain a dangling
pointer to the previous (uninitialized) key value. The impact here
should be limited to a difficult-to-trigger crash, if OpenSSL is
running an engine that makes key generation failures possible, or if
OpenSSL runs out of memory. Fixes bug 19152; bugfix on
0.2.1.10-alpha. Found by Yuan Jochen Kang, Suman Jana, and Baishakhi
Ray.
This is potentially scary stuff, so let me walk through my analysis.
I think this is a bug, and a backport candidate, but not remotely
triggerable in any useful way.
Observation 1a:
Looking over the OpenSSL code here, the only way we can really fail in
the non-engine case is if malloc() fails. But if malloc() is failing,
then tor_malloc() calls should be tor_asserting -- the only way that an
attacker could do an exploit here would be to figure out some way to
make malloc() fail when openssl does it, but work whenever Tor does it.
(Also ordinary malloc() doesn't fail on platforms like Linux that
overcommit.)
Observation 1b:
Although engines are _allowed_ to fail in extra ways, I can't find much
evidence online that they actually _do_ fail in practice. More evidence
would be nice, though.
Observation 2:
We don't call crypto_pk_generate*() all that often, and we don't do it
in response to external inputs. The only way to get it to happen
remotely would be by causing a hidden service to build new introduction
points.
Observation 3a:
So, let's assume that both of the above observations are wrong, and the
attacker can make us generate a crypto_pk_env_t with a dangling pointer
in its 'key' field, and not immediately crash.
This dangling pointer will point to what used to be an RSA structure,
with the fields all set to NULL. Actually using this RSA structure,
before the memory is reused for anything else, will cause a crash.
In nearly every function where we call crypto_pk_generate*(), we quickly
use the RSA key pointer -- either to sign something, or to encode the
key, or to free the key. The only exception is when we generate an
intro key in rend_consider_services_intro_points(). In that case, we
don't actually use the key until the intro circuit is opened -- at which
point we encode it, and use it to sign an introduction request.
So in order to exploit this bug to do anything besides crash Tor, the
attacker needs to make sure that by the time the introduction circuit
completes, either:
* the e, d, and n BNs look valid, and at least one of the other BNs is
still NULL.
OR
* all 8 of the BNs must look valid.
To look like a valid BN, *they* all need to have their 'top' index plus
their 'd' pointer indicate an addressable region in memory.
So actually getting useful data of of this, rather than a crash, is
going to be pretty damn hard. You'd have to force an introduction point
to be created (or wait for one to be created), and force that particular
crypto_pk_generate*() to fail, and then arrange for the memory that the
RSA points to to in turn point to 3...8 valid BNs, all by the time the
introduction circuit completes.
Naturally, the signature won't check as valid [*], so the intro point
will reject the ESTABLISH_INTRO cell. So you need to _be_ the
introduction point, or you don't actually see this information.
[*] Okay, so if you could somehow make the 'rsa' pointer point to a
different valid RSA key, then you'd get a valid signature of an
ESTABLISH_INTRO cell using a key that was supposed to be used for
something else ... but nothing else looks like that, so you can't use
that signature elsewhere.
Observation 3b:
Your best bet as an attacker would be to make the dangling RSA pointer
actually contain a fake method, with a fake RSA_private_encrypt
function that actually pointed to code you wanted to execute. You'd
still need to transit 3 or 4 pointers deep though in order to make that
work.
Conclusion:
By 1, you probably can't trigger this without Tor crashing from OOM.
By 2, you probably can't trigger this reliably.
By 3, even if I'm wrong about 1 and 2, you have to jump through a pretty
big array of hoops in order to get any kind of data leak or code
execution.
So I'm calling it a bug, but not a security hole. Still worth
patching.
2016-05-20 19:58:52 +02:00
|
|
|
if (env->key) {
|
2004-04-03 04:40:30 +02:00
|
|
|
RSA_free(env->key);
|
Fix a dangling pointer issue in our RSA keygen code
If OpenSSL fails to generate an RSA key, do not retain a dangling
pointer to the previous (uninitialized) key value. The impact here
should be limited to a difficult-to-trigger crash, if OpenSSL is
running an engine that makes key generation failures possible, or if
OpenSSL runs out of memory. Fixes bug 19152; bugfix on
0.2.1.10-alpha. Found by Yuan Jochen Kang, Suman Jana, and Baishakhi
Ray.
This is potentially scary stuff, so let me walk through my analysis.
I think this is a bug, and a backport candidate, but not remotely
triggerable in any useful way.
Observation 1a:
Looking over the OpenSSL code here, the only way we can really fail in
the non-engine case is if malloc() fails. But if malloc() is failing,
then tor_malloc() calls should be tor_asserting -- the only way that an
attacker could do an exploit here would be to figure out some way to
make malloc() fail when openssl does it, but work whenever Tor does it.
(Also ordinary malloc() doesn't fail on platforms like Linux that
overcommit.)
Observation 1b:
Although engines are _allowed_ to fail in extra ways, I can't find much
evidence online that they actually _do_ fail in practice. More evidence
would be nice, though.
Observation 2:
We don't call crypto_pk_generate*() all that often, and we don't do it
in response to external inputs. The only way to get it to happen
remotely would be by causing a hidden service to build new introduction
points.
Observation 3a:
So, let's assume that both of the above observations are wrong, and the
attacker can make us generate a crypto_pk_env_t with a dangling pointer
in its 'key' field, and not immediately crash.
This dangling pointer will point to what used to be an RSA structure,
with the fields all set to NULL. Actually using this RSA structure,
before the memory is reused for anything else, will cause a crash.
In nearly every function where we call crypto_pk_generate*(), we quickly
use the RSA key pointer -- either to sign something, or to encode the
key, or to free the key. The only exception is when we generate an
intro key in rend_consider_services_intro_points(). In that case, we
don't actually use the key until the intro circuit is opened -- at which
point we encode it, and use it to sign an introduction request.
So in order to exploit this bug to do anything besides crash Tor, the
attacker needs to make sure that by the time the introduction circuit
completes, either:
* the e, d, and n BNs look valid, and at least one of the other BNs is
still NULL.
OR
* all 8 of the BNs must look valid.
To look like a valid BN, *they* all need to have their 'top' index plus
their 'd' pointer indicate an addressable region in memory.
So actually getting useful data of of this, rather than a crash, is
going to be pretty damn hard. You'd have to force an introduction point
to be created (or wait for one to be created), and force that particular
crypto_pk_generate*() to fail, and then arrange for the memory that the
RSA points to to in turn point to 3...8 valid BNs, all by the time the
introduction circuit completes.
Naturally, the signature won't check as valid [*], so the intro point
will reject the ESTABLISH_INTRO cell. So you need to _be_ the
introduction point, or you don't actually see this information.
[*] Okay, so if you could somehow make the 'rsa' pointer point to a
different valid RSA key, then you'd get a valid signature of an
ESTABLISH_INTRO cell using a key that was supposed to be used for
something else ... but nothing else looks like that, so you can't use
that signature elsewhere.
Observation 3b:
Your best bet as an attacker would be to make the dangling RSA pointer
actually contain a fake method, with a fake RSA_private_encrypt
function that actually pointed to code you wanted to execute. You'd
still need to transit 3 or 4 pointers deep though in order to make that
work.
Conclusion:
By 1, you probably can't trigger this without Tor crashing from OOM.
By 2, you probably can't trigger this reliably.
By 3, even if I'm wrong about 1 and 2, you have to jump through a pretty
big array of hoops in order to get any kind of data leak or code
execution.
So I'm calling it a bug, but not a security hole. Still worth
patching.
2016-05-20 19:58:52 +02:00
|
|
|
env->key = NULL;
|
|
|
|
}
|
2012-09-13 01:25:58 +02:00
|
|
|
|
2008-12-29 03:20:57 +01:00
|
|
|
{
|
|
|
|
BIGNUM *e = BN_new();
|
|
|
|
RSA *r = NULL;
|
|
|
|
if (!e)
|
|
|
|
goto done;
|
|
|
|
if (! BN_set_word(e, 65537))
|
|
|
|
goto done;
|
|
|
|
r = RSA_new();
|
|
|
|
if (!r)
|
|
|
|
goto done;
|
2009-09-29 06:48:45 +02:00
|
|
|
if (RSA_generate_key_ex(r, bits, e, NULL) == -1)
|
2008-12-29 03:20:57 +01:00
|
|
|
goto done;
|
|
|
|
|
|
|
|
env->key = r;
|
|
|
|
r = NULL;
|
|
|
|
done:
|
|
|
|
if (e)
|
2014-02-02 19:40:30 +01:00
|
|
|
BN_clear_free(e);
|
2008-12-29 03:20:57 +01:00
|
|
|
if (r)
|
|
|
|
RSA_free(r);
|
2012-09-13 01:25:58 +02:00
|
|
|
}
|
|
|
|
|
2004-04-26 20:09:50 +02:00
|
|
|
if (!env->key) {
|
|
|
|
crypto_log_errors(LOG_WARN, "generating RSA key");
|
2002-07-25 10:17:22 +02:00
|
|
|
return -1;
|
2004-04-26 20:09:50 +02:00
|
|
|
}
|
2003-12-16 06:29:04 +01:00
|
|
|
|
2002-07-24 16:02:39 +02:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2017-11-11 20:21:37 +01:00
|
|
|
/** A PEM callback that always reports a failure to get a password */
|
|
|
|
static int
|
|
|
|
pem_no_password_cb(char *buf, int size, int rwflag, void *u)
|
|
|
|
{
|
|
|
|
(void)buf;
|
|
|
|
(void)size;
|
|
|
|
(void)rwflag;
|
|
|
|
(void)u;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2011-01-10 18:07:34 +01:00
|
|
|
/** Read a PEM-encoded private key from the <b>len</b>-byte string <b>s</b>
|
|
|
|
* into <b>env</b>. Return 0 on success, -1 on failure. If len is -1,
|
|
|
|
* the string is nul-terminated.
|
2004-05-01 23:41:23 +02:00
|
|
|
*/
|
2007-06-13 20:15:53 +02:00
|
|
|
int
|
2012-01-18 21:53:30 +01:00
|
|
|
crypto_pk_read_private_key_from_string(crypto_pk_t *env,
|
2011-01-10 18:07:34 +01:00
|
|
|
const char *s, ssize_t len)
|
2002-07-24 16:02:39 +02:00
|
|
|
{
|
2004-09-21 06:55:43 +02:00
|
|
|
BIO *b;
|
|
|
|
|
2004-10-17 00:28:11 +02:00
|
|
|
tor_assert(env);
|
|
|
|
tor_assert(s);
|
2011-04-26 19:00:46 +02:00
|
|
|
tor_assert(len < INT_MAX && len < SSIZE_T_CEILING);
|
2004-09-21 06:55:43 +02:00
|
|
|
|
2011-01-10 18:07:34 +01:00
|
|
|
/* Create a read-only memory BIO, backed by the string 's' */
|
|
|
|
b = BIO_new_mem_buf((char*)s, (int)len);
|
2011-01-26 00:26:49 +01:00
|
|
|
if (!b)
|
|
|
|
return -1;
|
2003-12-16 06:29:04 +01:00
|
|
|
|
2004-04-03 04:40:30 +02:00
|
|
|
if (env->key)
|
|
|
|
RSA_free(env->key);
|
2004-09-21 06:55:43 +02:00
|
|
|
|
2017-11-11 20:21:37 +01:00
|
|
|
env->key = PEM_read_bio_RSAPrivateKey(b,NULL,pem_no_password_cb,NULL);
|
2004-09-21 06:55:43 +02:00
|
|
|
|
|
|
|
BIO_free(b);
|
|
|
|
|
2004-04-26 20:09:50 +02:00
|
|
|
if (!env->key) {
|
2004-09-21 06:55:43 +02:00
|
|
|
crypto_log_errors(LOG_WARN, "Error parsing private key");
|
2002-07-25 10:17:22 +02:00
|
|
|
return -1;
|
2004-04-26 20:09:50 +02:00
|
|
|
}
|
2002-07-24 16:02:39 +02:00
|
|
|
return 0;
|
|
|
|
}
|
2002-08-22 09:30:03 +02:00
|
|
|
|
2004-05-10 05:53:24 +02:00
|
|
|
/** Read a PEM-encoded private key from the file named by
|
|
|
|
* <b>keyfile</b> into <b>env</b>. Return 0 on success, -1 on failure.
|
2004-05-01 23:41:23 +02:00
|
|
|
*/
|
2005-09-30 03:09:52 +02:00
|
|
|
int
|
2012-01-18 21:53:30 +01:00
|
|
|
crypto_pk_read_private_key_from_filename(crypto_pk_t *env,
|
2005-12-14 21:40:40 +01:00
|
|
|
const char *keyfile)
|
2002-08-22 09:30:03 +02:00
|
|
|
{
|
2004-09-21 06:55:43 +02:00
|
|
|
char *contents;
|
|
|
|
int r;
|
2003-12-16 06:29:04 +01:00
|
|
|
|
2004-09-21 06:55:43 +02:00
|
|
|
/* Read the file into a string. */
|
2006-10-20 01:05:02 +02:00
|
|
|
contents = read_file_to_str(keyfile, 0, NULL);
|
2004-09-21 06:55:43 +02:00
|
|
|
if (!contents) {
|
2006-02-13 09:01:59 +01:00
|
|
|
log_warn(LD_CRYPTO, "Error reading private key from \"%s\"", keyfile);
|
2003-09-27 00:27:24 +02:00
|
|
|
return -1;
|
|
|
|
}
|
2003-12-16 06:29:04 +01:00
|
|
|
|
2004-09-21 06:55:43 +02:00
|
|
|
/* Try to parse it. */
|
2011-01-10 18:07:34 +01:00
|
|
|
r = crypto_pk_read_private_key_from_string(env, contents, -1);
|
2012-11-07 22:09:58 +01:00
|
|
|
memwipe(contents, 0, strlen(contents));
|
2004-09-21 06:55:43 +02:00
|
|
|
tor_free(contents);
|
|
|
|
if (r)
|
|
|
|
return -1; /* read_private_key_from_string already warned, so we don't.*/
|
|
|
|
|
|
|
|
/* Make sure it's valid. */
|
2004-04-26 20:09:50 +02:00
|
|
|
if (crypto_pk_check_key(env) <= 0)
|
2002-07-25 10:17:22 +02:00
|
|
|
return -1;
|
2003-12-16 06:29:04 +01:00
|
|
|
|
2002-07-24 16:02:39 +02:00
|
|
|
return 0;
|
|
|
|
}
|
2002-07-25 10:17:22 +02:00
|
|
|
|
2015-11-23 10:31:57 +01:00
|
|
|
/** Helper function to implement crypto_pk_write_*_key_to_string. Return 0 on
|
|
|
|
* success, -1 on failure. */
|
2008-08-08 16:36:11 +02:00
|
|
|
static int
|
2012-01-18 21:53:30 +01:00
|
|
|
crypto_pk_write_key_to_string_impl(crypto_pk_t *env, char **dest,
|
2008-08-08 16:36:11 +02:00
|
|
|
size_t *len, int is_public)
|
2005-09-30 03:09:52 +02:00
|
|
|
{
|
2002-09-24 12:43:57 +02:00
|
|
|
BUF_MEM *buf;
|
2003-12-16 06:29:04 +01:00
|
|
|
BIO *b;
|
2008-08-08 16:36:11 +02:00
|
|
|
int r;
|
2002-09-24 12:43:57 +02:00
|
|
|
|
2004-10-17 00:28:11 +02:00
|
|
|
tor_assert(env);
|
|
|
|
tor_assert(env->key);
|
|
|
|
tor_assert(dest);
|
2002-09-24 12:43:57 +02:00
|
|
|
|
2004-04-03 04:40:30 +02:00
|
|
|
b = BIO_new(BIO_s_mem()); /* Create a memory BIO */
|
2011-01-26 00:26:49 +01:00
|
|
|
if (!b)
|
|
|
|
return -1;
|
2002-09-24 12:43:57 +02:00
|
|
|
|
2004-04-03 04:40:30 +02:00
|
|
|
/* Now you can treat b as if it were a file. Just use the
|
|
|
|
* PEM_*_bio_* functions instead of the non-bio variants.
|
|
|
|
*/
|
2008-08-08 16:36:11 +02:00
|
|
|
if (is_public)
|
|
|
|
r = PEM_write_bio_RSAPublicKey(b, env->key);
|
|
|
|
else
|
|
|
|
r = PEM_write_bio_RSAPrivateKey(b, env->key, NULL,NULL,0,NULL,NULL);
|
|
|
|
|
|
|
|
if (!r) {
|
|
|
|
crypto_log_errors(LOG_WARN, "writing RSA key to string");
|
2008-02-05 20:40:26 +01:00
|
|
|
BIO_free(b);
|
2004-04-03 04:40:30 +02:00
|
|
|
return -1;
|
2004-04-26 20:09:50 +02:00
|
|
|
}
|
2002-09-24 12:43:57 +02:00
|
|
|
|
2004-04-03 04:40:30 +02:00
|
|
|
BIO_get_mem_ptr(b, &buf);
|
2002-09-24 12:43:57 +02:00
|
|
|
|
2004-04-03 04:40:30 +02:00
|
|
|
*dest = tor_malloc(buf->length+1);
|
|
|
|
memcpy(*dest, buf->data, buf->length);
|
2006-07-15 21:21:30 +02:00
|
|
|
(*dest)[buf->length] = 0; /* nul terminate it */
|
2004-04-03 04:40:30 +02:00
|
|
|
*len = buf->length;
|
2016-11-03 15:46:27 +01:00
|
|
|
|
|
|
|
BIO_free(b);
|
2003-12-16 06:29:04 +01:00
|
|
|
|
2002-09-24 12:43:57 +02:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2008-08-08 16:36:11 +02:00
|
|
|
/** PEM-encode the public key portion of <b>env</b> and write it to a
|
|
|
|
* newly allocated string. On success, set *<b>dest</b> to the new
|
|
|
|
* string, *<b>len</b> to the string's length, and return 0. On
|
|
|
|
* failure, return -1.
|
|
|
|
*/
|
|
|
|
int
|
2012-01-18 21:53:30 +01:00
|
|
|
crypto_pk_write_public_key_to_string(crypto_pk_t *env, char **dest,
|
2008-08-08 16:36:11 +02:00
|
|
|
size_t *len)
|
|
|
|
{
|
|
|
|
return crypto_pk_write_key_to_string_impl(env, dest, len, 1);
|
|
|
|
}
|
|
|
|
|
|
|
|
/** PEM-encode the private key portion of <b>env</b> and write it to a
|
|
|
|
* newly allocated string. On success, set *<b>dest</b> to the new
|
|
|
|
* string, *<b>len</b> to the string's length, and return 0. On
|
|
|
|
* failure, return -1.
|
|
|
|
*/
|
|
|
|
int
|
2012-01-18 21:53:30 +01:00
|
|
|
crypto_pk_write_private_key_to_string(crypto_pk_t *env, char **dest,
|
2008-08-08 16:36:11 +02:00
|
|
|
size_t *len)
|
|
|
|
{
|
|
|
|
return crypto_pk_write_key_to_string_impl(env, dest, len, 0);
|
|
|
|
}
|
|
|
|
|
2004-05-10 05:53:24 +02:00
|
|
|
/** Read a PEM-encoded public key from the first <b>len</b> characters of
|
|
|
|
* <b>src</b>, and store the result in <b>env</b>. Return 0 on success, -1 on
|
2004-05-01 23:41:23 +02:00
|
|
|
* failure.
|
|
|
|
*/
|
2005-09-30 03:09:52 +02:00
|
|
|
int
|
2012-01-18 21:53:30 +01:00
|
|
|
crypto_pk_read_public_key_from_string(crypto_pk_t *env, const char *src,
|
2005-12-14 21:40:40 +01:00
|
|
|
size_t len)
|
2005-09-30 03:09:52 +02:00
|
|
|
{
|
2003-12-16 06:29:04 +01:00
|
|
|
BIO *b;
|
2002-09-24 12:43:57 +02:00
|
|
|
|
2004-10-17 00:28:11 +02:00
|
|
|
tor_assert(env);
|
|
|
|
tor_assert(src);
|
2008-02-21 22:57:42 +01:00
|
|
|
tor_assert(len<INT_MAX);
|
2002-09-24 12:43:57 +02:00
|
|
|
|
2004-04-03 04:40:30 +02:00
|
|
|
b = BIO_new(BIO_s_mem()); /* Create a memory BIO */
|
2011-01-26 00:26:49 +01:00
|
|
|
if (!b)
|
|
|
|
return -1;
|
2002-09-24 12:43:57 +02:00
|
|
|
|
2008-02-21 22:57:42 +01:00
|
|
|
BIO_write(b, src, (int)len);
|
2002-09-24 12:43:57 +02:00
|
|
|
|
2004-04-03 04:40:30 +02:00
|
|
|
if (env->key)
|
|
|
|
RSA_free(env->key);
|
2017-11-11 20:21:37 +01:00
|
|
|
env->key = PEM_read_bio_RSAPublicKey(b, NULL, pem_no_password_cb, NULL);
|
2004-04-12 07:27:38 +02:00
|
|
|
BIO_free(b);
|
2004-11-28 10:05:49 +01:00
|
|
|
if (!env->key) {
|
2004-04-26 20:09:50 +02:00
|
|
|
crypto_log_errors(LOG_WARN, "reading public key from string");
|
2004-04-03 04:40:30 +02:00
|
|
|
return -1;
|
2004-04-26 20:09:50 +02:00
|
|
|
}
|
2003-12-16 06:29:04 +01:00
|
|
|
|
2002-09-24 12:43:57 +02:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2007-02-06 03:49:07 +01:00
|
|
|
/** Write the private key from <b>env</b> into the file named by <b>fname</b>,
|
2004-05-01 23:41:23 +02:00
|
|
|
* PEM-encoded. Return 0 on success, -1 on failure.
|
|
|
|
*/
|
2003-12-16 06:29:04 +01:00
|
|
|
int
|
2012-01-18 21:53:30 +01:00
|
|
|
crypto_pk_write_private_key_to_filename(crypto_pk_t *env,
|
2003-09-26 20:27:35 +02:00
|
|
|
const char *fname)
|
|
|
|
{
|
|
|
|
BIO *bio;
|
|
|
|
char *cp;
|
|
|
|
long len;
|
2003-09-26 20:44:20 +02:00
|
|
|
char *s;
|
2003-09-26 20:27:35 +02:00
|
|
|
int r;
|
2004-04-03 04:40:30 +02:00
|
|
|
|
2016-06-14 08:14:28 +02:00
|
|
|
tor_assert(crypto_pk_private_ok(env));
|
2004-04-25 21:21:44 +02:00
|
|
|
|
2003-09-26 20:27:35 +02:00
|
|
|
if (!(bio = BIO_new(BIO_s_mem())))
|
|
|
|
return -1;
|
2004-04-03 04:40:30 +02:00
|
|
|
if (PEM_write_bio_RSAPrivateKey(bio, env->key, NULL,NULL,0,NULL,NULL)
|
2003-09-26 20:44:20 +02:00
|
|
|
== 0) {
|
2004-04-26 20:09:50 +02:00
|
|
|
crypto_log_errors(LOG_WARN, "writing private key");
|
2003-09-26 20:27:35 +02:00
|
|
|
BIO_free(bio);
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
len = BIO_get_mem_data(bio, &cp);
|
2004-10-13 07:54:58 +02:00
|
|
|
tor_assert(len >= 0);
|
2003-09-26 20:44:20 +02:00
|
|
|
s = tor_malloc(len+1);
|
2005-01-03 23:35:40 +01:00
|
|
|
memcpy(s, cp, len);
|
|
|
|
s[len]='\0';
|
2004-09-08 09:16:34 +02:00
|
|
|
r = write_str_to_file(fname, s, 0);
|
2003-09-26 20:27:35 +02:00
|
|
|
BIO_free(bio);
|
2012-11-07 22:09:58 +01:00
|
|
|
memwipe(s, 0, strlen(s));
|
2005-09-30 22:47:58 +02:00
|
|
|
tor_free(s);
|
2003-09-26 20:27:35 +02:00
|
|
|
return r;
|
|
|
|
}
|
|
|
|
|
2004-05-10 05:53:24 +02:00
|
|
|
/** Return true iff <b>env</b> has a valid key.
|
2004-05-01 23:41:23 +02:00
|
|
|
*/
|
2005-09-30 03:09:52 +02:00
|
|
|
int
|
2012-01-18 21:53:30 +01:00
|
|
|
crypto_pk_check_key(crypto_pk_t *env)
|
2002-07-25 10:17:22 +02:00
|
|
|
{
|
2004-04-26 20:09:50 +02:00
|
|
|
int r;
|
2004-04-25 21:59:38 +02:00
|
|
|
tor_assert(env);
|
2003-12-16 06:29:04 +01:00
|
|
|
|
2004-04-26 20:09:50 +02:00
|
|
|
r = RSA_check_key(env->key);
|
|
|
|
if (r <= 0)
|
|
|
|
crypto_log_errors(LOG_WARN,"checking RSA key");
|
|
|
|
return r;
|
2002-07-25 10:17:22 +02:00
|
|
|
}
|
|
|
|
|
2008-08-08 16:36:11 +02:00
|
|
|
/** Return true iff <b>key</b> contains the private-key portion of the RSA
|
|
|
|
* key. */
|
|
|
|
int
|
2012-01-18 21:53:30 +01:00
|
|
|
crypto_pk_key_is_private(const crypto_pk_t *key)
|
2008-08-08 16:36:11 +02:00
|
|
|
{
|
|
|
|
tor_assert(key);
|
2016-06-14 08:14:28 +02:00
|
|
|
return crypto_pk_private_ok(key);
|
2008-08-08 16:36:11 +02:00
|
|
|
}
|
|
|
|
|
2011-04-28 21:13:03 +02:00
|
|
|
/** Return true iff <b>env</b> contains a public key whose public exponent
|
|
|
|
* equals 65537.
|
|
|
|
*/
|
|
|
|
int
|
2012-01-18 21:53:30 +01:00
|
|
|
crypto_pk_public_exponent_ok(crypto_pk_t *env)
|
2011-04-28 21:13:03 +02:00
|
|
|
{
|
|
|
|
tor_assert(env);
|
|
|
|
tor_assert(env->key);
|
|
|
|
|
2016-06-25 00:20:41 +02:00
|
|
|
const BIGNUM *e;
|
2016-06-14 08:14:28 +02:00
|
|
|
|
|
|
|
#ifdef OPENSSL_1_1_API
|
2016-06-25 00:20:41 +02:00
|
|
|
const BIGNUM *n, *d;
|
2016-06-14 08:14:28 +02:00
|
|
|
RSA_get0_key(env->key, &n, &e, &d);
|
|
|
|
#else
|
|
|
|
e = env->key->e;
|
2017-09-15 22:24:44 +02:00
|
|
|
#endif /* defined(OPENSSL_1_1_API) */
|
2016-06-14 08:14:28 +02:00
|
|
|
return BN_is_word(e, 65537);
|
2011-04-28 21:13:03 +02:00
|
|
|
}
|
|
|
|
|
2012-09-17 16:23:23 +02:00
|
|
|
/** Compare the public-key components of a and b. Return less than 0
|
|
|
|
* if a\<b, 0 if a==b, and greater than 0 if a\>b. A NULL key is
|
|
|
|
* considered to be less than all non-NULL keys, and equal to itself.
|
2012-09-15 11:47:14 +02:00
|
|
|
*
|
|
|
|
* Note that this may leak information about the keys through timing.
|
2004-05-01 23:41:23 +02:00
|
|
|
*/
|
2005-09-30 03:09:52 +02:00
|
|
|
int
|
2014-10-01 17:54:07 +02:00
|
|
|
crypto_pk_cmp_keys(const crypto_pk_t *a, const crypto_pk_t *b)
|
2005-09-30 03:09:52 +02:00
|
|
|
{
|
2003-12-16 06:29:04 +01:00
|
|
|
int result;
|
2012-09-15 11:47:14 +02:00
|
|
|
char a_is_non_null = (a != NULL) && (a->key != NULL);
|
|
|
|
char b_is_non_null = (b != NULL) && (b->key != NULL);
|
|
|
|
char an_argument_is_null = !a_is_non_null | !b_is_non_null;
|
2003-12-16 06:29:04 +01:00
|
|
|
|
2012-09-15 11:47:14 +02:00
|
|
|
result = tor_memcmp(&a_is_non_null, &b_is_non_null, sizeof(a_is_non_null));
|
|
|
|
if (an_argument_is_null)
|
|
|
|
return result;
|
2003-12-16 06:29:04 +01:00
|
|
|
|
2016-06-25 00:20:41 +02:00
|
|
|
const BIGNUM *a_n, *a_e;
|
|
|
|
const BIGNUM *b_n, *b_e;
|
2016-06-14 08:14:28 +02:00
|
|
|
|
|
|
|
#ifdef OPENSSL_1_1_API
|
2016-06-25 00:20:41 +02:00
|
|
|
const BIGNUM *a_d, *b_d;
|
2016-06-14 08:14:28 +02:00
|
|
|
RSA_get0_key(a->key, &a_n, &a_e, &a_d);
|
|
|
|
RSA_get0_key(b->key, &b_n, &b_e, &b_d);
|
|
|
|
#else
|
|
|
|
a_n = a->key->n;
|
|
|
|
a_e = a->key->e;
|
|
|
|
b_n = b->key->n;
|
|
|
|
b_e = b->key->e;
|
2017-09-15 22:24:44 +02:00
|
|
|
#endif /* defined(OPENSSL_1_1_API) */
|
2016-06-14 08:14:28 +02:00
|
|
|
|
|
|
|
tor_assert(a_n != NULL && a_e != NULL);
|
|
|
|
tor_assert(b_n != NULL && b_e != NULL);
|
|
|
|
|
|
|
|
result = BN_cmp(a_n, b_n);
|
2004-04-03 04:40:30 +02:00
|
|
|
if (result)
|
|
|
|
return result;
|
2016-06-14 08:14:28 +02:00
|
|
|
return BN_cmp(a_e, b_e);
|
2002-08-22 09:30:03 +02:00
|
|
|
}
|
|
|
|
|
2012-09-15 12:52:13 +02:00
|
|
|
/** Compare the public-key components of a and b. Return non-zero iff
|
|
|
|
* a==b. A NULL key is considered to be distinct from all non-NULL
|
|
|
|
* keys, and equal to itself.
|
|
|
|
*
|
|
|
|
* Note that this may leak information about the keys through timing.
|
|
|
|
*/
|
|
|
|
int
|
2014-10-01 17:54:07 +02:00
|
|
|
crypto_pk_eq_keys(const crypto_pk_t *a, const crypto_pk_t *b)
|
2012-09-15 12:52:13 +02:00
|
|
|
{
|
|
|
|
return (crypto_pk_cmp_keys(a, b) == 0);
|
|
|
|
}
|
|
|
|
|
2004-05-10 05:53:24 +02:00
|
|
|
/** Return the size of the public key modulus in <b>env</b>, in bytes. */
|
2005-09-30 03:09:52 +02:00
|
|
|
size_t
|
2014-10-01 17:54:07 +02:00
|
|
|
crypto_pk_keysize(const crypto_pk_t *env)
|
2002-08-22 09:30:03 +02:00
|
|
|
{
|
2004-10-17 00:28:11 +02:00
|
|
|
tor_assert(env);
|
|
|
|
tor_assert(env->key);
|
2003-12-16 06:29:04 +01:00
|
|
|
|
2014-10-01 17:54:07 +02:00
|
|
|
return (size_t) RSA_size((RSA*)env->key);
|
2002-08-22 09:30:03 +02:00
|
|
|
}
|
2002-09-24 12:43:57 +02:00
|
|
|
|
2011-06-02 18:32:59 +02:00
|
|
|
/** Return the size of the public key modulus of <b>env</b>, in bits. */
|
|
|
|
int
|
2012-01-18 21:53:30 +01:00
|
|
|
crypto_pk_num_bits(crypto_pk_t *env)
|
2011-06-02 18:32:59 +02:00
|
|
|
{
|
|
|
|
tor_assert(env);
|
|
|
|
tor_assert(env->key);
|
|
|
|
|
2016-06-14 08:14:28 +02:00
|
|
|
#ifdef OPENSSL_1_1_API
|
|
|
|
/* It's so stupid that there's no other way to check that n is valid
|
|
|
|
* before calling RSA_bits().
|
|
|
|
*/
|
2016-06-25 00:20:41 +02:00
|
|
|
const BIGNUM *n, *e, *d;
|
2016-06-14 08:14:28 +02:00
|
|
|
RSA_get0_key(env->key, &n, &e, &d);
|
|
|
|
tor_assert(n != NULL);
|
|
|
|
|
|
|
|
return RSA_bits(env->key);
|
2017-09-15 22:24:44 +02:00
|
|
|
#else /* !(defined(OPENSSL_1_1_API)) */
|
2016-06-14 08:14:28 +02:00
|
|
|
tor_assert(env->key->n);
|
2011-06-02 18:32:59 +02:00
|
|
|
return BN_num_bits(env->key->n);
|
2017-09-15 22:24:44 +02:00
|
|
|
#endif /* defined(OPENSSL_1_1_API) */
|
2011-06-02 18:32:59 +02:00
|
|
|
}
|
|
|
|
|
2004-10-07 22:58:53 +02:00
|
|
|
/** Increase the reference count of <b>env</b>, and return it.
|
2004-05-01 23:41:23 +02:00
|
|
|
*/
|
2012-01-18 21:53:30 +01:00
|
|
|
crypto_pk_t *
|
|
|
|
crypto_pk_dup_key(crypto_pk_t *env)
|
2005-09-30 03:09:52 +02:00
|
|
|
{
|
2004-10-17 00:28:11 +02:00
|
|
|
tor_assert(env);
|
|
|
|
tor_assert(env->key);
|
2002-09-24 12:43:57 +02:00
|
|
|
|
2004-04-03 04:40:30 +02:00
|
|
|
env->refs++;
|
2002-09-24 12:43:57 +02:00
|
|
|
return env;
|
|
|
|
}
|
|
|
|
|
2016-09-09 15:44:57 +02:00
|
|
|
#ifdef TOR_UNIT_TESTS
|
|
|
|
/** For testing: replace dest with src. (Dest must have a refcount
|
|
|
|
* of 1) */
|
|
|
|
void
|
|
|
|
crypto_pk_assign_(crypto_pk_t *dest, const crypto_pk_t *src)
|
|
|
|
{
|
|
|
|
tor_assert(dest);
|
|
|
|
tor_assert(dest->refs == 1);
|
|
|
|
tor_assert(src);
|
|
|
|
RSA_free(dest->key);
|
|
|
|
dest->key = RSAPrivateKey_dup(src->key);
|
|
|
|
}
|
2017-09-15 22:24:44 +02:00
|
|
|
#endif /* defined(TOR_UNIT_TESTS) */
|
2016-09-09 15:44:57 +02:00
|
|
|
|
2015-11-23 10:31:57 +01:00
|
|
|
/** Make a real honest-to-goodness copy of <b>env</b>, and return it.
|
|
|
|
* Returns NULL on failure. */
|
2012-01-18 21:53:30 +01:00
|
|
|
crypto_pk_t *
|
|
|
|
crypto_pk_copy_full(crypto_pk_t *env)
|
2008-12-18 06:28:27 +01:00
|
|
|
{
|
|
|
|
RSA *new_key;
|
2010-06-23 04:20:52 +02:00
|
|
|
int privatekey = 0;
|
2008-12-18 06:28:27 +01:00
|
|
|
tor_assert(env);
|
|
|
|
tor_assert(env->key);
|
|
|
|
|
2016-06-14 08:14:28 +02:00
|
|
|
if (crypto_pk_private_ok(env)) {
|
2008-12-18 06:28:27 +01:00
|
|
|
new_key = RSAPrivateKey_dup(env->key);
|
2010-06-23 04:20:52 +02:00
|
|
|
privatekey = 1;
|
2008-12-18 06:28:27 +01:00
|
|
|
} else {
|
|
|
|
new_key = RSAPublicKey_dup(env->key);
|
|
|
|
}
|
2010-06-23 04:20:52 +02:00
|
|
|
if (!new_key) {
|
2016-05-04 15:59:24 +02:00
|
|
|
/* LCOV_EXCL_START
|
|
|
|
*
|
|
|
|
* We can't cause RSA*Key_dup() to fail, so we can't really test this.
|
|
|
|
*/
|
2010-06-23 04:20:52 +02:00
|
|
|
log_err(LD_CRYPTO, "Unable to duplicate a %s key: openssl failed.",
|
|
|
|
privatekey?"private":"public");
|
|
|
|
crypto_log_errors(LOG_ERR,
|
|
|
|
privatekey ? "Duplicating a private key" :
|
|
|
|
"Duplicating a public key");
|
|
|
|
tor_fragile_assert();
|
|
|
|
return NULL;
|
2016-05-04 15:59:24 +02:00
|
|
|
/* LCOV_EXCL_STOP */
|
2010-06-23 04:20:52 +02:00
|
|
|
}
|
2008-12-18 06:28:27 +01:00
|
|
|
|
2012-10-12 18:22:13 +02:00
|
|
|
return crypto_new_pk_from_rsa_(new_key);
|
2008-12-18 06:28:27 +01:00
|
|
|
}
|
|
|
|
|
2004-05-10 05:53:24 +02:00
|
|
|
/** Encrypt <b>fromlen</b> bytes from <b>from</b> with the public key
|
|
|
|
* in <b>env</b>, using the padding method <b>padding</b>. On success,
|
|
|
|
* write the result to <b>to</b>, and return the number of bytes
|
|
|
|
* written. On failure, return -1.
|
2011-01-13 20:36:41 +01:00
|
|
|
*
|
|
|
|
* <b>tolen</b> is the number of writable bytes in <b>to</b>, and must be
|
|
|
|
* at least the length of the modulus of <b>env</b>.
|
2004-05-01 23:41:23 +02:00
|
|
|
*/
|
2004-11-02 03:28:51 +01:00
|
|
|
int
|
2012-01-18 21:53:30 +01:00
|
|
|
crypto_pk_public_encrypt(crypto_pk_t *env, char *to, size_t tolen,
|
2005-05-07 07:55:06 +02:00
|
|
|
const char *from, size_t fromlen, int padding)
|
2002-07-25 10:17:22 +02:00
|
|
|
{
|
2004-04-26 20:09:50 +02:00
|
|
|
int r;
|
2004-10-17 00:28:11 +02:00
|
|
|
tor_assert(env);
|
|
|
|
tor_assert(from);
|
|
|
|
tor_assert(to);
|
2008-02-21 22:57:42 +01:00
|
|
|
tor_assert(fromlen<INT_MAX);
|
2011-01-13 20:36:41 +01:00
|
|
|
tor_assert(tolen >= crypto_pk_keysize(env));
|
2003-12-16 06:29:04 +01:00
|
|
|
|
2008-02-24 23:11:18 +01:00
|
|
|
r = RSA_public_encrypt((int)fromlen,
|
|
|
|
(unsigned char*)from, (unsigned char*)to,
|
2005-05-07 07:55:06 +02:00
|
|
|
env->key, crypto_get_rsa_padding(padding));
|
2004-05-01 23:41:23 +02:00
|
|
|
if (r<0) {
|
2004-04-26 20:09:50 +02:00
|
|
|
crypto_log_errors(LOG_WARN, "performing RSA encryption");
|
2004-05-01 23:41:23 +02:00
|
|
|
return -1;
|
|
|
|
}
|
2004-04-26 20:09:50 +02:00
|
|
|
return r;
|
2002-07-25 10:17:22 +02:00
|
|
|
}
|
|
|
|
|
2004-05-10 05:53:24 +02:00
|
|
|
/** Decrypt <b>fromlen</b> bytes from <b>from</b> with the private key
|
|
|
|
* in <b>env</b>, using the padding method <b>padding</b>. On success,
|
|
|
|
* write the result to <b>to</b>, and return the number of bytes
|
|
|
|
* written. On failure, return -1.
|
2011-01-13 20:36:41 +01:00
|
|
|
*
|
|
|
|
* <b>tolen</b> is the number of writable bytes in <b>to</b>, and must be
|
|
|
|
* at least the length of the modulus of <b>env</b>.
|
2004-05-01 23:41:23 +02:00
|
|
|
*/
|
2004-11-02 03:28:51 +01:00
|
|
|
int
|
2012-01-18 21:53:30 +01:00
|
|
|
crypto_pk_private_decrypt(crypto_pk_t *env, char *to,
|
2011-01-13 20:36:41 +01:00
|
|
|
size_t tolen,
|
2005-05-07 07:55:06 +02:00
|
|
|
const char *from, size_t fromlen,
|
2004-11-02 03:28:51 +01:00
|
|
|
int padding, int warnOnFailure)
|
2002-07-25 10:17:22 +02:00
|
|
|
{
|
2004-04-26 20:09:50 +02:00
|
|
|
int r;
|
2004-10-17 00:28:11 +02:00
|
|
|
tor_assert(env);
|
|
|
|
tor_assert(from);
|
|
|
|
tor_assert(to);
|
|
|
|
tor_assert(env->key);
|
2008-02-21 22:57:42 +01:00
|
|
|
tor_assert(fromlen<INT_MAX);
|
2011-01-13 20:36:41 +01:00
|
|
|
tor_assert(tolen >= crypto_pk_keysize(env));
|
2016-06-14 08:14:28 +02:00
|
|
|
if (!crypto_pk_key_is_private(env))
|
2004-04-03 04:40:30 +02:00
|
|
|
/* Not a private key */
|
|
|
|
return -1;
|
2003-04-16 17:24:09 +02:00
|
|
|
|
2008-02-21 22:57:42 +01:00
|
|
|
r = RSA_private_decrypt((int)fromlen,
|
|
|
|
(unsigned char*)from, (unsigned char*)to,
|
2005-05-07 07:55:06 +02:00
|
|
|
env->key, crypto_get_rsa_padding(padding));
|
|
|
|
|
2004-05-01 23:41:23 +02:00
|
|
|
if (r<0) {
|
2005-10-17 18:21:42 +02:00
|
|
|
crypto_log_errors(warnOnFailure?LOG_WARN:LOG_DEBUG,
|
2004-05-12 21:30:28 +02:00
|
|
|
"performing RSA decryption");
|
2004-05-01 23:41:23 +02:00
|
|
|
return -1;
|
|
|
|
}
|
2004-04-26 20:09:50 +02:00
|
|
|
return r;
|
2002-07-25 10:17:22 +02:00
|
|
|
}
|
|
|
|
|
2004-05-10 05:53:24 +02:00
|
|
|
/** Check the signature in <b>from</b> (<b>fromlen</b> bytes long) with the
|
|
|
|
* public key in <b>env</b>, using PKCS1 padding. On success, write the
|
|
|
|
* signed data to <b>to</b>, and return the number of bytes written.
|
2004-05-02 01:29:20 +02:00
|
|
|
* On failure, return -1.
|
2011-01-13 20:36:41 +01:00
|
|
|
*
|
|
|
|
* <b>tolen</b> is the number of writable bytes in <b>to</b>, and must be
|
|
|
|
* at least the length of the modulus of <b>env</b>.
|
2004-05-01 23:41:23 +02:00
|
|
|
*/
|
2016-12-14 02:22:34 +01:00
|
|
|
MOCK_IMPL(int,
|
|
|
|
crypto_pk_public_checksig,(const crypto_pk_t *env, char *to,
|
|
|
|
size_t tolen,
|
|
|
|
const char *from, size_t fromlen))
|
2003-05-07 04:13:23 +02:00
|
|
|
{
|
2004-04-26 20:09:50 +02:00
|
|
|
int r;
|
2004-10-17 00:28:11 +02:00
|
|
|
tor_assert(env);
|
|
|
|
tor_assert(from);
|
|
|
|
tor_assert(to);
|
2008-02-21 22:57:42 +01:00
|
|
|
tor_assert(fromlen < INT_MAX);
|
2011-01-13 20:36:41 +01:00
|
|
|
tor_assert(tolen >= crypto_pk_keysize(env));
|
2008-02-24 23:11:18 +01:00
|
|
|
r = RSA_public_decrypt((int)fromlen,
|
|
|
|
(unsigned char*)from, (unsigned char*)to,
|
2005-12-14 21:40:40 +01:00
|
|
|
env->key, RSA_PKCS1_PADDING);
|
2004-04-26 20:09:50 +02:00
|
|
|
|
2004-05-02 01:29:20 +02:00
|
|
|
if (r<0) {
|
2014-11-09 16:39:23 +01:00
|
|
|
crypto_log_errors(LOG_INFO, "checking RSA signature");
|
2004-05-02 01:29:20 +02:00
|
|
|
return -1;
|
|
|
|
}
|
2004-04-26 20:09:50 +02:00
|
|
|
return r;
|
2003-05-07 04:13:23 +02:00
|
|
|
}
|
|
|
|
|
2004-05-10 05:53:24 +02:00
|
|
|
/** Check a siglen-byte long signature at <b>sig</b> against
|
|
|
|
* <b>datalen</b> bytes of data at <b>data</b>, using the public key
|
|
|
|
* in <b>env</b>. Return 0 if <b>sig</b> is a correct signature for
|
|
|
|
* SHA1(data). Else return -1.
|
2004-04-02 00:10:33 +02:00
|
|
|
*/
|
2016-12-14 02:22:34 +01:00
|
|
|
MOCK_IMPL(int,
|
|
|
|
crypto_pk_public_checksig_digest,(crypto_pk_t *env, const char *data,
|
|
|
|
size_t datalen, const char *sig,
|
|
|
|
size_t siglen))
|
2004-04-02 00:10:33 +02:00
|
|
|
{
|
2004-04-03 04:40:30 +02:00
|
|
|
char digest[DIGEST_LEN];
|
2007-05-02 23:37:53 +02:00
|
|
|
char *buf;
|
2011-01-13 20:36:41 +01:00
|
|
|
size_t buflen;
|
2004-04-02 00:10:33 +02:00
|
|
|
int r;
|
|
|
|
|
2004-10-17 00:28:11 +02:00
|
|
|
tor_assert(env);
|
|
|
|
tor_assert(data);
|
|
|
|
tor_assert(sig);
|
2010-12-14 00:40:21 +01:00
|
|
|
tor_assert(datalen < SIZE_T_CEILING);
|
|
|
|
tor_assert(siglen < SIZE_T_CEILING);
|
2004-04-02 00:10:33 +02:00
|
|
|
|
2004-11-02 03:28:51 +01:00
|
|
|
if (crypto_digest(digest,data,datalen)<0) {
|
2006-09-30 00:33:40 +02:00
|
|
|
log_warn(LD_BUG, "couldn't compute digest");
|
2004-04-02 00:10:33 +02:00
|
|
|
return -1;
|
|
|
|
}
|
2011-01-14 06:09:40 +01:00
|
|
|
buflen = crypto_pk_keysize(env);
|
2011-01-13 20:36:41 +01:00
|
|
|
buf = tor_malloc(buflen);
|
|
|
|
r = crypto_pk_public_checksig(env,buf,buflen,sig,siglen);
|
2004-04-03 04:40:30 +02:00
|
|
|
if (r != DIGEST_LEN) {
|
2006-02-13 09:01:59 +01:00
|
|
|
log_warn(LD_CRYPTO, "Invalid signature");
|
2007-05-02 23:37:53 +02:00
|
|
|
tor_free(buf);
|
2004-04-02 00:10:33 +02:00
|
|
|
return -1;
|
|
|
|
}
|
2011-05-10 22:58:38 +02:00
|
|
|
if (tor_memneq(buf, digest, DIGEST_LEN)) {
|
2006-02-13 09:01:59 +01:00
|
|
|
log_warn(LD_CRYPTO, "Signature mismatched with digest.");
|
2007-05-02 23:37:53 +02:00
|
|
|
tor_free(buf);
|
2004-04-02 00:10:33 +02:00
|
|
|
return -1;
|
|
|
|
}
|
2007-05-02 23:37:53 +02:00
|
|
|
tor_free(buf);
|
2004-04-02 00:10:33 +02:00
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2004-11-02 03:28:51 +01:00
|
|
|
/** Sign <b>fromlen</b> bytes of data from <b>from</b> with the private key in
|
|
|
|
* <b>env</b>, using PKCS1 padding. On success, write the signature to
|
|
|
|
* <b>to</b>, and return the number of bytes written. On failure, return
|
|
|
|
* -1.
|
2011-01-13 20:36:41 +01:00
|
|
|
*
|
|
|
|
* <b>tolen</b> is the number of writable bytes in <b>to</b>, and must be
|
|
|
|
* at least the length of the modulus of <b>env</b>.
|
2004-11-02 03:28:51 +01:00
|
|
|
*/
|
|
|
|
int
|
2014-10-01 17:54:07 +02:00
|
|
|
crypto_pk_private_sign(const crypto_pk_t *env, char *to, size_t tolen,
|
2005-05-07 07:55:06 +02:00
|
|
|
const char *from, size_t fromlen)
|
2004-11-02 03:28:51 +01:00
|
|
|
{
|
|
|
|
int r;
|
|
|
|
tor_assert(env);
|
|
|
|
tor_assert(from);
|
|
|
|
tor_assert(to);
|
2008-02-21 22:57:42 +01:00
|
|
|
tor_assert(fromlen < INT_MAX);
|
2011-01-13 20:36:41 +01:00
|
|
|
tor_assert(tolen >= crypto_pk_keysize(env));
|
2016-06-14 08:14:28 +02:00
|
|
|
if (!crypto_pk_key_is_private(env))
|
2004-11-02 03:28:51 +01:00
|
|
|
/* Not a private key */
|
|
|
|
return -1;
|
|
|
|
|
2008-02-21 22:57:42 +01:00
|
|
|
r = RSA_private_encrypt((int)fromlen,
|
|
|
|
(unsigned char*)from, (unsigned char*)to,
|
2014-10-01 17:54:07 +02:00
|
|
|
(RSA*)env->key, RSA_PKCS1_PADDING);
|
2004-11-02 03:28:51 +01:00
|
|
|
if (r<0) {
|
|
|
|
crypto_log_errors(LOG_WARN, "generating RSA signature");
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
return r;
|
|
|
|
}
|
|
|
|
|
2004-05-10 05:53:24 +02:00
|
|
|
/** Compute a SHA1 digest of <b>fromlen</b> bytes of data stored at
|
|
|
|
* <b>from</b>; sign the data with the private key in <b>env</b>, and
|
|
|
|
* store it in <b>to</b>. Return the number of bytes written on
|
|
|
|
* success, and -1 on failure.
|
2011-01-13 20:36:41 +01:00
|
|
|
*
|
|
|
|
* <b>tolen</b> is the number of writable bytes in <b>to</b>, and must be
|
|
|
|
* at least the length of the modulus of <b>env</b>.
|
2004-04-02 00:10:33 +02:00
|
|
|
*/
|
2004-11-02 03:28:51 +01:00
|
|
|
int
|
2012-01-18 21:53:30 +01:00
|
|
|
crypto_pk_private_sign_digest(crypto_pk_t *env, char *to, size_t tolen,
|
2005-05-07 07:55:06 +02:00
|
|
|
const char *from, size_t fromlen)
|
2004-04-02 00:10:33 +02:00
|
|
|
{
|
2008-02-07 17:10:33 +01:00
|
|
|
int r;
|
2004-04-03 04:40:30 +02:00
|
|
|
char digest[DIGEST_LEN];
|
2004-11-02 03:28:51 +01:00
|
|
|
if (crypto_digest(digest,from,fromlen)<0)
|
2004-05-01 23:41:23 +02:00
|
|
|
return -1;
|
2011-01-13 20:36:41 +01:00
|
|
|
r = crypto_pk_private_sign(env,to,tolen,digest,DIGEST_LEN);
|
2012-11-07 22:09:58 +01:00
|
|
|
memwipe(digest, 0, sizeof(digest));
|
2008-02-07 17:10:33 +01:00
|
|
|
return r;
|
2004-04-02 00:10:33 +02:00
|
|
|
}
|
|
|
|
|
2004-05-10 05:53:24 +02:00
|
|
|
/** Perform a hybrid (public/secret) encryption on <b>fromlen</b>
|
|
|
|
* bytes of data from <b>from</b>, with padding type 'padding',
|
|
|
|
* storing the results on <b>to</b>.
|
2004-04-01 05:08:35 +02:00
|
|
|
*
|
|
|
|
* Returns the number of bytes written on success, -1 on failure.
|
|
|
|
*
|
|
|
|
* The encrypted data consists of:
|
2004-05-10 05:53:24 +02:00
|
|
|
* - The source data, padded and encrypted with the public key, if the
|
|
|
|
* padded source data is no longer than the public key, and <b>force</b>
|
|
|
|
* is false, OR
|
|
|
|
* - The beginning of the source data prefixed with a 16-byte symmetric key,
|
|
|
|
* padded and encrypted with the public key; followed by the rest of
|
|
|
|
* the source data encrypted in AES-CTR mode with the symmetric key.
|
2017-07-24 20:32:59 +02:00
|
|
|
*
|
|
|
|
* NOTE that this format does not authenticate the symmetrically encrypted
|
|
|
|
* part of the data, and SHOULD NOT BE USED for new protocols.
|
2004-04-01 05:08:35 +02:00
|
|
|
*/
|
2005-09-30 03:09:52 +02:00
|
|
|
int
|
2017-07-24 20:32:59 +02:00
|
|
|
crypto_pk_obsolete_public_hybrid_encrypt(crypto_pk_t *env,
|
2011-01-13 20:36:41 +01:00
|
|
|
char *to, size_t tolen,
|
2005-09-30 03:09:52 +02:00
|
|
|
const char *from,
|
|
|
|
size_t fromlen,
|
|
|
|
int padding, int force)
|
2004-04-01 05:08:35 +02:00
|
|
|
{
|
2008-02-21 22:57:47 +01:00
|
|
|
int overhead, outlen, r;
|
|
|
|
size_t pkeylen, symlen;
|
2012-01-18 21:53:30 +01:00
|
|
|
crypto_cipher_t *cipher = NULL;
|
2007-05-02 23:37:53 +02:00
|
|
|
char *buf = NULL;
|
2004-04-01 05:08:35 +02:00
|
|
|
|
2004-10-17 00:28:11 +02:00
|
|
|
tor_assert(env);
|
|
|
|
tor_assert(from);
|
|
|
|
tor_assert(to);
|
2010-12-14 00:40:21 +01:00
|
|
|
tor_assert(fromlen < SIZE_T_CEILING);
|
2004-04-01 05:08:35 +02:00
|
|
|
|
2004-04-03 04:40:30 +02:00
|
|
|
overhead = crypto_get_rsa_padding_overhead(crypto_get_rsa_padding(padding));
|
2004-04-01 05:08:35 +02:00
|
|
|
pkeylen = crypto_pk_keysize(env);
|
|
|
|
|
2004-04-06 22:55:46 +02:00
|
|
|
if (!force && fromlen+overhead <= pkeylen) {
|
2004-04-01 05:08:35 +02:00
|
|
|
/* It all fits in a single encrypt. */
|
2011-01-13 20:36:41 +01:00
|
|
|
return crypto_pk_public_encrypt(env,to,
|
|
|
|
tolen,
|
|
|
|
from,fromlen,padding);
|
2004-04-01 05:08:35 +02:00
|
|
|
}
|
2011-01-13 20:36:41 +01:00
|
|
|
tor_assert(tolen >= fromlen + overhead + CIPHER_KEY_LEN);
|
|
|
|
tor_assert(tolen >= pkeylen);
|
|
|
|
|
2016-09-16 16:12:30 +02:00
|
|
|
char key[CIPHER_KEY_LEN];
|
|
|
|
crypto_rand(key, sizeof(key)); /* generate a new key. */
|
|
|
|
cipher = crypto_cipher_new(key);
|
2012-03-20 20:35:43 +01:00
|
|
|
|
2007-05-02 23:37:53 +02:00
|
|
|
buf = tor_malloc(pkeylen+1);
|
2016-09-16 16:12:30 +02:00
|
|
|
memcpy(buf, key, CIPHER_KEY_LEN);
|
2004-04-03 04:40:30 +02:00
|
|
|
memcpy(buf+CIPHER_KEY_LEN, from, pkeylen-overhead-CIPHER_KEY_LEN);
|
2004-04-01 05:08:35 +02:00
|
|
|
|
|
|
|
/* Length of symmetrically encrypted data. */
|
2004-04-03 04:40:30 +02:00
|
|
|
symlen = fromlen-(pkeylen-overhead-CIPHER_KEY_LEN);
|
2004-04-01 05:08:35 +02:00
|
|
|
|
2011-01-13 20:36:41 +01:00
|
|
|
outlen = crypto_pk_public_encrypt(env,to,tolen,buf,pkeylen-overhead,padding);
|
2005-05-07 07:55:06 +02:00
|
|
|
if (outlen!=(int)pkeylen) {
|
2004-04-01 05:08:35 +02:00
|
|
|
goto err;
|
|
|
|
}
|
2004-11-02 03:28:51 +01:00
|
|
|
r = crypto_cipher_encrypt(cipher, to+outlen,
|
|
|
|
from+pkeylen-overhead-CIPHER_KEY_LEN, symlen);
|
2004-04-01 05:08:35 +02:00
|
|
|
|
|
|
|
if (r<0) goto err;
|
2012-11-07 22:09:58 +01:00
|
|
|
memwipe(buf, 0, pkeylen);
|
2016-09-16 16:12:30 +02:00
|
|
|
memwipe(key, 0, sizeof(key));
|
2007-05-02 23:37:53 +02:00
|
|
|
tor_free(buf);
|
2012-01-18 21:53:30 +01:00
|
|
|
crypto_cipher_free(cipher);
|
2008-02-21 22:57:47 +01:00
|
|
|
tor_assert(outlen+symlen < INT_MAX);
|
|
|
|
return (int)(outlen + symlen);
|
2004-04-01 05:08:35 +02:00
|
|
|
err:
|
2012-04-18 16:38:39 +02:00
|
|
|
|
2012-11-07 22:09:58 +01:00
|
|
|
memwipe(buf, 0, pkeylen);
|
2016-09-16 16:12:30 +02:00
|
|
|
memwipe(key, 0, sizeof(key));
|
2012-04-18 16:38:39 +02:00
|
|
|
tor_free(buf);
|
2012-03-30 16:16:58 +02:00
|
|
|
crypto_cipher_free(cipher);
|
2004-04-01 05:08:35 +02:00
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
2017-07-24 20:32:59 +02:00
|
|
|
/** Invert crypto_pk_obsolete_public_hybrid_encrypt. Returns the number of
|
|
|
|
* bytes written on success, -1 on failure.
|
|
|
|
*
|
|
|
|
* NOTE that this format does not authenticate the symmetrically encrypted
|
|
|
|
* part of the data, and SHOULD NOT BE USED for new protocols.
|
|
|
|
*/
|
2005-09-30 03:09:52 +02:00
|
|
|
int
|
2017-07-24 20:32:59 +02:00
|
|
|
crypto_pk_obsolete_private_hybrid_decrypt(crypto_pk_t *env,
|
2005-09-30 03:09:52 +02:00
|
|
|
char *to,
|
2011-01-13 20:36:41 +01:00
|
|
|
size_t tolen,
|
2005-09-30 03:09:52 +02:00
|
|
|
const char *from,
|
|
|
|
size_t fromlen,
|
|
|
|
int padding, int warnOnFailure)
|
2004-04-01 05:08:35 +02:00
|
|
|
{
|
2006-10-09 04:35:51 +02:00
|
|
|
int outlen, r;
|
2005-05-07 07:55:06 +02:00
|
|
|
size_t pkeylen;
|
2012-01-18 21:53:30 +01:00
|
|
|
crypto_cipher_t *cipher = NULL;
|
2007-05-02 23:37:53 +02:00
|
|
|
char *buf = NULL;
|
2004-04-01 05:08:35 +02:00
|
|
|
|
2010-12-14 00:40:21 +01:00
|
|
|
tor_assert(fromlen < SIZE_T_CEILING);
|
2004-04-01 05:08:35 +02:00
|
|
|
pkeylen = crypto_pk_keysize(env);
|
|
|
|
|
|
|
|
if (fromlen <= pkeylen) {
|
2011-01-13 20:36:41 +01:00
|
|
|
return crypto_pk_private_decrypt(env,to,tolen,from,fromlen,padding,
|
2005-12-14 21:40:40 +01:00
|
|
|
warnOnFailure);
|
2004-04-01 05:08:35 +02:00
|
|
|
}
|
2011-01-13 20:36:41 +01:00
|
|
|
|
2011-01-14 06:09:40 +01:00
|
|
|
buf = tor_malloc(pkeylen);
|
|
|
|
outlen = crypto_pk_private_decrypt(env,buf,pkeylen,from,pkeylen,padding,
|
2005-12-14 21:40:40 +01:00
|
|
|
warnOnFailure);
|
2004-04-01 05:08:35 +02:00
|
|
|
if (outlen<0) {
|
2005-10-18 23:58:19 +02:00
|
|
|
log_fn(warnOnFailure?LOG_WARN:LOG_DEBUG, LD_CRYPTO,
|
|
|
|
"Error decrypting public-key data");
|
2007-05-02 23:37:53 +02:00
|
|
|
goto err;
|
2004-04-01 05:08:35 +02:00
|
|
|
}
|
2004-04-03 04:40:30 +02:00
|
|
|
if (outlen < CIPHER_KEY_LEN) {
|
2005-10-18 23:58:19 +02:00
|
|
|
log_fn(warnOnFailure?LOG_WARN:LOG_INFO, LD_CRYPTO,
|
|
|
|
"No room for a symmetric key");
|
2007-05-02 23:37:53 +02:00
|
|
|
goto err;
|
2004-04-01 05:08:35 +02:00
|
|
|
}
|
2012-03-20 20:35:43 +01:00
|
|
|
cipher = crypto_cipher_new(buf);
|
2004-04-01 05:08:35 +02:00
|
|
|
if (!cipher) {
|
2007-05-02 23:37:53 +02:00
|
|
|
goto err;
|
2004-04-01 05:08:35 +02:00
|
|
|
}
|
2004-04-03 04:40:30 +02:00
|
|
|
memcpy(to,buf+CIPHER_KEY_LEN,outlen-CIPHER_KEY_LEN);
|
|
|
|
outlen -= CIPHER_KEY_LEN;
|
2011-01-13 20:36:41 +01:00
|
|
|
tor_assert(tolen - outlen >= fromlen - pkeylen);
|
2004-11-02 03:28:51 +01:00
|
|
|
r = crypto_cipher_decrypt(cipher, to+outlen, from+pkeylen, fromlen-pkeylen);
|
2004-04-01 05:08:35 +02:00
|
|
|
if (r<0)
|
|
|
|
goto err;
|
2012-11-07 22:09:58 +01:00
|
|
|
memwipe(buf,0,pkeylen);
|
2007-05-02 23:37:53 +02:00
|
|
|
tor_free(buf);
|
2012-01-18 21:53:30 +01:00
|
|
|
crypto_cipher_free(cipher);
|
2008-02-21 22:57:47 +01:00
|
|
|
tor_assert(outlen + fromlen < INT_MAX);
|
|
|
|
return (int)(outlen + (fromlen-pkeylen));
|
2004-04-01 05:08:35 +02:00
|
|
|
err:
|
2012-11-07 22:09:58 +01:00
|
|
|
memwipe(buf,0,pkeylen);
|
2007-05-02 23:37:53 +02:00
|
|
|
tor_free(buf);
|
2012-03-30 16:16:58 +02:00
|
|
|
crypto_cipher_free(cipher);
|
2004-04-01 05:08:35 +02:00
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
2004-05-10 05:53:24 +02:00
|
|
|
/** ASN.1-encode the public portion of <b>pk</b> into <b>dest</b>.
|
|
|
|
* Return -1 on error, or the number of characters used on success.
|
2004-03-08 01:11:37 +01:00
|
|
|
*/
|
2005-09-30 03:09:52 +02:00
|
|
|
int
|
2012-01-18 21:53:30 +01:00
|
|
|
crypto_pk_asn1_encode(crypto_pk_t *pk, char *dest, size_t dest_len)
|
2004-03-30 21:47:32 +02:00
|
|
|
{
|
|
|
|
int len;
|
2013-06-06 12:45:35 +02:00
|
|
|
unsigned char *buf = NULL;
|
|
|
|
|
|
|
|
len = i2d_RSAPublicKey(pk->key, &buf);
|
|
|
|
if (len < 0 || buf == NULL)
|
2004-03-30 21:47:32 +02:00
|
|
|
return -1;
|
2013-06-06 12:45:35 +02:00
|
|
|
|
|
|
|
if ((size_t)len > dest_len || dest_len > SIZE_T_CEILING) {
|
|
|
|
OPENSSL_free(buf);
|
2004-03-30 21:47:32 +02:00
|
|
|
return -1;
|
2004-03-31 00:50:49 +02:00
|
|
|
}
|
|
|
|
/* We don't encode directly into 'dest', because that would be illegal
|
|
|
|
* type-punning. (C99 is smarter than me, C99 is smarter than me...)
|
|
|
|
*/
|
|
|
|
memcpy(dest,buf,len);
|
2013-06-06 12:45:35 +02:00
|
|
|
OPENSSL_free(buf);
|
2004-03-30 21:47:32 +02:00
|
|
|
return len;
|
|
|
|
}
|
|
|
|
|
2004-05-10 05:53:24 +02:00
|
|
|
/** Decode an ASN.1-encoded public key from <b>str</b>; return the result on
|
2004-05-02 01:29:20 +02:00
|
|
|
* success and NULL on failure.
|
2004-03-30 21:47:32 +02:00
|
|
|
*/
|
2012-01-18 21:53:30 +01:00
|
|
|
crypto_pk_t *
|
2005-09-30 03:09:52 +02:00
|
|
|
crypto_pk_asn1_decode(const char *str, size_t len)
|
2004-03-30 21:47:32 +02:00
|
|
|
{
|
|
|
|
RSA *rsa;
|
2004-04-01 00:41:25 +02:00
|
|
|
unsigned char *buf;
|
2004-04-05 19:10:48 +02:00
|
|
|
const unsigned char *cp;
|
|
|
|
cp = buf = tor_malloc(len);
|
|
|
|
memcpy(buf,str,len);
|
|
|
|
rsa = d2i_RSAPublicKey(NULL, &cp, len);
|
2004-03-31 00:50:49 +02:00
|
|
|
tor_free(buf);
|
2004-04-26 20:09:50 +02:00
|
|
|
if (!rsa) {
|
|
|
|
crypto_log_errors(LOG_WARN,"decoding public key");
|
|
|
|
return NULL;
|
|
|
|
}
|
2012-10-12 18:22:13 +02:00
|
|
|
return crypto_new_pk_from_rsa_(rsa);
|
2004-03-30 21:47:32 +02:00
|
|
|
}
|
|
|
|
|
2004-05-10 05:53:24 +02:00
|
|
|
/** Given a private or public key <b>pk</b>, put a SHA1 hash of the
|
|
|
|
* public key into <b>digest_out</b> (must have DIGEST_LEN bytes of space).
|
2004-10-07 22:58:53 +02:00
|
|
|
* Return 0 on success, -1 on failure.
|
2004-03-30 21:47:32 +02:00
|
|
|
*/
|
2005-09-30 03:09:52 +02:00
|
|
|
int
|
2014-12-01 17:12:05 +01:00
|
|
|
crypto_pk_get_digest(const crypto_pk_t *pk, char *digest_out)
|
2003-09-25 07:17:11 +02:00
|
|
|
{
|
2013-06-06 12:45:35 +02:00
|
|
|
unsigned char *buf = NULL;
|
2003-09-25 07:17:11 +02:00
|
|
|
int len;
|
2004-04-03 04:40:30 +02:00
|
|
|
|
2014-10-01 17:54:07 +02:00
|
|
|
len = i2d_RSAPublicKey((RSA*)pk->key, &buf);
|
2013-06-06 12:45:35 +02:00
|
|
|
if (len < 0 || buf == NULL)
|
2003-09-25 07:17:11 +02:00
|
|
|
return -1;
|
2005-05-07 07:55:06 +02:00
|
|
|
if (crypto_digest(digest_out, (char*)buf, len) < 0) {
|
2013-06-06 12:45:35 +02:00
|
|
|
OPENSSL_free(buf);
|
2003-09-25 07:17:11 +02:00
|
|
|
return -1;
|
|
|
|
}
|
2013-06-06 12:45:35 +02:00
|
|
|
OPENSSL_free(buf);
|
2004-03-30 21:47:32 +02:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2011-09-13 20:32:51 +02:00
|
|
|
/** Compute all digests of the DER encoding of <b>pk</b>, and store them
|
|
|
|
* in <b>digests_out</b>. Return 0 on success, -1 on failure. */
|
|
|
|
int
|
2016-02-10 21:31:43 +01:00
|
|
|
crypto_pk_get_common_digests(crypto_pk_t *pk, common_digests_t *digests_out)
|
2011-09-13 20:32:51 +02:00
|
|
|
{
|
2013-06-06 12:45:35 +02:00
|
|
|
unsigned char *buf = NULL;
|
2011-09-13 20:32:51 +02:00
|
|
|
int len;
|
|
|
|
|
2013-06-06 12:45:35 +02:00
|
|
|
len = i2d_RSAPublicKey(pk->key, &buf);
|
|
|
|
if (len < 0 || buf == NULL)
|
2011-09-13 20:32:51 +02:00
|
|
|
return -1;
|
2016-02-10 21:28:19 +01:00
|
|
|
if (crypto_common_digests(digests_out, (char*)buf, len) < 0) {
|
2013-06-06 12:45:35 +02:00
|
|
|
OPENSSL_free(buf);
|
2011-09-13 20:32:51 +02:00
|
|
|
return -1;
|
|
|
|
}
|
2013-06-06 12:45:35 +02:00
|
|
|
OPENSSL_free(buf);
|
2011-09-13 20:32:51 +02:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2008-02-16 00:39:14 +01:00
|
|
|
/** Copy <b>in</b> to the <b>outlen</b>-byte buffer <b>out</b>, adding spaces
|
2015-11-23 08:59:11 +01:00
|
|
|
* every four characters. */
|
2013-06-06 23:58:28 +02:00
|
|
|
void
|
|
|
|
crypto_add_spaces_to_fp(char *out, size_t outlen, const char *in)
|
2008-02-16 00:39:14 +01:00
|
|
|
{
|
|
|
|
int n = 0;
|
|
|
|
char *end = out+outlen;
|
2010-12-14 00:40:21 +01:00
|
|
|
tor_assert(outlen < SIZE_T_CEILING);
|
|
|
|
|
2008-02-16 00:39:14 +01:00
|
|
|
while (*in && out<end) {
|
|
|
|
*out++ = *in++;
|
|
|
|
if (++n == 4 && *in && out<end) {
|
|
|
|
n = 0;
|
|
|
|
*out++ = ' ';
|
|
|
|
}
|
|
|
|
}
|
|
|
|
tor_assert(out<end);
|
|
|
|
*out = '\0';
|
|
|
|
}
|
|
|
|
|
2004-05-10 05:53:24 +02:00
|
|
|
/** Given a private or public key <b>pk</b>, put a fingerprint of the
|
|
|
|
* public key into <b>fp_out</b> (must have at least FINGERPRINT_LEN+1 bytes of
|
2004-10-07 22:58:53 +02:00
|
|
|
* space). Return 0 on success, -1 on failure.
|
2004-05-10 05:53:24 +02:00
|
|
|
*
|
|
|
|
* Fingerprints are computed as the SHA1 digest of the ASN.1 encoding
|
2004-07-01 03:16:59 +02:00
|
|
|
* of the public key, converted to hexadecimal, in upper case, with a
|
|
|
|
* space after every four digits.
|
2004-10-06 15:26:10 +02:00
|
|
|
*
|
|
|
|
* If <b>add_space</b> is false, omit the spaces.
|
2004-03-30 21:47:32 +02:00
|
|
|
*/
|
|
|
|
int
|
2012-01-18 21:53:30 +01:00
|
|
|
crypto_pk_get_fingerprint(crypto_pk_t *pk, char *fp_out, int add_space)
|
2004-03-30 21:47:32 +02:00
|
|
|
{
|
2005-05-07 07:55:06 +02:00
|
|
|
char digest[DIGEST_LEN];
|
|
|
|
char hexdigest[HEX_DIGEST_LEN+1];
|
2004-03-30 21:47:32 +02:00
|
|
|
if (crypto_pk_get_digest(pk, digest)) {
|
|
|
|
return -1;
|
|
|
|
}
|
2004-10-07 22:58:53 +02:00
|
|
|
base16_encode(hexdigest,sizeof(hexdigest),digest,DIGEST_LEN);
|
2004-10-06 15:26:10 +02:00
|
|
|
if (add_space) {
|
2013-06-06 23:58:28 +02:00
|
|
|
crypto_add_spaces_to_fp(fp_out, FINGERPRINT_LEN+1, hexdigest);
|
2004-10-07 22:58:53 +02:00
|
|
|
} else {
|
2007-01-20 04:35:03 +01:00
|
|
|
strncpy(fp_out, hexdigest, HEX_DIGEST_LEN+1);
|
2004-10-06 15:26:10 +02:00
|
|
|
}
|
2003-09-25 07:17:11 +02:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2014-02-26 10:44:55 +01:00
|
|
|
/** Given a private or public key <b>pk</b>, put a hashed fingerprint of
|
|
|
|
* the public key into <b>fp_out</b> (must have at least FINGERPRINT_LEN+1
|
|
|
|
* bytes of space). Return 0 on success, -1 on failure.
|
|
|
|
*
|
|
|
|
* Hashed fingerprints are computed as the SHA1 digest of the SHA1 digest
|
|
|
|
* of the ASN.1 encoding of the public key, converted to hexadecimal, in
|
|
|
|
* upper case.
|
|
|
|
*/
|
|
|
|
int
|
|
|
|
crypto_pk_get_hashed_fingerprint(crypto_pk_t *pk, char *fp_out)
|
|
|
|
{
|
|
|
|
char digest[DIGEST_LEN], hashed_digest[DIGEST_LEN];
|
|
|
|
if (crypto_pk_get_digest(pk, digest)) {
|
|
|
|
return -1;
|
|
|
|
}
|
2016-11-18 04:45:24 +01:00
|
|
|
if (crypto_digest(hashed_digest, digest, DIGEST_LEN) < 0) {
|
2014-02-26 10:44:55 +01:00
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
base16_encode(fp_out, FINGERPRINT_LEN + 1, hashed_digest, DIGEST_LEN);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2015-04-25 10:23:15 +02:00
|
|
|
/** Given a crypto_pk_t <b>pk</b>, allocate a new buffer containing the
|
|
|
|
* Base64 encoding of the DER representation of the private key as a NUL
|
|
|
|
* terminated string, and return it via <b>priv_out</b>. Return 0 on
|
|
|
|
* sucess, -1 on failure.
|
|
|
|
*
|
|
|
|
* It is the caller's responsibility to sanitize and free the resulting buffer.
|
|
|
|
*/
|
|
|
|
int
|
|
|
|
crypto_pk_base64_encode(const crypto_pk_t *pk, char **priv_out)
|
|
|
|
{
|
|
|
|
unsigned char *der = NULL;
|
|
|
|
int der_len;
|
|
|
|
int ret = -1;
|
|
|
|
|
|
|
|
*priv_out = NULL;
|
|
|
|
|
|
|
|
der_len = i2d_RSAPrivateKey(pk->key, &der);
|
|
|
|
if (der_len < 0 || der == NULL)
|
|
|
|
return ret;
|
|
|
|
|
|
|
|
size_t priv_len = base64_encode_size(der_len, 0) + 1;
|
|
|
|
char *priv = tor_malloc_zero(priv_len);
|
|
|
|
if (base64_encode(priv, priv_len, (char *)der, der_len, 0) >= 0) {
|
|
|
|
*priv_out = priv;
|
|
|
|
ret = 0;
|
|
|
|
} else {
|
|
|
|
tor_free(priv);
|
|
|
|
}
|
|
|
|
|
|
|
|
memwipe(der, 0, der_len);
|
|
|
|
OPENSSL_free(der);
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
/** Given a string containing the Base64 encoded DER representation of the
|
|
|
|
* private key <b>str</b>, decode and return the result on success, or NULL
|
|
|
|
* on failure.
|
|
|
|
*/
|
|
|
|
crypto_pk_t *
|
|
|
|
crypto_pk_base64_decode(const char *str, size_t len)
|
|
|
|
{
|
|
|
|
crypto_pk_t *pk = NULL;
|
|
|
|
|
|
|
|
char *der = tor_malloc_zero(len + 1);
|
|
|
|
int der_len = base64_decode(der, len, str, len);
|
|
|
|
if (der_len <= 0) {
|
|
|
|
log_warn(LD_CRYPTO, "Stored RSA private key seems corrupted (base64).");
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
|
|
|
|
const unsigned char *dp = (unsigned char*)der; /* Shut the compiler up. */
|
|
|
|
RSA *rsa = d2i_RSAPrivateKey(NULL, &dp, der_len);
|
|
|
|
if (!rsa) {
|
|
|
|
crypto_log_errors(LOG_WARN, "decoding private key");
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
|
|
|
|
pk = crypto_new_pk_from_rsa_(rsa);
|
|
|
|
|
|
|
|
/* Make sure it's valid. */
|
|
|
|
if (crypto_pk_check_key(pk) <= 0) {
|
|
|
|
crypto_pk_free(pk);
|
|
|
|
pk = NULL;
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
|
|
|
|
out:
|
|
|
|
memwipe(der, 0, len + 1);
|
|
|
|
tor_free(der);
|
|
|
|
return pk;
|
|
|
|
}
|
|
|
|
|
2002-07-24 16:02:39 +02:00
|
|
|
/* symmetric crypto */
|
2004-05-01 23:41:23 +02:00
|
|
|
|
2004-05-10 05:53:24 +02:00
|
|
|
/** Encrypt <b>fromlen</b> bytes from <b>from</b> using the cipher
|
|
|
|
* <b>env</b>; on success, store the result to <b>to</b> and return 0.
|
2015-11-23 10:31:57 +01:00
|
|
|
* Does not check for failure.
|
2004-05-01 23:41:23 +02:00
|
|
|
*/
|
2004-11-02 03:28:51 +01:00
|
|
|
int
|
2012-01-18 21:53:30 +01:00
|
|
|
crypto_cipher_encrypt(crypto_cipher_t *env, char *to,
|
2005-05-07 07:55:06 +02:00
|
|
|
const char *from, size_t fromlen)
|
2002-07-24 16:02:39 +02:00
|
|
|
{
|
2004-10-17 00:28:11 +02:00
|
|
|
tor_assert(env);
|
2016-09-16 16:18:02 +02:00
|
|
|
tor_assert(env);
|
2004-10-17 00:28:11 +02:00
|
|
|
tor_assert(from);
|
|
|
|
tor_assert(fromlen);
|
|
|
|
tor_assert(to);
|
2010-12-14 00:40:21 +01:00
|
|
|
tor_assert(fromlen < SIZE_T_CEILING);
|
2003-12-16 06:29:04 +01:00
|
|
|
|
2016-02-06 18:05:32 +01:00
|
|
|
memcpy(to, from, fromlen);
|
2016-09-16 16:18:02 +02:00
|
|
|
aes_crypt_inplace(env, to, fromlen);
|
2004-04-03 04:40:30 +02:00
|
|
|
return 0;
|
2002-07-24 16:02:39 +02:00
|
|
|
}
|
|
|
|
|
2004-05-10 05:53:24 +02:00
|
|
|
/** Decrypt <b>fromlen</b> bytes from <b>from</b> using the cipher
|
|
|
|
* <b>env</b>; on success, store the result to <b>to</b> and return 0.
|
2015-11-23 10:31:57 +01:00
|
|
|
* Does not check for failure.
|
2004-05-01 23:41:23 +02:00
|
|
|
*/
|
2004-11-02 03:28:51 +01:00
|
|
|
int
|
2012-01-18 21:53:30 +01:00
|
|
|
crypto_cipher_decrypt(crypto_cipher_t *env, char *to,
|
2005-05-07 07:55:06 +02:00
|
|
|
const char *from, size_t fromlen)
|
2002-07-24 16:02:39 +02:00
|
|
|
{
|
2004-10-17 00:28:11 +02:00
|
|
|
tor_assert(env);
|
|
|
|
tor_assert(from);
|
|
|
|
tor_assert(to);
|
2010-12-14 00:40:21 +01:00
|
|
|
tor_assert(fromlen < SIZE_T_CEILING);
|
2003-06-30 21:18:32 +02:00
|
|
|
|
2016-02-06 18:05:32 +01:00
|
|
|
memcpy(to, from, fromlen);
|
2016-09-16 16:18:02 +02:00
|
|
|
aes_crypt_inplace(env, to, fromlen);
|
2004-04-03 04:40:30 +02:00
|
|
|
return 0;
|
2003-06-30 21:18:32 +02:00
|
|
|
}
|
|
|
|
|
2008-02-07 17:10:33 +01:00
|
|
|
/** Encrypt <b>len</b> bytes on <b>from</b> using the cipher in <b>env</b>;
|
2016-02-06 18:14:39 +01:00
|
|
|
* on success. Does not check for failure.
|
2008-02-07 17:10:33 +01:00
|
|
|
*/
|
2016-02-06 18:14:39 +01:00
|
|
|
void
|
2012-01-18 21:53:30 +01:00
|
|
|
crypto_cipher_crypt_inplace(crypto_cipher_t *env, char *buf, size_t len)
|
2008-02-07 17:10:33 +01:00
|
|
|
{
|
2010-12-14 00:40:21 +01:00
|
|
|
tor_assert(len < SIZE_T_CEILING);
|
2016-09-16 16:18:02 +02:00
|
|
|
aes_crypt_inplace(env, buf, len);
|
2008-02-07 17:10:33 +01:00
|
|
|
}
|
|
|
|
|
2007-09-19 17:53:41 +02:00
|
|
|
/** Encrypt <b>fromlen</b> bytes (at least 1) from <b>from</b> with the key in
|
2012-03-20 20:35:43 +01:00
|
|
|
* <b>key</b> to the buffer in <b>to</b> of length
|
2007-09-19 17:53:41 +02:00
|
|
|
* <b>tolen</b>. <b>tolen</b> must be at least <b>fromlen</b> plus
|
|
|
|
* CIPHER_IV_LEN bytes for the initialization vector. On success, return the
|
|
|
|
* number of bytes written, on failure, return -1.
|
|
|
|
*/
|
|
|
|
int
|
2012-03-20 20:35:43 +01:00
|
|
|
crypto_cipher_encrypt_with_iv(const char *key,
|
2007-09-19 17:53:41 +02:00
|
|
|
char *to, size_t tolen,
|
|
|
|
const char *from, size_t fromlen)
|
|
|
|
{
|
2012-03-20 20:35:43 +01:00
|
|
|
crypto_cipher_t *cipher;
|
2007-09-19 17:53:41 +02:00
|
|
|
tor_assert(from);
|
|
|
|
tor_assert(to);
|
2008-02-21 22:57:47 +01:00
|
|
|
tor_assert(fromlen < INT_MAX);
|
2007-09-19 17:53:41 +02:00
|
|
|
|
2007-09-20 22:08:47 +02:00
|
|
|
if (fromlen < 1)
|
|
|
|
return -1;
|
2007-09-19 17:53:41 +02:00
|
|
|
if (tolen < fromlen + CIPHER_IV_LEN)
|
|
|
|
return -1;
|
|
|
|
|
2016-09-16 16:12:30 +02:00
|
|
|
char iv[CIPHER_IV_LEN];
|
|
|
|
crypto_rand(iv, sizeof(iv));
|
|
|
|
cipher = crypto_cipher_new_with_iv(key, iv);
|
2012-03-20 20:35:43 +01:00
|
|
|
|
2016-09-16 16:12:30 +02:00
|
|
|
memcpy(to, iv, CIPHER_IV_LEN);
|
2007-09-19 17:53:41 +02:00
|
|
|
crypto_cipher_encrypt(cipher, to+CIPHER_IV_LEN, from, fromlen);
|
2012-03-20 20:35:43 +01:00
|
|
|
crypto_cipher_free(cipher);
|
2016-09-16 16:12:30 +02:00
|
|
|
memwipe(iv, 0, sizeof(iv));
|
2008-02-21 22:57:47 +01:00
|
|
|
return (int)(fromlen + CIPHER_IV_LEN);
|
2007-09-19 17:53:41 +02:00
|
|
|
}
|
|
|
|
|
2007-09-20 22:08:47 +02:00
|
|
|
/** Decrypt <b>fromlen</b> bytes (at least 1+CIPHER_IV_LEN) from <b>from</b>
|
2012-03-20 20:35:43 +01:00
|
|
|
* with the key in <b>key</b> to the buffer in <b>to</b> of length
|
2007-09-19 17:53:41 +02:00
|
|
|
* <b>tolen</b>. <b>tolen</b> must be at least <b>fromlen</b> minus
|
|
|
|
* CIPHER_IV_LEN bytes for the initialization vector. On success, return the
|
|
|
|
* number of bytes written, on failure, return -1.
|
|
|
|
*/
|
|
|
|
int
|
2012-03-20 20:35:43 +01:00
|
|
|
crypto_cipher_decrypt_with_iv(const char *key,
|
2007-09-19 17:53:41 +02:00
|
|
|
char *to, size_t tolen,
|
|
|
|
const char *from, size_t fromlen)
|
|
|
|
{
|
2012-03-20 20:35:43 +01:00
|
|
|
crypto_cipher_t *cipher;
|
|
|
|
tor_assert(key);
|
2007-09-19 17:53:41 +02:00
|
|
|
tor_assert(from);
|
|
|
|
tor_assert(to);
|
2008-02-21 22:57:47 +01:00
|
|
|
tor_assert(fromlen < INT_MAX);
|
2007-09-19 17:53:41 +02:00
|
|
|
|
2007-09-20 22:08:47 +02:00
|
|
|
if (fromlen <= CIPHER_IV_LEN)
|
2007-09-19 17:53:41 +02:00
|
|
|
return -1;
|
|
|
|
if (tolen < fromlen - CIPHER_IV_LEN)
|
|
|
|
return -1;
|
|
|
|
|
2012-03-20 20:35:43 +01:00
|
|
|
cipher = crypto_cipher_new_with_iv(key, from);
|
|
|
|
|
2007-09-19 17:53:41 +02:00
|
|
|
crypto_cipher_encrypt(cipher, to, from+CIPHER_IV_LEN, fromlen-CIPHER_IV_LEN);
|
2012-03-20 20:35:43 +01:00
|
|
|
crypto_cipher_free(cipher);
|
2008-02-21 22:57:47 +01:00
|
|
|
return (int)(fromlen - CIPHER_IV_LEN);
|
2007-09-19 17:53:41 +02:00
|
|
|
}
|
|
|
|
|
2002-07-24 16:02:39 +02:00
|
|
|
/* SHA-1 */
|
2004-05-01 23:41:23 +02:00
|
|
|
|
2011-03-16 22:05:37 +01:00
|
|
|
/** Compute the SHA1 digest of the <b>len</b> bytes on data stored in
|
2004-05-10 05:53:24 +02:00
|
|
|
* <b>m</b>. Write the DIGEST_LEN byte result into <b>digest</b>.
|
2016-11-18 04:45:24 +01:00
|
|
|
* Return 0 on success, -1 on failure.
|
2004-05-01 23:41:23 +02:00
|
|
|
*/
|
2005-09-30 03:09:52 +02:00
|
|
|
int
|
|
|
|
crypto_digest(char *digest, const char *m, size_t len)
|
2002-07-24 16:02:39 +02:00
|
|
|
{
|
2004-10-17 00:28:11 +02:00
|
|
|
tor_assert(m);
|
|
|
|
tor_assert(digest);
|
2016-12-05 16:31:10 +01:00
|
|
|
if (SHA1((const unsigned char*)m,len,(unsigned char*)digest) == NULL)
|
2016-11-18 04:45:24 +01:00
|
|
|
return -1;
|
|
|
|
return 0;
|
2002-07-24 16:02:39 +02:00
|
|
|
}
|
|
|
|
|
2011-03-16 22:05:37 +01:00
|
|
|
/** Compute a 256-bit digest of <b>len</b> bytes in data stored in <b>m</b>,
|
|
|
|
* using the algorithm <b>algorithm</b>. Write the DIGEST_LEN256-byte result
|
2016-11-18 04:58:36 +01:00
|
|
|
* into <b>digest</b>. Return 0 on success, -1 on failure. */
|
2009-08-20 01:21:29 +02:00
|
|
|
int
|
|
|
|
crypto_digest256(char *digest, const char *m, size_t len,
|
|
|
|
digest_algorithm_t algorithm)
|
|
|
|
{
|
|
|
|
tor_assert(m);
|
|
|
|
tor_assert(digest);
|
2015-12-18 23:15:01 +01:00
|
|
|
tor_assert(algorithm == DIGEST_SHA256 || algorithm == DIGEST_SHA3_256);
|
2016-11-18 04:58:36 +01:00
|
|
|
|
|
|
|
int ret = 0;
|
2015-12-18 23:15:01 +01:00
|
|
|
if (algorithm == DIGEST_SHA256)
|
2016-11-18 04:58:36 +01:00
|
|
|
ret = (SHA256((const uint8_t*)m,len,(uint8_t*)digest) != NULL);
|
2015-12-18 23:15:01 +01:00
|
|
|
else
|
2016-11-18 04:58:36 +01:00
|
|
|
ret = (sha3_256((uint8_t *)digest, DIGEST256_LEN,(const uint8_t *)m, len)
|
|
|
|
> -1);
|
|
|
|
|
|
|
|
if (!ret)
|
|
|
|
return -1;
|
|
|
|
return 0;
|
2009-08-20 01:21:29 +02:00
|
|
|
}
|
|
|
|
|
2015-11-18 09:37:05 +01:00
|
|
|
/** Compute a 512-bit digest of <b>len</b> bytes in data stored in <b>m</b>,
|
|
|
|
* using the algorithm <b>algorithm</b>. Write the DIGEST_LEN512-byte result
|
2016-11-18 05:02:39 +01:00
|
|
|
* into <b>digest</b>. Return 0 on success, -1 on failure. */
|
2015-11-18 09:37:05 +01:00
|
|
|
int
|
|
|
|
crypto_digest512(char *digest, const char *m, size_t len,
|
|
|
|
digest_algorithm_t algorithm)
|
|
|
|
{
|
|
|
|
tor_assert(m);
|
|
|
|
tor_assert(digest);
|
2015-12-18 23:15:01 +01:00
|
|
|
tor_assert(algorithm == DIGEST_SHA512 || algorithm == DIGEST_SHA3_512);
|
2016-11-18 05:02:39 +01:00
|
|
|
|
|
|
|
int ret = 0;
|
2015-12-18 23:15:01 +01:00
|
|
|
if (algorithm == DIGEST_SHA512)
|
2016-11-18 05:02:39 +01:00
|
|
|
ret = (SHA512((const unsigned char*)m,len,(unsigned char*)digest)
|
|
|
|
!= NULL);
|
2015-12-18 23:15:01 +01:00
|
|
|
else
|
2016-11-18 05:02:39 +01:00
|
|
|
ret = (sha3_512((uint8_t*)digest, DIGEST512_LEN, (const uint8_t*)m, len)
|
|
|
|
> -1);
|
|
|
|
|
|
|
|
if (!ret)
|
|
|
|
return -1;
|
|
|
|
return 0;
|
2015-11-18 09:37:05 +01:00
|
|
|
}
|
|
|
|
|
2016-02-10 21:28:19 +01:00
|
|
|
/** Set the common_digests_t in <b>ds_out</b> to contain every digest on the
|
2009-09-16 23:01:01 +02:00
|
|
|
* <b>len</b> bytes in <b>m</b> that we know how to compute. Return 0 on
|
|
|
|
* success, -1 on failure. */
|
|
|
|
int
|
2016-02-10 21:28:19 +01:00
|
|
|
crypto_common_digests(common_digests_t *ds_out, const char *m, size_t len)
|
2009-09-16 23:01:01 +02:00
|
|
|
{
|
|
|
|
tor_assert(ds_out);
|
|
|
|
memset(ds_out, 0, sizeof(*ds_out));
|
|
|
|
if (crypto_digest(ds_out->d[DIGEST_SHA1], m, len) < 0)
|
|
|
|
return -1;
|
2016-02-10 21:31:43 +01:00
|
|
|
if (crypto_digest256(ds_out->d[DIGEST_SHA256], m, len, DIGEST_SHA256) < 0)
|
|
|
|
return -1;
|
|
|
|
|
2009-09-16 23:01:01 +02:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
/** Return the name of an algorithm, as used in directory documents. */
|
|
|
|
const char *
|
|
|
|
crypto_digest_algorithm_get_name(digest_algorithm_t alg)
|
|
|
|
{
|
|
|
|
switch (alg) {
|
|
|
|
case DIGEST_SHA1:
|
|
|
|
return "sha1";
|
|
|
|
case DIGEST_SHA256:
|
|
|
|
return "sha256";
|
2015-11-18 09:37:05 +01:00
|
|
|
case DIGEST_SHA512:
|
|
|
|
return "sha512";
|
2015-12-18 23:15:01 +01:00
|
|
|
case DIGEST_SHA3_256:
|
|
|
|
return "sha3-256";
|
|
|
|
case DIGEST_SHA3_512:
|
|
|
|
return "sha3-512";
|
2016-05-04 15:59:24 +02:00
|
|
|
// LCOV_EXCL_START
|
2017-09-28 15:25:17 +02:00
|
|
|
default:
|
2009-09-16 23:01:01 +02:00
|
|
|
tor_fragile_assert();
|
|
|
|
return "??unknown_digest??";
|
2016-05-04 15:59:24 +02:00
|
|
|
// LCOV_EXCL_STOP
|
2009-09-16 23:01:01 +02:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2009-10-15 22:06:00 +02:00
|
|
|
/** Given the name of a digest algorithm, return its integer value, or -1 if
|
|
|
|
* the name is not recognized. */
|
2009-09-16 18:34:44 +02:00
|
|
|
int
|
|
|
|
crypto_digest_algorithm_parse_name(const char *name)
|
|
|
|
{
|
|
|
|
if (!strcmp(name, "sha1"))
|
|
|
|
return DIGEST_SHA1;
|
|
|
|
else if (!strcmp(name, "sha256"))
|
|
|
|
return DIGEST_SHA256;
|
2015-11-18 09:37:05 +01:00
|
|
|
else if (!strcmp(name, "sha512"))
|
|
|
|
return DIGEST_SHA512;
|
2015-12-18 23:15:01 +01:00
|
|
|
else if (!strcmp(name, "sha3-256"))
|
|
|
|
return DIGEST_SHA3_256;
|
|
|
|
else if (!strcmp(name, "sha3-512"))
|
|
|
|
return DIGEST_SHA3_512;
|
2009-09-16 18:34:44 +02:00
|
|
|
else
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
2015-12-18 23:15:01 +01:00
|
|
|
/** Given an algorithm, return the digest length in bytes. */
|
2016-05-23 16:58:27 +02:00
|
|
|
size_t
|
2015-12-18 23:15:01 +01:00
|
|
|
crypto_digest_algorithm_get_length(digest_algorithm_t alg)
|
|
|
|
{
|
|
|
|
switch (alg) {
|
|
|
|
case DIGEST_SHA1:
|
|
|
|
return DIGEST_LEN;
|
|
|
|
case DIGEST_SHA256:
|
|
|
|
return DIGEST256_LEN;
|
|
|
|
case DIGEST_SHA512:
|
|
|
|
return DIGEST512_LEN;
|
|
|
|
case DIGEST_SHA3_256:
|
|
|
|
return DIGEST256_LEN;
|
|
|
|
case DIGEST_SHA3_512:
|
|
|
|
return DIGEST512_LEN;
|
|
|
|
default:
|
2016-04-13 03:13:33 +02:00
|
|
|
tor_assert(0); // LCOV_EXCL_LINE
|
|
|
|
return 0; /* Unreachable */ // LCOV_EXCL_LINE
|
2015-12-18 23:15:01 +01:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2017-07-06 15:39:48 +02:00
|
|
|
/** Intermediate information about the digest of a stream of data. */
|
|
|
|
struct crypto_digest_t {
|
|
|
|
digest_algorithm_t algorithm; /**< Which algorithm is in use? */
|
|
|
|
/** State for the digest we're using. Only one member of the
|
|
|
|
* union is usable, depending on the value of <b>algorithm</b>. Note also
|
|
|
|
* that space for other members might not even be allocated!
|
|
|
|
*/
|
|
|
|
union {
|
|
|
|
SHA_CTX sha1; /**< state for SHA1 */
|
|
|
|
SHA256_CTX sha2; /**< state for SHA256 */
|
|
|
|
SHA512_CTX sha512; /**< state for SHA512 */
|
|
|
|
keccak_state sha3; /**< state for SHA3-[256,512] */
|
|
|
|
} d;
|
|
|
|
};
|
|
|
|
|
|
|
|
#ifdef TOR_UNIT_TESTS
|
|
|
|
|
|
|
|
digest_algorithm_t
|
|
|
|
crypto_digest_get_algorithm(crypto_digest_t *digest)
|
|
|
|
{
|
|
|
|
tor_assert(digest);
|
|
|
|
|
|
|
|
return digest->algorithm;
|
|
|
|
}
|
|
|
|
|
2017-09-15 22:24:44 +02:00
|
|
|
#endif /* defined(TOR_UNIT_TESTS) */
|
2017-07-06 15:39:48 +02:00
|
|
|
|
2015-12-20 21:15:11 +01:00
|
|
|
/**
|
|
|
|
* Return the number of bytes we need to malloc in order to get a
|
|
|
|
* crypto_digest_t for <b>alg</b>, or the number of bytes we need to wipe
|
|
|
|
* when we free one.
|
|
|
|
*/
|
|
|
|
static size_t
|
|
|
|
crypto_digest_alloc_bytes(digest_algorithm_t alg)
|
|
|
|
{
|
|
|
|
/* Helper: returns the number of bytes in the 'f' field of 'st' */
|
|
|
|
#define STRUCT_FIELD_SIZE(st, f) (sizeof( ((st*)0)->f ))
|
|
|
|
/* Gives the length of crypto_digest_t through the end of the field 'd' */
|
2017-08-01 01:30:30 +02:00
|
|
|
#define END_OF_FIELD(f) (offsetof(crypto_digest_t, f) + \
|
2015-12-20 21:15:11 +01:00
|
|
|
STRUCT_FIELD_SIZE(crypto_digest_t, f))
|
|
|
|
switch (alg) {
|
|
|
|
case DIGEST_SHA1:
|
|
|
|
return END_OF_FIELD(d.sha1);
|
|
|
|
case DIGEST_SHA256:
|
|
|
|
return END_OF_FIELD(d.sha2);
|
|
|
|
case DIGEST_SHA512:
|
|
|
|
return END_OF_FIELD(d.sha512);
|
|
|
|
case DIGEST_SHA3_256:
|
|
|
|
case DIGEST_SHA3_512:
|
|
|
|
return END_OF_FIELD(d.sha3);
|
|
|
|
default:
|
2016-04-13 03:13:33 +02:00
|
|
|
tor_assert(0); // LCOV_EXCL_LINE
|
|
|
|
return 0; // LCOV_EXCL_LINE
|
2015-12-20 21:15:11 +01:00
|
|
|
}
|
|
|
|
#undef END_OF_FIELD
|
|
|
|
#undef STRUCT_FIELD_SIZE
|
|
|
|
}
|
|
|
|
|
2016-05-04 15:53:10 +02:00
|
|
|
/**
|
|
|
|
* Internal function: create and return a new digest object for 'algorithm'.
|
|
|
|
* Does not typecheck the algorithm.
|
|
|
|
*/
|
|
|
|
static crypto_digest_t *
|
|
|
|
crypto_digest_new_internal(digest_algorithm_t algorithm)
|
|
|
|
{
|
|
|
|
crypto_digest_t *r = tor_malloc(crypto_digest_alloc_bytes(algorithm));
|
|
|
|
r->algorithm = algorithm;
|
|
|
|
|
|
|
|
switch (algorithm)
|
|
|
|
{
|
|
|
|
case DIGEST_SHA1:
|
|
|
|
SHA1_Init(&r->d.sha1);
|
|
|
|
break;
|
|
|
|
case DIGEST_SHA256:
|
|
|
|
SHA256_Init(&r->d.sha2);
|
|
|
|
break;
|
|
|
|
case DIGEST_SHA512:
|
|
|
|
SHA512_Init(&r->d.sha512);
|
|
|
|
break;
|
|
|
|
case DIGEST_SHA3_256:
|
|
|
|
keccak_digest_init(&r->d.sha3, 256);
|
|
|
|
break;
|
|
|
|
case DIGEST_SHA3_512:
|
|
|
|
keccak_digest_init(&r->d.sha3, 512);
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
tor_assert_unreached();
|
|
|
|
}
|
|
|
|
|
|
|
|
return r;
|
|
|
|
}
|
|
|
|
|
2011-03-16 22:05:37 +01:00
|
|
|
/** Allocate and return a new digest object to compute SHA1 digests.
|
2004-05-01 23:41:23 +02:00
|
|
|
*/
|
2012-01-18 21:53:30 +01:00
|
|
|
crypto_digest_t *
|
|
|
|
crypto_digest_new(void)
|
2003-12-16 06:29:04 +01:00
|
|
|
{
|
2016-05-04 15:53:10 +02:00
|
|
|
return crypto_digest_new_internal(DIGEST_SHA1);
|
2009-08-20 01:21:29 +02:00
|
|
|
}
|
|
|
|
|
2011-03-16 22:05:37 +01:00
|
|
|
/** Allocate and return a new digest object to compute 256-bit digests
|
|
|
|
* using <b>algorithm</b>. */
|
2012-01-18 21:53:30 +01:00
|
|
|
crypto_digest_t *
|
|
|
|
crypto_digest256_new(digest_algorithm_t algorithm)
|
2009-08-20 01:21:29 +02:00
|
|
|
{
|
2015-12-18 23:15:01 +01:00
|
|
|
tor_assert(algorithm == DIGEST_SHA256 || algorithm == DIGEST_SHA3_256);
|
2016-05-04 15:53:10 +02:00
|
|
|
return crypto_digest_new_internal(algorithm);
|
2003-12-16 06:29:04 +01:00
|
|
|
}
|
|
|
|
|
2015-11-18 09:37:05 +01:00
|
|
|
/** Allocate and return a new digest object to compute 512-bit digests
|
|
|
|
* using <b>algorithm</b>. */
|
|
|
|
crypto_digest_t *
|
|
|
|
crypto_digest512_new(digest_algorithm_t algorithm)
|
|
|
|
{
|
2015-12-18 23:15:01 +01:00
|
|
|
tor_assert(algorithm == DIGEST_SHA512 || algorithm == DIGEST_SHA3_512);
|
2016-05-04 15:53:10 +02:00
|
|
|
return crypto_digest_new_internal(algorithm);
|
2015-11-18 09:37:05 +01:00
|
|
|
}
|
|
|
|
|
2004-05-10 05:53:24 +02:00
|
|
|
/** Deallocate a digest object.
|
2004-05-01 23:41:23 +02:00
|
|
|
*/
|
2003-12-16 06:29:04 +01:00
|
|
|
void
|
2012-01-18 21:53:30 +01:00
|
|
|
crypto_digest_free(crypto_digest_t *digest)
|
2005-09-30 03:09:52 +02:00
|
|
|
{
|
2009-09-28 16:37:01 +02:00
|
|
|
if (!digest)
|
|
|
|
return;
|
2015-12-20 21:15:11 +01:00
|
|
|
size_t bytes = crypto_digest_alloc_bytes(digest->algorithm);
|
|
|
|
memwipe(digest, 0, bytes);
|
2004-04-03 04:40:30 +02:00
|
|
|
tor_free(digest);
|
2003-12-16 06:29:04 +01:00
|
|
|
}
|
2003-12-16 06:47:21 +01:00
|
|
|
|
2004-05-10 05:53:24 +02:00
|
|
|
/** Add <b>len</b> bytes from <b>data</b> to the digest object.
|
2004-05-01 23:41:23 +02:00
|
|
|
*/
|
2003-12-16 06:29:04 +01:00
|
|
|
void
|
2012-01-18 21:53:30 +01:00
|
|
|
crypto_digest_add_bytes(crypto_digest_t *digest, const char *data,
|
2003-12-16 06:47:21 +01:00
|
|
|
size_t len)
|
2003-12-16 06:29:04 +01:00
|
|
|
{
|
2004-04-25 21:59:38 +02:00
|
|
|
tor_assert(digest);
|
|
|
|
tor_assert(data);
|
2009-08-20 01:21:29 +02:00
|
|
|
/* Using the SHA*_*() calls directly means we don't support doing
|
|
|
|
* SHA in hardware. But so far the delay of getting the question
|
2004-06-01 18:36:56 +02:00
|
|
|
* to the hardware, and hearing the answer, is likely higher than
|
|
|
|
* just doing it ourselves. Hashes are fast.
|
|
|
|
*/
|
2009-08-20 01:21:29 +02:00
|
|
|
switch (digest->algorithm) {
|
|
|
|
case DIGEST_SHA1:
|
|
|
|
SHA1_Update(&digest->d.sha1, (void*)data, len);
|
|
|
|
break;
|
|
|
|
case DIGEST_SHA256:
|
|
|
|
SHA256_Update(&digest->d.sha2, (void*)data, len);
|
|
|
|
break;
|
2015-11-18 09:37:05 +01:00
|
|
|
case DIGEST_SHA512:
|
|
|
|
SHA512_Update(&digest->d.sha512, (void*)data, len);
|
|
|
|
break;
|
2015-12-18 23:15:01 +01:00
|
|
|
case DIGEST_SHA3_256: /* FALLSTHROUGH */
|
|
|
|
case DIGEST_SHA3_512:
|
|
|
|
keccak_digest_update(&digest->d.sha3, (const uint8_t *)data, len);
|
|
|
|
break;
|
2009-08-20 01:21:29 +02:00
|
|
|
default:
|
2016-05-04 15:59:24 +02:00
|
|
|
/* LCOV_EXCL_START */
|
2009-08-20 01:21:29 +02:00
|
|
|
tor_fragile_assert();
|
|
|
|
break;
|
2016-05-04 15:59:24 +02:00
|
|
|
/* LCOV_EXCL_STOP */
|
2009-08-20 01:21:29 +02:00
|
|
|
}
|
2003-12-16 06:29:04 +01:00
|
|
|
}
|
2003-12-16 06:47:21 +01:00
|
|
|
|
2004-05-10 05:53:24 +02:00
|
|
|
/** Compute the hash of the data that has been passed to the digest
|
|
|
|
* object; write the first out_len bytes of the result to <b>out</b>.
|
2015-11-18 09:37:05 +01:00
|
|
|
* <b>out_len</b> must be \<= DIGEST512_LEN.
|
2004-05-01 23:41:23 +02:00
|
|
|
*/
|
2005-09-30 03:09:52 +02:00
|
|
|
void
|
2012-01-18 21:53:30 +01:00
|
|
|
crypto_digest_get_digest(crypto_digest_t *digest,
|
2005-09-30 03:09:52 +02:00
|
|
|
char *out, size_t out_len)
|
2003-12-16 06:29:04 +01:00
|
|
|
{
|
2015-11-18 09:37:05 +01:00
|
|
|
unsigned char r[DIGEST512_LEN];
|
2012-01-18 21:53:30 +01:00
|
|
|
crypto_digest_t tmpenv;
|
2004-10-17 00:28:11 +02:00
|
|
|
tor_assert(digest);
|
|
|
|
tor_assert(out);
|
2015-12-18 23:15:01 +01:00
|
|
|
tor_assert(out_len <= crypto_digest_algorithm_get_length(digest->algorithm));
|
|
|
|
|
|
|
|
/* The SHA-3 code handles copying into a temporary ctx, and also can handle
|
|
|
|
* short output buffers by truncating appropriately. */
|
|
|
|
if (digest->algorithm == DIGEST_SHA3_256 ||
|
|
|
|
digest->algorithm == DIGEST_SHA3_512) {
|
|
|
|
keccak_digest_sum(&digest->d.sha3, (uint8_t *)out, out_len);
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2015-12-20 21:15:11 +01:00
|
|
|
const size_t alloc_bytes = crypto_digest_alloc_bytes(digest->algorithm);
|
2009-08-20 01:21:29 +02:00
|
|
|
/* memcpy into a temporary ctx, since SHA*_Final clears the context */
|
2015-12-20 21:15:11 +01:00
|
|
|
memcpy(&tmpenv, digest, alloc_bytes);
|
2009-08-20 01:21:29 +02:00
|
|
|
switch (digest->algorithm) {
|
|
|
|
case DIGEST_SHA1:
|
2009-08-20 18:03:32 +02:00
|
|
|
SHA1_Final(r, &tmpenv.d.sha1);
|
2009-08-20 01:21:29 +02:00
|
|
|
break;
|
|
|
|
case DIGEST_SHA256:
|
2009-08-20 18:03:32 +02:00
|
|
|
SHA256_Final(r, &tmpenv.d.sha2);
|
2009-08-20 01:21:29 +02:00
|
|
|
break;
|
2015-11-18 09:37:05 +01:00
|
|
|
case DIGEST_SHA512:
|
|
|
|
SHA512_Final(r, &tmpenv.d.sha512);
|
|
|
|
break;
|
2016-04-13 03:13:33 +02:00
|
|
|
//LCOV_EXCL_START
|
2015-12-18 23:15:01 +01:00
|
|
|
case DIGEST_SHA3_256: /* FALLSTHROUGH */
|
|
|
|
case DIGEST_SHA3_512:
|
2009-08-20 01:21:29 +02:00
|
|
|
default:
|
2016-05-04 15:59:24 +02:00
|
|
|
log_warn(LD_BUG, "Handling unexpected algorithm %d", digest->algorithm);
|
|
|
|
/* This is fatal, because it should never happen. */
|
|
|
|
tor_assert_unreached();
|
2009-08-20 01:21:29 +02:00
|
|
|
break;
|
2016-04-13 03:13:33 +02:00
|
|
|
//LCOV_EXCL_STOP
|
2009-08-20 01:21:29 +02:00
|
|
|
}
|
2003-12-16 06:29:04 +01:00
|
|
|
memcpy(out, r, out_len);
|
2012-11-07 22:09:58 +01:00
|
|
|
memwipe(r, 0, sizeof(r));
|
2003-12-16 06:29:04 +01:00
|
|
|
}
|
|
|
|
|
2004-05-10 05:53:24 +02:00
|
|
|
/** Allocate and return a new digest object with the same state as
|
|
|
|
* <b>digest</b>
|
2004-05-01 23:41:23 +02:00
|
|
|
*/
|
2012-01-18 21:53:30 +01:00
|
|
|
crypto_digest_t *
|
|
|
|
crypto_digest_dup(const crypto_digest_t *digest)
|
2003-12-16 06:29:04 +01:00
|
|
|
{
|
2004-04-25 21:59:38 +02:00
|
|
|
tor_assert(digest);
|
2015-12-20 21:15:11 +01:00
|
|
|
const size_t alloc_bytes = crypto_digest_alloc_bytes(digest->algorithm);
|
|
|
|
return tor_memdup(digest, alloc_bytes);
|
2003-12-16 06:29:04 +01:00
|
|
|
}
|
|
|
|
|
2004-05-10 05:53:24 +02:00
|
|
|
/** Replace the state of the digest object <b>into</b> with the state
|
2015-12-20 21:15:11 +01:00
|
|
|
* of the digest object <b>from</b>. Requires that 'into' and 'from'
|
|
|
|
* have the same digest type.
|
2004-05-01 23:41:23 +02:00
|
|
|
*/
|
2003-12-16 06:29:04 +01:00
|
|
|
void
|
2012-01-18 21:53:30 +01:00
|
|
|
crypto_digest_assign(crypto_digest_t *into,
|
|
|
|
const crypto_digest_t *from)
|
2003-12-16 06:29:04 +01:00
|
|
|
{
|
2004-10-17 00:28:11 +02:00
|
|
|
tor_assert(into);
|
|
|
|
tor_assert(from);
|
2015-12-20 21:15:11 +01:00
|
|
|
tor_assert(into->algorithm == from->algorithm);
|
|
|
|
const size_t alloc_bytes = crypto_digest_alloc_bytes(from->algorithm);
|
|
|
|
memcpy(into,from,alloc_bytes);
|
2003-12-16 06:29:04 +01:00
|
|
|
}
|
|
|
|
|
2013-02-22 18:53:45 +01:00
|
|
|
/** Given a list of strings in <b>lst</b>, set the <b>len_out</b>-byte digest
|
|
|
|
* at <b>digest_out</b> to the hash of the concatenation of those strings,
|
|
|
|
* plus the optional string <b>append</b>, computed with the algorithm
|
2013-03-18 20:00:52 +01:00
|
|
|
* <b>alg</b>.
|
2015-11-18 09:37:05 +01:00
|
|
|
* <b>out_len</b> must be \<= DIGEST512_LEN. */
|
2013-02-22 18:53:45 +01:00
|
|
|
void
|
|
|
|
crypto_digest_smartlist(char *digest_out, size_t len_out,
|
2014-10-01 05:36:47 +02:00
|
|
|
const smartlist_t *lst,
|
|
|
|
const char *append,
|
|
|
|
digest_algorithm_t alg)
|
|
|
|
{
|
|
|
|
crypto_digest_smartlist_prefix(digest_out, len_out, NULL, lst, append, alg);
|
|
|
|
}
|
|
|
|
|
|
|
|
/** Given a list of strings in <b>lst</b>, set the <b>len_out</b>-byte digest
|
|
|
|
* at <b>digest_out</b> to the hash of the concatenation of: the
|
|
|
|
* optional string <b>prepend</b>, those strings,
|
|
|
|
* and the optional string <b>append</b>, computed with the algorithm
|
|
|
|
* <b>alg</b>.
|
2015-11-24 03:02:13 +01:00
|
|
|
* <b>len_out</b> must be \<= DIGEST512_LEN. */
|
2014-10-01 05:36:47 +02:00
|
|
|
void
|
|
|
|
crypto_digest_smartlist_prefix(char *digest_out, size_t len_out,
|
|
|
|
const char *prepend,
|
|
|
|
const smartlist_t *lst,
|
|
|
|
const char *append,
|
2013-02-22 18:53:45 +01:00
|
|
|
digest_algorithm_t alg)
|
|
|
|
{
|
2016-05-04 15:53:10 +02:00
|
|
|
crypto_digest_t *d = crypto_digest_new_internal(alg);
|
2014-10-01 05:36:47 +02:00
|
|
|
if (prepend)
|
|
|
|
crypto_digest_add_bytes(d, prepend, strlen(prepend));
|
2013-02-22 18:53:45 +01:00
|
|
|
SMARTLIST_FOREACH(lst, const char *, cp,
|
|
|
|
crypto_digest_add_bytes(d, cp, strlen(cp)));
|
|
|
|
if (append)
|
|
|
|
crypto_digest_add_bytes(d, append, strlen(append));
|
|
|
|
crypto_digest_get_digest(d, digest_out, len_out);
|
2015-11-25 15:04:17 +01:00
|
|
|
crypto_digest_free(d);
|
2013-02-22 18:53:45 +01:00
|
|
|
}
|
|
|
|
|
2011-09-13 17:38:13 +02:00
|
|
|
/** Compute the HMAC-SHA-256 of the <b>msg_len</b> bytes in <b>msg</b>, using
|
2012-02-06 11:29:48 +01:00
|
|
|
* the <b>key</b> of length <b>key_len</b>. Store the DIGEST256_LEN-byte
|
2015-11-23 10:31:57 +01:00
|
|
|
* result in <b>hmac_out</b>. Asserts on failure.
|
2011-09-13 17:38:13 +02:00
|
|
|
*/
|
|
|
|
void
|
|
|
|
crypto_hmac_sha256(char *hmac_out,
|
|
|
|
const char *key, size_t key_len,
|
|
|
|
const char *msg, size_t msg_len)
|
|
|
|
{
|
2015-11-23 10:53:59 +01:00
|
|
|
unsigned char *rv = NULL;
|
2011-09-13 17:38:13 +02:00
|
|
|
/* If we've got OpenSSL >=0.9.8 we can use its hmac implementation. */
|
|
|
|
tor_assert(key_len < INT_MAX);
|
|
|
|
tor_assert(msg_len < INT_MAX);
|
2015-11-23 10:53:59 +01:00
|
|
|
tor_assert(hmac_out);
|
|
|
|
rv = HMAC(EVP_sha256(), key, (int)key_len, (unsigned char*)msg, (int)msg_len,
|
|
|
|
(unsigned char*)hmac_out, NULL);
|
|
|
|
tor_assert(rv);
|
2011-09-13 17:38:13 +02:00
|
|
|
}
|
|
|
|
|
2016-12-12 22:45:28 +01:00
|
|
|
/** Compute a MAC using SHA3-256 of <b>msg_len</b> bytes in <b>msg</b> using a
|
|
|
|
* <b>key</b> of length <b>key_len</b> and a <b>salt</b> of length
|
|
|
|
* <b>salt_len</b>. Store the result of <b>len_out</b> bytes in in
|
|
|
|
* <b>mac_out</b>. This function can't fail. */
|
2016-09-05 17:21:44 +02:00
|
|
|
void
|
2016-12-12 22:45:28 +01:00
|
|
|
crypto_mac_sha3_256(uint8_t *mac_out, size_t len_out,
|
|
|
|
const uint8_t *key, size_t key_len,
|
|
|
|
const uint8_t *msg, size_t msg_len)
|
2016-09-05 17:21:44 +02:00
|
|
|
{
|
|
|
|
crypto_digest_t *digest;
|
|
|
|
|
2016-12-12 22:45:28 +01:00
|
|
|
const uint64_t key_len_netorder = tor_htonll(key_len);
|
|
|
|
|
2016-09-05 17:21:44 +02:00
|
|
|
tor_assert(mac_out);
|
|
|
|
tor_assert(key);
|
|
|
|
tor_assert(msg);
|
|
|
|
|
|
|
|
digest = crypto_digest256_new(DIGEST_SHA3_256);
|
|
|
|
|
2016-12-12 22:45:28 +01:00
|
|
|
/* Order matters here that is any subsystem using this function should
|
|
|
|
* expect this very precise ordering in the MAC construction. */
|
|
|
|
crypto_digest_add_bytes(digest, (const char *) &key_len_netorder,
|
|
|
|
sizeof(key_len_netorder));
|
|
|
|
crypto_digest_add_bytes(digest, (const char *) key, key_len);
|
|
|
|
crypto_digest_add_bytes(digest, (const char *) msg, msg_len);
|
|
|
|
crypto_digest_get_digest(digest, (char *) mac_out, len_out);
|
2016-09-05 17:21:44 +02:00
|
|
|
crypto_digest_free(digest);
|
|
|
|
}
|
|
|
|
|
2015-12-18 23:31:12 +01:00
|
|
|
/** Internal state for a eXtendable-Output Function (XOF). */
|
|
|
|
struct crypto_xof_t {
|
|
|
|
keccak_state s;
|
|
|
|
};
|
|
|
|
|
|
|
|
/** Allocate a new XOF object backed by SHAKE-256. The security level
|
|
|
|
* provided is a function of the length of the output used. Read and
|
|
|
|
* understand FIPS-202 A.2 "Additional Consideration for Extendable-Output
|
|
|
|
* Functions" before using this construct.
|
|
|
|
*/
|
|
|
|
crypto_xof_t *
|
|
|
|
crypto_xof_new(void)
|
|
|
|
{
|
|
|
|
crypto_xof_t *xof;
|
|
|
|
xof = tor_malloc(sizeof(crypto_xof_t));
|
|
|
|
keccak_xof_init(&xof->s, 256);
|
|
|
|
return xof;
|
|
|
|
}
|
|
|
|
|
|
|
|
/** Absorb bytes into a XOF object. Must not be called after a call to
|
|
|
|
* crypto_xof_squeeze_bytes() for the same instance, and will assert
|
|
|
|
* if attempted.
|
|
|
|
*/
|
|
|
|
void
|
|
|
|
crypto_xof_add_bytes(crypto_xof_t *xof, const uint8_t *data, size_t len)
|
|
|
|
{
|
|
|
|
int i = keccak_xof_absorb(&xof->s, data, len);
|
|
|
|
tor_assert(i == 0);
|
|
|
|
}
|
|
|
|
|
|
|
|
/** Squeeze bytes out of a XOF object. Calling this routine will render
|
|
|
|
* the XOF instance ineligible to absorb further data.
|
|
|
|
*/
|
|
|
|
void
|
|
|
|
crypto_xof_squeeze_bytes(crypto_xof_t *xof, uint8_t *out, size_t len)
|
|
|
|
{
|
|
|
|
int i = keccak_xof_squeeze(&xof->s, out, len);
|
|
|
|
tor_assert(i == 0);
|
|
|
|
}
|
|
|
|
|
|
|
|
/** Cleanse and deallocate a XOF object. */
|
|
|
|
void
|
|
|
|
crypto_xof_free(crypto_xof_t *xof)
|
|
|
|
{
|
|
|
|
if (!xof)
|
|
|
|
return;
|
|
|
|
memwipe(xof, 0, sizeof(crypto_xof_t));
|
|
|
|
tor_free(xof);
|
|
|
|
}
|
|
|
|
|
2003-12-16 06:29:04 +01:00
|
|
|
/* DH */
|
2004-05-01 23:41:23 +02:00
|
|
|
|
2011-11-25 17:44:11 +01:00
|
|
|
/** Our DH 'g' parameter */
|
|
|
|
#define DH_GENERATOR 2
|
|
|
|
|
2011-01-24 22:03:14 +01:00
|
|
|
/** Shared P parameter for our circuit-crypto DH key exchanges. */
|
2003-05-01 02:53:46 +02:00
|
|
|
static BIGNUM *dh_param_p = NULL;
|
2011-01-24 22:03:14 +01:00
|
|
|
/** Shared P parameter for our TLS DH key exchanges. */
|
|
|
|
static BIGNUM *dh_param_p_tls = NULL;
|
2004-05-10 12:27:54 +02:00
|
|
|
/** Shared G parameter for our DH key exchanges. */
|
2003-05-01 02:53:46 +02:00
|
|
|
static BIGNUM *dh_param_g = NULL;
|
|
|
|
|
2016-02-02 23:03:48 +01:00
|
|
|
/** Validate a given set of Diffie-Hellman parameters. This is moderately
|
|
|
|
* computationally expensive (milliseconds), so should only be called when
|
|
|
|
* the DH parameters change. Returns 0 on success, * -1 on failure.
|
|
|
|
*/
|
|
|
|
static int
|
|
|
|
crypto_validate_dh_params(const BIGNUM *p, const BIGNUM *g)
|
|
|
|
{
|
|
|
|
DH *dh = NULL;
|
|
|
|
int ret = -1;
|
|
|
|
|
2016-06-14 08:14:28 +02:00
|
|
|
/* Copy into a temporary DH object, just so that DH_check() can be called. */
|
2016-02-02 23:03:48 +01:00
|
|
|
if (!(dh = DH_new()))
|
|
|
|
goto out;
|
2016-06-14 08:14:28 +02:00
|
|
|
#ifdef OPENSSL_1_1_API
|
|
|
|
BIGNUM *dh_p, *dh_g;
|
|
|
|
if (!(dh_p = BN_dup(p)))
|
|
|
|
goto out;
|
|
|
|
if (!(dh_g = BN_dup(g)))
|
|
|
|
goto out;
|
|
|
|
if (!DH_set0_pqg(dh, dh_p, NULL, dh_g))
|
|
|
|
goto out;
|
2017-09-15 22:24:44 +02:00
|
|
|
#else /* !(defined(OPENSSL_1_1_API)) */
|
2016-02-02 23:03:48 +01:00
|
|
|
if (!(dh->p = BN_dup(p)))
|
|
|
|
goto out;
|
|
|
|
if (!(dh->g = BN_dup(g)))
|
|
|
|
goto out;
|
2017-09-15 22:24:44 +02:00
|
|
|
#endif /* defined(OPENSSL_1_1_API) */
|
2016-02-02 23:03:48 +01:00
|
|
|
|
|
|
|
/* Perform the validation. */
|
|
|
|
int codes = 0;
|
|
|
|
if (!DH_check(dh, &codes))
|
|
|
|
goto out;
|
2016-06-14 08:14:28 +02:00
|
|
|
if (BN_is_word(g, DH_GENERATOR_2)) {
|
2016-02-02 23:03:48 +01:00
|
|
|
/* Per https://wiki.openssl.org/index.php/Diffie-Hellman_parameters
|
|
|
|
*
|
|
|
|
* OpenSSL checks the prime is congruent to 11 when g = 2; while the
|
|
|
|
* IETF's primes are congruent to 23 when g = 2.
|
|
|
|
*/
|
2016-06-14 08:14:28 +02:00
|
|
|
BN_ULONG residue = BN_mod_word(p, 24);
|
2016-02-02 23:03:48 +01:00
|
|
|
if (residue == 11 || residue == 23)
|
|
|
|
codes &= ~DH_NOT_SUITABLE_GENERATOR;
|
|
|
|
}
|
|
|
|
if (codes != 0) /* Specifics on why the params suck is irrelevant. */
|
|
|
|
goto out;
|
|
|
|
|
|
|
|
/* Things are probably not evil. */
|
|
|
|
ret = 0;
|
|
|
|
|
|
|
|
out:
|
|
|
|
if (dh)
|
|
|
|
DH_free(dh);
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
/** Set the global Diffie-Hellman generator, used for both TLS and internal
|
|
|
|
* DH stuff.
|
|
|
|
*/
|
|
|
|
static void
|
|
|
|
crypto_set_dh_generator(void)
|
|
|
|
{
|
|
|
|
BIGNUM *generator;
|
|
|
|
int r;
|
|
|
|
|
|
|
|
if (dh_param_g)
|
|
|
|
return;
|
|
|
|
|
|
|
|
generator = BN_new();
|
|
|
|
tor_assert(generator);
|
|
|
|
|
|
|
|
r = BN_set_word(generator, DH_GENERATOR);
|
|
|
|
tor_assert(r);
|
|
|
|
|
|
|
|
dh_param_g = generator;
|
|
|
|
}
|
|
|
|
|
2015-03-14 17:40:55 +01:00
|
|
|
/** Set the global TLS Diffie-Hellman modulus. Use the Apache mod_ssl DH
|
2011-11-24 22:59:01 +01:00
|
|
|
* modulus. */
|
2011-11-23 23:39:46 +01:00
|
|
|
void
|
2015-03-14 17:40:55 +01:00
|
|
|
crypto_set_tls_dh_prime(void)
|
2011-11-23 23:39:46 +01:00
|
|
|
{
|
|
|
|
BIGNUM *tls_prime = NULL;
|
2011-11-24 00:22:31 +01:00
|
|
|
int r;
|
2011-11-23 23:39:46 +01:00
|
|
|
|
|
|
|
/* If the space is occupied, free the previous TLS DH prime */
|
2016-05-04 15:43:47 +02:00
|
|
|
if (BUG(dh_param_p_tls)) {
|
|
|
|
/* LCOV_EXCL_START
|
|
|
|
*
|
|
|
|
* We shouldn't be calling this twice.
|
|
|
|
*/
|
2014-02-02 19:40:30 +01:00
|
|
|
BN_clear_free(dh_param_p_tls);
|
2011-11-23 23:39:46 +01:00
|
|
|
dh_param_p_tls = NULL;
|
2016-05-04 15:43:47 +02:00
|
|
|
/* LCOV_EXCL_STOP */
|
2011-11-23 23:39:46 +01:00
|
|
|
}
|
|
|
|
|
2015-04-01 19:40:37 +02:00
|
|
|
tls_prime = BN_new();
|
|
|
|
tor_assert(tls_prime);
|
2011-11-25 17:39:28 +01:00
|
|
|
|
2015-04-01 19:40:37 +02:00
|
|
|
/* This is the 1024-bit safe prime that Apache uses for its DH stuff; see
|
|
|
|
* modules/ssl/ssl_engine_dh.c; Apache also uses a generator of 2 with this
|
|
|
|
* prime.
|
|
|
|
*/
|
|
|
|
r = BN_hex2bn(&tls_prime,
|
|
|
|
"D67DE440CBBBDC1936D693D34AFD0AD50C84D239A45F520BB88174CB98"
|
|
|
|
"BCE951849F912E639C72FB13B4B4D7177E16D55AC179BA420B2A29FE324A"
|
|
|
|
"467A635E81FF5901377BEDDCFD33168A461AAD3B72DAE8860078045B07A7"
|
|
|
|
"DBCA7874087D1510EA9FCC9DDD330507DD62DB88AEAA747DE0F4D6E2BD68"
|
|
|
|
"B0E7393E0F24218EB3");
|
|
|
|
tor_assert(r);
|
2011-11-23 23:39:46 +01:00
|
|
|
|
|
|
|
tor_assert(tls_prime);
|
|
|
|
|
|
|
|
dh_param_p_tls = tls_prime;
|
2016-02-02 23:03:48 +01:00
|
|
|
crypto_set_dh_generator();
|
|
|
|
tor_assert(0 == crypto_validate_dh_params(dh_param_p_tls, dh_param_g));
|
2011-11-23 23:39:46 +01:00
|
|
|
}
|
|
|
|
|
2004-05-10 05:53:24 +02:00
|
|
|
/** Initialize dh_param_p and dh_param_g if they are not already
|
2004-05-01 23:41:23 +02:00
|
|
|
* set. */
|
2005-09-30 03:09:52 +02:00
|
|
|
static void
|
|
|
|
init_dh_param(void)
|
|
|
|
{
|
2016-02-02 23:03:48 +01:00
|
|
|
BIGNUM *circuit_dh_prime;
|
2005-08-07 22:36:14 +02:00
|
|
|
int r;
|
2016-05-04 15:43:47 +02:00
|
|
|
if (BUG(dh_param_p && dh_param_g))
|
|
|
|
return; // LCOV_EXCL_LINE This function isn't supposed to be called twice.
|
2003-12-16 06:29:04 +01:00
|
|
|
|
2011-11-22 15:08:27 +01:00
|
|
|
circuit_dh_prime = BN_new();
|
2016-02-02 23:03:48 +01:00
|
|
|
tor_assert(circuit_dh_prime);
|
2003-05-01 02:53:46 +02:00
|
|
|
|
2003-05-07 04:28:42 +02:00
|
|
|
/* This is from rfc2409, section 6.2. It's a safe prime, and
|
|
|
|
supposedly it equals:
|
|
|
|
2^1024 - 2^960 - 1 + 2^64 * { [2^894 pi] + 129093 }.
|
|
|
|
*/
|
2011-11-22 15:08:27 +01:00
|
|
|
r = BN_hex2bn(&circuit_dh_prime,
|
2003-12-16 09:13:26 +01:00
|
|
|
"FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E08"
|
|
|
|
"8A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B"
|
|
|
|
"302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9"
|
|
|
|
"A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE6"
|
|
|
|
"49286651ECE65381FFFFFFFFFFFFFFFF");
|
2004-04-25 21:59:38 +02:00
|
|
|
tor_assert(r);
|
2003-05-01 02:53:46 +02:00
|
|
|
|
2011-11-22 15:08:27 +01:00
|
|
|
/* Set the new values as the global DH parameters. */
|
|
|
|
dh_param_p = circuit_dh_prime;
|
2016-02-02 23:03:48 +01:00
|
|
|
crypto_set_dh_generator();
|
|
|
|
tor_assert(0 == crypto_validate_dh_params(dh_param_p, dh_param_g));
|
2011-11-23 23:39:46 +01:00
|
|
|
|
2011-12-12 20:25:55 +01:00
|
|
|
if (!dh_param_p_tls) {
|
2015-03-14 17:40:55 +01:00
|
|
|
crypto_set_tls_dh_prime();
|
2011-12-12 20:25:55 +01:00
|
|
|
}
|
2003-05-01 02:53:46 +02:00
|
|
|
}
|
|
|
|
|
2011-03-16 22:05:37 +01:00
|
|
|
/** Number of bits to use when choosing the x or y value in a Diffie-Hellman
|
|
|
|
* handshake. Since we exponentiate by this value, choosing a smaller one
|
|
|
|
* lets our handhake go faster.
|
|
|
|
*/
|
2005-11-14 20:18:31 +01:00
|
|
|
#define DH_PRIVATE_KEY_BITS 320
|
|
|
|
|
2015-11-23 10:31:57 +01:00
|
|
|
/** Allocate and return a new DH object for a key exchange. Returns NULL on
|
|
|
|
* failure.
|
2004-05-01 23:41:23 +02:00
|
|
|
*/
|
2012-01-18 21:53:30 +01:00
|
|
|
crypto_dh_t *
|
2011-01-24 22:03:14 +01:00
|
|
|
crypto_dh_new(int dh_type)
|
2003-05-01 02:53:46 +02:00
|
|
|
{
|
2012-01-18 21:53:30 +01:00
|
|
|
crypto_dh_t *res = tor_malloc_zero(sizeof(crypto_dh_t));
|
2003-05-01 02:53:46 +02:00
|
|
|
|
2011-01-24 22:03:14 +01:00
|
|
|
tor_assert(dh_type == DH_TYPE_CIRCUIT || dh_type == DH_TYPE_TLS ||
|
|
|
|
dh_type == DH_TYPE_REND);
|
|
|
|
|
2003-05-01 02:53:46 +02:00
|
|
|
if (!dh_param_p)
|
|
|
|
init_dh_param();
|
2003-12-16 06:29:04 +01:00
|
|
|
|
2003-05-01 02:53:46 +02:00
|
|
|
if (!(res->dh = DH_new()))
|
|
|
|
goto err;
|
|
|
|
|
2016-06-14 08:14:28 +02:00
|
|
|
#ifdef OPENSSL_1_1_API
|
|
|
|
BIGNUM *dh_p = NULL, *dh_g = NULL;
|
|
|
|
|
|
|
|
if (dh_type == DH_TYPE_TLS) {
|
|
|
|
dh_p = BN_dup(dh_param_p_tls);
|
|
|
|
} else {
|
|
|
|
dh_p = BN_dup(dh_param_p);
|
|
|
|
}
|
|
|
|
if (!dh_p)
|
|
|
|
goto err;
|
|
|
|
|
|
|
|
dh_g = BN_dup(dh_param_g);
|
|
|
|
if (!dh_g) {
|
|
|
|
BN_free(dh_p);
|
|
|
|
goto err;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!DH_set0_pqg(res->dh, dh_p, NULL, dh_g)) {
|
|
|
|
goto err;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!DH_set_length(res->dh, DH_PRIVATE_KEY_BITS))
|
|
|
|
goto err;
|
2017-09-15 22:24:44 +02:00
|
|
|
#else /* !(defined(OPENSSL_1_1_API)) */
|
2011-01-24 22:03:14 +01:00
|
|
|
if (dh_type == DH_TYPE_TLS) {
|
|
|
|
if (!(res->dh->p = BN_dup(dh_param_p_tls)))
|
|
|
|
goto err;
|
|
|
|
} else {
|
|
|
|
if (!(res->dh->p = BN_dup(dh_param_p)))
|
|
|
|
goto err;
|
|
|
|
}
|
2003-05-01 02:53:46 +02:00
|
|
|
|
|
|
|
if (!(res->dh->g = BN_dup(dh_param_g)))
|
|
|
|
goto err;
|
|
|
|
|
2005-11-14 20:18:31 +01:00
|
|
|
res->dh->length = DH_PRIVATE_KEY_BITS;
|
2017-09-15 22:24:44 +02:00
|
|
|
#endif /* defined(OPENSSL_1_1_API) */
|
2005-11-14 20:18:31 +01:00
|
|
|
|
2003-05-01 02:53:46 +02:00
|
|
|
return res;
|
2017-09-28 15:25:17 +02:00
|
|
|
|
2016-05-03 20:15:00 +02:00
|
|
|
/* LCOV_EXCL_START
|
|
|
|
* This error condition is only reached when an allocation fails */
|
2017-09-28 15:25:17 +02:00
|
|
|
err:
|
2004-04-26 20:09:50 +02:00
|
|
|
crypto_log_errors(LOG_WARN, "creating DH object");
|
2008-09-05 22:18:22 +02:00
|
|
|
if (res->dh) DH_free(res->dh); /* frees p and g too */
|
|
|
|
tor_free(res);
|
2003-05-01 02:53:46 +02:00
|
|
|
return NULL;
|
2016-05-03 20:15:00 +02:00
|
|
|
/* LCOV_EXCL_STOP */
|
2003-05-01 02:53:46 +02:00
|
|
|
}
|
2004-05-01 23:41:23 +02:00
|
|
|
|
2012-11-28 21:38:37 +01:00
|
|
|
/** Return a copy of <b>dh</b>, sharing its internal state. */
|
|
|
|
crypto_dh_t *
|
|
|
|
crypto_dh_dup(const crypto_dh_t *dh)
|
|
|
|
{
|
|
|
|
crypto_dh_t *dh_new = tor_malloc_zero(sizeof(crypto_dh_t));
|
2015-05-28 18:27:22 +02:00
|
|
|
tor_assert(dh);
|
|
|
|
tor_assert(dh->dh);
|
2012-11-28 21:38:37 +01:00
|
|
|
dh_new->dh = dh->dh;
|
|
|
|
DH_up_ref(dh->dh);
|
|
|
|
return dh_new;
|
|
|
|
}
|
|
|
|
|
2004-05-10 05:53:24 +02:00
|
|
|
/** Return the length of the DH key in <b>dh</b>, in bytes.
|
2004-05-01 23:41:23 +02:00
|
|
|
*/
|
2005-09-30 03:09:52 +02:00
|
|
|
int
|
2012-01-18 21:53:30 +01:00
|
|
|
crypto_dh_get_bytes(crypto_dh_t *dh)
|
2003-05-01 02:53:46 +02:00
|
|
|
{
|
2004-04-25 21:59:38 +02:00
|
|
|
tor_assert(dh);
|
2003-05-01 02:53:46 +02:00
|
|
|
return DH_size(dh->dh);
|
|
|
|
}
|
2004-05-01 23:41:23 +02:00
|
|
|
|
2004-05-10 05:53:24 +02:00
|
|
|
/** Generate \<x,g^x\> for our part of the key exchange. Return 0 on
|
2004-05-01 23:41:23 +02:00
|
|
|
* success, -1 on failure.
|
|
|
|
*/
|
2005-09-30 03:09:52 +02:00
|
|
|
int
|
2012-01-18 21:53:30 +01:00
|
|
|
crypto_dh_generate_public(crypto_dh_t *dh)
|
2004-04-01 22:04:54 +02:00
|
|
|
{
|
2016-06-14 08:14:28 +02:00
|
|
|
#ifndef OPENSSL_1_1_API
|
2005-08-07 22:36:14 +02:00
|
|
|
again:
|
2016-06-14 08:14:28 +02:00
|
|
|
#endif
|
2004-04-26 20:09:50 +02:00
|
|
|
if (!DH_generate_key(dh->dh)) {
|
2016-05-03 20:15:00 +02:00
|
|
|
/* LCOV_EXCL_START
|
|
|
|
* To test this we would need some way to tell openssl to break DH. */
|
2004-04-26 20:09:50 +02:00
|
|
|
crypto_log_errors(LOG_WARN, "generating DH key");
|
2004-04-01 22:04:54 +02:00
|
|
|
return -1;
|
2016-05-03 20:15:00 +02:00
|
|
|
/* LCOV_EXCL_STOP */
|
2004-04-26 20:09:50 +02:00
|
|
|
}
|
2016-06-14 08:14:28 +02:00
|
|
|
#ifdef OPENSSL_1_1_API
|
|
|
|
/* OpenSSL 1.1.x doesn't appear to let you regenerate a DH key, without
|
|
|
|
* recreating the DH object. I have no idea what sort of aliasing madness
|
|
|
|
* can occur here, so do the check, and just bail on failure.
|
|
|
|
*/
|
2016-06-25 00:20:41 +02:00
|
|
|
const BIGNUM *pub_key, *priv_key;
|
2016-06-14 08:14:28 +02:00
|
|
|
DH_get0_key(dh->dh, &pub_key, &priv_key);
|
|
|
|
if (tor_check_dh_key(LOG_WARN, pub_key)<0) {
|
|
|
|
log_warn(LD_CRYPTO, "Weird! Our own DH key was invalid. I guess once-in-"
|
|
|
|
"the-universe chances really do happen. Treating as a failure.");
|
|
|
|
return -1;
|
|
|
|
}
|
2017-09-15 22:24:44 +02:00
|
|
|
#else /* !(defined(OPENSSL_1_1_API)) */
|
2009-10-26 07:47:05 +01:00
|
|
|
if (tor_check_dh_key(LOG_WARN, dh->dh->pub_key)<0) {
|
2016-05-03 20:15:00 +02:00
|
|
|
/* LCOV_EXCL_START
|
|
|
|
* If this happens, then openssl's DH implementation is busted. */
|
2006-02-13 09:01:59 +01:00
|
|
|
log_warn(LD_CRYPTO, "Weird! Our own DH key was invalid. I guess once-in-"
|
|
|
|
"the-universe chances really do happen. Trying again.");
|
2009-05-27 23:55:51 +02:00
|
|
|
/* Free and clear the keys, so OpenSSL will actually try again. */
|
2014-02-02 19:40:30 +01:00
|
|
|
BN_clear_free(dh->dh->pub_key);
|
|
|
|
BN_clear_free(dh->dh->priv_key);
|
2005-08-07 22:36:14 +02:00
|
|
|
dh->dh->pub_key = dh->dh->priv_key = NULL;
|
|
|
|
goto again;
|
2016-05-03 20:15:00 +02:00
|
|
|
/* LCOV_EXCL_STOP */
|
2005-08-07 22:36:14 +02:00
|
|
|
}
|
2017-09-15 22:24:44 +02:00
|
|
|
#endif /* defined(OPENSSL_1_1_API) */
|
2004-04-01 22:04:54 +02:00
|
|
|
return 0;
|
|
|
|
}
|
2004-05-01 23:41:23 +02:00
|
|
|
|
2004-05-10 05:53:24 +02:00
|
|
|
/** Generate g^x as necessary, and write the g^x for the key exchange
|
|
|
|
* as a <b>pubkey_len</b>-byte value into <b>pubkey</b>. Return 0 on
|
|
|
|
* success, -1 on failure. <b>pubkey_len</b> must be \>= DH_BYTES.
|
2004-05-01 23:41:23 +02:00
|
|
|
*/
|
2005-09-30 03:09:52 +02:00
|
|
|
int
|
2012-01-18 21:53:30 +01:00
|
|
|
crypto_dh_get_public(crypto_dh_t *dh, char *pubkey, size_t pubkey_len)
|
2003-05-01 02:53:46 +02:00
|
|
|
{
|
|
|
|
int bytes;
|
2004-04-25 21:59:38 +02:00
|
|
|
tor_assert(dh);
|
2016-06-14 08:14:28 +02:00
|
|
|
|
2016-06-25 00:20:41 +02:00
|
|
|
const BIGNUM *dh_pub;
|
2016-06-14 08:14:28 +02:00
|
|
|
|
|
|
|
#ifdef OPENSSL_1_1_API
|
2016-06-25 00:20:41 +02:00
|
|
|
const BIGNUM *dh_priv;
|
2016-06-14 08:14:28 +02:00
|
|
|
DH_get0_key(dh->dh, &dh_pub, &dh_priv);
|
|
|
|
#else
|
|
|
|
dh_pub = dh->dh->pub_key;
|
2017-09-15 22:24:44 +02:00
|
|
|
#endif /* defined(OPENSSL_1_1_API) */
|
2016-06-14 08:14:28 +02:00
|
|
|
|
|
|
|
if (!dh_pub) {
|
2004-04-26 20:09:50 +02:00
|
|
|
if (crypto_dh_generate_public(dh)<0)
|
2004-04-01 22:04:54 +02:00
|
|
|
return -1;
|
2016-06-14 08:14:28 +02:00
|
|
|
else {
|
|
|
|
#ifdef OPENSSL_1_1_API
|
|
|
|
DH_get0_key(dh->dh, &dh_pub, &dh_priv);
|
|
|
|
#else
|
|
|
|
dh_pub = dh->dh->pub_key;
|
|
|
|
#endif
|
|
|
|
}
|
2004-04-01 22:04:54 +02:00
|
|
|
}
|
2003-12-16 06:29:04 +01:00
|
|
|
|
2016-06-14 08:14:28 +02:00
|
|
|
tor_assert(dh_pub);
|
|
|
|
bytes = BN_num_bytes(dh_pub);
|
2004-10-12 22:20:19 +02:00
|
|
|
tor_assert(bytes >= 0);
|
2005-10-17 18:21:42 +02:00
|
|
|
if (pubkey_len < (size_t)bytes) {
|
2006-02-13 09:01:59 +01:00
|
|
|
log_warn(LD_CRYPTO,
|
|
|
|
"Weird! pubkey_len (%d) was smaller than DH_BYTES (%d)",
|
|
|
|
(int) pubkey_len, bytes);
|
2003-05-01 02:53:46 +02:00
|
|
|
return -1;
|
2005-10-17 18:21:42 +02:00
|
|
|
}
|
2003-12-16 06:29:04 +01:00
|
|
|
|
2003-05-01 02:53:46 +02:00
|
|
|
memset(pubkey, 0, pubkey_len);
|
2016-06-14 08:14:28 +02:00
|
|
|
BN_bn2bin(dh_pub, (unsigned char*)(pubkey+(pubkey_len-bytes)));
|
2003-05-01 02:53:46 +02:00
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
2003-07-30 21:10:20 +02:00
|
|
|
|
2009-05-27 23:55:51 +02:00
|
|
|
/** Check for bad Diffie-Hellman public keys (g^x). Return 0 if the key is
|
2005-12-07 00:09:44 +01:00
|
|
|
* okay (in the subgroup [2,p-2]), or -1 if it's bad.
|
2005-08-15 03:03:50 +02:00
|
|
|
* See http://www.cl.cam.ac.uk/ftp/users/rja14/psandqs.ps.gz for some tips.
|
2005-08-07 22:36:14 +02:00
|
|
|
*/
|
2005-08-05 01:14:42 +02:00
|
|
|
static int
|
2016-06-25 00:20:41 +02:00
|
|
|
tor_check_dh_key(int severity, const BIGNUM *bn)
|
2005-08-05 01:14:42 +02:00
|
|
|
{
|
2005-12-07 00:09:44 +01:00
|
|
|
BIGNUM *x;
|
2005-08-07 22:36:14 +02:00
|
|
|
char *s;
|
2005-08-05 01:14:42 +02:00
|
|
|
tor_assert(bn);
|
2005-08-07 22:36:14 +02:00
|
|
|
x = BN_new();
|
2005-12-07 00:09:44 +01:00
|
|
|
tor_assert(x);
|
2016-05-04 15:43:47 +02:00
|
|
|
if (BUG(!dh_param_p))
|
|
|
|
init_dh_param(); //LCOV_EXCL_LINE we already checked whether we did this.
|
2005-12-07 00:09:44 +01:00
|
|
|
BN_set_word(x, 1);
|
2005-08-07 22:36:14 +02:00
|
|
|
if (BN_cmp(bn,x)<=0) {
|
2009-10-26 07:47:05 +01:00
|
|
|
log_fn(severity, LD_CRYPTO, "DH key must be at least 2.");
|
2005-08-07 22:36:14 +02:00
|
|
|
goto err;
|
|
|
|
}
|
|
|
|
BN_copy(x,dh_param_p);
|
2005-12-07 00:09:44 +01:00
|
|
|
BN_sub_word(x, 1);
|
2005-08-07 22:36:14 +02:00
|
|
|
if (BN_cmp(bn,x)>=0) {
|
2009-10-26 07:47:05 +01:00
|
|
|
log_fn(severity, LD_CRYPTO, "DH key must be at most p-2.");
|
2005-08-07 22:36:14 +02:00
|
|
|
goto err;
|
|
|
|
}
|
2014-02-02 19:40:30 +01:00
|
|
|
BN_clear_free(x);
|
2005-08-05 01:14:42 +02:00
|
|
|
return 0;
|
2005-08-07 22:36:14 +02:00
|
|
|
err:
|
2014-02-02 19:40:30 +01:00
|
|
|
BN_clear_free(x);
|
2005-08-07 22:36:14 +02:00
|
|
|
s = BN_bn2hex(bn);
|
2009-10-26 07:47:05 +01:00
|
|
|
log_fn(severity, LD_CRYPTO, "Rejecting insecure DH key [%s]", s);
|
2005-08-07 22:36:14 +02:00
|
|
|
OPENSSL_free(s);
|
|
|
|
return -1;
|
2005-08-05 01:14:42 +02:00
|
|
|
}
|
|
|
|
|
2004-05-10 05:53:24 +02:00
|
|
|
/** Given a DH key exchange object, and our peer's value of g^y (as a
|
2004-10-07 22:58:53 +02:00
|
|
|
* <b>pubkey_len</b>-byte value in <b>pubkey</b>) generate
|
2004-05-10 05:53:24 +02:00
|
|
|
* <b>secret_bytes_out</b> bytes of shared key material and write them
|
2004-11-02 03:28:51 +01:00
|
|
|
* to <b>secret_out</b>. Return the number of bytes generated on success,
|
2004-10-07 22:58:53 +02:00
|
|
|
* or -1 on failure.
|
2004-05-01 23:41:23 +02:00
|
|
|
*
|
|
|
|
* (We generate key material by computing
|
2004-05-02 01:29:20 +02:00
|
|
|
* SHA1( g^xy || "\x00" ) || SHA1( g^xy || "\x01" ) || ...
|
2004-05-01 23:41:23 +02:00
|
|
|
* where || is concatenation.)
|
|
|
|
*/
|
2008-02-21 22:57:47 +01:00
|
|
|
ssize_t
|
2012-01-18 21:53:30 +01:00
|
|
|
crypto_dh_compute_secret(int severity, crypto_dh_t *dh,
|
2005-09-30 03:09:52 +02:00
|
|
|
const char *pubkey, size_t pubkey_len,
|
|
|
|
char *secret_out, size_t secret_bytes_out)
|
2003-05-01 02:53:46 +02:00
|
|
|
{
|
2005-05-07 07:55:06 +02:00
|
|
|
char *secret_tmp = NULL;
|
2003-07-30 21:10:20 +02:00
|
|
|
BIGNUM *pubkey_bn = NULL;
|
2011-01-15 17:22:25 +01:00
|
|
|
size_t secret_len=0, secret_tmp_len=0;
|
2004-10-12 22:20:19 +02:00
|
|
|
int result=0;
|
2004-04-25 21:59:38 +02:00
|
|
|
tor_assert(dh);
|
|
|
|
tor_assert(secret_bytes_out/DIGEST_LEN <= 255);
|
2008-02-21 22:57:47 +01:00
|
|
|
tor_assert(pubkey_len < INT_MAX);
|
2003-07-30 21:10:20 +02:00
|
|
|
|
2008-02-21 22:57:47 +01:00
|
|
|
if (!(pubkey_bn = BN_bin2bn((const unsigned char*)pubkey,
|
|
|
|
(int)pubkey_len, NULL)))
|
2003-07-30 21:10:20 +02:00
|
|
|
goto error;
|
2009-10-26 07:47:05 +01:00
|
|
|
if (tor_check_dh_key(severity, pubkey_bn)<0) {
|
2005-08-05 01:14:42 +02:00
|
|
|
/* Check for invalid public keys. */
|
2009-10-26 07:47:05 +01:00
|
|
|
log_fn(severity, LD_CRYPTO,"Rejected invalid g^x");
|
2005-08-05 01:14:42 +02:00
|
|
|
goto error;
|
|
|
|
}
|
2011-01-15 17:22:25 +01:00
|
|
|
secret_tmp_len = crypto_dh_get_bytes(dh);
|
|
|
|
secret_tmp = tor_malloc(secret_tmp_len);
|
2005-05-07 07:55:06 +02:00
|
|
|
result = DH_compute_key((unsigned char*)secret_tmp, pubkey_bn, dh->dh);
|
2004-11-28 10:05:49 +01:00
|
|
|
if (result < 0) {
|
2006-02-13 09:01:59 +01:00
|
|
|
log_warn(LD_CRYPTO,"DH_compute_key() failed.");
|
2004-10-12 22:20:19 +02:00
|
|
|
goto error;
|
|
|
|
}
|
|
|
|
secret_len = result;
|
2012-12-03 18:20:05 +01:00
|
|
|
if (crypto_expand_key_material_TAP((uint8_t*)secret_tmp, secret_len,
|
|
|
|
(uint8_t*)secret_out, secret_bytes_out)<0)
|
2005-12-08 18:38:32 +01:00
|
|
|
goto error;
|
2003-07-30 21:10:20 +02:00
|
|
|
secret_len = secret_bytes_out;
|
2003-05-01 02:53:46 +02:00
|
|
|
|
2003-07-30 21:10:20 +02:00
|
|
|
goto done;
|
|
|
|
error:
|
2004-10-12 22:20:19 +02:00
|
|
|
result = -1;
|
2003-07-30 21:10:20 +02:00
|
|
|
done:
|
2004-04-26 20:09:50 +02:00
|
|
|
crypto_log_errors(LOG_WARN, "completing DH handshake");
|
2003-07-30 21:10:20 +02:00
|
|
|
if (pubkey_bn)
|
2014-02-02 19:40:30 +01:00
|
|
|
BN_clear_free(pubkey_bn);
|
2011-01-15 17:22:25 +01:00
|
|
|
if (secret_tmp) {
|
2012-11-07 22:09:58 +01:00
|
|
|
memwipe(secret_tmp, 0, secret_tmp_len);
|
2011-01-15 17:22:25 +01:00
|
|
|
tor_free(secret_tmp);
|
|
|
|
}
|
2004-11-28 10:05:49 +01:00
|
|
|
if (result < 0)
|
2004-10-12 22:20:19 +02:00
|
|
|
return result;
|
|
|
|
else
|
|
|
|
return secret_len;
|
2003-05-01 02:53:46 +02:00
|
|
|
}
|
2004-10-12 22:20:19 +02:00
|
|
|
|
2005-12-08 18:38:32 +01:00
|
|
|
/** Given <b>key_in_len</b> bytes of negotiated randomness in <b>key_in</b>
|
|
|
|
* ("K"), expand it into <b>key_out_len</b> bytes of negotiated key material in
|
2008-02-09 04:11:10 +01:00
|
|
|
* <b>key_out</b> by taking the first <b>key_out_len</b> bytes of
|
2005-12-08 18:38:32 +01:00
|
|
|
* H(K | [00]) | H(K | [01]) | ....
|
|
|
|
*
|
2012-12-03 18:20:05 +01:00
|
|
|
* This is the key expansion algorithm used in the "TAP" circuit extension
|
|
|
|
* mechanism; it shouldn't be used for new protocols.
|
|
|
|
*
|
2005-12-08 18:38:32 +01:00
|
|
|
* Return 0 on success, -1 on failure.
|
|
|
|
*/
|
|
|
|
int
|
2012-12-03 18:20:05 +01:00
|
|
|
crypto_expand_key_material_TAP(const uint8_t *key_in, size_t key_in_len,
|
|
|
|
uint8_t *key_out, size_t key_out_len)
|
2005-12-08 18:38:32 +01:00
|
|
|
{
|
2015-11-13 15:46:32 +01:00
|
|
|
int i, r = -1;
|
2012-12-03 18:20:05 +01:00
|
|
|
uint8_t *cp, *tmp = tor_malloc(key_in_len+1);
|
|
|
|
uint8_t digest[DIGEST_LEN];
|
2005-12-08 18:38:32 +01:00
|
|
|
|
|
|
|
/* If we try to get more than this amount of key data, we'll repeat blocks.*/
|
|
|
|
tor_assert(key_out_len <= DIGEST_LEN*256);
|
|
|
|
|
|
|
|
memcpy(tmp, key_in, key_in_len);
|
2007-06-06 15:02:22 +02:00
|
|
|
for (cp = key_out, i=0; cp < key_out+key_out_len;
|
|
|
|
++i, cp += DIGEST_LEN) {
|
2005-12-08 18:38:32 +01:00
|
|
|
tmp[key_in_len] = i;
|
2016-11-18 04:45:24 +01:00
|
|
|
if (crypto_digest((char*)digest, (const char *)tmp, key_in_len+1) < 0)
|
2015-11-13 15:46:32 +01:00
|
|
|
goto exit;
|
2007-06-06 15:02:22 +02:00
|
|
|
memcpy(cp, digest, MIN(DIGEST_LEN, key_out_len-(cp-key_out)));
|
2005-12-08 18:38:32 +01:00
|
|
|
}
|
|
|
|
|
2015-11-13 15:46:32 +01:00
|
|
|
r = 0;
|
|
|
|
exit:
|
2012-11-07 22:09:58 +01:00
|
|
|
memwipe(tmp, 0, key_in_len+1);
|
2005-12-08 18:38:32 +01:00
|
|
|
tor_free(tmp);
|
2012-11-07 22:09:58 +01:00
|
|
|
memwipe(digest, 0, sizeof(digest));
|
2015-11-13 15:46:32 +01:00
|
|
|
return r;
|
2005-12-08 18:38:32 +01:00
|
|
|
}
|
|
|
|
|
2012-12-03 18:20:05 +01:00
|
|
|
/** Expand some secret key material according to RFC5869, using SHA256 as the
|
|
|
|
* underlying hash. The <b>key_in_len</b> bytes at <b>key_in</b> are the
|
|
|
|
* secret key material; the <b>salt_in_len</b> bytes at <b>salt_in</b> and the
|
|
|
|
* <b>info_in_len</b> bytes in <b>info_in_len</b> are the algorithm's "salt"
|
|
|
|
* and "info" parameters respectively. On success, write <b>key_out_len</b>
|
2015-11-23 10:31:57 +01:00
|
|
|
* bytes to <b>key_out</b> and return 0. Assert on failure.
|
2012-12-03 18:20:05 +01:00
|
|
|
*/
|
|
|
|
int
|
|
|
|
crypto_expand_key_material_rfc5869_sha256(
|
|
|
|
const uint8_t *key_in, size_t key_in_len,
|
|
|
|
const uint8_t *salt_in, size_t salt_in_len,
|
|
|
|
const uint8_t *info_in, size_t info_in_len,
|
|
|
|
uint8_t *key_out, size_t key_out_len)
|
|
|
|
{
|
|
|
|
uint8_t prk[DIGEST256_LEN];
|
|
|
|
uint8_t tmp[DIGEST256_LEN + 128 + 1];
|
|
|
|
uint8_t mac[DIGEST256_LEN];
|
|
|
|
int i;
|
|
|
|
uint8_t *outp;
|
|
|
|
size_t tmp_len;
|
|
|
|
|
|
|
|
crypto_hmac_sha256((char*)prk,
|
|
|
|
(const char*)salt_in, salt_in_len,
|
|
|
|
(const char*)key_in, key_in_len);
|
|
|
|
|
|
|
|
/* If we try to get more than this amount of key data, we'll repeat blocks.*/
|
|
|
|
tor_assert(key_out_len <= DIGEST256_LEN * 256);
|
|
|
|
tor_assert(info_in_len <= 128);
|
|
|
|
memset(tmp, 0, sizeof(tmp));
|
|
|
|
outp = key_out;
|
|
|
|
i = 1;
|
|
|
|
|
|
|
|
while (key_out_len) {
|
|
|
|
size_t n;
|
|
|
|
if (i > 1) {
|
|
|
|
memcpy(tmp, mac, DIGEST256_LEN);
|
|
|
|
memcpy(tmp+DIGEST256_LEN, info_in, info_in_len);
|
|
|
|
tmp[DIGEST256_LEN+info_in_len] = i;
|
|
|
|
tmp_len = DIGEST256_LEN + info_in_len + 1;
|
|
|
|
} else {
|
|
|
|
memcpy(tmp, info_in, info_in_len);
|
|
|
|
tmp[info_in_len] = i;
|
|
|
|
tmp_len = info_in_len + 1;
|
|
|
|
}
|
|
|
|
crypto_hmac_sha256((char*)mac,
|
|
|
|
(const char*)prk, DIGEST256_LEN,
|
|
|
|
(const char*)tmp, tmp_len);
|
|
|
|
n = key_out_len < DIGEST256_LEN ? key_out_len : DIGEST256_LEN;
|
|
|
|
memcpy(outp, mac, n);
|
|
|
|
key_out_len -= n;
|
|
|
|
outp += n;
|
|
|
|
++i;
|
|
|
|
}
|
|
|
|
|
|
|
|
memwipe(tmp, 0, sizeof(tmp));
|
|
|
|
memwipe(mac, 0, sizeof(mac));
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2004-05-10 05:53:24 +02:00
|
|
|
/** Free a DH key exchange object.
|
2004-05-01 23:41:23 +02:00
|
|
|
*/
|
2005-09-30 03:09:52 +02:00
|
|
|
void
|
2012-01-18 21:53:30 +01:00
|
|
|
crypto_dh_free(crypto_dh_t *dh)
|
2003-05-01 02:53:46 +02:00
|
|
|
{
|
2009-09-28 16:37:01 +02:00
|
|
|
if (!dh)
|
|
|
|
return;
|
2004-10-17 00:28:11 +02:00
|
|
|
tor_assert(dh->dh);
|
2003-05-01 02:53:46 +02:00
|
|
|
DH_free(dh->dh);
|
2005-09-30 22:47:58 +02:00
|
|
|
tor_free(dh);
|
2003-05-01 02:53:46 +02:00
|
|
|
}
|
|
|
|
|
2002-07-24 16:02:39 +02:00
|
|
|
/* random numbers */
|
2004-05-01 23:41:23 +02:00
|
|
|
|
2011-03-16 22:05:37 +01:00
|
|
|
/** How many bytes of entropy we add at once.
|
|
|
|
*
|
|
|
|
* This is how much entropy OpenSSL likes to add right now, so maybe it will
|
2005-10-07 21:03:09 +02:00
|
|
|
* work for us too. */
|
|
|
|
#define ADD_ENTROPY 32
|
|
|
|
|
2011-03-16 22:05:37 +01:00
|
|
|
/** Set the seed of the weak RNG to a random value. */
|
2013-02-08 22:28:05 +01:00
|
|
|
void
|
|
|
|
crypto_seed_weak_rng(tor_weak_rng_t *rng)
|
2010-11-29 21:53:33 +01:00
|
|
|
{
|
|
|
|
unsigned seed;
|
|
|
|
crypto_rand((void*)&seed, sizeof(seed));
|
2013-02-08 22:28:05 +01:00
|
|
|
tor_init_weak_random(rng, seed);
|
2010-11-29 21:53:33 +01:00
|
|
|
}
|
|
|
|
|
2016-05-03 19:33:33 +02:00
|
|
|
#ifdef TOR_UNIT_TESTS
|
|
|
|
int break_strongest_rng_syscall = 0;
|
|
|
|
int break_strongest_rng_fallback = 0;
|
|
|
|
#endif
|
|
|
|
|
2012-12-04 05:31:07 +01:00
|
|
|
/** Try to get <b>out_len</b> bytes of the strongest entropy we can generate,
|
2015-12-08 18:53:51 +01:00
|
|
|
* via system calls, storing it into <b>out</b>. Return 0 on success, -1 on
|
2015-11-26 16:21:50 +01:00
|
|
|
* failure. A maximum request size of 256 bytes is imposed.
|
2004-05-01 23:41:23 +02:00
|
|
|
*/
|
2015-11-26 16:21:50 +01:00
|
|
|
static int
|
|
|
|
crypto_strongest_rand_syscall(uint8_t *out, size_t out_len)
|
2004-03-11 06:14:06 +01:00
|
|
|
{
|
2015-11-26 16:21:50 +01:00
|
|
|
tor_assert(out_len <= MAX_STRONGEST_RAND_SIZE);
|
|
|
|
|
2016-05-03 19:33:33 +02:00
|
|
|
#ifdef TOR_UNIT_TESTS
|
|
|
|
if (break_strongest_rng_syscall)
|
|
|
|
return -1;
|
|
|
|
#endif
|
|
|
|
|
2015-11-26 16:21:50 +01:00
|
|
|
#if defined(_WIN32)
|
2004-03-11 06:14:06 +01:00
|
|
|
static int provider_set = 0;
|
2004-03-11 07:19:08 +01:00
|
|
|
static HCRYPTPROV provider;
|
2004-03-11 06:14:06 +01:00
|
|
|
|
|
|
|
if (!provider_set) {
|
2005-12-14 21:40:40 +01:00
|
|
|
if (!CryptAcquireContext(&provider, NULL, NULL, PROV_RSA_FULL,
|
|
|
|
CRYPT_VERIFYCONTEXT)) {
|
2014-08-29 19:24:29 +02:00
|
|
|
log_warn(LD_CRYPTO, "Can't get CryptoAPI provider [1]");
|
|
|
|
return -1;
|
2004-03-11 06:14:06 +01:00
|
|
|
}
|
|
|
|
provider_set = 1;
|
|
|
|
}
|
2012-12-04 05:31:07 +01:00
|
|
|
if (!CryptGenRandom(provider, out_len, out)) {
|
2006-02-13 09:01:59 +01:00
|
|
|
log_warn(LD_CRYPTO, "Can't get entropy from CryptoAPI.");
|
2012-12-04 05:31:07 +01:00
|
|
|
return -1;
|
2004-03-11 06:14:06 +01:00
|
|
|
}
|
2012-12-04 05:31:07 +01:00
|
|
|
|
2004-03-11 06:14:06 +01:00
|
|
|
return 0;
|
2015-11-26 16:21:50 +01:00
|
|
|
#elif defined(__linux__) && defined(SYS_getrandom)
|
|
|
|
static int getrandom_works = 1; /* Be optimitic about our chances... */
|
|
|
|
|
|
|
|
/* getrandom() isn't as straight foward as getentropy(), and has
|
|
|
|
* no glibc wrapper.
|
|
|
|
*
|
|
|
|
* As far as I can tell from getrandom(2) and the source code, the
|
|
|
|
* requests we issue will always succeed (though it will block on the
|
|
|
|
* call if /dev/urandom isn't seeded yet), since we are NOT specifying
|
|
|
|
* GRND_NONBLOCK and the request is <= 256 bytes.
|
|
|
|
*
|
|
|
|
* The manpage is unclear on what happens if a signal interrupts the call
|
|
|
|
* while the request is blocked due to lack of entropy....
|
|
|
|
*
|
|
|
|
* We optimistically assume that getrandom() is available and functional
|
|
|
|
* because it is the way of the future, and 2 branch mispredicts pale in
|
|
|
|
* comparision to the overheads involved with failing to open
|
|
|
|
* /dev/srandom followed by opening and reading from /dev/urandom.
|
|
|
|
*/
|
|
|
|
if (PREDICT_LIKELY(getrandom_works)) {
|
2015-12-09 14:31:29 +01:00
|
|
|
long ret;
|
|
|
|
/* A flag of '0' here means to read from '/dev/urandom', and to
|
|
|
|
* block if insufficient entropy is available to service the
|
|
|
|
* request.
|
|
|
|
*/
|
|
|
|
const unsigned int flags = 0;
|
2015-11-26 16:21:50 +01:00
|
|
|
do {
|
2015-12-09 14:31:29 +01:00
|
|
|
ret = syscall(SYS_getrandom, out, out_len, flags);
|
2015-11-26 16:21:50 +01:00
|
|
|
} while (ret == -1 && ((errno == EINTR) ||(errno == EAGAIN)));
|
|
|
|
|
|
|
|
if (PREDICT_UNLIKELY(ret == -1)) {
|
2016-05-03 19:47:33 +02:00
|
|
|
/* LCOV_EXCL_START we can't actually make the syscall fail in testing. */
|
2015-11-26 16:21:50 +01:00
|
|
|
tor_assert(errno != EAGAIN);
|
|
|
|
tor_assert(errno != EINTR);
|
|
|
|
|
2017-12-05 00:17:09 +01:00
|
|
|
/* Useful log message for errno. */
|
|
|
|
if (errno == ENOSYS) {
|
2018-01-06 00:23:07 +01:00
|
|
|
log_warn(LD_CRYPTO, "Can't get entropy from getrandom()."
|
2017-12-05 00:17:09 +01:00
|
|
|
" You are running a version of Tor built to support"
|
2017-12-05 18:09:57 +01:00
|
|
|
" getrandom(), but the kernel doesn't implement this"
|
2018-01-06 00:23:07 +01:00
|
|
|
" function--probably because it is too old?");
|
2017-12-05 00:17:09 +01:00
|
|
|
} else {
|
2017-12-05 18:09:57 +01:00
|
|
|
log_warn(LD_CRYPTO, "Can't get entropy from getrandom(): %s.",
|
2017-12-05 00:17:09 +01:00
|
|
|
strerror(errno));
|
|
|
|
}
|
|
|
|
|
2015-11-26 16:21:50 +01:00
|
|
|
getrandom_works = 0; /* Don't bother trying again. */
|
|
|
|
return -1;
|
2016-05-03 19:47:33 +02:00
|
|
|
/* LCOV_EXCL_STOP */
|
2015-11-26 16:21:50 +01:00
|
|
|
}
|
|
|
|
|
2015-12-09 14:31:29 +01:00
|
|
|
tor_assert(ret == (long)out_len);
|
2015-11-26 16:21:50 +01:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
return -1; /* getrandom() previously failed unexpectedly. */
|
|
|
|
#elif defined(HAVE_GETENTROPY)
|
|
|
|
/* getentropy() is what Linux's getrandom() wants to be when it grows up.
|
|
|
|
* the only gotcha is that requests are limited to 256 bytes.
|
|
|
|
*/
|
|
|
|
return getentropy(out, out_len);
|
2015-12-08 23:17:17 +01:00
|
|
|
#else
|
|
|
|
(void) out;
|
2017-09-15 22:24:44 +02:00
|
|
|
#endif /* defined(_WIN32) || ... */
|
2015-11-26 16:21:50 +01:00
|
|
|
|
|
|
|
/* This platform doesn't have a supported syscall based random. */
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
/** Try to get <b>out_len</b> bytes of the strongest entropy we can generate,
|
|
|
|
* via the per-platform fallback mechanism, storing it into <b>out</b>.
|
2015-12-08 18:53:51 +01:00
|
|
|
* Return 0 on success, -1 on failure. A maximum request size of 256 bytes
|
2015-11-26 16:21:50 +01:00
|
|
|
* is imposed.
|
|
|
|
*/
|
|
|
|
static int
|
|
|
|
crypto_strongest_rand_fallback(uint8_t *out, size_t out_len)
|
|
|
|
{
|
2016-05-03 19:33:33 +02:00
|
|
|
#ifdef TOR_UNIT_TESTS
|
|
|
|
if (break_strongest_rng_fallback)
|
|
|
|
return -1;
|
|
|
|
#endif
|
|
|
|
|
2015-11-26 16:21:50 +01:00
|
|
|
#ifdef _WIN32
|
|
|
|
/* Windows exclusively uses crypto_strongest_rand_syscall(). */
|
2015-12-09 17:58:32 +01:00
|
|
|
(void)out;
|
|
|
|
(void)out_len;
|
2015-11-26 16:21:50 +01:00
|
|
|
return -1;
|
2017-09-15 22:24:44 +02:00
|
|
|
#else /* !(defined(_WIN32)) */
|
2015-11-26 16:21:50 +01:00
|
|
|
static const char *filenames[] = {
|
|
|
|
"/dev/srandom", "/dev/urandom", "/dev/random", NULL
|
|
|
|
};
|
|
|
|
int fd, i;
|
|
|
|
size_t n;
|
|
|
|
|
2003-06-13 23:13:37 +02:00
|
|
|
for (i = 0; filenames[i]; ++i) {
|
2016-12-18 09:48:31 +01:00
|
|
|
log_debug(LD_FS, "Considering %s for entropy", filenames[i]);
|
2013-08-09 18:07:20 +02:00
|
|
|
fd = open(sandbox_intern_string(filenames[i]), O_RDONLY, 0);
|
2004-04-26 20:09:50 +02:00
|
|
|
if (fd<0) continue;
|
2012-12-04 05:31:07 +01:00
|
|
|
log_info(LD_CRYPTO, "Reading entropy from \"%s\"", filenames[i]);
|
|
|
|
n = read_all(fd, (char*)out, out_len, 0);
|
2004-04-26 20:09:50 +02:00
|
|
|
close(fd);
|
2012-12-04 05:31:07 +01:00
|
|
|
if (n != out_len) {
|
2016-05-03 19:47:33 +02:00
|
|
|
/* LCOV_EXCL_START
|
|
|
|
* We can't make /dev/foorandom actually fail. */
|
2006-02-13 09:01:59 +01:00
|
|
|
log_warn(LD_CRYPTO,
|
2008-02-21 22:57:47 +01:00
|
|
|
"Error reading from entropy source (read only %lu bytes).",
|
|
|
|
(unsigned long)n);
|
2003-06-13 23:13:37 +02:00
|
|
|
return -1;
|
2016-05-03 19:47:33 +02:00
|
|
|
/* LCOV_EXCL_STOP */
|
2003-06-13 23:13:37 +02:00
|
|
|
}
|
2012-12-04 05:31:07 +01:00
|
|
|
|
2003-06-13 23:13:37 +02:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2012-12-04 05:31:07 +01:00
|
|
|
return -1;
|
2017-09-15 22:24:44 +02:00
|
|
|
#endif /* defined(_WIN32) */
|
2004-05-01 23:41:23 +02:00
|
|
|
}
|
2003-06-13 23:13:37 +02:00
|
|
|
|
2015-11-26 16:21:50 +01:00
|
|
|
/** Try to get <b>out_len</b> bytes of the strongest entropy we can generate,
|
2015-12-08 18:53:51 +01:00
|
|
|
* storing it into <b>out</b>. Return 0 on success, -1 on failure. A maximum
|
2015-11-26 16:21:50 +01:00
|
|
|
* request size of 256 bytes is imposed.
|
|
|
|
*/
|
2016-05-03 19:33:33 +02:00
|
|
|
STATIC int
|
2015-12-10 15:02:10 +01:00
|
|
|
crypto_strongest_rand_raw(uint8_t *out, size_t out_len)
|
2015-11-26 16:21:50 +01:00
|
|
|
{
|
|
|
|
static const size_t sanity_min_size = 16;
|
|
|
|
static const int max_attempts = 3;
|
|
|
|
tor_assert(out_len <= MAX_STRONGEST_RAND_SIZE);
|
|
|
|
|
|
|
|
/* For buffers >= 16 bytes (128 bits), we sanity check the output by
|
|
|
|
* zero filling the buffer and ensuring that it actually was at least
|
|
|
|
* partially modified.
|
|
|
|
*
|
|
|
|
* Checking that any individual byte is non-zero seems like it would
|
|
|
|
* fail too often (p = out_len * 1/256) for comfort, but this is an
|
|
|
|
* "adjust according to taste" sort of check.
|
|
|
|
*/
|
|
|
|
memwipe(out, 0, out_len);
|
|
|
|
for (int i = 0; i < max_attempts; i++) {
|
|
|
|
/* Try to use the syscall/OS favored mechanism to get strong entropy. */
|
|
|
|
if (crypto_strongest_rand_syscall(out, out_len) != 0) {
|
|
|
|
/* Try to use the less-favored mechanism to get strong entropy. */
|
|
|
|
if (crypto_strongest_rand_fallback(out, out_len) != 0) {
|
|
|
|
/* Welp, we tried. Hopefully the calling code terminates the process
|
|
|
|
* since we're basically boned without good entropy.
|
|
|
|
*/
|
|
|
|
log_warn(LD_CRYPTO,
|
|
|
|
"Cannot get strong entropy: no entropy source found.");
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if ((out_len < sanity_min_size) || !tor_mem_is_zero((char*)out, out_len))
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2016-05-03 19:33:33 +02:00
|
|
|
/* LCOV_EXCL_START
|
|
|
|
*
|
|
|
|
* We tried max_attempts times to fill a buffer >= 128 bits long,
|
2015-11-26 16:21:50 +01:00
|
|
|
* and each time it returned all '0's. Either the system entropy
|
|
|
|
* source is busted, or the user should go out and buy a ticket to
|
|
|
|
* every lottery on the planet.
|
|
|
|
*/
|
|
|
|
log_warn(LD_CRYPTO, "Strong OS entropy returned all zero buffer.");
|
2016-05-03 19:33:33 +02:00
|
|
|
|
2015-11-26 16:21:50 +01:00
|
|
|
return -1;
|
2016-05-03 19:33:33 +02:00
|
|
|
/* LCOV_EXCL_STOP */
|
2015-11-26 16:21:50 +01:00
|
|
|
}
|
|
|
|
|
2015-12-08 16:54:42 +01:00
|
|
|
/** Try to get <b>out_len</b> bytes of the strongest entropy we can generate,
|
|
|
|
* storing it into <b>out</b>.
|
|
|
|
*/
|
|
|
|
void
|
|
|
|
crypto_strongest_rand(uint8_t *out, size_t out_len)
|
|
|
|
{
|
2015-12-10 17:50:02 +01:00
|
|
|
#define DLEN SHA512_DIGEST_LENGTH
|
2015-12-09 15:15:57 +01:00
|
|
|
/* We're going to hash DLEN bytes from the system RNG together with some
|
|
|
|
* bytes from the openssl PRNG, in order to yield DLEN bytes.
|
|
|
|
*/
|
2015-12-08 16:54:42 +01:00
|
|
|
uint8_t inp[DLEN*2];
|
|
|
|
uint8_t tmp[DLEN];
|
|
|
|
tor_assert(out);
|
|
|
|
while (out_len) {
|
2015-12-09 15:15:57 +01:00
|
|
|
crypto_rand((char*) inp, DLEN);
|
|
|
|
if (crypto_strongest_rand_raw(inp+DLEN, DLEN) < 0) {
|
2016-04-13 03:13:33 +02:00
|
|
|
// LCOV_EXCL_START
|
2015-12-08 16:54:42 +01:00
|
|
|
log_err(LD_CRYPTO, "Failed to load strong entropy when generating an "
|
|
|
|
"important key. Exiting.");
|
2015-12-09 15:15:57 +01:00
|
|
|
/* Die with an assertion so we get a stack trace. */
|
2015-12-08 16:54:42 +01:00
|
|
|
tor_assert(0);
|
2016-04-13 03:13:33 +02:00
|
|
|
// LCOV_EXCL_STOP
|
2015-12-08 16:54:42 +01:00
|
|
|
}
|
|
|
|
if (out_len >= DLEN) {
|
|
|
|
SHA512(inp, sizeof(inp), out);
|
|
|
|
out += DLEN;
|
|
|
|
out_len -= DLEN;
|
|
|
|
} else {
|
|
|
|
SHA512(inp, sizeof(inp), tmp);
|
|
|
|
memcpy(out, tmp, out_len);
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
memwipe(tmp, 0, sizeof(tmp));
|
|
|
|
memwipe(inp, 0, sizeof(inp));
|
2015-12-10 17:50:02 +01:00
|
|
|
#undef DLEN
|
2015-12-08 16:54:42 +01:00
|
|
|
}
|
|
|
|
|
2012-12-04 05:31:07 +01:00
|
|
|
/** Seed OpenSSL's random number generator with bytes from the operating
|
2015-11-23 00:26:07 +01:00
|
|
|
* system. Return 0 on success, -1 on failure.
|
2012-12-04 05:31:07 +01:00
|
|
|
*/
|
|
|
|
int
|
2015-05-19 22:17:03 +02:00
|
|
|
crypto_seed_rng(void)
|
2012-12-04 05:31:07 +01:00
|
|
|
{
|
|
|
|
int rand_poll_ok = 0, load_entropy_ok = 0;
|
|
|
|
uint8_t buf[ADD_ENTROPY];
|
|
|
|
|
|
|
|
/* OpenSSL has a RAND_poll function that knows about more kinds of
|
|
|
|
* entropy than we do. We'll try calling that, *and* calling our own entropy
|
|
|
|
* functions. If one succeeds, we'll accept the RNG as seeded. */
|
2015-05-19 22:14:20 +02:00
|
|
|
rand_poll_ok = RAND_poll();
|
|
|
|
if (rand_poll_ok == 0)
|
2016-05-03 19:47:33 +02:00
|
|
|
log_warn(LD_CRYPTO, "RAND_poll() failed."); // LCOV_EXCL_LINE
|
2012-12-04 05:31:07 +01:00
|
|
|
|
2015-12-08 16:54:42 +01:00
|
|
|
load_entropy_ok = !crypto_strongest_rand_raw(buf, sizeof(buf));
|
2012-12-04 05:31:07 +01:00
|
|
|
if (load_entropy_ok) {
|
|
|
|
RAND_seed(buf, sizeof(buf));
|
|
|
|
}
|
|
|
|
|
|
|
|
memwipe(buf, 0, sizeof(buf));
|
2013-02-08 22:28:05 +01:00
|
|
|
|
2015-11-25 16:30:58 +01:00
|
|
|
if ((rand_poll_ok || load_entropy_ok) && RAND_status() == 1)
|
2012-12-04 05:31:07 +01:00
|
|
|
return 0;
|
|
|
|
else
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
2015-11-25 18:28:20 +01:00
|
|
|
/** Write <b>n</b> bytes of strong random data to <b>to</b>. Supports mocking
|
|
|
|
* for unit tests.
|
|
|
|
*
|
|
|
|
* This function is not allowed to fail; if it would fail to generate strong
|
|
|
|
* entropy, it must terminate the process instead.
|
2004-05-01 23:41:23 +02:00
|
|
|
*/
|
2015-11-25 16:42:00 +01:00
|
|
|
MOCK_IMPL(void,
|
2013-08-01 18:13:09 +02:00
|
|
|
crypto_rand, (char *to, size_t n))
|
2015-08-12 17:57:05 +02:00
|
|
|
{
|
2015-11-25 16:42:00 +01:00
|
|
|
crypto_rand_unmocked(to, n);
|
2015-08-12 17:57:05 +02:00
|
|
|
}
|
|
|
|
|
2015-11-25 18:28:20 +01:00
|
|
|
/** Write <b>n</b> bytes of strong random data to <b>to</b>. Most callers
|
|
|
|
* will want crypto_rand instead.
|
|
|
|
*
|
|
|
|
* This function is not allowed to fail; if it would fail to generate strong
|
|
|
|
* entropy, it must terminate the process instead.
|
2015-08-12 17:57:05 +02:00
|
|
|
*/
|
2015-11-25 16:42:00 +01:00
|
|
|
void
|
2015-08-12 17:57:05 +02:00
|
|
|
crypto_rand_unmocked(char *to, size_t n)
|
2002-07-24 16:02:39 +02:00
|
|
|
{
|
2004-04-26 20:09:50 +02:00
|
|
|
int r;
|
2015-11-25 16:30:58 +01:00
|
|
|
if (n == 0)
|
2015-11-25 16:42:00 +01:00
|
|
|
return;
|
2015-11-25 16:30:58 +01:00
|
|
|
|
2008-02-21 22:57:47 +01:00
|
|
|
tor_assert(n < INT_MAX);
|
2004-04-25 21:59:38 +02:00
|
|
|
tor_assert(to);
|
2008-02-21 22:57:47 +01:00
|
|
|
r = RAND_bytes((unsigned char*)to, (int)n);
|
2015-12-09 15:15:57 +01:00
|
|
|
/* We consider a PRNG failure non-survivable. Let's assert so that we get a
|
|
|
|
* stack trace about where it happened.
|
|
|
|
*/
|
2015-11-25 16:30:58 +01:00
|
|
|
tor_assert(r >= 0);
|
2002-07-24 16:02:39 +02:00
|
|
|
}
|
2002-07-25 10:17:22 +02:00
|
|
|
|
2004-12-01 04:48:14 +01:00
|
|
|
/** Return a pseudorandom integer, chosen uniformly from the values
|
2011-06-01 17:48:39 +02:00
|
|
|
* between 0 and <b>max</b>-1 inclusive. <b>max</b> must be between 1 and
|
|
|
|
* INT_MAX+1, inclusive. */
|
2005-09-30 03:09:52 +02:00
|
|
|
int
|
2005-10-07 00:18:01 +02:00
|
|
|
crypto_rand_int(unsigned int max)
|
2005-09-30 03:09:52 +02:00
|
|
|
{
|
2003-11-12 05:12:35 +01:00
|
|
|
unsigned int val;
|
2003-11-12 05:28:30 +01:00
|
|
|
unsigned int cutoff;
|
2011-06-01 17:48:39 +02:00
|
|
|
tor_assert(max <= ((unsigned int)INT_MAX)+1);
|
2004-04-25 21:59:38 +02:00
|
|
|
tor_assert(max > 0); /* don't div by 0 */
|
2003-11-12 05:28:30 +01:00
|
|
|
|
|
|
|
/* We ignore any values that are >= 'cutoff,' to avoid biasing the
|
|
|
|
* distribution with clipping at the upper end of unsigned int's
|
|
|
|
* range.
|
|
|
|
*/
|
|
|
|
cutoff = UINT_MAX - (UINT_MAX%max);
|
2004-11-28 10:05:49 +01:00
|
|
|
while (1) {
|
2005-10-07 00:18:01 +02:00
|
|
|
crypto_rand((char*)&val, sizeof(val));
|
2006-10-01 23:59:05 +02:00
|
|
|
if (val < cutoff)
|
|
|
|
return val % max;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2015-11-23 10:31:57 +01:00
|
|
|
/** Return a pseudorandom integer, chosen uniformly from the values i such
|
|
|
|
* that min <= i < max.
|
2015-04-21 16:17:12 +02:00
|
|
|
*
|
2015-04-21 17:30:21 +02:00
|
|
|
* <b>min</b> MUST be in range [0, <b>max</b>).
|
|
|
|
* <b>max</b> MUST be in range (min, INT_MAX].
|
2015-04-21 16:17:12 +02:00
|
|
|
*/
|
|
|
|
int
|
|
|
|
crypto_rand_int_range(unsigned int min, unsigned int max)
|
|
|
|
{
|
2015-04-21 17:30:21 +02:00
|
|
|
tor_assert(min < max);
|
2015-04-21 16:17:12 +02:00
|
|
|
tor_assert(max <= INT_MAX);
|
|
|
|
|
|
|
|
/* The overflow is avoided here because crypto_rand_int() returns a value
|
2015-04-23 17:13:51 +02:00
|
|
|
* between 0 and (max - min) inclusive. */
|
2015-04-21 17:30:21 +02:00
|
|
|
return min + crypto_rand_int(max - min);
|
2015-04-21 16:17:12 +02:00
|
|
|
}
|
|
|
|
|
2015-04-23 15:16:42 +02:00
|
|
|
/** As crypto_rand_int_range, but supports uint64_t. */
|
|
|
|
uint64_t
|
|
|
|
crypto_rand_uint64_range(uint64_t min, uint64_t max)
|
|
|
|
{
|
|
|
|
tor_assert(min < max);
|
|
|
|
return min + crypto_rand_uint64(max - min);
|
|
|
|
}
|
|
|
|
|
|
|
|
/** As crypto_rand_int_range, but supports time_t. */
|
|
|
|
time_t
|
|
|
|
crypto_rand_time_range(time_t min, time_t max)
|
|
|
|
{
|
2015-09-08 16:22:01 +02:00
|
|
|
tor_assert(min < max);
|
|
|
|
return min + (time_t)crypto_rand_uint64(max - min);
|
2015-04-23 15:16:42 +02:00
|
|
|
}
|
|
|
|
|
2008-02-09 04:11:10 +01:00
|
|
|
/** Return a pseudorandom 64-bit integer, chosen uniformly from the values
|
2015-04-23 17:13:51 +02:00
|
|
|
* between 0 and <b>max</b>-1 inclusive. */
|
2006-10-01 23:59:05 +02:00
|
|
|
uint64_t
|
|
|
|
crypto_rand_uint64(uint64_t max)
|
|
|
|
{
|
|
|
|
uint64_t val;
|
|
|
|
uint64_t cutoff;
|
|
|
|
tor_assert(max < UINT64_MAX);
|
|
|
|
tor_assert(max > 0); /* don't div by 0 */
|
|
|
|
|
|
|
|
/* We ignore any values that are >= 'cutoff,' to avoid biasing the
|
|
|
|
* distribution with clipping at the upper end of unsigned int's
|
|
|
|
* range.
|
|
|
|
*/
|
|
|
|
cutoff = UINT64_MAX - (UINT64_MAX%max);
|
|
|
|
while (1) {
|
|
|
|
crypto_rand((char*)&val, sizeof(val));
|
2003-11-12 05:28:30 +01:00
|
|
|
if (val < cutoff)
|
|
|
|
return val % max;
|
|
|
|
}
|
2002-07-25 10:17:22 +02:00
|
|
|
}
|
|
|
|
|
2010-06-23 03:30:26 +02:00
|
|
|
/** Return a pseudorandom double d, chosen uniformly from the range
|
|
|
|
* 0.0 <= d < 1.0.
|
|
|
|
*/
|
|
|
|
double
|
|
|
|
crypto_rand_double(void)
|
|
|
|
{
|
|
|
|
/* We just use an unsigned int here; we don't really care about getting
|
|
|
|
* more than 32 bits of resolution */
|
2016-07-28 16:22:10 +02:00
|
|
|
unsigned int u;
|
|
|
|
crypto_rand((char*)&u, sizeof(u));
|
2010-06-23 03:31:31 +02:00
|
|
|
#if SIZEOF_INT == 4
|
|
|
|
#define UINT_MAX_AS_DOUBLE 4294967296.0
|
|
|
|
#elif SIZEOF_INT == 8
|
|
|
|
#define UINT_MAX_AS_DOUBLE 1.8446744073709552e+19
|
|
|
|
#else
|
|
|
|
#error SIZEOF_INT is neither 4 nor 8
|
2017-09-15 22:24:44 +02:00
|
|
|
#endif /* SIZEOF_INT == 4 || ... */
|
2016-07-28 16:22:10 +02:00
|
|
|
return ((double)u) / UINT_MAX_AS_DOUBLE;
|
2010-06-23 03:30:26 +02:00
|
|
|
}
|
|
|
|
|
2008-02-09 04:11:10 +01:00
|
|
|
/** Generate and return a new random hostname starting with <b>prefix</b>,
|
2012-01-10 01:14:51 +01:00
|
|
|
* ending with <b>suffix</b>, and containing no fewer than
|
2008-02-09 04:11:10 +01:00
|
|
|
* <b>min_rand_len</b> and no more than <b>max_rand_len</b> random base32
|
2015-11-23 10:31:57 +01:00
|
|
|
* characters. Does not check for failure.
|
2012-01-10 01:14:51 +01:00
|
|
|
*
|
|
|
|
* Clip <b>max_rand_len</b> to MAX_DNS_LABEL_SIZE.
|
|
|
|
**/
|
2008-02-08 22:13:12 +01:00
|
|
|
char *
|
|
|
|
crypto_random_hostname(int min_rand_len, int max_rand_len, const char *prefix,
|
|
|
|
const char *suffix)
|
|
|
|
{
|
|
|
|
char *result, *rand_bytes;
|
2008-02-21 22:57:47 +01:00
|
|
|
int randlen, rand_bytes_len;
|
|
|
|
size_t resultlen, prefixlen;
|
2008-02-08 22:13:12 +01:00
|
|
|
|
2012-01-10 01:14:51 +01:00
|
|
|
if (max_rand_len > MAX_DNS_LABEL_SIZE)
|
|
|
|
max_rand_len = MAX_DNS_LABEL_SIZE;
|
|
|
|
if (min_rand_len > max_rand_len)
|
|
|
|
min_rand_len = max_rand_len;
|
2011-12-21 18:48:38 +01:00
|
|
|
|
2015-04-21 17:30:21 +02:00
|
|
|
randlen = crypto_rand_int_range(min_rand_len, max_rand_len+1);
|
2011-12-21 18:48:38 +01:00
|
|
|
|
2008-02-08 22:13:12 +01:00
|
|
|
prefixlen = strlen(prefix);
|
|
|
|
resultlen = prefixlen + strlen(suffix) + randlen + 16;
|
|
|
|
|
|
|
|
rand_bytes_len = ((randlen*5)+7)/8;
|
|
|
|
if (rand_bytes_len % 5)
|
|
|
|
rand_bytes_len += 5 - (rand_bytes_len%5);
|
|
|
|
rand_bytes = tor_malloc(rand_bytes_len);
|
|
|
|
crypto_rand(rand_bytes, rand_bytes_len);
|
|
|
|
|
|
|
|
result = tor_malloc(resultlen);
|
|
|
|
memcpy(result, prefix, prefixlen);
|
|
|
|
base32_encode(result+prefixlen, resultlen-prefixlen,
|
|
|
|
rand_bytes, rand_bytes_len);
|
|
|
|
tor_free(rand_bytes);
|
|
|
|
strlcpy(result+prefixlen+randlen, suffix, resultlen-(prefixlen+randlen));
|
|
|
|
|
|
|
|
return result;
|
|
|
|
}
|
|
|
|
|
2008-02-09 04:11:10 +01:00
|
|
|
/** Return a randomly chosen element of <b>sl</b>; or NULL if <b>sl</b>
|
|
|
|
* is empty. */
|
2005-09-30 03:09:52 +02:00
|
|
|
void *
|
|
|
|
smartlist_choose(const smartlist_t *sl)
|
|
|
|
{
|
2008-02-21 22:57:47 +01:00
|
|
|
int len = smartlist_len(sl);
|
2004-11-28 10:05:49 +01:00
|
|
|
if (len)
|
2005-10-07 00:18:01 +02:00
|
|
|
return smartlist_get(sl,crypto_rand_int(len));
|
2004-10-30 21:26:31 +02:00
|
|
|
return NULL; /* no elements to choose from */
|
|
|
|
}
|
|
|
|
|
2008-02-09 04:11:10 +01:00
|
|
|
/** Scramble the elements of <b>sl</b> into a random order. */
|
2007-05-18 23:19:14 +02:00
|
|
|
void
|
|
|
|
smartlist_shuffle(smartlist_t *sl)
|
|
|
|
{
|
|
|
|
int i;
|
|
|
|
/* From the end of the list to the front, choose at random from the
|
|
|
|
positions we haven't looked at yet, and swap that position into the
|
|
|
|
current position. Remember to give "no swap" the same probability as
|
|
|
|
any other swap. */
|
|
|
|
for (i = smartlist_len(sl)-1; i > 0; --i) {
|
|
|
|
int j = crypto_rand_int(i+1);
|
|
|
|
smartlist_swap(sl, i, j);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2012-11-07 22:09:58 +01:00
|
|
|
/**
|
|
|
|
* Destroy the <b>sz</b> bytes of data stored at <b>mem</b>, setting them to
|
|
|
|
* the value <b>byte</b>.
|
2016-01-19 01:22:58 +01:00
|
|
|
* If <b>mem</b> is NULL or <b>sz</b> is zero, nothing happens.
|
2012-11-07 22:09:58 +01:00
|
|
|
*
|
|
|
|
* This function is preferable to memset, since many compilers will happily
|
|
|
|
* optimize out memset() when they can convince themselves that the data being
|
|
|
|
* cleared will never be read.
|
|
|
|
*
|
|
|
|
* Right now, our convention is to use this function when we are wiping data
|
|
|
|
* that's about to become inaccessible, such as stack buffers that are about
|
|
|
|
* to go out of scope or structures that are about to get freed. (In
|
|
|
|
* practice, it appears that the compilers we're currently using will optimize
|
|
|
|
* out the memset()s for stack-allocated buffers, but not those for
|
|
|
|
* about-to-be-freed structures. That could change, though, so we're being
|
|
|
|
* wary.) If there are live reads for the data, then you can just use
|
|
|
|
* memset().
|
|
|
|
*/
|
|
|
|
void
|
|
|
|
memwipe(void *mem, uint8_t byte, size_t sz)
|
|
|
|
{
|
2016-01-19 14:28:58 +01:00
|
|
|
if (sz == 0) {
|
2016-01-19 01:22:58 +01:00
|
|
|
return;
|
|
|
|
}
|
2016-01-19 14:28:58 +01:00
|
|
|
/* If sz is nonzero, then mem must not be NULL. */
|
|
|
|
tor_assert(mem != NULL);
|
2016-01-19 01:22:58 +01:00
|
|
|
|
|
|
|
/* Data this large is likely to be an underflow. */
|
|
|
|
tor_assert(sz < SIZE_T_CEILING);
|
|
|
|
|
2012-11-07 22:09:58 +01:00
|
|
|
/* Because whole-program-optimization exists, we may not be able to just
|
|
|
|
* have this function call "memset". A smart compiler could inline it, then
|
|
|
|
* eliminate dead memsets, and declare itself to be clever. */
|
|
|
|
|
2016-01-11 15:02:42 +01:00
|
|
|
#if defined(SecureZeroMemory) || defined(HAVE_SECUREZEROMEMORY)
|
2016-01-03 17:08:21 +01:00
|
|
|
/* Here's what you do on windows. */
|
|
|
|
SecureZeroMemory(mem,sz);
|
2016-01-11 15:02:42 +01:00
|
|
|
#elif defined(HAVE_RTLSECUREZEROMEMORY)
|
|
|
|
RtlSecureZeroMemory(mem,sz);
|
2016-01-03 17:08:21 +01:00
|
|
|
#elif defined(HAVE_EXPLICIT_BZERO)
|
|
|
|
/* The BSDs provide this. */
|
|
|
|
explicit_bzero(mem, sz);
|
|
|
|
#elif defined(HAVE_MEMSET_S)
|
|
|
|
/* This is in the C99 standard. */
|
|
|
|
memset_s(mem, sz, 0, sz);
|
|
|
|
#else
|
2012-11-07 22:09:58 +01:00
|
|
|
/* This is a slow and ugly function from OpenSSL that fills 'mem' with junk
|
|
|
|
* based on the pointer value, then uses that junk to update a global
|
|
|
|
* variable. It's an elaborate ruse to trick the compiler into not
|
|
|
|
* optimizing out the "wipe this memory" code. Read it if you like zany
|
|
|
|
* programming tricks! In later versions of Tor, we should look for better
|
2015-12-10 15:03:47 +01:00
|
|
|
* not-optimized-out memory wiping stuff...
|
|
|
|
*
|
|
|
|
* ...or maybe not. In practice, there are pure-asm implementations of
|
|
|
|
* OPENSSL_cleanse() on most platforms, which ought to do the job.
|
|
|
|
**/
|
2016-01-07 21:53:24 +01:00
|
|
|
|
2012-11-07 22:09:58 +01:00
|
|
|
OPENSSL_cleanse(mem, sz);
|
2017-09-15 22:24:44 +02:00
|
|
|
#endif /* defined(SecureZeroMemory) || defined(HAVE_SECUREZEROMEMORY) || ... */
|
2016-01-07 21:53:24 +01:00
|
|
|
|
2012-11-07 22:09:58 +01:00
|
|
|
/* Just in case some caller of memwipe() is relying on getting a buffer
|
|
|
|
* filled with a particular value, fill the buffer.
|
|
|
|
*
|
|
|
|
* If this function gets inlined, this memset might get eliminated, but
|
|
|
|
* that's okay: We only care about this particular memset in the case where
|
|
|
|
* the caller should have been using memset(), and the memset() wouldn't get
|
|
|
|
* eliminated. In other words, this is here so that we won't break anything
|
|
|
|
* if somebody accidentally calls memwipe() instead of memset().
|
|
|
|
**/
|
|
|
|
memset(mem, byte, sz);
|
|
|
|
}
|
|
|
|
|
2015-12-23 15:58:36 +01:00
|
|
|
#if 0
|
|
|
|
/* This code is disabled, because OpenSSL never actually uses these callbacks.
|
|
|
|
*/
|
|
|
|
|
2009-05-28 17:54:56 +02:00
|
|
|
/** OpenSSL helper type: wraps a Tor mutex so that OpenSSL can use it
|
|
|
|
* as a lock. */
|
2008-06-13 18:35:12 +02:00
|
|
|
struct CRYPTO_dynlock_value {
|
|
|
|
tor_mutex_t *lock;
|
|
|
|
};
|
|
|
|
|
2009-05-27 23:55:51 +02:00
|
|
|
/** OpenSSL callback function to allocate a lock: see CRYPTO_set_dynlock_*
|
2008-12-22 18:53:04 +01:00
|
|
|
* documentation in OpenSSL's docs for more info. */
|
2008-06-13 18:35:12 +02:00
|
|
|
static struct CRYPTO_dynlock_value *
|
2012-10-12 18:22:13 +02:00
|
|
|
openssl_dynlock_create_cb_(const char *file, int line)
|
2008-06-13 18:35:12 +02:00
|
|
|
{
|
|
|
|
struct CRYPTO_dynlock_value *v;
|
|
|
|
(void)file;
|
|
|
|
(void)line;
|
|
|
|
v = tor_malloc(sizeof(struct CRYPTO_dynlock_value));
|
|
|
|
v->lock = tor_mutex_new();
|
|
|
|
return v;
|
|
|
|
}
|
|
|
|
|
2009-05-27 23:55:51 +02:00
|
|
|
/** OpenSSL callback function to acquire or release a lock: see
|
2008-12-22 18:53:04 +01:00
|
|
|
* CRYPTO_set_dynlock_* documentation in OpenSSL's docs for more info. */
|
2008-06-13 18:35:12 +02:00
|
|
|
static void
|
2012-10-12 18:22:13 +02:00
|
|
|
openssl_dynlock_lock_cb_(int mode, struct CRYPTO_dynlock_value *v,
|
2008-06-13 18:35:12 +02:00
|
|
|
const char *file, int line)
|
|
|
|
{
|
|
|
|
(void)file;
|
|
|
|
(void)line;
|
|
|
|
if (mode & CRYPTO_LOCK)
|
|
|
|
tor_mutex_acquire(v->lock);
|
|
|
|
else
|
|
|
|
tor_mutex_release(v->lock);
|
|
|
|
}
|
|
|
|
|
2009-05-27 23:55:51 +02:00
|
|
|
/** OpenSSL callback function to free a lock: see CRYPTO_set_dynlock_*
|
2008-12-22 18:53:04 +01:00
|
|
|
* documentation in OpenSSL's docs for more info. */
|
2008-06-13 18:35:12 +02:00
|
|
|
static void
|
2012-10-12 18:22:13 +02:00
|
|
|
openssl_dynlock_destroy_cb_(struct CRYPTO_dynlock_value *v,
|
2008-06-13 18:35:12 +02:00
|
|
|
const char *file, int line)
|
|
|
|
{
|
|
|
|
(void)file;
|
|
|
|
(void)line;
|
|
|
|
tor_mutex_free(v->lock);
|
|
|
|
tor_free(v);
|
|
|
|
}
|
2017-09-15 22:24:44 +02:00
|
|
|
#endif /* 0 */
|
2008-06-13 18:35:12 +02:00
|
|
|
|
2011-03-16 22:05:37 +01:00
|
|
|
/** @{ */
|
2015-11-23 10:31:57 +01:00
|
|
|
/** Uninitialize the crypto library. Return 0 on success. Does not detect
|
|
|
|
* failure.
|
2011-11-22 15:11:40 +01:00
|
|
|
*/
|
|
|
|
int
|
|
|
|
crypto_global_cleanup(void)
|
|
|
|
{
|
|
|
|
EVP_cleanup();
|
2016-06-14 06:40:36 +02:00
|
|
|
#ifndef NEW_THREAD_API
|
2015-11-10 16:13:04 +01:00
|
|
|
ERR_remove_thread_state(NULL);
|
2016-04-04 05:51:47 +02:00
|
|
|
#endif
|
2011-11-22 15:11:40 +01:00
|
|
|
ERR_free_strings();
|
|
|
|
|
2011-11-22 15:14:59 +01:00
|
|
|
if (dh_param_p)
|
2014-02-02 19:40:30 +01:00
|
|
|
BN_clear_free(dh_param_p);
|
2011-11-22 15:14:59 +01:00
|
|
|
if (dh_param_p_tls)
|
2014-02-02 19:40:30 +01:00
|
|
|
BN_clear_free(dh_param_p_tls);
|
2011-11-22 15:14:59 +01:00
|
|
|
if (dh_param_g)
|
2014-02-02 19:40:30 +01:00
|
|
|
BN_clear_free(dh_param_g);
|
2011-11-22 15:14:59 +01:00
|
|
|
|
2011-11-22 15:11:40 +01:00
|
|
|
#ifndef DISABLE_ENGINES
|
|
|
|
ENGINE_cleanup();
|
|
|
|
#endif
|
|
|
|
|
|
|
|
CONF_modules_unload(1);
|
|
|
|
CRYPTO_cleanup_all_ex_data();
|
2014-06-20 16:20:10 +02:00
|
|
|
|
2016-04-04 05:51:47 +02:00
|
|
|
#ifndef NEW_THREAD_API
|
2012-10-12 18:22:13 +02:00
|
|
|
if (n_openssl_mutexes_) {
|
|
|
|
int n = n_openssl_mutexes_;
|
|
|
|
tor_mutex_t **ms = openssl_mutexes_;
|
2011-11-22 15:11:40 +01:00
|
|
|
int i;
|
2012-10-12 18:22:13 +02:00
|
|
|
openssl_mutexes_ = NULL;
|
|
|
|
n_openssl_mutexes_ = 0;
|
2011-11-22 15:11:40 +01:00
|
|
|
for (i=0;i<n;++i) {
|
|
|
|
tor_mutex_free(ms[i]);
|
|
|
|
}
|
|
|
|
tor_free(ms);
|
|
|
|
}
|
2017-09-15 22:24:44 +02:00
|
|
|
#endif /* !defined(NEW_THREAD_API) */
|
2014-06-20 16:20:10 +02:00
|
|
|
|
2018-01-08 15:31:41 +01:00
|
|
|
free_openssl();
|
2011-11-22 15:11:40 +01:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2011-03-16 22:05:37 +01:00
|
|
|
/** @} */
|
2016-02-06 20:00:24 +01:00
|
|
|
|
2017-03-25 11:27:50 +01:00
|
|
|
#ifdef USE_DMALLOC
|
|
|
|
/** Tell the crypto library to use Tor's allocation functions rather than
|
|
|
|
* calling libc's allocation functions directly. Return 0 on success, -1
|
|
|
|
* on failure. */
|
|
|
|
int
|
|
|
|
crypto_use_tor_alloc_functions(void)
|
|
|
|
{
|
|
|
|
int r = CRYPTO_set_mem_ex_functions(tor_malloc_, tor_realloc_, tor_free_);
|
|
|
|
return r ? 0 : -1;
|
|
|
|
}
|
2017-09-15 22:24:44 +02:00
|
|
|
#endif /* defined(USE_DMALLOC) */
|
2017-03-25 11:27:50 +01:00
|
|
|
|