search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
dirvote: Fix memleak when computing consensus
[tor.git] / src / lib / crypt_ops / crypto_dh_openssl.c
blobb2bebd26555deb8d62233e6e7a59a4aeee70992c
1 /* Copyright (c) 2001, Matej Pfajfar.
2 * Copyright (c) 2001-2004, Roger Dingledine.
3 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
4 * Copyright (c) 2007-2021, The Tor Project, Inc. */
5 /* See LICENSE for licensing information */
6
7 /**
8 * \file crypto_dh_openssl.c
9 * \brief Implement Tor's Z_p diffie-hellman stuff for OpenSSL.
10 **/
11
12 #include "lib/crypt_ops/compat_openssl.h"
13 #include "lib/crypt_ops/crypto_dh.h"
14 #include "lib/crypt_ops/crypto_digest.h"
15 #include "lib/crypt_ops/crypto_hkdf.h"
16 #include "lib/crypt_ops/crypto_util.h"
17 #include "lib/log/log.h"
18 #include "lib/log/util_bug.h"
19
20 DISABLE_GCC_WARNING("-Wredundant-decls")
21
22 #include <openssl/dh.h>
23
24 ENABLE_GCC_WARNING("-Wredundant-decls")
25
26 #include <openssl/bn.h>
27 #include <string.h>
28
29 #ifndef ENABLE_NSS
30 static int tor_check_dh_key(int severity, const BIGNUM *bn);
31
32 /** A structure to hold the first half (x, g^x) of a Diffie-Hellman handshake
33 * while we're waiting for the second.*/
34 struct crypto_dh_t {
35 DH *dh; /**< The openssl DH object */
36 };
37 #endif /* !defined(ENABLE_NSS) */
38
39 static DH *new_openssl_dh_from_params(BIGNUM *p, BIGNUM *g);
40
41 /** Shared P parameter for our circuit-crypto DH key exchanges. */
42 static BIGNUM *dh_param_p = NULL;
43 /** Shared P parameter for our TLS DH key exchanges. */
44 static BIGNUM *dh_param_p_tls = NULL;
45 /** Shared G parameter for our DH key exchanges. */
46 static BIGNUM *dh_param_g = NULL;
47
48 /* This function is disabled unless we change the DH parameters. */
49 #if 0
50 /** Validate a given set of Diffie-Hellman parameters. This is moderately
51 * computationally expensive (milliseconds), so should only be called when
52 * the DH parameters change. Returns 0 on success, * -1 on failure.
53 */
54 static int
55 crypto_validate_dh_params(const BIGNUM *p, const BIGNUM *g)
56 {
57 DH *dh = NULL;
58 int ret = -1;
59
60 /* Copy into a temporary DH object, just so that DH_check() can be called. */
61 if (!(dh = DH_new()))
62 goto out;
63 #ifdef OPENSSL_1_1_API
64 BIGNUM *dh_p, *dh_g;
65 if (!(dh_p = BN_dup(p)))
66 goto out;
67 if (!(dh_g = BN_dup(g)))
68 goto out;
69 if (!DH_set0_pqg(dh, dh_p, NULL, dh_g))
70 goto out;
71 #else /* !defined(OPENSSL_1_1_API) */
72 if (!(dh->p = BN_dup(p)))
73 goto out;
74 if (!(dh->g = BN_dup(g)))
75 goto out;
76 #endif /* defined(OPENSSL_1_1_API) */
77
78 /* Perform the validation. */
79 int codes = 0;
80 if (!DH_check(dh, &codes))
81 goto out;
82 if (BN_is_word(g, DH_GENERATOR_2)) {
83 /* Per https://wiki.openssl.org/index.php/Diffie-Hellman_parameters
84 *
85 * OpenSSL checks the prime is congruent to 11 when g = 2; while the
86 * IETF's primes are congruent to 23 when g = 2.
87 */
88 BN_ULONG residue = BN_mod_word(p, 24);
89 if (residue == 11 || residue == 23)
90 codes &= ~DH_NOT_SUITABLE_GENERATOR;
91 }
92 if (codes != 0) /* Specifics on why the params suck is irrelevant. */
93 goto out;
94
95 /* Things are probably not evil. */
96 ret = 0;
97
98 out:
99 if (dh)
100 DH_free(dh);
101 return ret;
102 }
103 #endif /* 0 */
104
105 /**
106 * Helper: convert <b>hex</b> to a bignum, and return it. Assert that the
107 * operation was successful.
108 */
109 static BIGNUM *
110 bignum_from_hex(const char *hex)
111 {
112 BIGNUM *result = BN_new();
113 tor_assert(result);
114
115 int r = BN_hex2bn(&result, hex);
116 tor_assert(r);
117 tor_assert(result);
118 return result;
119 }
120
121 /** Set the global Diffie-Hellman generator, used for both TLS and internal
122 * DH stuff.
123 */
124 static void
125 crypto_set_dh_generator(void)
126 {
127 BIGNUM *generator;
128 int r;
129
130 if (dh_param_g)
131 return;
132
133 generator = BN_new();
134 tor_assert(generator);
135
136 r = BN_set_word(generator, DH_GENERATOR);
137 tor_assert(r);
138
139 dh_param_g = generator;
140 }
141
142 /** Initialize our DH parameters. Idempotent. */
143 void
144 crypto_dh_init_openssl(void)
145 {
146 if (dh_param_p && dh_param_g && dh_param_p_tls)
147 return;
148
149 tor_assert(dh_param_g == NULL);
150 tor_assert(dh_param_p == NULL);
151 tor_assert(dh_param_p_tls == NULL);
152
153 crypto_set_dh_generator();
154 dh_param_p = bignum_from_hex(OAKLEY_PRIME_2);
155 dh_param_p_tls = bignum_from_hex(TLS_DH_PRIME);
156
157 /* Checks below are disabled unless we change the hardcoded DH parameters. */
158 #if 0
159 tor_assert(0 == crypto_validate_dh_params(dh_param_p, dh_param_g));
160 tor_assert(0 == crypto_validate_dh_params(dh_param_p_tls, dh_param_g));
161 #endif
162 }
163
164 /** Number of bits to use when choosing the x or y value in a Diffie-Hellman
165 * handshake. Since we exponentiate by this value, choosing a smaller one
166 * lets our handshake go faster.
167 */
168 #define DH_PRIVATE_KEY_BITS 320
169
170 /** Used by tortls.c: Get the DH* for use with TLS.
171 */
172 DH *
173 crypto_dh_new_openssl_tls(void)
174 {
175 return new_openssl_dh_from_params(dh_param_p_tls, dh_param_g);
176 }
177
178 #ifndef ENABLE_NSS
179 /** Allocate and return a new DH object for a key exchange. Returns NULL on
180 * failure.
181 */
182 crypto_dh_t *
183 crypto_dh_new(int dh_type)
184 {
185 crypto_dh_t *res = tor_malloc_zero(sizeof(crypto_dh_t));
186
187 tor_assert(dh_type == DH_TYPE_CIRCUIT || dh_type == DH_TYPE_TLS ||
188 dh_type == DH_TYPE_REND);
189
190 if (!dh_param_p)
191 crypto_dh_init();
192
193 BIGNUM *dh_p = NULL;
194 if (dh_type == DH_TYPE_TLS) {
195 dh_p = dh_param_p_tls;
196 } else {
197 dh_p = dh_param_p;
198 }
199
200 res->dh = new_openssl_dh_from_params(dh_p, dh_param_g);
201 if (res->dh == NULL)
202 tor_free(res); // sets res to NULL.
203 return res;
204 }
205 #endif /* !defined(ENABLE_NSS) */
206
207 /** Create and return a new openssl DH from a given prime and generator. */
208 static DH *
209 new_openssl_dh_from_params(BIGNUM *p, BIGNUM *g)
210 {
211 DH *res_dh;
212 if (!(res_dh = DH_new()))
213 goto err;
214
215 BIGNUM *dh_p = NULL, *dh_g = NULL;
216 dh_p = BN_dup(p);
217 if (!dh_p)
218 goto err;
219
220 dh_g = BN_dup(g);
221 if (!dh_g) {
222 BN_free(dh_p);
223 goto err;
224 }
225
226 #ifdef OPENSSL_1_1_API
227
228 if (!DH_set0_pqg(res_dh, dh_p, NULL, dh_g)) {
229 goto err;
230 }
231
232 if (!DH_set_length(res_dh, DH_PRIVATE_KEY_BITS))
233 goto err;
234 #else /* !defined(OPENSSL_1_1_API) */
235 res_dh->p = dh_p;
236 res_dh->g = dh_g;
237 res_dh->length = DH_PRIVATE_KEY_BITS;
238 #endif /* defined(OPENSSL_1_1_API) */
239
240 return res_dh;
241
242 /* LCOV_EXCL_START
243 * This error condition is only reached when an allocation fails */
244 err:
245 crypto_openssl_log_errors(LOG_WARN, "creating DH object");
246 if (res_dh) DH_free(res_dh); /* frees p and g too */
247 return NULL;
248 /* LCOV_EXCL_STOP */
249 }
250
251 #ifndef ENABLE_NSS
252 /** Return a copy of <b>dh</b>, sharing its internal state. */
253 crypto_dh_t *
254 crypto_dh_dup(const crypto_dh_t *dh)
255 {
256 crypto_dh_t *dh_new = tor_malloc_zero(sizeof(crypto_dh_t));
257 tor_assert(dh);
258 tor_assert(dh->dh);
259 dh_new->dh = dh->dh;
260 DH_up_ref(dh->dh);
261 return dh_new;
262 }
263
264 /** Return the length of the DH key in <b>dh</b>, in bytes.
265 */
266 int
267 crypto_dh_get_bytes(crypto_dh_t *dh)
268 {
269 tor_assert(dh);
270 return DH_size(dh->dh);
271 }
272
273 /** Generate \<x,g^x\> for our part of the key exchange. Return 0 on
274 * success, -1 on failure.
275 */
276 int
277 crypto_dh_generate_public(crypto_dh_t *dh)
278 {
279 #ifndef OPENSSL_1_1_API
280 again:
281 #endif
282 if (!DH_generate_key(dh->dh)) {
283 /* LCOV_EXCL_START
284 * To test this we would need some way to tell openssl to break DH. */
285 crypto_openssl_log_errors(LOG_WARN, "generating DH key");
286 return -1;
287 /* LCOV_EXCL_STOP */
288 }
289 #ifdef OPENSSL_1_1_API
290 /* OpenSSL 1.1.x doesn't appear to let you regenerate a DH key, without
291 * recreating the DH object. I have no idea what sort of aliasing madness
292 * can occur here, so do the check, and just bail on failure.
293 */
294 const BIGNUM *pub_key, *priv_key;
295 DH_get0_key(dh->dh, &pub_key, &priv_key);
296 if (tor_check_dh_key(LOG_WARN, pub_key)<0) {
297 log_warn(LD_CRYPTO, "Weird! Our own DH key was invalid. I guess once-in-"
298 "the-universe chances really do happen. Treating as a failure.");
299 return -1;
300 }
301 #else /* !defined(OPENSSL_1_1_API) */
302 if (tor_check_dh_key(LOG_WARN, dh->dh->pub_key)<0) {
303 /* LCOV_EXCL_START
304 * If this happens, then openssl's DH implementation is busted. */
305 log_warn(LD_CRYPTO, "Weird! Our own DH key was invalid. I guess once-in-"
306 "the-universe chances really do happen. Trying again.");
307 /* Free and clear the keys, so OpenSSL will actually try again. */
308 BN_clear_free(dh->dh->pub_key);
309 BN_clear_free(dh->dh->priv_key);
310 dh->dh->pub_key = dh->dh->priv_key = NULL;
311 goto again;
312 /* LCOV_EXCL_STOP */
313 }
314 #endif /* defined(OPENSSL_1_1_API) */
315 return 0;
316 }
317
318 /** Generate g^x as necessary, and write the g^x for the key exchange
319 * as a <b>pubkey_len</b>-byte value into <b>pubkey</b>. Return 0 on
320 * success, -1 on failure. <b>pubkey_len</b> must be \>= DH1024_KEY_LEN.
321 */
322 int
323 crypto_dh_get_public(crypto_dh_t *dh, char *pubkey, size_t pubkey_len)
324 {
325 int bytes;
326 tor_assert(dh);
327
328 const BIGNUM *dh_pub;
329
330 #ifdef OPENSSL_1_1_API
331 const BIGNUM *dh_priv;
332 DH_get0_key(dh->dh, &dh_pub, &dh_priv);
333 #else
334 dh_pub = dh->dh->pub_key;
335 #endif /* defined(OPENSSL_1_1_API) */
336
337 if (!dh_pub) {
338 if (crypto_dh_generate_public(dh)<0)
339 return -1;
340 else {
341 #ifdef OPENSSL_1_1_API
342 DH_get0_key(dh->dh, &dh_pub, &dh_priv);
343 #else
344 dh_pub = dh->dh->pub_key;
345 #endif
346 }
347 }
348
349 tor_assert(dh_pub);
350 bytes = BN_num_bytes(dh_pub);
351 tor_assert(bytes >= 0);
352 if (pubkey_len < (size_t)bytes) {
353 log_warn(LD_CRYPTO,
354 "Weird! pubkey_len (%d) was smaller than DH1024_KEY_LEN (%d)",
355 (int) pubkey_len, bytes);
356 return -1;
357 }
358
359 memset(pubkey, 0, pubkey_len);
360 BN_bn2bin(dh_pub, (unsigned char*)(pubkey+(pubkey_len-bytes)));
361
362 return 0;
363 }
364
365 /** Check for bad Diffie-Hellman public keys (g^x). Return 0 if the key is
366 * okay (in the subgroup [2,p-2]), or -1 if it's bad.
367 * See http://www.cl.cam.ac.uk/ftp/users/rja14/psandqs.ps.gz for some tips.
368 */
369 static int
370 tor_check_dh_key(int severity, const BIGNUM *bn)
371 {
372 BIGNUM *x;
373 char *s;
374 tor_assert(bn);
375 x = BN_new();
376 tor_assert(x);
377 if (BUG(!dh_param_p))
378 crypto_dh_init(); //LCOV_EXCL_LINE we already checked whether we did this.
379 BN_set_word(x, 1);
380 if (BN_cmp(bn,x)<=0) {
381 log_fn(severity, LD_CRYPTO, "DH key must be at least 2.");
382 goto err;
383 }
384 BN_copy(x,dh_param_p);
385 BN_sub_word(x, 1);
386 if (BN_cmp(bn,x)>=0) {
387 log_fn(severity, LD_CRYPTO, "DH key must be at most p-2.");
388 goto err;
389 }
390 BN_clear_free(x);
391 return 0;
392 err:
393 BN_clear_free(x);
394 s = BN_bn2hex(bn);
395 log_fn(severity, LD_CRYPTO, "Rejecting insecure DH key [%s]", s);
396 OPENSSL_free(s);
397 return -1;
398 }
399
400 /** Given a DH key exchange object, and our peer's value of g^y (as a
401 * <b>pubkey_len</b>-byte value in <b>pubkey</b>) generate
402 * g^xy as a big-endian integer in <b>secret_out</b>.
403 * Return the number of bytes generated on success,
404 * or -1 on failure.
405 *
406 * This function MUST validate that g^y is actually in the group.
407 */
408 ssize_t
409 crypto_dh_handshake(int severity, crypto_dh_t *dh,
410 const char *pubkey, size_t pubkey_len,
411 unsigned char *secret_out, size_t secret_bytes_out)
412 {
413 BIGNUM *pubkey_bn = NULL;
414 size_t secret_len=0;
415 int result=0;
416
417 tor_assert(dh);
418 tor_assert(secret_bytes_out/DIGEST_LEN <= 255);
419 tor_assert(pubkey_len < INT_MAX);
420
421 if (BUG(crypto_dh_get_bytes(dh) > (int)secret_bytes_out)) {
422 goto error;
423 }
424
425 if (!(pubkey_bn = BN_bin2bn((const unsigned char*)pubkey,
426 (int)pubkey_len, NULL)))
427 goto error;
428 if (tor_check_dh_key(severity, pubkey_bn)<0) {
429 /* Check for invalid public keys. */
430 log_fn(severity, LD_CRYPTO,"Rejected invalid g^x");
431 goto error;
432 }
433 result = DH_compute_key(secret_out, pubkey_bn, dh->dh);
434 if (result < 0) {
435 log_warn(LD_CRYPTO,"DH_compute_key() failed.");
436 goto error;
437 }
438 secret_len = result;
439
440 goto done;
441 error:
442 result = -1;
443 done:
444 crypto_openssl_log_errors(LOG_WARN, "completing DH handshake");
445 if (pubkey_bn)
446 BN_clear_free(pubkey_bn);
447 if (result < 0)
448 return result;
449 else
450 return secret_len;
451 }
452
453 /** Free a DH key exchange object.
454 */
455 void
456 crypto_dh_free_(crypto_dh_t *dh)
457 {
458 if (!dh)
459 return;
460 tor_assert(dh->dh);
461 DH_free(dh->dh);
462 tor_free(dh);
463 }
464 #endif /* !defined(ENABLE_NSS) */
465
466 void
467 crypto_dh_free_all_openssl(void)
468 {
469 if (dh_param_p)
470 BN_clear_free(dh_param_p);
471 if (dh_param_p_tls)
472 BN_clear_free(dh_param_p_tls);
473 if (dh_param_g)
474 BN_clear_free(dh_param_g);
475
476 dh_param_p = dh_param_p_tls = dh_param_g = NULL;
477 }
The Onion Router