| blob | a518e83d203608af67af004b4f9ff83578752b7d |
1 /* Copyright (c) 2003, Roger Dingledine.
2 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
3 * Copyright (c) 2007-2009, The Tor Project, Inc. */
4 /* See LICENSE for licensing information */
6 /**
7 * \file tortls.c
8 * \brief Wrapper functions to present a consistent interface to
9 * TLS, SSL, and X.509 functions from OpenSSL.
10 **/
12 /* (Unlike other tor functions, these
13 * are prefixed with tor_ in order to avoid conflicting with OpenSSL
14 * functions and variables.)
15 */
19 #include <assert.h>
20 #include <openssl/ssl.h>
21 #include <openssl/ssl3.h>
22 #include <openssl/err.h>
23 #include <openssl/tls1.h>
24 #include <openssl/asn1.h>
25 #include <openssl/bio.h>
26 #include <openssl/opensslv.h>
28 #if OPENSSL_VERSION_NUMBER < 0x00907000l
30 #endif
40 #include <string.h>
42 /* Enable the "v2" TLS handshake.
43 */
44 #define V2_HANDSHAKE_SERVER
45 #define V2_HANDSHAKE_CLIENT
47 /* Copied from or.h */
48 #define LEGAL_NICKNAME_CHARACTERS \
49 "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
51 /** How long do identity certificates live? (sec) */
52 #define IDENTITY_CERT_LIFETIME (365*24*60*60)
56 /** Structure holding the TLS state for a single connection. */
65 /** Holds a SSL object and its associated data. Members are only
66 * accessed from within tortls.c.
67 */
78 * completed successfully. */
81 * this connection used the updated version
82 * of the connection protocol (client sends
83 * different cipher list, server sends only
84 * one certificate). */
85 /** True iff we should call negotiated_callback when we're done reading. */
88 * time. */
89 /** Last values retrieved from BIO_number_read()/write(); see
90 * tor_tls_get_n_raw_bytes() for usage.
91 */
94 /** If set, a callback to invoke whenever the client tries to renegotiate
95 * the handshake. */
97 /** Argument to pass to negotiated_callback. */
99 };
101 #ifdef V2_HANDSHAKE_CLIENT
102 /** An array of fake SSL_CIPHER objects that we use in order to trick OpenSSL
103 * in client mode into advertising the ciphers we want. See
104 * rectify_client_ciphers() for details. */
106 /** A stack of SSL_CIPHER objects, some real, some fake.
107 * See rectify_client_ciphers() for details. */
109 #endif
111 /** Helper: compare tor_tls_t objects by its SSL. */
114 {
116 }
118 /** Helper: return a hash value for a tor_tls_t by its SSL. */
121 {
122 #if SIZEOF_INT == SIZEOF_VOID_P
124 #else
126 #endif
127 }
129 /** Map from SSL* pointers to tor_tls_t objects using those pointers.
130 */
134 tor_tls_entries_eq)
138 /** Helper: given a SSL* pointer, return the tor_tls_t object using that
139 * pointer. */
142 {
148 }
158 /** Global tls context. We keep it here because nobody else needs to
159 * touch it. */
161 /** True iff tor_tls_init() has been called. */
164 /* Module-internal error codes. */
165 #define _TOR_TLS_SYSCALL (_MIN_TOR_TLS_ERROR_VAL - 2)
166 #define _TOR_TLS_ZERORETURN (_MIN_TOR_TLS_ERROR_VAL - 1)
168 /** Log all pending tls errors at level <b>severity</b>. Use
169 * <b>doing</b> to describe our current activities.
170 */
171 static void
173 {
190 }
191 }
192 }
194 /** Convert an errno (or a WSAerrno on windows) into a TOR_TLS_* error
195 * code. */
196 static int
198 {
199 #if defined(MS_WINDOWS)
212 }
213 #else
226 }
227 #endif
228 }
230 /** Given a TOR_TLS_* error code, return a string equivalent. */
233 {
247 }
248 }
250 #define CATCH_SYSCALL 1
251 #define CATCH_ZERO 2
253 /** Given a TLS object and the result of an SSL_* call, use
254 * SSL_get_error to determine whether an error has occurred, and if so
255 * which one. Return one of TOR_TLS_{DONE|WANTREAD|WANTWRITE|ERROR}.
256 * If extra&CATCH_SYSCALL is true, return _TOR_TLS_SYSCALL instead of
257 * reporting syscall errors. If extra&CATCH_ZERO is true, return
258 * _TOR_TLS_ZERORETURN instead of reporting zero-return errors.
259 *
260 * If an error has occurred, log it at level <b>severity</b> and describe the
261 * current action as <b>doing</b>.
262 */
263 static int
266 {
288 }
300 }
301 }
303 /** Initialize OpenSSL, unless it has already been initialized.
304 */
305 static void
307 {
312 }
313 }
315 /** Free all global TLS structures. */
316 void
318 {
322 }
325 }
327 #ifdef V2_HANDSHAKE_CLIENT
332 #endif
333 }
335 /** We need to give OpenSSL a callback to verify certificates. This is
336 * it: We always accept peer certs and complete the handshake. We
337 * don't validate them until later.
338 */
339 static int
342 {
346 }
348 /** Return a newly allocated X509 name with commonName <b>cname</b>. */
351 {
361 error:
364 }
366 /** Generate and sign an X509 certificate with the public key <b>rsa</b>,
367 * signed by the private key <b>rsa_sign</b>. The commonName of the
368 * certificate will be <b>cname</b>; the commonName of the issuer will be
369 * <b>cname_sign</b>. The cert will be valid for <b>cert_lifetime</b> seconds
370 * starting from now. Return a certificate on success, NULL on
371 * failure.
372 */
379 {
424 error:
428 }
429 done:
440 }
442 /** List of ciphers that servers should select from.*/
443 #define SERVER_CIPHER_LIST \
446 SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA)
447 /* Note: for setting up your own private testing network with link crypto
448 * disabled, set the cipher lists to your cipher list to
449 * SSL3_TXT_RSA_NULL_SHA. If you do this, you won't be able to communicate
450 * with any of the "real" Tors, though. */
452 #ifdef V2_HANDSHAKE_CLIENT
454 #define XCIPHER(id, name)
455 /** List of ciphers that clients should advertise, omitting items that
456 * our OpenSSL doesn't know about. */
459 ;
460 #undef CIPHER
461 #undef XCIPHER
463 /** Holds a cipher that we want to advertise, and its 2-byte ID. */
465 /** A list of all the ciphers that clients should advertise, including items
466 * that OpenSSL might not know about. */
468 #define CIPHER(id, name) { id, name },
469 #define XCIPHER(id, name) { id, #name },
471 #undef CIPHER
472 #undef XCIPHER
473 };
475 /** The length of CLIENT_CIPHER_INFO_LIST and CLIENT_CIPHER_DUMMIES. */
478 #endif
480 #ifndef V2_HANDSHAKE_CLIENT
481 #undef CLIENT_CIPHER_LIST
483 SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA)
484 #endif
486 /** Remove a reference to <b>ctx</b>, and free it if it has no more
487 * references. */
488 static void
490 {
498 }
499 }
501 /** Increase the reference count of <b>ctx</b>. */
502 static void
504 {
506 }
508 /** Create a new TLS context for use with Tor TLS handshakes.
509 * <b>identity</b> should be set to the identity key used to sign the
510 * certificate, and <b>nickname</b> set to the nickname to use.
511 *
512 * You can call this function multiple times. Each time you call it,
513 * it generates new certificates; all new connections will use
514 * the new SSL context.
515 */
516 int
518 {
529 /* Generate short-term RSA key. */
534 /* Create certificate signed by identity key. */
536 key_lifetime);
537 /* Create self-signed certificate for identity key. */
539 IDENTITY_CERT_LIFETIME);
543 }
551 #ifdef EVERYONE_HAS_AES
552 /* Tell OpenSSL to only use TLS1 */
555 #else
556 /* Tell OpenSSL to use SSL3 or TLS1 but not SSL2. */
560 #endif
563 #ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
565 SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
566 #endif
567 /* Don't actually allow compression; it uses ram and time, but the data
568 * we transmit is all encrypted anyway. */
571 #ifdef SSL_MODE_RELEASE_BUFFERS
573 #endif
584 }
595 {
599 }
601 always_accept_verify_cb);
602 /* let us realloc bufs that we're writing from */
604 /* Free the old context if one exists. */
606 /* This is safe even if there are open connections: OpenSSL does
607 * reference counting with SSL and SSL_CTX objects. */
609 }
617 error:
632 }
634 #ifdef V2_HANDSHAKE_SERVER
635 /** Return true iff the cipher list suggested by the client for <b>ssl</b> is
636 * a list that indicates that the client knows how to do the v2 TLS connection
637 * handshake. */
638 static int
640 {
643 /* If we reached this point, we just got a client hello. See if there is
644 * a cipher list. */
648 }
652 }
653 /* Now we need to see if there are any ciphers whose presence means we're
654 * dealing with an updated Tor. */
662 /* XXXX should be ld_debug */
664 // return 1;
666 }
667 }
669 dump_list:
670 {
677 }
683 }
685 }
687 /** Invoked when we're accepting a connection on <b>ssl</b>, and the connection
688 * changes state. We use this:
689 * <ul><li>To alter the state of the handshake partway through, so we
690 * do not send or request extra certificates in v2 handshakes.</li>
691 * <li>To detect renegotiation</li></ul>
692 */
693 static void
695 {
705 /* Check whether we're watching for renegotiates. If so, this is one! */
710 }
712 /* Now check the cipher list. */
714 /*XXXX_TLS keep this from happening more than once! */
716 /* Yes, we're casting away the const from ssl. This is very naughty of us.
717 * Let's hope openssl doesn't notice! */
719 /* Set SSL_MODE_NO_AUTO_CHAIN to keep from sending back any extra certs. */
721 /* Don't send a hello request. */
728 }
729 }
730 }
731 #endif
733 /** Replace *<b>ciphers</b> with a new list of SSL ciphersuites: specifically,
734 * a list designed to mimic a common web browser. Some of the ciphers in the
735 * list won't actually be implemented by OpenSSL: that's okay so long as the
736 * server doesn't select them, and the server won't select anything besides
737 * what's in SERVER_CIPHER_LIST.
738 *
739 * [If the server <b>does</b> select a bogus cipher, we won't crash or
740 * anything; we'll just fail later when we try to look up the cipher in
741 * ssl->cipher_list_by_id.]
742 */
743 static void
745 {
746 #ifdef V2_HANDSHAKE_CLIENT
748 /* We need to set CLIENT_CIPHER_STACK to an array of the ciphers
749 * we want.*/
752 /* First, create a dummy SSL_CIPHER for every cipher. */
753 CLIENT_CIPHER_DUMMIES =
759 }
768 }
770 /* Then copy as many ciphers as we can from the good list, inserting
771 * dummies as needed. */
790 }
791 }
792 }
798 #else
800 #endif
801 }
803 /** Create a new TLS object from a file descriptor, and a flag to
804 * determine whether it is functioning as a server.
805 */
806 tor_tls_t *
808 {
817 }
819 #ifdef SSL_set_tlsext_host_name
820 /* Browsers use the TLS hostname extension, so we should too. */
821 {
825 }
826 #endif
834 }
844 }
857 }
858 #ifdef V2_HANDSHAKE_SERVER
861 }
862 #endif
863 /* Not expected to get called. */
866 }
868 /** Make future log messages about <b>tls</b> display the address
869 * <b>address</b>.
870 */
871 void
873 {
877 }
879 /** Set <b>cb</b> to be called with argument <b>arg</b> whenever <b>tls</b>
880 * next gets a client-side renegotiate in the middle of a read. Do not
881 * invoke this function until <em>after</em> initial handshaking is done!
882 */
883 void
887 {
891 #ifdef V2_HANDSHAKE_SERVER
896 }
897 #endif
898 }
900 /** Return whether this tls initiated the connect (client) or
901 * received it (server). */
902 int
904 {
907 }
909 /** Release resources associated with a TLS object. Does not close the
910 * underlying file descriptor.
911 */
912 void
914 {
920 }
928 }
930 /** Underlying function for TLS reading. Reads up to <b>len</b>
931 * characters from <b>tls</b> into <b>cp</b>. On success, returns the
932 * number of characters read. On failure, returns TOR_TLS_ERROR,
933 * TOR_TLS_CLOSE, TOR_TLS_WANTREAD, or TOR_TLS_WANTWRITE.
934 */
935 int
937 {
945 #ifdef V2_HANDSHAKE_SERVER
947 /* Renegotiation happened! */
952 }
953 #endif
955 }
965 }
966 }
968 /** Underlying function for TLS writing. Write up to <b>n</b>
969 * characters from <b>cp</b> onto <b>tls</b>. On success, returns the
970 * number of characters written. On failure, returns TOR_TLS_ERROR,
971 * TOR_TLS_WANTREAD, or TOR_TLS_WANTWRITE.
972 */
973 int
975 {
984 /* if WANTWRITE last time, we must use the _same_ n as before */
990 }
995 }
998 }
1000 }
1002 /** Perform initial handshake on <b>tls</b>. When finished, returns
1003 * TOR_TLS_DONE. On failure, returns TOR_TLS_ERROR, TOR_TLS_WANTREAD,
1004 * or TOR_TLS_WANTWRITE.
1005 */
1006 int
1008 {
1018 }
1024 }
1030 /* There doesn't seem to be a clear OpenSSL API to clear mode flags. */
1032 #ifdef V2_HANDSHAKE_SERVER
1034 /* This check is redundant, but back when we did it in the callback,
1035 * we might have not been able to look up the tor_tls_t if the code
1036 * was buggy. Fixing that. */
1040 }
1046 }
1047 #endif
1049 #ifdef V2_HANDSHAKE_CLIENT
1050 /* If we got no ID cert, we're a v2 handshake. */
1060 }
1063 #endif
1067 }
1068 }
1069 }
1071 }
1073 /** Client only: Renegotiate a TLS session. When finished, returns
1074 * TOR_TLS_DONE. On failure, returns TOR_TLS_ERROR, TOR_TLS_WANTREAD, or
1075 * TOR_TLS_WANTWRITE.
1076 */
1077 int
1079 {
1082 /* We could do server-initiated renegotiation too, but that would be tricky.
1083 * Instead of "SSL_renegotiate, then SSL_do_handshake until done" */
1089 }
1091 }
1098 }
1100 /** Shut down an open tls connection <b>tls</b>. When finished, returns
1101 * TOR_TLS_DONE. On failure, returns TOR_TLS_ERROR, TOR_TLS_WANTREAD,
1102 * or TOR_TLS_WANTWRITE.
1103 */
1104 int
1106 {
1114 /* If we've already called shutdown once to send a close message,
1115 * we read until the other side has closed too.
1116 */
1121 LOG_INFO);
1124 /* fall through... */
1127 }
1128 }
1132 /* If shutdown returns 1, the connection is entirely closed. */
1135 }
1137 LOG_INFO);
1139 /* The underlying TCP connection closed while we were shutting down. */
1143 /* The TLS connection says that it sent a shutdown record, but
1144 * isn't done shutting down yet. Make sure that this hasn't
1145 * happened before, then go back to the start of the function
1146 * and try to read.
1147 */
1153 }
1155 /* fall through ... */
1158 }
1160 }
1162 /** Return true iff this TLS connection is authenticated.
1163 */
1164 int
1166 {
1174 }
1176 /** Warn that a certificate lifetime extends through a certain range. */
1177 static void
1179 {
1190 problem);
1194 }
1198 }
1206 }
1216 end:
1217 /* Not expected to get invoked */
1225 }
1227 /** Helper function: try to extract a link certificate and an identity
1228 * certificate from <b>tls</b>, and store them in *<b>cert_out</b> and
1229 * *<b>id_cert_out</b> respectively. Log all messages at level
1230 * <b>severity</b>.
1231 *
1232 * Note that a reference is added to cert_out, so it needs to be
1233 * freed. id_cert_out doesn't. */
1234 static void
1237 {
1249 /* 1 means we're receiving (server-side), and it's just the id_cert.
1250 * 2 means we're connecting (client-side), and it's both the link
1251 * cert and the id_cert.
1252 */
1256 num_in_chain);
1258 }
1263 }
1265 }
1267 /** If the provided tls connection is authenticated and has a
1268 * certificate chain that is currently valid and signed, then set
1269 * *<b>identity_key</b> to the identity certificate's key and return
1270 * 0. Else, return -1 and log complaints with log-level <b>severity</b>.
1271 */
1272 int
1274 {
1288 }
1294 }
1303 done:
1309 /* This should never get invoked, but let's make sure in case OpenSSL
1310 * acts unexpectedly. */
1314 }
1316 /** Check whether the certificate set on the connection <b>tls</b> is
1317 * expired or not-yet-valid, give or take <b>tolerance</b>
1318 * seconds. Return 0 for valid, -1 for failure.
1319 *
1320 * NOTE: you should call tor_tls_verify before tor_tls_check_lifetime.
1321 */
1322 int
1324 {
1338 }
1343 }
1346 done:
1349 /* Not expected to get invoked */
1353 }
1355 /** Return the number of bytes available for reading from <b>tls</b>.
1356 */
1357 int
1359 {
1362 }
1364 /** If <b>tls</b> requires that the next write be of a particular size,
1365 * return that size. Otherwise, return 0. */
1366 size_t
1368 {
1370 }
1372 /** Sets n_read and n_written to the number of bytes read and written,
1373 * respectively, on the raw socket used by <b>tls</b> since the last time this
1374 * function was called on <b>tls</b>. */
1375 void
1377 {
1381 /* We want the number of bytes actually for real written. Unfortunately,
1382 * sometimes OpenSSL replaces the wbio on tls->ssl with a buffering bio,
1383 * which makes the answer turn out wrong. Let's cope with that. Note
1384 * that this approach will fail if we ever replace tls->ssl's BIOs with
1385 * buffering bios for reasons of our own. As an alternative, we could
1386 * save the original BIO for tls->ssl in the tor_tls_t structure, but
1387 * that would be tempting fate. */
1393 /* We are ok with letting these unsigned ints go "negative" here:
1394 * If we wrapped around, this should still give us the right answer, unless
1395 * we wrapped around by more than ULONG_MAX since the last time we called
1396 * this function.
1397 */
1404 }
1407 }
1409 /** Implement check_no_tls_errors: If there are any pending OpenSSL
1410 * errors, log an error message. */
1411 void
1413 {
1419 }
1421 /** Return true iff the initial TLS connection at <b>tls</b> did not use a v2
1422 * TLS handshake. Output is undefined if the handshake isn't finished. */
1423 int
1425 {
1427 #ifdef V2_HANDSHAKE_SERVER
1429 #endif
1431 #ifdef V2_HANDSHAKE_CLIENT
1433 #endif
1434 }
1436 }
1438 /** Examine the amount of memory used and available for buffers in <b>tls</b>.
1439 * Set *<b>rbuf_capacity</b> to the amount of storage allocated for the read
1440 * buffer and *<b>rbuf_bytes</b> to the amount actually used.
1441 * Set *<b>wbuf_capacity</b> to the amount of storage allocated for the write
1442 * buffer and *<b>wbuf_bytes</b> to the amount actually used. */
1443 void
1447 {
1450 else
1454 else
1458 }