| blob | c78a9ec9530f7ad74e9772a91f4150b6efcd8851 |
1 /* Copyright (c) 2003, Roger Dingledine.
2 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
3 * Copyright (c) 2007-2011, The Tor Project, Inc. */
4 /* See LICENSE for licensing information */
6 /**
7 * \file tortls.c
8 * \brief Wrapper functions to present a consistent interface to
9 * TLS, SSL, and X.509 functions from OpenSSL.
10 **/
12 /* (Unlike other tor functions, these
13 * are prefixed with tor_ in order to avoid conflicting with OpenSSL
14 * functions and variables.)
15 */
19 #include <assert.h>
21 #define WIN32_WINNT 0x400
22 #define _WIN32_WINNT 0x400
23 #define WIN32_LEAN_AND_MEAN
24 #if defined(_MSC_VER) && (_MSC_VER < 1300)
25 #include <winsock.h>
26 #else
27 #include <winsock2.h>
28 #include <ws2tcpip.h>
29 #endif
30 #endif
31 #include <openssl/ssl.h>
32 #include <openssl/ssl3.h>
33 #include <openssl/err.h>
34 #include <openssl/tls1.h>
35 #include <openssl/asn1.h>
36 #include <openssl/bio.h>
37 #include <openssl/opensslv.h>
39 #if OPENSSL_VERSION_NUMBER < 0x00907000l
41 #endif
51 #include <string.h>
53 /* Enable the "v2" TLS handshake.
54 */
55 #define V2_HANDSHAKE_SERVER
56 #define V2_HANDSHAKE_CLIENT
58 /* Copied from or.h */
59 #define LEGAL_NICKNAME_CHARACTERS \
60 "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
62 /** How long do identity certificates live? (sec) */
63 #define IDENTITY_CERT_LIFETIME (365*24*60*60)
67 /* We redefine these so that we can run correctly even if the vendor gives us
68 * a version of OpenSSL that does not match its header files. (Apple: I am
69 * looking at you.)
70 */
71 #ifndef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
72 #define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0x00040000L
73 #endif
74 #ifndef SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
75 #define SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0x0010
76 #endif
78 /** Does the run-time openssl version look like we need
79 * SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION? */
81 /** Does the run-time openssl version look like we need
82 * SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION? */
85 /** Structure holding the TLS state for a single connection. */
94 /** Holds a SSL object and its associated data. Members are only
95 * accessed from within tortls.c.
96 */
107 * completed successfully. */
110 * this connection used the updated version
111 * of the connection protocol (client sends
112 * different cipher list, server sends only
113 * one certificate). */
114 /** True iff we should call negotiated_callback when we're done reading. */
117 * time. */
118 /** Last values retrieved from BIO_number_read()/write(); see
119 * tor_tls_get_n_raw_bytes() for usage.
120 */
123 /** If set, a callback to invoke whenever the client tries to renegotiate
124 * the handshake. */
126 /** Argument to pass to negotiated_callback. */
128 };
130 #ifdef V2_HANDSHAKE_CLIENT
131 /** An array of fake SSL_CIPHER objects that we use in order to trick OpenSSL
132 * in client mode into advertising the ciphers we want. See
133 * rectify_client_ciphers() for details. */
135 /** A stack of SSL_CIPHER objects, some real, some fake.
136 * See rectify_client_ciphers() for details. */
138 #endif
140 /** Helper: compare tor_tls_t objects by its SSL. */
143 {
145 }
147 /** Helper: return a hash value for a tor_tls_t by its SSL. */
150 {
151 #if SIZEOF_INT == SIZEOF_VOID_P
153 #else
155 #endif
156 }
158 /** Map from SSL* pointers to tor_tls_t objects using those pointers.
159 */
163 tor_tls_entries_eq)
167 /** Helper: given a SSL* pointer, return the tor_tls_t object using that
168 * pointer. */
171 {
177 }
193 /** Global TLS contexts. We keep them here because nobody else needs
194 * to touch them. */
197 /** True iff tor_tls_init() has been called. */
200 /* Module-internal error codes. */
201 #define _TOR_TLS_SYSCALL (_MIN_TOR_TLS_ERROR_VAL - 2)
202 #define _TOR_TLS_ZERORETURN (_MIN_TOR_TLS_ERROR_VAL - 1)
204 /** Log all pending tls errors at level <b>severity</b>. Use
205 * <b>doing</b> to describe our current activities.
206 */
207 static void
209 {
228 }
229 }
230 }
232 /** Convert an errno (or a WSAerrno on windows) into a TOR_TLS_* error
233 * code. */
234 static int
236 {
237 #if defined(MS_WINDOWS)
250 }
251 #else
264 }
265 #endif
266 }
268 /** Given a TOR_TLS_* error code, return a string equivalent. */
271 {
285 }
286 }
288 #define CATCH_SYSCALL 1
289 #define CATCH_ZERO 2
291 /** Given a TLS object and the result of an SSL_* call, use
292 * SSL_get_error to determine whether an error has occurred, and if so
293 * which one. Return one of TOR_TLS_{DONE|WANTREAD|WANTWRITE|ERROR}.
294 * If extra&CATCH_SYSCALL is true, return _TOR_TLS_SYSCALL instead of
295 * reporting syscall errors. If extra&CATCH_ZERO is true, return
296 * _TOR_TLS_ZERORETURN instead of reporting zero-return errors.
297 *
298 * If an error has occurred, log it at level <b>severity</b> and describe the
299 * current action as <b>doing</b>.
300 */
301 static int
304 {
326 }
338 }
339 }
341 /** Initialize OpenSSL, unless it has already been initialized.
342 */
343 static void
345 {
354 /* OpenSSL 0.9.8l introdeced SSL3_FLAGS_ALLOW_UNSAGE_LEGACY_RENEGOTIATION
355 * here, but without thinking too hard about it: it turns out that the
356 * flag in question needed to be set at the last minute, and that it
357 * conflicted with an existing flag number that had already been added
358 * in the OpenSSL 1.0.0 betas. OpenSSL 0.9.8m thoughtfully replaced
359 * the flag with an option and (it seems) broke anything that used
360 * SSL3_FLAGS_* for the purpose. So we need to know how to do both,
361 * and we mustn't use the SSL3_FLAGS option with anything besides
362 * OpenSSL 0.9.8l.
363 *
364 * No, we can't just set flag 0x0010 everywhere. It breaks Tor with
365 * OpenSSL 1.0.0beta3 and later. On the other hand, we might be able to
366 * set option 0x00040000L everywhere.
367 *
368 * No, we can't simply detect whether the flag or the option is present
369 * in the headers at build-time: some vendors (notably Apple) like to
370 * leave their headers out of sync with their libraries.
371 *
372 * Yes, it _is_ almost as if the OpenSSL developers decided that no
373 * program should be allowed to use renegotiation its first passed an
374 * test of intelligence and determination.
375 */
389 "0.9.8l, but some vendors have backported 0.9.8l's "
390 "renegotiation code to earlier versions, and some have "
391 "backported the code from 0.9.8m or 0.9.8n. I'll set both "
399 }
402 }
403 }
405 /** Free all global TLS structures. */
406 void
408 {
413 }
418 }
421 }
423 #ifdef V2_HANDSHAKE_CLIENT
428 #endif
429 }
431 /** We need to give OpenSSL a callback to verify certificates. This is
432 * it: We always accept peer certs and complete the handshake. We
433 * don't validate them until later.
434 */
435 static int
438 {
442 }
444 /** Return a newly allocated X509 name with commonName <b>cname</b>. */
447 {
457 error:
460 }
462 /** Generate and sign an X509 certificate with the public key <b>rsa</b>,
463 * signed by the private key <b>rsa_sign</b>. The commonName of the
464 * certificate will be <b>cname</b>; the commonName of the issuer will be
465 * <b>cname_sign</b>. The cert will be valid for <b>cert_lifetime</b> seconds
466 * starting from now. Return a certificate on success, NULL on
467 * failure.
468 */
475 {
520 error:
524 }
525 done:
536 }
538 /** List of ciphers that servers should select from.*/
539 #define SERVER_CIPHER_LIST \
542 SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA)
543 /* Note: for setting up your own private testing network with link crypto
544 * disabled, set the cipher lists to your cipher list to
545 * SSL3_TXT_RSA_NULL_SHA. If you do this, you won't be able to communicate
546 * with any of the "real" Tors, though. */
548 #ifdef V2_HANDSHAKE_CLIENT
550 #define XCIPHER(id, name)
551 /** List of ciphers that clients should advertise, omitting items that
552 * our OpenSSL doesn't know about. */
555 ;
556 #undef CIPHER
557 #undef XCIPHER
559 /** Holds a cipher that we want to advertise, and its 2-byte ID. */
561 /** A list of all the ciphers that clients should advertise, including items
562 * that OpenSSL might not know about. */
564 #define CIPHER(id, name) { id, name },
565 #define XCIPHER(id, name) { id, #name },
567 #undef CIPHER
568 #undef XCIPHER
569 };
571 /** The length of CLIENT_CIPHER_INFO_LIST and CLIENT_CIPHER_DUMMIES. */
574 #endif
576 #ifndef V2_HANDSHAKE_CLIENT
577 #undef CLIENT_CIPHER_LIST
579 SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA)
580 #endif
582 /** Remove a reference to <b>ctx</b>, and free it if it has no more
583 * references. */
584 static void
586 {
594 }
595 }
597 /** Increase the reference count of <b>ctx</b>. */
598 static void
600 {
602 }
604 /** Create new global client and server TLS contexts.
605 *
606 * If <b>server_identity</b> is NULL, this will not generate a server
607 * TLS context. If <b>is_public_server</b> is non-zero, this will use
608 * the same TLS context for incoming and outgoing connections, and
609 * ignore <b>client_identity</b>. */
610 int
615 {
626 server_identity,
627 key_lifetime);
637 }
638 }
642 server_identity,
643 key_lifetime);
650 }
651 }
654 client_identity,
655 key_lifetime);
656 }
659 }
661 /** Create a new TLS context for use with Tor TLS handshakes.
662 * <b>identity</b> should be set to the identity key used to sign the
663 * certificate.
664 *
665 * You can call this function multiple times. Each time you call it,
666 * it generates new certificates; all new connections will use
667 * the new SSL context.
668 */
669 static int
673 {
675 key_lifetime);
681 /* Free the old context if one existed. */
683 /* This is safe even if there are open connections: we reference-
684 * count tor_tls_context_t objects. */
686 }
687 }
690 }
692 /** Create a new TLS context for use with Tor TLS handshakes.
693 * <b>identity</b> should be set to the identity key used to sign the
694 * certificate.
695 */
698 {
709 /* Generate short-term RSA key. */
714 /* Create certificate signed by identity key. */
716 key_lifetime);
717 /* Create self-signed certificate for identity key. */
719 IDENTITY_CERT_LIFETIME);
723 }
731 #ifdef EVERYONE_HAS_AES
732 /* Tell OpenSSL to only use TLS1 */
735 #else
736 /* Tell OpenSSL to use SSL3 or TLS1 but not SSL2. */
740 #endif
743 #ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
745 SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
746 #endif
747 /* Yes, we know what we are doing here. No, we do not treat a renegotiation
748 * as authenticating any earlier-received data.
749 */
752 SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
753 }
754 /* Don't actually allow compression; it uses ram and time, but the data
755 * we transmit is all encrypted anyway. */
758 #ifdef SSL_MODE_RELEASE_BUFFERS
760 #endif
771 }
782 {
786 }
788 always_accept_verify_cb);
789 /* let us realloc bufs that we're writing from */
798 error:
813 }
815 #ifdef V2_HANDSHAKE_SERVER
816 /** Return true iff the cipher list suggested by the client for <b>ssl</b> is
817 * a list that indicates that the client knows how to do the v2 TLS connection
818 * handshake. */
819 static int
821 {
824 /* If we reached this point, we just got a client hello. See if there is
825 * a cipher list. */
829 }
833 }
834 /* Now we need to see if there are any ciphers whose presence means we're
835 * dealing with an updated Tor. */
843 /* XXXX should be ld_debug */
845 // return 1;
847 }
848 }
850 dump_list:
851 {
858 }
864 }
866 }
868 /** Invoked when we're accepting a connection on <b>ssl</b>, and the connection
869 * changes state. We use this:
870 * <ul><li>To alter the state of the handshake partway through, so we
871 * do not send or request extra certificates in v2 handshakes.</li>
872 * <li>To detect renegotiation</li></ul>
873 */
874 static void
876 {
886 /* Check whether we're watching for renegotiates. If so, this is one! */
891 }
893 /* Now check the cipher list. */
895 /*XXXX_TLS keep this from happening more than once! */
897 /* Yes, we're casting away the const from ssl. This is very naughty of us.
898 * Let's hope openssl doesn't notice! */
900 /* Set SSL_MODE_NO_AUTO_CHAIN to keep from sending back any extra certs. */
902 /* Don't send a hello request. */
909 }
910 }
911 }
912 #endif
914 /** Replace *<b>ciphers</b> with a new list of SSL ciphersuites: specifically,
915 * a list designed to mimic a common web browser. Some of the ciphers in the
916 * list won't actually be implemented by OpenSSL: that's okay so long as the
917 * server doesn't select them, and the server won't select anything besides
918 * what's in SERVER_CIPHER_LIST.
919 *
920 * [If the server <b>does</b> select a bogus cipher, we won't crash or
921 * anything; we'll just fail later when we try to look up the cipher in
922 * ssl->cipher_list_by_id.]
923 */
924 static void
926 {
927 #ifdef V2_HANDSHAKE_CLIENT
929 /* We need to set CLIENT_CIPHER_STACK to an array of the ciphers
930 * we want.*/
933 /* First, create a dummy SSL_CIPHER for every cipher. */
934 CLIENT_CIPHER_DUMMIES =
940 }
949 }
951 /* Then copy as many ciphers as we can from the good list, inserting
952 * dummies as needed. */
971 }
972 }
973 }
979 #else
981 #endif
982 }
984 /** Create a new TLS object from a file descriptor, and a flag to
985 * determine whether it is functioning as a server.
986 */
987 tor_tls_t *
989 {
993 client_tls_context;
1000 }
1002 #ifdef SSL_set_tlsext_host_name
1003 /* Browsers use the TLS hostname extension, so we should too. */
1008 }
1009 #endif
1014 #ifdef SSL_set_tlsext_host_name
1016 #endif
1020 }
1027 #ifdef SSL_set_tlsext_host_name
1029 #endif
1033 }
1046 }
1047 #ifdef V2_HANDSHAKE_SERVER
1050 }
1051 #endif
1053 /* Not expected to get called. */
1056 }
1058 /** Make future log messages about <b>tls</b> display the address
1059 * <b>address</b>.
1060 */
1061 void
1063 {
1067 }
1069 /** Set <b>cb</b> to be called with argument <b>arg</b> whenever <b>tls</b>
1070 * next gets a client-side renegotiate in the middle of a read. Do not
1071 * invoke this function until <em>after</em> initial handshaking is done!
1072 */
1073 void
1077 {
1081 #ifdef V2_HANDSHAKE_SERVER
1086 }
1087 #endif
1088 }
1090 /** If this version of openssl requires it, turn on renegotiation on
1091 * <b>tls</b>.
1092 */
1093 static void
1095 {
1096 /* Yes, we know what we are doing here. No, we do not treat a renegotiation
1097 * as authenticating any earlier-received data. */
1100 }
1103 SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
1104 }
1105 }
1107 /** If this version of openssl supports it, turn off renegotiation on
1108 * <b>tls</b>. (Our protocol never requires this for security, but it's nice
1109 * to use belt-and-suspenders here.)
1110 */
1111 void
1113 {
1115 }
1117 /** Return whether this tls initiated the connect (client) or
1118 * received it (server). */
1119 int
1121 {
1124 }
1126 /** Release resources associated with a TLS object. Does not close the
1127 * underlying file descriptor.
1128 */
1129 void
1131 {
1137 }
1138 #ifdef SSL_set_tlsext_host_name
1140 #endif
1148 }
1150 /** Underlying function for TLS reading. Reads up to <b>len</b>
1151 * characters from <b>tls</b> into <b>cp</b>. On success, returns the
1152 * number of characters read. On failure, returns TOR_TLS_ERROR,
1153 * TOR_TLS_CLOSE, TOR_TLS_WANTREAD, or TOR_TLS_WANTWRITE.
1154 */
1155 int
1157 {
1165 #ifdef V2_HANDSHAKE_SERVER
1167 /* Renegotiation happened! */
1172 }
1173 #endif
1175 }
1185 }
1186 }
1188 /** Underlying function for TLS writing. Write up to <b>n</b>
1189 * characters from <b>cp</b> onto <b>tls</b>. On success, returns the
1190 * number of characters written. On failure, returns TOR_TLS_ERROR,
1191 * TOR_TLS_WANTREAD, or TOR_TLS_WANTWRITE.
1192 */
1193 int
1195 {
1204 /* if WANTWRITE last time, we must use the _same_ n as before */
1210 }
1215 }
1218 }
1220 }
1222 /** Perform initial handshake on <b>tls</b>. When finished, returns
1223 * TOR_TLS_DONE. On failure, returns TOR_TLS_ERROR, TOR_TLS_WANTREAD,
1224 * or TOR_TLS_WANTWRITE.
1225 */
1226 int
1228 {
1238 }
1239 /* We need to call this here and not earlier, since OpenSSL has a penchant
1240 * for clearing its flags when you say accept or connect. */
1247 }
1253 /* There doesn't seem to be a clear OpenSSL API to clear mode flags. */
1255 #ifdef V2_HANDSHAKE_SERVER
1257 /* This check is redundant, but back when we did it in the callback,
1258 * we might have not been able to look up the tor_tls_t if the code
1259 * was buggy. Fixing that. */
1263 }
1269 }
1270 #endif
1272 #ifdef V2_HANDSHAKE_CLIENT
1273 /* If we got no ID cert, we're a v2 handshake. */
1283 }
1286 #endif
1290 }
1291 }
1292 }
1294 }
1296 /** Client only: Renegotiate a TLS session. When finished, returns
1297 * TOR_TLS_DONE. On failure, returns TOR_TLS_ERROR, TOR_TLS_WANTREAD, or
1298 * TOR_TLS_WANTWRITE.
1299 */
1300 int
1302 {
1305 /* We could do server-initiated renegotiation too, but that would be tricky.
1306 * Instead of "SSL_renegotiate, then SSL_do_handshake until done" */
1312 }
1314 }
1321 }
1323 /** Shut down an open tls connection <b>tls</b>. When finished, returns
1324 * TOR_TLS_DONE. On failure, returns TOR_TLS_ERROR, TOR_TLS_WANTREAD,
1325 * or TOR_TLS_WANTWRITE.
1326 */
1327 int
1329 {
1337 /* If we've already called shutdown once to send a close message,
1338 * we read until the other side has closed too.
1339 */
1344 LOG_INFO);
1347 /* fall through... */
1350 }
1351 }
1355 /* If shutdown returns 1, the connection is entirely closed. */
1358 }
1360 LOG_INFO);
1362 /* The underlying TCP connection closed while we were shutting down. */
1366 /* The TLS connection says that it sent a shutdown record, but
1367 * isn't done shutting down yet. Make sure that this hasn't
1368 * happened before, then go back to the start of the function
1369 * and try to read.
1370 */
1376 }
1378 /* fall through ... */
1381 }
1383 }
1385 /** Return true iff this TLS connection is authenticated.
1386 */
1387 int
1389 {
1397 }
1399 /** Warn that a certificate lifetime extends through a certain range. */
1400 static void
1402 {
1413 problem);
1417 }
1421 }
1429 }
1439 end:
1440 /* Not expected to get invoked */
1448 }
1450 /** Helper function: try to extract a link certificate and an identity
1451 * certificate from <b>tls</b>, and store them in *<b>cert_out</b> and
1452 * *<b>id_cert_out</b> respectively. Log all messages at level
1453 * <b>severity</b>.
1454 *
1455 * Note that a reference is added to cert_out, so it needs to be
1456 * freed. id_cert_out doesn't. */
1457 static void
1460 {
1472 /* 1 means we're receiving (server-side), and it's just the id_cert.
1473 * 2 means we're connecting (client-side), and it's both the link
1474 * cert and the id_cert.
1475 */
1479 num_in_chain);
1481 }
1486 }
1488 }
1490 /** If the provided tls connection is authenticated and has a
1491 * certificate chain that is currently valid and signed, then set
1492 * *<b>identity_key</b> to the identity certificate's key and return
1493 * 0. Else, return -1 and log complaints with log-level <b>severity</b>.
1494 */
1495 int
1497 {
1511 }
1517 }
1526 done:
1532 /* This should never get invoked, but let's make sure in case OpenSSL
1533 * acts unexpectedly. */
1537 }
1539 /** Check whether the certificate set on the connection <b>tls</b> is
1540 * expired or not-yet-valid, give or take <b>tolerance</b>
1541 * seconds. Return 0 for valid, -1 for failure.
1542 *
1543 * NOTE: you should call tor_tls_verify before tor_tls_check_lifetime.
1544 */
1545 int
1547 {
1561 }
1566 }
1569 done:
1572 /* Not expected to get invoked */
1576 }
1578 /** Return the number of bytes available for reading from <b>tls</b>.
1579 */
1580 int
1582 {
1585 }
1587 /** If <b>tls</b> requires that the next write be of a particular size,
1588 * return that size. Otherwise, return 0. */
1589 size_t
1591 {
1593 }
1595 /** Sets n_read and n_written to the number of bytes read and written,
1596 * respectively, on the raw socket used by <b>tls</b> since the last time this
1597 * function was called on <b>tls</b>. */
1598 void
1600 {
1604 /* We want the number of bytes actually for real written. Unfortunately,
1605 * sometimes OpenSSL replaces the wbio on tls->ssl with a buffering bio,
1606 * which makes the answer turn out wrong. Let's cope with that. Note
1607 * that this approach will fail if we ever replace tls->ssl's BIOs with
1608 * buffering bios for reasons of our own. As an alternative, we could
1609 * save the original BIO for tls->ssl in the tor_tls_t structure, but
1610 * that would be tempting fate. */
1616 /* We are ok with letting these unsigned ints go "negative" here:
1617 * If we wrapped around, this should still give us the right answer, unless
1618 * we wrapped around by more than ULONG_MAX since the last time we called
1619 * this function.
1620 */
1627 }
1630 }
1632 /** Implement check_no_tls_errors: If there are any pending OpenSSL
1633 * errors, log an error message. */
1634 void
1636 {
1642 }
1644 /** Return true iff the initial TLS connection at <b>tls</b> did not use a v2
1645 * TLS handshake. Output is undefined if the handshake isn't finished. */
1646 int
1648 {
1650 #ifdef V2_HANDSHAKE_SERVER
1652 #endif
1654 #ifdef V2_HANDSHAKE_CLIENT
1656 #endif
1657 }
1659 }
1661 /** Examine the amount of memory used and available for buffers in <b>tls</b>.
1662 * Set *<b>rbuf_capacity</b> to the amount of storage allocated for the read
1663 * buffer and *<b>rbuf_bytes</b> to the amount actually used.
1664 * Set *<b>wbuf_capacity</b> to the amount of storage allocated for the write
1665 * buffer and *<b>wbuf_bytes</b> to the amount actually used. */
1666 void
1670 {
1673 else
1677 else
1681 }