search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge branch 'tor-gitlab/mr/583' into maint-0.4.7
[tor.git] / src / lib / tls / x509_openssl.c
blob249c9c66882c98669a274cdc35fd5ec99d0a933e
1 /* Copyright (c) 2003, Roger Dingledine.
2 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
3 * Copyright (c) 2007-2021, The Tor Project, Inc. */
4 /* See LICENSE for licensing information */
5
6 /**
7 * \file x509_openssl.c
8 * \brief Wrapper functions to present a consistent interface to
9 * X.509 functions from OpenSSL.
10 **/
11
12 #define TOR_X509_PRIVATE
13 #include "lib/tls/x509.h"
14 #include "lib/tls/x509_internal.h"
15 #include "lib/tls/tortls.h"
16 #include "lib/crypt_ops/crypto_rand.h"
17 #include "lib/crypt_ops/crypto_util.h"
18 #include "lib/crypt_ops/compat_openssl.h"
19
20 /* Some versions of OpenSSL declare SSL_get_selected_srtp_profile twice in
21 * srtp.h. Suppress the GCC warning so we can build with -Wredundant-decl. */
22 DISABLE_GCC_WARNING("-Wredundant-decls")
23
24 #include <openssl/opensslv.h>
25
26 #ifdef OPENSSL_NO_EC
27 #error "We require OpenSSL with ECC support"
28 #endif
29
30 #include <openssl/err.h>
31 #include <openssl/asn1.h>
32 #include <openssl/bio.h>
33 #include <openssl/bn.h>
34 #include <openssl/evp.h>
35 #include <openssl/objects.h>
36 #include <openssl/rsa.h>
37 #include <openssl/x509.h>
38
39 ENABLE_GCC_WARNING("-Wredundant-decls")
40
41 #include "lib/log/log.h"
42 #include "lib/log/util_bug.h"
43 #include "lib/ctime/di_ops.h"
44 #include "lib/encoding/time_fmt.h"
45
46 #include <stdlib.h>
47 #include <string.h>
48
49 #ifdef OPENSSL_1_1_API
50 #define X509_get_notBefore_const(cert) \
51 X509_get0_notBefore(cert)
52 #define X509_get_notAfter_const(cert) \
53 X509_get0_notAfter(cert)
54 #ifndef X509_get_notBefore
55 #define X509_get_notBefore(cert) \
56 X509_getm_notBefore(cert)
57 #endif
58 #ifndef X509_get_notAfter
59 #define X509_get_notAfter(cert) \
60 X509_getm_notAfter(cert)
61 #endif
62 #else /* !defined(OPENSSL_1_1_API) */
63 #define X509_get_notBefore_const(cert) \
64 ((const ASN1_TIME*) X509_get_notBefore((X509 *)cert))
65 #define X509_get_notAfter_const(cert) \
66 ((const ASN1_TIME*) X509_get_notAfter((X509 *)cert))
67 #endif /* defined(OPENSSL_1_1_API) */
68
69 /** Return a newly allocated X509 name with commonName <b>cname</b>. */
70 static X509_NAME *
71 tor_x509_name_new(const char *cname)
72 {
73 int nid;
74 X509_NAME *name;
75 /* LCOV_EXCL_BR_START : these branches will only fail on OOM errors */
76 if (!(name = X509_NAME_new()))
77 return NULL;
78 if ((nid = OBJ_txt2nid("commonName")) == NID_undef) goto error;
79 if (!(X509_NAME_add_entry_by_NID(name, nid, MBSTRING_ASC,
80 (unsigned char*)cname, -1, -1, 0)))
81 goto error;
82 /* LCOV_EXCL_BR_STOP */
83 return name;
84
85 /* LCOV_EXCL_START : these lines will only execute on out of memory errors*/
86 error:
87 X509_NAME_free(name);
88 return NULL;
89 /* LCOV_EXCL_STOP */
90 }
91
92 /** Generate and sign an X509 certificate with the public key <b>rsa</b>,
93 * signed by the private key <b>rsa_sign</b>. The commonName of the
94 * certificate will be <b>cname</b>; the commonName of the issuer will be
95 * <b>cname_sign</b>. The cert will be valid for <b>cert_lifetime</b>
96 * seconds, starting from some time in the past.
97 *
98 * Return a certificate on success, NULL on failure.
99 */
100 MOCK_IMPL(X509 *,
101 tor_tls_create_certificate,(crypto_pk_t *rsa,
102 crypto_pk_t *rsa_sign,
103 const char *cname,
104 const char *cname_sign,
105 unsigned int cert_lifetime))
106 {
107 /* OpenSSL generates self-signed certificates with random 64-bit serial
108 * numbers, so let's do that too. */
109 #define SERIAL_NUMBER_SIZE 8
110
111 time_t start_time, end_time;
112 BIGNUM *serial_number = NULL;
113 unsigned char serial_tmp[SERIAL_NUMBER_SIZE];
114 EVP_PKEY *sign_pkey = NULL, *pkey=NULL;
115 X509 *x509 = NULL;
116 X509_NAME *name = NULL, *name_issuer=NULL;
117
118 tor_tls_init();
119
120 time_t now = time(NULL);
121
122 tor_tls_pick_certificate_lifetime(now, cert_lifetime,
123 &start_time, &end_time);
124
125 tor_assert(rsa);
126 tor_assert(cname);
127 tor_assert(rsa_sign);
128 tor_assert(cname_sign);
129 if (!(sign_pkey = crypto_pk_get_openssl_evp_pkey_(rsa_sign,1)))
130 goto error;
131 if (!(pkey = crypto_pk_get_openssl_evp_pkey_(rsa,0)))
132 goto error;
133 if (!(x509 = X509_new()))
134 goto error;
135 if (!(X509_set_version(x509, 2)))
136 goto error;
137
138 { /* our serial number is 8 random bytes. */
139 crypto_rand((char *)serial_tmp, sizeof(serial_tmp));
140 if (!(serial_number = BN_bin2bn(serial_tmp, sizeof(serial_tmp), NULL)))
141 goto error;
142 if (!(BN_to_ASN1_INTEGER(serial_number, X509_get_serialNumber(x509))))
143 goto error;
144 }
145
146 if (!(name = tor_x509_name_new(cname)))
147 goto error;
148 if (!(X509_set_subject_name(x509, name)))
149 goto error;
150 if (!(name_issuer = tor_x509_name_new(cname_sign)))
151 goto error;
152 if (!(X509_set_issuer_name(x509, name_issuer)))
153 goto error;
154
155 if (!X509_time_adj(X509_get_notBefore(x509),0,&start_time))
156 goto error;
157 if (!X509_time_adj(X509_get_notAfter(x509),0,&end_time))
158 goto error;
159 if (!X509_set_pubkey(x509, pkey))
160 goto error;
161
162 if (!X509_sign(x509, sign_pkey, EVP_sha256()))
163 goto error;
164
165 goto done;
166 error:
167 if (x509) {
168 X509_free(x509);
169 x509 = NULL;
170 }
171 done:
172 tls_log_errors(NULL, LOG_WARN, LD_NET, "generating certificate");
173 if (sign_pkey)
174 EVP_PKEY_free(sign_pkey);
175 if (pkey)
176 EVP_PKEY_free(pkey);
177 if (serial_number)
178 BN_clear_free(serial_number);
179 if (name)
180 X509_NAME_free(name);
181 if (name_issuer)
182 X509_NAME_free(name_issuer);
183 return x509;
184
185 #undef SERIAL_NUMBER_SIZE
186 }
187
188 /** Set the 'encoded' and 'encoded_len' fields of "cert" from cert->cert. */
189 int
190 tor_x509_cert_set_cached_der_encoding(tor_x509_cert_t *cert)
191 {
192 unsigned char *buf = NULL;
193 int length = i2d_X509(cert->cert, &buf);
194
195 if (length <= 0 || buf == NULL) {
196 return -1;
197 }
198 cert->encoded_len = (size_t) length;
199 cert->encoded = tor_malloc(length);
200 memcpy(cert->encoded, buf, length);
201 OPENSSL_free(buf);
202 return 0;
203 }
204
205 void
206 tor_x509_cert_impl_free_(tor_x509_cert_impl_t *cert)
207 {
208 if (cert)
209 X509_free(cert);
210 }
211
212 tor_x509_cert_impl_t *
213 tor_x509_cert_impl_dup_(tor_x509_cert_impl_t *cert)
214 {
215 if (cert)
216 return X509_dup(cert);
217 else
218 return NULL;
219 }
220
221 /** Set *<b>encoded_out</b> and *<b>size_out</b> to <b>cert</b>'s encoded DER
222 * representation and length, respectively. */
223 void
224 tor_x509_cert_get_der(const tor_x509_cert_t *cert,
225 const uint8_t **encoded_out, size_t *size_out)
226 {
227 tor_assert(cert);
228 tor_assert(encoded_out);
229 tor_assert(size_out);
230 *encoded_out = cert->encoded;
231 *size_out = cert->encoded_len;
232 }
233
234 /** Read a DER-encoded X509 cert, of length exactly <b>certificate_len</b>,
235 * from a <b>certificate</b>. Return a newly allocated tor_x509_cert_t on
236 * success and NULL on failure. */
237 tor_x509_cert_t *
238 tor_x509_cert_decode(const uint8_t *certificate, size_t certificate_len)
239 {
240 X509 *x509;
241 const unsigned char *cp = (const unsigned char *)certificate;
242 tor_x509_cert_t *newcert;
243 tor_assert(certificate);
244 check_no_tls_errors();
245
246 if (certificate_len > INT_MAX)
247 goto err;
248
249 x509 = d2i_X509(NULL, &cp, (int)certificate_len);
250
251 if (!x509)
252 goto err; /* Couldn't decode */
253 if (cp - certificate != (int)certificate_len) {
254 X509_free(x509);
255 goto err; /* Didn't use all the bytes */
256 }
257 newcert = tor_x509_cert_new(x509);
258 if (!newcert) {
259 goto err;
260 }
261 if (newcert->encoded_len != certificate_len ||
262 fast_memneq(newcert->encoded, certificate, certificate_len)) {
263 /* Cert wasn't in DER */
264 tor_x509_cert_free(newcert);
265 goto err;
266 }
267 return newcert;
268 err:
269 tls_log_errors(NULL, LOG_INFO, LD_CRYPTO, "decoding a certificate");
270 return NULL;
271 }
272
273 /**
274 * Return a newly allocated copy of the public key that a certificate
275 * certifies. Watch out! This returns NULL if the cert's key is not RSA.
276 */
277 crypto_pk_t *
278 tor_tls_cert_get_key(tor_x509_cert_t *cert)
279 {
280 crypto_pk_t *result = NULL;
281 EVP_PKEY *pkey = X509_get_pubkey(cert->cert);
282 RSA *rsa;
283 if (!pkey)
284 return NULL;
285 rsa = EVP_PKEY_get1_RSA(pkey);
286 if (!rsa) {
287 EVP_PKEY_free(pkey);
288 return NULL;
289 }
290 result = crypto_new_pk_from_openssl_rsa_(rsa);
291 EVP_PKEY_free(pkey);
292 return result;
293 }
294
295 /** Check whether <b>cert</b> is well-formed, currently live, and correctly
296 * signed by the public key in <b>signing_cert</b>. If <b>check_rsa_1024</b>,
297 * make sure that it has an RSA key with 1024 bits; otherwise, just check that
298 * the key is long enough. Return 1 if the cert is good, and 0 if it's bad or
299 * we couldn't check it. */
300 int
301 tor_tls_cert_is_valid(int severity,
302 const tor_x509_cert_t *cert,
303 const tor_x509_cert_t *signing_cert,
304 time_t now,
305 int check_rsa_1024)
306 {
307 check_no_tls_errors();
308 EVP_PKEY *cert_key;
309 int r, key_ok = 0;
310
311 if (!signing_cert || !cert)
312 goto bad;
313
314 EVP_PKEY *signing_key = X509_get_pubkey(signing_cert->cert);
315 if (!signing_key)
316 goto bad;
317 r = X509_verify(cert->cert, signing_key);
318 EVP_PKEY_free(signing_key);
319 if (r <= 0)
320 goto bad;
321
322 /* okay, the signature checked out right. Now let's check the check the
323 * lifetime. */
324 if (tor_x509_check_cert_lifetime_internal(severity, cert->cert, now,
325 TOR_X509_PAST_SLOP,
326 TOR_X509_FUTURE_SLOP) < 0)
327 goto bad;
328
329 cert_key = X509_get_pubkey(cert->cert);
330 if (check_rsa_1024 && cert_key) {
331 RSA *rsa = EVP_PKEY_get1_RSA(cert_key);
332 #ifdef OPENSSL_1_1_API
333 if (rsa && RSA_bits(rsa) == 1024) {
334 #else
335 if (rsa && BN_num_bits(rsa->n) == 1024) {
336 #endif
337 key_ok = 1;
338 } else {
339 log_fn(severity, LD_CRYPTO, "Invalid certificate: Key is not RSA1024.");
340 }
341
342 if (rsa)
343 RSA_free(rsa);
344 } else if (cert_key) {
345 int min_bits = 1024;
346 #ifdef EVP_PKEY_EC
347 if (EVP_PKEY_base_id(cert_key) == EVP_PKEY_EC)
348 min_bits = 128;
349 #endif
350 if (EVP_PKEY_bits(cert_key) >= min_bits)
351 key_ok = 1;
352 }
353 EVP_PKEY_free(cert_key);
354 if (!key_ok)
355 goto bad;
356
357 /* XXXX compare DNs or anything? */
358
359 return 1;
360 bad:
361 tls_log_errors(NULL, LOG_INFO, LD_CRYPTO, "checking a certificate");
362 return 0;
363 }
364
365 /** Warn that a certificate lifetime extends through a certain range. */
366 static void
367 log_cert_lifetime(int severity, const X509 *cert, const char *problem,
368 time_t now)
369 {
370 BIO *bio = NULL;
371 BUF_MEM *buf;
372 char *s1=NULL, *s2=NULL;
373 char mytime[33];
374 struct tm tm;
375 size_t n;
376
377 if (problem)
378 tor_log(severity, LD_GENERAL,
379 "Certificate %s. Either their clock is set wrong, or your clock "
380 "is wrong.",
381 problem);
382
383 if (!(bio = BIO_new(BIO_s_mem()))) {
384 log_warn(LD_GENERAL, "Couldn't allocate BIO!"); goto end;
385 }
386 if (!(ASN1_TIME_print(bio, X509_get_notBefore_const(cert)))) {
387 tls_log_errors(NULL, LOG_WARN, LD_NET, "printing certificate lifetime");
388 goto end;
389 }
390 BIO_get_mem_ptr(bio, &buf);
391 s1 = tor_strndup(buf->data, buf->length);
392
393 (void)BIO_reset(bio);
394 if (!(ASN1_TIME_print(bio, X509_get_notAfter_const(cert)))) {
395 tls_log_errors(NULL, LOG_WARN, LD_NET, "printing certificate lifetime");
396 goto end;
397 }
398 BIO_get_mem_ptr(bio, &buf);
399 s2 = tor_strndup(buf->data, buf->length);
400
401 n = strftime(mytime, 32, "%b %d %H:%M:%S %Y UTC", tor_gmtime_r(&now, &tm));
402 if (n > 0) {
403 tor_log(severity, LD_GENERAL,
404 "(certificate lifetime runs from %s through %s. Your time is %s.)",
405 s1,s2,mytime);
406 } else {
407 tor_log(severity, LD_GENERAL,
408 "(certificate lifetime runs from %s through %s. "
409 "Couldn't get your time.)",
410 s1, s2);
411 }
412
413 end:
414 /* Not expected to get invoked */
415 tls_log_errors(NULL, LOG_WARN, LD_NET, "getting certificate lifetime");
416 if (bio)
417 BIO_free(bio);
418 tor_free(s1);
419 tor_free(s2);
420 }
421
422 /** Helper: check whether <b>cert</b> is expired give or take
423 * <b>past_tolerance</b> seconds, or not-yet-valid give or take
424 * <b>future_tolerance</b> seconds. (Relative to the current time
425 * <b>now</b>.) If it is live, return 0. If it is not live, log a message
426 * and return -1. */
427 int
428 tor_x509_check_cert_lifetime_internal(int severity, const X509 *cert,
429 time_t now,
430 int past_tolerance, int future_tolerance)
431 {
432 time_t t;
433
434 t = now + future_tolerance;
435 if (X509_cmp_time(X509_get_notBefore_const(cert), &t) > 0) {
436 log_cert_lifetime(severity, cert, "not yet valid", now);
437 return -1;
438 }
439 t = now - past_tolerance;
440 if (X509_cmp_time(X509_get_notAfter_const(cert), &t) < 0) {
441 log_cert_lifetime(severity, cert, "already expired", now);
442 return -1;
443 }
444
445 return 0;
446 }
447
448 #ifdef TOR_UNIT_TESTS
449 /* Testing only: return a new x509 cert with the same contents as <b>inp</b>,
450 but with the expiration time <b>new_expiration_time</b>, signed with
451 <b>signing_key</b>. */
452 STATIC tor_x509_cert_t *
453 tor_x509_cert_replace_expiration(const tor_x509_cert_t *inp,
454 time_t new_expiration_time,
455 crypto_pk_t *signing_key)
456 {
457 X509 *newc = X509_dup(inp->cert);
458 X509_time_adj(X509_get_notAfter(newc), 0, &new_expiration_time);
459 EVP_PKEY *pk = crypto_pk_get_openssl_evp_pkey_(signing_key, 1);
460 tor_assert(X509_sign(newc, pk, EVP_sha256()));
461 EVP_PKEY_free(pk);
462 return tor_x509_cert_new(newc);
463 }
464 #endif /* defined(TOR_UNIT_TESTS) */
The Onion Router