tortls.c 79 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311131213131314131513161317131813191320132113221323132413251326132713281329133013311332133313341335133613371338133913401341134213431344134513461347134813491350135113521353135413551356135713581359136013611362136313641365136613671368136913701371137213731374137513761377137813791380138113821383138413851386138713881389139013911392139313941395139613971398139914001401140214031404140514061407140814091410141114121413141414151416141714181419142014211422142314241425142614271428142914301431143214331434143514361437143814391440144114421443144414451446144714481449145014511452145314541455145614571458145914601461146214631464146514661467146814691470147114721473147414751476147714781479148014811482148314841485148614871488148914901491149214931494149514961497149814991500150115021503150415051506150715081509151015111512151315141515151615171518151915201521152215231524152515261527152815291530153115321533153415351536153715381539154015411542154315441545154615471548154915501551155215531554155515561557155815591560156115621563156415651566156715681569157015711572157315741575157615771578157915801581158215831584158515861587158815891590159115921593159415951596159715981599160016011602160316041605160616071608160916101611161216131614161516161617161816191620162116221623162416251626162716281629163016311632163316341635163616371638163916401641164216431644164516461647164816491650165116521653165416551656165716581659166016611662166316641665166616671668166916701671167216731674167516761677167816791680168116821683168416851686168716881689169016911692169316941695169616971698169917001701170217031704170517061707170817091710171117121713171417151716171717181719172017211722172317241725172617271728172917301731173217331734173517361737173817391740174117421743174417451746174717481749175017511752175317541755175617571758175917601761176217631764176517661767176817691770177117721773177417751776177717781779178017811782178317841785178617871788178917901791179217931794179517961797179817991800180118021803180418051806180718081809181018111812181318141815181618171818181918201821182218231824182518261827182818291830183118321833183418351836183718381839184018411842184318441845184618471848184918501851185218531854185518561857185818591860186118621863186418651866186718681869187018711872187318741875187618771878187918801881188218831884188518861887188818891890189118921893189418951896189718981899190019011902190319041905190619071908190919101911191219131914191519161917191819191920192119221923192419251926192719281929193019311932193319341935193619371938193919401941194219431944194519461947194819491950195119521953195419551956195719581959196019611962196319641965196619671968196919701971197219731974197519761977197819791980198119821983198419851986198719881989199019911992199319941995199619971998199920002001200220032004200520062007200820092010201120122013201420152016201720182019202020212022202320242025202620272028202920302031203220332034203520362037203820392040204120422043204420452046204720482049205020512052205320542055205620572058205920602061206220632064206520662067206820692070207120722073207420752076207720782079208020812082208320842085208620872088208920902091209220932094209520962097209820992100210121022103210421052106210721082109211021112112211321142115211621172118211921202121212221232124212521262127212821292130213121322133213421352136213721382139214021412142214321442145214621472148214921502151215221532154215521562157215821592160216121622163216421652166216721682169217021712172217321742175217621772178217921802181218221832184218521862187218821892190219121922193219421952196219721982199220022012202220322042205220622072208220922102211221222132214221522162217221822192220222122222223222422252226222722282229223022312232223322342235223622372238223922402241224222432244224522462247224822492250225122522253225422552256225722582259226022612262226322642265226622672268226922702271227222732274227522762277227822792280228122822283228422852286228722882289229022912292229322942295229622972298229923002301230223032304230523062307230823092310231123122313231423152316231723182319232023212322232323242325232623272328232923302331233223332334233523362337233823392340234123422343234423452346234723482349235023512352235323542355235623572358235923602361236223632364236523662367236823692370237123722373237423752376237723782379238023812382238323842385238623872388238923902391239223932394239523962397239823992400240124022403240424052406240724082409241024112412241324142415241624172418241924202421242224232424242524262427242824292430243124322433243424352436243724382439244024412442244324442445244624472448244924502451245224532454245524562457245824592460246124622463246424652466246724682469247024712472247324742475247624772478247924802481248224832484248524862487248824892490249124922493249424952496249724982499250025012502250325042505250625072508250925102511251225132514251525162517251825192520252125222523252425252526252725282529253025312532253325342535253625372538253925402541254225432544254525462547254825492550255125522553255425552556255725582559256025612562256325642565256625672568256925702571257225732574257525762577257825792580258125822583258425852586
  1. /* Copyright (c) 2003, Roger Dingledine.
  2. * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
  3. * Copyright (c) 2007-2016, The Tor Project, Inc. */
  4. /* See LICENSE for licensing information */
  5. /**
  6. * \file tortls.c
  7. * \brief Wrapper functions to present a consistent interface to
  8. * TLS, SSL, and X.509 functions from OpenSSL.
  9. **/
  10. /* (Unlike other tor functions, these
  11. * are prefixed with tor_ in order to avoid conflicting with OpenSSL
  12. * functions and variables.)
  13. */
  14. #include "orconfig.h"
  15. #define TORTLS_PRIVATE
  16. #include <assert.h>
  17. #ifdef _WIN32 /*wrkard for dtls1.h >= 0.9.8m of "#include <winsock.h>"*/
  18. #include <winsock2.h>
  19. #include <ws2tcpip.h>
  20. #endif
  21. #include "compat.h"
  22. /* Some versions of OpenSSL declare SSL_get_selected_srtp_profile twice in
  23. * srtp.h. Suppress the GCC warning so we can build with -Wredundant-decl. */
  24. DISABLE_GCC_WARNING(redundant-decls)
  25. #include <openssl/opensslv.h>
  26. #include "crypto.h"
  27. #ifdef OPENSSL_NO_EC
  28. #error "We require OpenSSL with ECC support"
  29. #endif
  30. #include <openssl/ssl.h>
  31. #include <openssl/ssl3.h>
  32. #include <openssl/err.h>
  33. #include <openssl/tls1.h>
  34. #include <openssl/asn1.h>
  35. #include <openssl/bio.h>
  36. #include <openssl/bn.h>
  37. #include <openssl/rsa.h>
  38. ENABLE_GCC_WARNING(redundant-decls)
  39. #ifdef USE_BUFFEREVENTS
  40. #include <event2/bufferevent_ssl.h>
  41. #include <event2/buffer.h>
  42. #include <event2/event.h>
  43. #include "compat_libevent.h"
  44. #endif
  45. #define TORTLS_PRIVATE
  46. #include "tortls.h"
  47. #include "util.h"
  48. #include "torlog.h"
  49. #include "container.h"
  50. #include <string.h>
  51. #define X509_get_notBefore_const(cert) \
  52. ((const ASN1_TIME*) X509_get_notBefore((X509 *)cert))
  53. #define X509_get_notAfter_const(cert) \
  54. ((const ASN1_TIME*) X509_get_notAfter((X509 *)cert))
  55. /* Copied from or.h */
  56. #define LEGAL_NICKNAME_CHARACTERS \
  57. "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
  58. /** How long do identity certificates live? (sec) */
  59. #define IDENTITY_CERT_LIFETIME (365*24*60*60)
  60. #define ADDR(tls) (((tls) && (tls)->address) ? tls->address : "peer")
  61. #if OPENSSL_VERSION_NUMBER < OPENSSL_V(1,0,0,'f')
  62. /* This is a version of OpenSSL before 1.0.0f. It does not have
  63. * the CVE-2011-4576 fix, and as such it can't use RELEASE_BUFFERS and
  64. * SSL3 safely at the same time.
  65. */
  66. #define DISABLE_SSL3_HANDSHAKE
  67. #endif
  68. /* We redefine these so that we can run correctly even if the vendor gives us
  69. * a version of OpenSSL that does not match its header files. (Apple: I am
  70. * looking at you.)
  71. */
  72. #ifndef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
  73. #define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0x00040000L
  74. #endif
  75. #ifndef SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
  76. #define SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0x0010
  77. #endif
  78. /** Return values for tor_tls_classify_client_ciphers.
  79. *
  80. * @{
  81. */
  82. /** An error occurred when examining the client ciphers */
  83. #define CIPHERS_ERR -1
  84. /** The client cipher list indicates that a v1 handshake was in use. */
  85. #define CIPHERS_V1 1
  86. /** The client cipher list indicates that the client is using the v2 or the
  87. * v3 handshake, but that it is (probably!) lying about what ciphers it
  88. * supports */
  89. #define CIPHERS_V2 2
  90. /** The client cipher list indicates that the client is using the v2 or the
  91. * v3 handshake, and that it is telling the truth about what ciphers it
  92. * supports */
  93. #define CIPHERS_UNRESTRICTED 3
  94. /** @} */
  95. /** The ex_data index in which we store a pointer to an SSL object's
  96. * corresponding tor_tls_t object. */
  97. STATIC int tor_tls_object_ex_data_index = -1;
  98. /** Helper: Allocate tor_tls_object_ex_data_index. */
  99. STATIC void
  100. tor_tls_allocate_tor_tls_object_ex_data_index(void)
  101. {
  102. if (tor_tls_object_ex_data_index == -1) {
  103. tor_tls_object_ex_data_index =
  104. SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
  105. tor_assert(tor_tls_object_ex_data_index != -1);
  106. }
  107. }
  108. /** Helper: given a SSL* pointer, return the tor_tls_t object using that
  109. * pointer. */
  110. STATIC inline tor_tls_t *
  111. tor_tls_get_by_ssl(const SSL *ssl)
  112. {
  113. tor_tls_t *result = SSL_get_ex_data(ssl, tor_tls_object_ex_data_index);
  114. if (result)
  115. tor_assert(result->magic == TOR_TLS_MAGIC);
  116. return result;
  117. }
  118. static void tor_tls_context_decref(tor_tls_context_t *ctx);
  119. static void tor_tls_context_incref(tor_tls_context_t *ctx);
  120. static int check_cert_lifetime_internal(int severity, const X509 *cert,
  121. int past_tolerance, int future_tolerance);
  122. /** Global TLS contexts. We keep them here because nobody else needs
  123. * to touch them.
  124. *
  125. * @{ */
  126. STATIC tor_tls_context_t *server_tls_context = NULL;
  127. STATIC tor_tls_context_t *client_tls_context = NULL;
  128. /**@}*/
  129. /** True iff tor_tls_init() has been called. */
  130. static int tls_library_is_initialized = 0;
  131. /* Module-internal error codes. */
  132. #define TOR_TLS_SYSCALL_ (MIN_TOR_TLS_ERROR_VAL_ - 2)
  133. #define TOR_TLS_ZERORETURN_ (MIN_TOR_TLS_ERROR_VAL_ - 1)
  134. /** Write a description of the current state of <b>tls</b> into the
  135. * <b>sz</b>-byte buffer at <b>buf</b>. */
  136. void
  137. tor_tls_get_state_description(tor_tls_t *tls, char *buf, size_t sz)
  138. {
  139. const char *ssl_state;
  140. const char *tortls_state;
  141. if (PREDICT_UNLIKELY(!tls || !tls->ssl)) {
  142. strlcpy(buf, "(No SSL object)", sz);
  143. return;
  144. }
  145. ssl_state = SSL_state_string_long(tls->ssl);
  146. switch (tls->state) {
  147. #define CASE(st) case TOR_TLS_ST_##st: tortls_state = " in "#st ; break
  148. CASE(HANDSHAKE);
  149. CASE(OPEN);
  150. CASE(GOTCLOSE);
  151. CASE(SENTCLOSE);
  152. CASE(CLOSED);
  153. CASE(RENEGOTIATE);
  154. #undef CASE
  155. case TOR_TLS_ST_BUFFEREVENT:
  156. tortls_state = "";
  157. break;
  158. default:
  159. tortls_state = " in unknown TLS state";
  160. break;
  161. }
  162. tor_snprintf(buf, sz, "%s%s", ssl_state, tortls_state);
  163. }
  164. /** Log a single error <b>err</b> as returned by ERR_get_error(), which was
  165. * received while performing an operation <b>doing</b> on <b>tls</b>. Log
  166. * the message at <b>severity</b>, in log domain <b>domain</b>. */
  167. void
  168. tor_tls_log_one_error(tor_tls_t *tls, unsigned long err,
  169. int severity, int domain, const char *doing)
  170. {
  171. const char *state = NULL, *addr;
  172. const char *msg, *lib, *func;
  173. state = (tls && tls->ssl)?SSL_state_string_long(tls->ssl):"---";
  174. addr = tls ? tls->address : NULL;
  175. /* Some errors are known-benign, meaning they are the fault of the other
  176. * side of the connection. The caller doesn't know this, so override the
  177. * priority for those cases. */
  178. switch (ERR_GET_REASON(err)) {
  179. case SSL_R_HTTP_REQUEST:
  180. case SSL_R_HTTPS_PROXY_REQUEST:
  181. case SSL_R_RECORD_LENGTH_MISMATCH:
  182. #ifndef OPENSSL_1_1_API
  183. case SSL_R_RECORD_TOO_LARGE:
  184. #endif
  185. case SSL_R_UNKNOWN_PROTOCOL:
  186. case SSL_R_UNSUPPORTED_PROTOCOL:
  187. severity = LOG_INFO;
  188. break;
  189. default:
  190. break;
  191. }
  192. msg = (const char*)ERR_reason_error_string(err);
  193. lib = (const char*)ERR_lib_error_string(err);
  194. func = (const char*)ERR_func_error_string(err);
  195. if (!msg) msg = "(null)";
  196. if (!lib) lib = "(null)";
  197. if (!func) func = "(null)";
  198. if (doing) {
  199. tor_log(severity, domain, "TLS error while %s%s%s: %s (in %s:%s:%s)",
  200. doing, addr?" with ":"", addr?addr:"",
  201. msg, lib, func, state);
  202. } else {
  203. tor_log(severity, domain, "TLS error%s%s: %s (in %s:%s:%s)",
  204. addr?" with ":"", addr?addr:"",
  205. msg, lib, func, state);
  206. }
  207. }
  208. /** Log all pending tls errors at level <b>severity</b> in log domain
  209. * <b>domain</b>. Use <b>doing</b> to describe our current activities.
  210. */
  211. STATIC void
  212. tls_log_errors(tor_tls_t *tls, int severity, int domain, const char *doing)
  213. {
  214. unsigned long err;
  215. while ((err = ERR_get_error()) != 0) {
  216. tor_tls_log_one_error(tls, err, severity, domain, doing);
  217. }
  218. }
  219. /** Convert an errno (or a WSAerrno on windows) into a TOR_TLS_* error
  220. * code. */
  221. STATIC int
  222. tor_errno_to_tls_error(int e)
  223. {
  224. switch (e) {
  225. case SOCK_ERRNO(ECONNRESET): // most common
  226. return TOR_TLS_ERROR_CONNRESET;
  227. case SOCK_ERRNO(ETIMEDOUT):
  228. return TOR_TLS_ERROR_TIMEOUT;
  229. case SOCK_ERRNO(EHOSTUNREACH):
  230. case SOCK_ERRNO(ENETUNREACH):
  231. return TOR_TLS_ERROR_NO_ROUTE;
  232. case SOCK_ERRNO(ECONNREFUSED):
  233. return TOR_TLS_ERROR_CONNREFUSED; // least common
  234. default:
  235. return TOR_TLS_ERROR_MISC;
  236. }
  237. }
  238. /** Given a TOR_TLS_* error code, return a string equivalent. */
  239. const char *
  240. tor_tls_err_to_string(int err)
  241. {
  242. if (err >= 0)
  243. return "[Not an error.]";
  244. switch (err) {
  245. case TOR_TLS_ERROR_MISC: return "misc error";
  246. case TOR_TLS_ERROR_IO: return "unexpected close";
  247. case TOR_TLS_ERROR_CONNREFUSED: return "connection refused";
  248. case TOR_TLS_ERROR_CONNRESET: return "connection reset";
  249. case TOR_TLS_ERROR_NO_ROUTE: return "host unreachable";
  250. case TOR_TLS_ERROR_TIMEOUT: return "connection timed out";
  251. case TOR_TLS_CLOSE: return "closed";
  252. case TOR_TLS_WANTREAD: return "want to read";
  253. case TOR_TLS_WANTWRITE: return "want to write";
  254. default: return "(unknown error code)";
  255. }
  256. }
  257. #define CATCH_SYSCALL 1
  258. #define CATCH_ZERO 2
  259. /** Given a TLS object and the result of an SSL_* call, use
  260. * SSL_get_error to determine whether an error has occurred, and if so
  261. * which one. Return one of TOR_TLS_{DONE|WANTREAD|WANTWRITE|ERROR}.
  262. * If extra&CATCH_SYSCALL is true, return TOR_TLS_SYSCALL_ instead of
  263. * reporting syscall errors. If extra&CATCH_ZERO is true, return
  264. * TOR_TLS_ZERORETURN_ instead of reporting zero-return errors.
  265. *
  266. * If an error has occurred, log it at level <b>severity</b> and describe the
  267. * current action as <b>doing</b>.
  268. */
  269. STATIC int
  270. tor_tls_get_error(tor_tls_t *tls, int r, int extra,
  271. const char *doing, int severity, int domain)
  272. {
  273. int err = SSL_get_error(tls->ssl, r);
  274. int tor_error = TOR_TLS_ERROR_MISC;
  275. switch (err) {
  276. case SSL_ERROR_NONE:
  277. return TOR_TLS_DONE;
  278. case SSL_ERROR_WANT_READ:
  279. return TOR_TLS_WANTREAD;
  280. case SSL_ERROR_WANT_WRITE:
  281. return TOR_TLS_WANTWRITE;
  282. case SSL_ERROR_SYSCALL:
  283. if (extra&CATCH_SYSCALL)
  284. return TOR_TLS_SYSCALL_;
  285. if (r == 0) {
  286. tor_log(severity, LD_NET, "TLS error: unexpected close while %s (%s)",
  287. doing, SSL_state_string_long(tls->ssl));
  288. tor_error = TOR_TLS_ERROR_IO;
  289. } else {
  290. int e = tor_socket_errno(tls->socket);
  291. tor_log(severity, LD_NET,
  292. "TLS error: <syscall error while %s> (errno=%d: %s; state=%s)",
  293. doing, e, tor_socket_strerror(e),
  294. SSL_state_string_long(tls->ssl));
  295. tor_error = tor_errno_to_tls_error(e);
  296. }
  297. tls_log_errors(tls, severity, domain, doing);
  298. return tor_error;
  299. case SSL_ERROR_ZERO_RETURN:
  300. if (extra&CATCH_ZERO)
  301. return TOR_TLS_ZERORETURN_;
  302. tor_log(severity, LD_NET, "TLS connection closed while %s in state %s",
  303. doing, SSL_state_string_long(tls->ssl));
  304. tls_log_errors(tls, severity, domain, doing);
  305. return TOR_TLS_CLOSE;
  306. default:
  307. tls_log_errors(tls, severity, domain, doing);
  308. return TOR_TLS_ERROR_MISC;
  309. }
  310. }
  311. /** Initialize OpenSSL, unless it has already been initialized.
  312. */
  313. static void
  314. tor_tls_init(void)
  315. {
  316. check_no_tls_errors();
  317. if (!tls_library_is_initialized) {
  318. SSL_library_init();
  319. SSL_load_error_strings();
  320. #if (SIZEOF_VOID_P >= 8 && \
  321. OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,0,1))
  322. long version = OpenSSL_version_num();
  323. /* LCOV_EXCL_START : we can't test these lines on the same machine */
  324. if (version >= OPENSSL_V_SERIES(1,0,1)) {
  325. /* Warn if we could *almost* be running with much faster ECDH.
  326. If we're built for a 64-bit target, using OpenSSL 1.0.1, but we
  327. don't have one of the built-in __uint128-based speedups, we are
  328. just one build operation away from an accelerated handshake.
  329. (We could be looking at OPENSSL_NO_EC_NISTP_64_GCC_128 instead of
  330. doing this test, but that gives compile-time options, not runtime
  331. behavior.)
  332. */
  333. EC_KEY *key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
  334. const EC_GROUP *g = key ? EC_KEY_get0_group(key) : NULL;
  335. const EC_METHOD *m = g ? EC_GROUP_method_of(g) : NULL;
  336. const int warn = (m == EC_GFp_simple_method() ||
  337. m == EC_GFp_mont_method() ||
  338. m == EC_GFp_nist_method());
  339. EC_KEY_free(key);
  340. if (warn)
  341. log_notice(LD_GENERAL, "We were built to run on a 64-bit CPU, with "
  342. "OpenSSL 1.0.1 or later, but with a version of OpenSSL "
  343. "that apparently lacks accelerated support for the NIST "
  344. "P-224 and P-256 groups. Building openssl with such "
  345. "support (using the enable-ec_nistp_64_gcc_128 option "
  346. "when configuring it) would make ECDH much faster.");
  347. }
  348. /* LCOV_EXCL_STOP */
  349. #endif
  350. tor_tls_allocate_tor_tls_object_ex_data_index();
  351. tls_library_is_initialized = 1;
  352. }
  353. }
  354. /** Free all global TLS structures. */
  355. void
  356. tor_tls_free_all(void)
  357. {
  358. check_no_tls_errors();
  359. if (server_tls_context) {
  360. tor_tls_context_t *ctx = server_tls_context;
  361. server_tls_context = NULL;
  362. tor_tls_context_decref(ctx);
  363. }
  364. if (client_tls_context) {
  365. tor_tls_context_t *ctx = client_tls_context;
  366. client_tls_context = NULL;
  367. tor_tls_context_decref(ctx);
  368. }
  369. }
  370. /** We need to give OpenSSL a callback to verify certificates. This is
  371. * it: We always accept peer certs and complete the handshake. We
  372. * don't validate them until later.
  373. */
  374. STATIC int
  375. always_accept_verify_cb(int preverify_ok,
  376. X509_STORE_CTX *x509_ctx)
  377. {
  378. (void) preverify_ok;
  379. (void) x509_ctx;
  380. return 1;
  381. }
  382. /** Return a newly allocated X509 name with commonName <b>cname</b>. */
  383. static X509_NAME *
  384. tor_x509_name_new(const char *cname)
  385. {
  386. int nid;
  387. X509_NAME *name;
  388. /* LCOV_EXCL_BR_START : these branches will only fail on OOM errors */
  389. if (!(name = X509_NAME_new()))
  390. return NULL;
  391. if ((nid = OBJ_txt2nid("commonName")) == NID_undef) goto error;
  392. if (!(X509_NAME_add_entry_by_NID(name, nid, MBSTRING_ASC,
  393. (unsigned char*)cname, -1, -1, 0)))
  394. goto error;
  395. /* LCOV_EXCL_BR_STOP */
  396. return name;
  397. error:
  398. /* LCOV_EXCL_START : these lines will only execute on out of memory errors*/
  399. X509_NAME_free(name);
  400. return NULL;
  401. /* LCOV_EXCL_STOP */
  402. }
  403. /** Generate and sign an X509 certificate with the public key <b>rsa</b>,
  404. * signed by the private key <b>rsa_sign</b>. The commonName of the
  405. * certificate will be <b>cname</b>; the commonName of the issuer will be
  406. * <b>cname_sign</b>. The cert will be valid for <b>cert_lifetime</b>
  407. * seconds, starting from some time in the past.
  408. *
  409. * Return a certificate on success, NULL on failure.
  410. */
  411. MOCK_IMPL(STATIC X509 *,
  412. tor_tls_create_certificate,(crypto_pk_t *rsa,
  413. crypto_pk_t *rsa_sign,
  414. const char *cname,
  415. const char *cname_sign,
  416. unsigned int cert_lifetime))
  417. {
  418. /* OpenSSL generates self-signed certificates with random 64-bit serial
  419. * numbers, so let's do that too. */
  420. #define SERIAL_NUMBER_SIZE 8
  421. time_t start_time, end_time;
  422. BIGNUM *serial_number = NULL;
  423. unsigned char serial_tmp[SERIAL_NUMBER_SIZE];
  424. EVP_PKEY *sign_pkey = NULL, *pkey=NULL;
  425. X509 *x509 = NULL;
  426. X509_NAME *name = NULL, *name_issuer=NULL;
  427. tor_tls_init();
  428. /* Make sure we're part-way through the certificate lifetime, rather
  429. * than having it start right now. Don't choose quite uniformly, since
  430. * then we might pick a time where we're about to expire. Lastly, be
  431. * sure to start on a day boundary. */
  432. time_t now = time(NULL);
  433. start_time = crypto_rand_time_range(now - cert_lifetime, now) + 2*24*3600;
  434. start_time -= start_time % (24*3600);
  435. tor_assert(rsa);
  436. tor_assert(cname);
  437. tor_assert(rsa_sign);
  438. tor_assert(cname_sign);
  439. if (!(sign_pkey = crypto_pk_get_evp_pkey_(rsa_sign,1)))
  440. goto error;
  441. if (!(pkey = crypto_pk_get_evp_pkey_(rsa,0)))
  442. goto error;
  443. if (!(x509 = X509_new()))
  444. goto error;
  445. if (!(X509_set_version(x509, 2)))
  446. goto error;
  447. { /* our serial number is 8 random bytes. */
  448. crypto_rand((char *)serial_tmp, sizeof(serial_tmp));
  449. if (!(serial_number = BN_bin2bn(serial_tmp, sizeof(serial_tmp), NULL)))
  450. goto error;
  451. if (!(BN_to_ASN1_INTEGER(serial_number, X509_get_serialNumber(x509))))
  452. goto error;
  453. }
  454. if (!(name = tor_x509_name_new(cname)))
  455. goto error;
  456. if (!(X509_set_subject_name(x509, name)))
  457. goto error;
  458. if (!(name_issuer = tor_x509_name_new(cname_sign)))
  459. goto error;
  460. if (!(X509_set_issuer_name(x509, name_issuer)))
  461. goto error;
  462. if (!X509_time_adj(X509_get_notBefore(x509),0,&start_time))
  463. goto error;
  464. end_time = start_time + cert_lifetime;
  465. if (!X509_time_adj(X509_get_notAfter(x509),0,&end_time))
  466. goto error;
  467. if (!X509_set_pubkey(x509, pkey))
  468. goto error;
  469. if (!X509_sign(x509, sign_pkey, EVP_sha1()))
  470. goto error;
  471. goto done;
  472. error:
  473. if (x509) {
  474. X509_free(x509);
  475. x509 = NULL;
  476. }
  477. done:
  478. tls_log_errors(NULL, LOG_WARN, LD_NET, "generating certificate");
  479. if (sign_pkey)
  480. EVP_PKEY_free(sign_pkey);
  481. if (pkey)
  482. EVP_PKEY_free(pkey);
  483. if (serial_number)
  484. BN_clear_free(serial_number);
  485. if (name)
  486. X509_NAME_free(name);
  487. if (name_issuer)
  488. X509_NAME_free(name_issuer);
  489. return x509;
  490. #undef SERIAL_NUMBER_SIZE
  491. }
  492. /** List of ciphers that servers should select from when the client might be
  493. * claiming extra unsupported ciphers in order to avoid fingerprinting. */
  494. #define SERVER_CIPHER_LIST \
  495. (TLS1_TXT_DHE_RSA_WITH_AES_256_SHA ":" \
  496. TLS1_TXT_DHE_RSA_WITH_AES_128_SHA ":" \
  497. SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA)
  498. /** List of ciphers that servers should select from when we actually have
  499. * our choice of what cipher to use. */
  500. static const char UNRESTRICTED_SERVER_CIPHER_LIST[] =
  501. /* This list is autogenerated with the gen_server_ciphers.py script;
  502. * don't hand-edit it. */
  503. #ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  504. TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ":"
  505. #endif
  506. #ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  507. TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
  508. #endif
  509. #ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384
  510. TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384 ":"
  511. #endif
  512. #ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256
  513. TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256 ":"
  514. #endif
  515. #ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA
  516. TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA ":"
  517. #endif
  518. #ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA
  519. TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA ":"
  520. #endif
  521. #ifdef TLS1_TXT_DHE_RSA_WITH_AES_256_GCM_SHA384
  522. TLS1_TXT_DHE_RSA_WITH_AES_256_GCM_SHA384 ":"
  523. #endif
  524. #ifdef TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256
  525. TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256 ":"
  526. #endif
  527. #ifdef TLS1_TXT_DHE_RSA_WITH_AES_256_SHA256
  528. TLS1_TXT_DHE_RSA_WITH_AES_256_SHA256 ":"
  529. #endif
  530. #ifdef TLS1_TXT_DHE_RSA_WITH_AES_128_SHA256
  531. TLS1_TXT_DHE_RSA_WITH_AES_128_SHA256 ":"
  532. #endif
  533. /* Required */
  534. TLS1_TXT_DHE_RSA_WITH_AES_256_SHA ":"
  535. /* Required */
  536. TLS1_TXT_DHE_RSA_WITH_AES_128_SHA ":"
  537. #ifdef TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA
  538. TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA ":"
  539. #endif
  540. /* Required */
  541. SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA;
  542. /* Note: to set up your own private testing network with link crypto
  543. * disabled, set your Tors' cipher list to
  544. * (SSL3_TXT_RSA_NULL_SHA). If you do this, you won't be able to communicate
  545. * with any of the "real" Tors, though. */
  546. #define CIPHER(id, name) name ":"
  547. #define XCIPHER(id, name)
  548. /** List of ciphers that clients should advertise, omitting items that
  549. * our OpenSSL doesn't know about. */
  550. static const char CLIENT_CIPHER_LIST[] =
  551. #include "ciphers.inc"
  552. /* Tell it not to use SSLv2 ciphers, so that it can select an SSLv3 version
  553. * of any cipher we say. */
  554. "!SSLv2"
  555. ;
  556. #undef CIPHER
  557. #undef XCIPHER
  558. /** Free all storage held in <b>cert</b> */
  559. void
  560. tor_x509_cert_free(tor_x509_cert_t *cert)
  561. {
  562. if (! cert)
  563. return;
  564. if (cert->cert)
  565. X509_free(cert->cert);
  566. tor_free(cert->encoded);
  567. memwipe(cert, 0x03, sizeof(*cert));
  568. /* LCOV_EXCL_BR_START since cert will never be NULL here */
  569. tor_free(cert);
  570. /* LCOV_EXCL_BR_STOP */
  571. }
  572. /**
  573. * Allocate a new tor_x509_cert_t to hold the certificate "x509_cert".
  574. *
  575. * Steals a reference to x509_cert.
  576. */
  577. MOCK_IMPL(STATIC tor_x509_cert_t *,
  578. tor_x509_cert_new,(X509 *x509_cert))
  579. {
  580. tor_x509_cert_t *cert;
  581. EVP_PKEY *pkey;
  582. RSA *rsa;
  583. int length;
  584. unsigned char *buf = NULL;
  585. if (!x509_cert)
  586. return NULL;
  587. length = i2d_X509(x509_cert, &buf);
  588. cert = tor_malloc_zero(sizeof(tor_x509_cert_t));
  589. if (length <= 0 || buf == NULL) {
  590. /* LCOV_EXCL_START for the same reason as the exclusion above */
  591. tor_free(cert);
  592. log_err(LD_CRYPTO, "Couldn't get length of encoded x509 certificate");
  593. X509_free(x509_cert);
  594. return NULL;
  595. /* LCOV_EXCL_STOP */
  596. }
  597. cert->encoded_len = (size_t) length;
  598. cert->encoded = tor_malloc(length);
  599. memcpy(cert->encoded, buf, length);
  600. OPENSSL_free(buf);
  601. cert->cert = x509_cert;
  602. crypto_common_digests(&cert->cert_digests,
  603. (char*)cert->encoded, cert->encoded_len);
  604. if ((pkey = X509_get_pubkey(x509_cert)) &&
  605. (rsa = EVP_PKEY_get1_RSA(pkey))) {
  606. crypto_pk_t *pk = crypto_new_pk_from_rsa_(rsa);
  607. crypto_pk_get_common_digests(pk, &cert->pkey_digests);
  608. cert->pkey_digests_set = 1;
  609. crypto_pk_free(pk);
  610. EVP_PKEY_free(pkey);
  611. }
  612. return cert;
  613. }
  614. /** Read a DER-encoded X509 cert, of length exactly <b>certificate_len</b>,
  615. * from a <b>certificate</b>. Return a newly allocated tor_x509_cert_t on
  616. * success and NULL on failure. */
  617. tor_x509_cert_t *
  618. tor_x509_cert_decode(const uint8_t *certificate, size_t certificate_len)
  619. {
  620. X509 *x509;
  621. const unsigned char *cp = (const unsigned char *)certificate;
  622. tor_x509_cert_t *newcert;
  623. tor_assert(certificate);
  624. check_no_tls_errors();
  625. if (certificate_len > INT_MAX)
  626. goto err;
  627. x509 = d2i_X509(NULL, &cp, (int)certificate_len);
  628. if (!x509)
  629. goto err; /* Couldn't decode */
  630. if (cp - certificate != (int)certificate_len) {
  631. X509_free(x509);
  632. goto err; /* Didn't use all the bytes */
  633. }
  634. newcert = tor_x509_cert_new(x509);
  635. if (!newcert) {
  636. goto err;
  637. }
  638. if (newcert->encoded_len != certificate_len ||
  639. fast_memneq(newcert->encoded, certificate, certificate_len)) {
  640. /* Cert wasn't in DER */
  641. tor_x509_cert_free(newcert);
  642. goto err;
  643. }
  644. return newcert;
  645. err:
  646. tls_log_errors(NULL, LOG_INFO, LD_CRYPTO, "decoding a certificate");
  647. return NULL;
  648. }
  649. /** Set *<b>encoded_out</b> and *<b>size_out</b> to <b>cert</b>'s encoded DER
  650. * representation and length, respectively. */
  651. void
  652. tor_x509_cert_get_der(const tor_x509_cert_t *cert,
  653. const uint8_t **encoded_out, size_t *size_out)
  654. {
  655. tor_assert(cert);
  656. tor_assert(encoded_out);
  657. tor_assert(size_out);
  658. *encoded_out = cert->encoded;
  659. *size_out = cert->encoded_len;
  660. }
  661. /** Return a set of digests for the public key in <b>cert</b>, or NULL if this
  662. * cert's public key is not one we know how to take the digest of. */
  663. const common_digests_t *
  664. tor_x509_cert_get_id_digests(const tor_x509_cert_t *cert)
  665. {
  666. if (cert->pkey_digests_set)
  667. return &cert->pkey_digests;
  668. else
  669. return NULL;
  670. }
  671. /** Return a set of digests for the public key in <b>cert</b>. */
  672. const common_digests_t *
  673. tor_x509_cert_get_cert_digests(const tor_x509_cert_t *cert)
  674. {
  675. return &cert->cert_digests;
  676. }
  677. /** Remove a reference to <b>ctx</b>, and free it if it has no more
  678. * references. */
  679. static void
  680. tor_tls_context_decref(tor_tls_context_t *ctx)
  681. {
  682. tor_assert(ctx);
  683. if (--ctx->refcnt == 0) {
  684. SSL_CTX_free(ctx->ctx);
  685. tor_x509_cert_free(ctx->my_link_cert);
  686. tor_x509_cert_free(ctx->my_id_cert);
  687. tor_x509_cert_free(ctx->my_auth_cert);
  688. crypto_pk_free(ctx->link_key);
  689. crypto_pk_free(ctx->auth_key);
  690. /* LCOV_EXCL_BR_START since ctx will never be NULL here */
  691. tor_free(ctx);
  692. /* LCOV_EXCL_BR_STOP */
  693. }
  694. }
  695. /** Set *<b>link_cert_out</b> and *<b>id_cert_out</b> to the link certificate
  696. * and ID certificate that we're currently using for our V3 in-protocol
  697. * handshake's certificate chain. If <b>server</b> is true, provide the certs
  698. * that we use in server mode; otherwise, provide the certs that we use in
  699. * client mode. */
  700. int
  701. tor_tls_get_my_certs(int server,
  702. const tor_x509_cert_t **link_cert_out,
  703. const tor_x509_cert_t **id_cert_out)
  704. {
  705. tor_tls_context_t *ctx = server ? server_tls_context : client_tls_context;
  706. if (! ctx)
  707. return -1;
  708. if (link_cert_out)
  709. *link_cert_out = server ? ctx->my_link_cert : ctx->my_auth_cert;
  710. if (id_cert_out)
  711. *id_cert_out = ctx->my_id_cert;
  712. return 0;
  713. }
  714. /**
  715. * Return the authentication key that we use to authenticate ourselves as a
  716. * client in the V3 in-protocol handshake.
  717. */
  718. crypto_pk_t *
  719. tor_tls_get_my_client_auth_key(void)
  720. {
  721. if (! client_tls_context)
  722. return NULL;
  723. return client_tls_context->auth_key;
  724. }
  725. /**
  726. * Return a newly allocated copy of the public key that a certificate
  727. * certifies. Return NULL if the cert's key is not RSA.
  728. */
  729. crypto_pk_t *
  730. tor_tls_cert_get_key(tor_x509_cert_t *cert)
  731. {
  732. crypto_pk_t *result = NULL;
  733. EVP_PKEY *pkey = X509_get_pubkey(cert->cert);
  734. RSA *rsa;
  735. if (!pkey)
  736. return NULL;
  737. rsa = EVP_PKEY_get1_RSA(pkey);
  738. if (!rsa) {
  739. EVP_PKEY_free(pkey);
  740. return NULL;
  741. }
  742. result = crypto_new_pk_from_rsa_(rsa);
  743. EVP_PKEY_free(pkey);
  744. return result;
  745. }
  746. /** Return true iff the other side of <b>tls</b> has authenticated to us, and
  747. * the key certified in <b>cert</b> is the same as the key they used to do it.
  748. */
  749. MOCK_IMPL(int,
  750. tor_tls_cert_matches_key,(const tor_tls_t *tls, const tor_x509_cert_t *cert))
  751. {
  752. X509 *peercert = SSL_get_peer_certificate(tls->ssl);
  753. EVP_PKEY *link_key = NULL, *cert_key = NULL;
  754. int result;
  755. if (!peercert)
  756. return 0;
  757. link_key = X509_get_pubkey(peercert);
  758. cert_key = X509_get_pubkey(cert->cert);
  759. result = link_key && cert_key && EVP_PKEY_cmp(cert_key, link_key) == 1;
  760. X509_free(peercert);
  761. if (link_key)
  762. EVP_PKEY_free(link_key);
  763. if (cert_key)
  764. EVP_PKEY_free(cert_key);
  765. return result;
  766. }
  767. /** Check whether <b>cert</b> is well-formed, currently live, and correctly
  768. * signed by the public key in <b>signing_cert</b>. If <b>check_rsa_1024</b>,
  769. * make sure that it has an RSA key with 1024 bits; otherwise, just check that
  770. * the key is long enough. Return 1 if the cert is good, and 0 if it's bad or
  771. * we couldn't check it. */
  772. int
  773. tor_tls_cert_is_valid(int severity,
  774. const tor_x509_cert_t *cert,
  775. const tor_x509_cert_t *signing_cert,
  776. int check_rsa_1024)
  777. {
  778. check_no_tls_errors();
  779. EVP_PKEY *cert_key;
  780. int r, key_ok = 0;
  781. if (!signing_cert || !cert)
  782. goto bad;
  783. EVP_PKEY *signing_key = X509_get_pubkey(signing_cert->cert);
  784. if (!signing_key)
  785. goto bad;
  786. r = X509_verify(cert->cert, signing_key);
  787. EVP_PKEY_free(signing_key);
  788. if (r <= 0)
  789. goto bad;
  790. /* okay, the signature checked out right. Now let's check the check the
  791. * lifetime. */
  792. if (check_cert_lifetime_internal(severity, cert->cert,
  793. 48*60*60, 30*24*60*60) < 0)
  794. goto bad;
  795. cert_key = X509_get_pubkey(cert->cert);
  796. if (check_rsa_1024 && cert_key) {
  797. RSA *rsa = EVP_PKEY_get1_RSA(cert_key);
  798. #ifdef OPENSSL_1_1_API
  799. if (rsa && RSA_bits(rsa) == 1024)
  800. #else
  801. if (rsa && BN_num_bits(rsa->n) == 1024)
  802. #endif
  803. key_ok = 1;
  804. if (rsa)
  805. RSA_free(rsa);
  806. } else if (cert_key) {
  807. int min_bits = 1024;
  808. #ifdef EVP_PKEY_EC
  809. if (EVP_PKEY_base_id(cert_key) == EVP_PKEY_EC)
  810. min_bits = 128;
  811. #endif
  812. if (EVP_PKEY_bits(cert_key) >= min_bits)
  813. key_ok = 1;
  814. }
  815. EVP_PKEY_free(cert_key);
  816. if (!key_ok)
  817. goto bad;
  818. /* XXXX compare DNs or anything? */
  819. return 1;
  820. bad:
  821. tls_log_errors(NULL, LOG_INFO, LD_CRYPTO, "checking a certificate");
  822. return 0;
  823. }
  824. /** Increase the reference count of <b>ctx</b>. */
  825. static void
  826. tor_tls_context_incref(tor_tls_context_t *ctx)
  827. {
  828. ++ctx->refcnt;
  829. }
  830. /** Create new global client and server TLS contexts.
  831. *
  832. * If <b>server_identity</b> is NULL, this will not generate a server
  833. * TLS context. If TOR_TLS_CTX_IS_PUBLIC_SERVER is set in <b>flags</b>, use
  834. * the same TLS context for incoming and outgoing connections, and
  835. * ignore <b>client_identity</b>. If one of TOR_TLS_CTX_USE_ECDHE_P{224,256}
  836. * is set in <b>flags</b>, use that ECDHE group if possible; otherwise use
  837. * the default ECDHE group. */
  838. int
  839. tor_tls_context_init(unsigned flags,
  840. crypto_pk_t *client_identity,
  841. crypto_pk_t *server_identity,
  842. unsigned int key_lifetime)
  843. {
  844. int rv1 = 0;
  845. int rv2 = 0;
  846. const int is_public_server = flags & TOR_TLS_CTX_IS_PUBLIC_SERVER;
  847. check_no_tls_errors();
  848. if (is_public_server) {
  849. tor_tls_context_t *new_ctx;
  850. tor_tls_context_t *old_ctx;
  851. tor_assert(server_identity != NULL);
  852. rv1 = tor_tls_context_init_one(&server_tls_context,
  853. server_identity,
  854. key_lifetime, flags, 0);
  855. if (rv1 >= 0) {
  856. new_ctx = server_tls_context;
  857. tor_tls_context_incref(new_ctx);
  858. old_ctx = client_tls_context;
  859. client_tls_context = new_ctx;
  860. if (old_ctx != NULL) {
  861. tor_tls_context_decref(old_ctx);
  862. }
  863. }
  864. } else {
  865. if (server_identity != NULL) {
  866. rv1 = tor_tls_context_init_one(&server_tls_context,
  867. server_identity,
  868. key_lifetime,
  869. flags,
  870. 0);
  871. } else {
  872. tor_tls_context_t *old_ctx = server_tls_context;
  873. server_tls_context = NULL;
  874. if (old_ctx != NULL) {
  875. tor_tls_context_decref(old_ctx);
  876. }
  877. }
  878. rv2 = tor_tls_context_init_one(&client_tls_context,
  879. client_identity,
  880. key_lifetime,
  881. flags,
  882. 1);
  883. }
  884. tls_log_errors(NULL, LOG_WARN, LD_CRYPTO, "constructing a TLS context");
  885. return MIN(rv1, rv2);
  886. }
  887. /** Create a new global TLS context.
  888. *
  889. * You can call this function multiple times. Each time you call it,
  890. * it generates new certificates; all new connections will use
  891. * the new SSL context.
  892. */
  893. STATIC int
  894. tor_tls_context_init_one(tor_tls_context_t **ppcontext,
  895. crypto_pk_t *identity,
  896. unsigned int key_lifetime,
  897. unsigned int flags,
  898. int is_client)
  899. {
  900. tor_tls_context_t *new_ctx = tor_tls_context_new(identity,
  901. key_lifetime,
  902. flags,
  903. is_client);
  904. tor_tls_context_t *old_ctx = *ppcontext;
  905. if (new_ctx != NULL) {
  906. *ppcontext = new_ctx;
  907. /* Free the old context if one existed. */
  908. if (old_ctx != NULL) {
  909. /* This is safe even if there are open connections: we reference-
  910. * count tor_tls_context_t objects. */
  911. tor_tls_context_decref(old_ctx);
  912. }
  913. }
  914. return ((new_ctx != NULL) ? 0 : -1);
  915. }
  916. /** The group we should use for ecdhe when none was selected. */
  917. #define NID_tor_default_ecdhe_group NID_X9_62_prime256v1
  918. /** Create a new TLS context for use with Tor TLS handshakes.
  919. * <b>identity</b> should be set to the identity key used to sign the
  920. * certificate.
  921. */
  922. STATIC tor_tls_context_t *
  923. tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime,
  924. unsigned flags, int is_client)
  925. {
  926. crypto_pk_t *rsa = NULL, *rsa_auth = NULL;
  927. EVP_PKEY *pkey = NULL;
  928. tor_tls_context_t *result = NULL;
  929. X509 *cert = NULL, *idcert = NULL, *authcert = NULL;
  930. char *nickname = NULL, *nn2 = NULL;
  931. tor_tls_init();
  932. nickname = crypto_random_hostname(8, 20, "www.", ".net");
  933. #ifdef DISABLE_V3_LINKPROTO_SERVERSIDE
  934. nn2 = crypto_random_hostname(8, 20, "www.", ".net");
  935. #else
  936. nn2 = crypto_random_hostname(8, 20, "www.", ".com");
  937. #endif
  938. /* Generate short-term RSA key for use with TLS. */
  939. if (!(rsa = crypto_pk_new()))
  940. goto error;
  941. if (crypto_pk_generate_key(rsa)<0)
  942. goto error;
  943. if (!is_client) {
  944. /* Generate short-term RSA key for use in the in-protocol ("v3")
  945. * authentication handshake. */
  946. if (!(rsa_auth = crypto_pk_new()))
  947. goto error;
  948. if (crypto_pk_generate_key(rsa_auth)<0)
  949. goto error;
  950. /* Create a link certificate signed by identity key. */
  951. cert = tor_tls_create_certificate(rsa, identity, nickname, nn2,
  952. key_lifetime);
  953. /* Create self-signed certificate for identity key. */
  954. idcert = tor_tls_create_certificate(identity, identity, nn2, nn2,
  955. IDENTITY_CERT_LIFETIME);
  956. /* Create an authentication certificate signed by identity key. */
  957. authcert = tor_tls_create_certificate(rsa_auth, identity, nickname, nn2,
  958. key_lifetime);
  959. if (!cert || !idcert || !authcert) {
  960. log_warn(LD_CRYPTO, "Error creating certificate");
  961. goto error;
  962. }
  963. }
  964. result = tor_malloc_zero(sizeof(tor_tls_context_t));
  965. result->refcnt = 1;
  966. if (!is_client) {
  967. result->my_link_cert = tor_x509_cert_new(X509_dup(cert));
  968. result->my_id_cert = tor_x509_cert_new(X509_dup(idcert));
  969. result->my_auth_cert = tor_x509_cert_new(X509_dup(authcert));
  970. if (!result->my_link_cert || !result->my_id_cert || !result->my_auth_cert)
  971. goto error;
  972. result->link_key = crypto_pk_dup_key(rsa);
  973. result->auth_key = crypto_pk_dup_key(rsa_auth);
  974. }
  975. #if 0
  976. /* Tell OpenSSL to only use TLS1. This may have subtly different results
  977. * from SSLv23_method() with SSLv2 and SSLv3 disabled, so we need to do some
  978. * investigation before we consider adjusting it. It should be compatible
  979. * with existing Tors. */
  980. if (!(result->ctx = SSL_CTX_new(TLSv1_method())))
  981. goto error;
  982. #endif
  983. /* Tell OpenSSL to use TLS 1.0 or later but not SSL2 or SSL3. */
  984. #ifdef HAVE_TLS_METHOD
  985. if (!(result->ctx = SSL_CTX_new(TLS_method())))
  986. goto error;
  987. #else
  988. if (!(result->ctx = SSL_CTX_new(SSLv23_method())))
  989. goto error;
  990. #endif
  991. SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv2);
  992. SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv3);
  993. /* Prefer the server's ordering of ciphers: the client's ordering has
  994. * historically been chosen for fingerprinting resistance. */
  995. SSL_CTX_set_options(result->ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
  996. /* Disable TLS tickets if they're supported. We never want to use them;
  997. * using them can make our perfect forward secrecy a little worse, *and*
  998. * create an opportunity to fingerprint us (since it's unusual to use them
  999. * with TLS sessions turned off).
  1000. *
  1001. * In 0.2.4, clients advertise support for them though, to avoid a TLS
  1002. * distinguishability vector. This can give us worse PFS, though, if we
  1003. * get a server that doesn't set SSL_OP_NO_TICKET. With luck, there will
  1004. * be few such servers by the time 0.2.4 is more stable.
  1005. */
  1006. #ifdef SSL_OP_NO_TICKET
  1007. if (! is_client) {
  1008. SSL_CTX_set_options(result->ctx, SSL_OP_NO_TICKET);
  1009. }
  1010. #endif
  1011. SSL_CTX_set_options(result->ctx, SSL_OP_SINGLE_DH_USE);
  1012. SSL_CTX_set_options(result->ctx, SSL_OP_SINGLE_ECDH_USE);
  1013. #ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
  1014. SSL_CTX_set_options(result->ctx,
  1015. SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
  1016. #endif
  1017. /* Yes, we know what we are doing here. No, we do not treat a renegotiation
  1018. * as authenticating any earlier-received data.
  1019. */
  1020. {
  1021. SSL_CTX_set_options(result->ctx,
  1022. SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
  1023. }
  1024. #ifdef SSL_OP_NO_COMPRESSION
  1025. SSL_CTX_set_options(result->ctx, SSL_OP_NO_COMPRESSION);
  1026. #endif
  1027. #if OPENSSL_VERSION_NUMBER < OPENSSL_V_SERIES(1,1,0)
  1028. #ifndef OPENSSL_NO_COMP
  1029. /* Don't actually allow compression; it uses ram and time, but the data
  1030. * we transmit is all encrypted anyway. */
  1031. if (result->ctx->comp_methods)
  1032. result->ctx->comp_methods = NULL;
  1033. #endif
  1034. #endif
  1035. #ifdef SSL_MODE_RELEASE_BUFFERS
  1036. SSL_CTX_set_mode(result->ctx, SSL_MODE_RELEASE_BUFFERS);
  1037. #endif
  1038. if (! is_client) {
  1039. if (cert && !SSL_CTX_use_certificate(result->ctx,cert))
  1040. goto error;
  1041. X509_free(cert); /* We just added a reference to cert. */
  1042. cert=NULL;
  1043. if (idcert) {
  1044. X509_STORE *s = SSL_CTX_get_cert_store(result->ctx);
  1045. tor_assert(s);
  1046. X509_STORE_add_cert(s, idcert);
  1047. X509_free(idcert); /* The context now owns the reference to idcert */
  1048. idcert = NULL;
  1049. }
  1050. }
  1051. SSL_CTX_set_session_cache_mode(result->ctx, SSL_SESS_CACHE_OFF);
  1052. if (!is_client) {
  1053. tor_assert(rsa);
  1054. if (!(pkey = crypto_pk_get_evp_pkey_(rsa,1)))
  1055. goto error;
  1056. if (!SSL_CTX_use_PrivateKey(result->ctx, pkey))
  1057. goto error;
  1058. EVP_PKEY_free(pkey);
  1059. pkey = NULL;
  1060. if (!SSL_CTX_check_private_key(result->ctx))
  1061. goto error;
  1062. }
  1063. {
  1064. crypto_dh_t *dh = crypto_dh_new(DH_TYPE_TLS);
  1065. tor_assert(dh);
  1066. SSL_CTX_set_tmp_dh(result->ctx, crypto_dh_get_dh_(dh));
  1067. crypto_dh_free(dh);
  1068. }
  1069. if (! is_client) {
  1070. int nid;
  1071. EC_KEY *ec_key;
  1072. if (flags & TOR_TLS_CTX_USE_ECDHE_P224)
  1073. nid = NID_secp224r1;
  1074. else if (flags & TOR_TLS_CTX_USE_ECDHE_P256)
  1075. nid = NID_X9_62_prime256v1;
  1076. else
  1077. nid = NID_tor_default_ecdhe_group;
  1078. /* Use P-256 for ECDHE. */
  1079. ec_key = EC_KEY_new_by_curve_name(nid);
  1080. if (ec_key != NULL) /*XXXX Handle errors? */
  1081. SSL_CTX_set_tmp_ecdh(result->ctx, ec_key);
  1082. EC_KEY_free(ec_key);
  1083. }
  1084. SSL_CTX_set_verify(result->ctx, SSL_VERIFY_PEER,
  1085. always_accept_verify_cb);
  1086. /* let us realloc bufs that we're writing from */
  1087. SSL_CTX_set_mode(result->ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
  1088. if (rsa)
  1089. crypto_pk_free(rsa);
  1090. if (rsa_auth)
  1091. crypto_pk_free(rsa_auth);
  1092. X509_free(authcert);
  1093. tor_free(nickname);
  1094. tor_free(nn2);
  1095. return result;
  1096. error:
  1097. tls_log_errors(NULL, LOG_WARN, LD_NET, "creating TLS context");
  1098. tor_free(nickname);
  1099. tor_free(nn2);
  1100. if (pkey)
  1101. EVP_PKEY_free(pkey);
  1102. if (rsa)
  1103. crypto_pk_free(rsa);
  1104. if (rsa_auth)
  1105. crypto_pk_free(rsa_auth);
  1106. if (result)
  1107. tor_tls_context_decref(result);
  1108. if (cert)
  1109. X509_free(cert);
  1110. if (idcert)
  1111. X509_free(idcert);
  1112. if (authcert)
  1113. X509_free(authcert);
  1114. return NULL;
  1115. }
  1116. /** Invoked when a TLS state changes: log the change at severity 'debug' */
  1117. STATIC void
  1118. tor_tls_debug_state_callback(const SSL *ssl, int type, int val)
  1119. {
  1120. /* LCOV_EXCL_START since this depends on whether debug is captured or not */
  1121. log_debug(LD_HANDSHAKE, "SSL %p is now in state %s [type=%d,val=%d].",
  1122. ssl, SSL_state_string_long(ssl), type, val);
  1123. /* LCOV_EXCL_STOP */
  1124. }
  1125. /* Return the name of the negotiated ciphersuite in use on <b>tls</b> */
  1126. const char *
  1127. tor_tls_get_ciphersuite_name(tor_tls_t *tls)
  1128. {
  1129. return SSL_get_cipher(tls->ssl);
  1130. }
  1131. /* Here's the old V2 cipher list we sent from 0.2.1.1-alpha up to
  1132. * 0.2.3.17-beta. If a client is using this list, we can't believe the ciphers
  1133. * that it claims to support. We'll prune this list to remove the ciphers
  1134. * *we* don't recognize. */
  1135. STATIC uint16_t v2_cipher_list[] = {
  1136. 0xc00a, /* TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA */
  1137. 0xc014, /* TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA */
  1138. 0x0039, /* TLS1_TXT_DHE_RSA_WITH_AES_256_SHA */
  1139. 0x0038, /* TLS1_TXT_DHE_DSS_WITH_AES_256_SHA */
  1140. 0xc00f, /* TLS1_TXT_ECDH_RSA_WITH_AES_256_CBC_SHA */
  1141. 0xc005, /* TLS1_TXT_ECDH_ECDSA_WITH_AES_256_CBC_SHA */
  1142. 0x0035, /* TLS1_TXT_RSA_WITH_AES_256_SHA */
  1143. 0xc007, /* TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA */
  1144. 0xc009, /* TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA */
  1145. 0xc011, /* TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA */
  1146. 0xc013, /* TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA */
  1147. 0x0033, /* TLS1_TXT_DHE_RSA_WITH_AES_128_SHA */
  1148. 0x0032, /* TLS1_TXT_DHE_DSS_WITH_AES_128_SHA */
  1149. 0xc00c, /* TLS1_TXT_ECDH_RSA_WITH_RC4_128_SHA */
  1150. 0xc00e, /* TLS1_TXT_ECDH_RSA_WITH_AES_128_CBC_SHA */
  1151. 0xc002, /* TLS1_TXT_ECDH_ECDSA_WITH_RC4_128_SHA */
  1152. 0xc004, /* TLS1_TXT_ECDH_ECDSA_WITH_AES_128_CBC_SHA */
  1153. 0x0004, /* SSL3_TXT_RSA_RC4_128_MD5 */
  1154. 0x0005, /* SSL3_TXT_RSA_RC4_128_SHA */
  1155. 0x002f, /* TLS1_TXT_RSA_WITH_AES_128_SHA */
  1156. 0xc008, /* TLS1_TXT_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA */
  1157. 0xc012, /* TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA */
  1158. 0x0016, /* SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA */
  1159. 0x0013, /* SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA */
  1160. 0xc00d, /* TLS1_TXT_ECDH_RSA_WITH_DES_192_CBC3_SHA */
  1161. 0xc003, /* TLS1_TXT_ECDH_ECDSA_WITH_DES_192_CBC3_SHA */
  1162. 0xfeff, /* SSL3_TXT_RSA_FIPS_WITH_3DES_EDE_CBC_SHA */
  1163. 0x000a, /* SSL3_TXT_RSA_DES_192_CBC3_SHA */
  1164. 0
  1165. };
  1166. /** Have we removed the unrecognized ciphers from v2_cipher_list yet? */
  1167. static int v2_cipher_list_pruned = 0;
  1168. /** Return 0 if <b>m</b> does not support the cipher with ID <b>cipher</b>;
  1169. * return 1 if it does support it, or if we have no way to tell. */
  1170. STATIC int
  1171. find_cipher_by_id(const SSL *ssl, const SSL_METHOD *m, uint16_t cipher)
  1172. {
  1173. const SSL_CIPHER *c;
  1174. #ifdef HAVE_SSL_CIPHER_FIND
  1175. (void) m;
  1176. {
  1177. unsigned char cipherid[3];
  1178. tor_assert(ssl);
  1179. set_uint16(cipherid, htons(cipher));
  1180. cipherid[2] = 0; /* If ssl23_get_cipher_by_char finds no cipher starting
  1181. * with a two-byte 'cipherid', it may look for a v2
  1182. * cipher with the appropriate 3 bytes. */
  1183. c = SSL_CIPHER_find((SSL*)ssl, cipherid);
  1184. if (c)
  1185. tor_assert((SSL_CIPHER_get_id(c) & 0xffff) == cipher);
  1186. return c != NULL;
  1187. }
  1188. #else
  1189. # if defined(HAVE_STRUCT_SSL_METHOD_ST_GET_CIPHER_BY_CHAR)
  1190. if (m && m->get_cipher_by_char) {
  1191. unsigned char cipherid[3];
  1192. set_uint16(cipherid, htons(cipher));
  1193. cipherid[2] = 0; /* If ssl23_get_cipher_by_char finds no cipher starting
  1194. * with a two-byte 'cipherid', it may look for a v2
  1195. * cipher with the appropriate 3 bytes. */
  1196. c = m->get_cipher_by_char(cipherid);
  1197. if (c)
  1198. tor_assert((c->id & 0xffff) == cipher);
  1199. return c != NULL;
  1200. }
  1201. # endif
  1202. # ifndef OPENSSL_1_1_API
  1203. if (m && m->get_cipher && m->num_ciphers) {
  1204. /* It would seem that some of the "let's-clean-up-openssl" forks have
  1205. * removed the get_cipher_by_char function. Okay, so now you get a
  1206. * quadratic search.
  1207. */
  1208. int i;
  1209. for (i = 0; i < m->num_ciphers(); ++i) {
  1210. c = m->get_cipher(i);
  1211. if (c && (c->id & 0xffff) == cipher) {
  1212. return 1;
  1213. }
  1214. }
  1215. return 0;
  1216. }
  1217. # endif
  1218. (void) ssl;
  1219. (void) m;
  1220. (void) cipher;
  1221. return 1; /* No way to search */
  1222. #endif
  1223. }
  1224. /** Remove from v2_cipher_list every cipher that we don't support, so that
  1225. * comparing v2_cipher_list to a client's cipher list will give a sensible
  1226. * result. */
  1227. static void
  1228. prune_v2_cipher_list(const SSL *ssl)
  1229. {
  1230. uint16_t *inp, *outp;
  1231. #ifdef HAVE_TLS_METHOD
  1232. const SSL_METHOD *m = TLS_method();
  1233. #else
  1234. const SSL_METHOD *m = SSLv23_method();
  1235. #endif
  1236. inp = outp = v2_cipher_list;
  1237. while (*inp) {
  1238. if (find_cipher_by_id(ssl, m, *inp)) {
  1239. *outp++ = *inp++;
  1240. } else {
  1241. inp++;
  1242. }
  1243. }
  1244. *outp = 0;
  1245. v2_cipher_list_pruned = 1;
  1246. }
  1247. /** Examine the client cipher list in <b>ssl</b>, and determine what kind of
  1248. * client it is. Return one of CIPHERS_ERR, CIPHERS_V1, CIPHERS_V2,
  1249. * CIPHERS_UNRESTRICTED.
  1250. **/
  1251. STATIC int
  1252. tor_tls_classify_client_ciphers(const SSL *ssl,
  1253. STACK_OF(SSL_CIPHER) *peer_ciphers)
  1254. {
  1255. int i, res;
  1256. tor_tls_t *tor_tls;
  1257. if (PREDICT_UNLIKELY(!v2_cipher_list_pruned))
  1258. prune_v2_cipher_list(ssl);
  1259. tor_tls = tor_tls_get_by_ssl(ssl);
  1260. if (tor_tls && tor_tls->client_cipher_list_type)
  1261. return tor_tls->client_cipher_list_type;
  1262. /* If we reached this point, we just got a client hello. See if there is
  1263. * a cipher list. */
  1264. if (!peer_ciphers) {
  1265. log_info(LD_NET, "No ciphers on session");
  1266. res = CIPHERS_ERR;
  1267. goto done;
  1268. }
  1269. /* Now we need to see if there are any ciphers whose presence means we're
  1270. * dealing with an updated Tor. */
  1271. for (i = 0; i < sk_SSL_CIPHER_num(peer_ciphers); ++i) {
  1272. const SSL_CIPHER *cipher = sk_SSL_CIPHER_value(peer_ciphers, i);
  1273. const char *ciphername = SSL_CIPHER_get_name(cipher);
  1274. if (strcmp(ciphername, TLS1_TXT_DHE_RSA_WITH_AES_128_SHA) &&
  1275. strcmp(ciphername, TLS1_TXT_DHE_RSA_WITH_AES_256_SHA) &&
  1276. strcmp(ciphername, SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA) &&
  1277. strcmp(ciphername, "(NONE)")) {
  1278. log_debug(LD_NET, "Got a non-version-1 cipher called '%s'", ciphername);
  1279. // return 1;
  1280. goto v2_or_higher;
  1281. }
  1282. }
  1283. res = CIPHERS_V1;
  1284. goto done;
  1285. v2_or_higher:
  1286. {
  1287. const uint16_t *v2_cipher = v2_cipher_list;
  1288. for (i = 0; i < sk_SSL_CIPHER_num(peer_ciphers); ++i) {
  1289. const SSL_CIPHER *cipher = sk_SSL_CIPHER_value(peer_ciphers, i);
  1290. uint16_t id = SSL_CIPHER_get_id(cipher) & 0xffff;
  1291. if (id == 0x00ff) /* extended renegotiation indicator. */
  1292. continue;
  1293. if (!id || id != *v2_cipher) {
  1294. res = CIPHERS_UNRESTRICTED;
  1295. goto dump_ciphers;
  1296. }
  1297. ++v2_cipher;
  1298. }
  1299. if (*v2_cipher != 0) {
  1300. res = CIPHERS_UNRESTRICTED;
  1301. goto dump_ciphers;
  1302. }
  1303. res = CIPHERS_V2;
  1304. }
  1305. dump_ciphers:
  1306. {
  1307. smartlist_t *elts = smartlist_new();
  1308. char *s;
  1309. for (i = 0; i < sk_SSL_CIPHER_num(peer_ciphers); ++i) {
  1310. const SSL_CIPHER *cipher = sk_SSL_CIPHER_value(peer_ciphers, i);
  1311. const char *ciphername = SSL_CIPHER_get_name(cipher);
  1312. smartlist_add(elts, (char*)ciphername);
  1313. }
  1314. s = smartlist_join_strings(elts, ":", 0, NULL);
  1315. log_debug(LD_NET, "Got a %s V2/V3 cipher list from %s. It is: '%s'",
  1316. (res == CIPHERS_V2) ? "fictitious" : "real", ADDR(tor_tls), s);
  1317. tor_free(s);
  1318. smartlist_free(elts);
  1319. }
  1320. done:
  1321. if (tor_tls)
  1322. return tor_tls->client_cipher_list_type = res;
  1323. return res;
  1324. }
  1325. /** Return true iff the cipher list suggested by the client for <b>ssl</b> is
  1326. * a list that indicates that the client knows how to do the v2 TLS connection
  1327. * handshake. */
  1328. STATIC int
  1329. tor_tls_client_is_using_v2_ciphers(const SSL *ssl)
  1330. {
  1331. STACK_OF(SSL_CIPHER) *ciphers;
  1332. #ifdef HAVE_SSL_GET_CLIENT_CIPHERS
  1333. ciphers = SSL_get_client_ciphers(ssl);
  1334. #else
  1335. SSL_SESSION *session;
  1336. if (!(session = SSL_get_session((SSL *)ssl))) {
  1337. log_info(LD_NET, "No session on TLS?");
  1338. return CIPHERS_ERR;
  1339. }
  1340. ciphers = session->ciphers;
  1341. #endif
  1342. return tor_tls_classify_client_ciphers(ssl, ciphers) >= CIPHERS_V2;
  1343. }
  1344. /** Invoked when we're accepting a connection on <b>ssl</b>, and the connection
  1345. * changes state. We use this:
  1346. * <ul><li>To alter the state of the handshake partway through, so we
  1347. * do not send or request extra certificates in v2 handshakes.</li>
  1348. * <li>To detect renegotiation</li></ul>
  1349. */
  1350. STATIC void
  1351. tor_tls_server_info_callback(const SSL *ssl, int type, int val)
  1352. {
  1353. tor_tls_t *tls;
  1354. (void) val;
  1355. tor_tls_debug_state_callback(ssl, type, val);
  1356. if (type != SSL_CB_ACCEPT_LOOP)
  1357. return;
  1358. OSSL_HANDSHAKE_STATE ssl_state = SSL_get_state(ssl);
  1359. if (! STATE_IS_SW_SERVER_HELLO(ssl_state))
  1360. return;
  1361. tls = tor_tls_get_by_ssl(ssl);
  1362. if (tls) {
  1363. /* Check whether we're watching for renegotiates. If so, this is one! */
  1364. if (tls->negotiated_callback)
  1365. tls->got_renegotiate = 1;
  1366. if (tls->server_handshake_count < 127) /*avoid any overflow possibility*/
  1367. ++tls->server_handshake_count;
  1368. } else {
  1369. log_warn(LD_BUG, "Couldn't look up the tls for an SSL*. How odd!");
  1370. return;
  1371. }
  1372. /* Now check the cipher list. */
  1373. if (tor_tls_client_is_using_v2_ciphers(ssl)) {
  1374. if (tls->wasV2Handshake)
  1375. return; /* We already turned this stuff off for the first handshake;
  1376. * This is a renegotiation. */
  1377. /* Yes, we're casting away the const from ssl. This is very naughty of us.
  1378. * Let's hope openssl doesn't notice! */
  1379. /* Set SSL_MODE_NO_AUTO_CHAIN to keep from sending back any extra certs. */
  1380. SSL_set_mode((SSL*) ssl, SSL_MODE_NO_AUTO_CHAIN);
  1381. /* Don't send a hello request. */
  1382. SSL_set_verify((SSL*) ssl, SSL_VERIFY_NONE, NULL);
  1383. if (tls) {
  1384. tls->wasV2Handshake = 1;
  1385. } else {
  1386. /* LCOV_EXCL_START this line is not reachable */
  1387. log_warn(LD_BUG, "Couldn't look up the tls for an SSL*. How odd!");
  1388. /* LCOV_EXCL_STOP */
  1389. }
  1390. }
  1391. }
  1392. /** Callback to get invoked on a server after we've read the list of ciphers
  1393. * the client supports, but before we pick our own ciphersuite.
  1394. *
  1395. * We can't abuse an info_cb for this, since by the time one of the
  1396. * client_hello info_cbs is called, we've already picked which ciphersuite to
  1397. * use.
  1398. *
  1399. * Technically, this function is an abuse of this callback, since the point of
  1400. * a session_secret_cb is to try to set up and/or verify a shared-secret for
  1401. * authentication on the fly. But as long as we return 0, we won't actually be
  1402. * setting up a shared secret, and all will be fine.
  1403. */
  1404. STATIC int
  1405. tor_tls_session_secret_cb(SSL *ssl, void *secret, int *secret_len,
  1406. STACK_OF(SSL_CIPHER) *peer_ciphers,
  1407. CONST_IF_OPENSSL_1_1_API SSL_CIPHER **cipher,
  1408. void *arg)
  1409. {
  1410. (void) secret;
  1411. (void) secret_len;
  1412. (void) peer_ciphers;
  1413. (void) cipher;
  1414. (void) arg;
  1415. if (tor_tls_classify_client_ciphers(ssl, peer_ciphers) ==
  1416. CIPHERS_UNRESTRICTED) {
  1417. SSL_set_cipher_list(ssl, UNRESTRICTED_SERVER_CIPHER_LIST);
  1418. }
  1419. SSL_set_session_secret_cb(ssl, NULL, NULL);
  1420. return 0;
  1421. }
  1422. static void
  1423. tor_tls_setup_session_secret_cb(tor_tls_t *tls)
  1424. {
  1425. SSL_set_session_secret_cb(tls->ssl, tor_tls_session_secret_cb, NULL);
  1426. }
  1427. /** Create a new TLS object from a file descriptor, and a flag to
  1428. * determine whether it is functioning as a server.
  1429. */
  1430. tor_tls_t *
  1431. tor_tls_new(int sock, int isServer)
  1432. {
  1433. BIO *bio = NULL;
  1434. tor_tls_t *result = tor_malloc_zero(sizeof(tor_tls_t));
  1435. tor_tls_context_t *context = isServer ? server_tls_context :
  1436. client_tls_context;
  1437. result->magic = TOR_TLS_MAGIC;
  1438. check_no_tls_errors();
  1439. tor_assert(context); /* make sure somebody made it first */
  1440. if (!(result->ssl = SSL_new(context->ctx))) {
  1441. tls_log_errors(NULL, LOG_WARN, LD_NET, "creating SSL object");
  1442. tor_free(result);
  1443. goto err;
  1444. }
  1445. #ifdef SSL_set_tlsext_host_name
  1446. /* Browsers use the TLS hostname extension, so we should too. */
  1447. if (!isServer) {
  1448. char *fake_hostname = crypto_random_hostname(4,25, "www.",".com");
  1449. SSL_set_tlsext_host_name(result->ssl, fake_hostname);
  1450. tor_free(fake_hostname);
  1451. }
  1452. #endif
  1453. if (!SSL_set_cipher_list(result->ssl,
  1454. isServer ? SERVER_CIPHER_LIST : CLIENT_CIPHER_LIST)) {
  1455. tls_log_errors(NULL, LOG_WARN, LD_NET, "setting ciphers");
  1456. #ifdef SSL_set_tlsext_host_name
  1457. SSL_set_tlsext_host_name(result->ssl, NULL);
  1458. #endif
  1459. SSL_free(result->ssl);
  1460. tor_free(result);
  1461. goto err;
  1462. }
  1463. result->socket = sock;
  1464. bio = BIO_new_socket(sock, BIO_NOCLOSE);
  1465. if (! bio) {
  1466. tls_log_errors(NULL, LOG_WARN, LD_NET, "opening BIO");
  1467. #ifdef SSL_set_tlsext_host_name
  1468. SSL_set_tlsext_host_name(result->ssl, NULL);
  1469. #endif
  1470. SSL_free(result->ssl);
  1471. tor_free(result);
  1472. goto err;
  1473. }
  1474. {
  1475. int set_worked =
  1476. SSL_set_ex_data(result->ssl, tor_tls_object_ex_data_index, result);
  1477. if (!set_worked) {
  1478. log_warn(LD_BUG,
  1479. "Couldn't set the tls for an SSL*; connection will fail");
  1480. }
  1481. }
  1482. SSL_set_bio(result->ssl, bio, bio);
  1483. tor_tls_context_incref(context);
  1484. result->context = context;
  1485. result->state = TOR_TLS_ST_HANDSHAKE;
  1486. result->isServer = isServer;
  1487. result->wantwrite_n = 0;
  1488. result->last_write_count = BIO_number_written(bio);
  1489. result->last_read_count = BIO_number_read(bio);
  1490. if (result->last_write_count || result->last_read_count) {
  1491. log_warn(LD_NET, "Newly created BIO has read count %lu, write count %lu",
  1492. result->last_read_count, result->last_write_count);
  1493. }
  1494. if (isServer) {
  1495. SSL_set_info_callback(result->ssl, tor_tls_server_info_callback);
  1496. } else {
  1497. SSL_set_info_callback(result->ssl, tor_tls_debug_state_callback);
  1498. }
  1499. if (isServer)
  1500. tor_tls_setup_session_secret_cb(result);
  1501. goto done;
  1502. err:
  1503. result = NULL;
  1504. done:
  1505. /* Not expected to get called. */
  1506. tls_log_errors(NULL, LOG_WARN, LD_NET, "creating tor_tls_t object");
  1507. return result;
  1508. }
  1509. /** Make future log messages about <b>tls</b> display the address
  1510. * <b>address</b>.
  1511. */
  1512. void
  1513. tor_tls_set_logged_address(tor_tls_t *tls, const char *address)
  1514. {
  1515. tor_assert(tls);
  1516. tor_free(tls->address);
  1517. tls->address = tor_strdup(address);
  1518. }
  1519. /** Set <b>cb</b> to be called with argument <b>arg</b> whenever <b>tls</b>
  1520. * next gets a client-side renegotiate in the middle of a read. Do not
  1521. * invoke this function until <em>after</em> initial handshaking is done!
  1522. */
  1523. void
  1524. tor_tls_set_renegotiate_callback(tor_tls_t *tls,
  1525. void (*cb)(tor_tls_t *, void *arg),
  1526. void *arg)
  1527. {
  1528. tls->negotiated_callback = cb;
  1529. tls->callback_arg = arg;
  1530. tls->got_renegotiate = 0;
  1531. if (cb) {
  1532. SSL_set_info_callback(tls->ssl, tor_tls_server_info_callback);
  1533. } else {
  1534. SSL_set_info_callback(tls->ssl, tor_tls_debug_state_callback);
  1535. }
  1536. }
  1537. /** If this version of openssl requires it, turn on renegotiation on
  1538. * <b>tls</b>.
  1539. */
  1540. void
  1541. tor_tls_unblock_renegotiation(tor_tls_t *tls)
  1542. {
  1543. /* Yes, we know what we are doing here. No, we do not treat a renegotiation
  1544. * as authenticating any earlier-received data. */
  1545. SSL_set_options(tls->ssl,
  1546. SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
  1547. }
  1548. /** If this version of openssl supports it, turn off renegotiation on
  1549. * <b>tls</b>. (Our protocol never requires this for security, but it's nice
  1550. * to use belt-and-suspenders here.)
  1551. */
  1552. void
  1553. tor_tls_block_renegotiation(tor_tls_t *tls)
  1554. {
  1555. #ifdef SUPPORT_UNSAFE_RENEGOTIATION_FLAG
  1556. tls->ssl->s3->flags &= ~SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
  1557. #else
  1558. (void) tls;
  1559. #endif
  1560. }
  1561. /** Assert that the flags that allow legacy renegotiation are still set */
  1562. void
  1563. tor_tls_assert_renegotiation_unblocked(tor_tls_t *tls)
  1564. {
  1565. #if defined(SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION) && \
  1566. SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION != 0
  1567. long options = SSL_get_options(tls->ssl);
  1568. tor_assert(0 != (options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION));
  1569. #else
  1570. (void) tls;
  1571. #endif
  1572. }
  1573. /** Return whether this tls initiated the connect (client) or
  1574. * received it (server). */
  1575. int
  1576. tor_tls_is_server(tor_tls_t *tls)
  1577. {
  1578. tor_assert(tls);
  1579. return tls->isServer;
  1580. }
  1581. /** Release resources associated with a TLS object. Does not close the
  1582. * underlying file descriptor.
  1583. */
  1584. void
  1585. tor_tls_free(tor_tls_t *tls)
  1586. {
  1587. if (!tls)
  1588. return;
  1589. tor_assert(tls->ssl);
  1590. {
  1591. size_t r,w;
  1592. tor_tls_get_n_raw_bytes(tls,&r,&w); /* ensure written_by_tls is updated */
  1593. }
  1594. #ifdef SSL_set_tlsext_host_name
  1595. SSL_set_tlsext_host_name(tls->ssl, NULL);
  1596. #endif
  1597. SSL_free(tls->ssl);
  1598. tls->ssl = NULL;
  1599. tls->negotiated_callback = NULL;
  1600. if (tls->context)
  1601. tor_tls_context_decref(tls->context);
  1602. tor_free(tls->address);
  1603. tls->magic = 0x99999999;
  1604. tor_free(tls);
  1605. }
  1606. /** Underlying function for TLS reading. Reads up to <b>len</b>
  1607. * characters from <b>tls</b> into <b>cp</b>. On success, returns the
  1608. * number of characters read. On failure, returns TOR_TLS_ERROR,
  1609. * TOR_TLS_CLOSE, TOR_TLS_WANTREAD, or TOR_TLS_WANTWRITE.
  1610. */
  1611. MOCK_IMPL(int,
  1612. tor_tls_read,(tor_tls_t *tls, char *cp, size_t len))
  1613. {
  1614. int r, err;
  1615. tor_assert(tls);
  1616. tor_assert(tls->ssl);
  1617. tor_assert(tls->state == TOR_TLS_ST_OPEN);
  1618. tor_assert(len<INT_MAX);
  1619. r = SSL_read(tls->ssl, cp, (int)len);
  1620. if (r > 0) {
  1621. if (tls->got_renegotiate) {
  1622. /* Renegotiation happened! */
  1623. log_info(LD_NET, "Got a TLS renegotiation from %s", ADDR(tls));
  1624. if (tls->negotiated_callback)
  1625. tls->negotiated_callback(tls, tls->callback_arg);
  1626. tls->got_renegotiate = 0;
  1627. }
  1628. return r;
  1629. }
  1630. err = tor_tls_get_error(tls, r, CATCH_ZERO, "reading", LOG_DEBUG, LD_NET);
  1631. if (err == TOR_TLS_ZERORETURN_ || err == TOR_TLS_CLOSE) {
  1632. log_debug(LD_NET,"read returned r=%d; TLS is closed",r);
  1633. tls->state = TOR_TLS_ST_CLOSED;
  1634. return TOR_TLS_CLOSE;
  1635. } else {
  1636. tor_assert(err != TOR_TLS_DONE);
  1637. log_debug(LD_NET,"read returned r=%d, err=%d",r,err);
  1638. return err;
  1639. }
  1640. }
  1641. /** Total number of bytes that we've used TLS to send. Used to track TLS
  1642. * overhead. */
  1643. STATIC uint64_t total_bytes_written_over_tls = 0;
  1644. /** Total number of bytes that TLS has put on the network for us. Used to
  1645. * track TLS overhead. */
  1646. STATIC uint64_t total_bytes_written_by_tls = 0;
  1647. /** Underlying function for TLS writing. Write up to <b>n</b>
  1648. * characters from <b>cp</b> onto <b>tls</b>. On success, returns the
  1649. * number of characters written. On failure, returns TOR_TLS_ERROR,
  1650. * TOR_TLS_WANTREAD, or TOR_TLS_WANTWRITE.
  1651. */
  1652. int
  1653. tor_tls_write(tor_tls_t *tls, const char *cp, size_t n)
  1654. {
  1655. int r, err;
  1656. tor_assert(tls);
  1657. tor_assert(tls->ssl);
  1658. tor_assert(tls->state == TOR_TLS_ST_OPEN);
  1659. tor_assert(n < INT_MAX);
  1660. if (n == 0)
  1661. return 0;
  1662. if (tls->wantwrite_n) {
  1663. /* if WANTWRITE last time, we must use the _same_ n as before */
  1664. tor_assert(n >= tls->wantwrite_n);
  1665. log_debug(LD_NET,"resuming pending-write, (%d to flush, reusing %d)",
  1666. (int)n, (int)tls->wantwrite_n);
  1667. n = tls->wantwrite_n;
  1668. tls->wantwrite_n = 0;
  1669. }
  1670. r = SSL_write(tls->ssl, cp, (int)n);
  1671. err = tor_tls_get_error(tls, r, 0, "writing", LOG_INFO, LD_NET);
  1672. if (err == TOR_TLS_DONE) {
  1673. total_bytes_written_over_tls += r;
  1674. return r;
  1675. }
  1676. if (err == TOR_TLS_WANTWRITE || err == TOR_TLS_WANTREAD) {
  1677. tls->wantwrite_n = n;
  1678. }
  1679. return err;
  1680. }
  1681. /** Perform initial handshake on <b>tls</b>. When finished, returns
  1682. * TOR_TLS_DONE. On failure, returns TOR_TLS_ERROR, TOR_TLS_WANTREAD,
  1683. * or TOR_TLS_WANTWRITE.
  1684. */
  1685. int
  1686. tor_tls_handshake(tor_tls_t *tls)
  1687. {
  1688. int r;
  1689. tor_assert(tls);
  1690. tor_assert(tls->ssl);
  1691. tor_assert(tls->state == TOR_TLS_ST_HANDSHAKE);
  1692. check_no_tls_errors();
  1693. OSSL_HANDSHAKE_STATE oldstate = SSL_get_state(tls->ssl);
  1694. if (tls->isServer) {
  1695. log_debug(LD_HANDSHAKE, "About to call SSL_accept on %p (%s)", tls,
  1696. SSL_state_string_long(tls->ssl));
  1697. r = SSL_accept(tls->ssl);
  1698. } else {
  1699. log_debug(LD_HANDSHAKE, "About to call SSL_connect on %p (%s)", tls,
  1700. SSL_state_string_long(tls->ssl));
  1701. r = SSL_connect(tls->ssl);
  1702. }
  1703. OSSL_HANDSHAKE_STATE newstate = SSL_get_state(tls->ssl);
  1704. if (oldstate != newstate)
  1705. log_debug(LD_HANDSHAKE, "After call, %p was in state %s",
  1706. tls, SSL_state_string_long(tls->ssl));
  1707. /* We need to call this here and not earlier, since OpenSSL has a penchant
  1708. * for clearing its flags when you say accept or connect. */
  1709. tor_tls_unblock_renegotiation(tls);
  1710. r = tor_tls_get_error(tls,r,0, "handshaking", LOG_INFO, LD_HANDSHAKE);
  1711. if (ERR_peek_error() != 0) {
  1712. tls_log_errors(tls, tls->isServer ? LOG_INFO : LOG_WARN, LD_HANDSHAKE,
  1713. "handshaking");
  1714. return TOR_TLS_ERROR_MISC;
  1715. }
  1716. if (r == TOR_TLS_DONE) {
  1717. tls->state = TOR_TLS_ST_OPEN;
  1718. return tor_tls_finish_handshake(tls);
  1719. }
  1720. return r;
  1721. }
  1722. /** Perform the final part of the intial TLS handshake on <b>tls</b>. This
  1723. * should be called for the first handshake only: it determines whether the v1
  1724. * or the v2 handshake was used, and adjusts things for the renegotiation
  1725. * handshake as appropriate.
  1726. *
  1727. * tor_tls_handshake() calls this on its own; you only need to call this if
  1728. * bufferevent is doing the handshake for you.
  1729. */
  1730. int
  1731. tor_tls_finish_handshake(tor_tls_t *tls)
  1732. {
  1733. int r = TOR_TLS_DONE;
  1734. check_no_tls_errors();
  1735. if (tls->isServer) {
  1736. SSL_set_info_callback(tls->ssl, NULL);
  1737. SSL_set_verify(tls->ssl, SSL_VERIFY_PEER, always_accept_verify_cb);
  1738. SSL_clear_mode(tls->ssl, SSL_MODE_NO_AUTO_CHAIN);
  1739. if (tor_tls_client_is_using_v2_ciphers(tls->ssl)) {
  1740. /* This check is redundant, but back when we did it in the callback,
  1741. * we might have not been able to look up the tor_tls_t if the code
  1742. * was buggy. Fixing that. */
  1743. if (!tls->wasV2Handshake) {
  1744. log_warn(LD_BUG, "For some reason, wasV2Handshake didn't"
  1745. " get set. Fixing that.");
  1746. }
  1747. tls->wasV2Handshake = 1;
  1748. log_debug(LD_HANDSHAKE, "Completed V2 TLS handshake with client; waiting"
  1749. " for renegotiation.");
  1750. } else {
  1751. tls->wasV2Handshake = 0;
  1752. }
  1753. } else {
  1754. /* Client-side */
  1755. tls->wasV2Handshake = 1;
  1756. /* XXXX this can move, probably? -NM */
  1757. if (SSL_set_cipher_list(tls->ssl, SERVER_CIPHER_LIST) == 0) {
  1758. tls_log_errors(NULL, LOG_WARN, LD_HANDSHAKE, "re-setting ciphers");
  1759. r = TOR_TLS_ERROR_MISC;
  1760. }
  1761. }
  1762. tls_log_errors(NULL, LOG_WARN, LD_NET, "finishing the handshake");
  1763. return r;
  1764. }
  1765. /** Shut down an open tls connection <b>tls</b>. When finished, returns
  1766. * TOR_TLS_DONE. On failure, returns TOR_TLS_ERROR, TOR_TLS_WANTREAD,
  1767. * or TOR_TLS_WANTWRITE.
  1768. */
  1769. int
  1770. tor_tls_shutdown(tor_tls_t *tls)
  1771. {
  1772. int r, err;
  1773. char buf[128];
  1774. tor_assert(tls);
  1775. tor_assert(tls->ssl);
  1776. check_no_tls_errors();
  1777. while (1) {
  1778. if (tls->state == TOR_TLS_ST_SENTCLOSE) {
  1779. /* If we've already called shutdown once to send a close message,
  1780. * we read until the other side has closed too.
  1781. */
  1782. do {
  1783. r = SSL_read(tls->ssl, buf, 128);
  1784. } while (r>0);
  1785. err = tor_tls_get_error(tls, r, CATCH_ZERO, "reading to shut down",
  1786. LOG_INFO, LD_NET);
  1787. if (err == TOR_TLS_ZERORETURN_) {
  1788. tls->state = TOR_TLS_ST_GOTCLOSE;
  1789. /* fall through... */
  1790. } else {
  1791. return err;
  1792. }
  1793. }
  1794. r = SSL_shutdown(tls->ssl);
  1795. if (r == 1) {
  1796. /* If shutdown returns 1, the connection is entirely closed. */
  1797. tls->state = TOR_TLS_ST_CLOSED;
  1798. return TOR_TLS_DONE;
  1799. }
  1800. err = tor_tls_get_error(tls, r, CATCH_SYSCALL|CATCH_ZERO, "shutting down",
  1801. LOG_INFO, LD_NET);
  1802. if (err == TOR_TLS_SYSCALL_) {
  1803. /* The underlying TCP connection closed while we were shutting down. */
  1804. tls->state = TOR_TLS_ST_CLOSED;
  1805. return TOR_TLS_DONE;
  1806. } else if (err == TOR_TLS_ZERORETURN_) {
  1807. /* The TLS connection says that it sent a shutdown record, but
  1808. * isn't done shutting down yet. Make sure that this hasn't
  1809. * happened before, then go back to the start of the function
  1810. * and try to read.
  1811. */
  1812. if (tls->state == TOR_TLS_ST_GOTCLOSE ||
  1813. tls->state == TOR_TLS_ST_SENTCLOSE) {
  1814. log_warn(LD_NET,
  1815. "TLS returned \"half-closed\" value while already half-closed");
  1816. return TOR_TLS_ERROR_MISC;
  1817. }
  1818. tls->state = TOR_TLS_ST_SENTCLOSE;
  1819. /* fall through ... */
  1820. } else {
  1821. return err;
  1822. }
  1823. } /* end loop */
  1824. }
  1825. /** Return true iff this TLS connection is authenticated.
  1826. */
  1827. int
  1828. tor_tls_peer_has_cert(tor_tls_t *tls)
  1829. {
  1830. X509 *cert;
  1831. cert = SSL_get_peer_certificate(tls->ssl);
  1832. tls_log_errors(tls, LOG_WARN, LD_HANDSHAKE, "getting peer certificate");
  1833. if (!cert)
  1834. return 0;
  1835. X509_free(cert);
  1836. return 1;
  1837. }
  1838. /** Return the peer certificate, or NULL if there isn't one. */
  1839. MOCK_IMPL(tor_x509_cert_t *,
  1840. tor_tls_get_peer_cert,(tor_tls_t *tls))
  1841. {
  1842. X509 *cert;
  1843. cert = SSL_get_peer_certificate(tls->ssl);
  1844. tls_log_errors(tls, LOG_WARN, LD_HANDSHAKE, "getting peer certificate");
  1845. if (!cert)
  1846. return NULL;
  1847. return tor_x509_cert_new(cert);
  1848. }
  1849. /** Warn that a certificate lifetime extends through a certain range. */
  1850. static void
  1851. log_cert_lifetime(int severity, const X509 *cert, const char *problem)
  1852. {
  1853. BIO *bio = NULL;
  1854. BUF_MEM *buf;
  1855. char *s1=NULL, *s2=NULL;
  1856. char mytime[33];
  1857. time_t now = time(NULL);
  1858. struct tm tm;
  1859. size_t n;
  1860. if (problem)
  1861. tor_log(severity, LD_GENERAL,
  1862. "Certificate %s. Either their clock is set wrong, or your clock "
  1863. "is wrong.",
  1864. problem);
  1865. if (!(bio = BIO_new(BIO_s_mem()))) {
  1866. log_warn(LD_GENERAL, "Couldn't allocate BIO!"); goto end;
  1867. }
  1868. if (!(ASN1_TIME_print(bio, X509_get_notBefore_const(cert)))) {
  1869. tls_log_errors(NULL, LOG_WARN, LD_NET, "printing certificate lifetime");
  1870. goto end;
  1871. }
  1872. BIO_get_mem_ptr(bio, &buf);
  1873. s1 = tor_strndup(buf->data, buf->length);
  1874. (void)BIO_reset(bio);
  1875. if (!(ASN1_TIME_print(bio, X509_get_notAfter_const(cert)))) {
  1876. tls_log_errors(NULL, LOG_WARN, LD_NET, "printing certificate lifetime");
  1877. goto end;
  1878. }
  1879. BIO_get_mem_ptr(bio, &buf);
  1880. s2 = tor_strndup(buf->data, buf->length);
  1881. n = strftime(mytime, 32, "%b %d %H:%M:%S %Y UTC", tor_gmtime_r(&now, &tm));
  1882. if (n > 0) {
  1883. tor_log(severity, LD_GENERAL,
  1884. "(certificate lifetime runs from %s through %s. Your time is %s.)",
  1885. s1,s2,mytime);
  1886. } else {
  1887. tor_log(severity, LD_GENERAL,
  1888. "(certificate lifetime runs from %s through %s. "
  1889. "Couldn't get your time.)",
  1890. s1, s2);
  1891. }
  1892. end:
  1893. /* Not expected to get invoked */
  1894. tls_log_errors(NULL, LOG_WARN, LD_NET, "getting certificate lifetime");
  1895. if (bio)
  1896. BIO_free(bio);
  1897. tor_free(s1);
  1898. tor_free(s2);
  1899. }
  1900. /** Helper function: try to extract a link certificate and an identity
  1901. * certificate from <b>tls</b>, and store them in *<b>cert_out</b> and
  1902. * *<b>id_cert_out</b> respectively. Log all messages at level
  1903. * <b>severity</b>.
  1904. *
  1905. * Note that a reference is added to cert_out, so it needs to be
  1906. * freed. id_cert_out doesn't. */
  1907. MOCK_IMPL(STATIC void,
  1908. try_to_extract_certs_from_tls,(int severity, tor_tls_t *tls,
  1909. X509 **cert_out, X509 **id_cert_out))
  1910. {
  1911. X509 *cert = NULL, *id_cert = NULL;
  1912. STACK_OF(X509) *chain = NULL;
  1913. int num_in_chain, i;
  1914. *cert_out = *id_cert_out = NULL;
  1915. if (!(cert = SSL_get_peer_certificate(tls->ssl)))
  1916. return;
  1917. *cert_out = cert;
  1918. if (!(chain = SSL_get_peer_cert_chain(tls->ssl)))
  1919. return;
  1920. num_in_chain = sk_X509_num(chain);
  1921. /* 1 means we're receiving (server-side), and it's just the id_cert.
  1922. * 2 means we're connecting (client-side), and it's both the link
  1923. * cert and the id_cert.
  1924. */
  1925. if (num_in_chain < 1) {
  1926. log_fn(severity,LD_PROTOCOL,
  1927. "Unexpected number of certificates in chain (%d)",
  1928. num_in_chain);
  1929. return;
  1930. }
  1931. for (i=0; i<num_in_chain; ++i) {
  1932. id_cert = sk_X509_value(chain, i);
  1933. if (X509_cmp(id_cert, cert) != 0)
  1934. break;
  1935. }
  1936. *id_cert_out = id_cert;
  1937. }
  1938. /** If the provided tls connection is authenticated and has a
  1939. * certificate chain that is currently valid and signed, then set
  1940. * *<b>identity_key</b> to the identity certificate's key and return
  1941. * 0. Else, return -1 and log complaints with log-level <b>severity</b>.
  1942. */
  1943. int
  1944. tor_tls_verify(int severity, tor_tls_t *tls, crypto_pk_t **identity_key)
  1945. {
  1946. X509 *cert = NULL, *id_cert = NULL;
  1947. EVP_PKEY *id_pkey = NULL;
  1948. RSA *rsa;
  1949. int r = -1;
  1950. check_no_tls_errors();
  1951. *identity_key = NULL;
  1952. try_to_extract_certs_from_tls(severity, tls, &cert, &id_cert);
  1953. if (!cert)
  1954. goto done;
  1955. if (!id_cert) {
  1956. log_fn(severity,LD_PROTOCOL,"No distinct identity certificate found");
  1957. goto done;
  1958. }
  1959. tls_log_errors(tls, severity, LD_HANDSHAKE, "before verifying certificate");
  1960. if (!(id_pkey = X509_get_pubkey(id_cert)) ||
  1961. X509_verify(cert, id_pkey) <= 0) {
  1962. log_fn(severity,LD_PROTOCOL,"X509_verify on cert and pkey returned <= 0");
  1963. tls_log_errors(tls, severity, LD_HANDSHAKE, "verifying certificate");
  1964. goto done;
  1965. }
  1966. rsa = EVP_PKEY_get1_RSA(id_pkey);
  1967. if (!rsa)
  1968. goto done;
  1969. *identity_key = crypto_new_pk_from_rsa_(rsa);
  1970. r = 0;
  1971. done:
  1972. if (cert)
  1973. X509_free(cert);
  1974. if (id_pkey)
  1975. EVP_PKEY_free(id_pkey);
  1976. /* This should never get invoked, but let's make sure in case OpenSSL
  1977. * acts unexpectedly. */
  1978. tls_log_errors(tls, LOG_WARN, LD_HANDSHAKE, "finishing tor_tls_verify");
  1979. return r;
  1980. }
  1981. /** Check whether the certificate set on the connection <b>tls</b> is expired
  1982. * give or take <b>past_tolerance</b> seconds, or not-yet-valid give or take
  1983. * <b>future_tolerance</b> seconds. Return 0 for valid, -1 for failure.
  1984. *
  1985. * NOTE: you should call tor_tls_verify before tor_tls_check_lifetime.
  1986. */
  1987. int
  1988. tor_tls_check_lifetime(int severity, tor_tls_t *tls,
  1989. int past_tolerance, int future_tolerance)
  1990. {
  1991. X509 *cert;
  1992. int r = -1;
  1993. if (!(cert = SSL_get_peer_certificate(tls->ssl)))
  1994. goto done;
  1995. if (check_cert_lifetime_internal(severity, cert,
  1996. past_tolerance, future_tolerance) < 0)
  1997. goto done;
  1998. r = 0;
  1999. done:
  2000. if (cert)
  2001. X509_free(cert);
  2002. /* Not expected to get invoked */
  2003. tls_log_errors(tls, LOG_WARN, LD_NET, "checking certificate lifetime");
  2004. return r;
  2005. }
  2006. /** Helper: check whether <b>cert</b> is expired give or take
  2007. * <b>past_tolerance</b> seconds, or not-yet-valid give or take
  2008. * <b>future_tolerance</b> seconds. If it is live, return 0. If it is not
  2009. * live, log a message and return -1. */
  2010. static int
  2011. check_cert_lifetime_internal(int severity, const X509 *cert,
  2012. int past_tolerance, int future_tolerance)
  2013. {
  2014. time_t now, t;
  2015. now = time(NULL);
  2016. t = now + future_tolerance;
  2017. if (X509_cmp_time(X509_get_notBefore_const(cert), &t) > 0) {
  2018. log_cert_lifetime(severity, cert, "not yet valid");
  2019. return -1;
  2020. }
  2021. t = now - past_tolerance;
  2022. if (X509_cmp_time(X509_get_notAfter_const(cert), &t) < 0) {
  2023. log_cert_lifetime(severity, cert, "already expired");
  2024. return -1;
  2025. }
  2026. return 0;
  2027. }
  2028. /** Return the number of bytes available for reading from <b>tls</b>.
  2029. */
  2030. int
  2031. tor_tls_get_pending_bytes(tor_tls_t *tls)
  2032. {
  2033. tor_assert(tls);
  2034. return SSL_pending(tls->ssl);
  2035. }
  2036. /** If <b>tls</b> requires that the next write be of a particular size,
  2037. * return that size. Otherwise, return 0. */
  2038. size_t
  2039. tor_tls_get_forced_write_size(tor_tls_t *tls)
  2040. {
  2041. return tls->wantwrite_n;
  2042. }
  2043. /** Sets n_read and n_written to the number of bytes read and written,
  2044. * respectively, on the raw socket used by <b>tls</b> since the last time this
  2045. * function was called on <b>tls</b>. */
  2046. void
  2047. tor_tls_get_n_raw_bytes(tor_tls_t *tls, size_t *n_read, size_t *n_written)
  2048. {
  2049. BIO *wbio, *tmpbio;
  2050. unsigned long r, w;
  2051. r = BIO_number_read(SSL_get_rbio(tls->ssl));
  2052. /* We want the number of bytes actually for real written. Unfortunately,
  2053. * sometimes OpenSSL replaces the wbio on tls->ssl with a buffering bio,
  2054. * which makes the answer turn out wrong. Let's cope with that. Note
  2055. * that this approach will fail if we ever replace tls->ssl's BIOs with
  2056. * buffering bios for reasons of our own. As an alternative, we could
  2057. * save the original BIO for tls->ssl in the tor_tls_t structure, but
  2058. * that would be tempting fate. */
  2059. wbio = SSL_get_wbio(tls->ssl);
  2060. #if OPENSSL_VERSION_NUMBER >= OPENSSL_VER(1,1,0,0,5)
  2061. /* BIO structure is opaque as of OpenSSL 1.1.0-pre5-dev. Again, not
  2062. * supposed to use this form of the version macro, but the OpenSSL developers
  2063. * introduced major API changes in the pre-release stage.
  2064. */
  2065. if (BIO_method_type(wbio) == BIO_TYPE_BUFFER &&
  2066. (tmpbio = BIO_next(wbio)) != NULL)
  2067. wbio = tmpbio;
  2068. #else
  2069. if (wbio->method == BIO_f_buffer() && (tmpbio = BIO_next(wbio)) != NULL)
  2070. wbio = tmpbio;
  2071. #endif
  2072. w = BIO_number_written(wbio);
  2073. /* We are ok with letting these unsigned ints go "negative" here:
  2074. * If we wrapped around, this should still give us the right answer, unless
  2075. * we wrapped around by more than ULONG_MAX since the last time we called
  2076. * this function.
  2077. */
  2078. *n_read = (size_t)(r - tls->last_read_count);
  2079. *n_written = (size_t)(w - tls->last_write_count);
  2080. if (*n_read > INT_MAX || *n_written > INT_MAX) {
  2081. log_warn(LD_BUG, "Preposterously large value in tor_tls_get_n_raw_bytes. "
  2082. "r=%lu, last_read=%lu, w=%lu, last_written=%lu",
  2083. r, tls->last_read_count, w, tls->last_write_count);
  2084. }
  2085. total_bytes_written_by_tls += *n_written;
  2086. tls->last_read_count = r;
  2087. tls->last_write_count = w;
  2088. }
  2089. /** Return a ratio of the bytes that TLS has sent to the bytes that we've told
  2090. * it to send. Used to track whether our TLS records are getting too tiny. */
  2091. MOCK_IMPL(double,
  2092. tls_get_write_overhead_ratio,(void))
  2093. {
  2094. if (total_bytes_written_over_tls == 0)
  2095. return 1.0;
  2096. return U64_TO_DBL(total_bytes_written_by_tls) /
  2097. U64_TO_DBL(total_bytes_written_over_tls);
  2098. }
  2099. /** Implement check_no_tls_errors: If there are any pending OpenSSL
  2100. * errors, log an error message. */
  2101. void
  2102. check_no_tls_errors_(const char *fname, int line)
  2103. {
  2104. if (ERR_peek_error() == 0)
  2105. return;
  2106. log_warn(LD_CRYPTO, "Unhandled OpenSSL errors found at %s:%d: ",
  2107. tor_fix_source_file(fname), line);
  2108. tls_log_errors(NULL, LOG_WARN, LD_NET, NULL);
  2109. }
  2110. /** Return true iff the initial TLS connection at <b>tls</b> did not use a v2
  2111. * TLS handshake. Output is undefined if the handshake isn't finished. */
  2112. int
  2113. tor_tls_used_v1_handshake(tor_tls_t *tls)
  2114. {
  2115. return ! tls->wasV2Handshake;
  2116. }
  2117. /** Return the number of server handshakes that we've noticed doing on
  2118. * <b>tls</b>. */
  2119. int
  2120. tor_tls_get_num_server_handshakes(tor_tls_t *tls)
  2121. {
  2122. return tls->server_handshake_count;
  2123. }
  2124. /** Return true iff the server TLS connection <b>tls</b> got the renegotiation
  2125. * request it was waiting for. */
  2126. int
  2127. tor_tls_server_got_renegotiate(tor_tls_t *tls)
  2128. {
  2129. return tls->got_renegotiate;
  2130. }
  2131. #ifndef HAVE_SSL_GET_CLIENT_RANDOM
  2132. static size_t
  2133. SSL_get_client_random(SSL *s, uint8_t *out, size_t len)
  2134. {
  2135. if (len == 0)
  2136. return SSL3_RANDOM_SIZE;
  2137. tor_assert(len == SSL3_RANDOM_SIZE);
  2138. tor_assert(s->s3);
  2139. memcpy(out, s->s3->client_random, len);
  2140. return len;
  2141. }
  2142. #endif
  2143. #ifndef HAVE_SSL_GET_SERVER_RANDOM
  2144. static size_t
  2145. SSL_get_server_random(SSL *s, uint8_t *out, size_t len)
  2146. {
  2147. if (len == 0)
  2148. return SSL3_RANDOM_SIZE;
  2149. tor_assert(len == SSL3_RANDOM_SIZE);
  2150. tor_assert(s->s3);
  2151. memcpy(out, s->s3->server_random, len);
  2152. return len;
  2153. }
  2154. #endif
  2155. #ifndef HAVE_SSL_SESSION_GET_MASTER_KEY
  2156. STATIC size_t
  2157. SSL_SESSION_get_master_key(SSL_SESSION *s, uint8_t *out, size_t len)
  2158. {
  2159. tor_assert(s);
  2160. if (len == 0)
  2161. return s->master_key_length;
  2162. tor_assert(len == (size_t)s->master_key_length);
  2163. tor_assert(out);
  2164. memcpy(out, s->master_key, len);
  2165. return len;
  2166. }
  2167. #endif
  2168. /** Set the DIGEST256_LEN buffer at <b>secrets_out</b> to the value used in
  2169. * the v3 handshake to prove that the client knows the TLS secrets for the
  2170. * connection <b>tls</b>. Return 0 on success, -1 on failure.
  2171. */
  2172. MOCK_IMPL(int,
  2173. tor_tls_get_tlssecrets,(tor_tls_t *tls, uint8_t *secrets_out))
  2174. {
  2175. #define TLSSECRET_MAGIC "Tor V3 handshake TLS cross-certification"
  2176. uint8_t buf[128];
  2177. size_t len;
  2178. tor_assert(tls);
  2179. SSL *const ssl = tls->ssl;
  2180. SSL_SESSION *const session = SSL_get_session(ssl);
  2181. tor_assert(ssl);
  2182. tor_assert(session);
  2183. const size_t server_random_len = SSL_get_server_random(ssl, NULL, 0);
  2184. const size_t client_random_len = SSL_get_client_random(ssl, NULL, 0);
  2185. const size_t master_key_len = SSL_SESSION_get_master_key(session, NULL, 0);
  2186. tor_assert(server_random_len);
  2187. tor_assert(client_random_len);
  2188. tor_assert(master_key_len);
  2189. len = client_random_len + server_random_len + strlen(TLSSECRET_MAGIC) + 1;
  2190. tor_assert(len <= sizeof(buf));
  2191. {
  2192. size_t r = SSL_get_client_random(ssl, buf, client_random_len);
  2193. tor_assert(r == client_random_len);
  2194. }
  2195. {
  2196. size_t r = SSL_get_server_random(ssl,
  2197. buf+client_random_len,
  2198. server_random_len);
  2199. tor_assert(r == server_random_len);
  2200. }
  2201. uint8_t *master_key = tor_malloc_zero(master_key_len);
  2202. {
  2203. size_t r = SSL_SESSION_get_master_key(session, master_key, master_key_len);
  2204. tor_assert(r == master_key_len);
  2205. }
  2206. uint8_t *nextbuf = buf + client_random_len + server_random_len;
  2207. memcpy(nextbuf, TLSSECRET_MAGIC, strlen(TLSSECRET_MAGIC) + 1);
  2208. /*
  2209. The value is an HMAC, using the TLS master key as the HMAC key, of
  2210. client_random | server_random | TLSSECRET_MAGIC
  2211. */
  2212. crypto_hmac_sha256((char*)secrets_out,
  2213. (char*)master_key,
  2214. master_key_len,
  2215. (char*)buf, len);
  2216. memwipe(buf, 0, sizeof(buf));
  2217. memwipe(master_key, 0, master_key_len);
  2218. tor_free(master_key);
  2219. return 0;
  2220. }
  2221. /** Examine the amount of memory used and available for buffers in <b>tls</b>.
  2222. * Set *<b>rbuf_capacity</b> to the amount of storage allocated for the read
  2223. * buffer and *<b>rbuf_bytes</b> to the amount actually used.
  2224. * Set *<b>wbuf_capacity</b> to the amount of storage allocated for the write
  2225. * buffer and *<b>wbuf_bytes</b> to the amount actually used.
  2226. *
  2227. * Return 0 on success, -1 on failure.*/
  2228. int
  2229. tor_tls_get_buffer_sizes(tor_tls_t *tls,
  2230. size_t *rbuf_capacity, size_t *rbuf_bytes,
  2231. size_t *wbuf_capacity, size_t *wbuf_bytes)
  2232. {
  2233. #if OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,1,0)
  2234. (void)tls;
  2235. (void)rbuf_capacity;
  2236. (void)rbuf_bytes;
  2237. (void)wbuf_capacity;
  2238. (void)wbuf_bytes;
  2239. return -1;
  2240. #else
  2241. if (tls->ssl->s3->rbuf.buf)
  2242. *rbuf_capacity = tls->ssl->s3->rbuf.len;
  2243. else
  2244. *rbuf_capacity = 0;
  2245. if (tls->ssl->s3->wbuf.buf)
  2246. *wbuf_capacity = tls->ssl->s3->wbuf.len;
  2247. else
  2248. *wbuf_capacity = 0;
  2249. *rbuf_bytes = tls->ssl->s3->rbuf.left;
  2250. *wbuf_bytes = tls->ssl->s3->wbuf.left;
  2251. return 0;
  2252. #endif
  2253. }
  2254. #ifdef USE_BUFFEREVENTS
  2255. /** Construct and return an TLS-encrypting bufferevent to send data over
  2256. * <b>socket</b>, which must match the socket of the underlying bufferevent
  2257. * <b>bufev_in</b>. The TLS object <b>tls</b> is used for encryption.
  2258. *
  2259. * This function will either create a filtering bufferevent that wraps around
  2260. * <b>bufev_in</b>, or it will free bufev_in and return a new bufferevent that
  2261. * uses the <b>tls</b> to talk to the network directly. Do not use
  2262. * <b>bufev_in</b> after calling this function.
  2263. *
  2264. * The connection will start out doing a server handshake if <b>receiving</b>
  2265. * is strue, and a client handshake otherwise.
  2266. *
  2267. * Returns NULL on failure.
  2268. */
  2269. struct bufferevent *
  2270. tor_tls_init_bufferevent(tor_tls_t *tls, struct bufferevent *bufev_in,
  2271. evutil_socket_t socket, int receiving,
  2272. int filter)
  2273. {
  2274. struct bufferevent *out;
  2275. const enum bufferevent_ssl_state state = receiving ?
  2276. BUFFEREVENT_SSL_ACCEPTING : BUFFEREVENT_SSL_CONNECTING;
  2277. if (filter || tor_libevent_using_iocp_bufferevents()) {
  2278. /* Grab an extra reference to the SSL, since BEV_OPT_CLOSE_ON_FREE
  2279. means that the SSL will get freed too.
  2280. This increment makes our SSL usage not-threadsafe, BTW. We should
  2281. see if we're allowed to use CRYPTO_add from outside openssl. */
  2282. tls->ssl->references += 1;
  2283. out = bufferevent_openssl_filter_new(tor_libevent_get_base(),
  2284. bufev_in,
  2285. tls->ssl,
  2286. state,
  2287. BEV_OPT_DEFER_CALLBACKS|
  2288. BEV_OPT_CLOSE_ON_FREE);
  2289. /* Tell the underlying bufferevent when to accept more data from the SSL
  2290. filter (only when it's got less than 32K to write), and when to notify
  2291. the SSL filter that it could write more (when it drops under 24K). */
  2292. bufferevent_setwatermark(bufev_in, EV_WRITE, 24*1024, 32*1024);
  2293. } else {
  2294. if (bufev_in) {
  2295. evutil_socket_t s = bufferevent_getfd(bufev_in);
  2296. tor_assert(s == -1 || s == socket);
  2297. tor_assert(evbuffer_get_length(bufferevent_get_input(bufev_in)) == 0);
  2298. tor_assert(evbuffer_get_length(bufferevent_get_output(bufev_in)) == 0);
  2299. tor_assert(BIO_number_read(SSL_get_rbio(tls->ssl)) == 0);
  2300. tor_assert(BIO_number_written(SSL_get_rbio(tls->ssl)) == 0);
  2301. bufferevent_free(bufev_in);
  2302. }
  2303. /* Current versions (as of 2.0.x) of Libevent need to defer
  2304. * bufferevent_openssl callbacks, or else our callback functions will
  2305. * get called reentrantly, which is bad for us.
  2306. */
  2307. out = bufferevent_openssl_socket_new(tor_libevent_get_base(),
  2308. socket,
  2309. tls->ssl,
  2310. state,
  2311. BEV_OPT_DEFER_CALLBACKS);
  2312. }
  2313. tls->state = TOR_TLS_ST_BUFFEREVENT;
  2314. /* Unblock _after_ creating the bufferevent, since accept/connect tend to
  2315. * clear flags. */
  2316. tor_tls_unblock_renegotiation(tls);
  2317. return out;
  2318. }
  2319. #endif
  2320. /** Check whether the ECC group requested is supported by the current OpenSSL
  2321. * library instance. Return 1 if the group is supported, and 0 if not.
  2322. */
  2323. int
  2324. evaluate_ecgroup_for_tls(const char *ecgroup)
  2325. {
  2326. EC_KEY *ec_key;
  2327. int nid;
  2328. int ret;
  2329. if (!ecgroup)
  2330. nid = NID_tor_default_ecdhe_group;
  2331. else if (!strcasecmp(ecgroup, "P256"))
  2332. nid = NID_X9_62_prime256v1;
  2333. else if (!strcasecmp(ecgroup, "P224"))
  2334. nid = NID_secp224r1;
  2335. else
  2336. return 0;
  2337. ec_key = EC_KEY_new_by_curve_name(nid);
  2338. ret = (ec_key != NULL);
  2339. EC_KEY_free(ec_key);
  2340. return ret;
  2341. }