Tor  0.4.7.0-alpha-dev
crypto_dh.c
Go to the documentation of this file.
1 /* Copyright (c) 2001, Matej Pfajfar.
2  * Copyright (c) 2001-2004, Roger Dingledine.
3  * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
4  * Copyright (c) 2007-2021, The Tor Project, Inc. */
5 /* See LICENSE for licensing information */
6 
7 /**
8  * \file crypto_dh.c
9  * \brief Block of functions related with DH utilities and operations.
10  * over Z_p. We aren't using this for any new crypto -- EC is more
11  * efficient.
12  **/
13 
14 #include "lib/crypt_ops/compat_openssl.h"
19 #include "lib/log/log.h"
20 #include "lib/log/util_bug.h"
21 
22 /** Our DH 'g' parameter */
23 const unsigned DH_GENERATOR = 2;
24 /** This is the 1024-bit safe prime that Apache uses for its DH stuff; see
25  * modules/ssl/ssl_engine_dh.c; Apache also uses a generator of 2 with this
26  * prime.
27  */
28 const char TLS_DH_PRIME[] =
29  "D67DE440CBBBDC1936D693D34AFD0AD50C84D239A45F520BB88174CB98"
30  "BCE951849F912E639C72FB13B4B4D7177E16D55AC179BA420B2A29FE324A"
31  "467A635E81FF5901377BEDDCFD33168A461AAD3B72DAE8860078045B07A7"
32  "DBCA7874087D1510EA9FCC9DDD330507DD62DB88AEAA747DE0F4D6E2BD68"
33  "B0E7393E0F24218EB3";
34 /**
35  * This is from rfc2409, section 6.2. It's a safe prime, and
36  * supposedly it equals:
37  * 2^1024 - 2^960 - 1 + 2^64 * { [2^894 pi] + 129093 }.
38  */
39 const char OAKLEY_PRIME_2[] =
40  "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E08"
41  "8A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B"
42  "302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9"
43  "A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE6"
44  "49286651ECE65381FFFFFFFFFFFFFFFF";
45 
46 void
47 crypto_dh_init(void)
48 {
49 #ifdef ENABLE_OPENSSL
51 #endif
52 #ifdef ENABLE_NSS
53  crypto_dh_init_nss();
54 #endif
55 }
56 
57 void
58 crypto_dh_free_all(void)
59 {
60 #ifdef ENABLE_OPENSSL
61  crypto_dh_free_all_openssl();
62 #endif
63 #ifdef ENABLE_NSS
64  crypto_dh_free_all_nss();
65 #endif
66 }
67 
68 /** Given a DH key exchange object, and our peer's value of g^y (as a
69  * <b>pubkey_len</b>-byte value in <b>pubkey</b>) generate
70  * <b>secret_bytes_out</b> bytes of shared key material and write them
71  * to <b>secret_out</b>. Return the number of bytes generated on success,
72  * or -1 on failure.
73  *
74  * (We generate key material by computing
75  * SHA1( g^xy || "\x00" ) || SHA1( g^xy || "\x01" ) || ...
76  * where || is concatenation.)
77  */
78 ssize_t
80  const char *pubkey, size_t pubkey_len,
81  char *secret_out, size_t secret_bytes_out)
82 {
83  tor_assert(secret_bytes_out/DIGEST_LEN <= 255);
84 
85  unsigned char *secret_tmp = NULL;
86  size_t secret_len=0, secret_tmp_len=0;
87  secret_tmp_len = crypto_dh_get_bytes(dh);
88  secret_tmp = tor_malloc(secret_tmp_len);
89 
90  ssize_t result = crypto_dh_handshake(severity, dh, pubkey, pubkey_len,
91  secret_tmp, secret_tmp_len);
92  if (result < 0)
93  goto error;
94 
95  secret_len = result;
96  if (crypto_expand_key_material_TAP(secret_tmp, secret_len,
97  (uint8_t*)secret_out, secret_bytes_out)<0)
98  goto error;
99  secret_len = secret_bytes_out;
100 
101  goto done;
102  error:
103  result = -1;
104  done:
105  if (secret_tmp) {
106  memwipe(secret_tmp, 0, secret_tmp_len);
107  tor_free(secret_tmp);
108  }
109  if (result < 0)
110  return result;
111  else
112  return secret_len;
113 }
ssize_t crypto_dh_compute_secret(int severity, crypto_dh_t *dh, const char *pubkey, size_t pubkey_len, char *secret_out, size_t secret_bytes_out)
Definition: crypto_dh.c:79
const char OAKLEY_PRIME_2[]
Definition: crypto_dh.c:39
const char TLS_DH_PRIME[]
Definition: crypto_dh.c:28
const unsigned DH_GENERATOR
Definition: crypto_dh.c:23
Headers for crypto_dh.c.
int crypto_dh_get_bytes(crypto_dh_t *dh)
Definition: crypto_dh_nss.c:93
ssize_t crypto_dh_handshake(int severity, crypto_dh_t *dh, const char *pubkey, size_t pubkey_len, unsigned char *secret_out, size_t secret_bytes_out)
void crypto_dh_init_openssl(void)
Headers for crypto_digest.c.
int crypto_expand_key_material_TAP(const uint8_t *key_in, size_t key_in_len, uint8_t *key_out, size_t key_out_len)
Definition: crypto_hkdf.c:43
Headers for crypto_hkdf.h.
void memwipe(void *mem, uint8_t byte, size_t sz)
Definition: crypto_util.c:55
Common functions for cryptographic routines.
#define DIGEST_LEN
Definition: digest_sizes.h:20
Headers for log.c.
#define tor_free(p)
Definition: malloc.h:52
Macros to manage assertions, fatal and non-fatal.
#define tor_assert(expr)
Definition: util_bug.h:102