1 /* Copyright (c) 2003, Roger Dingledine.
2 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
3 * Copyright (c) 2007, The Tor Project, Inc. */
4 /* See LICENSE for licensing information */
6 const char tortls_c_id
[] =
11 * \brief Wrapper functions to present a consistent interface to
12 * TLS, SSL, and X.509 functions from OpenSSL.
15 /* (Unlike other tor functions, these
16 * are prefixed with tor_ in order to avoid conflicting with OpenSSL
17 * functions and variables.)
23 #include <openssl/ssl.h>
24 #include <openssl/ssl3.h>
25 #include <openssl/err.h>
26 #include <openssl/tls1.h>
27 #include <openssl/asn1.h>
28 #include <openssl/bio.h>
29 #include <openssl/opensslv.h>
31 #if OPENSSL_VERSION_NUMBER < 0x00907000l
32 #error "We require openssl >= 0.9.7"
35 #define CRYPTO_PRIVATE /* to import prototypes from crypto.h */
41 #include "container.h"
45 // #define V2_HANDSHAKE_SERVER
46 // #define V2_HANDSHAKE_CLIENT
48 /* Copied from or.h */
49 #define LEGAL_NICKNAME_CHARACTERS \
50 "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
52 /** How long do identity certificates live? (sec) */
53 #define IDENTITY_CERT_LIFETIME (365*24*60*60)
55 /** Structure holding the TLS state for a single connection. */
56 typedef struct tor_tls_context_t
{
64 /** Holds a SSL object and its associated data. Members are only
65 * accessed from within tortls.c.
68 HT_ENTRY(tor_tls_t
) node
;
69 tor_tls_context_t
*context
; /**DOCDOC */
70 SSL
*ssl
; /**< An OpenSSL SSL object. */
71 int socket
; /**< The underlying file descriptor for this TLS connection. */
73 TOR_TLS_ST_HANDSHAKE
, TOR_TLS_ST_OPEN
, TOR_TLS_ST_GOTCLOSE
,
74 TOR_TLS_ST_SENTCLOSE
, TOR_TLS_ST_CLOSED
, TOR_TLS_ST_RENEGOTIATE
,
75 } state
: 3; /**< The current SSL state, depending on which operations have
76 * completed successfully. */
77 unsigned int isServer
:1; /**< True iff this is a server-side connection */
78 unsigned int hadCert
:1; /**< Docdoc */
79 unsigned int wasV2Handshake
:1; /**< DOCDOC */
80 size_t wantwrite_n
; /**< 0 normally, >0 if we returned wantwrite last
82 unsigned long last_write_count
;
83 unsigned long last_read_count
;
84 void (*negotiated_callback
)(tor_tls_t
*tls
, void *arg
);
88 /** Helper: compare tor_tls_t objects by its SSL. */
90 tor_tls_entries_eq(const tor_tls_t
*a
, const tor_tls_t
*b
)
92 return a
->ssl
== b
->ssl
;
95 /** Helper: return a hash value for a tor_tls_t by its SSL. */
96 static INLINE
unsigned int
97 tor_tls_entry_hash(const tor_tls_t
*a
)
99 #if SIZEOF_INT == SIZEOF_VOID_P
100 return ((unsigned int)a
->ssl
);
102 return (unsigned int) ((((uint64_t)a
->ssl
)>>2) & UINT_MAX
);
106 /** Map from SSL* pointers to tor_tls_t objects using those pointers.
108 static HT_HEAD(tlsmap
, tor_tls_t
) tlsmap_root
= HT_INITIALIZER();
110 HT_PROTOTYPE(tlsmap
, tor_tls_t
, node
, tor_tls_entry_hash
,
112 HT_GENERATE(tlsmap
, tor_tls_t
, node
, tor_tls_entry_hash
,
113 tor_tls_entries_eq
, 0.6, malloc
, realloc
, free
)
115 /** Helper: given a SSL* pointer, return the tor_tls_t object using that
117 static INLINE tor_tls_t
*
118 tor_tls_get_by_ssl(SSL
*ssl
)
120 tor_tls_t search
, *result
;
121 memset(&search
, 0, sizeof(search
));
123 result
= HT_FIND(tlsmap
, &tlsmap_root
, &search
);
127 static void tor_tls_context_decref(tor_tls_context_t
*ctx
);
128 static void tor_tls_context_incref(tor_tls_context_t
*ctx
);
129 static X509
* tor_tls_create_certificate(crypto_pk_env_t
*rsa
,
130 crypto_pk_env_t
*rsa_sign
,
132 const char *cname_sign
,
133 unsigned int lifetime
);
135 /** Global tls context. We keep it here because nobody else needs to
137 static tor_tls_context_t
*global_tls_context
= NULL
;
138 /** True iff tor_tls_init() has been called. */
139 static int tls_library_is_initialized
= 0;
141 /* Module-internal error codes. */
142 #define _TOR_TLS_SYSCALL (_MIN_TOR_TLS_ERROR_VAL - 2)
143 #define _TOR_TLS_ZERORETURN (_MIN_TOR_TLS_ERROR_VAL - 1)
145 /** Log all pending tls errors at level <b>severity</b>. Use
146 * <b>doing</b> to describe our current activities.
149 tls_log_errors(int severity
, const char *doing
)
152 const char *msg
, *lib
, *func
;
153 while ((err
= ERR_get_error()) != 0) {
154 msg
= (const char*)ERR_reason_error_string(err
);
155 lib
= (const char*)ERR_lib_error_string(err
);
156 func
= (const char*)ERR_func_error_string(err
);
157 if (!msg
) msg
= "(null)";
159 log(severity
, LD_NET
, "TLS error while %s: %s (in %s:%s)",
160 doing
, msg
, lib
,func
);
162 log(severity
, LD_NET
, "TLS error: %s (in %s:%s)", msg
, lib
, func
);
167 /** Convert an errno (or a WSAerrno on windows) into a TOR_TLS_* error
170 tor_errno_to_tls_error(int e
)
172 #if defined(MS_WINDOWS) && !defined(USE_BSOCKETS)
174 case WSAECONNRESET
: // most common
175 return TOR_TLS_ERROR_CONNRESET
;
177 return TOR_TLS_ERROR_TIMEOUT
;
179 case WSAEHOSTUNREACH
:
180 return TOR_TLS_ERROR_NO_ROUTE
;
181 case WSAECONNREFUSED
:
182 return TOR_TLS_ERROR_CONNREFUSED
; // least common
184 return TOR_TLS_ERROR_MISC
;
188 case ECONNRESET
: // most common
189 return TOR_TLS_ERROR_CONNRESET
;
191 return TOR_TLS_ERROR_TIMEOUT
;
194 return TOR_TLS_ERROR_NO_ROUTE
;
196 return TOR_TLS_ERROR_CONNREFUSED
; // least common
198 return TOR_TLS_ERROR_MISC
;
205 tor_tls_err_to_string(int err
)
208 return "[Not an error.]";
210 case TOR_TLS_ERROR_MISC
: return "misc error";
211 case TOR_TLS_ERROR_IO
: return "unexpected close";
212 case TOR_TLS_ERROR_CONNREFUSED
: return "connection refused";
213 case TOR_TLS_ERROR_CONNRESET
: return "connection reset";
214 case TOR_TLS_ERROR_NO_ROUTE
: return "host unreachable";
215 case TOR_TLS_ERROR_TIMEOUT
: return "connection timed out";
216 case TOR_TLS_CLOSE
: return "closed";
217 case TOR_TLS_WANTREAD
: return "want to read";
218 case TOR_TLS_WANTWRITE
: return "want to write";
219 default: return "(unknown error code)";
223 #define CATCH_SYSCALL 1
226 /** Given a TLS object and the result of an SSL_* call, use
227 * SSL_get_error to determine whether an error has occurred, and if so
228 * which one. Return one of TOR_TLS_{DONE|WANTREAD|WANTWRITE|ERROR}.
229 * If extra&CATCH_SYSCALL is true, return _TOR_TLS_SYSCALL instead of
230 * reporting syscall errors. If extra&CATCH_ZERO is true, return
231 * _TOR_TLS_ZERORETURN instead of reporting zero-return errors.
233 * If an error has occurred, log it at level <b>severity</b> and describe the
234 * current action as <b>doing</b>.
237 tor_tls_get_error(tor_tls_t
*tls
, int r
, int extra
,
238 const char *doing
, int severity
)
240 int err
= SSL_get_error(tls
->ssl
, r
);
241 int tor_error
= TOR_TLS_ERROR_MISC
;
245 case SSL_ERROR_WANT_READ
:
246 return TOR_TLS_WANTREAD
;
247 case SSL_ERROR_WANT_WRITE
:
248 return TOR_TLS_WANTWRITE
;
249 case SSL_ERROR_SYSCALL
:
250 if (extra
&CATCH_SYSCALL
)
251 return _TOR_TLS_SYSCALL
;
253 log(severity
, LD_NET
, "TLS error: unexpected close while %s", doing
);
254 tor_error
= TOR_TLS_ERROR_IO
;
256 int e
= tor_socket_errno(tls
->socket
);
257 log(severity
, LD_NET
,
258 "TLS error: <syscall error while %s> (errno=%d: %s)",
259 doing
, e
, tor_socket_strerror(e
));
260 tor_error
= tor_errno_to_tls_error(e
);
262 tls_log_errors(severity
, doing
);
264 case SSL_ERROR_ZERO_RETURN
:
265 if (extra
&CATCH_ZERO
)
266 return _TOR_TLS_ZERORETURN
;
267 log(severity
, LD_NET
, "TLS error: Zero return");
268 tls_log_errors(severity
, doing
);
269 /* XXXX020 Actually, a 'zero return' error has a pretty specific meaning:
270 * the connection has been closed cleanly. */
271 return TOR_TLS_ERROR_MISC
;
273 tls_log_errors(severity
, doing
);
274 return TOR_TLS_ERROR_MISC
;
278 /** Initialize OpenSSL, unless it has already been initialized.
283 if (!tls_library_is_initialized
) {
285 SSL_load_error_strings();
286 crypto_global_init(-1);
287 tls_library_is_initialized
= 1;
291 /** Free all global TLS structures. */
293 tor_tls_free_all(void)
295 if (global_tls_context
) {
296 tor_tls_context_decref(global_tls_context
);
297 global_tls_context
= NULL
;
301 /** We need to give OpenSSL a callback to verify certificates. This is
302 * it: We always accept peer certs and complete the handshake. We
303 * don't validate them until later.
306 always_accept_verify_cb(int preverify_ok
,
307 X509_STORE_CTX
*x509_ctx
)
309 /* avoid "unused parameter" warning. */
315 /** Generate and sign an X509 certificate with the public key <b>rsa</b>,
316 * signed by the private key <b>rsa_sign</b>. The commonName of the
317 * certificate will be <b>cname</b>; the commonName of the issuer will be
318 * <b>cname_sign</b>. The cert will be valid for <b>cert_lifetime</b> seconds
319 * starting from now. Return a certificate on success, NULL on
323 tor_tls_create_certificate(crypto_pk_env_t
*rsa
,
324 crypto_pk_env_t
*rsa_sign
,
326 const char *cname_sign
,
327 unsigned int cert_lifetime
)
329 time_t start_time
, end_time
;
330 EVP_PKEY
*sign_pkey
= NULL
, *pkey
=NULL
;
332 X509_NAME
*name
= NULL
, *name_issuer
=NULL
;
337 start_time
= time(NULL
);
341 tor_assert(rsa_sign
);
342 tor_assert(cname_sign
);
343 if (!(sign_pkey
= _crypto_pk_env_get_evp_pkey(rsa_sign
,1)))
345 if (!(pkey
= _crypto_pk_env_get_evp_pkey(rsa
,0)))
347 if (!(x509
= X509_new()))
349 if (!(X509_set_version(x509
, 2)))
351 if (!(ASN1_INTEGER_set(X509_get_serialNumber(x509
), (long)start_time
)))
354 if (!(name
= X509_NAME_new()))
356 if ((nid
= OBJ_txt2nid("organizationName")) == NID_undef
)
358 if (!(X509_NAME_add_entry_by_NID(name
, nid
, MBSTRING_ASC
,
359 (unsigned char*)"t o r", -1, -1, 0)))
361 if ((nid
= OBJ_txt2nid("commonName")) == NID_undef
) goto error
;
362 if (!(X509_NAME_add_entry_by_NID(name
, nid
, MBSTRING_ASC
,
363 (unsigned char*)cname
, -1, -1, 0)))
365 if (!(X509_set_subject_name(x509
, name
)))
368 if (!(name_issuer
= X509_NAME_new()))
370 if ((nid
= OBJ_txt2nid("organizationName")) == NID_undef
)
372 if (!(X509_NAME_add_entry_by_NID(name_issuer
, nid
, MBSTRING_ASC
,
373 (unsigned char*)"t o r", -1, -1, 0)))
375 if ((nid
= OBJ_txt2nid("commonName")) == NID_undef
) goto error
;
376 if (!(X509_NAME_add_entry_by_NID(name_issuer
, nid
, MBSTRING_ASC
,
377 (unsigned char*)cname_sign
, -1, -1, 0)))
379 if (!(X509_set_issuer_name(x509
, name_issuer
)))
382 if (!X509_time_adj(X509_get_notBefore(x509
),0,&start_time
))
384 end_time
= start_time
+ cert_lifetime
;
385 if (!X509_time_adj(X509_get_notAfter(x509
),0,&end_time
))
387 if (!X509_set_pubkey(x509
, pkey
))
389 if (!X509_sign(x509
, sign_pkey
, EVP_sha1()))
399 tls_log_errors(LOG_WARN
, "generating certificate");
401 EVP_PKEY_free(sign_pkey
);
405 X509_NAME_free(name
);
407 X509_NAME_free(name_issuer
);
411 #define SERVER_CIPHER_LIST \
412 (TLS1_TXT_DHE_RSA_WITH_AES_256_SHA ":" \
413 TLS1_TXT_DHE_RSA_WITH_AES_128_SHA ":" \
414 SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA)
415 /* Note: for setting up your own private testing network with link crypto
416 * disabled, set the cipher lists to your cipher list to
417 * SSL3_TXT_RSA_NULL_SHA. If you do this, you won't be able to communicate
418 * with any of the "real" Tors, though. */
420 #if OPENSSL_VERSION_NUMBER >= 0x00908000l
421 #define CLIENT_CIPHER_LIST \
422 (TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA ":" \
423 TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA ":" \
424 TLS1_TXT_DHE_RSA_WITH_AES_256_SHA ":" \
425 TLS1_TXT_DHE_DSS_WITH_AES_256_SHA ":" \
426 TLS1_TXT_ECDH_RSA_WITH_AES_256_CBC_SHA ":" \
427 TLS1_TXT_ECDH_ECDSA_WITH_AES_256_CBC_SHA ":" \
428 TLS1_TXT_RSA_WITH_AES_256_SHA ":" \
429 TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA ":" \
430 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA ":" \
431 TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA ":" \
432 TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA ":" \
433 TLS1_TXT_DHE_RSA_WITH_AES_128_SHA ":" \
434 TLS1_TXT_DHE_DSS_WITH_AES_128_SHA ":" \
435 TLS1_TXT_ECDH_RSA_WITH_RC4_128_SHA":" \
436 TLS1_TXT_ECDH_RSA_WITH_AES_128_CBC_SHA":" \
437 TLS1_TXT_ECDH_ECDSA_WITH_RC4_128_SHA ":" \
438 TLS1_TXT_ECDH_ECDSA_WITH_AES_128_CBC_SHA ":" \
439 SSL3_TXT_RSA_RC4_128_MD5 ":" \
440 SSL3_TXT_RSA_RC4_128_SHA ":" \
441 TLS1_TXT_RSA_WITH_AES_128_SHA ":" \
442 TLS1_TXT_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA ":" \
443 TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA ":" \
444 SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA ":" \
445 SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA ":" \
446 TLS1_TXT_ECDH_RSA_WITH_DES_192_CBC3_SHA ":" \
447 TLS1_TXT_ECDH_ECDSA_WITH_DES_192_CBC3_SHA ":" \
448 /*SSL3_TXT_RSA_FIPS_WITH_3DES_EDE_CBC_SHA ":"*/ \
449 SSL3_TXT_RSA_DES_192_CBC3_SHA)
450 /* SSL3_TXT_RSA_FIPS_WITH_3DES_EDE_CBC_SHA is commented out because it doesn't
451 * really exist; if I understand correctly, it's a bit of silliness that
452 * netscape did on its own before any standard for what they wanted was
453 * formally approved. Nonetheless, Firefox still uses it, so we need to
454 * fake it at some point soon. XXXX020 -NM */
456 /* Ug. We don't have as many ciphers with openssl 0.9.7 as we'd like. Fix
457 * this list into something that sucks less. */
458 #define CLIENT_CIPHER_LIST \
459 (TLS1_TXT_DHE_RSA_WITH_AES_256_SHA ":" \
460 TLS1_TXT_DHE_RSA_WITH_AES_128_SHA ":" \
461 SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA ":" \
462 SSL3_TXT_RSA_RC4_128_SHA)
465 #ifndef V2_HANDSHAKE_CLIENT
466 #undef CLIENT_CIPHER_LIST
467 #define CLIENT_CIPHER_LIST (TLS1_TXT_DHE_RSA_WITH_AES_128_SHA ":" \
468 SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA)
473 tor_tls_context_decref(tor_tls_context_t
*ctx
)
476 if (--ctx
->refcnt
== 0) {
477 SSL_CTX_free(ctx
->ctx
);
478 X509_free(ctx
->my_cert
);
479 X509_free(ctx
->my_id_cert
);
480 crypto_free_pk_env(ctx
->key
);
487 tor_tls_context_incref(tor_tls_context_t
*ctx
)
492 /** Create a new TLS context for use with Tor TLS handshakes.
493 * <b>identity</b> should be set to the identity key used to sign the
494 * certificate, and <b>nickname</b> set to the nickname to use.
496 * You can call this function multiple times. Each time you call it,
497 * it generates new certificates; all new connections will use
498 * the new SSL context.
501 tor_tls_context_new(crypto_pk_env_t
*identity
, const char *nickname
,
502 unsigned int key_lifetime
)
504 crypto_pk_env_t
*rsa
= NULL
;
505 crypto_dh_env_t
*dh
= NULL
;
506 EVP_PKEY
*pkey
= NULL
;
507 tor_tls_context_t
*result
= NULL
;
508 X509
*cert
= NULL
, *idcert
= NULL
;
512 tor_snprintf(nn2
, sizeof(nn2
), "%s <signing>", nickname
);
516 /* Generate short-term RSA key. */
517 if (!(rsa
= crypto_new_pk_env()))
519 if (crypto_pk_generate_key(rsa
)<0)
521 /* Create certificate signed by identity key. */
522 cert
= tor_tls_create_certificate(rsa
, identity
, nickname
, nn2
,
524 /* Create self-signed certificate for identity key. */
525 idcert
= tor_tls_create_certificate(identity
, identity
, nn2
, nn2
,
526 IDENTITY_CERT_LIFETIME
);
527 if (!cert
|| !idcert
) {
528 log(LOG_WARN
, LD_CRYPTO
, "Error creating certificate");
532 result
= tor_malloc_zero(sizeof(tor_tls_context_t
));
534 result
->my_cert
= X509_dup(cert
);
535 result
->my_id_cert
= X509_dup(idcert
);
536 result
->key
= crypto_pk_dup_key(rsa
);
538 #ifdef EVERYONE_HAS_AES
539 /* Tell OpenSSL to only use TLS1 */
540 if (!(result
->ctx
= SSL_CTX_new(TLSv1_method())))
543 /* Tell OpenSSL to use SSL3 or TLS1 but not SSL2. */
544 if (!(result
->ctx
= SSL_CTX_new(SSLv23_method())))
546 SSL_CTX_set_options(result
->ctx
, SSL_OP_NO_SSLv2
);
548 SSL_CTX_set_options(result
->ctx
, SSL_OP_SINGLE_DH_USE
);
549 if (cert
&& !SSL_CTX_use_certificate(result
->ctx
,cert
))
551 X509_free(cert
); /* We just added a reference to cert. */
554 X509_STORE
*s
= SSL_CTX_get_cert_store(result
->ctx
);
556 X509_STORE_add_cert(s
, idcert
);
557 X509_free(idcert
); /* The context now owns the reference to idcert */
560 SSL_CTX_set_session_cache_mode(result
->ctx
, SSL_SESS_CACHE_OFF
);
562 if (!(pkey
= _crypto_pk_env_get_evp_pkey(rsa
,1)))
564 if (!SSL_CTX_use_PrivateKey(result
->ctx
, pkey
))
568 if (!SSL_CTX_check_private_key(result
->ctx
))
570 dh
= crypto_dh_new();
571 SSL_CTX_set_tmp_dh(result
->ctx
, _crypto_dh_env_get_dh(dh
));
573 SSL_CTX_set_verify(result
->ctx
, SSL_VERIFY_PEER
,
574 always_accept_verify_cb
);
575 /* let us realloc bufs that we're writing from */
576 SSL_CTX_set_mode(result
->ctx
, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER
);
577 /* Free the old context if one exists. */
578 if (global_tls_context
) {
579 /* This is safe even if there are open connections: OpenSSL does
580 * reference counting with SSL and SSL_CTX objects. */
581 tor_tls_context_decref(global_tls_context
);
583 global_tls_context
= result
;
585 crypto_free_pk_env(rsa
);
589 tls_log_errors(LOG_WARN
, "creating TLS context");
593 crypto_free_pk_env(rsa
);
597 tor_tls_context_decref(result
);
605 #ifdef V2_HANDSHAKE_SERVER
608 tor_tls_client_is_using_v2_ciphers(const SSL
*ssl
)
611 SSL_SESSION
*session
;
612 /* If we reached this point, we just got a client hello. See if there is
614 if (!(session
= SSL_get_session(ssl
))) {
615 log_warn(LD_NET
, "No session on TLS?");
618 if (!session
->ciphers
) {
619 log_warn(LD_NET
, "No ciphers on session");
622 /* Now we need to see if there are any ciphers whose presence means we're
623 * dealing with an updated Tor. */
624 for (i
= 0; i
< sk_SSL_CIPHER_num(session
->ciphers
); ++i
) {
625 SSL_CIPHER
*cipher
= sk_SSL_CIPHER_value(session
->ciphers
, i
);
626 const char *ciphername
= SSL_CIPHER_get_name(cipher
);
627 if (strcmp(ciphername
, TLS1_TXT_DHE_RSA_WITH_AES_128_SHA
) &&
628 strcmp(ciphername
, TLS1_TXT_DHE_RSA_WITH_AES_256_SHA
) &&
629 strcmp(ciphername
, SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA
) &&
630 strcmp(ciphername
, "(NONE)")) {
631 /* XXXX should be ld_debug */
632 log_info(LD_NET
, "Got a non-version-1 cipher called '%s'",ciphername
);
640 smartlist_t
*elts
= smartlist_create();
642 for (i
= 0; i
< sk_SSL_CIPHER_num(session
->ciphers
); ++i
) {
643 SSL_CIPHER
*cipher
= sk_SSL_CIPHER_value(session
->ciphers
, i
);
644 const char *ciphername
= SSL_CIPHER_get_name(cipher
);
645 smartlist_add(elts
, (char*)ciphername
);
647 s
= smartlist_join_strings(elts
, ":", 0, NULL
);
648 log_info(LD_NET
, "Got a non-version-1 cipher list. It is: '%s'", s
);
650 smartlist_free(elts
);
657 tor_tls_server_info_callback(const SSL
*ssl
, int type
, int val
)
660 if (type
!= SSL_CB_ACCEPT_LOOP
)
662 if (ssl
->state
!= SSL3_ST_SW_SRVR_HELLO_A
)
665 if (tor_tls_client_is_using_v2_ciphers(ssl
)) {
667 /* Yes, we're casting away the const from ssl. This is very naughty of us.
668 * Let's hope openssl doesn't notice! */
670 /* Set SSL_MODE_NO_AUTO_CHAIN to keep from sending back any extra certs. */
671 SSL_set_mode((SSL
*) ssl
, SSL_MODE_NO_AUTO_CHAIN
);
672 /* Don't send a hello request. */
673 SSL_set_verify((SSL
*) ssl
, SSL_VERIFY_NONE
, NULL
);
675 tls
= tor_tls_get_by_ssl((SSL
*)ssl
);
677 tls
->wasV2Handshake
= 1;
679 log_warn(LD_BUG
, "Couldn't look up the tls for an SSL*. How odd!");
685 /** Create a new TLS object from a file descriptor, and a flag to
686 * determine whether it is functioning as a server.
689 tor_tls_new(int sock
, int isServer
)
692 tor_tls_t
*result
= tor_malloc_zero(sizeof(tor_tls_t
));
694 tor_assert(global_tls_context
); /* make sure somebody made it first */
695 if (!(result
->ssl
= SSL_new(global_tls_context
->ctx
))) {
696 tls_log_errors(LOG_WARN
, "generating TLS context");
700 if (!SSL_set_cipher_list(result
->ssl
,
701 isServer
? SERVER_CIPHER_LIST
: CLIENT_CIPHER_LIST
)) {
702 SSL_free(result
->ssl
);
706 result
->socket
= sock
;
708 bio
= BIO_new_bsocket(sock
, BIO_NOCLOSE
);
710 bio
= BIO_new_socket(sock
, BIO_NOCLOSE
);
713 tls_log_errors(LOG_WARN
, "opening BIO");
714 SSL_free(result
->ssl
);
718 HT_INSERT(tlsmap
, &tlsmap_root
, result
);
719 SSL_set_bio(result
->ssl
, bio
, bio
);
720 tor_tls_context_incref(global_tls_context
);
721 result
->context
= global_tls_context
;
722 result
->state
= TOR_TLS_ST_HANDSHAKE
;
723 result
->isServer
= isServer
;
724 result
->wantwrite_n
= 0;
725 #ifdef V2_HANDSHAKE_SERVER
727 SSL_set_info_callback(result
->ssl
, tor_tls_server_info_callback
);
730 /* Not expected to get called. */
731 tls_log_errors(LOG_WARN
, "generating TLS context");
737 tor_tls_set_renegotiate_callback(tor_tls_t
*tls
,
738 void (*cb
)(tor_tls_t
*, void *arg
),
741 tls
->negotiated_callback
= cb
;
742 tls
->callback_arg
= arg
;
745 /** Return whether this tls initiated the connect (client) or
746 * received it (server). */
748 tor_tls_is_server(tor_tls_t
*tls
)
751 return tls
->isServer
;
754 /** Release resources associated with a TLS object. Does not close the
755 * underlying file descriptor.
758 tor_tls_free(tor_tls_t
*tls
)
761 tor_assert(tls
&& tls
->ssl
);
762 removed
= HT_REMOVE(tlsmap
, &tlsmap_root
, tls
);
764 log_warn(LD_BUG
, "Freeing a TLS that was not in the ssl->tls map.");
768 tls
->negotiated_callback
= NULL
;
770 tor_tls_context_decref(tls
->context
);
774 /** Underlying function for TLS reading. Reads up to <b>len</b>
775 * characters from <b>tls</b> into <b>cp</b>. On success, returns the
776 * number of characters read. On failure, returns TOR_TLS_ERROR,
777 * TOR_TLS_CLOSE, TOR_TLS_WANTREAD, or TOR_TLS_WANTWRITE.
780 tor_tls_read(tor_tls_t
*tls
, char *cp
, size_t len
)
784 tor_assert(tls
->ssl
);
785 tor_assert(tls
->state
== TOR_TLS_ST_OPEN
);
786 r
= SSL_read(tls
->ssl
, cp
, len
);
788 #ifdef V2_HANDSHAKE_SERVER
789 if (!tls
->hadCert
&& tls
->ssl
->session
&& tls
->ssl
->session
->peer
) {
791 /* New certificate! */
792 log_info(LD_NET
, "Got a TLS renegotiation.");
793 if (tls
->negotiated_callback
)
794 tls
->negotiated_callback(tls
, tls
->callback_arg
);
799 err
= tor_tls_get_error(tls
, r
, CATCH_ZERO
, "reading", LOG_DEBUG
);
800 if (err
== _TOR_TLS_ZERORETURN
) {
801 log_debug(LD_NET
,"read returned r=%d; TLS is closed",r
);
802 tls
->state
= TOR_TLS_ST_CLOSED
;
803 return TOR_TLS_CLOSE
;
805 tor_assert(err
!= TOR_TLS_DONE
);
806 log_debug(LD_NET
,"read returned r=%d, err=%d",r
,err
);
811 /** Underlying function for TLS writing. Write up to <b>n</b>
812 * characters from <b>cp</b> onto <b>tls</b>. On success, returns the
813 * number of characters written. On failure, returns TOR_TLS_ERROR,
814 * TOR_TLS_WANTREAD, or TOR_TLS_WANTWRITE.
817 tor_tls_write(tor_tls_t
*tls
, const char *cp
, size_t n
)
821 tor_assert(tls
->ssl
);
822 tor_assert(tls
->state
== TOR_TLS_ST_OPEN
);
825 if (tls
->wantwrite_n
) {
826 /* if WANTWRITE last time, we must use the _same_ n as before */
827 tor_assert(n
>= tls
->wantwrite_n
);
828 log_debug(LD_NET
,"resuming pending-write, (%d to flush, reusing %d)",
829 (int)n
, (int)tls
->wantwrite_n
);
830 n
= tls
->wantwrite_n
;
831 tls
->wantwrite_n
= 0;
833 r
= SSL_write(tls
->ssl
, cp
, n
);
834 err
= tor_tls_get_error(tls
, r
, 0, "writing", LOG_INFO
);
835 if (err
== TOR_TLS_DONE
) {
838 if (err
== TOR_TLS_WANTWRITE
|| err
== TOR_TLS_WANTREAD
) {
839 tls
->wantwrite_n
= n
;
844 /** Perform initial handshake on <b>tls</b>. When finished, returns
845 * TOR_TLS_DONE. On failure, returns TOR_TLS_ERROR, TOR_TLS_WANTREAD,
846 * or TOR_TLS_WANTWRITE.
849 tor_tls_handshake(tor_tls_t
*tls
)
853 tor_assert(tls
->ssl
);
854 tor_assert(tls
->state
== TOR_TLS_ST_HANDSHAKE
);
855 check_no_tls_errors();
857 r
= SSL_accept(tls
->ssl
);
859 r
= SSL_connect(tls
->ssl
);
861 r
= tor_tls_get_error(tls
,r
,0, "handshaking", LOG_INFO
);
862 if (ERR_peek_error() != 0) {
863 tls_log_errors(tls
->isServer
? LOG_INFO
: LOG_WARN
,
865 return TOR_TLS_ERROR_MISC
;
867 if (r
== TOR_TLS_DONE
) {
868 tls
->state
= TOR_TLS_ST_OPEN
;
869 tls
->hadCert
= tor_tls_peer_has_cert(tls
) ? 1 : 0;
871 SSL_set_info_callback(tls
->ssl
, NULL
);
872 SSL_set_verify(tls
->ssl
, SSL_VERIFY_NONE
, always_accept_verify_cb
);
873 /* There doesn't seem to be a clear OpenSSL API to clear mode flags. */
874 tls
->ssl
->mode
&= ~SSL_MODE_NO_AUTO_CHAIN
;
875 #ifdef V2_HANDSHAKE_SERVER
876 if (tor_tls_client_is_using_v2_ciphers(tls
->ssl
)) {
877 /* This check is redundant, but back when we did it in the callback,
878 * we might have not been able to look up the tor_tls_t if the code
879 * was buggy. Fixing that. */
880 if (!tls
->wasV2Handshake
) {
881 log_warn(LD_BUG
, "For some reason, wasV2Handshake didn't"
882 " get set. Fixing that.");
884 tls
->wasV2Handshake
= 1;
886 tls
->wasV2Handshake
= 0;
890 #ifdef V2_HANDSHAKE_CLIENT
891 /* If we got no ID cert, we're a v2 handshake. */
892 X509
*cert
= SSL_get_peer_certificate(tls
->ssl
);/*XXXX020 refcnt?*/
893 STACK_OF(X509
) *chain
= SSL_get_peer_cert_chain(tls
->ssl
);
894 int n_certs
= sk_X509_num(chain
);
895 if (n_certs
> 1 || (n_certs
== 1 && cert
!= sk_X509_value(chain
, 0)))
896 tls
->wasV2Handshake
= 0;
898 log_notice(LD_NET
, "I think I got a v2 handshake!");
899 tls
->wasV2Handshake
= 1;
902 SSL_set_cipher_list(tls
->ssl
, SERVER_CIPHER_LIST
);
908 /** Client only: Renegotiate a TLS session. When finished, returns
909 * TOR_TLS_DONE. On failure, returns TOR_TLS_ERROR, TOR_TLS_WANTREAD, or
913 tor_tls_renegotiate(tor_tls_t
*tls
)
917 /* We could do server-initiated renegotiation too, but that would be tricky.
918 * Instead of "SSL_renegotiate, then SSL_do_handshake until done" */
919 tor_assert(!tls
->isServer
);
920 if (tls
->state
!= TOR_TLS_ST_RENEGOTIATE
) {
921 int r
= SSL_renegotiate(tls
->ssl
);
923 return tor_tls_get_error(tls
, r
, CATCH_SYSCALL
|CATCH_ZERO
,
924 "renegotiating", LOG_WARN
);
926 tls
->state
= TOR_TLS_ST_RENEGOTIATE
;
928 r
= SSL_do_handshake(tls
->ssl
);
930 tls
->state
= TOR_TLS_ST_OPEN
;
933 return tor_tls_get_error(tls
, r
, CATCH_SYSCALL
|CATCH_ZERO
,
934 "renegotiating handshake", LOG_WARN
);
937 /** Shut down an open tls connection <b>tls</b>. When finished, returns
938 * TOR_TLS_DONE. On failure, returns TOR_TLS_ERROR, TOR_TLS_WANTREAD,
939 * or TOR_TLS_WANTWRITE.
942 tor_tls_shutdown(tor_tls_t
*tls
)
947 tor_assert(tls
->ssl
);
950 if (tls
->state
== TOR_TLS_ST_SENTCLOSE
) {
951 /* If we've already called shutdown once to send a close message,
952 * we read until the other side has closed too.
955 r
= SSL_read(tls
->ssl
, buf
, 128);
957 err
= tor_tls_get_error(tls
, r
, CATCH_ZERO
, "reading to shut down",
959 if (err
== _TOR_TLS_ZERORETURN
) {
960 tls
->state
= TOR_TLS_ST_GOTCLOSE
;
961 /* fall through... */
967 r
= SSL_shutdown(tls
->ssl
);
969 /* If shutdown returns 1, the connection is entirely closed. */
970 tls
->state
= TOR_TLS_ST_CLOSED
;
973 err
= tor_tls_get_error(tls
, r
, CATCH_SYSCALL
|CATCH_ZERO
, "shutting down",
975 if (err
== _TOR_TLS_SYSCALL
) {
976 /* The underlying TCP connection closed while we were shutting down. */
977 tls
->state
= TOR_TLS_ST_CLOSED
;
979 } else if (err
== _TOR_TLS_ZERORETURN
) {
980 /* The TLS connection says that it sent a shutdown record, but
981 * isn't done shutting down yet. Make sure that this hasn't
982 * happened before, then go back to the start of the function
985 if (tls
->state
== TOR_TLS_ST_GOTCLOSE
||
986 tls
->state
== TOR_TLS_ST_SENTCLOSE
) {
987 log(LOG_WARN
, LD_NET
,
988 "TLS returned \"half-closed\" value while already half-closed");
989 return TOR_TLS_ERROR_MISC
;
991 tls
->state
= TOR_TLS_ST_SENTCLOSE
;
992 /* fall through ... */
999 /** Return true iff this TLS connection is authenticated.
1002 tor_tls_peer_has_cert(tor_tls_t
*tls
)
1005 cert
= SSL_get_peer_certificate(tls
->ssl
);
1006 tls_log_errors(LOG_WARN
, "getting peer certificate");
1015 tor_tls_get_cert_digests(tor_tls_t
*tls
,
1016 char *my_digest_out
,
1017 char *peer_digest_out
)
1021 tor_assert(tls
&& tls
->context
);
1022 cert
= tls
->context
->my_cert
;
1024 X509_digest(cert
, EVP_sha1(), (unsigned char*)my_digest_out
, &len
);
1025 if (len
!= DIGEST_LEN
)
1028 cert
= SSL_get_peer_certificate(tls
->ssl
);
1030 X509_digest(cert
, EVP_sha1(), (unsigned char*)peer_digest_out
, &len
);
1031 if (len
!= DIGEST_LEN
)
1039 tor_tls_dup_private_key(tor_tls_t
*tls
)
1041 return crypto_pk_dup_key(tls
->context
->key
);
1046 tor_tls_encode_my_certificate(tor_tls_t
*tls
, size_t *size_out
,
1049 unsigned char *result
, *cp
;
1052 tor_assert(tls
&& tls
->context
);
1053 cert
= conn_cert
? tls
->context
->my_cert
: tls
->context
->my_id_cert
;
1055 certlen
= i2d_X509(cert
, NULL
);
1056 tor_assert(certlen
>= 0);
1057 cp
= result
= tor_malloc(certlen
);
1058 i2d_X509(cert
, &cp
);
1059 tor_assert(cp
-result
== certlen
);
1060 *size_out
= (size_t)certlen
;
1061 return (char*) result
;
1064 /** Warn that a certificate lifetime extends through a certain range. */
1066 log_cert_lifetime(X509
*cert
, const char *problem
)
1070 char *s1
=NULL
, *s2
=NULL
;
1072 time_t now
= time(NULL
);
1076 log_warn(LD_GENERAL
,
1077 "Certificate %s: is your system clock set incorrectly?",
1080 if (!(bio
= BIO_new(BIO_s_mem()))) {
1081 log_warn(LD_GENERAL
, "Couldn't allocate BIO!"); goto end
;
1083 if (!(ASN1_TIME_print(bio
, X509_get_notBefore(cert
)))) {
1084 tls_log_errors(LOG_WARN
, "printing certificate lifetime");
1087 BIO_get_mem_ptr(bio
, &buf
);
1088 s1
= tor_strndup(buf
->data
, buf
->length
);
1090 (void)BIO_reset(bio
);
1091 if (!(ASN1_TIME_print(bio
, X509_get_notAfter(cert
)))) {
1092 tls_log_errors(LOG_WARN
, "printing certificate lifetime");
1095 BIO_get_mem_ptr(bio
, &buf
);
1096 s2
= tor_strndup(buf
->data
, buf
->length
);
1098 strftime(mytime
, 32, "%b %d %H:%M:%S %Y GMT", tor_gmtime_r(&now
, &tm
));
1100 log_warn(LD_GENERAL
,
1101 "(certificate lifetime runs from %s through %s. Your time is %s.)",
1105 /* Not expected to get invoked */
1106 tls_log_errors(LOG_WARN
, "getting certificate lifetime");
1116 * cert_out needs to be freed. id_cert_out doesn't. */
1118 try_to_extract_certs_from_tls(int severity
, tor_tls_t
*tls
,
1119 X509
**cert_out
, X509
**id_cert_out
)
1121 X509
*cert
= NULL
, *id_cert
= NULL
;
1122 STACK_OF(X509
) *chain
= NULL
;
1123 int num_in_chain
, i
;
1124 *cert_out
= *id_cert_out
= NULL
;
1126 if (!(cert
= SSL_get_peer_certificate(tls
->ssl
)))
1129 if (!(chain
= SSL_get_peer_cert_chain(tls
->ssl
)))
1131 num_in_chain
= sk_X509_num(chain
);
1132 /* 1 means we're receiving (server-side), and it's just the id_cert.
1133 * 2 means we're connecting (client-side), and it's both the link
1134 * cert and the id_cert.
1136 if (num_in_chain
< 1) {
1137 log_fn(severity
,LD_PROTOCOL
,
1138 "Unexpected number of certificates in chain (%d)",
1142 for (i
=0; i
<num_in_chain
; ++i
) {
1143 id_cert
= sk_X509_value(chain
, i
);
1144 if (X509_cmp(id_cert
, cert
) != 0)
1147 *id_cert_out
= id_cert
;
1150 /** If the provided tls connection is authenticated and has a
1151 * certificate that is currently valid and signed, then set
1152 * *<b>identity_key</b> to the identity certificate's key and return
1153 * 0. Else, return -1 and log complaints with log-level <b>severity</b>.
1156 tor_tls_verify_v1(int severity
, tor_tls_t
*tls
, crypto_pk_env_t
**identity_key
)
1158 X509
*cert
= NULL
, *id_cert
= NULL
;
1159 EVP_PKEY
*id_pkey
= NULL
;
1163 *identity_key
= NULL
;
1165 try_to_extract_certs_from_tls(severity
, tls
, &cert
, &id_cert
);
1169 log_fn(severity
,LD_PROTOCOL
,"No distinct identity certificate found");
1172 if (!(id_pkey
= X509_get_pubkey(id_cert
)) ||
1173 X509_verify(cert
, id_pkey
) <= 0) {
1174 log_fn(severity
,LD_PROTOCOL
,"X509_verify on cert and pkey returned <= 0");
1175 tls_log_errors(severity
,"verifying certificate");
1179 rsa
= EVP_PKEY_get1_RSA(id_pkey
);
1182 *identity_key
= _crypto_new_pk_env_rsa(rsa
);
1190 EVP_PKEY_free(id_pkey
);
1192 /* This should never get invoked, but let's make sure in case OpenSSL
1193 * acts unexpectedly. */
1194 tls_log_errors(LOG_WARN
, "finishing tor_tls_verify");
1202 * Returns 1 on "verification is done", 0 on "still need LINK_AUTH."
1205 tor_tls_verify_certs_v2(int severity
, tor_tls_t
*tls
,
1206 const char *cert_str
, size_t cert_len
,
1207 const char *id_cert_str
, size_t id_cert_len
,
1208 crypto_pk_env_t
**cert_key_out
,
1209 char *conn_cert_digest_out
,
1210 crypto_pk_env_t
**id_key_out
,
1211 char *id_digest_out
)
1213 X509
*cert
= NULL
, *id_cert
= NULL
;
1214 EVP_PKEY
*id_pkey
= NULL
, *cert_pkey
= NULL
;
1215 int free_id_cert
= 0, peer_used_tls_cert
= 0;
1218 tor_assert(cert_key_out
);
1219 tor_assert(conn_cert_digest_out
);
1220 tor_assert(id_key_out
);
1221 tor_assert(id_digest_out
);
1223 *cert_key_out
= NULL
;
1225 if (cert_str
&& cert_len
) {
1226 /*XXXX020 warn on error. */
1227 const unsigned char *cp
= (const unsigned char*) cert_str
;
1228 cert
= d2i_X509(NULL
, &cp
, cert_len
);
1230 if (id_cert_str
&& id_cert_len
) {
1231 /*XXXX020 warn on error. */
1232 const unsigned char *cp
= (const unsigned char*) id_cert_str
;
1233 id_cert
= d2i_X509(NULL
, &cp
, id_cert_len
);
1240 X509
*cert_tmp
= SSL_get_peer_certificate(tls
->ssl
);
1242 peer_used_tls_cert
= 1;
1243 cmp
= X509_cmp(cert
, cert_tmp
);
1244 X509_free(cert_tmp
);
1247 log_fn(severity
, LD_PROTOCOL
,
1248 "Certificate in CERT cell didn't match TLS cert.");
1253 if (!cert
|| !id_cert
) {
1254 X509
*c
=NULL
, *id
=NULL
;
1255 try_to_extract_certs_from_tls(severity
, tls
, &c
, &id
);
1265 if (!id_cert
|| !cert
)
1268 if (!(id_pkey
= X509_get_pubkey(id_cert
)) ||
1269 X509_verify(cert
, id_pkey
) <= 0) {
1270 log_fn(severity
,LD_PROTOCOL
,"X509_verify on cert and pkey returned <= 0");
1271 tls_log_errors(severity
,"verifying certificate");
1275 if (!(*id_key_out
= _crypto_new_pk_env_evp_pkey(id_pkey
)))
1277 crypto_pk_get_digest(*id_key_out
, id_digest_out
);
1278 if (!(cert_pkey
= X509_get_pubkey(cert
)))
1280 if (!(*cert_key_out
= _crypto_new_pk_env_evp_pkey(cert_pkey
)))
1284 unsigned int len
= 0;
1285 X509_digest(cert
, EVP_sha1(), (unsigned char*)conn_cert_digest_out
, &len
);
1286 tor_assert(len
== DIGEST_LEN
);
1289 r
= peer_used_tls_cert
? 1 : 0;
1293 if (id_cert
&& free_id_cert
)
1296 EVP_PKEY_free(id_pkey
);
1298 EVP_PKEY_free(cert_pkey
);
1304 /** Check whether the certificate set on the connection <b>tls</b> is
1305 * expired or not-yet-valid, give or take <b>tolerance</b>
1306 * seconds. Return 0 for valid, -1 for failure.
1308 * NOTE: you should call tor_tls_verify before tor_tls_check_lifetime.
1311 tor_tls_check_lifetime(tor_tls_t
*tls
, int tolerance
)
1319 if (!(cert
= SSL_get_peer_certificate(tls
->ssl
)))
1322 t
= now
+ tolerance
;
1323 if (X509_cmp_time(X509_get_notBefore(cert
), &t
) > 0) {
1324 log_cert_lifetime(cert
, "not yet valid");
1327 t
= now
- tolerance
;
1328 if (X509_cmp_time(X509_get_notAfter(cert
), &t
) < 0) {
1329 log_cert_lifetime(cert
, "already expired");
1337 /* Not expected to get invoked */
1338 tls_log_errors(LOG_WARN
, "checking certificate lifetime");
1343 /** Return the number of bytes available for reading from <b>tls</b>.
1346 tor_tls_get_pending_bytes(tor_tls_t
*tls
)
1349 return SSL_pending(tls
->ssl
);
1352 /** If <b>tls</b> requires that the next write be of a particular size,
1353 * return that size. Otherwise, return 0. */
1355 tor_tls_get_forced_write_size(tor_tls_t
*tls
)
1357 return tls
->wantwrite_n
;
1360 /** Sets n_read and n_written to the number of bytes read and written,
1361 * respectivey, on the raw socket used by <b>tls</b> since the last time this
1362 * function was called on <b>tls</b>. */
1364 tor_tls_get_n_raw_bytes(tor_tls_t
*tls
, size_t *n_read
, size_t *n_written
)
1367 r
= BIO_number_read(SSL_get_rbio(tls
->ssl
));
1368 w
= BIO_number_written(SSL_get_wbio(tls
->ssl
));
1370 /* We are ok with letting these unsigned ints go "negative" here:
1371 * If we wrapped around, this should still give us the right answer, unless
1372 * we wrapped around by more than ULONG_MAX since the last time we called
1376 *n_read
= (size_t)(r
- tls
->last_read_count
);
1377 *n_written
= (size_t)(w
- tls
->last_write_count
);
1378 tls
->last_read_count
= r
;
1379 tls
->last_write_count
= w
;
1382 /** Implement check_no_tls_errors: If there are any pending OpenSSL
1383 * errors, log an error message. */
1385 _check_no_tls_errors(const char *fname
, int line
)
1387 if (ERR_peek_error() == 0)
1389 log(LOG_WARN
, LD_CRYPTO
, "Unhandled OpenSSL errors found at %s:%d: ",
1390 tor_fix_source_file(fname
), line
);
1391 tls_log_errors(LOG_WARN
, NULL
);
1396 tor_tls_used_v1_handshake(tor_tls_t
*tls
)
1398 if (tls
->isServer
) {
1399 #ifdef V2_HANDSHAKE_SERVER
1400 return ! tls
->wasV2Handshake
;
1403 #ifdef V2_HANDSHAKE_CLIENT
1404 return ! tls
->wasV2Handshake
;
1410 #if SSL3_RANDOM_SIZE != TOR_TLS_RANDOM_LEN
1411 #error "The TOR_TLS_RANDOM_LEN macro is defined incorrectly. That's a bug."
1416 tor_tls_get_random_values(tor_tls_t
*tls
, char *client_random_out
,
1417 char *server_random_out
)
1419 tor_assert(tls
&& tls
->ssl
);
1422 memcpy(client_random_out
, tls
->ssl
->s3
->client_random
, SSL3_RANDOM_SIZE
);
1423 memcpy(server_random_out
, tls
->ssl
->s3
->server_random
, SSL3_RANDOM_SIZE
);
1429 tor_tls_hmac_with_master_secret(tor_tls_t
*tls
, char *hmac_out
,
1430 const char *data
, size_t data_len
)
1433 tor_assert(tls
&& tls
->ssl
);
1434 if (!(s
= SSL_get_session(tls
->ssl
)))
1436 if (s
->master_key_length
< 0)
1438 crypto_hmac_sha1(hmac_out
,
1439 (const char*)s
->master_key
,
1440 (size_t)s
->master_key_length
,