| blob | 653bd66de5d5918514234ea09378ebd3b8367a0c |
1 /* Copyright (c) 2003, Roger Dingledine.
2 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
3 * Copyright (c) 2007-2017, The Tor Project, Inc. */
4 /* See LICENSE for licensing information */
6 /**
7 * \file tortls.c
8 * \brief Wrapper functions to present a consistent interface to
9 * TLS, SSL, and X.509 functions from OpenSSL.
10 **/
12 /* (Unlike other tor functions, these
13 * are prefixed with tor_ in order to avoid conflicting with OpenSSL
14 * functions and variables.)
15 */
19 #define TORTLS_PRIVATE
20 #define TORTLS_OPENSSL_PRIVATE
22 #include <assert.h>
24 #include <winsock2.h>
25 #include <ws2tcpip.h>
26 #endif
33 /* Some versions of OpenSSL declare SSL_get_selected_srtp_profile twice in
34 * srtp.h. Suppress the GCC warning so we can build with -Wredundant-decl. */
37 #include <openssl/opensslv.h>
39 #ifdef OPENSSL_NO_EC
41 #endif
43 #include <openssl/ssl.h>
44 #include <openssl/ssl3.h>
45 #include <openssl/err.h>
46 #include <openssl/tls1.h>
47 #include <openssl/asn1.h>
48 #include <openssl/bio.h>
49 #include <openssl/bn.h>
50 #include <openssl/rsa.h>
54 #define TORTLS_PRIVATE
59 #include <string.h>
61 #ifdef OPENSSL_1_1_API
62 #define X509_get_notBefore_const(cert) \
63 X509_get0_notBefore(cert)
64 #define X509_get_notAfter_const(cert) \
65 X509_get0_notAfter(cert)
66 #ifndef X509_get_notBefore
67 #define X509_get_notBefore(cert) \
68 X509_getm_notBefore(cert)
69 #endif
70 #ifndef X509_get_notAfter
71 #define X509_get_notAfter(cert) \
72 X509_getm_notAfter(cert)
73 #endif
75 #define X509_get_notBefore_const(cert) \
76 ((const ASN1_TIME*) X509_get_notBefore((X509 *)cert))
77 #define X509_get_notAfter_const(cert) \
78 ((const ASN1_TIME*) X509_get_notAfter((X509 *)cert))
79 #endif
81 /* Copied from or.h */
82 #define LEGAL_NICKNAME_CHARACTERS \
83 "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
85 /** How long do identity certificates live? (sec) */
86 #define IDENTITY_CERT_LIFETIME (365*24*60*60)
91 /* This is a version of OpenSSL before 1.0.0f. It does not have
92 * the CVE-2011-4576 fix, and as such it can't use RELEASE_BUFFERS and
93 * SSL3 safely at the same time.
94 */
95 #define DISABLE_SSL3_HANDSHAKE
98 /* We redefine these so that we can run correctly even if the vendor gives us
99 * a version of OpenSSL that does not match its header files. (Apple: I am
100 * looking at you.)
101 */
102 #ifndef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
103 #define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0x00040000L
104 #endif
105 #ifndef SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
106 #define SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0x0010
107 #endif
109 /** Return values for tor_tls_classify_client_ciphers.
110 *
111 * @{
112 */
113 /** An error occurred when examining the client ciphers */
114 #define CIPHERS_ERR -1
115 /** The client cipher list indicates that a v1 handshake was in use. */
116 #define CIPHERS_V1 1
117 /** The client cipher list indicates that the client is using the v2 or the
118 * v3 handshake, but that it is (probably!) lying about what ciphers it
119 * supports */
120 #define CIPHERS_V2 2
121 /** The client cipher list indicates that the client is using the v2 or the
122 * v3 handshake, and that it is telling the truth about what ciphers it
123 * supports */
124 #define CIPHERS_UNRESTRICTED 3
125 /** @} */
127 /** The ex_data index in which we store a pointer to an SSL object's
128 * corresponding tor_tls_t object. */
131 /** Helper: Allocate tor_tls_object_ex_data_index. */
132 STATIC void
134 {
136 tor_tls_object_ex_data_index =
139 }
140 }
142 /** Helper: given a SSL* pointer, return the tor_tls_t object using that
143 * pointer. */
144 STATIC tor_tls_t *
146 {
151 }
160 /** Global TLS contexts. We keep them here because nobody else needs
161 * to touch them.
162 *
163 * @{ */
166 /**@}*/
168 /** True iff tor_tls_init() has been called. */
171 /* Module-internal error codes. */
172 #define TOR_TLS_SYSCALL_ (MIN_TOR_TLS_ERROR_VAL_ - 2)
173 #define TOR_TLS_ZERORETURN_ (MIN_TOR_TLS_ERROR_VAL_ - 1)
175 /** Write a description of the current state of <b>tls</b> into the
176 * <b>sz</b>-byte buffer at <b>buf</b>. */
177 void
179 {
186 }
197 #undef CASE
204 }
207 }
209 /** Log a single error <b>err</b> as returned by ERR_get_error(), which was
210 * received while performing an operation <b>doing</b> on <b>tls</b>. Log
211 * the message at <b>severity</b>, in log domain <b>domain</b>. */
212 void
215 {
223 /* Some errors are known-benign, meaning they are the fault of the other
224 * side of the connection. The caller doesn't know this, so override the
225 * priority for those cases. */
230 #ifndef OPENSSL_1_1_API
232 #endif
239 }
255 }
256 }
258 /** Log all pending tls errors at level <b>severity</b> in log domain
259 * <b>domain</b>. Use <b>doing</b> to describe our current activities.
260 */
261 STATIC void
263 {
268 }
269 }
271 /** Convert an errno (or a WSAerrno on windows) into a TOR_TLS_* error
272 * code. */
273 STATIC int
275 {
288 }
289 }
291 /** Given a TOR_TLS_* error code, return a string equivalent. */
294 {
308 }
309 }
311 #define CATCH_SYSCALL 1
312 #define CATCH_ZERO 2
314 /** Given a TLS object and the result of an SSL_* call, use
315 * SSL_get_error to determine whether an error has occurred, and if so
316 * which one. Return one of TOR_TLS_{DONE|WANTREAD|WANTWRITE|ERROR}.
317 * If extra&CATCH_SYSCALL is true, return TOR_TLS_SYSCALL_ instead of
318 * reporting syscall errors. If extra&CATCH_ZERO is true, return
319 * TOR_TLS_ZERORETURN_ instead of reporting zero-return errors.
320 *
321 * If an error has occurred, log it at level <b>severity</b> and describe the
322 * current action as <b>doing</b>.
323 */
324 STATIC int
327 {
351 }
364 }
365 }
367 /** Initialize OpenSSL, unless it has already been initialized.
368 */
369 static void
371 {
375 #ifdef OPENSSL_1_1_API
377 #else
380 #endif
382 #if (SIZEOF_VOID_P >= 8 && \
383 OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,0,1))
386 /* LCOV_EXCL_START : we can't test these lines on the same machine */
388 /* Warn if we could *almost* be running with much faster ECDH.
389 If we're built for a 64-bit target, using OpenSSL 1.0.1, but we
390 don't have one of the built-in __uint128-based speedups, we are
391 just one build operation away from an accelerated handshake.
393 (We could be looking at OPENSSL_NO_EC_NISTP_64_GCC_128 instead of
394 doing this test, but that gives compile-time options, not runtime
395 behavior.)
396 */
407 "OpenSSL 1.0.1 or later, but with a version of OpenSSL "
408 "that apparently lacks accelerated support for the NIST "
409 "P-224 and P-256 groups. Building openssl with such "
410 "support (using the enable-ec_nistp_64_gcc_128 option "
412 }
413 /* LCOV_EXCL_STOP */
419 }
420 }
422 /** Free all global TLS structures. */
423 void
425 {
432 }
437 }
438 }
440 /** We need to give OpenSSL a callback to verify certificates. This is
441 * it: We always accept peer certs and complete the handshake. We
442 * don't validate them until later.
443 */
444 STATIC int
447 {
451 }
453 /** Return a newly allocated X509 name with commonName <b>cname</b>. */
456 {
459 /* LCOV_EXCL_BR_START : these branches will only fail on OOM errors */
466 /* LCOV_EXCL_BR_STOP */
469 /* LCOV_EXCL_START : these lines will only execute on out of memory errors*/
470 error:
473 /* LCOV_EXCL_STOP */
474 }
476 /** Generate and sign an X509 certificate with the public key <b>rsa</b>,
477 * signed by the private key <b>rsa_sign</b>. The commonName of the
478 * certificate will be <b>cname</b>; the commonName of the issuer will be
479 * <b>cname_sign</b>. The cert will be valid for <b>cert_lifetime</b>
480 * seconds, starting from some time in the past.
481 *
482 * Return a certificate on success, NULL on failure.
483 */
490 {
491 /* OpenSSL generates self-signed certificates with random 64-bit serial
492 * numbers, so let's do that too. */
493 #define SERIAL_NUMBER_SIZE 8
504 /* Make sure we're part-way through the certificate lifetime, rather
505 * than having it start right now. Don't choose quite uniformly, since
506 * then we might pick a time where we're about to expire. Lastly, be
507 * sure to start on a day boundary. */
509 /* Our certificate lifetime will be cert_lifetime no matter what, but if we
510 * start cert_lifetime in the past, we'll have 0 real lifetime. instead we
511 * start up to (cert_lifetime - min_real_lifetime - start_granularity) in
512 * the past. */
516 /* Don't actually start in the future! */
522 }
524 /* Round the start time back to the start of a day. */
548 }
570 error:
574 }
575 done:
589 #undef SERIAL_NUMBER_SIZE
590 }
592 /** List of ciphers that servers should select from when the client might be
593 * claiming extra unsupported ciphers in order to avoid fingerprinting. */
595 #ifdef TLS1_3_TXT_AES_128_GCM_SHA256
596 /* This one can never actually get selected, since if the client lists it,
597 * we will assume that the client is honest, and not use this list.
598 * Nonetheless we list it if it's available, so that the server doesn't
599 * conclude that it has no valid ciphers if it's running with TLS1.3.
600 */
601 TLS1_3_TXT_AES_128_GCM_SHA256 ":"
602 #endif
603 TLS1_TXT_DHE_RSA_WITH_AES_256_SHA ":"
604 TLS1_TXT_DHE_RSA_WITH_AES_128_SHA;
606 /** List of ciphers that servers should select from when we actually have
607 * our choice of what cipher to use. */
609 /* Here are the TLS 1.3 ciphers we like, in the order we prefer. */
610 #ifdef TLS1_3_TXT_AES_256_GCM_SHA384
611 TLS1_3_TXT_AES_256_GCM_SHA384 ":"
612 #endif
613 #ifdef TLS1_3_TXT_CHACHA20_POLY1305_SHA256
614 TLS1_3_TXT_CHACHA20_POLY1305_SHA256 ":"
615 #endif
616 #ifdef TLS1_3_TXT_AES_128_GCM_SHA256
617 TLS1_3_TXT_AES_128_GCM_SHA256 ":"
618 #endif
619 #ifdef TLS1_3_TXT_AES_128_CCM_SHA256
620 TLS1_3_TXT_AES_128_CCM_SHA256 ":"
621 #endif
623 /* This list is autogenerated with the gen_server_ciphers.py script;
624 * don't hand-edit it. */
625 #ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384
626 TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ":"
627 #endif
628 #ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256
629 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
630 #endif
631 #ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384
632 TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384 ":"
633 #endif
634 #ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256
635 TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256 ":"
636 #endif
637 #ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA
638 TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA ":"
639 #endif
640 #ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA
641 TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA ":"
642 #endif
643 #ifdef TLS1_TXT_DHE_RSA_WITH_AES_256_GCM_SHA384
644 TLS1_TXT_DHE_RSA_WITH_AES_256_GCM_SHA384 ":"
645 #endif
646 #ifdef TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256
647 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256 ":"
648 #endif
649 #ifdef TLS1_TXT_DHE_RSA_WITH_AES_256_CCM
650 TLS1_TXT_DHE_RSA_WITH_AES_256_CCM ":"
651 #endif
652 #ifdef TLS1_TXT_DHE_RSA_WITH_AES_128_CCM
653 TLS1_TXT_DHE_RSA_WITH_AES_128_CCM ":"
654 #endif
655 #ifdef TLS1_TXT_DHE_RSA_WITH_AES_256_SHA256
656 TLS1_TXT_DHE_RSA_WITH_AES_256_SHA256 ":"
657 #endif
658 #ifdef TLS1_TXT_DHE_RSA_WITH_AES_128_SHA256
659 TLS1_TXT_DHE_RSA_WITH_AES_128_SHA256 ":"
660 #endif
661 /* Required */
662 TLS1_TXT_DHE_RSA_WITH_AES_256_SHA ":"
663 /* Required */
664 TLS1_TXT_DHE_RSA_WITH_AES_128_SHA ":"
665 #ifdef TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305
666 TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305 ":"
667 #endif
668 #ifdef TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305
669 TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305
670 #endif
671 ;
673 /* Note: to set up your own private testing network with link crypto
674 * disabled, set your Tors' cipher list to
675 * (SSL3_TXT_RSA_NULL_SHA). If you do this, you won't be able to communicate
676 * with any of the "real" Tors, though. */
679 #define XCIPHER(id, name)
680 /** List of ciphers that clients should advertise, omitting items that
681 * our OpenSSL doesn't know about. */
684 /* Tell it not to use SSLv2 ciphers, so that it can select an SSLv3 version
685 * of any cipher we say. */
686 "!SSLv2"
687 ;
688 #undef CIPHER
689 #undef XCIPHER
691 /** Free all storage held in <b>cert</b> */
692 void
694 {
701 /* LCOV_EXCL_BR_START since cert will never be NULL here */
703 /* LCOV_EXCL_BR_STOP */
704 }
706 /**
707 * Allocate a new tor_x509_cert_t to hold the certificate "x509_cert".
708 *
709 * Steals a reference to x509_cert.
710 */
713 {
727 }
745 }
750 }
753 err:
754 /* LCOV_EXCL_START for the same reason as the exclusion above */
759 /* LCOV_EXCL_STOP */
760 }
762 /** Return a new copy of <b>cert</b>. */
763 tor_x509_cert_t *
765 {
769 }
771 /** Read a DER-encoded X509 cert, of length exactly <b>certificate_len</b>,
772 * from a <b>certificate</b>. Return a newly allocated tor_x509_cert_t on
773 * success and NULL on failure. */
774 tor_x509_cert_t *
776 {
793 }
797 }
800 /* Cert wasn't in DER */
803 }
805 err:
808 }
810 /** Set *<b>encoded_out</b> and *<b>size_out</b> to <b>cert</b>'s encoded DER
811 * representation and length, respectively. */
812 void
815 {
821 }
823 /** Return a set of digests for the public key in <b>cert</b>, or NULL if this
824 * cert's public key is not one we know how to take the digest of. */
827 {
830 else
832 }
834 /** Return a set of digests for the public key in <b>cert</b>. */
837 {
839 }
841 /** Remove a reference to <b>ctx</b>, and free it if it has no more
842 * references. */
843 static void
845 {
854 /* LCOV_EXCL_BR_START since ctx will never be NULL here */
856 /* LCOV_EXCL_BR_STOP */
857 }
858 }
860 /** Set *<b>link_cert_out</b> and *<b>id_cert_out</b> to the link certificate
861 * and ID certificate that we're currently using for our V3 in-protocol
862 * handshake's certificate chain. If <b>server</b> is true, provide the certs
863 * that we use in server mode (auth, ID); otherwise, provide the certs that we
864 * use in client mode. (link, ID) */
865 int
869 {
878 }
880 /**
881 * Return the authentication key that we use to authenticate ourselves as a
882 * client in the V3 in-protocol handshake.
883 */
884 crypto_pk_t *
886 {
890 }
892 /**
893 * Return a newly allocated copy of the public key that a certificate
894 * certifies. Watch out! This returns NULL if the cert's key is not RSA.
895 */
896 crypto_pk_t *
898 {
908 }
912 }
914 /** Return true iff the other side of <b>tls</b> has authenticated to us, and
915 * the key certified in <b>cert</b> is the same as the key they used to do it.
916 */
919 {
940 }
942 /** Check whether <b>cert</b> is well-formed, currently live, and correctly
943 * signed by the public key in <b>signing_cert</b>. If <b>check_rsa_1024</b>,
944 * make sure that it has an RSA key with 1024 bits; otherwise, just check that
945 * the key is long enough. Return 1 if the cert is good, and 0 if it's bad or
946 * we couldn't check it. */
947 int
953 {
969 /* okay, the signature checked out right. Now let's check the check the
970 * lifetime. */
978 #ifdef OPENSSL_1_1_API
980 #else
982 #endif
988 #ifdef EVP_PKEY_EC
991 #endif
994 }
999 /* XXXX compare DNs or anything? */
1002 bad:
1005 }
1007 /** Increase the reference count of <b>ctx</b>. */
1008 static void
1010 {
1012 }
1014 /** Create new global client and server TLS contexts.
1015 *
1016 * If <b>server_identity</b> is NULL, this will not generate a server
1017 * TLS context. If TOR_TLS_CTX_IS_PUBLIC_SERVER is set in <b>flags</b>, use
1018 * the same TLS context for incoming and outgoing connections, and
1019 * ignore <b>client_identity</b>. If one of TOR_TLS_CTX_USE_ECDHE_P{224,256}
1020 * is set in <b>flags</b>, use that ECDHE group if possible; otherwise use
1021 * the default ECDHE group. */
1022 int
1027 {
1040 server_identity,
1051 }
1052 }
1056 server_identity,
1057 key_lifetime,
1058 flags,
1066 }
1067 }
1070 client_identity,
1071 key_lifetime,
1072 flags,
1074 }
1078 }
1080 /** Create a new global TLS context.
1081 *
1082 * You can call this function multiple times. Each time you call it,
1083 * it generates new certificates; all new connections will use
1084 * the new SSL context.
1085 */
1086 STATIC int
1092 {
1094 key_lifetime,
1095 flags,
1096 is_client);
1102 /* Free the old context if one existed. */
1104 /* This is safe even if there are open connections: we reference-
1105 * count tor_tls_context_t objects. */
1107 }
1108 }
1111 }
1113 /** The group we should use for ecdhe when none was selected. */
1114 #define NID_tor_default_ecdhe_group NID_X9_62_prime256v1
1116 #define RSA_LINK_KEY_BITS 2048
1118 /** Create a new TLS context for use with Tor TLS handshakes.
1119 * <b>identity</b> should be set to the identity key used to sign the
1120 * certificate.
1121 */
1122 STATIC tor_tls_context_t *
1125 {
1134 #ifdef DISABLE_V3_LINKPROTO_SERVERSIDE
1136 #else
1138 #endif
1140 /* Generate short-term RSA key for use with TLS. */
1146 /* Generate short-term RSA key for use in the in-protocol ("v3")
1147 * authentication handshake. */
1152 /* Create a link certificate signed by identity key. */
1154 key_lifetime);
1155 /* Create self-signed certificate for identity key. */
1157 IDENTITY_CERT_LIFETIME);
1158 /* Create an authentication certificate signed by identity key. */
1160 key_lifetime);
1164 }
1165 }
1177 }
1179 #if 0
1180 /* Tell OpenSSL to only use TLS1. This may have subtly different results
1181 * from SSLv23_method() with SSLv2 and SSLv3 disabled, so we need to do some
1182 * investigation before we consider adjusting it. It should be compatible
1183 * with existing Tors. */
1188 /* Tell OpenSSL to use TLS 1.0 or later but not SSL2 or SSL3. */
1189 #ifdef HAVE_TLS_METHOD
1192 #else
1197 #ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL
1198 /* Level 1 re-enables RSA1024 and DH1024 for compatibility with old tors */
1200 #endif
1205 /* Prefer the server's ordering of ciphers: the client's ordering has
1206 * historically been chosen for fingerprinting resistance. */
1209 /* Disable TLS tickets if they're supported. We never want to use them;
1210 * using them can make our perfect forward secrecy a little worse, *and*
1211 * create an opportunity to fingerprint us (since it's unusual to use them
1212 * with TLS sessions turned off).
1213 *
1214 * In 0.2.4, clients advertise support for them though, to avoid a TLS
1215 * distinguishability vector. This can give us worse PFS, though, if we
1216 * get a server that doesn't set SSL_OP_NO_TICKET. With luck, there will
1217 * be few such servers by the time 0.2.4 is more stable.
1218 */
1219 #ifdef SSL_OP_NO_TICKET
1222 }
1223 #endif
1228 #ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
1230 SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
1231 #endif
1232 /* Yes, we know what we are doing here. No, we do not treat a renegotiation
1233 * as authenticating any earlier-received data.
1234 */
1235 {
1237 SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
1238 }
1240 /* Don't actually allow compression; it uses RAM and time, it makes TLS
1241 * vulnerable to CRIME-style attacks, and most of the data we transmit over
1242 * TLS is encrypted (and therefore uncompressible) anyway. */
1243 #ifdef SSL_OP_NO_COMPRESSION
1245 #endif
1246 #if OPENSSL_VERSION_NUMBER < OPENSSL_V_SERIES(1,1,0)
1247 #ifndef OPENSSL_NO_COMP
1250 #endif
1253 #ifdef SSL_MODE_RELEASE_BUFFERS
1255 #endif
1267 }
1268 }
1280 }
1281 {
1286 }
1287 /* We check for this function in two ways, since it might be either a symbol
1288 * or a macro. */
1289 #if defined(SSL_CTX_set1_groups_list) || defined(HAVE_SSL_CTX_SET1_GROUPS_LIST)
1290 {
1296 else
1301 }
1302 #else
1310 else
1312 /* Use P-256 for ECDHE. */
1317 }
1318 #endif
1320 always_accept_verify_cb);
1321 /* let us realloc bufs that we're writing from */
1333 error:
1352 }
1354 /** Invoked when a TLS state changes: log the change at severity 'debug' */
1355 STATIC void
1357 {
1358 /* LCOV_EXCL_START since this depends on whether debug is captured or not */
1361 /* LCOV_EXCL_STOP */
1362 }
1364 /* Return the name of the negotiated ciphersuite in use on <b>tls</b> */
1367 {
1369 }
1371 /* Here's the old V2 cipher list we sent from 0.2.1.1-alpha up to
1372 * 0.2.3.17-beta. If a client is using this list, we can't believe the ciphers
1373 * that it claims to support. We'll prune this list to remove the ciphers
1374 * *we* don't recognize. */
1404 0
1405 };
1406 /** Have we removed the unrecognized ciphers from v2_cipher_list yet? */
1409 /** Return 0 if <b>m</b> does not support the cipher with ID <b>cipher</b>;
1410 * return 1 if it does support it, or if we have no way to tell. */
1411 STATIC int
1413 {
1415 #ifdef HAVE_SSL_CIPHER_FIND
1417 {
1422 * with a two-byte 'cipherid', it may look for a v2
1423 * cipher with the appropriate 3 bytes. */
1428 }
1431 # if defined(HAVE_STRUCT_SSL_METHOD_ST_GET_CIPHER_BY_CHAR)
1436 * with a two-byte 'cipherid', it may look for a v2
1437 * cipher with the appropriate 3 bytes. */
1442 }
1444 # ifndef OPENSSL_1_1_API
1446 /* It would seem that some of the "let's-clean-up-openssl" forks have
1447 * removed the get_cipher_by_char function. Okay, so now you get a
1448 * quadratic search.
1449 */
1455 }
1456 }
1458 }
1465 }
1467 /** Remove from v2_cipher_list every cipher that we don't support, so that
1468 * comparing v2_cipher_list to a client's cipher list will give a sensible
1469 * result. */
1470 static void
1472 {
1474 #ifdef HAVE_TLS_METHOD
1476 #else
1478 #endif
1485 inp++;
1486 }
1487 }
1491 }
1493 /** Examine the client cipher list in <b>ssl</b>, and determine what kind of
1494 * client it is. Return one of CIPHERS_ERR, CIPHERS_V1, CIPHERS_V2,
1495 * CIPHERS_UNRESTRICTED.
1496 **/
1497 STATIC int
1500 {
1510 /* If we reached this point, we just got a client hello. See if there is
1511 * a cipher list. */
1516 }
1517 /* Now we need to see if there are any ciphers whose presence means we're
1518 * dealing with an updated Tor. */
1527 // return 1;
1529 }
1530 }
1533 v2_or_higher:
1534 {
1544 }
1546 }
1550 }
1552 }
1554 dump_ciphers:
1555 {
1562 }
1568 }
1569 done:
1574 }
1576 /** Return true iff the cipher list suggested by the client for <b>ssl</b> is
1577 * a list that indicates that the client knows how to do the v2 TLS connection
1578 * handshake. */
1579 STATIC int
1581 {
1583 #ifdef HAVE_SSL_GET_CLIENT_CIPHERS
1585 #else
1590 }
1595 }
1597 /** Invoked when we're accepting a connection on <b>ssl</b>, and the connection
1598 * changes state. We use this:
1599 * <ul><li>To alter the state of the handshake partway through, so we
1600 * do not send or request extra certificates in v2 handshakes.</li>
1601 * <li>To detect renegotiation</li></ul>
1602 */
1603 STATIC void
1605 {
1611 }
1623 /* Check whether we're watching for renegotiates. If so, this is one! */
1631 }
1633 /* Now check the cipher list. */
1637 * This is a renegotiation. */
1639 /* Yes, we're casting away the const from ssl. This is very naughty of us.
1640 * Let's hope openssl doesn't notice! */
1642 /* Set SSL_MODE_NO_AUTO_CHAIN to keep from sending back any extra certs. */
1644 /* Don't send a hello request. */
1650 /* LCOV_EXCL_START this line is not reachable */
1652 /* LCOV_EXCL_STOP */
1653 }
1654 }
1655 }
1657 /** Callback to get invoked on a server after we've read the list of ciphers
1658 * the client supports, but before we pick our own ciphersuite.
1659 *
1660 * We can't abuse an info_cb for this, since by the time one of the
1661 * client_hello info_cbs is called, we've already picked which ciphersuite to
1662 * use.
1663 *
1664 * Technically, this function is an abuse of this callback, since the point of
1665 * a session_secret_cb is to try to set up and/or verify a shared-secret for
1666 * authentication on the fly. But as long as we return 0, we won't actually be
1667 * setting up a shared secret, and all will be fine.
1668 */
1669 STATIC int
1674 {
1682 CIPHERS_UNRESTRICTED) {
1684 }
1689 }
1690 static void
1692 {
1694 }
1696 /** Create a new TLS object from a file descriptor, and a flag to
1697 * determine whether it is functioning as a server.
1698 */
1699 tor_tls_t *
1701 {
1705 client_tls_context;
1714 }
1716 #ifdef SSL_set_tlsext_host_name
1717 /* Browsers use the TLS hostname extension, so we should too. */
1722 }
1728 #ifdef SSL_set_tlsext_host_name
1730 #endif
1734 }
1739 #ifdef SSL_set_tlsext_host_name
1741 #endif
1745 }
1746 {
1752 }
1753 }
1765 }
1770 }
1776 err:
1778 done:
1779 /* Not expected to get called. */
1782 }
1784 /** Make future log messages about <b>tls</b> display the address
1785 * <b>address</b>.
1786 */
1787 void
1789 {
1793 }
1795 /** Set <b>cb</b> to be called with argument <b>arg</b> whenever <b>tls</b>
1796 * next gets a client-side renegotiate in the middle of a read. Do not
1797 * invoke this function until <em>after</em> initial handshaking is done!
1798 */
1799 void
1803 {
1811 }
1812 }
1814 /** If this version of openssl requires it, turn on renegotiation on
1815 * <b>tls</b>.
1816 */
1817 void
1819 {
1820 /* Yes, we know what we are doing here. No, we do not treat a renegotiation
1821 * as authenticating any earlier-received data. */
1823 SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
1824 }
1826 /** If this version of openssl supports it, turn off renegotiation on
1827 * <b>tls</b>. (Our protocol never requires this for security, but it's nice
1828 * to use belt-and-suspenders here.)
1829 */
1830 void
1832 {
1833 #ifdef SUPPORT_UNSAFE_RENEGOTIATION_FLAG
1835 #else
1837 #endif
1838 }
1840 /** Assert that the flags that allow legacy renegotiation are still set */
1841 void
1843 {
1844 #if defined(SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION) && \
1845 SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION != 0
1848 #else
1851 }
1853 /** Return whether this tls initiated the connect (client) or
1854 * received it (server). */
1855 int
1857 {
1860 }
1862 /** Release resources associated with a TLS object. Does not close the
1863 * underlying file descriptor.
1864 */
1865 void
1867 {
1871 {
1874 }
1875 #ifdef SSL_set_tlsext_host_name
1877 #endif
1886 }
1888 /** Underlying function for TLS reading. Reads up to <b>len</b>
1889 * characters from <b>tls</b> into <b>cp</b>. On success, returns the
1890 * number of characters read. On failure, returns TOR_TLS_ERROR,
1891 * TOR_TLS_CLOSE, TOR_TLS_WANTREAD, or TOR_TLS_WANTWRITE.
1892 */
1895 {
1904 /* Renegotiation happened! */
1909 }
1911 }
1921 }
1922 }
1924 /** Total number of bytes that we've used TLS to send. Used to track TLS
1925 * overhead. */
1927 /** Total number of bytes that TLS has put on the network for us. Used to
1928 * track TLS overhead. */
1931 /** Underlying function for TLS writing. Write up to <b>n</b>
1932 * characters from <b>cp</b> onto <b>tls</b>. On success, returns the
1933 * number of characters written. On failure, returns TOR_TLS_ERROR,
1934 * TOR_TLS_WANTREAD, or TOR_TLS_WANTWRITE.
1935 */
1936 int
1938 {
1947 /* if WANTWRITE last time, we must use the _same_ n as before */
1953 }
1959 }
1962 }
1964 }
1966 /** Perform initial handshake on <b>tls</b>. When finished, returns
1967 * TOR_TLS_DONE. On failure, returns TOR_TLS_ERROR, TOR_TLS_WANTREAD,
1968 * or TOR_TLS_WANTWRITE.
1969 */
1970 int
1972 {
1990 }
1997 /* We need to call this here and not earlier, since OpenSSL has a penchant
1998 * for clearing its flags when you say accept or connect. */
2005 }
2009 }
2011 }
2013 /** Perform the final part of the initial TLS handshake on <b>tls</b>. This
2014 * should be called for the first handshake only: it determines whether the v1
2015 * or the v2 handshake was used, and adjusts things for the renegotiation
2016 * handshake as appropriate.
2017 *
2018 * tor_tls_handshake() calls this on its own; you only need to call this if
2019 * bufferevent is doing the handshake for you.
2020 */
2021 int
2023 {
2031 /* This check is redundant, but back when we did it in the callback,
2032 * we might have not been able to look up the tor_tls_t if the code
2033 * was buggy. Fixing that. */
2037 }
2043 }
2045 /* Client-side */
2047 /* XXXX this can move, probably? -NM */
2051 }
2052 }
2055 }
2057 /** Shut down an open tls connection <b>tls</b>. When finished, returns
2058 * TOR_TLS_DONE. On failure, returns TOR_TLS_ERROR, TOR_TLS_WANTREAD,
2059 * or TOR_TLS_WANTWRITE.
2060 */
2061 int
2063 {
2072 /* If we've already called shutdown once to send a close message,
2073 * we read until the other side has closed too.
2074 */
2082 /* fall through... */
2085 }
2086 }
2090 /* If shutdown returns 1, the connection is entirely closed. */
2093 }
2097 /* The underlying TCP connection closed while we were shutting down. */
2101 /* The TLS connection says that it sent a shutdown record, but
2102 * isn't done shutting down yet. Make sure that this hasn't
2103 * happened before, then go back to the start of the function
2104 * and try to read.
2105 */
2111 }
2113 /* fall through ... */
2116 }
2118 }
2120 /** Return true iff this TLS connection is authenticated.
2121 */
2122 int
2124 {
2132 }
2134 /** Return a newly allocated copy of the peer certificate, or NULL if there
2135 * isn't one. */
2138 {
2145 }
2147 /** Return a newly allocated copy of the cerficate we used on the connection,
2148 * or NULL if somehow we didn't use one. */
2151 {
2157 /* Fun inconsistency: SSL_get_peer_certificate increments the reference
2158 * count, but SSL_get_certificate does not. */
2163 }
2165 /** Warn that a certificate lifetime extends through a certain range. */
2166 static void
2169 {
2179 "Certificate %s. Either their clock is set wrong, or your clock "
2181 problem);
2185 }
2189 }
2197 }
2208 "(certificate lifetime runs from %s through %s. "
2211 }
2213 end:
2214 /* Not expected to get invoked */
2220 }
2222 /** Helper function: try to extract a link certificate and an identity
2223 * certificate from <b>tls</b>, and store them in *<b>cert_out</b> and
2224 * *<b>id_cert_out</b> respectively. Log all messages at level
2225 * <b>severity</b>.
2226 *
2227 * Note that a reference is added to cert_out, so it needs to be
2228 * freed. id_cert_out doesn't. */
2232 {
2243 /* 1 means we're receiving (server-side), and it's just the id_cert.
2244 * 2 means we're connecting (client-side), and it's both the link
2245 * cert and the id_cert.
2246 */
2250 num_in_chain);
2252 }
2257 }
2259 }
2261 /** If the provided tls connection is authenticated and has a
2262 * certificate chain that is currently valid and signed, then set
2263 * *<b>identity_key</b> to the identity certificate's key and return
2264 * 0. Else, return -1 and log complaints with log-level <b>severity</b>.
2265 */
2266 int
2268 {
2283 }
2291 }
2300 done:
2306 /* This should never get invoked, but let's make sure in case OpenSSL
2307 * acts unexpectedly. */
2311 }
2313 /** Check whether the certificate set on the connection <b>tls</b> is expired
2314 * give or take <b>past_tolerance</b> seconds, or not-yet-valid give or take
2315 * <b>future_tolerance</b> seconds. Return 0 for valid, -1 for failure.
2316 *
2317 * NOTE: you should call tor_tls_verify before tor_tls_check_lifetime.
2318 */
2319 int
2323 {
2335 done:
2338 /* Not expected to get invoked */
2342 }
2344 /** Helper: check whether <b>cert</b> is expired give or take
2345 * <b>past_tolerance</b> seconds, or not-yet-valid give or take
2346 * <b>future_tolerance</b> seconds. (Relative to the current time
2347 * <b>now</b>.) If it is live, return 0. If it is not live, log a message
2348 * and return -1. */
2349 static int
2353 {
2360 }
2365 }
2368 }
2370 #ifdef TOR_UNIT_TESTS
2371 /* Testing only: return a new x509 cert with the same contents as <b>inp</b>,
2372 but with the expiration time <b>new_expiration_time</b>, signed with
2373 <b>signing_key</b>. */
2374 STATIC tor_x509_cert_t *
2378 {
2385 }
2388 /** Return the number of bytes available for reading from <b>tls</b>.
2389 */
2390 int
2392 {
2395 }
2397 /** If <b>tls</b> requires that the next write be of a particular size,
2398 * return that size. Otherwise, return 0. */
2399 size_t
2401 {
2403 }
2405 /** Sets n_read and n_written to the number of bytes read and written,
2406 * respectively, on the raw socket used by <b>tls</b> since the last time this
2407 * function was called on <b>tls</b>. */
2408 void
2410 {
2414 /* We want the number of bytes actually for real written. Unfortunately,
2415 * sometimes OpenSSL replaces the wbio on tls->ssl with a buffering bio,
2416 * which makes the answer turn out wrong. Let's cope with that. Note
2417 * that this approach will fail if we ever replace tls->ssl's BIOs with
2418 * buffering bios for reasons of our own. As an alternative, we could
2419 * save the original BIO for tls->ssl in the tor_tls_t structure, but
2420 * that would be tempting fate. */
2422 #if OPENSSL_VERSION_NUMBER >= OPENSSL_VER(1,1,0,0,5)
2423 /* BIO structure is opaque as of OpenSSL 1.1.0-pre5-dev. Again, not
2424 * supposed to use this form of the version macro, but the OpenSSL developers
2425 * introduced major API changes in the pre-release stage.
2426 */
2436 /* We are ok with letting these unsigned ints go "negative" here:
2437 * If we wrapped around, this should still give us the right answer, unless
2438 * we wrapped around by more than ULONG_MAX since the last time we called
2439 * this function.
2440 */
2447 }
2451 }
2453 /** Return a ratio of the bytes that TLS has sent to the bytes that we've told
2454 * it to send. Used to track whether our TLS records are getting too tiny. */
2457 {
2463 }
2465 /** Implement check_no_tls_errors: If there are any pending OpenSSL
2466 * errors, log an error message. */
2467 void
2469 {
2475 }
2477 /** Return true iff the initial TLS connection at <b>tls</b> did not use a v2
2478 * TLS handshake. Output is undefined if the handshake isn't finished. */
2479 int
2481 {
2483 }
2485 /** Return the number of server handshakes that we've noticed doing on
2486 * <b>tls</b>. */
2487 int
2489 {
2491 }
2493 /** Return true iff the server TLS connection <b>tls</b> got the renegotiation
2494 * request it was waiting for. */
2495 int
2497 {
2499 }
2501 #ifndef HAVE_SSL_GET_CLIENT_RANDOM
2502 static size_t
2504 {
2511 }
2514 #ifndef HAVE_SSL_GET_SERVER_RANDOM
2515 static size_t
2517 {
2524 }
2527 #ifndef HAVE_SSL_SESSION_GET_MASTER_KEY
2528 STATIC size_t
2530 {
2538 }
2541 /** Set the DIGEST256_LEN buffer at <b>secrets_out</b> to the value used in
2542 * the v3 handshake to prove that the client knows the TLS secrets for the
2543 * connection <b>tls</b>. Return 0 on success, -1 on failure.
2544 */
2547 {
2570 {
2573 }
2575 {
2578 server_random_len);
2580 }
2583 {
2586 }
2591 /*
2592 The value is an HMAC, using the TLS master key as the HMAC key, of
2593 client_random | server_random | TLSSECRET_MAGIC
2594 */
2597 master_key_len,
2604 }
2606 /** Using the RFC5705 key material exporting construction, and the
2607 * provided <b>context</b> (<b>context_len</b> bytes long) and
2608 * <b>label</b> (a NUL-terminated string), compute a 32-byte secret in
2609 * <b>secrets_out</b> that only the parties to this TLS session can
2610 * compute. Return 0 on success and -1 on failure.
2611 */
2617 {
2626 }
2628 /** Examine the amount of memory used and available for buffers in <b>tls</b>.
2629 * Set *<b>rbuf_capacity</b> to the amount of storage allocated for the read
2630 * buffer and *<b>rbuf_bytes</b> to the amount actually used.
2631 * Set *<b>wbuf_capacity</b> to the amount of storage allocated for the write
2632 * buffer and *<b>wbuf_bytes</b> to the amount actually used.
2633 *
2634 * Return 0 on success, -1 on failure.*/
2635 int
2639 {
2640 #if OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,1,0)
2651 else
2655 else
2661 }
2663 /** Check whether the ECC group requested is supported by the current OpenSSL
2664 * library instance. Return 1 if the group is supported, and 0 if not.
2665 */
2666 int
2668 {
2679 else
2687 }