tortls.c 79 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348134913501351135213531354135513561357135813591360136113621363136413651366136713681369137013711372137313741375137613771378137913801381138213831384138513861387138813891390139113921393139413951396139713981399140014011402140314041405140614071408140914101411141214131414141514161417141814191420142114221423142414251426142714281429143014311432143314341435143614371438143914401441144214431444144514461447144814491450145114521453145414551456145714581459146014611462146314641465146614671468146914701471147214731474147514761477147814791480148114821483148414851486148714881489149014911492149314941495149614971498149915001501150215031504150515061507150815091510151115121513151415151516151715181519152015211522152315241525152615271528152915301531153215331534153515361537153815391540154115421543154415451546154715481549155015511552155315541555155615571558155915601561156215631564156515661567156815691570157115721573157415751576157715781579158015811582158315841585158615871588158915901591159215931594159515961597159815991600160116021603160416051606160716081609161016111612161316141615161616171618161916201621162216231624162516261627162816291630163116321633163416351636163716381639164016411642164316441645164616471648164916501651165216531654165516561657165816591660166116621663166416651666166716681669167016711672167316741675167616771678167916801681168216831684168516861687168816891690169116921693169416951696169716981699170017011702170317041705170617071708170917101711171217131714171517161717171817191720172117221723172417251726172717281729173017311732173317341735173617371738173917401741174217431744174517461747174817491750175117521753175417551756175717581759176017611762176317641765176617671768176917701771177217731774177517761777177817791780178117821783178417851786178717881789179017911792179317941795179617971798179918001801180218031804180518061807180818091810181118121813181418151816181718181819182018211822182318241825182618271828182918301831183218331834183518361837183818391840184118421843184418451846184718481849185018511852185318541855185618571858185918601861186218631864186518661867186818691870187118721873187418751876187718781879188018811882188318841885188618871888188918901891189218931894189518961897189818991900190119021903190419051906190719081909191019111912191319141915191619171918191919201921192219231924192519261927192819291930193119321933193419351936193719381939194019411942194319441945194619471948194919501951195219531954195519561957195819591960196119621963196419651966196719681969197019711972197319741975197619771978197919801981198219831984198519861987198819891990199119921993199419951996199719981999200020012002200320042005200620072008200920102011201220132014201520162017201820192020202120222023202420252026202720282029203020312032203320342035203620372038203920402041204220432044204520462047204820492050205120522053205420552056205720582059206020612062206320642065206620672068206920702071207220732074207520762077207820792080208120822083208420852086208720882089209020912092209320942095209620972098209921002101210221032104210521062107210821092110211121122113211421152116211721182119212021212122212321242125212621272128212921302131213221332134213521362137213821392140214121422143214421452146214721482149215021512152215321542155215621572158215921602161216221632164216521662167216821692170217121722173217421752176217721782179218021812182218321842185218621872188218921902191219221932194219521962197219821992200220122022203220422052206220722082209221022112212221322142215221622172218221922202221222222232224222522262227222822292230223122322233223422352236223722382239224022412242224322442245224622472248224922502251225222532254225522562257225822592260226122622263226422652266226722682269227022712272227322742275227622772278227922802281228222832284228522862287228822892290229122922293229422952296229722982299230023012302230323042305230623072308230923102311231223132314231523162317231823192320232123222323232423252326232723282329233023312332233323342335233623372338233923402341234223432344234523462347234823492350235123522353235423552356235723582359236023612362236323642365236623672368236923702371237223732374237523762377237823792380238123822383238423852386238723882389239023912392239323942395239623972398239924002401240224032404240524062407240824092410241124122413241424152416241724182419242024212422242324242425242624272428242924302431243224332434243524362437243824392440244124422443244424452446244724482449245024512452245324542455245624572458245924602461246224632464246524662467246824692470247124722473247424752476247724782479248024812482248324842485248624872488248924902491249224932494249524962497249824992500250125022503250425052506250725082509251025112512251325142515251625172518251925202521252225232524252525262527252825292530253125322533253425352536253725382539254025412542254325442545254625472548254925502551255225532554255525562557255825592560256125622563256425652566256725682569257025712572257325742575257625772578257925802581258225832584258525862587
  1. /* Copyright (c) 2003, Roger Dingledine.
  2. * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
  3. * Copyright (c) 2007-2016, The Tor Project, Inc. */
  4. /* See LICENSE for licensing information */
  5. /**
  6. * \file tortls.c
  7. * \brief Wrapper functions to present a consistent interface to
  8. * TLS, SSL, and X.509 functions from OpenSSL.
  9. **/
  10. /* (Unlike other tor functions, these
  11. * are prefixed with tor_ in order to avoid conflicting with OpenSSL
  12. * functions and variables.)
  13. */
  14. #include "orconfig.h"
  15. #define TORTLS_PRIVATE
  16. #include <assert.h>
  17. #ifdef _WIN32 /*wrkard for dtls1.h >= 0.9.8m of "#include <winsock.h>"*/
  18. #include <winsock2.h>
  19. #include <ws2tcpip.h>
  20. #endif
  21. #include "compat.h"
  22. /* Some versions of OpenSSL declare SSL_get_selected_srtp_profile twice in
  23. * srtp.h. Suppress the GCC warning so we can build with -Wredundant-decl. */
  24. DISABLE_GCC_WARNING(redundant-decls)
  25. #include <openssl/opensslv.h>
  26. #include "crypto.h"
  27. #ifdef OPENSSL_NO_EC
  28. #error "We require OpenSSL with ECC support"
  29. #endif
  30. #include <openssl/ssl.h>
  31. #include <openssl/ssl3.h>
  32. #include <openssl/err.h>
  33. #include <openssl/tls1.h>
  34. #include <openssl/asn1.h>
  35. #include <openssl/bio.h>
  36. #include <openssl/bn.h>
  37. #include <openssl/rsa.h>
  38. ENABLE_GCC_WARNING(redundant-decls)
  39. #define TORTLS_PRIVATE
  40. #include "tortls.h"
  41. #include "util.h"
  42. #include "torlog.h"
  43. #include "container.h"
  44. #include <string.h>
  45. #define X509_get_notBefore_const(cert) \
  46. ((const ASN1_TIME*) X509_get_notBefore((X509 *)cert))
  47. #define X509_get_notAfter_const(cert) \
  48. ((const ASN1_TIME*) X509_get_notAfter((X509 *)cert))
  49. /* Copied from or.h */
  50. #define LEGAL_NICKNAME_CHARACTERS \
  51. "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
  52. /** How long do identity certificates live? (sec) */
  53. #define IDENTITY_CERT_LIFETIME (365*24*60*60)
  54. #define ADDR(tls) (((tls) && (tls)->address) ? tls->address : "peer")
  55. #if OPENSSL_VERSION_NUMBER < OPENSSL_V(1,0,0,'f')
  56. /* This is a version of OpenSSL before 1.0.0f. It does not have
  57. * the CVE-2011-4576 fix, and as such it can't use RELEASE_BUFFERS and
  58. * SSL3 safely at the same time.
  59. */
  60. #define DISABLE_SSL3_HANDSHAKE
  61. #endif
  62. /* We redefine these so that we can run correctly even if the vendor gives us
  63. * a version of OpenSSL that does not match its header files. (Apple: I am
  64. * looking at you.)
  65. */
  66. #ifndef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
  67. #define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0x00040000L
  68. #endif
  69. #ifndef SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
  70. #define SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0x0010
  71. #endif
  72. /** Return values for tor_tls_classify_client_ciphers.
  73. *
  74. * @{
  75. */
  76. /** An error occurred when examining the client ciphers */
  77. #define CIPHERS_ERR -1
  78. /** The client cipher list indicates that a v1 handshake was in use. */
  79. #define CIPHERS_V1 1
  80. /** The client cipher list indicates that the client is using the v2 or the
  81. * v3 handshake, but that it is (probably!) lying about what ciphers it
  82. * supports */
  83. #define CIPHERS_V2 2
  84. /** The client cipher list indicates that the client is using the v2 or the
  85. * v3 handshake, and that it is telling the truth about what ciphers it
  86. * supports */
  87. #define CIPHERS_UNRESTRICTED 3
  88. /** @} */
  89. /** The ex_data index in which we store a pointer to an SSL object's
  90. * corresponding tor_tls_t object. */
  91. STATIC int tor_tls_object_ex_data_index = -1;
  92. /** Helper: Allocate tor_tls_object_ex_data_index. */
  93. STATIC void
  94. tor_tls_allocate_tor_tls_object_ex_data_index(void)
  95. {
  96. if (tor_tls_object_ex_data_index == -1) {
  97. tor_tls_object_ex_data_index =
  98. SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
  99. tor_assert(tor_tls_object_ex_data_index != -1);
  100. }
  101. }
  102. /** Helper: given a SSL* pointer, return the tor_tls_t object using that
  103. * pointer. */
  104. STATIC tor_tls_t *
  105. tor_tls_get_by_ssl(const SSL *ssl)
  106. {
  107. tor_tls_t *result = SSL_get_ex_data(ssl, tor_tls_object_ex_data_index);
  108. if (result)
  109. tor_assert(result->magic == TOR_TLS_MAGIC);
  110. return result;
  111. }
  112. static void tor_tls_context_decref(tor_tls_context_t *ctx);
  113. static void tor_tls_context_incref(tor_tls_context_t *ctx);
  114. static int check_cert_lifetime_internal(int severity, const X509 *cert,
  115. time_t now,
  116. int past_tolerance, int future_tolerance);
  117. /** Global TLS contexts. We keep them here because nobody else needs
  118. * to touch them.
  119. *
  120. * @{ */
  121. STATIC tor_tls_context_t *server_tls_context = NULL;
  122. STATIC tor_tls_context_t *client_tls_context = NULL;
  123. /**@}*/
  124. /** True iff tor_tls_init() has been called. */
  125. static int tls_library_is_initialized = 0;
  126. /* Module-internal error codes. */
  127. #define TOR_TLS_SYSCALL_ (MIN_TOR_TLS_ERROR_VAL_ - 2)
  128. #define TOR_TLS_ZERORETURN_ (MIN_TOR_TLS_ERROR_VAL_ - 1)
  129. /** Write a description of the current state of <b>tls</b> into the
  130. * <b>sz</b>-byte buffer at <b>buf</b>. */
  131. void
  132. tor_tls_get_state_description(tor_tls_t *tls, char *buf, size_t sz)
  133. {
  134. const char *ssl_state;
  135. const char *tortls_state;
  136. if (PREDICT_UNLIKELY(!tls || !tls->ssl)) {
  137. strlcpy(buf, "(No SSL object)", sz);
  138. return;
  139. }
  140. ssl_state = SSL_state_string_long(tls->ssl);
  141. switch (tls->state) {
  142. #define CASE(st) case TOR_TLS_ST_##st: tortls_state = " in "#st ; break
  143. CASE(HANDSHAKE);
  144. CASE(OPEN);
  145. CASE(GOTCLOSE);
  146. CASE(SENTCLOSE);
  147. CASE(CLOSED);
  148. CASE(RENEGOTIATE);
  149. #undef CASE
  150. case TOR_TLS_ST_BUFFEREVENT:
  151. tortls_state = "";
  152. break;
  153. default:
  154. tortls_state = " in unknown TLS state";
  155. break;
  156. }
  157. tor_snprintf(buf, sz, "%s%s", ssl_state, tortls_state);
  158. }
  159. /** Log a single error <b>err</b> as returned by ERR_get_error(), which was
  160. * received while performing an operation <b>doing</b> on <b>tls</b>. Log
  161. * the message at <b>severity</b>, in log domain <b>domain</b>. */
  162. void
  163. tor_tls_log_one_error(tor_tls_t *tls, unsigned long err,
  164. int severity, int domain, const char *doing)
  165. {
  166. const char *state = NULL, *addr;
  167. const char *msg, *lib, *func;
  168. state = (tls && tls->ssl)?SSL_state_string_long(tls->ssl):"---";
  169. addr = tls ? tls->address : NULL;
  170. /* Some errors are known-benign, meaning they are the fault of the other
  171. * side of the connection. The caller doesn't know this, so override the
  172. * priority for those cases. */
  173. switch (ERR_GET_REASON(err)) {
  174. case SSL_R_HTTP_REQUEST:
  175. case SSL_R_HTTPS_PROXY_REQUEST:
  176. case SSL_R_RECORD_LENGTH_MISMATCH:
  177. #ifndef OPENSSL_1_1_API
  178. case SSL_R_RECORD_TOO_LARGE:
  179. #endif
  180. case SSL_R_UNKNOWN_PROTOCOL:
  181. case SSL_R_UNSUPPORTED_PROTOCOL:
  182. severity = LOG_INFO;
  183. break;
  184. default:
  185. break;
  186. }
  187. msg = (const char*)ERR_reason_error_string(err);
  188. lib = (const char*)ERR_lib_error_string(err);
  189. func = (const char*)ERR_func_error_string(err);
  190. if (!msg) msg = "(null)";
  191. if (!lib) lib = "(null)";
  192. if (!func) func = "(null)";
  193. if (doing) {
  194. tor_log(severity, domain, "TLS error while %s%s%s: %s (in %s:%s:%s)",
  195. doing, addr?" with ":"", addr?addr:"",
  196. msg, lib, func, state);
  197. } else {
  198. tor_log(severity, domain, "TLS error%s%s: %s (in %s:%s:%s)",
  199. addr?" with ":"", addr?addr:"",
  200. msg, lib, func, state);
  201. }
  202. }
  203. /** Log all pending tls errors at level <b>severity</b> in log domain
  204. * <b>domain</b>. Use <b>doing</b> to describe our current activities.
  205. */
  206. STATIC void
  207. tls_log_errors(tor_tls_t *tls, int severity, int domain, const char *doing)
  208. {
  209. unsigned long err;
  210. while ((err = ERR_get_error()) != 0) {
  211. tor_tls_log_one_error(tls, err, severity, domain, doing);
  212. }
  213. }
  214. /** Convert an errno (or a WSAerrno on windows) into a TOR_TLS_* error
  215. * code. */
  216. STATIC int
  217. tor_errno_to_tls_error(int e)
  218. {
  219. switch (e) {
  220. case SOCK_ERRNO(ECONNRESET): // most common
  221. return TOR_TLS_ERROR_CONNRESET;
  222. case SOCK_ERRNO(ETIMEDOUT):
  223. return TOR_TLS_ERROR_TIMEOUT;
  224. case SOCK_ERRNO(EHOSTUNREACH):
  225. case SOCK_ERRNO(ENETUNREACH):
  226. return TOR_TLS_ERROR_NO_ROUTE;
  227. case SOCK_ERRNO(ECONNREFUSED):
  228. return TOR_TLS_ERROR_CONNREFUSED; // least common
  229. default:
  230. return TOR_TLS_ERROR_MISC;
  231. }
  232. }
  233. /** Given a TOR_TLS_* error code, return a string equivalent. */
  234. const char *
  235. tor_tls_err_to_string(int err)
  236. {
  237. if (err >= 0)
  238. return "[Not an error.]";
  239. switch (err) {
  240. case TOR_TLS_ERROR_MISC: return "misc error";
  241. case TOR_TLS_ERROR_IO: return "unexpected close";
  242. case TOR_TLS_ERROR_CONNREFUSED: return "connection refused";
  243. case TOR_TLS_ERROR_CONNRESET: return "connection reset";
  244. case TOR_TLS_ERROR_NO_ROUTE: return "host unreachable";
  245. case TOR_TLS_ERROR_TIMEOUT: return "connection timed out";
  246. case TOR_TLS_CLOSE: return "closed";
  247. case TOR_TLS_WANTREAD: return "want to read";
  248. case TOR_TLS_WANTWRITE: return "want to write";
  249. default: return "(unknown error code)";
  250. }
  251. }
  252. #define CATCH_SYSCALL 1
  253. #define CATCH_ZERO 2
  254. /** Given a TLS object and the result of an SSL_* call, use
  255. * SSL_get_error to determine whether an error has occurred, and if so
  256. * which one. Return one of TOR_TLS_{DONE|WANTREAD|WANTWRITE|ERROR}.
  257. * If extra&CATCH_SYSCALL is true, return TOR_TLS_SYSCALL_ instead of
  258. * reporting syscall errors. If extra&CATCH_ZERO is true, return
  259. * TOR_TLS_ZERORETURN_ instead of reporting zero-return errors.
  260. *
  261. * If an error has occurred, log it at level <b>severity</b> and describe the
  262. * current action as <b>doing</b>.
  263. */
  264. STATIC int
  265. tor_tls_get_error(tor_tls_t *tls, int r, int extra,
  266. const char *doing, int severity, int domain)
  267. {
  268. int err = SSL_get_error(tls->ssl, r);
  269. int tor_error = TOR_TLS_ERROR_MISC;
  270. switch (err) {
  271. case SSL_ERROR_NONE:
  272. return TOR_TLS_DONE;
  273. case SSL_ERROR_WANT_READ:
  274. return TOR_TLS_WANTREAD;
  275. case SSL_ERROR_WANT_WRITE:
  276. return TOR_TLS_WANTWRITE;
  277. case SSL_ERROR_SYSCALL:
  278. if (extra&CATCH_SYSCALL)
  279. return TOR_TLS_SYSCALL_;
  280. if (r == 0) {
  281. tor_log(severity, LD_NET, "TLS error: unexpected close while %s (%s)",
  282. doing, SSL_state_string_long(tls->ssl));
  283. tor_error = TOR_TLS_ERROR_IO;
  284. } else {
  285. int e = tor_socket_errno(tls->socket);
  286. tor_log(severity, LD_NET,
  287. "TLS error: <syscall error while %s> (errno=%d: %s; state=%s)",
  288. doing, e, tor_socket_strerror(e),
  289. SSL_state_string_long(tls->ssl));
  290. tor_error = tor_errno_to_tls_error(e);
  291. }
  292. tls_log_errors(tls, severity, domain, doing);
  293. return tor_error;
  294. case SSL_ERROR_ZERO_RETURN:
  295. if (extra&CATCH_ZERO)
  296. return TOR_TLS_ZERORETURN_;
  297. tor_log(severity, LD_NET, "TLS connection closed while %s in state %s",
  298. doing, SSL_state_string_long(tls->ssl));
  299. tls_log_errors(tls, severity, domain, doing);
  300. return TOR_TLS_CLOSE;
  301. default:
  302. tls_log_errors(tls, severity, domain, doing);
  303. return TOR_TLS_ERROR_MISC;
  304. }
  305. }
  306. /** Initialize OpenSSL, unless it has already been initialized.
  307. */
  308. static void
  309. tor_tls_init(void)
  310. {
  311. check_no_tls_errors();
  312. if (!tls_library_is_initialized) {
  313. SSL_library_init();
  314. SSL_load_error_strings();
  315. #if (SIZEOF_VOID_P >= 8 && \
  316. OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,0,1))
  317. long version = OpenSSL_version_num();
  318. /* LCOV_EXCL_START : we can't test these lines on the same machine */
  319. if (version >= OPENSSL_V_SERIES(1,0,1)) {
  320. /* Warn if we could *almost* be running with much faster ECDH.
  321. If we're built for a 64-bit target, using OpenSSL 1.0.1, but we
  322. don't have one of the built-in __uint128-based speedups, we are
  323. just one build operation away from an accelerated handshake.
  324. (We could be looking at OPENSSL_NO_EC_NISTP_64_GCC_128 instead of
  325. doing this test, but that gives compile-time options, not runtime
  326. behavior.)
  327. */
  328. EC_KEY *key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
  329. const EC_GROUP *g = key ? EC_KEY_get0_group(key) : NULL;
  330. const EC_METHOD *m = g ? EC_GROUP_method_of(g) : NULL;
  331. const int warn = (m == EC_GFp_simple_method() ||
  332. m == EC_GFp_mont_method() ||
  333. m == EC_GFp_nist_method());
  334. EC_KEY_free(key);
  335. if (warn)
  336. log_notice(LD_GENERAL, "We were built to run on a 64-bit CPU, with "
  337. "OpenSSL 1.0.1 or later, but with a version of OpenSSL "
  338. "that apparently lacks accelerated support for the NIST "
  339. "P-224 and P-256 groups. Building openssl with such "
  340. "support (using the enable-ec_nistp_64_gcc_128 option "
  341. "when configuring it) would make ECDH much faster.");
  342. }
  343. /* LCOV_EXCL_STOP */
  344. #endif
  345. tor_tls_allocate_tor_tls_object_ex_data_index();
  346. tls_library_is_initialized = 1;
  347. }
  348. }
  349. /** Free all global TLS structures. */
  350. void
  351. tor_tls_free_all(void)
  352. {
  353. check_no_tls_errors();
  354. if (server_tls_context) {
  355. tor_tls_context_t *ctx = server_tls_context;
  356. server_tls_context = NULL;
  357. tor_tls_context_decref(ctx);
  358. }
  359. if (client_tls_context) {
  360. tor_tls_context_t *ctx = client_tls_context;
  361. client_tls_context = NULL;
  362. tor_tls_context_decref(ctx);
  363. }
  364. }
  365. /** We need to give OpenSSL a callback to verify certificates. This is
  366. * it: We always accept peer certs and complete the handshake. We
  367. * don't validate them until later.
  368. */
  369. STATIC int
  370. always_accept_verify_cb(int preverify_ok,
  371. X509_STORE_CTX *x509_ctx)
  372. {
  373. (void) preverify_ok;
  374. (void) x509_ctx;
  375. return 1;
  376. }
  377. /** Return a newly allocated X509 name with commonName <b>cname</b>. */
  378. static X509_NAME *
  379. tor_x509_name_new(const char *cname)
  380. {
  381. int nid;
  382. X509_NAME *name;
  383. /* LCOV_EXCL_BR_START : these branches will only fail on OOM errors */
  384. if (!(name = X509_NAME_new()))
  385. return NULL;
  386. if ((nid = OBJ_txt2nid("commonName")) == NID_undef) goto error;
  387. if (!(X509_NAME_add_entry_by_NID(name, nid, MBSTRING_ASC,
  388. (unsigned char*)cname, -1, -1, 0)))
  389. goto error;
  390. /* LCOV_EXCL_BR_STOP */
  391. return name;
  392. error:
  393. /* LCOV_EXCL_START : these lines will only execute on out of memory errors*/
  394. X509_NAME_free(name);
  395. return NULL;
  396. /* LCOV_EXCL_STOP */
  397. }
  398. /** Generate and sign an X509 certificate with the public key <b>rsa</b>,
  399. * signed by the private key <b>rsa_sign</b>. The commonName of the
  400. * certificate will be <b>cname</b>; the commonName of the issuer will be
  401. * <b>cname_sign</b>. The cert will be valid for <b>cert_lifetime</b>
  402. * seconds, starting from some time in the past.
  403. *
  404. * Return a certificate on success, NULL on failure.
  405. */
  406. MOCK_IMPL(STATIC X509 *,
  407. tor_tls_create_certificate,(crypto_pk_t *rsa,
  408. crypto_pk_t *rsa_sign,
  409. const char *cname,
  410. const char *cname_sign,
  411. unsigned int cert_lifetime))
  412. {
  413. /* OpenSSL generates self-signed certificates with random 64-bit serial
  414. * numbers, so let's do that too. */
  415. #define SERIAL_NUMBER_SIZE 8
  416. time_t start_time, end_time;
  417. BIGNUM *serial_number = NULL;
  418. unsigned char serial_tmp[SERIAL_NUMBER_SIZE];
  419. EVP_PKEY *sign_pkey = NULL, *pkey=NULL;
  420. X509 *x509 = NULL;
  421. X509_NAME *name = NULL, *name_issuer=NULL;
  422. tor_tls_init();
  423. /* Make sure we're part-way through the certificate lifetime, rather
  424. * than having it start right now. Don't choose quite uniformly, since
  425. * then we might pick a time where we're about to expire. Lastly, be
  426. * sure to start on a day boundary. */
  427. time_t now = time(NULL);
  428. /* Our certificate lifetime will be cert_lifetime no matter what, but if we
  429. * start cert_lifetime in the past, we'll have 0 real lifetime. instead we
  430. * start up to (cert_lifetime - min_real_lifetime - start_granularity) in
  431. * the past. */
  432. const time_t min_real_lifetime = 24*3600;
  433. const time_t start_granularity = 24*3600;
  434. time_t earliest_start_time = now - cert_lifetime + min_real_lifetime
  435. + start_granularity;
  436. /* Don't actually start in the future! */
  437. if (earliest_start_time >= now)
  438. earliest_start_time = now - 1;
  439. start_time = crypto_rand_time_range(earliest_start_time, now);
  440. /* Round the start time back to the start of a day. */
  441. start_time -= start_time % start_granularity;
  442. end_time = start_time + cert_lifetime;
  443. tor_assert(rsa);
  444. tor_assert(cname);
  445. tor_assert(rsa_sign);
  446. tor_assert(cname_sign);
  447. if (!(sign_pkey = crypto_pk_get_evp_pkey_(rsa_sign,1)))
  448. goto error;
  449. if (!(pkey = crypto_pk_get_evp_pkey_(rsa,0)))
  450. goto error;
  451. if (!(x509 = X509_new()))
  452. goto error;
  453. if (!(X509_set_version(x509, 2)))
  454. goto error;
  455. { /* our serial number is 8 random bytes. */
  456. crypto_rand((char *)serial_tmp, sizeof(serial_tmp));
  457. if (!(serial_number = BN_bin2bn(serial_tmp, sizeof(serial_tmp), NULL)))
  458. goto error;
  459. if (!(BN_to_ASN1_INTEGER(serial_number, X509_get_serialNumber(x509))))
  460. goto error;
  461. }
  462. if (!(name = tor_x509_name_new(cname)))
  463. goto error;
  464. if (!(X509_set_subject_name(x509, name)))
  465. goto error;
  466. if (!(name_issuer = tor_x509_name_new(cname_sign)))
  467. goto error;
  468. if (!(X509_set_issuer_name(x509, name_issuer)))
  469. goto error;
  470. if (!X509_time_adj(X509_get_notBefore(x509),0,&start_time))
  471. goto error;
  472. if (!X509_time_adj(X509_get_notAfter(x509),0,&end_time))
  473. goto error;
  474. if (!X509_set_pubkey(x509, pkey))
  475. goto error;
  476. if (!X509_sign(x509, sign_pkey, EVP_sha256()))
  477. goto error;
  478. goto done;
  479. error:
  480. if (x509) {
  481. X509_free(x509);
  482. x509 = NULL;
  483. }
  484. done:
  485. tls_log_errors(NULL, LOG_WARN, LD_NET, "generating certificate");
  486. if (sign_pkey)
  487. EVP_PKEY_free(sign_pkey);
  488. if (pkey)
  489. EVP_PKEY_free(pkey);
  490. if (serial_number)
  491. BN_clear_free(serial_number);
  492. if (name)
  493. X509_NAME_free(name);
  494. if (name_issuer)
  495. X509_NAME_free(name_issuer);
  496. return x509;
  497. #undef SERIAL_NUMBER_SIZE
  498. }
  499. /** List of ciphers that servers should select from when the client might be
  500. * claiming extra unsupported ciphers in order to avoid fingerprinting. */
  501. #define SERVER_CIPHER_LIST \
  502. (TLS1_TXT_DHE_RSA_WITH_AES_256_SHA ":" \
  503. TLS1_TXT_DHE_RSA_WITH_AES_128_SHA)
  504. /** List of ciphers that servers should select from when we actually have
  505. * our choice of what cipher to use. */
  506. static const char UNRESTRICTED_SERVER_CIPHER_LIST[] =
  507. /* This list is autogenerated with the gen_server_ciphers.py script;
  508. * don't hand-edit it. */
  509. #ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  510. TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ":"
  511. #endif
  512. #ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  513. TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
  514. #endif
  515. #ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384
  516. TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384 ":"
  517. #endif
  518. #ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256
  519. TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256 ":"
  520. #endif
  521. #ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA
  522. TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA ":"
  523. #endif
  524. #ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA
  525. TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA ":"
  526. #endif
  527. #ifdef TLS1_TXT_DHE_RSA_WITH_AES_256_GCM_SHA384
  528. TLS1_TXT_DHE_RSA_WITH_AES_256_GCM_SHA384 ":"
  529. #endif
  530. #ifdef TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256
  531. TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256 ":"
  532. #endif
  533. #ifdef TLS1_TXT_DHE_RSA_WITH_AES_256_CCM
  534. TLS1_TXT_DHE_RSA_WITH_AES_256_CCM ":"
  535. #endif
  536. #ifdef TLS1_TXT_DHE_RSA_WITH_AES_128_CCM
  537. TLS1_TXT_DHE_RSA_WITH_AES_128_CCM ":"
  538. #endif
  539. #ifdef TLS1_TXT_DHE_RSA_WITH_AES_256_SHA256
  540. TLS1_TXT_DHE_RSA_WITH_AES_256_SHA256 ":"
  541. #endif
  542. #ifdef TLS1_TXT_DHE_RSA_WITH_AES_128_SHA256
  543. TLS1_TXT_DHE_RSA_WITH_AES_128_SHA256 ":"
  544. #endif
  545. /* Required */
  546. TLS1_TXT_DHE_RSA_WITH_AES_256_SHA ":"
  547. /* Required */
  548. TLS1_TXT_DHE_RSA_WITH_AES_128_SHA ":"
  549. #ifdef TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305
  550. TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305 ":"
  551. #endif
  552. #ifdef TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305
  553. TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305
  554. #endif
  555. ;
  556. /* Note: to set up your own private testing network with link crypto
  557. * disabled, set your Tors' cipher list to
  558. * (SSL3_TXT_RSA_NULL_SHA). If you do this, you won't be able to communicate
  559. * with any of the "real" Tors, though. */
  560. #define CIPHER(id, name) name ":"
  561. #define XCIPHER(id, name)
  562. /** List of ciphers that clients should advertise, omitting items that
  563. * our OpenSSL doesn't know about. */
  564. static const char CLIENT_CIPHER_LIST[] =
  565. #include "ciphers.inc"
  566. /* Tell it not to use SSLv2 ciphers, so that it can select an SSLv3 version
  567. * of any cipher we say. */
  568. "!SSLv2"
  569. ;
  570. #undef CIPHER
  571. #undef XCIPHER
  572. /** Free all storage held in <b>cert</b> */
  573. void
  574. tor_x509_cert_free(tor_x509_cert_t *cert)
  575. {
  576. if (! cert)
  577. return;
  578. if (cert->cert)
  579. X509_free(cert->cert);
  580. tor_free(cert->encoded);
  581. memwipe(cert, 0x03, sizeof(*cert));
  582. /* LCOV_EXCL_BR_START since cert will never be NULL here */
  583. tor_free(cert);
  584. /* LCOV_EXCL_BR_STOP */
  585. }
  586. /**
  587. * Allocate a new tor_x509_cert_t to hold the certificate "x509_cert".
  588. *
  589. * Steals a reference to x509_cert.
  590. */
  591. MOCK_IMPL(STATIC tor_x509_cert_t *,
  592. tor_x509_cert_new,(X509 *x509_cert))
  593. {
  594. tor_x509_cert_t *cert;
  595. EVP_PKEY *pkey;
  596. RSA *rsa;
  597. int length;
  598. unsigned char *buf = NULL;
  599. if (!x509_cert)
  600. return NULL;
  601. length = i2d_X509(x509_cert, &buf);
  602. cert = tor_malloc_zero(sizeof(tor_x509_cert_t));
  603. if (length <= 0 || buf == NULL) {
  604. /* LCOV_EXCL_START for the same reason as the exclusion above */
  605. tor_free(cert);
  606. log_err(LD_CRYPTO, "Couldn't get length of encoded x509 certificate");
  607. X509_free(x509_cert);
  608. return NULL;
  609. /* LCOV_EXCL_STOP */
  610. }
  611. cert->encoded_len = (size_t) length;
  612. cert->encoded = tor_malloc(length);
  613. memcpy(cert->encoded, buf, length);
  614. OPENSSL_free(buf);
  615. cert->cert = x509_cert;
  616. crypto_common_digests(&cert->cert_digests,
  617. (char*)cert->encoded, cert->encoded_len);
  618. if ((pkey = X509_get_pubkey(x509_cert)) &&
  619. (rsa = EVP_PKEY_get1_RSA(pkey))) {
  620. crypto_pk_t *pk = crypto_new_pk_from_rsa_(rsa);
  621. crypto_pk_get_common_digests(pk, &cert->pkey_digests);
  622. cert->pkey_digests_set = 1;
  623. crypto_pk_free(pk);
  624. EVP_PKEY_free(pkey);
  625. }
  626. return cert;
  627. }
  628. /** Return a new copy of <b>cert</b>. */
  629. tor_x509_cert_t *
  630. tor_x509_cert_dup(const tor_x509_cert_t *cert)
  631. {
  632. tor_assert(cert);
  633. X509 *x509 = cert->cert;
  634. return tor_x509_cert_new(X509_dup(x509));
  635. }
  636. /** Read a DER-encoded X509 cert, of length exactly <b>certificate_len</b>,
  637. * from a <b>certificate</b>. Return a newly allocated tor_x509_cert_t on
  638. * success and NULL on failure. */
  639. tor_x509_cert_t *
  640. tor_x509_cert_decode(const uint8_t *certificate, size_t certificate_len)
  641. {
  642. X509 *x509;
  643. const unsigned char *cp = (const unsigned char *)certificate;
  644. tor_x509_cert_t *newcert;
  645. tor_assert(certificate);
  646. check_no_tls_errors();
  647. if (certificate_len > INT_MAX)
  648. goto err;
  649. x509 = d2i_X509(NULL, &cp, (int)certificate_len);
  650. if (!x509)
  651. goto err; /* Couldn't decode */
  652. if (cp - certificate != (int)certificate_len) {
  653. X509_free(x509);
  654. goto err; /* Didn't use all the bytes */
  655. }
  656. newcert = tor_x509_cert_new(x509);
  657. if (!newcert) {
  658. goto err;
  659. }
  660. if (newcert->encoded_len != certificate_len ||
  661. fast_memneq(newcert->encoded, certificate, certificate_len)) {
  662. /* Cert wasn't in DER */
  663. tor_x509_cert_free(newcert);
  664. goto err;
  665. }
  666. return newcert;
  667. err:
  668. tls_log_errors(NULL, LOG_INFO, LD_CRYPTO, "decoding a certificate");
  669. return NULL;
  670. }
  671. /** Set *<b>encoded_out</b> and *<b>size_out</b> to <b>cert</b>'s encoded DER
  672. * representation and length, respectively. */
  673. void
  674. tor_x509_cert_get_der(const tor_x509_cert_t *cert,
  675. const uint8_t **encoded_out, size_t *size_out)
  676. {
  677. tor_assert(cert);
  678. tor_assert(encoded_out);
  679. tor_assert(size_out);
  680. *encoded_out = cert->encoded;
  681. *size_out = cert->encoded_len;
  682. }
  683. /** Return a set of digests for the public key in <b>cert</b>, or NULL if this
  684. * cert's public key is not one we know how to take the digest of. */
  685. const common_digests_t *
  686. tor_x509_cert_get_id_digests(const tor_x509_cert_t *cert)
  687. {
  688. if (cert->pkey_digests_set)
  689. return &cert->pkey_digests;
  690. else
  691. return NULL;
  692. }
  693. /** Return a set of digests for the public key in <b>cert</b>. */
  694. const common_digests_t *
  695. tor_x509_cert_get_cert_digests(const tor_x509_cert_t *cert)
  696. {
  697. return &cert->cert_digests;
  698. }
  699. /** Remove a reference to <b>ctx</b>, and free it if it has no more
  700. * references. */
  701. static void
  702. tor_tls_context_decref(tor_tls_context_t *ctx)
  703. {
  704. tor_assert(ctx);
  705. if (--ctx->refcnt == 0) {
  706. SSL_CTX_free(ctx->ctx);
  707. tor_x509_cert_free(ctx->my_link_cert);
  708. tor_x509_cert_free(ctx->my_id_cert);
  709. tor_x509_cert_free(ctx->my_auth_cert);
  710. crypto_pk_free(ctx->link_key);
  711. crypto_pk_free(ctx->auth_key);
  712. /* LCOV_EXCL_BR_START since ctx will never be NULL here */
  713. tor_free(ctx);
  714. /* LCOV_EXCL_BR_STOP */
  715. }
  716. }
  717. /** Set *<b>link_cert_out</b> and *<b>id_cert_out</b> to the link certificate
  718. * and ID certificate that we're currently using for our V3 in-protocol
  719. * handshake's certificate chain. If <b>server</b> is true, provide the certs
  720. * that we use in server mode (auth, ID); otherwise, provide the certs that we
  721. * use in client mode. (link, ID) */
  722. int
  723. tor_tls_get_my_certs(int server,
  724. const tor_x509_cert_t **link_cert_out,
  725. const tor_x509_cert_t **id_cert_out)
  726. {
  727. tor_tls_context_t *ctx = server ? server_tls_context : client_tls_context;
  728. if (! ctx)
  729. return -1;
  730. if (link_cert_out)
  731. *link_cert_out = server ? ctx->my_link_cert : ctx->my_auth_cert;
  732. if (id_cert_out)
  733. *id_cert_out = ctx->my_id_cert;
  734. return 0;
  735. }
  736. /**
  737. * Return the authentication key that we use to authenticate ourselves as a
  738. * client in the V3 in-protocol handshake.
  739. */
  740. crypto_pk_t *
  741. tor_tls_get_my_client_auth_key(void)
  742. {
  743. if (! client_tls_context)
  744. return NULL;
  745. return client_tls_context->auth_key;
  746. }
  747. /**
  748. * Return a newly allocated copy of the public key that a certificate
  749. * certifies. Watch out! This returns NULL if the cert's key is not RSA.
  750. */
  751. crypto_pk_t *
  752. tor_tls_cert_get_key(tor_x509_cert_t *cert)
  753. {
  754. crypto_pk_t *result = NULL;
  755. EVP_PKEY *pkey = X509_get_pubkey(cert->cert);
  756. RSA *rsa;
  757. if (!pkey)
  758. return NULL;
  759. rsa = EVP_PKEY_get1_RSA(pkey);
  760. if (!rsa) {
  761. EVP_PKEY_free(pkey);
  762. return NULL;
  763. }
  764. result = crypto_new_pk_from_rsa_(rsa);
  765. EVP_PKEY_free(pkey);
  766. return result;
  767. }
  768. /** Return true iff the other side of <b>tls</b> has authenticated to us, and
  769. * the key certified in <b>cert</b> is the same as the key they used to do it.
  770. */
  771. MOCK_IMPL(int,
  772. tor_tls_cert_matches_key,(const tor_tls_t *tls, const tor_x509_cert_t *cert))
  773. {
  774. X509 *peercert = SSL_get_peer_certificate(tls->ssl);
  775. EVP_PKEY *link_key = NULL, *cert_key = NULL;
  776. int result;
  777. if (!peercert)
  778. return 0;
  779. link_key = X509_get_pubkey(peercert);
  780. cert_key = X509_get_pubkey(cert->cert);
  781. result = link_key && cert_key && EVP_PKEY_cmp(cert_key, link_key) == 1;
  782. X509_free(peercert);
  783. if (link_key)
  784. EVP_PKEY_free(link_key);
  785. if (cert_key)
  786. EVP_PKEY_free(cert_key);
  787. return result;
  788. }
  789. /** Check whether <b>cert</b> is well-formed, currently live, and correctly
  790. * signed by the public key in <b>signing_cert</b>. If <b>check_rsa_1024</b>,
  791. * make sure that it has an RSA key with 1024 bits; otherwise, just check that
  792. * the key is long enough. Return 1 if the cert is good, and 0 if it's bad or
  793. * we couldn't check it. */
  794. int
  795. tor_tls_cert_is_valid(int severity,
  796. const tor_x509_cert_t *cert,
  797. const tor_x509_cert_t *signing_cert,
  798. time_t now,
  799. int check_rsa_1024)
  800. {
  801. check_no_tls_errors();
  802. EVP_PKEY *cert_key;
  803. int r, key_ok = 0;
  804. if (!signing_cert || !cert)
  805. goto bad;
  806. EVP_PKEY *signing_key = X509_get_pubkey(signing_cert->cert);
  807. if (!signing_key)
  808. goto bad;
  809. r = X509_verify(cert->cert, signing_key);
  810. EVP_PKEY_free(signing_key);
  811. if (r <= 0)
  812. goto bad;
  813. /* okay, the signature checked out right. Now let's check the check the
  814. * lifetime. */
  815. if (check_cert_lifetime_internal(severity, cert->cert, now,
  816. 48*60*60, 30*24*60*60) < 0)
  817. goto bad;
  818. cert_key = X509_get_pubkey(cert->cert);
  819. if (check_rsa_1024 && cert_key) {
  820. RSA *rsa = EVP_PKEY_get1_RSA(cert_key);
  821. #ifdef OPENSSL_1_1_API
  822. if (rsa && RSA_bits(rsa) == 1024)
  823. #else
  824. if (rsa && BN_num_bits(rsa->n) == 1024)
  825. #endif
  826. key_ok = 1;
  827. if (rsa)
  828. RSA_free(rsa);
  829. } else if (cert_key) {
  830. int min_bits = 1024;
  831. #ifdef EVP_PKEY_EC
  832. if (EVP_PKEY_base_id(cert_key) == EVP_PKEY_EC)
  833. min_bits = 128;
  834. #endif
  835. if (EVP_PKEY_bits(cert_key) >= min_bits)
  836. key_ok = 1;
  837. }
  838. EVP_PKEY_free(cert_key);
  839. if (!key_ok)
  840. goto bad;
  841. /* XXXX compare DNs or anything? */
  842. return 1;
  843. bad:
  844. tls_log_errors(NULL, LOG_INFO, LD_CRYPTO, "checking a certificate");
  845. return 0;
  846. }
  847. /** Increase the reference count of <b>ctx</b>. */
  848. static void
  849. tor_tls_context_incref(tor_tls_context_t *ctx)
  850. {
  851. ++ctx->refcnt;
  852. }
  853. /** Create new global client and server TLS contexts.
  854. *
  855. * If <b>server_identity</b> is NULL, this will not generate a server
  856. * TLS context. If TOR_TLS_CTX_IS_PUBLIC_SERVER is set in <b>flags</b>, use
  857. * the same TLS context for incoming and outgoing connections, and
  858. * ignore <b>client_identity</b>. If one of TOR_TLS_CTX_USE_ECDHE_P{224,256}
  859. * is set in <b>flags</b>, use that ECDHE group if possible; otherwise use
  860. * the default ECDHE group. */
  861. int
  862. tor_tls_context_init(unsigned flags,
  863. crypto_pk_t *client_identity,
  864. crypto_pk_t *server_identity,
  865. unsigned int key_lifetime)
  866. {
  867. int rv1 = 0;
  868. int rv2 = 0;
  869. const int is_public_server = flags & TOR_TLS_CTX_IS_PUBLIC_SERVER;
  870. check_no_tls_errors();
  871. if (is_public_server) {
  872. tor_tls_context_t *new_ctx;
  873. tor_tls_context_t *old_ctx;
  874. tor_assert(server_identity != NULL);
  875. rv1 = tor_tls_context_init_one(&server_tls_context,
  876. server_identity,
  877. key_lifetime, flags, 0);
  878. if (rv1 >= 0) {
  879. new_ctx = server_tls_context;
  880. tor_tls_context_incref(new_ctx);
  881. old_ctx = client_tls_context;
  882. client_tls_context = new_ctx;
  883. if (old_ctx != NULL) {
  884. tor_tls_context_decref(old_ctx);
  885. }
  886. }
  887. } else {
  888. if (server_identity != NULL) {
  889. rv1 = tor_tls_context_init_one(&server_tls_context,
  890. server_identity,
  891. key_lifetime,
  892. flags,
  893. 0);
  894. } else {
  895. tor_tls_context_t *old_ctx = server_tls_context;
  896. server_tls_context = NULL;
  897. if (old_ctx != NULL) {
  898. tor_tls_context_decref(old_ctx);
  899. }
  900. }
  901. rv2 = tor_tls_context_init_one(&client_tls_context,
  902. client_identity,
  903. key_lifetime,
  904. flags,
  905. 1);
  906. }
  907. tls_log_errors(NULL, LOG_WARN, LD_CRYPTO, "constructing a TLS context");
  908. return MIN(rv1, rv2);
  909. }
  910. /** Create a new global TLS context.
  911. *
  912. * You can call this function multiple times. Each time you call it,
  913. * it generates new certificates; all new connections will use
  914. * the new SSL context.
  915. */
  916. STATIC int
  917. tor_tls_context_init_one(tor_tls_context_t **ppcontext,
  918. crypto_pk_t *identity,
  919. unsigned int key_lifetime,
  920. unsigned int flags,
  921. int is_client)
  922. {
  923. tor_tls_context_t *new_ctx = tor_tls_context_new(identity,
  924. key_lifetime,
  925. flags,
  926. is_client);
  927. tor_tls_context_t *old_ctx = *ppcontext;
  928. if (new_ctx != NULL) {
  929. *ppcontext = new_ctx;
  930. /* Free the old context if one existed. */
  931. if (old_ctx != NULL) {
  932. /* This is safe even if there are open connections: we reference-
  933. * count tor_tls_context_t objects. */
  934. tor_tls_context_decref(old_ctx);
  935. }
  936. }
  937. return ((new_ctx != NULL) ? 0 : -1);
  938. }
  939. /** The group we should use for ecdhe when none was selected. */
  940. #define NID_tor_default_ecdhe_group NID_X9_62_prime256v1
  941. #define RSA_LINK_KEY_BITS 2048
  942. /** Create a new TLS context for use with Tor TLS handshakes.
  943. * <b>identity</b> should be set to the identity key used to sign the
  944. * certificate.
  945. */
  946. STATIC tor_tls_context_t *
  947. tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime,
  948. unsigned flags, int is_client)
  949. {
  950. crypto_pk_t *rsa = NULL, *rsa_auth = NULL;
  951. EVP_PKEY *pkey = NULL;
  952. tor_tls_context_t *result = NULL;
  953. X509 *cert = NULL, *idcert = NULL, *authcert = NULL;
  954. char *nickname = NULL, *nn2 = NULL;
  955. tor_tls_init();
  956. nickname = crypto_random_hostname(8, 20, "www.", ".net");
  957. #ifdef DISABLE_V3_LINKPROTO_SERVERSIDE
  958. nn2 = crypto_random_hostname(8, 20, "www.", ".net");
  959. #else
  960. nn2 = crypto_random_hostname(8, 20, "www.", ".com");
  961. #endif
  962. /* Generate short-term RSA key for use with TLS. */
  963. if (!(rsa = crypto_pk_new()))
  964. goto error;
  965. if (crypto_pk_generate_key_with_bits(rsa, RSA_LINK_KEY_BITS)<0)
  966. goto error;
  967. if (!is_client) {
  968. /* Generate short-term RSA key for use in the in-protocol ("v3")
  969. * authentication handshake. */
  970. if (!(rsa_auth = crypto_pk_new()))
  971. goto error;
  972. if (crypto_pk_generate_key(rsa_auth)<0)
  973. goto error;
  974. /* Create a link certificate signed by identity key. */
  975. cert = tor_tls_create_certificate(rsa, identity, nickname, nn2,
  976. key_lifetime);
  977. /* Create self-signed certificate for identity key. */
  978. idcert = tor_tls_create_certificate(identity, identity, nn2, nn2,
  979. IDENTITY_CERT_LIFETIME);
  980. /* Create an authentication certificate signed by identity key. */
  981. authcert = tor_tls_create_certificate(rsa_auth, identity, nickname, nn2,
  982. key_lifetime);
  983. if (!cert || !idcert || !authcert) {
  984. log_warn(LD_CRYPTO, "Error creating certificate");
  985. goto error;
  986. }
  987. }
  988. result = tor_malloc_zero(sizeof(tor_tls_context_t));
  989. result->refcnt = 1;
  990. if (!is_client) {
  991. result->my_link_cert = tor_x509_cert_new(X509_dup(cert));
  992. result->my_id_cert = tor_x509_cert_new(X509_dup(idcert));
  993. result->my_auth_cert = tor_x509_cert_new(X509_dup(authcert));
  994. if (!result->my_link_cert || !result->my_id_cert || !result->my_auth_cert)
  995. goto error;
  996. result->link_key = crypto_pk_dup_key(rsa);
  997. result->auth_key = crypto_pk_dup_key(rsa_auth);
  998. }
  999. #if 0
  1000. /* Tell OpenSSL to only use TLS1. This may have subtly different results
  1001. * from SSLv23_method() with SSLv2 and SSLv3 disabled, so we need to do some
  1002. * investigation before we consider adjusting it. It should be compatible
  1003. * with existing Tors. */
  1004. if (!(result->ctx = SSL_CTX_new(TLSv1_method())))
  1005. goto error;
  1006. #endif
  1007. /* Tell OpenSSL to use TLS 1.0 or later but not SSL2 or SSL3. */
  1008. #ifdef HAVE_TLS_METHOD
  1009. if (!(result->ctx = SSL_CTX_new(TLS_method())))
  1010. goto error;
  1011. #else
  1012. if (!(result->ctx = SSL_CTX_new(SSLv23_method())))
  1013. goto error;
  1014. #endif
  1015. SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv2);
  1016. SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv3);
  1017. /* Prefer the server's ordering of ciphers: the client's ordering has
  1018. * historically been chosen for fingerprinting resistance. */
  1019. SSL_CTX_set_options(result->ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
  1020. /* Disable TLS tickets if they're supported. We never want to use them;
  1021. * using them can make our perfect forward secrecy a little worse, *and*
  1022. * create an opportunity to fingerprint us (since it's unusual to use them
  1023. * with TLS sessions turned off).
  1024. *
  1025. * In 0.2.4, clients advertise support for them though, to avoid a TLS
  1026. * distinguishability vector. This can give us worse PFS, though, if we
  1027. * get a server that doesn't set SSL_OP_NO_TICKET. With luck, there will
  1028. * be few such servers by the time 0.2.4 is more stable.
  1029. */
  1030. #ifdef SSL_OP_NO_TICKET
  1031. if (! is_client) {
  1032. SSL_CTX_set_options(result->ctx, SSL_OP_NO_TICKET);
  1033. }
  1034. #endif
  1035. SSL_CTX_set_options(result->ctx, SSL_OP_SINGLE_DH_USE);
  1036. SSL_CTX_set_options(result->ctx, SSL_OP_SINGLE_ECDH_USE);
  1037. #ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
  1038. SSL_CTX_set_options(result->ctx,
  1039. SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
  1040. #endif
  1041. /* Yes, we know what we are doing here. No, we do not treat a renegotiation
  1042. * as authenticating any earlier-received data.
  1043. */
  1044. {
  1045. SSL_CTX_set_options(result->ctx,
  1046. SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
  1047. }
  1048. #ifdef SSL_OP_NO_COMPRESSION
  1049. SSL_CTX_set_options(result->ctx, SSL_OP_NO_COMPRESSION);
  1050. #endif
  1051. #if OPENSSL_VERSION_NUMBER < OPENSSL_V_SERIES(1,1,0)
  1052. #ifndef OPENSSL_NO_COMP
  1053. /* Don't actually allow compression; it uses ram and time, but the data
  1054. * we transmit is all encrypted anyway. */
  1055. if (result->ctx->comp_methods)
  1056. result->ctx->comp_methods = NULL;
  1057. #endif
  1058. #endif
  1059. #ifdef SSL_MODE_RELEASE_BUFFERS
  1060. SSL_CTX_set_mode(result->ctx, SSL_MODE_RELEASE_BUFFERS);
  1061. #endif
  1062. if (! is_client) {
  1063. if (cert && !SSL_CTX_use_certificate(result->ctx,cert))
  1064. goto error;
  1065. X509_free(cert); /* We just added a reference to cert. */
  1066. cert=NULL;
  1067. if (idcert) {
  1068. X509_STORE *s = SSL_CTX_get_cert_store(result->ctx);
  1069. tor_assert(s);
  1070. X509_STORE_add_cert(s, idcert);
  1071. X509_free(idcert); /* The context now owns the reference to idcert */
  1072. idcert = NULL;
  1073. }
  1074. }
  1075. SSL_CTX_set_session_cache_mode(result->ctx, SSL_SESS_CACHE_OFF);
  1076. if (!is_client) {
  1077. tor_assert(rsa);
  1078. if (!(pkey = crypto_pk_get_evp_pkey_(rsa,1)))
  1079. goto error;
  1080. if (!SSL_CTX_use_PrivateKey(result->ctx, pkey))
  1081. goto error;
  1082. EVP_PKEY_free(pkey);
  1083. pkey = NULL;
  1084. if (!SSL_CTX_check_private_key(result->ctx))
  1085. goto error;
  1086. }
  1087. {
  1088. crypto_dh_t *dh = crypto_dh_new(DH_TYPE_TLS);
  1089. tor_assert(dh);
  1090. SSL_CTX_set_tmp_dh(result->ctx, crypto_dh_get_dh_(dh));
  1091. crypto_dh_free(dh);
  1092. }
  1093. if (! is_client) {
  1094. int nid;
  1095. EC_KEY *ec_key;
  1096. if (flags & TOR_TLS_CTX_USE_ECDHE_P224)
  1097. nid = NID_secp224r1;
  1098. else if (flags & TOR_TLS_CTX_USE_ECDHE_P256)
  1099. nid = NID_X9_62_prime256v1;
  1100. else
  1101. nid = NID_tor_default_ecdhe_group;
  1102. /* Use P-256 for ECDHE. */
  1103. ec_key = EC_KEY_new_by_curve_name(nid);
  1104. if (ec_key != NULL) /*XXXX Handle errors? */
  1105. SSL_CTX_set_tmp_ecdh(result->ctx, ec_key);
  1106. EC_KEY_free(ec_key);
  1107. }
  1108. SSL_CTX_set_verify(result->ctx, SSL_VERIFY_PEER,
  1109. always_accept_verify_cb);
  1110. /* let us realloc bufs that we're writing from */
  1111. SSL_CTX_set_mode(result->ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
  1112. if (rsa)
  1113. crypto_pk_free(rsa);
  1114. if (rsa_auth)
  1115. crypto_pk_free(rsa_auth);
  1116. X509_free(authcert);
  1117. tor_free(nickname);
  1118. tor_free(nn2);
  1119. return result;
  1120. error:
  1121. tls_log_errors(NULL, LOG_WARN, LD_NET, "creating TLS context");
  1122. tor_free(nickname);
  1123. tor_free(nn2);
  1124. if (pkey)
  1125. EVP_PKEY_free(pkey);
  1126. if (rsa)
  1127. crypto_pk_free(rsa);
  1128. if (rsa_auth)
  1129. crypto_pk_free(rsa_auth);
  1130. if (result)
  1131. tor_tls_context_decref(result);
  1132. if (cert)
  1133. X509_free(cert);
  1134. if (idcert)
  1135. X509_free(idcert);
  1136. if (authcert)
  1137. X509_free(authcert);
  1138. return NULL;
  1139. }
  1140. /** Invoked when a TLS state changes: log the change at severity 'debug' */
  1141. STATIC void
  1142. tor_tls_debug_state_callback(const SSL *ssl, int type, int val)
  1143. {
  1144. /* LCOV_EXCL_START since this depends on whether debug is captured or not */
  1145. log_debug(LD_HANDSHAKE, "SSL %p is now in state %s [type=%d,val=%d].",
  1146. ssl, SSL_state_string_long(ssl), type, val);
  1147. /* LCOV_EXCL_STOP */
  1148. }
  1149. /* Return the name of the negotiated ciphersuite in use on <b>tls</b> */
  1150. const char *
  1151. tor_tls_get_ciphersuite_name(tor_tls_t *tls)
  1152. {
  1153. return SSL_get_cipher(tls->ssl);
  1154. }
  1155. /* Here's the old V2 cipher list we sent from 0.2.1.1-alpha up to
  1156. * 0.2.3.17-beta. If a client is using this list, we can't believe the ciphers
  1157. * that it claims to support. We'll prune this list to remove the ciphers
  1158. * *we* don't recognize. */
  1159. STATIC uint16_t v2_cipher_list[] = {
  1160. 0xc00a, /* TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA */
  1161. 0xc014, /* TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA */
  1162. 0x0039, /* TLS1_TXT_DHE_RSA_WITH_AES_256_SHA */
  1163. 0x0038, /* TLS1_TXT_DHE_DSS_WITH_AES_256_SHA */
  1164. 0xc00f, /* TLS1_TXT_ECDH_RSA_WITH_AES_256_CBC_SHA */
  1165. 0xc005, /* TLS1_TXT_ECDH_ECDSA_WITH_AES_256_CBC_SHA */
  1166. 0x0035, /* TLS1_TXT_RSA_WITH_AES_256_SHA */
  1167. 0xc007, /* TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA */
  1168. 0xc009, /* TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA */
  1169. 0xc011, /* TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA */
  1170. 0xc013, /* TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA */
  1171. 0x0033, /* TLS1_TXT_DHE_RSA_WITH_AES_128_SHA */
  1172. 0x0032, /* TLS1_TXT_DHE_DSS_WITH_AES_128_SHA */
  1173. 0xc00c, /* TLS1_TXT_ECDH_RSA_WITH_RC4_128_SHA */
  1174. 0xc00e, /* TLS1_TXT_ECDH_RSA_WITH_AES_128_CBC_SHA */
  1175. 0xc002, /* TLS1_TXT_ECDH_ECDSA_WITH_RC4_128_SHA */
  1176. 0xc004, /* TLS1_TXT_ECDH_ECDSA_WITH_AES_128_CBC_SHA */
  1177. 0x0004, /* SSL3_TXT_RSA_RC4_128_MD5 */
  1178. 0x0005, /* SSL3_TXT_RSA_RC4_128_SHA */
  1179. 0x002f, /* TLS1_TXT_RSA_WITH_AES_128_SHA */
  1180. 0xc008, /* TLS1_TXT_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA */
  1181. 0xc012, /* TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA */
  1182. 0x0016, /* SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA */
  1183. 0x0013, /* SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA */
  1184. 0xc00d, /* TLS1_TXT_ECDH_RSA_WITH_DES_192_CBC3_SHA */
  1185. 0xc003, /* TLS1_TXT_ECDH_ECDSA_WITH_DES_192_CBC3_SHA */
  1186. 0xfeff, /* SSL3_TXT_RSA_FIPS_WITH_3DES_EDE_CBC_SHA */
  1187. 0x000a, /* SSL3_TXT_RSA_DES_192_CBC3_SHA */
  1188. 0
  1189. };
  1190. /** Have we removed the unrecognized ciphers from v2_cipher_list yet? */
  1191. static int v2_cipher_list_pruned = 0;
  1192. /** Return 0 if <b>m</b> does not support the cipher with ID <b>cipher</b>;
  1193. * return 1 if it does support it, or if we have no way to tell. */
  1194. STATIC int
  1195. find_cipher_by_id(const SSL *ssl, const SSL_METHOD *m, uint16_t cipher)
  1196. {
  1197. const SSL_CIPHER *c;
  1198. #ifdef HAVE_SSL_CIPHER_FIND
  1199. (void) m;
  1200. {
  1201. unsigned char cipherid[3];
  1202. tor_assert(ssl);
  1203. set_uint16(cipherid, htons(cipher));
  1204. cipherid[2] = 0; /* If ssl23_get_cipher_by_char finds no cipher starting
  1205. * with a two-byte 'cipherid', it may look for a v2
  1206. * cipher with the appropriate 3 bytes. */
  1207. c = SSL_CIPHER_find((SSL*)ssl, cipherid);
  1208. if (c)
  1209. tor_assert((SSL_CIPHER_get_id(c) & 0xffff) == cipher);
  1210. return c != NULL;
  1211. }
  1212. #else
  1213. # if defined(HAVE_STRUCT_SSL_METHOD_ST_GET_CIPHER_BY_CHAR)
  1214. if (m && m->get_cipher_by_char) {
  1215. unsigned char cipherid[3];
  1216. set_uint16(cipherid, htons(cipher));
  1217. cipherid[2] = 0; /* If ssl23_get_cipher_by_char finds no cipher starting
  1218. * with a two-byte 'cipherid', it may look for a v2
  1219. * cipher with the appropriate 3 bytes. */
  1220. c = m->get_cipher_by_char(cipherid);
  1221. if (c)
  1222. tor_assert((c->id & 0xffff) == cipher);
  1223. return c != NULL;
  1224. }
  1225. # endif
  1226. # ifndef OPENSSL_1_1_API
  1227. if (m && m->get_cipher && m->num_ciphers) {
  1228. /* It would seem that some of the "let's-clean-up-openssl" forks have
  1229. * removed the get_cipher_by_char function. Okay, so now you get a
  1230. * quadratic search.
  1231. */
  1232. int i;
  1233. for (i = 0; i < m->num_ciphers(); ++i) {
  1234. c = m->get_cipher(i);
  1235. if (c && (c->id & 0xffff) == cipher) {
  1236. return 1;
  1237. }
  1238. }
  1239. return 0;
  1240. }
  1241. # endif
  1242. (void) ssl;
  1243. (void) m;
  1244. (void) cipher;
  1245. return 1; /* No way to search */
  1246. #endif
  1247. }
  1248. /** Remove from v2_cipher_list every cipher that we don't support, so that
  1249. * comparing v2_cipher_list to a client's cipher list will give a sensible
  1250. * result. */
  1251. static void
  1252. prune_v2_cipher_list(const SSL *ssl)
  1253. {
  1254. uint16_t *inp, *outp;
  1255. #ifdef HAVE_TLS_METHOD
  1256. const SSL_METHOD *m = TLS_method();
  1257. #else
  1258. const SSL_METHOD *m = SSLv23_method();
  1259. #endif
  1260. inp = outp = v2_cipher_list;
  1261. while (*inp) {
  1262. if (find_cipher_by_id(ssl, m, *inp)) {
  1263. *outp++ = *inp++;
  1264. } else {
  1265. inp++;
  1266. }
  1267. }
  1268. *outp = 0;
  1269. v2_cipher_list_pruned = 1;
  1270. }
  1271. /** Examine the client cipher list in <b>ssl</b>, and determine what kind of
  1272. * client it is. Return one of CIPHERS_ERR, CIPHERS_V1, CIPHERS_V2,
  1273. * CIPHERS_UNRESTRICTED.
  1274. **/
  1275. STATIC int
  1276. tor_tls_classify_client_ciphers(const SSL *ssl,
  1277. STACK_OF(SSL_CIPHER) *peer_ciphers)
  1278. {
  1279. int i, res;
  1280. tor_tls_t *tor_tls;
  1281. if (PREDICT_UNLIKELY(!v2_cipher_list_pruned))
  1282. prune_v2_cipher_list(ssl);
  1283. tor_tls = tor_tls_get_by_ssl(ssl);
  1284. if (tor_tls && tor_tls->client_cipher_list_type)
  1285. return tor_tls->client_cipher_list_type;
  1286. /* If we reached this point, we just got a client hello. See if there is
  1287. * a cipher list. */
  1288. if (!peer_ciphers) {
  1289. log_info(LD_NET, "No ciphers on session");
  1290. res = CIPHERS_ERR;
  1291. goto done;
  1292. }
  1293. /* Now we need to see if there are any ciphers whose presence means we're
  1294. * dealing with an updated Tor. */
  1295. for (i = 0; i < sk_SSL_CIPHER_num(peer_ciphers); ++i) {
  1296. const SSL_CIPHER *cipher = sk_SSL_CIPHER_value(peer_ciphers, i);
  1297. const char *ciphername = SSL_CIPHER_get_name(cipher);
  1298. if (strcmp(ciphername, TLS1_TXT_DHE_RSA_WITH_AES_128_SHA) &&
  1299. strcmp(ciphername, TLS1_TXT_DHE_RSA_WITH_AES_256_SHA) &&
  1300. strcmp(ciphername, SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA) &&
  1301. strcmp(ciphername, "(NONE)")) {
  1302. log_debug(LD_NET, "Got a non-version-1 cipher called '%s'", ciphername);
  1303. // return 1;
  1304. goto v2_or_higher;
  1305. }
  1306. }
  1307. res = CIPHERS_V1;
  1308. goto done;
  1309. v2_or_higher:
  1310. {
  1311. const uint16_t *v2_cipher = v2_cipher_list;
  1312. for (i = 0; i < sk_SSL_CIPHER_num(peer_ciphers); ++i) {
  1313. const SSL_CIPHER *cipher = sk_SSL_CIPHER_value(peer_ciphers, i);
  1314. uint16_t id = SSL_CIPHER_get_id(cipher) & 0xffff;
  1315. if (id == 0x00ff) /* extended renegotiation indicator. */
  1316. continue;
  1317. if (!id || id != *v2_cipher) {
  1318. res = CIPHERS_UNRESTRICTED;
  1319. goto dump_ciphers;
  1320. }
  1321. ++v2_cipher;
  1322. }
  1323. if (*v2_cipher != 0) {
  1324. res = CIPHERS_UNRESTRICTED;
  1325. goto dump_ciphers;
  1326. }
  1327. res = CIPHERS_V2;
  1328. }
  1329. dump_ciphers:
  1330. {
  1331. smartlist_t *elts = smartlist_new();
  1332. char *s;
  1333. for (i = 0; i < sk_SSL_CIPHER_num(peer_ciphers); ++i) {
  1334. const SSL_CIPHER *cipher = sk_SSL_CIPHER_value(peer_ciphers, i);
  1335. const char *ciphername = SSL_CIPHER_get_name(cipher);
  1336. smartlist_add(elts, (char*)ciphername);
  1337. }
  1338. s = smartlist_join_strings(elts, ":", 0, NULL);
  1339. log_debug(LD_NET, "Got a %s V2/V3 cipher list from %s. It is: '%s'",
  1340. (res == CIPHERS_V2) ? "fictitious" : "real", ADDR(tor_tls), s);
  1341. tor_free(s);
  1342. smartlist_free(elts);
  1343. }
  1344. done:
  1345. if (tor_tls)
  1346. return tor_tls->client_cipher_list_type = res;
  1347. return res;
  1348. }
  1349. /** Return true iff the cipher list suggested by the client for <b>ssl</b> is
  1350. * a list that indicates that the client knows how to do the v2 TLS connection
  1351. * handshake. */
  1352. STATIC int
  1353. tor_tls_client_is_using_v2_ciphers(const SSL *ssl)
  1354. {
  1355. STACK_OF(SSL_CIPHER) *ciphers;
  1356. #ifdef HAVE_SSL_GET_CLIENT_CIPHERS
  1357. ciphers = SSL_get_client_ciphers(ssl);
  1358. #else
  1359. SSL_SESSION *session;
  1360. if (!(session = SSL_get_session((SSL *)ssl))) {
  1361. log_info(LD_NET, "No session on TLS?");
  1362. return CIPHERS_ERR;
  1363. }
  1364. ciphers = session->ciphers;
  1365. #endif
  1366. return tor_tls_classify_client_ciphers(ssl, ciphers) >= CIPHERS_V2;
  1367. }
  1368. /** Invoked when we're accepting a connection on <b>ssl</b>, and the connection
  1369. * changes state. We use this:
  1370. * <ul><li>To alter the state of the handshake partway through, so we
  1371. * do not send or request extra certificates in v2 handshakes.</li>
  1372. * <li>To detect renegotiation</li></ul>
  1373. */
  1374. STATIC void
  1375. tor_tls_server_info_callback(const SSL *ssl, int type, int val)
  1376. {
  1377. tor_tls_t *tls;
  1378. (void) val;
  1379. IF_BUG_ONCE(ssl == NULL) {
  1380. return; // LCOV_EXCL_LINE
  1381. }
  1382. tor_tls_debug_state_callback(ssl, type, val);
  1383. if (type != SSL_CB_ACCEPT_LOOP)
  1384. return;
  1385. OSSL_HANDSHAKE_STATE ssl_state = SSL_get_state(ssl);
  1386. if (! STATE_IS_SW_SERVER_HELLO(ssl_state))
  1387. return;
  1388. tls = tor_tls_get_by_ssl(ssl);
  1389. if (tls) {
  1390. /* Check whether we're watching for renegotiates. If so, this is one! */
  1391. if (tls->negotiated_callback)
  1392. tls->got_renegotiate = 1;
  1393. if (tls->server_handshake_count < 127) /*avoid any overflow possibility*/
  1394. ++tls->server_handshake_count;
  1395. } else {
  1396. log_warn(LD_BUG, "Couldn't look up the tls for an SSL*. How odd!");
  1397. return;
  1398. }
  1399. /* Now check the cipher list. */
  1400. if (tor_tls_client_is_using_v2_ciphers(ssl)) {
  1401. if (tls->wasV2Handshake)
  1402. return; /* We already turned this stuff off for the first handshake;
  1403. * This is a renegotiation. */
  1404. /* Yes, we're casting away the const from ssl. This is very naughty of us.
  1405. * Let's hope openssl doesn't notice! */
  1406. /* Set SSL_MODE_NO_AUTO_CHAIN to keep from sending back any extra certs. */
  1407. SSL_set_mode((SSL*) ssl, SSL_MODE_NO_AUTO_CHAIN);
  1408. /* Don't send a hello request. */
  1409. SSL_set_verify((SSL*) ssl, SSL_VERIFY_NONE, NULL);
  1410. if (tls) {
  1411. tls->wasV2Handshake = 1;
  1412. } else {
  1413. /* LCOV_EXCL_START this line is not reachable */
  1414. log_warn(LD_BUG, "Couldn't look up the tls for an SSL*. How odd!");
  1415. /* LCOV_EXCL_STOP */
  1416. }
  1417. }
  1418. }
  1419. /** Callback to get invoked on a server after we've read the list of ciphers
  1420. * the client supports, but before we pick our own ciphersuite.
  1421. *
  1422. * We can't abuse an info_cb for this, since by the time one of the
  1423. * client_hello info_cbs is called, we've already picked which ciphersuite to
  1424. * use.
  1425. *
  1426. * Technically, this function is an abuse of this callback, since the point of
  1427. * a session_secret_cb is to try to set up and/or verify a shared-secret for
  1428. * authentication on the fly. But as long as we return 0, we won't actually be
  1429. * setting up a shared secret, and all will be fine.
  1430. */
  1431. STATIC int
  1432. tor_tls_session_secret_cb(SSL *ssl, void *secret, int *secret_len,
  1433. STACK_OF(SSL_CIPHER) *peer_ciphers,
  1434. CONST_IF_OPENSSL_1_1_API SSL_CIPHER **cipher,
  1435. void *arg)
  1436. {
  1437. (void) secret;
  1438. (void) secret_len;
  1439. (void) peer_ciphers;
  1440. (void) cipher;
  1441. (void) arg;
  1442. if (tor_tls_classify_client_ciphers(ssl, peer_ciphers) ==
  1443. CIPHERS_UNRESTRICTED) {
  1444. SSL_set_cipher_list(ssl, UNRESTRICTED_SERVER_CIPHER_LIST);
  1445. }
  1446. SSL_set_session_secret_cb(ssl, NULL, NULL);
  1447. return 0;
  1448. }
  1449. static void
  1450. tor_tls_setup_session_secret_cb(tor_tls_t *tls)
  1451. {
  1452. SSL_set_session_secret_cb(tls->ssl, tor_tls_session_secret_cb, NULL);
  1453. }
  1454. /** Create a new TLS object from a file descriptor, and a flag to
  1455. * determine whether it is functioning as a server.
  1456. */
  1457. tor_tls_t *
  1458. tor_tls_new(int sock, int isServer)
  1459. {
  1460. BIO *bio = NULL;
  1461. tor_tls_t *result = tor_malloc_zero(sizeof(tor_tls_t));
  1462. tor_tls_context_t *context = isServer ? server_tls_context :
  1463. client_tls_context;
  1464. result->magic = TOR_TLS_MAGIC;
  1465. check_no_tls_errors();
  1466. tor_assert(context); /* make sure somebody made it first */
  1467. if (!(result->ssl = SSL_new(context->ctx))) {
  1468. tls_log_errors(NULL, LOG_WARN, LD_NET, "creating SSL object");
  1469. tor_free(result);
  1470. goto err;
  1471. }
  1472. #ifdef SSL_set_tlsext_host_name
  1473. /* Browsers use the TLS hostname extension, so we should too. */
  1474. if (!isServer) {
  1475. char *fake_hostname = crypto_random_hostname(4,25, "www.",".com");
  1476. SSL_set_tlsext_host_name(result->ssl, fake_hostname);
  1477. tor_free(fake_hostname);
  1478. }
  1479. #endif
  1480. if (!SSL_set_cipher_list(result->ssl,
  1481. isServer ? SERVER_CIPHER_LIST : CLIENT_CIPHER_LIST)) {
  1482. tls_log_errors(NULL, LOG_WARN, LD_NET, "setting ciphers");
  1483. #ifdef SSL_set_tlsext_host_name
  1484. SSL_set_tlsext_host_name(result->ssl, NULL);
  1485. #endif
  1486. SSL_free(result->ssl);
  1487. tor_free(result);
  1488. goto err;
  1489. }
  1490. result->socket = sock;
  1491. bio = BIO_new_socket(sock, BIO_NOCLOSE);
  1492. if (! bio) {
  1493. tls_log_errors(NULL, LOG_WARN, LD_NET, "opening BIO");
  1494. #ifdef SSL_set_tlsext_host_name
  1495. SSL_set_tlsext_host_name(result->ssl, NULL);
  1496. #endif
  1497. SSL_free(result->ssl);
  1498. tor_free(result);
  1499. goto err;
  1500. }
  1501. {
  1502. int set_worked =
  1503. SSL_set_ex_data(result->ssl, tor_tls_object_ex_data_index, result);
  1504. if (!set_worked) {
  1505. log_warn(LD_BUG,
  1506. "Couldn't set the tls for an SSL*; connection will fail");
  1507. }
  1508. }
  1509. SSL_set_bio(result->ssl, bio, bio);
  1510. tor_tls_context_incref(context);
  1511. result->context = context;
  1512. result->state = TOR_TLS_ST_HANDSHAKE;
  1513. result->isServer = isServer;
  1514. result->wantwrite_n = 0;
  1515. result->last_write_count = (unsigned long) BIO_number_written(bio);
  1516. result->last_read_count = (unsigned long) BIO_number_read(bio);
  1517. if (result->last_write_count || result->last_read_count) {
  1518. log_warn(LD_NET, "Newly created BIO has read count %lu, write count %lu",
  1519. result->last_read_count, result->last_write_count);
  1520. }
  1521. if (isServer) {
  1522. SSL_set_info_callback(result->ssl, tor_tls_server_info_callback);
  1523. } else {
  1524. SSL_set_info_callback(result->ssl, tor_tls_debug_state_callback);
  1525. }
  1526. if (isServer)
  1527. tor_tls_setup_session_secret_cb(result);
  1528. goto done;
  1529. err:
  1530. result = NULL;
  1531. done:
  1532. /* Not expected to get called. */
  1533. tls_log_errors(NULL, LOG_WARN, LD_NET, "creating tor_tls_t object");
  1534. return result;
  1535. }
  1536. /** Make future log messages about <b>tls</b> display the address
  1537. * <b>address</b>.
  1538. */
  1539. void
  1540. tor_tls_set_logged_address(tor_tls_t *tls, const char *address)
  1541. {
  1542. tor_assert(tls);
  1543. tor_free(tls->address);
  1544. tls->address = tor_strdup(address);
  1545. }
  1546. /** Set <b>cb</b> to be called with argument <b>arg</b> whenever <b>tls</b>
  1547. * next gets a client-side renegotiate in the middle of a read. Do not
  1548. * invoke this function until <em>after</em> initial handshaking is done!
  1549. */
  1550. void
  1551. tor_tls_set_renegotiate_callback(tor_tls_t *tls,
  1552. void (*cb)(tor_tls_t *, void *arg),
  1553. void *arg)
  1554. {
  1555. tls->negotiated_callback = cb;
  1556. tls->callback_arg = arg;
  1557. tls->got_renegotiate = 0;
  1558. if (cb) {
  1559. SSL_set_info_callback(tls->ssl, tor_tls_server_info_callback);
  1560. } else {
  1561. SSL_set_info_callback(tls->ssl, tor_tls_debug_state_callback);
  1562. }
  1563. }
  1564. /** If this version of openssl requires it, turn on renegotiation on
  1565. * <b>tls</b>.
  1566. */
  1567. void
  1568. tor_tls_unblock_renegotiation(tor_tls_t *tls)
  1569. {
  1570. /* Yes, we know what we are doing here. No, we do not treat a renegotiation
  1571. * as authenticating any earlier-received data. */
  1572. SSL_set_options(tls->ssl,
  1573. SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
  1574. }
  1575. /** If this version of openssl supports it, turn off renegotiation on
  1576. * <b>tls</b>. (Our protocol never requires this for security, but it's nice
  1577. * to use belt-and-suspenders here.)
  1578. */
  1579. void
  1580. tor_tls_block_renegotiation(tor_tls_t *tls)
  1581. {
  1582. #ifdef SUPPORT_UNSAFE_RENEGOTIATION_FLAG
  1583. tls->ssl->s3->flags &= ~SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
  1584. #else
  1585. (void) tls;
  1586. #endif
  1587. }
  1588. /** Assert that the flags that allow legacy renegotiation are still set */
  1589. void
  1590. tor_tls_assert_renegotiation_unblocked(tor_tls_t *tls)
  1591. {
  1592. #if defined(SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION) && \
  1593. SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION != 0
  1594. long options = SSL_get_options(tls->ssl);
  1595. tor_assert(0 != (options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION));
  1596. #else
  1597. (void) tls;
  1598. #endif
  1599. }
  1600. /** Return whether this tls initiated the connect (client) or
  1601. * received it (server). */
  1602. int
  1603. tor_tls_is_server(tor_tls_t *tls)
  1604. {
  1605. tor_assert(tls);
  1606. return tls->isServer;
  1607. }
  1608. /** Release resources associated with a TLS object. Does not close the
  1609. * underlying file descriptor.
  1610. */
  1611. void
  1612. tor_tls_free(tor_tls_t *tls)
  1613. {
  1614. if (!tls)
  1615. return;
  1616. tor_assert(tls->ssl);
  1617. {
  1618. size_t r,w;
  1619. tor_tls_get_n_raw_bytes(tls,&r,&w); /* ensure written_by_tls is updated */
  1620. }
  1621. #ifdef SSL_set_tlsext_host_name
  1622. SSL_set_tlsext_host_name(tls->ssl, NULL);
  1623. #endif
  1624. SSL_free(tls->ssl);
  1625. tls->ssl = NULL;
  1626. tls->negotiated_callback = NULL;
  1627. if (tls->context)
  1628. tor_tls_context_decref(tls->context);
  1629. tor_free(tls->address);
  1630. tls->magic = 0x99999999;
  1631. tor_free(tls);
  1632. }
  1633. /** Underlying function for TLS reading. Reads up to <b>len</b>
  1634. * characters from <b>tls</b> into <b>cp</b>. On success, returns the
  1635. * number of characters read. On failure, returns TOR_TLS_ERROR,
  1636. * TOR_TLS_CLOSE, TOR_TLS_WANTREAD, or TOR_TLS_WANTWRITE.
  1637. */
  1638. MOCK_IMPL(int,
  1639. tor_tls_read,(tor_tls_t *tls, char *cp, size_t len))
  1640. {
  1641. int r, err;
  1642. tor_assert(tls);
  1643. tor_assert(tls->ssl);
  1644. tor_assert(tls->state == TOR_TLS_ST_OPEN);
  1645. tor_assert(len<INT_MAX);
  1646. r = SSL_read(tls->ssl, cp, (int)len);
  1647. if (r > 0) {
  1648. if (tls->got_renegotiate) {
  1649. /* Renegotiation happened! */
  1650. log_info(LD_NET, "Got a TLS renegotiation from %s", ADDR(tls));
  1651. if (tls->negotiated_callback)
  1652. tls->negotiated_callback(tls, tls->callback_arg);
  1653. tls->got_renegotiate = 0;
  1654. }
  1655. return r;
  1656. }
  1657. err = tor_tls_get_error(tls, r, CATCH_ZERO, "reading", LOG_DEBUG, LD_NET);
  1658. if (err == TOR_TLS_ZERORETURN_ || err == TOR_TLS_CLOSE) {
  1659. log_debug(LD_NET,"read returned r=%d; TLS is closed",r);
  1660. tls->state = TOR_TLS_ST_CLOSED;
  1661. return TOR_TLS_CLOSE;
  1662. } else {
  1663. tor_assert(err != TOR_TLS_DONE);
  1664. log_debug(LD_NET,"read returned r=%d, err=%d",r,err);
  1665. return err;
  1666. }
  1667. }
  1668. /** Total number of bytes that we've used TLS to send. Used to track TLS
  1669. * overhead. */
  1670. STATIC uint64_t total_bytes_written_over_tls = 0;
  1671. /** Total number of bytes that TLS has put on the network for us. Used to
  1672. * track TLS overhead. */
  1673. STATIC uint64_t total_bytes_written_by_tls = 0;
  1674. /** Underlying function for TLS writing. Write up to <b>n</b>
  1675. * characters from <b>cp</b> onto <b>tls</b>. On success, returns the
  1676. * number of characters written. On failure, returns TOR_TLS_ERROR,
  1677. * TOR_TLS_WANTREAD, or TOR_TLS_WANTWRITE.
  1678. */
  1679. int
  1680. tor_tls_write(tor_tls_t *tls, const char *cp, size_t n)
  1681. {
  1682. int r, err;
  1683. tor_assert(tls);
  1684. tor_assert(tls->ssl);
  1685. tor_assert(tls->state == TOR_TLS_ST_OPEN);
  1686. tor_assert(n < INT_MAX);
  1687. if (n == 0)
  1688. return 0;
  1689. if (tls->wantwrite_n) {
  1690. /* if WANTWRITE last time, we must use the _same_ n as before */
  1691. tor_assert(n >= tls->wantwrite_n);
  1692. log_debug(LD_NET,"resuming pending-write, (%d to flush, reusing %d)",
  1693. (int)n, (int)tls->wantwrite_n);
  1694. n = tls->wantwrite_n;
  1695. tls->wantwrite_n = 0;
  1696. }
  1697. r = SSL_write(tls->ssl, cp, (int)n);
  1698. err = tor_tls_get_error(tls, r, 0, "writing", LOG_INFO, LD_NET);
  1699. if (err == TOR_TLS_DONE) {
  1700. total_bytes_written_over_tls += r;
  1701. return r;
  1702. }
  1703. if (err == TOR_TLS_WANTWRITE || err == TOR_TLS_WANTREAD) {
  1704. tls->wantwrite_n = n;
  1705. }
  1706. return err;
  1707. }
  1708. /** Perform initial handshake on <b>tls</b>. When finished, returns
  1709. * TOR_TLS_DONE. On failure, returns TOR_TLS_ERROR, TOR_TLS_WANTREAD,
  1710. * or TOR_TLS_WANTWRITE.
  1711. */
  1712. int
  1713. tor_tls_handshake(tor_tls_t *tls)
  1714. {
  1715. int r;
  1716. tor_assert(tls);
  1717. tor_assert(tls->ssl);
  1718. tor_assert(tls->state == TOR_TLS_ST_HANDSHAKE);
  1719. check_no_tls_errors();
  1720. OSSL_HANDSHAKE_STATE oldstate = SSL_get_state(tls->ssl);
  1721. if (tls->isServer) {
  1722. log_debug(LD_HANDSHAKE, "About to call SSL_accept on %p (%s)", tls,
  1723. SSL_state_string_long(tls->ssl));
  1724. r = SSL_accept(tls->ssl);
  1725. } else {
  1726. log_debug(LD_HANDSHAKE, "About to call SSL_connect on %p (%s)", tls,
  1727. SSL_state_string_long(tls->ssl));
  1728. r = SSL_connect(tls->ssl);
  1729. }
  1730. OSSL_HANDSHAKE_STATE newstate = SSL_get_state(tls->ssl);
  1731. if (oldstate != newstate)
  1732. log_debug(LD_HANDSHAKE, "After call, %p was in state %s",
  1733. tls, SSL_state_string_long(tls->ssl));
  1734. /* We need to call this here and not earlier, since OpenSSL has a penchant
  1735. * for clearing its flags when you say accept or connect. */
  1736. tor_tls_unblock_renegotiation(tls);
  1737. r = tor_tls_get_error(tls,r,0, "handshaking", LOG_INFO, LD_HANDSHAKE);
  1738. if (ERR_peek_error() != 0) {
  1739. tls_log_errors(tls, tls->isServer ? LOG_INFO : LOG_WARN, LD_HANDSHAKE,
  1740. "handshaking");
  1741. return TOR_TLS_ERROR_MISC;
  1742. }
  1743. if (r == TOR_TLS_DONE) {
  1744. tls->state = TOR_TLS_ST_OPEN;
  1745. return tor_tls_finish_handshake(tls);
  1746. }
  1747. return r;
  1748. }
  1749. /** Perform the final part of the intial TLS handshake on <b>tls</b>. This
  1750. * should be called for the first handshake only: it determines whether the v1
  1751. * or the v2 handshake was used, and adjusts things for the renegotiation
  1752. * handshake as appropriate.
  1753. *
  1754. * tor_tls_handshake() calls this on its own; you only need to call this if
  1755. * bufferevent is doing the handshake for you.
  1756. */
  1757. int
  1758. tor_tls_finish_handshake(tor_tls_t *tls)
  1759. {
  1760. int r = TOR_TLS_DONE;
  1761. check_no_tls_errors();
  1762. if (tls->isServer) {
  1763. SSL_set_info_callback(tls->ssl, NULL);
  1764. SSL_set_verify(tls->ssl, SSL_VERIFY_PEER, always_accept_verify_cb);
  1765. SSL_clear_mode(tls->ssl, SSL_MODE_NO_AUTO_CHAIN);
  1766. if (tor_tls_client_is_using_v2_ciphers(tls->ssl)) {
  1767. /* This check is redundant, but back when we did it in the callback,
  1768. * we might have not been able to look up the tor_tls_t if the code
  1769. * was buggy. Fixing that. */
  1770. if (!tls->wasV2Handshake) {
  1771. log_warn(LD_BUG, "For some reason, wasV2Handshake didn't"
  1772. " get set. Fixing that.");
  1773. }
  1774. tls->wasV2Handshake = 1;
  1775. log_debug(LD_HANDSHAKE, "Completed V2 TLS handshake with client; waiting"
  1776. " for renegotiation.");
  1777. } else {
  1778. tls->wasV2Handshake = 0;
  1779. }
  1780. } else {
  1781. /* Client-side */
  1782. tls->wasV2Handshake = 1;
  1783. /* XXXX this can move, probably? -NM */
  1784. if (SSL_set_cipher_list(tls->ssl, SERVER_CIPHER_LIST) == 0) {
  1785. tls_log_errors(NULL, LOG_WARN, LD_HANDSHAKE, "re-setting ciphers");
  1786. r = TOR_TLS_ERROR_MISC;
  1787. }
  1788. }
  1789. tls_log_errors(NULL, LOG_WARN, LD_NET, "finishing the handshake");
  1790. return r;
  1791. }
  1792. /** Shut down an open tls connection <b>tls</b>. When finished, returns
  1793. * TOR_TLS_DONE. On failure, returns TOR_TLS_ERROR, TOR_TLS_WANTREAD,
  1794. * or TOR_TLS_WANTWRITE.
  1795. */
  1796. int
  1797. tor_tls_shutdown(tor_tls_t *tls)
  1798. {
  1799. int r, err;
  1800. char buf[128];
  1801. tor_assert(tls);
  1802. tor_assert(tls->ssl);
  1803. check_no_tls_errors();
  1804. while (1) {
  1805. if (tls->state == TOR_TLS_ST_SENTCLOSE) {
  1806. /* If we've already called shutdown once to send a close message,
  1807. * we read until the other side has closed too.
  1808. */
  1809. do {
  1810. r = SSL_read(tls->ssl, buf, 128);
  1811. } while (r>0);
  1812. err = tor_tls_get_error(tls, r, CATCH_ZERO, "reading to shut down",
  1813. LOG_INFO, LD_NET);
  1814. if (err == TOR_TLS_ZERORETURN_) {
  1815. tls->state = TOR_TLS_ST_GOTCLOSE;
  1816. /* fall through... */
  1817. } else {
  1818. return err;
  1819. }
  1820. }
  1821. r = SSL_shutdown(tls->ssl);
  1822. if (r == 1) {
  1823. /* If shutdown returns 1, the connection is entirely closed. */
  1824. tls->state = TOR_TLS_ST_CLOSED;
  1825. return TOR_TLS_DONE;
  1826. }
  1827. err = tor_tls_get_error(tls, r, CATCH_SYSCALL|CATCH_ZERO, "shutting down",
  1828. LOG_INFO, LD_NET);
  1829. if (err == TOR_TLS_SYSCALL_) {
  1830. /* The underlying TCP connection closed while we were shutting down. */
  1831. tls->state = TOR_TLS_ST_CLOSED;
  1832. return TOR_TLS_DONE;
  1833. } else if (err == TOR_TLS_ZERORETURN_) {
  1834. /* The TLS connection says that it sent a shutdown record, but
  1835. * isn't done shutting down yet. Make sure that this hasn't
  1836. * happened before, then go back to the start of the function
  1837. * and try to read.
  1838. */
  1839. if (tls->state == TOR_TLS_ST_GOTCLOSE ||
  1840. tls->state == TOR_TLS_ST_SENTCLOSE) {
  1841. log_warn(LD_NET,
  1842. "TLS returned \"half-closed\" value while already half-closed");
  1843. return TOR_TLS_ERROR_MISC;
  1844. }
  1845. tls->state = TOR_TLS_ST_SENTCLOSE;
  1846. /* fall through ... */
  1847. } else {
  1848. return err;
  1849. }
  1850. } /* end loop */
  1851. }
  1852. /** Return true iff this TLS connection is authenticated.
  1853. */
  1854. int
  1855. tor_tls_peer_has_cert(tor_tls_t *tls)
  1856. {
  1857. X509 *cert;
  1858. cert = SSL_get_peer_certificate(tls->ssl);
  1859. tls_log_errors(tls, LOG_WARN, LD_HANDSHAKE, "getting peer certificate");
  1860. if (!cert)
  1861. return 0;
  1862. X509_free(cert);
  1863. return 1;
  1864. }
  1865. /** Return a newly allocated copy of the peer certificate, or NULL if there
  1866. * isn't one. */
  1867. MOCK_IMPL(tor_x509_cert_t *,
  1868. tor_tls_get_peer_cert,(tor_tls_t *tls))
  1869. {
  1870. X509 *cert;
  1871. cert = SSL_get_peer_certificate(tls->ssl);
  1872. tls_log_errors(tls, LOG_WARN, LD_HANDSHAKE, "getting peer certificate");
  1873. if (!cert)
  1874. return NULL;
  1875. return tor_x509_cert_new(cert);
  1876. }
  1877. /** Return a newly allocated copy of the cerficate we used on the connection,
  1878. * or NULL if somehow we didn't use one. */
  1879. MOCK_IMPL(tor_x509_cert_t *,
  1880. tor_tls_get_own_cert,(tor_tls_t *tls))
  1881. {
  1882. X509 *cert = SSL_get_certificate(tls->ssl);
  1883. tls_log_errors(tls, LOG_WARN, LD_HANDSHAKE,
  1884. "getting own-connection certificate");
  1885. if (!cert)
  1886. return NULL;
  1887. /* Fun inconsistency: SSL_get_peer_certificate increments the reference
  1888. * count, but SSL_get_certificate does not. */
  1889. X509 *duplicate = X509_dup(cert);
  1890. if (BUG(duplicate == NULL))
  1891. return NULL;
  1892. return tor_x509_cert_new(duplicate);
  1893. }
  1894. /** Warn that a certificate lifetime extends through a certain range. */
  1895. static void
  1896. log_cert_lifetime(int severity, const X509 *cert, const char *problem,
  1897. time_t now)
  1898. {
  1899. BIO *bio = NULL;
  1900. BUF_MEM *buf;
  1901. char *s1=NULL, *s2=NULL;
  1902. char mytime[33];
  1903. struct tm tm;
  1904. size_t n;
  1905. if (problem)
  1906. tor_log(severity, LD_GENERAL,
  1907. "Certificate %s. Either their clock is set wrong, or your clock "
  1908. "is wrong.",
  1909. problem);
  1910. if (!(bio = BIO_new(BIO_s_mem()))) {
  1911. log_warn(LD_GENERAL, "Couldn't allocate BIO!"); goto end;
  1912. }
  1913. if (!(ASN1_TIME_print(bio, X509_get_notBefore_const(cert)))) {
  1914. tls_log_errors(NULL, LOG_WARN, LD_NET, "printing certificate lifetime");
  1915. goto end;
  1916. }
  1917. BIO_get_mem_ptr(bio, &buf);
  1918. s1 = tor_strndup(buf->data, buf->length);
  1919. (void)BIO_reset(bio);
  1920. if (!(ASN1_TIME_print(bio, X509_get_notAfter_const(cert)))) {
  1921. tls_log_errors(NULL, LOG_WARN, LD_NET, "printing certificate lifetime");
  1922. goto end;
  1923. }
  1924. BIO_get_mem_ptr(bio, &buf);
  1925. s2 = tor_strndup(buf->data, buf->length);
  1926. n = strftime(mytime, 32, "%b %d %H:%M:%S %Y UTC", tor_gmtime_r(&now, &tm));
  1927. if (n > 0) {
  1928. tor_log(severity, LD_GENERAL,
  1929. "(certificate lifetime runs from %s through %s. Your time is %s.)",
  1930. s1,s2,mytime);
  1931. } else {
  1932. tor_log(severity, LD_GENERAL,
  1933. "(certificate lifetime runs from %s through %s. "
  1934. "Couldn't get your time.)",
  1935. s1, s2);
  1936. }
  1937. end:
  1938. /* Not expected to get invoked */
  1939. tls_log_errors(NULL, LOG_WARN, LD_NET, "getting certificate lifetime");
  1940. if (bio)
  1941. BIO_free(bio);
  1942. tor_free(s1);
  1943. tor_free(s2);
  1944. }
  1945. /** Helper function: try to extract a link certificate and an identity
  1946. * certificate from <b>tls</b>, and store them in *<b>cert_out</b> and
  1947. * *<b>id_cert_out</b> respectively. Log all messages at level
  1948. * <b>severity</b>.
  1949. *
  1950. * Note that a reference is added to cert_out, so it needs to be
  1951. * freed. id_cert_out doesn't. */
  1952. MOCK_IMPL(STATIC void,
  1953. try_to_extract_certs_from_tls,(int severity, tor_tls_t *tls,
  1954. X509 **cert_out, X509 **id_cert_out))
  1955. {
  1956. X509 *cert = NULL, *id_cert = NULL;
  1957. STACK_OF(X509) *chain = NULL;
  1958. int num_in_chain, i;
  1959. *cert_out = *id_cert_out = NULL;
  1960. if (!(cert = SSL_get_peer_certificate(tls->ssl)))
  1961. return;
  1962. *cert_out = cert;
  1963. if (!(chain = SSL_get_peer_cert_chain(tls->ssl)))
  1964. return;
  1965. num_in_chain = sk_X509_num(chain);
  1966. /* 1 means we're receiving (server-side), and it's just the id_cert.
  1967. * 2 means we're connecting (client-side), and it's both the link
  1968. * cert and the id_cert.
  1969. */
  1970. if (num_in_chain < 1) {
  1971. log_fn(severity,LD_PROTOCOL,
  1972. "Unexpected number of certificates in chain (%d)",
  1973. num_in_chain);
  1974. return;
  1975. }
  1976. for (i=0; i<num_in_chain; ++i) {
  1977. id_cert = sk_X509_value(chain, i);
  1978. if (X509_cmp(id_cert, cert) != 0)
  1979. break;
  1980. }
  1981. *id_cert_out = id_cert;
  1982. }
  1983. /** If the provided tls connection is authenticated and has a
  1984. * certificate chain that is currently valid and signed, then set
  1985. * *<b>identity_key</b> to the identity certificate's key and return
  1986. * 0. Else, return -1 and log complaints with log-level <b>severity</b>.
  1987. */
  1988. int
  1989. tor_tls_verify(int severity, tor_tls_t *tls, crypto_pk_t **identity_key)
  1990. {
  1991. X509 *cert = NULL, *id_cert = NULL;
  1992. EVP_PKEY *id_pkey = NULL;
  1993. RSA *rsa;
  1994. int r = -1;
  1995. check_no_tls_errors();
  1996. *identity_key = NULL;
  1997. try_to_extract_certs_from_tls(severity, tls, &cert, &id_cert);
  1998. if (!cert)
  1999. goto done;
  2000. if (!id_cert) {
  2001. log_fn(severity,LD_PROTOCOL,"No distinct identity certificate found");
  2002. goto done;
  2003. }
  2004. tls_log_errors(tls, severity, LD_HANDSHAKE, "before verifying certificate");
  2005. if (!(id_pkey = X509_get_pubkey(id_cert)) ||
  2006. X509_verify(cert, id_pkey) <= 0) {
  2007. log_fn(severity,LD_PROTOCOL,"X509_verify on cert and pkey returned <= 0");
  2008. tls_log_errors(tls, severity, LD_HANDSHAKE, "verifying certificate");
  2009. goto done;
  2010. }
  2011. rsa = EVP_PKEY_get1_RSA(id_pkey);
  2012. if (!rsa)
  2013. goto done;
  2014. *identity_key = crypto_new_pk_from_rsa_(rsa);
  2015. r = 0;
  2016. done:
  2017. if (cert)
  2018. X509_free(cert);
  2019. if (id_pkey)
  2020. EVP_PKEY_free(id_pkey);
  2021. /* This should never get invoked, but let's make sure in case OpenSSL
  2022. * acts unexpectedly. */
  2023. tls_log_errors(tls, LOG_WARN, LD_HANDSHAKE, "finishing tor_tls_verify");
  2024. return r;
  2025. }
  2026. /** Check whether the certificate set on the connection <b>tls</b> is expired
  2027. * give or take <b>past_tolerance</b> seconds, or not-yet-valid give or take
  2028. * <b>future_tolerance</b> seconds. Return 0 for valid, -1 for failure.
  2029. *
  2030. * NOTE: you should call tor_tls_verify before tor_tls_check_lifetime.
  2031. */
  2032. int
  2033. tor_tls_check_lifetime(int severity, tor_tls_t *tls,
  2034. time_t now,
  2035. int past_tolerance, int future_tolerance)
  2036. {
  2037. X509 *cert;
  2038. int r = -1;
  2039. if (!(cert = SSL_get_peer_certificate(tls->ssl)))
  2040. goto done;
  2041. if (check_cert_lifetime_internal(severity, cert, now,
  2042. past_tolerance, future_tolerance) < 0)
  2043. goto done;
  2044. r = 0;
  2045. done:
  2046. if (cert)
  2047. X509_free(cert);
  2048. /* Not expected to get invoked */
  2049. tls_log_errors(tls, LOG_WARN, LD_NET, "checking certificate lifetime");
  2050. return r;
  2051. }
  2052. /** Helper: check whether <b>cert</b> is expired give or take
  2053. * <b>past_tolerance</b> seconds, or not-yet-valid give or take
  2054. * <b>future_tolerance</b> seconds. (Relative to the current time
  2055. * <b>now</b>.) If it is live, return 0. If it is not live, log a message
  2056. * and return -1. */
  2057. static int
  2058. check_cert_lifetime_internal(int severity, const X509 *cert,
  2059. time_t now,
  2060. int past_tolerance, int future_tolerance)
  2061. {
  2062. time_t t;
  2063. t = now + future_tolerance;
  2064. if (X509_cmp_time(X509_get_notBefore_const(cert), &t) > 0) {
  2065. log_cert_lifetime(severity, cert, "not yet valid", now);
  2066. return -1;
  2067. }
  2068. t = now - past_tolerance;
  2069. if (X509_cmp_time(X509_get_notAfter_const(cert), &t) < 0) {
  2070. log_cert_lifetime(severity, cert, "already expired", now);
  2071. return -1;
  2072. }
  2073. return 0;
  2074. }
  2075. /** Return the number of bytes available for reading from <b>tls</b>.
  2076. */
  2077. int
  2078. tor_tls_get_pending_bytes(tor_tls_t *tls)
  2079. {
  2080. tor_assert(tls);
  2081. return SSL_pending(tls->ssl);
  2082. }
  2083. /** If <b>tls</b> requires that the next write be of a particular size,
  2084. * return that size. Otherwise, return 0. */
  2085. size_t
  2086. tor_tls_get_forced_write_size(tor_tls_t *tls)
  2087. {
  2088. return tls->wantwrite_n;
  2089. }
  2090. /** Sets n_read and n_written to the number of bytes read and written,
  2091. * respectively, on the raw socket used by <b>tls</b> since the last time this
  2092. * function was called on <b>tls</b>. */
  2093. void
  2094. tor_tls_get_n_raw_bytes(tor_tls_t *tls, size_t *n_read, size_t *n_written)
  2095. {
  2096. BIO *wbio, *tmpbio;
  2097. unsigned long r, w;
  2098. r = (unsigned long) BIO_number_read(SSL_get_rbio(tls->ssl));
  2099. /* We want the number of bytes actually for real written. Unfortunately,
  2100. * sometimes OpenSSL replaces the wbio on tls->ssl with a buffering bio,
  2101. * which makes the answer turn out wrong. Let's cope with that. Note
  2102. * that this approach will fail if we ever replace tls->ssl's BIOs with
  2103. * buffering bios for reasons of our own. As an alternative, we could
  2104. * save the original BIO for tls->ssl in the tor_tls_t structure, but
  2105. * that would be tempting fate. */
  2106. wbio = SSL_get_wbio(tls->ssl);
  2107. #if OPENSSL_VERSION_NUMBER >= OPENSSL_VER(1,1,0,0,5)
  2108. /* BIO structure is opaque as of OpenSSL 1.1.0-pre5-dev. Again, not
  2109. * supposed to use this form of the version macro, but the OpenSSL developers
  2110. * introduced major API changes in the pre-release stage.
  2111. */
  2112. if (BIO_method_type(wbio) == BIO_TYPE_BUFFER &&
  2113. (tmpbio = BIO_next(wbio)) != NULL)
  2114. wbio = tmpbio;
  2115. #else
  2116. if (wbio->method == BIO_f_buffer() && (tmpbio = BIO_next(wbio)) != NULL)
  2117. wbio = tmpbio;
  2118. #endif
  2119. w = (unsigned long) BIO_number_written(wbio);
  2120. /* We are ok with letting these unsigned ints go "negative" here:
  2121. * If we wrapped around, this should still give us the right answer, unless
  2122. * we wrapped around by more than ULONG_MAX since the last time we called
  2123. * this function.
  2124. */
  2125. *n_read = (size_t)(r - tls->last_read_count);
  2126. *n_written = (size_t)(w - tls->last_write_count);
  2127. if (*n_read > INT_MAX || *n_written > INT_MAX) {
  2128. log_warn(LD_BUG, "Preposterously large value in tor_tls_get_n_raw_bytes. "
  2129. "r=%lu, last_read=%lu, w=%lu, last_written=%lu",
  2130. r, tls->last_read_count, w, tls->last_write_count);
  2131. }
  2132. total_bytes_written_by_tls += *n_written;
  2133. tls->last_read_count = r;
  2134. tls->last_write_count = w;
  2135. }
  2136. /** Return a ratio of the bytes that TLS has sent to the bytes that we've told
  2137. * it to send. Used to track whether our TLS records are getting too tiny. */
  2138. MOCK_IMPL(double,
  2139. tls_get_write_overhead_ratio,(void))
  2140. {
  2141. if (total_bytes_written_over_tls == 0)
  2142. return 1.0;
  2143. return U64_TO_DBL(total_bytes_written_by_tls) /
  2144. U64_TO_DBL(total_bytes_written_over_tls);
  2145. }
  2146. /** Implement check_no_tls_errors: If there are any pending OpenSSL
  2147. * errors, log an error message. */
  2148. void
  2149. check_no_tls_errors_(const char *fname, int line)
  2150. {
  2151. if (ERR_peek_error() == 0)
  2152. return;
  2153. log_warn(LD_CRYPTO, "Unhandled OpenSSL errors found at %s:%d: ",
  2154. tor_fix_source_file(fname), line);
  2155. tls_log_errors(NULL, LOG_WARN, LD_NET, NULL);
  2156. }
  2157. /** Return true iff the initial TLS connection at <b>tls</b> did not use a v2
  2158. * TLS handshake. Output is undefined if the handshake isn't finished. */
  2159. int
  2160. tor_tls_used_v1_handshake(tor_tls_t *tls)
  2161. {
  2162. return ! tls->wasV2Handshake;
  2163. }
  2164. /** Return the number of server handshakes that we've noticed doing on
  2165. * <b>tls</b>. */
  2166. int
  2167. tor_tls_get_num_server_handshakes(tor_tls_t *tls)
  2168. {
  2169. return tls->server_handshake_count;
  2170. }
  2171. /** Return true iff the server TLS connection <b>tls</b> got the renegotiation
  2172. * request it was waiting for. */
  2173. int
  2174. tor_tls_server_got_renegotiate(tor_tls_t *tls)
  2175. {
  2176. return tls->got_renegotiate;
  2177. }
  2178. #ifndef HAVE_SSL_GET_CLIENT_RANDOM
  2179. static size_t
  2180. SSL_get_client_random(SSL *s, uint8_t *out, size_t len)
  2181. {
  2182. if (len == 0)
  2183. return SSL3_RANDOM_SIZE;
  2184. tor_assert(len == SSL3_RANDOM_SIZE);
  2185. tor_assert(s->s3);
  2186. memcpy(out, s->s3->client_random, len);
  2187. return len;
  2188. }
  2189. #endif
  2190. #ifndef HAVE_SSL_GET_SERVER_RANDOM
  2191. static size_t
  2192. SSL_get_server_random(SSL *s, uint8_t *out, size_t len)
  2193. {
  2194. if (len == 0)
  2195. return SSL3_RANDOM_SIZE;
  2196. tor_assert(len == SSL3_RANDOM_SIZE);
  2197. tor_assert(s->s3);
  2198. memcpy(out, s->s3->server_random, len);
  2199. return len;
  2200. }
  2201. #endif
  2202. #ifndef HAVE_SSL_SESSION_GET_MASTER_KEY
  2203. STATIC size_t
  2204. SSL_SESSION_get_master_key(SSL_SESSION *s, uint8_t *out, size_t len)
  2205. {
  2206. tor_assert(s);
  2207. if (len == 0)
  2208. return s->master_key_length;
  2209. tor_assert(len == (size_t)s->master_key_length);
  2210. tor_assert(out);
  2211. memcpy(out, s->master_key, len);
  2212. return len;
  2213. }
  2214. #endif
  2215. /** Set the DIGEST256_LEN buffer at <b>secrets_out</b> to the value used in
  2216. * the v3 handshake to prove that the client knows the TLS secrets for the
  2217. * connection <b>tls</b>. Return 0 on success, -1 on failure.
  2218. */
  2219. MOCK_IMPL(int,
  2220. tor_tls_get_tlssecrets,(tor_tls_t *tls, uint8_t *secrets_out))
  2221. {
  2222. #define TLSSECRET_MAGIC "Tor V3 handshake TLS cross-certification"
  2223. uint8_t buf[128];
  2224. size_t len;
  2225. tor_assert(tls);
  2226. SSL *const ssl = tls->ssl;
  2227. SSL_SESSION *const session = SSL_get_session(ssl);
  2228. tor_assert(ssl);
  2229. tor_assert(session);
  2230. const size_t server_random_len = SSL_get_server_random(ssl, NULL, 0);
  2231. const size_t client_random_len = SSL_get_client_random(ssl, NULL, 0);
  2232. const size_t master_key_len = SSL_SESSION_get_master_key(session, NULL, 0);
  2233. tor_assert(server_random_len);
  2234. tor_assert(client_random_len);
  2235. tor_assert(master_key_len);
  2236. len = client_random_len + server_random_len + strlen(TLSSECRET_MAGIC) + 1;
  2237. tor_assert(len <= sizeof(buf));
  2238. {
  2239. size_t r = SSL_get_client_random(ssl, buf, client_random_len);
  2240. tor_assert(r == client_random_len);
  2241. }
  2242. {
  2243. size_t r = SSL_get_server_random(ssl,
  2244. buf+client_random_len,
  2245. server_random_len);
  2246. tor_assert(r == server_random_len);
  2247. }
  2248. uint8_t *master_key = tor_malloc_zero(master_key_len);
  2249. {
  2250. size_t r = SSL_SESSION_get_master_key(session, master_key, master_key_len);
  2251. tor_assert(r == master_key_len);
  2252. }
  2253. uint8_t *nextbuf = buf + client_random_len + server_random_len;
  2254. memcpy(nextbuf, TLSSECRET_MAGIC, strlen(TLSSECRET_MAGIC) + 1);
  2255. /*
  2256. The value is an HMAC, using the TLS master key as the HMAC key, of
  2257. client_random | server_random | TLSSECRET_MAGIC
  2258. */
  2259. crypto_hmac_sha256((char*)secrets_out,
  2260. (char*)master_key,
  2261. master_key_len,
  2262. (char*)buf, len);
  2263. memwipe(buf, 0, sizeof(buf));
  2264. memwipe(master_key, 0, master_key_len);
  2265. tor_free(master_key);
  2266. return 0;
  2267. }
  2268. /** Using the RFC5705 key material exporting construction, and the
  2269. * provided <b>context</b> (<b>context_len</b> bytes long) and
  2270. * <b>label</b> (a NUL-terminated string), compute a 32-byte secret in
  2271. * <b>secrets_out</b> that only the parties to this TLS session can
  2272. * compute. Return 0 on success and -1 on failure.
  2273. */
  2274. MOCK_IMPL(int,
  2275. tor_tls_export_key_material,(tor_tls_t *tls, uint8_t *secrets_out,
  2276. const uint8_t *context,
  2277. size_t context_len,
  2278. const char *label))
  2279. {
  2280. tor_assert(tls);
  2281. tor_assert(tls->ssl);
  2282. int r = SSL_export_keying_material(tls->ssl,
  2283. secrets_out, DIGEST256_LEN,
  2284. label, strlen(label),
  2285. context, context_len, 1);
  2286. return (r == 1) ? 0 : -1;
  2287. }
  2288. /** Examine the amount of memory used and available for buffers in <b>tls</b>.
  2289. * Set *<b>rbuf_capacity</b> to the amount of storage allocated for the read
  2290. * buffer and *<b>rbuf_bytes</b> to the amount actually used.
  2291. * Set *<b>wbuf_capacity</b> to the amount of storage allocated for the write
  2292. * buffer and *<b>wbuf_bytes</b> to the amount actually used.
  2293. *
  2294. * Return 0 on success, -1 on failure.*/
  2295. int
  2296. tor_tls_get_buffer_sizes(tor_tls_t *tls,
  2297. size_t *rbuf_capacity, size_t *rbuf_bytes,
  2298. size_t *wbuf_capacity, size_t *wbuf_bytes)
  2299. {
  2300. #if OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,1,0)
  2301. (void)tls;
  2302. (void)rbuf_capacity;
  2303. (void)rbuf_bytes;
  2304. (void)wbuf_capacity;
  2305. (void)wbuf_bytes;
  2306. return -1;
  2307. #else
  2308. if (tls->ssl->s3->rbuf.buf)
  2309. *rbuf_capacity = tls->ssl->s3->rbuf.len;
  2310. else
  2311. *rbuf_capacity = 0;
  2312. if (tls->ssl->s3->wbuf.buf)
  2313. *wbuf_capacity = tls->ssl->s3->wbuf.len;
  2314. else
  2315. *wbuf_capacity = 0;
  2316. *rbuf_bytes = tls->ssl->s3->rbuf.left;
  2317. *wbuf_bytes = tls->ssl->s3->wbuf.left;
  2318. return 0;
  2319. #endif
  2320. }
  2321. /** Check whether the ECC group requested is supported by the current OpenSSL
  2322. * library instance. Return 1 if the group is supported, and 0 if not.
  2323. */
  2324. int
  2325. evaluate_ecgroup_for_tls(const char *ecgroup)
  2326. {
  2327. EC_KEY *ec_key;
  2328. int nid;
  2329. int ret;
  2330. if (!ecgroup)
  2331. nid = NID_tor_default_ecdhe_group;
  2332. else if (!strcasecmp(ecgroup, "P256"))
  2333. nid = NID_X9_62_prime256v1;
  2334. else if (!strcasecmp(ecgroup, "P224"))
  2335. nid = NID_secp224r1;
  2336. else
  2337. return 0;
  2338. ec_key = EC_KEY_new_by_curve_name(nid);
  2339. ret = (ec_key != NULL);
  2340. EC_KEY_free(ec_key);
  2341. return ret;
  2342. }