| blob | b931176973a480bc6e6df738cf90ff7e236cf7cf |
1 /* Copyright (c) 2003, Roger Dingledine.
2 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
3 * Copyright (c) 2007-2008, The Tor Project, Inc. */
4 /* See LICENSE for licensing information */
5 /* $Id$ */
9 /**
10 * \file tortls.c
11 * \brief Wrapper functions to present a consistent interface to
12 * TLS, SSL, and X.509 functions from OpenSSL.
13 **/
15 /* (Unlike other tor functions, these
16 * are prefixed with tor_ in order to avoid conflicting with OpenSSL
17 * functions and variables.)
18 */
22 #include <assert.h>
23 #include <openssl/ssl.h>
24 #include <openssl/ssl3.h>
25 #include <openssl/err.h>
26 #include <openssl/tls1.h>
27 #include <openssl/asn1.h>
28 #include <openssl/bio.h>
29 #include <openssl/opensslv.h>
31 #if OPENSSL_VERSION_NUMBER < 0x00907000l
33 #endif
43 #include <string.h>
45 /* Enable the "v2" TLS handshake.
46 */
47 #define V2_HANDSHAKE_SERVER
48 #define V2_HANDSHAKE_CLIENT
50 /* Copied from or.h */
51 #define LEGAL_NICKNAME_CHARACTERS \
52 "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
54 /** How long do identity certificates live? (sec) */
55 #define IDENTITY_CERT_LIFETIME (365*24*60*60)
59 /** Structure holding the TLS state for a single connection. */
68 /** Holds a SSL object and its associated data. Members are only
69 * accessed from within tortls.c.
70 */
81 * completed successfully. */
84 * this connection used the updated version
85 * of the connection protocol (client sends
86 * different cipher list, server sends only
87 * one certificate). */
88 /** True iff we should call negotiated_callback when we're done reading. */
91 * time. */
92 /** Last values retrieved from BIO_number_read()/write(); see
93 * tor_tls_get_n_raw_bytes() for usage.
94 */
97 /** If set, a callback to invoke whenever the client tries to renegotiate
98 * the handshake. */
100 /** Argument to pass to negotiated_callback. */
102 };
104 /** Helper: compare tor_tls_t objects by its SSL. */
107 {
109 }
111 /** Helper: return a hash value for a tor_tls_t by its SSL. */
114 {
115 #if SIZEOF_INT == SIZEOF_VOID_P
117 #else
119 #endif
120 }
122 /** Map from SSL* pointers to tor_tls_t objects using those pointers.
123 */
127 tor_tls_entries_eq)
131 /** Helper: given a SSL* pointer, return the tor_tls_t object using that
132 * pointer. */
135 {
141 }
151 /** Global tls context. We keep it here because nobody else needs to
152 * touch it. */
154 /** True iff tor_tls_init() has been called. */
157 /* Module-internal error codes. */
158 #define _TOR_TLS_SYSCALL (_MIN_TOR_TLS_ERROR_VAL - 2)
159 #define _TOR_TLS_ZERORETURN (_MIN_TOR_TLS_ERROR_VAL - 1)
161 /** Log all pending tls errors at level <b>severity</b>. Use
162 * <b>doing</b> to describe our current activities.
163 */
164 static void
166 {
183 }
184 }
185 }
187 /** Convert an errno (or a WSAerrno on windows) into a TOR_TLS_* error
188 * code. */
189 static int
191 {
192 #if defined(MS_WINDOWS) && !defined(USE_BSOCKETS)
205 }
206 #else
219 }
220 #endif
221 }
223 /** Given a TOR_TLS_* error code, return a string equivalent. */
226 {
240 }
241 }
243 #define CATCH_SYSCALL 1
244 #define CATCH_ZERO 2
246 /** Given a TLS object and the result of an SSL_* call, use
247 * SSL_get_error to determine whether an error has occurred, and if so
248 * which one. Return one of TOR_TLS_{DONE|WANTREAD|WANTWRITE|ERROR}.
249 * If extra&CATCH_SYSCALL is true, return _TOR_TLS_SYSCALL instead of
250 * reporting syscall errors. If extra&CATCH_ZERO is true, return
251 * _TOR_TLS_ZERORETURN instead of reporting zero-return errors.
252 *
253 * If an error has occurred, log it at level <b>severity</b> and describe the
254 * current action as <b>doing</b>.
255 */
256 static int
259 {
281 }
293 }
294 }
296 /** Initialize OpenSSL, unless it has already been initialized.
297 */
298 static void
300 {
306 }
307 }
309 /** Free all global TLS structures. */
310 void
312 {
316 }
319 }
321 }
323 /** We need to give OpenSSL a callback to verify certificates. This is
324 * it: We always accept peer certs and complete the handshake. We
325 * don't validate them until later.
326 */
327 static int
330 {
334 }
336 /** Return a newly allocated X509 name with commonName <b>cname</b>. */
339 {
349 error:
352 }
354 /** Generate and sign an X509 certificate with the public key <b>rsa</b>,
355 * signed by the private key <b>rsa_sign</b>. The commonName of the
356 * certificate will be <b>cname</b>; the commonName of the issuer will be
357 * <b>cname_sign</b>. The cert will be valid for <b>cert_lifetime</b> seconds
358 * starting from now. Return a certificate on success, NULL on
359 * failure.
360 */
367 {
412 error:
416 }
417 done:
428 }
430 #define SERVER_CIPHER_LIST \
433 SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA)
434 /* Note: for setting up your own private testing network with link crypto
435 * disabled, set the cipher lists to your cipher list to
436 * SSL3_TXT_RSA_NULL_SHA. If you do this, you won't be able to communicate
437 * with any of the "real" Tors, though. */
439 #if OPENSSL_VERSION_NUMBER >= 0x00908020l
440 #define CLIENT_CIPHER_LIST \
468 SSL3_TXT_RSA_DES_192_CBC3_SHA)
469 /* SSL3_TXT_RSA_FIPS_WITH_3DES_EDE_CBC_SHA is commented out because it doesn't
470 * really exist; if I understand correctly, it's a bit of silliness that
471 * netscape did on its own before any standard for what they wanted was
472 * formally approved. Nonetheless, Firefox still uses it, so we need to
473 * fake it at some point soon. XXXX021 -NM */
474 #else
475 /* Ug. We don't have as many ciphers with openssl 0.9.7 as we'd like. Fix
476 * this list into something that sucks less. */
477 #define CLIENT_CIPHER_LIST \
481 SSL3_TXT_RSA_RC4_128_SHA)
482 #endif
484 #ifndef V2_HANDSHAKE_CLIENT
485 #undef CLIENT_CIPHER_LIST
487 SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA)
488 #endif
490 /** Remove a reference to <b>ctx</b>, and free it if it has no more
491 * references. */
492 static void
494 {
502 }
503 }
505 /** Increase the reference count of <b>ctx</b>. */
506 static void
508 {
510 }
512 /** Create a new TLS context for use with Tor TLS handshakes.
513 * <b>identity</b> should be set to the identity key used to sign the
514 * certificate, and <b>nickname</b> set to the nickname to use.
515 *
516 * You can call this function multiple times. Each time you call it,
517 * it generates new certificates; all new connections will use
518 * the new SSL context.
519 */
520 int
522 {
534 /* Generate short-term RSA key. */
539 /* Create certificate signed by identity key. */
541 key_lifetime);
542 /* Create self-signed certificate for identity key. */
544 IDENTITY_CERT_LIFETIME);
548 }
556 #ifdef EVERYONE_HAS_AES
557 /* Tell OpenSSL to only use TLS1 */
560 #else
561 /* Tell OpenSSL to use SSL3 or TLS1 but not SSL2. */
565 #endif
567 #ifdef SSL_MODE_RELEASE_BUFFERS
569 #endif
580 }
595 always_accept_verify_cb);
596 /* let us realloc bufs that we're writing from */
598 /* Free the old context if one exists. */
600 /* This is safe even if there are open connections: OpenSSL does
601 * reference counting with SSL and SSL_CTX objects. */
603 }
611 error:
628 }
630 #ifdef V2_HANDSHAKE_SERVER
631 /** Return true iff the cipher list suggested by the client for <b>ssl</b> is
632 * a list that indicates that the client knows how to do the v2 TLS connection
633 * handshake. */
634 static int
636 {
639 /* If we reached this point, we just got a client hello. See if there is
640 * a cipher list. */
644 }
648 }
649 /* Now we need to see if there are any ciphers whose presence means we're
650 * dealing with an updated Tor. */
658 /* XXXX should be ld_debug */
660 // return 1;
662 }
663 }
665 dump_list:
666 {
673 }
679 }
681 }
683 /** Invoked when we're accepting a connection on <b>ssl</b>, and the connection
684 * changes state. We use this:
685 * <ul><li>To alter the state of the handshake partway through, so we
686 * do not send or request extra certificates in v2 handshakes.</li>
687 * <li>To detect renegotiation</li></ul>
688 */
689 static void
691 {
701 /* Check whether we're watching for renegotiates. If so, this is one! */
706 }
708 /* Now check the cipher list. */
710 /*XXXX_TLS keep this from happening more than once! */
712 /* Yes, we're casting away the const from ssl. This is very naughty of us.
713 * Let's hope openssl doesn't notice! */
715 /* Set SSL_MODE_NO_AUTO_CHAIN to keep from sending back any extra certs. */
717 /* Don't send a hello request. */
724 }
725 }
726 }
727 #endif
729 /** Create a new TLS object from a file descriptor, and a flag to
730 * determine whether it is functioning as a server.
731 */
732 tor_tls_t *
734 {
743 }
749 }
751 #ifdef USE_BSOCKETS
753 #else
755 #endif
761 }
774 }
775 #ifdef V2_HANDSHAKE_SERVER
778 }
779 #endif
780 /* Not expected to get called. */
783 }
785 /** Make future log messages about <b>tls</b> display the address
786 * <b>address</b>.
787 */
788 void
790 {
794 }
796 /** Set <b>cb</b> to be called with argument <b>arg</b> whenever <b>tls</b>
797 * next gets a client-side renegotiate in the middle of a read. Do not
798 * invoke this function untile <em>after</em> initial handshaking is done!
799 */
800 void
804 {
808 #ifdef V2_HANDSHAKE_SERVER
813 }
814 #endif
815 }
817 /** Return whether this tls initiated the connect (client) or
818 * received it (server). */
819 int
821 {
824 }
826 /** Release resources associated with a TLS object. Does not close the
827 * underlying file descriptor.
828 */
829 void
831 {
837 }
845 }
847 /** Underlying function for TLS reading. Reads up to <b>len</b>
848 * characters from <b>tls</b> into <b>cp</b>. On success, returns the
849 * number of characters read. On failure, returns TOR_TLS_ERROR,
850 * TOR_TLS_CLOSE, TOR_TLS_WANTREAD, or TOR_TLS_WANTWRITE.
851 */
852 int
854 {
862 #ifdef V2_HANDSHAKE_SERVER
864 /* Renegotiation happened! */
869 }
870 #endif
872 }
882 }
883 }
885 /** Underlying function for TLS writing. Write up to <b>n</b>
886 * characters from <b>cp</b> onto <b>tls</b>. On success, returns the
887 * number of characters written. On failure, returns TOR_TLS_ERROR,
888 * TOR_TLS_WANTREAD, or TOR_TLS_WANTWRITE.
889 */
890 int
892 {
901 /* if WANTWRITE last time, we must use the _same_ n as before */
907 }
912 }
915 }
917 }
919 /** Perform initial handshake on <b>tls</b>. When finished, returns
920 * TOR_TLS_DONE. On failure, returns TOR_TLS_ERROR, TOR_TLS_WANTREAD,
921 * or TOR_TLS_WANTWRITE.
922 */
923 int
925 {
935 }
941 }
947 /* There doesn't seem to be a clear OpenSSL API to clear mode flags. */
949 #ifdef V2_HANDSHAKE_SERVER
951 /* This check is redundant, but back when we did it in the callback,
952 * we might have not been able to look up the tor_tls_t if the code
953 * was buggy. Fixing that. */
957 }
963 }
964 #endif
966 #ifdef V2_HANDSHAKE_CLIENT
967 /* If we got no ID cert, we're a v2 handshake. */
977 }
980 #endif
982 }
983 }
985 }
987 /** Client only: Renegotiate a TLS session. When finished, returns
988 * TOR_TLS_DONE. On failure, returns TOR_TLS_ERROR, TOR_TLS_WANTREAD, or
989 * TOR_TLS_WANTWRITE.
990 */
991 int
993 {
996 /* We could do server-initiated renegotiation too, but that would be tricky.
997 * Instead of "SSL_renegotiate, then SSL_do_handshake until done" */
1003 }
1005 }
1012 }
1014 /** Shut down an open tls connection <b>tls</b>. When finished, returns
1015 * TOR_TLS_DONE. On failure, returns TOR_TLS_ERROR, TOR_TLS_WANTREAD,
1016 * or TOR_TLS_WANTWRITE.
1017 */
1018 int
1020 {
1028 /* If we've already called shutdown once to send a close message,
1029 * we read until the other side has closed too.
1030 */
1035 LOG_INFO);
1038 /* fall through... */
1041 }
1042 }
1046 /* If shutdown returns 1, the connection is entirely closed. */
1049 }
1051 LOG_INFO);
1053 /* The underlying TCP connection closed while we were shutting down. */
1057 /* The TLS connection says that it sent a shutdown record, but
1058 * isn't done shutting down yet. Make sure that this hasn't
1059 * happened before, then go back to the start of the function
1060 * and try to read.
1061 */
1067 }
1069 /* fall through ... */
1072 }
1074 }
1076 /** Return true iff this TLS connection is authenticated.
1077 */
1078 int
1080 {
1088 }
1090 /** Warn that a certificate lifetime extends through a certain range. */
1091 static void
1093 {
1104 problem);
1108 }
1112 }
1120 }
1130 end:
1131 /* Not expected to get invoked */
1139 }
1141 /** Helper function: try to extract a link certificate and an identity
1142 * certificate from <b>tls</b>, and store them in *<b>cert_out</b> and
1143 * *<b>id_cert_out</b> respectively. Log all messages at level
1144 * <b>severity</b>.
1145 *
1146 * Note that a reference is added to cert_out, so it needs to be
1147 * freed. id_cert_out doesn't. */
1148 static void
1151 {
1163 /* 1 means we're receiving (server-side), and it's just the id_cert.
1164 * 2 means we're connecting (client-side), and it's both the link
1165 * cert and the id_cert.
1166 */
1170 num_in_chain);
1172 }
1177 }
1179 }
1181 /** If the provided tls connection is authenticated and has a
1182 * certificate chain that is currently valid and signed, then set
1183 * *<b>identity_key</b> to the identity certificate's key and return
1184 * 0. Else, return -1 and log complaints with log-level <b>severity</b>.
1185 */
1186 int
1188 {
1202 }
1208 }
1217 done:
1223 /* This should never get invoked, but let's make sure in case OpenSSL
1224 * acts unexpectedly. */
1228 }
1230 /** Check whether the certificate set on the connection <b>tls</b> is
1231 * expired or not-yet-valid, give or take <b>tolerance</b>
1232 * seconds. Return 0 for valid, -1 for failure.
1233 *
1234 * NOTE: you should call tor_tls_verify before tor_tls_check_lifetime.
1235 */
1236 int
1238 {
1252 }
1257 }
1260 done:
1263 /* Not expected to get invoked */
1267 }
1269 /** Return the number of bytes available for reading from <b>tls</b>.
1270 */
1271 int
1273 {
1276 }
1278 /** If <b>tls</b> requires that the next write be of a particular size,
1279 * return that size. Otherwise, return 0. */
1280 size_t
1282 {
1284 }
1286 /** Sets n_read and n_written to the number of bytes read and written,
1287 * respectively, on the raw socket used by <b>tls</b> since the last time this
1288 * function was called on <b>tls</b>. */
1289 void
1291 {
1295 /* We want the number of bytes actually for real written. Unfortunately,
1296 * sometimes OpenSSL replaces the wbio on tls->ssl with a buffering bio,
1297 * which makes the answer turn out wrong. Let's cope with that. Note
1298 * that this approach will fail if we ever replace tls->ssl's BIOs with
1299 * buffering bios for reasons of our own. As an alternative, we could
1300 * save the original BIO for tls->ssl in the tor_tls_t structure, but
1301 * that would be tempting fate. */
1307 /* We are ok with letting these unsigned ints go "negative" here:
1308 * If we wrapped around, this should still give us the right answer, unless
1309 * we wrapped around by more than ULONG_MAX since the last time we called
1310 * this function.
1311 */
1318 }
1321 }
1323 /** Implement check_no_tls_errors: If there are any pending OpenSSL
1324 * errors, log an error message. */
1325 void
1327 {
1333 }
1335 /** Return true iff the initial TLS connection at <b>tls</b> did not use a v2
1336 * TLS handshake. Output is undefined if the handshake isn't finished. */
1337 int
1339 {
1341 #ifdef V2_HANDSHAKE_SERVER
1343 #endif
1345 #ifdef V2_HANDSHAKE_CLIENT
1347 #endif
1348 }
1350 }
1352 /** DOCDOC */
1353 void
1357 {
1360 else
1364 else
1368 }