| blob | 51ce4a6c3a2c333f361bd2b931c693dcf35000fd |
1 /* Copyright (c) 2003, Roger Dingledine.
2 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
3 * Copyright (c) 2007-2008, The Tor Project, Inc. */
4 /* See LICENSE for licensing information */
5 /* $Id$ */
9 /**
10 * \file tortls.c
11 * \brief Wrapper functions to present a consistent interface to
12 * TLS, SSL, and X.509 functions from OpenSSL.
13 **/
15 /* (Unlike other tor functions, these
16 * are prefixed with tor_ in order to avoid conflicting with OpenSSL
17 * functions and variables.)
18 */
22 #include <assert.h>
23 #include <openssl/ssl.h>
24 #include <openssl/ssl3.h>
25 #include <openssl/err.h>
26 #include <openssl/tls1.h>
27 #include <openssl/asn1.h>
28 #include <openssl/bio.h>
29 #include <openssl/opensslv.h>
31 #if OPENSSL_VERSION_NUMBER < 0x00907000l
33 #endif
43 #include <string.h>
45 // #define V2_HANDSHAKE_SERVER
46 // #define V2_HANDSHAKE_CLIENT
48 /* Copied from or.h */
49 #define LEGAL_NICKNAME_CHARACTERS \
50 "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
52 /** How long do identity certificates live? (sec) */
53 #define IDENTITY_CERT_LIFETIME (365*24*60*60)
55 /** Structure holding the TLS state for a single connection. */
64 /** Holds a SSL object and its associated data. Members are only
65 * accessed from within tortls.c.
66 */
76 * completed successfully. */
79 * this connection used the updated version
80 * of the connection protocol (client sends
81 * different cipher list, server sends only
82 * one certificate). */
84 * when we're done reading. */
86 * time. */
87 /** Last values retrieved from BIO_number_read()/write(); see
88 * tor_tls_get_n_raw_bytes() for usage.
89 */
92 /** If set, a callback to invoke whenever the client tries to renegotiate
93 * the handshake. */
95 /** Argument to pass to negotiated_callback. */
97 };
99 /** Helper: compare tor_tls_t objects by its SSL. */
102 {
104 }
106 /** Helper: return a hash value for a tor_tls_t by its SSL. */
109 {
110 #if SIZEOF_INT == SIZEOF_VOID_P
112 #else
114 #endif
115 }
117 /** Map from SSL* pointers to tor_tls_t objects using those pointers.
118 */
122 tor_tls_entries_eq)
126 /** Helper: given a SSL* pointer, return the tor_tls_t object using that
127 * pointer. */
130 {
136 }
146 /** Global tls context. We keep it here because nobody else needs to
147 * touch it. */
149 /** True iff tor_tls_init() has been called. */
152 /* Module-internal error codes. */
153 #define _TOR_TLS_SYSCALL (_MIN_TOR_TLS_ERROR_VAL - 2)
154 #define _TOR_TLS_ZERORETURN (_MIN_TOR_TLS_ERROR_VAL - 1)
156 /** Log all pending tls errors at level <b>severity</b>. Use
157 * <b>doing</b> to describe our current activities.
158 */
159 static void
161 {
174 }
175 }
176 }
178 /** Convert an errno (or a WSAerrno on windows) into a TOR_TLS_* error
179 * code. */
180 static int
182 {
183 #if defined(MS_WINDOWS) && !defined(USE_BSOCKETS)
196 }
197 #else
210 }
211 #endif
212 }
214 /** Given a TOR_TLS_* error code, return a string equivalent. */
217 {
231 }
232 }
234 #define CATCH_SYSCALL 1
235 #define CATCH_ZERO 2
237 /** Given a TLS object and the result of an SSL_* call, use
238 * SSL_get_error to determine whether an error has occurred, and if so
239 * which one. Return one of TOR_TLS_{DONE|WANTREAD|WANTWRITE|ERROR}.
240 * If extra&CATCH_SYSCALL is true, return _TOR_TLS_SYSCALL instead of
241 * reporting syscall errors. If extra&CATCH_ZERO is true, return
242 * _TOR_TLS_ZERORETURN instead of reporting zero-return errors.
243 *
244 * If an error has occurred, log it at level <b>severity</b> and describe the
245 * current action as <b>doing</b>.
246 */
247 static int
250 {
272 }
280 /* XXXX020 Actually, a 'zero return' error has a pretty specific meaning:
281 * the connection has been closed cleanly. */
286 }
287 }
289 /** Initialize OpenSSL, unless it has already been initialized.
290 */
291 static void
293 {
299 }
300 }
302 /** Free all global TLS structures. */
303 void
305 {
309 }
310 }
312 /** We need to give OpenSSL a callback to verify certificates. This is
313 * it: We always accept peer certs and complete the handshake. We
314 * don't validate them until later.
315 */
316 static int
319 {
323 }
325 /** Return a newly allocated X509 name with commonName <b>cname</b>. */
328 {
338 error:
341 }
343 /** Generate and sign an X509 certificate with the public key <b>rsa</b>,
344 * signed by the private key <b>rsa_sign</b>. The commonName of the
345 * certificate will be <b>cname</b>; the commonName of the issuer will be
346 * <b>cname_sign</b>. The cert will be valid for <b>cert_lifetime</b> seconds
347 * starting from now. Return a certificate on success, NULL on
348 * failure.
349 */
356 {
401 error:
405 }
406 done:
417 }
419 #define SERVER_CIPHER_LIST \
422 SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA)
423 /* Note: for setting up your own private testing network with link crypto
424 * disabled, set the cipher lists to your cipher list to
425 * SSL3_TXT_RSA_NULL_SHA. If you do this, you won't be able to communicate
426 * with any of the "real" Tors, though. */
428 #if OPENSSL_VERSION_NUMBER >= 0x00908000l
429 #define CLIENT_CIPHER_LIST \
457 SSL3_TXT_RSA_DES_192_CBC3_SHA)
458 /* SSL3_TXT_RSA_FIPS_WITH_3DES_EDE_CBC_SHA is commented out because it doesn't
459 * really exist; if I understand correctly, it's a bit of silliness that
460 * netscape did on its own before any standard for what they wanted was
461 * formally approved. Nonetheless, Firefox still uses it, so we need to
462 * fake it at some point soon. XXXX020 -NM */
463 #else
464 /* Ug. We don't have as many ciphers with openssl 0.9.7 as we'd like. Fix
465 * this list into something that sucks less. */
466 #define CLIENT_CIPHER_LIST \
470 SSL3_TXT_RSA_RC4_128_SHA)
471 #endif
473 #ifndef V2_HANDSHAKE_CLIENT
474 #undef CLIENT_CIPHER_LIST
476 SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA)
477 #endif
479 /** Remove a reference to <b>ctx</b>, and free it if it has no more
480 * references. */
481 static void
483 {
491 }
492 }
494 /** Increase the reference count of <b>ctx</b>. */
495 static void
497 {
499 }
501 /** Create a new TLS context for use with Tor TLS handshakes.
502 * <b>identity</b> should be set to the identity key used to sign the
503 * certificate, and <b>nickname</b> set to the nickname to use.
504 *
505 * You can call this function multiple times. Each time you call it,
506 * it generates new certificates; all new connections will use
507 * the new SSL context.
508 */
509 int
511 {
523 /* Generate short-term RSA key. */
528 /* Create certificate signed by identity key. */
530 key_lifetime);
531 /* Create self-signed certificate for identity key. */
533 IDENTITY_CERT_LIFETIME);
537 }
545 #ifdef EVERYONE_HAS_AES
546 /* Tell OpenSSL to only use TLS1 */
549 #else
550 /* Tell OpenSSL to use SSL3 or TLS1 but not SSL2. */
554 #endif
566 }
581 always_accept_verify_cb);
582 /* let us realloc bufs that we're writing from */
584 /* Free the old context if one exists. */
586 /* This is safe even if there are open connections: OpenSSL does
587 * reference counting with SSL and SSL_CTX objects. */
589 }
597 error:
614 }
616 #ifdef V2_HANDSHAKE_SERVER
617 /** Return true iff the cipher list suggested by the client for <b>ssl</b> is
618 * a list that indicates that the client know how to do the v2 TLS connection
619 * handshake. */
620 static int
622 {
625 /* If we reached this point, we just got a client hello. See if there is
626 * a cipher list. */
630 }
634 }
635 /* Now we need to see if there are any ciphers whose presence means we're
636 * dealing with an updated Tor. */
644 /* XXXX should be ld_debug */
646 // return 1;
648 }
649 }
651 dump_list:
652 {
659 }
664 }
666 }
668 /** Invoked when we're accepting a connection on <b>ssl</b>, and the connection
669 * changes state. We use this:
670 * <ul><li>To alter the state of the handshake partway through, so we
671 * do not send or request extra certificates in v2 handshakes.</li>
672 * <li>To detect renegotiation</li></ul>
673 */
674 static void
676 {
686 /* Check whether we're watching for renegotiates. If so, this is one! */
691 }
693 /* Now check the cipher list. */
695 /*XXXX_TLS keep this from happening more than once! */
697 /* Yes, we're casting away the const from ssl. This is very naughty of us.
698 * Let's hope openssl doesn't notice! */
700 /* Set SSL_MODE_NO_AUTO_CHAIN to keep from sending back any extra certs. */
702 /* Don't send a hello request. */
709 }
710 }
711 }
712 #endif
714 /** Create a new TLS object from a file descriptor, and a flag to
715 * determine whether it is functioning as a server.
716 */
717 tor_tls_t *
719 {
728 }
734 }
736 #ifdef USE_BSOCKETS
738 #else
740 #endif
746 }
754 #ifdef V2_HANDSHAKE_SERVER
757 }
758 #endif
759 /* Not expected to get called. */
762 }
764 /** Set <b>cb</b> to be called with argument <b>arg</b> whenever <b>tls</b>
765 * next gets a client-side renegotiate in the middle of a read. Do not
766 * invoke this function untile <em>after</em> initial handshaking is done!
767 */
768 void
772 {
776 #ifdef V2_HANDSHAKE_SERVER
781 }
782 #endif
783 }
785 /** Return whether this tls initiated the connect (client) or
786 * received it (server). */
787 int
789 {
792 }
794 /** Release resources associated with a TLS object. Does not close the
795 * underlying file descriptor.
796 */
797 void
799 {
805 }
812 }
814 /** Underlying function for TLS reading. Reads up to <b>len</b>
815 * characters from <b>tls</b> into <b>cp</b>. On success, returns the
816 * number of characters read. On failure, returns TOR_TLS_ERROR,
817 * TOR_TLS_CLOSE, TOR_TLS_WANTREAD, or TOR_TLS_WANTWRITE.
818 */
819 int
821 {
828 #ifdef V2_HANDSHAKE_SERVER
830 /* Renegotiation happened! */
835 }
836 #endif
838 }
848 }
849 }
851 /** Underlying function for TLS writing. Write up to <b>n</b>
852 * characters from <b>cp</b> onto <b>tls</b>. On success, returns the
853 * number of characters written. On failure, returns TOR_TLS_ERROR,
854 * TOR_TLS_WANTREAD, or TOR_TLS_WANTWRITE.
855 */
856 int
858 {
866 /* if WANTWRITE last time, we must use the _same_ n as before */
872 }
877 }
880 }
882 }
884 /** Perform initial handshake on <b>tls</b>. When finished, returns
885 * TOR_TLS_DONE. On failure, returns TOR_TLS_ERROR, TOR_TLS_WANTREAD,
886 * or TOR_TLS_WANTWRITE.
887 */
888 int
890 {
900 }
906 }
912 /* There doesn't seem to be a clear OpenSSL API to clear mode flags. */
914 #ifdef V2_HANDSHAKE_SERVER
916 /* This check is redundant, but back when we did it in the callback,
917 * we might have not been able to look up the tor_tls_t if the code
918 * was buggy. Fixing that. */
922 }
926 }
927 #endif
929 #ifdef V2_HANDSHAKE_CLIENT
930 /* If we got no ID cert, we're a v2 handshake. */
939 }
942 #endif
944 }
945 }
947 }
949 /** Client only: Renegotiate a TLS session. When finished, returns
950 * TOR_TLS_DONE. On failure, returns TOR_TLS_ERROR, TOR_TLS_WANTREAD, or
951 * TOR_TLS_WANTWRITE.
952 */
953 int
955 {
958 /* We could do server-initiated renegotiation too, but that would be tricky.
959 * Instead of "SSL_renegotiate, then SSL_do_handshake until done" */
966 }
968 }
976 }
978 /** Shut down an open tls connection <b>tls</b>. When finished, returns
979 * TOR_TLS_DONE. On failure, returns TOR_TLS_ERROR, TOR_TLS_WANTREAD,
980 * or TOR_TLS_WANTWRITE.
981 */
982 int
984 {
992 /* If we've already called shutdown once to send a close message,
993 * we read until the other side has closed too.
994 */
999 LOG_INFO);
1002 /* fall through... */
1005 }
1006 }
1010 /* If shutdown returns 1, the connection is entirely closed. */
1013 }
1015 LOG_INFO);
1017 /* The underlying TCP connection closed while we were shutting down. */
1021 /* The TLS connection says that it sent a shutdown record, but
1022 * isn't done shutting down yet. Make sure that this hasn't
1023 * happened before, then go back to the start of the function
1024 * and try to read.
1025 */
1031 }
1033 /* fall through ... */
1036 }
1038 }
1040 /** Return true iff this TLS connection is authenticated.
1041 */
1042 int
1044 {
1052 }
1054 /** Warn that a certificate lifetime extends through a certain range. */
1055 static void
1057 {
1068 problem);
1072 }
1076 }
1084 }
1094 end:
1095 /* Not expected to get invoked */
1103 }
1105 /** DOCDOC helper.
1106 * cert_out needs to be freed. id_cert_out doesn't. */
1107 static void
1110 {
1122 /* 1 means we're receiving (server-side), and it's just the id_cert.
1123 * 2 means we're connecting (client-side), and it's both the link
1124 * cert and the id_cert.
1125 */
1129 num_in_chain);
1131 }
1136 }
1138 }
1140 /** If the provided tls connection is authenticated and has a
1141 * certificate that is currently valid and signed, then set
1142 * *<b>identity_key</b> to the identity certificate's key and return
1143 * 0. Else, return -1 and log complaints with log-level <b>severity</b>.
1144 */
1145 int
1147 {
1161 }
1167 }
1176 done:
1182 /* This should never get invoked, but let's make sure in case OpenSSL
1183 * acts unexpectedly. */
1187 }
1189 /** Check whether the certificate set on the connection <b>tls</b> is
1190 * expired or not-yet-valid, give or take <b>tolerance</b>
1191 * seconds. Return 0 for valid, -1 for failure.
1192 *
1193 * NOTE: you should call tor_tls_verify before tor_tls_check_lifetime.
1194 */
1195 int
1197 {
1211 }
1216 }
1219 done:
1222 /* Not expected to get invoked */
1226 }
1228 /** Return the number of bytes available for reading from <b>tls</b>.
1229 */
1230 int
1232 {
1235 }
1237 /** If <b>tls</b> requires that the next write be of a particular size,
1238 * return that size. Otherwise, return 0. */
1239 size_t
1241 {
1243 }
1245 /** Sets n_read and n_written to the number of bytes read and written,
1246 * respectivey, on the raw socket used by <b>tls</b> since the last time this
1247 * function was called on <b>tls</b>. */
1248 void
1250 {
1255 /* We are ok with letting these unsigned ints go "negative" here:
1256 * If we wrapped around, this should still give us the right answer, unless
1257 * we wrapped around by more than ULONG_MAX since the last time we called
1258 * this function.
1259 */
1265 }
1267 /** Implement check_no_tls_errors: If there are any pending OpenSSL
1268 * errors, log an error message. */
1269 void
1271 {
1277 }
1279 /**DOCDOC */
1280 int
1282 {
1284 #ifdef V2_HANDSHAKE_SERVER
1286 #endif
1288 #ifdef V2_HANDSHAKE_CLIENT
1290 #endif
1291 }
1293 }