tortls.c 81 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348134913501351135213531354135513561357135813591360136113621363136413651366136713681369137013711372137313741375137613771378137913801381138213831384138513861387138813891390139113921393139413951396139713981399140014011402140314041405140614071408140914101411141214131414141514161417141814191420142114221423142414251426142714281429143014311432143314341435143614371438143914401441144214431444144514461447144814491450145114521453145414551456145714581459146014611462146314641465146614671468146914701471147214731474147514761477147814791480148114821483148414851486148714881489149014911492149314941495149614971498149915001501150215031504150515061507150815091510151115121513151415151516151715181519152015211522152315241525152615271528152915301531153215331534153515361537153815391540154115421543154415451546154715481549155015511552155315541555155615571558155915601561156215631564156515661567156815691570157115721573157415751576157715781579158015811582158315841585158615871588158915901591159215931594159515961597159815991600160116021603160416051606160716081609161016111612161316141615161616171618161916201621162216231624162516261627162816291630163116321633163416351636163716381639164016411642164316441645164616471648164916501651165216531654165516561657165816591660166116621663166416651666166716681669167016711672167316741675167616771678167916801681168216831684168516861687168816891690169116921693169416951696169716981699170017011702170317041705170617071708170917101711171217131714171517161717171817191720172117221723172417251726172717281729173017311732173317341735173617371738173917401741174217431744174517461747174817491750175117521753175417551756175717581759176017611762176317641765176617671768176917701771177217731774177517761777177817791780178117821783178417851786178717881789179017911792179317941795179617971798179918001801180218031804180518061807180818091810181118121813181418151816181718181819182018211822182318241825182618271828182918301831183218331834183518361837183818391840184118421843184418451846184718481849185018511852185318541855185618571858185918601861186218631864186518661867186818691870187118721873187418751876187718781879188018811882188318841885188618871888188918901891189218931894189518961897189818991900190119021903190419051906190719081909191019111912191319141915191619171918191919201921192219231924192519261927192819291930193119321933193419351936193719381939194019411942194319441945194619471948194919501951195219531954195519561957195819591960196119621963196419651966196719681969197019711972197319741975197619771978197919801981198219831984198519861987198819891990199119921993199419951996199719981999200020012002200320042005200620072008200920102011201220132014201520162017201820192020202120222023202420252026202720282029203020312032203320342035203620372038203920402041204220432044204520462047204820492050205120522053205420552056205720582059206020612062206320642065206620672068206920702071207220732074207520762077207820792080208120822083208420852086208720882089209020912092209320942095209620972098209921002101210221032104210521062107210821092110211121122113211421152116211721182119212021212122212321242125212621272128212921302131213221332134213521362137213821392140214121422143214421452146214721482149215021512152215321542155215621572158215921602161216221632164216521662167216821692170217121722173217421752176217721782179218021812182218321842185218621872188218921902191219221932194219521962197219821992200220122022203220422052206220722082209221022112212221322142215221622172218221922202221222222232224222522262227222822292230223122322233223422352236223722382239224022412242224322442245224622472248224922502251225222532254225522562257225822592260226122622263226422652266226722682269227022712272227322742275227622772278227922802281228222832284228522862287228822892290229122922293229422952296229722982299230023012302230323042305230623072308230923102311231223132314231523162317231823192320232123222323232423252326232723282329233023312332233323342335233623372338233923402341234223432344234523462347234823492350235123522353235423552356235723582359236023612362236323642365236623672368236923702371237223732374237523762377237823792380238123822383238423852386238723882389239023912392239323942395239623972398239924002401240224032404240524062407240824092410241124122413241424152416241724182419242024212422242324242425242624272428242924302431243224332434243524362437243824392440244124422443244424452446244724482449245024512452245324542455245624572458245924602461246224632464246524662467246824692470247124722473247424752476247724782479248024812482248324842485248624872488248924902491249224932494249524962497249824992500250125022503250425052506250725082509251025112512251325142515251625172518251925202521252225232524252525262527252825292530253125322533253425352536253725382539254025412542254325442545254625472548254925502551255225532554255525562557255825592560256125622563256425652566256725682569257025712572257325742575257625772578257925802581258225832584258525862587258825892590259125922593259425952596259725982599260026012602260326042605260626072608260926102611261226132614261526162617261826192620
  1. /* Copyright (c) 2003, Roger Dingledine.
  2. * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
  3. * Copyright (c) 2007-2017, The Tor Project, Inc. */
  4. /* See LICENSE for licensing information */
  5. /**
  6. * \file tortls.c
  7. * \brief Wrapper functions to present a consistent interface to
  8. * TLS, SSL, and X.509 functions from OpenSSL.
  9. **/
  10. /* (Unlike other tor functions, these
  11. * are prefixed with tor_ in order to avoid conflicting with OpenSSL
  12. * functions and variables.)
  13. */
  14. #include "orconfig.h"
  15. #define TORTLS_PRIVATE
  16. #define TORTLS_OPENSSL_PRIVATE
  17. #include <assert.h>
  18. #ifdef _WIN32 /*wrkard for dtls1.h >= 0.9.8m of "#include <winsock.h>"*/
  19. #include <winsock2.h>
  20. #include <ws2tcpip.h>
  21. #endif
  22. #include "compat.h"
  23. /* Some versions of OpenSSL declare SSL_get_selected_srtp_profile twice in
  24. * srtp.h. Suppress the GCC warning so we can build with -Wredundant-decl. */
  25. DISABLE_GCC_WARNING(redundant-decls)
  26. #include <openssl/opensslv.h>
  27. #include "crypto.h"
  28. #ifdef OPENSSL_NO_EC
  29. #error "We require OpenSSL with ECC support"
  30. #endif
  31. #include <openssl/ssl.h>
  32. #include <openssl/ssl3.h>
  33. #include <openssl/err.h>
  34. #include <openssl/tls1.h>
  35. #include <openssl/asn1.h>
  36. #include <openssl/bio.h>
  37. #include <openssl/bn.h>
  38. #include <openssl/rsa.h>
  39. ENABLE_GCC_WARNING(redundant-decls)
  40. #define TORTLS_PRIVATE
  41. #include "tortls.h"
  42. #include "util.h"
  43. #include "torlog.h"
  44. #include "container.h"
  45. #include <string.h>
  46. #define X509_get_notBefore_const(cert) \
  47. ((const ASN1_TIME*) X509_get_notBefore((X509 *)cert))
  48. #define X509_get_notAfter_const(cert) \
  49. ((const ASN1_TIME*) X509_get_notAfter((X509 *)cert))
  50. /* Copied from or.h */
  51. #define LEGAL_NICKNAME_CHARACTERS \
  52. "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
  53. /** How long do identity certificates live? (sec) */
  54. #define IDENTITY_CERT_LIFETIME (365*24*60*60)
  55. #define ADDR(tls) (((tls) && (tls)->address) ? tls->address : "peer")
  56. #if OPENSSL_VERSION_NUMBER < OPENSSL_V(1,0,0,'f')
  57. /* This is a version of OpenSSL before 1.0.0f. It does not have
  58. * the CVE-2011-4576 fix, and as such it can't use RELEASE_BUFFERS and
  59. * SSL3 safely at the same time.
  60. */
  61. #define DISABLE_SSL3_HANDSHAKE
  62. #endif /* OPENSSL_VERSION_NUMBER < OPENSSL_V(1,0,0,'f') */
  63. /* We redefine these so that we can run correctly even if the vendor gives us
  64. * a version of OpenSSL that does not match its header files. (Apple: I am
  65. * looking at you.)
  66. */
  67. #ifndef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
  68. #define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0x00040000L
  69. #endif
  70. #ifndef SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
  71. #define SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0x0010
  72. #endif
  73. /** Return values for tor_tls_classify_client_ciphers.
  74. *
  75. * @{
  76. */
  77. /** An error occurred when examining the client ciphers */
  78. #define CIPHERS_ERR -1
  79. /** The client cipher list indicates that a v1 handshake was in use. */
  80. #define CIPHERS_V1 1
  81. /** The client cipher list indicates that the client is using the v2 or the
  82. * v3 handshake, but that it is (probably!) lying about what ciphers it
  83. * supports */
  84. #define CIPHERS_V2 2
  85. /** The client cipher list indicates that the client is using the v2 or the
  86. * v3 handshake, and that it is telling the truth about what ciphers it
  87. * supports */
  88. #define CIPHERS_UNRESTRICTED 3
  89. /** @} */
  90. /** The ex_data index in which we store a pointer to an SSL object's
  91. * corresponding tor_tls_t object. */
  92. STATIC int tor_tls_object_ex_data_index = -1;
  93. /** Helper: Allocate tor_tls_object_ex_data_index. */
  94. STATIC void
  95. tor_tls_allocate_tor_tls_object_ex_data_index(void)
  96. {
  97. if (tor_tls_object_ex_data_index == -1) {
  98. tor_tls_object_ex_data_index =
  99. SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
  100. tor_assert(tor_tls_object_ex_data_index != -1);
  101. }
  102. }
  103. /** Helper: given a SSL* pointer, return the tor_tls_t object using that
  104. * pointer. */
  105. STATIC tor_tls_t *
  106. tor_tls_get_by_ssl(const SSL *ssl)
  107. {
  108. tor_tls_t *result = SSL_get_ex_data(ssl, tor_tls_object_ex_data_index);
  109. if (result)
  110. tor_assert(result->magic == TOR_TLS_MAGIC);
  111. return result;
  112. }
  113. static void tor_tls_context_decref(tor_tls_context_t *ctx);
  114. static void tor_tls_context_incref(tor_tls_context_t *ctx);
  115. static int check_cert_lifetime_internal(int severity, const X509 *cert,
  116. time_t now,
  117. int past_tolerance, int future_tolerance);
  118. /** Global TLS contexts. We keep them here because nobody else needs
  119. * to touch them.
  120. *
  121. * @{ */
  122. STATIC tor_tls_context_t *server_tls_context = NULL;
  123. STATIC tor_tls_context_t *client_tls_context = NULL;
  124. /**@}*/
  125. /** True iff tor_tls_init() has been called. */
  126. static int tls_library_is_initialized = 0;
  127. /* Module-internal error codes. */
  128. #define TOR_TLS_SYSCALL_ (MIN_TOR_TLS_ERROR_VAL_ - 2)
  129. #define TOR_TLS_ZERORETURN_ (MIN_TOR_TLS_ERROR_VAL_ - 1)
  130. /** Write a description of the current state of <b>tls</b> into the
  131. * <b>sz</b>-byte buffer at <b>buf</b>. */
  132. void
  133. tor_tls_get_state_description(tor_tls_t *tls, char *buf, size_t sz)
  134. {
  135. const char *ssl_state;
  136. const char *tortls_state;
  137. if (PREDICT_UNLIKELY(!tls || !tls->ssl)) {
  138. strlcpy(buf, "(No SSL object)", sz);
  139. return;
  140. }
  141. ssl_state = SSL_state_string_long(tls->ssl);
  142. switch (tls->state) {
  143. #define CASE(st) case TOR_TLS_ST_##st: tortls_state = " in "#st ; break
  144. CASE(HANDSHAKE);
  145. CASE(OPEN);
  146. CASE(GOTCLOSE);
  147. CASE(SENTCLOSE);
  148. CASE(CLOSED);
  149. CASE(RENEGOTIATE);
  150. #undef CASE
  151. case TOR_TLS_ST_BUFFEREVENT:
  152. tortls_state = "";
  153. break;
  154. default:
  155. tortls_state = " in unknown TLS state";
  156. break;
  157. }
  158. tor_snprintf(buf, sz, "%s%s", ssl_state, tortls_state);
  159. }
  160. /** Log a single error <b>err</b> as returned by ERR_get_error(), which was
  161. * received while performing an operation <b>doing</b> on <b>tls</b>. Log
  162. * the message at <b>severity</b>, in log domain <b>domain</b>. */
  163. void
  164. tor_tls_log_one_error(tor_tls_t *tls, unsigned long err,
  165. int severity, int domain, const char *doing)
  166. {
  167. const char *state = NULL, *addr;
  168. const char *msg, *lib, *func;
  169. state = (tls && tls->ssl)?SSL_state_string_long(tls->ssl):"---";
  170. addr = tls ? tls->address : NULL;
  171. /* Some errors are known-benign, meaning they are the fault of the other
  172. * side of the connection. The caller doesn't know this, so override the
  173. * priority for those cases. */
  174. switch (ERR_GET_REASON(err)) {
  175. case SSL_R_HTTP_REQUEST:
  176. case SSL_R_HTTPS_PROXY_REQUEST:
  177. case SSL_R_RECORD_LENGTH_MISMATCH:
  178. #ifndef OPENSSL_1_1_API
  179. case SSL_R_RECORD_TOO_LARGE:
  180. #endif
  181. case SSL_R_UNKNOWN_PROTOCOL:
  182. case SSL_R_UNSUPPORTED_PROTOCOL:
  183. severity = LOG_INFO;
  184. break;
  185. default:
  186. break;
  187. }
  188. msg = (const char*)ERR_reason_error_string(err);
  189. lib = (const char*)ERR_lib_error_string(err);
  190. func = (const char*)ERR_func_error_string(err);
  191. if (!msg) msg = "(null)";
  192. if (!lib) lib = "(null)";
  193. if (!func) func = "(null)";
  194. if (doing) {
  195. tor_log(severity, domain, "TLS error while %s%s%s: %s (in %s:%s:%s)",
  196. doing, addr?" with ":"", addr?addr:"",
  197. msg, lib, func, state);
  198. } else {
  199. tor_log(severity, domain, "TLS error%s%s: %s (in %s:%s:%s)",
  200. addr?" with ":"", addr?addr:"",
  201. msg, lib, func, state);
  202. }
  203. }
  204. /** Log all pending tls errors at level <b>severity</b> in log domain
  205. * <b>domain</b>. Use <b>doing</b> to describe our current activities.
  206. */
  207. STATIC void
  208. tls_log_errors(tor_tls_t *tls, int severity, int domain, const char *doing)
  209. {
  210. unsigned long err;
  211. while ((err = ERR_get_error()) != 0) {
  212. tor_tls_log_one_error(tls, err, severity, domain, doing);
  213. }
  214. }
  215. /** Convert an errno (or a WSAerrno on windows) into a TOR_TLS_* error
  216. * code. */
  217. STATIC int
  218. tor_errno_to_tls_error(int e)
  219. {
  220. switch (e) {
  221. case SOCK_ERRNO(ECONNRESET): // most common
  222. return TOR_TLS_ERROR_CONNRESET;
  223. case SOCK_ERRNO(ETIMEDOUT):
  224. return TOR_TLS_ERROR_TIMEOUT;
  225. case SOCK_ERRNO(EHOSTUNREACH):
  226. case SOCK_ERRNO(ENETUNREACH):
  227. return TOR_TLS_ERROR_NO_ROUTE;
  228. case SOCK_ERRNO(ECONNREFUSED):
  229. return TOR_TLS_ERROR_CONNREFUSED; // least common
  230. default:
  231. return TOR_TLS_ERROR_MISC;
  232. }
  233. }
  234. /** Given a TOR_TLS_* error code, return a string equivalent. */
  235. const char *
  236. tor_tls_err_to_string(int err)
  237. {
  238. if (err >= 0)
  239. return "[Not an error.]";
  240. switch (err) {
  241. case TOR_TLS_ERROR_MISC: return "misc error";
  242. case TOR_TLS_ERROR_IO: return "unexpected close";
  243. case TOR_TLS_ERROR_CONNREFUSED: return "connection refused";
  244. case TOR_TLS_ERROR_CONNRESET: return "connection reset";
  245. case TOR_TLS_ERROR_NO_ROUTE: return "host unreachable";
  246. case TOR_TLS_ERROR_TIMEOUT: return "connection timed out";
  247. case TOR_TLS_CLOSE: return "closed";
  248. case TOR_TLS_WANTREAD: return "want to read";
  249. case TOR_TLS_WANTWRITE: return "want to write";
  250. default: return "(unknown error code)";
  251. }
  252. }
  253. #define CATCH_SYSCALL 1
  254. #define CATCH_ZERO 2
  255. /** Given a TLS object and the result of an SSL_* call, use
  256. * SSL_get_error to determine whether an error has occurred, and if so
  257. * which one. Return one of TOR_TLS_{DONE|WANTREAD|WANTWRITE|ERROR}.
  258. * If extra&CATCH_SYSCALL is true, return TOR_TLS_SYSCALL_ instead of
  259. * reporting syscall errors. If extra&CATCH_ZERO is true, return
  260. * TOR_TLS_ZERORETURN_ instead of reporting zero-return errors.
  261. *
  262. * If an error has occurred, log it at level <b>severity</b> and describe the
  263. * current action as <b>doing</b>.
  264. */
  265. STATIC int
  266. tor_tls_get_error(tor_tls_t *tls, int r, int extra,
  267. const char *doing, int severity, int domain)
  268. {
  269. int err = SSL_get_error(tls->ssl, r);
  270. int tor_error = TOR_TLS_ERROR_MISC;
  271. switch (err) {
  272. case SSL_ERROR_NONE:
  273. return TOR_TLS_DONE;
  274. case SSL_ERROR_WANT_READ:
  275. return TOR_TLS_WANTREAD;
  276. case SSL_ERROR_WANT_WRITE:
  277. return TOR_TLS_WANTWRITE;
  278. case SSL_ERROR_SYSCALL:
  279. if (extra&CATCH_SYSCALL)
  280. return TOR_TLS_SYSCALL_;
  281. if (r == 0) {
  282. tor_log(severity, LD_NET, "TLS error: unexpected close while %s (%s)",
  283. doing, SSL_state_string_long(tls->ssl));
  284. tor_error = TOR_TLS_ERROR_IO;
  285. } else {
  286. int e = tor_socket_errno(tls->socket);
  287. tor_log(severity, LD_NET,
  288. "TLS error: <syscall error while %s> (errno=%d: %s; state=%s)",
  289. doing, e, tor_socket_strerror(e),
  290. SSL_state_string_long(tls->ssl));
  291. tor_error = tor_errno_to_tls_error(e);
  292. }
  293. tls_log_errors(tls, severity, domain, doing);
  294. return tor_error;
  295. case SSL_ERROR_ZERO_RETURN:
  296. if (extra&CATCH_ZERO)
  297. return TOR_TLS_ZERORETURN_;
  298. tor_log(severity, LD_NET, "TLS connection closed while %s in state %s",
  299. doing, SSL_state_string_long(tls->ssl));
  300. tls_log_errors(tls, severity, domain, doing);
  301. return TOR_TLS_CLOSE;
  302. default:
  303. tls_log_errors(tls, severity, domain, doing);
  304. return TOR_TLS_ERROR_MISC;
  305. }
  306. }
  307. /** Initialize OpenSSL, unless it has already been initialized.
  308. */
  309. static void
  310. tor_tls_init(void)
  311. {
  312. check_no_tls_errors();
  313. if (!tls_library_is_initialized) {
  314. SSL_library_init();
  315. SSL_load_error_strings();
  316. #if (SIZEOF_VOID_P >= 8 && \
  317. OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,0,1))
  318. long version = OpenSSL_version_num();
  319. /* LCOV_EXCL_START : we can't test these lines on the same machine */
  320. if (version >= OPENSSL_V_SERIES(1,0,1)) {
  321. /* Warn if we could *almost* be running with much faster ECDH.
  322. If we're built for a 64-bit target, using OpenSSL 1.0.1, but we
  323. don't have one of the built-in __uint128-based speedups, we are
  324. just one build operation away from an accelerated handshake.
  325. (We could be looking at OPENSSL_NO_EC_NISTP_64_GCC_128 instead of
  326. doing this test, but that gives compile-time options, not runtime
  327. behavior.)
  328. */
  329. EC_KEY *key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
  330. const EC_GROUP *g = key ? EC_KEY_get0_group(key) : NULL;
  331. const EC_METHOD *m = g ? EC_GROUP_method_of(g) : NULL;
  332. const int warn = (m == EC_GFp_simple_method() ||
  333. m == EC_GFp_mont_method() ||
  334. m == EC_GFp_nist_method());
  335. EC_KEY_free(key);
  336. if (warn)
  337. log_notice(LD_GENERAL, "We were built to run on a 64-bit CPU, with "
  338. "OpenSSL 1.0.1 or later, but with a version of OpenSSL "
  339. "that apparently lacks accelerated support for the NIST "
  340. "P-224 and P-256 groups. Building openssl with such "
  341. "support (using the enable-ec_nistp_64_gcc_128 option "
  342. "when configuring it) would make ECDH much faster.");
  343. }
  344. /* LCOV_EXCL_STOP */
  345. #endif /* (SIZEOF_VOID_P >= 8 && ... */
  346. tor_tls_allocate_tor_tls_object_ex_data_index();
  347. tls_library_is_initialized = 1;
  348. }
  349. }
  350. /** Free all global TLS structures. */
  351. void
  352. tor_tls_free_all(void)
  353. {
  354. check_no_tls_errors();
  355. if (server_tls_context) {
  356. tor_tls_context_t *ctx = server_tls_context;
  357. server_tls_context = NULL;
  358. tor_tls_context_decref(ctx);
  359. }
  360. if (client_tls_context) {
  361. tor_tls_context_t *ctx = client_tls_context;
  362. client_tls_context = NULL;
  363. tor_tls_context_decref(ctx);
  364. }
  365. }
  366. /** We need to give OpenSSL a callback to verify certificates. This is
  367. * it: We always accept peer certs and complete the handshake. We
  368. * don't validate them until later.
  369. */
  370. STATIC int
  371. always_accept_verify_cb(int preverify_ok,
  372. X509_STORE_CTX *x509_ctx)
  373. {
  374. (void) preverify_ok;
  375. (void) x509_ctx;
  376. return 1;
  377. }
  378. /** Return a newly allocated X509 name with commonName <b>cname</b>. */
  379. static X509_NAME *
  380. tor_x509_name_new(const char *cname)
  381. {
  382. int nid;
  383. X509_NAME *name;
  384. /* LCOV_EXCL_BR_START : these branches will only fail on OOM errors */
  385. if (!(name = X509_NAME_new()))
  386. return NULL;
  387. if ((nid = OBJ_txt2nid("commonName")) == NID_undef) goto error;
  388. if (!(X509_NAME_add_entry_by_NID(name, nid, MBSTRING_ASC,
  389. (unsigned char*)cname, -1, -1, 0)))
  390. goto error;
  391. /* LCOV_EXCL_BR_STOP */
  392. return name;
  393. /* LCOV_EXCL_START : these lines will only execute on out of memory errors*/
  394. error:
  395. X509_NAME_free(name);
  396. return NULL;
  397. /* LCOV_EXCL_STOP */
  398. }
  399. /** Generate and sign an X509 certificate with the public key <b>rsa</b>,
  400. * signed by the private key <b>rsa_sign</b>. The commonName of the
  401. * certificate will be <b>cname</b>; the commonName of the issuer will be
  402. * <b>cname_sign</b>. The cert will be valid for <b>cert_lifetime</b>
  403. * seconds, starting from some time in the past.
  404. *
  405. * Return a certificate on success, NULL on failure.
  406. */
  407. MOCK_IMPL(STATIC X509 *,
  408. tor_tls_create_certificate,(crypto_pk_t *rsa,
  409. crypto_pk_t *rsa_sign,
  410. const char *cname,
  411. const char *cname_sign,
  412. unsigned int cert_lifetime))
  413. {
  414. /* OpenSSL generates self-signed certificates with random 64-bit serial
  415. * numbers, so let's do that too. */
  416. #define SERIAL_NUMBER_SIZE 8
  417. time_t start_time, end_time;
  418. BIGNUM *serial_number = NULL;
  419. unsigned char serial_tmp[SERIAL_NUMBER_SIZE];
  420. EVP_PKEY *sign_pkey = NULL, *pkey=NULL;
  421. X509 *x509 = NULL;
  422. X509_NAME *name = NULL, *name_issuer=NULL;
  423. tor_tls_init();
  424. /* Make sure we're part-way through the certificate lifetime, rather
  425. * than having it start right now. Don't choose quite uniformly, since
  426. * then we might pick a time where we're about to expire. Lastly, be
  427. * sure to start on a day boundary. */
  428. time_t now = time(NULL);
  429. /* Our certificate lifetime will be cert_lifetime no matter what, but if we
  430. * start cert_lifetime in the past, we'll have 0 real lifetime. instead we
  431. * start up to (cert_lifetime - min_real_lifetime - start_granularity) in
  432. * the past. */
  433. const time_t min_real_lifetime = 24*3600;
  434. const time_t start_granularity = 24*3600;
  435. time_t earliest_start_time;
  436. /* Don't actually start in the future! */
  437. if (cert_lifetime <= min_real_lifetime + start_granularity) {
  438. earliest_start_time = now - 1;
  439. } else {
  440. earliest_start_time = now + min_real_lifetime + start_granularity
  441. - cert_lifetime;
  442. }
  443. start_time = crypto_rand_time_range(earliest_start_time, now);
  444. /* Round the start time back to the start of a day. */
  445. start_time -= start_time % start_granularity;
  446. end_time = start_time + cert_lifetime;
  447. tor_assert(rsa);
  448. tor_assert(cname);
  449. tor_assert(rsa_sign);
  450. tor_assert(cname_sign);
  451. if (!(sign_pkey = crypto_pk_get_evp_pkey_(rsa_sign,1)))
  452. goto error;
  453. if (!(pkey = crypto_pk_get_evp_pkey_(rsa,0)))
  454. goto error;
  455. if (!(x509 = X509_new()))
  456. goto error;
  457. if (!(X509_set_version(x509, 2)))
  458. goto error;
  459. { /* our serial number is 8 random bytes. */
  460. crypto_rand((char *)serial_tmp, sizeof(serial_tmp));
  461. if (!(serial_number = BN_bin2bn(serial_tmp, sizeof(serial_tmp), NULL)))
  462. goto error;
  463. if (!(BN_to_ASN1_INTEGER(serial_number, X509_get_serialNumber(x509))))
  464. goto error;
  465. }
  466. if (!(name = tor_x509_name_new(cname)))
  467. goto error;
  468. if (!(X509_set_subject_name(x509, name)))
  469. goto error;
  470. if (!(name_issuer = tor_x509_name_new(cname_sign)))
  471. goto error;
  472. if (!(X509_set_issuer_name(x509, name_issuer)))
  473. goto error;
  474. if (!X509_time_adj(X509_get_notBefore(x509),0,&start_time))
  475. goto error;
  476. if (!X509_time_adj(X509_get_notAfter(x509),0,&end_time))
  477. goto error;
  478. if (!X509_set_pubkey(x509, pkey))
  479. goto error;
  480. if (!X509_sign(x509, sign_pkey, EVP_sha256()))
  481. goto error;
  482. goto done;
  483. error:
  484. if (x509) {
  485. X509_free(x509);
  486. x509 = NULL;
  487. }
  488. done:
  489. tls_log_errors(NULL, LOG_WARN, LD_NET, "generating certificate");
  490. if (sign_pkey)
  491. EVP_PKEY_free(sign_pkey);
  492. if (pkey)
  493. EVP_PKEY_free(pkey);
  494. if (serial_number)
  495. BN_clear_free(serial_number);
  496. if (name)
  497. X509_NAME_free(name);
  498. if (name_issuer)
  499. X509_NAME_free(name_issuer);
  500. return x509;
  501. #undef SERIAL_NUMBER_SIZE
  502. }
  503. /** List of ciphers that servers should select from when the client might be
  504. * claiming extra unsupported ciphers in order to avoid fingerprinting. */
  505. #define SERVER_CIPHER_LIST \
  506. (TLS1_TXT_DHE_RSA_WITH_AES_256_SHA ":" \
  507. TLS1_TXT_DHE_RSA_WITH_AES_128_SHA)
  508. /** List of ciphers that servers should select from when we actually have
  509. * our choice of what cipher to use. */
  510. static const char UNRESTRICTED_SERVER_CIPHER_LIST[] =
  511. /* This list is autogenerated with the gen_server_ciphers.py script;
  512. * don't hand-edit it. */
  513. #ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  514. TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ":"
  515. #endif
  516. #ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  517. TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
  518. #endif
  519. #ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384
  520. TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384 ":"
  521. #endif
  522. #ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256
  523. TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256 ":"
  524. #endif
  525. #ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA
  526. TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA ":"
  527. #endif
  528. #ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA
  529. TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA ":"
  530. #endif
  531. #ifdef TLS1_TXT_DHE_RSA_WITH_AES_256_GCM_SHA384
  532. TLS1_TXT_DHE_RSA_WITH_AES_256_GCM_SHA384 ":"
  533. #endif
  534. #ifdef TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256
  535. TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256 ":"
  536. #endif
  537. #ifdef TLS1_TXT_DHE_RSA_WITH_AES_256_CCM
  538. TLS1_TXT_DHE_RSA_WITH_AES_256_CCM ":"
  539. #endif
  540. #ifdef TLS1_TXT_DHE_RSA_WITH_AES_128_CCM
  541. TLS1_TXT_DHE_RSA_WITH_AES_128_CCM ":"
  542. #endif
  543. #ifdef TLS1_TXT_DHE_RSA_WITH_AES_256_SHA256
  544. TLS1_TXT_DHE_RSA_WITH_AES_256_SHA256 ":"
  545. #endif
  546. #ifdef TLS1_TXT_DHE_RSA_WITH_AES_128_SHA256
  547. TLS1_TXT_DHE_RSA_WITH_AES_128_SHA256 ":"
  548. #endif
  549. /* Required */
  550. TLS1_TXT_DHE_RSA_WITH_AES_256_SHA ":"
  551. /* Required */
  552. TLS1_TXT_DHE_RSA_WITH_AES_128_SHA ":"
  553. #ifdef TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305
  554. TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305 ":"
  555. #endif
  556. #ifdef TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305
  557. TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305
  558. #endif
  559. ;
  560. /* Note: to set up your own private testing network with link crypto
  561. * disabled, set your Tors' cipher list to
  562. * (SSL3_TXT_RSA_NULL_SHA). If you do this, you won't be able to communicate
  563. * with any of the "real" Tors, though. */
  564. #define CIPHER(id, name) name ":"
  565. #define XCIPHER(id, name)
  566. /** List of ciphers that clients should advertise, omitting items that
  567. * our OpenSSL doesn't know about. */
  568. static const char CLIENT_CIPHER_LIST[] =
  569. #include "ciphers.inc"
  570. /* Tell it not to use SSLv2 ciphers, so that it can select an SSLv3 version
  571. * of any cipher we say. */
  572. "!SSLv2"
  573. ;
  574. #undef CIPHER
  575. #undef XCIPHER
  576. /** Free all storage held in <b>cert</b> */
  577. void
  578. tor_x509_cert_free_(tor_x509_cert_t *cert)
  579. {
  580. if (! cert)
  581. return;
  582. if (cert->cert)
  583. X509_free(cert->cert);
  584. tor_free(cert->encoded);
  585. memwipe(cert, 0x03, sizeof(*cert));
  586. /* LCOV_EXCL_BR_START since cert will never be NULL here */
  587. tor_free(cert);
  588. /* LCOV_EXCL_BR_STOP */
  589. }
  590. /**
  591. * Allocate a new tor_x509_cert_t to hold the certificate "x509_cert".
  592. *
  593. * Steals a reference to x509_cert.
  594. */
  595. MOCK_IMPL(STATIC tor_x509_cert_t *,
  596. tor_x509_cert_new,(X509 *x509_cert))
  597. {
  598. tor_x509_cert_t *cert;
  599. EVP_PKEY *pkey;
  600. RSA *rsa;
  601. int length;
  602. unsigned char *buf = NULL;
  603. if (!x509_cert)
  604. return NULL;
  605. length = i2d_X509(x509_cert, &buf);
  606. cert = tor_malloc_zero(sizeof(tor_x509_cert_t));
  607. if (length <= 0 || buf == NULL) {
  608. goto err;
  609. }
  610. cert->encoded_len = (size_t) length;
  611. cert->encoded = tor_malloc(length);
  612. memcpy(cert->encoded, buf, length);
  613. OPENSSL_free(buf);
  614. cert->cert = x509_cert;
  615. crypto_common_digests(&cert->cert_digests,
  616. (char*)cert->encoded, cert->encoded_len);
  617. if ((pkey = X509_get_pubkey(x509_cert)) &&
  618. (rsa = EVP_PKEY_get1_RSA(pkey))) {
  619. crypto_pk_t *pk = crypto_new_pk_from_rsa_(rsa);
  620. if (crypto_pk_get_common_digests(pk, &cert->pkey_digests) < 0) {
  621. crypto_pk_free(pk);
  622. EVP_PKEY_free(pkey);
  623. goto err;
  624. }
  625. cert->pkey_digests_set = 1;
  626. crypto_pk_free(pk);
  627. EVP_PKEY_free(pkey);
  628. }
  629. return cert;
  630. err:
  631. /* LCOV_EXCL_START for the same reason as the exclusion above */
  632. tor_free(cert);
  633. log_err(LD_CRYPTO, "Couldn't wrap encoded X509 certificate.");
  634. X509_free(x509_cert);
  635. return NULL;
  636. /* LCOV_EXCL_STOP */
  637. }
  638. /** Return a new copy of <b>cert</b>. */
  639. tor_x509_cert_t *
  640. tor_x509_cert_dup(const tor_x509_cert_t *cert)
  641. {
  642. tor_assert(cert);
  643. X509 *x509 = cert->cert;
  644. return tor_x509_cert_new(X509_dup(x509));
  645. }
  646. /** Read a DER-encoded X509 cert, of length exactly <b>certificate_len</b>,
  647. * from a <b>certificate</b>. Return a newly allocated tor_x509_cert_t on
  648. * success and NULL on failure. */
  649. tor_x509_cert_t *
  650. tor_x509_cert_decode(const uint8_t *certificate, size_t certificate_len)
  651. {
  652. X509 *x509;
  653. const unsigned char *cp = (const unsigned char *)certificate;
  654. tor_x509_cert_t *newcert;
  655. tor_assert(certificate);
  656. check_no_tls_errors();
  657. if (certificate_len > INT_MAX)
  658. goto err;
  659. x509 = d2i_X509(NULL, &cp, (int)certificate_len);
  660. if (!x509)
  661. goto err; /* Couldn't decode */
  662. if (cp - certificate != (int)certificate_len) {
  663. X509_free(x509);
  664. goto err; /* Didn't use all the bytes */
  665. }
  666. newcert = tor_x509_cert_new(x509);
  667. if (!newcert) {
  668. goto err;
  669. }
  670. if (newcert->encoded_len != certificate_len ||
  671. fast_memneq(newcert->encoded, certificate, certificate_len)) {
  672. /* Cert wasn't in DER */
  673. tor_x509_cert_free(newcert);
  674. goto err;
  675. }
  676. return newcert;
  677. err:
  678. tls_log_errors(NULL, LOG_INFO, LD_CRYPTO, "decoding a certificate");
  679. return NULL;
  680. }
  681. /** Set *<b>encoded_out</b> and *<b>size_out</b> to <b>cert</b>'s encoded DER
  682. * representation and length, respectively. */
  683. void
  684. tor_x509_cert_get_der(const tor_x509_cert_t *cert,
  685. const uint8_t **encoded_out, size_t *size_out)
  686. {
  687. tor_assert(cert);
  688. tor_assert(encoded_out);
  689. tor_assert(size_out);
  690. *encoded_out = cert->encoded;
  691. *size_out = cert->encoded_len;
  692. }
  693. /** Return a set of digests for the public key in <b>cert</b>, or NULL if this
  694. * cert's public key is not one we know how to take the digest of. */
  695. const common_digests_t *
  696. tor_x509_cert_get_id_digests(const tor_x509_cert_t *cert)
  697. {
  698. if (cert->pkey_digests_set)
  699. return &cert->pkey_digests;
  700. else
  701. return NULL;
  702. }
  703. /** Return a set of digests for the public key in <b>cert</b>. */
  704. const common_digests_t *
  705. tor_x509_cert_get_cert_digests(const tor_x509_cert_t *cert)
  706. {
  707. return &cert->cert_digests;
  708. }
  709. /** Remove a reference to <b>ctx</b>, and free it if it has no more
  710. * references. */
  711. static void
  712. tor_tls_context_decref(tor_tls_context_t *ctx)
  713. {
  714. tor_assert(ctx);
  715. if (--ctx->refcnt == 0) {
  716. SSL_CTX_free(ctx->ctx);
  717. tor_x509_cert_free(ctx->my_link_cert);
  718. tor_x509_cert_free(ctx->my_id_cert);
  719. tor_x509_cert_free(ctx->my_auth_cert);
  720. crypto_pk_free(ctx->link_key);
  721. crypto_pk_free(ctx->auth_key);
  722. /* LCOV_EXCL_BR_START since ctx will never be NULL here */
  723. tor_free(ctx);
  724. /* LCOV_EXCL_BR_STOP */
  725. }
  726. }
  727. /** Set *<b>link_cert_out</b> and *<b>id_cert_out</b> to the link certificate
  728. * and ID certificate that we're currently using for our V3 in-protocol
  729. * handshake's certificate chain. If <b>server</b> is true, provide the certs
  730. * that we use in server mode (auth, ID); otherwise, provide the certs that we
  731. * use in client mode. (link, ID) */
  732. int
  733. tor_tls_get_my_certs(int server,
  734. const tor_x509_cert_t **link_cert_out,
  735. const tor_x509_cert_t **id_cert_out)
  736. {
  737. tor_tls_context_t *ctx = server ? server_tls_context : client_tls_context;
  738. if (! ctx)
  739. return -1;
  740. if (link_cert_out)
  741. *link_cert_out = server ? ctx->my_link_cert : ctx->my_auth_cert;
  742. if (id_cert_out)
  743. *id_cert_out = ctx->my_id_cert;
  744. return 0;
  745. }
  746. /**
  747. * Return the authentication key that we use to authenticate ourselves as a
  748. * client in the V3 in-protocol handshake.
  749. */
  750. crypto_pk_t *
  751. tor_tls_get_my_client_auth_key(void)
  752. {
  753. if (! client_tls_context)
  754. return NULL;
  755. return client_tls_context->auth_key;
  756. }
  757. /**
  758. * Return a newly allocated copy of the public key that a certificate
  759. * certifies. Watch out! This returns NULL if the cert's key is not RSA.
  760. */
  761. crypto_pk_t *
  762. tor_tls_cert_get_key(tor_x509_cert_t *cert)
  763. {
  764. crypto_pk_t *result = NULL;
  765. EVP_PKEY *pkey = X509_get_pubkey(cert->cert);
  766. RSA *rsa;
  767. if (!pkey)
  768. return NULL;
  769. rsa = EVP_PKEY_get1_RSA(pkey);
  770. if (!rsa) {
  771. EVP_PKEY_free(pkey);
  772. return NULL;
  773. }
  774. result = crypto_new_pk_from_rsa_(rsa);
  775. EVP_PKEY_free(pkey);
  776. return result;
  777. }
  778. /** Return true iff the other side of <b>tls</b> has authenticated to us, and
  779. * the key certified in <b>cert</b> is the same as the key they used to do it.
  780. */
  781. MOCK_IMPL(int,
  782. tor_tls_cert_matches_key,(const tor_tls_t *tls, const tor_x509_cert_t *cert))
  783. {
  784. X509 *peercert = SSL_get_peer_certificate(tls->ssl);
  785. EVP_PKEY *link_key = NULL, *cert_key = NULL;
  786. int result;
  787. if (!peercert)
  788. return 0;
  789. link_key = X509_get_pubkey(peercert);
  790. cert_key = X509_get_pubkey(cert->cert);
  791. result = link_key && cert_key && EVP_PKEY_cmp(cert_key, link_key) == 1;
  792. X509_free(peercert);
  793. if (link_key)
  794. EVP_PKEY_free(link_key);
  795. if (cert_key)
  796. EVP_PKEY_free(cert_key);
  797. return result;
  798. }
  799. /** Check whether <b>cert</b> is well-formed, currently live, and correctly
  800. * signed by the public key in <b>signing_cert</b>. If <b>check_rsa_1024</b>,
  801. * make sure that it has an RSA key with 1024 bits; otherwise, just check that
  802. * the key is long enough. Return 1 if the cert is good, and 0 if it's bad or
  803. * we couldn't check it. */
  804. int
  805. tor_tls_cert_is_valid(int severity,
  806. const tor_x509_cert_t *cert,
  807. const tor_x509_cert_t *signing_cert,
  808. time_t now,
  809. int check_rsa_1024)
  810. {
  811. check_no_tls_errors();
  812. EVP_PKEY *cert_key;
  813. int r, key_ok = 0;
  814. if (!signing_cert || !cert)
  815. goto bad;
  816. EVP_PKEY *signing_key = X509_get_pubkey(signing_cert->cert);
  817. if (!signing_key)
  818. goto bad;
  819. r = X509_verify(cert->cert, signing_key);
  820. EVP_PKEY_free(signing_key);
  821. if (r <= 0)
  822. goto bad;
  823. /* okay, the signature checked out right. Now let's check the check the
  824. * lifetime. */
  825. if (check_cert_lifetime_internal(severity, cert->cert, now,
  826. 48*60*60, 30*24*60*60) < 0)
  827. goto bad;
  828. cert_key = X509_get_pubkey(cert->cert);
  829. if (check_rsa_1024 && cert_key) {
  830. RSA *rsa = EVP_PKEY_get1_RSA(cert_key);
  831. #ifdef OPENSSL_1_1_API
  832. if (rsa && RSA_bits(rsa) == 1024)
  833. #else
  834. if (rsa && BN_num_bits(rsa->n) == 1024)
  835. #endif
  836. key_ok = 1;
  837. if (rsa)
  838. RSA_free(rsa);
  839. } else if (cert_key) {
  840. int min_bits = 1024;
  841. #ifdef EVP_PKEY_EC
  842. if (EVP_PKEY_base_id(cert_key) == EVP_PKEY_EC)
  843. min_bits = 128;
  844. #endif
  845. if (EVP_PKEY_bits(cert_key) >= min_bits)
  846. key_ok = 1;
  847. }
  848. EVP_PKEY_free(cert_key);
  849. if (!key_ok)
  850. goto bad;
  851. /* XXXX compare DNs or anything? */
  852. return 1;
  853. bad:
  854. tls_log_errors(NULL, LOG_INFO, LD_CRYPTO, "checking a certificate");
  855. return 0;
  856. }
  857. /** Increase the reference count of <b>ctx</b>. */
  858. static void
  859. tor_tls_context_incref(tor_tls_context_t *ctx)
  860. {
  861. ++ctx->refcnt;
  862. }
  863. /** Create new global client and server TLS contexts.
  864. *
  865. * If <b>server_identity</b> is NULL, this will not generate a server
  866. * TLS context. If TOR_TLS_CTX_IS_PUBLIC_SERVER is set in <b>flags</b>, use
  867. * the same TLS context for incoming and outgoing connections, and
  868. * ignore <b>client_identity</b>. If one of TOR_TLS_CTX_USE_ECDHE_P{224,256}
  869. * is set in <b>flags</b>, use that ECDHE group if possible; otherwise use
  870. * the default ECDHE group. */
  871. int
  872. tor_tls_context_init(unsigned flags,
  873. crypto_pk_t *client_identity,
  874. crypto_pk_t *server_identity,
  875. unsigned int key_lifetime)
  876. {
  877. int rv1 = 0;
  878. int rv2 = 0;
  879. const int is_public_server = flags & TOR_TLS_CTX_IS_PUBLIC_SERVER;
  880. check_no_tls_errors();
  881. if (is_public_server) {
  882. tor_tls_context_t *new_ctx;
  883. tor_tls_context_t *old_ctx;
  884. tor_assert(server_identity != NULL);
  885. rv1 = tor_tls_context_init_one(&server_tls_context,
  886. server_identity,
  887. key_lifetime, flags, 0);
  888. if (rv1 >= 0) {
  889. new_ctx = server_tls_context;
  890. tor_tls_context_incref(new_ctx);
  891. old_ctx = client_tls_context;
  892. client_tls_context = new_ctx;
  893. if (old_ctx != NULL) {
  894. tor_tls_context_decref(old_ctx);
  895. }
  896. }
  897. } else {
  898. if (server_identity != NULL) {
  899. rv1 = tor_tls_context_init_one(&server_tls_context,
  900. server_identity,
  901. key_lifetime,
  902. flags,
  903. 0);
  904. } else {
  905. tor_tls_context_t *old_ctx = server_tls_context;
  906. server_tls_context = NULL;
  907. if (old_ctx != NULL) {
  908. tor_tls_context_decref(old_ctx);
  909. }
  910. }
  911. rv2 = tor_tls_context_init_one(&client_tls_context,
  912. client_identity,
  913. key_lifetime,
  914. flags,
  915. 1);
  916. }
  917. tls_log_errors(NULL, LOG_WARN, LD_CRYPTO, "constructing a TLS context");
  918. return MIN(rv1, rv2);
  919. }
  920. /** Create a new global TLS context.
  921. *
  922. * You can call this function multiple times. Each time you call it,
  923. * it generates new certificates; all new connections will use
  924. * the new SSL context.
  925. */
  926. STATIC int
  927. tor_tls_context_init_one(tor_tls_context_t **ppcontext,
  928. crypto_pk_t *identity,
  929. unsigned int key_lifetime,
  930. unsigned int flags,
  931. int is_client)
  932. {
  933. tor_tls_context_t *new_ctx = tor_tls_context_new(identity,
  934. key_lifetime,
  935. flags,
  936. is_client);
  937. tor_tls_context_t *old_ctx = *ppcontext;
  938. if (new_ctx != NULL) {
  939. *ppcontext = new_ctx;
  940. /* Free the old context if one existed. */
  941. if (old_ctx != NULL) {
  942. /* This is safe even if there are open connections: we reference-
  943. * count tor_tls_context_t objects. */
  944. tor_tls_context_decref(old_ctx);
  945. }
  946. }
  947. return ((new_ctx != NULL) ? 0 : -1);
  948. }
  949. /** The group we should use for ecdhe when none was selected. */
  950. #define NID_tor_default_ecdhe_group NID_X9_62_prime256v1
  951. #define RSA_LINK_KEY_BITS 2048
  952. /** Create a new TLS context for use with Tor TLS handshakes.
  953. * <b>identity</b> should be set to the identity key used to sign the
  954. * certificate.
  955. */
  956. STATIC tor_tls_context_t *
  957. tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime,
  958. unsigned flags, int is_client)
  959. {
  960. crypto_pk_t *rsa = NULL, *rsa_auth = NULL;
  961. EVP_PKEY *pkey = NULL;
  962. tor_tls_context_t *result = NULL;
  963. X509 *cert = NULL, *idcert = NULL, *authcert = NULL;
  964. char *nickname = NULL, *nn2 = NULL;
  965. tor_tls_init();
  966. nickname = crypto_random_hostname(8, 20, "www.", ".net");
  967. #ifdef DISABLE_V3_LINKPROTO_SERVERSIDE
  968. nn2 = crypto_random_hostname(8, 20, "www.", ".net");
  969. #else
  970. nn2 = crypto_random_hostname(8, 20, "www.", ".com");
  971. #endif
  972. /* Generate short-term RSA key for use with TLS. */
  973. if (!(rsa = crypto_pk_new()))
  974. goto error;
  975. if (crypto_pk_generate_key_with_bits(rsa, RSA_LINK_KEY_BITS)<0)
  976. goto error;
  977. if (!is_client) {
  978. /* Generate short-term RSA key for use in the in-protocol ("v3")
  979. * authentication handshake. */
  980. if (!(rsa_auth = crypto_pk_new()))
  981. goto error;
  982. if (crypto_pk_generate_key(rsa_auth)<0)
  983. goto error;
  984. /* Create a link certificate signed by identity key. */
  985. cert = tor_tls_create_certificate(rsa, identity, nickname, nn2,
  986. key_lifetime);
  987. /* Create self-signed certificate for identity key. */
  988. idcert = tor_tls_create_certificate(identity, identity, nn2, nn2,
  989. IDENTITY_CERT_LIFETIME);
  990. /* Create an authentication certificate signed by identity key. */
  991. authcert = tor_tls_create_certificate(rsa_auth, identity, nickname, nn2,
  992. key_lifetime);
  993. if (!cert || !idcert || !authcert) {
  994. log_warn(LD_CRYPTO, "Error creating certificate");
  995. goto error;
  996. }
  997. }
  998. result = tor_malloc_zero(sizeof(tor_tls_context_t));
  999. result->refcnt = 1;
  1000. if (!is_client) {
  1001. result->my_link_cert = tor_x509_cert_new(X509_dup(cert));
  1002. result->my_id_cert = tor_x509_cert_new(X509_dup(idcert));
  1003. result->my_auth_cert = tor_x509_cert_new(X509_dup(authcert));
  1004. if (!result->my_link_cert || !result->my_id_cert || !result->my_auth_cert)
  1005. goto error;
  1006. result->link_key = crypto_pk_dup_key(rsa);
  1007. result->auth_key = crypto_pk_dup_key(rsa_auth);
  1008. }
  1009. #if 0
  1010. /* Tell OpenSSL to only use TLS1. This may have subtly different results
  1011. * from SSLv23_method() with SSLv2 and SSLv3 disabled, so we need to do some
  1012. * investigation before we consider adjusting it. It should be compatible
  1013. * with existing Tors. */
  1014. if (!(result->ctx = SSL_CTX_new(TLSv1_method())))
  1015. goto error;
  1016. #endif /* 0 */
  1017. /* Tell OpenSSL to use TLS 1.0 or later but not SSL2 or SSL3. */
  1018. #ifdef HAVE_TLS_METHOD
  1019. if (!(result->ctx = SSL_CTX_new(TLS_method())))
  1020. goto error;
  1021. #else
  1022. if (!(result->ctx = SSL_CTX_new(SSLv23_method())))
  1023. goto error;
  1024. #endif /* defined(HAVE_TLS_METHOD) */
  1025. SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv2);
  1026. SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv3);
  1027. /* Prefer the server's ordering of ciphers: the client's ordering has
  1028. * historically been chosen for fingerprinting resistance. */
  1029. SSL_CTX_set_options(result->ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
  1030. /* Disable TLS tickets if they're supported. We never want to use them;
  1031. * using them can make our perfect forward secrecy a little worse, *and*
  1032. * create an opportunity to fingerprint us (since it's unusual to use them
  1033. * with TLS sessions turned off).
  1034. *
  1035. * In 0.2.4, clients advertise support for them though, to avoid a TLS
  1036. * distinguishability vector. This can give us worse PFS, though, if we
  1037. * get a server that doesn't set SSL_OP_NO_TICKET. With luck, there will
  1038. * be few such servers by the time 0.2.4 is more stable.
  1039. */
  1040. #ifdef SSL_OP_NO_TICKET
  1041. if (! is_client) {
  1042. SSL_CTX_set_options(result->ctx, SSL_OP_NO_TICKET);
  1043. }
  1044. #endif
  1045. SSL_CTX_set_options(result->ctx, SSL_OP_SINGLE_DH_USE);
  1046. SSL_CTX_set_options(result->ctx, SSL_OP_SINGLE_ECDH_USE);
  1047. #ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
  1048. SSL_CTX_set_options(result->ctx,
  1049. SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
  1050. #endif
  1051. /* Yes, we know what we are doing here. No, we do not treat a renegotiation
  1052. * as authenticating any earlier-received data.
  1053. */
  1054. {
  1055. SSL_CTX_set_options(result->ctx,
  1056. SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
  1057. }
  1058. /* Don't actually allow compression; it uses RAM and time, it makes TLS
  1059. * vulnerable to CRIME-style attacks, and most of the data we transmit over
  1060. * TLS is encrypted (and therefore uncompressible) anyway. */
  1061. #ifdef SSL_OP_NO_COMPRESSION
  1062. SSL_CTX_set_options(result->ctx, SSL_OP_NO_COMPRESSION);
  1063. #endif
  1064. #if OPENSSL_VERSION_NUMBER < OPENSSL_V_SERIES(1,1,0)
  1065. #ifndef OPENSSL_NO_COMP
  1066. if (result->ctx->comp_methods)
  1067. result->ctx->comp_methods = NULL;
  1068. #endif
  1069. #endif /* OPENSSL_VERSION_NUMBER < OPENSSL_V_SERIES(1,1,0) */
  1070. #ifdef SSL_MODE_RELEASE_BUFFERS
  1071. SSL_CTX_set_mode(result->ctx, SSL_MODE_RELEASE_BUFFERS);
  1072. #endif
  1073. if (! is_client) {
  1074. if (cert && !SSL_CTX_use_certificate(result->ctx,cert))
  1075. goto error;
  1076. X509_free(cert); /* We just added a reference to cert. */
  1077. cert=NULL;
  1078. if (idcert) {
  1079. X509_STORE *s = SSL_CTX_get_cert_store(result->ctx);
  1080. tor_assert(s);
  1081. X509_STORE_add_cert(s, idcert);
  1082. X509_free(idcert); /* The context now owns the reference to idcert */
  1083. idcert = NULL;
  1084. }
  1085. }
  1086. SSL_CTX_set_session_cache_mode(result->ctx, SSL_SESS_CACHE_OFF);
  1087. if (!is_client) {
  1088. tor_assert(rsa);
  1089. if (!(pkey = crypto_pk_get_evp_pkey_(rsa,1)))
  1090. goto error;
  1091. if (!SSL_CTX_use_PrivateKey(result->ctx, pkey))
  1092. goto error;
  1093. EVP_PKEY_free(pkey);
  1094. pkey = NULL;
  1095. if (!SSL_CTX_check_private_key(result->ctx))
  1096. goto error;
  1097. }
  1098. {
  1099. crypto_dh_t *dh = crypto_dh_new(DH_TYPE_TLS);
  1100. tor_assert(dh);
  1101. SSL_CTX_set_tmp_dh(result->ctx, crypto_dh_get_dh_(dh));
  1102. crypto_dh_free(dh);
  1103. }
  1104. if (! is_client) {
  1105. int nid;
  1106. EC_KEY *ec_key;
  1107. if (flags & TOR_TLS_CTX_USE_ECDHE_P224)
  1108. nid = NID_secp224r1;
  1109. else if (flags & TOR_TLS_CTX_USE_ECDHE_P256)
  1110. nid = NID_X9_62_prime256v1;
  1111. else
  1112. nid = NID_tor_default_ecdhe_group;
  1113. /* Use P-256 for ECDHE. */
  1114. ec_key = EC_KEY_new_by_curve_name(nid);
  1115. if (ec_key != NULL) /*XXXX Handle errors? */
  1116. SSL_CTX_set_tmp_ecdh(result->ctx, ec_key);
  1117. EC_KEY_free(ec_key);
  1118. }
  1119. SSL_CTX_set_verify(result->ctx, SSL_VERIFY_PEER,
  1120. always_accept_verify_cb);
  1121. /* let us realloc bufs that we're writing from */
  1122. SSL_CTX_set_mode(result->ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
  1123. if (rsa)
  1124. crypto_pk_free(rsa);
  1125. if (rsa_auth)
  1126. crypto_pk_free(rsa_auth);
  1127. X509_free(authcert);
  1128. tor_free(nickname);
  1129. tor_free(nn2);
  1130. return result;
  1131. error:
  1132. tls_log_errors(NULL, LOG_WARN, LD_NET, "creating TLS context");
  1133. tor_free(nickname);
  1134. tor_free(nn2);
  1135. if (pkey)
  1136. EVP_PKEY_free(pkey);
  1137. if (rsa)
  1138. crypto_pk_free(rsa);
  1139. if (rsa_auth)
  1140. crypto_pk_free(rsa_auth);
  1141. if (result)
  1142. tor_tls_context_decref(result);
  1143. if (cert)
  1144. X509_free(cert);
  1145. if (idcert)
  1146. X509_free(idcert);
  1147. if (authcert)
  1148. X509_free(authcert);
  1149. return NULL;
  1150. }
  1151. /** Invoked when a TLS state changes: log the change at severity 'debug' */
  1152. STATIC void
  1153. tor_tls_debug_state_callback(const SSL *ssl, int type, int val)
  1154. {
  1155. /* LCOV_EXCL_START since this depends on whether debug is captured or not */
  1156. log_debug(LD_HANDSHAKE, "SSL %p is now in state %s [type=%d,val=%d].",
  1157. ssl, SSL_state_string_long(ssl), type, val);
  1158. /* LCOV_EXCL_STOP */
  1159. }
  1160. /* Return the name of the negotiated ciphersuite in use on <b>tls</b> */
  1161. const char *
  1162. tor_tls_get_ciphersuite_name(tor_tls_t *tls)
  1163. {
  1164. return SSL_get_cipher(tls->ssl);
  1165. }
  1166. /* Here's the old V2 cipher list we sent from 0.2.1.1-alpha up to
  1167. * 0.2.3.17-beta. If a client is using this list, we can't believe the ciphers
  1168. * that it claims to support. We'll prune this list to remove the ciphers
  1169. * *we* don't recognize. */
  1170. STATIC uint16_t v2_cipher_list[] = {
  1171. 0xc00a, /* TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA */
  1172. 0xc014, /* TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA */
  1173. 0x0039, /* TLS1_TXT_DHE_RSA_WITH_AES_256_SHA */
  1174. 0x0038, /* TLS1_TXT_DHE_DSS_WITH_AES_256_SHA */
  1175. 0xc00f, /* TLS1_TXT_ECDH_RSA_WITH_AES_256_CBC_SHA */
  1176. 0xc005, /* TLS1_TXT_ECDH_ECDSA_WITH_AES_256_CBC_SHA */
  1177. 0x0035, /* TLS1_TXT_RSA_WITH_AES_256_SHA */
  1178. 0xc007, /* TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA */
  1179. 0xc009, /* TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA */
  1180. 0xc011, /* TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA */
  1181. 0xc013, /* TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA */
  1182. 0x0033, /* TLS1_TXT_DHE_RSA_WITH_AES_128_SHA */
  1183. 0x0032, /* TLS1_TXT_DHE_DSS_WITH_AES_128_SHA */
  1184. 0xc00c, /* TLS1_TXT_ECDH_RSA_WITH_RC4_128_SHA */
  1185. 0xc00e, /* TLS1_TXT_ECDH_RSA_WITH_AES_128_CBC_SHA */
  1186. 0xc002, /* TLS1_TXT_ECDH_ECDSA_WITH_RC4_128_SHA */
  1187. 0xc004, /* TLS1_TXT_ECDH_ECDSA_WITH_AES_128_CBC_SHA */
  1188. 0x0004, /* SSL3_TXT_RSA_RC4_128_MD5 */
  1189. 0x0005, /* SSL3_TXT_RSA_RC4_128_SHA */
  1190. 0x002f, /* TLS1_TXT_RSA_WITH_AES_128_SHA */
  1191. 0xc008, /* TLS1_TXT_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA */
  1192. 0xc012, /* TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA */
  1193. 0x0016, /* SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA */
  1194. 0x0013, /* SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA */
  1195. 0xc00d, /* TLS1_TXT_ECDH_RSA_WITH_DES_192_CBC3_SHA */
  1196. 0xc003, /* TLS1_TXT_ECDH_ECDSA_WITH_DES_192_CBC3_SHA */
  1197. 0xfeff, /* SSL3_TXT_RSA_FIPS_WITH_3DES_EDE_CBC_SHA */
  1198. 0x000a, /* SSL3_TXT_RSA_DES_192_CBC3_SHA */
  1199. 0
  1200. };
  1201. /** Have we removed the unrecognized ciphers from v2_cipher_list yet? */
  1202. static int v2_cipher_list_pruned = 0;
  1203. /** Return 0 if <b>m</b> does not support the cipher with ID <b>cipher</b>;
  1204. * return 1 if it does support it, or if we have no way to tell. */
  1205. STATIC int
  1206. find_cipher_by_id(const SSL *ssl, const SSL_METHOD *m, uint16_t cipher)
  1207. {
  1208. const SSL_CIPHER *c;
  1209. #ifdef HAVE_SSL_CIPHER_FIND
  1210. (void) m;
  1211. {
  1212. unsigned char cipherid[3];
  1213. tor_assert(ssl);
  1214. set_uint16(cipherid, htons(cipher));
  1215. cipherid[2] = 0; /* If ssl23_get_cipher_by_char finds no cipher starting
  1216. * with a two-byte 'cipherid', it may look for a v2
  1217. * cipher with the appropriate 3 bytes. */
  1218. c = SSL_CIPHER_find((SSL*)ssl, cipherid);
  1219. if (c)
  1220. tor_assert((SSL_CIPHER_get_id(c) & 0xffff) == cipher);
  1221. return c != NULL;
  1222. }
  1223. #else /* !(defined(HAVE_SSL_CIPHER_FIND)) */
  1224. # if defined(HAVE_STRUCT_SSL_METHOD_ST_GET_CIPHER_BY_CHAR)
  1225. if (m && m->get_cipher_by_char) {
  1226. unsigned char cipherid[3];
  1227. set_uint16(cipherid, htons(cipher));
  1228. cipherid[2] = 0; /* If ssl23_get_cipher_by_char finds no cipher starting
  1229. * with a two-byte 'cipherid', it may look for a v2
  1230. * cipher with the appropriate 3 bytes. */
  1231. c = m->get_cipher_by_char(cipherid);
  1232. if (c)
  1233. tor_assert((c->id & 0xffff) == cipher);
  1234. return c != NULL;
  1235. }
  1236. #endif /* defined(HAVE_STRUCT_SSL_METHOD_ST_GET_CIPHER_BY_CHAR) */
  1237. # ifndef OPENSSL_1_1_API
  1238. if (m && m->get_cipher && m->num_ciphers) {
  1239. /* It would seem that some of the "let's-clean-up-openssl" forks have
  1240. * removed the get_cipher_by_char function. Okay, so now you get a
  1241. * quadratic search.
  1242. */
  1243. int i;
  1244. for (i = 0; i < m->num_ciphers(); ++i) {
  1245. c = m->get_cipher(i);
  1246. if (c && (c->id & 0xffff) == cipher) {
  1247. return 1;
  1248. }
  1249. }
  1250. return 0;
  1251. }
  1252. #endif /* !defined(OPENSSL_1_1_API) */
  1253. (void) ssl;
  1254. (void) m;
  1255. (void) cipher;
  1256. return 1; /* No way to search */
  1257. #endif /* defined(HAVE_SSL_CIPHER_FIND) */
  1258. }
  1259. /** Remove from v2_cipher_list every cipher that we don't support, so that
  1260. * comparing v2_cipher_list to a client's cipher list will give a sensible
  1261. * result. */
  1262. static void
  1263. prune_v2_cipher_list(const SSL *ssl)
  1264. {
  1265. uint16_t *inp, *outp;
  1266. #ifdef HAVE_TLS_METHOD
  1267. const SSL_METHOD *m = TLS_method();
  1268. #else
  1269. const SSL_METHOD *m = SSLv23_method();
  1270. #endif
  1271. inp = outp = v2_cipher_list;
  1272. while (*inp) {
  1273. if (find_cipher_by_id(ssl, m, *inp)) {
  1274. *outp++ = *inp++;
  1275. } else {
  1276. inp++;
  1277. }
  1278. }
  1279. *outp = 0;
  1280. v2_cipher_list_pruned = 1;
  1281. }
  1282. /** Examine the client cipher list in <b>ssl</b>, and determine what kind of
  1283. * client it is. Return one of CIPHERS_ERR, CIPHERS_V1, CIPHERS_V2,
  1284. * CIPHERS_UNRESTRICTED.
  1285. **/
  1286. STATIC int
  1287. tor_tls_classify_client_ciphers(const SSL *ssl,
  1288. STACK_OF(SSL_CIPHER) *peer_ciphers)
  1289. {
  1290. int i, res;
  1291. tor_tls_t *tor_tls;
  1292. if (PREDICT_UNLIKELY(!v2_cipher_list_pruned))
  1293. prune_v2_cipher_list(ssl);
  1294. tor_tls = tor_tls_get_by_ssl(ssl);
  1295. if (tor_tls && tor_tls->client_cipher_list_type)
  1296. return tor_tls->client_cipher_list_type;
  1297. /* If we reached this point, we just got a client hello. See if there is
  1298. * a cipher list. */
  1299. if (!peer_ciphers) {
  1300. log_info(LD_NET, "No ciphers on session");
  1301. res = CIPHERS_ERR;
  1302. goto done;
  1303. }
  1304. /* Now we need to see if there are any ciphers whose presence means we're
  1305. * dealing with an updated Tor. */
  1306. for (i = 0; i < sk_SSL_CIPHER_num(peer_ciphers); ++i) {
  1307. const SSL_CIPHER *cipher = sk_SSL_CIPHER_value(peer_ciphers, i);
  1308. const char *ciphername = SSL_CIPHER_get_name(cipher);
  1309. if (strcmp(ciphername, TLS1_TXT_DHE_RSA_WITH_AES_128_SHA) &&
  1310. strcmp(ciphername, TLS1_TXT_DHE_RSA_WITH_AES_256_SHA) &&
  1311. strcmp(ciphername, SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA) &&
  1312. strcmp(ciphername, "(NONE)")) {
  1313. log_debug(LD_NET, "Got a non-version-1 cipher called '%s'", ciphername);
  1314. // return 1;
  1315. goto v2_or_higher;
  1316. }
  1317. }
  1318. res = CIPHERS_V1;
  1319. goto done;
  1320. v2_or_higher:
  1321. {
  1322. const uint16_t *v2_cipher = v2_cipher_list;
  1323. for (i = 0; i < sk_SSL_CIPHER_num(peer_ciphers); ++i) {
  1324. const SSL_CIPHER *cipher = sk_SSL_CIPHER_value(peer_ciphers, i);
  1325. uint16_t id = SSL_CIPHER_get_id(cipher) & 0xffff;
  1326. if (id == 0x00ff) /* extended renegotiation indicator. */
  1327. continue;
  1328. if (!id || id != *v2_cipher) {
  1329. res = CIPHERS_UNRESTRICTED;
  1330. goto dump_ciphers;
  1331. }
  1332. ++v2_cipher;
  1333. }
  1334. if (*v2_cipher != 0) {
  1335. res = CIPHERS_UNRESTRICTED;
  1336. goto dump_ciphers;
  1337. }
  1338. res = CIPHERS_V2;
  1339. }
  1340. dump_ciphers:
  1341. {
  1342. smartlist_t *elts = smartlist_new();
  1343. char *s;
  1344. for (i = 0; i < sk_SSL_CIPHER_num(peer_ciphers); ++i) {
  1345. const SSL_CIPHER *cipher = sk_SSL_CIPHER_value(peer_ciphers, i);
  1346. const char *ciphername = SSL_CIPHER_get_name(cipher);
  1347. smartlist_add(elts, (char*)ciphername);
  1348. }
  1349. s = smartlist_join_strings(elts, ":", 0, NULL);
  1350. log_debug(LD_NET, "Got a %s V2/V3 cipher list from %s. It is: '%s'",
  1351. (res == CIPHERS_V2) ? "fictitious" : "real", ADDR(tor_tls), s);
  1352. tor_free(s);
  1353. smartlist_free(elts);
  1354. }
  1355. done:
  1356. if (tor_tls)
  1357. return tor_tls->client_cipher_list_type = res;
  1358. return res;
  1359. }
  1360. /** Return true iff the cipher list suggested by the client for <b>ssl</b> is
  1361. * a list that indicates that the client knows how to do the v2 TLS connection
  1362. * handshake. */
  1363. STATIC int
  1364. tor_tls_client_is_using_v2_ciphers(const SSL *ssl)
  1365. {
  1366. STACK_OF(SSL_CIPHER) *ciphers;
  1367. #ifdef HAVE_SSL_GET_CLIENT_CIPHERS
  1368. ciphers = SSL_get_client_ciphers(ssl);
  1369. #else
  1370. SSL_SESSION *session;
  1371. if (!(session = SSL_get_session((SSL *)ssl))) {
  1372. log_info(LD_NET, "No session on TLS?");
  1373. return CIPHERS_ERR;
  1374. }
  1375. ciphers = session->ciphers;
  1376. #endif /* defined(HAVE_SSL_GET_CLIENT_CIPHERS) */
  1377. return tor_tls_classify_client_ciphers(ssl, ciphers) >= CIPHERS_V2;
  1378. }
  1379. /** Invoked when we're accepting a connection on <b>ssl</b>, and the connection
  1380. * changes state. We use this:
  1381. * <ul><li>To alter the state of the handshake partway through, so we
  1382. * do not send or request extra certificates in v2 handshakes.</li>
  1383. * <li>To detect renegotiation</li></ul>
  1384. */
  1385. STATIC void
  1386. tor_tls_server_info_callback(const SSL *ssl, int type, int val)
  1387. {
  1388. tor_tls_t *tls;
  1389. (void) val;
  1390. IF_BUG_ONCE(ssl == NULL) {
  1391. return; // LCOV_EXCL_LINE
  1392. }
  1393. tor_tls_debug_state_callback(ssl, type, val);
  1394. if (type != SSL_CB_ACCEPT_LOOP)
  1395. return;
  1396. OSSL_HANDSHAKE_STATE ssl_state = SSL_get_state(ssl);
  1397. if (! STATE_IS_SW_SERVER_HELLO(ssl_state))
  1398. return;
  1399. tls = tor_tls_get_by_ssl(ssl);
  1400. if (tls) {
  1401. /* Check whether we're watching for renegotiates. If so, this is one! */
  1402. if (tls->negotiated_callback)
  1403. tls->got_renegotiate = 1;
  1404. if (tls->server_handshake_count < 127) /*avoid any overflow possibility*/
  1405. ++tls->server_handshake_count;
  1406. } else {
  1407. log_warn(LD_BUG, "Couldn't look up the tls for an SSL*. How odd!");
  1408. return;
  1409. }
  1410. /* Now check the cipher list. */
  1411. if (tor_tls_client_is_using_v2_ciphers(ssl)) {
  1412. if (tls->wasV2Handshake)
  1413. return; /* We already turned this stuff off for the first handshake;
  1414. * This is a renegotiation. */
  1415. /* Yes, we're casting away the const from ssl. This is very naughty of us.
  1416. * Let's hope openssl doesn't notice! */
  1417. /* Set SSL_MODE_NO_AUTO_CHAIN to keep from sending back any extra certs. */
  1418. SSL_set_mode((SSL*) ssl, SSL_MODE_NO_AUTO_CHAIN);
  1419. /* Don't send a hello request. */
  1420. SSL_set_verify((SSL*) ssl, SSL_VERIFY_NONE, NULL);
  1421. if (tls) {
  1422. tls->wasV2Handshake = 1;
  1423. } else {
  1424. /* LCOV_EXCL_START this line is not reachable */
  1425. log_warn(LD_BUG, "Couldn't look up the tls for an SSL*. How odd!");
  1426. /* LCOV_EXCL_STOP */
  1427. }
  1428. }
  1429. }
  1430. /** Callback to get invoked on a server after we've read the list of ciphers
  1431. * the client supports, but before we pick our own ciphersuite.
  1432. *
  1433. * We can't abuse an info_cb for this, since by the time one of the
  1434. * client_hello info_cbs is called, we've already picked which ciphersuite to
  1435. * use.
  1436. *
  1437. * Technically, this function is an abuse of this callback, since the point of
  1438. * a session_secret_cb is to try to set up and/or verify a shared-secret for
  1439. * authentication on the fly. But as long as we return 0, we won't actually be
  1440. * setting up a shared secret, and all will be fine.
  1441. */
  1442. STATIC int
  1443. tor_tls_session_secret_cb(SSL *ssl, void *secret, int *secret_len,
  1444. STACK_OF(SSL_CIPHER) *peer_ciphers,
  1445. CONST_IF_OPENSSL_1_1_API SSL_CIPHER **cipher,
  1446. void *arg)
  1447. {
  1448. (void) secret;
  1449. (void) secret_len;
  1450. (void) peer_ciphers;
  1451. (void) cipher;
  1452. (void) arg;
  1453. if (tor_tls_classify_client_ciphers(ssl, peer_ciphers) ==
  1454. CIPHERS_UNRESTRICTED) {
  1455. SSL_set_cipher_list(ssl, UNRESTRICTED_SERVER_CIPHER_LIST);
  1456. }
  1457. SSL_set_session_secret_cb(ssl, NULL, NULL);
  1458. return 0;
  1459. }
  1460. static void
  1461. tor_tls_setup_session_secret_cb(tor_tls_t *tls)
  1462. {
  1463. SSL_set_session_secret_cb(tls->ssl, tor_tls_session_secret_cb, NULL);
  1464. }
  1465. /** Create a new TLS object from a file descriptor, and a flag to
  1466. * determine whether it is functioning as a server.
  1467. */
  1468. tor_tls_t *
  1469. tor_tls_new(int sock, int isServer)
  1470. {
  1471. BIO *bio = NULL;
  1472. tor_tls_t *result = tor_malloc_zero(sizeof(tor_tls_t));
  1473. tor_tls_context_t *context = isServer ? server_tls_context :
  1474. client_tls_context;
  1475. result->magic = TOR_TLS_MAGIC;
  1476. check_no_tls_errors();
  1477. tor_assert(context); /* make sure somebody made it first */
  1478. if (!(result->ssl = SSL_new(context->ctx))) {
  1479. tls_log_errors(NULL, LOG_WARN, LD_NET, "creating SSL object");
  1480. tor_free(result);
  1481. goto err;
  1482. }
  1483. #ifdef SSL_set_tlsext_host_name
  1484. /* Browsers use the TLS hostname extension, so we should too. */
  1485. if (!isServer) {
  1486. char *fake_hostname = crypto_random_hostname(4,25, "www.",".com");
  1487. SSL_set_tlsext_host_name(result->ssl, fake_hostname);
  1488. tor_free(fake_hostname);
  1489. }
  1490. #endif /* defined(SSL_set_tlsext_host_name) */
  1491. if (!SSL_set_cipher_list(result->ssl,
  1492. isServer ? SERVER_CIPHER_LIST : CLIENT_CIPHER_LIST)) {
  1493. tls_log_errors(NULL, LOG_WARN, LD_NET, "setting ciphers");
  1494. #ifdef SSL_set_tlsext_host_name
  1495. SSL_set_tlsext_host_name(result->ssl, NULL);
  1496. #endif
  1497. SSL_free(result->ssl);
  1498. tor_free(result);
  1499. goto err;
  1500. }
  1501. result->socket = sock;
  1502. bio = BIO_new_socket(sock, BIO_NOCLOSE);
  1503. if (! bio) {
  1504. tls_log_errors(NULL, LOG_WARN, LD_NET, "opening BIO");
  1505. #ifdef SSL_set_tlsext_host_name
  1506. SSL_set_tlsext_host_name(result->ssl, NULL);
  1507. #endif
  1508. SSL_free(result->ssl);
  1509. tor_free(result);
  1510. goto err;
  1511. }
  1512. {
  1513. int set_worked =
  1514. SSL_set_ex_data(result->ssl, tor_tls_object_ex_data_index, result);
  1515. if (!set_worked) {
  1516. log_warn(LD_BUG,
  1517. "Couldn't set the tls for an SSL*; connection will fail");
  1518. }
  1519. }
  1520. SSL_set_bio(result->ssl, bio, bio);
  1521. tor_tls_context_incref(context);
  1522. result->context = context;
  1523. result->state = TOR_TLS_ST_HANDSHAKE;
  1524. result->isServer = isServer;
  1525. result->wantwrite_n = 0;
  1526. result->last_write_count = (unsigned long) BIO_number_written(bio);
  1527. result->last_read_count = (unsigned long) BIO_number_read(bio);
  1528. if (result->last_write_count || result->last_read_count) {
  1529. log_warn(LD_NET, "Newly created BIO has read count %lu, write count %lu",
  1530. result->last_read_count, result->last_write_count);
  1531. }
  1532. if (isServer) {
  1533. SSL_set_info_callback(result->ssl, tor_tls_server_info_callback);
  1534. } else {
  1535. SSL_set_info_callback(result->ssl, tor_tls_debug_state_callback);
  1536. }
  1537. if (isServer)
  1538. tor_tls_setup_session_secret_cb(result);
  1539. goto done;
  1540. err:
  1541. result = NULL;
  1542. done:
  1543. /* Not expected to get called. */
  1544. tls_log_errors(NULL, LOG_WARN, LD_NET, "creating tor_tls_t object");
  1545. return result;
  1546. }
  1547. /** Make future log messages about <b>tls</b> display the address
  1548. * <b>address</b>.
  1549. */
  1550. void
  1551. tor_tls_set_logged_address(tor_tls_t *tls, const char *address)
  1552. {
  1553. tor_assert(tls);
  1554. tor_free(tls->address);
  1555. tls->address = tor_strdup(address);
  1556. }
  1557. /** Set <b>cb</b> to be called with argument <b>arg</b> whenever <b>tls</b>
  1558. * next gets a client-side renegotiate in the middle of a read. Do not
  1559. * invoke this function until <em>after</em> initial handshaking is done!
  1560. */
  1561. void
  1562. tor_tls_set_renegotiate_callback(tor_tls_t *tls,
  1563. void (*cb)(tor_tls_t *, void *arg),
  1564. void *arg)
  1565. {
  1566. tls->negotiated_callback = cb;
  1567. tls->callback_arg = arg;
  1568. tls->got_renegotiate = 0;
  1569. if (cb) {
  1570. SSL_set_info_callback(tls->ssl, tor_tls_server_info_callback);
  1571. } else {
  1572. SSL_set_info_callback(tls->ssl, tor_tls_debug_state_callback);
  1573. }
  1574. }
  1575. /** If this version of openssl requires it, turn on renegotiation on
  1576. * <b>tls</b>.
  1577. */
  1578. void
  1579. tor_tls_unblock_renegotiation(tor_tls_t *tls)
  1580. {
  1581. /* Yes, we know what we are doing here. No, we do not treat a renegotiation
  1582. * as authenticating any earlier-received data. */
  1583. SSL_set_options(tls->ssl,
  1584. SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
  1585. }
  1586. /** If this version of openssl supports it, turn off renegotiation on
  1587. * <b>tls</b>. (Our protocol never requires this for security, but it's nice
  1588. * to use belt-and-suspenders here.)
  1589. */
  1590. void
  1591. tor_tls_block_renegotiation(tor_tls_t *tls)
  1592. {
  1593. #ifdef SUPPORT_UNSAFE_RENEGOTIATION_FLAG
  1594. tls->ssl->s3->flags &= ~SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
  1595. #else
  1596. (void) tls;
  1597. #endif
  1598. }
  1599. /** Assert that the flags that allow legacy renegotiation are still set */
  1600. void
  1601. tor_tls_assert_renegotiation_unblocked(tor_tls_t *tls)
  1602. {
  1603. #if defined(SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION) && \
  1604. SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION != 0
  1605. long options = SSL_get_options(tls->ssl);
  1606. tor_assert(0 != (options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION));
  1607. #else
  1608. (void) tls;
  1609. #endif /* defined(SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION) && ... */
  1610. }
  1611. /** Return whether this tls initiated the connect (client) or
  1612. * received it (server). */
  1613. int
  1614. tor_tls_is_server(tor_tls_t *tls)
  1615. {
  1616. tor_assert(tls);
  1617. return tls->isServer;
  1618. }
  1619. /** Release resources associated with a TLS object. Does not close the
  1620. * underlying file descriptor.
  1621. */
  1622. void
  1623. tor_tls_free_(tor_tls_t *tls)
  1624. {
  1625. if (!tls)
  1626. return;
  1627. tor_assert(tls->ssl);
  1628. {
  1629. size_t r,w;
  1630. tor_tls_get_n_raw_bytes(tls,&r,&w); /* ensure written_by_tls is updated */
  1631. }
  1632. #ifdef SSL_set_tlsext_host_name
  1633. SSL_set_tlsext_host_name(tls->ssl, NULL);
  1634. #endif
  1635. SSL_free(tls->ssl);
  1636. tls->ssl = NULL;
  1637. tls->negotiated_callback = NULL;
  1638. if (tls->context)
  1639. tor_tls_context_decref(tls->context);
  1640. tor_free(tls->address);
  1641. tls->magic = 0x99999999;
  1642. tor_free(tls);
  1643. }
  1644. /** Underlying function for TLS reading. Reads up to <b>len</b>
  1645. * characters from <b>tls</b> into <b>cp</b>. On success, returns the
  1646. * number of characters read. On failure, returns TOR_TLS_ERROR,
  1647. * TOR_TLS_CLOSE, TOR_TLS_WANTREAD, or TOR_TLS_WANTWRITE.
  1648. */
  1649. MOCK_IMPL(int,
  1650. tor_tls_read,(tor_tls_t *tls, char *cp, size_t len))
  1651. {
  1652. int r, err;
  1653. tor_assert(tls);
  1654. tor_assert(tls->ssl);
  1655. tor_assert(tls->state == TOR_TLS_ST_OPEN);
  1656. tor_assert(len<INT_MAX);
  1657. r = SSL_read(tls->ssl, cp, (int)len);
  1658. if (r > 0) {
  1659. if (tls->got_renegotiate) {
  1660. /* Renegotiation happened! */
  1661. log_info(LD_NET, "Got a TLS renegotiation from %s", ADDR(tls));
  1662. if (tls->negotiated_callback)
  1663. tls->negotiated_callback(tls, tls->callback_arg);
  1664. tls->got_renegotiate = 0;
  1665. }
  1666. return r;
  1667. }
  1668. err = tor_tls_get_error(tls, r, CATCH_ZERO, "reading", LOG_DEBUG, LD_NET);
  1669. if (err == TOR_TLS_ZERORETURN_ || err == TOR_TLS_CLOSE) {
  1670. log_debug(LD_NET,"read returned r=%d; TLS is closed",r);
  1671. tls->state = TOR_TLS_ST_CLOSED;
  1672. return TOR_TLS_CLOSE;
  1673. } else {
  1674. tor_assert(err != TOR_TLS_DONE);
  1675. log_debug(LD_NET,"read returned r=%d, err=%d",r,err);
  1676. return err;
  1677. }
  1678. }
  1679. /** Total number of bytes that we've used TLS to send. Used to track TLS
  1680. * overhead. */
  1681. STATIC uint64_t total_bytes_written_over_tls = 0;
  1682. /** Total number of bytes that TLS has put on the network for us. Used to
  1683. * track TLS overhead. */
  1684. STATIC uint64_t total_bytes_written_by_tls = 0;
  1685. /** Underlying function for TLS writing. Write up to <b>n</b>
  1686. * characters from <b>cp</b> onto <b>tls</b>. On success, returns the
  1687. * number of characters written. On failure, returns TOR_TLS_ERROR,
  1688. * TOR_TLS_WANTREAD, or TOR_TLS_WANTWRITE.
  1689. */
  1690. int
  1691. tor_tls_write(tor_tls_t *tls, const char *cp, size_t n)
  1692. {
  1693. int r, err;
  1694. tor_assert(tls);
  1695. tor_assert(tls->ssl);
  1696. tor_assert(tls->state == TOR_TLS_ST_OPEN);
  1697. tor_assert(n < INT_MAX);
  1698. if (n == 0)
  1699. return 0;
  1700. if (tls->wantwrite_n) {
  1701. /* if WANTWRITE last time, we must use the _same_ n as before */
  1702. tor_assert(n >= tls->wantwrite_n);
  1703. log_debug(LD_NET,"resuming pending-write, (%d to flush, reusing %d)",
  1704. (int)n, (int)tls->wantwrite_n);
  1705. n = tls->wantwrite_n;
  1706. tls->wantwrite_n = 0;
  1707. }
  1708. r = SSL_write(tls->ssl, cp, (int)n);
  1709. err = tor_tls_get_error(tls, r, 0, "writing", LOG_INFO, LD_NET);
  1710. if (err == TOR_TLS_DONE) {
  1711. total_bytes_written_over_tls += r;
  1712. return r;
  1713. }
  1714. if (err == TOR_TLS_WANTWRITE || err == TOR_TLS_WANTREAD) {
  1715. tls->wantwrite_n = n;
  1716. }
  1717. return err;
  1718. }
  1719. /** Perform initial handshake on <b>tls</b>. When finished, returns
  1720. * TOR_TLS_DONE. On failure, returns TOR_TLS_ERROR, TOR_TLS_WANTREAD,
  1721. * or TOR_TLS_WANTWRITE.
  1722. */
  1723. int
  1724. tor_tls_handshake(tor_tls_t *tls)
  1725. {
  1726. int r;
  1727. tor_assert(tls);
  1728. tor_assert(tls->ssl);
  1729. tor_assert(tls->state == TOR_TLS_ST_HANDSHAKE);
  1730. check_no_tls_errors();
  1731. OSSL_HANDSHAKE_STATE oldstate = SSL_get_state(tls->ssl);
  1732. if (tls->isServer) {
  1733. log_debug(LD_HANDSHAKE, "About to call SSL_accept on %p (%s)", tls,
  1734. SSL_state_string_long(tls->ssl));
  1735. r = SSL_accept(tls->ssl);
  1736. } else {
  1737. log_debug(LD_HANDSHAKE, "About to call SSL_connect on %p (%s)", tls,
  1738. SSL_state_string_long(tls->ssl));
  1739. r = SSL_connect(tls->ssl);
  1740. }
  1741. OSSL_HANDSHAKE_STATE newstate = SSL_get_state(tls->ssl);
  1742. if (oldstate != newstate)
  1743. log_debug(LD_HANDSHAKE, "After call, %p was in state %s",
  1744. tls, SSL_state_string_long(tls->ssl));
  1745. /* We need to call this here and not earlier, since OpenSSL has a penchant
  1746. * for clearing its flags when you say accept or connect. */
  1747. tor_tls_unblock_renegotiation(tls);
  1748. r = tor_tls_get_error(tls,r,0, "handshaking", LOG_INFO, LD_HANDSHAKE);
  1749. if (ERR_peek_error() != 0) {
  1750. tls_log_errors(tls, tls->isServer ? LOG_INFO : LOG_WARN, LD_HANDSHAKE,
  1751. "handshaking");
  1752. return TOR_TLS_ERROR_MISC;
  1753. }
  1754. if (r == TOR_TLS_DONE) {
  1755. tls->state = TOR_TLS_ST_OPEN;
  1756. return tor_tls_finish_handshake(tls);
  1757. }
  1758. return r;
  1759. }
  1760. /** Perform the final part of the initial TLS handshake on <b>tls</b>. This
  1761. * should be called for the first handshake only: it determines whether the v1
  1762. * or the v2 handshake was used, and adjusts things for the renegotiation
  1763. * handshake as appropriate.
  1764. *
  1765. * tor_tls_handshake() calls this on its own; you only need to call this if
  1766. * bufferevent is doing the handshake for you.
  1767. */
  1768. int
  1769. tor_tls_finish_handshake(tor_tls_t *tls)
  1770. {
  1771. int r = TOR_TLS_DONE;
  1772. check_no_tls_errors();
  1773. if (tls->isServer) {
  1774. SSL_set_info_callback(tls->ssl, NULL);
  1775. SSL_set_verify(tls->ssl, SSL_VERIFY_PEER, always_accept_verify_cb);
  1776. SSL_clear_mode(tls->ssl, SSL_MODE_NO_AUTO_CHAIN);
  1777. if (tor_tls_client_is_using_v2_ciphers(tls->ssl)) {
  1778. /* This check is redundant, but back when we did it in the callback,
  1779. * we might have not been able to look up the tor_tls_t if the code
  1780. * was buggy. Fixing that. */
  1781. if (!tls->wasV2Handshake) {
  1782. log_warn(LD_BUG, "For some reason, wasV2Handshake didn't"
  1783. " get set. Fixing that.");
  1784. }
  1785. tls->wasV2Handshake = 1;
  1786. log_debug(LD_HANDSHAKE, "Completed V2 TLS handshake with client; waiting"
  1787. " for renegotiation.");
  1788. } else {
  1789. tls->wasV2Handshake = 0;
  1790. }
  1791. } else {
  1792. /* Client-side */
  1793. tls->wasV2Handshake = 1;
  1794. /* XXXX this can move, probably? -NM */
  1795. if (SSL_set_cipher_list(tls->ssl, SERVER_CIPHER_LIST) == 0) {
  1796. tls_log_errors(NULL, LOG_WARN, LD_HANDSHAKE, "re-setting ciphers");
  1797. r = TOR_TLS_ERROR_MISC;
  1798. }
  1799. }
  1800. tls_log_errors(NULL, LOG_WARN, LD_NET, "finishing the handshake");
  1801. return r;
  1802. }
  1803. /** Shut down an open tls connection <b>tls</b>. When finished, returns
  1804. * TOR_TLS_DONE. On failure, returns TOR_TLS_ERROR, TOR_TLS_WANTREAD,
  1805. * or TOR_TLS_WANTWRITE.
  1806. */
  1807. int
  1808. tor_tls_shutdown(tor_tls_t *tls)
  1809. {
  1810. int r, err;
  1811. char buf[128];
  1812. tor_assert(tls);
  1813. tor_assert(tls->ssl);
  1814. check_no_tls_errors();
  1815. while (1) {
  1816. if (tls->state == TOR_TLS_ST_SENTCLOSE) {
  1817. /* If we've already called shutdown once to send a close message,
  1818. * we read until the other side has closed too.
  1819. */
  1820. do {
  1821. r = SSL_read(tls->ssl, buf, 128);
  1822. } while (r>0);
  1823. err = tor_tls_get_error(tls, r, CATCH_ZERO, "reading to shut down",
  1824. LOG_INFO, LD_NET);
  1825. if (err == TOR_TLS_ZERORETURN_) {
  1826. tls->state = TOR_TLS_ST_GOTCLOSE;
  1827. /* fall through... */
  1828. } else {
  1829. return err;
  1830. }
  1831. }
  1832. r = SSL_shutdown(tls->ssl);
  1833. if (r == 1) {
  1834. /* If shutdown returns 1, the connection is entirely closed. */
  1835. tls->state = TOR_TLS_ST_CLOSED;
  1836. return TOR_TLS_DONE;
  1837. }
  1838. err = tor_tls_get_error(tls, r, CATCH_SYSCALL|CATCH_ZERO, "shutting down",
  1839. LOG_INFO, LD_NET);
  1840. if (err == TOR_TLS_SYSCALL_) {
  1841. /* The underlying TCP connection closed while we were shutting down. */
  1842. tls->state = TOR_TLS_ST_CLOSED;
  1843. return TOR_TLS_DONE;
  1844. } else if (err == TOR_TLS_ZERORETURN_) {
  1845. /* The TLS connection says that it sent a shutdown record, but
  1846. * isn't done shutting down yet. Make sure that this hasn't
  1847. * happened before, then go back to the start of the function
  1848. * and try to read.
  1849. */
  1850. if (tls->state == TOR_TLS_ST_GOTCLOSE ||
  1851. tls->state == TOR_TLS_ST_SENTCLOSE) {
  1852. log_warn(LD_NET,
  1853. "TLS returned \"half-closed\" value while already half-closed");
  1854. return TOR_TLS_ERROR_MISC;
  1855. }
  1856. tls->state = TOR_TLS_ST_SENTCLOSE;
  1857. /* fall through ... */
  1858. } else {
  1859. return err;
  1860. }
  1861. } /* end loop */
  1862. }
  1863. /** Return true iff this TLS connection is authenticated.
  1864. */
  1865. int
  1866. tor_tls_peer_has_cert(tor_tls_t *tls)
  1867. {
  1868. X509 *cert;
  1869. cert = SSL_get_peer_certificate(tls->ssl);
  1870. tls_log_errors(tls, LOG_WARN, LD_HANDSHAKE, "getting peer certificate");
  1871. if (!cert)
  1872. return 0;
  1873. X509_free(cert);
  1874. return 1;
  1875. }
  1876. /** Return a newly allocated copy of the peer certificate, or NULL if there
  1877. * isn't one. */
  1878. MOCK_IMPL(tor_x509_cert_t *,
  1879. tor_tls_get_peer_cert,(tor_tls_t *tls))
  1880. {
  1881. X509 *cert;
  1882. cert = SSL_get_peer_certificate(tls->ssl);
  1883. tls_log_errors(tls, LOG_WARN, LD_HANDSHAKE, "getting peer certificate");
  1884. if (!cert)
  1885. return NULL;
  1886. return tor_x509_cert_new(cert);
  1887. }
  1888. /** Return a newly allocated copy of the cerficate we used on the connection,
  1889. * or NULL if somehow we didn't use one. */
  1890. MOCK_IMPL(tor_x509_cert_t *,
  1891. tor_tls_get_own_cert,(tor_tls_t *tls))
  1892. {
  1893. X509 *cert = SSL_get_certificate(tls->ssl);
  1894. tls_log_errors(tls, LOG_WARN, LD_HANDSHAKE,
  1895. "getting own-connection certificate");
  1896. if (!cert)
  1897. return NULL;
  1898. /* Fun inconsistency: SSL_get_peer_certificate increments the reference
  1899. * count, but SSL_get_certificate does not. */
  1900. X509 *duplicate = X509_dup(cert);
  1901. if (BUG(duplicate == NULL))
  1902. return NULL;
  1903. return tor_x509_cert_new(duplicate);
  1904. }
  1905. /** Warn that a certificate lifetime extends through a certain range. */
  1906. static void
  1907. log_cert_lifetime(int severity, const X509 *cert, const char *problem,
  1908. time_t now)
  1909. {
  1910. BIO *bio = NULL;
  1911. BUF_MEM *buf;
  1912. char *s1=NULL, *s2=NULL;
  1913. char mytime[33];
  1914. struct tm tm;
  1915. size_t n;
  1916. if (problem)
  1917. tor_log(severity, LD_GENERAL,
  1918. "Certificate %s. Either their clock is set wrong, or your clock "
  1919. "is wrong.",
  1920. problem);
  1921. if (!(bio = BIO_new(BIO_s_mem()))) {
  1922. log_warn(LD_GENERAL, "Couldn't allocate BIO!"); goto end;
  1923. }
  1924. if (!(ASN1_TIME_print(bio, X509_get_notBefore_const(cert)))) {
  1925. tls_log_errors(NULL, LOG_WARN, LD_NET, "printing certificate lifetime");
  1926. goto end;
  1927. }
  1928. BIO_get_mem_ptr(bio, &buf);
  1929. s1 = tor_strndup(buf->data, buf->length);
  1930. (void)BIO_reset(bio);
  1931. if (!(ASN1_TIME_print(bio, X509_get_notAfter_const(cert)))) {
  1932. tls_log_errors(NULL, LOG_WARN, LD_NET, "printing certificate lifetime");
  1933. goto end;
  1934. }
  1935. BIO_get_mem_ptr(bio, &buf);
  1936. s2 = tor_strndup(buf->data, buf->length);
  1937. n = strftime(mytime, 32, "%b %d %H:%M:%S %Y UTC", tor_gmtime_r(&now, &tm));
  1938. if (n > 0) {
  1939. tor_log(severity, LD_GENERAL,
  1940. "(certificate lifetime runs from %s through %s. Your time is %s.)",
  1941. s1,s2,mytime);
  1942. } else {
  1943. tor_log(severity, LD_GENERAL,
  1944. "(certificate lifetime runs from %s through %s. "
  1945. "Couldn't get your time.)",
  1946. s1, s2);
  1947. }
  1948. end:
  1949. /* Not expected to get invoked */
  1950. tls_log_errors(NULL, LOG_WARN, LD_NET, "getting certificate lifetime");
  1951. if (bio)
  1952. BIO_free(bio);
  1953. tor_free(s1);
  1954. tor_free(s2);
  1955. }
  1956. /** Helper function: try to extract a link certificate and an identity
  1957. * certificate from <b>tls</b>, and store them in *<b>cert_out</b> and
  1958. * *<b>id_cert_out</b> respectively. Log all messages at level
  1959. * <b>severity</b>.
  1960. *
  1961. * Note that a reference is added to cert_out, so it needs to be
  1962. * freed. id_cert_out doesn't. */
  1963. MOCK_IMPL(STATIC void,
  1964. try_to_extract_certs_from_tls,(int severity, tor_tls_t *tls,
  1965. X509 **cert_out, X509 **id_cert_out))
  1966. {
  1967. X509 *cert = NULL, *id_cert = NULL;
  1968. STACK_OF(X509) *chain = NULL;
  1969. int num_in_chain, i;
  1970. *cert_out = *id_cert_out = NULL;
  1971. if (!(cert = SSL_get_peer_certificate(tls->ssl)))
  1972. return;
  1973. *cert_out = cert;
  1974. if (!(chain = SSL_get_peer_cert_chain(tls->ssl)))
  1975. return;
  1976. num_in_chain = sk_X509_num(chain);
  1977. /* 1 means we're receiving (server-side), and it's just the id_cert.
  1978. * 2 means we're connecting (client-side), and it's both the link
  1979. * cert and the id_cert.
  1980. */
  1981. if (num_in_chain < 1) {
  1982. log_fn(severity,LD_PROTOCOL,
  1983. "Unexpected number of certificates in chain (%d)",
  1984. num_in_chain);
  1985. return;
  1986. }
  1987. for (i=0; i<num_in_chain; ++i) {
  1988. id_cert = sk_X509_value(chain, i);
  1989. if (X509_cmp(id_cert, cert) != 0)
  1990. break;
  1991. }
  1992. *id_cert_out = id_cert;
  1993. }
  1994. /** If the provided tls connection is authenticated and has a
  1995. * certificate chain that is currently valid and signed, then set
  1996. * *<b>identity_key</b> to the identity certificate's key and return
  1997. * 0. Else, return -1 and log complaints with log-level <b>severity</b>.
  1998. */
  1999. int
  2000. tor_tls_verify(int severity, tor_tls_t *tls, crypto_pk_t **identity_key)
  2001. {
  2002. X509 *cert = NULL, *id_cert = NULL;
  2003. EVP_PKEY *id_pkey = NULL;
  2004. RSA *rsa;
  2005. int r = -1;
  2006. check_no_tls_errors();
  2007. *identity_key = NULL;
  2008. try_to_extract_certs_from_tls(severity, tls, &cert, &id_cert);
  2009. if (!cert)
  2010. goto done;
  2011. if (!id_cert) {
  2012. log_fn(severity,LD_PROTOCOL,"No distinct identity certificate found");
  2013. goto done;
  2014. }
  2015. tls_log_errors(tls, severity, LD_HANDSHAKE, "before verifying certificate");
  2016. if (!(id_pkey = X509_get_pubkey(id_cert)) ||
  2017. X509_verify(cert, id_pkey) <= 0) {
  2018. log_fn(severity,LD_PROTOCOL,"X509_verify on cert and pkey returned <= 0");
  2019. tls_log_errors(tls, severity, LD_HANDSHAKE, "verifying certificate");
  2020. goto done;
  2021. }
  2022. rsa = EVP_PKEY_get1_RSA(id_pkey);
  2023. if (!rsa)
  2024. goto done;
  2025. *identity_key = crypto_new_pk_from_rsa_(rsa);
  2026. r = 0;
  2027. done:
  2028. if (cert)
  2029. X509_free(cert);
  2030. if (id_pkey)
  2031. EVP_PKEY_free(id_pkey);
  2032. /* This should never get invoked, but let's make sure in case OpenSSL
  2033. * acts unexpectedly. */
  2034. tls_log_errors(tls, LOG_WARN, LD_HANDSHAKE, "finishing tor_tls_verify");
  2035. return r;
  2036. }
  2037. /** Check whether the certificate set on the connection <b>tls</b> is expired
  2038. * give or take <b>past_tolerance</b> seconds, or not-yet-valid give or take
  2039. * <b>future_tolerance</b> seconds. Return 0 for valid, -1 for failure.
  2040. *
  2041. * NOTE: you should call tor_tls_verify before tor_tls_check_lifetime.
  2042. */
  2043. int
  2044. tor_tls_check_lifetime(int severity, tor_tls_t *tls,
  2045. time_t now,
  2046. int past_tolerance, int future_tolerance)
  2047. {
  2048. X509 *cert;
  2049. int r = -1;
  2050. if (!(cert = SSL_get_peer_certificate(tls->ssl)))
  2051. goto done;
  2052. if (check_cert_lifetime_internal(severity, cert, now,
  2053. past_tolerance, future_tolerance) < 0)
  2054. goto done;
  2055. r = 0;
  2056. done:
  2057. if (cert)
  2058. X509_free(cert);
  2059. /* Not expected to get invoked */
  2060. tls_log_errors(tls, LOG_WARN, LD_NET, "checking certificate lifetime");
  2061. return r;
  2062. }
  2063. /** Helper: check whether <b>cert</b> is expired give or take
  2064. * <b>past_tolerance</b> seconds, or not-yet-valid give or take
  2065. * <b>future_tolerance</b> seconds. (Relative to the current time
  2066. * <b>now</b>.) If it is live, return 0. If it is not live, log a message
  2067. * and return -1. */
  2068. static int
  2069. check_cert_lifetime_internal(int severity, const X509 *cert,
  2070. time_t now,
  2071. int past_tolerance, int future_tolerance)
  2072. {
  2073. time_t t;
  2074. t = now + future_tolerance;
  2075. if (X509_cmp_time(X509_get_notBefore_const(cert), &t) > 0) {
  2076. log_cert_lifetime(severity, cert, "not yet valid", now);
  2077. return -1;
  2078. }
  2079. t = now - past_tolerance;
  2080. if (X509_cmp_time(X509_get_notAfter_const(cert), &t) < 0) {
  2081. log_cert_lifetime(severity, cert, "already expired", now);
  2082. return -1;
  2083. }
  2084. return 0;
  2085. }
  2086. #ifdef TOR_UNIT_TESTS
  2087. /* Testing only: return a new x509 cert with the same contents as <b>inp</b>,
  2088. but with the expiration time <b>new_expiration_time</b>, signed with
  2089. <b>signing_key</b>. */
  2090. STATIC tor_x509_cert_t *
  2091. tor_x509_cert_replace_expiration(const tor_x509_cert_t *inp,
  2092. time_t new_expiration_time,
  2093. crypto_pk_t *signing_key)
  2094. {
  2095. X509 *newc = X509_dup(inp->cert);
  2096. X509_time_adj(X509_get_notAfter(newc), 0, &new_expiration_time);
  2097. EVP_PKEY *pk = crypto_pk_get_evp_pkey_(signing_key, 1);
  2098. tor_assert(X509_sign(newc, pk, EVP_sha256()));
  2099. EVP_PKEY_free(pk);
  2100. return tor_x509_cert_new(newc);
  2101. }
  2102. #endif /* defined(TOR_UNIT_TESTS) */
  2103. /** Return the number of bytes available for reading from <b>tls</b>.
  2104. */
  2105. int
  2106. tor_tls_get_pending_bytes(tor_tls_t *tls)
  2107. {
  2108. tor_assert(tls);
  2109. return SSL_pending(tls->ssl);
  2110. }
  2111. /** If <b>tls</b> requires that the next write be of a particular size,
  2112. * return that size. Otherwise, return 0. */
  2113. size_t
  2114. tor_tls_get_forced_write_size(tor_tls_t *tls)
  2115. {
  2116. return tls->wantwrite_n;
  2117. }
  2118. /** Sets n_read and n_written to the number of bytes read and written,
  2119. * respectively, on the raw socket used by <b>tls</b> since the last time this
  2120. * function was called on <b>tls</b>. */
  2121. void
  2122. tor_tls_get_n_raw_bytes(tor_tls_t *tls, size_t *n_read, size_t *n_written)
  2123. {
  2124. BIO *wbio, *tmpbio;
  2125. unsigned long r, w;
  2126. r = (unsigned long) BIO_number_read(SSL_get_rbio(tls->ssl));
  2127. /* We want the number of bytes actually for real written. Unfortunately,
  2128. * sometimes OpenSSL replaces the wbio on tls->ssl with a buffering bio,
  2129. * which makes the answer turn out wrong. Let's cope with that. Note
  2130. * that this approach will fail if we ever replace tls->ssl's BIOs with
  2131. * buffering bios for reasons of our own. As an alternative, we could
  2132. * save the original BIO for tls->ssl in the tor_tls_t structure, but
  2133. * that would be tempting fate. */
  2134. wbio = SSL_get_wbio(tls->ssl);
  2135. #if OPENSSL_VERSION_NUMBER >= OPENSSL_VER(1,1,0,0,5)
  2136. /* BIO structure is opaque as of OpenSSL 1.1.0-pre5-dev. Again, not
  2137. * supposed to use this form of the version macro, but the OpenSSL developers
  2138. * introduced major API changes in the pre-release stage.
  2139. */
  2140. if (BIO_method_type(wbio) == BIO_TYPE_BUFFER &&
  2141. (tmpbio = BIO_next(wbio)) != NULL)
  2142. wbio = tmpbio;
  2143. #else /* !(OPENSSL_VERSION_NUMBER >= OPENSSL_VER(1,1,0,0,5)) */
  2144. if (wbio->method == BIO_f_buffer() && (tmpbio = BIO_next(wbio)) != NULL)
  2145. wbio = tmpbio;
  2146. #endif /* OPENSSL_VERSION_NUMBER >= OPENSSL_VER(1,1,0,0,5) */
  2147. w = (unsigned long) BIO_number_written(wbio);
  2148. /* We are ok with letting these unsigned ints go "negative" here:
  2149. * If we wrapped around, this should still give us the right answer, unless
  2150. * we wrapped around by more than ULONG_MAX since the last time we called
  2151. * this function.
  2152. */
  2153. *n_read = (size_t)(r - tls->last_read_count);
  2154. *n_written = (size_t)(w - tls->last_write_count);
  2155. if (*n_read > INT_MAX || *n_written > INT_MAX) {
  2156. log_warn(LD_BUG, "Preposterously large value in tor_tls_get_n_raw_bytes. "
  2157. "r=%lu, last_read=%lu, w=%lu, last_written=%lu",
  2158. r, tls->last_read_count, w, tls->last_write_count);
  2159. }
  2160. total_bytes_written_by_tls += *n_written;
  2161. tls->last_read_count = r;
  2162. tls->last_write_count = w;
  2163. }
  2164. /** Return a ratio of the bytes that TLS has sent to the bytes that we've told
  2165. * it to send. Used to track whether our TLS records are getting too tiny. */
  2166. MOCK_IMPL(double,
  2167. tls_get_write_overhead_ratio,(void))
  2168. {
  2169. if (total_bytes_written_over_tls == 0)
  2170. return 1.0;
  2171. return U64_TO_DBL(total_bytes_written_by_tls) /
  2172. U64_TO_DBL(total_bytes_written_over_tls);
  2173. }
  2174. /** Implement check_no_tls_errors: If there are any pending OpenSSL
  2175. * errors, log an error message. */
  2176. void
  2177. check_no_tls_errors_(const char *fname, int line)
  2178. {
  2179. if (ERR_peek_error() == 0)
  2180. return;
  2181. log_warn(LD_CRYPTO, "Unhandled OpenSSL errors found at %s:%d: ",
  2182. tor_fix_source_file(fname), line);
  2183. tls_log_errors(NULL, LOG_WARN, LD_NET, NULL);
  2184. }
  2185. /** Return true iff the initial TLS connection at <b>tls</b> did not use a v2
  2186. * TLS handshake. Output is undefined if the handshake isn't finished. */
  2187. int
  2188. tor_tls_used_v1_handshake(tor_tls_t *tls)
  2189. {
  2190. return ! tls->wasV2Handshake;
  2191. }
  2192. /** Return the number of server handshakes that we've noticed doing on
  2193. * <b>tls</b>. */
  2194. int
  2195. tor_tls_get_num_server_handshakes(tor_tls_t *tls)
  2196. {
  2197. return tls->server_handshake_count;
  2198. }
  2199. /** Return true iff the server TLS connection <b>tls</b> got the renegotiation
  2200. * request it was waiting for. */
  2201. int
  2202. tor_tls_server_got_renegotiate(tor_tls_t *tls)
  2203. {
  2204. return tls->got_renegotiate;
  2205. }
  2206. #ifndef HAVE_SSL_GET_CLIENT_RANDOM
  2207. static size_t
  2208. SSL_get_client_random(SSL *s, uint8_t *out, size_t len)
  2209. {
  2210. if (len == 0)
  2211. return SSL3_RANDOM_SIZE;
  2212. tor_assert(len == SSL3_RANDOM_SIZE);
  2213. tor_assert(s->s3);
  2214. memcpy(out, s->s3->client_random, len);
  2215. return len;
  2216. }
  2217. #endif /* !defined(HAVE_SSL_GET_CLIENT_RANDOM) */
  2218. #ifndef HAVE_SSL_GET_SERVER_RANDOM
  2219. static size_t
  2220. SSL_get_server_random(SSL *s, uint8_t *out, size_t len)
  2221. {
  2222. if (len == 0)
  2223. return SSL3_RANDOM_SIZE;
  2224. tor_assert(len == SSL3_RANDOM_SIZE);
  2225. tor_assert(s->s3);
  2226. memcpy(out, s->s3->server_random, len);
  2227. return len;
  2228. }
  2229. #endif /* !defined(HAVE_SSL_GET_SERVER_RANDOM) */
  2230. #ifndef HAVE_SSL_SESSION_GET_MASTER_KEY
  2231. STATIC size_t
  2232. SSL_SESSION_get_master_key(SSL_SESSION *s, uint8_t *out, size_t len)
  2233. {
  2234. tor_assert(s);
  2235. if (len == 0)
  2236. return s->master_key_length;
  2237. tor_assert(len == (size_t)s->master_key_length);
  2238. tor_assert(out);
  2239. memcpy(out, s->master_key, len);
  2240. return len;
  2241. }
  2242. #endif /* !defined(HAVE_SSL_SESSION_GET_MASTER_KEY) */
  2243. /** Set the DIGEST256_LEN buffer at <b>secrets_out</b> to the value used in
  2244. * the v3 handshake to prove that the client knows the TLS secrets for the
  2245. * connection <b>tls</b>. Return 0 on success, -1 on failure.
  2246. */
  2247. MOCK_IMPL(int,
  2248. tor_tls_get_tlssecrets,(tor_tls_t *tls, uint8_t *secrets_out))
  2249. {
  2250. #define TLSSECRET_MAGIC "Tor V3 handshake TLS cross-certification"
  2251. uint8_t buf[128];
  2252. size_t len;
  2253. tor_assert(tls);
  2254. SSL *const ssl = tls->ssl;
  2255. SSL_SESSION *const session = SSL_get_session(ssl);
  2256. tor_assert(ssl);
  2257. tor_assert(session);
  2258. const size_t server_random_len = SSL_get_server_random(ssl, NULL, 0);
  2259. const size_t client_random_len = SSL_get_client_random(ssl, NULL, 0);
  2260. const size_t master_key_len = SSL_SESSION_get_master_key(session, NULL, 0);
  2261. tor_assert(server_random_len);
  2262. tor_assert(client_random_len);
  2263. tor_assert(master_key_len);
  2264. len = client_random_len + server_random_len + strlen(TLSSECRET_MAGIC) + 1;
  2265. tor_assert(len <= sizeof(buf));
  2266. {
  2267. size_t r = SSL_get_client_random(ssl, buf, client_random_len);
  2268. tor_assert(r == client_random_len);
  2269. }
  2270. {
  2271. size_t r = SSL_get_server_random(ssl,
  2272. buf+client_random_len,
  2273. server_random_len);
  2274. tor_assert(r == server_random_len);
  2275. }
  2276. uint8_t *master_key = tor_malloc_zero(master_key_len);
  2277. {
  2278. size_t r = SSL_SESSION_get_master_key(session, master_key, master_key_len);
  2279. tor_assert(r == master_key_len);
  2280. }
  2281. uint8_t *nextbuf = buf + client_random_len + server_random_len;
  2282. memcpy(nextbuf, TLSSECRET_MAGIC, strlen(TLSSECRET_MAGIC) + 1);
  2283. /*
  2284. The value is an HMAC, using the TLS master key as the HMAC key, of
  2285. client_random | server_random | TLSSECRET_MAGIC
  2286. */
  2287. crypto_hmac_sha256((char*)secrets_out,
  2288. (char*)master_key,
  2289. master_key_len,
  2290. (char*)buf, len);
  2291. memwipe(buf, 0, sizeof(buf));
  2292. memwipe(master_key, 0, master_key_len);
  2293. tor_free(master_key);
  2294. return 0;
  2295. }
  2296. /** Using the RFC5705 key material exporting construction, and the
  2297. * provided <b>context</b> (<b>context_len</b> bytes long) and
  2298. * <b>label</b> (a NUL-terminated string), compute a 32-byte secret in
  2299. * <b>secrets_out</b> that only the parties to this TLS session can
  2300. * compute. Return 0 on success and -1 on failure.
  2301. */
  2302. MOCK_IMPL(int,
  2303. tor_tls_export_key_material,(tor_tls_t *tls, uint8_t *secrets_out,
  2304. const uint8_t *context,
  2305. size_t context_len,
  2306. const char *label))
  2307. {
  2308. tor_assert(tls);
  2309. tor_assert(tls->ssl);
  2310. int r = SSL_export_keying_material(tls->ssl,
  2311. secrets_out, DIGEST256_LEN,
  2312. label, strlen(label),
  2313. context, context_len, 1);
  2314. return (r == 1) ? 0 : -1;
  2315. }
  2316. /** Examine the amount of memory used and available for buffers in <b>tls</b>.
  2317. * Set *<b>rbuf_capacity</b> to the amount of storage allocated for the read
  2318. * buffer and *<b>rbuf_bytes</b> to the amount actually used.
  2319. * Set *<b>wbuf_capacity</b> to the amount of storage allocated for the write
  2320. * buffer and *<b>wbuf_bytes</b> to the amount actually used.
  2321. *
  2322. * Return 0 on success, -1 on failure.*/
  2323. int
  2324. tor_tls_get_buffer_sizes(tor_tls_t *tls,
  2325. size_t *rbuf_capacity, size_t *rbuf_bytes,
  2326. size_t *wbuf_capacity, size_t *wbuf_bytes)
  2327. {
  2328. #if OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,1,0)
  2329. (void)tls;
  2330. (void)rbuf_capacity;
  2331. (void)rbuf_bytes;
  2332. (void)wbuf_capacity;
  2333. (void)wbuf_bytes;
  2334. return -1;
  2335. #else /* !(OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,1,0)) */
  2336. if (tls->ssl->s3->rbuf.buf)
  2337. *rbuf_capacity = tls->ssl->s3->rbuf.len;
  2338. else
  2339. *rbuf_capacity = 0;
  2340. if (tls->ssl->s3->wbuf.buf)
  2341. *wbuf_capacity = tls->ssl->s3->wbuf.len;
  2342. else
  2343. *wbuf_capacity = 0;
  2344. *rbuf_bytes = tls->ssl->s3->rbuf.left;
  2345. *wbuf_bytes = tls->ssl->s3->wbuf.left;
  2346. return 0;
  2347. #endif /* OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,1,0) */
  2348. }
  2349. /** Check whether the ECC group requested is supported by the current OpenSSL
  2350. * library instance. Return 1 if the group is supported, and 0 if not.
  2351. */
  2352. int
  2353. evaluate_ecgroup_for_tls(const char *ecgroup)
  2354. {
  2355. EC_KEY *ec_key;
  2356. int nid;
  2357. int ret;
  2358. if (!ecgroup)
  2359. nid = NID_tor_default_ecdhe_group;
  2360. else if (!strcasecmp(ecgroup, "P256"))
  2361. nid = NID_X9_62_prime256v1;
  2362. else if (!strcasecmp(ecgroup, "P224"))
  2363. nid = NID_secp224r1;
  2364. else
  2365. return 0;
  2366. ec_key = EC_KEY_new_by_curve_name(nid);
  2367. ret = (ec_key != NULL);
  2368. EC_KEY_free(ec_key);
  2369. return ret;
  2370. }