summaryrefslogtreecommitdiff
path: root/scripts/codegen
diff options
context:
space:
mode:
Diffstat (limited to 'scripts/codegen')
-rwxr-xr-xscripts/codegen/gen_linux_syscalls.pl37
-rwxr-xr-xscripts/codegen/gen_server_ciphers.py115
-rw-r--r--scripts/codegen/get_mozilla_ciphers.py210
-rw-r--r--scripts/codegen/makedesc.py218
-rwxr-xr-xscripts/codegen/run_trunnel.sh11
5 files changed, 591 insertions, 0 deletions
diff --git a/scripts/codegen/gen_linux_syscalls.pl b/scripts/codegen/gen_linux_syscalls.pl
new file mode 100755
index 0000000000..f985bad6c9
--- /dev/null
+++ b/scripts/codegen/gen_linux_syscalls.pl
@@ -0,0 +1,37 @@
+#!/usr/bin/perl -w
+
+use strict;
+my %syscalls = ();
+
+while (<>) {
+ if (/^#define (__NR_\w+) /) {
+ $syscalls{$1} = 1;
+ }
+}
+
+print <<EOL;
+/* Automatically generated with
+ gen_linux_syscalls.pl /usr/include/asm/unistd*.h
+ Do not edit.
+ */
+static const struct {
+ int syscall_num; const char *syscall_name;
+} SYSCALLS_BY_NUMBER[] = {
+EOL
+
+for my $k (sort keys %syscalls) {
+ my $name = $k;
+ $name =~ s/^__NR_//;
+ print <<EOL;
+#ifdef $k
+ { $k, "$name" },
+#endif
+EOL
+
+}
+
+print <<EOL
+ {0, NULL}
+};
+
+EOL
diff --git a/scripts/codegen/gen_server_ciphers.py b/scripts/codegen/gen_server_ciphers.py
new file mode 100755
index 0000000000..97ed9d0469
--- /dev/null
+++ b/scripts/codegen/gen_server_ciphers.py
@@ -0,0 +1,115 @@
+#!/usr/bin/python
+# Copyright 2014, The Tor Project, Inc
+# See LICENSE for licensing information
+
+# This script parses openssl headers to find ciphersuite names, determines
+# which ones we should be willing to use as a server, and sorts them according
+# to preference rules.
+#
+# Run it on all the files in your openssl include directory.
+
+import re
+import sys
+
+EPHEMERAL_INDICATORS = [ "_EDH_", "_DHE_", "_ECDHE_" ]
+BAD_STUFF = [ "_DES_40_", "MD5", "_RC4_", "_DES_64_",
+ "_SEED_", "_CAMELLIA_", "_NULL" ]
+
+# these never get #ifdeffed.
+MANDATORY = [
+ "TLS1_TXT_DHE_RSA_WITH_AES_256_SHA",
+ "TLS1_TXT_DHE_RSA_WITH_AES_128_SHA",
+ "SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA",
+]
+
+def find_ciphers(filename):
+ with open(filename) as f:
+ for line in f:
+ m = re.search(r'(?:SSL3|TLS1)_TXT_\w+', line)
+ if m:
+ yield m.group(0)
+
+def usable_cipher(ciph):
+ ephemeral = False
+ for e in EPHEMERAL_INDICATORS:
+ if e in ciph:
+ ephemeral = True
+ if not ephemeral:
+ return False
+
+ if "_RSA_" not in ciph:
+ return False
+
+ for b in BAD_STUFF:
+ if b in ciph:
+ return False
+ return True
+
+# All fields we sort on, in order of priority.
+FIELDS = [ 'cipher', 'fwsec', 'mode', 'digest', 'bitlength' ]
+# Map from sorted fields to recognized value in descending order of goodness
+FIELD_VALS = { 'cipher' : [ 'AES', 'DES'],
+ 'fwsec' : [ 'ECDHE', 'DHE' ],
+ 'mode' : [ 'GCM', 'CBC' ],
+ 'digest' : [ 'SHA384', 'SHA256', 'SHA' ],
+ 'bitlength' : [ '256', '128', '192' ],
+}
+
+class Ciphersuite(object):
+ def __init__(self, name, fwsec, cipher, bitlength, mode, digest):
+ self.name = name
+ self.fwsec = fwsec
+ self.cipher = cipher
+ self.bitlength = bitlength
+ self.mode = mode
+ self.digest = digest
+
+ for f in FIELDS:
+ assert(getattr(self, f) in FIELD_VALS[f])
+
+ def sort_key(self):
+ return tuple(FIELD_VALS[f].index(getattr(self,f)) for f in FIELDS)
+
+
+def parse_cipher(ciph):
+ m = re.match('(?:TLS1|SSL3)_TXT_(EDH|DHE|ECDHE)_RSA(?:_WITH)?_(AES|DES)_(256|128|192)(|_CBC|_CBC3|_GCM)_(SHA|SHA256|SHA384)$', ciph)
+
+ if not m:
+ print "/* Couldn't parse %s ! */"%ciph
+ return None
+
+ fwsec, cipher, bits, mode, digest = m.groups()
+ if fwsec == 'EDH':
+ fwsec = 'DHE'
+
+ if mode in [ '_CBC3', '_CBC', '' ]:
+ mode = 'CBC'
+ elif mode == '_GCM':
+ mode = 'GCM'
+
+ return Ciphersuite(ciph, fwsec, cipher, bits, mode, digest)
+
+ALL_CIPHERS = []
+
+for fname in sys.argv[1:]:
+ ALL_CIPHERS += (parse_cipher(c)
+ for c in find_ciphers(fname)
+ if usable_cipher(c) )
+
+ALL_CIPHERS.sort(key=Ciphersuite.sort_key)
+
+for c in ALL_CIPHERS:
+ if c is ALL_CIPHERS[-1]:
+ colon = ';'
+ else:
+ colon = ' ":"'
+
+ if c.name in MANDATORY:
+ print " /* Required */"
+ print ' %s%s'%(c.name,colon)
+ else:
+ print "#ifdef %s"%c.name
+ print ' %s%s'%(c.name,colon)
+ print "#endif"
+
+
diff --git a/scripts/codegen/get_mozilla_ciphers.py b/scripts/codegen/get_mozilla_ciphers.py
new file mode 100644
index 0000000000..0636eb3658
--- /dev/null
+++ b/scripts/codegen/get_mozilla_ciphers.py
@@ -0,0 +1,210 @@
+#!/usr/bin/python
+# coding=utf-8
+# Copyright 2011, The Tor Project, Inc
+# original version by Arturo Filastò
+# See LICENSE for licensing information
+
+# This script parses Firefox and OpenSSL sources, and uses this information
+# to generate a ciphers.inc file.
+#
+# It takes two arguments: the location of a firefox source directory, and the
+# location of an openssl source directory.
+
+import os
+import re
+import sys
+
+if len(sys.argv) != 3:
+ print >>sys.stderr, "Syntax: get_mozilla_ciphers.py <firefox-source-dir> <openssl-source-dir>"
+ sys.exit(1)
+
+ff_root = sys.argv[1]
+ossl_root = sys.argv[2]
+
+def ff(s):
+ return os.path.join(ff_root, s)
+def ossl(s):
+ return os.path.join(ossl_root, s)
+
+#####
+# Read the cpp file to understand what Ciphers map to what name :
+# Make "ciphers" a map from name used in the javascript to a cipher macro name
+fileA = open(ff('security/manager/ssl/src/nsNSSComponent.cpp'),'r')
+
+# The input format is a file containing exactly one section of the form:
+# static CipherPref CipherPrefs[] = {
+# {"name", MACRO_NAME}, // comment
+# ...
+# {NULL, 0}
+# }
+
+inCipherSection = False
+cipherLines = []
+for line in fileA:
+ if line.startswith('static const CipherPref sCipherPrefs[]'):
+ # Get the starting boundary of the Cipher Preferences
+ inCipherSection = True
+ elif inCipherSection:
+ line = line.strip()
+ if line.startswith('{ nullptr, 0}'):
+ # At the ending boundary of the Cipher Prefs
+ break
+ else:
+ cipherLines.append(line)
+fileA.close()
+
+# Parse the lines and put them into a dict
+ciphers = {}
+cipher_pref = {}
+key_pending = None
+for line in cipherLines:
+ m = re.search(r'^{\s*\"([^\"]+)\",\s*(\S+)\s*(?:,\s*(true|false))?\s*}', line)
+ if m:
+ assert not key_pending
+ key,value,enabled = m.groups()
+ if enabled == 'true':
+ ciphers[key] = value
+ cipher_pref[value] = key
+ continue
+ m = re.search(r'^{\s*\"([^\"]+)\",', line)
+ if m:
+ assert not key_pending
+ key_pending = m.group(1)
+ continue
+ m = re.search(r'^\s*(\S+)(?:,\s*(true|false))?\s*}', line)
+ if m:
+ assert key_pending
+ key = key_pending
+ value,enabled = m.groups()
+ key_pending = None
+ if enabled == 'true':
+ ciphers[key] = value
+ cipher_pref[value] = key
+
+####
+# Now find the correct order for the ciphers
+fileC = open(ff('security/nss/lib/ssl/ssl3con.c'), 'r')
+firefox_ciphers = []
+inEnum=False
+for line in fileC:
+ if not inEnum:
+ if "ssl3CipherSuiteCfg cipherSuites[" in line:
+ inEnum = True
+ continue
+
+ if line.startswith("};"):
+ break
+
+ m = re.match(r'^\s*\{\s*([A-Z_0-9]+),', line)
+ if m:
+ firefox_ciphers.append(m.group(1))
+
+fileC.close()
+
+#####
+# Read the JS file to understand what ciphers are enabled. The format is
+# pref("name", true/false);
+# Build a map enabled_ciphers from javascript name to "true" or "false",
+# and an (unordered!) list of the macro names for those ciphers that are
+# enabled.
+fileB = open(ff('netwerk/base/public/security-prefs.js'), 'r')
+
+enabled_ciphers = {}
+for line in fileB:
+ m = re.match(r'pref\(\"([^\"]+)\"\s*,\s*(\S*)\s*\)', line)
+ if not m:
+ continue
+ key, val = m.groups()
+ if key.startswith("security.ssl3"):
+ enabled_ciphers[key] = val
+fileB.close()
+
+used_ciphers = []
+for k, v in enabled_ciphers.items():
+ if v == "true":
+ used_ciphers.append(ciphers[k])
+
+#oSSLinclude = ('/usr/include/openssl/ssl3.h', '/usr/include/openssl/ssl.h',
+# '/usr/include/openssl/ssl2.h', '/usr/include/openssl/ssl23.h',
+# '/usr/include/openssl/tls1.h')
+oSSLinclude = ('ssl/ssl3.h', 'ssl/ssl.h',
+ 'ssl/ssl2.h', 'ssl/ssl23.h',
+ 'ssl/tls1.h')
+
+#####
+# This reads the hex code for the ciphers that are used by firefox.
+# sslProtoD is set to a map from macro name to macro value in sslproto.h;
+# cipher_codes is set to an (unordered!) list of these hex values.
+sslProto = open(ff('security/nss/lib/ssl/sslproto.h'), 'r')
+sslProtoD = {}
+
+for line in sslProto:
+ m = re.match('#define\s+(\S+)\s+(\S+)', line)
+ if m:
+ key, value = m.groups()
+ sslProtoD[key] = value
+sslProto.close()
+
+cipher_codes = []
+for x in used_ciphers:
+ cipher_codes.append(sslProtoD[x].lower())
+
+####
+# Now read through all the openssl include files, and try to find the openssl
+# macro names for those files.
+openssl_macro_by_hex = {}
+all_openssl_macros = {}
+for fl in oSSLinclude:
+ fp = open(ossl(fl), 'r')
+ for line in fp.readlines():
+ m = re.match('#define\s+(\S+)\s+(\S+)', line)
+ if m:
+ value,key = m.groups()
+ if key.startswith('0x') and "_CK_" in value:
+ key = key.replace('0x0300','0x').lower()
+ #print "%s %s" % (key, value)
+ openssl_macro_by_hex[key] = value
+ all_openssl_macros[value]=key
+ fp.close()
+
+# Now generate the output.
+print """\
+/* This is an include file used to define the list of ciphers clients should
+ * advertise. Before including it, you should define the CIPHER and XCIPHER
+ * macros.
+ *
+ * This file was automatically generated by get_mozilla_ciphers.py.
+ */"""
+# Go in order by the order in CipherPrefs
+for firefox_macro in firefox_ciphers:
+
+ try:
+ js_cipher_name = cipher_pref[firefox_macro]
+ except KeyError:
+ # This one has no javascript preference.
+ continue
+
+ # The cipher needs to be enabled in security-prefs.js
+ if enabled_ciphers.get(js_cipher_name, 'false') != 'true':
+ continue
+
+ hexval = sslProtoD[firefox_macro].lower()
+
+ try:
+ openssl_macro = openssl_macro_by_hex[hexval.lower()]
+ openssl_macro = openssl_macro.replace("_CK_", "_TXT_")
+ if openssl_macro not in all_openssl_macros:
+ raise KeyError()
+ format = {'hex':hexval, 'macro':openssl_macro, 'note':""}
+ except KeyError:
+ # openssl doesn't have a macro for this.
+ format = {'hex':hexval, 'macro':firefox_macro,
+ 'note':"/* No openssl macro found for "+hexval+" */\n"}
+
+ res = """\
+%(note)s#ifdef %(macro)s
+ CIPHER(%(hex)s, %(macro)s)
+#else
+ XCIPHER(%(hex)s, %(macro)s)
+#endif""" % format
+ print res
diff --git a/scripts/codegen/makedesc.py b/scripts/codegen/makedesc.py
new file mode 100644
index 0000000000..e0b2aed3f4
--- /dev/null
+++ b/scripts/codegen/makedesc.py
@@ -0,0 +1,218 @@
+#!/usr/bin/python
+# Copyright 2014, The Tor Project, Inc.
+# See LICENSE for license information
+
+# This is a kludgey python script that uses ctypes and openssl to sign
+# router descriptors and extrainfo documents and put all the keys in
+# the right places. There are examples at the end of the file.
+
+# I've used this to make inputs for unit tests. I wouldn't suggest
+# using it for anything else.
+
+import base64
+import binascii
+import ctypes
+import ctypes.util
+import hashlib
+
+crypt = ctypes.CDLL(ctypes.util.find_library('crypto'))
+BIO_s_mem = crypt.BIO_s_mem
+BIO_s_mem.argtypes = []
+BIO_s_mem.restype = ctypes.c_void_p
+
+BIO_new = crypt.BIO_new
+BIO_new.argtypes = [ctypes.c_void_p]
+BIO_new.restype = ctypes.c_void_p
+
+RSA_generate_key = crypt.RSA_generate_key
+RSA_generate_key.argtypes = [ctypes.c_int, ctypes.c_ulong, ctypes.c_void_p, ctypes.c_void_p]
+RSA_generate_key.restype = ctypes.c_void_p
+
+RSA_private_encrypt = crypt.RSA_private_encrypt
+RSA_private_encrypt.argtypes = [
+ ctypes.c_int, ctypes.c_char_p, ctypes.c_void_p, ctypes.c_void_p, ctypes.c_int ]
+RSA_private_encrypt.restype = ctypes.c_int
+
+i2d_RSAPublicKey = crypt.i2d_RSAPublicKey
+i2d_RSAPublicKey.argtypes = [
+ ctypes.c_void_p, ctypes.POINTER(ctypes.c_char_p)
+]
+i2d_RSAPublicKey.restype = ctypes.c_int
+
+def b64(x):
+ x = base64.b64encode(x)
+ res = []
+ for i in xrange(0, len(x), 64):
+ res.append(x[i:i+64]+"\n")
+ return "".join(res)
+
+def bio_extract(bio):
+ buf = ctypes.c_char_p()
+ length = crypt.BIO_ctrl(bio, 3, 0, ctypes.byref(buf))
+ return ctypes.string_at(buf, length)
+
+def make_key(e=65537):
+ rsa = crypt.RSA_generate_key(1024, e, None, None)
+ bio = BIO_new(BIO_s_mem())
+ crypt.PEM_write_bio_RSAPublicKey(bio, rsa)
+ pem = bio_extract(bio).rstrip()
+ crypt.BIO_free(bio)
+
+ buf = ctypes.create_string_buffer(1024)
+ pBuf = ctypes.c_char_p(ctypes.addressof(buf))
+ n = crypt.i2d_RSAPublicKey(rsa, ctypes.byref(pBuf))
+ s = buf.raw[:n]
+ digest = hashlib.sha1(s).digest()
+
+ return (rsa,pem,digest)
+
+def signdesc(body, args_out=None):
+ rsa, ident_pem, id_digest = make_key()
+ _, onion_pem, _ = make_key()
+
+ hexdigest = binascii.b2a_hex(id_digest).upper()
+ fingerprint = " ".join(hexdigest[i:i+4] for i in range(0,len(hexdigest),4))
+
+ MAGIC = "<<<<<<MAGIC>>>>>>"
+ args = {
+ "RSA-IDENTITY" : ident_pem,
+ "ONION-KEY" : onion_pem,
+ "FINGERPRINT" : fingerprint,
+ "FINGERPRINT-NOSPACE" : hexdigest,
+ "RSA-SIGNATURE" : MAGIC
+ }
+ if args_out:
+ args_out.update(args)
+ body = body.format(**args)
+
+ idx = body.rindex("\nrouter-signature")
+ end_of_sig = body.index("\n", idx+1)
+
+ signed_part = body[:end_of_sig+1]
+
+ digest = hashlib.sha1(signed_part).digest()
+ assert len(digest) == 20
+
+ buf = ctypes.create_string_buffer(1024)
+ n = RSA_private_encrypt(20, digest, buf, rsa, 1)
+ sig = buf.raw[:n]
+
+ sig = """-----BEGIN SIGNATURE-----
+%s
+-----END SIGNATURE-----""" % b64(sig).rstrip()
+ body = body.replace(MAGIC, sig)
+
+ return body.rstrip()
+
+def emit_ri(name, body, args_out=None):
+ print "const char %s[] ="%name
+ body = "\n".join(line.rstrip() for line in body.split("\n"))+"\n"
+ b = signdesc(body, args_out)
+ for line in b.split("\n"):
+ print ' "%s\\n"'%line
+ print " ;"
+
+def emit_ei(name, body):
+ args = { 'NAME' : name }
+ emit_ri(name, body, args)
+ args['key'] = "\n".join(
+ ' "%s\\n"'%line for line in args['RSA-IDENTITY'].split("\n"))
+ print """
+const char {NAME}_fp[] = "{FINGERPRINT-NOSPACE}";
+const char {NAME}_key[] =
+{key};""".format(**args)
+
+if 0:
+ emit_ri("minimal",
+ """\
+router fred 127.0.0.1 9001 0 9002
+signing-key
+{RSA-IDENTITY}
+onion-key
+{ONION-KEY}
+published 2014-10-05 12:00:00
+bandwidth 1000 1000 1000
+reject *:*
+router-signature
+{RSA-SIGNATURE}
+""")
+
+if 0:
+ emit_ri("maximal",
+ """\
+router fred 127.0.0.1 9001 0 9002
+signing-key
+{RSA-IDENTITY}
+onion-key
+{ONION-KEY}
+published 2014-10-05 12:00:00
+bandwidth 1000 1000 1000
+reject 127.0.0.1:*
+accept *:80
+reject *:*
+ipv6-policy accept 80,100,101
+ntor-onion-key s7rSohmz9SXn8WWh1EefTHIsWePthsEntQi0WL+ScVw
+uptime 1000
+hibernating 0
+unrecognized-keywords are just dandy in this format
+platform Tor 0.2.4.23 on a Banana PC Jr 6000 Series
+contact O.W.Jones
+fingerprint {FINGERPRINT}
+read-history 900 1,2,3,4
+write-history 900 1,2,3,4
+extra-info-digest AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+hidden-service-dir
+allow-single-hop-exits
+family $AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA $BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
+caches-extra-info
+or-address [::1:2:3:4]:9999
+or-address 127.0.0.99:10000
+opt fred is a fine router
+router-signature
+{RSA-SIGNATURE}
+""")
+
+if 0:
+ emit_ei("maximal",
+"""\
+extra-info bob {FINGERPRINT-NOSPACE}
+published 2014-10-05 20:07:00
+opt foobarbaz
+read-history 900 1,2,3
+write-history 900 1,2,3
+dirreq-v2-ips 1
+dirreq-v3-ips 100
+dirreq-v3-reqs blahblah
+dirreq-v2-share blahblah
+dirreq-v3-share blahblah
+dirreq-v2-resp djfkdj
+dirreq-v3-resp djfkdj
+dirreq-v2-direct-dl djfkdj
+dirreq-v3-direct-dl djfkdj
+dirreq-v2-tunneled-dl djfkdj
+dirreq-v3-tunneled-dl djfkdj
+dirreq-stats-end foobar
+entry-ips jfsdfds
+entry-stats-end ksdflkjfdkf
+cell-stats-end FOO
+cell-processed-cells FOO
+cell-queued-cells FOO
+cell-time-in-queue FOO
+cell-circuits-per-decile FOO
+exit-stats-end FOO
+exit-kibibytes-written FOO
+exit-kibibytes-read FOO
+exit-streams-opened FOO
+router-signature
+{RSA-SIGNATURE}
+""")
+
+if 0:
+ emit_ei("minimal",
+"""\
+extra-info bob {FINGERPRINT-NOSPACE}
+published 2014-10-05 20:07:00
+router-signature
+{RSA-SIGNATURE}
+""")
+
diff --git a/scripts/codegen/run_trunnel.sh b/scripts/codegen/run_trunnel.sh
new file mode 100755
index 0000000000..5f694ce6c9
--- /dev/null
+++ b/scripts/codegen/run_trunnel.sh
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+if test "x$TRUNNEL_PATH" != "x"; then
+ PYTHONPATH="${TRUNNEL_PATH}:${PYTHONPATH}"
+ export PYTHONPATH
+fi
+
+python -m trunnel --require-version=1.2 ./src/trunnel/*.trunnel
+
+python -m trunnel --require-version=1.2 --write-c-files --target-dir=./src/ext/trunnel/
+
7apu2bq3rhoylwmucxizk54afw5jyda7pho4j5zdcqpwkufke7zdzwad.onion