| blob | 8ad0f2f310eda2bd0705aa708ca4147c862b18e5 |
1 /* Copyright (c) 2003, Roger Dingledine.
2 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
3 * Copyright (c) 2007-2011, The Tor Project, Inc. */
4 /* See LICENSE for licensing information */
6 /**
7 * \file tortls.c
8 * \brief Wrapper functions to present a consistent interface to
9 * TLS, SSL, and X.509 functions from OpenSSL.
10 **/
12 /* (Unlike other tor functions, these
13 * are prefixed with tor_ in order to avoid conflicting with OpenSSL
14 * functions and variables.)
15 */
19 #if defined (WINCE)
20 #include <WinSock2.h>
21 #endif
23 #include <assert.h>
25 #define WIN32_WINNT 0x400
26 #define _WIN32_WINNT 0x400
27 #define WIN32_LEAN_AND_MEAN
28 #if defined(_MSC_VER) && (_MSC_VER < 1300)
29 #include <winsock.h>
30 #else
31 #include <winsock2.h>
32 #include <ws2tcpip.h>
33 #endif
34 #endif
35 #include <openssl/ssl.h>
36 #include <openssl/ssl3.h>
37 #include <openssl/err.h>
38 #include <openssl/tls1.h>
39 #include <openssl/asn1.h>
40 #include <openssl/bio.h>
41 #include <openssl/opensslv.h>
43 #if OPENSSL_VERSION_NUMBER < 0x00907000l
45 #endif
55 #include <string.h>
57 /* Enable the "v2" TLS handshake.
58 */
59 #define V2_HANDSHAKE_SERVER
60 #define V2_HANDSHAKE_CLIENT
62 /* Copied from or.h */
63 #define LEGAL_NICKNAME_CHARACTERS \
64 "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
66 /** How long do identity certificates live? (sec) */
67 #define IDENTITY_CERT_LIFETIME (365*24*60*60)
71 /* We redefine these so that we can run correctly even if the vendor gives us
72 * a version of OpenSSL that does not match its header files. (Apple: I am
73 * looking at you.)
74 */
75 #ifndef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
76 #define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0x00040000L
77 #endif
78 #ifndef SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
79 #define SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0x0010
80 #endif
82 /** Does the run-time openssl version look like we need
83 * SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION? */
85 /** Does the run-time openssl version look like we need
86 * SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION? */
89 /** Holds a SSL_CTX object and related state used to configure TLS
90 * connections.
91 */
100 /** Holds a SSL object and its associated data. Members are only
101 * accessed from within tortls.c.
102 */
113 * completed successfully. */
116 * this connection used the updated version
117 * of the connection protocol (client sends
118 * different cipher list, server sends only
119 * one certificate). */
120 /** True iff we should call negotiated_callback when we're done reading. */
123 * time. */
124 /** Last values retrieved from BIO_number_read()/write(); see
125 * tor_tls_get_n_raw_bytes() for usage.
126 */
129 /** If set, a callback to invoke whenever the client tries to renegotiate
130 * the handshake. */
132 /** Argument to pass to negotiated_callback. */
134 };
136 #ifdef V2_HANDSHAKE_CLIENT
137 /** An array of fake SSL_CIPHER objects that we use in order to trick OpenSSL
138 * in client mode into advertising the ciphers we want. See
139 * rectify_client_ciphers() for details. */
141 /** A stack of SSL_CIPHER objects, some real, some fake.
142 * See rectify_client_ciphers() for details. */
144 #endif
146 /** Helper: compare tor_tls_t objects by its SSL. */
149 {
151 }
153 /** Helper: return a hash value for a tor_tls_t by its SSL. */
156 {
157 #if SIZEOF_INT == SIZEOF_VOID_P
159 #else
161 #endif
162 }
164 /** Map from SSL* pointers to tor_tls_t objects using those pointers.
165 */
169 tor_tls_entries_eq)
173 /** Helper: given a SSL* pointer, return the tor_tls_t object using that
174 * pointer. */
177 {
183 }
199 /** Global TLS contexts. We keep them here because nobody else needs
200 * to touch them. */
203 /** True iff tor_tls_init() has been called. */
206 /* Module-internal error codes. */
207 #define _TOR_TLS_SYSCALL (_MIN_TOR_TLS_ERROR_VAL - 2)
208 #define _TOR_TLS_ZERORETURN (_MIN_TOR_TLS_ERROR_VAL - 1)
212 /** Return the symbolic name of an OpenSSL state. */
215 {
221 }
224 }
226 /** Log all pending tls errors at level <b>severity</b>. Use
227 * <b>doing</b> to describe our current activities.
228 */
229 static void
231 {
255 }
256 }
257 }
259 /** Convert an errno (or a WSAerrno on windows) into a TOR_TLS_* error
260 * code. */
261 static int
263 {
264 #if defined(MS_WINDOWS)
277 }
278 #else
291 }
292 #endif
293 }
295 /** Given a TOR_TLS_* error code, return a string equivalent. */
298 {
312 }
313 }
315 #define CATCH_SYSCALL 1
316 #define CATCH_ZERO 2
318 /** Given a TLS object and the result of an SSL_* call, use
319 * SSL_get_error to determine whether an error has occurred, and if so
320 * which one. Return one of TOR_TLS_{DONE|WANTREAD|WANTWRITE|ERROR}.
321 * If extra&CATCH_SYSCALL is true, return _TOR_TLS_SYSCALL instead of
322 * reporting syscall errors. If extra&CATCH_ZERO is true, return
323 * _TOR_TLS_ZERORETURN instead of reporting zero-return errors.
324 *
325 * If an error has occurred, log it at level <b>severity</b> and describe the
326 * current action as <b>doing</b>.
327 */
328 static int
331 {
355 }
368 }
369 }
371 /** Initialize OpenSSL, unless it has already been initialized.
372 */
373 static void
375 {
383 /* OpenSSL 0.9.8l introduced SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
384 * here, but without thinking too hard about it: it turns out that the
385 * flag in question needed to be set at the last minute, and that it
386 * conflicted with an existing flag number that had already been added
387 * in the OpenSSL 1.0.0 betas. OpenSSL 0.9.8m thoughtfully replaced
388 * the flag with an option and (it seems) broke anything that used
389 * SSL3_FLAGS_* for the purpose. So we need to know how to do both,
390 * and we mustn't use the SSL3_FLAGS option with anything besides
391 * OpenSSL 0.9.8l.
392 *
393 * No, we can't just set flag 0x0010 everywhere. It breaks Tor with
394 * OpenSSL 1.0.0beta3 and later. On the other hand, we might be able to
395 * set option 0x00040000L everywhere.
396 *
397 * No, we can't simply detect whether the flag or the option is present
398 * in the headers at build-time: some vendors (notably Apple) like to
399 * leave their headers out of sync with their libraries.
400 *
401 * Yes, it _is_ almost as if the OpenSSL developers decided that no
402 * program should be allowed to use renegotiation unless it first passed
403 * a test of intelligence and determination.
404 */
418 "0.9.8l, but some vendors have backported 0.9.8l's "
419 "renegotiation code to earlier versions, and some have "
420 "backported the code from 0.9.8m or 0.9.8n. I'll set both "
428 }
431 }
432 }
434 /** Free all global TLS structures. */
435 void
437 {
442 }
447 }
450 }
452 #ifdef V2_HANDSHAKE_CLIENT
457 #endif
458 }
460 /** We need to give OpenSSL a callback to verify certificates. This is
461 * it: We always accept peer certs and complete the handshake. We
462 * don't validate them until later.
463 */
464 static int
467 {
471 }
473 /** Return a newly allocated X509 name with commonName <b>cname</b>. */
476 {
486 error:
489 }
491 /** Generate and sign an X509 certificate with the public key <b>rsa</b>,
492 * signed by the private key <b>rsa_sign</b>. The commonName of the
493 * certificate will be <b>cname</b>; the commonName of the issuer will be
494 * <b>cname_sign</b>. The cert will be valid for <b>cert_lifetime</b> seconds
495 * starting from now. Return a certificate on success, NULL on
496 * failure.
497 */
504 {
549 error:
553 }
554 done:
565 }
567 /** List of ciphers that servers should select from.*/
568 #define SERVER_CIPHER_LIST \
571 SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA)
572 /* Note: to set up your own private testing network with link crypto
573 * disabled, set your Tors' cipher list to
574 * (SSL3_TXT_RSA_NULL_SHA). If you do this, you won't be able to communicate
575 * with any of the "real" Tors, though. */
577 #ifdef V2_HANDSHAKE_CLIENT
579 #define XCIPHER(id, name)
580 /** List of ciphers that clients should advertise, omitting items that
581 * our OpenSSL doesn't know about. */
584 ;
585 #undef CIPHER
586 #undef XCIPHER
588 /** Holds a cipher that we want to advertise, and its 2-byte ID. */
590 /** A list of all the ciphers that clients should advertise, including items
591 * that OpenSSL might not know about. */
593 #define CIPHER(id, name) { id, name },
594 #define XCIPHER(id, name) { id, #name },
596 #undef CIPHER
597 #undef XCIPHER
598 };
600 /** The length of CLIENT_CIPHER_INFO_LIST and CLIENT_CIPHER_DUMMIES. */
603 #endif
605 #ifndef V2_HANDSHAKE_CLIENT
606 #undef CLIENT_CIPHER_LIST
608 SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA)
609 #endif
611 /** Remove a reference to <b>ctx</b>, and free it if it has no more
612 * references. */
613 static void
615 {
623 }
624 }
626 /** Increase the reference count of <b>ctx</b>. */
627 static void
629 {
631 }
633 /** Create new global client and server TLS contexts.
634 *
635 * If <b>server_identity</b> is NULL, this will not generate a server
636 * TLS context. If <b>is_public_server</b> is non-zero, this will use
637 * the same TLS context for incoming and outgoing connections, and
638 * ignore <b>client_identity</b>. */
639 int
644 {
655 server_identity,
656 key_lifetime);
666 }
667 }
671 server_identity,
672 key_lifetime);
679 }
680 }
683 client_identity,
684 key_lifetime);
685 }
688 }
690 /** Create a new global TLS context.
691 *
692 * You can call this function multiple times. Each time you call it,
693 * it generates new certificates; all new connections will use
694 * the new SSL context.
695 */
696 static int
700 {
702 key_lifetime);
708 /* Free the old context if one existed. */
710 /* This is safe even if there are open connections: we reference-
711 * count tor_tls_context_t objects. */
713 }
714 }
717 }
719 /** Create a new TLS context for use with Tor TLS handshakes.
720 * <b>identity</b> should be set to the identity key used to sign the
721 * certificate.
722 */
725 {
736 /* Generate short-term RSA key. */
741 /* Create certificate signed by identity key. */
743 key_lifetime);
744 /* Create self-signed certificate for identity key. */
746 IDENTITY_CERT_LIFETIME);
750 }
758 #ifdef EVERYONE_HAS_AES
759 /* Tell OpenSSL to only use TLS1 */
762 #else
763 /* Tell OpenSSL to use SSL3 or TLS1 but not SSL2. */
767 #endif
770 #ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
772 SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
773 #endif
774 /* Yes, we know what we are doing here. No, we do not treat a renegotiation
775 * as authenticating any earlier-received data.
776 */
779 SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
780 }
781 /* Don't actually allow compression; it uses ram and time, but the data
782 * we transmit is all encrypted anyway. */
785 #ifdef SSL_MODE_RELEASE_BUFFERS
787 #endif
798 }
809 {
813 }
815 always_accept_verify_cb);
816 /* let us realloc bufs that we're writing from */
825 error:
840 }
842 #ifdef V2_HANDSHAKE_SERVER
843 /** Return true iff the cipher list suggested by the client for <b>ssl</b> is
844 * a list that indicates that the client knows how to do the v2 TLS connection
845 * handshake. */
846 static int
848 {
851 /* If we reached this point, we just got a client hello. See if there is
852 * a cipher list. */
856 }
860 }
861 /* Now we need to see if there are any ciphers whose presence means we're
862 * dealing with an updated Tor. */
871 // return 1;
873 }
874 }
876 dump_list:
877 {
884 }
890 }
892 }
894 /** Invoked when we're accepting a connection on <b>ssl</b>, and the connection
895 * changes state. We use this:
896 * <ul><li>To alter the state of the handshake partway through, so we
897 * do not send or request extra certificates in v2 handshakes.</li>
898 * <li>To detect renegotiation</li></ul>
899 */
900 static void
902 {
912 /* Check whether we're watching for renegotiates. If so, this is one! */
917 }
919 /* Now check the cipher list. */
921 /*XXXX_TLS keep this from happening more than once! */
923 /* Yes, we're casting away the const from ssl. This is very naughty of us.
924 * Let's hope openssl doesn't notice! */
926 /* Set SSL_MODE_NO_AUTO_CHAIN to keep from sending back any extra certs. */
928 /* Don't send a hello request. */
935 }
936 }
937 }
938 #endif
940 /** Replace *<b>ciphers</b> with a new list of SSL ciphersuites: specifically,
941 * a list designed to mimic a common web browser. Some of the ciphers in the
942 * list won't actually be implemented by OpenSSL: that's okay so long as the
943 * server doesn't select them, and the server won't select anything besides
944 * what's in SERVER_CIPHER_LIST.
945 *
946 * [If the server <b>does</b> select a bogus cipher, we won't crash or
947 * anything; we'll just fail later when we try to look up the cipher in
948 * ssl->cipher_list_by_id.]
949 */
950 static void
952 {
953 #ifdef V2_HANDSHAKE_CLIENT
955 /* We need to set CLIENT_CIPHER_STACK to an array of the ciphers
956 * we want.*/
959 /* First, create a dummy SSL_CIPHER for every cipher. */
960 CLIENT_CIPHER_DUMMIES =
966 }
975 }
977 /* Then copy as many ciphers as we can from the good list, inserting
978 * dummies as needed. */
997 }
998 }
999 }
1005 #else
1007 #endif
1008 }
1010 /** Create a new TLS object from a file descriptor, and a flag to
1011 * determine whether it is functioning as a server.
1012 */
1013 tor_tls_t *
1015 {
1019 client_tls_context;
1026 }
1028 #ifdef SSL_set_tlsext_host_name
1029 /* Browsers use the TLS hostname extension, so we should too. */
1034 }
1035 #endif
1040 #ifdef SSL_set_tlsext_host_name
1042 #endif
1046 }
1053 #ifdef SSL_set_tlsext_host_name
1055 #endif
1059 }
1072 }
1073 #ifdef V2_HANDSHAKE_SERVER
1076 }
1077 #endif
1079 /* Not expected to get called. */
1082 }
1084 /** Make future log messages about <b>tls</b> display the address
1085 * <b>address</b>.
1086 */
1087 void
1089 {
1093 }
1095 /** Set <b>cb</b> to be called with argument <b>arg</b> whenever <b>tls</b>
1096 * next gets a client-side renegotiate in the middle of a read. Do not
1097 * invoke this function until <em>after</em> initial handshaking is done!
1098 */
1099 void
1103 {
1107 #ifdef V2_HANDSHAKE_SERVER
1112 }
1113 #endif
1114 }
1116 /** If this version of openssl requires it, turn on renegotiation on
1117 * <b>tls</b>.
1118 */
1119 static void
1121 {
1122 /* Yes, we know what we are doing here. No, we do not treat a renegotiation
1123 * as authenticating any earlier-received data. */
1126 }
1129 SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
1130 }
1131 }
1133 /** If this version of openssl supports it, turn off renegotiation on
1134 * <b>tls</b>. (Our protocol never requires this for security, but it's nice
1135 * to use belt-and-suspenders here.)
1136 */
1137 void
1139 {
1141 }
1143 /** Return whether this tls initiated the connect (client) or
1144 * received it (server). */
1145 int
1147 {
1150 }
1152 /** Release resources associated with a TLS object. Does not close the
1153 * underlying file descriptor.
1154 */
1155 void
1157 {
1165 }
1166 #ifdef SSL_set_tlsext_host_name
1168 #endif
1176 }
1178 /** Underlying function for TLS reading. Reads up to <b>len</b>
1179 * characters from <b>tls</b> into <b>cp</b>. On success, returns the
1180 * number of characters read. On failure, returns TOR_TLS_ERROR,
1181 * TOR_TLS_CLOSE, TOR_TLS_WANTREAD, or TOR_TLS_WANTWRITE.
1182 */
1183 int
1185 {
1193 #ifdef V2_HANDSHAKE_SERVER
1195 /* Renegotiation happened! */
1200 }
1201 #endif
1203 }
1213 }
1214 }
1216 /** Underlying function for TLS writing. Write up to <b>n</b>
1217 * characters from <b>cp</b> onto <b>tls</b>. On success, returns the
1218 * number of characters written. On failure, returns TOR_TLS_ERROR,
1219 * TOR_TLS_WANTREAD, or TOR_TLS_WANTWRITE.
1220 */
1221 int
1223 {
1232 /* if WANTWRITE last time, we must use the _same_ n as before */
1238 }
1243 }
1246 }
1248 }
1250 /** Perform initial handshake on <b>tls</b>. When finished, returns
1251 * TOR_TLS_DONE. On failure, returns TOR_TLS_ERROR, TOR_TLS_WANTREAD,
1252 * or TOR_TLS_WANTWRITE.
1253 */
1254 int
1256 {
1272 }
1276 /* We need to call this here and not earlier, since OpenSSL has a penchant
1277 * for clearing its flags when you say accept or connect. */
1284 }
1290 /* There doesn't seem to be a clear OpenSSL API to clear mode flags. */
1292 #ifdef V2_HANDSHAKE_SERVER
1294 /* This check is redundant, but back when we did it in the callback,
1295 * we might have not been able to look up the tor_tls_t if the code
1296 * was buggy. Fixing that. */
1300 }
1303 "Completed V2 TLS handshake with client; waiting "
1307 }
1308 #endif
1310 #ifdef V2_HANDSHAKE_CLIENT
1311 /* If we got no ID cert, we're a v2 handshake. */
1321 "Server sent back a single certificate; looks like "
1324 }
1327 #endif
1331 }
1332 }
1333 }
1335 }
1337 /** Client only: Renegotiate a TLS session. When finished, returns
1338 * TOR_TLS_DONE. On failure, returns TOR_TLS_ERROR, TOR_TLS_WANTREAD, or
1339 * TOR_TLS_WANTWRITE.
1340 */
1341 int
1343 {
1346 /* We could do server-initiated renegotiation too, but that would be tricky.
1347 * Instead of "SSL_renegotiate, then SSL_do_handshake until done" */
1353 LD_HANDSHAKE);
1354 }
1356 }
1363 LD_HANDSHAKE);
1364 }
1366 /** Shut down an open tls connection <b>tls</b>. When finished, returns
1367 * TOR_TLS_DONE. On failure, returns TOR_TLS_ERROR, TOR_TLS_WANTREAD,
1368 * or TOR_TLS_WANTWRITE.
1369 */
1370 int
1372 {
1380 /* If we've already called shutdown once to send a close message,
1381 * we read until the other side has closed too.
1382 */
1390 /* fall through... */
1393 }
1394 }
1398 /* If shutdown returns 1, the connection is entirely closed. */
1401 }
1405 /* The underlying TCP connection closed while we were shutting down. */
1409 /* The TLS connection says that it sent a shutdown record, but
1410 * isn't done shutting down yet. Make sure that this hasn't
1411 * happened before, then go back to the start of the function
1412 * and try to read.
1413 */
1419 }
1421 /* fall through ... */
1424 }
1426 }
1428 /** Return true iff this TLS connection is authenticated.
1429 */
1430 int
1432 {
1440 }
1442 /** Warn that a certificate lifetime extends through a certain range. */
1443 static void
1445 {
1456 problem);
1460 }
1464 }
1472 }
1482 end:
1483 /* Not expected to get invoked */
1489 }
1491 /** Helper function: try to extract a link certificate and an identity
1492 * certificate from <b>tls</b>, and store them in *<b>cert_out</b> and
1493 * *<b>id_cert_out</b> respectively. Log all messages at level
1494 * <b>severity</b>.
1495 *
1496 * Note that a reference is added to cert_out, so it needs to be
1497 * freed. id_cert_out doesn't. */
1498 static void
1501 {
1513 /* 1 means we're receiving (server-side), and it's just the id_cert.
1514 * 2 means we're connecting (client-side), and it's both the link
1515 * cert and the id_cert.
1516 */
1520 num_in_chain);
1522 }
1527 }
1529 }
1531 /** If the provided tls connection is authenticated and has a
1532 * certificate chain that is currently valid and signed, then set
1533 * *<b>identity_key</b> to the identity certificate's key and return
1534 * 0. Else, return -1 and log complaints with log-level <b>severity</b>.
1535 */
1536 int
1538 {
1552 }
1558 }
1567 done:
1573 /* This should never get invoked, but let's make sure in case OpenSSL
1574 * acts unexpectedly. */
1578 }
1580 /** Check whether the certificate set on the connection <b>tls</b> is
1581 * expired or not-yet-valid, give or take <b>tolerance</b>
1582 * seconds. Return 0 for valid, -1 for failure.
1583 *
1584 * NOTE: you should call tor_tls_verify before tor_tls_check_lifetime.
1585 */
1586 int
1588 {
1602 }
1607 }
1610 done:
1613 /* Not expected to get invoked */
1617 }
1619 /** Return the number of bytes available for reading from <b>tls</b>.
1620 */
1621 int
1623 {
1626 }
1628 /** If <b>tls</b> requires that the next write be of a particular size,
1629 * return that size. Otherwise, return 0. */
1630 size_t
1632 {
1634 }
1636 /** Sets n_read and n_written to the number of bytes read and written,
1637 * respectively, on the raw socket used by <b>tls</b> since the last time this
1638 * function was called on <b>tls</b>. */
1639 void
1641 {
1645 /* We want the number of bytes actually for real written. Unfortunately,
1646 * sometimes OpenSSL replaces the wbio on tls->ssl with a buffering bio,
1647 * which makes the answer turn out wrong. Let's cope with that. Note
1648 * that this approach will fail if we ever replace tls->ssl's BIOs with
1649 * buffering bios for reasons of our own. As an alternative, we could
1650 * save the original BIO for tls->ssl in the tor_tls_t structure, but
1651 * that would be tempting fate. */
1657 /* We are ok with letting these unsigned ints go "negative" here:
1658 * If we wrapped around, this should still give us the right answer, unless
1659 * we wrapped around by more than ULONG_MAX since the last time we called
1660 * this function.
1661 */
1668 }
1671 }
1673 /** Implement check_no_tls_errors: If there are any pending OpenSSL
1674 * errors, log an error message. */
1675 void
1677 {
1683 }
1685 /** Return true iff the initial TLS connection at <b>tls</b> did not use a v2
1686 * TLS handshake. Output is undefined if the handshake isn't finished. */
1687 int
1689 {
1691 #ifdef V2_HANDSHAKE_SERVER
1693 #endif
1695 #ifdef V2_HANDSHAKE_CLIENT
1697 #endif
1698 }
1700 }
1702 /** Examine the amount of memory used and available for buffers in <b>tls</b>.
1703 * Set *<b>rbuf_capacity</b> to the amount of storage allocated for the read
1704 * buffer and *<b>rbuf_bytes</b> to the amount actually used.
1705 * Set *<b>wbuf_capacity</b> to the amount of storage allocated for the write
1706 * buffer and *<b>wbuf_bytes</b> to the amount actually used. */
1707 void
1711 {
1714 else
1718 else
1722 }