| blob | aeb0ca0800fd2538beb55f9932296db55c1a7eae |
1 /* Copyright (c) 2003, Roger Dingledine.
2 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
3 * Copyright (c) 2007-2009, The Tor Project, Inc. */
4 /* See LICENSE for licensing information */
6 /**
7 * \file tortls.c
8 * \brief Wrapper functions to present a consistent interface to
9 * TLS, SSL, and X.509 functions from OpenSSL.
10 **/
12 /* (Unlike other tor functions, these
13 * are prefixed with tor_ in order to avoid conflicting with OpenSSL
14 * functions and variables.)
15 */
19 #include <assert.h>
20 #include <openssl/ssl.h>
21 #include <openssl/ssl3.h>
22 #include <openssl/err.h>
23 #include <openssl/tls1.h>
24 #include <openssl/asn1.h>
25 #include <openssl/bio.h>
26 #include <openssl/opensslv.h>
28 #if OPENSSL_VERSION_NUMBER < 0x00907000l
30 #endif
40 #include <string.h>
42 /* Enable the "v2" TLS handshake.
43 */
44 #define V2_HANDSHAKE_SERVER
45 #define V2_HANDSHAKE_CLIENT
47 /* Copied from or.h */
48 #define LEGAL_NICKNAME_CHARACTERS \
49 "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
51 /** How long do identity certificates live? (sec) */
52 #define IDENTITY_CERT_LIFETIME (365*24*60*60)
56 /** Structure holding the TLS state for a single connection. */
65 /** Holds a SSL object and its associated data. Members are only
66 * accessed from within tortls.c.
67 */
78 * completed successfully. */
81 * this connection used the updated version
82 * of the connection protocol (client sends
83 * different cipher list, server sends only
84 * one certificate). */
85 /** True iff we should call negotiated_callback when we're done reading. */
88 * time. */
89 /** Last values retrieved from BIO_number_read()/write(); see
90 * tor_tls_get_n_raw_bytes() for usage.
91 */
94 /** If set, a callback to invoke whenever the client tries to renegotiate
95 * the handshake. */
97 /** Argument to pass to negotiated_callback. */
99 };
101 #ifdef V2_HANDSHAKE_CLIENT
102 /** An array of fake SSL_CIPHER objects that we use in order to trick OpenSSL
103 * in client mode into advertising the ciphers we want. See
104 * rectify_client_ciphers() for details. */
106 /** A stack of SSL_CIPHER objects, some real, some fake.
107 * See rectify_client_ciphers() for details. */
109 #endif
111 /** Helper: compare tor_tls_t objects by its SSL. */
114 {
116 }
118 /** Helper: return a hash value for a tor_tls_t by its SSL. */
121 {
122 #if SIZEOF_INT == SIZEOF_VOID_P
124 #else
126 #endif
127 }
129 /** Map from SSL* pointers to tor_tls_t objects using those pointers.
130 */
134 tor_tls_entries_eq)
138 /** Helper: given a SSL* pointer, return the tor_tls_t object using that
139 * pointer. */
142 {
148 }
158 /** Global tls context. We keep it here because nobody else needs to
159 * touch it. */
161 /** True iff tor_tls_init() has been called. */
164 /* Module-internal error codes. */
165 #define _TOR_TLS_SYSCALL (_MIN_TOR_TLS_ERROR_VAL - 2)
166 #define _TOR_TLS_ZERORETURN (_MIN_TOR_TLS_ERROR_VAL - 1)
168 /** Log all pending tls errors at level <b>severity</b>. Use
169 * <b>doing</b> to describe our current activities.
170 */
171 static void
173 {
190 }
191 }
192 }
194 /** Convert an errno (or a WSAerrno on windows) into a TOR_TLS_* error
195 * code. */
196 static int
198 {
199 #if defined(MS_WINDOWS)
212 }
213 #else
226 }
227 #endif
228 }
230 /** Given a TOR_TLS_* error code, return a string equivalent. */
233 {
247 }
248 }
250 #define CATCH_SYSCALL 1
251 #define CATCH_ZERO 2
253 /** Given a TLS object and the result of an SSL_* call, use
254 * SSL_get_error to determine whether an error has occurred, and if so
255 * which one. Return one of TOR_TLS_{DONE|WANTREAD|WANTWRITE|ERROR}.
256 * If extra&CATCH_SYSCALL is true, return _TOR_TLS_SYSCALL instead of
257 * reporting syscall errors. If extra&CATCH_ZERO is true, return
258 * _TOR_TLS_ZERORETURN instead of reporting zero-return errors.
259 *
260 * If an error has occurred, log it at level <b>severity</b> and describe the
261 * current action as <b>doing</b>.
262 */
263 static int
266 {
288 }
300 }
301 }
303 /** Initialize OpenSSL, unless it has already been initialized.
304 */
305 static void
307 {
313 }
314 }
316 /** Free all global TLS structures. */
317 void
319 {
323 }
326 }
328 #ifdef V2_HANDSHAKE_CLIENT
333 #endif
334 }
336 /** We need to give OpenSSL a callback to verify certificates. This is
337 * it: We always accept peer certs and complete the handshake. We
338 * don't validate them until later.
339 */
340 static int
343 {
347 }
349 /** Return a newly allocated X509 name with commonName <b>cname</b>. */
352 {
362 error:
365 }
367 /** Generate and sign an X509 certificate with the public key <b>rsa</b>,
368 * signed by the private key <b>rsa_sign</b>. The commonName of the
369 * certificate will be <b>cname</b>; the commonName of the issuer will be
370 * <b>cname_sign</b>. The cert will be valid for <b>cert_lifetime</b> seconds
371 * starting from now. Return a certificate on success, NULL on
372 * failure.
373 */
380 {
425 error:
429 }
430 done:
441 }
443 /** List of ciphers that servers should select from.*/
444 #define SERVER_CIPHER_LIST \
447 SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA)
448 /* Note: for setting up your own private testing network with link crypto
449 * disabled, set the cipher lists to your cipher list to
450 * SSL3_TXT_RSA_NULL_SHA. If you do this, you won't be able to communicate
451 * with any of the "real" Tors, though. */
453 #ifdef V2_HANDSHAKE_CLIENT
455 #define XCIPHER(id, name)
456 /** List of ciphers that clients should advertise, omitting items that
457 * our OpenSSL doesn't know about. */
460 ;
461 #undef CIPHER
462 #undef XCIPHER
464 /** Holds a cipher that we want to advertise, and its 2-byte ID. */
466 /** A list of all the ciphers that clients should advertise, including items
467 * that OpenSSL might not know about. */
469 #define CIPHER(id, name) { id, name },
470 #define XCIPHER(id, name) { id, #name },
472 #undef CIPHER
473 #undef XCIPHER
474 };
476 /** The length of CLIENT_CIPHER_INFO_LIST and CLIENT_CIPHER_DUMMIES. */
479 #endif
481 #ifndef V2_HANDSHAKE_CLIENT
482 #undef CLIENT_CIPHER_LIST
484 SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA)
485 #endif
487 /** Remove a reference to <b>ctx</b>, and free it if it has no more
488 * references. */
489 static void
491 {
499 }
500 }
502 /** Increase the reference count of <b>ctx</b>. */
503 static void
505 {
507 }
509 /** Create a new TLS context for use with Tor TLS handshakes.
510 * <b>identity</b> should be set to the identity key used to sign the
511 * certificate, and <b>nickname</b> set to the nickname to use.
512 *
513 * You can call this function multiple times. Each time you call it,
514 * it generates new certificates; all new connections will use
515 * the new SSL context.
516 */
517 int
519 {
530 /* Generate short-term RSA key. */
535 /* Create certificate signed by identity key. */
537 key_lifetime);
538 /* Create self-signed certificate for identity key. */
540 IDENTITY_CERT_LIFETIME);
544 }
552 #ifdef EVERYONE_HAS_AES
553 /* Tell OpenSSL to only use TLS1 */
556 #else
557 /* Tell OpenSSL to use SSL3 or TLS1 but not SSL2. */
561 #endif
564 #ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
566 SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
567 #endif
568 /* Don't actually allow compression; it uses ram and time, but the data
569 * we transmit is all encrypted anyway. */
572 #ifdef SSL_MODE_RELEASE_BUFFERS
574 #endif
585 }
596 {
600 }
602 always_accept_verify_cb);
603 /* let us realloc bufs that we're writing from */
605 /* Free the old context if one exists. */
607 /* This is safe even if there are open connections: OpenSSL does
608 * reference counting with SSL and SSL_CTX objects. */
610 }
618 error:
633 }
635 #ifdef V2_HANDSHAKE_SERVER
636 /** Return true iff the cipher list suggested by the client for <b>ssl</b> is
637 * a list that indicates that the client knows how to do the v2 TLS connection
638 * handshake. */
639 static int
641 {
644 /* If we reached this point, we just got a client hello. See if there is
645 * a cipher list. */
649 }
653 }
654 /* Now we need to see if there are any ciphers whose presence means we're
655 * dealing with an updated Tor. */
663 /* XXXX should be ld_debug */
665 // return 1;
667 }
668 }
670 dump_list:
671 {
678 }
684 }
686 }
688 /** Invoked when we're accepting a connection on <b>ssl</b>, and the connection
689 * changes state. We use this:
690 * <ul><li>To alter the state of the handshake partway through, so we
691 * do not send or request extra certificates in v2 handshakes.</li>
692 * <li>To detect renegotiation</li></ul>
693 */
694 static void
696 {
706 /* Check whether we're watching for renegotiates. If so, this is one! */
711 }
713 /* Now check the cipher list. */
715 /*XXXX_TLS keep this from happening more than once! */
717 /* Yes, we're casting away the const from ssl. This is very naughty of us.
718 * Let's hope openssl doesn't notice! */
720 /* Set SSL_MODE_NO_AUTO_CHAIN to keep from sending back any extra certs. */
722 /* Don't send a hello request. */
729 }
730 }
731 }
732 #endif
734 /** Replace *<b>ciphers</b> with a new list of SSL ciphersuites: specifically,
735 * a list designed to mimic a common web browser. Some of the ciphers in the
736 * list won't actually be implemented by OpenSSL: that's okay so long as the
737 * server doesn't select them, and the server won't select anything besides
738 * what's in SERVER_CIPHER_LIST.
739 *
740 * [If the server <b>does</b> select a bogus cipher, we won't crash or
741 * anything; we'll just fail later when we try to look up the cipher in
742 * ssl->cipher_list_by_id.]
743 */
744 static void
746 {
747 #ifdef V2_HANDSHAKE_CLIENT
749 /* We need to set CLIENT_CIPHER_STACK to an array of the ciphers
750 * we want.*/
753 /* First, create a dummy SSL_CIPHER for every cipher. */
754 CLIENT_CIPHER_DUMMIES =
760 }
769 }
771 /* Then copy as many ciphers as we can from the good list, inserting
772 * dummies as needed. */
791 }
792 }
793 }
799 #else
801 #endif
802 }
804 /** Create a new TLS object from a file descriptor, and a flag to
805 * determine whether it is functioning as a server.
806 */
807 tor_tls_t *
809 {
818 }
820 #ifdef SSL_set_tlsext_host_name
821 /* Browsers use the TLS hostname extension, so we should too. */
822 {
826 }
827 #endif
835 }
845 }
858 }
859 #ifdef V2_HANDSHAKE_SERVER
862 }
863 #endif
864 /* Not expected to get called. */
867 }
869 /** Make future log messages about <b>tls</b> display the address
870 * <b>address</b>.
871 */
872 void
874 {
878 }
880 /** Set <b>cb</b> to be called with argument <b>arg</b> whenever <b>tls</b>
881 * next gets a client-side renegotiate in the middle of a read. Do not
882 * invoke this function until <em>after</em> initial handshaking is done!
883 */
884 void
888 {
892 #ifdef V2_HANDSHAKE_SERVER
897 }
898 #endif
899 }
901 /** Return whether this tls initiated the connect (client) or
902 * received it (server). */
903 int
905 {
908 }
910 /** Release resources associated with a TLS object. Does not close the
911 * underlying file descriptor.
912 */
913 void
915 {
921 }
929 }
931 /** Underlying function for TLS reading. Reads up to <b>len</b>
932 * characters from <b>tls</b> into <b>cp</b>. On success, returns the
933 * number of characters read. On failure, returns TOR_TLS_ERROR,
934 * TOR_TLS_CLOSE, TOR_TLS_WANTREAD, or TOR_TLS_WANTWRITE.
935 */
936 int
938 {
946 #ifdef V2_HANDSHAKE_SERVER
948 /* Renegotiation happened! */
953 }
954 #endif
956 }
966 }
967 }
969 /** Underlying function for TLS writing. Write up to <b>n</b>
970 * characters from <b>cp</b> onto <b>tls</b>. On success, returns the
971 * number of characters written. On failure, returns TOR_TLS_ERROR,
972 * TOR_TLS_WANTREAD, or TOR_TLS_WANTWRITE.
973 */
974 int
976 {
985 /* if WANTWRITE last time, we must use the _same_ n as before */
991 }
996 }
999 }
1001 }
1003 /** Perform initial handshake on <b>tls</b>. When finished, returns
1004 * TOR_TLS_DONE. On failure, returns TOR_TLS_ERROR, TOR_TLS_WANTREAD,
1005 * or TOR_TLS_WANTWRITE.
1006 */
1007 int
1009 {
1019 }
1025 }
1031 /* There doesn't seem to be a clear OpenSSL API to clear mode flags. */
1033 #ifdef V2_HANDSHAKE_SERVER
1035 /* This check is redundant, but back when we did it in the callback,
1036 * we might have not been able to look up the tor_tls_t if the code
1037 * was buggy. Fixing that. */
1041 }
1047 }
1048 #endif
1050 #ifdef V2_HANDSHAKE_CLIENT
1051 /* If we got no ID cert, we're a v2 handshake. */
1061 }
1064 #endif
1068 }
1069 }
1070 }
1072 }
1074 /** Client only: Renegotiate a TLS session. When finished, returns
1075 * TOR_TLS_DONE. On failure, returns TOR_TLS_ERROR, TOR_TLS_WANTREAD, or
1076 * TOR_TLS_WANTWRITE.
1077 */
1078 int
1080 {
1083 /* We could do server-initiated renegotiation too, but that would be tricky.
1084 * Instead of "SSL_renegotiate, then SSL_do_handshake until done" */
1090 }
1092 }
1099 }
1101 /** Shut down an open tls connection <b>tls</b>. When finished, returns
1102 * TOR_TLS_DONE. On failure, returns TOR_TLS_ERROR, TOR_TLS_WANTREAD,
1103 * or TOR_TLS_WANTWRITE.
1104 */
1105 int
1107 {
1115 /* If we've already called shutdown once to send a close message,
1116 * we read until the other side has closed too.
1117 */
1122 LOG_INFO);
1125 /* fall through... */
1128 }
1129 }
1133 /* If shutdown returns 1, the connection is entirely closed. */
1136 }
1138 LOG_INFO);
1140 /* The underlying TCP connection closed while we were shutting down. */
1144 /* The TLS connection says that it sent a shutdown record, but
1145 * isn't done shutting down yet. Make sure that this hasn't
1146 * happened before, then go back to the start of the function
1147 * and try to read.
1148 */
1154 }
1156 /* fall through ... */
1159 }
1161 }
1163 /** Return true iff this TLS connection is authenticated.
1164 */
1165 int
1167 {
1175 }
1177 /** Warn that a certificate lifetime extends through a certain range. */
1178 static void
1180 {
1191 problem);
1195 }
1199 }
1207 }
1217 end:
1218 /* Not expected to get invoked */
1226 }
1228 /** Helper function: try to extract a link certificate and an identity
1229 * certificate from <b>tls</b>, and store them in *<b>cert_out</b> and
1230 * *<b>id_cert_out</b> respectively. Log all messages at level
1231 * <b>severity</b>.
1232 *
1233 * Note that a reference is added to cert_out, so it needs to be
1234 * freed. id_cert_out doesn't. */
1235 static void
1238 {
1250 /* 1 means we're receiving (server-side), and it's just the id_cert.
1251 * 2 means we're connecting (client-side), and it's both the link
1252 * cert and the id_cert.
1253 */
1257 num_in_chain);
1259 }
1264 }
1266 }
1268 /** If the provided tls connection is authenticated and has a
1269 * certificate chain that is currently valid and signed, then set
1270 * *<b>identity_key</b> to the identity certificate's key and return
1271 * 0. Else, return -1 and log complaints with log-level <b>severity</b>.
1272 */
1273 int
1275 {
1289 }
1295 }
1304 done:
1310 /* This should never get invoked, but let's make sure in case OpenSSL
1311 * acts unexpectedly. */
1315 }
1317 /** Check whether the certificate set on the connection <b>tls</b> is
1318 * expired or not-yet-valid, give or take <b>tolerance</b>
1319 * seconds. Return 0 for valid, -1 for failure.
1320 *
1321 * NOTE: you should call tor_tls_verify before tor_tls_check_lifetime.
1322 */
1323 int
1325 {
1339 }
1344 }
1347 done:
1350 /* Not expected to get invoked */
1354 }
1356 /** Return the number of bytes available for reading from <b>tls</b>.
1357 */
1358 int
1360 {
1363 }
1365 /** If <b>tls</b> requires that the next write be of a particular size,
1366 * return that size. Otherwise, return 0. */
1367 size_t
1369 {
1371 }
1373 /** Sets n_read and n_written to the number of bytes read and written,
1374 * respectively, on the raw socket used by <b>tls</b> since the last time this
1375 * function was called on <b>tls</b>. */
1376 void
1378 {
1382 /* We want the number of bytes actually for real written. Unfortunately,
1383 * sometimes OpenSSL replaces the wbio on tls->ssl with a buffering bio,
1384 * which makes the answer turn out wrong. Let's cope with that. Note
1385 * that this approach will fail if we ever replace tls->ssl's BIOs with
1386 * buffering bios for reasons of our own. As an alternative, we could
1387 * save the original BIO for tls->ssl in the tor_tls_t structure, but
1388 * that would be tempting fate. */
1394 /* We are ok with letting these unsigned ints go "negative" here:
1395 * If we wrapped around, this should still give us the right answer, unless
1396 * we wrapped around by more than ULONG_MAX since the last time we called
1397 * this function.
1398 */
1405 }
1408 }
1410 /** Implement check_no_tls_errors: If there are any pending OpenSSL
1411 * errors, log an error message. */
1412 void
1414 {
1420 }
1422 /** Return true iff the initial TLS connection at <b>tls</b> did not use a v2
1423 * TLS handshake. Output is undefined if the handshake isn't finished. */
1424 int
1426 {
1428 #ifdef V2_HANDSHAKE_SERVER
1430 #endif
1432 #ifdef V2_HANDSHAKE_CLIENT
1434 #endif
1435 }
1437 }
1439 /** Examine the amount of memory used and available for buffers in <b>tls</b>.
1440 * Set *<b>rbuf_capacity</b> to the amount of storage allocated for the read
1441 * buffer and *<b>rbuf_bytes</b> to the amount actually used.
1442 * Set *<b>wbuf_capacity</b> to the amount of storage allocated for the write
1443 * buffer and *<b>wbuf_bytes</b> to the amount actually used. */
1444 void
1448 {
1451 else
1455 else
1459 }