| blob | 886ee0ddac1984efd96b19453f17e70588e2bfea |
1 /* Copyright (c) 2003, Roger Dingledine.
2 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
3 * Copyright (c) 2007-2013, The Tor Project, Inc. */
4 /* See LICENSE for licensing information */
6 /**
7 * \file tortls.c
8 * \brief Wrapper functions to present a consistent interface to
9 * TLS, SSL, and X.509 functions from OpenSSL.
10 **/
12 /* (Unlike other tor functions, these
13 * are prefixed with tor_ in order to avoid conflicting with OpenSSL
14 * functions and variables.)
15 */
19 #if defined (WINCE)
20 #include <WinSock2.h>
21 #endif
23 #include <assert.h>
25 #ifndef _WIN32_WINNT
26 #define _WIN32_WINNT 0x0501
27 #endif
28 #define WIN32_LEAN_AND_MEAN
29 #if defined(_MSC_VER) && (_MSC_VER < 1300)
30 #include <winsock.h>
31 #else
32 #include <winsock2.h>
33 #include <ws2tcpip.h>
34 #endif
35 #endif
36 #include <openssl/ssl.h>
37 #include <openssl/ssl3.h>
38 #include <openssl/err.h>
39 #include <openssl/tls1.h>
40 #include <openssl/asn1.h>
41 #include <openssl/bio.h>
42 #include <openssl/opensslv.h>
44 #ifdef USE_BUFFEREVENTS
45 #include <event2/bufferevent_ssl.h>
46 #include <event2/buffer.h>
47 #include <event2/event.h>
49 #endif
52 #define TORTLS_PRIVATE
59 #include <string.h>
61 #if OPENSSL_VERSION_NUMBER < OPENSSL_V_SERIES(0,9,8)
63 #endif
65 /* Enable the "v2" TLS handshake.
66 */
67 #define V2_HANDSHAKE_SERVER
68 #define V2_HANDSHAKE_CLIENT
70 /* Copied from or.h */
71 #define LEGAL_NICKNAME_CHARACTERS \
72 "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
74 /** How long do identity certificates live? (sec) */
75 #define IDENTITY_CERT_LIFETIME (365*24*60*60)
80 (OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(0,9,9) && \
82 /* This is a version of OpenSSL before 0.9.8s/1.0.0f. It does not have
83 * the CVE-2011-4576 fix, and as such it can't use RELEASE_BUFFERS and
84 * SSL3 safely at the same time.
85 */
86 #define DISABLE_SSL3_HANDSHAKE
87 #endif
89 /* We redefine these so that we can run correctly even if the vendor gives us
90 * a version of OpenSSL that does not match its header files. (Apple: I am
91 * looking at you.)
92 */
93 #ifndef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
94 #define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0x00040000L
95 #endif
96 #ifndef SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
97 #define SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0x0010
98 #endif
100 /** Does the run-time openssl version look like we need
101 * SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION? */
103 /** Does the run-time openssl version look like we need
104 * SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION? */
107 /** Structure that we use for a single certificate. */
113 digests_t cert_digests;
114 digests_t pkey_digests;
115 };
117 /** Holds a SSL_CTX object and related state used to configure TLS
118 * connections.
119 */
130 /** Return values for tor_tls_classify_client_ciphers.
131 *
132 * @{
133 */
134 /** An error occurred when examining the client ciphers */
135 #define CIPHERS_ERR -1
136 /** The client cipher list indicates that a v1 handshake was in use. */
137 #define CIPHERS_V1 1
138 /** The client cipher list indicates that the client is using the v2 or the
139 * v3 handshake, but that it is (probably!) lying about what ciphers it
140 * supports */
141 #define CIPHERS_V2 2
142 /** The client cipher list indicates that the client is using the v2 or the
143 * v3 handshake, and that it is telling the truth about what ciphers it
144 * supports */
145 #define CIPHERS_UNRESTRICTED 3
146 /** @} */
148 #define TOR_TLS_MAGIC 0x71571571
153 TOR_TLS_ST_BUFFEREVENT
156 /** Holds a SSL object and its associated data. Members are only
157 * accessed from within tortls.c.
158 */
166 * depending on which operations
167 * have completed successfully. */
170 * this connection used the updated version
171 * of the connection protocol (client sends
172 * different cipher list, server sends only
173 * one certificate). */
174 /** True iff we should call negotiated_callback when we're done reading. */
176 /** Return value from tor_tls_classify_client_ciphers, or 0 if we haven't
177 * called that function yet. */
179 /** Incremented every time we start the server side of a handshake. */
182 * time. */
183 /** Last values retrieved from BIO_number_read()/write(); see
184 * tor_tls_get_n_raw_bytes() for usage.
185 */
188 /** If set, a callback to invoke whenever the client tries to renegotiate
189 * the handshake. */
191 /** Argument to pass to negotiated_callback. */
193 };
195 #ifdef V2_HANDSHAKE_CLIENT
196 /** An array of fake SSL_CIPHER objects that we use in order to trick OpenSSL
197 * in client mode into advertising the ciphers we want. See
198 * rectify_client_ciphers() for details. */
200 /** A stack of SSL_CIPHER objects, some real, some fake.
201 * See rectify_client_ciphers() for details. */
203 #endif
205 /** The ex_data index in which we store a pointer to an SSL object's
206 * corresponding tor_tls_t object. */
209 /** Helper: Allocate tor_tls_object_ex_data_index. */
210 static void
212 {
214 tor_tls_object_ex_data_index =
217 }
218 }
220 /** Helper: given a SSL* pointer, return the tor_tls_t object using that
221 * pointer. */
224 {
229 }
251 /** Global TLS contexts. We keep them here because nobody else needs
252 * to touch them.
253 *
254 * @{ */
257 /**@}*/
259 /** True iff tor_tls_init() has been called. */
262 /* Module-internal error codes. */
263 #define TOR_TLS_SYSCALL_ (MIN_TOR_TLS_ERROR_VAL_ - 2)
264 #define TOR_TLS_ZERORETURN_ (MIN_TOR_TLS_ERROR_VAL_ - 1)
266 /** Write a description of the current state of <b>tls</b> into the
267 * <b>sz</b>-byte buffer at <b>buf</b>. */
268 void
270 {
277 }
288 #undef CASE
295 }
298 }
300 /** Log a single error <b>err</b> as returned by ERR_get_error(), which was
301 * received while performing an operation <b>doing</b> on <b>tls</b>. Log
302 * the message at <b>severity</b>, in log domain <b>domain</b>. */
303 void
306 {
314 /* Some errors are known-benign, meaning they are the fault of the other
315 * side of the connection. The caller doesn't know this, so override the
316 * priority for those cases. */
328 }
344 }
345 }
347 /** Log all pending tls errors at level <b>severity</b> in log domain
348 * <b>domain</b>. Use <b>doing</b> to describe our current activities.
349 */
350 static void
352 {
357 }
358 }
360 /** Convert an errno (or a WSAerrno on windows) into a TOR_TLS_* error
361 * code. */
362 static int
364 {
377 }
378 }
380 /** Given a TOR_TLS_* error code, return a string equivalent. */
383 {
397 }
398 }
400 #define CATCH_SYSCALL 1
401 #define CATCH_ZERO 2
403 /** Given a TLS object and the result of an SSL_* call, use
404 * SSL_get_error to determine whether an error has occurred, and if so
405 * which one. Return one of TOR_TLS_{DONE|WANTREAD|WANTWRITE|ERROR}.
406 * If extra&CATCH_SYSCALL is true, return TOR_TLS_SYSCALL_ instead of
407 * reporting syscall errors. If extra&CATCH_ZERO is true, return
408 * TOR_TLS_ZERORETURN_ instead of reporting zero-return errors.
409 *
410 * If an error has occurred, log it at level <b>severity</b> and describe the
411 * current action as <b>doing</b>.
412 */
413 static int
416 {
440 }
453 }
454 }
456 /** Initialize OpenSSL, unless it has already been initialized.
457 */
458 static void
460 {
468 /* OpenSSL 0.9.8l introduced SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
469 * here, but without thinking too hard about it: it turns out that the
470 * flag in question needed to be set at the last minute, and that it
471 * conflicted with an existing flag number that had already been added
472 * in the OpenSSL 1.0.0 betas. OpenSSL 0.9.8m thoughtfully replaced
473 * the flag with an option and (it seems) broke anything that used
474 * SSL3_FLAGS_* for the purpose. So we need to know how to do both,
475 * and we mustn't use the SSL3_FLAGS option with anything besides
476 * OpenSSL 0.9.8l.
477 *
478 * No, we can't just set flag 0x0010 everywhere. It breaks Tor with
479 * OpenSSL 1.0.0beta3 and later. On the other hand, we might be able to
480 * set option 0x00040000L everywhere.
481 *
482 * No, we can't simply detect whether the flag or the option is present
483 * in the headers at build-time: some vendors (notably Apple) like to
484 * leave their headers out of sync with their libraries.
485 *
486 * Yes, it _is_ almost as if the OpenSSL developers decided that no
487 * program should be allowed to use renegotiation unless it first passed
488 * a test of intelligence and determination.
489 */
492 "some vendors have backported renegotiation code from "
493 "0.9.8m without updating the version number. "
505 "0.9.8l, but some vendors have backported 0.9.8l's "
506 "renegotiation code to earlier versions, and some have "
507 "backported the code from 0.9.8m or 0.9.8n. I'll set both "
513 /* this is dead code, yes? */
516 }
518 #if (SIZEOF_VOID_P >= 8 && \
519 !defined(OPENSSL_NO_EC) && \
520 OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,0,1))
522 /* Warn if we could *almost* be running with much faster ECDH.
523 If we're built for a 64-bit target, using OpenSSL 1.0.1, but we
524 don't have one of the built-in __uint128-based speedups, we are
525 just one build operation away from an accelerated handshake.
527 (We could be looking at OPENSSL_NO_EC_NISTP_64_GCC_128 instead of
528 doing this test, but that gives compile-time options, not runtime
529 behavior.)
530 */
541 "OpenSSL 1.0.1 or later, but with a version of OpenSSL "
542 "that apparently lacks accelerated support for the NIST "
543 "P-224 and P-256 groups. Building openssl with such "
544 "support (using the enable-ec_nistp_64_gcc_128 option "
546 }
547 #endif
552 }
553 }
555 /** Free all global TLS structures. */
556 void
558 {
563 }
568 }
569 #ifdef V2_HANDSHAKE_CLIENT
574 #endif
575 }
577 /** We need to give OpenSSL a callback to verify certificates. This is
578 * it: We always accept peer certs and complete the handshake. We
579 * don't validate them until later.
580 */
581 static int
584 {
588 }
590 /** Return a newly allocated X509 name with commonName <b>cname</b>. */
593 {
603 error:
606 }
608 /** Generate and sign an X509 certificate with the public key <b>rsa</b>,
609 * signed by the private key <b>rsa_sign</b>. The commonName of the
610 * certificate will be <b>cname</b>; the commonName of the issuer will be
611 * <b>cname_sign</b>. The cert will be valid for <b>cert_lifetime</b>
612 * seconds, starting from some time in the past.
613 *
614 * Return a certificate on success, NULL on failure.
615 */
622 {
623 /* OpenSSL generates self-signed certificates with random 64-bit serial
624 * numbers, so let's do that too. */
625 #define SERIAL_NUMBER_SIZE 8
636 /* Make sure we're part-way through the certificate lifetime, rather
637 * than having it start right now. Don't choose quite uniformly, since
638 * then we might pick a time where we're about to expire. Lastly, be
639 * sure to start on a day boundary. */
663 }
685 error:
689 }
690 done:
704 #undef SERIAL_NUMBER_SIZE
705 }
707 /** List of ciphers that servers should select from when the client might be
708 * claiming extra unsupported ciphers in order to avoid fingerprinting. */
709 #define SERVER_CIPHER_LIST \
712 SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA)
714 /** List of ciphers that servers should select from when we actually have
715 * our choice of what cipher to use. */
717 #ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_256_CHC_SHA
718 TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA ":"
719 #endif
720 #ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384
721 TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ":"
722 #endif
723 #ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256
724 TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256 ":"
725 #endif
726 #ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA
727 TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA ":"
728 #endif
729 #ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256
730 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256
731 #endif
732 //#if TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA
733 // TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA ":"
734 //#endif
735 /* These next two are mandatory. */
736 TLS1_TXT_DHE_RSA_WITH_AES_256_SHA ":"
737 TLS1_TXT_DHE_RSA_WITH_AES_128_SHA ":"
738 #ifdef TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA
739 TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA ":"
740 #endif
741 SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA;
743 /* Note: to set up your own private testing network with link crypto
744 * disabled, set your Tors' cipher list to
745 * (SSL3_TXT_RSA_NULL_SHA). If you do this, you won't be able to communicate
746 * with any of the "real" Tors, though. */
748 #ifdef V2_HANDSHAKE_CLIENT
750 #define XCIPHER(id, name)
751 /** List of ciphers that clients should advertise, omitting items that
752 * our OpenSSL doesn't know about. */
755 /* Tell it not to use SSLv2 ciphers, so that it can select an SSLv3 version
756 * of any cipher we say. */
757 "!SSLv2"
758 ;
759 #undef CIPHER
760 #undef XCIPHER
762 /** Holds a cipher that we want to advertise, and its 2-byte ID. */
764 /** A list of all the ciphers that clients should advertise, including items
765 * that OpenSSL might not know about. */
767 #define CIPHER(id, name) { id, name },
768 #define XCIPHER(id, name) { id, #name },
770 #undef CIPHER
771 #undef XCIPHER
772 };
774 /** The length of CLIENT_CIPHER_INFO_LIST and CLIENT_CIPHER_DUMMIES. */
777 #endif
779 #ifndef V2_HANDSHAKE_CLIENT
780 #undef CLIENT_CIPHER_LIST
782 SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA)
783 #endif
785 /** Free all storage held in <b>cert</b> */
786 void
788 {
796 }
798 /**
799 * Allocate a new tor_cert_t to hold the certificate "x509_cert".
800 *
801 * Steals a reference to x509_cert.
802 */
805 {
822 }
840 }
843 }
845 /** Read a DER-encoded X509 cert, of length exactly <b>certificate_len</b>,
846 * from a <b>certificate</b>. Return a newly allocated tor_cert_t on success
847 * and NULL on failure. */
848 tor_cert_t *
850 {
866 }
870 }
873 /* Cert wasn't in DER */
876 }
878 }
880 /** Set *<b>encoded_out</b> and *<b>size_out</b> to <b>cert</b>'s encoded DER
881 * representation and length, respectively. */
882 void
885 {
891 }
893 /** Return a set of digests for the public key in <b>cert</b>, or NULL if this
894 * cert's public key is not one we know how to take the digest of. */
897 {
900 else
902 }
904 /** Return a set of digests for the public key in <b>cert</b>. */
907 {
909 }
911 /** Remove a reference to <b>ctx</b>, and free it if it has no more
912 * references. */
913 static void
915 {
925 }
926 }
928 /** Set *<b>link_cert_out</b> and *<b>id_cert_out</b> to the link certificate
929 * and ID certificate that we're currently using for our V3 in-protocol
930 * handshake's certificate chain. If <b>server</b> is true, provide the certs
931 * that we use in server mode; otherwise, provide the certs that we use in
932 * client mode. */
933 int
937 {
946 }
948 /**
949 * Return the authentication key that we use to authenticate ourselves as a
950 * client in the V3 in-protocol handshake.
951 */
952 crypto_pk_t *
954 {
958 }
960 /**
961 * Return a newly allocated copy of the public key that a certificate
962 * certifies. Return NULL if the cert's key is not RSA.
963 */
964 crypto_pk_t *
966 {
976 }
980 }
982 /** Return true iff <b>a</b> and <b>b</b> represent the same public key. */
983 static int
985 {
986 /* We'd like to do this, but openssl 0.9.7 doesn't have it:
987 return EVP_PKEY_cmp(a,b) == 1;
988 */
1005 }
1007 /** Return true iff the other side of <b>tls</b> has authenticated to us, and
1008 * the key certified in <b>cert</b> is the same as the key they used to do it.
1009 */
1010 int
1012 {
1031 }
1033 /** Check whether <b>cert</b> is well-formed, currently live, and correctly
1034 * signed by the public key in <b>signing_cert</b>. If <b>check_rsa_1024</b>,
1035 * make sure that it has an RSA key with 1024 bits; otherwise, just check that
1036 * the key is long enough. Return 1 if the cert is good, and 0 if it's bad or
1037 * we couldn't check it. */
1038 int
1043 {
1054 /* okay, the signature checked out right. Now let's check the check the
1055 * lifetime. */
1069 #ifdef EVP_PKEY_EC
1072 #endif
1075 }
1080 /* XXXX compare DNs or anything? */
1083 }
1085 /** Increase the reference count of <b>ctx</b>. */
1086 static void
1088 {
1090 }
1092 /** Create new global client and server TLS contexts.
1093 *
1094 * If <b>server_identity</b> is NULL, this will not generate a server
1095 * TLS context. If TOR_TLS_CTX_IS_PUBLIC_SERVER is set in <b>flags</b>, use
1096 * the same TLS context for incoming and outgoing connections, and
1097 * ignore <b>client_identity</b>. If one of TOR_TLS_CTX_USE_ECDHE_P{224,256}
1098 * is set in <b>flags</b>, use that ECDHE group if possible; otherwise use
1099 * the default ECDHE group. */
1100 int
1105 {
1117 server_identity,
1128 }
1129 }
1133 server_identity,
1134 key_lifetime,
1135 flags,
1143 }
1144 }
1147 client_identity,
1148 key_lifetime,
1149 flags,
1151 }
1154 }
1156 /** Create a new global TLS context.
1157 *
1158 * You can call this function multiple times. Each time you call it,
1159 * it generates new certificates; all new connections will use
1160 * the new SSL context.
1161 */
1162 static int
1168 {
1170 key_lifetime,
1171 flags,
1172 is_client);
1178 /* Free the old context if one existed. */
1180 /* This is safe even if there are open connections: we reference-
1181 * count tor_tls_context_t objects. */
1183 }
1184 }
1187 }
1189 /** Create a new TLS context for use with Tor TLS handshakes.
1190 * <b>identity</b> should be set to the identity key used to sign the
1191 * certificate.
1192 */
1196 {
1205 #ifdef DISABLE_V3_LINKPROTO_SERVERSIDE
1207 #else
1209 #endif
1211 /* Generate short-term RSA key for use with TLS. */
1217 /* Generate short-term RSA key for use in the in-protocol ("v3")
1218 * authentication handshake. */
1223 /* Create a link certificate signed by identity key. */
1225 key_lifetime);
1226 /* Create self-signed certificate for identity key. */
1228 IDENTITY_CERT_LIFETIME);
1229 /* Create an authentication certificate signed by identity key. */
1231 key_lifetime);
1235 }
1236 }
1248 }
1250 #if 0
1251 /* Tell OpenSSL to only use TLS1. This may have subtly different results
1252 * from SSLv23_method() with SSLv2 and SSLv3 disabled, so we need to do some
1253 * investigation before we consider adjusting it. It should be compatible
1254 * with existing Tors. */
1257 #endif
1259 /* Tell OpenSSL to use SSL3 or TLS1 but not SSL2. */
1264 /* Disable TLS1.1 and TLS1.2 if they exist. We need to do this to
1265 * workaround a bug present in all OpenSSL 1.0.1 versions (as of 1
1266 * June 2012), wherein renegotiating while using one of these TLS
1267 * protocols will cause the client to send a TLS 1.0 ServerHello
1268 * rather than a ServerHello written with the appropriate protocol
1269 * version. Once some version of OpenSSL does TLS1.1 and TLS1.2
1270 * renegotiation properly, we can turn them back on when built with
1271 * that version. */
1273 #ifdef SSL_OP_NO_TLSv1_2
1275 #endif
1276 #ifdef SSL_OP_NO_TLSv1_1
1278 #endif
1279 #endif
1281 /* Disable TLS tickets if they're supported. We never want to use them;
1282 * using them can make our perfect forward secrecy a little worse, *and*
1283 * create an opportunity to fingerprint us (since it's unusual to use them
1284 * with TLS sessions turned off).
1285 *
1286 * In 0.2.4, clients advertise support for them though, to avoid a TLS
1287 * distinguishability vector. This can give us worse PFS, though, if we
1288 * get a server that doesn't set SSL_OP_NO_TICKET. With luck, there will
1289 * be few such servers by the time 0.2.4 is more stable.
1290 */
1291 #ifdef SSL_OP_NO_TICKET
1294 }
1295 #endif
1298 #ifdef DISABLE_SSL3_HANDSHAKE
1300 #endif
1304 /* And not SSL3 if it's subject to CVE-2011-4576. */
1306 "might otherwise be vulnerable to CVE-2011-4576 "
1307 "(compile-time version %08lx (%s); "
1312 }
1317 #ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
1319 SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
1320 #endif
1321 /* Yes, we know what we are doing here. No, we do not treat a renegotiation
1322 * as authenticating any earlier-received data.
1323 */
1326 SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
1327 }
1328 /* Don't actually allow compression; it uses ram and time, but the data
1329 * we transmit is all encrypted anyway. */
1332 #ifdef SSL_MODE_RELEASE_BUFFERS
1334 #endif
1346 }
1347 }
1359 }
1360 {
1365 }
1366 #if (!defined(OPENSSL_NO_EC) && \
1367 OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,0,0))
1375 else
1377 /* Use P-256 for ECDHE. */
1382 }
1383 #else
1385 #endif
1387 always_accept_verify_cb);
1388 /* let us realloc bufs that we're writing from */
1400 error:
1419 }
1421 #ifdef V2_HANDSHAKE_SERVER
1423 /* Here's the old V2 cipher list we sent from 0.2.1.1-alpha up to
1424 * 0.2.3.17-beta. If a client is using this list, we can't believe the ciphers
1425 * that it claims to support. We'll prune this list to remove the ciphers
1426 * *we* don't recognize. */
1456 0
1457 };
1458 /** Have we removed the unrecognized ciphers from v2_cipher_list yet? */
1461 /** Remove from v2_cipher_list every cipher that we don't support, so that
1462 * comparing v2_cipher_list to a client's cipher list will give a sensible
1463 * result. */
1464 static void
1466 {
1474 /* Is there no better way to do this? */
1481 inp++;
1482 }
1483 }
1487 }
1489 /* Return the name of the negotiated ciphersuite in use on <b>tls</b> */
1492 {
1494 }
1496 /** Examine the client cipher list in <b>ssl</b>, and determine what kind of
1497 * client it is. Return one of CIPHERS_ERR, CIPHERS_V1, CIPHERS_V2,
1498 * CIPHERS_UNRESTRICTED.
1499 **/
1500 static int
1503 {
1513 /* If we reached this point, we just got a client hello. See if there is
1514 * a cipher list. */
1519 }
1520 /* Now we need to see if there are any ciphers whose presence means we're
1521 * dealing with an updated Tor. */
1530 // return 1;
1532 }
1533 }
1536 v2_or_higher:
1537 {
1547 }
1549 }
1553 }
1555 }
1557 dump_ciphers:
1558 {
1565 }
1571 }
1572 done:
1577 }
1579 /** Return true iff the cipher list suggested by the client for <b>ssl</b> is
1580 * a list that indicates that the client knows how to do the v2 TLS connection
1581 * handshake. */
1582 static int
1584 {
1589 }
1592 }
1594 #if OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,0,0)
1595 /** Callback to get invoked on a server after we've read the list of ciphers
1596 * the client supports, but before we pick our own ciphersuite.
1597 *
1598 * We can't abuse an info_cb for this, since by the time one of the
1599 * client_hello info_cbs is called, we've already picked which ciphersuite to
1600 * use.
1601 *
1602 * Technically, this function is an abuse of this callback, since the point of
1603 * a session_secret_cb is to try to set up and/or verify a shared-secret for
1604 * authentication on the fly. But as long as we return 0, we won't actually be
1605 * setting up a shared secret, and all will be fine.
1606 */
1607 static int
1611 {
1619 CIPHERS_UNRESTRICTED) {
1621 }
1626 }
1627 static void
1629 {
1631 }
1632 #else
1633 #define tor_tls_setup_session_secret_cb(tls) STMT_NIL
1634 #endif
1636 /** Invoked when a TLS state changes: log the change at severity 'debug' */
1637 static void
1639 {
1642 }
1644 /** Invoked when we're accepting a connection on <b>ssl</b>, and the connection
1645 * changes state. We use this:
1646 * <ul><li>To alter the state of the handshake partway through, so we
1647 * do not send or request extra certificates in v2 handshakes.</li>
1648 * <li>To detect renegotiation</li></ul>
1649 */
1650 static void
1652 {
1666 /* Check whether we're watching for renegotiates. If so, this is one! */
1674 }
1676 /* Now check the cipher list. */
1680 * This is a renegotiation. */
1682 /* Yes, we're casting away the const from ssl. This is very naughty of us.
1683 * Let's hope openssl doesn't notice! */
1685 /* Set SSL_MODE_NO_AUTO_CHAIN to keep from sending back any extra certs. */
1687 /* Don't send a hello request. */
1692 #ifdef USE_BUFFEREVENTS
1695 #endif
1698 }
1699 }
1700 }
1701 #endif
1703 /** Explain which ciphers we're missing. */
1704 static void
1706 {
1710 "TLS ciphersuites that we wanted to advertise. This won't "
1711 "hurt security, but it might make your Tor (if run as a client) "
1720 }
1725 }
1727 /** Replace *<b>ciphers</b> with a new list of SSL ciphersuites: specifically,
1728 * a list designed to mimic a common web browser. We might not be able to do
1729 * that if OpenSSL doesn't support all the ciphers we want. Some of the
1730 * ciphers in the list won't actually be implemented by OpenSSL: that's okay
1731 * so long as the server doesn't select them.
1732 *
1733 * [If the server <b>does</b> select a bogus cipher, we won't crash or
1734 * anything; we'll just fail later when we try to look up the cipher in
1735 * ssl->cipher_list_by_id.]
1736 */
1737 static void
1739 {
1740 #ifdef V2_HANDSHAKE_CLIENT
1742 /* We need to set CLIENT_CIPHER_STACK to an array of the ciphers
1743 * we want to use/advertise. */
1747 /* First, create a dummy SSL_CIPHER for every cipher. */
1748 CLIENT_CIPHER_DUMMIES =
1752 /* The "3<<24" here signifies that the cipher is supposed to work with
1753 * SSL3 and TLS1. */
1756 }
1765 }
1767 /* Then copy as many ciphers as we can from the good list, inserting
1768 * dummies as needed. Let j be an index into list of ciphers we have
1769 * (*ciphers) and let i be an index into the ciphers we want
1770 * (CLIENT_INFO_CIPHER_LIST). We are building a list of ciphers in
1771 * CLIENT_CIPHER_STACK.
1772 */
1778 /* Skip over non-v3 ciphers entirely. (This should no longer be
1779 * needed, thanks to saying !SSLv2 above.) */
1786 /* "cipher" is the cipher we expect. Put it on the list. */
1793 /* We found bogus cipher 0xfeff, which OpenSSL doesn't support and
1794 * never has. For this one, we need a dummy. */
1799 /* OpenSSL doesn't have this one. */
1804 }
1805 }
1811 }
1817 #else
1819 #endif
1820 }
1822 /** Create a new TLS object from a file descriptor, and a flag to
1823 * determine whether it is functioning as a server.
1824 */
1825 tor_tls_t *
1827 {
1831 client_tls_context;
1839 }
1841 #ifdef SSL_set_tlsext_host_name
1842 /* Browsers use the TLS hostname extension, so we should too. */
1847 }
1848 #endif
1853 #ifdef SSL_set_tlsext_host_name
1855 #endif
1859 }
1866 #ifdef SSL_set_tlsext_host_name
1868 #endif
1872 }
1873 {
1879 }
1880 }
1892 }
1893 #ifdef V2_HANDSHAKE_SERVER
1897 #endif
1898 {
1900 }
1905 /* Not expected to get called. */
1908 }
1910 /** Make future log messages about <b>tls</b> display the address
1911 * <b>address</b>.
1912 */
1913 void
1915 {
1919 }
1921 /** Set <b>cb</b> to be called with argument <b>arg</b> whenever <b>tls</b>
1922 * next gets a client-side renegotiate in the middle of a read. Do not
1923 * invoke this function until <em>after</em> initial handshaking is done!
1924 */
1925 void
1929 {
1933 #ifdef V2_HANDSHAKE_SERVER
1938 }
1939 #endif
1940 }
1942 /** If this version of openssl requires it, turn on renegotiation on
1943 * <b>tls</b>.
1944 */
1945 void
1947 {
1948 /* Yes, we know what we are doing here. No, we do not treat a renegotiation
1949 * as authenticating any earlier-received data. */
1952 }
1955 SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
1956 }
1957 }
1959 /** If this version of openssl supports it, turn off renegotiation on
1960 * <b>tls</b>. (Our protocol never requires this for security, but it's nice
1961 * to use belt-and-suspenders here.)
1962 */
1963 void
1965 {
1967 }
1969 /** Assert that the flags that allow legacy renegotiation are still set */
1970 void
1972 {
1975 SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION));
1976 }
1980 }
1981 }
1983 /** Return whether this tls initiated the connect (client) or
1984 * received it (server). */
1985 int
1987 {
1990 }
1992 /** Release resources associated with a TLS object. Does not close the
1993 * underlying file descriptor.
1994 */
1995 void
1997 {
2001 {
2004 }
2005 #ifdef SSL_set_tlsext_host_name
2007 #endif
2016 }
2018 /** Underlying function for TLS reading. Reads up to <b>len</b>
2019 * characters from <b>tls</b> into <b>cp</b>. On success, returns the
2020 * number of characters read. On failure, returns TOR_TLS_ERROR,
2021 * TOR_TLS_CLOSE, TOR_TLS_WANTREAD, or TOR_TLS_WANTWRITE.
2022 */
2023 int
2025 {
2033 #ifdef V2_HANDSHAKE_SERVER
2035 /* Renegotiation happened! */
2040 }
2041 #endif
2043 }
2053 }
2054 }
2056 /** Total number of bytes that we've used TLS to send. Used to track TLS
2057 * overhead. */
2059 /** Total number of bytes that TLS has put on the network for us. Used to
2060 * track TLS overhead. */
2063 /** Underlying function for TLS writing. Write up to <b>n</b>
2064 * characters from <b>cp</b> onto <b>tls</b>. On success, returns the
2065 * number of characters written. On failure, returns TOR_TLS_ERROR,
2066 * TOR_TLS_WANTREAD, or TOR_TLS_WANTWRITE.
2067 */
2068 int
2070 {
2079 /* if WANTWRITE last time, we must use the _same_ n as before */
2085 }
2091 }
2094 }
2096 }
2098 /** Perform initial handshake on <b>tls</b>. When finished, returns
2099 * TOR_TLS_DONE. On failure, returns TOR_TLS_ERROR, TOR_TLS_WANTREAD,
2100 * or TOR_TLS_WANTWRITE.
2101 */
2102 int
2104 {
2120 }
2124 /* We need to call this here and not earlier, since OpenSSL has a penchant
2125 * for clearing its flags when you say accept or connect. */
2132 }
2136 }
2138 }
2140 /** Perform the final part of the intial TLS handshake on <b>tls</b>. This
2141 * should be called for the first handshake only: it determines whether the v1
2142 * or the v2 handshake was used, and adjusts things for the renegotiation
2143 * handshake as appropriate.
2144 *
2145 * tor_tls_handshake() calls this on its own; you only need to call this if
2146 * bufferevent is doing the handshake for you.
2147 */
2148 int
2150 {
2155 /* There doesn't seem to be a clear OpenSSL API to clear mode flags. */
2157 #ifdef V2_HANDSHAKE_SERVER
2159 /* This check is redundant, but back when we did it in the callback,
2160 * we might have not been able to look up the tor_tls_t if the code
2161 * was buggy. Fixing that. */
2165 }
2171 }
2172 #endif
2174 #ifdef V2_HANDSHAKE_CLIENT
2175 /* If we got no ID cert, we're a v2 handshake. */
2185 "Server sent back a single certificate; looks like "
2188 }
2191 #endif
2195 }
2196 }
2198 }
2200 #ifdef USE_BUFFEREVENTS
2201 /** Put <b>tls</b>, which must be a client connection, into renegotiation
2202 * mode. */
2203 int
2205 {
2209 LD_HANDSHAKE);
2210 }
2212 }
2213 #endif
2215 /** Client only: Renegotiate a TLS session. When finished, returns
2216 * TOR_TLS_DONE. On failure, returns TOR_TLS_ERROR, TOR_TLS_WANTREAD, or
2217 * TOR_TLS_WANTWRITE.
2218 */
2219 int
2221 {
2224 /* We could do server-initiated renegotiation too, but that would be tricky.
2225 * Instead of "SSL_renegotiate, then SSL_do_handshake until done" */
2231 LD_HANDSHAKE);
2232 }
2234 }
2241 LD_HANDSHAKE);
2242 }
2244 /** Shut down an open tls connection <b>tls</b>. When finished, returns
2245 * TOR_TLS_DONE. On failure, returns TOR_TLS_ERROR, TOR_TLS_WANTREAD,
2246 * or TOR_TLS_WANTWRITE.
2247 */
2248 int
2250 {
2258 /* If we've already called shutdown once to send a close message,
2259 * we read until the other side has closed too.
2260 */
2268 /* fall through... */
2271 }
2272 }
2276 /* If shutdown returns 1, the connection is entirely closed. */
2279 }
2283 /* The underlying TCP connection closed while we were shutting down. */
2287 /* The TLS connection says that it sent a shutdown record, but
2288 * isn't done shutting down yet. Make sure that this hasn't
2289 * happened before, then go back to the start of the function
2290 * and try to read.
2291 */
2297 }
2299 /* fall through ... */
2302 }
2304 }
2306 /** Return true iff this TLS connection is authenticated.
2307 */
2308 int
2310 {
2318 }
2320 /** Return the peer certificate, or NULL if there isn't one. */
2321 tor_cert_t *
2323 {
2330 }
2332 /** Warn that a certificate lifetime extends through a certain range. */
2333 static void
2335 {
2345 "Certificate %s. Either their clock is set wrong, or your clock "
2347 problem);
2351 }
2355 }
2363 }
2373 end:
2374 /* Not expected to get invoked */
2380 }
2382 /** Helper function: try to extract a link certificate and an identity
2383 * certificate from <b>tls</b>, and store them in *<b>cert_out</b> and
2384 * *<b>id_cert_out</b> respectively. Log all messages at level
2385 * <b>severity</b>.
2386 *
2387 * Note that a reference is added to cert_out, so it needs to be
2388 * freed. id_cert_out doesn't. */
2389 static void
2392 {
2404 /* 1 means we're receiving (server-side), and it's just the id_cert.
2405 * 2 means we're connecting (client-side), and it's both the link
2406 * cert and the id_cert.
2407 */
2411 num_in_chain);
2413 }
2418 }
2420 }
2422 /** If the provided tls connection is authenticated and has a
2423 * certificate chain that is currently valid and signed, then set
2424 * *<b>identity_key</b> to the identity certificate's key and return
2425 * 0. Else, return -1 and log complaints with log-level <b>severity</b>.
2426 */
2427 int
2429 {
2443 }
2451 }
2460 done:
2466 /* This should never get invoked, but let's make sure in case OpenSSL
2467 * acts unexpectedly. */
2471 }
2473 /** Check whether the certificate set on the connection <b>tls</b> is expired
2474 * give or take <b>past_tolerance</b> seconds, or not-yet-valid give or take
2475 * <b>future_tolerance</b> seconds. Return 0 for valid, -1 for failure.
2476 *
2477 * NOTE: you should call tor_tls_verify before tor_tls_check_lifetime.
2478 */
2479 int
2482 {
2494 done:
2497 /* Not expected to get invoked */
2501 }
2503 /** Helper: check whether <b>cert</b> is expired give or take
2504 * <b>past_tolerance</b> seconds, or not-yet-valid give or take
2505 * <b>future_tolerance</b> seconds. If it is live, return 0. If it is not
2506 * live, log a message and return -1. */
2507 static int
2510 {
2519 }
2524 }
2527 }
2529 /** Return the number of bytes available for reading from <b>tls</b>.
2530 */
2531 int
2533 {
2536 }
2538 /** If <b>tls</b> requires that the next write be of a particular size,
2539 * return that size. Otherwise, return 0. */
2540 size_t
2542 {
2544 }
2546 /** Sets n_read and n_written to the number of bytes read and written,
2547 * respectively, on the raw socket used by <b>tls</b> since the last time this
2548 * function was called on <b>tls</b>. */
2549 void
2551 {
2555 /* We want the number of bytes actually for real written. Unfortunately,
2556 * sometimes OpenSSL replaces the wbio on tls->ssl with a buffering bio,
2557 * which makes the answer turn out wrong. Let's cope with that. Note
2558 * that this approach will fail if we ever replace tls->ssl's BIOs with
2559 * buffering bios for reasons of our own. As an alternative, we could
2560 * save the original BIO for tls->ssl in the tor_tls_t structure, but
2561 * that would be tempting fate. */
2567 /* We are ok with letting these unsigned ints go "negative" here:
2568 * If we wrapped around, this should still give us the right answer, unless
2569 * we wrapped around by more than ULONG_MAX since the last time we called
2570 * this function.
2571 */
2578 }
2582 }
2584 /** Return a ratio of the bytes that TLS has sent to the bytes that we've told
2585 * it to send. Used to track whether our TLS records are getting too tiny. */
2586 double
2588 {
2594 }
2596 /** Implement check_no_tls_errors: If there are any pending OpenSSL
2597 * errors, log an error message. */
2598 void
2600 {
2606 }
2608 /** Return true iff the initial TLS connection at <b>tls</b> did not use a v2
2609 * TLS handshake. Output is undefined if the handshake isn't finished. */
2610 int
2612 {
2614 #ifdef V2_HANDSHAKE_SERVER
2616 #endif
2618 #ifdef V2_HANDSHAKE_CLIENT
2620 #endif
2621 }
2623 }
2625 /** Return true iff <b>name</b> is a DN of a kind that could only
2626 * occur in a v3-handshake-indicating certificate */
2627 static int
2629 {
2630 #ifdef DISABLE_V3_LINKPROTO_CLIENTSIDE
2633 #else
2657 #endif
2658 }
2660 /** Return true iff the peer certificate we're received on <b>tls</b>
2661 * indicates that this connection should use the v3 (in-protocol)
2662 * authentication handshake.
2663 *
2664 * Only the connection initiator should use this, and only once the initial
2665 * handshake is done; the responder detects a v1 handshake by cipher types,
2666 * and a v3/v2 handshake by Versions cell vs renegotiation.
2667 */
2668 int
2670 {
2679 }
2687 }
2693 }
2700 }
2702 done:
2709 }
2711 /** Return the number of server handshakes that we've noticed doing on
2712 * <b>tls</b>. */
2713 int
2715 {
2717 }
2719 /** Return true iff the server TLS connection <b>tls</b> got the renegotiation
2720 * request it was waiting for. */
2721 int
2723 {
2725 }
2727 /** Set the DIGEST256_LEN buffer at <b>secrets_out</b> to the value used in
2728 * the v3 handshake to prove that the client knows the TLS secrets for the
2729 * connection <b>tls</b>. Return 0 on success, -1 on failure.
2730 */
2731 int
2733 {
2741 /*
2742 The value is an HMAC, using the TLS master key as the HMAC key, of
2743 client_random | server_random | TLSSECRET_MAGIC
2744 */
2755 }
2757 /** Examine the amount of memory used and available for buffers in <b>tls</b>.
2758 * Set *<b>rbuf_capacity</b> to the amount of storage allocated for the read
2759 * buffer and *<b>rbuf_bytes</b> to the amount actually used.
2760 * Set *<b>wbuf_capacity</b> to the amount of storage allocated for the write
2761 * buffer and *<b>wbuf_bytes</b> to the amount actually used. */
2762 void
2766 {
2769 else
2773 else
2777 }
2779 #ifdef USE_BUFFEREVENTS
2780 /** Construct and return an TLS-encrypting bufferevent to send data over
2781 * <b>socket</b>, which must match the socket of the underlying bufferevent
2782 * <b>bufev_in</b>. The TLS object <b>tls</b> is used for encryption.
2783 *
2784 * This function will either create a filtering bufferevent that wraps around
2785 * <b>bufev_in</b>, or it will free bufev_in and return a new bufferevent that
2786 * uses the <b>tls</b> to talk to the network directly. Do not use
2787 * <b>bufev_in</b> after calling this function.
2788 *
2789 * The connection will start out doing a server handshake if <b>receiving</b>
2790 * is strue, and a client handshake otherwise.
2791 *
2792 * Returns NULL on failure.
2793 */
2798 {
2804 /* Grab an extra reference to the SSL, since BEV_OPT_CLOSE_ON_FREE
2805 means that the SSL will get freed too.
2807 This increment makes our SSL usage not-threadsafe, BTW. We should
2808 see if we're allowed to use CRYPTO_add from outside openssl. */
2811 bufev_in,
2813 state,
2814 BEV_OPT_DEFER_CALLBACKS|
2815 BEV_OPT_CLOSE_ON_FREE);
2816 /* Tell the underlying bufferevent when to accept more data from the SSL
2817 filter (only when it's got less than 32K to write), and when to notify
2818 the SSL filter that it could write more (when it drops under 24K). */
2829 }
2831 /* Current versions (as of 2.0.x) of Libevent need to defer
2832 * bufferevent_openssl callbacks, or else our callback functions will
2833 * get called reentrantly, which is bad for us.
2834 */
2836 socket,
2838 state,
2839 BEV_OPT_DEFER_CALLBACKS);
2840 }
2843 /* Unblock _after_ creating the bufferevent, since accept/connect tend to
2844 * clear flags. */
2848 }
2849 #endif