| blob | 77de2d6a1112e6b765c3a04645f7490c56bfc176 |
1 /* Copyright (c) 2003, Roger Dingledine.
2 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
3 * Copyright (c) 2007-2021, The Tor Project, Inc. */
4 /* See LICENSE for licensing information */
6 /**
7 * \file tortls.c
8 * \brief Wrapper functions to present a consistent interface to
9 * TLS, SSL, and X.509 functions from OpenSSL.
10 **/
12 /* (Unlike other tor functions, these
13 * are prefixed with tor_ in order to avoid conflicting with OpenSSL
14 * functions and variables.)
15 */
19 #define TORTLS_PRIVATE
20 #define TORTLS_OPENSSL_PRIVATE
21 #define TOR_X509_PRIVATE
23 #ifdef _WIN32
24 /* We need to include these here, or else the dtls1.h header will include
25 * <winsock.h> and mess things up, in at least some openssl versions. */
26 #include <winsock2.h>
27 #include <ws2tcpip.h>
38 /* Some versions of OpenSSL declare SSL_get_selected_srtp_profile twice in
39 * srtp.h. Suppress the GCC warning so we can build with -Wredundant-decl. */
42 #include <openssl/opensslv.h>
44 #ifdef OPENSSL_NO_EC
46 #endif
48 #include <openssl/ssl.h>
49 #include <openssl/ssl3.h>
50 #include <openssl/err.h>
51 #include <openssl/tls1.h>
52 #include <openssl/asn1.h>
53 #include <openssl/bio.h>
54 #include <openssl/bn.h>
55 #include <openssl/rsa.h>
72 #include <stdlib.h>
73 #include <string.h>
77 /* Copied from or.h */
78 #define LEGAL_NICKNAME_CHARACTERS \
79 "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
84 /* This is a version of OpenSSL before 1.0.0f. It does not have
85 * the CVE-2011-4576 fix, and as such it can't use RELEASE_BUFFERS and
86 * SSL3 safely at the same time.
87 */
88 #define DISABLE_SSL3_HANDSHAKE
91 /* We redefine these so that we can run correctly even if the vendor gives us
92 * a version of OpenSSL that does not match its header files. (Apple: I am
93 * looking at you.)
94 */
95 #ifndef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
96 #define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0x00040000L
97 #endif
98 #ifndef SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
99 #define SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0x0010
100 #endif
102 /** Set to true iff openssl bug 7712 has been detected. */
105 /** Return values for tor_tls_classify_client_ciphers.
106 *
107 * @{
108 */
109 /** An error occurred when examining the client ciphers */
110 #define CIPHERS_ERR -1
111 /** The client cipher list indicates that a v1 handshake was in use. */
112 #define CIPHERS_V1 1
113 /** The client cipher list indicates that the client is using the v2 or the
114 * v3 handshake, but that it is (probably!) lying about what ciphers it
115 * supports */
116 #define CIPHERS_V2 2
117 /** The client cipher list indicates that the client is using the v2 or the
118 * v3 handshake, and that it is telling the truth about what ciphers it
119 * supports */
120 #define CIPHERS_UNRESTRICTED 3
121 /** @} */
123 /** The ex_data index in which we store a pointer to an SSL object's
124 * corresponding tor_tls_t object. */
127 /** Helper: Allocate tor_tls_object_ex_data_index. */
128 void
130 {
132 tor_tls_object_ex_data_index =
135 }
136 }
138 /** Helper: given a SSL* pointer, return the tor_tls_t object using that
139 * pointer. */
140 tor_tls_t *
142 {
147 }
149 /** True iff tor_tls_init() has been called. */
152 /* Module-internal error codes. */
153 #define TOR_TLS_SYSCALL_ (MIN_TOR_TLS_ERROR_VAL_ - 2)
154 #define TOR_TLS_ZERORETURN_ (MIN_TOR_TLS_ERROR_VAL_ - 1)
156 /** Write a description of the current state of <b>tls</b> into the
157 * <b>sz</b>-byte buffer at <b>buf</b>. */
158 void
160 {
167 }
178 #undef CASE
185 }
188 }
190 /** Log a single error <b>err</b> as returned by ERR_get_error(), which was
191 * received while performing an operation <b>doing</b> on <b>tls</b>. Log
192 * the message at <b>severity</b>, in log domain <b>domain</b>. */
193 void
196 {
204 /* Some errors are known-benign, meaning they are the fault of the other
205 * side of the connection. The caller doesn't know this, so override the
206 * priority for those cases. */
211 #ifndef OPENSSL_1_1_API
213 #endif
220 }
236 }
237 }
239 /** Log all pending tls errors at level <b>severity</b> in log domain
240 * <b>domain</b>. Use <b>doing</b> to describe our current activities.
241 */
242 void
244 {
251 }
252 }
254 /**
255 * Return a string representing more detail about the last error received
256 * on TLS.
257 *
258 * May return null if no error was found.
259 **/
262 {
265 }
268 }
270 }
272 #define CATCH_SYSCALL 1
273 #define CATCH_ZERO 2
275 /** Given a TLS object and the result of an SSL_* call, use
276 * SSL_get_error to determine whether an error has occurred, and if so
277 * which one. Return one of TOR_TLS_{DONE|WANTREAD|WANTWRITE|ERROR}.
278 * If extra&CATCH_SYSCALL is true, return TOR_TLS_SYSCALL_ instead of
279 * reporting syscall errors. If extra&CATCH_ZERO is true, return
280 * TOR_TLS_ZERORETURN_ instead of reporting zero-return errors.
281 *
282 * If an error has occurred, log it at level <b>severity</b> and describe the
283 * current action as <b>doing</b>.
284 */
285 int
288 {
312 }
325 }
326 }
328 /** Initialize OpenSSL, unless it has already been initialized.
329 */
330 void
332 {
336 #ifdef OPENSSL_1_1_API
338 #else
343 #if (SIZEOF_VOID_P >= 8 && \
344 OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,0,1))
347 /* LCOV_EXCL_START : we can't test these lines on the same machine */
349 /* Warn if we could *almost* be running with much faster ECDH.
350 If we're built for a 64-bit target, using OpenSSL 1.0.1, but we
351 don't have one of the built-in __uint128-based speedups, we are
352 just one build operation away from an accelerated handshake.
354 (We could be looking at OPENSSL_NO_EC_NISTP_64_GCC_128 instead of
355 doing this test, but that gives compile-time options, not runtime
356 behavior.)
357 */
368 "OpenSSL 1.0.1 or later, but with a version of OpenSSL "
369 "that apparently lacks accelerated support for the NIST "
370 "P-224 and P-256 groups. Building openssl with such "
371 "support (using the enable-ec_nistp_64_gcc_128 option "
373 }
374 /* LCOV_EXCL_STOP */
380 }
381 }
383 /** We need to give OpenSSL a callback to verify certificates. This is
384 * it: We always accept peer certs and complete the handshake. We
385 * don't validate them until later.
386 */
387 int
390 {
394 }
396 /** List of ciphers that servers should select from when the client might be
397 * claiming extra unsupported ciphers in order to avoid fingerprinting. */
399 #ifdef TLS1_3_TXT_AES_128_GCM_SHA256
400 /* This one can never actually get selected, since if the client lists it,
401 * we will assume that the client is honest, and not use this list.
402 * Nonetheless we list it if it's available, so that the server doesn't
403 * conclude that it has no valid ciphers if it's running with TLS1.3.
404 */
405 TLS1_3_TXT_AES_128_GCM_SHA256 ":"
407 TLS1_TXT_DHE_RSA_WITH_AES_256_SHA ":"
408 TLS1_TXT_DHE_RSA_WITH_AES_128_SHA;
410 /** List of ciphers that servers should select from when we actually have
411 * our choice of what cipher to use. */
413 /* Here are the TLS 1.3 ciphers we like, in the order we prefer. */
414 #ifdef TLS1_3_TXT_AES_256_GCM_SHA384
415 TLS1_3_TXT_AES_256_GCM_SHA384 ":"
416 #endif
417 #ifdef TLS1_3_TXT_CHACHA20_POLY1305_SHA256
418 TLS1_3_TXT_CHACHA20_POLY1305_SHA256 ":"
419 #endif
420 #ifdef TLS1_3_TXT_AES_128_GCM_SHA256
421 TLS1_3_TXT_AES_128_GCM_SHA256 ":"
422 #endif
423 #ifdef TLS1_3_TXT_AES_128_CCM_SHA256
424 TLS1_3_TXT_AES_128_CCM_SHA256 ":"
425 #endif
427 /* This list is autogenerated with the gen_server_ciphers.py script;
428 * don't hand-edit it. */
429 #ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384
430 TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ":"
431 #endif
432 #ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256
433 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
434 #endif
435 #ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384
436 TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384 ":"
437 #endif
438 #ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256
439 TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256 ":"
440 #endif
441 #ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA
442 TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA ":"
443 #endif
444 #ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA
445 TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA ":"
446 #endif
447 #ifdef TLS1_TXT_DHE_RSA_WITH_AES_256_GCM_SHA384
448 TLS1_TXT_DHE_RSA_WITH_AES_256_GCM_SHA384 ":"
449 #endif
450 #ifdef TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256
451 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256 ":"
452 #endif
453 #ifdef TLS1_TXT_DHE_RSA_WITH_AES_256_CCM
454 TLS1_TXT_DHE_RSA_WITH_AES_256_CCM ":"
455 #endif
456 #ifdef TLS1_TXT_DHE_RSA_WITH_AES_128_CCM
457 TLS1_TXT_DHE_RSA_WITH_AES_128_CCM ":"
458 #endif
459 #ifdef TLS1_TXT_DHE_RSA_WITH_AES_256_SHA256
460 TLS1_TXT_DHE_RSA_WITH_AES_256_SHA256 ":"
461 #endif
462 #ifdef TLS1_TXT_DHE_RSA_WITH_AES_128_SHA256
463 TLS1_TXT_DHE_RSA_WITH_AES_128_SHA256 ":"
464 #endif
465 /* Required */
466 TLS1_TXT_DHE_RSA_WITH_AES_256_SHA ":"
467 /* Required */
468 TLS1_TXT_DHE_RSA_WITH_AES_128_SHA ":"
469 #ifdef TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305
470 TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305 ":"
471 #endif
472 #ifdef TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305
473 TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305
474 #endif
475 ;
477 /* Note: to set up your own private testing network with link crypto
478 * disabled, set your Tors' cipher list to
479 * (SSL3_TXT_RSA_NULL_SHA). If you do this, you won't be able to communicate
480 * with any of the "real" Tors, though. */
483 #define XCIPHER(id, name)
484 /** List of ciphers that clients should advertise, omitting items that
485 * our OpenSSL doesn't know about. */
487 #ifndef COCCI
489 #endif
490 /* Tell it not to use SSLv2 ciphers, so that it can select an SSLv3 version
491 * of any cipher we say. */
492 "!SSLv2"
493 ;
494 #undef CIPHER
495 #undef XCIPHER
497 /** Return true iff the other side of <b>tls</b> has authenticated to us, and
498 * the key certified in <b>cert</b> is the same as the key they used to do it.
499 */
502 {
523 }
525 void
527 {
531 }
533 /** The group we should use for ecdhe when none was selected. */
534 #define NID_tor_default_ecdhe_group NID_X9_62_prime256v1
536 /** Create a new TLS context for use with Tor TLS handshakes.
537 * <b>identity</b> should be set to the identity key used to sign the
538 * certificate.
539 */
540 tor_tls_context_t *
543 {
556 }
557 }
559 #if 0
560 /* Tell OpenSSL to only use TLS1. This may have subtly different results
561 * from SSLv23_method() with SSLv2 and SSLv3 disabled, so we need to do some
562 * investigation before we consider adjusting it. It should be compatible
563 * with existing Tors. */
568 /* Tell OpenSSL to use TLS 1.0 or later but not SSL2 or SSL3. */
569 #ifdef HAVE_TLS_METHOD
572 #else
577 #ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL
578 /* Level 1 re-enables RSA1024 and DH1024 for compatibility with old tors */
580 #endif
585 /* Prefer the server's ordering of ciphers: the client's ordering has
586 * historically been chosen for fingerprinting resistance. */
589 /* Disable TLS tickets if they're supported. We never want to use them;
590 * using them can make our perfect forward secrecy a little worse, *and*
591 * create an opportunity to fingerprint us (since it's unusual to use them
592 * with TLS sessions turned off).
593 *
594 * In 0.2.4, clients advertise support for them though, to avoid a TLS
595 * distinguishability vector. This can give us worse PFS, though, if we
596 * get a server that doesn't set SSL_OP_NO_TICKET. With luck, there will
597 * be few such servers by the time 0.2.4 is more stable.
598 */
599 #ifdef SSL_OP_NO_TICKET
602 }
603 #endif
608 #ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
610 SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
611 #endif
612 /* Yes, we know what we are doing here. No, we do not treat a renegotiation
613 * as authenticating any earlier-received data.
614 */
615 {
617 SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
618 }
620 /* Don't actually allow compression; it uses RAM and time, it makes TLS
621 * vulnerable to CRIME-style attacks, and most of the data we transmit over
622 * TLS is encrypted (and therefore uncompressible) anyway. */
623 #ifdef SSL_OP_NO_COMPRESSION
625 #endif
626 #if OPENSSL_VERSION_NUMBER < OPENSSL_V_SERIES(1,1,0)
627 #ifndef OPENSSL_NO_COMP
630 #endif
633 #ifdef SSL_MODE_RELEASE_BUFFERS
635 #endif
641 }
646 }
647 }
659 }
661 {
666 }
667 /* We check for this function in two ways, since it might be either a symbol
668 * or a macro. */
669 #if defined(SSL_CTX_set1_groups_list) || defined(HAVE_SSL_CTX_SET1_GROUPS_LIST)
670 {
676 else
681 }
690 else
692 /* Use P-256 for ECDHE. */
697 }
700 always_accept_verify_cb);
701 /* let us realloc bufs that we're writing from */
704 #ifdef SSL_OP_TLSEXT_PADDING
705 /* Adds a padding extension to ensure the ClientHello size is never between
706 * 256 and 511 bytes in length. */
708 #endif
712 error:
718 }
720 /** Invoked when a TLS state changes: log the change at severity 'debug' */
721 void
723 {
724 /* LCOV_EXCL_START since this depends on whether debug is captured or not */
727 /* LCOV_EXCL_STOP */
728 }
730 /* Return the name of the negotiated ciphersuite in use on <b>tls</b> */
733 {
735 }
737 /* Here's the old V2 cipher list we sent from 0.2.1.1-alpha up to
738 * 0.2.3.17-beta. If a client is using this list, we can't believe the ciphers
739 * that it claims to support. We'll prune this list to remove the ciphers
740 * *we* don't recognize. */
770 0
771 };
772 /** Have we removed the unrecognized ciphers from v2_cipher_list yet? */
775 /** Return 0 if <b>m</b> does not support the cipher with ID <b>cipher</b>;
776 * return 1 if it does support it, or if we have no way to tell. */
777 int
779 {
781 #ifdef HAVE_SSL_CIPHER_FIND
783 {
788 * with a two-byte 'cipherid', it may look for a v2
789 * cipher with the appropriate 3 bytes. */
794 }
797 # if defined(HAVE_STRUCT_SSL_METHOD_ST_GET_CIPHER_BY_CHAR)
802 * with a two-byte 'cipherid', it may look for a v2
803 * cipher with the appropriate 3 bytes. */
808 }
810 # ifndef OPENSSL_1_1_API
812 /* It would seem that some of the "let's-clean-up-openssl" forks have
813 * removed the get_cipher_by_char function. Okay, so now you get a
814 * quadratic search.
815 */
821 }
822 }
824 }
831 }
833 /** Remove from v2_cipher_list every cipher that we don't support, so that
834 * comparing v2_cipher_list to a client's cipher list will give a sensible
835 * result. */
836 static void
838 {
840 #ifdef HAVE_TLS_METHOD
842 #else
844 #endif
851 inp++;
852 }
853 }
857 }
859 /** Examine the client cipher list in <b>ssl</b>, and determine what kind of
860 * client it is. Return one of CIPHERS_ERR, CIPHERS_V1, CIPHERS_V2,
861 * CIPHERS_UNRESTRICTED.
862 **/
863 int
866 {
876 /* If we reached this point, we just got a client hello. See if there is
877 * a cipher list. */
882 }
883 /* Now we need to see if there are any ciphers whose presence means we're
884 * dealing with an updated Tor. */
893 // return 1;
895 }
896 }
899 v2_or_higher:
900 {
910 }
912 }
916 }
918 }
920 dump_ciphers:
921 {
928 }
934 }
935 done:
940 }
942 /** Return true iff the cipher list suggested by the client for <b>ssl</b> is
943 * a list that indicates that the client knows how to do the v2 TLS connection
944 * handshake. */
945 int
947 {
949 #ifdef HAVE_SSL_GET_CLIENT_CIPHERS
951 #else
956 }
961 }
963 /** Invoked when we're accepting a connection on <b>ssl</b>, and the connection
964 * changes state. We use this:
965 * <ul><li>To alter the state of the handshake partway through, so we
966 * do not send or request extra certificates in v2 handshakes.</li>
967 * <li>To detect renegotiation</li></ul>
968 */
969 void
971 {
977 }
989 /* Check whether we're watching for renegotiates. If so, this is one! */
995 }
997 /* Now check the cipher list. */
1001 * This is a renegotiation. */
1003 /* Yes, we're casting away the const from ssl. This is very naughty of us.
1004 * Let's hope openssl doesn't notice! */
1006 /* Set SSL_MODE_NO_AUTO_CHAIN to keep from sending back any extra certs. */
1008 /* Don't send a hello request. */
1014 /* LCOV_EXCL_START this line is not reachable */
1016 /* LCOV_EXCL_STOP */
1017 }
1018 }
1019 }
1021 /** Callback to get invoked on a server after we've read the list of ciphers
1022 * the client supports, but before we pick our own ciphersuite.
1023 *
1024 * We can't abuse an info_cb for this, since by the time one of the
1025 * client_hello info_cbs is called, we've already picked which ciphersuite to
1026 * use.
1027 *
1028 * Technically, this function is an abuse of this callback, since the point of
1029 * a session_secret_cb is to try to set up and/or verify a shared-secret for
1030 * authentication on the fly. But as long as we return 0, we won't actually be
1031 * setting up a shared secret, and all will be fine.
1032 */
1033 int
1038 {
1046 CIPHERS_UNRESTRICTED) {
1048 }
1053 }
1054 static void
1056 {
1058 }
1060 /** Create a new TLS object from a file descriptor, and a flag to
1061 * determine whether it is functioning as a server.
1062 */
1063 tor_tls_t *
1065 {
1077 }
1079 #ifdef SSL_set_tlsext_host_name
1080 /* Browsers use the TLS hostname extension, so we should too. */
1085 }
1088 #ifdef SSL_CTRL_SET_MAX_PROTO_VERSION
1090 /* We can't actually use TLS 1.3 until this bug is fixed. */
1092 }
1098 #ifdef SSL_set_tlsext_host_name
1100 #endif
1104 }
1109 #ifdef SSL_set_tlsext_host_name
1111 #endif
1115 }
1116 {
1122 }
1123 }
1135 }
1140 }
1146 err:
1148 done:
1149 /* Not expected to get called. */
1152 }
1154 /** Set <b>cb</b> to be called with argument <b>arg</b> whenever <b>tls</b>
1155 * next gets a client-side renegotiate in the middle of a read. Do not
1156 * invoke this function until <em>after</em> initial handshaking is done!
1157 */
1158 void
1162 {
1170 }
1171 }
1173 /** If this version of openssl requires it, turn on renegotiation on
1174 * <b>tls</b>.
1175 */
1176 void
1178 {
1179 /* Yes, we know what we are doing here. No, we do not treat a renegotiation
1180 * as authenticating any earlier-received data. */
1182 SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
1183 }
1185 /** If this version of openssl supports it, turn off renegotiation on
1186 * <b>tls</b>. (Our protocol never requires this for security, but it's nice
1187 * to use belt-and-suspenders here.)
1188 */
1189 void
1191 {
1192 #ifdef SUPPORT_UNSAFE_RENEGOTIATION_FLAG
1194 #else
1196 #endif
1197 }
1199 /**
1200 * Tell the TLS library that the underlying socket for <b>tls</b> has been
1201 * closed, and the library should not attempt to free that socket itself.
1202 */
1203 void
1205 {
1215 }
1218 }
1219 }
1221 void
1223 {
1227 #ifdef SSL_set_tlsext_host_name
1229 #endif
1231 }
1233 /** Underlying function for TLS reading. Reads up to <b>len</b>
1234 * characters from <b>tls</b> into <b>cp</b>. On success, returns the
1235 * number of characters read. On failure, returns TOR_TLS_ERROR,
1236 * TOR_TLS_CLOSE, TOR_TLS_WANTREAD, or TOR_TLS_WANTWRITE.
1237 */
1240 {
1249 /* Renegotiation happened! */
1254 }
1256 }
1266 }
1267 }
1269 /** Total number of bytes that we've used TLS to send. Used to track TLS
1270 * overhead. */
1272 /** Total number of bytes that TLS has put on the network for us. Used to
1273 * track TLS overhead. */
1276 /** Underlying function for TLS writing. Write up to <b>n</b>
1277 * characters from <b>cp</b> onto <b>tls</b>. On success, returns the
1278 * number of characters written. On failure, returns TOR_TLS_ERROR,
1279 * TOR_TLS_WANTREAD, or TOR_TLS_WANTWRITE.
1280 */
1281 int
1283 {
1292 /* if WANTWRITE last time, we must use the _same_ n as before */
1298 }
1304 }
1307 }
1309 }
1311 /** Perform initial handshake on <b>tls</b>. When finished, returns
1312 * TOR_TLS_DONE. On failure, returns TOR_TLS_ERROR, TOR_TLS_WANTREAD,
1313 * or TOR_TLS_WANTWRITE.
1314 */
1315 int
1317 {
1335 }
1342 /* We need to call this here and not earlier, since OpenSSL has a penchant
1343 * for clearing its flags when you say accept or connect. */
1350 }
1354 }
1356 }
1358 /** Perform the final part of the initial TLS handshake on <b>tls</b>. This
1359 * should be called for the first handshake only: it determines whether the v1
1360 * or the v2 handshake was used, and adjusts things for the renegotiation
1361 * handshake as appropriate.
1362 *
1363 * tor_tls_handshake() calls this on its own; you only need to call this if
1364 * bufferevent is doing the handshake for you.
1365 */
1366 int
1368 {
1376 /* This check is redundant, but back when we did it in the callback,
1377 * we might have not been able to look up the tor_tls_t if the code
1378 * was buggy. Fixing that. */
1382 }
1388 }
1390 /* Client-side */
1392 /* XXXX this can move, probably? -NM */
1396 }
1397 }
1400 }
1402 /** Return true iff this TLS connection is authenticated.
1403 */
1404 int
1406 {
1414 }
1416 /** Return a newly allocated copy of the peer certificate, or NULL if there
1417 * isn't one. */
1420 {
1427 }
1429 /** Return a newly allocated copy of the cerficate we used on the connection,
1430 * or NULL if somehow we didn't use one. */
1433 {
1439 /* Fun inconsistency: SSL_get_peer_certificate increments the reference
1440 * count, but SSL_get_certificate does not. */
1445 }
1447 /** Helper function: try to extract a link certificate and an identity
1448 * certificate from <b>tls</b>, and store them in *<b>cert_out</b> and
1449 * *<b>id_cert_out</b> respectively. Log all messages at level
1450 * <b>severity</b>.
1451 *
1452 * Note that a reference is added both of the returned certificates. */
1456 {
1467 /* 1 means we're receiving (server-side), and it's just the id_cert.
1468 * 2 means we're connecting (client-side), and it's both the link
1469 * cert and the id_cert.
1470 */
1474 num_in_chain);
1476 }
1481 }
1483 }
1485 /** Return the number of bytes available for reading from <b>tls</b>.
1486 */
1487 int
1489 {
1492 }
1494 /** If <b>tls</b> requires that the next write be of a particular size,
1495 * return that size. Otherwise, return 0. */
1496 size_t
1498 {
1500 }
1502 /** Sets n_read and n_written to the number of bytes read and written,
1503 * respectively, on the raw socket used by <b>tls</b> since the last time this
1504 * function was called on <b>tls</b>. */
1505 void
1507 {
1511 /* We want the number of bytes actually for real written. Unfortunately,
1512 * sometimes OpenSSL replaces the wbio on tls->ssl with a buffering bio,
1513 * which makes the answer turn out wrong. Let's cope with that. Note
1514 * that this approach will fail if we ever replace tls->ssl's BIOs with
1515 * buffering bios for reasons of our own. As an alternative, we could
1516 * save the original BIO for tls->ssl in the tor_tls_t structure, but
1517 * that would be tempting fate. */
1519 #if OPENSSL_VERSION_NUMBER >= OPENSSL_VER(1,1,0,0,5)
1520 /* BIO structure is opaque as of OpenSSL 1.1.0-pre5-dev. Again, not
1521 * supposed to use this form of the version macro, but the OpenSSL developers
1522 * introduced major API changes in the pre-release stage.
1523 */
1533 /* We are ok with letting these unsigned ints go "negative" here:
1534 * If we wrapped around, this should still give us the right answer, unless
1535 * we wrapped around by more than ULONG_MAX since the last time we called
1536 * this function.
1537 */
1544 }
1548 }
1550 /** Return a ratio of the bytes that TLS has sent to the bytes that we've told
1551 * it to send. Used to track whether our TLS records are getting too tiny. */
1554 {
1560 }
1562 /** Implement check_no_tls_errors: If there are any pending OpenSSL
1563 * errors, log an error message. */
1564 void
1566 {
1572 }
1574 /** Return true iff the initial TLS connection at <b>tls</b> did not use a v2
1575 * TLS handshake. Output is undefined if the handshake isn't finished. */
1576 int
1578 {
1580 }
1582 /** Return true iff the server TLS connection <b>tls</b> got the renegotiation
1583 * request it was waiting for. */
1584 int
1586 {
1588 }
1590 #ifndef HAVE_SSL_GET_CLIENT_RANDOM
1591 static size_t
1593 {
1600 }
1603 #ifndef HAVE_SSL_GET_SERVER_RANDOM
1604 static size_t
1606 {
1613 }
1616 #ifndef HAVE_SSL_SESSION_GET_MASTER_KEY
1617 size_t
1619 {
1627 }
1630 /** Set the DIGEST256_LEN buffer at <b>secrets_out</b> to the value used in
1631 * the v3 handshake to prove that the client knows the TLS secrets for the
1632 * connection <b>tls</b>. Return 0 on success, -1 on failure.
1633 */
1636 {
1659 {
1662 }
1664 {
1667 server_random_len);
1669 }
1672 {
1675 }
1680 /*
1681 The value is an HMAC, using the TLS master key as the HMAC key, of
1682 client_random | server_random | TLSSECRET_MAGIC
1683 */
1686 master_key_len,
1693 }
1695 /** Using the RFC5705 key material exporting construction, and the
1696 * provided <b>context</b> (<b>context_len</b> bytes long) and
1697 * <b>label</b> (a NUL-terminated string), compute a 32-byte secret in
1698 * <b>secrets_out</b> that only the parties to this TLS session can
1699 * compute. Return 0 on success; -1 on failure; and -2 on failure
1700 * caused by OpenSSL bug 7712.
1701 */
1707 {
1719 }
1721 #ifdef TLS1_3_VERSION
1727 /* We might have run into OpenSSL issue 7712, which caused OpenSSL
1728 * 1.1.1a to not handle long labels. Let's test to see if we have.
1729 */
1733 /* A short label succeeds, but a long label fails. This was openssl
1734 * issue 7712. */
1737 "future connections. A fix is expected to appear in OpenSSL "
1739 }
1740 }
1743 else
1745 }
1749 }
1751 /** Examine the amount of memory used and available for buffers in <b>tls</b>.
1752 * Set *<b>rbuf_capacity</b> to the amount of storage allocated for the read
1753 * buffer and *<b>rbuf_bytes</b> to the amount actually used.
1754 * Set *<b>wbuf_capacity</b> to the amount of storage allocated for the write
1755 * buffer and *<b>wbuf_bytes</b> to the amount actually used.
1756 *
1757 * Return 0 on success, -1 on failure.*/
1758 int
1762 {
1763 #if OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,1,0)
1774 else
1778 else
1784 }
1786 /** Check whether the ECC group requested is supported by the current OpenSSL
1787 * library instance. Return 1 if the group is supported, and 0 if not.
1788 */
1789 int
1791 {
1802 else
1810 }