Line data    Source code

       1             : /* Copyright (c) 2001, Matej Pfajfar.
       2             :  * Copyright (c) 2001-2004, Roger Dingledine.
       3             :  * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
       4             :  * Copyright (c) 2007-2021, The Tor Project, Inc. */
       5             : /* See LICENSE for licensing information */
       6             : 
       7             : /**
       8             :  * \file crypto_dh.c
       9             :  * \brief Block of functions related with DH utilities and operations.
      10             :  *    over Z_p.  We aren't using this for any new crypto -- EC is more
      11             :  *    efficient.
      12             :  **/
      13             : 
      14             : #include "lib/crypt_ops/compat_openssl.h"
      15             : #include "lib/crypt_ops/crypto_dh.h"
      16             : #include "lib/crypt_ops/crypto_digest.h"
      17             : #include "lib/crypt_ops/crypto_hkdf.h"
      18             : #include "lib/crypt_ops/crypto_util.h"
      19             : #include "lib/log/log.h"
      20             : #include "lib/log/util_bug.h"
      21             : 
      22             : /** Our DH 'g' parameter */
      23             : const unsigned DH_GENERATOR = 2;
      24             : /** This is the 1024-bit safe prime that Apache uses for its DH stuff; see
      25             :  * modules/ssl/ssl_engine_dh.c; Apache also uses a generator of 2 with this
      26             :  * prime.
      27             :  */
      28             : const char TLS_DH_PRIME[] =
      29             :   "D67DE440CBBBDC1936D693D34AFD0AD50C84D239A45F520BB88174CB98"
      30             :   "BCE951849F912E639C72FB13B4B4D7177E16D55AC179BA420B2A29FE324A"
      31             :   "467A635E81FF5901377BEDDCFD33168A461AAD3B72DAE8860078045B07A7"
      32             :   "DBCA7874087D1510EA9FCC9DDD330507DD62DB88AEAA747DE0F4D6E2BD68"
      33             :   "B0E7393E0F24218EB3";
      34             : /**
      35             :  * This is from rfc2409, section 6.2.  It's a safe prime, and
      36             :  * supposedly it equals:
      37             :  * 2^1024 - 2^960 - 1 + 2^64 * { [2^894 pi] + 129093 }.
      38             :  */
      39             : const char OAKLEY_PRIME_2[] =
      40             :   "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E08"
      41             :   "8A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B"
      42             :   "302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9"
      43             :   "A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE6"
      44             :   "49286651ECE65381FFFFFFFFFFFFFFFF";
      45             : 
      46             : void
      47       11081 : crypto_dh_init(void)
      48             : {
      49             : #ifdef ENABLE_OPENSSL
      50       11081 :   crypto_dh_init_openssl();
      51             : #endif
      52             : #ifdef ENABLE_NSS
      53             :   crypto_dh_init_nss();
      54             : #endif
      55       11081 : }
      56             : 
      57             : void
      58         235 : crypto_dh_free_all(void)
      59             : {
      60             : #ifdef ENABLE_OPENSSL
      61         235 :   crypto_dh_free_all_openssl();
      62             : #endif
      63             : #ifdef ENABLE_NSS
      64             :   crypto_dh_free_all_nss();
      65             : #endif
      66         235 : }
      67             : 
      68             : /** Given a DH key exchange object, and our peer's value of g^y (as a
      69             :  * <b>pubkey_len</b>-byte value in <b>pubkey</b>) generate
      70             :  * <b>secret_bytes_out</b> bytes of shared key material and write them
      71             :  * to <b>secret_out</b>.  Return the number of bytes generated on success,
      72             :  * or -1 on failure.
      73             :  *
      74             :  * (We generate key material by computing
      75             :  *         SHA1( g^xy || "\x00" ) || SHA1( g^xy || "\x01" ) || ...
      76             :  * where || is concatenation.)
      77             :  */
      78             : ssize_t
      79          28 : crypto_dh_compute_secret(int severity, crypto_dh_t *dh,
      80             :                          const char *pubkey, size_t pubkey_len,
      81             :                          char *secret_out, size_t secret_bytes_out)
      82             : {
      83          28 :   tor_assert(secret_bytes_out/DIGEST_LEN <= 255);
      84             : 
      85          28 :   unsigned char *secret_tmp = NULL;
      86          28 :   size_t secret_len=0, secret_tmp_len=0;
      87          28 :   secret_tmp_len = crypto_dh_get_bytes(dh);
      88          28 :   secret_tmp = tor_malloc(secret_tmp_len);
      89             : 
      90          28 :   ssize_t result = crypto_dh_handshake(severity, dh, pubkey, pubkey_len,
      91             :                                    secret_tmp, secret_tmp_len);
      92          28 :   if (result < 0)
      93          13 :     goto error;
      94             : 
      95          15 :   secret_len = result;
      96          15 :   if (crypto_expand_key_material_TAP(secret_tmp, secret_len,
      97             :                                      (uint8_t*)secret_out, secret_bytes_out)<0)
      98           0 :     goto error;
      99          15 :   secret_len = secret_bytes_out;
     100             : 
     101          15 :   goto done;
     102             :  error:
     103             :   result = -1;
     104          28 :  done:
     105          28 :   if (secret_tmp) {
     106          28 :     memwipe(secret_tmp, 0, secret_tmp_len);
     107          28 :     tor_free(secret_tmp);
     108             :   }
     109          28 :   if (result < 0)
     110             :     return result;
     111             :   else
     112          15 :     return secret_len;
     113             : }