tor  0.4.2.0-alpha-dev
crypto_dh_openssl.c
Go to the documentation of this file.
1 /* Copyright (c) 2001, Matej Pfajfar.
2  * Copyright (c) 2001-2004, Roger Dingledine.
3  * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
4  * Copyright (c) 2007-2019, The Tor Project, Inc. */
5 /* See LICENSE for licensing information */
6 
12 #include "lib/crypt_ops/compat_openssl.h"
17 #include "lib/log/log.h"
18 #include "lib/log/util_bug.h"
19 
20 DISABLE_GCC_WARNING(redundant-decls)
21 
22 #include <openssl/dh.h>
23 
24 ENABLE_GCC_WARNING(redundant-decls)
25 
26 #include <openssl/bn.h>
27 #include <string.h>
28 
29 #ifndef ENABLE_NSS
30 static int tor_check_dh_key(int severity, const BIGNUM *bn);
31 
34 struct crypto_dh_t {
35  DH *dh;
36 };
37 #endif /* !defined(ENABLE_NSS) */
38 
39 static DH *new_openssl_dh_from_params(BIGNUM *p, BIGNUM *g);
40 
42 static BIGNUM *dh_param_p = NULL;
44 static BIGNUM *dh_param_p_tls = NULL;
46 static BIGNUM *dh_param_g = NULL;
47 
48 /* This function is disabled unless we change the DH parameters. */
49 #if 0
50 
54 static int
55 crypto_validate_dh_params(const BIGNUM *p, const BIGNUM *g)
56 {
57  DH *dh = NULL;
58  int ret = -1;
59 
60  /* Copy into a temporary DH object, just so that DH_check() can be called. */
61  if (!(dh = DH_new()))
62  goto out;
63 #ifdef OPENSSL_1_1_API
64  BIGNUM *dh_p, *dh_g;
65  if (!(dh_p = BN_dup(p)))
66  goto out;
67  if (!(dh_g = BN_dup(g)))
68  goto out;
69  if (!DH_set0_pqg(dh, dh_p, NULL, dh_g))
70  goto out;
71 #else /* !(defined(OPENSSL_1_1_API)) */
72  if (!(dh->p = BN_dup(p)))
73  goto out;
74  if (!(dh->g = BN_dup(g)))
75  goto out;
76 #endif /* defined(OPENSSL_1_1_API) */
77 
78  /* Perform the validation. */
79  int codes = 0;
80  if (!DH_check(dh, &codes))
81  goto out;
82  if (BN_is_word(g, DH_GENERATOR_2)) {
83  /* Per https://wiki.openssl.org/index.php/Diffie-Hellman_parameters
84  *
85  * OpenSSL checks the prime is congruent to 11 when g = 2; while the
86  * IETF's primes are congruent to 23 when g = 2.
87  */
88  BN_ULONG residue = BN_mod_word(p, 24);
89  if (residue == 11 || residue == 23)
90  codes &= ~DH_NOT_SUITABLE_GENERATOR;
91  }
92  if (codes != 0) /* Specifics on why the params suck is irrelevant. */
93  goto out;
94 
95  /* Things are probably not evil. */
96  ret = 0;
97 
98  out:
99  if (dh)
100  DH_free(dh);
101  return ret;
102 }
103 #endif /* 0 */
104 
109 static BIGNUM *
110 bignum_from_hex(const char *hex)
111 {
112  BIGNUM *result = BN_new();
113  tor_assert(result);
114 
115  int r = BN_hex2bn(&result, hex);
116  tor_assert(r);
117  tor_assert(result);
118  return result;
119 }
120 
124 static void
126 {
127  BIGNUM *generator;
128  int r;
129 
130  if (dh_param_g)
131  return;
132 
133  generator = BN_new();
134  tor_assert(generator);
135 
136  r = BN_set_word(generator, DH_GENERATOR);
137  tor_assert(r);
138 
139  dh_param_g = generator;
140 }
141 
143 void
145 {
147  return;
148 
149  tor_assert(dh_param_g == NULL);
150  tor_assert(dh_param_p == NULL);
151  tor_assert(dh_param_p_tls == NULL);
152 
156 
157  /* Checks below are disabled unless we change the hardcoded DH parameters. */
158 #if 0
159  tor_assert(0 == crypto_validate_dh_params(dh_param_p, dh_param_g));
160  tor_assert(0 == crypto_validate_dh_params(dh_param_p_tls, dh_param_g));
161 #endif
162 }
163 
168 #define DH_PRIVATE_KEY_BITS 320
169 
172 DH *
174 {
176 }
177 
178 #ifndef ENABLE_NSS
179 
182 crypto_dh_t *
183 crypto_dh_new(int dh_type)
184 {
185  crypto_dh_t *res = tor_malloc_zero(sizeof(crypto_dh_t));
186 
187  tor_assert(dh_type == DH_TYPE_CIRCUIT || dh_type == DH_TYPE_TLS ||
188  dh_type == DH_TYPE_REND);
189 
190  if (!dh_param_p)
191  crypto_dh_init();
192 
193  BIGNUM *dh_p = NULL;
194  if (dh_type == DH_TYPE_TLS) {
195  dh_p = dh_param_p_tls;
196  } else {
197  dh_p = dh_param_p;
198  }
199 
201  if (res->dh == NULL)
202  tor_free(res); // sets res to NULL.
203  return res;
204 }
205 #endif /* !defined(ENABLE_NSS) */
206 
208 static DH *
209 new_openssl_dh_from_params(BIGNUM *p, BIGNUM *g)
210 {
211  DH *res_dh;
212  if (!(res_dh = DH_new()))
213  goto err;
214 
215  BIGNUM *dh_p = NULL, *dh_g = NULL;
216  dh_p = BN_dup(p);
217  if (!dh_p)
218  goto err;
219 
220  dh_g = BN_dup(g);
221  if (!dh_g) {
222  BN_free(dh_p);
223  goto err;
224  }
225 
226 #ifdef OPENSSL_1_1_API
227 
228  if (!DH_set0_pqg(res_dh, dh_p, NULL, dh_g)) {
229  goto err;
230  }
231 
232  if (!DH_set_length(res_dh, DH_PRIVATE_KEY_BITS))
233  goto err;
234 #else /* !(defined(OPENSSL_1_1_API)) */
235  res_dh->p = dh_p;
236  res_dh->g = dh_g;
237  res_dh->length = DH_PRIVATE_KEY_BITS;
238 #endif /* defined(OPENSSL_1_1_API) */
239 
240  return res_dh;
241 
242  /* LCOV_EXCL_START
243  * This error condition is only reached when an allocation fails */
244  err:
245  crypto_openssl_log_errors(LOG_WARN, "creating DH object");
246  if (res_dh) DH_free(res_dh); /* frees p and g too */
247  return NULL;
248  /* LCOV_EXCL_STOP */
249 }
250 
251 #ifndef ENABLE_NSS
252 
253 crypto_dh_t *
255 {
256  crypto_dh_t *dh_new = tor_malloc_zero(sizeof(crypto_dh_t));
257  tor_assert(dh);
258  tor_assert(dh->dh);
259  dh_new->dh = dh->dh;
260  DH_up_ref(dh->dh);
261  return dh_new;
262 }
263 
266 int
268 {
269  tor_assert(dh);
270  return DH_size(dh->dh);
271 }
272 
276 int
278 {
279 #ifndef OPENSSL_1_1_API
280  again:
281 #endif
282  if (!DH_generate_key(dh->dh)) {
283  /* LCOV_EXCL_START
284  * To test this we would need some way to tell openssl to break DH. */
285  crypto_openssl_log_errors(LOG_WARN, "generating DH key");
286  return -1;
287  /* LCOV_EXCL_STOP */
288  }
289 #ifdef OPENSSL_1_1_API
290  /* OpenSSL 1.1.x doesn't appear to let you regenerate a DH key, without
291  * recreating the DH object. I have no idea what sort of aliasing madness
292  * can occur here, so do the check, and just bail on failure.
293  */
294  const BIGNUM *pub_key, *priv_key;
295  DH_get0_key(dh->dh, &pub_key, &priv_key);
296  if (tor_check_dh_key(LOG_WARN, pub_key)<0) {
297  log_warn(LD_CRYPTO, "Weird! Our own DH key was invalid. I guess once-in-"
298  "the-universe chances really do happen. Treating as a failure.");
299  return -1;
300  }
301 #else /* !(defined(OPENSSL_1_1_API)) */
302  if (tor_check_dh_key(LOG_WARN, dh->dh->pub_key)<0) {
303  /* LCOV_EXCL_START
304  * If this happens, then openssl's DH implementation is busted. */
305  log_warn(LD_CRYPTO, "Weird! Our own DH key was invalid. I guess once-in-"
306  "the-universe chances really do happen. Trying again.");
307  /* Free and clear the keys, so OpenSSL will actually try again. */
308  BN_clear_free(dh->dh->pub_key);
309  BN_clear_free(dh->dh->priv_key);
310  dh->dh->pub_key = dh->dh->priv_key = NULL;
311  goto again;
312  /* LCOV_EXCL_STOP */
313  }
314 #endif /* defined(OPENSSL_1_1_API) */
315  return 0;
316 }
317 
322 int
323 crypto_dh_get_public(crypto_dh_t *dh, char *pubkey, size_t pubkey_len)
324 {
325  int bytes;
326  tor_assert(dh);
327 
328  const BIGNUM *dh_pub;
329 
330 #ifdef OPENSSL_1_1_API
331  const BIGNUM *dh_priv;
332  DH_get0_key(dh->dh, &dh_pub, &dh_priv);
333 #else
334  dh_pub = dh->dh->pub_key;
335 #endif /* defined(OPENSSL_1_1_API) */
336 
337  if (!dh_pub) {
338  if (crypto_dh_generate_public(dh)<0)
339  return -1;
340  else {
341 #ifdef OPENSSL_1_1_API
342  DH_get0_key(dh->dh, &dh_pub, &dh_priv);
343 #else
344  dh_pub = dh->dh->pub_key;
345 #endif
346  }
347  }
348 
349  tor_assert(dh_pub);
350  bytes = BN_num_bytes(dh_pub);
351  tor_assert(bytes >= 0);
352  if (pubkey_len < (size_t)bytes) {
353  log_warn(LD_CRYPTO,
354  "Weird! pubkey_len (%d) was smaller than DH1024_KEY_LEN (%d)",
355  (int) pubkey_len, bytes);
356  return -1;
357  }
358 
359  memset(pubkey, 0, pubkey_len);
360  BN_bn2bin(dh_pub, (unsigned char*)(pubkey+(pubkey_len-bytes)));
361 
362  return 0;
363 }
364 
369 static int
370 tor_check_dh_key(int severity, const BIGNUM *bn)
371 {
372  BIGNUM *x;
373  char *s;
374  tor_assert(bn);
375  x = BN_new();
376  tor_assert(x);
377  if (BUG(!dh_param_p))
378  crypto_dh_init(); //LCOV_EXCL_LINE we already checked whether we did this.
379  BN_set_word(x, 1);
380  if (BN_cmp(bn,x)<=0) {
381  log_fn(severity, LD_CRYPTO, "DH key must be at least 2.");
382  goto err;
383  }
384  BN_copy(x,dh_param_p);
385  BN_sub_word(x, 1);
386  if (BN_cmp(bn,x)>=0) {
387  log_fn(severity, LD_CRYPTO, "DH key must be at most p-2.");
388  goto err;
389  }
390  BN_clear_free(x);
391  return 0;
392  err:
393  BN_clear_free(x);
394  s = BN_bn2hex(bn);
395  log_fn(severity, LD_CRYPTO, "Rejecting insecure DH key [%s]", s);
396  OPENSSL_free(s);
397  return -1;
398 }
399 
408 ssize_t
410  const char *pubkey, size_t pubkey_len,
411  unsigned char *secret_out, size_t secret_bytes_out)
412 {
413  BIGNUM *pubkey_bn = NULL;
414  size_t secret_len=0;
415  int result=0;
416 
417  tor_assert(dh);
418  tor_assert(secret_bytes_out/DIGEST_LEN <= 255);
419  tor_assert(pubkey_len < INT_MAX);
420 
421  if (BUG(crypto_dh_get_bytes(dh) > (int)secret_bytes_out)) {
422  goto error;
423  }
424 
425  if (!(pubkey_bn = BN_bin2bn((const unsigned char*)pubkey,
426  (int)pubkey_len, NULL)))
427  goto error;
428  if (tor_check_dh_key(severity, pubkey_bn)<0) {
429  /* Check for invalid public keys. */
430  log_fn(severity, LD_CRYPTO,"Rejected invalid g^x");
431  goto error;
432  }
433  result = DH_compute_key(secret_out, pubkey_bn, dh->dh);
434  if (result < 0) {
435  log_warn(LD_CRYPTO,"DH_compute_key() failed.");
436  goto error;
437  }
438  secret_len = result;
439 
440  goto done;
441  error:
442  result = -1;
443  done:
444  crypto_openssl_log_errors(LOG_WARN, "completing DH handshake");
445  if (pubkey_bn)
446  BN_clear_free(pubkey_bn);
447  if (result < 0)
448  return result;
449  else
450  return secret_len;
451 }
452 
455 void
457 {
458  if (!dh)
459  return;
460  tor_assert(dh->dh);
461  DH_free(dh->dh);
462  tor_free(dh);
463 }
464 #endif /* !defined(ENABLE_NSS) */
465 
466 void
467 crypto_dh_free_all_openssl(void)
468 {
469  if (dh_param_p)
470  BN_clear_free(dh_param_p);
471  if (dh_param_p_tls)
472  BN_clear_free(dh_param_p_tls);
473  if (dh_param_g)
474  BN_clear_free(dh_param_g);
475 
477 }
const char OAKLEY_PRIME_2[]
Definition: crypto_dh.c:39
const char TLS_DH_PRIME[]
Definition: crypto_dh.c:28
Headers for crypto_dh.c.
int crypto_dh_get_bytes(crypto_dh_t *dh)
static BIGNUM * dh_param_p
void crypto_openssl_log_errors(int severity, const char *doing)
int crypto_dh_generate_public(crypto_dh_t *dh)
#define tor_free(p)
Definition: malloc.h:52
ssize_t crypto_dh_handshake(int severity, crypto_dh_t *dh, const char *pubkey, size_t pubkey_len, unsigned char *secret_out, size_t secret_bytes_out)
static int tor_check_dh_key(int severity, const BIGNUM *bn)
crypto_dh_t * crypto_dh_dup(const crypto_dh_t *dh)
static DH * new_openssl_dh_from_params(BIGNUM *p, BIGNUM *g)
static void crypto_set_dh_generator(void)
Headers for crypto_hkdf.h.
Common functions for cryptographic routines.
tor_assert(buffer)
#define DIGEST_LEN
Definition: digest_sizes.h:20
void crypto_dh_free_(crypto_dh_t *dh)
DH * crypto_dh_new_openssl_tls(void)
const unsigned DH_GENERATOR
Definition: crypto_dh.c:23
static BIGNUM * bignum_from_hex(const char *hex)
void crypto_dh_init_openssl(void)
#define LOG_WARN
Definition: log.h:51
Headers for crypto_digest.c.
crypto_dh_t * crypto_dh_new(int dh_type)
#define log_fn(severity, domain, args,...)
Definition: log.h:274
static BIGNUM * dh_param_p_tls
static BIGNUM * dh_param_g
Headers for log.c.
int crypto_dh_get_public(crypto_dh_t *dh, char *pubkey, size_t pubkey_len)
#define LD_CRYPTO
Definition: log.h:62
Macros to manage assertions, fatal and non-fatal.
#define DH_PRIVATE_KEY_BITS